Diffstat (limited to 'security/nss/lib')
-rw-r--r--security/nss/lib/Makefile88
-rw-r--r--security/nss/lib/asn1/Makefile38
-rw-r--r--security/nss/lib/asn1/asn1.c1726
-rw-r--r--security/nss/lib/asn1/asn1.h879
-rw-r--r--security/nss/lib/asn1/asn1m.h80
-rw-r--r--security/nss/lib/asn1/asn1t.h166
-rw-r--r--security/nss/lib/asn1/config.mk37
-rw-r--r--security/nss/lib/asn1/manifest.mn55
-rw-r--r--security/nss/lib/asn1/nssasn1t.h67
-rw-r--r--security/nss/lib/base/Makefile38
-rw-r--r--security/nss/lib/base/arena.c1121
-rw-r--r--security/nss/lib/base/base.h1063
-rw-r--r--security/nss/lib/base/baset.h147
-rw-r--r--security/nss/lib/base/config.mk37
-rw-r--r--security/nss/lib/base/error.c298
-rw-r--r--security/nss/lib/base/errorval.c77
-rw-r--r--security/nss/lib/base/hashops.c117
-rw-r--r--security/nss/lib/base/item.c228
-rw-r--r--security/nss/lib/base/libc.c197
-rw-r--r--security/nss/lib/base/manifest.mn62
-rw-r--r--security/nss/lib/base/nssbase.h167
-rw-r--r--security/nss/lib/base/nssbaset.h151
-rw-r--r--security/nss/lib/base/tracker.c544
-rw-r--r--security/nss/lib/base/utf8.c759
-rw-r--r--security/nss/lib/base/whatnspr.c170
-rw-r--r--security/nss/lib/certdb/.cvsignore1
-rw-r--r--security/nss/lib/certdb/Makefile76
-rw-r--r--security/nss/lib/certdb/alg1485.c953
-rw-r--r--security/nss/lib/certdb/cdbhdl.h57
-rw-r--r--security/nss/lib/certdb/cert.h1387
-rw-r--r--security/nss/lib/certdb/certdb.c2271
-rw-r--r--security/nss/lib/certdb/certdb.h396
-rw-r--r--security/nss/lib/certdb/certinit.c399
-rw-r--r--security/nss/lib/certdb/certt.h804
-rw-r--r--security/nss/lib/certdb/certv3.c406
-rw-r--r--security/nss/lib/certdb/certxutl.c482
-rw-r--r--security/nss/lib/certdb/certxutl.h79
-rw-r--r--security/nss/lib/certdb/config.mk44
-rw-r--r--security/nss/lib/certdb/crl.c387
-rw-r--r--security/nss/lib/certdb/genname.c1589
-rw-r--r--security/nss/lib/certdb/genname.h125
-rw-r--r--security/nss/lib/certdb/manifest.mn76
-rw-r--r--security/nss/lib/certdb/pcertdb.c7340
-rw-r--r--security/nss/lib/certdb/polcyxtn.c541
-rw-r--r--security/nss/lib/certdb/secname.c625
-rw-r--r--security/nss/lib/certdb/xauthkid.c147
-rw-r--r--security/nss/lib/certdb/xbsconst.c167
-rw-r--r--security/nss/lib/certdb/xconst.c253
-rw-r--r--security/nss/lib/certdb/xconst.h85
-rw-r--r--security/nss/lib/certhigh/Makefile76
-rw-r--r--security/nss/lib/certhigh/certhigh.c1053
-rw-r--r--security/nss/lib/certhigh/certhtml.c623
-rw-r--r--security/nss/lib/certhigh/certread.c535
-rw-r--r--security/nss/lib/certhigh/certreq.c228
-rw-r--r--security/nss/lib/certhigh/certvfy.c1575
-rw-r--r--security/nss/lib/certhigh/config.mk44
-rw-r--r--security/nss/lib/certhigh/crlv2.c126
-rw-r--r--security/nss/lib/certhigh/manifest.mn60
-rw-r--r--security/nss/lib/certhigh/ocsp.c3897
-rw-r--r--security/nss/lib/certhigh/ocsp.h452
-rw-r--r--security/nss/lib/certhigh/ocspt.h59
-rw-r--r--security/nss/lib/certhigh/ocspti.h398
-rw-r--r--security/nss/lib/certhigh/xcrldist.c222
-rw-r--r--security/nss/lib/ckfw/.cvsignore4
-rw-r--r--security/nss/lib/ckfw/Makefile46
-rw-r--r--security/nss/lib/ckfw/builtins/.cvsignore1
-rw-r--r--security/nss/lib/ckfw/builtins/Makefile43
-rw-r--r--security/nss/lib/ckfw/builtins/anchor.c50
-rw-r--r--security/nss/lib/ckfw/builtins/builtins.h103
-rw-r--r--security/nss/lib/ckfw/builtins/certdata.perl291
-rw-r--r--security/nss/lib/ckfw/builtins/certdata.txt143
-rw-r--r--security/nss/lib/ckfw/builtins/config.mk37
-rw-r--r--security/nss/lib/ckfw/builtins/constants.c82
-rw-r--r--security/nss/lib/ckfw/builtins/find.c237
-rw-r--r--security/nss/lib/ckfw/builtins/instance.c130
-rw-r--r--security/nss/lib/ckfw/builtins/manifest.mn55
-rw-r--r--security/nss/lib/ckfw/builtins/object.c254
-rw-r--r--security/nss/lib/ckfw/builtins/session.c108
-rw-r--r--security/nss/lib/ckfw/builtins/slot.c124
-rw-r--r--security/nss/lib/ckfw/builtins/token.c184
-rw-r--r--security/nss/lib/ckfw/ck.api571
-rw-r--r--security/nss/lib/ckfw/ck.h121
-rw-r--r--security/nss/lib/ckfw/ckapi.perl497
-rw-r--r--security/nss/lib/ckfw/ckfw.h1858
-rw-r--r--security/nss/lib/ckfw/ckfwm.h161
-rw-r--r--security/nss/lib/ckfw/ckfwtm.h56
-rw-r--r--security/nss/lib/ckfw/ckmd.h65
-rw-r--r--security/nss/lib/ckfw/ckt.h196
-rw-r--r--security/nss/lib/ckfw/config.mk37
-rw-r--r--security/nss/lib/ckfw/dbm/Makefile38
-rw-r--r--security/nss/lib/ckfw/dbm/anchor.c50
-rw-r--r--security/nss/lib/ckfw/dbm/ckdbm.h281
-rw-r--r--security/nss/lib/ckfw/dbm/config.mk37
-rw-r--r--security/nss/lib/ckfw/dbm/db.c1065
-rw-r--r--security/nss/lib/ckfw/dbm/find.c166
-rw-r--r--security/nss/lib/ckfw/dbm/instance.c196
-rw-r--r--security/nss/lib/ckfw/dbm/manifest.mn54
-rw-r--r--security/nss/lib/ckfw/dbm/object.c204
-rw-r--r--security/nss/lib/ckfw/dbm/session.c298
-rw-r--r--security/nss/lib/ckfw/dbm/slot.c214
-rw-r--r--security/nss/lib/ckfw/dbm/token.c315
-rw-r--r--security/nss/lib/ckfw/find.c408
-rw-r--r--security/nss/lib/ckfw/hash.c334
-rw-r--r--security/nss/lib/ckfw/instance.c1310
-rw-r--r--security/nss/lib/ckfw/manifest.mn77
-rw-r--r--security/nss/lib/ckfw/mutex.c346
-rw-r--r--security/nss/lib/ckfw/nssckfw.h499
-rw-r--r--security/nss/lib/ckfw/nssckfwc.h1046
-rw-r--r--security/nss/lib/ckfw/nssckfwt.h111
-rw-r--r--security/nss/lib/ckfw/nssckmdt.h2014
-rw-r--r--security/nss/lib/ckfw/nssckp.h66
-rw-r--r--security/nss/lib/ckfw/nssckt.h1123
-rw-r--r--security/nss/lib/ckfw/nsscku.h71
-rw-r--r--security/nss/lib/ckfw/object.c1044
-rw-r--r--security/nss/lib/ckfw/session.c1962
-rw-r--r--security/nss/lib/ckfw/sessobj.c1090
-rw-r--r--security/nss/lib/ckfw/slot.c753
-rw-r--r--security/nss/lib/ckfw/token.c1864
-rw-r--r--security/nss/lib/ckfw/wrap.c3414
-rw-r--r--security/nss/lib/crmf/Makefile77
-rw-r--r--security/nss/lib/crmf/asn1cmn.c236
-rw-r--r--security/nss/lib/crmf/challcli.c284
-rw-r--r--security/nss/lib/crmf/cmmf.h1119
-rw-r--r--security/nss/lib/crmf/cmmfasn1.c158
-rw-r--r--security/nss/lib/crmf/cmmfchal.c322
-rw-r--r--security/nss/lib/crmf/cmmfi.h127
-rw-r--r--security/nss/lib/crmf/cmmfit.h145
-rw-r--r--security/nss/lib/crmf/cmmfrec.c337
-rw-r--r--security/nss/lib/crmf/cmmfresp.c312
-rw-r--r--security/nss/lib/crmf/cmmft.h102
-rw-r--r--security/nss/lib/crmf/config.mk45
-rw-r--r--security/nss/lib/crmf/crmf.h1779
-rw-r--r--security/nss/lib/crmf/crmfcont.c1164
-rw-r--r--security/nss/lib/crmf/crmfdec.c380
-rw-r--r--security/nss/lib/crmf/crmfenc.c84
-rw-r--r--security/nss/lib/crmf/crmffut.h390
-rw-r--r--security/nss/lib/crmf/crmfget.c478
-rw-r--r--security/nss/lib/crmf/crmfi.h186
-rw-r--r--security/nss/lib/crmf/crmfit.h216
-rw-r--r--security/nss/lib/crmf/crmfpop.c604
-rw-r--r--security/nss/lib/crmf/crmfreq.c697
-rw-r--r--security/nss/lib/crmf/crmft.h217
-rw-r--r--security/nss/lib/crmf/crmftmpl.c270
-rw-r--r--security/nss/lib/crmf/encutil.c63
-rw-r--r--security/nss/lib/crmf/manifest.mn73
-rw-r--r--security/nss/lib/crmf/respcli.c167
-rw-r--r--security/nss/lib/crmf/respcmn.c414
-rw-r--r--security/nss/lib/crmf/servget.c1007
-rw-r--r--security/nss/lib/cryptohi/Makefile77
-rw-r--r--security/nss/lib/cryptohi/config.mk44
-rw-r--r--security/nss/lib/cryptohi/cryptohi.h236
-rw-r--r--security/nss/lib/cryptohi/cryptoht.h45
-rw-r--r--security/nss/lib/cryptohi/dsautil.c229
-rw-r--r--security/nss/lib/cryptohi/hasht.h87
-rw-r--r--security/nss/lib/cryptohi/key.h44
-rw-r--r--security/nss/lib/cryptohi/keyhi.h211
-rw-r--r--security/nss/lib/cryptohi/keyt.h46
-rw-r--r--security/nss/lib/cryptohi/keythi.h83
-rw-r--r--security/nss/lib/cryptohi/manifest.mn64
-rw-r--r--security/nss/lib/cryptohi/sechash.c274
-rw-r--r--security/nss/lib/cryptohi/sechash.h77
-rw-r--r--security/nss/lib/cryptohi/seckey.c1651
-rw-r--r--security/nss/lib/cryptohi/secsign.c497
-rw-r--r--security/nss/lib/cryptohi/secvfy.c391
-rw-r--r--security/nss/lib/fortcrypt/Makefile164
-rw-r--r--security/nss/lib/fortcrypt/config.mk52
-rw-r--r--security/nss/lib/fortcrypt/cryptint.h703
-rw-r--r--security/nss/lib/fortcrypt/fmutex.c113
-rw-r--r--security/nss/lib/fortcrypt/fmutex.h57
-rw-r--r--security/nss/lib/fortcrypt/forsock.c815
-rw-r--r--security/nss/lib/fortcrypt/fortinst.htm161
-rw-r--r--security/nss/lib/fortcrypt/fortpk11.c4544
-rw-r--r--security/nss/lib/fortcrypt/fortsock.h105
-rw-r--r--security/nss/lib/fortcrypt/fpkcs11.h170
-rw-r--r--security/nss/lib/fortcrypt/fpkcs11f.h953
-rw-r--r--security/nss/lib/fortcrypt/fpkcs11i.h269
-rw-r--r--security/nss/lib/fortcrypt/fpkcs11t.h1098
-rw-r--r--security/nss/lib/fortcrypt/fpkmem.h48
-rw-r--r--security/nss/lib/fortcrypt/fpkstrs.h122
-rw-r--r--security/nss/lib/fortcrypt/genci.h145
-rw-r--r--security/nss/lib/fortcrypt/globinst.htm139
-rw-r--r--security/nss/lib/fortcrypt/handinst.htm180
-rw-r--r--security/nss/lib/fortcrypt/homeinst.htm211
-rw-r--r--security/nss/lib/fortcrypt/inst.js268
-rw-r--r--security/nss/lib/fortcrypt/inst_PPC.js134
-rw-r--r--security/nss/lib/fortcrypt/install.js134
-rw-r--r--security/nss/lib/fortcrypt/maci.c901
-rw-r--r--security/nss/lib/fortcrypt/maci.h776
-rw-r--r--security/nss/lib/fortcrypt/macinst.htm148
-rw-r--r--security/nss/lib/fortcrypt/manifest.mn50
-rw-r--r--security/nss/lib/fortcrypt/replace.c101
-rw-r--r--security/nss/lib/fortcrypt/secmodjar.html441
-rw-r--r--security/nss/lib/fortcrypt/swfort/.cvsignore1
-rw-r--r--security/nss/lib/fortcrypt/swfort/Makefile82
-rw-r--r--security/nss/lib/fortcrypt/swfort/config.mk44
-rw-r--r--security/nss/lib/fortcrypt/swfort/manifest.mn56
-rw-r--r--security/nss/lib/fortcrypt/swfort/nsmap.h86
-rw-r--r--security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore15
-rw-r--r--security/nss/lib/fortcrypt/swfort/pkcs11/Makefile183
-rw-r--r--security/nss/lib/fortcrypt/swfort/pkcs11/config.mk52
-rw-r--r--security/nss/lib/fortcrypt/swfort/pkcs11/inst.js189
-rw-r--r--security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn73
-rwxr-xr-xsecurity/nss/lib/fortcrypt/swfort/pkcs11/pk11inst49
-rw-r--r--security/nss/lib/fortcrypt/swfort/pkcs11/stub.c344
-rw-r--r--security/nss/lib/fortcrypt/swfort/swfalg.c506
-rw-r--r--security/nss/lib/fortcrypt/swfort/swflib.c1028
-rw-r--r--security/nss/lib/fortcrypt/swfort/swfort.h70
-rw-r--r--security/nss/lib/fortcrypt/swfort/swforti.h176
-rw-r--r--security/nss/lib/fortcrypt/swfort/swfortt.h56
-rw-r--r--security/nss/lib/fortcrypt/swfort/swfortti.h153
-rw-r--r--security/nss/lib/fortcrypt/swfort/swfparse.c538
-rw-r--r--security/nss/lib/fortcrypt/swfort/swfutl.c728
-rw-r--r--security/nss/lib/freebl/Makefile87
-rw-r--r--security/nss/lib/freebl/alg2268.c491
-rw-r--r--security/nss/lib/freebl/blapi.h735
-rw-r--r--security/nss/lib/freebl/blapi_bsf.c2086
-rw-r--r--security/nss/lib/freebl/blapit.h219
-rw-r--r--security/nss/lib/freebl/config.mk44
-rw-r--r--security/nss/lib/freebl/dh.c82
-rwxr-xr-xsecurity/nss/lib/freebl/fblstdlib.c120
-rw-r--r--security/nss/lib/freebl/manifest.mn66
-rw-r--r--security/nss/lib/freebl/md2.c288
-rw-r--r--security/nss/lib/freebl/md5.c529
-rw-r--r--security/nss/lib/freebl/sha.c160
-rw-r--r--security/nss/lib/freebl/sha.h48
-rw-r--r--security/nss/lib/freebl/sha_fast.c433
-rw-r--r--security/nss/lib/jar/Makefile39
-rw-r--r--security/nss/lib/jar/config.mk44
-rw-r--r--security/nss/lib/jar/jar-ds.c70
-rw-r--r--security/nss/lib/jar/jar-ds.h106
-rw-r--r--security/nss/lib/jar/jar.c833
-rw-r--r--security/nss/lib/jar/jar.h477
-rw-r--r--security/nss/lib/jar/jarevil.c571
-rw-r--r--security/nss/lib/jar/jarevil.h76
-rw-r--r--security/nss/lib/jar/jarfile.c1149
-rw-r--r--security/nss/lib/jar/jarfile.h114
-rw-r--r--security/nss/lib/jar/jarint.c81
-rw-r--r--security/nss/lib/jar/jarint.h116
-rw-r--r--security/nss/lib/jar/jarjart.c354
-rw-r--r--security/nss/lib/jar/jarjart.h72
-rw-r--r--security/nss/lib/jar/jarnav.c107
-rw-r--r--security/nss/lib/jar/jarsign.c376
-rw-r--r--security/nss/lib/jar/jarver.c2029
-rw-r--r--security/nss/lib/jar/jzconf.h190
-rw-r--r--security/nss/lib/jar/jzlib.h896
-rw-r--r--security/nss/lib/jar/manifest.mn53
-rw-r--r--security/nss/lib/macbuild/NSS/NSS/NSS.mcpbin939 -> 0 bytes
-rw-r--r--security/nss/lib/macbuild/SecurityLib.mcpbin56096 -> 0 bytes
-rw-r--r--security/nss/lib/manifest.mn44
-rw-r--r--security/nss/lib/nss/Makefile78
-rw-r--r--security/nss/lib/nss/config.mk44
-rw-r--r--security/nss/lib/nss/manifest.mn47
-rw-r--r--security/nss/lib/nss/nss.h59
-rw-r--r--security/nss/lib/nss/nssinit.c201
-rw-r--r--security/nss/lib/pk11wrap/Makefile77
-rw-r--r--security/nss/lib/pk11wrap/config.mk44
-rw-r--r--security/nss/lib/pk11wrap/manifest.mn64
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c2413
-rw-r--r--security/nss/lib/pk11wrap/pk11db.c645
-rw-r--r--security/nss/lib/pk11wrap/pk11err.c147
-rw-r--r--security/nss/lib/pk11wrap/pk11func.h449
-rw-r--r--security/nss/lib/pk11wrap/pk11kea.c224
-rw-r--r--security/nss/lib/pk11wrap/pk11list.c165
-rw-r--r--security/nss/lib/pk11wrap/pk11load.c239
-rw-r--r--security/nss/lib/pk11wrap/pk11sdr.c288
-rw-r--r--security/nss/lib/pk11wrap/pk11sdr.h59
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c4854
-rw-r--r--security/nss/lib/pk11wrap/pk11slot.c4312
-rw-r--r--security/nss/lib/pk11wrap/pk11util.c518
-rw-r--r--security/nss/lib/pk11wrap/secmod.h134
-rw-r--r--security/nss/lib/pk11wrap/secmodi.h81
-rw-r--r--security/nss/lib/pk11wrap/secmodt.h175
-rw-r--r--security/nss/lib/pk11wrap/secmodti.h184
-rw-r--r--security/nss/lib/pkcs12/Makefile77
-rw-r--r--security/nss/lib/pkcs12/config.mk45
-rw-r--r--security/nss/lib/pkcs12/manifest.mn58
-rw-r--r--security/nss/lib/pkcs12/p12.h173
-rw-r--r--security/nss/lib/pkcs12/p12creat.c251
-rw-r--r--security/nss/lib/pkcs12/p12d.c3224
-rw-r--r--security/nss/lib/pkcs12/p12dec.c692
-rw-r--r--security/nss/lib/pkcs12/p12e.c2254
-rw-r--r--security/nss/lib/pkcs12/p12exp.c1407
-rw-r--r--security/nss/lib/pkcs12/p12local.c1325
-rw-r--r--security/nss/lib/pkcs12/p12local.h87
-rw-r--r--security/nss/lib/pkcs12/p12plcy.c198
-rw-r--r--security/nss/lib/pkcs12/p12plcy.h57
-rw-r--r--security/nss/lib/pkcs12/p12t.h182
-rw-r--r--security/nss/lib/pkcs12/p12tmpl.c315
-rw-r--r--security/nss/lib/pkcs12/pkcs12.h67
-rw-r--r--security/nss/lib/pkcs12/pkcs12t.h386
-rw-r--r--security/nss/lib/pkcs7/Makefile76
-rw-r--r--security/nss/lib/pkcs7/config.mk44
-rw-r--r--security/nss/lib/pkcs7/manifest.mn59
-rw-r--r--security/nss/lib/pkcs7/p7common.c738
-rw-r--r--security/nss/lib/pkcs7/p7create.c1320
-rw-r--r--security/nss/lib/pkcs7/p7decode.c2087
-rw-r--r--security/nss/lib/pkcs7/p7encode.c1329
-rw-r--r--security/nss/lib/pkcs7/p7local.c1431
-rw-r--r--security/nss/lib/pkcs7/p7local.h176
-rw-r--r--security/nss/lib/pkcs7/pkcs7t.h292
-rw-r--r--security/nss/lib/pkcs7/secmime.c901
-rw-r--r--security/nss/lib/pkcs7/secmime.h192
-rw-r--r--security/nss/lib/pkcs7/secpkcs7.h618
-rw-r--r--security/nss/lib/pki/nsspki.h3161
-rw-r--r--security/nss/lib/pki/nsspkit.h261
-rw-r--r--security/nss/lib/pki1/.cvsignore3
-rw-r--r--security/nss/lib/pki1/Makefile38
-rw-r--r--security/nss/lib/pki1/atav.c1803
-rw-r--r--security/nss/lib/pki1/config.mk37
-rw-r--r--security/nss/lib/pki1/genname.c94
-rw-r--r--security/nss/lib/pki1/gnseq.c71
-rw-r--r--security/nss/lib/pki1/manifest.mn63
-rw-r--r--security/nss/lib/pki1/name.c77
-rw-r--r--security/nss/lib/pki1/nsspki1.h2869
-rw-r--r--security/nss/lib/pki1/nsspki1t.h202
-rw-r--r--security/nss/lib/pki1/oid.c1615
-rwxr-xr-xsecurity/nss/lib/pki1/oidgen.perl311
-rw-r--r--security/nss/lib/pki1/oids.txt2115
-rw-r--r--security/nss/lib/pki1/pki1.h3032
-rw-r--r--security/nss/lib/pki1/pki1t.h104
-rw-r--r--security/nss/lib/pki1/rdn.c73
-rw-r--r--security/nss/lib/pki1/rdnseq.c71
-rw-r--r--security/nss/lib/pkix/doc/name_rules.html178
-rw-r--r--security/nss/lib/pkix/include/nsspkix.h24377
-rw-r--r--security/nss/lib/pkix/include/nsspkixt.h2281
-rw-r--r--security/nss/lib/pkix/include/pkix.h26086
-rw-r--r--security/nss/lib/pkix/include/pkixm.h969
-rw-r--r--security/nss/lib/pkix/include/pkixt.h57
-rw-r--r--security/nss/lib/pkix/include/pkixtm.h1581
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c85
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c71
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c79
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c81
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c83
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c71
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c80
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c71
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c138
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c137
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c76
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c144
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c117
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c88
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c69
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c78
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c75
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c86
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c76
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c77
-rw-r--r--security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c182
-rw-r--r--security/nss/lib/pkix/src/Attribute/AddValue.c79
-rw-r--r--security/nss/lib/pkix/src/Attribute/Create.c141
-rw-r--r--security/nss/lib/pkix/src/Attribute/CreateFromArray.c97
-rw-r--r--security/nss/lib/pkix/src/Attribute/Decode.c84
-rw-r--r--security/nss/lib/pkix/src/Attribute/Destroy.c74
-rw-r--r--security/nss/lib/pkix/src/Attribute/Duplicate.c79
-rw-r--r--security/nss/lib/pkix/src/Attribute/Encode.c85
-rw-r--r--security/nss/lib/pkix/src/Attribute/Equal.c88
-rw-r--r--security/nss/lib/pkix/src/Attribute/FindValue.c84
-rw-r--r--security/nss/lib/pkix/src/Attribute/GetType.c72
-rw-r--r--security/nss/lib/pkix/src/Attribute/GetValue.c86
-rw-r--r--security/nss/lib/pkix/src/Attribute/GetValueCount.c75
-rw-r--r--security/nss/lib/pkix/src/Attribute/GetValues.c88
-rw-r--r--security/nss/lib/pkix/src/Attribute/MClear.c71
-rw-r--r--security/nss/lib/pkix/src/Attribute/MCount.c87
-rw-r--r--security/nss/lib/pkix/src/Attribute/MVCreate.c165
-rw-r--r--security/nss/lib/pkix/src/Attribute/PAddValue.c140
-rw-r--r--security/nss/lib/pkix/src/Attribute/PCreate.c139
-rw-r--r--security/nss/lib/pkix/src/Attribute/PCreateFromArray.c191
-rw-r--r--security/nss/lib/pkix/src/Attribute/PDecode.c153
-rw-r--r--security/nss/lib/pkix/src/Attribute/PDestroy.c82
-rw-r--r--security/nss/lib/pkix/src/Attribute/PDuplicate.c189
-rw-r--r--security/nss/lib/pkix/src/Attribute/PEncode.c126
-rw-r--r--security/nss/lib/pkix/src/Attribute/PEqual.c164
-rw-r--r--security/nss/lib/pkix/src/Attribute/PFindValue.c107
-rw-r--r--security/nss/lib/pkix/src/Attribute/PGetType.c79
-rw-r--r--security/nss/lib/pkix/src/Attribute/PGetValue.c98
-rw-r--r--security/nss/lib/pkix/src/Attribute/PGetValueCount.c88
-rw-r--r--security/nss/lib/pkix/src/Attribute/PGetValues.c145
-rw-r--r--security/nss/lib/pkix/src/Attribute/PRemoveValue.c121
-rw-r--r--security/nss/lib/pkix/src/Attribute/PSetType.c90
-rw-r--r--security/nss/lib/pkix/src/Attribute/PSetValue.c102
-rw-r--r--security/nss/lib/pkix/src/Attribute/PSetValues.c135
-rw-r--r--security/nss/lib/pkix/src/Attribute/RemoveValue.c76
-rw-r--r--security/nss/lib/pkix/src/Attribute/SetType.c80
-rw-r--r--security/nss/lib/pkix/src/Attribute/SetValue.c80
-rw-r--r--security/nss/lib/pkix/src/Attribute/SetValues.c85
-rw-r--r--security/nss/lib/pkix/src/Attribute/template.c58
-rw-r--r--security/nss/lib/pkix/src/Attribute/verifyPointer.c170
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c85
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c81
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c70
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c79
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c81
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c85
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c71
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c79
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c80
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c73
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c154
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c137
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c144
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c78
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c165
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c101
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c95
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c78
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c81
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c83
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c86
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c85
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c76
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c77
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/template.c56
-rw-r--r--security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c184
-rw-r--r--security/nss/lib/pkix/src/Name/Create.c93
-rw-r--r--security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c79
-rw-r--r--security/nss/lib/pkix/src/Name/CreateFromUTF8.c81
-rw-r--r--security/nss/lib/pkix/src/Name/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/Name/Destroy.c71
-rw-r--r--security/nss/lib/pkix/src/Name/Duplicate.c79
-rw-r--r--security/nss/lib/pkix/src/Name/Encode.c81
-rw-r--r--security/nss/lib/pkix/src/Name/Equal.c85
-rw-r--r--security/nss/lib/pkix/src/Name/GetChoice.c70
-rw-r--r--security/nss/lib/pkix/src/Name/GetRDNSequence.c80
-rw-r--r--security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c90
-rw-r--r--security/nss/lib/pkix/src/Name/GetUTF8Encoding.c79
-rw-r--r--security/nss/lib/pkix/src/Name/MClear.c73
-rw-r--r--security/nss/lib/pkix/src/Name/Mregister.c72
-rw-r--r--security/nss/lib/pkix/src/Name/PCreate.c173
-rw-r--r--security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c145
-rw-r--r--security/nss/lib/pkix/src/Name/PCreateFromUTF8.c145
-rw-r--r--security/nss/lib/pkix/src/Name/PDecode.c138
-rw-r--r--security/nss/lib/pkix/src/Name/PDestroy.c76
-rw-r--r--security/nss/lib/pkix/src/Name/PDuplicate.c172
-rw-r--r--security/nss/lib/pkix/src/Name/PEncode.c118
-rw-r--r--security/nss/lib/pkix/src/Name/PEqual.c104
-rw-r--r--security/nss/lib/pkix/src/Name/PGetChoice.c68
-rw-r--r--security/nss/lib/pkix/src/Name/PGetRDNSequence.c87
-rw-r--r--security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c93
-rw-r--r--security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c81
-rw-r--r--security/nss/lib/pkix/src/Name/template.c56
-rw-r--r--security/nss/lib/pkix/src/Name/verifyPointer.c210
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c77
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/Create.c125
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c86
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c81
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/Destroy.c70
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/Duplicate.c79
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/Encode.c81
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/Equal.c85
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c78
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c81
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c71
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c85
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c79
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c79
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/MClear.c73
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/MCount.c82
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/MVCreate.c141
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c105
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PCreate.c123
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c151
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c139
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PDecode.c138
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PDestroy.c76
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PDuplicate.c177
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PEncode.c118
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PEqual.c107
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c90
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c96
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c85
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c135
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c81
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c117
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c104
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c103
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c153
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c72
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c79
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c115
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/template.c55
-rw-r--r--security/nss/lib/pkix/src/RDNSequence/verifyPointer.c205
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c77
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c125
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c86
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c81
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c70
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c80
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c81
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c85
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c78
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c81
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c72
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c83
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c79
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c73
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c82
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c158
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c107
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c123
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c151
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c139
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c142
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c76
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c177
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c123
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c101
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c96
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c89
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c85
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c133
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c81
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c121
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c102
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c166
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c73
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c79
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c113
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/template.c55
-rw-r--r--security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c205
-rw-r--r--security/nss/lib/pkix/src/Time/Compare.c75
-rw-r--r--security/nss/lib/pkix/src/Time/CreateFromPRTime.c65
-rw-r--r--security/nss/lib/pkix/src/Time/CreateFromUTF8.c70
-rw-r--r--security/nss/lib/pkix/src/Time/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/Time/Destroy.c62
-rw-r--r--security/nss/lib/pkix/src/Time/Duplicate.c69
-rw-r--r--security/nss/lib/pkix/src/Time/Encode.c71
-rw-r--r--security/nss/lib/pkix/src/Time/Equal.c74
-rw-r--r--security/nss/lib/pkix/src/Time/GetPRTime.c64
-rw-r--r--security/nss/lib/pkix/src/Time/GetUTF8Encoding.c69
-rw-r--r--security/nss/lib/pkix/src/Time/PCreateFromPRTime.c117
-rw-r--r--security/nss/lib/pkix/src/Time/PCreateFromUTF8.c121
-rw-r--r--security/nss/lib/pkix/src/Time/PDecode.c137
-rw-r--r--security/nss/lib/pkix/src/Time/PDestroy.c68
-rw-r--r--security/nss/lib/pkix/src/Time/PEncode.c66
-rw-r--r--security/nss/lib/pkix/src/Time/template.c54
-rw-r--r--security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c105
-rw-r--r--security/nss/lib/pkix/src/X520Name/Decode.c79
-rw-r--r--security/nss/lib/pkix/src/X520Name/Destroy.c70
-rw-r--r--security/nss/lib/pkix/src/X520Name/Duplicate.c79
-rw-r--r--security/nss/lib/pkix/src/X520Name/Encode.c80
-rw-r--r--security/nss/lib/pkix/src/X520Name/Equal.c83
-rw-r--r--security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c78
-rw-r--r--security/nss/lib/pkix/src/X520Name/MDoUTF8.c97
-rw-r--r--security/nss/lib/pkix/src/X520Name/PCreate.c169
-rw-r--r--security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c164
-rw-r--r--security/nss/lib/pkix/src/X520Name/PDecode.c135
-rw-r--r--security/nss/lib/pkix/src/X520Name/PDestroy.c87
-rw-r--r--security/nss/lib/pkix/src/X520Name/PDuplicate.c158
-rw-r--r--security/nss/lib/pkix/src/X520Name/PEncode.c93
-rw-r--r--security/nss/lib/pkix/src/X520Name/PEqual.c100
-rw-r--r--security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c82
-rw-r--r--security/nss/lib/pkix/src/X520Name/template.c56
-rw-r--r--security/nss/lib/pkix/src/X520Name/verifyPointer.c169
-rw-r--r--security/nss/lib/smime/Makefile76
-rw-r--r--security/nss/lib/smime/cms.h1065
-rw-r--r--security/nss/lib/smime/cmsarray.c212
-rw-r--r--security/nss/lib/smime/cmsasn1.c560
-rw-r--r--security/nss/lib/smime/cmsattr.c453
-rw-r--r--security/nss/lib/smime/cmscinfo.c327
-rw-r--r--security/nss/lib/smime/cmscipher.c792
-rw-r--r--security/nss/lib/smime/cmsdecode.c688
-rw-r--r--security/nss/lib/smime/cmsdigdata.c223
-rw-r--r--security/nss/lib/smime/cmsdigest.c259
-rw-r--r--security/nss/lib/smime/cmsencdata.c279
-rw-r--r--security/nss/lib/smime/cmsencode.c740
-rw-r--r--security/nss/lib/smime/cmsenvdata.c416
-rw-r--r--security/nss/lib/smime/cmslocal.h330
-rw-r--r--security/nss/lib/smime/cmsmessage.c313
-rw-r--r--security/nss/lib/smime/cmspubkey.c531
-rw-r--r--security/nss/lib/smime/cmsrecinfo.c421
-rw-r--r--security/nss/lib/smime/cmsreclist.c187
-rw-r--r--security/nss/lib/smime/cmsreclist.h59
-rw-r--r--security/nss/lib/smime/cmssigdata.c850
-rw-r--r--security/nss/lib/smime/cmssiginfo.c871
-rw-r--r--security/nss/lib/smime/cmst.h489
-rw-r--r--security/nss/lib/smime/cmsutil.c362
-rw-r--r--security/nss/lib/smime/config.mk44
-rw-r--r--security/nss/lib/smime/manifest.mn74
-rw-r--r--security/nss/lib/smime/smime.h148
-rw-r--r--security/nss/lib/smime/smimemessage.c215
-rw-r--r--security/nss/lib/smime/smimeutil.c714
-rw-r--r--security/nss/lib/softoken/Makefile77
-rw-r--r--security/nss/lib/softoken/alghmac.c169
-rw-r--r--security/nss/lib/softoken/alghmac.h90
-rw-r--r--security/nss/lib/softoken/config.mk44
-rw-r--r--security/nss/lib/softoken/fipstest.c1093
-rw-r--r--security/nss/lib/softoken/fipstokn.c951
-rw-r--r--security/nss/lib/softoken/keydb.c2308
-rw-r--r--security/nss/lib/softoken/keydbt.h89
-rw-r--r--security/nss/lib/softoken/keylow.h251
-rw-r--r--security/nss/lib/softoken/keytboth.h99
-rw-r--r--security/nss/lib/softoken/keytlow.h100
-rw-r--r--security/nss/lib/softoken/lowkey.c330
-rw-r--r--security/nss/lib/softoken/manifest.mn77
-rw-r--r--security/nss/lib/softoken/padbuf.c77
-rw-r--r--security/nss/lib/softoken/pkcs11.c4031
-rw-r--r--security/nss/lib/softoken/pkcs11.h316
-rw-r--r--security/nss/lib/softoken/pkcs11c.c5323
-rw-r--r--security/nss/lib/softoken/pkcs11f.h933
-rw-r--r--security/nss/lib/softoken/pkcs11i.h428
-rw-r--r--security/nss/lib/softoken/pkcs11p.h49
-rw-r--r--security/nss/lib/softoken/pkcs11t.h1115
-rw-r--r--security/nss/lib/softoken/pkcs11u.c1270
-rw-r--r--security/nss/lib/softoken/pkcs11u.h48
-rw-r--r--security/nss/lib/softoken/private.h78
-rw-r--r--security/nss/lib/softoken/rawhash.c111
-rw-r--r--security/nss/lib/softoken/rsawrapr.c1049
-rw-r--r--security/nss/lib/softoken/secpkcs5.c1827
-rw-r--r--security/nss/lib/softoken/secpkcs5.h185
-rw-r--r--security/nss/lib/softoken/softoken.h167
-rw-r--r--security/nss/lib/softoken/softoknt.h61
-rw-r--r--security/nss/lib/ssl/Makefile82
-rw-r--r--security/nss/lib/ssl/authcert.c115
-rw-r--r--security/nss/lib/ssl/cmpcert.c117
-rw-r--r--security/nss/lib/ssl/config.mk44
-rw-r--r--security/nss/lib/ssl/emulate.c626
-rw-r--r--security/nss/lib/ssl/manifest.mn77
-rw-r--r--security/nss/lib/ssl/notes.txt161
-rw-r--r--security/nss/lib/ssl/nsskea.c75
-rw-r--r--security/nss/lib/ssl/preenc.h161
-rw-r--r--security/nss/lib/ssl/prelib.c253
-rw-r--r--security/nss/lib/ssl/ssl.h423
-rw-r--r--security/nss/lib/ssl/ssl3con.c7521
-rw-r--r--security/nss/lib/ssl/ssl3gthr.c228
-rw-r--r--security/nss/lib/ssl/ssl3prot.h307
-rw-r--r--security/nss/lib/ssl/sslauth.c257
-rw-r--r--security/nss/lib/ssl/sslcon.c3683
-rw-r--r--security/nss/lib/ssl/ssldef.c228
-rw-r--r--security/nss/lib/ssl/sslenum.c76
-rw-r--r--security/nss/lib/ssl/sslerr.c69
-rw-r--r--security/nss/lib/ssl/sslerr.h188
-rw-r--r--security/nss/lib/ssl/sslgathr.c481
-rw-r--r--security/nss/lib/ssl/sslimpl.h1250
-rw-r--r--security/nss/lib/ssl/sslnonce.c345
-rw-r--r--security/nss/lib/ssl/sslproto.h158
-rw-r--r--security/nss/lib/ssl/sslreveal.c97
-rw-r--r--security/nss/lib/ssl/sslsecur.c1372
-rw-r--r--security/nss/lib/ssl/sslsnce.c1905
-rw-r--r--security/nss/lib/ssl/sslsock.c1816
-rw-r--r--security/nss/lib/ssl/sslsocks.c1147
-rw-r--r--security/nss/lib/ssl/ssltrace.c269
-rw-r--r--security/nss/lib/ssl/unix_err.c536
-rw-r--r--security/nss/lib/ssl/unix_err.h87
-rw-r--r--security/nss/lib/ssl/win32err.c373
-rw-r--r--security/nss/lib/ssl/win32err.h81
-rw-r--r--security/nss/lib/util/Makefile86
-rw-r--r--security/nss/lib/util/base64.h71
-rw-r--r--security/nss/lib/util/ciferfam.h87
-rw-r--r--security/nss/lib/util/config.mk44
-rw-r--r--security/nss/lib/util/derdec.c552
-rw-r--r--security/nss/lib/util/derenc.c504
-rw-r--r--security/nss/lib/util/dersubr.c258
-rw-r--r--security/nss/lib/util/dertime.c334
-rw-r--r--security/nss/lib/util/mac_rand.c280
-rw-r--r--security/nss/lib/util/manifest.mn100
-rw-r--r--security/nss/lib/util/nssb64.h124
-rw-r--r--security/nss/lib/util/nssb64d.c861
-rw-r--r--security/nss/lib/util/nssb64e.c762
-rw-r--r--security/nss/lib/util/nssb64t.h45
-rw-r--r--security/nss/lib/util/nsslocks.c99
-rw-r--r--security/nss/lib/util/nsslocks.h67
-rw-r--r--security/nss/lib/util/nssrwlk.c512
-rw-r--r--security/nss/lib/util/nssrwlk.h160
-rw-r--r--security/nss/lib/util/nssrwlkt.h47
-rw-r--r--security/nss/lib/util/os2_rand.c232
-rw-r--r--security/nss/lib/util/portreg.c317
-rw-r--r--security/nss/lib/util/portreg.h92
-rw-r--r--security/nss/lib/util/pqgutil.c267
-rw-r--r--security/nss/lib/util/pqgutil.h127
-rw-r--r--security/nss/lib/util/ret_cr16.s54
-rw-r--r--security/nss/lib/util/secalgid.c169
-rw-r--r--security/nss/lib/util/secasn1.h264
-rw-r--r--security/nss/lib/util/secasn1d.c2934
-rw-r--r--security/nss/lib/util/secasn1e.c1468
-rw-r--r--security/nss/lib/util/secasn1t.h259
-rw-r--r--security/nss/lib/util/secasn1u.c106
-rw-r--r--security/nss/lib/util/seccomon.h109
-rw-r--r--security/nss/lib/util/secder.h193
-rw-r--r--security/nss/lib/util/secdert.h170
-rw-r--r--security/nss/lib/util/secdig.c230
-rw-r--r--security/nss/lib/util/secdig.h132
-rw-r--r--security/nss/lib/util/secdigt.h57
-rw-r--r--security/nss/lib/util/secerr.h187
-rw-r--r--security/nss/lib/util/secinit.c50
-rw-r--r--security/nss/lib/util/secitem.c240
-rw-r--r--security/nss/lib/util/secitem.h106
-rw-r--r--security/nss/lib/util/secoid.c1533
-rw-r--r--security/nss/lib/util/secoid.h112
-rw-r--r--security/nss/lib/util/secoidt.h309
-rw-r--r--security/nss/lib/util/secplcy.c114
-rw-r--r--security/nss/lib/util/secplcy.h133
-rw-r--r--security/nss/lib/util/secport.c601
-rw-r--r--security/nss/lib/util/secport.h274
-rw-r--r--security/nss/lib/util/secrng.h82
-rw-r--r--security/nss/lib/util/secrngt.h44
-rw-r--r--security/nss/lib/util/sectime.c177
-rw-r--r--security/nss/lib/util/sysrand.c43
-rw-r--r--security/nss/lib/util/unix_rand.c792
-rw-r--r--security/nss/lib/util/utf8.c2061
-rw-r--r--security/nss/lib/util/watcomfx.h59
-rw-r--r--security/nss/lib/util/win_rand.c415
707 files changed, 0 insertions, 316852 deletions
diff --git a/security/nss/lib/Makefile b/security/nss/lib/Makefile
deleted file mode 100644
index 91ab94618..000000000
--- a/security/nss/lib/Makefile
+++ /dev/null
@@ -1,88 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-ifdef MOZILLA_SECURITY_BUILD
-FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
-
-export::
- if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
- $(NSINSTALL) -D crypto; \
- for file in $(FILES) ; do \
- if test -f $$file; then \
- $(NSINSTALL) -m 444 $$file crypto; \
- fi; \
- done; \
- $(NSINSTALL) -m 444 crypto/nscertinit.c certdb; \
- fi
-endif
diff --git a/security/nss/lib/asn1/Makefile b/security/nss/lib/asn1/Makefile
deleted file mode 100644
index 03e1fb4c6..000000000
--- a/security/nss/lib/asn1/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/asn1/asn1.c b/security/nss/lib/asn1/asn1.c
deleted file mode 100644
index 3d5cfc8f7..000000000
--- a/security/nss/lib/asn1/asn1.c
+++ /dev/null
@@ -1,1726 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * asn1.c
- *
- * At this point in time, this file contains the NSS wrappers for
- * the old "SEC" ASN.1 encoder/decoder stuff.
- */
-
-#ifndef ASN1M_H
-#include "asn1m.h"
-#endif /* ASN1M_H */
-
-#include "plarena.h"
-#include "secasn1.h"
-
-/*
- * The pointer-tracking stuff
- */
-
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker decoder_pointer_tracker;
-
-static PRStatus
-decoder_add_pointer
-(
- const nssASN1Decoder *decoder
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&decoder_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&decoder_pointer_tracker, decoder);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-static PRStatus
-decoder_remove_pointer
-(
- const nssASN1Decoder *decoder
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&decoder_pointer_tracker, decoder);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-
-/*
- * nssASN1Decoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Decoder
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_verify
-(
- nssASN1Decoder *decoder
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&decoder_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&decoder_pointer_tracker, decoder);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_ASN1DECODER);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-static nssPointerTracker encoder_pointer_tracker;
-
-static PRStatus
-encoder_add_pointer
-(
- const nssASN1Encoder *encoder
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&encoder_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&encoder_pointer_tracker, encoder);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-static PRStatus
-encoder_remove_pointer
-(
- const nssASN1Encoder *encoder
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&encoder_pointer_tracker, encoder);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-
-/*
- * nssASN1Encoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Encoder
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_verify
-(
- nssASN1Encoder *encoder
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&encoder_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&encoder_pointer_tracker, encoder);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_ASN1ENCODER);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-/*
- * nssASN1Decoder_Create
- *
- * This routine creates an ASN.1 Decoder, which will use the specified
- * template to decode a datastream into the specified destination
- * structure. If the optional arena argument is non-NULL, blah blah
- * blah. XXX fgmr Should we include an nssASN1EncodingType argument,
- * as a hint? Or is each encoding distinctive? This routine may
- * return NULL upon error, in which case an error will have been
- * placed upon the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * ...
- *
- * Return value:
- * NULL upon error
- * A pointer to an ASN.1 Decoder upon success.
- */
-
-NSS_IMPLEMENT nssASN1Decoder *
-nssASN1Decoder_Create
-(
- NSSArena *arenaOpt,
- void *destination,
- const nssASN1Template template[]
-)
-{
- SEC_ASN1DecoderContext *rv;
- PLArenaPool *hack = (PLArenaPool *)arenaOpt;
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (nssASN1Decoder *)NULL;
- }
- }
-
- /*
- * May destination be NULL? I'd think so, since one might
- * have only a filter proc. But if not, check the pointer here.
- */
-
- if( (nssASN1Template *)NULL == template ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (nssASN1Decoder *)NULL;
- }
-#endif /* DEBUG */
-
- rv = SEC_ASN1DecoderStart(hack, destination, template);
- if( (SEC_ASN1DecoderContext *)NULL == rv ) {
- nss_SetError(PORT_GetError()); /* also evil */
- return (nssASN1Decoder *)NULL;
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != decoder_add_pointer(rv) ) {
- (void)SEC_ASN1DecoderFinish(rv);
- return (nssASN1Decoder *)NULL;
- }
-#endif /* DEBUG */
-
- return (nssASN1Decoder *)rv;
-}
-
-/*
- * nssASN1Decoder_Update
- *
- * This routine feeds data to the decoder. In the event of an error,
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_ASN1DECODER
- * NSS_ERROR_INVALID_BER
- * ...
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success.
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_Update
-(
- nssASN1Decoder *decoder,
- const void *data,
- PRUint32 amount
-)
-{
- PRStatus rv;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
- return PR_FAILURE;
- }
-
- if( (void *)NULL == data ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- rv = SEC_ASN1DecoderUpdate((SEC_ASN1DecoderContext *)decoder,
- (const char *)data,
- (unsigned long)amount);
- if( PR_SUCCESS != rv ) {
- nss_SetError(PORT_GetError()); /* ugly */
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Decoder_Finish
- *
- * This routine finishes the decoding and destroys the decoder.
- * In the event of an error, it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_Finish
-(
- nssASN1Decoder *decoder
-)
-{
- PRStatus rv;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- rv = SEC_ASN1DecoderFinish((SEC_ASN1DecoderContext *)decoder);
-
- if( PR_SUCCESS != rv ) {
- nss_SetError(PORT_GetError()); /* ugly */
- }
-
-#ifdef DEBUG
- {
- PRStatus rv2 = decoder_remove_pointer(decoder);
- if( PR_SUCCESS == rv ) {
- rv = rv2;
- }
- }
-#endif /* DEBUG */
-
- return rv;
-}
-
-/*
- * nssASN1Decoder_SetFilter
- *
- * This routine registers a callback filter routine with the decoder,
- * which will be called blah blah blah. The specified argument will
- * be passed as-is to the filter routine. The routine pointer may
- * be NULL, in which case no filter callback will be called. If the
- * noStore boolean is PR_TRUE, then decoded fields will not be stored
- * in the destination structure specified when the decoder was
- * created. This routine returns a PRStatus value; in the event of
- * an error, it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_SetFilter
-(
- nssASN1Decoder *decoder,
- nssASN1DecoderFilterFunction *callback,
- void *argument,
- PRBool noStore
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (nssASN1DecoderFilterFunction *)NULL == callback ) {
- SEC_ASN1DecoderClearFilterProc((SEC_ASN1DecoderContext *)decoder);
- } else {
- SEC_ASN1DecoderSetFilterProc((SEC_ASN1DecoderContext *)decoder,
- (SEC_ASN1WriteProc)callback,
- argument, noStore);
- }
-
- /* No error returns defined for those routines */
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Decoder_GetFilter
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetFilter will be stored at the
- * location indicated by it. If the optional pArgumentOpt
- * pointer is non-null, the filter's closure argument will be stored
- * there. If the optional pNoStoreOpt pointer is non-null, the
- * noStore value specified when setting the filter will be stored
- * there. This routine returns a PRStatus value; in the event of
- * an error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_GetFilter
-(
- nssASN1Decoder *decoder,
- nssASN1DecoderFilterFunction **pCallbackOpt,
- void **pArgumentOpt,
- PRBool *pNoStoreOpt
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (nssASN1DecoderFilterFunction **)NULL != pCallbackOpt ) {
- *pCallbackOpt = (nssASN1DecoderFilterFunction *)NULL;
- }
-
- if( (void **)NULL != pArgumentOpt ) {
- *pArgumentOpt = (void *)NULL;
- }
-
- if( (PRBool *)NULL != pNoStoreOpt ) {
- *pNoStoreOpt = PR_FALSE;
- }
-
- /* Error because it's unimplemented */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
-}
-
-/*
- * nssASN1Decoder_SetNotify
- *
- * This routine registers a callback notify routine with the decoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine. The routine pointer may be
- * NULL, in which case no notify routine will be called. This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_SetNotify
-(
- nssASN1Decoder *decoder,
- nssASN1NotifyFunction *callback,
- void *argument
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (nssASN1NotifyFunction *)NULL == callback ) {
- SEC_ASN1DecoderClearNotifyProc((SEC_ASN1DecoderContext *)decoder);
- } else {
- SEC_ASN1DecoderSetNotifyProc((SEC_ASN1DecoderContext *)decoder,
- (SEC_ASN1NotifyProc)callback,
- argument);
- }
-
- /* No error returns defined for those routines */
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Decoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetNotify will be stored at the
- * location indicated by it. If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_GetNotify
-(
- nssASN1Decoder *decoder,
- nssASN1NotifyFunction **pCallbackOpt,
- void **pArgumentOpt
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (nssASN1NotifyFunction **)NULL != pCallbackOpt ) {
- *pCallbackOpt = (nssASN1NotifyFunction *)NULL;
- }
-
- if( (void **)NULL != pArgumentOpt ) {
- *pArgumentOpt = (void *)NULL;
- }
-
- /* Error because it's unimplemented */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
-}
-
-/*
- * nssASN1_Decode
- *
- * This routine will decode the specified data into the specified
- * destination structure, as specified by the specified template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_BER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_Decode
-(
- NSSArena *arenaOpt,
- void *destination,
- const nssASN1Template template[],
- const void *berData,
- PRUint32 amount
-)
-{
- PRStatus rv;
- nssASN1Decoder *decoder;
-
- /* This call will do our pointer-checking for us! */
- decoder = nssASN1Decoder_Create(arenaOpt, destination, template);
- if( (nssASN1Decoder *)NULL == decoder ) {
- return PR_FAILURE;
- }
-
- rv = nssASN1Decoder_Update(decoder, berData, amount);
- if( PR_SUCCESS != nssASN1Decoder_Finish(decoder) ) {
- rv = PR_FAILURE;
- }
-
- return rv;
-}
-
-/*
- * nssASN1_DecodeBER
- *
- * This routine will decode the data in the specified NSSBER
- * into the destination structure, as specified by the template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_NSSBER
- * NSS_ERROR_INVALID_BER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_DecodeBER
-(
- NSSArena *arenaOpt,
- void *destination,
- const nssASN1Template template[],
- const NSSBER *data
-)
-{
- return nssASN1_Decode(arenaOpt, destination, template,
- data->data, data->size);
-}
-
-/*
- * nssASN1Encoder_Create
- *
- * This routine creates an ASN.1 Encoder, blah blah blah. This
- * may return NULL upon error, in which case an error will have been
- * placed on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * ...
- *
- * Return value:
- * NULL upon error
- * A pointer to an ASN.1 Encoder upon success
- */
-
-NSS_IMPLEMENT nssASN1Encoder *
-nssASN1Encoder_Create
-(
- const void *source,
- const nssASN1Template template[],
- NSSASN1EncodingType encoding,
- nssASN1EncoderWriteFunction *sink,
- void *argument
-)
-{
- SEC_ASN1EncoderContext *rv;
-
-#ifdef DEBUG
- if( (void *)NULL == source ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (nssASN1Encoder *)NULL;
- }
-
- if( (nssASN1Template *)NULL == template ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (nssASN1Encoder *)NULL;
- }
-
- if( (nssASN1EncoderWriteFunction *)NULL == sink ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (nssASN1Encoder *)NULL;
- }
-#endif /* DEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- case NSSASN1DER:
- break;
- case NSSASN1CER:
- case NSSASN1LWER:
- case NSSASN1PER:
- case NSSASN1UnknownEncoding:
- default:
- nss_SetError(NSS_ERROR_ENCODING_NOT_SUPPORTED);
- return (nssASN1Encoder *)NULL;
- }
-
- rv = SEC_ASN1EncoderStart((void *)source, template,
- (SEC_ASN1WriteProc)sink, argument);
- if( (SEC_ASN1EncoderContext *)NULL == rv ) {
- nss_SetError(PORT_GetError()); /* ugly */
- return (nssASN1Encoder *)NULL;
- }
-
- if( NSSASN1DER == encoding ) {
- sec_ASN1EncoderSetDER(rv);
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != encoder_add_pointer(rv) ) {
- (void)SEC_ASN1EncoderFinish(rv);
- return (nssASN1Encoder *)NULL;
- }
-#endif /* DEBUG */
-
- return (nssASN1Encoder *)rv;
-}
-
-/*
- * nssASN1Encoder_Update
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_Update
-(
- nssASN1Encoder *encoder,
- const void *data,
- PRUint32 length
-)
-{
- PRStatus rv;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-
- /*
- * Can data legitimately be NULL? If not, verify..
- */
-#endif /* DEBUG */
-
- rv = SEC_ASN1EncoderUpdate((SEC_ASN1EncoderContext *)encoder,
- (const char *)data,
- (unsigned long)length);
- if( PR_SUCCESS != rv ) {
- nss_SetError(PORT_GetError()); /* ugly */
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_Finish
- *
- * Destructor.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_Finish
-(
- nssASN1Encoder *encoder
-)
-{
- PRStatus rv;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- SEC_ASN1EncoderFinish((SEC_ASN1EncoderContext *)encoder);
- rv = PR_SUCCESS; /* no error return defined for that call */
-
-#ifdef DEBUG
- {
- PRStatus rv2 = encoder_remove_pointer(encoder);
- if( PR_SUCCESS == rv ) {
- rv = rv2;
- }
- }
-#endif /* DEBUG */
-
- return rv;
-}
-
-/*
- * nssASN1Encoder_SetNotify
- *
- * This routine registers a callback notify routine with the encoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine. The routine pointer may be
- * NULL, in which case no notify routine will be called. This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_SetNotify
-(
- nssASN1Encoder *encoder,
- nssASN1NotifyFunction *callback,
- void *argument
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (nssASN1NotifyFunction *)NULL == callback ) {
- SEC_ASN1EncoderClearNotifyProc((SEC_ASN1EncoderContext *)encoder);
- } else {
- SEC_ASN1EncoderSetNotifyProc((SEC_ASN1EncoderContext *)encoder,
- (SEC_ASN1NotifyProc)callback,
- argument);
- }
-
- /* no error return defined for those routines */
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Encoder_SetNotify will be stored at the
- * location indicated by it. If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_GetNotify
-(
- nssASN1Encoder *encoder,
- nssASN1NotifyFunction **pCallbackOpt,
- void **pArgumentOpt
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (nssASN1NotifyFunction **)NULL != pCallbackOpt ) {
- *pCallbackOpt = (nssASN1NotifyFunction *)NULL;
- }
-
- if( (void **)NULL != pArgumentOpt ) {
- *pArgumentOpt = (void *)NULL;
- }
-
- /* Error because it's unimplemented */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
-}
-
-/*
- * nssASN1Encoder_SetStreaming
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_SetStreaming
-(
- nssASN1Encoder *encoder,
- PRBool streaming
-)
-{
- SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext *)encoder;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( streaming ) {
- SEC_ASN1EncoderSetStreaming(cx);
- } else {
- SEC_ASN1EncoderClearStreaming(cx);
- }
-
- /* no error return defined for those routines */
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_GetStreaming
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetStreaming
-(
- nssASN1Encoder *encoder,
- PRBool *pStreaming
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (PRBool *)NULL != pStreaming ) {
- *pStreaming = PR_FALSE;
- }
-
- /* Error because it's unimplemented */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
-}
-
-/*
- * nssASN1Encoder_SetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_SetTakeFromBuffer
-(
- nssASN1Encoder *encoder,
- PRBool takeFromBuffer
-)
-{
- SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext *)encoder;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( takeFromBuffer ) {
- SEC_ASN1EncoderSetTakeFromBuf(cx);
- } else {
- SEC_ASN1EncoderClearTakeFromBuf(cx);
- }
-
- /* no error return defined for those routines */
-
- return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_GetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_GetTakeFromBuffer
-(
- nssASN1Encoder *encoder,
- PRBool *pTakeFromBuffer
-)
-{
-#ifdef DEBUG
- if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( (PRBool *)NULL != pTakeFromBuffer ) {
- *pTakeFromBuffer = PR_FALSE;
- }
-
- /* Error because it's unimplemented */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
-}
-
-/*
- * nssASN1_Encode
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ENCODING_NOT_SUPPORTED
- * ...
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_Encode
-(
- const void *source,
- const nssASN1Template template[],
- NSSASN1EncodingType encoding,
- nssASN1EncoderWriteFunction *sink,
- void *argument
-)
-{
- PRStatus rv;
- nssASN1Encoder *encoder;
-
- encoder = nssASN1Encoder_Create(source, template, encoding, sink, argument);
- if( (nssASN1Encoder *)NULL == encoder ) {
- return PR_FAILURE;
- }
-
- rv = nssASN1Encoder_Update(encoder, (const void *)NULL, 0);
- if( PR_SUCCESS != nssASN1Encoder_Finish(encoder) ) {
- rv = PR_FAILURE;
- }
-
- return rv;
-}
-
-/*
- * nssasn1_encode_item_count
- *
- * This is a helper function for nssASN1_EncodeItem. It just counts
- * up the space required for an encoding.
- */
-
-static void
-nssasn1_encode_item_count
-(
- void *arg,
- const char *buf,
- unsigned long len,
- int depth,
- nssASN1EncodingPart data_kind
-)
-{
- unsigned long *count;
-
- count = (unsigned long*)arg;
- PR_ASSERT (count != NULL);
-
- *count += len;
-}
-
-/*
- * nssasn1_encode_item_store
- *
- * This is a helper function for nssASN1_EncodeItem. It appends the
- * new data onto the destination item.
- */
-
-static void
-nssasn1_encode_item_store
-(
- void *arg,
- const char *buf,
- unsigned long len,
- int depth,
- nssASN1EncodingPart data_kind
-)
-{
- NSSItem *dest;
-
- dest = (NSSItem*)arg;
- PR_ASSERT (dest != NULL);
-
- memcpy((unsigned char *)dest->data + dest->size, buf, len);
- dest->size += len;
-}
-
-/*
- * nssASN1_EncodeItem
- *
- * There must be a better name. If the optional arena argument is
- * non-null, it'll be used for the space. If the optional rvOpt is
- * non-null, it'll be the return value-- if it is null, a new one
- * will be allocated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ENCODING_NOT_SUPPORTED
- *
- * Return value:
- * NULL upon error
- * A valid pointer to an NSSDER upon success
- */
-
-NSS_IMPLEMENT NSSDER *
-nssASN1_EncodeItem
-(
- NSSArena *arenaOpt,
- NSSDER *rvOpt,
- const void *source,
- const nssASN1Template template[],
- NSSASN1EncodingType encoding
-)
-{
- PLArenaPool *hack = (PLArenaPool *)arenaOpt;
- NSSDER *rv;
- PRUint32 len = 0;
- PRStatus status;
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-
- if( (void *)NULL == source ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSDER *)NULL;
- }
-
- if( (nssASN1Template *)NULL == template ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSDER *)NULL;
- }
-#endif /* DEBUG */
-
- status = nssASN1_Encode(source, template, encoding,
- (nssASN1EncoderWriteFunction *)nssasn1_encode_item_count,
- &len);
- if( PR_SUCCESS != status ) {
- return (NSSDER *)NULL;
- }
-
- if( (NSSDER *)NULL == rvOpt ) {
- rv = nss_ZNEW(arenaOpt, NSSDER);
- if( (NSSDER *)NULL == rv ) {
- return (NSSDER *)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- rv->size = len;
- rv->data = nss_ZAlloc(arenaOpt, len);
- if( (void *)NULL == rv->data ) {
- if( (NSSDER *)NULL == rvOpt ) {
- nss_ZFreeIf(rv);
- }
- return (NSSDER *)NULL;
- }
-
- rv->size = 0; /* for nssasn1_encode_item_store */
-
- status = nssASN1_Encode(source, template, encoding,
- (nssASN1EncoderWriteFunction *)nssasn1_encode_item_store,
- rv);
- if( PR_SUCCESS != status ) {
- nss_ZFreeIf(rv->data);
- if( (NSSDER *)NULL == rvOpt ) {
- nss_ZFreeIf(rv);
- }
- return (NSSDER *)NULL;
- }
-
- PR_ASSERT(rv->size == len);
-
- return rv;
-}
-
-/*
- * nssASN1_CreatePRUint32FromBER
- *
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_CreatePRUint32FromBER
-(
- NSSBER *encoded,
- PRUint32 *pResult
-)
-{
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FALSE;
-}
-
-/*
- * nssASN1_GetDERFromPRUint32
- *
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_GetDERFromPRUint32
-(
- NSSArena *arenaOpt,
- NSSDER *rvOpt,
- PRUint32 value
-)
-{
- NSSDER *rv;
- PLArenaPool *hack = (PLArenaPool *)arenaOpt;
- SECItem *item;
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- if( (NSSDER *)NULL == rvOpt ) {
- rv = nss_ZNEW(arenaOpt, NSSDER);
- if( (NSSDER *)NULL == rv ) {
- return (NSSDER *)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- item = SEC_ASN1EncodeUnsignedInteger(hack, (SECItem *)rv, value);
- if( (SECItem *)NULL == item ) {
- if( (NSSDER *)NULL == rvOpt ) {
- (void)nss_ZFreeIf(rv);
- }
-
- nss_SetError(PORT_GetError()); /* ugly */
- return (NSSDER *)NULL;
- }
-
- /*
- * I happen to know that these things look alike.. but I'm only
- * doing it for these "temporary" wrappers. This is an evil thing.
- */
- return (NSSDER *)item;
-}
-
-/*himom*/
-NSS_IMPLEMENT PRStatus
-nssASN1_CreatePRInt32FromBER
-(
- NSSBER *encoded,
- PRInt32 *pResult
-)
-{
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FALSE;
-}
-
-/*
- * nssASN1_GetDERFromPRInt32
- *
- */
-
-NSS_IMPLEMENT NSSDER *
-nssASN1_GetDERFromPRInt32
-(
- NSSArena *arenaOpt,
- NSSDER *rvOpt,
- PRInt32 value
-)
-{
- NSSDER *rv;
- PLArenaPool *hack = (PLArenaPool *)arenaOpt;
- SECItem *item;
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- if( (NSSDER *)NULL == rvOpt ) {
- rv = nss_ZNEW(arenaOpt, NSSDER);
- if( (NSSDER *)NULL == rv ) {
- return (NSSDER *)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- item = SEC_ASN1EncodeInteger(hack, (SECItem *)rv, value);
- if( (SECItem *)NULL == item ) {
- if( (NSSDER *)NULL == rvOpt ) {
- (void)nss_ZFreeIf(rv);
- }
-
- nss_SetError(PORT_GetError()); /* ugly */
- return (NSSDER *)NULL;
- }
-
- /*
- * I happen to know that these things look alike.. but I'm only
- * doing it for these "temporary" wrappers. This is an evil thing.
- */
- return (NSSDER *)item;
-}
-
-/*
- * Generic Templates
- * One for each of the simple types, plus a special one for ANY, plus:
- * - a pointer to each one of those
- * - a set of each one of those
- *
- * Note that these are alphabetical (case insensitive); please add new
- * ones in the appropriate place.
- */
-
-const nssASN1Template *nssASN1Template_Any = (nssASN1Template *)SEC_AnyTemplate;
-const nssASN1Template *nssASN1Template_BitString = (nssASN1Template *)SEC_BitStringTemplate;
-const nssASN1Template *nssASN1Template_BMPString = (nssASN1Template *)SEC_BMPStringTemplate;
-const nssASN1Template *nssASN1Template_Boolean = (nssASN1Template *)SEC_BooleanTemplate;
-const nssASN1Template *nssASN1Template_Enumerated = (nssASN1Template *)SEC_EnumeratedTemplate;
-const nssASN1Template *nssASN1Template_GeneralizedTime = (nssASN1Template *)SEC_GeneralizedTimeTemplate;
-const nssASN1Template *nssASN1Template_IA5String = (nssASN1Template *)SEC_IA5StringTemplate;
-const nssASN1Template *nssASN1Template_Integer = (nssASN1Template *)SEC_IntegerTemplate;
-const nssASN1Template *nssASN1Template_Null = (nssASN1Template *)SEC_NullTemplate;
-const nssASN1Template *nssASN1Template_ObjectID = (nssASN1Template *)SEC_ObjectIDTemplate;
-const nssASN1Template *nssASN1Template_OctetString = (nssASN1Template *)SEC_OctetStringTemplate;
-const nssASN1Template *nssASN1Template_PrintableString = (nssASN1Template *)SEC_PrintableStringTemplate;
-const nssASN1Template *nssASN1Template_T61String = (nssASN1Template *)SEC_T61StringTemplate;
-const nssASN1Template *nssASN1Template_UniversalString = (nssASN1Template *)SEC_UniversalStringTemplate;
-const nssASN1Template *nssASN1Template_UTCTime = (nssASN1Template *)SEC_UTCTimeTemplate;
-const nssASN1Template *nssASN1Template_UTF8String = (nssASN1Template *)SEC_UTF8StringTemplate;
-const nssASN1Template *nssASN1Template_VisibleString = (nssASN1Template *)SEC_VisibleStringTemplate;
-
-const nssASN1Template *nssASN1Template_PointerToAny = (nssASN1Template *)SEC_PointerToAnyTemplate;
-const nssASN1Template *nssASN1Template_PointerToBitString = (nssASN1Template *)SEC_PointerToBitStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToBMPString = (nssASN1Template *)SEC_PointerToBMPStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToBoolean = (nssASN1Template *)SEC_PointerToBooleanTemplate;
-const nssASN1Template *nssASN1Template_PointerToEnumerated = (nssASN1Template *)SEC_PointerToEnumeratedTemplate;
-const nssASN1Template *nssASN1Template_PointerToGeneralizedTime = (nssASN1Template *)SEC_PointerToGeneralizedTimeTemplate;
-const nssASN1Template *nssASN1Template_PointerToIA5String = (nssASN1Template *)SEC_PointerToIA5StringTemplate;
-const nssASN1Template *nssASN1Template_PointerToInteger = (nssASN1Template *)SEC_PointerToIntegerTemplate;
-const nssASN1Template *nssASN1Template_PointerToNull = (nssASN1Template *)SEC_PointerToNullTemplate;
-const nssASN1Template *nssASN1Template_PointerToObjectID = (nssASN1Template *)SEC_PointerToObjectIDTemplate;
-const nssASN1Template *nssASN1Template_PointerToOctetString = (nssASN1Template *)SEC_PointerToOctetStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToPrintableString = (nssASN1Template *)SEC_PointerToPrintableStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToT61String = (nssASN1Template *)SEC_PointerToT61StringTemplate;
-const nssASN1Template *nssASN1Template_PointerToUniversalString = (nssASN1Template *)SEC_PointerToUniversalStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToUTCTime = (nssASN1Template *)SEC_PointerToUTCTimeTemplate;
-const nssASN1Template *nssASN1Template_PointerToUTF8String = (nssASN1Template *)SEC_PointerToUTF8StringTemplate;
-const nssASN1Template *nssASN1Template_PointerToVisibleString = (nssASN1Template *)SEC_PointerToVisibleStringTemplate;
-
-const nssASN1Template *nssASN1Template_SetOfAny = (nssASN1Template *)SEC_SetOfAnyTemplate;
-const nssASN1Template *nssASN1Template_SetOfBitString = (nssASN1Template *)SEC_SetOfBitStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfBMPString = (nssASN1Template *)SEC_SetOfBMPStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfBoolean = (nssASN1Template *)SEC_SetOfBooleanTemplate;
-const nssASN1Template *nssASN1Template_SetOfEnumerated = (nssASN1Template *)SEC_SetOfEnumeratedTemplate;
-const nssASN1Template *nssASN1Template_SetOfGeneralizedTime = (nssASN1Template *)SEC_SetOfGeneralizedTimeTemplate;
-const nssASN1Template *nssASN1Template_SetOfIA5String = (nssASN1Template *)SEC_SetOfIA5StringTemplate;
-const nssASN1Template *nssASN1Template_SetOfInteger = (nssASN1Template *)SEC_SetOfIntegerTemplate;
-const nssASN1Template *nssASN1Template_SetOfNull = (nssASN1Template *)SEC_SetOfNullTemplate;
-const nssASN1Template *nssASN1Template_SetOfObjectID = (nssASN1Template *)SEC_SetOfObjectIDTemplate;
-const nssASN1Template *nssASN1Template_SetOfOctetString = (nssASN1Template *)SEC_SetOfOctetStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfPrintableString = (nssASN1Template *)SEC_SetOfPrintableStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfT61String = (nssASN1Template *)SEC_SetOfT61StringTemplate;
-const nssASN1Template *nssASN1Template_SetOfUniversalString = (nssASN1Template *)SEC_SetOfUniversalStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfUTCTime = (nssASN1Template *)SEC_SetOfUTCTimeTemplate;
-const nssASN1Template *nssASN1Template_SetOfUTF8String = (nssASN1Template *)SEC_SetOfUTF8StringTemplate;
-const nssASN1Template *nssASN1Template_SetOfVisibleString = (nssASN1Template *)SEC_SetOfVisibleStringTemplate;
-
-/*
- *
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_CreateFromBER
-(
- NSSArena *arenaOpt,
- nssStringType type,
- NSSBER *berData
-)
-{
- NSSUTF8 *rv = NULL;
- PRUint8 tag;
- NSSArena *a;
- NSSItem in;
- NSSItem out;
- PRStatus st;
- const nssASN1Template *templ;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-
- if( (NSSBER *)NULL == berData ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSUTF8 *)NULL;
- }
-
- if( (void *)NULL == berData->data ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- a = NSSArena_Create();
- if( (NSSArena *)NULL == a ) {
- return (NSSUTF8 *)NULL;
- }
-
- in = *berData;
-
- /*
- * By the way, at first I succumbed to the temptation to make
- * this an incestuous nested switch statement. Count yourself
- * lucky I cleaned it up.
- */
-
- switch( type ) {
- case nssStringType_DirectoryString:
- /*
- * draft-ietf-pkix-ipki-part1-11 says in part:
- *
- * DirectoryString { INTEGER:maxSize } ::= CHOICE {
- * teletexString TeletexString (SIZE (1..maxSize)),
- * printableString PrintableString (SIZE (1..maxSize)),
- * universalString UniversalString (SIZE (1..maxSize)),
- * bmpString BMPString (SIZE(1..maxSize)),
- * utf8String UTF8String (SIZE(1..maxSize))
- * }
- *
- * The tags are:
- * TeletexString UNIVERSAL 20
- * PrintableString UNIVERSAL 19
- * UniversalString UNIVERSAL 28
- * BMPString UNIVERSAL 30
- * UTF8String UNIVERSAL 12
- *
- * "UNIVERSAL" tags have bits 8 and 7 zero, bit 6 is zero for
- * primitive encodings, and if the tag value is less than 30,
- * the tag value is directly encoded in bits 5 through 1.
- */
- in.data = (void *)&(((PRUint8 *)berData->data)[1]);
- in.size = berData->size-1;
-
- tag = *(PRUint8 *)berData->data;
- switch( tag & nssASN1_TAGNUM_MASK ) {
- case 20:
- /*
- * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
- * below) but is T61 a suitable value for "Latin-1"?
- */
- templ = nssASN1Template_T61String;
- type = nssStringType_TeletexString;
- break;
- case 19:
- templ = nssASN1Template_PrintableString;
- type = nssStringType_PrintableString;
- break;
- case 28:
- templ = nssASN1Template_UniversalString;
- type = nssStringType_UniversalString;
- break;
- case 30:
- templ = nssASN1Template_BMPString;
- type = nssStringType_BMPString;
- break;
- case 12:
- templ = nssASN1Template_UTF8String;
- type = nssStringType_UTF8String;
- break;
- default:
- nss_SetError(NSS_ERROR_INVALID_POINTER); /* "pointer"? */
- (void)NSSArena_Destroy(a);
- return (NSSUTF8 *)NULL;
- }
-
- break;
-
- case nssStringType_TeletexString:
- /*
- * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
- * below) but is T61 a suitable value for "Latin-1"?
- */
- templ = nssASN1Template_T61String;
- break;
-
- case nssStringType_PrintableString:
- templ = nssASN1Template_PrintableString;
- break;
-
- case nssStringType_UniversalString:
- templ = nssASN1Template_UniversalString;
- break;
-
- case nssStringType_BMPString:
- templ = nssASN1Template_BMPString;
- break;
-
- case nssStringType_UTF8String:
- templ = nssASN1Template_UTF8String;
- break;
-
- case nssStringType_PHGString:
- templ = nssASN1Template_IA5String;
- break;
-
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
- (void)NSSArena_Destroy(a);
- return (NSSUTF8 *)NULL;
- }
-
- st = nssASN1_DecodeBER(a, &out, templ, &in);
-
- if( PR_SUCCESS == st ) {
- rv = nssUTF8_Create(arenaOpt, type, out.data, out.size);
- }
- (void)NSSArena_Destroy(a);
-
- return rv;
-}
-
-NSS_EXTERN NSSDER *
-nssUTF8_GetDEREncoding
-(
- NSSArena *arenaOpt,
- nssStringType type,
- const NSSUTF8 *string
-)
-{
- NSSDER *rv = (NSSDER *)NULL;
- NSSItem str;
- NSSDER *der;
- const nssASN1Template *templ;
- NSSArena *a;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-
- if( (const NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSDER *)NULL;
- }
-#endif /* NSSDEBUG */
-
- str.data = (void *)string;
- str.size = nssUTF8_Size(string, (PRStatus *)NULL);
- if( 0 == str.size ) {
- return (NSSDER *)NULL;
- }
-
- a = NSSArena_Create();
- if( (NSSArena *)NULL == a ) {
- return (NSSDER *)NULL;
- }
-
- switch( type ) {
- case nssStringType_DirectoryString:
- {
- NSSDER *utf;
- PRUint8 *c;
-
- utf = nssASN1_EncodeItem(a, (NSSDER *)NULL, &str,
- nssASN1Template_UTF8String,
- NSSASN1DER);
- if( (NSSDER *)NULL == utf ) {
- (void)NSSArena_Destroy(a);
- return (NSSDER *)NULL;
- }
-
- rv = nss_ZNEW(arenaOpt, NSSDER);
- if( (NSSDER *)NULL == rv ) {
- (void)NSSArena_Destroy(a);
- return (NSSDER *)NULL;
- }
-
- rv->size = utf->size + 1;
- rv->data = nss_ZAlloc(arenaOpt, rv->size);
- if( (void *)NULL == rv->data ) {
- (void)nss_ZFreeIf(rv);
- (void)NSSArena_Destroy(a);
- return (NSSDER *)NULL;
- }
-
- c = (PRUint8 *)rv->data;
- (void)nsslibc_memcpy(&c[1], utf->data, utf->size);
- *c = 12; /* UNIVERSAL primitive encoding tag for UTF8String */
-
- (void)NSSArena_Destroy(a);
- return rv;
- }
- case nssStringType_TeletexString:
- /*
- * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
- * below) but is T61 a suitable value for "Latin-1"?
- */
- templ = nssASN1Template_T61String;
- break;
- case nssStringType_PrintableString:
- templ = nssASN1Template_PrintableString;
- break;
-
- case nssStringType_UniversalString:
- templ = nssASN1Template_UniversalString;
- break;
-
- case nssStringType_BMPString:
- templ = nssASN1Template_BMPString;
- break;
-
- case nssStringType_UTF8String:
- templ = nssASN1Template_UTF8String;
- break;
-
- case nssStringType_PHGString:
- templ = nssASN1Template_IA5String;
- break;
-
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
- (void)NSSArena_Destroy(a);
- return (NSSDER *)NULL;
- }
-
- der = nssUTF8_GetDEREncoding(a, type, string);
- if( (NSSItem *)NULL == der ) {
- (void)NSSArena_Destroy(a);
- return (NSSDER *)NULL;
- }
-
- rv = nssASN1_EncodeItem(arenaOpt, (NSSDER *)NULL, der, templ, NSSASN1DER);
- if( (NSSDER *)NULL == rv ) {
- (void)NSSArena_Destroy(a);
- return (NSSDER *)NULL;
- }
-
- (void)NSSArena_Destroy(a);
- return rv;
-}
diff --git a/security/nss/lib/asn1/asn1.h b/security/nss/lib/asn1/asn1.h
deleted file mode 100644
index a81f3213d..000000000
--- a/security/nss/lib/asn1/asn1.h
+++ /dev/null
@@ -1,879 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef ASN1_H
-#define ASN1_H
-
-#ifdef DEBUG
-static const char ASN1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * asn1.h
- *
- * This file contains the ASN.1 encoder/decoder routines available
- * internally within NSS. It's not clear right now if this file
- * will be folded into base.h or something, I just needed to get this
- * going. At the moment, most of these routines wrap the old SEC_ASN1
- * calls.
- */
-
-#ifndef ASN1T_H
-#include "asn1t.h"
-#endif /* ASN1T_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nssASN1Decoder
- *
- * ... description here ...
- *
- * nssASN1Decoder_Create (Factory/Constructor)
- * nssASN1Decoder_Update
- * nssASN1Decoder_Finish (Destructor)
- * nssASN1Decoder_SetFilter
- * nssASN1Decoder_GetFilter
- * nssASN1Decoder_SetNotify
- * nssASN1Decoder_GetNotify
- *
- * Debug builds only:
- *
- * nssASN1Decoder_verify
- *
- * Related functions that aren't type methods:
- *
- * nssASN1_Decode
- * nssASN1_DecodeBER
- */
-
-/*
- * nssASN1Decoder_Create
- *
- * This routine creates an ASN.1 Decoder, which will use the specified
- * template to decode a datastream into the specified destination
- * structure. If the optional arena argument is non-NULL, blah blah
- * blah. XXX fgmr Should we include an nssASN1EncodingType argument,
- * as a hint? Or is each encoding distinctive? This routine may
- * return NULL upon error, in which case an error will have been
- * placed upon the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * ...
- *
- * Return value:
- * NULL upon error
- * A pointer to an ASN.1 Decoder upon success.
- */
-
-NSS_EXTERN nssASN1Decoder *
-nssASN1Decoder_Create
-(
- NSSArena *arenaOpt,
- void *destination,
- const nssASN1Template template[]
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Decoder_Update
- *
- * This routine feeds data to the decoder. In the event of an error,
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_ASN1DECODER
- * NSS_ERROR_INVALID_BER
- * ...
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success.
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_Update
-(
- nssASN1Decoder *decoder,
- const void *data,
- PRUint32 amount
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-extern const NSSError NSS_ERROR_INVALID_BER;
-
-/*
- * nssASN1Decoder_Finish
- *
- * This routine finishes the decoding and destroys the decoder.
- * In the event of an error, it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_Finish
-(
- nssASN1Decoder *decoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_SetFilter
- *
- * This routine registers a callback filter routine with the decoder,
- * which will be called blah blah blah. The specified argument will
- * be passed as-is to the filter routine. The routine pointer may
- * be NULL, in which case no filter callback will be called. If the
- * noStore boolean is PR_TRUE, then decoded fields will not be stored
- * in the destination structure specified when the decoder was
- * created. This routine returns a PRStatus value; in the event of
- * an error, it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_SetFilter
-(
- nssASN1Decoder *decoder,
- nssASN1DecoderFilterFunction *callback,
- void *argument,
- PRBool noStore
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_GetFilter
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetFilter will be stored at the
- * location indicated by it. If the optional pArgumentOpt
- * pointer is non-null, the filter's closure argument will be stored
- * there. If the optional pNoStoreOpt pointer is non-null, the
- * noStore value specified when setting the filter will be stored
- * there. This routine returns a PRStatus value; in the event of
- * an error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_GetFilter
-(
- nssASN1Decoder *decoder,
- nssASN1DecoderFilterFunction **pCallbackOpt,
- void **pArgumentOpt,
- PRBool *pNoStoreOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_SetNotify
- *
- * This routine registers a callback notify routine with the decoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine. The routine pointer may be
- * NULL, in which case no notify routine will be called. This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_SetNotify
-(
- nssASN1Decoder *decoder,
- nssASN1NotifyFunction *callback,
- void *argument
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetNotify will be stored at the
- * location indicated by it. If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_GetNotify
-(
- nssASN1Decoder *decoder,
- nssASN1NotifyFunction **pCallbackOpt,
- void **pArgumentOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Decoder
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssASN1Decoder_verify
-(
- nssASN1Decoder *decoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-#endif /* DEBUG */
-
-/*
- * nssASN1_Decode
- *
- * This routine will decode the specified data into the specified
- * destination structure, as specified by the specified template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_BER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1_Decode
-(
- NSSArena *arenaOpt,
- void *destination,
- const nssASN1Template template[],
- const void *berData,
- PRUint32 amount
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_INVALID_BER;
-
-/*
- * nssASN1_DecodeBER
- *
- * This routine will decode the data in the specified NSSBER
- * into the destination structure, as specified by the template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_NSSBER
- * NSS_ERROR_INVALID_BER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1_DecodeBER
-(
- NSSArena *arenaOpt,
- void *destination,
- const nssASN1Template template[],
- const NSSBER *data
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_INVALID_BER;
-
-/*
- * nssASN1Encoder
- *
- * ... description here ...
- *
- * nssASN1Encoder_Create (Factory/Constructor)
- * nssASN1Encoder_Update
- * nssASN1Encoder_Finish (Destructor)
- * nssASN1Encoder_SetNotify
- * nssASN1Encoder_GetNotify
- * nssASN1Encoder_SetStreaming
- * nssASN1Encoder_GetStreaming
- * nssASN1Encoder_SetTakeFromBuffer
- * nssASN1Encoder_GetTakeFromBuffer
- *
- * Debug builds only:
- *
- * nssASN1Encoder_verify
- *
- * Related functions that aren't type methods:
- *
- * nssASN1_Encode
- * nssASN1_EncodeItem
- */
-
-/*
- * nssASN1Encoder_Create
- *
- * This routine creates an ASN.1 Encoder, blah blah blah. This
- * may return NULL upon error, in which case an error will have been
- * placed on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ENCODING_NOT_SUPPORTED
- * ...
- *
- * Return value:
- * NULL upon error
- * A pointer to an ASN.1 Encoder upon success
- */
-
-NSS_EXTERN nssASN1Encoder *
-nssASN1Encoder_Create
-(
- const void *source,
- const nssASN1Template template[],
- NSSASN1EncodingType encoding,
- nssASN1EncoderWriteFunction *sink,
- void *argument
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
-
-/*
- * nssASN1Encoder_Update
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_Update
-(
- nssASN1Encoder *encoder,
- const void *data,
- PRUint32 length
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Encoder_Finish
- *
- * Destructor.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_Finish
-(
- nssASN1Encoder *encoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_SetNotify
- *
- * This routine registers a callback notify routine with the encoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine. The routine pointer may be
- * NULL, in which case no notify routine will be called. This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_SetNotify
-(
- nssASN1Encoder *encoder,
- nssASN1NotifyFunction *callback,
- void *argument
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Encoder_SetNotify will be stored at the
- * location indicated by it. If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetNotify
-(
- nssASN1Encoder *encoder,
- nssASN1NotifyFunction **pCallbackOpt,
- void **pArgumentOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_SetStreaming
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_SetStreaming
-(
- nssASN1Encoder *encoder,
- PRBool streaming
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_GetStreaming
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetStreaming
-(
- nssASN1Encoder *encoder,
- PRBool *pStreaming
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Encoder_SetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_SetTakeFromBuffer
-(
- nssASN1Encoder *encoder,
- PRBool takeFromBuffer
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_GetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetTakeFromBuffer
-(
- nssASN1Encoder *encoder,
- PRBool *pTakeFromBuffer
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Encoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Encoder
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssASN1Encoder_verify
-(
- nssASN1Encoder *encoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-#endif /* DEBUG */
-
-/*
- * nssASN1_Encode
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ENCODING_NOT_SUPPORTED
- * ...
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1_Encode
-(
- const void *source,
- const nssASN1Template template[],
- NSSASN1EncodingType encoding,
- nssASN1EncoderWriteFunction *sink,
- void *argument
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
-
-/*
- * nssASN1_EncodeItem
- *
- * There must be a better name. If the optional arena argument is
- * non-null, it'll be used for the space. If the optional rvOpt is
- * non-null, it'll be the return value-- if it is null, a new one
- * will be allocated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ENCODING_NOT_SUPPORTED
- *
- * Return value:
- * NULL upon error
- * A valid pointer to an NSSDER upon success
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_EncodeItem
-(
- NSSArena *arenaOpt,
- NSSDER *rvOpt,
- const void *source,
- const nssASN1Template template[],
- NSSASN1EncodingType encoding
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
-
-/*
- * Other basic types' encoding and decoding helper functions:
- *
- * nssASN1_CreatePRUint32FromBER
- * nssASN1_GetDERFromPRUint32
- * nssASN1_CreatePRInt32FromBER
- * nssASN1_GetDERFromPRInt32
- * ..etc..
- */
-
-/*
- * nssASN1_CreatePRUint32FromBER
- *
- */
-
-NSS_EXTERN PRStatus
-nssASN1_CreatePRUint32FromBER
-(
- NSSBER *encoded,
- PRUint32 *pResult
-);
-
-/*
- * nssASN1_GetDERFromPRUint32
- *
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_GetDERFromPRUint32
-(
- NSSArena *arenaOpt,
- NSSDER *rvOpt,
- PRUint32 value
-);
-
-/*
- * nssASN1_CreatePRInt32FromBER
- *
- */
-
-NSS_EXTERN PRStatus
-nssASN1_CreatePRInt32FromBER
-(
- NSSBER *encoded,
- PRInt32 *pResult
-);
-
-/*
- * nssASN1_GetDERFromPRInt32
- *
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_GetDERFromPRInt32
-(
- NSSArena *arenaOpt,
- NSSDER *rvOpt,
- PRInt32 value
-);
-
-/*
- * Builtin templates
- */
-
-/*
- * Generic Templates
- * One for each of the simple types, plus a special one for ANY, plus:
- * - a pointer to each one of those
- * - a set of each one of those
- *
- * Note that these are alphabetical (case insensitive); please add new
- * ones in the appropriate place.
- */
-
-extern const nssASN1Template *nssASN1Template_Any;
-extern const nssASN1Template *nssASN1Template_BitString;
-extern const nssASN1Template *nssASN1Template_BMPString;
-extern const nssASN1Template *nssASN1Template_Boolean;
-extern const nssASN1Template *nssASN1Template_Enumerated;
-extern const nssASN1Template *nssASN1Template_GeneralizedTime;
-extern const nssASN1Template *nssASN1Template_IA5String;
-extern const nssASN1Template *nssASN1Template_Integer;
-extern const nssASN1Template *nssASN1Template_Null;
-extern const nssASN1Template *nssASN1Template_ObjectID;
-extern const nssASN1Template *nssASN1Template_OctetString;
-extern const nssASN1Template *nssASN1Template_PrintableString;
-extern const nssASN1Template *nssASN1Template_T61String;
-extern const nssASN1Template *nssASN1Template_UniversalString;
-extern const nssASN1Template *nssASN1Template_UTCTime;
-extern const nssASN1Template *nssASN1Template_UTF8String;
-extern const nssASN1Template *nssASN1Template_VisibleString;
-
-extern const nssASN1Template *nssASN1Template_PointerToAny;
-extern const nssASN1Template *nssASN1Template_PointerToBitString;
-extern const nssASN1Template *nssASN1Template_PointerToBMPString;
-extern const nssASN1Template *nssASN1Template_PointerToBoolean;
-extern const nssASN1Template *nssASN1Template_PointerToEnumerated;
-extern const nssASN1Template *nssASN1Template_PointerToGeneralizedTime;
-extern const nssASN1Template *nssASN1Template_PointerToIA5String;
-extern const nssASN1Template *nssASN1Template_PointerToInteger;
-extern const nssASN1Template *nssASN1Template_PointerToNull;
-extern const nssASN1Template *nssASN1Template_PointerToObjectID;
-extern const nssASN1Template *nssASN1Template_PointerToOctetString;
-extern const nssASN1Template *nssASN1Template_PointerToPrintableString;
-extern const nssASN1Template *nssASN1Template_PointerToT61String;
-extern const nssASN1Template *nssASN1Template_PointerToUniversalString;
-extern const nssASN1Template *nssASN1Template_PointerToUTCTime;
-extern const nssASN1Template *nssASN1Template_PointerToUTF8String;
-extern const nssASN1Template *nssASN1Template_PointerToVisibleString;
-
-extern const nssASN1Template *nssASN1Template_SetOfAny;
-extern const nssASN1Template *nssASN1Template_SetOfBitString;
-extern const nssASN1Template *nssASN1Template_SetOfBMPString;
-extern const nssASN1Template *nssASN1Template_SetOfBoolean;
-extern const nssASN1Template *nssASN1Template_SetOfEnumerated;
-extern const nssASN1Template *nssASN1Template_SetOfGeneralizedTime;
-extern const nssASN1Template *nssASN1Template_SetOfIA5String;
-extern const nssASN1Template *nssASN1Template_SetOfInteger;
-extern const nssASN1Template *nssASN1Template_SetOfNull;
-extern const nssASN1Template *nssASN1Template_SetOfObjectID;
-extern const nssASN1Template *nssASN1Template_SetOfOctetString;
-extern const nssASN1Template *nssASN1Template_SetOfPrintableString;
-extern const nssASN1Template *nssASN1Template_SetOfT61String;
-extern const nssASN1Template *nssASN1Template_SetOfUniversalString;
-extern const nssASN1Template *nssASN1Template_SetOfUTCTime;
-extern const nssASN1Template *nssASN1Template_SetOfUTF8String;
-extern const nssASN1Template *nssASN1Template_SetOfVisibleString;
-
-/*
- *
- */
-
-NSS_EXTERN NSSUTF8 *
-nssUTF8_CreateFromBER
-(
- NSSArena *arenaOpt,
- nssStringType type,
- NSSBER *berData
-);
-
-NSS_EXTERN NSSDER *
-nssUTF8_GetDEREncoding
-(
- NSSArena *arenaOpt,
- /* Should have an NSSDER *rvOpt */
- nssStringType type,
- const NSSUTF8 *string
-);
-
-PR_END_EXTERN_C
-
-#endif /* ASN1_H */
diff --git a/security/nss/lib/asn1/asn1m.h b/security/nss/lib/asn1/asn1m.h
deleted file mode 100644
index 37ed91919..000000000
--- a/security/nss/lib/asn1/asn1m.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef ASN1M_H
-#define ASN1M_H
-
-#ifdef DEBUG
-static const char ASN1M_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * asn1m.h
- *
- * This file contains the ASN.1 encoder/decoder routines available
- * only within the ASN.1 module itself.
- */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nssasn1_number_length
- *
- */
-
-NSS_EXTERN PRUint32
-nssasn1_length_length
-(
- PRUint32 number
-);
-
-/*
- * nssasn1_get_subtemplate
- *
- */
-
-NSS_EXTERN const nssASN1Template *
-nssasn1_get_subtemplate
-(
- const nssASN1Template template[],
- void *thing,
- PRBool encoding
-);
-
-PR_END_EXTERN_C
-
-#endif /* ASN1M_H */
diff --git a/security/nss/lib/asn1/asn1t.h b/security/nss/lib/asn1/asn1t.h
deleted file mode 100644
index 6183b7fd7..000000000
--- a/security/nss/lib/asn1/asn1t.h
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef ASN1T_H
-#define ASN1T_H
-
-#ifdef DEBUG
-static const char ASN1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * asn1t.h
- *
- * This file contains the ASN.1 encoder/decoder types available
- * internally within NSS. It's not clear right now if this file
- * will be folded into baset.h or something, I just needed to
- * get this going. At the moment, these types are wrappers for
- * the old types.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef NSSASN1T_H
-#include "nssasn1t.h"
-#endif /* NSSASN1T_H */
-
-#include "seccomon.h"
-#include "secasn1t.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * XXX fgmr
- *
- * This sort of bites. Let's keep an eye on this, to make sure
- * we aren't stuck with it forever.
- */
-
-struct nssASN1ItemStr {
- PRUint32 reserved;
- PRUint8 *data;
- PRUint32 size;
-};
-
-typedef struct nssASN1ItemStr nssASN1Item;
-
-/*
- * I'm not documenting these here, since this'll require another
- * pass anyway.
- */
-
-typedef SEC_ASN1Template nssASN1Template;
-
-#define nssASN1_TAG_MASK SEC_ASN1_TAG_MASK
-
-#define nssASN1_TAGNUM_MASK SEC_ASN1_TAGNUM_MASK
-#define nssASN1_BOOLEAN SEC_ASN1_BOOLEAN
-#define nssASN1_INTEGER SEC_ASN1_INTEGER
-#define nssASN1_BIT_STRING SEC_ASN1_BIT_STRING
-#define nssASN1_OCTET_STRING SEC_ASN1_OCTET_STRING
-#define nssASN1_NULL SEC_ASN1_NULL
-#define nssASN1_OBJECT_ID SEC_ASN1_OBJECT_ID
-#define nssASN1_OBJECT_DESCRIPTOR SEC_ASN1_OBJECT_DESCRIPTOR
-/* External type and instance-of type 0x08 */
-#define nssASN1_REAL SEC_ASN1_REAL
-#define nssASN1_ENUMERATED SEC_ASN1_ENUMERATED
-#define nssASN1_EMBEDDED_PDV SEC_ASN1_EMBEDDED_PDV
-#define nssASN1_UTF8_STRING SEC_ASN1_UTF8_STRING
-#define nssASN1_SEQUENCE SEC_ASN1_SEQUENCE
-#define nssASN1_SET SEC_ASN1_SET
-#define nssASN1_NUMERIC_STRING SEC_ASN1_NUMERIC_STRING
-#define nssASN1_PRINTABLE_STRING SEC_ASN1_PRINTABLE_STRING
-#define nssASN1_T61_STRING SEC_ASN1_T61_STRING
-#define nssASN1_TELETEX_STRING nssASN1_T61_STRING
-#define nssASN1_VIDEOTEX_STRING SEC_ASN1_VIDEOTEX_STRING
-#define nssASN1_IA5_STRING SEC_ASN1_IA5_STRING
-#define nssASN1_UTC_TIME SEC_ASN1_UTC_TIME
-#define nssASN1_GENERALIZED_TIME SEC_ASN1_GENERALIZED_TIME
-#define nssASN1_GRAPHIC_STRING SEC_ASN1_GRAPHIC_STRING
-#define nssASN1_VISIBLE_STRING SEC_ASN1_VISIBLE_STRING
-#define nssASN1_GENERAL_STRING SEC_ASN1_GENERAL_STRING
-#define nssASN1_UNIVERSAL_STRING SEC_ASN1_UNIVERSAL_STRING
-/* 0x1d */
-#define nssASN1_BMP_STRING SEC_ASN1_BMP_STRING
-#define nssASN1_HIGH_TAG_NUMBER SEC_ASN1_HIGH_TAG_NUMBER
-
-#define nssASN1_METHOD_MASK SEC_ASN1_METHOD_MASK
-#define nssASN1_PRIMITIVE SEC_ASN1_PRIMITIVE
-#define nssASN1_CONSTRUCTED SEC_ASN1_CONSTRUCTED
-
-#define nssASN1_CLASS_MASK SEC_ASN1_CLASS_MASK
-#define nssASN1_UNIVERSAL SEC_ASN1_UNIVERSAL
-#define nssASN1_APPLICATION SEC_ASN1_APPLICATION
-#define nssASN1_CONTEXT_SPECIFIC SEC_ASN1_CONTEXT_SPECIFIC
-#define nssASN1_PRIVATE SEC_ASN1_PRIVATE
-
-#define nssASN1_OPTIONAL SEC_ASN1_OPTIONAL
-#define nssASN1_EXPLICIT SEC_ASN1_EXPLICIT
-#define nssASN1_ANY SEC_ASN1_ANY
-#define nssASN1_INLINE SEC_ASN1_INLINE
-#define nssASN1_POINTER SEC_ASN1_POINTER
-#define nssASN1_GROUP SEC_ASN1_GROUP
-#define nssASN1_DYNAMIC SEC_ASN1_DYNAMIC
-#define nssASN1_SKIP SEC_ASN1_SKIP
-#define nssASN1_INNER SEC_ASN1_INNER
-#define nssASN1_SAVE SEC_ASN1_SAVE
-#define nssASN1_MAY_STREAM SEC_ASN1_MAY_STREAM
-#define nssASN1_SKIP_REST SEC_ASN1_SKIP_REST
-#define nssASN1_CHOICE SEC_ASN1_CHOICE
-
-#define nssASN1_SEQUENCE_OF SEC_ASN1_SEQUENCE_OF
-#define nssASN1_SET_OF SEC_ASN1_SET_OF
-#define nssASN1_ANY_CONTENTS SEC_ASN1_ANY_CONTENTS
-
-typedef SEC_ChooseASN1TemplateFunc nssASN1ChooseTemplateFunction;
-
-typedef SEC_ASN1DecoderContext nssASN1Decoder;
-typedef SEC_ASN1EncoderContext nssASN1Encoder;
-
-typedef enum {
- nssASN1EncodingPartIdentifier = SEC_ASN1_Identifier,
- nssASN1EncodingPartLength = SEC_ASN1_Length,
- nssASN1EncodingPartContents = SEC_ASN1_Contents,
- nssASN1EncodingPartEndOfContents = SEC_ASN1_EndOfContents
-} nssASN1EncodingPart;
-
-typedef SEC_ASN1NotifyProc nssASN1NotifyFunction;
-
-typedef SEC_ASN1WriteProc nssASN1EncoderWriteFunction;
-typedef SEC_ASN1WriteProc nssASN1DecoderFilterFunction;
-
-PR_END_EXTERN_C
-
-#endif /* ASN1T_H */
diff --git a/security/nss/lib/asn1/config.mk b/security/nss/lib/asn1/config.mk
deleted file mode 100644
index 80b3135f4..000000000
--- a/security/nss/lib/asn1/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/asn1/manifest.mn b/security/nss/lib/asn1/manifest.mn
deleted file mode 100644
index 658266d8e..000000000
--- a/security/nss/lib/asn1/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
- asn1t.h \
- asn1m.h \
- asn1.h \
- $(NULL)
-
-EXPORTS = \
- nssasn1t.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- asn1.c \
- $(NULL)
-
-REQUIRES = security nspr
-
-LIBRARY_NAME = asn1
diff --git a/security/nss/lib/asn1/nssasn1t.h b/security/nss/lib/asn1/nssasn1t.h
deleted file mode 100644
index 2488892b4..000000000
--- a/security/nss/lib/asn1/nssasn1t.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSASN1T_H
-#define NSSASN1T_H
-
-#ifdef DEBUG
-static const char NSSASN1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssasn1t.h
- *
- * This file contains the public types related to our ASN.1 encoder
- * and decoder.
- */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSASN1EncodingType
- *
- * This type enumerates specific types of ASN.1 encodings.
- */
-
-typedef enum {
- NSSASN1BER, /* Basic Encoding Rules */
- NSSASN1CER, /* Canonical Encoding Rules */
- NSSASN1DER, /* Distinguished Encoding Rules */
- NSSASN1LWER, /* LightWeight Encoding Rules */
- NSSASN1PER, /* Packed Encoding Rules */
- NSSASN1UnknownEncoding = -1
-} NSSASN1EncodingType;
-
-PR_END_EXTERN_C
-
-#endif /* NSSASN1T_H */
diff --git a/security/nss/lib/base/Makefile b/security/nss/lib/base/Makefile
deleted file mode 100644
index 03e1fb4c6..000000000
--- a/security/nss/lib/base/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/base/arena.c b/security/nss/lib/base/arena.c
deleted file mode 100644
index ce192d719..000000000
--- a/security/nss/lib/base/arena.c
+++ /dev/null
@@ -1,1121 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * arena.c
- *
- * This contains the implementation of NSS's thread-safe arenas.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifdef ARENA_THREADMARK
-#include "prthread.h"
-#endif /* ARENA_THREADMARK */
-
-#include "prlock.h"
-#include "plarena.h"
-
-/*
- * NSSArena
- *
- * This is based on NSPR's arena code, but it is threadsafe.
- *
- * The public methods relating to this type are:
- *
- * NSSArena_Create -- constructor
- * NSSArena_Destroy
- *
- * The nonpublic methods relating to this type are:
- *
- * nssArena_Create -- constructor
- * nssArena_Destroy
- * nssArena_Mark
- * nssArena_Release
- * nssArena_Unmark
- *
- * nss_ZAlloc
- * nss_ZFreeIf
- * nss_ZRealloc
- *
- * In debug builds, the following calls are available:
- *
- * nssArena_verifyPointer
- * nssArena_registerDestructor
- * nssArena_deregisterDestructor
- */
-
-struct NSSArenaStr {
- PLArenaPool pool;
- PRLock *lock;
-#ifdef ARENA_THREADMARK
- PRThread *marking_thread;
- nssArenaMark *first_mark;
- nssArenaMark *last_mark;
-#endif /* ARENA_THREADMARK */
-#ifdef ARENA_DESTRUCTOR_LIST
- struct arena_destructor_node *first_destructor;
- struct arena_destructor_node *last_destructor;
-#endif /* ARENA_DESTRUCTOR_LIST */
-};
-
-/*
- * nssArenaMark
- *
- * This type is used to mark the current state of an NSSArena.
- */
-
-struct nssArenaMarkStr {
- PRUint32 magic;
- void *mark;
-#ifdef ARENA_THREADMARK
- nssArenaMark *next;
-#endif /* ARENA_THREADMARK */
-#ifdef ARENA_DESTRUCTOR_LIST
- struct arena_destructor_node *next_destructor;
- struct arena_destructor_node *prev_destructor;
-#endif /* ARENA_DESTRUCTOR_LIST */
-};
-
-#define MARK_MAGIC 0x4d41524b /* "MARK" how original */
-
-/*
- * But first, the pointer-tracking code
- */
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker arena_pointer_tracker;
-
-static PRStatus
-arena_add_pointer
-(
- const NSSArena *arena
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&arena_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-static PRStatus
-arena_remove_pointer
-(
- const NSSArena *arena
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-
-/*
- * nssArena_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSArena object,
- * this routine will return PR_SUCCESS. Otherwise, it will put an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_verifyPointer
-(
- const NSSArena *arena
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&arena_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- /*
- * This is a little disingenious. We have to initialize the
- * tracker, because someone could "legitimately" try to verify
- * an arena pointer before one is ever created. And this step
- * might fail, due to lack of memory. But the only way that
- * this step can fail is if it's doing the call_once stuff,
- * (later calls just no-op). And if it didn't no-op, there
- * aren't any valid arenas.. so the argument certainly isn't one.
- */
- nss_SetError(NSS_ERROR_INVALID_ARENA);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_ARENA);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-#ifdef ARENA_DESTRUCTOR_LIST
-
-struct arena_destructor_node {
- struct arena_destructor_node *next;
- struct arena_destructor_node *prev;
- void (*destructor)(void *argument);
- void *arg;
-};
-
-/*
- * nssArena_registerDestructor
- *
- * This routine stores a pointer to a callback and an arbitrary
- * pointer-sized argument in the arena, at the current point in
- * the mark stack. If the arena is destroyed, or an "earlier"
- * mark is released, then this destructor will be called at that
- * time. Note that the destructor will be called with the arena
- * locked, which means the destructor may free memory in that
- * arena, but it may not allocate or cause to be allocated any
- * memory. This callback facility was included to support our
- * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas. This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If
- * unsuccessful, it will set an error on the error stack and
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_registerDestructor
-(
- NSSArena *arena,
- void (*destructor)(void *argument),
- void *arg
-)
-{
- struct arena_destructor_node *it;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- it = nss_ZNEW(arena, struct arena_destructor_node);
- if( (struct arena_destructor_node *)NULL == it ) {
- return PR_FAILURE;
- }
-
- it->prev = arena->last_destructor;
- arena->last_destructor->next = it;
- arena->last_destructor = it;
- it->destructor = destructor;
- it->arg = arg;
-
- if( (nssArenaMark *)NULL != arena->last_mark ) {
- arena->last_mark->prev_destructor = it->prev;
- arena->last_mark->next_destructor = it->next;
- }
-
- return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssArena_deregisterDestructor
-(
- NSSArena *arena,
- void (*destructor)(void *argument),
- void *arg
-)
-{
- struct arena_destructor_node *it;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- for( it = arena->first_destructor; it; it = it->next ) {
- if( (it->destructor == destructor) && (it->arg == arg) ) {
- break;
- }
- }
-
- if( (struct arena_destructor_node *)NULL == it ) {
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return PR_FAILURE;
- }
-
- if( it == arena->first_destructor ) {
- arena->first_destructor = it->next;
- }
-
- if( it == arena->last_destructor ) {
- arena->last_destructor = it->prev;
- }
-
- if( (struct arena_destructor_node *)NULL != it->prev ) {
- it->prev->next = it->next;
- }
-
- if( (struct arena_destructor_node *)NULL != it->next ) {
- it->next->prev = it->prev;
- }
-
- {
- nssArenaMark *m;
- for( m = arena->first_mark; m; m = m->next ) {
- if( m->next_destructor == it ) {
- m->next_destructor = it->next;
- }
- if( m->prev_destructor == it ) {
- m->prev_destructor = it->prev;
- }
- }
- }
-
- nss_ZFreeIf(it);
- return PR_SUCCESS;
-}
-
-static void
-nss_arena_call_destructor_chain
-(
- struct arena_destructor_node *it
-)
-{
- for( ; it ; it = it->next ) {
- (*(it->destructor))(it->arg);
- }
-}
-
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-/*
- * NSSArena_Create
- *
- * This routine creates a new memory arena. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The top-level error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSArena upon success
- */
-
-NSS_IMPLEMENT NSSArena *
-NSSArena_Create
-(
- void
-)
-{
- nss_ClearErrorStack();
- return nssArena_Create();
-}
-
-/*
- * nssArena_Create
- *
- * This routine creates a new memory arena. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSArena upon success
- */
-
-NSS_IMPLEMENT NSSArena *
-nssArena_Create
-(
- void
-)
-{
- NSSArena *rv = (NSSArena *)NULL;
-
- rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
- if( (NSSArena *)NULL == rv ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSArena *)NULL;
- }
-
- rv->lock = PR_NewLock();
- if( (PRLock *)NULL == rv->lock ) {
- (void)nss_ZFreeIf(rv);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSArena *)NULL;
- }
-
- /*
- * Arena sizes. The current security code has 229 occurrences of
- * PORT_NewArena. The default chunksizes specified break down as
- *
- * Size Mult. Specified as
- * 512 1 512
- * 1024 7 1024
- * 2048 5 2048
- * 2048 5 CRMF_DEFAULT_ARENA_SIZE
- * 2048 190 DER_DEFAULT_CHUNKSIZE
- * 2048 20 SEC_ASN1_DEFAULT_ARENA_SIZE
- * 4096 1 4096
- *
- * Obviously this "default chunksize" flexibility isn't very
- * useful to us, so I'll just pick 2048.
- */
-
- PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
-
-#ifdef DEBUG
- {
- PRStatus st;
- st = arena_add_pointer(rv);
- if( PR_SUCCESS != st ) {
- PL_FinishArenaPool(&rv->pool);
- PR_DestroyLock(rv->lock);
- (void)nss_ZFreeIf(rv);
- return (NSSArena *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return rv;
-}
-
-/*
- * NSSArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The top-level error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSArena_Destroy
-(
- NSSArena *arena
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssArena_Destroy(arena);
-}
-
-/*
- * nssArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_Destroy
-(
- NSSArena *arena
-)
-{
- PRLock *lock;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_Lock(arena->lock);
- if( (PRLock *)NULL == arena->lock ) {
- /* Just got destroyed */
- nss_SetError(NSS_ERROR_INVALID_ARENA);
- return PR_FAILURE;
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != arena_remove_pointer(arena) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
-#ifdef ARENA_DESTRUCTOR_LIST
- /* Note that the arena is locked at this time */
- nss_arena_call_destructor_chain(arena->first_destructor);
-#endif /* ARENA_DESTRUCTOR_LIST */
-
- PL_FinishArenaPool(&arena->pool);
- lock = arena->lock;
- arena->lock = (PRLock *)NULL;
- PR_Unlock(lock);
- PR_DestroyLock(lock);
- (void)nss_ZFreeIf(arena);
- return PR_SUCCESS;
-}
-
-/*
- * nssArena_Mark
- *
- * This routine "marks" the current state of an arena. Space
- * allocated after the arena has been marked can be freed by
- * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark. When successful,
- * this routine returns a valid nssArenaMark pointer. This
- * routine may return NULL upon error, in which case it will
- * have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * NULL upon failure
- * An nssArenaMark pointer upon success
- */
-
-NSS_IMPLEMENT nssArenaMark *
-nssArena_Mark
-(
- NSSArena *arena
-)
-{
- nssArenaMark *rv;
- void *p;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return (nssArenaMark *)NULL;
- }
-#endif /* NSSDEBUG */
-
- PR_Lock(arena->lock);
- if( (PRLock *)NULL == arena->lock ) {
- /* Just got destroyed */
- nss_SetError(NSS_ERROR_INVALID_ARENA);
- return (nssArenaMark *)NULL;
- }
-
-#ifdef ARENA_THREADMARK
- if( (PRThread *)NULL == arena->marking_thread ) {
- /* Unmarked. Store our thread ID */
- arena->marking_thread = PR_GetCurrentThread();
- /* This call never fails. */
- } else {
- /* Marked. Verify it's the current thread */
- if( PR_GetCurrentThread() != arena->marking_thread ) {
- PR_Unlock(arena->lock);
- nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
- return (nssArenaMark *)NULL;
- }
- }
-#endif /* ARENA_THREADMARK */
-
- p = PL_ARENA_MARK(&arena->pool);
- /* No error possible */
-
- /* Do this after the mark */
- rv = nss_ZNEW(arena, nssArenaMark);
- if( (nssArenaMark *)NULL == rv ) {
- PR_Unlock(arena->lock);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (nssArenaMark *)NULL;
- }
-
-#ifdef ARENA_THREADMARK
- arena->last_mark->next = rv;
- arena->last_mark = rv;
-#endif /* ARENA_THREADMARK */
-
- rv->mark = p;
- rv->magic = MARK_MAGIC;
-
-#ifdef ARENA_DESTRUCTOR_LIST
- rv->prev_destructor = arena->last_destructor;
-#endif /* ARENA_DESTRUCTOR_LIST */
-
- PR_Unlock(arena->lock);
-
- return rv;
-}
-
-/*
- * nss_arena_unmark_release
- *
- * This static routine implements the routines nssArena_Release
- * ans nssArena_Unmark, which are almost identical.
- */
-
-static PRStatus
-nss_arena_unmark_release
-(
- NSSArena *arena,
- nssArenaMark *arenaMark,
- PRBool release
-)
-{
- void *inner_mark;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( MARK_MAGIC != arenaMark->magic ) {
- nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
- return PR_FAILURE;
- }
-
- PR_Lock(arena->lock);
- if( (PRLock *)NULL == arena->lock ) {
- /* Just got destroyed */
- nss_SetError(NSS_ERROR_INVALID_ARENA);
- return PR_FAILURE;
- }
-
-#ifdef ARENA_THREADMARK
- if( (PRThread *)NULL != arena->marking_thread ) {
- if( PR_GetCurrentThread() != arena->marking_thread ) {
- PR_Unlock(arena->lock);
- nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
- return PR_FAILURE;
- }
- }
-#endif /* ARENA_THREADMARK */
-
- if( MARK_MAGIC != arenaMark->magic ) {
- /* Just got released */
- PR_Unlock(arena->lock);
- nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
- return PR_FAILURE;
- }
-
- arenaMark->magic = 0;
- inner_mark = arenaMark->mark;
-
-#ifdef ARENA_THREADMARK
- {
- nssArenaMark **pMark = &arena->first_mark;
- nssArenaMark *rest;
- nssArenaMark *last = (nssArenaMark *)NULL;
-
- /* Find this mark */
- while( *pMark != arenaMark ) {
- last = *pMark;
- pMark = &(*pMark)->next;
- }
-
- /* Remember the pointer, then zero it */
- rest = (*pMark)->next;
- *pMark = (nssArenaMark *)NULL;
-
- arena->last_mark = last;
-
- /* Invalidate any later marks being implicitly released */
- for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
- rest->magic = 0;
- }
-
- /* If we just got rid of the first mark, clear the thread ID */
- if( (nssArenaMark *)NULL == arena->first_mark ) {
- arena->marking_thread = (PRThread *)NULL;
- }
- }
-#endif /* ARENA_THREADMARK */
-
- if( release ) {
-#ifdef ARENA_DESTRUCTOR_LIST
- if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
- arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
- }
- arena->last_destructor = arenaMark->prev_destructor;
-
- /* Note that the arena is locked at this time */
- nss_arena_call_destructor_chain(arenaMark->next_destructor);
-#endif /* ARENA_DESTRUCTOR_LIST */
-
- PR_ARENA_RELEASE(&arena->pool, inner_mark);
- /* No error return */
- }
-
- PR_Unlock(arena->lock);
- return PR_SUCCESS;
-}
-
-/*
- * nssArena_Release
- *
- * This routine invalidates and releases all memory allocated from
- * the specified arena after the point at which the specified mark
- * was obtained. This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS. If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ARENA_MARK
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_Release
-(
- NSSArena *arena,
- nssArenaMark *arenaMark
-)
-{
- return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
-}
-
-/*
- * nssArena_Unmark
- *
- * This routine "commits" the indicated mark and any marks after
- * it, making them unreleasable. Note that any earlier marks can
- * still be released, and such a release will invalidate these
- * later unmarked regions. If an arena is to be safely shared by
- * more than one thread, all marks must be either released or
- * unmarked. This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS. If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ARENA_MARK
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_Unmark
-(
- NSSArena *arena,
- nssArenaMark *arenaMark
-)
-{
- return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
-}
-
-/*
- * We prefix this header to all allocated blocks. It is a multiple
- * of the alignment size. Note that this usage of a header may make
- * purify spew bogus warnings about "potentially leaked blocks" of
- * memory; if that gets too annoying we can add in a pointer to the
- * header in the header itself. There's not a lot of safety here;
- * maybe we should add a magic value?
- */
-struct pointer_header {
- NSSArena *arena;
- PRUint32 size;
-};
-
-/*
- * nss_ZAlloc
- *
- * This routine allocates and zeroes a section of memory of the
- * size, and returns to the caller a pointer to that memory. If
- * the optional arena argument is non-null, the memory will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in
- * which case it will have set an error upon the error stack. The
- * value specified for size may be zero; in which case a valid
- * zero-length block of memory will be allocated. This block may
- * be expanded by calling nss_ZRealloc.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * NULL upon error
- * A pointer to the new segment of zeroed memory
- */
-
-NSS_IMPLEMENT void *
-nss_ZAlloc
-(
- NSSArena *arenaOpt,
- PRUint32 size
-)
-{
- struct pointer_header *h;
- PRUint32 my_size = size + sizeof(struct pointer_header);
-
- if( my_size < sizeof(struct pointer_header) ) {
- /* Wrapped */
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- if( (NSSArena *)NULL == arenaOpt ) {
- /* Heap allocation, no locking required. */
- h = (struct pointer_header *)PR_Calloc(1, my_size);
- if( (struct pointer_header *)NULL == h ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- h->arena = (NSSArena *)NULL;
- h->size = size;
- /* We used calloc: it's already zeroed */
-
- return (void *)((char *)h + sizeof(struct pointer_header));
- } else {
- void *p;
- void *rv;
- /* Arena allocation */
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (void *)NULL;
- }
-#endif /* NSSDEBUG */
-
- PR_Lock(arenaOpt->lock);
- if( (PRLock *)NULL == arenaOpt->lock ) {
- /* Just got destroyed */
- nss_SetError(NSS_ERROR_INVALID_ARENA);
- return (void *)NULL;
- }
-
-#ifdef ARENA_THREADMARK
- if( (PRThread *)NULL != arenaOpt->marking_thread ) {
- if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
- nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
- PR_Unlock(arenaOpt->lock);
- return (void *)NULL;
- }
- }
-#endif /* ARENA_THREADMARK */
-
- PR_ARENA_ALLOCATE(p, &arenaOpt->pool, my_size);
- if( (void *)NULL == p ) {
- PR_Unlock(arenaOpt->lock);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- /*
- * Do this before we unlock. This way if the user is using
- * an arena in one thread while destroying it in another, he'll
- * fault/FMR in his code, not ours.
- */
- h = (struct pointer_header *)p;
- h->arena = arenaOpt;
- h->size = size;
- rv = (void *)((char *)h + sizeof(struct pointer_header));
- (void)nsslibc_memset(rv, 0, size);
-
- PR_Unlock(arenaOpt->lock);
-
- return rv;
- }
- /*NOTREACHED*/
-}
-
-/*
- * nss_ZFreeIf
- *
- * If the specified pointer is non-null, then the region of memory
- * to which it points -- which must have been allocated with
- * nss_ZAlloc -- will be zeroed and released. This routine
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nss_ZFreeIf
-(
- void *pointer
-)
-{
- struct pointer_header *h;
-
- if( (void *)NULL == pointer ) {
- return PR_SUCCESS;
- }
-
- h = (struct pointer_header *)&((char *)pointer)
- [ - sizeof(struct pointer_header) ];
-
- /* Check any magic here */
-
- if( (NSSArena *)NULL == h->arena ) {
- /* Heap */
- (void)nsslibc_memset(pointer, 0, h->size);
- PR_Free(h);
- return PR_SUCCESS;
- } else {
- /* Arena */
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_Lock(h->arena->lock);
- if( (PRLock *)NULL == h->arena->lock ) {
- /* Just got destroyed.. so this pointer is invalid */
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- (void)nsslibc_memset(pointer, 0, h->size);
-
- /* No way to "free" it within an NSPR arena. */
-
- PR_Unlock(h->arena->lock);
- return PR_SUCCESS;
- }
- /*NOTREACHED*/
-}
-
-/*
- * nss_ZRealloc
- *
- * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc. The portion of memory
- * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed. This routine
- * may return NULL upon failure, in which case it will have placed
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * NULL upon error
- * A pointer to the replacement segment of memory
- */
-
-NSS_EXTERN void *
-nss_ZRealloc
-(
- void *pointer,
- PRUint32 newSize
-)
-{
- struct pointer_header *h, *new_h;
- PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
- void *rv;
-
- if( my_newSize < sizeof(struct pointer_header) ) {
- /* Wrapped */
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- if( (void *)NULL == pointer ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (void *)NULL;
- }
-
- h = (struct pointer_header *)&((char *)pointer)
- [ - sizeof(struct pointer_header) ];
-
- /* Check any magic here */
-
- if( newSize == h->size ) {
- /* saves thrashing */
- return pointer;
- }
-
- if( (NSSArena *)NULL == h->arena ) {
- /* Heap */
- new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
- if( (struct pointer_header *)NULL == new_h ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- new_h->arena = (NSSArena *)NULL;
- new_h->size = newSize;
- rv = (void *)((char *)new_h + sizeof(struct pointer_header));
-
- if( newSize > h->size ) {
- (void)nsslibc_memcpy(rv, pointer, h->size);
- (void)nsslibc_memset(&((char *)rv)[ h->size ],
- 0, (newSize - h->size));
- } else {
- (void)nsslibc_memcpy(rv, pointer, newSize);
- }
-
- (void)nsslibc_memset(pointer, 0, h->size);
- h->size = 0;
- PR_Free(h);
-
- return rv;
- } else {
- void *p;
- /* Arena */
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
- return (void *)NULL;
- }
-#endif /* NSSDEBUG */
-
- PR_Lock(h->arena->lock);
- if( (PRLock *)NULL == h->arena->lock ) {
- /* Just got destroyed.. so this pointer is invalid */
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (void *)NULL;
- }
-
-#ifdef ARENA_THREADMARK
- if( (PRThread *)NULL != h->arena->marking_thread ) {
- if( PR_GetCurrentThread() != h->arena->marking_thread ) {
- PR_Unlock(h->arena->lock);
- nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
- return (void *)NULL;
- }
- }
-#endif /* ARENA_THREADMARK */
-
- if( newSize < h->size ) {
- /*
- * We have no general way of returning memory to the arena
- * (mark/release doesn't work because things may have been
- * allocated after this object), so the memory is gone
- * anyway. We might as well just return the same pointer to
- * the user, saying "yeah, uh-hunh, you can only use less of
- * it now." We'll zero the leftover part, of course. And
- * in fact we might as well *not* adjust h->size-- this way,
- * if the user reallocs back up to something not greater than
- * the original size, then voila, there's the memory! This
- * way a thrash big/small/big/small doesn't burn up the arena.
- */
- char *extra = &((char *)pointer)[ newSize ];
- (void)nsslibc_memset(extra, 0, (h->size - newSize));
- PR_Unlock(h->arena->lock);
- return pointer;
- }
-
- PR_ARENA_ALLOCATE(p, &h->arena->pool, my_newSize);
- if( (void *)NULL == p ) {
- PR_Unlock(h->arena->lock);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- new_h = (struct pointer_header *)p;
- new_h->arena = h->arena;
- new_h->size = newSize;
- rv = (void *)((char *)h + sizeof(struct pointer_header));
- (void)nsslibc_memcpy(rv, pointer, h->size);
- (void)nsslibc_memset(&((char *)rv)[ h->size ], 0,
- (newSize - h->size));
- (void)nsslibc_memset(pointer, 0, h->size);
- h->arena = (NSSArena *)NULL;
- h->size = 0;
- PR_Unlock(h->arena->lock);
- return rv;
- }
- /*NOTREACHED*/
-}
diff --git a/security/nss/lib/base/base.h b/security/nss/lib/base/base.h
deleted file mode 100644
index 4206cb542..000000000
--- a/security/nss/lib/base/base.h
+++ /dev/null
@@ -1,1063 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef BASE_H
-#define BASE_H
-
-#ifdef DEBUG
-static const char BASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * base.h
- *
- * This header file contains basic prototypes and preprocessor
- * definitions used throughout nss but not available publicly.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#include "plhash.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSArena
- *
- * The nonpublic methods relating to this type are:
- *
- * nssArena_Create -- constructor
- * nssArena_Destroy
- * nssArena_Mark
- * nssArena_Release
- * nssArena_Unmark
- *
- * nss_ZAlloc
- * nss_ZFreeIf
- * nss_ZRealloc
- *
- * Additionally, there are some preprocessor macros:
- *
- * nss_ZNEW
- * nss_ZNEWARRAY
- *
- * In debug builds, the following calls are available:
- *
- * nssArena_verifyPointer
- * nssArena_registerDestructor
- * nssArena_deregisterDestructor
- *
- * The following preprocessor macro is also always available:
- *
- * nssArena_VERIFYPOINTER
- *
- * A constant PLHashAllocOps structure is available for users
- * of the NSPL PLHashTable routines.
- *
- * nssArenaHashAllocOps
- */
-
-/*
- * nssArena_Create
- *
- * This routine creates a new memory arena. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSArena upon success
- */
-
-/*
- * XXX fgmr
- * Arenas can be named upon creation; this is mostly of use when
- * debugging. Should we expose that here, allowing an optional
- * "const char *name" argument? Should the public version of this
- * call (NSSArena_Create) have it too?
- */
-
-NSS_EXTERN NSSArena *
-nssArena_Create
-(
- void
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_Destroy
-(
- NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-
-/*
- * nssArena_Mark
- *
- * This routine "marks" the current state of an arena. Space
- * allocated after the arena has been marked can be freed by
- * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark. When successful,
- * this routine returns a valid nssArenaMark pointer. This
- * routine may return NULL upon error, in which case it will
- * have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * NULL upon failure
- * An nssArenaMark pointer upon success
- */
-
-NSS_EXTERN nssArenaMark *
-nssArena_Mark
-(
- NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-/*
- * nssArena_Release
- *
- * This routine invalidates and releases all memory allocated from
- * the specified arena after the point at which the specified mark
- * was obtained. This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS. If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ARENA_MARK
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_Release
-(
- NSSArena *arena,
- nssArenaMark *arenaMark
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
-
-/*
- * nssArena_Unmark
- *
- * This routine "commits" the indicated mark and any marks after
- * it, making them unreleasable. Note that any earlier marks can
- * still be released, and such a release will invalidate these
- * later unmarked regions. If an arena is to be safely shared by
- * more than one thread, all marks must be either released or
- * unmarked. This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS. If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ARENA_MARK
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_Unmark
-(
- NSSArena *arena,
- nssArenaMark *arenaMark
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-#ifdef ARENA_DESTRUCTOR_LIST
-
-/*
- * nssArena_registerDestructor
- *
- * This routine stores a pointer to a callback and an arbitrary
- * pointer-sized argument in the arena, at the current point in
- * the mark stack. If the arena is destroyed, or an "earlier"
- * mark is released, then this destructor will be called at that
- * time. Note that the destructor will be called with the arena
- * locked, which means the destructor may free memory in that
- * arena, but it may not allocate or cause to be allocated any
- * memory. This callback facility was included to support our
- * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas. This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If
- * unsuccessful, it will set an error on the error stack and
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_registerDestructor
-(
- NSSArena *arena,
- void (*destructor)(void *argument),
- void *arg
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssArena_deregisterDestructor
- *
- * This routine will remove the first destructor in the specified
- * arena which has the specified destructor and argument values.
- * The destructor will not be called. This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If
- * unsuccessful, it will set an error on the error stack and
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NOT_FOUND
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_deregisterDestructor
-(
- NSSArena *arena,
- void (*destructor)(void *argument),
- void *arg
-);
-
-extern const NSSError NSS_ERROR_INVALID_ITEM;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-/*
- * nss_ZAlloc
- *
- * This routine allocates and zeroes a section of memory of the
- * size, and returns to the caller a pointer to that memory. If
- * the optional arena argument is non-null, the memory will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in
- * which case it will have set an error upon the error stack. The
- * value specified for size may be zero; in which case a valid
- * zero-length block of memory will be allocated. This block may
- * be expanded by calling nss_ZRealloc.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * NULL upon error
- * A pointer to the new segment of zeroed memory
- */
-
-NSS_EXTERN void *
-nss_ZAlloc
-(
- NSSArena *arenaOpt,
- PRUint32 size
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-/*
- * nss_ZFreeIf
- *
- * If the specified pointer is non-null, then the region of memory
- * to which it points -- which must have been allocated with
- * nss_ZAlloc -- will be zeroed and released. This routine
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nss_ZFreeIf
-(
- void *pointer
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nss_ZRealloc
- *
- * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc. The portion of memory
- * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed. This routine
- * may return NULL upon failure, in which case it will have placed
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- * NULL upon error
- * A pointer to the replacement segment of memory
- */
-
-NSS_EXTERN void *
-nss_ZRealloc
-(
- void *pointer,
- PRUint32 newSize
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-/*
- * nss_ZNEW
- *
- * This preprocessor macro will allocate memory for a new object
- * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately. If the optional arena argument is
- * non-null, the memory will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may
- * return NULL upon error, in which case it will have set an error
- * upon the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to the new segment of zeroed memory
- */
-
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
-
-/*
- * nss_ZNEWARRAY
- *
- * This preprocessor macro will allocate memory for an array of
- * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will
- * be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon
- * error, in which case it will have set an error upon the error
- * stack. The array size may be specified as zero.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to the new segment of zeroed memory
- */
-
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
-
-/*
- * nssArena_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSArena object,
- * this routine will return PR_SUCCESS. Otherwise, it will put an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssArena_verifyPointer
-(
- const NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-#endif /* DEBUG */
-
-/*
- * nssArena_VERIFYPOINTER
- *
- * This macro is always available. In debug builds it will call
- * nssArena_verifyPointer; in non-debug builds, it will merely
- * check that the pointer is not null. Note that in non-debug
- * builds it cannot place an error on the error stack.
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-#define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
-#else /* DEBUG */
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
-#endif /* DEBUG */
-
-/*
- * nssArenaHashAllocOps
- *
- * This constant structure contains allocation callbacks designed for
- * use with the NSPL routine PL_NewHashTable. For example:
- *
- * NSSArena *hashTableArena = nssArena_Create();
- * PLHashTable *t = PL_NewHashTable(n, hasher, key_compare,
- * value_compare, nssArenaHashAllocOps, hashTableArena);
- */
-
-NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
-
-/*
- * The error stack
- *
- * The nonpublic methods relating to the error stack are:
- *
- * nss_SetError
- * nss_ClearErrorStack
- */
-
-/*
- * nss_SetError
- *
- * This routine places a new error code on the top of the calling
- * thread's error stack. Calling this routine wiht an error code
- * of zero will clear the error stack.
- */
-
-NSS_EXTERN void
-nss_SetError
-(
- PRUint32 error
-);
-
-/*
- * nss_ClearErrorStack
- *
- * This routine clears the calling thread's error stack.
- */
-
-NSS_EXTERN void
-nss_ClearErrorStack
-(
- void
-);
-
-/*
- * NSSUTF8
- *
- * nssUTF8_CaseIgnoreMatch
- * nssUTF8_Duplicate
- * nssUTF8_Size
- * nssUTF8_Length
- * nssUTF8_CopyIntoFixedBuffer
- */
-
-/*
- * nssUTF8_CaseIgnoreMatch
- *
- * Returns true if the two UTF8-encoded strings pointed to by the
- * two specified NSSUTF8 pointers differ only in typcase.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_TRUE if the strings match, ignoring case
- * PR_FALSE if they don't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssUTF8_CaseIgnoreMatch
-(
- const NSSUTF8 *a,
- const NSSUTF8 *b,
- PRStatus *statusOpt
-);
-
-/*
- * nssUTF8_Duplicate
- *
- * This routine duplicates the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer. If the optional arenaOpt argument is
- * not null, the memory required will be obtained from that arena;
- * otherwise, the memory required will be obtained from the heap.
- * A pointer to the new string will be returned. In case of error,
- * an error will be placed on the error stack and NULL will be
- * returned.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- */
-
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Duplicate
-(
- const NSSUTF8 *s,
- NSSArena *arenaOpt
-);
-
-/*
- * nssUTF8_PrintableMatch
- *
- * Returns true if the two Printable strings pointed to by the
- * two specified NSSUTF8 pointers match when compared with the
- * rules for Printable String (leading and trailing spaces are
- * disregarded, extents of whitespace match irregardless of length,
- * and case is not significant), then PR_TRUE will be returned.
- * Otherwise, PR_FALSE will be returned. Upon failure, PR_FALSE
- * will be returned. If the optional statusOpt argument is not
- * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
- * location.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_TRUE if the strings match, ignoring case
- * PR_FALSE if they don't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssUTF8_PrintableMatch
-(
- const NSSUTF8 *a,
- const NSSUTF8 *b,
- PRStatus *statusOpt
-);
-
-/*
- * nssUTF8_Size
- *
- * This routine returns the length in bytes (including the terminating
- * null) of the UTF8-encoded string pointed to by the specified
- * NSSUTF8 pointer. Zero is returned on error.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- * nonzero size of the string
- * 0 on error
- */
-
-NSS_EXTERN PRUint32
-nssUTF8_Size
-(
- const NSSUTF8 *s,
- PRStatus *statusOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
-
-/*
- * nssUTF8_Length
- *
- * This routine returns the length in characters (not including the
- * terminating null) of the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_VALUE_TOO_LARGE
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * length of the string (which may be zero)
- * 0 on error
- */
-
-NSS_EXTERN PRUint32
-nssUTF8_Length
-(
- const NSSUTF8 *s,
- PRStatus *statusOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
-extern const NSSError NSS_ERROR_INVALID_STRING;
-
-/*
- * nssUTF8_Create
- *
- * This routine creates a UTF8 string from a string in some other
- * format. Some types of string may include embedded null characters,
- * so for them the length parameter must be used. For string types
- * that are null-terminated, the length parameter is optional; if it
- * is zero, it will be ignored. If the optional arena argument is
- * non-null, the memory used for the new string will be obtained from
- * that arena, otherwise it will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_UNSUPPORTED_TYPE
- *
- * Return value:
- * NULL upon error
- * A non-null pointer to a new UTF8 string otherwise
- */
-
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Create
-(
- NSSArena *arenaOpt,
- nssStringType type,
- const void *inputString,
- PRUint32 size /* in bytes, not characters */
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
-
-NSS_EXTERN NSSItem *
-nssUTF8_GetEncoding
-(
- NSSArena *arenaOpt,
- NSSItem *rvOpt,
- nssStringType type,
- NSSUTF8 *string
-);
-
-/*
- * nssUTF8_CopyIntoFixedBuffer
- *
- * This will copy a UTF8 string into a fixed-length buffer, making
- * sure that the all characters are valid. Any remaining space will
- * be padded with the specified ASCII character, typically either
- * null or space.
- *
- * Blah, blah, blah.
- */
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
-
-NSS_EXTERN PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
- NSSUTF8 *string,
- char *buffer,
- PRUint32 bufferSize,
- char pad
-);
-
-/*
- * nssUTF8_Equal
- *
- */
-
-NSS_EXTERN PRBool
-nssUTF8_Equal
-(
- const NSSUTF8 *a,
- const NSSUTF8 *b,
- PRStatus *statusOpt
-);
-
-/*
- * nssPointerTracker
- *
- * This type and these methods are only present in debug builds.
- *
- * The nonpublic methods relating to this type are:
- *
- * nssPointerTracker_initialize
- * nssPointerTracker_finalize
- * nssPointerTracker_add
- * nssPointerTracker_remove
- * nssPointerTracker_verify
- */
-
-/*
- * nssPointerTracker_initialize
- *
- * This method is only present in debug builds.
- *
- * This routine initializes an nssPointerTracker object. Note that
- * the object must have been declared *static* to guarantee that it
- * is in a zeroed state initially. This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with
- * the same argument. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. On failure it will set an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_initialize
-(
- nssPointerTracker *tracker
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_finalize
- *
- * This method is only present in debug builds.
- *
- * This routine returns the nssPointerTracker object to the pre-
- * initialized state, releasing all resources used by the object.
- * It will *NOT* destroy the objects being tracked by the pointer
- * (should any remain), and therefore cannot be used to "sweep up"
- * remaining objects. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCES. On failure it will set an
- * error on the error stack and return PR_FAILURE. If any objects
- * remain in the tracker when it is finalized, that will be treated
- * as an error.
- *
- * The error may be one of the following values:
- * NSS_ERROR_TRACKER_NOT_EMPTY
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_finalize
-(
- nssPointerTracker *tracker
-);
-
-extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_add
- *
- * This method is only present in debug builds.
- *
- * This routine adds the specified pointer to the nssPointerTracker
- * object. It should be called in constructor objects to register
- * new valid objects. The nssPointerTracker is threadsafe, but this
- * call is not idempotent. This routine returns a PRStatus value;
- * if successful it will return PR_SUCCESS. On failure it will set
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_TRACKER_NOT_INITIALIZED
- * NSS_ERROR_DUPLICATE_POINTER
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_add
-(
- nssPointerTracker *tracker,
- const void *pointer
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
-extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_remove
- *
- * This method is only present in debug builds.
- *
- * This routine removes the specified pointer from the
- * nssPointerTracker object. It does not call any destructor for the
- * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not
- * idempotent. This routine returns a PRStatus value; if successful
- * it will return PR_SUCCESS. On failure it will set an error on the
- * error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_TRACKER_NOT_INITIALIZED
- * NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_remove
-(
- nssPointerTracker *tracker,
- const void *pointer
-);
-
-extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
-extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_verify
- *
- * This method is only present in debug builds.
- *
- * This routine verifies that the specified pointer has been registered
- * with the nssPointerTracker object. The nssPointerTracker object is
- * threadsafe, and this call may be safely called from multiple threads
- * simultaneously with the same arguments. This routine returns a
- * PRStatus value; if the pointer is registered this will return
- * PR_SUCCESS. Otherwise it will set an error on the error stack and
- * return PR_FAILURE. Although the error is suitable for leaving on
- * the stack, callers may wish to augment the information available by
- * placing a more type-specific error on the stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILRUE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_verify
-(
- nssPointerTracker *tracker,
- const void *pointer
-);
-
-extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
-#endif /* DEBUG */
-
-/*
- * libc
- *
- * nsslibc_memcpy
- * nsslibc_memset
- * nsslibc_offsetof
- */
-
-/*
- * nsslibc_memcpy
- *
- * Errors:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * NULL on error
- * The destination pointer on success
- */
-
-NSS_EXTERN void *
-nsslibc_memcpy
-(
- void *dest,
- const void *source,
- PRUint32 n
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nsslibc_memset
- *
- * Errors:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * NULL on error
- * The destination pointer on success
- */
-
-NSS_EXTERN void *
-nsslibc_memset
-(
- void *dest,
- PRUint8 byte,
- PRUint32 n
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nsslibc_memequal
- *
- * Errors:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_TRUE if they match
- * PR_FALSE if they don't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nsslibc_memequal
-(
- const void *a,
- const void *b,
- PRUint32 len,
- PRStatus *statusOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-#define nsslibc_offsetof(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
-
-/*
- * nss_NewThreadPrivateIndex
- *
- */
-
-NSS_EXTERN PRStatus
-nss_NewThreadPrivateIndex
-(
- PRUintn *ip
-);
-
-/*
- * nss_GetThreadPrivate
- *
- */
-
-NSS_EXTERN void *
-nss_GetThreadPrivate
-(
- PRUintn i
-);
-
-/*
- * nss_SetThreadPrivate
- *
- */
-
-NSS_EXTERN void
-nss_SetThreadPrivate
-(
- PRUintn i,
- void *v
-);
-
-
-PR_END_EXTERN_C
-
-#endif /* BASE_H */
diff --git a/security/nss/lib/base/baset.h b/security/nss/lib/base/baset.h
deleted file mode 100644
index b0e676fc2..000000000
--- a/security/nss/lib/base/baset.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef BASET_H
-#define BASET_H
-
-#ifdef DEBUG
-static const char BASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * baset.h
- *
- * This file contains definitions for the basic types used throughout
- * nss but not available publicly.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#include "plhash.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nssArenaMark
- *
- * This type is used to mark the current state of an NSSArena.
- */
-
-struct nssArenaMarkStr;
-typedef struct nssArenaMarkStr nssArenaMark;
-
-#ifdef DEBUG
-/*
- * ARENA_THREADMARK
- *
- * Optionally, this arena implementation can be compiled with some
- * runtime checking enabled, which will catch the situation where
- * one thread "marks" the arena, another thread allocates memory,
- * and then the mark is released. Usually this is a surprise to
- * the second thread, and this leads to weird runtime errors.
- * Define ARENA_THREADMARK to catch these cases; we define it for all
- * (internal and external) debug builds.
- */
-#define ARENA_THREADMARK
-
-/*
- * ARENA_DESTRUCTOR_LIST
- *
- * Unfortunately, our pointer-tracker facility, used in debug
- * builds to agressively fight invalid pointers, requries that
- * pointers be deregistered when objects are destroyed. This
- * conflicts with the standard arena usage where "memory-only"
- * objects (that don't hold onto resources outside the arena)
- * can be allocated in an arena, and never destroyed other than
- * when the arena is destroyed. Therefore we have added a
- * destructor-registratio facility to our arenas. This was not
- * a simple decision, since we're getting ever-further away from
- * the original arena philosophy. However, it was felt that
- * adding this in debug builds wouldn't be so bad; as it would
- * discourage them from being used for "serious" purposes.
- * This facility requires ARENA_THREADMARK to be defined.
- */
-#ifdef ARENA_THREADMARK
-#define ARENA_DESTRUCTOR_LIST
-#endif /* ARENA_THREADMARK */
-
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker
- *
- * This type is used in debug builds (both external and internal) to
- * track our object pointers. Objects of this type must be statically
- * allocated, which means the structure size must be available to the
- * compiler. Therefore we must expose the contents of this structure.
- * But please don't access elements directly; use the accessors.
- */
-
-#ifdef DEBUG
-struct nssPointerTrackerStr {
- PRCallOnceType once;
- PRLock *lock;
- PLHashTable *table;
-};
-typedef struct nssPointerTrackerStr nssPointerTracker;
-#endif /* DEBUG */
-
-/*
- * nssStringType
- *
- * There are several types of strings in the real world. We try to
- * use only UTF8 and avoid the rest, but that's not always possible.
- * So we have a couple converter routines to go to and from the other
- * string types. We have to be able to specify those string types,
- * so we have this enumeration.
- */
-
-enum nssStringTypeEnum {
- nssStringType_DirectoryString,
- nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
- nssStringType_PrintableString,
- nssStringType_UniversalString,
- nssStringType_BMPString,
- nssStringType_UTF8String,
- nssStringType_PHGString,
- nssStringType_GeneralString,
-
- nssStringType_Unknown = -1
-};
-typedef enum nssStringTypeEnum nssStringType;
-
-PR_END_EXTERN_C
-
-#endif /* BASET_H */
diff --git a/security/nss/lib/base/config.mk b/security/nss/lib/base/config.mk
deleted file mode 100644
index 80b3135f4..000000000
--- a/security/nss/lib/base/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c
deleted file mode 100644
index d3b44c7a0..000000000
--- a/security/nss/lib/base/error.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * error.c
- *
- * This file contains the code implementing the per-thread error
- * stacks upon which most NSS routines report their errors.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * The stack itself has a header, and a sequence of integers.
- * The header records the amount of space (as measured in stack
- * slots) already allocated for the stack, and the count of the
- * number of records currently being used.
- */
-
-struct stack_header_str {
- PRUint16 space;
- PRUint16 count;
-};
-
-struct error_stack_str {
- struct stack_header_str header;
- PRInt32 stack[1];
-};
-typedef struct error_stack_str error_stack;
-
-/*
- * error_stack_index
- *
- * Thread-private data must be indexed. This is that index.
- * See PR_NewThreadPrivateIndex for more information.
- */
-
-static PRUintn error_stack_index;
-
-/*
- * call_once
- *
- * The thread-private index must be obtained (once!) at runtime.
- * This block is used for that one-time call.
- */
-
-static PRCallOnceType error_call_once;
-
-/*
- * error_once_function
- *
- * This is the once-called callback.
- */
-
-static PRStatus
-error_once_function
-(
- void
-)
-{
- return nss_NewThreadPrivateIndex(&error_stack_index);
- /* return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free); */
-}
-
-/*
- * error_get_my_stack
- *
- * This routine returns the calling thread's error stack, creating
- * it if necessary. It may return NULL upon error, which implicitly
- * means that it ran out of memory.
- */
-
-static error_stack *
-error_get_my_stack
-(
- void
-)
-{
- PRStatus st;
- error_stack *rv;
- PRUintn new_size;
- PRUint32 new_bytes;
- error_stack *new_stack;
-
- if( 0 == error_stack_index ) {
- st = PR_CallOnce(&error_call_once, error_once_function);
- if( PR_SUCCESS != st ) {
- return (error_stack *)NULL;
- }
- }
-
- rv = (error_stack *)nss_GetThreadPrivate(error_stack_index);
- if( (error_stack *)NULL == rv ) {
- /* Doesn't exist; create one */
- new_size = 16;
- } else {
- if( rv->header.count == rv->header.space ) {
- /* Too small, expand it */
- new_size = rv->header.space + 16;
- } else {
- /* Okay, return it */
- return rv;
- }
- }
-
- new_bytes = (new_size * sizeof(PRInt32)) +
- sizeof(struct stack_header_str);
- /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
- if( (error_stack *)NULL == rv ) {
- new_stack = PR_Calloc(1, new_bytes);
- } else {
- new_stack = PR_Realloc(rv, new_bytes);
- }
-
- if( (error_stack *)NULL != new_stack ) {
- new_stack->header.space = new_size;
- }
-
- /* Set the value, whether or not the allocation worked */
- nss_SetThreadPrivate(error_stack_index, new_stack);
- return new_stack;
-}
-
-/*
- * The error stack
- *
- * The public methods relating to the error stack are:
- *
- * NSS_GetError
- * NSS_GetErrorStack
- *
- * The nonpublic methods relating to the error stack are:
- *
- * nss_SetError
- * nss_ClearErrorStack
- *
- */
-
-/*
- * NSS_GetError
- *
- * This routine returns the highest-level (most general) error set
- * by the most recent NSS library routine called by the same thread
- * calling this routine.
- *
- * This routine cannot fail. However, it may return zero, which
- * indicates that the previous NSS library call did not set an error.
- *
- * Return value:
- * 0 if no error has been set
- * A nonzero error number
- */
-
-NSS_IMPLEMENT PRInt32
-NSS_GetError
-(
- void
-)
-{
- error_stack *es = error_get_my_stack();
-
- if( (error_stack *)NULL == es ) {
- return NSS_ERROR_NO_MEMORY; /* Good guess! */
- }
-
- if( 0 == es->header.count ) {
- return 0;
- }
-
- return es->stack[ es->header.count-1 ];
-}
-
-/*
- * NSS_GetErrorStack
- *
- * This routine returns a pointer to an array of integers, containing
- * the entire sequence or "stack" of errors set by the most recent NSS
- * library routine called by the same thread calling this routine.
- * NOTE: the caller DOES NOT OWN the memory pointed to by the return
- * value. The pointer will remain valid until the calling thread
- * calls another NSS routine. The lowest-level (most specific) error
- * is first in the array, and the highest-level is last. The array is
- * zero-terminated. This routine may return NULL upon error; this
- * indicates a low-memory situation.
- *
- * Return value:
- * NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
- * A NON-caller-owned pointer to an array of integers
- */
-
-NSS_IMPLEMENT PRInt32 *
-NSS_GetErrorStack
-(
- void
-)
-{
- error_stack *es = error_get_my_stack();
-
- if( (error_stack *)NULL == es ) {
- return (PRInt32 *)NULL;
- }
-
- /* Make sure it's terminated */
- es->stack[ es->header.count ] = 0;
-
- return es->stack;
-}
-
-/*
- * nss_SetError
- *
- * This routine places a new error code on the top of the calling
- * thread's error stack. Calling this routine wiht an error code
- * of zero will clear the error stack.
- */
-
-NSS_IMPLEMENT void
-nss_SetError
-(
- PRUint32 error
-)
-{
- error_stack *es;
-
- if( 0 == error ) {
- nss_ClearErrorStack();
- return;
- }
-
- es = error_get_my_stack();
- if( (error_stack *)NULL == es ) {
- /* Oh, well. */
- return;
- }
-
- es->stack[ es->header.count ] = error;
- es->header.count++;
- return;
-}
-
-/*
- * nss_ClearErrorStack
- *
- * This routine clears the calling thread's error stack.
- */
-
-NSS_IMPLEMENT void
-nss_ClearErrorStack
-(
- void
-)
-{
- error_stack *es = error_get_my_stack();
- if( (error_stack *)NULL == es ) {
- /* Oh, well. */
- return;
- }
-
- es->header.count = 0;
- es->stack[0] = 0;
- return;
-}
diff --git a/security/nss/lib/base/errorval.c b/security/nss/lib/base/errorval.c
deleted file mode 100644
index 5c8835726..000000000
--- a/security/nss/lib/base/errorval.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * errorval.c
- *
- * This file contains the actual error constants used in NSS.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-const NSSError NSS_ERROR_NO_ERROR = 0;
-const NSSError NSS_ERROR_INTERNAL_ERROR = 1;
-const NSSError NSS_ERROR_NO_MEMORY = 2;
-const NSSError NSS_ERROR_INVALID_POINTER = 3;
-const NSSError NSS_ERROR_INVALID_ARENA = 4;
-const NSSError NSS_ERROR_INVALID_ARENA_MARK = 5;
-const NSSError NSS_ERROR_DUPLICATE_POINTER = 6;
-const NSSError NSS_ERROR_POINTER_NOT_REGISTERED = 7;
-const NSSError NSS_ERROR_TRACKER_NOT_EMPTY = 8;
-const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED = 9;
-const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD = 10;
-const NSSError NSS_ERROR_VALUE_TOO_LARGE = 11;
-const NSSError NSS_ERROR_UNSUPPORTED_TYPE = 12;
-const NSSError NSS_ERROR_BUFFER_TOO_SHORT = 13;
-const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT = 14;
-const NSSError NSS_ERROR_INVALID_BASE64 = 15;
-const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT = 16;
-const NSSError NSS_ERROR_INVALID_ITEM = 17;
-const NSSError NSS_ERROR_INVALID_STRING = 18;
-const NSSError NSS_ERROR_INVALID_ASN1ENCODER = 19;
-const NSSError NSS_ERROR_INVALID_ASN1DECODER = 20;
-
-const NSSError NSS_ERROR_INVALID_BER = 21;
-const NSSError NSS_ERROR_INVALID_ATAV = 22;
-const NSSError NSS_ERROR_INVALID_ARGUMENT = 23;
-const NSSError NSS_ERROR_INVALID_UTF8 = 24;
-const NSSError NSS_ERROR_INVALID_NSSOID = 25;
-const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE = 26;
-
-const NSSError NSS_ERROR_NOT_FOUND = 27;
diff --git a/security/nss/lib/base/hashops.c b/security/nss/lib/base/hashops.c
deleted file mode 100644
index bd2de9a9c..000000000
--- a/security/nss/lib/base/hashops.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * hashops.c
- *
- * This file includes a set of PLHashAllocOps that use NSSArenas.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-static PR_CALLBACK void *
-nss_arena_hash_alloc_table
-(
- void *pool,
- PRSize size
-)
-{
- NSSArena *arena = (NSSArena *)pool;
-
-#ifdef NSSDEBUG
- if( (void *)NULL != arena ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return (void *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- return nss_ZAlloc(arena, size);
-}
-
-static PR_CALLBACK void
-nss_arena_hash_free_table
-(
- void *pool,
- void *item
-)
-{
- (void)nss_ZFreeIf(item);
-}
-
-static PR_CALLBACK PLHashEntry *
-nss_arena_hash_alloc_entry
-(
- void *pool,
- const void *key
-)
-{
- NSSArena *arena = (NSSArena *)pool;
-
-#ifdef NSSDEBUG
- if( (void *)NULL != arena ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- return (void *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- return nss_ZNEW(arena, PLHashEntry);
-}
-
-static PR_CALLBACK void
-nss_arena_hash_free_entry
-(
- void *pool,
- PLHashEntry *he,
- PRUintn flag
-)
-{
- if( HT_FREE_ENTRY == flag ) {
- (void)nss_ZFreeIf(he);
- }
-}
-
-NSS_IMPLEMENT_DATA PLHashAllocOps
-nssArenaHashAllocOps = {
- nss_arena_hash_alloc_table,
- nss_arena_hash_free_table,
- nss_arena_hash_alloc_entry,
- nss_arena_hash_free_entry
-};
diff --git a/security/nss/lib/base/item.c b/security/nss/lib/base/item.c
deleted file mode 100644
index 073e437d3..000000000
--- a/security/nss/lib/base/item.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * item.c
- *
- * This contains some item-manipulation code.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * nssItem_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSItem *
-nssItem_Create
-(
- NSSArena *arenaOpt,
- NSSItem *rvOpt,
- PRUint32 length,
- const void *data
-)
-{
- NSSItem *rv = (NSSItem *)NULL;
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSItem *)NULL;
- }
- }
-
- if( (const void *)NULL == data ) {
- if( length > 0 ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSItem *)NULL;
- }
- }
-#endif /* DEBUG */
-
- if( (NSSItem *)NULL == rvOpt ) {
- rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
- if( (NSSItem *)NULL == rv ) {
- goto loser;
- }
- } else {
- rv = rvOpt;
- }
-
- rv->size = length;
- rv->data = nss_ZAlloc(arenaOpt, length);
- if( (void *)NULL == rv->data ) {
- goto loser;
- }
-
- if( length > 0 ) {
- (void)nsslibc_memcpy(rv->data, data, length);
- }
-
- return rv;
-
- loser:
- if( rv != rvOpt ) {
- nss_ZFreeIf(rv);
- }
-
- return (NSSItem *)NULL;
-}
-
-/*
- * nssItem_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSItem *
-nssItem_Duplicate
-(
- NSSItem *obj,
- NSSArena *arenaOpt,
- NSSItem *rvOpt
-)
-{
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSItem *)NULL;
- }
- }
-
- if( (NSSItem *)NULL == obj ) {
- nss_SetError(NSS_ERROR_INVALID_ITEM);
- return (NSSItem *)NULL;
- }
-#endif /* DEBUG */
-
- return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
-}
-
-#ifdef DEBUG
-/*
- * nssItem_verifyPointer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssItem_verifyPointer
-(
- const NSSItem *item
-)
-{
- if( ((const NSSItem *)NULL == item) ||
- (((void *)NULL == item->data) && (item->size > 0)) ) {
- nss_SetError(NSS_ERROR_INVALID_ITEM);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-/*
- * nssItem_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_TRUE if the items are identical
- * PR_FALSE if they aren't
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssItem_Equal
-(
- const NSSItem *one,
- const NSSItem *two,
- PRStatus *statusOpt
-)
-{
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
- return PR_TRUE;
- }
-
- if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
- return PR_FALSE;
- }
-
- if( one->size != two->size ) {
- return PR_FALSE;
- }
-
- return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
-}
diff --git a/security/nss/lib/base/libc.c b/security/nss/lib/base/libc.c
deleted file mode 100644
index 68ab9d920..000000000
--- a/security/nss/lib/base/libc.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * libc.c
- *
- * This file contains our wrappers/reimplementations for "standard"
- * libc functions. Things like "memcpy." We add to this as we need
- * it. Oh, and let's keep it in alphabetical order, should it ever
- * get large. Most string/character stuff should be in utf8.c, not
- * here. This file (and maybe utf8.c) should be the only ones in
- * NSS to include files with angle brackets.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#include <string.h> /* memcpy, memset */
-
-/*
- * nsslibc_memcpy
- * nsslibc_memset
- * nsslibc_offsetof
- * nsslibc_memequal
- */
-
-/*
- * nsslibc_memcpy
- *
- * Errors:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * NULL on error
- * The destination pointer on success
- */
-
-NSS_IMPLEMENT void *
-nsslibc_memcpy
-(
- void *dest,
- const void *source,
- PRUint32 n
-)
-{
-#ifdef NSSDEBUG
- if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (void *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return memcpy(dest, source, (size_t)n);
-}
-
-/*
- * nsslibc_memset
- *
- * Errors:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * NULL on error
- * The destination pointer on success
- */
-
-NSS_IMPLEMENT void *
-nsslibc_memset
-(
- void *dest,
- PRUint8 byte,
- PRUint32 n
-)
-{
-#ifdef NSSDEBUG
- if( ((void *)NULL == dest) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (void *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return memset(dest, (int)byte, (size_t)n);
-}
-
-/*
- * nsslibc_memequal
- *
- * Errors:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_TRUE if they match
- * PR_FALSE if they don't
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nsslibc_memequal
-(
- const void *a,
- const void *b,
- PRUint32 len,
- PRStatus *statusOpt
-)
-{
-#ifdef NSSDEBUG
- if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- if( 0 == memcmp(a, b, len) ) {
- return PR_TRUE;
- } else {
- return PR_FALSE;
- }
-}
-
-/*
- * nsslibc_memcmp
- */
-
-NSS_IMPLEMENT PRInt32
-nsslibc_memcmp
-(
- const void *a,
- const void *b,
- PRUint32 len,
- PRStatus *statusOpt
-)
-{
- int v;
-
-#ifdef NSSDEBUG
- if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return -2;
- }
-#endif /* NSSDEBUG */
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- v = memcmp(a, b, len);
- return (PRInt32)v;
-}
-
-/*
- * offsetof is a preprocessor definition
- */
diff --git a/security/nss/lib/base/manifest.mn b/security/nss/lib/base/manifest.mn
deleted file mode 100644
index 89e64f938..000000000
--- a/security/nss/lib/base/manifest.mn
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
- baset.h \
- base.h \
- $(NULL)
-
-EXPORTS = \
- nssbaset.h \
- nssbase.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- arena.c \
- error.c \
- errorval.c \
- hashops.c \
- libc.c \
- tracker.c \
- utf8.c \
- whatnspr.c \
- $(NULL)
-
-REQUIRES = security nspr
-
-LIBRARY_NAME = nssb
diff --git a/security/nss/lib/base/nssbase.h b/security/nss/lib/base/nssbase.h
deleted file mode 100644
index 3960a7810..000000000
--- a/security/nss/lib/base/nssbase.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSBASE_H
-#define NSSBASE_H
-
-#ifdef DEBUG
-static const char NSSBASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssbase.h
- *
- * This header file contains the prototypes of the basic public
- * NSS routines.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSArena
- *
- * The public methods relating to this type are:
- *
- * NSSArena_Create -- constructor
- * NSSArena_Destroy
- */
-
-/*
- * NSSArena_Create
- *
- * This routine creates a new memory arena. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The top-level error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSArena upon success
- */
-
-NSS_EXTERN NSSArena *
-NSSArena_Create
-(
- void
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The top-level error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSArena_Destroy
-(
- NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-
-/*
- * The error stack
- *
- * The public methods relating to the error stack are:
- *
- * NSS_GetError
- * NSS_GetErrorStack
- */
-
-/*
- * NSS_GetError
- *
- * This routine returns the highest-level (most general) error set
- * by the most recent NSS library routine called by the same thread
- * calling this routine.
- *
- * This routine cannot fail. It may return NSS_ERROR_NO_ERROR, which
- * indicates that the previous NSS library call did not set an error.
- *
- * Return value:
- * 0 if no error has been set
- * A nonzero error number
- */
-
-NSS_EXTERN NSSError
-NSS_GetError
-(
- void
-);
-
-extern const NSSError NSS_ERROR_NO_ERROR;
-
-/*
- * NSS_GetErrorStack
- *
- * This routine returns a pointer to an array of NSSError values,
- * containingthe entire sequence or "stack" of errors set by the most
- * recent NSS library routine called by the same thread calling this
- * routine. NOTE: the caller DOES NOT OWN the memory pointed to by
- * the return value. The pointer will remain valid until the calling
- * thread calls another NSS routine. The lowest-level (most specific)
- * error is first in the array, and the highest-level is last. The
- * array is zero-terminated. This routine may return NULL upon error;
- * this indicates a low-memory situation.
- *
- * Return value:
- * NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
- * A NON-caller-owned pointer to an array of NSSError values
- */
-
-NSS_EXTERN NSSError *
-NSS_GetErrorStack
-(
- void
-);
-
-PR_END_EXTERN_C
-
-#endif /* NSSBASE_H */
diff --git a/security/nss/lib/base/nssbaset.h b/security/nss/lib/base/nssbaset.h
deleted file mode 100644
index 70b269c96..000000000
--- a/security/nss/lib/base/nssbaset.h
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSBASET_H
-#define NSSBASET_H
-
-#ifdef DEBUG
-static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssbaset.h
- *
- * This file contains the most low-level, fundamental public types.
- */
-
-#include "nspr.h"
-
-/*
- * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
- *
- * NSS has its own versions of these NSPR macros, in a form which
- * does not confuse ctags and other related utilities. NSPR
- * defines these macros to take the type as an argument, because
- * of a requirement to support win16 dlls. We do not have that
- * requirement, so we can drop that restriction.
- */
-
-#define NSS_EXTERN PR_EXTERN(/* */)
-#define NSS_IMPLEMENT PR_IMPLEMENT(/* */)
-#define NSS_EXTERN_DATA PR_EXTERN_DATA(/* */)
-#define NSS_IMPLEMENT_DATA PR_IMPLEMENT_DATA(/* */)
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSError
- *
- * Calls to NSS routines may result in one or more errors being placed
- * on the calling thread's "error stack." Every possible error that
- * may be returned from a function is declared where the function is
- * prototyped. All errors are of the following type.
- */
-
-typedef PRInt32 NSSError;
-
-/*
- * NSSArena
- *
- * Arenas are logical sets of heap memory, from which memory may be
- * allocated. When an arena is destroyed, all memory allocated within
- * that arena is implicitly freed. These arenas are thread-safe:
- * an arena pointer may be used by multiple threads simultaneously.
- * However, as they are not backed by shared memory, they may only be
- * used within one process.
- */
-
-struct NSSArenaStr;
-typedef struct NSSArenaStr NSSArena;
-
-/*
- * NSSItem
- *
- * This is the basic type used to refer to an unconstrained datum of
- * arbitrary size.
- */
-
-struct NSSItemStr {
- void *data;
- PRUint32 size;
-};
-typedef struct NSSItemStr NSSItem;
-
-
-/*
- * NSSBER
- *
- * Data packed according to the Basic Encoding Rules of ASN.1.
- */
-
-typedef NSSItem NSSBER;
-
-/*
- * NSSDER
- *
- * Data packed according to the Distinguished Encoding Rules of ASN.1;
- * this form is also known as the Canonical Encoding Rules form (CER).
- */
-
-typedef NSSBER NSSDER;
-
-/*
- * NSSBitString
- *
- * Some ASN.1 types use "bit strings," which are passed around as
- * octet strings but whose length is counted in bits. We use this
- * typedef of NSSItem to point out the occasions when the length
- * is counted in bits, not octets.
- */
-
-typedef NSSItem NSSBitString;
-
-/*
- * NSSUTF8
- *
- * Character strings encoded in UTF-8, as defined by RFC 2279.
- */
-
-typedef PRUint8 NSSUTF8;
-
-/*
- * NSSASCII7
- *
- * Character strings guaranteed to be 7-bit ASCII.
- */
-
-typedef PRUint8 NSSASCII7;
-
-PR_END_EXTERN_C
-
-#endif /* NSSBASET_H */
diff --git a/security/nss/lib/base/tracker.c b/security/nss/lib/base/tracker.c
deleted file mode 100644
index 00d499354..000000000
--- a/security/nss/lib/base/tracker.c
+++ /dev/null
@@ -1,544 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * tracker.c
- *
- * This file contains the code used by the pointer-tracking calls used
- * in the debug builds to catch bad pointers. The entire contents are
- * only available in debug builds (both internal and external builds).
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifdef DEBUG
-
-/*
- * call_once
- *
- * Unfortunately, NSPR's PR_CallOnce function doesn't accept a closure
- * variable. So I have a static version here which does. This code
- * is based on NSPR's, and uses the NSPR function to initialize the
- * required lock.
- */
-
-/*
- * The is the "once block" that's passed to the "real" PR_CallOnce
- * function, to call the local initializer myOnceFunction once.
- */
-static PRCallOnceType myCallOnce;
-
-/*
- * This structure is used by the call_once function to make sure that
- * any "other" threads calling the call_once don't return too quickly,
- * before the initializer has finished.
- */
-static struct {
- PRLock *ml;
- PRCondVar *cv;
-} mod_init;
-
-/*
- * This is the initializer for the above mod_init structure.
- */
-static PRStatus
-myOnceFunction
-(
- void
-)
-{
- mod_init.ml = PR_NewLock();
- if( (PRLock *)NULL == mod_init.ml ) {
- return PR_FAILURE;
- }
-
- mod_init.cv = PR_NewCondVar(mod_init.ml);
- if( (PRCondVar *)NULL == mod_init.cv ) {
- PR_DestroyLock(mod_init.ml);
- mod_init.ml = (PRLock *)NULL;
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * The nss call_once callback takes a closure argument.
- */
-typedef PRStatus (PR_CALLBACK *nssCallOnceFN)(void *arg);
-
-/*
- * NSS's call_once function.
- */
-static PRStatus
-call_once
-(
- PRCallOnceType *once,
- nssCallOnceFN func,
- void *arg
-)
-{
- PRStatus rv;
-
- if( !myCallOnce.initialized ) {
- rv = PR_CallOnce(&myCallOnce, myOnceFunction);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
- }
-
- if( !once->initialized ) {
- if( 0 == PR_AtomicSet(&once->inProgress, 1) ) {
- once->status = (*func)(arg);
- PR_Lock(mod_init.ml);
- once->initialized = 1;
- PR_NotifyAllCondVar(mod_init.cv);
- PR_Unlock(mod_init.ml);
- } else {
- PR_Lock(mod_init.ml);
- while( !once->initialized ) {
- PR_WaitCondVar(mod_init.cv, PR_INTERVAL_NO_TIMEOUT);
- }
- PR_Unlock(mod_init.ml);
- }
- }
-
- return once->status;
-}
-
-/*
- * Now we actually get to my own "call once" payload function.
- * But wait, to create the hash, I need a hash function!
- */
-
-/*
- * identity_hash
- *
- * This static callback is a PLHashFunction as defined in plhash.h
- * It merely returns the value of the object pointer as its hash.
- * There are no possible errors.
- */
-
-static PR_CALLBACK PLHashNumber
-identity_hash
-(
- const void *key
-)
-{
- return (PLHashNumber)key;
-}
-
-/*
- * trackerOnceFunc
- *
- * This function is called once, using the nssCallOnce function above.
- * It creates a new pointer tracker object; initialising its hash
- * table and protective lock.
- */
-
-static PRStatus
-trackerOnceFunc
-(
- void *arg
-)
-{
- nssPointerTracker *tracker = (nssPointerTracker *)arg;
-
- tracker->lock = PR_NewLock();
- if( (PRLock *)NULL == tracker->lock ) {
- return PR_FAILURE;
- }
-
- tracker->table = PL_NewHashTable(0,
- identity_hash,
- PL_CompareValues,
- PL_CompareValues,
- (PLHashAllocOps *)NULL,
- (void *)NULL);
- if( (PLHashTable *)NULL == tracker->table ) {
- PR_DestroyLock(tracker->lock);
- tracker->lock = (PRLock *)NULL;
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_initialize
- *
- * This method is only present in debug builds.
- *
- * This routine initializes an nssPointerTracker object. Note that
- * the object must have been declared *static* to guarantee that it
- * is in a zeroed state initially. This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with
- * the same argument. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. On failure it will set an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_initialize
-(
- nssPointerTracker *tracker
-)
-{
- PRStatus rv = call_once(&tracker->once, trackerOnceFunc, tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- }
-
- return rv;
-}
-
-#ifdef DONT_DESTROY_EMPTY_TABLES
-/* See same #ifdef below */
-/*
- * count_entries
- *
- * This static routine is a PLHashEnumerator, as defined in plhash.h.
- * It merely causes the enumeration function to count the number of
- * entries.
- */
-
-static PR_CALLBACK PRIntn
-count_entries
-(
- PLHashEntry *he,
- PRIntn index,
- void *arg
-)
-{
- return HT_ENUMERATE_NEXT;
-}
-#endif /* DONT_DESTROY_EMPTY_TABLES */
-
-/*
- * zero_once
- *
- * This is a guaranteed zeroed once block. It's used to help clear
- * the tracker.
- */
-
-static const PRCallOnceType zero_once;
-
-/*
- * nssPointerTracker_finalize
- *
- * This method is only present in debug builds.
- *
- * This routine returns the nssPointerTracker object to the pre-
- * initialized state, releasing all resources used by the object.
- * It will *NOT* destroy the objects being tracked by the pointer
- * (should any remain), and therefore cannot be used to "sweep up"
- * remaining objects. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCES. On failure it will set an
- * error on the error stack and return PR_FAILURE. If any objects
- * remain in the tracker when it is finalized, that will be treated
- * as an error.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_TRACKER_NOT_INITIALIZED
- * NSS_ERROR_TRACKER_NOT_EMPTY
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_finalize
-(
- nssPointerTracker *tracker
-)
-{
- PRLock *lock;
- PRIntn count;
-
- if( (nssPointerTracker *)NULL == tracker ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- if( (PRLock *)NULL == tracker->lock ) {
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- lock = tracker->lock;
- PR_Lock(lock);
-
- if( (PLHashTable *)NULL == tracker->table ) {
- PR_Unlock(lock);
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
-#ifdef DONT_DESTROY_EMPTY_TABLES
- /*
- * I changed my mind; I think we don't want this after all.
- * Comments?
- */
- count = PL_HashTableEnumerateEntries(tracker->table,
- count_entries,
- (void *)NULL);
-
- if( 0 != count ) {
- PR_Unlock(lock);
- nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
- return PR_FAILURE;
- }
-#endif /* DONT_DESTROY_EMPTY_TABLES */
-
- PL_HashTableDestroy(tracker->table);
- /* memset(tracker, 0, sizeof(nssPointerTracker)); */
- tracker->once = zero_once;
- tracker->lock = (PRLock *)NULL;
- tracker->table = (PLHashTable *)NULL;
-
- PR_Unlock(lock);
- PR_DestroyLock(lock);
-
- return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_add
- *
- * This method is only present in debug builds.
- *
- * This routine adds the specified pointer to the nssPointerTracker
- * object. It should be called in constructor objects to register
- * new valid objects. The nssPointerTracker is threadsafe, but this
- * call is not idempotent. This routine returns a PRStatus value;
- * if successful it will return PR_SUCCESS. On failure it will set
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_TRACKER_NOT_INITIALIZED
- * NSS_ERROR_DUPLICATE_POINTER
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_add
-(
- nssPointerTracker *tracker,
- const void *pointer
-)
-{
- void *check;
- PLHashEntry *entry;
-
- if( (nssPointerTracker *)NULL == tracker ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- if( (PRLock *)NULL == tracker->lock ) {
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- PR_Lock(tracker->lock);
-
- if( (PLHashTable *)NULL == tracker->table ) {
- PR_Unlock(tracker->lock);
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- check = PL_HashTableLookup(tracker->table, pointer);
- if( (void *)NULL != check ) {
- PR_Unlock(tracker->lock);
- nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
- return PR_FAILURE;
- }
-
- entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
-
- PR_Unlock(tracker->lock);
-
- if( (PLHashEntry *)NULL == entry ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_remove
- *
- * This method is only present in debug builds.
- *
- * This routine removes the specified pointer from the
- * nssPointerTracker object. It does not call any destructor for the
- * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not
- * idempotent. This routine returns a PRStatus value; if successful
- * it will return PR_SUCCESS. On failure it will set an error on the
- * error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_TRACKER_NOT_INITIALIZED
- * NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_remove
-(
- nssPointerTracker *tracker,
- const void *pointer
-)
-{
- PRBool registered;
-
- if( (nssPointerTracker *)NULL == tracker ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- if( (PRLock *)NULL == tracker->lock ) {
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- PR_Lock(tracker->lock);
-
- if( (PLHashTable *)NULL == tracker->table ) {
- PR_Unlock(tracker->lock);
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- registered = PL_HashTableRemove(tracker->table, pointer);
- PR_Unlock(tracker->lock);
-
- if( !registered ) {
- nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_verify
- *
- * This method is only present in debug builds.
- *
- * This routine verifies that the specified pointer has been registered
- * with the nssPointerTracker object. The nssPointerTracker object is
- * threadsafe, and this call may be safely called from multiple threads
- * simultaneously with the same arguments. This routine returns a
- * PRStatus value; if the pointer is registered this will return
- * PR_SUCCESS. Otherwise it will set an error on the error stack and
- * return PR_FAILURE. Although the error is suitable for leaving on
- * the stack, callers may wish to augment the information available by
- * placing a more type-specific error on the stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_TRACKER_NOT_INITIALIZED
- * NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- * PR_SUCCESS
- * PR_FAILRUE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_verify
-(
- nssPointerTracker *tracker,
- const void *pointer
-)
-{
- void *check;
-
- if( (nssPointerTracker *)NULL == tracker ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- if( (PRLock *)NULL == tracker->lock ) {
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- PR_Lock(tracker->lock);
-
- if( (PLHashTable *)NULL == tracker->table ) {
- PR_Unlock(tracker->lock);
- nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
- return PR_FAILURE;
- }
-
- check = PL_HashTableLookup(tracker->table, pointer);
- PR_Unlock(tracker->lock);
-
- if( (void *)NULL == check ) {
- nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
diff --git a/security/nss/lib/base/utf8.c b/security/nss/lib/base/utf8.c
deleted file mode 100644
index 12b3d5d46..000000000
--- a/security/nss/lib/base/utf8.c
+++ /dev/null
@@ -1,759 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * utf8.c
- *
- * This file contains some additional utility routines required for
- * handling UTF8 strings.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#include "plstr.h"
-
-/*
- * NOTES:
- *
- * There's an "is hex string" function in pki1/atav.c. If we need
- * it in more places, pull that one out.
- */
-
-/*
- * nssUTF8_CaseIgnoreMatch
- *
- * Returns true if the two UTF8-encoded strings pointed to by the
- * two specified NSSUTF8 pointers differ only in typcase.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_TRUE if the strings match, ignoring case
- * PR_FALSE if they don't
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssUTF8_CaseIgnoreMatch
-(
- const NSSUTF8 *a,
- const NSSUTF8 *b,
- PRStatus *statusOpt
-)
-{
-#ifdef NSSDEBUG
- if( ((const NSSUTF8 *)NULL == a) ||
- ((const NSSUTF8 *)NULL == b) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- /*
- * XXX fgmr
- *
- * This is, like, so wrong!
- */
- if( 0 == PL_strcasecmp((const char *)a, (const char *)b) ) {
- return PR_TRUE;
- } else {
- return PR_FALSE;
- }
-}
-
-/*
- * nssUTF8_PrintableMatch
- *
- * Returns true if the two Printable strings pointed to by the
- * two specified NSSUTF8 pointers match when compared with the
- * rules for Printable String (leading and trailing spaces are
- * disregarded, extents of whitespace match irregardless of length,
- * and case is not significant), then PR_TRUE will be returned.
- * Otherwise, PR_FALSE will be returned. Upon failure, PR_FALSE
- * will be returned. If the optional statusOpt argument is not
- * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
- * location.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_TRUE if the strings match, ignoring case
- * PR_FALSE if they don't
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssUTF8_PrintableMatch
-(
- const NSSUTF8 *a,
- const NSSUTF8 *b,
- PRStatus *statusOpt
-)
-{
- PRUint8 *c;
- PRUint8 *d;
-
-#ifdef NSSDEBUG
- if( ((const NSSUTF8 *)NULL == a) ||
- ((const NSSUTF8 *)NULL == b) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- c = (PRUint8 *)a;
- d = (PRUint8 *)b;
-
- while( ' ' == *c ) {
- c++;
- }
-
- while( ' ' == *d ) {
- d++;
- }
-
- while( ('\0' != *c) && ('\0' != *d) ) {
- PRUint8 e, f;
-
- e = *c;
- f = *d;
-
- if( ('a' <= e) && (e <= 'z') ) {
- e -= ('a' - 'A');
- }
-
- if( ('a' <= f) && (f <= 'z') ) {
- f -= ('a' - 'A');
- }
-
- if( e != f ) {
- return PR_FALSE;
- }
-
- c++;
- d++;
-
- if( ' ' == *c ) {
- while( ' ' == *c ) {
- c++;
- }
- c--;
- }
-
- if( ' ' == *d ) {
- while( ' ' == *d ) {
- d++;
- }
- d--;
- }
- }
-
- while( ' ' == *c ) {
- c++;
- }
-
- while( ' ' == *d ) {
- d++;
- }
-
- if( *c == *d ) {
- /* And both '\0', btw */
- return PR_TRUE;
- } else {
- return PR_FALSE;
- }
-}
-
-/*
- * nssUTF8_Duplicate
- *
- * This routine duplicates the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer. If the optional arenaOpt argument is
- * not null, the memory required will be obtained from that arena;
- * otherwise, the memory required will be obtained from the heap.
- * A pointer to the new string will be returned. In case of error,
- * an error will be placed on the error stack and NULL will be
- * returned.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_Duplicate
-(
- const NSSUTF8 *s,
- NSSArena *arenaOpt
-)
-{
- NSSUTF8 *rv;
- PRUint32 len;
-
-#ifdef NSSDEBUG
- if( (const NSSUTF8 *)NULL == s ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- len = PL_strlen((const char *)s);
-#ifdef PEDANTIC
- if( '\0' != ((const char *)s)[ len ] ) {
- /* must have wrapped, e.g., too big for PRUint32 */
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
-#endif /* PEDANTIC */
- len++; /* zero termination */
-
- rv = nss_ZAlloc(arenaOpt, len);
- if( (void *)NULL == rv ) {
- return (NSSUTF8 *)NULL;
- }
-
- (void)nsslibc_memcpy(rv, s, len);
- return rv;
-}
-
-/*
- * nssUTF8_Size
- *
- * This routine returns the length in bytes (including the terminating
- * null) of the UTF8-encoded string pointed to by the specified
- * NSSUTF8 pointer. Zero is returned on error.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- * 0 on error
- * nonzero length of the string.
- */
-
-NSS_IMPLEMENT PRUint32
-nssUTF8_Size
-(
- const NSSUTF8 *s,
- PRStatus *statusOpt
-)
-{
- PRUint32 sv;
-
-#ifdef NSSDEBUG
- if( (const NSSUTF8 *)NULL == s ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return 0;
- }
-#endif /* NSSDEBUG */
-
- sv = PL_strlen((const char *)s) + 1;
-#ifdef PEDANTIC
- if( '\0' != ((const char *)s)[ sv-1 ] ) {
- /* wrapped */
- nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return 0;
- }
-#endif /* PEDANTIC */
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- return sv;
-}
-
-/*
- * nssUTF8_Length
- *
- * This routine returns the length in characters (not including the
- * terminating null) of the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_VALUE_TOO_LARGE
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * length of the string (which may be zero)
- * 0 on error
- */
-
-NSS_IMPLEMENT PRUint32
-nssUTF8_Length
-(
- const NSSUTF8 *s,
- PRStatus *statusOpt
-)
-{
- PRUint32 l = 0;
- const PRUint8 *c = (const PRUint8 *)s;
-
-#ifdef NSSDEBUG
- if( (const NSSUTF8 *)NULL == s ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- goto loser;
- }
-#endif /* NSSDEBUG */
-
- /*
- * From RFC 2044:
- *
- * UCS-4 range (hex.) UTF-8 octet sequence (binary)
- * 0000 0000-0000 007F 0xxxxxxx
- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
- * 0001 0000-001F FFFF 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
- * 0020 0000-03FF FFFF 111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
- * 0400 0000-7FFF FFFF 1111110x 10xxxxxx ... 10xxxxxx
- */
-
- while( 0 != *c ) {
- PRUint32 incr;
- if( (*c & 0x80) == 0 ) {
- incr = 1;
- } else if( (*c & 0xE0) == 0xC0 ) {
- incr = 2;
- } else if( (*c & 0xF0) == 0xE0 ) {
- incr = 3;
- } else if( (*c & 0xF8) == 0xF0 ) {
- incr = 4;
- } else if( (*c & 0xFC) == 0xF8 ) {
- incr = 5;
- } else if( (*c & 0xFE) == 0xFC ) {
- incr = 6;
- } else {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- goto loser;
- }
-
- l += incr;
-
-#ifdef PEDANTIC
- if( l < incr ) {
- /* Wrapped-- too big */
- nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
- goto loser;
- }
-
- {
- PRUint8 *d;
- for( d = &c[1]; d < &c[incr]; d++ ) {
- if( (*d & 0xC0) != 0xF0 ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- goto loser;
- }
- }
- }
-#endif /* PEDANTIC */
-
- c += incr;
- }
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- return l;
-
- loser:
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return 0;
-}
-
-
-/*
- * nssUTF8_Create
- *
- * This routine creates a UTF8 string from a string in some other
- * format. Some types of string may include embedded null characters,
- * so for them the length parameter must be used. For string types
- * that are null-terminated, the length parameter is optional; if it
- * is zero, it will be ignored. If the optional arena argument is
- * non-null, the memory used for the new string will be obtained from
- * that arena, otherwise it will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following:
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_UNSUPPORTED_TYPE
- *
- * Return value:
- * NULL upon error
- * A non-null pointer to a new UTF8 string otherwise
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR; /* XXX fgmr */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_Create
-(
- NSSArena *arenaOpt,
- nssStringType type,
- const void *inputString,
- PRUint32 size /* in bytes, not characters */
-)
-{
- NSSUTF8 *rv = NULL;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-
- if( (const void *)NULL == inputString ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- switch( type ) {
- case nssStringType_DirectoryString:
- /* This is a composite type requiring BER */
- nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
- break;
- case nssStringType_TeletexString:
- /*
- * draft-ietf-pkix-ipki-part1-11 says in part:
- *
- * In addition, many legacy implementations support names encoded
- * in the ISO 8859-1 character set (Latin1String) but tag them as
- * TeletexString. The Latin1String includes characters used in
- * Western European countries which are not part of the
- * TeletexString charcter set. Implementations that process
- * TeletexString SHOULD be prepared to handle the entire ISO
- * 8859-1 character set.[ISO 8859-1].
- */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_PrintableString:
- /*
- * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
- * This is a subset of ASCII, which is a subset of UTF8.
- * So we can just duplicate the string over.
- */
-
- if( 0 == size ) {
- rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
- } else {
- rv = nss_ZAlloc(arenaOpt, size+1);
- if( (NSSUTF8 *)NULL == rv ) {
- return (NSSUTF8 *)NULL;
- }
-
- (void)nsslibc_memcpy(rv, inputString, size);
- }
-
- break;
- case nssStringType_UniversalString:
- /* 4-byte unicode */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_BMPString:
- /* Base Multilingual Plane of Unicode */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_UTF8String:
- if( 0 == size ) {
- rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
- } else {
- rv = nss_ZAlloc(arenaOpt, size+1);
- if( (NSSUTF8 *)NULL == rv ) {
- return (NSSUTF8 *)NULL;
- }
-
- (void)nsslibc_memcpy(rv, inputString, size);
- }
-
- break;
- case nssStringType_PHGString:
- /*
- * PHGString is an IA5String (with case-insensitive comparisons).
- * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
- * currency symbol.
- */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_GeneralString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
- break;
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT NSSItem *
-nssUTF8_GetEncoding
-(
- NSSArena *arenaOpt,
- NSSItem *rvOpt,
- nssStringType type,
- NSSUTF8 *string
-)
-{
- NSSItem *rv = (NSSItem *)NULL;
- PRStatus status = PR_SUCCESS;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSItem *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSItem *)NULL;
- }
-#endif /* NSSDEBUG */
-
- switch( type ) {
- case nssStringType_DirectoryString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_TeletexString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_PrintableString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_UniversalString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_BMPString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- case nssStringType_UTF8String:
- {
- NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
- if( (NSSUTF8 *)NULL == dup ) {
- return (NSSItem *)NULL;
- }
-
- if( (NSSItem *)NULL == rvOpt ) {
- rv = nss_ZNEW(arenaOpt, NSSItem);
- if( (NSSItem *)NULL == rv ) {
- (void)nss_ZFreeIf(dup);
- return (NSSItem *)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- rv->data = dup;
- dup = (NSSUTF8 *)NULL;
- rv->size = nssUTF8_Size(rv->data, &status);
- if( (0 == rv->size) && (PR_SUCCESS != status) ) {
- if( (NSSItem *)NULL == rvOpt ) {
- (void)nss_ZFreeIf(rv);
- }
- return (NSSItem *)NULL;
- }
- }
- break;
- case nssStringType_PHGString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
- break;
- }
-
- return rv;
-}
-
-/*
- * nssUTF8_CopyIntoFixedBuffer
- *
- * This will copy a UTF8 string into a fixed-length buffer, making
- * sure that the all characters are valid. Any remaining space will
- * be padded with the specified ASCII character, typically either
- * null or space.
- *
- * Blah, blah, blah.
- */
-
-NSS_IMPLEMENT PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
- NSSUTF8 *string,
- char *buffer,
- PRUint32 bufferSize,
- char pad
-)
-{
- PRUint32 stringSize = 0;
-
-#ifdef NSSDEBUG
- if( (char *)NULL == buffer ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FALSE;
- }
-
- if( 0 == bufferSize ) {
- nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
- return PR_FALSE;
- }
-
- if( (pad & 0x80) != 0x00 ) {
- nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == string ) {
- string = (unsigned char*) "";
- }
-
- stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
- stringSize--; /* don't count the trailing null */
- if( stringSize > bufferSize ) {
- PRUint32 bs = bufferSize;
- (void)nsslibc_memcpy(buffer, string, bufferSize);
-
- if( ( ((buffer[ bs-1 ] & 0x80) == 0x00)) ||
- ((bs > 1) && ((buffer[ bs-2 ] & 0xE0) == 0xC0)) ||
- ((bs > 2) && ((buffer[ bs-3 ] & 0xF0) == 0xE0)) ||
- ((bs > 3) && ((buffer[ bs-4 ] & 0xF8) == 0xF0)) ||
- ((bs > 4) && ((buffer[ bs-5 ] & 0xFC) == 0xF8)) ||
- ((bs > 5) && ((buffer[ bs-6 ] & 0xFE) == 0xFC)) ) {
- /* It fit exactly */
- return PR_SUCCESS;
- }
-
- /* Too long. We have to trim the last character */
- for( bs; bs > 0; bs-- ) {
- if( (buffer[bs-1] & 0xC0) != 0x80 ) {
- buffer[bs-1] = pad;
- break;
- } else {
- buffer[bs-1] = pad;
- }
- }
- } else {
- (void)nsslibc_memset(buffer, pad, bufferSize);
- (void)nsslibc_memcpy(buffer, string, stringSize);
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nssUTF8_Equal
- *
- */
-
-NSS_IMPLEMENT PRBool
-nssUTF8_Equal
-(
- const NSSUTF8 *a,
- const NSSUTF8 *b,
- PRStatus *statusOpt
-)
-{
- PRUint32 la, lb;
-
-#ifdef NSSDEBUG
- if( ((const NSSUTF8 *)NULL == a) ||
- ((const NSSUTF8 *)NULL == b) ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- la = nssUTF8_Size(a, statusOpt);
- if( 0 == la ) {
- return PR_FALSE;
- }
-
- lb = nssUTF8_Size(b, statusOpt);
- if( 0 == lb ) {
- return PR_FALSE;
- }
-
- if( la != lb ) {
- return PR_FALSE;
- }
-
- return nsslibc_memequal(a, b, la, statusOpt);
-}
diff --git a/security/nss/lib/base/whatnspr.c b/security/nss/lib/base/whatnspr.c
deleted file mode 100644
index e82c34166..000000000
--- a/security/nss/lib/base/whatnspr.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This file isolates us from differences in NSPR versions.
- * We have to detect the library with which we're running at
- * runtime, and switch behaviours there. This lets us do
- * stuff like load cryptoki modules in Communicator.
- *
- * Hey, it's the PORT layer all over again!
- */
-
-static int whatnspr = 0;
-
-static int
-set_whatnspr
-(
- void
-)
-{
- /*
- * The only runtime difference I could find was the
- * return value of PR_dtoa. We can't just look for
- * a symbol in NSPR >=2, because it'll always be
- * found (because we compile against NSPR >=2).
- * Maybe we could look for a symbol merely in NSPR 1?
- *
- */
-
- char buffer[64];
- int decpt = 0, sign = 0;
- char *rve = (char *)0;
- /* extern int PR_dtoa(double, int, int, int *, int *, char **, char *, int); */
- int r = (int)PR_dtoa((double)1.0, 0, 5, &decpt, &sign, &rve,
- buffer, sizeof(buffer));
-
- switch( r ) {
- case 0:
- case -1:
- whatnspr = 2;
- /*
- * If we needed to, *now* we could look up "libVersionPoint"
- * and get more data there.. except all current NSPR's (up
- * to NSPR 4.x at time of writing) still say 2 in their
- * version structure.
- */
- break;
- default:
- whatnspr = 1;
- break;
- }
-
- return whatnspr;
-}
-
-#define WHATNSPR (whatnspr ? whatnspr : set_whatnspr())
-
-NSS_IMPLEMENT PRStatus
-nss_NewThreadPrivateIndex
-(
- PRUintn *ip
-)
-{
- switch( WHATNSPR ) {
- case 1:
- {
- PRLibrary *l = (PRLibrary *)0;
- void *f = PR_FindSymbolAndLibrary("PR_NewThreadPrivateID", &l);
- typedef PRInt32 (*ntpt)(void);
- ntpt ntp = (ntpt) f;
-
- PR_ASSERT((void *)0 != f);
-
- *ip = ntp();
- return PR_SUCCESS;
- }
- case 2:
- default:
- return PR_NewThreadPrivateIndex(ip, NULL);
- }
-}
-
-NSS_IMPLEMENT void *
-nss_GetThreadPrivate
-(
- PRUintn i
-)
-{
- switch( WHATNSPR ) {
- case 1:
- {
- PRLibrary *l = (PRLibrary *)0;
- void *f = PR_FindSymbolAndLibrary("PR_GetThreadPrivate", &l);
- typedef void *(*gtpt)(PRThread *, PRInt32);
- gtpt gtp = (gtpt) f;
-
- PR_ASSERT((void *)0 != f);
-
- return gtp(PR_CurrentThread(), i);
- }
- case 2:
- default:
- return PR_GetThreadPrivate(i);
- }
-}
-
-NSS_IMPLEMENT void
-nss_SetThreadPrivate
-(
- PRUintn i,
- void *v
-)
-{
- switch( WHATNSPR ) {
- case 1:
- {
- PRLibrary *l = (PRLibrary *)0;
- void *f = PR_FindSymbolAndLibrary("PR_SetThreadPrivate", &l);
- typedef PRStatus (*stpt)(PRThread *, PRInt32, void *);
- stpt stp = (stpt) f;
-
- PR_ASSERT((void *)0 != f);
-
- (void)stp(PR_CurrentThread(), i, v);
- return;
- }
- case 2:
- default:
- (void)PR_SetThreadPrivate(i, v);
- return;
- }
-}
diff --git a/security/nss/lib/certdb/.cvsignore b/security/nss/lib/certdb/.cvsignore
deleted file mode 100644
index ec60123e5..000000000
--- a/security/nss/lib/certdb/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-nscertinit.c
diff --git a/security/nss/lib/certdb/Makefile b/security/nss/lib/certdb/Makefile
deleted file mode 100644
index 12eff17ab..000000000
--- a/security/nss/lib/certdb/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
deleted file mode 100644
index f9b2c7ae5..000000000
--- a/security/nss/lib/certdb/alg1485.c
+++ /dev/null
@@ -1,953 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cert.h"
-#include "xconst.h"
-#include "genname.h"
-#include "secitem.h"
-#include "secerr.h"
-
-struct NameToKind {
- char *name;
- SECOidTag kind;
-};
-
-static struct NameToKind name2kinds[] = {
- { "CN", SEC_OID_AVA_COMMON_NAME, },
- { "ST", SEC_OID_AVA_STATE_OR_PROVINCE, },
- { "OU", SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, },
- { "DC", SEC_OID_AVA_DC, },
- { "C", SEC_OID_AVA_COUNTRY_NAME, },
- { "O", SEC_OID_AVA_ORGANIZATION_NAME, },
- { "L", SEC_OID_AVA_LOCALITY, },
- { "dnQualifier", SEC_OID_AVA_DN_QUALIFIER, },
- { "E", SEC_OID_PKCS9_EMAIL_ADDRESS, },
- { "UID", SEC_OID_RFC1274_UID, },
- { "MAIL", SEC_OID_RFC1274_MAIL, },
- { 0, SEC_OID_UNKNOWN },
-};
-
-#define C_DOUBLE_QUOTE '\042'
-
-#define C_BACKSLASH '\134'
-
-#define C_EQUAL '='
-
-#define OPTIONAL_SPACE(c) \
- (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
-
-#define SPECIAL_CHAR(c) \
- (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) || \
- ((c) == '\r') || ((c) == '\n') || ((c) == '+') || \
- ((c) == '<') || ((c) == '>') || ((c) == '#') || \
- ((c) == ';') || ((c) == C_BACKSLASH))
-
-
-
-
-
-
-
-#if 0
-/*
-** Find the start and end of a <string>. Strings can be wrapped in double
-** quotes to protect special characters.
-*/
-static int BracketThing(char **startp, char *end, char *result)
-{
- char *start = *startp;
- char c;
-
- /* Skip leading white space */
- while (start < end) {
- c = *start++;
- if (!OPTIONAL_SPACE(c)) {
- start--;
- break;
- }
- }
- if (start == end) return 0;
-
- switch (*start) {
- case '#':
- /* Process hex thing */
- start++;
- *startp = start;
- while (start < end) {
- c = *start++;
- if (((c >= '0') && (c <= '9')) ||
- ((c >= 'a') && (c <= 'f')) ||
- ((c >= 'A') && (c <= 'F'))) {
- continue;
- }
- break;
- }
- rv = IS_HEX;
- break;
-
- case C_DOUBLE_QUOTE:
- start++;
- *startp = start;
- while (start < end) {
- c = *start++;
- if (c == C_DOUBLE_QUOTE) {
- break;
- }
- *result++ = c;
- }
- rv = IS_STRING;
- break;
-
- default:
- while (start < end) {
- c = *start++;
- if (SPECIAL_CHAR(c)) {
- start--;
- break;
- }
- *result++ = c;
- }
- rv = IS_STRING;
- break;
- }
-
- /* Terminate result string */
- *result = 0;
- return start;
-}
-
-static char *BracketSomething(char **startp, char* end, int spacesOK)
-{
- char *start = *startp;
- char c;
- int stopAtDQ;
-
- /* Skip leading white space */
- while (start < end) {
- c = *start;
- if (!OPTIONAL_SPACE(c)) {
- break;
- }
- start++;
- }
- if (start == end) return 0;
- stopAtDQ = 0;
- if (*start == C_DOUBLE_QUOTE) {
- stopAtDQ = 1;
- }
-
- /*
- ** Find the end of the something. The something is terminated most of
- ** the time by a space. However, if spacesOK is true then it is
- ** terminated by a special character only.
- */
- *startp = start;
- while (start < end) {
- c = *start;
- if (stopAtDQ) {
- if (c == C_DOUBLE_QUOTE) {
- *start = ' ';
- break;
- }
- } else {
- if (SPECIAL_CHAR(c)) {
- break;
- }
- if (!spacesOK && OPTIONAL_SPACE(c)) {
- break;
- }
- }
- start++;
- }
- return start;
-}
-#endif
-
-#define IS_PRINTABLE(c) \
- ((((c) >= 'a') && ((c) <= 'z')) || \
- (((c) >= 'A') && ((c) <= 'Z')) || \
- (((c) >= '0') && ((c) <= '9')) || \
- ((c) == ' ') || \
- ((c) == '\'') || \
- ((c) == '\050') || /* ( */ \
- ((c) == '\051') || /* ) */ \
- (((c) >= '+') && ((c) <= '/')) || /* + , - . / */ \
- ((c) == ':') || \
- ((c) == '=') || \
- ((c) == '?'))
-
-static PRBool
-IsPrintable(unsigned char *data, unsigned len)
-{
- unsigned char ch, *end;
-
- end = data + len;
- while (data < end) {
- ch = *data++;
- if (!IS_PRINTABLE(ch)) {
- return PR_FALSE;
- }
- }
- return PR_TRUE;
-}
-
-static void
-skipSpace(char **pbp, char *endptr)
-{
- char *bp = *pbp;
- while (bp < endptr && OPTIONAL_SPACE(*bp)) {
- bp++;
- }
- *pbp = bp;
-}
-
-static SECStatus
-scanTag(char **pbp, char *endptr, char *tagBuf, int tagBufSize)
-{
- char *bp, *tagBufp;
- int taglen;
-
- PORT_Assert(tagBufSize > 0);
-
- /* skip optional leading space */
- skipSpace(pbp, endptr);
- if (*pbp == endptr) {
- /* nothing left */
- return SECFailure;
- }
-
- /* fill tagBuf */
- taglen = 0;
- bp = *pbp;
- tagBufp = tagBuf;
- while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
- if (++taglen >= tagBufSize) {
- *pbp = bp;
- return SECFailure;
- }
- *tagBufp++ = *bp++;
- }
- /* null-terminate tagBuf -- guaranteed at least one space left */
- *tagBufp++ = 0;
- *pbp = bp;
-
- /* skip trailing spaces till we hit something - should be an equal sign */
- skipSpace(pbp, endptr);
- if (*pbp == endptr) {
- /* nothing left */
- return SECFailure;
- }
- if (**pbp != C_EQUAL) {
- /* should be an equal sign */
- return SECFailure;
- }
- /* skip over the equal sign */
- (*pbp)++;
-
- return SECSuccess;
-}
-
-static SECStatus
-scanVal(char **pbp, char *endptr, char *valBuf, int valBufSize)
-{
- char *bp, *valBufp;
- int vallen;
- PRBool isQuoted;
-
- PORT_Assert(valBufSize > 0);
-
- /* skip optional leading space */
- skipSpace(pbp, endptr);
- if(*pbp == endptr) {
- /* nothing left */
- return SECFailure;
- }
-
- bp = *pbp;
-
- /* quoted? */
- if (*bp == C_DOUBLE_QUOTE) {
- isQuoted = PR_TRUE;
- /* skip over it */
- bp++;
- } else {
- isQuoted = PR_FALSE;
- }
-
- valBufp = valBuf;
- vallen = 0;
- while (bp < endptr) {
- char c = *bp;
- if (c == C_BACKSLASH) {
- /* escape character */
- bp++;
- if (bp >= endptr) {
- /* escape charater must appear with paired char */
- *pbp = bp;
- return SECFailure;
- }
- } else if (!isQuoted && SPECIAL_CHAR(c)) {
- /* unescaped special and not within quoted value */
- break;
- } else if (c == C_DOUBLE_QUOTE) {
- /* reached unescaped double quote */
- break;
- }
- /* append character */
- vallen++;
- if (vallen >= valBufSize) {
- *pbp = bp;
- return SECFailure;
- }
- *valBufp++ = *bp++;
- }
-
- /* stip trailing spaces from unquoted values */
- if (!isQuoted) {
- if (valBufp > valBuf) {
- valBufp--;
- while ((valBufp > valBuf) && OPTIONAL_SPACE(*valBufp)) {
- valBufp--;
- }
- valBufp++;
- }
- }
-
- if (isQuoted) {
- /* insist that we stopped on a double quote */
- if (*bp != C_DOUBLE_QUOTE) {
- *pbp = bp;
- return SECFailure;
- }
- /* skip over the quote and skip optional space */
- bp++;
- skipSpace(&bp, endptr);
- }
-
- *pbp = bp;
-
- if (valBufp == valBuf) {
- /* empty value -- not allowed */
- return SECFailure;
- }
-
- /* null-terminate valBuf -- guaranteed at least one space left */
- *valBufp++ = 0;
-
- return SECSuccess;
-}
-
-CERTAVA *
-CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr,
- PRBool singleAVA)
-{
- CERTAVA *a;
- struct NameToKind *n2k;
- int vt;
- int valLen;
- char *bp;
-
- char tagBuf[32];
- char valBuf[384];
-
- if (scanTag(pbp, endptr, tagBuf, sizeof(tagBuf)) == SECFailure ||
- scanVal(pbp, endptr, valBuf, sizeof(valBuf)) == SECFailure) {
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- return 0;
- }
-
- /* insist that if we haven't finished we've stopped on a separator */
- bp = *pbp;
- if (bp < endptr) {
- if (singleAVA || (*bp != ',' && *bp != ';')) {
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- *pbp = bp;
- return 0;
- }
- /* ok, skip over separator */
- bp++;
- }
- *pbp = bp;
-
- for (n2k = name2kinds; n2k->name; n2k++) {
- if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
- valLen = PORT_Strlen(valBuf);
- if (n2k->kind == SEC_OID_AVA_COUNTRY_NAME) {
- vt = SEC_ASN1_PRINTABLE_STRING;
- if (valLen != 2) {
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- return 0;
- }
- if (!IsPrintable((unsigned char*) valBuf, 2)) {
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- return 0;
- }
- } else if ((n2k->kind == SEC_OID_PKCS9_EMAIL_ADDRESS) ||
- (n2k->kind == SEC_OID_RFC1274_MAIL)) {
- vt = SEC_ASN1_IA5_STRING;
- } else {
- /* Hack -- for rationale see X.520 DirectoryString defn */
- if (IsPrintable((unsigned char*)valBuf, valLen)) {
- vt = SEC_ASN1_PRINTABLE_STRING;
- } else {
- vt = SEC_ASN1_UNIVERSAL_STRING;
- }
- }
- a = CERT_CreateAVA(arena, n2k->kind, vt, (char *) valBuf);
- return a;
- }
- }
- /* matched no kind -- invalid tag */
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- return 0;
-}
-
-static CERTName *
-ParseRFC1485Name(char *buf, int len)
-{
- SECStatus rv;
- CERTName *name;
- char *bp, *e;
- CERTAVA *ava;
- CERTRDN *rdn;
-
- name = CERT_CreateName(NULL);
- if (name == NULL) {
- return NULL;
- }
-
- e = buf + len;
- bp = buf;
- while (bp < e) {
- ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE);
- if (ava == 0) goto loser;
- rdn = CERT_CreateRDN(name->arena, ava, 0);
- if (rdn == 0) goto loser;
- rv = CERT_AddRDN(name, rdn);
- if (rv) goto loser;
- skipSpace(&bp, e);
- }
-
- if (name->rdns[0] == 0) {
- /* empty name -- illegal */
- goto loser;
- }
-
- /* Reverse order of RDNS to comply with RFC */
- {
- CERTRDN **firstRdn;
- CERTRDN **lastRdn;
- CERTRDN *tmp;
-
- /* get first one */
- firstRdn = name->rdns;
-
- /* find last one */
- lastRdn = name->rdns;
- while (*lastRdn) lastRdn++;
- lastRdn--;
-
- /* reverse list */
- for ( ; firstRdn < lastRdn; firstRdn++, lastRdn--) {
- tmp = *firstRdn;
- *firstRdn = *lastRdn;
- *lastRdn = tmp;
- }
- }
-
- /* return result */
- return name;
-
- loser:
- CERT_DestroyName(name);
- return NULL;
-}
-
-CERTName *
-CERT_AsciiToName(char *string)
-{
- CERTName *name;
- name = ParseRFC1485Name(string, PORT_Strlen(string));
- return name;
-}
-
-/************************************************************************/
-
-static SECStatus
-AppendStr(char **bufp, unsigned *buflenp, char *str)
-{
- char *buf;
- unsigned bufLen, bufSize, len;
-
- /* Figure out how much to grow buf by (add in the '\0') */
- buf = *bufp;
- bufLen = *buflenp;
- len = PORT_Strlen(str);
- bufSize = bufLen + len;
- if (buf) {
- buf = (char*) PORT_Realloc(buf, bufSize);
- } else {
- bufSize++;
- buf = (char*) PORT_Alloc(bufSize);
- }
- if (!buf) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- *bufp = buf;
- *buflenp = bufSize;
-
- /* Concatenate str onto buf */
- buf = buf + bufLen;
- if (bufLen) buf--; /* stomp on old '\0' */
- PORT_Memcpy(buf, str, len+1); /* put in new null */
- return SECSuccess;
-}
-
-SECStatus
-CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen)
-{
- int i, reqLen=0;
- char *d = dst;
- PRBool needsQuoting = PR_FALSE;
-
- /* need to make an initial pass to determine if quoting is needed */
- for (i = 0; i < srclen; i++) {
- char c = src[i];
- reqLen++;
- if (SPECIAL_CHAR(c)) {
- /* entirety will need quoting */
- needsQuoting = PR_TRUE;
- }
- if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
- /* this char will need escaping */
- reqLen++;
- }
- }
- /* if it begins or ends in optional space it needs quoting */
- if (srclen > 0 &&
- (OPTIONAL_SPACE(src[srclen-1]) || OPTIONAL_SPACE(src[0]))) {
- needsQuoting = PR_TRUE;
- }
-
- if (needsQuoting) reqLen += 2;
-
- /* space for terminal null */
- reqLen++;
-
- if (reqLen > dstlen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
-
- d = dst;
- if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
- for (i = 0; i < srclen; i++) {
- char c = src[i];
- if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
- /* escape it */
- *d++ = C_BACKSLASH;
- }
- *d++ = c;
- }
- if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
- *d++ = 0;
- return SECSuccess;
-}
-
-static SECStatus
-AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava)
-{
- char *tagName;
- char tmpBuf[384];
- unsigned len, maxLen;
- int lenLen;
- int tag;
- SECStatus rv;
- SECItem *avaValue = NULL;
-
- tag = CERT_GetAVATag(ava);
- switch (tag) {
- case SEC_OID_AVA_COUNTRY_NAME:
- tagName = "C";
- maxLen = 2;
- break;
- case SEC_OID_AVA_ORGANIZATION_NAME:
- tagName = "O";
- maxLen = 64;
- break;
- case SEC_OID_AVA_COMMON_NAME:
- tagName = "CN";
- maxLen = 64;
- break;
- case SEC_OID_AVA_LOCALITY:
- tagName = "L";
- maxLen = 128;
- break;
- case SEC_OID_AVA_STATE_OR_PROVINCE:
- tagName = "ST";
- maxLen = 128;
- break;
- case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
- tagName = "OU";
- maxLen = 64;
- break;
- case SEC_OID_AVA_DC:
- tagName = "DC";
- maxLen = 128;
- break;
- case SEC_OID_AVA_DN_QUALIFIER:
- tagName = "dnQualifier";
- maxLen = 0x7fff;
- break;
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- tagName = "E";
- maxLen = 128;
- break;
- case SEC_OID_RFC1274_UID:
- tagName = "UID";
- maxLen = 256;
- break;
- case SEC_OID_RFC1274_MAIL:
- tagName = "MAIL";
- maxLen = 256;
- break;
- default:
-#if 0
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- return SECFailure;
-#else
- rv = AppendStr(bufp, buflenp, "ERR=Unknown AVA");
- return rv;
-#endif
- }
-
- avaValue = CERT_DecodeAVAValue(&ava->value);
- if(!avaValue) {
- return SECFailure;
- }
-
- /* Check value length */
- if ((avaValue->len < 2) || (avaValue->len > maxLen)) {
- PORT_SetError(SEC_ERROR_INVALID_AVA);
- return SECFailure;
- }
-
- len = PORT_Strlen(tagName);
- PORT_Memcpy(tmpBuf, tagName, len);
- tmpBuf[len++] = '=';
-
- /* escape and quote as necessary */
- rv = CERT_RFC1485_EscapeAndQuote(tmpBuf+len, sizeof(tmpBuf)-len,
- (char *)avaValue->data, avaValue->len);
- SECITEM_FreeItem(avaValue, PR_TRUE);
- if (rv) return SECFailure;
-
- rv = AppendStr(bufp, buflenp, tmpBuf);
- return rv;
-}
-
-char *
-CERT_NameToAscii(CERTName *name)
-{
- SECStatus rv;
- CERTRDN** rdns;
- CERTRDN** lastRdn;
- CERTRDN** rdn;
- CERTAVA** avas;
- CERTAVA* ava;
- PRBool first = PR_TRUE;
- char *buf = NULL;
- unsigned buflen = 0;
-
- rdns = name->rdns;
- if (rdns == NULL) {
- return NULL;
- }
-
- /* find last RDN */
- lastRdn = rdns;
- while (*lastRdn) lastRdn++;
- lastRdn--;
-
- /*
- * Loop over name contents in _reverse_ RDN order appending to string
- */
- for (rdn = lastRdn; rdn >= rdns; rdn--) {
- avas = (*rdn)->avas;
- while ((ava = *avas++) != NULL) {
- /* Put in comma separator */
- if (!first) {
- rv = AppendStr(&buf, &buflen, ", ");
- if (rv) goto loser;
- } else {
- first = PR_FALSE;
- }
-
- /* Add in tag type plus value into buf */
- rv = AppendAVA(&buf, &buflen, ava);
- if (rv) goto loser;
- }
- }
- return buf;
- loser:
- PORT_Free(buf);
- return NULL;
-}
-
-/*
- * Return the string representation of a DER encoded distinguished name
- * "dername" - The DER encoded name to convert
- */
-char *
-CERT_DerNameToAscii(SECItem *dername)
-{
- int rv;
- PRArenaPool *arena = NULL;
- CERTName name;
- char *retstr = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( arena == NULL) {
- goto loser;
- }
-
- rv = SEC_ASN1DecodeItem(arena, &name, CERT_NameTemplate, dername);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- retstr = CERT_NameToAscii(&name);
-
-loser:
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(retstr);
-}
-
-static char *
-CERT_GetNameElement(CERTName *name, int wantedTag)
-{
- CERTRDN** rdns;
- CERTRDN *rdn;
- CERTAVA** avas;
- CERTAVA* ava;
- char *buf = 0;
- int tag;
- SECItem *decodeItem = NULL;
-
- rdns = name->rdns;
- while ((rdn = *rdns++) != 0) {
- avas = rdn->avas;
- while ((ava = *avas++) != 0) {
- tag = CERT_GetAVATag(ava);
- if ( tag == wantedTag ) {
- decodeItem = CERT_DecodeAVAValue(&ava->value);
- if(!decodeItem) {
- return NULL;
- }
- buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
- if ( buf ) {
- PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
- buf[decodeItem->len] = 0;
- }
- SECITEM_FreeItem(decodeItem, PR_TRUE);
- goto done;
- }
- }
- }
-
- done:
- return buf;
-}
-
-char *
-CERT_GetCertificateEmailAddress(CERTCertificate *cert)
-{
- char *rawEmailAddr = NULL;
- char *emailAddr = NULL;
- SECItem subAltName;
- SECStatus rv;
- CERTGeneralName *nameList = NULL;
- CERTGeneralName *current;
- PRArenaPool *arena = NULL;
- int i;
-
- subAltName.data = NULL;
-
- rawEmailAddr = CERT_GetNameElement(&(cert->subject), SEC_OID_PKCS9_EMAIL_ADDRESS);
- if ( rawEmailAddr == NULL ) {
- rawEmailAddr = CERT_GetNameElement(&(cert->subject), SEC_OID_RFC1274_MAIL);
- }
- if ( rawEmailAddr == NULL) {
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, &subAltName);
- if (rv != SECSuccess) {
- goto finish;
- }
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!arena) {
- goto finish;
- }
- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
- if (!nameList ) {
- goto finish;
- }
- if (nameList != NULL) {
- do {
- if (current->type == certDirectoryName) {
- rawEmailAddr = CERT_GetNameElement(&(current->name.directoryName),
- SEC_OID_PKCS9_EMAIL_ADDRESS);
- if ( rawEmailAddr == NULL ) {
- rawEmailAddr = CERT_GetNameElement(&(current->name.directoryName),
- SEC_OID_RFC1274_MAIL);
- }
- } else if (current->type == certRFC822Name) {
- rawEmailAddr = (char*)PORT_ZAlloc(current->name.other.len + 1);
- if (!rawEmailAddr) {
- goto finish;
- }
- PORT_Memcpy(rawEmailAddr, current->name.other.data,
- current->name.other.len);
- rawEmailAddr[current->name.other.len] = '\0';
- }
- if (rawEmailAddr) {
- break;
- }
- current = cert_get_next_general_name(current);
- } while (current != nameList);
- }
- }
- if (rawEmailAddr) {
- emailAddr = (char*)PORT_ArenaZAlloc(cert->arena, PORT_Strlen(rawEmailAddr) + 1);
- for (i = 0; i <= PORT_Strlen(rawEmailAddr); i++) {
- emailAddr[i] = tolower(rawEmailAddr[i]);
- }
- } else {
- emailAddr = NULL;
- }
-
-finish:
- if ( rawEmailAddr ) {
- PORT_Free(rawEmailAddr);
- }
-
- /* Don't free nameList, it's part of the arena. */
-
- if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- if ( subAltName.data ) {
- SECITEM_FreeItem(&subAltName, PR_FALSE);
- }
-
- return(emailAddr);
-}
-
-char *
-CERT_GetCertEmailAddress(CERTName *name)
-{
- char *rawEmailAddr;
- char *emailAddr;
-
-
- rawEmailAddr = CERT_GetNameElement(name, SEC_OID_PKCS9_EMAIL_ADDRESS);
- if ( rawEmailAddr == NULL ) {
- rawEmailAddr = CERT_GetNameElement(name, SEC_OID_RFC1274_MAIL);
- }
- emailAddr = CERT_FixupEmailAddr(rawEmailAddr);
- if ( rawEmailAddr ) {
- PORT_Free(rawEmailAddr);
- }
- return(emailAddr);
-}
-
-char *
-CERT_GetCommonName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_COMMON_NAME));
-}
-
-char *
-CERT_GetCountryName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_COUNTRY_NAME));
-}
-
-char *
-CERT_GetLocalityName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_LOCALITY));
-}
-
-char *
-CERT_GetStateName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_STATE_OR_PROVINCE));
-}
-
-char *
-CERT_GetOrgName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_ORGANIZATION_NAME));
-}
-
-char *
-CERT_GetDomainComponentName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_DC));
-}
-
-char *
-CERT_GetOrgUnitName(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME));
-}
-
-char *
-CERT_GetDnQualifier(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_AVA_DN_QUALIFIER));
-}
-
-char *
-CERT_GetCertUid(CERTName *name)
-{
- return(CERT_GetNameElement(name, SEC_OID_RFC1274_UID));
-}
-
diff --git a/security/nss/lib/certdb/cdbhdl.h b/security/nss/lib/certdb/cdbhdl.h
deleted file mode 100644
index 916f8035d..000000000
--- a/security/nss/lib/certdb/cdbhdl.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * cdbhdl.h - certificate database handle
- * private to the certdb module
- *
- * $Id$
- */
-#ifndef _CDBHDL_H_
-#define _CDBHDL_H_
-
-#include "nspr.h"
-#include "mcom_db.h"
-#include "certt.h"
-
-/*
- * Handle structure for open certificate databases
- */
-struct CERTCertDBHandleStr {
- DB *permCertDB;
- DB *tempCertDB;
- void *spkDigestInfo;
- CERTStatusConfig *statusConfig;
- PRMonitor *dbMon;
-};
-
-#endif
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
deleted file mode 100644
index c12b77489..000000000
--- a/security/nss/lib/certdb/cert.h
+++ /dev/null
@@ -1,1387 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * cert.h - public data structures and prototypes for the certificate library
- *
- * $Id$
- */
-
-#ifndef _CERT_H_
-#define _CERT_H_
-
-#include "plarena.h"
-#include "plhash.h"
-#include "prlong.h"
-#include "prlog.h"
-
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "keyt.h"
-#include "certt.h"
-
-SEC_BEGIN_PROTOS
-
-/****************************************************************************
- *
- * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
- *
- ****************************************************************************/
-
-/*
-** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
-*/
-extern CERTName *CERT_AsciiToName(char *string);
-
-/*
-** Convert an CERTName into its RFC1485 encoded equivalent.
-*/
-extern char *CERT_NameToAscii(CERTName *name);
-
-extern CERTAVA *CERT_CopyAVA(PRArenaPool *arena, CERTAVA *src);
-
-/*
-** Examine an AVA and return the tag that refers to it. The AVA tags are
-** defined as SEC_OID_AVA*.
-*/
-extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
-
-/*
-** Compare two AVA's, returning the difference between them.
-*/
-extern SECComparison CERT_CompareAVA(CERTAVA *a, CERTAVA *b);
-
-/*
-** Create an RDN (relative-distinguished-name). The argument list is a
-** NULL terminated list of AVA's.
-*/
-extern CERTRDN *CERT_CreateRDN(PRArenaPool *arena, CERTAVA *avas, ...);
-
-/*
-** Make a copy of "src" storing it in "dest".
-*/
-extern SECStatus CERT_CopyRDN(PRArenaPool *arena, CERTRDN *dest, CERTRDN *src);
-
-/*
-** Destory an RDN object.
-** "rdn" the RDN to destroy
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyRDN(CERTRDN *rdn, PRBool freeit);
-
-/*
-** Add an AVA to an RDN.
-** "rdn" the RDN to add to
-** "ava" the AVA to add
-*/
-extern SECStatus CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
-
-/*
-** Compare two RDN's, returning the difference between them.
-*/
-extern SECComparison CERT_CompareRDN(CERTRDN *a, CERTRDN *b);
-
-/*
-** Create an X.500 style name using a NULL terminated list of RDN's.
-*/
-extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
-
-/*
-** Make a copy of "src" storing it in "dest". Memory is allocated in
-** "dest" for each of the appropriate sub objects. Memory is not freed in
-** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
-** do that).
-*/
-extern SECStatus CERT_CopyName(PRArenaPool *arena, CERTName *dest, CERTName *src);
-
-/*
-** Destroy a Name object.
-** "name" the CERTName to destroy
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyName(CERTName *name);
-
-/*
-** Add an RDN to a name.
-** "name" the name to add the RDN to
-** "rdn" the RDN to add to name
-*/
-extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
-
-/*
-** Compare two names, returning the difference between them.
-*/
-extern SECComparison CERT_CompareName(CERTName *a, CERTName *b);
-
-/*
-** Convert a CERTName into something readable
-*/
-extern char *CERT_FormatName (CERTName *name);
-
-/*
-** Convert a der-encoded integer to a hex printable string form.
-** Perhaps this should be a SEC function but it's only used for certs.
-*/
-extern char *CERT_Hexify (SECItem *i, int do_colon);
-
-/**************************************************************************************
- *
- * Certificate handling operations
- *
- **************************************************************************************/
-
-/*
-** Create a new validity object given two unix time values.
-** "notBefore" the time before which the validity is not valid
-** "notAfter" the time after which the validity is not valid
-*/
-extern CERTValidity *CERT_CreateValidity(int64 notBefore, int64 notAfter);
-
-/*
-** Destroy a validity object.
-** "v" the validity to destroy
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyValidity(CERTValidity *v);
-
-/*
-** Copy the "src" object to "dest". Memory is allocated in "dest" for
-** each of the appropriate sub-objects. Memory in "dest" is not freed
-** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
-** that).
-*/
-extern SECStatus CERT_CopyValidity
- (PRArenaPool *arena, CERTValidity *dest, CERTValidity *src);
-
-/*
-** Create a new certificate object. The result must be wrapped with an
-** CERTSignedData to create a signed certificate.
-** "serialNumber" the serial number
-** "issuer" the name of the certificate issuer
-** "validity" the validity period of the certificate
-** "req" the certificate request that prompted the certificate issuance
-*/
-extern CERTCertificate *
-CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
- CERTValidity *validity, CERTCertificateRequest *req);
-
-/*
-** Destroy a certificate object
-** "cert" the certificate to destroy
-** NOTE: certificate's are reference counted. This call decrements the
-** reference count, and if the result is zero, then the object is destroyed
-** and optionally freed.
-*/
-extern void CERT_DestroyCertificate(CERTCertificate *cert);
-
-/*
-** Make a shallow copy of a certificate "c". Just increments the
-** reference count on "c".
-*/
-extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
-
-/*
-** Create a new certificate request. This result must be wrapped with an
-** CERTSignedData to create a signed certificate request.
-** "name" the subject name (who the certificate request is from)
-** "spki" describes/defines the public key the certificate is for
-** "attributes" if non-zero, some optional attribute data
-*/
-extern CERTCertificateRequest *
-CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
- SECItem **attributes);
-
-/*
-** Destroy a certificate-request object
-** "r" the certificate-request to destroy
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
-
-/*
-** Extract a public key object from a SubjectPublicKeyInfo
-*/
-extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
-
-/*
- * used to get a public key with Key Material ID. Only used for fortezza V1
- * certificates.
- */
-extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
-
-
-/*
-** Retrieve the Key Type associated with the cert we're dealing with
-*/
-
-extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
-
-/*
-** Initialize the certificate database. This is called to create
-** the initial list of certificates in the database.
-*/
-extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
-
-/*
-** Default certificate database routines
-*/
-extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
-
-extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
-
-extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
- int64 time,
- SECCertUsage usage);
-
-/************************************************************************************
- *
- * X.500 Name handling operations
- *
- ************************************************************************************/
-
-/*
-** Create an AVA (attribute-value-assertion)
-** "arena" the memory arena to alloc from
-** "kind" is one of SEC_OID_AVA_*
-** "valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
-** DER_T61_STRING
-** "value" is the null terminated string containing the value
-*/
-extern CERTAVA *CERT_CreateAVA
- (PRArenaPool *arena, SECOidTag kind, int valueType, char *value);
-
-/*
-** Extract the Distinguished Name from a DER encoded certificate
-** "derCert" is the DER encoded certificate
-** "derName" is the SECItem that the name is returned in
-*/
-extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
-
-/*
-** Extract the Issuers Distinguished Name from a DER encoded certificate
-** "derCert" is the DER encoded certificate
-** "derName" is the SECItem that the name is returned in
-*/
-extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert,
- SECItem *derName);
-
-
-
-/*
-** Generate a database search key for a certificate, based on the
-** issuer and serial number.
-** "arena" the memory arena to alloc from
-** "derCert" the DER encoded certificate
-** "key" the returned key
-*/
-extern SECStatus CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
-
-extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
- SECItem *sn, SECItem *key);
-
-/*
-** Generate a database search key for a crl, based on the
-** issuer.
-** "arena" the memory arena to alloc from
-** "derCrl" the DER encoded crl
-** "key" the returned key
-*/
-extern SECStatus CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key);
-
-/*
-** Open the certificate database. Use callback to get name of database.
-*/
-extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
- CERTDBNameFunc namecb, void *cbarg);
-
-/* Open the certificate database. Use given filename for database. */
-extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
- char *certdbname, PRBool readOnly);
-
-/*
-** Open and initialize a cert database that is entirely in memory. This
-** can be used when the permanent database can not be opened or created.
-*/
-extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
-
-/*
-** Check the hostname to make sure that it matches the shexp that
-** is given in the common name of the certificate.
-*/
-extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
-
-/*
-** Add a domain name to the list of names that the user has explicitly
-** allowed (despite cert name mismatches) for use with a server cert.
-*/
-extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
-
-/*
-** Decode a DER encoded certificate into an CERTCertificate structure
-** "derSignedCert" is the DER encoded signed certificate
-** "copyDER" is true if the DER should be copied, false if the
-** existing copy should be referenced
-** "nickname" is the nickname to use in the database. If it is NULL
-** then a temporary nickname is generated.
-*/
-extern CERTCertificate *
-CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
-/*
-** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
-** "derSignedCrl" is the DER encoded signed crl/krl.
-** "type" is this a CRL or KRL.
-*/
-#define SEC_CRL_TYPE 1
-#define SEC_KRL_TYPE 0
-
-extern CERTSignedCrl *
-CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
-
-/* Validate CRL then import it to the dbase. If there is already a CRL with the
- * same CA in the dbase, it will be replaced if derCRL is more up to date.
- * If the process successes, a CRL will be returned. Otherwise, a NULL will
- * be returned. The caller should call PORT_GetError() for the exactly error
- * code.
- */
-extern CERTSignedCrl *
-CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url,
- int type, void * wincx);
-
-extern void CERT_DestroyCrl (CERTSignedCrl *crl);
-
-/*
-** Decode a certificate and put it into the temporary certificate database
-*/
-extern CERTCertificate *
-CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
- char *nickname, PRBool isperm, PRBool copyDER);
-
-/*
-** Add a certificate to the temporary database.
-** "dbCert" is the certificate from the perm database.
-** "isperm" indicates if the cert is in the permanent database.
-*/
-extern CERTCertificate *
-CERT_AddTempCertificate (CERTCertDBHandle *handle, certDBEntryCert *entry,
- PRBool isperm);
-
-/*
-** Add a temporary certificate to the permanent database.
-** "cert" is the temporary cert
-** "nickname" is the permanent nickname to use
-** "trust" is the certificate trust parameters to assign to the cert
-*/
-extern SECStatus
-CERT_AddTempCertToPerm (CERTCertificate *cert, char *nickname, CERTCertTrust *trust);
-
-/*
-** Find a certificate in the database
-** "key" is the database key to look for
-*/
-extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
-
-/*
- * Lookup a certificate in the databases without locking
- * "certKey" is the database key to look for
- *
- * XXX - this should be internal, but pkcs 11 needs to call it during a
- * traversal.
- */
-CERTCertificate *
-CERT_FindCertByKeyNoLocking(CERTCertDBHandle *handle, SECItem *certKey);
-
-/*
-** Find a certificate in the database by name
-** "name" is the distinguished name to look up
-*/
-extern CERTCertificate *
-CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
-
-/*
-** Find a certificate in the database by name
-** "name" is the distinguished name to look up (in ascii)
-*/
-extern CERTCertificate *
-CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
-
-/*
-** Find a certificate in the database by name and keyid
-** "name" is the distinguished name to look up
-** "keyID" is the value of the subjectKeyID to match
-*/
-extern CERTCertificate *
-CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
-
-/*
-** Generate a certificate key from the issuer and serialnumber, then look it
-** up in the database. Return the cert if found.
-** "issuerAndSN" is the issuer and serial number to look for
-*/
-extern CERTCertificate *
-CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
-
-/*
-** Find a certificate in the database by a nickname
-** "nickname" is the ascii string nickname to look for
-*/
-extern CERTCertificate *
-CERT_FindCertByNickname (CERTCertDBHandle *handle, char *nickname);
-/*
-** Find a certificate in the database by a DER encoded certificate
-** "derCert" is the DER encoded certificate
-*/
-extern CERTCertificate *
-CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
-
-/*
-** Find a certificate in the database by a email address
-** "emailAddr" is the email address to look up
-*/
-CERTCertificate *
-CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
-
-/*
-** Find a certificate in the database by a email address or nickname
-** "name" is the email address or nickname to look up
-*/
-CERTCertificate *
-CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name);
-
-/*
-** Find a certificate in the database by a digest of a subject public key
-** "spkDigest" is the digest to look up
-*/
-extern CERTCertificate *
-CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
-
-/*
- * Find the issuer of a cert
- */
-CERTCertificate *
-CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage);
-
-/*
-** Delete a certificate from the temporary database
-** "cert" is the certificate to be deleted
-*/
-extern SECStatus CERT_DeleteTempCertificate(CERTCertificate *cert);
-
-/*
-** Flush and close the permanent database.
-*/
-extern void CERT_ClosePermCertDB(CERTCertDBHandle *handle);
-
-/*
-** Check the validity times of a certificate vs. time 't', allowing
-** some slop for broken clocks and stuff.
-** "cert" is the certificate to be checked
-** "t" is the time to check against
-** "allowOverride" if true then check to see if the invalidity has
-** been overridden by the user.
-*/
-extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
- int64 t,
- PRBool allowOverride);
-
-/*
-** WARNING - this function is depricated, and will either go away or have
-** a new API in the near future.
-**
-** Check the validity times of a certificate vs. the current time, allowing
-** some slop for broken clocks and stuff.
-** "cert" is the certificate to be checked
-*/
-extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
-
-/*
-** Extract the validity times from a certificate
-** "c" is the certificate
-** "notBefore" is the start of the validity period
-** "notAfter" is the end of the validity period
-*/
-extern SECStatus
-CERT_GetCertTimes (CERTCertificate *c, int64 *notBefore, int64 *notAfter);
-
-/*
-** Extract the issuer and serial number from a certificate
-*/
-extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PRArenaPool *,
- CERTCertificate *);
-
-/*
-** verify the signature of a signed data object with a given certificate
-** "sd" the signed data object to be verified
-** "cert" the certificate to use to check the signature
-*/
-extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
- CERTCertificate *cert,
- int64 t,
- void *wincx);
-
-/*
-** verify a certificate by checking validity times against a certain time,
-** that we trust the issuer, and that the signature on the certificate is
-** valid.
-** "cert" the certificate to verify
-** "checkSig" only check signatures if true
-*/
-extern SECStatus
-CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, int64 t,
- void *wincx, CERTVerifyLog *log);
-
-/* same as above, but uses current time */
-extern SECStatus
-CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, void *wincx);
-
-/*
-** This must only be called on a cert that is known to have an issuer
-** with an invalid time
-*/
-extern CERTCertificate *
-CERT_FindExpiredIssuer (CERTCertDBHandle *handle, CERTCertificate *cert);
-
-/*
-** Read a base64 ascii encoded DER certificate and convert it to our
-** internal format.
-** "certstr" is a null-terminated string containing the certificate
-*/
-extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
-
-/*
-** Read a certificate in some foreign format, and convert it to our
-** internal format.
-** "certbuf" is the buffer containing the certificate
-** "certlen" is the length of the buffer
-** NOTE - currently supports netscape base64 ascii encoded raw certs
-** and netscape binary DER typed files.
-*/
-extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
-
-extern SECStatus
-CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
-
-/*
-** Read a certificate chain in some foreign format, and pass it to a
-** callback function.
-** "certbuf" is the buffer containing the certificate
-** "certlen" is the length of the buffer
-** "f" is the callback function
-** "arg" is the callback argument
-*/
-typedef SECStatus (*CERTImportCertificateFunc)
- (void *arg, SECItem **certs, int numcerts);
-
-extern SECStatus
-CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
- void *arg);
-
-/*
-** Pretty print a certificate in HTML
-** "cert" is the certificate to print
-** "showImages" controls whether or not to use about:security URLs
-** for subject and issuer images. This should only be true
-** in the browser.
-*/
-extern char *CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages,
- PRBool showIssuer);
-
-/*
-** Returns the value of an AVA. This was a formerly static
-** function that has been exposed due to the need to decode
-** and convert unicode strings to UTF8.
-**
-** XXX This function resides in certhtml.c, should it be
-** moved elsewhere?
-*/
-extern SECItem *CERT_DecodeAVAValue(SECItem *derAVAValue);
-
-
-/*
-** extract various element strings from a distinguished name.
-** "name" the distinguished name
-*/
-extern char *CERT_GetCommonName(CERTName *name);
-
-extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
-
-extern char *CERT_GetCertEmailAddress(CERTName *name);
-
-extern char *CERT_GetCommonName(CERTName *name);
-
-extern char *CERT_GetCountryName(CERTName *name);
-
-extern char *CERT_GetLocalityName(CERTName *name);
-
-extern char *CERT_GetStateName(CERTName *name);
-
-extern char *CERT_GetOrgName(CERTName *name);
-
-extern char *CERT_GetOrgUnitName(CERTName *name);
-
-extern char *CERT_GetDomainComponentName(CERTName *name);
-
-extern char *CERT_GetCertUid(CERTName *name);
-
-/* manipulate the trust parameters of a certificate */
-
-extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
-
-extern SECStatus
-CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
- CERTCertTrust *trust);
-
-extern SECStatus
-CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
- SECCertUsage usage);
-
-/*************************************************************************
- *
- * manipulate the extensions of a certificate
- *
- ************************************************************************/
-
-/*
-** Set up a cert for adding X509v3 extensions. Returns an opaque handle
-** used by the next two routines.
-** "cert" is the certificate we are adding extensions to
-*/
-extern void *CERT_StartCertExtensions(CERTCertificate *cert);
-
-/*
-** Add an extension to a certificate.
-** "exthandle" is the handle returned by the previous function
-** "idtag" is the integer tag for the OID that should ID this extension
-** "value" is the value of the extension
-** "critical" is the critical extension flag
-** "copyData" is a flag indicating whether the value data should be
-** copied.
-*/
-extern SECStatus CERT_AddExtension (void *exthandle, int idtag,
- SECItem *value, PRBool critical, PRBool copyData);
-
-extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
- SECItem *value, PRBool critical, PRBool copyData);
-
-extern SECStatus CERT_EncodeAndAddExtension
- (void *exthandle, int idtag, void *value, PRBool critical,
- const SEC_ASN1Template *atemplate);
-
-extern SECStatus CERT_EncodeAndAddBitStrExtension
- (void *exthandle, int idtag, SECItem *value, PRBool critical);
-
-/*
-** Finish adding cert extensions. Does final processing on extension
-** data, putting it in the right format, and freeing any temporary
-** storage.
-** "exthandle" is the handle used to add extensions to a certificate
-*/
-extern SECStatus CERT_FinishExtensions(void *exthandle);
-
-
-/* If the extension is found, return its criticality and value.
-** This allocate storage for the returning extension value.
-*/
-extern SECStatus CERT_GetExtenCriticality
- (CERTCertExtension **extensions, int tag, PRBool *isCritical);
-
-extern void
-CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
-
-/****************************************************************************
- *
- * DER encode and decode extension values
- *
- ****************************************************************************/
-
-/* Encode the value of the basicConstraint extension.
-** arena - where to allocate memory for the encoded value.
-** value - extension value to encode
-** encodedValue - output encoded value
-*/
-extern SECStatus CERT_EncodeBasicConstraintValue
- (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
-
-/*
-** Encode the value of the authorityKeyIdentifier extension.
-*/
-extern SECStatus CERT_EncodeAuthKeyID
- (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
-
-/*
-** Encode the value of the crlDistributionPoints extension.
-*/
-extern SECStatus CERT_EncodeCRLDistributionPoints
- (PRArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
-
-/*
-** Decodes a DER encoded basicConstaint extension value into a readable format
-** value - decoded value
-** encodedValue - value to decoded
-*/
-extern SECStatus CERT_DecodeBasicConstraintValue
- (CERTBasicConstraints *value, SECItem *encodedValue);
-
-/* Decodes a DER encoded authorityKeyIdentifier extension value into a
-** readable format.
-** arena - where to allocate memory for the decoded value
-** encodedValue - value to be decoded
-** Returns a CERTAuthKeyID structure which contains the decoded value
-*/
-extern CERTAuthKeyID *CERT_DecodeAuthKeyID
- (PRArenaPool *arena, SECItem *encodedValue);
-
-
-/* Decodes a DER encoded crlDistributionPoints extension value into a
-** readable format.
-** arena - where to allocate memory for the decoded value
-** der - value to be decoded
-** Returns a CERTCrlDistributionPoints structure which contains the
-** decoded value
-*/
-extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
- (PRArenaPool *arena, SECItem *der);
-
-/* Extract certain name type from a generalName */
-extern void *CERT_GetGeneralNameByType
- (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
-
-
-extern CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem);
-
-
-
-
-/****************************************************************************
- *
- * Find extension values of a certificate
- *
- ***************************************************************************/
-
-extern SECStatus CERT_FindCertExtension
- (CERTCertificate *cert, int tag, SECItem *value);
-
-extern SECStatus CERT_FindNSCertTypeExtension
- (CERTCertificate *cert, SECItem *value);
-
-extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
-
-extern SECStatus CERT_FindIssuerCertExtension
- (CERTCertificate *cert, int tag, SECItem *value);
-
-extern SECStatus CERT_FindCertExtensionByOID
- (CERTCertificate *cert, SECItem *oid, SECItem *value);
-
-extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag,
- int catag);
-
-/* Returns the decoded value of the authKeyID extension.
-** Note that this uses passed in the arena to allocate storage for the result
-*/
-extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PRArenaPool *arena,CERTCertificate *cert);
-
-/* Returns the decoded value of the basicConstraint extension.
- */
-extern SECStatus CERT_FindBasicConstraintExten
- (CERTCertificate *cert, CERTBasicConstraints *value);
-
-/* Returns the decoded value of the crlDistributionPoints extension.
-** Note that the arena in cert is used to allocate storage for the result
-*/
-extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
- (CERTCertificate *cert);
-
-/* Returns value of the keyUsage extension. This uses PR_Alloc to allocate
-** buffer for the decoded value, The caller should free up the storage
-** allocated in value->data.
-*/
-extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert,
- SECItem *value);
-
-/* Return the decoded value of the subjectKeyID extension. The caller should
-** free up the storage allocated in retItem->data.
-*/
-extern SECStatus CERT_FindSubjectKeyIDExten (CERTCertificate *cert,
- SECItem *retItem);
-
-/*
-** If cert is a v3 certificate, and a critical keyUsage extension is included,
-** then check the usage against the extension value. If a non-critical
-** keyUsage extension is included, this will return SECSuccess without
-** checking, since the extension is an advisory field, not a restriction.
-** If cert is not a v3 certificate, this will return SECSuccess.
-** cert - certificate
-** usage - one of the x.509 v3 the Key Usage Extension flags
-*/
-extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert,
- unsigned char usage);
-
-/****************************************************************************
- *
- * CRL v2 Extensions supported routines
- *
- ****************************************************************************/
-
-extern SECStatus CERT_FindCRLExtensionByOID
- (CERTCrl *crl, SECItem *oid, SECItem *value);
-
-extern SECStatus CERT_FindCRLExtension
- (CERTCrl *crl, int tag, SECItem *value);
-
-extern SECStatus
- CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value);
-
-extern void *CERT_StartCRLExtensions (CERTCrl *crl);
-
-extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
- int what, void *wincx);
-
-/*
-** Finds the crlNumber extension and decodes its value into 'value'
-*/
-extern SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value);
-
-extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
-
-extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
-
-extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
- CERTCertificate *c2);
-
-/*
-** Generate an array of the Distinguished Names that the given cert database
-** "trusts"
-*/
-extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
-
-extern void CERT_FreeDistNames(CERTDistNames *names);
-
-/*
-** Generate an array of Distinguished names from an array of nicknames
-*/
-extern CERTDistNames *CERT_DistNamesFromNicknames
- (CERTCertDBHandle *handle, char **nicknames, int nnames);
-
-/*
-** Generate a certificate chain from a certificate.
-*/
-extern CERTCertificateList *
-CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
- PRBool includeRoot);
-
-extern CERTCertificateList *
-CERT_CertListFromCert(CERTCertificate *cert);
-
-extern void CERT_DestroyCertificateList(CERTCertificateList *list);
-
-/* is cert a newer than cert b? */
-PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
-
-typedef SECStatus (* CERTCertCallback)(CERTCertificate *cert, void *arg);
-
-SECStatus
-CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle, SECItem *derSubject,
- CERTCertCallback cb, void *cbarg);
-int
-CERT_NumPermCertsForSubject(CERTCertDBHandle *handle, SECItem *derSubject);
-
-SECStatus
-CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
- CERTCertCallback cb, void *cbarg);
-
-int
-CERT_NumPermCertsForNickname(CERTCertDBHandle *handle, char *nickname);
-
-int
-CERT_NumCertsForCertSubject(CERTCertificate *cert);
-
-int
-CERT_NumPermCertsForCertSubject(CERTCertificate *cert);
-
-SECStatus
-CERT_TraverseCertsForSubject(CERTCertDBHandle *handle,
- CERTSubjectList *subjectList,
- CERTCertCallback cb, void *cbarg);
-
-/* currently a stub for address book */
-PRBool
-CERT_IsCertRevoked(CERTCertificate *cert);
-
-void
-CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
-
-/* convert an email address to lower case */
-char *CERT_FixupEmailAddr(char *emailAddr);
-
-/* decode string representation of trust flags into trust struct */
-SECStatus
-CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts);
-
-/* encode trust struct into string representation of trust flags */
-char *
-CERT_EncodeTrustString(CERTCertTrust *trust);
-
-/* find the next or prev cert in a subject list */
-CERTCertificate *
-CERT_PrevSubjectCert(CERTCertificate *cert);
-CERTCertificate *
-CERT_NextSubjectCert(CERTCertificate *cert);
-
-/*
- * import a collection of certs into the temporary or permanent cert
- * database
- */
-SECStatus
-CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
- unsigned int ncerts, SECItem **derCerts,
- CERTCertificate ***retCerts, PRBool keepCerts,
- PRBool caOnly, char *nickname);
-
-SECStatus
-CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
- PRBool caOnly, char *nickname);
-
-char *
-CERT_MakeCANickname(CERTCertificate *cert);
-
-PRBool
-CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
-
-SECStatus
-CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
- SECItem *profileTime);
-
-/*
- * find the smime symmetric capabilities profile for a given cert
- */
-SECItem *
-CERT_FindSMimeProfile(CERTCertificate *cert);
-
-int
-CERT_GetDBContentVersion(CERTCertDBHandle *handle);
-
-void
-CERT_SetDBContentVersion(int version, CERTCertDBHandle *handle);
-
-SECStatus
-CERT_AddNewCerts(CERTCertDBHandle *handle);
-
-CERTPackageType
-CERT_CertPackageType(SECItem *package, SECItem *certitem);
-
-CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
-
-void
-CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
-
-CERTUserNotice *
-CERT_DecodeUserNotice(SECItem *noticeItem);
-
-void
-CERT_DestroyUserNotice(CERTUserNotice *userNotice);
-
-typedef char * (* CERTPolicyStringCallback)(char *org,
- unsigned long noticeNumber,
- void *arg);
-void
-CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
-
-char *
-CERT_GetCertCommentString(CERTCertificate *cert);
-
-PRBool
-CERT_GovtApprovedBitSet(CERTCertificate *cert);
-
-SECStatus
-CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
-
-/*
- * Given a cert, find the cert with the same subject name that
- * has the given key usage. If the given cert has the correct keyUsage, then
- * return it, otherwise search the list in order.
- */
-CERTCertificate *
-CERT_FindCertByUsage(CERTCertificate *basecert, unsigned int requiredKeyUsage);
-
-
-CERTCertList *
-CERT_MatchUserCert(CERTCertDBHandle *handle,
- SECCertUsage usage,
- int nCANames, char **caNames,
- void *proto_win);
-
-CERTCertList *
-CERT_NewCertList(void);
-
-void
-CERT_DestroyCertList(CERTCertList *certs);
-
-/* remove the node and free the cert */
-void
-CERT_RemoveCertListNode(CERTCertListNode *node);
-
-SECStatus
-CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
-
-typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
- CERTCertificate *certb,
- void *arg);
-SECStatus
-CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
- CERTSortCallback f, void *arg);
-
-/* callback for CERT_AddCertToListSorted that sorts based on validity
- * period and a given time.
- */
-PRBool
-CERT_SortCBValidity(CERTCertificate *certa,
- CERTCertificate *certb,
- void *arg);
-
-SECStatus
-CERT_CheckForEvilCert(CERTCertificate *cert);
-
-CERTGeneralName *
-CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
-
-int
-CERT_GetNamesLength(CERTGeneralName *names);
-
-CERTCertificate *
-CERT_CompareNameSpace(CERTCertificate *cert,
- CERTGeneralName *namesList,
- SECItem *namesListIndex,
- PRArenaPool *arena,
- CERTCertDBHandle *handle);
-
-SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
-
-char *
-CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena);
-
-/*
- * Creates or adds to a list of all certs with a give subject name, sorted by
- * validity time, newest first. Invalid certs are considered older than
- * valid certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
- SECItem *name, int64 sorttime, PRBool validOnly);
-
-/*
- * Creates or adds to a list of all certs with a give nickname, sorted by
- * validity time, newest first. Invalid certs are considered older than valid
- * certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateNicknameCertList(CERTCertList *certList, CERTCertDBHandle *handle,
- char *nickname, int64 sorttime, PRBool validOnly);
-
-/*
- * Creates or adds to a list of all certs with a give email addr, sorted by
- * validity time, newest first. Invalid certs are considered older than valid
- * certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateEmailAddrCertList(CERTCertList *certList, CERTCertDBHandle *handle,
- char *emailAddr, int64 sorttime, PRBool validOnly);
-
-/*
- * remove certs from a list that don't have keyUsage and certType
- * that match the given usage.
- */
-SECStatus
-CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
- PRBool ca);
-
-/*
- * check the key usage of a cert against a set of required values
- */
-SECStatus
-CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
-
-/*
- * return required key usage and cert type based on cert usage
- */
-SECStatus
-CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
- PRBool ca,
- unsigned int *retKeyUsage,
- unsigned int *retCertType);
-/*
- * return required trust flags for various cert usages for CAs
- */
-SECStatus
-CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
- unsigned int *retFlags,
- SECTrustType *retTrustType);
-
-/*
- * Find all user certificates that match the given criteria.
- *
- * "handle" - database to search
- * "usage" - certificate usage to match
- * "oneCertPerName" - if set then only return the "best" cert per
- * name
- * "validOnly" - only return certs that are curently valid
- * "proto_win" - window handle passed to pkcs11
- */
-CERTCertList *
-CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
- SECCertUsage usage,
- PRBool oneCertPerName,
- PRBool validOnly,
- void *proto_win);
-
-/*
- * Find a user certificate that matchs the given criteria.
- *
- * "handle" - database to search
- * "nickname" - nickname to match
- * "usage" - certificate usage to match
- * "validOnly" - only return certs that are curently valid
- * "proto_win" - window handle passed to pkcs11
- */
-CERTCertificate *
-CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
- char *nickname,
- SECCertUsage usage,
- PRBool validOnly,
- void *proto_win);
-
-/*
- * Filter a list of certificates, removing those certs that do not have
- * one of the named CA certs somewhere in their cert chain.
- *
- * "certList" - the list of certificates to filter
- * "nCANames" - number of CA names
- * "caNames" - array of CA names in string(rfc 1485) form
- * "usage" - what use the certs are for, this is used when
- * selecting CA certs
- */
-SECStatus
-CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
- char **caNames, SECCertUsage usage);
-
-/*
- * Collect the nicknames from all certs in a CertList. If the cert is not
- * valid, append a string to that nickname.
- *
- * "certList" - the list of certificates
- * "expiredString" - the string to append to the nickname of any expired cert
- * "notYetGoodString" - the string to append to the nickname of any cert
- * that is not yet valid
- */
-CERTCertNicknames *
-CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
- char *notYetGoodString);
-
-/*
- * Extract the nickname from a nickmake string that may have either
- * expiredString or notYetGoodString appended.
- *
- * Args:
- * "namestring" - the string containing the nickname, and possibly
- * one of the validity label strings
- * "expiredString" - the expired validity label string
- * "notYetGoodString" - the not yet good validity label string
- *
- * Returns the raw nickname
- */
-char *
-CERT_ExtractNicknameString(char *namestring, char *expiredString,
- char *notYetGoodString);
-
-/*
- * Given a certificate, return a string containing the nickname, and possibly
- * one of the validity strings, based on the current validity state of the
- * certificate.
- *
- * "arena" - arena to allocate returned string from. If NULL, then heap
- * is used.
- * "cert" - the cert to get nickname from
- * "expiredString" - the string to append to the nickname if the cert is
- * expired.
- * "notYetGoodString" - the string to append to the nickname if the cert is
- * not yet good.
- */
-char *
-CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
- char *expiredString, char *notYetGoodString);
-
-/*
- * Return the string representation of a DER encoded distinguished name
- * "dername" - The DER encoded name to convert
- */
-char *
-CERT_DerNameToAscii(SECItem *dername);
-
-/*
- * Supported usage values and types:
- * certUsageSSLClient
- * certUsageSSLServer
- * certUsageSSLServerWithStepUp
- * certUsageEmailSigner
- * certUsageEmailRecipient
- * certUsageObjectSigner
- */
-
-CERTCertificate *
-CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
- CERTCertOwner owner, SECCertUsage usage,
- PRBool preferTrusted, int64 validTime, PRBool validOnly);
-
-
-/*********************************************************************/
-/* A thread safe implementation of General Names */
-/*********************************************************************/
-
-/* Destroy a Single CERTGeneralName */
-void
-CERT_DestroyGeneralName(CERTGeneralName *name);
-
-/* Destroys a CERTGeneralNameList */
-void
-CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
-
-/* Creates a CERTGeneralNameList */
-CERTGeneralNameList *
-CERT_CreateGeneralNameList(CERTGeneralName *name);
-
-/* Compares two CERTGeneralNameList */
-SECStatus
-CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
-
-/* returns a copy of the first name of the type requested */
-void *
-CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
- CERTGeneralNameType type,
- PRArenaPool *arena);
-
-/* Adds a name to the tail of the list */
-void
-CERT_AddGeneralNameToList(CERTGeneralNameList *list,
- CERTGeneralNameType type,
- void *data, SECItem *oid);
-
-/* returns a duplicate of the CERTGeneralNameList */
-CERTGeneralNameList *
-CERT_DupGeneralNameList(CERTGeneralNameList *list);
-
-/* returns the length of a CERTGeneralName */
-int
-CERT_GetNamesLength(CERTGeneralName *names);
-
-/*
- * Acquire the global lock on the cert database.
- * This lock is currently used for the following operations:
- * adding or deleting a cert to either the temp or perm databases
- * converting a temp to perm or perm to temp
- * changing(maybe just adding?) the trust of a cert
- * adjusting the reference count of a cert
- */
-void
-CERT_LockDB(CERTCertDBHandle *handle);
-
-/*
- * Free the global cert database lock.
- */
-void
-CERT_UnlockDB(CERTCertDBHandle *handle);
-
-/*
- * Get the certificate status checking configuratino data for
- * the certificate database
- */
-CERTStatusConfig *
-CERT_GetStatusConfig(CERTCertDBHandle *handle);
-
-/*
- * Set the certificate status checking information for the
- * database. The input structure becomes part of the certificate
- * database and will be freed by calling the 'Destroy' function in
- * the configuration object.
- */
-void
-CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertRefCount(CERTCertificate *cert);
-
-/*
- * Free the cert reference count lock
- */
-void
-CERT_UnlockCertRefCount(CERTCertificate *cert);
-
-/*
- * Acquire the cert trust lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertTrust(CERTCertificate *cert);
-
-/*
- * Free the cert trust lock
- */
-void
-CERT_UnlockCertTrust(CERTCertificate *cert);
-
-/*
- * Digest the cert's subject public key using the specified algorithm.
- * The necessary storage for the digest data is allocated. If "fill" is
- * non-null, the data is put there, otherwise a SECItem is allocated.
- * Allocation from "arena" if it is non-null, heap otherwise. Any problem
- * results in a NULL being returned (and an appropriate error set).
- */
-extern SECItem *
-CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
- SECOidTag digestAlg, SECItem *fill);
-
-
-SEC_END_PROTOS
-
-#endif /* _CERT_H_ */
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
deleted file mode 100644
index 17f084f5b..000000000
--- a/security/nss/lib/certdb/certdb.c
+++ /dev/null
@@ -1,2271 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Certificate handling code
- *
- * $Id$
- */
-
-#include "prlock.h"
-#include "prmon.h"
-#include "prtime.h"
-#include "cert.h"
-#include "secder.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "blapi.h" /* for SHA1_HashBuf */
-#include "genname.h"
-#include "keyhi.h"
-#include "secitem.h"
-#include "mcom_db.h"
-#include "certdb.h"
-#include "prprf.h"
-#include "sechash.h"
-#include "prlong.h"
-#include "certxutl.h"
-#include "portreg.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "nsslocks.h"
-#include "cdbhdl.h"
-
-/*
- * Certificate database handling code
- */
-
-
-const SEC_ASN1Template CERT_CertExtensionTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertExtension) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTCertExtension,id) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
- offsetof(CERTCertExtension,critical) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(CERTCertExtension,value) },
- { 0, }
-};
-
-const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, CERT_CertExtensionTemplate }
-};
-
-const SEC_ASN1Template CERT_CertificateTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertificate) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0, /* XXX DER_DEFAULT */
- offsetof(CERTCertificate,version),
- SEC_IntegerTemplate },
- { SEC_ASN1_INTEGER,
- offsetof(CERTCertificate,serialNumber) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificate,signature),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_SAVE,
- offsetof(CERTCertificate,derIssuer) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificate,issuer),
- CERT_NameTemplate },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificate,validity),
- CERT_ValidityTemplate },
- { SEC_ASN1_SAVE,
- offsetof(CERTCertificate,derSubject) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificate,subject),
- CERT_NameTemplate },
- { SEC_ASN1_SAVE,
- offsetof(CERTCertificate,derPublicKey) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificate,subjectPublicKeyInfo),
- CERT_SubjectPublicKeyInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTCertificate,issuerID),
- SEC_ObjectIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(CERTCertificate,subjectID),
- SEC_ObjectIDTemplate },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 3,
- offsetof(CERTCertificate,extensions),
- CERT_SequenceOfCertExtensionTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_SignedCertificateTemplate[] =
-{
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertificate) },
- { SEC_ASN1_SAVE,
- offsetof(CERTCertificate,signatureWrap.data) },
- { SEC_ASN1_INLINE,
- 0, CERT_CertificateTemplate },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificate,signatureWrap.signatureAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(CERTCertificate,signatureWrap.signature) },
- { 0 }
-};
-
-/*
- * Find the subjectName in a DER encoded certificate
- */
-const SEC_ASN1Template SEC_CertSubjectTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECItem) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0, SEC_SkipTemplate }, /* version */
- { SEC_ASN1_SKIP }, /* serial number */
- { SEC_ASN1_SKIP }, /* signature algorithm */
- { SEC_ASN1_SKIP }, /* issuer */
- { SEC_ASN1_SKIP }, /* validity */
- { SEC_ASN1_ANY, 0, NULL }, /* subject */
- { SEC_ASN1_SKIP_REST },
- { 0 }
-};
-
-/*
- * Find the issuerName in a DER encoded certificate
- */
-const SEC_ASN1Template SEC_CertIssuerTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECItem) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0, SEC_SkipTemplate }, /* version */
- { SEC_ASN1_SKIP }, /* serial number */
- { SEC_ASN1_SKIP }, /* signature algorithm */
- { SEC_ASN1_ANY, 0, NULL }, /* issuer */
- { SEC_ASN1_SKIP_REST },
- { 0 }
-};
-
-/*
- * Find the issuer and serialNumber in a DER encoded certificate.
- * This data is used as the database lookup key since its the unique
- * identifier of a certificate.
- */
-const SEC_ASN1Template CERT_CertKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertKey) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0, SEC_SkipTemplate }, /* version */
- { SEC_ASN1_INTEGER,
- offsetof(CERTCertKey,serialNumber) },
- { SEC_ASN1_SKIP }, /* signature algorithm */
- { SEC_ASN1_ANY,
- offsetof(CERTCertKey,derIssuer) },
- { SEC_ASN1_SKIP_REST },
- { 0 }
-};
-
-
-
-SECStatus
-CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
- SECItem *key)
-{
- key->len = sn->len + issuer->len;
-
- key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
- if ( !key->data ) {
- goto loser;
- }
-
- /* copy the serialNumber */
- PORT_Memcpy(key->data, sn->data, sn->len);
-
- /* copy the issuer */
- PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-
-/*
- * Extract the subject name from a DER certificate
- */
-SECStatus
-CERT_NameFromDERCert(SECItem *derCert, SECItem *derName)
-{
- int rv;
- PRArenaPool *arena;
- CERTSignedData sd;
- void *tmpptr;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( ! arena ) {
- return(SECFailure);
- }
-
- PORT_Memset(&sd, 0, sizeof(CERTSignedData));
- rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-
- if ( rv ) {
- goto loser;
- }
-
- PORT_Memset(derName, 0, sizeof(SECItem));
- rv = SEC_ASN1DecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data);
-
- if ( rv ) {
- goto loser;
- }
-
- tmpptr = derName->data;
- derName->data = (unsigned char*)PORT_Alloc(derName->len);
- if ( derName->data == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(derName->data, tmpptr, derName->len);
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(SECFailure);
-}
-
-SECStatus
-CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName)
-{
- int rv;
- PRArenaPool *arena;
- CERTSignedData sd;
- void *tmpptr;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( ! arena ) {
- return(SECFailure);
- }
-
- PORT_Memset(&sd, 0, sizeof(CERTSignedData));
- rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-
- if ( rv ) {
- goto loser;
- }
-
- PORT_Memset(derName, 0, sizeof(SECItem));
- rv = SEC_ASN1DecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data);
-
- if ( rv ) {
- goto loser;
- }
-
- tmpptr = derName->data;
- derName->data = (unsigned char*)PORT_Alloc(derName->len);
- if ( derName->data == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(derName->data, tmpptr, derName->len);
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(SECFailure);
-}
-
-/*
- * Generate a database key, based on serial number and issuer, from a
- * DER certificate.
- */
-SECStatus
-CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
-{
- int rv;
- CERTSignedData sd;
- CERTCertKey certkey;
-
- PORT_Memset(&sd, 0, sizeof(CERTSignedData));
- PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
-
- PORT_Memset(&sd, 0, sizeof(CERTSignedData));
- rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-
- if ( rv ) {
- goto loser;
- }
-
- PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
- rv = SEC_ASN1DecodeItem(arena, &certkey, CERT_CertKeyTemplate, &sd.data);
-
- if ( rv ) {
- goto loser;
- }
-
- return(CERT_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
- &certkey.serialNumber, key));
-loser:
- return(SECFailure);
-}
-
-/*
- * fill in keyUsage field of the cert based on the cert extension
- * if the extension is not critical, then we allow all uses
- */
-static SECStatus
-GetKeyUsage(CERTCertificate *cert)
-{
- SECStatus rv;
- SECItem tmpitem;
-
- rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
- if ( rv == SECSuccess ) {
- /* remember the actual value of the extension */
- cert->rawKeyUsage = tmpitem.data[0];
- cert->keyUsagePresent = PR_TRUE;
- cert->keyUsage = tmpitem.data[0];
-
- PORT_Free(tmpitem.data);
- tmpitem.data = NULL;
-
- } else {
- /* if the extension is not present, then we allow all uses */
- cert->keyUsage = KU_ALL;
- cert->rawKeyUsage = KU_ALL;
- cert->keyUsagePresent = PR_FALSE;
- }
-
- if ( CERT_GovtApprovedBitSet(cert) ) {
- cert->keyUsage |= KU_NS_GOVT_APPROVED;
- cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
- }
-
- return(SECSuccess);
-}
-
-
-/*
- * determine if a fortezza V1 Cert is a CA or not.
- */
-static PRBool
-fortezzaIsCA( CERTCertificate *cert) {
- PRBool isCA = PR_FALSE;
- CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
- int tag;
-
- tag = SECOID_GetAlgorithmTag(&spki->algorithm);
- if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
- (tag == SEC_OID_MISSI_KEA_DSS) ||
- (tag == SEC_OID_MISSI_DSS_OLD) ||
- (tag == SEC_OID_MISSI_DSS) ) {
- SECItem rawkey;
- unsigned char *rawptr;
- unsigned char *end;
- int len;
-
- rawkey = spki->subjectPublicKey;
- DER_ConvertBitString(&rawkey);
- rawptr = rawkey.data;
- end = rawkey.data + rawkey.len;
-
- /* version */
- rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
-
- /* clearance (the string up to the first byte with the hi-bit on */
- while ((rawptr < end) && (*rawptr++ & 0x80));
- if (rawptr >= end) { return PR_FALSE; }
-
- /* KEAPrivilege (the string up to the first byte with the hi-bit on */
- while ((rawptr < end) && (*rawptr++ & 0x80));
- if (rawptr >= end) { return PR_FALSE; }
-
- /* skip the key */
- len = (*rawptr << 8) | rawptr[1];
- rawptr += 2 + len;
-
- /* shared key */
- if (rawptr >= end) { return PR_FALSE; }
- /* DSS Version is next */
- rawptr += 2;
-
- /* DSSPrivilege (the string up to the first byte with the hi-bit on */
- if (*rawptr & 0x30) isCA = PR_TRUE;
-
- }
- return isCA;
-}
-
-static SECStatus
-findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
-{
- SECItem **oids;
- SECItem *oid;
- SECStatus rv = SECFailure;
-
- if (seq != NULL) {
- oids = seq->oids;
- while (oids != NULL && *oids != NULL) {
- oid = *oids;
- if (SECOID_FindOIDTag(oid) == tagnum) {
- rv = SECSuccess;
- break;
- }
- oids++;
- }
- }
- return rv;
-}
-
-/*
- * fill in nsCertType field of the cert based on the cert extension
- */
-SECStatus
-CERT_GetCertType(CERTCertificate *cert)
-{
- SECStatus rv;
- SECItem tmpitem;
- SECItem encodedExtKeyUsage;
- CERTOidSequence *extKeyUsage = NULL;
- PRBool basicConstraintPresent = PR_FALSE;
- CERTBasicConstraints basicConstraint;
-
- tmpitem.data = NULL;
- CERT_FindNSCertTypeExtension(cert, &tmpitem);
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
- &encodedExtKeyUsage);
- if (rv == SECSuccess) {
- extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
- }
- rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
- if (rv == SECSuccess) {
- basicConstraintPresent = PR_TRUE;
- }
- if (tmpitem.data != NULL || extKeyUsage != NULL) {
- if (tmpitem.data == NULL) {
- cert->nsCertType = 0;
- } else {
- cert->nsCertType = tmpitem.data[0];
- }
-
- /* free tmpitem data pointer to avoid memory leak */
- PORT_Free(tmpitem.data);
- tmpitem.data = NULL;
-
- /*
- * for this release, we will allow SSL certs with an email address
- * to be used for email
- */
- if ( ( cert->nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
- cert->emailAddr ) {
- cert->nsCertType |= NS_CERT_TYPE_EMAIL;
- }
- /*
- * for this release, we will allow SSL intermediate CAs to be
- * email intermediate CAs too.
- */
- if ( cert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
- cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
- }
- /*
- * allow a cert with the extended key usage of EMail Protect
- * to be used for email or as an email CA, if basic constraints
- * indicates that it is a CA.
- */
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
- SECSuccess) {
- if (basicConstraintPresent == PR_TRUE &&
- (basicConstraint.isCA)) {
- cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
- } else {
- cert->nsCertType |= NS_CERT_TYPE_EMAIL;
- }
- }
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) ==
- SECSuccess){
- if (basicConstraintPresent == PR_TRUE &&
- (basicConstraint.isCA)) {
- cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- cert->nsCertType |= NS_CERT_TYPE_SSL_SERVER;
- }
- }
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
- SECSuccess){
- if (basicConstraintPresent == PR_TRUE &&
- (basicConstraint.isCA)) {
- cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- cert->nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
- }
- }
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_EXT_KEY_USAGE_CODE_SIGN) ==
- SECSuccess) {
- if (basicConstraintPresent == PR_TRUE &&
- (basicConstraint.isCA)) {
- cert->nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
- } else {
- cert->nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
- }
- }
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_EXT_KEY_USAGE_TIME_STAMP) ==
- SECSuccess) {
- cert->nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
- }
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_OCSP_RESPONDER) ==
- SECSuccess) {
- cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
- }
- } else {
- /* if no extension, then allow any ssl or email (no ca or object
- * signing)
- */
- cert->nsCertType = NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
- NS_CERT_TYPE_EMAIL;
-
- /* if the basic constraint extension says the cert is a CA, then
- allow SSL CA and EMAIL CA and Status Responder */
- if ((basicConstraintPresent == PR_TRUE)
- && (basicConstraint.isCA)) {
- cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
- cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
- cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
- } else if (CERT_IsCACert(cert, NULL) == PR_TRUE) {
- cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
- }
-
- /* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
- if (fortezzaIsCA(cert)) {
- cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
- cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
- }
- }
-
- if (extKeyUsage != NULL) {
- PORT_Free(encodedExtKeyUsage.data);
- CERT_DestroyOidSequence(extKeyUsage);
- }
- return(SECSuccess);
-}
-
-/*
- * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
- */
-SECStatus
-cert_GetKeyID(CERTCertificate *cert)
-{
- SECItem tmpitem;
- SECStatus rv;
- SECKEYPublicKey *key;
-
- cert->subjectKeyID.len = 0;
-
- /* see of the cert has a key identifier extension */
- rv = CERT_FindSubjectKeyIDExten(cert, &tmpitem);
- if ( rv == SECSuccess ) {
- cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
- if ( cert->subjectKeyID.data != NULL ) {
- PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
- cert->subjectKeyID.len = tmpitem.len;
- cert->keyIDGenerated = PR_FALSE;
- }
-
- PORT_Free(tmpitem.data);
- }
-
- /* if the cert doesn't have a key identifier extension and the cert is
- * a V1 fortezza certificate, use the cert's 8 byte KMID as the
- * key identifier. */
- key = CERT_KMIDPublicKey(cert);
-
- if (key != NULL) {
-
- if (key->keyType == fortezzaKey) {
-
- cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
- if ( cert->subjectKeyID.data != NULL ) {
- PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
- cert->subjectKeyID.len = 8;
- cert->keyIDGenerated = PR_FALSE;
- }
- }
-
- SECKEY_DestroyPublicKey(key);
- }
-
- /* if the cert doesn't have a key identifier extension, then generate one*/
- if ( cert->subjectKeyID.len == 0 ) {
- /*
- * pkix says that if the subjectKeyID is not present, then we should
- * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
- */
- cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
- if ( cert->subjectKeyID.data != NULL ) {
- rv = SHA1_HashBuf(cert->subjectKeyID.data,
- cert->derPublicKey.data,
- cert->derPublicKey.len);
- if ( rv == SECSuccess ) {
- cert->subjectKeyID.len = SHA1_LENGTH;
- }
- }
- }
-
- if ( cert->subjectKeyID.len == 0 ) {
- return(SECFailure);
- }
- return(SECSuccess);
-
-}
-
-/*
- * take a DER certificate and decode it into a certificate structure
- */
-CERTCertificate *
-CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
- char *nickname)
-{
- CERTCertificate *cert;
- PRArenaPool *arena;
- void *data;
- int rv;
- int len;
- char *tmpname;
-
- /* make a new arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- return 0;
- }
-
- /* allocate the certificate structure */
- cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-
- if ( !cert ) {
- goto loser;
- }
-
- cert->arena = arena;
-
- if ( copyDER ) {
- /* copy the DER data for the cert into this arena */
- data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
- if ( !data ) {
- goto loser;
- }
- cert->derCert.data = (unsigned char *)data;
- cert->derCert.len = derSignedCert->len;
- PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
- } else {
- /* point to passed in DER data */
- cert->derCert = *derSignedCert;
- }
-
- /* decode the certificate info */
- rv = SEC_ASN1DecodeItem(arena, cert, SEC_SignedCertificateTemplate,
- &cert->derCert);
-
- if ( rv ) {
- goto loser;
- }
-
- if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) {
- PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
- goto loser;
- }
-
- /* generate and save the database key for the cert */
- rv = CERT_KeyFromDERCert(arena, &cert->derCert, &cert->certKey);
- if ( rv ) {
- goto loser;
- }
-
- /* set the nickname */
- if ( nickname == NULL ) {
- cert->nickname = NULL;
- } else {
- /* copy and install the nickname */
- len = PORT_Strlen(nickname) + 1;
- cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
- if ( cert->nickname == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(cert->nickname, nickname, len);
- }
-
- /* set the email address */
- cert->emailAddr = CERT_GetCertificateEmailAddress(cert);
-
- /* initialize the subjectKeyID */
- rv = cert_GetKeyID(cert);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* initialize keyUsage */
- rv = GetKeyUsage(cert);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* initialize the certType */
- rv = CERT_GetCertType(cert);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- tmpname = CERT_NameToAscii(&cert->subject);
- if ( tmpname != NULL ) {
- cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
- PORT_Free(tmpname);
- }
-
- tmpname = CERT_NameToAscii(&cert->issuer);
- if ( tmpname != NULL ) {
- cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname);
- PORT_Free(tmpname);
- }
-
- cert->referenceCount = 1;
- cert->slot = NULL;
- cert->pkcs11ID = CK_INVALID_KEY;
- cert->dbnickname = NULL;
-
- return(cert);
-
-loser:
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(0);
-}
-
-/*
-** Amount of time that a certifiate is allowed good before it is actually
-** good. This is used for pending certificates, ones that are about to be
-** valid. The slop is designed to allow for some variance in the clocks
-** of the machine checking the certificate.
-*/
-#define PENDING_SLOP (24L*60L*60L)
-
-SECStatus
-CERT_GetCertTimes(CERTCertificate *c, int64 *notBefore, int64 *notAfter)
-{
- int rv;
-
- /* convert DER not-before time */
- rv = DER_UTCTimeToTime(notBefore, &c->validity.notBefore);
- if (rv) {
- return(SECFailure);
- }
-
- /* convert DER not-after time */
- rv = DER_UTCTimeToTime(notAfter, &c->validity.notAfter);
- if (rv) {
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-/*
- * Check the validity times of a certificate
- */
-SECCertTimeValidity
-CERT_CheckCertValidTimes(CERTCertificate *c, int64 t, PRBool allowOverride)
-{
- int64 notBefore, notAfter, pendingSlop;
- SECStatus rv;
-
- /* if cert is already marked OK, then don't bother to check */
- if ( allowOverride && c->timeOK ) {
- return(secCertTimeValid);
- }
-
- rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
-
- if (rv) {
- return(secCertTimeExpired); /*XXX is this the right thing to do here?*/
- }
-
- LL_I2L(pendingSlop, PENDING_SLOP);
- LL_SUB(notBefore, notBefore, pendingSlop);
- if ( LL_CMP( t, <, notBefore ) ) {
- PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
- return(secCertTimeNotValidYet);
- }
- if ( LL_CMP( t, >, notAfter) ) {
- PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
- return(secCertTimeExpired);
- }
-
- return(secCertTimeValid);
-}
-
-SECStatus
-SEC_GetCrlTimes(CERTCrl *date, int64 *notBefore, int64 *notAfter)
-{
- int rv;
-
- /* convert DER not-before time */
- rv = DER_UTCTimeToTime(notBefore, &date->lastUpdate);
- if (rv) {
- return(SECFailure);
- }
-
- /* convert DER not-after time */
- if (date->nextUpdate.data) {
- rv = DER_UTCTimeToTime(notAfter, &date->nextUpdate);
- if (rv) {
- return(SECFailure);
- }
- }
- else {
- LL_I2L(*notAfter, 0L);
- }
- return(SECSuccess);
-}
-
-/* These routines should probably be combined with the cert
- * routines using an common extraction routine.
- */
-SECCertTimeValidity
-SEC_CheckCrlTimes(CERTCrl *crl, int64 t) {
- int64 notBefore, notAfter, pendingSlop;
- SECStatus rv;
-
- rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
-
- if (rv) {
- return(secCertTimeExpired);
- }
-
- LL_I2L(pendingSlop, PENDING_SLOP);
- LL_SUB(notBefore, notBefore, pendingSlop);
- if ( LL_CMP( t, <, notBefore ) ) {
- return(secCertTimeNotValidYet);
- }
-
- /* If next update is omitted and the test for notBefore passes, then
- we assume that the crl is up to date.
- */
- if ( LL_IS_ZERO(notAfter) ) {
- return(secCertTimeValid);
- }
-
- if ( LL_CMP( t, >, notAfter) ) {
- return(secCertTimeExpired);
- }
-
- return(secCertTimeValid);
-}
-
-PRBool
-SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) {
- int64 newNotBefore, newNotAfter;
- int64 oldNotBefore, oldNotAfter;
- SECStatus rv;
-
- /* problems with the new CRL? reject it */
- rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter);
- if (rv) return PR_FALSE;
-
- /* problems with the old CRL? replace it */
- rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter);
- if (rv) return PR_TRUE;
-
- /* Question: what about the notAfter's? */
- return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore));
-}
-
-/*
- * return required key usage and cert type based on cert usage
- */
-SECStatus
-CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
- PRBool ca,
- unsigned int *retKeyUsage,
- unsigned int *retCertType)
-{
- unsigned int requiredKeyUsage = 0;
- unsigned int requiredCertType = 0;
-
- if ( ca ) {
- switch ( usage ) {
- case certUsageSSLServerWithStepUp:
- requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_SSL_CA;
- break;
- case certUsageSSLClient:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_SSL_CA;
- break;
- case certUsageSSLServer:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_SSL_CA;
- break;
- case certUsageSSLCA:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_SSL_CA;
- break;
- case certUsageEmailSigner:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_EMAIL_CA;
- break;
- case certUsageEmailRecipient:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_EMAIL_CA;
- break;
- case certUsageObjectSigner:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA;
- break;
- case certUsageAnyCA:
- case certUsageStatusResponder:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
- NS_CERT_TYPE_EMAIL_CA |
- NS_CERT_TYPE_SSL_CA;
- break;
- default:
- PORT_Assert(0);
- goto loser;
- }
- } else {
- switch ( usage ) {
- case certUsageSSLClient:
- requiredKeyUsage = KU_DIGITAL_SIGNATURE;
- requiredCertType = NS_CERT_TYPE_SSL_CLIENT;
- break;
- case certUsageSSLServer:
- requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
- requiredCertType = NS_CERT_TYPE_SSL_SERVER;
- break;
- case certUsageSSLServerWithStepUp:
- requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT |
- KU_NS_GOVT_APPROVED;
- requiredCertType = NS_CERT_TYPE_SSL_SERVER;
- break;
- case certUsageSSLCA:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_SSL_CA;
- break;
- case certUsageEmailSigner:
- requiredKeyUsage = KU_DIGITAL_SIGNATURE;
- requiredCertType = NS_CERT_TYPE_EMAIL;
- break;
- case certUsageEmailRecipient:
- requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
- requiredCertType = NS_CERT_TYPE_EMAIL;
- break;
- case certUsageObjectSigner:
- requiredKeyUsage = KU_DIGITAL_SIGNATURE;
- requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING;
- break;
- case certUsageStatusResponder:
- requiredKeyUsage = KU_DIGITAL_SIGNATURE;
- requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER;
- break;
- default:
- PORT_Assert(0);
- goto loser;
- }
- }
-
- if ( retKeyUsage != NULL ) {
- *retKeyUsage = requiredKeyUsage;
- }
- if ( retCertType != NULL ) {
- *retCertType = requiredCertType;
- }
-
- return(SECSuccess);
-loser:
- return(SECFailure);
-}
-
-/*
- * check the key usage of a cert against a set of required values
- */
-SECStatus
-CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
-{
- SECKEYPublicKey *key;
-
- /* choose between key agreement or key encipherment based on key
- * type in cert
- */
- if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
- key = CERT_ExtractPublicKey(cert);
- if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) ||
- ( key->keyType == dhKey ) ) {
- requiredUsage |= KU_KEY_AGREEMENT;
- } else {
- requiredUsage |= KU_KEY_ENCIPHERMENT;
- }
-
- /* now turn off the special bit */
- requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
-
- SECKEY_DestroyPublicKey(key);
- }
-
- if ( ( cert->keyUsage & requiredUsage ) != requiredUsage ) {
- return(SECFailure);
- }
- return(SECSuccess);
-}
-
-
-CERTCertificate *
-CERT_DupCertificate(CERTCertificate *c)
-{
- if (c) {
- CERT_LockCertRefCount(c);
- ++c->referenceCount;
- CERT_UnlockCertRefCount(c);
- }
- return c;
-}
-
-/*
- * Allow use of default cert database, so that apps(such as mozilla) don't
- * have to pass the handle all over the place.
- */
-static CERTCertDBHandle *default_cert_db_handle = 0;
-
-void
-CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
-{
- default_cert_db_handle = handle;
-
- return;
-}
-
-CERTCertDBHandle *
-CERT_GetDefaultCertDB(void)
-{
- return(default_cert_db_handle);
-}
-
-/*
- * Open volatile certificate database and index databases. This is a
- * fallback if the real databases can't be opened or created. It is only
- * resident in memory, so it will not be persistent. We do this so that
- * we don't crash if the databases can't be created.
- */
-SECStatus
-CERT_OpenVolatileCertDB(CERTCertDBHandle *handle)
-{
- /*
- * Open the memory resident perm cert database.
- */
- handle->permCertDB = dbopen( 0, O_RDWR | O_CREAT, 0600, DB_HASH, 0 );
- if ( !handle->permCertDB ) {
- goto loser;
- }
-
- /*
- * Open the memory resident decoded cert database.
- */
- handle->tempCertDB = dbopen( 0, O_RDWR | O_CREAT, 0600, DB_HASH, 0 );
- if ( !handle->tempCertDB ) {
- goto loser;
- }
-
- handle->dbMon = PR_NewMonitor();
- PORT_Assert(handle->dbMon != NULL);
-
- handle->spkDigestInfo = NULL;
- handle->statusConfig = NULL;
-
- /* initialize the cert database */
- (void) CERT_InitCertDB(handle);
-
- return (SECSuccess);
-
-loser:
-
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
-
- if ( handle->permCertDB ) {
- (* handle->permCertDB->close)(handle->permCertDB);
- handle->permCertDB = 0;
- }
-
- if ( handle->tempCertDB ) {
- (* handle->tempCertDB->close)(handle->tempCertDB);
- handle->tempCertDB = 0;
- }
-
- return(SECFailure);
-}
-
-/* XXX this would probably be okay/better as an xp routine? */
-static void
-sec_lower_string(char *s)
-{
- if ( s == NULL ) {
- return;
- }
-
- while ( *s ) {
- *s = PORT_Tolower(*s);
- s++;
- }
-
- return;
-}
-
-/*
-** Add a domain name to the list of names that the user has explicitly
-** allowed (despite cert name mismatches) for use with a server cert.
-*/
-SECStatus
-CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
-{
- CERTOKDomainName *domainOK;
- int newNameLen;
-
- if (!hn || !(newNameLen = strlen(hn))) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena,
- (sizeof *domainOK) + newNameLen);
- if (!domainOK)
- return SECFailure; /* error code is already set. */
-
- PORT_Strcpy(domainOK->name, hn);
- sec_lower_string(domainOK->name);
-
- /* put at head of list. */
- domainOK->next = cert->domainOK;
- cert->domainOK = domainOK;
- return SECSuccess;
-}
-
-/* Make sure that the name of the host we are connecting to matches the
- * name that is incoded in the common-name component of the certificate
- * that they are using.
- */
-SECStatus
-CERT_VerifyCertName(CERTCertificate *cert, const char *hn)
-{
- char * cn;
- char * domain;
- char * hndomain;
- char * hostname;
- int regvalid;
- int match;
- SECStatus rv;
- CERTOKDomainName *domainOK;
-
- if (!hn || !strlen(hn)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- hostname = PORT_Strdup(hn);
- if ( hostname == NULL ) {
- return(SECFailure);
- }
- sec_lower_string(hostname);
-
- /* if the name is one that the user has already approved, it's OK. */
- for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) {
- if (0 == PORT_Strcmp(hostname, domainOK->name)) {
- PORT_Free(hostname);
- return SECSuccess;
- }
- }
-
- /* try the cert extension first, then the common name */
- cn = CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
- if ( cn == NULL ) {
- cn = CERT_GetCommonName(&cert->subject);
- }
-
- sec_lower_string(cn);
-
- if ( cn ) {
- if ( ( hndomain = PORT_Strchr(hostname, '.') ) == NULL ) {
- /* No domain in server name */
- if ( ( domain = PORT_Strchr(cn, '.') ) != NULL ) {
- /* there is a domain in the cn string, so chop it off */
- *domain = '\0';
- }
- }
-
- regvalid = PORT_RegExpValid(cn);
-
- if ( regvalid == NON_SXP ) {
- /* compare entire hostname with cert name */
- if ( PORT_Strcmp(hostname, cn) == 0 ) {
- rv = SECSuccess;
- goto done;
- }
-
- if ( hndomain ) {
- /* compare just domain name with cert name */
- if ( PORT_Strcmp(hndomain+1, cn) == 0 ) {
- rv = SECSuccess;
- goto done;
- }
- }
-
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
- rv = SECFailure;
- goto done;
-
- } else {
- /* try to match the shexp */
- match = PORT_RegExpCaseSearch(hostname, cn);
-
- if ( match == 0 ) {
- rv = SECSuccess;
- } else {
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
- rv = SECFailure;
- }
- goto done;
- }
- }
-
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
-
-done:
- /* free the common name */
- if ( cn ) {
- PORT_Free(cn);
- }
-
- if ( hostname ) {
- PORT_Free(hostname);
- }
-
- return(rv);
-}
-
-PRBool
-CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2)
-{
- SECComparison comp;
-
- comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
- if ( comp == SECEqual ) { /* certs are the same */
- return(PR_TRUE);
- } else {
- return(PR_FALSE);
- }
-}
-
-static SECStatus
-StringsEqual(char *s1, char *s2) {
- if ( ( s1 == NULL ) || ( s2 == NULL ) ) {
- if ( s1 != s2 ) { /* only one is null */
- return(SECFailure);
- }
- return(SECSuccess); /* both are null */
- }
-
- if ( PORT_Strcmp( s1, s2 ) != 0 ) {
- return(SECFailure); /* not equal */
- }
-
- return(SECSuccess); /* strings are equal */
-}
-
-
-PRBool
-CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2)
-{
- SECComparison comp;
- char *c1str, *c2str;
- SECStatus eq;
-
- comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
- if ( comp == SECEqual ) { /* certs are the same */
- return(PR_TRUE);
- }
-
- /* check if they are issued by the same CA */
- comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer);
- if ( comp != SECEqual ) { /* different issuer */
- return(PR_FALSE);
- }
-
- /* check country name */
- c1str = CERT_GetCountryName(&c1->subject);
- c2str = CERT_GetCountryName(&c2->subject);
- eq = StringsEqual(c1str, c2str);
- PORT_Free(c1str);
- PORT_Free(c2str);
- if ( eq != SECSuccess ) {
- return(PR_FALSE);
- }
-
- /* check locality name */
- c1str = CERT_GetLocalityName(&c1->subject);
- c2str = CERT_GetLocalityName(&c2->subject);
- eq = StringsEqual(c1str, c2str);
- PORT_Free(c1str);
- PORT_Free(c2str);
- if ( eq != SECSuccess ) {
- return(PR_FALSE);
- }
-
- /* check state name */
- c1str = CERT_GetStateName(&c1->subject);
- c2str = CERT_GetStateName(&c2->subject);
- eq = StringsEqual(c1str, c2str);
- PORT_Free(c1str);
- PORT_Free(c2str);
- if ( eq != SECSuccess ) {
- return(PR_FALSE);
- }
-
- /* check org name */
- c1str = CERT_GetOrgName(&c1->subject);
- c2str = CERT_GetOrgName(&c2->subject);
- eq = StringsEqual(c1str, c2str);
- PORT_Free(c1str);
- PORT_Free(c2str);
- if ( eq != SECSuccess ) {
- return(PR_FALSE);
- }
-
-#ifdef NOTDEF
- /* check orgUnit name */
- /*
- * We need to revisit this and decide which fields should be allowed to be
- * different
- */
- c1str = CERT_GetOrgUnitName(&c1->subject);
- c2str = CERT_GetOrgUnitName(&c2->subject);
- eq = StringsEqual(c1str, c2str);
- PORT_Free(c1str);
- PORT_Free(c2str);
- if ( eq != SECSuccess ) {
- return(PR_FALSE);
- }
-#endif
-
- return(PR_TRUE); /* all fields but common name are the same */
-}
-
-
-/* CERT_CertChainFromCert and CERT_DestroyCertificateList moved
- to certhigh.c */
-
-
-CERTIssuerAndSN *
-CERT_GetCertIssuerAndSN(PRArenaPool *arena, CERTCertificate *cert)
-{
- CERTIssuerAndSN *result;
- SECStatus rv;
-
- if ( arena == NULL ) {
- arena = cert->arena;
- }
-
- result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result));
- if (result == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer);
- if (rv != SECSuccess)
- return NULL;
-
- rv = CERT_CopyName(arena, &result->issuer, &cert->issuer);
- if (rv != SECSuccess)
- return NULL;
-
- rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber);
- if (rv != SECSuccess)
- return NULL;
-
- return result;
-}
-
-char *
-CERT_MakeCANickname(CERTCertificate *cert)
-{
- char *firstname = NULL;
- char *org = NULL;
- char *nickname = NULL;
- int count;
- CERTCertificate *dummycert;
- CERTCertDBHandle *handle;
-
- handle = cert->dbhandle;
-
- nickname = CERT_GetNickName(cert, handle, cert->arena);
- if (nickname == NULL) {
- firstname = CERT_GetCommonName(&cert->subject);
- if ( firstname == NULL ) {
- firstname = CERT_GetOrgUnitName(&cert->subject);
- }
-
- org = CERT_GetOrgName(&cert->issuer);
- if ( org == NULL ) {
- goto loser;
- }
-
- count = 1;
- while ( 1 ) {
-
- if ( firstname ) {
- if ( count == 1 ) {
- nickname = PR_smprintf("%s - %s", firstname, org);
- } else {
- nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
- }
- } else {
- if ( count == 1 ) {
- nickname = PR_smprintf("%s", org);
- } else {
- nickname = PR_smprintf("%s #%d", org, count);
- }
- }
- if ( nickname == NULL ) {
- goto loser;
- }
-
- /* look up the nickname to make sure it isn't in use already */
- dummycert = CERT_FindCertByNickname(handle, nickname);
-
- if ( dummycert == NULL ) {
- goto done;
- }
-
- /* found a cert, destroy it and loop */
- CERT_DestroyCertificate(dummycert);
-
- /* free the nickname */
- PORT_Free(nickname);
-
- count++;
- }
- }
-loser:
- if ( nickname ) {
- PORT_Free(nickname);
- }
-
- nickname = "";
-
-done:
- if ( firstname ) {
- PORT_Free(firstname);
- }
- if ( org ) {
- PORT_Free(org);
- }
-
- return(nickname);
-}
-
-/* CERT_Import_CAChain moved to certhigh.c */
-
-void
-CERT_DestroyCrl (CERTSignedCrl *crl)
-{
- SEC_DestroyCrl (crl);
-}
-
-
-
-/*
- * Does a cert belong to a CA? We decide based on perm database trust
- * flags, Netscape Cert Type Extension, and KeyUsage Extension.
- */
-PRBool
-CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
-{
- CERTCertTrust *trust;
- SECStatus rv;
- unsigned int type;
- PRBool ret;
-
- ret = PR_FALSE;
- type = 0;
-
- if ( cert->isperm ) {
- trust = cert->trust;
- if ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) {
- ret = PR_TRUE;
- type |= NS_CERT_TYPE_SSL_CA;
- }
-
- if ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) {
- ret = PR_TRUE;
- type |= NS_CERT_TYPE_EMAIL_CA;
- }
-
- if ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) ==
- CERTDB_VALID_CA ) {
- ret = PR_TRUE;
- type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
- }
- } else {
- if ( cert->nsCertType &
- ( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
- NS_CERT_TYPE_OBJECT_SIGNING_CA ) ) {
- ret = PR_TRUE;
- type = (cert->nsCertType & NS_CERT_TYPE_CA);
- } else {
- CERTBasicConstraints constraints;
- rv = CERT_FindBasicConstraintExten(cert, &constraints);
- if ( rv == SECSuccess ) {
- if ( constraints.isCA ) {
- ret = PR_TRUE;
- type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
- }
- }
- }
-
- /* finally check if it's a FORTEZZA V1 CA */
- if (ret == PR_FALSE) {
- if (fortezzaIsCA(cert)) {
- ret = PR_TRUE;
- type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
- }
- }
- }
- if ( rettype != NULL ) {
- *rettype = type;
- }
-
- return(ret);
-}
-
-/*
- * is certa newer than certb? If one is expired, pick the other one.
- */
-PRBool
-CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
-{
- int64 notBeforeA, notAfterA, notBeforeB, notAfterB, now;
- SECStatus rv;
- PRBool newerbefore, newerafter;
-
- rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
- if ( rv != SECSuccess ) {
- return(PR_FALSE);
- }
-
- rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
- if ( rv != SECSuccess ) {
- return(PR_TRUE);
- }
-
- newerbefore = PR_FALSE;
- if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
- newerbefore = PR_TRUE;
- }
-
- newerafter = PR_FALSE;
- if ( LL_CMP(notAfterA, >, notAfterB) ) {
- newerafter = PR_TRUE;
- }
-
- if ( newerbefore && newerafter ) {
- return(PR_TRUE);
- }
-
- if ( ( !newerbefore ) && ( !newerafter ) ) {
- return(PR_FALSE);
- }
-
- /* get current UTC time */
- now = PR_Now();
-
- if ( newerbefore ) {
- /* cert A was issued after cert B, but expires sooner */
- /* if A is expired, then pick B */
- if ( LL_CMP(notAfterA, <, now ) ) {
- return(PR_FALSE);
- }
- return(PR_TRUE);
- } else {
- /* cert B was issued after cert A, but expires sooner */
- /* if B is expired, then pick A */
- if ( LL_CMP(notAfterB, <, now ) ) {
- return(PR_TRUE);
- }
- return(PR_FALSE);
- }
-}
-
-void
-CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts)
-{
- unsigned int i;
-
- if ( certs ) {
- for ( i = 0; i < ncerts; i++ ) {
- if ( certs[i] ) {
- CERT_DestroyCertificate(certs[i]);
- }
- }
-
- PORT_Free(certs);
- }
-
- return;
-}
-
-char *
-CERT_FixupEmailAddr(char *emailAddr)
-{
- char *retaddr;
- char *str;
-
- if ( emailAddr == NULL ) {
- return(NULL);
- }
-
- /* copy the string */
- str = retaddr = PORT_Strdup(emailAddr);
- if ( str == NULL ) {
- return(NULL);
- }
-
- /* make it lower case */
- while ( *str ) {
- *str = tolower( *str );
- str++;
- }
-
- return(retaddr);
-}
-
-/*
- * NOTE - don't allow encode of govt-approved or invisible bits
- */
-SECStatus
-CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts)
-{
- int i;
- unsigned int *pflags;
-
- trust->sslFlags = 0;
- trust->emailFlags = 0;
- trust->objectSigningFlags = 0;
-
- pflags = &trust->sslFlags;
-
- for (i=0; i < PORT_Strlen(trusts); i++) {
- switch (trusts[i]) {
- case 'p':
- *pflags = *pflags | CERTDB_VALID_PEER;
- break;
-
- case 'P':
- *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
- break;
-
- case 'w':
- *pflags = *pflags | CERTDB_SEND_WARN;
- break;
-
- case 'c':
- *pflags = *pflags | CERTDB_VALID_CA;
- break;
-
- case 'T':
- *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA;
- break;
-
- case 'C' :
- *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
- break;
-
- case 'u':
- *pflags = *pflags | CERTDB_USER;
- break;
-
-#ifdef DEBUG_NSSTEAM_ONLY
- case 'i':
- *pflags = *pflags | CERTDB_INVISIBLE_CA;
- break;
- case 'g':
- *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
- break;
-#endif /* DEBUG_NSSTEAM_ONLY */
-
- case ',':
- if ( pflags == &trust->sslFlags ) {
- pflags = &trust->emailFlags;
- } else {
- pflags = &trust->objectSigningFlags;
- }
- break;
- default:
- return SECFailure;
- }
- }
-
- return SECSuccess;
-}
-
-static void
-EncodeFlags(char *trusts, unsigned int flags)
-{
- if (flags & CERTDB_VALID_CA)
- if (!(flags & CERTDB_TRUSTED_CA) &&
- !(flags & CERTDB_TRUSTED_CLIENT_CA))
- PORT_Strcat(trusts, "c");
- if (flags & CERTDB_VALID_PEER)
- if (!(flags & CERTDB_TRUSTED))
- PORT_Strcat(trusts, "p");
- if (flags & CERTDB_TRUSTED_CA)
- PORT_Strcat(trusts, "C");
- if (flags & CERTDB_TRUSTED_CLIENT_CA)
- PORT_Strcat(trusts, "T");
- if (flags & CERTDB_TRUSTED)
- PORT_Strcat(trusts, "P");
- if (flags & CERTDB_USER)
- PORT_Strcat(trusts, "u");
- if (flags & CERTDB_SEND_WARN)
- PORT_Strcat(trusts, "w");
- if (flags & CERTDB_INVISIBLE_CA)
- PORT_Strcat(trusts, "I");
- if (flags & CERTDB_GOVT_APPROVED_CA)
- PORT_Strcat(trusts, "G");
- return;
-}
-
-char *
-CERT_EncodeTrustString(CERTCertTrust *trust)
-{
- char tmpTrustSSL[32];
- char tmpTrustEmail[32];
- char tmpTrustSigning[32];
- char *retstr = NULL;
-
- if ( trust ) {
- tmpTrustSSL[0] = '\0';
- tmpTrustEmail[0] = '\0';
- tmpTrustSigning[0] = '\0';
-
- EncodeFlags(tmpTrustSSL, trust->sslFlags);
- EncodeFlags(tmpTrustEmail, trust->emailFlags);
- EncodeFlags(tmpTrustSigning, trust->objectSigningFlags);
-
- retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail,
- tmpTrustSigning);
- }
-
- return(retstr);
-}
-
-SECStatus
-CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
- unsigned int ncerts, SECItem **derCerts,
- CERTCertificate ***retCerts, PRBool keepCerts,
- PRBool caOnly, char *nickname)
-{
- int i;
- CERTCertificate **certs = NULL;
- SECStatus rv;
- int fcerts;
-
- if ( ncerts ) {
- certs = (CERTCertificate**)PORT_ZAlloc(sizeof(CERTCertificate *) * ncerts );
- if ( certs == NULL ) {
- return(SECFailure);
- }
-
- /* decode all of the certs into the temporary DB */
- for ( i = 0, fcerts= 0; i < ncerts; i++) {
- certs[fcerts] = CERT_NewTempCertificate(certdb, derCerts[i], NULL,
- PR_FALSE, PR_TRUE);
- if (certs[fcerts]) fcerts++;
- }
-
- if ( keepCerts ) {
- for ( i = 0; i < fcerts; i++ ) {
- SECKEY_UpdateCertPQG(certs[i]);
- if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
- /* if we are importing only a single cert and specifying
- * a nickname, we want to use that nickname if it a CA,
- * otherwise if there are more than one cert, we don't
- * know which cert it belongs to.
- */
- rv = CERT_SaveImportedCert(certs[i], usage, caOnly, NULL);
- } else {
- rv = CERT_SaveImportedCert(certs[i], usage, caOnly,
- nickname);
- }
- /* don't care if it fails - keep going */
- }
- }
- }
-
- if ( retCerts ) {
- *retCerts = certs;
- } else {
- CERT_DestroyCertArray(certs, fcerts);
- }
-
- return(SECSuccess);
-
-#if 0 /* dead code here - why ?? XXX */
-loser:
- if ( retCerts ) {
- *retCerts = NULL;
- }
- if ( certs ) {
- CERT_DestroyCertArray(certs, ncerts);
- }
- return(SECFailure);
-#endif
-}
-
-/*
- * a real list of certificates - need to convert CERTCertificateList
- * stuff and ASN 1 encoder/decoder over to using this...
- */
-CERTCertList *
-CERT_NewCertList(void)
-{
- PRArenaPool *arena = NULL;
- CERTCertList *ret = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
- if ( ret == NULL ) {
- goto loser;
- }
-
- ret->arena = arena;
-
- PR_INIT_CLIST(&ret->list);
-
- return(ret);
-
-loser:
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-void
-CERT_DestroyCertList(CERTCertList *certs)
-{
- PRCList *node;
-
- while( !PR_CLIST_IS_EMPTY(&certs->list) ) {
- node = PR_LIST_HEAD(&certs->list);
- CERT_DestroyCertificate(((CERTCertListNode *)node)->cert);
- PR_REMOVE_LINK(node);
- }
-
- PORT_FreeArena(certs->arena, PR_FALSE);
-
- return;
-}
-
-void
-CERT_RemoveCertListNode(CERTCertListNode *node)
-{
- CERT_DestroyCertificate(node->cert);
- PR_REMOVE_LINK(&node->links);
- return;
-}
-
-SECStatus
-CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert)
-{
- CERTCertListNode *node;
-
- node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
- sizeof(CERTCertListNode));
- if ( node == NULL ) {
- goto loser;
- }
-
- PR_INSERT_BEFORE(&node->links, &certs->list);
- /* certs->count++; */
- node->cert = cert;
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Sort callback function to determine if cert a is newer than cert b.
- * Not valid certs are considered older than valid certs.
- */
-PRBool
-CERT_SortCBValidity(CERTCertificate *certa,
- CERTCertificate *certb,
- void *arg)
-{
- int64 sorttime;
- int64 notBeforeA, notAfterA, notBeforeB, notAfterB;
- SECStatus rv;
- PRBool newerbefore, newerafter;
- PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE;
-
- sorttime = *(int64 *)arg;
-
- rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
- if ( rv != SECSuccess ) {
- return(PR_FALSE);
- }
-
- rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
- if ( rv != SECSuccess ) {
- return(PR_TRUE);
- }
- newerbefore = PR_FALSE;
- if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
- newerbefore = PR_TRUE;
- }
- newerafter = PR_FALSE;
- if ( LL_CMP(notAfterA, >, notAfterB) ) {
- newerafter = PR_TRUE;
- }
-
- /* check if A is valid at sorttime */
- if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE)
- != secCertTimeValid ) {
- aNotValid = PR_TRUE;
- }
-
- /* check if B is valid at sorttime */
- if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE)
- != secCertTimeValid ) {
- bNotValid = PR_TRUE;
- }
-
- /* a is valid, b is not */
- if ( bNotValid && ( ! aNotValid ) ) {
- return(PR_TRUE);
- }
-
- /* b is valid, a is not */
- if ( aNotValid && ( ! bNotValid ) ) {
- return(PR_FALSE);
- }
-
- /* a and b are either valid or not valid */
- if ( newerbefore && newerafter ) {
- return(PR_TRUE);
- }
-
- if ( ( !newerbefore ) && ( !newerafter ) ) {
- return(PR_FALSE);
- }
-
- if ( newerbefore ) {
- /* cert A was issued after cert B, but expires sooner */
- return(PR_TRUE);
- } else {
- /* cert B was issued after cert A, but expires sooner */
- return(PR_FALSE);
- }
-}
-
-
-SECStatus
-CERT_AddCertToListSorted(CERTCertList *certs,
- CERTCertificate *cert,
- CERTSortCallback f,
- void *arg)
-{
- CERTCertListNode *node;
- CERTCertListNode *head;
- PRBool ret;
-
- node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
- sizeof(CERTCertListNode));
- if ( node == NULL ) {
- goto loser;
- }
-
- head = CERT_LIST_HEAD(certs);
-
- while ( !CERT_LIST_END(head, certs) ) {
-
- /* if cert is already in the list, then don't add it again */
- if ( cert == head->cert ) {
- /*XXX*/
- /* don't keep a reference */
- CERT_DestroyCertificate(cert);
- goto done;
- }
-
- ret = (* f)(cert, head->cert, arg);
- /* if sort function succeeds, then insert before current node */
- if ( ret ) {
- PR_INSERT_BEFORE(&node->links, &head->links);
- goto done;
- }
-
- head = CERT_LIST_NEXT(head);
- }
- /* if we get to the end, then just insert it at the tail */
- PR_INSERT_BEFORE(&node->links, &certs->list);
-
-done:
- /* certs->count++; */
- node->cert = cert;
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/* This routine is here because pcertdb.c still has a call to it.
- * The SMIME profile code in pcertdb.c should be split into high (find
- * the email cert) and low (store the profile) code. At that point, we
- * can move this to certhigh.c where it belongs.
- *
- * remove certs from a list that don't have keyUsage and certType
- * that match the given usage.
- */
-SECStatus
-CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
- PRBool ca)
-{
- unsigned int requiredKeyUsage;
- unsigned int requiredCertType;
- CERTCertListNode *node, *savenode;
- PRBool bad;
- SECStatus rv;
- unsigned int certType;
- PRBool dummyret;
-
- if (certList == NULL) goto loser;
-
- rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage,
- &requiredCertType);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- node = CERT_LIST_HEAD(certList);
-
- while ( !CERT_LIST_END(node, certList) ) {
-
- bad = PR_FALSE;
-
- /* bad key usage */
- if ( CERT_CheckKeyUsage(node->cert, requiredKeyUsage )
- != SECSuccess ) {
- bad = PR_TRUE;
- }
- /* bad cert type */
- if ( ca ) {
- /* This function returns a more comprehensive cert type that
- * takes trust flags into consideration. Should probably
- * fix the cert decoding code to do this.
- */
- dummyret = CERT_IsCACert(node->cert, &certType);
- } else {
- certType = node->cert->nsCertType;
- }
-
- if ( ! ( certType & requiredCertType ) ) {
- bad = PR_TRUE;
- }
-
- if ( bad ) {
- /* remove the node if it is bad */
- savenode = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(node);
- node = savenode;
- } else {
- node = CERT_LIST_NEXT(node);
- }
- }
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Acquire the global lock on the cert database.
- * This lock is currently used for the following operations:
- * adding or deleting a cert to either the temp or perm databases
- * converting a temp to perm or perm to temp
- * changing(maybe just adding????) the trust of a cert
- * chaning the DB status checking Configuration
- */
-void
-CERT_LockDB(CERTCertDBHandle *handle)
-{
- PR_EnterMonitor(handle->dbMon);
- return;
-}
-
-/*
- * Free the global cert database lock.
- */
-void
-CERT_UnlockDB(CERTCertDBHandle *handle)
-{
- PRStatus prstat;
-
- prstat = PR_ExitMonitor(handle->dbMon);
-
- PORT_Assert(prstat == PR_SUCCESS);
-
- return;
-}
-
-static PRLock *certRefCountLock = NULL;
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertRefCount(CERTCertificate *cert)
-{
- if ( certRefCountLock == NULL ) {
- nss_InitLock(&certRefCountLock);
- PORT_Assert(certRefCountLock != NULL);
- }
-
- PR_Lock(certRefCountLock);
- return;
-}
-
-/*
- * Free the cert reference count lock
- */
-void
-CERT_UnlockCertRefCount(CERTCertificate *cert)
-{
- PRStatus prstat;
-
- PORT_Assert(certRefCountLock != NULL);
-
- prstat = PR_Unlock(certRefCountLock);
-
- PORT_Assert(prstat == PR_SUCCESS);
-
- return;
-}
-
-static PRLock *certTrustLock = NULL;
-
-/*
- * Acquire the cert trust lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertTrust(CERTCertificate *cert)
-{
- if ( certTrustLock == NULL ) {
- nss_InitLock(&certTrustLock);
- PORT_Assert(certTrustLock != NULL);
- }
-
- PR_Lock(certTrustLock);
- return;
-}
-
-/*
- * Free the cert trust lock
- */
-void
-CERT_UnlockCertTrust(CERTCertificate *cert)
-{
- PRStatus prstat;
-
- PORT_Assert(certTrustLock != NULL);
-
- prstat = PR_Unlock(certTrustLock);
-
- PORT_Assert(prstat == PR_SUCCESS);
-
- return;
-}
-
-
-/*
- * Get the StatusConfig data for this handle
- */
-CERTStatusConfig *
-CERT_GetStatusConfig(CERTCertDBHandle *handle)
-{
- return handle->statusConfig;
-}
-
-/*
- * Set the StatusConfig data for this handle. There
- * should not be another configuration set.
- */
-void
-CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
-{
- PORT_Assert(handle->statusConfig == NULL);
-
- handle->statusConfig = statusConfig;
-}
diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h
deleted file mode 100644
index 7710b72c9..000000000
--- a/security/nss/lib/certdb/certdb.h
+++ /dev/null
@@ -1,396 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _CERTDB_H_
-#define _CERTDB_H_
-
-#include "plarena.h"
-#include "prlong.h"
-/*
- * Certificate Database related definitions and data structures
- */
-
-/* version number of certificate database */
-#define CERT_DB_FILE_VERSION 7
-#ifdef USE_NS_ROOTS
-#define CERT_DB_CONTENT_VERSION 24
-#else
-#define CERT_DB_CONTENT_VERSION 2
-#endif
-
-#define SEC_DB_ENTRY_HEADER_LEN 3
-#define SEC_DB_KEY_HEADER_LEN 1
-
-/* All database entries have this form:
- *
- * byte offset field
- * ----------- -----
- * 0 version
- * 1 type
- * 2 flags
- */
-
-/* database entry types */
-typedef enum {
- certDBEntryTypeVersion = 0,
- certDBEntryTypeCert = 1,
- certDBEntryTypeNickname = 2,
- certDBEntryTypeSubject = 3,
- certDBEntryTypeRevocation = 4,
- certDBEntryTypeKeyRevocation = 5,
- certDBEntryTypeSMimeProfile = 6,
- certDBEntryTypeContentVersion = 7
-} certDBEntryType;
-
-typedef struct {
- certDBEntryType type;
- unsigned int version;
- unsigned int flags;
- PRArenaPool *arena;
-} certDBEntryCommon;
-
-/*
- * Certificate entry:
- *
- * byte offset field
- * ----------- -----
- * 0 sslFlags-msb
- * 1 sslFlags-lsb
- * 2 emailFlags-msb
- * 3 emailFlags-lsb
- * 4 objectSigningFlags-msb
- * 5 objectSigningFlags-lsb
- * 6 derCert-len-msb
- * 7 derCert-len-lsb
- * 8 nickname-len-msb
- * 9 nickname-len-lsb
- * ... derCert
- * ... nickname
- *
- * NOTE: the nickname string as stored in the database is null terminated,
- * in other words, the last byte of the db entry is always 0
- * if a nickname is present.
- * NOTE: if nickname is not present, then nickname-len-msb and
- * nickname-len-lsb will both be zero.
- */
-struct _certDBEntryCert {
- certDBEntryCommon common;
- CERTCertTrust trust;
- SECItem derCert;
- char *nickname;
-};
-
-/*
- * Certificate Nickname entry:
- *
- * byte offset field
- * ----------- -----
- * 0 subjectname-len-msb
- * 1 subjectname-len-lsb
- * 2... subjectname
- *
- * The database key for this type of entry is a nickname string
- * The "subjectname" value is the DER encoded DN of the identity
- * that matches this nickname.
- */
-typedef struct {
- certDBEntryCommon common;
- char *nickname;
- SECItem subjectName;
-} certDBEntryNickname;
-
-#define DB_NICKNAME_ENTRY_HEADER_LEN 2
-
-/*
- * Certificate Subject entry:
- *
- * byte offset field
- * ----------- -----
- * 0 ncerts-msb
- * 1 ncerts-lsb
- * 2 nickname-msb
- * 3 nickname-lsb
- * 4 emailAddr-msb
- * 5 emailAddr-lsb
- * ... nickname
- * ... emailAddr
- * ...+2*i certkey-len-msb
- * ...+1+2*i certkey-len-lsb
- * ...+2*ncerts+2*i keyid-len-msb
- * ...+1+2*ncerts+2*i keyid-len-lsb
- * ... certkeys
- * ... keyids
- *
- * The database key for this type of entry is the DER encoded subject name
- * The "certkey" value is an array of certificate database lookup keys that
- * points to the database entries for the certificates that matche
- * this subject.
- *
- */
-typedef struct _certDBEntrySubject {
- certDBEntryCommon common;
- SECItem derSubject;
- unsigned int ncerts;
- char *nickname;
- char *emailAddr;
- SECItem *certKeys;
- SECItem *keyIDs;
-} certDBEntrySubject;
-
-#define DB_SUBJECT_ENTRY_HEADER_LEN 6
-
-/*
- * Certificate SMIME profile entry:
- *
- * byte offset field
- * ----------- -----
- * 0 subjectname-len-msb
- * 1 subjectname-len-lsb
- * 2 smimeoptions-len-msb
- * 3 smimeoptions-len-lsb
- * 4 options-date-len-msb
- * 5 options-date-len-lsb
- * 6... subjectname
- * ... smimeoptions
- * ... options-date
- *
- * The database key for this type of entry is the email address string
- * The "subjectname" value is the DER encoded DN of the identity
- * that matches this nickname.
- * The "smimeoptions" value is a string that represents the algorithm
- * capabilities on the remote user.
- * The "options-date" is the date that the smime options value was created.
- * This is generally the signing time of the signed message that contained
- * the options. It is a UTCTime value.
- */
-typedef struct {
- certDBEntryCommon common;
- char *emailAddr;
- SECItem subjectName;
- SECItem smimeOptions;
- SECItem optionsDate;
-} certDBEntrySMime;
-
-#define DB_SMIME_ENTRY_HEADER_LEN 6
-
-/*
- * Crl/krl entry:
- *
- * byte offset field
- * ----------- -----
- * 0 derCert-len-msb
- * 1 derCert-len-lsb
- * 2 url-len-msb
- * 3 url-len-lsb
- * ... derCert
- * ... url
- *
- * NOTE: the url string as stored in the database is null terminated,
- * in other words, the last byte of the db entry is always 0
- * if a nickname is present.
- * NOTE: if url is not present, then url-len-msb and
- * url-len-lsb will both be zero.
- */
-#define DB_CRL_ENTRY_HEADER_LEN 4
-struct _certDBEntryRevocation {
- certDBEntryCommon common;
- SECItem derCrl;
- char *url; /* where to load the crl from */
-};
-
-/*
- * Database Version Entry:
- *
- * byte offset field
- * ----------- -----
- * only the low level header...
- *
- * The database key for this type of entry is the string "Version"
- */
-typedef struct {
- certDBEntryCommon common;
-} certDBEntryVersion;
-
-#define SEC_DB_VERSION_KEY "Version"
-#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
-
-/*
- * Database Content Version Entry:
- *
- * byte offset field
- * ----------- -----
- * 0 contentVersion
- *
- * The database key for this type of entry is the string "ContentVersion"
- */
-typedef struct {
- certDBEntryCommon common;
- char contentVersion;
-} certDBEntryContentVersion;
-
-#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
-#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
-
-typedef union {
- certDBEntryCommon common;
- certDBEntryVersion version;
- certDBEntryCert cert;
- certDBEntryNickname nickname;
- certDBEntrySubject subject;
- certDBEntryRevocation revocation;
-} certDBEntry;
-
-/* length of the fixed part of a database entry */
-#define DBCERT_V4_HEADER_LEN 7
-#define DB_CERT_V5_ENTRY_HEADER_LEN 7
-#define DB_CERT_V6_ENTRY_HEADER_LEN 7
-#define DB_CERT_ENTRY_HEADER_LEN 10
-
-/* common flags for all types of certificates */
-#define CERTDB_VALID_PEER (1<<0)
-#define CERTDB_TRUSTED (1<<1)
-#define CERTDB_SEND_WARN (1<<2)
-#define CERTDB_VALID_CA (1<<3)
-#define CERTDB_TRUSTED_CA (1<<4) /* trusted for issuing server certs */
-#define CERTDB_NS_TRUSTED_CA (1<<5)
-#define CERTDB_USER (1<<6)
-#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
-#define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */
-#define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */
-
-SEC_BEGIN_PROTOS
-
-/*
-** Add a DER encoded certificate to the permanent database.
-** "derCert" is the DER encoded certificate.
-** "nickname" is the nickname to use for the cert
-** "trust" is the trust parameters for the cert
-*/
-SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle, SECItem *derCert,
- char *nickname, CERTCertTrust *trust);
-
-certDBEntryCert *
-SEC_FindPermCertByKey(CERTCertDBHandle *handle, SECItem *certKey);
-
-certDBEntryCert
-*SEC_FindPermCertByName(CERTCertDBHandle *handle, SECItem *name);
-
-SECStatus SEC_OpenPermCertDB(CERTCertDBHandle *handle,
- PRBool readOnly,
- CERTDBNameFunc namecb,
- void *cbarg);
-
-SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
-
-typedef SECStatus (* PermCertCallback)(CERTCertificate *cert, SECItem *k,
- void *pdata);
-/*
-** Traverse the entire permanent database, and pass the certs off to a
-** user supplied function.
-** "certfunc" is the user function to call for each certificate
-** "udata" is the user's data, which is passed through to "certfunc"
-*/
-SECStatus
-SEC_TraversePermCerts(CERTCertDBHandle *handle,
- PermCertCallback certfunc,
- void *udata );
-
-SECStatus
-SEC_AddTempNickname(CERTCertDBHandle *handle, char *nickname, SECItem *certKey);
-
-SECStatus
-SEC_DeleteTempNickname(CERTCertDBHandle *handle, char *nickname);
-
-PRBool
-SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
- CERTCertDBHandle *handle);
-
-PRBool
-SEC_CertDBKeyConflict(SECItem *derCert, CERTCertDBHandle *handle);
-
-SECStatus
-SEC_GetCrlTimes(CERTCrl *dates, int64 *notBefore, int64 *notAfter);
-
-SECCertTimeValidity
-SEC_CheckCrlTimes(CERTCrl *crl, int64 t);
-
-PRBool
-SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
-
-CERTSignedCrl *
-SEC_AddPermCrlToTemp(CERTCertDBHandle *handle, certDBEntryRevocation *entry);
-
-SECStatus
-SEC_DeleteTempCrl(CERTSignedCrl *crl);
-
-CERTSignedCrl *
-SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
-
-CERTSignedCrl *
-SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
-
-CERTSignedCrl *
-SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type);
-
-SECStatus
-SEC_DestroyCrl(CERTSignedCrl *crl);
-
-CERTSignedCrl *
-SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
-
-CERTSignedCrl *
-cert_DBInsertCRL
- (CERTCertDBHandle *handle, char *url,
- CERTSignedCrl *newCrl, SECItem *derCrl, int type);
-
-SECStatus
-SEC_CheckKRL(CERTCertDBHandle *handle,SECKEYPublicKey *key,
- CERTCertificate *rootCert, int64 t, void *wincx);
-
-SECStatus
-SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert,
- CERTCertificate *caCert, int64 t, void *wincx);
-
-SECStatus
-SEC_DeletePermCRL(CERTSignedCrl *crl);
-
-
-SECStatus
-SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type);
-
-SECStatus
-SEC_CrlReplaceUrl(CERTSignedCrl *crl,char *url);
-
-SEC_END_PROTOS
-
-#endif /* _CERTDB_H_ */
diff --git a/security/nss/lib/certdb/certinit.c b/security/nss/lib/certdb/certinit.c
deleted file mode 100644
index bc60ec733..000000000
--- a/security/nss/lib/certdb/certinit.c
+++ /dev/null
@@ -1,399 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cert.h"
-#include "base64.h"
-#include "mcom_db.h"
-#include "certdb.h"
-
-static char example_com_server_ca[] =
-"MIICBTCCAW6gAwIBAgIBATANBgkqhkiG9w0BAQQFADA+MREwDwYICZIm9ZgeZAET"
-"A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRIwEAYDVQQDEwlTZXJ2ZXIgQ0Ew"
-"HhcNMDAwMjAzMjIyMDA3WhcNMTAwNTAzMjIyMDA3WjA+MREwDwYICZIm9ZgeZAET"
-"A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRIwEAYDVQQDEwlTZXJ2ZXIgQ0Ew"
-"gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALGiKEvTd2k4ZJbdAVWokfFlB6Hz"
-"WJXveXm8+IgmFlgtAnicZI11z5wAutFRvDpun7WmRLgHxvEhU3tLoiACGYdGJXPw"
-"+lI2pzHzFSd63B0qcA/NVAW3EOBJeaEFwy0jkUaCIki8qQV06g8RosNX/zv6a+OF"
-"d5NMpS0fecK4fEvdAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN"
-"AQEEBQADgYEAi5rFiG6afWS1PHigssk2LwAJws5cszPbVIeIMHCBbtu259V7uWts"
-"gNxUPJRjeQBsK0ItAfinC0xxLeuMbRfIdZoRYv/OYDxCwGW7hUcNLi+fHlGnJNXH"
-"TWaCRdOwkljnws4v8ABas2DYA/k7xUFAygkIJd9NtE29ZrdrWpfSavI=";
-
-static char example_com_individual_ca[] =
-"MIICDTCCAXagAwIBAgIBAjANBgkqhkiG9w0BAQQFADBCMREwDwYICZIm9ZgeZAET"
-"A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRYwFAYDVQQDEw1JbmRpdmlkdWFs"
-"IENBMB4XDTAwMDIwMzIyMjE1NFoXDTEwMDUwMzIyMjE1NFowQjERMA8GCAmSJvWY"
-"HmQBEwNjb20xFTATBggJkib1mB5kARMHRXhhbXBsZTEWMBQGA1UEAxMNSW5kaXZp"
-"ZHVhbCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu5syfboe93MOkGec"
-"dOuJholyX42wcaH/RgnL3C/8NnZp9WWaTaguvn7KrbCj4TAMzu0pabUN8apB3J60"
-"9C/FlixjXF7r73OzbyTCM5ja6/bPfmHMPmDl9l/9tKqhh+loFvRizXDaWSFRViDS"
-"XvKNeQztwwAOpEAqnJwyTkn4FjECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zAN"
-"BgkqhkiG9w0BAQQFAAOBgQB1XK+5pXdXYq3O3TC/ZY5LWlZ7zuoWUO75OpuMY7XF"
-"iW/jeXbVT5IYZXoRGXJFGGaDmnAuK1/m6FTDhjSTG0XUmd5tg4aFieI+LY4rkYEv"
-"mbJElxKabXl5hVD4mg2bwYlFY7XBmifTa1Ll3HDX3VZM0DC1bm4KCHBnY0qXjSYq"
-"PA==";
-
-static char example_com_objsign_ca[] =
-"MIICETCCAXqgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBEMREwDwYICZIm9ZgeZAET"
-"A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRgwFgYDVQQDEw9Db2RlIFNpZ25p"
-"bmcgQ0EwHhcNMDAwMjAzMjIyMzEzWhcNMTAwNTAzMjIyMzEzWjBEMREwDwYICZIm"
-"9ZgeZAETA2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRgwFgYDVQQDEw9Db2Rl"
-"IFNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALcy76InmpM9"
-"S9K2MlNSjusx6nkYWWbx7eDRTV+xhRPeDxW4t8jtKPqDF5LTusyM9WCI/nneqsIP"
-"7iTSHpxlGx37J1VbqKX5fZsfJ3wKv6ZIylzeRuFY9MFypPA2UmVd1ACDOUB3YDvY"
-"mrCVkOPEhjnZKbq4FfCpf8KNL2A5EBcZAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB"
-"Af8wDQYJKoZIhvcNAQEEBQADgYEAI0IXzwgBRXvow3JQi8Y4YdG2wZc4BWRGW87x"
-"2zOD7GOA0CWN149vb6rEchECykDsJj9LoBl6o1aRxk9WkIFnXmMOJSuJA+ilCe//"
-"81a5OhKbe0p7ym6rh190BLwh2VePFeyabq6NipfZlN6qgWUzoepf+jVblufW/2EI"
-"fbMSylc=";
-
-/* This is the cert->certKey (serial number and issuer name) of
- * the cert that we want to revoke.
- */
-static unsigned char revoked_system_principal_key[] = {
-0x40, 0x18, 0xf2, 0x35, 0x86, 0x06, 0x78, 0xce, 0x87, 0x89,
-0x0c, 0x5d, 0x68, 0x67, 0x33, 0x09, 0x30, 0x81, 0xc1, 0x31,
-0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
-0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54,
-0x72, 0x75, 0x73, 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f,
-0x72, 0x6b, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
-0x0b, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
-0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x3a, 0x30,
-0x38, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x31, 0x56, 0x65,
-0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x4f, 0x62, 0x6a,
-0x65, 0x63, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e,
-0x67, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c, 0x61,
-0x73, 0x73, 0x20, 0x33, 0x20, 0x4f, 0x72, 0x67, 0x61, 0x6e,
-0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x49, 0x30,
-0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40, 0x77, 0x77,
-0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e,
-0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x50, 0x53, 0x20, 0x49,
-0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x62, 0x79, 0x20, 0x52,
-0x65, 0x66, 0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42, 0x49, 0x4c,
-0x49, 0x54, 0x59, 0x20, 0x4c, 0x54, 0x44, 0x2e, 0x28, 0x63,
-0x29, 0x39, 0x37, 0x20, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
-0x67, 0x6e
-};
-
-SECStatus
-CERT_CheckForEvilCert(CERTCertificate *cert)
-{
- if ( cert->certKey.len == sizeof(revoked_system_principal_key) ) {
- if ( PORT_Memcmp(cert->certKey.data,
- revoked_system_principal_key,
- sizeof(revoked_system_principal_key)) == 0 ) {
- return(SECFailure);
- }
- }
-
- return(SECSuccess);
-}
-
-#define DEFAULT_TRUST_FLAGS (CERTDB_VALID_CA | \
- CERTDB_TRUSTED_CA | \
- CERTDB_NS_TRUSTED_CA)
-
-typedef enum {
- certUpdateNone,
- certUpdateAdd,
- certUpdateDelete,
- certUpdateAddTrust,
- certUpdateRemoveTrust,
- certUpdateSetTrust
-} certUpdateOp;
-
-typedef struct {
- char *cert;
- char *nickname;
- CERTCertTrust trust;
- int updateVersion;
- certUpdateOp op;
- CERTCertTrust trustDelta;
-} certInitEntry;
-
-static certInitEntry initialcerts[] = {
- {
- example_com_server_ca,
- "Example.com Server CA",
- { DEFAULT_TRUST_FLAGS | CERTDB_GOVT_APPROVED_CA, 0, 0 },
- 1,
- certUpdateAdd,
- { 0, 0, 0 }
- },
- {
- example_com_server_ca,
- "Example.com Server CA",
- { DEFAULT_TRUST_FLAGS | CERTDB_GOVT_APPROVED_CA, 0, 0 },
- 2,
- certUpdateAddTrust,
- { CERTDB_GOVT_APPROVED_CA, 0, 0 }
- },
-
- {
- example_com_individual_ca,
- "Example.com Individual CA",
- { 0, DEFAULT_TRUST_FLAGS, 0 },
- 1,
- certUpdateAdd,
- { 0, 0, 0 }
- },
- {
- example_com_individual_ca,
- "Example.com Individual CA",
- { 0, DEFAULT_TRUST_FLAGS, 0 },
- 2,
- certUpdateRemoveTrust,
- { 0, 0, DEFAULT_TRUST_FLAGS }
- },
-
- {
- example_com_objsign_ca,
- "Example.com Code Signing CA",
- { 0, 0, DEFAULT_TRUST_FLAGS },
- 2,
- certUpdateAdd,
- { 0, 0, 0 }
- },
-
- {
- 0, 0
- }
-};
-
-
-static SECStatus
-ConvertAndCheckCertificate(CERTCertDBHandle *handle, char *asciicert,
- char *nickname, CERTCertTrust *trust)
-{
- SECItem sdder;
- SECStatus rv;
- CERTCertificate *cert;
- PRBool conflict;
- SECItem derSubject;
-
- /* First convert ascii to binary */
- rv = ATOB_ConvertAsciiToItem (&sdder, asciicert);
- if (rv != SECSuccess) {
- return(rv);
- }
-
- /*
- ** Inside the ascii is a Signed Certificate.
- */
-
- cert = NULL;
-
- /* make sure that no conflicts exist */
- conflict = SEC_CertDBKeyConflict(&sdder, handle);
- if ( conflict ) {
- goto done;
- }
-
- rv = CERT_NameFromDERCert(&sdder, &derSubject);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- conflict = SEC_CertNicknameConflict(nickname, &derSubject, handle);
- if ( conflict ) {
- goto done;
- }
-
- cert = CERT_NewTempCertificate(handle, &sdder, NULL, PR_FALSE, PR_TRUE);
- if ( cert == NULL ) {
- goto loser;
- }
-
- rv = CERT_AddTempCertToPerm(cert, nickname, trust);
-
- CERT_DestroyCertificate(cert);
-
- if (rv == SECSuccess) {
- /*
- ** XXX should verify signatures too, if we have the certificate for
- ** XXX its issuer...
- */
- }
-
-done:
- PORT_Free(sdder.data);
- return(rv);
-
-loser:
- return(SECFailure);
-}
-
-extern void certdb_InitDBLock(void);
-
-SECStatus
-CERT_InitCertDB(CERTCertDBHandle *handle)
-{
- SECStatus rv;
- certInitEntry *entry;
-
- certdb_InitDBLock();
-
- entry = initialcerts;
-
- while ( entry->cert != NULL) {
- if ( entry->op != certUpdateDelete ) {
- rv = ConvertAndCheckCertificate(handle, entry->cert,
- entry->nickname, &entry->trust);
- /* keep going */
- }
-
- entry++;
- }
-done:
- CERT_SetDBContentVersion(CERT_DB_CONTENT_VERSION, handle);
- return(rv);
-}
-
-static CERTCertificate *
-CertFromEntry(CERTCertDBHandle *handle, char *asciicert)
-{
- SECItem sdder;
- SECStatus rv;
- CERTCertificate *cert;
-
- /* First convert ascii to binary */
- rv = ATOB_ConvertAsciiToItem (&sdder, asciicert);
- if (rv != SECSuccess) {
- return(NULL);
- }
-
- /*
- ** Inside the ascii is a Signed Certificate.
- */
-
- cert = CERT_NewTempCertificate(handle, &sdder, NULL, PR_FALSE, PR_TRUE);
-
- return(cert);
-}
-
-SECStatus
-CERT_AddNewCerts(CERTCertDBHandle *handle)
-{
- int oldversion;
- int newversion;
- certInitEntry *entry;
- CERTCertTrust tmptrust;
- SECStatus rv;
- CERTCertificate *cert;
-
- newversion = CERT_DB_CONTENT_VERSION;
-
- oldversion = CERT_GetDBContentVersion(handle);
-
- if ( newversion > oldversion ) {
- entry = initialcerts;
-
- while ( entry->cert != NULL ) {
- if ( entry->updateVersion > oldversion ) {
- switch ( entry->op ) {
- default:
- break;
- case certUpdateAdd:
- rv = ConvertAndCheckCertificate(handle, entry->cert,
- entry->nickname,
- &entry->trust);
- break;
- case certUpdateDelete:
- cert = CertFromEntry(handle, entry->cert);
- if ( cert != NULL ) {
- if ( cert->isperm ) {
- rv = SEC_DeletePermCertificate(cert);
- }
- CERT_DestroyCertificate(cert);
- }
- break;
- case certUpdateAddTrust:
- cert = CertFromEntry(handle, entry->cert);
- if ( cert != NULL ) {
- if ( cert->isperm ) {
- tmptrust = *cert->trust;
- tmptrust.sslFlags |= entry->trustDelta.sslFlags;
- tmptrust.emailFlags |=
- entry->trustDelta.emailFlags;
- tmptrust.objectSigningFlags |=
- entry->trustDelta.objectSigningFlags;
- rv = CERT_ChangeCertTrust(handle, cert,
-&tmptrust);
- }
- CERT_DestroyCertificate(cert);
- }
- break;
- case certUpdateRemoveTrust:
- cert = CertFromEntry(handle, entry->cert);
- if ( cert != NULL ) {
- if ( cert->isperm ) {
- tmptrust = *cert->trust;
- tmptrust.sslFlags &=
- (~entry->trustDelta.sslFlags);
- tmptrust.emailFlags &=
- (~entry->trustDelta.emailFlags);
- tmptrust.objectSigningFlags &=
- (~entry->trustDelta.objectSigningFlags);
- rv = CERT_ChangeCertTrust(handle, cert,
-&tmptrust);
- }
- CERT_DestroyCertificate(cert);
- }
- break;
- case certUpdateSetTrust:
- cert = CertFromEntry(handle, entry->cert);
- if ( cert != NULL ) {
- if ( cert->isperm ) {
- tmptrust = *cert->trust;
- tmptrust.sslFlags = entry->trustDelta.sslFlags;
- tmptrust.emailFlags =
- entry->trustDelta.emailFlags;
- tmptrust.objectSigningFlags =
- entry->trustDelta.objectSigningFlags;
- rv = CERT_ChangeCertTrust(handle, cert,
-&tmptrust);
- }
- CERT_DestroyCertificate(cert);
- }
- break;
- }
- }
-
- entry++;
- }
-
- CERT_SetDBContentVersion(newversion, handle);
- }
-
- return(SECSuccess);
-}
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
deleted file mode 100644
index ffaaaca66..000000000
--- a/security/nss/lib/certdb/certt.h
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * certt.h - public data structures for the certificate library
- *
- * $Id$
- */
-#ifndef _CERTT_H_
-#define _CERTT_H_
-
-#include "prclist.h"
-#include "pkcs11t.h"
-#include "seccomon.h"
-#include "secmodt.h"
-#include "secoidt.h"
-#include "plarena.h"
-#include "prcvar.h"
-#include "prlock.h"
-#include "prio.h"
-#include "prmon.h"
-
-/* Non-opaque objects */
-typedef struct CERTAVAStr CERTAVA;
-typedef struct CERTAttributeStr CERTAttribute;
-typedef struct CERTAuthInfoAccessStr CERTAuthInfoAccess;
-typedef struct CERTAuthKeyIDStr CERTAuthKeyID;
-typedef struct CERTBasicConstraintsStr CERTBasicConstraints;
-typedef struct CERTCertDBHandleStr CERTCertDBHandle;
-typedef struct CERTCertExtensionStr CERTCertExtension;
-typedef struct CERTCertKeyStr CERTCertKey;
-typedef struct CERTCertListStr CERTCertList;
-typedef struct CERTCertListNodeStr CERTCertListNode;
-typedef struct CERTCertNicknamesStr CERTCertNicknames;
-typedef struct CERTCertTrustStr CERTCertTrust;
-typedef struct CERTCertificateStr CERTCertificate;
-typedef struct CERTCertificateListStr CERTCertificateList;
-typedef struct CERTCertificateRequestStr CERTCertificateRequest;
-typedef struct CERTCrlStr CERTCrl;
-typedef struct CERTCrlDistributionPointsStr CERTCrlDistributionPoints;
-typedef struct CERTCrlEntryStr CERTCrlEntry;
-typedef struct CERTCrlHeadNodeStr CERTCrlHeadNode;
-typedef struct CERTCrlKeyStr CERTCrlKey;
-typedef struct CERTCrlNodeStr CERTCrlNode;
-typedef struct CERTDERCertsStr CERTDERCerts;
-typedef struct CERTDistNamesStr CERTDistNames;
-typedef struct CERTGeneralNameStr CERTGeneralName;
-typedef struct CERTGeneralNameListStr CERTGeneralNameList;
-typedef struct CERTIssuerAndSNStr CERTIssuerAndSN;
-typedef struct CERTNameStr CERTName;
-typedef struct CERTNameConstraintStr CERTNameConstraint;
-typedef struct CERTNameConstraintsStr CERTNameConstraints;
-typedef struct CERTOKDomainNameStr CERTOKDomainName;
-typedef struct CERTPublicKeyAndChallengeStr CERTPublicKeyAndChallenge;
-typedef struct CERTRDNStr CERTRDN;
-typedef struct CERTSignedCrlStr CERTSignedCrl;
-typedef struct CERTSignedDataStr CERTSignedData;
-typedef struct CERTStatusConfigStr CERTStatusConfig;
-typedef struct CERTSubjectListStr CERTSubjectList;
-typedef struct CERTSubjectNodeStr CERTSubjectNode;
-typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
-typedef struct CERTValidityStr CERTValidity;
-typedef struct CERTVerifyLogStr CERTVerifyLog;
-typedef struct CERTVerifyLogNodeStr CERTVerifyLogNode;
-typedef struct CRLDistributionPointStr CRLDistributionPoint;
-
-/* CRL extensions type */
-typedef unsigned long CERTCrlNumber;
-
-/*
-** An X.500 AVA object
-*/
-struct CERTAVAStr {
- SECItem type;
- SECItem value;
-};
-
-/*
-** An X.500 RDN object
-*/
-struct CERTRDNStr {
- CERTAVA **avas;
-};
-
-/*
-** An X.500 name object
-*/
-struct CERTNameStr {
- PRArenaPool *arena;
- CERTRDN **rdns;
-};
-
-/*
-** An X.509 validity object
-*/
-struct CERTValidityStr {
- PRArenaPool *arena;
- SECItem notBefore;
- SECItem notAfter;
-};
-
-/*
- * A serial number and issuer name, which is used as a database key
- */
-struct CERTCertKeyStr {
- SECItem serialNumber;
- SECItem derIssuer;
-};
-
-/*
-** A signed data object. Used to implement the "signed" macro used
-** in the X.500 specs.
-*/
-struct CERTSignedDataStr {
- SECItem data;
- SECAlgorithmID signatureAlgorithm;
- SECItem signature;
-};
-
-/*
-** An X.509 subject-public-key-info object
-*/
-struct CERTSubjectPublicKeyInfoStr {
- PRArenaPool *arena;
- SECAlgorithmID algorithm;
- SECItem subjectPublicKey;
-};
-
-struct CERTPublicKeyAndChallengeStr {
- SECItem spki;
- SECItem challenge;
-};
-
-typedef struct _certDBEntryCert certDBEntryCert;
-typedef struct _certDBEntryRevocation certDBEntryRevocation;
-
-struct CERTCertTrustStr {
- unsigned int sslFlags;
- unsigned int emailFlags;
- unsigned int objectSigningFlags;
-};
-
-/*
- * defined the types of trust that exist
- */
-typedef enum {
- trustSSL,
- trustEmail,
- trustObjectSigning,
- trustTypeNone
-} SECTrustType;
-
-#define SEC_GET_TRUST_FLAGS(trust,type) \
- (((type)==trustSSL)?((trust)->sslFlags): \
- (((type)==trustEmail)?((trust)->emailFlags): \
- (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
-
-/*
-** An X.509.3 certificate extension
-*/
-struct CERTCertExtensionStr {
- SECItem id;
- SECItem critical;
- SECItem value;
-};
-
-struct CERTSubjectNodeStr {
- struct CERTSubjectNodeStr *next;
- struct CERTSubjectNodeStr *prev;
- SECItem certKey;
- SECItem keyID;
-};
-
-struct CERTSubjectListStr {
- PRArenaPool *arena;
- int ncerts;
- char *emailAddr;
- CERTSubjectNode *head;
- CERTSubjectNode *tail; /* do we need tail? */
- struct _certDBEntrySubject *entry;
-};
-
-/*
-** An X.509 certificate object (the unsigned form)
-*/
-struct CERTCertificateStr {
- /* the arena is used to allocate any data structures that have the same
- * lifetime as the cert. This is all stuff that hangs off of the cert
- * structure, and is all freed at the same time. I is used when the
- * cert is decoded, destroyed, and at some times when it changes
- * state
- */
- PRArenaPool *arena;
-
- /* The following fields are static after the cert has been decoded */
- char *subjectName;
- char *issuerName;
- CERTSignedData signatureWrap; /* XXX */
- SECItem derCert; /* original DER for the cert */
- SECItem derIssuer; /* DER for issuer name */
- SECItem derSubject; /* DER for subject name */
- SECItem derPublicKey; /* DER for the public key */
- SECItem certKey; /* database key for this cert */
- SECItem version;
- SECItem serialNumber;
- SECAlgorithmID signature;
- CERTName issuer;
- CERTValidity validity;
- CERTName subject;
- CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
- SECItem issuerID;
- SECItem subjectID;
- CERTCertExtension **extensions;
- char *emailAddr;
- CERTCertDBHandle *dbhandle;
- SECItem subjectKeyID; /* x509v3 subject key identifier */
- PRBool keyIDGenerated; /* was the keyid generated? */
- unsigned int keyUsage; /* what uses are allowed for this cert */
- unsigned int rawKeyUsage; /* value of the key usage extension */
- PRBool keyUsagePresent; /* was the key usage extension present */
- unsigned int nsCertType; /* value of the ns cert type extension */
-
- /* these values can be set by the application to bypass certain checks
- * or to keep the cert in memory for an entire session.
- * XXX - need an api to set these
- */
- PRBool keepSession; /* keep this cert for entire session*/
- PRBool timeOK; /* is the bad validity time ok? */
- CERTOKDomainName *domainOK; /* these domain names are ok */
-
- /*
- * these values can change when the cert changes state. These state
- * changes include transitions from temp to perm or vice-versa, and
- * changes of trust flags
- */
- PRBool isperm;
- PRBool istemp;
- char *nickname;
- char *dbnickname;
- certDBEntryCert *dbEntry; /* database entry struct */
- CERTCertTrust *trust;
-
- /* the reference count is modified whenever someone looks up, dups
- * or destroys a certificate
- */
- int referenceCount;
-
- /* The subject list is a list of all certs with the same subject name.
- * It can be modified any time a cert is added or deleted from either
- * the in-memory(temporary) or on-disk(permanent) database.
- */
- CERTSubjectList *subjectList;
-
- /* these fields are used by client GUI code to keep track of ssl sockets
- * that are blocked waiting on GUI feedback related to this cert.
- * XXX - these should be moved into some sort of application specific
- * data structure. They are only used by the browser right now.
- */
- struct SECSocketNode *socketlist;
- int socketcount;
- struct SECSocketNode *authsocketlist;
- int authsocketcount;
-
- /* This is PKCS #11 stuff. */
- PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
- CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
- PRBool ownSlot; /*true if the cert owns the slot reference */
-};
-#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
-#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
-#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
-
-#define SEC_CRL_VERSION_1 0 /* default */
-#define SEC_CRL_VERSION_2 1 /* v2 extensions */
-
-/*
- * used to identify class of cert in mime stream code
- */
-#define SEC_CERT_CLASS_CA 1
-#define SEC_CERT_CLASS_SERVER 2
-#define SEC_CERT_CLASS_USER 3
-#define SEC_CERT_CLASS_EMAIL 4
-
-struct CERTDERCertsStr {
- PRArenaPool *arena;
- int numcerts;
- SECItem *rawCerts;
-};
-
-/*
-** A PKCS ? Attribute
-** XXX this is duplicated through out the code, it *should* be moved
-** to a central location. Where would be appropriate?
-*/
-struct CERTAttributeStr {
- SECItem attrType;
- SECItem **attrValue;
-};
-
-/*
-** A PKCS#10 certificate-request object (the unsigned form)
-*/
-struct CERTCertificateRequestStr {
- PRArenaPool *arena;
- SECItem version;
- CERTName subject;
- CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
- SECItem **attributes;
-};
-#define SEC_CERTIFICATE_REQUEST_VERSION 0 /* what we *create* */
-
-
-/*
-** A certificate list object.
-*/
-struct CERTCertificateListStr {
- SECItem *certs;
- int len; /* number of certs */
- PRArenaPool *arena;
-};
-
-struct CERTCertListNodeStr {
- PRCList links;
- CERTCertificate *cert;
- void *appData;
-};
-
-struct CERTCertListStr {
- PRCList list;
- PRArenaPool *arena;
-};
-
-#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
-#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
-#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
-
-struct CERTCrlEntryStr {
- SECItem serialNumber;
- SECItem revocationDate;
- CERTCertExtension **extensions;
-};
-
-struct CERTCrlStr {
- PRArenaPool *arena;
- SECItem version;
- SECAlgorithmID signatureAlg;
- SECItem derName;
- CERTName name;
- SECItem lastUpdate;
- SECItem nextUpdate; /* optional for x.509 CRL */
- CERTCrlEntry **entries;
- CERTCertExtension **extensions;
-};
-
-struct CERTCrlKeyStr {
- SECItem derName;
- SECItem dummy; /* The decoder can not skip a primitive,
- this serves as a place holder for the
- decoder to finish its task only
- */
-};
-
-struct CERTSignedCrlStr {
- PRArenaPool *arena;
- CERTCrl crl;
- certDBEntryRevocation *dbEntry; /* database entry struct */
- PRBool keep; /* keep this crl in the cache for the session*/
- PRBool isperm;
- PRBool istemp;
- int referenceCount;
- CERTCertDBHandle *dbhandle;
- CERTSignedData signatureWrap; /* XXX */
- char *url;
-};
-
-
-struct CERTCrlHeadNodeStr {
- PRArenaPool *arena;
- CERTCertDBHandle *dbhandle;
- CERTCrlNode *first;
- CERTCrlNode *last;
-};
-
-
-struct CERTCrlNodeStr {
- CERTCrlNode *next;
- int type;
- CERTSignedCrl *crl;
-};
-
-
-/*
- * Array of X.500 Distinguished Names
- */
-struct CERTDistNamesStr {
- PRArenaPool *arena;
- int nnames;
- SECItem *names;
- void *head; /* private */
-};
-
-
-#define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
-#define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
-#define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
-#define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
-#define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
-#define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
-#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
-#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
-
-#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
-#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
-
-#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
- NS_CERT_TYPE_SSL_SERVER | \
- NS_CERT_TYPE_EMAIL | \
- NS_CERT_TYPE_OBJECT_SIGNING )
-
-#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
- NS_CERT_TYPE_EMAIL_CA | \
- NS_CERT_TYPE_OBJECT_SIGNING_CA | \
- EXT_KEY_USAGE_STATUS_RESPONDER )
-typedef enum {
- certUsageSSLClient,
- certUsageSSLServer,
- certUsageSSLServerWithStepUp,
- certUsageSSLCA,
- certUsageEmailSigner,
- certUsageEmailRecipient,
- certUsageObjectSigner,
- certUsageUserCertImport,
- certUsageVerifyCA,
- certUsageProtectedObjectSigner,
- certUsageStatusResponder,
- certUsageAnyCA
-} SECCertUsage;
-
-/*
- * Does the cert belong to the user, a peer, or a CA.
- */
-typedef enum {
- certOwnerUser,
- certOwnerPeer,
- certOwnerCA
-} CERTCertOwner;
-
-/*
- * This enum represents the state of validity times of a certificate
- */
-typedef enum {
- secCertTimeValid,
- secCertTimeExpired,
- secCertTimeNotValidYet
-} SECCertTimeValidity;
-
-/*
- * Interface for getting certificate nickname strings out of the database
- */
-
-/* these are values for the what argument below */
-#define SEC_CERT_NICKNAMES_ALL 1
-#define SEC_CERT_NICKNAMES_USER 2
-#define SEC_CERT_NICKNAMES_SERVER 3
-#define SEC_CERT_NICKNAMES_CA 4
-
-struct CERTCertNicknamesStr {
- PRArenaPool *arena;
- void *head;
- int numnicknames;
- char **nicknames;
- int what;
- int totallen;
-};
-
-struct CERTIssuerAndSNStr {
- SECItem derIssuer;
- CERTName issuer;
- SECItem serialNumber;
-};
-
-
-/* X.509 v3 Key Usage Extension flags */
-#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
-#define KU_NON_REPUDIATION (0x40) /* bit 1 */
-#define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
-#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
-#define KU_KEY_AGREEMENT (0x08) /* bit 4 */
-#define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
-#define KU_CRL_SIGN (0x02) /* bit 6 */
-#define KU_ALL (KU_DIGITAL_SIGNATURE | \
- KU_NON_REPUDIATION | \
- KU_KEY_ENCIPHERMENT | \
- KU_DATA_ENCIPHERMENT | \
- KU_KEY_AGREEMENT | \
- KU_KEY_CERT_SIGN | \
- KU_CRL_SIGN)
-
-/* This value will not occur in certs. It is used internally for the case
- * when the key type is not know ahead of time and either key agreement or
- * key encipherment are the correct value based on key type
- */
-#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
-
-/* internal bits that do not match bits in the x509v3 spec, but are used
- * for similar purposes
- */
-#define KU_NS_GOVT_APPROVED (0x8000) /*don't make part of KU_ALL!*/
-/*
- * x.509 v3 Basic Constraints Extension
- * If isCA is false, the pathLenConstraint is ignored.
- * Otherwise, the following pathLenConstraint values will apply:
- * < 0 - there is no limit to the certificate path
- * 0 - CA can issues end-entity certificates only
- * > 0 - the number of certificates in the certificate path is
- * limited to this number
- */
-#define CERT_UNLIMITED_PATH_CONSTRAINT -2
-
-struct CERTBasicConstraintsStr {
- PRBool isCA; /* on if is CA */
- int pathLenConstraint; /* maximum number of certificates that can be
- in the cert path. Only applies to a CA
- certificate; otherwise, it's ignored.
- */
-};
-
-/* Maximum length of a certificate chain */
-#define CERT_MAX_CERT_CHAIN 20
-
-/* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
-#define RF_UNUSED (0x80) /* bit 0 */
-#define RF_KEY_COMPROMISE (0x40) /* bit 1 */
-#define RF_CA_COMPROMISE (0x20) /* bit 2 */
-#define RF_AFFILIATION_CHANGED (0x10) /* bit 3 */
-#define RF_SUPERSEDED (0x08) /* bit 4 */
-#define RF_CESSATION_OF_OPERATION (0x04) /* bit 5 */
-#define RF_CERTIFICATE_HOLD (0x02) /* bit 6 */
-
-/* If we needed to extract the general name field, use this */
-/* General Name types */
-typedef enum {
- certOtherName = 1,
- certRFC822Name = 2,
- certDNSName = 3,
- certX400Address = 4,
- certDirectoryName = 5,
- certEDIPartyName = 6,
- certURI = 7,
- certIPAddress = 8,
- certRegisterID = 9
-} CERTGeneralNameType;
-
-
-typedef struct OtherNameStr {
- SECItem name;
- SECItem oid;
-}OtherName;
-
-
-
-struct CERTGeneralNameStr {
- CERTGeneralNameType type; /* name type */
- union {
- CERTName directoryName; /* distinguish name */
- OtherName OthName; /* Other Name */
- SECItem other; /* the rest of the name forms */
- }name;
- SECItem derDirectoryName; /* this is saved to simplify directory name
- comparison */
- PRCList l;
-};
-
-struct CERTGeneralNameListStr {
- PRArenaPool *arena;
- CERTGeneralName *name;
- int refCount;
- int len;
- PRLock *lock;
-};
-
-struct CERTNameConstraintStr {
- CERTGeneralName name;
- SECItem DERName;
- SECItem min;
- SECItem max;
- PRCList l;
-};
-
-
-struct CERTNameConstraintsStr {
- CERTNameConstraint *permited;
- CERTNameConstraint *excluded;
- SECItem **DERPermited;
- SECItem **DERExcluded;
-};
-
-
-/* X.509 v3 Authority Key Identifier extension. For the authority certificate
- issuer field, we only support URI now.
- */
-struct CERTAuthKeyIDStr {
- SECItem keyID; /* unique key identifier */
- CERTGeneralName *authCertIssuer; /* CA's issuer name. End with a NULL */
- SECItem authCertSerialNumber; /* CA's certificate serial number */
- SECItem **DERAuthCertIssuer; /* This holds the DER encoded format of
- the authCertIssuer field. It is used
- by the encoding engine. It should be
- used as a read only field by the caller.
- */
-};
-
-/* x.509 v3 CRL Distributeion Point */
-
-/*
- * defined the types of CRL Distribution points
- */
-typedef enum {
- generalName = 1, /* only support this for now */
- relativeDistinguishedName = 2
-} DistributionPointTypes;
-
-struct CRLDistributionPointStr {
- DistributionPointTypes distPointType;
- union {
- CERTGeneralName *fullName;
- CERTRDN relativeName;
- } distPoint;
- SECItem reasons;
- CERTGeneralName *crlIssuer;
-
- /* Reserved for internal use only*/
- SECItem derDistPoint;
- SECItem derRelativeName;
- SECItem **derCrlIssuer;
- SECItem **derFullName;
- SECItem bitsmap;
-};
-
-struct CERTCrlDistributionPointsStr {
- CRLDistributionPoint **distPoints;
-};
-
-/*
- * This structure is used to keep a log of errors when verifying
- * a cert chain. This allows multiple errors to be reported all at
- * once.
- */
-struct CERTVerifyLogNodeStr {
- CERTCertificate *cert; /* what cert had the error */
- long error; /* what error was it? */
- unsigned int depth; /* how far up the chain are we */
- void *arg; /* error specific argument */
- struct CERTVerifyLogNodeStr *next; /* next in the list */
- struct CERTVerifyLogNodeStr *prev; /* next in the list */
-};
-
-
-struct CERTVerifyLogStr {
- PRArenaPool *arena;
- unsigned int count;
- struct CERTVerifyLogNodeStr *head;
- struct CERTVerifyLogNodeStr *tail;
-};
-
-
-struct CERTOKDomainNameStr {
- CERTOKDomainName *next;
- char name[1]; /* actual length may be longer. */
-};
-
-
-typedef SECStatus PR_CALLBACK (*CERTStatusChecker) (CERTCertDBHandle *handle,
- CERTCertificate *cert,
- int64 time,
- void *pwArg);
-
-typedef SECStatus PR_CALLBACK (*CERTStatusDestroy) (CERTStatusConfig *handle);
-
-struct CERTStatusConfigStr {
- CERTStatusChecker statusChecker; /* NULL means no checking enabled */
- CERTStatusDestroy statusDestroy; /* enabled or no, will clean up */
- void *statusContext; /* cx specific to checking protocol */
-};
-
-struct CERTAuthInfoAccessStr {
- SECItem method;
- SECItem derLocation;
- CERTGeneralName *location; /* decoded location */
-};
-
-
-/* This is the typedef for the callback passed to CERT_OpenCertDB() */
-/* callback to return database name based on version number */
-typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
-
-/*
- * types of cert packages that we can decode
- */
-typedef enum {
- certPackageNone,
- certPackageCert,
- certPackagePKCS7,
- certPackageNSCertSeq,
- certPackageNSCertWrap
-} CERTPackageType;
-
-/*
- * these types are for the PKIX Certificate Policies extension
- */
-typedef struct {
- SECOidTag oid;
- SECItem qualifierID;
- SECItem qualifierValue;
-} CERTPolicyQualifier;
-
-typedef struct {
- SECOidTag oid;
- SECItem policyID;
- CERTPolicyQualifier **policyQualifiers;
-} CERTPolicyInfo;
-
-typedef struct {
- PRArenaPool *arena;
- CERTPolicyInfo **policyInfos;
-} CERTCertificatePolicies;
-
-typedef struct {
- SECItem organization;
- SECItem **noticeNumbers;
-} CERTNoticeReference;
-
-typedef struct {
- PRArenaPool *arena;
- CERTNoticeReference noticeReference;
- SECItem derNoticeReference;
- SECItem displayText;
-} CERTUserNotice;
-
-typedef struct {
- PRArenaPool *arena;
- SECItem **oids;
-} CERTOidSequence;
-
-
-/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
-
-#include "secasn1t.h" /* way down here because I expect template stuff to
- * move out of here anyway */
-
-extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
-extern const SEC_ASN1Template CERT_CertificateTemplate[];
-extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
-extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
-extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
-extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
-extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
-extern const SEC_ASN1Template CERT_ValidityTemplate[];
-extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
-extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
-
-extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
-extern const SEC_ASN1Template CERT_NameTemplate[];
-extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
-extern const SEC_ASN1Template CERT_RDNTemplate[];
-extern const SEC_ASN1Template CERT_SignedDataTemplate[];
-extern const SEC_ASN1Template CERT_CrlTemplate[];
-
-/*
-** XXX should the attribute stuff be centralized for all of ns/security?
-*/
-extern const SEC_ASN1Template CERT_AttributeTemplate[];
-extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
-
-#endif /* _CERTT_H_ */
diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c
deleted file mode 100644
index ea1016234..000000000
--- a/security/nss/lib/certdb/certv3.c
+++ /dev/null
@@ -1,406 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Code for dealing with X509.V3 extensions.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "certxutl.h"
-#include "secerr.h"
-
-SECStatus
-CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid,
- SECItem *value)
-{
- return (cert_FindExtensionByOID (cert->extensions, oid, value));
-}
-
-
-SECStatus
-CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value)
-{
- return (cert_FindExtension (cert->extensions, tag, value));
-}
-
-static void
-SetExts(void *object, CERTCertExtension **exts)
-{
- CERTCertificate *cert = (CERTCertificate *)object;
-
- cert->extensions = exts;
- DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
-}
-
-void *
-CERT_StartCertExtensions(CERTCertificate *cert)
-{
- return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
-}
-
-/* find the given extension in the certificate of the Issuer of 'cert' */
-SECStatus
-CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
-{
- CERTCertificate *issuercert;
- SECStatus rv;
-
- issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
- if ( issuercert ) {
- rv = cert_FindExtension(issuercert->extensions, tag, value);
- CERT_DestroyCertificate(issuercert);
- } else {
- rv = SECFailure;
- }
-
- return(rv);
-}
-
-/* find a URL extension in the cert or its CA
- * apply the base URL string if it exists
- */
-char *
-CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
-{
- SECStatus rv;
- SECItem urlitem;
- SECItem baseitem;
- SECItem urlstringitem = {siBuffer,0};
- SECItem basestringitem = {siBuffer,0};
- PRArenaPool *arena = NULL;
- PRBool hasbase;
- char *urlstring;
- char *str;
- int len;
- int i;
-
- urlstring = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( ! arena ) {
- goto loser;
- }
-
- hasbase = PR_FALSE;
- urlitem.data = NULL;
- baseitem.data = NULL;
-
- rv = cert_FindExtension(cert->extensions, tag, &urlitem);
- if ( rv == SECSuccess ) {
- rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
- &baseitem);
- if ( rv == SECSuccess ) {
- hasbase = PR_TRUE;
- }
-
- } else if ( catag ) {
- /* if the cert doesn't have the extensions, see if the issuer does */
- rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
- &baseitem);
- if ( rv == SECSuccess ) {
- hasbase = PR_TRUE;
- }
- } else {
- goto loser;
- }
-
- rv = SEC_ASN1DecodeItem(arena, &urlstringitem, SEC_IA5StringTemplate,
- &urlitem);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
- if ( hasbase ) {
- rv = SEC_ASN1DecodeItem(arena, &basestringitem, SEC_IA5StringTemplate,
- &baseitem);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
-
- str = urlstring = (char *)PORT_Alloc(len);
- if ( urlstring == NULL ) {
- goto loser;
- }
-
- /* copy the URL base first */
- if ( hasbase ) {
-
- /* if the urlstring has a : in it, then we assume it is an absolute
- * URL, and will not get the base string pre-pended
- */
- for ( i = 0; i < urlstringitem.len; i++ ) {
- if ( urlstringitem.data[i] == ':' ) {
- goto nobase;
- }
- }
-
- PORT_Memcpy(str, basestringitem.data, basestringitem.len);
- str += basestringitem.len;
-
- }
-
-nobase:
- /* copy the rest (or all) of the URL */
- PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
- str += urlstringitem.len;
-
- *str = '\0';
- goto done;
-
-loser:
- if ( urlstring ) {
- PORT_Free(urlstring);
- }
-
- urlstring = NULL;
-done:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if ( baseitem.data ) {
- PORT_Free(baseitem.data);
- }
- if ( urlitem.data ) {
- PORT_Free(urlitem.data);
- }
-
- return(urlstring);
-}
-
-/*
- * get the value of the Netscape Certificate Type Extension
- */
-SECStatus
-CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
-{
-
- return (CERT_FindBitStringExtension
- (cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));
-}
-
-
-/*
- * get the value of a string type extension
- */
-char *
-CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
-{
- SECItem wrapperItem, tmpItem = {siBuffer,0};
- SECStatus rv;
- PRArenaPool *arena = NULL;
- char *retstring = NULL;
-
- wrapperItem.data = NULL;
- tmpItem.data = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( ! arena ) {
- goto loser;
- }
-
- rv = cert_FindExtension(cert->extensions, oidtag,
- &wrapperItem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = SEC_ASN1DecodeItem(arena, &tmpItem, SEC_IA5StringTemplate,
- &wrapperItem);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- retstring = (char *)PORT_Alloc(tmpItem.len + 1 );
- if ( retstring == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
- retstring[tmpItem.len] = '\0';
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- if ( wrapperItem.data ) {
- PORT_Free(wrapperItem.data);
- }
-
- return(retstring);
-}
-
-/*
- * get the value of the X.509 v3 Key Usage Extension
- */
-SECStatus
-CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
-{
-
- return (CERT_FindBitStringExtension(cert->extensions,
- SEC_OID_X509_KEY_USAGE, retItem));
-}
-
-/*
- * get the value of the X.509 v3 Key Usage Extension
- */
-SECStatus
-CERT_FindSubjectKeyIDExten(CERTCertificate *cert, SECItem *retItem)
-{
-
- SECItem encodedValue;
- SECStatus rv;
-
- encodedValue.data = NULL;
- rv = cert_FindExtension
- (cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID, &encodedValue);
- if (rv != SECSuccess)
- return (rv);
- rv = SEC_ASN1DecodeItem (NULL, retItem, SEC_OctetStringTemplate,
- &encodedValue);
- PORT_Free (encodedValue.data);
-
- return (rv);
-}
-
-SECStatus
-CERT_FindBasicConstraintExten(CERTCertificate *cert,
- CERTBasicConstraints *value)
-{
- SECItem encodedExtenValue;
- SECStatus rv;
-
- encodedExtenValue.data = NULL;
- encodedExtenValue.len = 0;
-
- rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
- &encodedExtenValue);
- if ( rv != SECSuccess ) {
- return (rv);
- }
-
- rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue);
-
- /* free the raw extension data */
- PORT_Free(encodedExtenValue.data);
- encodedExtenValue.data = NULL;
-
- return(rv);
-}
-
-CERTAuthKeyID *
-CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert)
-{
- SECItem encodedExtenValue;
- SECStatus rv;
- CERTAuthKeyID *ret;
-
- encodedExtenValue.data = NULL;
- encodedExtenValue.len = 0;
-
- rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
- &encodedExtenValue);
- if ( rv != SECSuccess ) {
- return (NULL);
- }
-
- ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
-
- PORT_Free(encodedExtenValue.data);
- encodedExtenValue.data = NULL;
-
- return(ret);
-}
-
-SECStatus
-CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
-{
- PRBool critical;
- SECItem keyUsage;
- SECStatus rv;
-
- /* There is no extension, v1 or v2 certificate */
- if (cert->extensions == NULL) {
- return (SECSuccess);
- }
-
- keyUsage.data = NULL;
-
- do {
- /* if the keyUsage extension exists and is critical, make sure that the
- CA certificate is used for certificate signing purpose only. If the
- extension does not exist, we will assum that it can be used for
- certificate signing purpose.
- */
- rv = CERT_GetExtenCriticality(cert->extensions,
- SEC_OID_X509_KEY_USAGE,
- &critical);
- if (rv == SECFailure) {
- rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ?
- SECSuccess : SECFailure;
- break;
- }
-
- if (critical == PR_FALSE) {
- rv = SECSuccess;
- break;
- }
-
- rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
- if (rv != SECSuccess) {
- break;
- }
- if (!(keyUsage.data[0] & usage)) {
- PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID);
- rv = SECFailure;
- }
- }while (0);
- PORT_Free (keyUsage.data);
- return (rv);
-}
diff --git a/security/nss/lib/certdb/certxutl.c b/security/nss/lib/certdb/certxutl.c
deleted file mode 100644
index 619f576b2..000000000
--- a/security/nss/lib/certdb/certxutl.c
+++ /dev/null
@@ -1,482 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Certificate Extensions handling code
- *
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "certxutl.h"
-#include "secerr.h"
-
-#ifdef OLD
-#include "ocspti.h" /* XXX a better extensions interface would not
- * require knowledge of data structures of callers */
-#endif
-
-static CERTCertExtension *
-GetExtension (CERTCertExtension **extensions, SECItem *oid)
-{
- CERTCertExtension **exts;
- CERTCertExtension *ext = NULL;
- SECComparison comp;
-
- exts = extensions;
-
- if (exts) {
- while ( *exts ) {
- ext = *exts;
- comp = SECITEM_CompareItem(oid, &ext->id);
- if ( comp == SECEqual )
- break;
-
- exts++;
- }
- return (*exts ? ext : NULL);
- }
- return (NULL);
-}
-
-SECStatus
-cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value)
-{
- CERTCertExtension *ext;
- SECStatus rv = SECSuccess;
-
- ext = GetExtension (extensions, oid);
- if (ext == NULL) {
- PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
- return (SECFailure);
- }
- if (value)
- rv = SECITEM_CopyItem(NULL, value, &ext->value);
- return (rv);
-}
-
-
-SECStatus
-CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical)
-{
- CERTCertExtension *ext;
- SECOidData *oid;
-
- if (!isCritical)
- return (SECSuccess);
-
- /* find the extension in the extensions list */
- oid = SECOID_FindOIDByTag((SECOidTag)tag);
- if ( !oid ) {
- return(SECFailure);
- }
- ext = GetExtension (extensions, &oid->oid);
- if (ext == NULL) {
- PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
- return (SECFailure);
- }
-
- /* If the criticality is omitted, then it is false by default.
- ex->critical.data is NULL */
- if (ext->critical.data == NULL)
- *isCritical = PR_FALSE;
- else
- *isCritical = (ext->critical.data[0] == 0xff) ? PR_TRUE : PR_FALSE;
- return (SECSuccess);
-}
-
-SECStatus
-cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value)
-{
- SECOidData *oid;
-
- oid = SECOID_FindOIDByTag((SECOidTag)tag);
- if ( !oid ) {
- return(SECFailure);
- }
-
- return(cert_FindExtensionByOID(extensions, &oid->oid, value));
-}
-
-
-typedef struct _extNode {
- struct _extNode *next;
- CERTCertExtension *ext;
-} extNode;
-
-typedef struct {
- void (*setExts)(void *object, CERTCertExtension **exts);
- void *object;
- PRArenaPool *ownerArena;
- PRArenaPool *arena;
- extNode *head;
- int count;
-}extRec;
-
-/*
- * cert_StartExtensions
- *
- * NOTE: This interface changed significantly to remove knowledge
- * about callers data structures (owner objects)
- */
-void *
-cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
- void (*setExts)(void *object, CERTCertExtension **exts))
-{
- PRArenaPool *arena;
- extRec *handle;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- return(0);
- }
-
- handle = (extRec *)PORT_ArenaAlloc(arena, sizeof(extRec));
- if ( !handle ) {
- PORT_FreeArena(arena, PR_FALSE);
- return(0);
- }
-
- handle->object = owner;
- handle->ownerArena = ownerArena;
- handle->setExts = setExts;
-
- handle->arena = arena;
- handle->head = 0;
- handle->count = 0;
-
- return(handle);
-}
-
-static unsigned char hextrue = 0xff;
-
-/*
- * Note - assumes that data pointed to by oid->data will not move
- */
-SECStatus
-CERT_AddExtensionByOID (void *exthandle, SECItem *oid, SECItem *value,
- PRBool critical, PRBool copyData)
-{
- CERTCertExtension *ext;
- SECStatus rv;
- extNode *node;
- extRec *handle;
-
- handle = (extRec *)exthandle;
-
- /* allocate space for extension and list node */
- ext = (CERTCertExtension*)PORT_ArenaZAlloc(handle->ownerArena,
- sizeof(CERTCertExtension));
- if ( !ext ) {
- return(SECFailure);
- }
-
- node = (extNode*)PORT_ArenaAlloc(handle->arena, sizeof(extNode));
- if ( !node ) {
- return(SECFailure);
- }
-
- /* add to list */
- node->next = handle->head;
- handle->head = node;
-
- /* point to ext struct */
- node->ext = ext;
-
- /* the object ID of the extension */
- ext->id = *oid;
-
- /* set critical field */
- if ( critical ) {
- ext->critical.data = (unsigned char*)&hextrue;
- ext->critical.len = 1;
- }
-
- /* set the value */
- if ( copyData ) {
- rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
- if ( rv ) {
- return(SECFailure);
- }
- } else {
- ext->value = *value;
- }
-
- handle->count++;
-
- return(SECSuccess);
-
-}
-
-SECStatus
-CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
- PRBool critical, PRBool copyData)
-{
- SECOidData *oid;
-
- oid = SECOID_FindOIDByTag((SECOidTag)idtag);
- if ( !oid ) {
- return(SECFailure);
- }
-
- return(CERT_AddExtensionByOID(exthandle, &oid->oid, value, critical, copyData));
-}
-
-SECStatus
-CERT_EncodeAndAddExtension(void *exthandle, int idtag, void *value,
- PRBool critical, const SEC_ASN1Template *atemplate)
-{
- extRec *handle;
- SECItem *encitem;
-
- handle = (extRec *)exthandle;
-
- encitem = SEC_ASN1EncodeItem(handle->ownerArena, NULL, value, atemplate);
- if ( encitem == NULL ) {
- return(SECFailure);
- }
-
- return CERT_AddExtension(exthandle, idtag, encitem, critical, PR_FALSE);
-}
-
-void
-PrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
-{
- unsigned char onebyte;
- unsigned int i, len = 0;
-
- /* to prevent warning on some platform at compile time */
- onebyte = '\0';
- /* Get the position of the right-most turn-on bit */
- for (i = 0; i < (value->len ) * 8; ++i) {
- if (i % 8 == 0)
- onebyte = value->data[i/8];
- if (onebyte & 0x80)
- len = i;
- onebyte <<= 1;
-
- }
- bitsmap->data = value->data;
- /* Add one here since we work with base 1 */
- bitsmap->len = len + 1;
-}
-
-SECStatus
-CERT_EncodeAndAddBitStrExtension (void *exthandle, int idtag,
- SECItem *value, PRBool critical)
-{
- SECItem bitsmap;
-
- PrepareBitStringForEncoding (&bitsmap, value);
- return (CERT_EncodeAndAddExtension
- (exthandle, idtag, &bitsmap, critical, SEC_BitStringTemplate));
-}
-
-SECStatus
-CERT_FinishExtensions(void *exthandle)
-{
- extRec *handle;
- extNode *node;
- CERTCertExtension **exts;
- SECStatus rv = SECFailure;
-
- handle = (extRec *)exthandle;
-
- /* allocate space for extensions array */
- exts = PORT_ArenaNewArray(handle->ownerArena, CERTCertExtension *,
- handle->count + 1);
- if (exts == NULL) {
- goto loser;
- }
-
- /* put extensions in owner object and update its version number */
-
-#ifdef OLD
- switch (handle->type) {
- case CertificateExtensions:
- handle->owner.cert->extensions = exts;
- DER_SetUInteger (ownerArena, &(handle->owner.cert->version),
- SEC_CERTIFICATE_VERSION_3);
- break;
- case CrlExtensions:
- handle->owner.crl->extensions = exts;
- DER_SetUInteger (ownerArena, &(handle->owner.crl->version),
- SEC_CRL_VERSION_2);
- break;
- case OCSPRequestExtensions:
- handle->owner.request->tbsRequest->requestExtensions = exts;
- break;
- case OCSPSingleRequestExtensions:
- handle->owner.singleRequest->singleRequestExtensions = exts;
- break;
- case OCSPResponseSingleExtensions:
- handle->owner.singleResponse->singleExtensions = exts;
- break;
- }
-#endif
-
- handle->setExts(handle->object, exts);
-
- /* update the version number */
-
- /* copy each extension pointer */
- node = handle->head;
- while ( node ) {
- *exts = node->ext;
-
- node = node->next;
- exts++;
- }
-
- /* terminate the array of extensions */
- *exts = 0;
-
- rv = SECSuccess;
-
-loser:
- /* free working arena */
- PORT_FreeArena(handle->arena, PR_FALSE);
- return rv;
-}
-
-/*
- * get the value of the Netscape Certificate Type Extension
- */
-SECStatus
-CERT_FindBitStringExtension (CERTCertExtension **extensions, int tag,
- SECItem *retItem)
-{
- SECItem wrapperItem, tmpItem = {siBuffer,0};
- SECStatus rv;
- PRArenaPool *arena = NULL;
-
- wrapperItem.data = NULL;
- tmpItem.data = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( ! arena ) {
- return(SECFailure);
- }
-
- rv = cert_FindExtension(extensions, tag, &wrapperItem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = SEC_ASN1DecodeItem(arena, &tmpItem, SEC_BitStringTemplate,
- &wrapperItem);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- retItem->data = (unsigned char *)PORT_Alloc( ( tmpItem.len + 7 ) >> 3 );
- if ( retItem->data == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(retItem->data, tmpItem.data, ( tmpItem.len + 7 ) >> 3);
- retItem->len = tmpItem.len;
-
- rv = SECSuccess;
- goto done;
-
-loser:
- rv = SECFailure;
-
-done:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- if ( wrapperItem.data ) {
- PORT_Free(wrapperItem.data);
- }
-
- return(rv);
-}
-
-PRBool
-cert_HasCriticalExtension (CERTCertExtension **extensions)
-{
- CERTCertExtension **exts;
- CERTCertExtension *ext = NULL;
- PRBool hasCriticalExten = PR_FALSE;
-
- exts = extensions;
-
- if (exts) {
- while ( *exts ) {
- ext = *exts;
- /* If the criticality is omitted, it's non-critical */
- if (ext->critical.data && ext->critical.data[0] == 0xff) {
- hasCriticalExten = PR_TRUE;
- break;
- }
- exts++;
- }
- }
- return (hasCriticalExten);
-}
-
-PRBool
-cert_HasUnknownCriticalExten (CERTCertExtension **extensions)
-{
- CERTCertExtension **exts;
- CERTCertExtension *ext = NULL;
- PRBool hasUnknownCriticalExten = PR_FALSE;
-
- exts = extensions;
-
- if (exts) {
- while ( *exts ) {
- ext = *exts;
- /* If the criticality is omitted, it's non-critical.
- If an extension is critical, make sure that we know
- how to process the extension.
- */
- if (ext->critical.data && ext->critical.data[0] == 0xff) {
- if (SECOID_KnownCertExtenOID (&ext->id) == PR_FALSE) {
- hasUnknownCriticalExten = PR_TRUE;
- break;
- }
- }
- exts++;
- }
- }
- return (hasUnknownCriticalExten);
-}
diff --git a/security/nss/lib/certdb/certxutl.h b/security/nss/lib/certdb/certxutl.h
deleted file mode 100644
index 381226a43..000000000
--- a/security/nss/lib/certdb/certxutl.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * x.509 v3 certificate extension helper routines
- *
- */
-
-
-#ifndef _CERTXUTL_H_
-#define _CERTXUTL_H_
-
-#include "nspr.h"
-
-#ifdef OLD
-typedef enum {
- CertificateExtensions,
- CrlExtensions,
- OCSPRequestExtensions,
- OCSPSingleRequestExtensions,
- OCSPResponseSingleExtensions
-} ExtensionsType;
-#endif
-
-extern PRBool
-cert_HasCriticalExtension (CERTCertExtension **extensions);
-
-extern SECStatus
-CERT_FindBitStringExtension (CERTCertExtension **extensions,
- int tag, SECItem *retItem);
-extern void *
-cert_StartExtensions (void *owner, PLArenaPool *arena,
- void (*setExts)(void *object, CERTCertExtension **exts));
-
-extern SECStatus
-cert_FindExtension (CERTCertExtension **extensions, int tag, SECItem *value);
-
-extern SECStatus
-cert_FindExtensionByOID (CERTCertExtension **extensions,
- SECItem *oid, SECItem *value);
-
-extern SECStatus
-cert_GetExtenCriticality (CERTCertExtension **extensions,
- int tag, PRBool *isCritical);
-
-extern PRBool
-cert_HasUnknownCriticalExten (CERTCertExtension **extensions);
-
-#endif
diff --git a/security/nss/lib/certdb/config.mk b/security/nss/lib/certdb/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/certdb/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
deleted file mode 100644
index 1e0e909e1..000000000
--- a/security/nss/lib/certdb/crl.c
+++ /dev/null
@@ -1,387 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Moved from secpkcs7.c
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "certxutl.h"
-#include "prtime.h"
-#include "secerr.h"
-
-const SEC_ASN1Template SEC_CERTExtensionTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertExtension) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTCertExtension,id) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
- offsetof(CERTCertExtension,critical), },
- { SEC_ASN1_OCTET_STRING,
- offsetof(CERTCertExtension,value) },
- { 0, }
-};
-
-static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_CERTExtensionTemplate}
-};
-
-/*
- * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
- * be tested; Lisa did the obvious translation but they still should be
- * verified.
- */
-
-const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTIssuerAndSN) },
- { SEC_ASN1_SAVE,
- offsetof(CERTIssuerAndSN,derIssuer) },
- { SEC_ASN1_INLINE,
- offsetof(CERTIssuerAndSN,issuer),
- CERT_NameTemplate },
- { SEC_ASN1_INTEGER,
- offsetof(CERTIssuerAndSN,serialNumber) },
- { 0 }
-};
-
-static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCrlEntry) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(CERTCrlEntry,serialNumber) },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTCrlEntry,revocationDate) },
- { 0 }
-};
-
-static const SEC_ASN1Template cert_KrlTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCrl) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCrl,signatureAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_SAVE,
- offsetof(CERTCrl,derName) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCrl,name),
- CERT_NameTemplate },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTCrl,lastUpdate) },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTCrl,nextUpdate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTCrl,entries),
- cert_KrlEntryTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTSignedCrl) },
- { SEC_ASN1_SAVE,
- offsetof(CERTSignedCrl,signatureWrap.data) },
- { SEC_ASN1_INLINE,
- offsetof(CERTSignedCrl,crl),
- cert_KrlTemplate },
- { SEC_ASN1_INLINE,
- offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(CERTSignedCrl,signatureWrap.signature) },
- { 0 }
-};
-
-static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCrlKey) },
- { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
- { SEC_ASN1_SKIP },
- { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
- { SEC_ASN1_SKIP_REST },
- { 0 }
-};
-
-static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCrlEntry) },
- { SEC_ASN1_INTEGER,
- offsetof(CERTCrlEntry,serialNumber) },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTCrlEntry,revocationDate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTCrlEntry, extensions),
- SEC_CERTExtensionTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CERT_CrlTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCrl) },
- { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCrl,signatureAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_SAVE,
- offsetof(CERTCrl,derName) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCrl,name),
- CERT_NameTemplate },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTCrl,lastUpdate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME,
- offsetof(CERTCrl,nextUpdate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTCrl,entries),
- cert_CrlEntryTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_EXPLICIT | 0,
- offsetof(CERTCrl,extensions),
- SEC_CERTExtensionsTemplate},
- { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedCrlTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTSignedCrl) },
- { SEC_ASN1_SAVE,
- offsetof(CERTSignedCrl,signatureWrap.data) },
- { SEC_ASN1_INLINE,
- offsetof(CERTSignedCrl,crl),
- CERT_CrlTemplate },
- { SEC_ASN1_INLINE,
- offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(CERTSignedCrl,signatureWrap.signature) },
- { 0 }
-};
-
-const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
- { SEC_ASN1_SET_OF, 0, cert_SignedCrlTemplate },
-};
-
-/* Check the version of the CRL. If there is a critical extension in the crl
- or crl entry, then the version must be v2. Otherwise, it should be v1. If
- the crl contains critical extension(s), then we must recognized the extension's
- OID.
- */
-SECStatus cert_check_crl_version (CERTCrl *crl)
-{
- CERTCrlEntry **entries;
- CERTCrlEntry *entry;
- PRBool hasCriticalExten = PR_FALSE;
- SECStatus rv = SECSuccess;
- int version;
-
- /* CRL version is defaulted to v1 */
- version = SEC_CRL_VERSION_1;
- if (crl->version.data != 0)
- version = (int)DER_GetUInteger (&crl->version);
-
- if (version > SEC_CRL_VERSION_2) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- return (SECFailure);
- }
-
- /* Check the crl extensions for a critial extension. If one is found,
- and the version is not v2, then we are done.
- */
- if (crl->extensions) {
- hasCriticalExten = cert_HasCriticalExtension (crl->extensions);
- if (hasCriticalExten) {
- if (version != SEC_CRL_VERSION_2)
- return (SECFailure);
- /* make sure that there is no unknown critical extension */
- if (cert_HasUnknownCriticalExten (crl->extensions) == PR_TRUE) {
- PORT_SetError (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
- return (SECFailure);
- }
- }
- }
-
-
- if (crl->entries == NULL) {
- if (hasCriticalExten == PR_FALSE && version == SEC_CRL_VERSION_2) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- return (SECFailure);
- }
- return (SECSuccess);
- }
- /* Look in the crl entry extensions. If there is a critical extension,
- then the crl version must be v2; otherwise, it should be v1.
- */
- entries = crl->entries;
- while (*entries) {
- entry = *entries;
- if (entry->extensions) {
- /* If there is a critical extension in the entries, then the
- CRL must be of version 2. If we already saw a critical extension,
- there is no need to check the version again.
- */
- if (hasCriticalExten == PR_FALSE) {
- hasCriticalExten = cert_HasCriticalExtension (entry->extensions);
- if (hasCriticalExten && version != SEC_CRL_VERSION_2) {
- rv = SECFailure;
- break;
- }
- }
-
- /* For each entry, make sure that it does not contain an unknown
- critical extension. If it does, we must reject the CRL since
- we don't know how to process the extension.
- */
- if (cert_HasUnknownCriticalExten (entry->extensions) == PR_TRUE) {
- PORT_SetError (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
- rv = SECFailure;
- break;
- }
- }
- ++entries;
- }
- if (rv == SECFailure)
- return (rv);
-
- /* There is no critical extension, but the version is set to v2 */
- if (version != SEC_CRL_VERSION_1 && hasCriticalExten == PR_FALSE) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- return (SECFailure);
- }
- return (SECSuccess);
-}
-
-/*
- * Generate a database key, based on the issuer name from a
- * DER crl.
- */
-SECStatus
-CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key)
-{
- SECStatus rv;
- CERTSignedData sd;
- CERTCrlKey crlkey;
-
- PORT_Memset (&sd, 0, sizeof (sd));
- rv = SEC_ASN1DecodeItem (arena, &sd, CERT_SignedDataTemplate, derCrl);
- if (rv != SECSuccess) {
- return rv;
- }
-
- PORT_Memset (&crlkey, 0, sizeof (crlkey));
- rv = SEC_ASN1DecodeItem(arena, &crlkey, cert_CrlKeyTemplate, &sd.data);
- if (rv != SECSuccess) {
- return rv;
- }
-
- key->len = crlkey.derName.len;
- key->data = crlkey.derName.data;
-
- return(SECSuccess);
-}
-
-/*
- * take a DER CRL or KRL and decode it into a CRL structure
- */
-CERTSignedCrl *
-CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
-{
- PRArenaPool *arena;
- CERTSignedCrl *crl;
- SECStatus rv;
-
- /* make a new arena */
- if (narena == NULL) {
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- return NULL;
- }
- } else {
- arena = narena;
- }
-
- /* allocate the CRL structure */
- crl = (CERTSignedCrl *)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
- if ( !crl ) {
- goto loser;
- }
-
- crl->arena = arena;
-
- /* Save the arena in the inner crl for CRL extensions support */
- crl->crl.arena = arena;
-
- /* decode the CRL info */
- switch (type) {
- case SEC_CRL_TYPE:
- rv = SEC_ASN1DecodeItem
- (arena, crl, cert_SignedCrlTemplate, derSignedCrl);
- if (rv != SECSuccess)
- break;
-
- /* If the version is set to v2, make sure that it contains at
- least 1 critical extension either the crl extensions or
- crl entry extensions. */
- rv = cert_check_crl_version (&crl->crl);
- break;
-
- case SEC_KRL_TYPE:
- rv = SEC_ASN1DecodeItem
- (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
- break;
- default:
- rv = SECFailure;
- break;
- }
-
- if (rv != SECSuccess) {
- goto loser;
- }
-
- crl->referenceCount = 1;
-
- return(crl);
-
-loser:
-
- if ((narena == NULL) && arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(0);
-}
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c
deleted file mode 100644
index a603b8cec..000000000
--- a/security/nss/lib/certdb/genname.c
+++ /dev/null
@@ -1,1589 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "plarena.h"
-#include "seccomon.h"
-#include "secitem.h"
-#include "secoidt.h"
-#include "mcom_db.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "certt.h"
-#include "cert.h"
-#include "xconst.h"
-#include "secerr.h"
-#include "secoid.h"
-#include "prprf.h"
-#include "genname.h"
-
-
-
-static const SEC_ASN1Template CERTNameConstraintTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) },
- { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTNameConstraint, min), SEC_IntegerTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTNameConstraint, max), SEC_IntegerTemplate },
- { 0, }
-};
-
-const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-
-
-const SEC_ASN1Template CERT_NameConstraintSubtreePermitedTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 0, 0, CERT_NameConstraintSubtreeSubTemplate }
-};
-
-const SEC_ASN1Template CERT_NameConstraintSubtreeExcludedTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 1, 0, CERT_NameConstraintSubtreeSubTemplate }
-};
-
-
-static const SEC_ASN1Template CERTNameConstraintsTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTNameConstraints, DERPermited), CERT_NameConstraintSubtreeSubTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTNameConstraints, DERExcluded), CERT_NameConstraintSubtreeSubTemplate},
- { 0, }
-};
-
-
-static const SEC_ASN1Template CERTOthNameTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(OtherName, oid) },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(OtherName, name), SEC_AnyTemplate },
- { 0, }
-};
-
-static const SEC_ASN1Template CERTOtherNameTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
- offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate,
- sizeof(CERTGeneralName) }
-};
-
-static const SEC_ASN1Template CERTOtherName2Template[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
- 0, NULL, sizeof(CERTGeneralName) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
- { SEC_ASN1_ANY,
- offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
- { 0, }
-};
-
-static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 1 ,
- offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
- sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 2 ,
- offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
- sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_X400AddressTemplate[] = {
- { SEC_ASN1_ANY | SEC_ASN1_CONTEXT_SPECIFIC | 3,
- offsetof(CERTGeneralName, name.other), SEC_AnyTemplate,
- sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 4,
- offsetof(CERTGeneralName, derDirectoryName), SEC_AnyTemplate,
- sizeof (CERTGeneralName)}
-};
-
-
-static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = {
- { SEC_ASN1_ANY | SEC_ASN1_CONTEXT_SPECIFIC | 5,
- offsetof(CERTGeneralName, name.other), SEC_AnyTemplate,
- sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_URITemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 6 ,
- offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
- sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_IPAddressTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 7 ,
- offsetof(CERTGeneralName, name.other), SEC_OctetStringTemplate,
- sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 8 ,
- offsetof(CERTGeneralName, name.other), SEC_ObjectIDTemplate,
- sizeof (CERTGeneralName)}
-};
-
-
-const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-
-
-
-void
-CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
-{
- PRLock *lock;
-
- if (list != NULL) {
- lock = list->lock;
- PR_Lock(lock);
- if (--list->refCount <= 0 && list->arena != NULL) {
- PORT_FreeArena(list->arena, PR_FALSE);
- PR_Unlock(lock);
- PR_DestroyLock(lock);
- } else {
- PR_Unlock(lock);
- }
- }
- return;
-}
-
-CERTGeneralNameList *
-CERT_CreateGeneralNameList(CERTGeneralName *name) {
- PRArenaPool *arena;
- CERTGeneralNameList *list = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto done;
- }
- list = (CERTGeneralNameList *)
- PORT_ArenaZAlloc(arena, sizeof(CERTGeneralNameList));
- if (name != NULL) {
- list->name = (CERTGeneralName *)
- PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
- list->name->l.next = list->name->l.prev = &list->name->l;
- CERT_CopyGeneralName(arena, list->name, name);
- }
- list->lock = PR_NewLock();
- list->arena = arena;
- list->refCount = 1;
-done:
- return list;
-}
-
-CERTGeneralName *
-cert_get_next_general_name(CERTGeneralName *current)
-{
- PRCList *next;
-
- next = current->l.next;
- return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l));
-}
-
-CERTGeneralName *
-cert_get_prev_general_name(CERTGeneralName *current)
-{
- PRCList *prev;
- prev = current->l.prev;
- return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l));
-}
-
-CERTNameConstraint *
-cert_get_next_name_constraint(CERTNameConstraint *current)
-{
- PRCList *next;
-
- next = current->l.next;
- return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l));
-}
-
-CERTNameConstraint *
-cert_get_prev_name_constraint(CERTNameConstraint *current)
-{
- PRCList *prev;
- prev = current->l.prev;
- return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l));
-}
-
-SECItem *
-cert_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena)
-{
-
-
- PORT_Assert(arena);
- if (arena == NULL) {
- goto loser;
- }
- if (dest == NULL) {
- dest = (SECItem *) PORT_ArenaZAlloc(arena, sizeof(SECItem));
- }
- switch (genName->type) {
- case certURI:
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERT_URITemplate);
- break;
- case certRFC822Name:
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERT_RFC822NameTemplate);
- break;
- case certDNSName:
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERT_DNSNameTemplate);
- break;
- case certIPAddress:
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERT_IPAddressTemplate);
- break;
- case certOtherName:
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERTOtherNameTemplate);
- break;
- case certRegisterID:
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERT_RegisteredIDTemplate);
- break;
- case certEDIPartyName:
- /* for this type, we expect the value is already encoded */
- dest = SEC_ASN1EncodeItem (arena, dest, genName,
- CERT_EDIPartyNameTemplate);
- break;
- case certX400Address:
- /* for this type, we expect the value is already encoded */
- dest = SEC_ASN1EncodeItem (arena, dest, genName,
- CERT_X400AddressTemplate);
- break;
- case certDirectoryName:
- if (genName->derDirectoryName.data == NULL) {
- /* The field hasn't been encoded yet. */
- SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName),
- &(genName->name.directoryName),
- CERT_NameTemplate);
- }
- if (genName->derDirectoryName.data == NULL) {
- goto loser;
- }
- dest = SEC_ASN1EncodeItem(arena, dest, genName,
- CERT_DirectoryNameTemplate);
- break;
- }
- if (!dest) {
- goto loser;
- }
- return dest;
-loser:
- return NULL;
-}
-
-
-
-SECItem **
-cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names)
-{
- CERTGeneralName *current_name;
- SECItem **items = NULL;
- int count = 0;
- int i;
- PRCList *head;
-
- PORT_Assert(arena);
- current_name = names;
- if (names != NULL) {
- count = 1;
- }
- head = &(names->l);
- while (current_name->l.next != head) {
- current_name = cert_get_next_general_name(current_name);
- ++count;
- }
- current_name = cert_get_next_general_name(current_name);
- items = (SECItem **) PORT_ArenaAlloc(arena, sizeof(SECItem *) * (count + 1));
-
- if (items == NULL) {
- goto loser;
- }
- for (i = 0; i < count; i++) {
- items[i] = cert_EncodeGeneralName(current_name, (SECItem *) NULL, arena);
- if (items[i] == NULL) {
- goto loser;
- }
- current_name = cert_get_next_general_name(current_name);
- }
- items[i] = NULL;
- return items;
-loser:
- return NULL;
-}
-
-CERTGeneralName *
-cert_DecodeGeneralName(PRArenaPool *arena,
- SECItem *encodedName,
- CERTGeneralName *genName)
-{
- CERTGeneralNameType genNameType;
- SECStatus rv = SECSuccess;
-
- PORT_Assert(arena);
- if (genName == NULL) {
- genName = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
- }
- genNameType = (CERTGeneralNameType)((*(encodedName->data) & 0x0f) + 1);
- switch (genNameType) {
- case certURI:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_URITemplate, encodedName);
- break;
- case certRFC822Name:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_RFC822NameTemplate, encodedName);
- break;
- case certDNSName:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_DNSNameTemplate, encodedName);
- break;
- case certIPAddress:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_IPAddressTemplate, encodedName);
- break;
- case certOtherName:
- rv = SEC_ASN1DecodeItem(arena, genName, CERTOtherNameTemplate, encodedName);
- break;
- case certRegisterID:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_RegisteredIDTemplate, encodedName);
- break;
- case certEDIPartyName:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_EDIPartyNameTemplate, encodedName);
- break;
- case certX400Address:
- rv = SEC_ASN1DecodeItem(arena, genName, CERT_X400AddressTemplate, encodedName);
- break;
- case certDirectoryName:
- rv = SEC_ASN1DecodeItem
- (arena, genName, CERT_DirectoryNameTemplate, encodedName);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SEC_ASN1DecodeItem
- (arena, &(genName->name.directoryName), CERT_NameTemplate,
- &(genName->derDirectoryName));
- break;
- }
-
- if (rv != SECSuccess) {
- goto loser;
- }
- genName->type = genNameType;
- genName->l.next = (PRCList *) ((char *) genName) + offsetof(CERTGeneralName, l);
- genName->l.prev = genName->l.next;
- return genName;
-loser:
- return NULL;
-}
-
-CERTGeneralName *
-cert_DecodeGeneralNames (PRArenaPool *arena,
- SECItem **encodedGenName)
-{
- PRCList *head = NULL;
- PRCList *tail = NULL;
- CERTGeneralName *currentName = NULL;
-
- PORT_Assert(arena);
- if (!encodedGenName) {
- goto loser;
- }
- while (*encodedGenName != NULL) {
- currentName = cert_DecodeGeneralName(arena, *encodedGenName, NULL);
- if (currentName == NULL) {
- goto loser;
- }
- if (head == NULL) {
- head = &(currentName->l);
- tail = head;
- }
- currentName->l.next = head;
- currentName->l.prev = tail;
- tail = &(currentName->l);
- (cert_get_prev_general_name(currentName))->l.next = tail;
- encodedGenName++;
- }
- (cert_get_next_general_name(currentName))->l.prev = tail;
- return cert_get_next_general_name(currentName);
-loser:
- return NULL;
-}
-
-void
-CERT_DestroyGeneralName(CERTGeneralName *name)
-{
- cert_DestroyGeneralNames(name);
-}
-
-SECStatus
-cert_DestroyGeneralNames(CERTGeneralName *name)
-{
- CERTGeneralName *first;
- CERTGeneralName *next = NULL;
-
-
- first = name;
- do {
- next = cert_get_next_general_name(name);
- PORT_Free(name);
- name = next;
- } while (name != first);
- return SECSuccess;
-}
-
-SECItem *
-cert_EncodeNameConstraint(CERTNameConstraint *constraint,
- SECItem *dest,
- PRArenaPool *arena)
-{
- PORT_Assert(arena);
- if (dest == NULL) {
- dest = (SECItem *) PORT_ArenaZAlloc(arena, sizeof(SECItem));
- if (dest == NULL) {
- return NULL;
- }
- }
- cert_EncodeGeneralName(&(constraint->name), &(constraint->DERName),
- arena);
-
- dest = SEC_ASN1EncodeItem (arena, dest, constraint,
- CERTNameConstraintTemplate);
- return dest;
-}
-
-SECStatus
-cert_EncodeNameConstraintSubTree(CERTNameConstraint *constraints,
- PRArenaPool *arena,
- SECItem ***dest,
- PRBool permited)
-{
- CERTNameConstraint *current_constraint = constraints;
- SECItem **items = NULL;
- int count = 0;
- int i;
- PRCList *head;
-
- PORT_Assert(arena);
- if (constraints != NULL) {
- count = 1;
- }
- head = (PRCList *) (((char *) constraints) + offsetof(CERTNameConstraint, l));
- while (current_constraint->l.next != head) {
- current_constraint = cert_get_next_name_constraint(current_constraint);
- ++count;
- }
- current_constraint = cert_get_next_name_constraint(current_constraint);
- items = (SECItem **) PORT_ArenaZAlloc(arena, sizeof(SECItem *) * (count + 1));
-
- if (items == NULL) {
- goto loser;
- }
- for (i = 0; i < count; i++) {
- items[i] = cert_EncodeNameConstraint(current_constraint,
- (SECItem *) NULL, arena);
- if (items[i] == NULL) {
- goto loser;
- }
- current_constraint = cert_get_next_name_constraint(current_constraint);
- }
- *dest = items;
- if (*dest == NULL) {
- goto loser;
- }
- return SECSuccess;
-loser:
- return SECFailure;
-}
-
-SECStatus
-cert_EncodeNameConstraints(CERTNameConstraints *constraints,
- PRArenaPool *arena,
- SECItem *dest)
-{
- SECStatus rv = SECSuccess;
-
- PORT_Assert(arena);
- if (constraints->permited != NULL) {
- rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
- &constraints->DERPermited, PR_TRUE);
- if (rv == SECFailure) {
- goto loser;
- }
- }
- if (constraints->excluded != NULL) {
- rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
- &constraints->DERExcluded, PR_FALSE);
- if (rv == SECFailure) {
- goto loser;
- }
- }
- dest = SEC_ASN1EncodeItem(arena, dest, constraints,
- CERTNameConstraintsTemplate);
- if (dest == NULL) {
- goto loser;
- }
- return SECSuccess;
-loser:
- return SECFailure;
-}
-
-
-CERTNameConstraint *
-cert_DecodeNameConstraint(PRArenaPool *arena,
- SECItem *encodedConstraint)
-{
- CERTNameConstraint *constraint;
- SECStatus rv = SECSuccess;
- CERTGeneralName *temp;
-
-
-
- PORT_Assert(arena);
- constraint = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint));
- rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, encodedConstraint);
- if (rv != SECSuccess) {
- goto loser;
- }
- temp = cert_DecodeGeneralName(arena, &(constraint->DERName), &(constraint->name));
- if (temp != &(constraint->name)) {
- goto loser;
- }
-
- /* ### sjlee: since the name constraint contains only one
- * CERTGeneralName, the list within CERTGeneralName shouldn't
- * point anywhere else. Otherwise, bad things will happen.
- */
- constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
- return constraint;
-loser:
- return NULL;
-}
-
-
-CERTNameConstraint *
-cert_DecodeNameConstraintSubTree(PRArenaPool *arena,
- SECItem **subTree,
- PRBool permited)
-{
- CERTNameConstraint *current = NULL;
- CERTNameConstraint *first = NULL;
- CERTNameConstraint *last = NULL;
- CERTNameConstraint *next = NULL;
- int i = 0;
-
- while (subTree[i] != NULL) {
- current = cert_DecodeNameConstraint(arena, subTree[i]);
- if (current == NULL) {
- goto loser;
- }
- if (last == NULL) {
- first = last = current;
- }
- current->l.prev = &(last->l);
- current->l.next = last->l.next;
- last->l.next = &(current->l);
- i++;
- }
- first->l.prev = &(current->l);
- return first;
-loser:
- if (first) {
- current = first;
- do {
- next = cert_get_next_name_constraint(current);
- PORT_Free(current);
- current = next;
- }while (current != first);
- }
- return NULL;
-}
-
-CERTNameConstraints *
-cert_DecodeNameConstraints(PRArenaPool *arena,
- SECItem *encodedConstraints)
-{
- CERTNameConstraints *constraints;
- SECStatus rv;
-
- PORT_Assert(arena);
- PORT_Assert(encodedConstraints);
- constraints = (CERTNameConstraints *) PORT_ArenaZAlloc(arena,
- sizeof(CERTNameConstraints));
- if (constraints == NULL) {
- goto loser;
- }
- rv = SEC_ASN1DecodeItem(arena, constraints, CERTNameConstraintsTemplate,
- encodedConstraints);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (constraints->DERPermited != NULL && constraints->DERPermited[0] != NULL) {
- constraints->permited = cert_DecodeNameConstraintSubTree(arena,
- constraints->DERPermited,
- PR_TRUE);
- if (constraints->permited == NULL) {
- goto loser;
- }
- }
- if (constraints->DERExcluded != NULL && constraints->DERExcluded[0] != NULL) {
- constraints->excluded = cert_DecodeNameConstraintSubTree(arena,
- constraints->DERExcluded,
- PR_FALSE);
- if (constraints->excluded == NULL) {
- goto loser;
- }
- }
- return constraints;
-loser:
- return NULL;
-}
-
-
-SECStatus
-CERT_CopyGeneralName(PRArenaPool *arena,
- CERTGeneralName *dest,
- CERTGeneralName *src)
-{
- SECStatus rv;
- CERTGeneralName *destHead = dest;
- CERTGeneralName *srcHead = src;
- CERTGeneralName *temp;
-
- PORT_Assert(dest != NULL);
- dest->type = src->type;
- do {
- switch (src->type) {
- case certDirectoryName: {
- rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, &src->derDirectoryName);
- if (rv != SECSuccess) {
- return rv;
- }
- rv = CERT_CopyName(arena, &dest->name.directoryName, &src->name.directoryName);
- break;
- }
- case certOtherName: {
- rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, &src->name.OthName.name);
- if (rv != SECSuccess) {
- return rv;
- }
- rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, &src->name.OthName.oid);
- break;
- }
- default: {
- rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other);
- }
- }
- src = cert_get_next_general_name(src);
- /* if there is only one general name, we shouldn't do this */
- if (src != srcHead) {
- if (dest->l.next == &destHead->l) {
- if (arena) {
- temp = (CERTGeneralName *)
- PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
- } else {
- temp = (CERTGeneralName *)
- PORT_ZAlloc(sizeof(CERTGeneralName));
- }
- temp->l.next = &destHead->l;
- temp->l.prev = &dest->l;
- destHead->l.prev = &temp->l;
- dest->l.next = &temp->l;
- dest = temp;
- } else {
- dest = cert_get_next_general_name(dest);
- }
- }
- } while (src != srcHead && rv == SECSuccess);
- return rv;
-}
-
-
-CERTGeneralNameList *
-CERT_DupGeneralNameList(CERTGeneralNameList *list)
-{
- if (list != NULL) {
- PR_Lock(list->lock);
- list->refCount++;
- PR_Unlock(list->lock);
- }
- return list;
-}
-
-CERTNameConstraint *
-CERT_CopyNameConstraint(PRArenaPool *arena,
- CERTNameConstraint *dest,
- CERTNameConstraint *src)
-{
- SECStatus rv;
-
- if (dest == NULL) {
- dest = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint));
- /* mark that it is not linked */
- dest->name.l.prev = dest->name.l.next = &(dest->name.l);
- }
- rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
- if (rv != SECSuccess) {
- goto loser;
- }
- dest->l.prev = dest->l.next = &dest->l;
- return dest;
-loser:
- return NULL;
-}
-
-
-CERTGeneralName *
-cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
-{
- PRCList *begin1;
- PRCList *begin2;
- PRCList *end1;
- PRCList *end2;
-
- if (list1 == NULL){
- return list2;
- } else if (list2 == NULL) {
- return list1;
- } else {
- begin1 = &list1->l;
- begin2 = &list2->l;
- end1 = list1->l.prev;
- end2 = list2->l.prev;
- end1->next = begin2;
- end2->next = begin1;
- begin1->prev = end2;
- begin2->prev = end1;
- return list1;
- }
-}
-
-
-CERTNameConstraint *
-cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
-{
- PRCList *begin1;
- PRCList *begin2;
- PRCList *end1;
- PRCList *end2;
-
- if (list1 == NULL){
- return list2;
- } else if (list2 == NULL) {
- return list1;
- } else {
- begin1 = &list1->l;
- begin2 = &list2->l;
- end1 = list1->l.prev;
- end2 = list2->l.prev;
- end1->next = begin2;
- end2->next = begin1;
- begin1->prev = end2;
- begin2->prev = end1;
- return list1;
- }
-}
-
-
-CERTNameConstraint *
-CERT_AddNameConstraint(CERTNameConstraint *list,
- CERTNameConstraint *constraint)
-{
- PORT_Assert(constraint != NULL);
- constraint->l.next = constraint->l.prev = &constraint->l;
- list = cert_CombineConstraintsLists(list, constraint);
- return list;
-}
-
-
-SECStatus
-CERT_GetNameConstriantByType (CERTNameConstraint *constraints,
- CERTGeneralNameType type,
- CERTNameConstraint **returnList,
- PRArenaPool *arena)
-{
- CERTNameConstraint *current;
- CERTNameConstraint *temp;
-
- *returnList = NULL;
- if (!constraints)
- return SECSuccess;
- current = constraints;
-
- do {
- if (current->name.type == type ||
- (type == certDirectoryName && current->name.type == certRFC822Name)) {
- temp = NULL;
- temp = CERT_CopyNameConstraint(arena, temp, current);
- if (temp == NULL) {
- goto loser;
- }
- *returnList = CERT_AddNameConstraint(*returnList, temp);
- }
- current = cert_get_next_name_constraint(current);
- } while (current != constraints);
- return SECSuccess;
-loser:
- return SECFailure;
-}
-
-
-void *
-CERT_GetGeneralNameByType (CERTGeneralName *genNames,
- CERTGeneralNameType type, PRBool derFormat)
-{
- CERTGeneralName *current;
-
- if (!genNames)
- return (NULL);
- current = genNames;
-
- do {
- if (current->type == type) {
- switch (type) {
- case certDNSName:
- case certEDIPartyName:
- case certIPAddress:
- case certRegisterID:
- case certRFC822Name:
- case certX400Address:
- case certURI: {
- return &(current->name.other);
- }
- case certOtherName: {
- return &(current->name.OthName);
- break;
- }
- case certDirectoryName: {
- if (derFormat) {
- return &(current->derDirectoryName);
- } else{
- return &(current->name.directoryName);
- }
- break;
- }
- }
- }
- current = cert_get_next_general_name(current);
- } while (current != genNames);
- return (NULL);
-}
-
-int
-CERT_GetNamesLength(CERTGeneralName *names)
-{
- int length = 0;
- CERTGeneralName *first;
-
- first = names;
- if (names != NULL) {
- do {
- length++;
- names = cert_get_next_general_name(names);
- } while (names != first);
- }
- return length;
-}
-
-CERTGeneralName *
-CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
-{
- CERTGeneralName *DN;
- CERTGeneralName *altName;
- SECItem altNameExtension;
- SECStatus rv;
-
-
- DN = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
- if (DN == NULL) {
- goto loser;
- }
- rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
- DN->type = certDirectoryName;
- DN->l.next = DN->l.prev = &DN->l;
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
- &altNameExtension);
- if (rv != SECSuccess) {
- return DN;
- }
- altName = CERT_DecodeAltNameExtension(arena, &altNameExtension);
- if (altName == NULL) {
- goto loser;
- }
- DN = cert_CombineNamesLists(DN, altName);
- return DN;
-loser:
- return NULL;
-}
-
-static SECStatus
-compareNameToConstraint(char *name, char *constraint, PRBool substring)
-{
- SECStatus rv;
-
- if (*constraint == '\0' && *name == '\0') {
- return SECSuccess;
- }
- if (*constraint == '*') {
- return compareNameToConstraint(name, constraint + 1, PR_TRUE);
- }
- if (substring) {
- if (*constraint == '\0') {
- return SECSuccess;
- }
- while (*name != *constraint) {
- if (*name == '\0') {
- return SECFailure;
- }
- name++;
- }
- rv = compareNameToConstraint(name + 1, constraint + 1, PR_FALSE);
- if (rv == SECSuccess) {
- return rv;
- }
- name++;
- } else {
- if (*name == *constraint) {
- name++;
- constraint++;
- } else {
- return SECFailure;
- }
- }
- return compareNameToConstraint(name, constraint, substring);
-}
-
-SECStatus
-cert_CompareNameWithConstraints(CERTGeneralName *name,
- CERTNameConstraint *constraints,
- PRBool excluded)
-{
- SECStatus rv = SECSuccess;
- char *nameString = NULL;
- char *constraintString = NULL;
- int start;
- int end;
- int tag;
- CERTRDN **nameRDNS, *nameRDN;
- CERTRDN **constraintRDNS, *constraintRDN;
- CERTAVA **nameAVAS, *nameAVA;
- CERTAVA **constraintAVAS, *constraintAVA;
- CERTNameConstraint *current;
- SECItem *avaValue;
- CERTName constraintName;
- CERTName certName;
- SECComparison status = SECEqual;
- PRArenaPool *certNameArena;
- PRArenaPool *constraintNameArena;
-
- certName.arena = NULL;
- certName.rdns = NULL;
- constraintName.arena = NULL;
- constraintName.rdns = NULL;
- if (constraints != NULL) {
- current = constraints;
- if (name->type == certDirectoryName) {
- certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- CERT_CopyName(certNameArena, &certName, &name->name.directoryName);
- nameRDNS = certName.rdns;
- for (;;) {
- nameRDN = *nameRDNS++;
- nameAVAS = nameRDN->avas;
- for(;;) {
- nameAVA = *nameAVAS++;
- tag = CERT_GetAVATag(nameAVA);
- if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
- tag == SEC_OID_RFC1274_MAIL) {
- avaValue = CERT_DecodeAVAValue(&nameAVA->value);
- nameString = (char*)PORT_ZAlloc(avaValue->len + 1);
- nameString = PORT_Strncpy(nameString, (char *) avaValue->data, avaValue->len);
- start = 0;
- while(nameString[start] != '@' && nameString[start + 1] != '\0') {
- start++;
- }
- start++;
- do{
- if (current->name.type == certRFC822Name) {
- constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
- constraintString = PORT_Strncpy(constraintString,
- (char *) current->name.name.other.data,
- current->name.name.other.len);
- rv = compareNameToConstraint(nameString + start, constraintString,
- PR_FALSE);
-
- if (constraintString != NULL) {
- PORT_Free(constraintString);
- constraintString = NULL;
- }
- if (nameString != NULL) {
- PORT_Free(nameString);
- nameString = NULL;
- }
- if (rv == SECSuccess && excluded == PR_TRUE) {
- goto found;
- }
- if (rv == SECSuccess && excluded == PR_FALSE) {
- break;
- }
- }
- current = cert_get_next_name_constraint(current);
- } while (current != constraints);
- }
- if (rv != SECSuccess && excluded == PR_FALSE) {
- goto loser;
- }
- if (*nameAVAS == NULL) {
- break;
- }
- }
- if (*nameRDNS == NULL) {
- break;
- }
- }
- }
- current = constraints;
- do {
- switch (name->type) {
- case certDNSName:
- nameString = (char*)PORT_ZAlloc(name->name.other.len + 1);
- nameString = PORT_Strncpy(nameString, (char *) name->name.other.data,
- name->name.other.len);
- constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
- constraintString = PORT_Strncpy(constraintString,
- (char *) current->name.name.other.data,
- current->name.name.other.len);
- rv = compareNameToConstraint(nameString, constraintString, PR_FALSE);
- if (nameString != NULL) {
- PORT_Free(nameString);
- }
- if (constraintString != NULL) {
- PORT_Free(constraintString);
- }
- break;
- case certRFC822Name:
- nameString = (char*)PORT_ZAlloc(name->name.other.len + 1);
- nameString = PORT_Strncpy(nameString, (char *) name->name.other.data,
- name->name.other.len);
- start = 0;
- while(nameString[start] != '@' && nameString[start + 1] != '\0') {
- start++;
- }
- start++;
- constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
- constraintString = PORT_Strncpy(constraintString,
- (char *) current->name.name.other.data,
- current->name.name.other.len);
- rv = compareNameToConstraint(nameString + start, constraintString, PR_FALSE);
- if (nameString != NULL) {
- PORT_Free(nameString);
- }
- if (constraintString != NULL) {
- PORT_Free(constraintString);
- }
- break;
- case certURI:
- nameString = (char*)PORT_ZAlloc(name->name.other.len + 1);
- nameString = PORT_Strncpy(nameString, (char *) name->name.other.data,
- name->name.other.len);
- while(PORT_Strncmp(nameString + start, "://", 3) != 0 &&
- nameString[start + 3] != '\0') {
- start++;
- }
- start +=3;
- end = 0;
- while(nameString[start + end] != '/' &&
- nameString[start + end] != '\0') {
- end++;
- }
- nameString[start + end] = '\0';
- constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
- constraintString = PORT_Strncpy(constraintString,
- (char *) current->name.name.other.data,
- current->name.name.other.len);
- rv = compareNameToConstraint(nameString + start, constraintString, PR_FALSE);
- if (nameString != NULL) {
- PORT_Free(nameString);
- }
- if (constraintString != NULL) {
- PORT_Free(constraintString);
- }
- break;
- case certDirectoryName:
- if (current->name.type == certDirectoryName) {
- constraintNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- CERT_CopyName(constraintNameArena, &constraintName, &current->name.name.directoryName);
- constraintRDNS = constraintName.rdns;
- for (;;) {
- constraintRDN = *constraintRDNS++;
- constraintAVAS = constraintRDN->avas;
- for(;;) {
- constraintAVA = *constraintAVAS++;
- certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- CERT_CopyName(certNameArena, &certName, &name->name.directoryName);
- nameRDNS = certName.rdns;
- for (;;) {
- nameRDN = *nameRDNS++;
- nameAVAS = nameRDN->avas++;
- for(;;) {
- nameAVA = *nameAVAS++;
- status = CERT_CompareAVA(constraintAVA, nameAVA);
- if (status == SECEqual || *nameAVAS == NULL) {
- break;
- }
- }
- if (status == SECEqual || *nameRDNS == NULL) {
- break;
- }
- }
- if (status != SECEqual || *constraintAVAS == NULL) {
- break;
- }
- }
- if (status != SECEqual || *constraintRDNS == NULL) {
- break;
- }
- }
- if (status == SECEqual) {
- if (excluded == PR_FALSE) {
- goto found;
- } else {
- goto loser;
- }
- }
- break;
- } else if (current->name.type == certRFC822Name) {
- current = cert_get_next_name_constraint(current);
- continue;
- }
- default:
- /* other types are not supported */
- if (excluded) {
- goto found;
- } else {
- goto loser;
- }
- }
- if (rv == SECSuccess && status == SECEqual) {
- goto found;
- }
- current = cert_get_next_name_constraint(current);
- } while (current !=constraints);
- } else {
- goto found;
- }
-loser:
- if (certName.arena) {
- CERT_DestroyName(&certName);
- }
- if (constraintName.arena) {
- CERT_DestroyName(&constraintName);
- }
- return SECFailure;
-found:
- if (certName.arena) {
- CERT_DestroyName(&certName);
- }
- if (constraintName.arena) {
- CERT_DestroyName(&constraintName);
- }
- return SECSuccess;
-}
-
-
-CERTCertificate *
-CERT_CompareNameSpace(CERTCertificate *cert,
- CERTGeneralName *namesList,
- SECItem *namesListIndex,
- PRArenaPool *arena,
- CERTCertDBHandle *handle)
-{
- SECStatus rv;
- SECItem constraintsExtension;
- CERTNameConstraints *constraints;
- CERTGeneralName *currentName;
- int count = 0;
- CERTNameConstraint *matchingConstraints;
- CERTCertificate *badCert = NULL;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, &constraintsExtension);
- if (rv != SECSuccess) {
- return NULL;
- }
- constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
- currentName = namesList;
- if (constraints == NULL) {
- goto loser;
- }
- do {
- if (constraints->excluded != NULL) {
- rv = CERT_GetNameConstriantByType(constraints->excluded, currentName->type,
- &matchingConstraints, arena);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (matchingConstraints != NULL) {
- rv = cert_CompareNameWithConstraints(currentName, matchingConstraints,
- PR_TRUE);
- if (rv != SECFailure) {
- goto loser;
- }
- }
- }
- if (constraints->permited != NULL) {
- rv = CERT_GetNameConstriantByType(constraints->permited, currentName->type,
- &matchingConstraints, arena);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (matchingConstraints != NULL) {
- rv = cert_CompareNameWithConstraints(currentName, matchingConstraints,
- PR_FALSE);
- if (rv != SECSuccess) {
- goto loser;
- }
- } else {
- goto loser;
- }
- }
- currentName = cert_get_next_general_name(currentName);
- count ++;
- } while (currentName != namesList);
- return NULL;
-loser:
- badCert = CERT_FindCertByName (handle, &namesListIndex[count]);
- return badCert;
-}
-
-
-
-
-
-char *
-CERT_GetNickName(CERTCertificate *cert,
- CERTCertDBHandle *handle,
- PRArenaPool *nicknameArena)
-{
- CERTGeneralName *current;
- CERTGeneralName *names;
- SECItem altNameExtension;
- char *nickname = NULL;
- char *returnName = NULL;
- char *tempname = NULL;
- SECItem *nick;
- SECStatus rv;
- PRArenaPool *arena = NULL;
- int count;
- int length;
-
-
-
- if (handle == NULL) {
- handle = CERT_GetDefaultCertDB();
- }
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
- &altNameExtension);
- if (rv != SECSuccess) {
- goto loser;
- }
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto loser;
- }
- names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
- if (names == NULL) {
- goto loser;
- }
- current = names;
- do {
- if (current->type == certOtherName &&
- SECOID_FindOIDTag(&current->name.OthName.oid) == SEC_OID_NETSCAPE_NICKNAME) {
- rv = SEC_ASN1DecodeItem(arena, nick, SEC_IA5StringTemplate,
- &current->name.OthName.name);
- if (rv != SECSuccess) {
- goto loser;
- }
- nickname = (char*)PORT_ZAlloc(nick->len + 1);
- if (nickname == NULL) {
- goto loser;
- }
- nickname = PORT_Strncpy(nickname, (char *) nick->data, nick->len);
- length = nick->len;
- count = 1;
- tempname = nickname;
- while (CERT_FindCertByNickname(handle, nickname) != NULL) {
- nickname = PR_smprintf("%s #%d", tempname, count);
- count++;
- }
- goto done;
- }
- current = cert_get_next_general_name(current);
- } while (current != names);
-loser:
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if (nickname != NULL) {
- PORT_Free(nickname);
- }
- return NULL;
-done:
- if (nicknameArena != NULL) {
- returnName = PORT_ArenaStrdup(cert->arena, nickname);
- } else {
- returnName = PORT_Strdup(nickname);
- }
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- PORT_Free(nickname);
- return returnName;
-}
-
-
-SECStatus
-CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
-{
- CERTGeneralName *currentA;
- CERTGeneralName *currentB;
- PRBool found;
-
- currentA = a;
- currentB = b;
- if (a != NULL) {
- do {
- if (currentB == NULL) {
- return SECFailure;
- }
- currentB = cert_get_next_general_name(currentB);
- currentA = cert_get_next_general_name(currentA);
- } while (currentA != a);
- }
- if (currentB != b) {
- return SECFailure;
- }
- currentA = a;
- do {
- currentB = b;
- found = PR_FALSE;
- do {
- if (currentB->type == currentA->type) {
- switch (currentB->type) {
- case certDNSName:
- case certEDIPartyName:
- case certIPAddress:
- case certRegisterID:
- case certRFC822Name:
- case certX400Address:
- case certURI:
- if (SECITEM_CompareItem(&currentA->name.other,
- &currentB->name.other)
- == SECEqual) {
- found = PR_TRUE;
- }
- break;
- case certOtherName:
- if (SECITEM_CompareItem(&currentA->name.OthName.oid,
- &currentB->name.OthName.oid)
- == SECEqual &&
- SECITEM_CompareItem(&currentA->name.OthName.name,
- &currentB->name.OthName.name)
- == SECEqual) {
- found = PR_TRUE;
- }
- break;
- case certDirectoryName:
- if (CERT_CompareName(&currentA->name.directoryName,
- &currentB->name.directoryName)
- == SECEqual) {
- found = PR_TRUE;
- }
- }
-
- }
- currentB = cert_get_next_general_name(currentB);
- } while (currentB != b && found != PR_TRUE);
- if (found != PR_TRUE) {
- return SECFailure;
- }
- currentA = cert_get_next_general_name(currentA);
- } while (currentA != a);
- return SECSuccess;
-}
-
-SECStatus
-CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b)
-{
- SECStatus rv;
-
- if (a == b) {
- return SECSuccess;
- }
- if (a != NULL && b != NULL) {
- PR_Lock(a->lock);
- PR_Lock(b->lock);
- rv = CERT_CompareGeneralName(a->name, b->name);
- PR_Unlock(a->lock);
- PR_Unlock(b->lock);
- } else {
- rv = SECFailure;
- }
- return rv;
-}
-
-void *
-CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
- CERTGeneralNameType type,
- PRArenaPool *arena)
-{
- CERTName *name = NULL;
- SECItem *item = NULL;
- OtherName *other = NULL;
- OtherName *tmpOther = NULL;
- void *data;
-
- PR_Lock(list->lock);
- data = CERT_GetGeneralNameByType(list->name, type, PR_FALSE);
- if (data != NULL) {
- switch (type) {
- case certDNSName:
- case certEDIPartyName:
- case certIPAddress:
- case certRegisterID:
- case certRFC822Name:
- case certX400Address:
- case certURI:
- if (arena != NULL) {
- item = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
- if (item != NULL) {
- SECITEM_CopyItem(arena, item, (SECItem *) data);
- }
- } else {
- item = SECITEM_DupItem((SECItem *) data);
- }
- PR_Unlock(list->lock);
- return item;
- case certOtherName:
- other = (OtherName *) data;
- if (arena != NULL) {
- tmpOther = (OtherName *)PORT_ArenaAlloc(arena,
- sizeof(OtherName));
- } else {
- tmpOther = (OtherName *) PORT_Alloc(sizeof(OtherName));
- }
- if (tmpOther != NULL) {
- SECITEM_CopyItem(arena, &tmpOther->oid, &other->oid);
- SECITEM_CopyItem(arena, &tmpOther->name, &other->name);
- }
- PR_Unlock(list->lock);
- return tmpOther;
- case certDirectoryName:
- if (arena == NULL) {
- PR_Unlock(list->lock);
- return NULL;
- } else {
- name = (CERTName *) PORT_ArenaZAlloc(list->arena,
- sizeof(CERTName));
- if (name != NULL) {
- CERT_CopyName(arena, name, (CERTName *) data);
- }
- PR_Unlock(list->lock);
- return name;
- }
- }
- }
- PR_Unlock(list->lock);
- return NULL;
-}
-
-void
-CERT_AddGeneralNameToList(CERTGeneralNameList *list,
- CERTGeneralNameType type,
- void *data, SECItem *oid)
-{
- CERTGeneralName *name;
-
- if (list != NULL && data != NULL) {
- PR_Lock(list->lock);
- name = (CERTGeneralName *)
- PORT_ArenaZAlloc(list->arena, sizeof(CERTGeneralName));
- name->type = type;
- switch (type) {
- case certDNSName:
- case certEDIPartyName:
- case certIPAddress:
- case certRegisterID:
- case certRFC822Name:
- case certX400Address:
- case certURI:
- SECITEM_CopyItem(list->arena, &name->name.other, (SECItem *)data);
- break;
- case certOtherName:
- SECITEM_CopyItem(list->arena, &name->name.OthName.name,
- (SECItem *) data);
- SECITEM_CopyItem(list->arena, &name->name.OthName.oid,
- oid);
- break;
- case certDirectoryName:
- CERT_CopyName(list->arena, &name->name.directoryName,
- (CERTName *) data);
- break;
- }
- name->l.prev = name->l.next = &name->l;
- list->name = cert_CombineNamesLists(list->name, name);
- list->len++;
- PR_Unlock(list->lock);
- }
- return;
-}
diff --git a/security/nss/lib/certdb/genname.h b/security/nss/lib/certdb/genname.h
deleted file mode 100644
index 0e33b8eaf..000000000
--- a/security/nss/lib/certdb/genname.h
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _GENAME_H_
-#define _GENAME_H_
-
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "certt.h"
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-extern const SEC_ASN1Template CERT_GeneralNamesTemplate[];
-
-extern CERTGeneralName *
-cert_get_next_general_name(CERTGeneralName *current);
-
-extern CERTGeneralName *
-cert_get_prev_general_name(CERTGeneralName *current);
-
-extern SECItem *
-cert_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
- PRArenaPool *arena);
-
-extern SECItem **
-cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names);
-
-extern CERTGeneralName *
-cert_DecodeGeneralName(PRArenaPool *arena, SECItem *encodedName,
- CERTGeneralName *genName);
-
-extern CERTGeneralName *
-cert_DecodeGeneralNames(PRArenaPool *arena, SECItem **encodedGenName);
-
-extern SECStatus
-cert_DestroyGeneralNames(CERTGeneralName *name);
-
-extern SECStatus
-cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena,
- SECItem *dest);
-
-extern CERTNameConstraints *
-cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints);
-
-extern CERTGeneralName *
-cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2);
-
-extern CERTNameConstraint *
-cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2);
-
-SECStatus
-CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b);
-
-SECStatus
-CERT_CopyGeneralName(PRArenaPool *arena,
- CERTGeneralName *dest,
- CERTGeneralName *src);
-
-/* General Name Lists are a thread safe, reference counting layer to
- * general names */
-
-void
-CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
-
-CERTGeneralNameList *
-CERT_CreateGeneralNameList(CERTGeneralName *name);
-
-SECStatus
-CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
-
-void *
-CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
- CERTGeneralNameType type,
- PRArenaPool *arena);
-
-void
-CERT_AddGeneralNameToList(CERTGeneralNameList *list,
- CERTGeneralNameType type,
- void *data, SECItem *oid);
-
-
-CERTGeneralNameList *
-CERT_DupGeneralNameList(CERTGeneralNameList *list);
-
-
-int
-CERT_GetNamesLength(CERTGeneralName *names);
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn
deleted file mode 100644
index 168cd2b6a..000000000
--- a/security/nss/lib/certdb/manifest.mn
+++ /dev/null
@@ -1,76 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- cert.h \
- certt.h \
- certdb.h \
- cdbhdl.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- genname.h \
- xconst.h \
- certxutl.h \
- $(NULL)
-
-MODULE = security
-
-ifdef MOZILLA_SECURITY_BUILD
-CERTINIT=nscertinit.c
-DEFINES += -DUSE_NS_ROOTS
-else
-CERTINIT=certinit.c
-endif
-
-CSRCS = \
- alg1485.c \
- certdb.c \
- certv3.c \
- $(CERTINIT) \
- certxutl.c \
- crl.c \
- genname.c \
- pcertdb.c \
- polcyxtn.c \
- secname.c \
- xauthkid.c \
- xbsconst.c \
- xconst.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = certdb
-
diff --git a/security/nss/lib/certdb/pcertdb.c b/security/nss/lib/certdb/pcertdb.c
deleted file mode 100644
index 9edd232b0..000000000
--- a/security/nss/lib/certdb/pcertdb.c
+++ /dev/null
@@ -1,7340 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Permanent Certificate database handling code
- *
- * $Id$
- */
-#include "prtime.h"
-
-#include "cert.h"
-#include "mcom_db.h"
-#include "certdb.h"
-#include "secitem.h"
-#include "secder.h"
-
-/* Call to PK11_FreeSlot below */
-
-#include "secasn1.h"
-#include "secerr.h"
-#include "prlock.h"
-#include "prmon.h"
-#include "nsslocks.h"
-#include "base64.h"
-#include "sechash.h"
-#include "plhash.h"
-
-#include "cdbhdl.h"
-
-/*
- * the following functions are wrappers for the db library that implement
- * a global lock to make the database thread safe.
- */
-static PRLock *dbLock = NULL;
-
-void
-certdb_InitDBLock(void)
-{
- if (dbLock == NULL) {
- nss_InitLock(&dbLock);
- PORT_Assert(dbLock != NULL);
- }
-
- return;
-}
-
-static int
-certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
-{
- PRStatus prstat;
- int ret;
-
- PORT_Assert(dbLock != NULL);
- PR_Lock(dbLock);
-
- ret = (* db->get)(db, key, data, flags);
-
- prstat = PR_Unlock(dbLock);
-
- return(ret);
-}
-
-static int
-certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
-{
- PRStatus prstat;
- int ret;
-
- PORT_Assert(dbLock != NULL);
- PR_Lock(dbLock);
-
- ret = (* db->put)(db, key, data, flags);
-
- prstat = PR_Unlock(dbLock);
-
- return(ret);
-}
-
-static int
-certdb_Sync(DB *db, unsigned int flags)
-{
- PRStatus prstat;
- int ret;
-
- PORT_Assert(dbLock != NULL);
- PR_Lock(dbLock);
-
- ret = (* db->sync)(db, flags);
-
- prstat = PR_Unlock(dbLock);
-
- return(ret);
-}
-
-static int
-certdb_Del(DB *db, DBT *key, unsigned int flags)
-{
- PRStatus prstat;
- int ret;
-
- PORT_Assert(dbLock != NULL);
- PR_Lock(dbLock);
-
- ret = (* db->del)(db, key, flags);
-
- prstat = PR_Unlock(dbLock);
-
- return(ret);
-}
-
-static int
-certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
-{
- PRStatus prstat;
- int ret;
-
- PORT_Assert(dbLock != NULL);
- PR_Lock(dbLock);
-
- ret = (* db->seq)(db, key, data, flags);
-
- prstat = PR_Unlock(dbLock);
-
- return(ret);
-}
-
-static void
-certdb_Close(DB *db)
-{
- PRStatus prstat;
-
- PORT_Assert(dbLock != NULL);
- PR_Lock(dbLock);
-
- (* db->close)(db);
-
- prstat = PR_Unlock(dbLock);
-
- return;
-}
-
-/* forward references */
-static void CERT_DestroyCertificateNoLocking(CERTCertificate *cert);
-static SECStatus AddCertToSPKDigestTable(CERTCertDBHandle *handle,
- CERTCertificate *cert);
-static SECStatus RemoveCertFromSPKDigestTable(CERTCertDBHandle *handle,
- CERTCertificate *cert);
-
-static SECStatus
-DeleteDBEntry(CERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey)
-{
- DBT key;
- int ret;
-
- /* init the database key */
- key.data = dbkey->data;
- key.size = dbkey->len;
-
- dbkey->data[0] = (unsigned char)type;
-
- /* delete entry from database */
- ret = certdb_Del(handle->permCertDB, &key, 0 );
- if ( ret != 0 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- ret = certdb_Sync(handle->permCertDB, 0);
- if ( ret ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-static SECStatus
-ReadDBEntry(CERTCertDBHandle *handle, certDBEntryCommon *entry,
- SECItem *dbkey, SECItem *dbentry, PRArenaPool *arena)
-{
- DBT data, key;
- int ret;
- unsigned char *buf;
-
- /* init the database key */
- key.data = dbkey->data;
- key.size = dbkey->len;
-
- dbkey->data[0] = (unsigned char)entry->type;
-
- /* read entry from database */
- ret = certdb_Get(handle->permCertDB, &key, &data, 0 );
- if ( ret != 0 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* validate the entry */
- if ( data.size < SEC_DB_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
- buf = (unsigned char *)data.data;
- if ( buf[0] != (unsigned char)CERT_DB_FILE_VERSION ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
- if ( buf[1] != (unsigned char)entry->type ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* copy out header information */
- entry->version = (unsigned int)buf[0];
- entry->type = (certDBEntryType)buf[1];
- entry->flags = (unsigned int)buf[2];
-
- /* format body of entry for return to caller */
- dbentry->len = data.size - SEC_DB_ENTRY_HEADER_LEN;
- if ( dbentry->len ) {
- dbentry->data = (unsigned char *)PORT_ArenaAlloc(arena, dbentry->len);
- if ( dbentry->data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- PORT_Memcpy(dbentry->data, &buf[SEC_DB_ENTRY_HEADER_LEN],
- dbentry->len);
- } else {
- dbentry->data = NULL;
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/**
- ** Implement low level database access
- **/
-static SECStatus
-WriteDBEntry(CERTCertDBHandle *handle, certDBEntryCommon *entry,
- SECItem *dbkey, SECItem *dbentry)
-{
- int ret;
- DBT data, key;
- unsigned char *buf;
-
- data.data = dbentry->data;
- data.size = dbentry->len;
-
- buf = (unsigned char*)data.data;
-
- buf[0] = (unsigned char)entry->version;
- buf[1] = (unsigned char)entry->type;
- buf[2] = (unsigned char)entry->flags;
-
- key.data = dbkey->data;
- key.size = dbkey->len;
-
- dbkey->data[0] = (unsigned char)entry->type;
-
- /* put the record into the database now */
- ret = certdb_Put(handle->permCertDB, &key, &data, 0);
-
- if ( ret != 0 ) {
- goto loser;
- }
-
- ret = certdb_Sync( handle->permCertDB, 0 );
-
- if ( ret ) {
- goto loser;
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * encode a database cert record
- */
-static SECStatus
-EncodeDBCertEntry(certDBEntryCert *entry, PRArenaPool *arena, SECItem *dbitem)
-{
- unsigned int nnlen;
- unsigned char *buf;
- char *nn;
- char zbuf = 0;
-
- if ( entry->nickname ) {
- nn = entry->nickname;
- } else {
- nn = &zbuf;
- }
- nnlen = PORT_Strlen(nn) + 1;
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem->len = entry->derCert.len + nnlen + DB_CERT_ENTRY_HEADER_LEN +
- SEC_DB_ENTRY_HEADER_LEN;
-
- dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
- if ( dbitem->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* fill in database record */
- buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-
- buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff;
- buf[1] = entry->trust.sslFlags & 0xff;
- buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff;
- buf[3] = entry->trust.emailFlags & 0xff;
- buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff;
- buf[5] = entry->trust.objectSigningFlags & 0xff;
- buf[6] = ( entry->derCert.len >> 8 ) & 0xff;
- buf[7] = entry->derCert.len & 0xff;
- buf[8] = ( nnlen >> 8 ) & 0xff;
- buf[9] = nnlen & 0xff;
-
- PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
- entry->derCert.len);
-
- PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
- nn, nnlen);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * encode a database key for a cert record
- */
-static SECStatus
-EncodeDBCertKey(SECItem *certKey, PRArenaPool *arena, SECItem *dbkey)
-{
- dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
- dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
- if ( dbkey->data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
- certKey->data, certKey->len);
- dbkey->data[0] = certDBEntryTypeCert;
-
- return(SECSuccess);
-loser:
- return(SECFailure);
-}
-
-static SECStatus
-EncodeDBGenericKey(SECItem *certKey, PRArenaPool *arena, SECItem *dbkey,
- certDBEntryType entryType)
-{
- /*
- * we only allow _one_ KRL key!
- */
- if (entryType == certDBEntryTypeKeyRevocation) {
- dbkey->len = SEC_DB_KEY_HEADER_LEN;
- dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
- if ( dbkey->data == NULL ) {
- goto loser;
- }
- dbkey->data[0] = (unsigned char) entryType;
- return(SECSuccess);
- }
-
-
- dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
- dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
- if ( dbkey->data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
- certKey->data, certKey->len);
- dbkey->data[0] = (unsigned char) entryType;
-
- return(SECSuccess);
-loser:
- return(SECFailure);
-}
-
-static SECStatus
-DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
-{
- unsigned int nnlen;
- int headerlen;
- int lenoff;
-
- /* allow updates of old versions of the database */
- switch ( entry->common.version ) {
- case 5:
- headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
- lenoff = 3;
- break;
- case 6:
- /* should not get here */
- PORT_Assert(0);
- headerlen = DB_CERT_V6_ENTRY_HEADER_LEN;
- lenoff = 3;
- break;
- case 7:
- headerlen = DB_CERT_ENTRY_HEADER_LEN;
- lenoff = 6;
- break;
- default:
- /* better not get here */
- PORT_Assert(0);
- headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
- lenoff = 3;
- break;
- }
-
- /* is record long enough for header? */
- if ( dbentry->len < headerlen ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* is database entry correct length? */
- entry->derCert.len = ( ( dbentry->data[lenoff] << 8 ) |
- dbentry->data[lenoff+1] );
- nnlen = ( ( dbentry->data[lenoff+2] << 8 ) | dbentry->data[lenoff+3] );
- if ( ( entry->derCert.len + nnlen + headerlen )
- != dbentry->len) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* copy the dercert */
- entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
- entry->derCert.len);
- if ( entry->derCert.data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->derCert.data, &dbentry->data[headerlen],
- entry->derCert.len);
-
- /* copy the nickname */
- if ( nnlen > 1 ) {
- entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
- if ( entry->nickname == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->nickname,
- &dbentry->data[headerlen +
- entry->derCert.len],
- nnlen);
- } else {
- entry->nickname = NULL;
- }
-
- if ( entry->common.version < 7 ) {
- /* allow updates of v5 db */
- entry->trust.sslFlags = dbentry->data[0];
- entry->trust.emailFlags = dbentry->data[1];
- entry->trust.objectSigningFlags = dbentry->data[2];
- } else {
- entry->trust.sslFlags = ( dbentry->data[0] << 8 ) | dbentry->data[1];
- entry->trust.emailFlags = ( dbentry->data[2] << 8 ) | dbentry->data[3];
- entry->trust.objectSigningFlags =
- ( dbentry->data[4] << 8 ) | dbentry->data[5];
- }
-
- return(SECSuccess);
-loser:
- return(SECFailure);
-}
-
-
-/*
- * Create a new certDBEntryCert from existing data
- */
-static certDBEntryCert *
-NewDBCertEntry(SECItem *derCert, char *nickname,
- CERTCertTrust *trust, int flags)
-{
- certDBEntryCert *entry;
- PRArenaPool *arena = NULL;
- int nnlen;
-
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
- if ( !arena ) {
- goto loser;
- }
-
- entry = (certDBEntryCert *)PORT_ArenaZAlloc(arena, sizeof(certDBEntryCert));
-
- if ( entry == NULL ) {
- goto loser;
- }
-
- /* fill in the dbCert */
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeCert;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
- if ( trust ) {
- entry->trust = *trust;
- }
-
- entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, derCert->len);
- if ( !entry->derCert.data ) {
- goto loser;
- }
- entry->derCert.len = derCert->len;
- PORT_Memcpy(entry->derCert.data, derCert->data, derCert->len);
-
- nnlen = ( nickname ? strlen(nickname) + 1 : 0 );
-
- if ( nnlen ) {
- entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
- if ( !entry->nickname ) {
- goto loser;
- }
- PORT_Memcpy(entry->nickname, nickname, nnlen);
-
- } else {
- entry->nickname = 0;
- }
-
- return(entry);
-
-loser:
-
- /* allocation error, free arena and return */
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(0);
-}
-
-/*
- * Decode a version 4 DBCert from the byte stream database format
- * and construct a current database entry struct
- */
-static certDBEntryCert *
-DecodeV4DBCertEntry(unsigned char *buf, int len)
-{
- certDBEntryCert *entry;
- int certlen;
- int nnlen;
- PRArenaPool *arena;
-
- /* make sure length is at least long enough for the header */
- if ( len < DBCERT_V4_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(0);
- }
-
- /* get other lengths */
- certlen = buf[3] << 8 | buf[4];
- nnlen = buf[5] << 8 | buf[6];
-
- /* make sure DB entry is the right size */
- if ( ( certlen + nnlen + DBCERT_V4_HEADER_LEN ) != len ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(0);
- }
-
- /* allocate arena */
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
- if ( !arena ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(0);
- }
-
- /* allocate structure and members */
- entry = (certDBEntryCert *) PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
-
- if ( !entry ) {
- goto loser;
- }
-
- entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, certlen);
- if ( !entry->derCert.data ) {
- goto loser;
- }
- entry->derCert.len = certlen;
-
- if ( nnlen ) {
- entry->nickname = (char *) PORT_ArenaAlloc(arena, nnlen);
- if ( !entry->nickname ) {
- goto loser;
- }
- } else {
- entry->nickname = 0;
- }
-
- entry->common.arena = arena;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.type = certDBEntryTypeCert;
- entry->common.flags = 0;
- entry->trust.sslFlags = buf[0];
- entry->trust.emailFlags = buf[1];
- entry->trust.objectSigningFlags = buf[2];
-
- PORT_Memcpy(entry->derCert.data, &buf[DBCERT_V4_HEADER_LEN], certlen);
- PORT_Memcpy(entry->nickname, &buf[DBCERT_V4_HEADER_LEN + certlen], nnlen);
-
- return(entry);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(0);
-}
-
-/*
- * Encode a Certificate database entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBCertEntry(CERTCertDBHandle *handle, certDBEntryCert *entry)
-{
- SECItem dbitem, dbkey;
- PRArenaPool *tmparena = NULL;
- SECItem tmpitem;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBCertEntry(entry, tmparena, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* get the database key and format it */
- rv = CERT_KeyFromDERCert(tmparena, &entry->derCert, &tmpitem);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- rv = EncodeDBCertKey(&tmpitem, tmparena, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-
-/*
- * delete a certificate entry
- */
-static SECStatus
-DeleteDBCertEntry(CERTCertDBHandle *handle, SECItem *certKey)
-{
- SECItem dbkey;
- PRArenaPool *arena = NULL;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBCertKey(certKey, arena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = DeleteDBEntry(handle, certDBEntryTypeCert, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Read a certificate entry
- */
-static certDBEntryCert *
-ReadDBCertEntry(CERTCertDBHandle *handle, SECItem *certKey)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntryCert *entry;
- SECItem dbkey;
- SECItem dbentry;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeCert;
-
- rv = EncodeDBCertKey(certKey, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- rv = DecodeDBCertEntry(entry, &dbentry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * encode a database cert record
- */
-static SECStatus
-EncodeDBCrlEntry(certDBEntryRevocation *entry, PRArenaPool *arena, SECItem *dbitem)
-{
- unsigned int nnlen = 0;
- unsigned char *buf;
-
- if (entry->url) {
- nnlen = PORT_Strlen(entry->url) + 1;
- }
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem->len = entry->derCrl.len + nnlen
- + SEC_DB_ENTRY_HEADER_LEN + DB_CRL_ENTRY_HEADER_LEN;
-
- dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
- if ( dbitem->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* fill in database record */
- buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-
- buf[0] = ( entry->derCrl.len >> 8 ) & 0xff;
- buf[1] = entry->derCrl.len & 0xff;
- buf[2] = ( nnlen >> 8 ) & 0xff;
- buf[3] = nnlen & 0xff;
-
- PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
- entry->derCrl.len);
-
- if (nnlen != 0) {
- PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
- entry->url, nnlen);
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-static SECStatus
-DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
-{
- unsigned int nnlen;
-
- /* is record long enough for header? */
- if ( dbentry->len < DB_CRL_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* is database entry correct length? */
- entry->derCrl.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
- nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
- if ( ( entry->derCrl.len + nnlen + DB_CRL_ENTRY_HEADER_LEN )
- != dbentry->len) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* copy the dercert */
- entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
- entry->derCrl.len);
- if ( entry->derCrl.data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
- entry->derCrl.len);
-
- /* copy the url */
- entry->url = NULL;
- if (nnlen != 0) {
- entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
- if ( entry->url == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->url,
- &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
- nnlen);
- }
-
- return(SECSuccess);
-loser:
- return(SECFailure);
-}
-
-/*
- * Create a new certDBEntryRevocation from existing data
- */
-static certDBEntryRevocation *
-NewDBCrlEntry(SECItem *derCrl, char * url, certDBEntryType crlType, int flags)
-{
- certDBEntryRevocation *entry;
- PRArenaPool *arena = NULL;
- int nnlen;
-
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
- if ( !arena ) {
- goto loser;
- }
-
- entry = (certDBEntryRevocation*)
- PORT_ArenaZAlloc(arena, sizeof(certDBEntryRevocation));
-
- if ( entry == NULL ) {
- goto loser;
- }
-
- /* fill in the dbRevolcation */
- entry->common.arena = arena;
- entry->common.type = crlType;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
-
- entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(arena, derCrl->len);
- if ( !entry->derCrl.data ) {
- goto loser;
- }
-
- if (url) {
- nnlen = PORT_Strlen(url) + 1;
- entry->url = (char *)PORT_ArenaAlloc(arena, nnlen);
- if ( !entry->url ) {
- goto loser;
- }
- PORT_Memcpy(entry->url, url, nnlen);
- } else {
- entry->url = NULL;
- }
-
-
- entry->derCrl.len = derCrl->len;
- PORT_Memcpy(entry->derCrl.data, derCrl->data, derCrl->len);
-
- return(entry);
-
-loser:
-
- /* allocation error, free arena and return */
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(0);
-}
-
-
-static SECStatus
-WriteDBCrlEntry(CERTCertDBHandle *handle, certDBEntryRevocation *entry )
-{
- SECItem dbkey;
- PRArenaPool *tmparena = NULL;
- SECItem tmpitem,encodedEntry;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- /* get the database key and format it */
- rv = CERT_KeyFromDERCrl(tmparena, &entry->derCrl, &tmpitem);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- rv = EncodeDBCrlEntry(entry, tmparena, &encodedEntry);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- rv = EncodeDBGenericKey(&tmpitem, tmparena, &dbkey, entry->common.type);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &encodedEntry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-}
-/*
- * delete a crl entry
- */
-static SECStatus
-DeleteDBCrlEntry(CERTCertDBHandle *handle, SECItem *crlKey,
- certDBEntryType crlType)
-{
- SECItem dbkey;
- PRArenaPool *arena = NULL;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBGenericKey(crlKey, arena, &dbkey, crlType);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = DeleteDBEntry(handle, crlType, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Read a certificate entry
- */
-static certDBEntryRevocation *
-ReadDBCrlEntry(CERTCertDBHandle *handle, SECItem *certKey,
- certDBEntryType crlType)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntryRevocation *entry;
- SECItem dbkey;
- SECItem dbentry;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryRevocation *)
- PORT_ArenaAlloc(arena, sizeof(certDBEntryRevocation));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = crlType;
-
- rv = EncodeDBGenericKey(certKey, tmparena, &dbkey, crlType);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- rv = DecodeDBCrlEntry(entry, &dbentry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * destroy a database entry
- */
-static void
-DestroyDBEntry(certDBEntry *entry)
-{
- PRArenaPool *arena = entry->common.arena;
-
- /* Zero out the entry struct, so that any further attempts to use it
- * will cause an exception (e.g. null pointer reference). */
- PORT_Memset(&entry->common, 0, sizeof entry->common);
- PORT_FreeArena(arena, PR_FALSE);
-
- return;
-}
-
-/*
- * Encode a database nickname record
- */
-static SECStatus
-EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena,
- SECItem *dbitem)
-{
- unsigned char *buf;
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
- SEC_DB_ENTRY_HEADER_LEN;
-
- dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
- if ( dbitem->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* fill in database record */
- buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-
- buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
- buf[1] = entry->subjectName.len & 0xff;
-
- PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
- entry->subjectName.len);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Encode a database key for a nickname record
- */
-static SECStatus
-EncodeDBNicknameKey(char *nickname, PRArenaPool *arena,
- SECItem *dbkey)
-{
- unsigned int nnlen;
-
- nnlen = PORT_Strlen(nickname) + 1; /* includes null */
-
- /* now get the database key and format it */
- dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
- dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
- if ( dbkey->data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
- dbkey->data[0] = certDBEntryTypeNickname;
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-static SECStatus
-DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry)
-{
- /* is record long enough for header? */
- if ( dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* is database entry correct length? */
- entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
- if (( entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN ) !=
- dbentry->len ){
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* copy the certkey */
- entry->subjectName.data =
- (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
- entry->subjectName.len);
- if ( entry->subjectName.data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->subjectName.data,
- &dbentry->data[DB_NICKNAME_ENTRY_HEADER_LEN],
- entry->subjectName.len);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * create a new nickname entry
- */
-static certDBEntryNickname *
-NewDBNicknameEntry(char *nickname, SECItem *subjectName, unsigned int flags)
-{
- PRArenaPool *arena = NULL;
- certDBEntryNickname *entry;
- int nnlen;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntryNickname));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* init common fields */
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeNickname;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
- /* copy the nickname */
- nnlen = PORT_Strlen(nickname) + 1;
-
- entry->nickname = (char*)PORT_ArenaAlloc(arena, nnlen);
- if ( entry->nickname == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(entry->nickname, nickname, nnlen);
-
- rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- return(entry);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * delete a nickname entry
- */
-static SECStatus
-DeleteDBNicknameEntry(CERTCertDBHandle *handle, char *nickname)
-{
- PRArenaPool *arena = NULL;
- SECStatus rv;
- SECItem dbkey;
-
- if ( nickname == NULL ) {
- return(SECSuccess);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBNicknameKey(nickname, arena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = DeleteDBEntry(handle, certDBEntryTypeNickname, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Read a nickname entry
- */
-static certDBEntryNickname *
-ReadDBNicknameEntry(CERTCertDBHandle *handle, char *nickname)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntryNickname *entry;
- SECItem dbkey;
- SECItem dbentry;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntryNickname));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeNickname;
-
- rv = EncodeDBNicknameKey(nickname, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- /* is record long enough for header? */
- if ( dbentry.len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- rv = DecodeDBNicknameEntry(entry, &dbentry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * Encode a nickname entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBNicknameEntry(CERTCertDBHandle *handle, certDBEntryNickname *entry)
-{
- SECItem dbitem, dbkey;
- PRArenaPool *tmparena = NULL;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBNicknameEntry(entry, tmparena, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = EncodeDBNicknameKey(entry->nickname, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-
-}
-
-/*
- * Encode a database smime record
- */
-static SECStatus
-EncodeDBSMimeEntry(certDBEntrySMime *entry, PRArenaPool *arena,
- SECItem *dbitem)
-{
- unsigned char *buf;
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem->len = entry->subjectName.len + entry->smimeOptions.len +
- entry->optionsDate.len +
- DB_SMIME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN;
-
- dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
- if ( dbitem->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* fill in database record */
- buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-
- buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
- buf[1] = entry->subjectName.len & 0xff;
- buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff;
- buf[3] = entry->smimeOptions.len & 0xff;
- buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff;
- buf[5] = entry->optionsDate.len & 0xff;
-
- /* if no smime options, then there should not be an options date either */
- PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) &&
- ( entry->optionsDate.len != 0 ) ) );
-
- PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data,
- entry->subjectName.len);
- if ( entry->smimeOptions.len ) {
- PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN+entry->subjectName.len],
- entry->smimeOptions.data,
- entry->smimeOptions.len);
- PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len +
- entry->smimeOptions.len],
- entry->optionsDate.data,
- entry->optionsDate.len);
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Encode a database key for a SMIME record
- */
-static SECStatus
-EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena,
- SECItem *dbkey)
-{
- unsigned int addrlen;
-
- addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */
-
- /* now get the database key and format it */
- dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
- dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
- if ( dbkey->data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen);
- dbkey->data[0] = certDBEntryTypeSMimeProfile;
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Decode a database SMIME record
- */
-static SECStatus
-DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
-{
- /* is record long enough for header? */
- if ( dbentry->len < DB_SMIME_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* is database entry correct length? */
- entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
- entry->smimeOptions.len = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
- entry->optionsDate.len = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
- if (( entry->subjectName.len + entry->smimeOptions.len +
- entry->optionsDate.len + DB_SMIME_ENTRY_HEADER_LEN ) != dbentry->len){
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* copy the subject name */
- entry->subjectName.data =
- (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
- entry->subjectName.len);
- if ( entry->subjectName.data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->subjectName.data,
- &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN],
- entry->subjectName.len);
-
- /* copy the smime options */
- if ( entry->smimeOptions.len ) {
- entry->smimeOptions.data =
- (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
- entry->smimeOptions.len);
- if ( entry->smimeOptions.data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->smimeOptions.data,
- &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
- entry->subjectName.len],
- entry->smimeOptions.len);
- }
- if ( entry->optionsDate.len ) {
- entry->optionsDate.data =
- (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
- entry->optionsDate.len);
- if ( entry->optionsDate.data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->optionsDate.data,
- &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
- entry->subjectName.len +
- entry->smimeOptions.len],
- entry->optionsDate.len);
- }
-
- /* both options and options date must either exist or not exist */
- if ( ( ( entry->optionsDate.len == 0 ) ||
- ( entry->smimeOptions.len == 0 ) ) &&
- entry->smimeOptions.len != entry->optionsDate.len ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- entry->emailAddr = (char *)PORT_Alloc(PORT_Strlen(emailAddr)+1);
- if ( entry->emailAddr ) {
- PORT_Strcpy(entry->emailAddr, emailAddr);
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * create a new SMIME entry
- */
-static certDBEntrySMime *
-NewDBSMimeEntry(char *emailAddr, SECItem *subjectName, SECItem *smimeOptions,
- SECItem *optionsDate, unsigned int flags)
-{
- PRArenaPool *arena = NULL;
- certDBEntrySMime *entry;
- int addrlen;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntrySMime));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* init common fields */
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeSMimeProfile;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
- /* copy the email addr */
- addrlen = PORT_Strlen(emailAddr) + 1;
-
- entry->emailAddr = (char*)PORT_ArenaAlloc(arena, addrlen);
- if ( entry->emailAddr == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(entry->emailAddr, emailAddr, addrlen);
-
- /* copy the subject name */
- rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* copy the smime options */
- if ( smimeOptions ) {
- rv = SECITEM_CopyItem(arena, &entry->smimeOptions, smimeOptions);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- } else {
- PORT_Assert(optionsDate == NULL);
- entry->smimeOptions.data = NULL;
- entry->smimeOptions.len = 0;
- }
-
- /* copy the options date */
- if ( optionsDate ) {
- rv = SECITEM_CopyItem(arena, &entry->optionsDate, optionsDate);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- } else {
- PORT_Assert(smimeOptions == NULL);
- entry->optionsDate.data = NULL;
- entry->optionsDate.len = 0;
- }
-
- return(entry);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * delete a SMIME entry
- */
-static SECStatus
-DeleteDBSMimeEntry(CERTCertDBHandle *handle, char *emailAddr)
-{
- PRArenaPool *arena = NULL;
- SECStatus rv;
- SECItem dbkey;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBSMimeKey(emailAddr, arena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = DeleteDBEntry(handle, certDBEntryTypeSMimeProfile, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Read a SMIME entry
- */
-static certDBEntrySMime *
-ReadDBSMimeEntry(CERTCertDBHandle *handle, char *emailAddr)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntrySMime *entry;
- SECItem dbkey;
- SECItem dbentry;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntrySMime));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeSMimeProfile;
-
- rv = EncodeDBSMimeKey(emailAddr, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- /* is record long enough for header? */
- if ( dbentry.len < DB_SMIME_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- rv = DecodeDBSMimeEntry(entry, &dbentry, emailAddr);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * Encode a SMIME entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBSMimeEntry(CERTCertDBHandle *handle, certDBEntrySMime *entry)
-{
- SECItem dbitem, dbkey;
- PRArenaPool *tmparena = NULL;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBSMimeEntry(entry, tmparena, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = EncodeDBSMimeKey(entry->emailAddr, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-
-}
-
-/*
- * Encode a database subject record
- */
-static SECStatus
-EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
- SECItem *dbitem)
-{
- unsigned char *buf;
- int len;
- unsigned int ncerts;
- unsigned int i;
- unsigned char *tmpbuf;
- unsigned int nnlen = 0;
- unsigned int eaddrlen = 0;
- int keyidoff;
- SECItem *certKeys;
- SECItem *keyIDs;
-
- if ( entry->nickname ) {
- nnlen = PORT_Strlen(entry->nickname) + 1;
- }
- if ( entry->emailAddr ) {
- eaddrlen = PORT_Strlen(entry->emailAddr) + 1;
- }
-
- ncerts = entry->ncerts;
-
- /* compute the length of the entry */
- keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
- len = keyidoff + 4 * ncerts;
- for ( i = 0; i < ncerts; i++ ) {
- len += entry->certKeys[i].len;
- len += entry->keyIDs[i].len;
- }
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN;
-
- dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
- if ( dbitem->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* fill in database record */
- buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-
- buf[0] = ( ncerts >> 8 ) & 0xff;
- buf[1] = ncerts & 0xff;
- buf[2] = ( nnlen >> 8 ) & 0xff;
- buf[3] = nnlen & 0xff;
- buf[4] = ( eaddrlen >> 8 ) & 0xff;
- buf[5] = eaddrlen & 0xff;
-
- PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
- PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN+nnlen], entry->emailAddr,
- eaddrlen);
-
- for ( i = 0; i < ncerts; i++ ) {
-
- certKeys = entry->certKeys;
- keyIDs = entry->keyIDs;
-
- buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff;
- buf[keyidoff+1+i*2] = certKeys[i].len & 0xff;
- buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff;
- buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff;
- }
-
- /* temp pointer used to stuff certkeys and keyids into the buffer */
- tmpbuf = &buf[keyidoff+ncerts*4];
-
- for ( i = 0; i < ncerts; i++ ) {
- certKeys = entry->certKeys;
- PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
- tmpbuf = tmpbuf + certKeys[i].len;
- }
-
- for ( i = 0; i < ncerts; i++ ) {
- keyIDs = entry->keyIDs;
- PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
- tmpbuf = tmpbuf + keyIDs[i].len;
- }
-
- PORT_Assert(tmpbuf == &buf[len]);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Encode a database key for a subject record
- */
-static SECStatus
-EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena,
- SECItem *dbkey)
-{
- dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
- dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
- if ( dbkey->data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data,
- derSubject->len);
- dbkey->data[0] = certDBEntryTypeSubject;
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-static SECStatus
-DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
- SECItem *derSubject)
-{
- unsigned int ncerts;
- PRArenaPool *arena;
- unsigned int len, itemlen;
- unsigned char *tmpbuf;
- unsigned int i;
- SECStatus rv;
- unsigned int keyidoff;
- unsigned int nnlen, eaddrlen;
-
- arena = entry->common.arena;
-
- rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* is record long enough for header? */
- if ( dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
- nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
- eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
- if ( dbentry->len < ( ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN +
- nnlen + eaddrlen) ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena,
- sizeof(SECItem) * ncerts);
- entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena,
- sizeof(SECItem) * ncerts);
-
- if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- if ( nnlen > 1 ) { /* null terminator is stored */
- entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
- if ( entry->nickname == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->nickname,
- &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN],
- nnlen);
- } else {
- entry->nickname = NULL;
- }
-
- if ( eaddrlen > 1 ) { /* null terminator is stored */
- entry->emailAddr = (char *)PORT_ArenaAlloc(arena, eaddrlen);
- if ( entry->emailAddr == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->emailAddr,
- &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN+nnlen],
- eaddrlen);
- } else {
- entry->emailAddr = NULL;
- }
-
- /* collect the lengths of the certKeys and keyIDs, and total the
- * overall length.
- */
- keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
- len = keyidoff + 4 * ncerts;
-
- tmpbuf = &dbentry->data[0];
-
- for ( i = 0; i < ncerts; i++ ) {
-
- itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ;
- len += itemlen;
- entry->certKeys[i].len = itemlen;
-
- itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) |
- tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ;
- len += itemlen;
- entry->keyIDs[i].len = itemlen;
- }
-
- /* is database entry correct length? */
- if ( len != dbentry->len ){
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- tmpbuf = &tmpbuf[keyidoff + 4*ncerts];
- for ( i = 0; i < ncerts; i++ ) {
- entry->certKeys[i].data =
- (unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len);
- if ( entry->certKeys[i].data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len);
- tmpbuf = &tmpbuf[entry->certKeys[i].len];
- }
-
- for ( i = 0; i < ncerts; i++ ) {
- entry->keyIDs[i].data =
- (unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len);
- if ( entry->keyIDs[i].data == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len);
- tmpbuf = &tmpbuf[entry->keyIDs[i].len];
- }
-
- PORT_Assert(tmpbuf == &dbentry->data[dbentry->len]);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * create a new subject entry with a single cert
- */
-static certDBEntrySubject *
-NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
- SECItem *keyID, char *nickname, char *emailAddr,
- unsigned int flags)
-{
- PRArenaPool *arena = NULL;
- certDBEntrySubject *entry;
- SECStatus rv;
- unsigned int nnlen;
- unsigned int eaddrlen;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntrySubject));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* init common fields */
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeSubject;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
- /* copy the subject */
- rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- entry->ncerts = 1;
- /* copy nickname */
- if ( nickname && ( *nickname != '\0' ) ) {
- nnlen = PORT_Strlen(nickname) + 1;
- entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
- if ( entry->nickname == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(entry->nickname, nickname, nnlen);
- } else {
- entry->nickname = NULL;
- }
-
- /* copy email addr */
- if ( emailAddr && ( *emailAddr != '\0' ) ) {
- emailAddr = CERT_FixupEmailAddr(emailAddr);
- if ( emailAddr == NULL ) {
- entry->emailAddr = NULL;
- goto loser;
- }
-
- eaddrlen = PORT_Strlen(emailAddr) + 1;
- entry->emailAddr = (char *)PORT_ArenaAlloc(arena, eaddrlen);
- if ( entry->emailAddr == NULL ) {
- PORT_Free(emailAddr);
- goto loser;
- }
-
- PORT_Memcpy(entry->emailAddr, emailAddr, eaddrlen);
- PORT_Free(emailAddr);
- } else {
- entry->emailAddr = NULL;
- }
-
- /* allocate space for certKeys and keyIDs */
- entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
- entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
- if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
- goto loser;
- }
-
- /* copy the certKey and keyID */
- rv = SECITEM_CopyItem(arena, &entry->certKeys[0], certKey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- rv = SECITEM_CopyItem(arena, &entry->keyIDs[0], keyID);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- return(entry);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * delete a subject entry
- */
-static SECStatus
-DeleteDBSubjectEntry(CERTCertDBHandle *handle, SECItem *derSubject)
-{
- SECItem dbkey;
- PRArenaPool *arena = NULL;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBSubjectKey(derSubject, arena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = DeleteDBEntry(handle, certDBEntryTypeSubject, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Read the subject entry
- */
-static certDBEntrySubject *
-ReadDBSubjectEntry(CERTCertDBHandle *handle, SECItem *derSubject)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntrySubject *entry;
- SECItem dbkey;
- SECItem dbentry;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntrySubject));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeSubject;
-
- rv = EncodeDBSubjectKey(derSubject, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- rv = DecodeDBSubjectEntry(entry, &dbentry, derSubject);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * Encode a subject name entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBSubjectEntry(CERTCertDBHandle *handle, certDBEntrySubject *entry)
-{
- SECItem dbitem, dbkey;
- PRArenaPool *tmparena = NULL;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBSubjectEntry(entry, tmparena, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = EncodeDBSubjectKey(&entry->derSubject, tmparena, &dbkey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-
-}
-
-static SECStatus
-UpdateSubjectWithEmailAddr(CERTCertificate *cert, char *emailAddr)
-{
- CERTSubjectList *subjectList;
- PRBool save = PR_FALSE, delold = PR_FALSE;
- certDBEntrySubject *entry;
- SECStatus rv;
-
- emailAddr = CERT_FixupEmailAddr(emailAddr);
- if ( emailAddr == NULL ) {
- return(SECFailure);
- }
-
- subjectList = cert->subjectList;
- PORT_Assert(subjectList != NULL);
-
- if ( subjectList->emailAddr ) {
- if ( PORT_Strcmp(subjectList->emailAddr, emailAddr) != 0 ) {
- save = PR_TRUE;
- delold = PR_TRUE;
- }
- } else {
- save = PR_TRUE;
- }
-
- if ( delold ) {
- /* delete the old smime entry, because this cert now has a new
- * smime entry pointing to it
- */
- PORT_Assert(save);
- PORT_Assert(subjectList->emailAddr != NULL);
- DeleteDBSMimeEntry(cert->dbhandle, subjectList->emailAddr);
- }
-
- if ( save ) {
- unsigned int len;
-
- entry = subjectList->entry;
-
- PORT_Assert(entry != NULL);
- len = PORT_Strlen(emailAddr) + 1;
- entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena, len);
- if ( entry->emailAddr == NULL ) {
- goto loser;
- }
- PORT_Memcpy(entry->emailAddr, emailAddr, len);
-
- /* delete the subject entry */
- DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
-
- /* write the new one */
- rv = WriteDBSubjectEntry(cert->dbhandle, entry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- PORT_Free(emailAddr);
- return(SECSuccess);
-
-loser:
- PORT_Free(emailAddr);
- return(SECFailure);
-}
-
-/*
- * writes a nickname to an existing subject entry that does not currently
- * have one
- */
-static SECStatus
-AddNicknameToSubject(CERTCertificate *cert, char *nickname)
-{
- CERTSubjectList *subjectList;
- certDBEntrySubject *entry;
- SECStatus rv;
-
- if ( nickname == NULL ) {
- return(SECFailure);
- }
-
- subjectList = cert->subjectList;
- PORT_Assert(subjectList != NULL);
- if ( subjectList == NULL ) {
- goto loser;
- }
-
- entry = subjectList->entry;
- PORT_Assert(entry != NULL);
- if ( entry == NULL ) {
- goto loser;
- }
-
- PORT_Assert(entry->nickname == NULL);
- if ( entry->nickname != NULL ) {
- goto loser;
- }
-
- entry->nickname = (nickname) ? PORT_ArenaStrdup(entry->common.arena, nickname) : NULL;
-
- if ( entry->nickname == NULL ) {
- goto loser;
- }
-
- /* delete the subject entry */
- DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
-
- /* write the new one */
- rv = WriteDBSubjectEntry(cert->dbhandle, entry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * create a new version entry
- */
-static certDBEntryVersion *
-NewDBVersionEntry(unsigned int flags)
-{
- PRArenaPool *arena = NULL;
- certDBEntryVersion *entry;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntryVersion));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeVersion;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
- return(entry);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * Read the version entry
- */
-static certDBEntryVersion *
-ReadDBVersionEntry(CERTCertDBHandle *handle)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntryVersion *entry;
- SECItem dbkey;
- SECItem dbentry;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
- sizeof(certDBEntryVersion));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeVersion;
-
- /* now get the database key and format it */
- dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
- dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
- if ( dbkey.data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
- SEC_DB_VERSION_KEY_LEN);
-
- ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-
-/*
- * Encode a version entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBVersionEntry(CERTCertDBHandle *handle, certDBEntryVersion *entry)
-{
- SECItem dbitem, dbkey;
- PRArenaPool *tmparena = NULL;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem.len = SEC_DB_ENTRY_HEADER_LEN;
-
- dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
- if ( dbitem.data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* now get the database key and format it */
- dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
- dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
- if ( dbkey.data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
- SEC_DB_VERSION_KEY_LEN);
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-/*
- * create a new version entry
- */
-static certDBEntryContentVersion *
-NewDBContentVersionEntry(unsigned int flags)
-{
- PRArenaPool *arena = NULL;
- certDBEntryContentVersion *entry;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryContentVersion *)
- PORT_ArenaAlloc(arena, sizeof(certDBEntryContentVersion));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeContentVersion;
- entry->common.version = CERT_DB_FILE_VERSION;
- entry->common.flags = flags;
-
- entry->contentVersion = CERT_DB_CONTENT_VERSION;
-
- return(entry);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * Read the version entry
- */
-static certDBEntryContentVersion *
-ReadDBContentVersionEntry(CERTCertDBHandle *handle)
-{
- PRArenaPool *arena = NULL;
- PRArenaPool *tmparena = NULL;
- certDBEntryContentVersion *entry;
- SECItem dbkey;
- SECItem dbentry;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- entry = (certDBEntryContentVersion *)
- PORT_ArenaAlloc(arena, sizeof(certDBEntryContentVersion));
- if ( entry == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- entry->common.arena = arena;
- entry->common.type = certDBEntryTypeContentVersion;
-
- /* now get the database key and format it */
- dbkey.len = SEC_DB_CONTENT_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
- dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
- if ( dbkey.data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_CONTENT_VERSION_KEY,
- SEC_DB_CONTENT_VERSION_KEY_LEN);
-
- dbentry.len = 0;
- dbentry.data = NULL;
-
- ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
-
- if ( dbentry.len != 1 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- entry->contentVersion = dbentry.data[0];
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(entry);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-/*
- * Encode a version entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBContentVersionEntry(CERTCertDBHandle *handle,
- certDBEntryContentVersion *entry)
-{
- SECItem dbitem, dbkey;
- PRArenaPool *tmparena = NULL;
- SECStatus rv;
-
- tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( tmparena == NULL ) {
- goto loser;
- }
-
- /* allocate space for encoded database record, including space
- * for low level header
- */
- dbitem.len = SEC_DB_ENTRY_HEADER_LEN + 1;
-
- dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
- if ( dbitem.data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- dbitem.data[SEC_DB_ENTRY_HEADER_LEN] = entry->contentVersion;
-
- /* now get the database key and format it */
- dbkey.len = SEC_DB_CONTENT_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
- dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
- if ( dbkey.data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_CONTENT_VERSION_KEY,
- SEC_DB_CONTENT_VERSION_KEY_LEN);
-
- /* now write it to the database */
- rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- PORT_FreeArena(tmparena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( tmparena ) {
- PORT_FreeArena(tmparena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-/*
- * delete a content version entry
- */
-static SECStatus
-DeleteDBContentVersionEntry(CERTCertDBHandle *handle)
-{
- SECItem dbkey;
- PRArenaPool *arena = NULL;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- /* now get the database key and format it */
- dbkey.len = SEC_DB_CONTENT_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
- dbkey.data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey.len);
- if ( dbkey.data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_CONTENT_VERSION_KEY,
- SEC_DB_CONTENT_VERSION_KEY_LEN);
-
- rv = DeleteDBEntry(handle, certDBEntryTypeContentVersion, &dbkey);
- if ( rv == SECFailure ) {
- goto loser;
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Routines and datastructures to manage the list of certificates for a
- * particular subject name.
- */
-
-/*
- * Create a new certificate subject list. If entry exists, then populate
- * the list with the entries from the permanent database.
- */
-static CERTSubjectList *
-NewSubjectList(certDBEntrySubject *entry)
-{
- PRArenaPool *permarena;
- unsigned int i;
- CERTSubjectList *subjectList;
- CERTSubjectNode *node;
- SECStatus rv;
-
- permarena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( permarena == NULL ) {
- goto loser;
- }
- subjectList = (CERTSubjectList *)PORT_ArenaAlloc(permarena,
- sizeof(CERTSubjectList));
- if ( subjectList == NULL ) {
- goto loser;
- }
-
- subjectList->arena = permarena;
- subjectList->ncerts = 0;
- subjectList->head = NULL;
- subjectList->tail = NULL;
- subjectList->entry = entry;
- subjectList->emailAddr = NULL;
- if ( entry ) {
-
- /* initialize the list with certs from database entry */
- for ( i = 0; i < entry->ncerts; i++ ) {
- /* Init the node */
- node = (CERTSubjectNode *)PORT_ArenaAlloc(permarena,
- sizeof(CERTSubjectNode));
- if ( node == NULL ) {
- goto loser;
- }
-
- /* copy certKey and keyID to node */
- rv = SECITEM_CopyItem(permarena, &node->certKey,
- &entry->certKeys[i]);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- rv = SECITEM_CopyItem(permarena, &node->keyID,
- &entry->keyIDs[i]);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* the certs are already in order, so just add them
- * to the tail.
- */
- node->next = NULL;
- if ( subjectList->tail == NULL ) {
- /* first in list */
- subjectList->head = node;
- subjectList->tail = node;
- node->prev = NULL;
- } else {
- /* add to end of list */
- node->prev = subjectList->tail;
- subjectList->tail = node;
- node->prev->next = node;
- }
- subjectList->ncerts++;
- }
- }
-
- return(subjectList);
-
-loser:
- PORT_FreeArena(permarena, PR_FALSE);
- return(NULL);
-}
-
-/*
- * Find the Subject entry in the temp database. It it is not in the
- * temp database, then get it from the perm DB. It its not there either,
- * then create a new one.
- */
-static CERTSubjectList *
-FindSubjectList(CERTCertDBHandle *handle, SECItem *subject, PRBool create)
-{
- PRArenaPool *arena = NULL;
- SECItem keyitem;
- SECStatus rv;
- DBT namekey;
- DBT tmpdata;
- int ret;
- CERTSubjectList *subjectList = NULL;
- certDBEntrySubject *entry;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBSubjectKey(subject, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- namekey.data = keyitem.data;
- namekey.size = keyitem.len;
-
- /* lookup in the temporary database */
- ret = certdb_Get(handle->tempCertDB, &namekey, &tmpdata, 0);
-
- /* error accessing the database */
- if ( ret < 0 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- if ( ret == 0 ) { /* found in temp database */
- if ( tmpdata.size != sizeof(CERTCertificate *) ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- /* copy pointer out of database */
- PORT_Memcpy(&subjectList, tmpdata.data, tmpdata.size);
- } else { /* not found in temporary database */
- entry = ReadDBSubjectEntry(handle, subject);
- if ( entry || create ) {
- /* decode or create new subject list */
- subjectList = NewSubjectList(entry);
-
- /* put it in the temp database */
- if ( subjectList ) {
- tmpdata.data = (unsigned char *)(&subjectList);
- tmpdata.size = sizeof(subjectList);
- ret = certdb_Put(handle->tempCertDB, &namekey,
- &tmpdata, R_NOOVERWRITE);
- if ( ret ) {
- goto loser;
- }
- }
- } else {
- PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
- goto loser;
- }
- }
-
- goto done;
-
-loser:
- subjectList = NULL;
-
-done:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(subjectList);
-}
-
-/*
- * Add a temp cert to the temp subject list
- */
-static SECStatus
-AddTempCertToSubjectList(CERTCertificate *cert)
-{
- CERTSubjectList *subjectList;
- CERTSubjectNode *node, *newnode;
- CERTCertificate *cmpcert;
- PRBool newer;
- SECStatus rv;
-
- PORT_Assert(cert->isperm == PR_FALSE);
- PORT_Assert(cert->subjectList == NULL);
-
- subjectList = FindSubjectList(cert->dbhandle, &cert->derSubject, PR_TRUE);
-
- if ( subjectList == NULL ) {
- goto loser;
- }
-
- newnode = (CERTSubjectNode*)PORT_ArenaAlloc(subjectList->arena,
- sizeof(CERTSubjectNode));
- /* copy certKey and keyID to node */
- rv = SECITEM_CopyItem(subjectList->arena, &newnode->certKey,
- &cert->certKey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- rv = SECITEM_CopyItem(subjectList->arena, &newnode->keyID,
- &cert->subjectKeyID);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- node = subjectList->head;
-
- if ( node ) {
- /* list is not empty */
- while ( node ) {
- cmpcert = CERT_FindCertByKeyNoLocking(cert->dbhandle,
- &node->certKey);
- if ( cmpcert ) {
-
- newer = CERT_IsNewer(cert, cmpcert);
- CERT_DestroyCertificateNoLocking(cmpcert);
- if ( newer ) {
- /* insert before this cert */
- newnode->next = node;
- newnode->prev = node->prev;
- if ( newnode->prev ) {
- newnode->prev->next = newnode;
- } else {
- /* at the head of the list */
- subjectList->head = newnode;
- }
- node->prev = newnode;
- goto done;
- }
- }
- node = node->next;
- }
- /* if we get here, we add the node to the end of the list */
- newnode->prev = subjectList->tail;
- newnode->next = NULL;
- subjectList->tail->next = newnode;
- subjectList->tail = newnode;
- } else {
- /* this is a new/empty list */
- newnode->next = NULL;
- newnode->prev = NULL;
- subjectList->head = newnode;
- subjectList->tail = newnode;
- }
-
-done:
- subjectList->ncerts++;
- cert->subjectList = subjectList;
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Find the node in a subjectList that belongs a cert
- */
-static CERTSubjectNode *
-FindCertSubjectNode(CERTCertificate *cert)
-{
- CERTSubjectList *subjectList;
- CERTSubjectNode *node = NULL;
-
- PORT_Assert(cert->subjectList);
-
- subjectList = cert->subjectList;
-
- if ( subjectList ) {
- node = subjectList->head;
- }
-
- while ( node ) {
- if ( SECITEM_CompareItem(&node->certKey, &cert->certKey) == SECEqual ){
- return(node);
- break;
- }
-
- node = node->next;
- }
-
- return(NULL);
-}
-
-/*
- * Remove a temp cert from the temp subject list
- */
-static SECStatus
-RemoveTempCertFromSubjectList(CERTCertificate *cert)
-{
- CERTSubjectList *subjectList;
- CERTSubjectNode *node;
- SECItem keyitem;
- DBT namekey;
- SECStatus rv;
- int ret;
- CERTCertDBHandle *handle;
-
- PORT_Assert(cert->subjectList);
-
- /* don't remove perm certs */
- if ( cert->isperm ) {
- return(SECSuccess);
- }
-
- subjectList = cert->subjectList;
-
- node = FindCertSubjectNode(cert);
-
- if ( node ) {
- /* found it, unlink it */
- if ( node->next ) {
- node->next->prev = node->prev;
- } else {
- /* removing from tail of list */
- subjectList->tail = node->prev;
- }
- if ( node->prev ) {
- node->prev->next = node->next;
- } else {
- /* removing from head of list */
- subjectList->head = node->next;
- }
-
- subjectList->ncerts--;
-
- /* dont need to free the node, because it is from subjectList
- * arena.
- */
-
- /* remove reference from cert */
- cert->subjectList = NULL;
-
- /* if the list is now empty, remove the list from the db and free it */
- if ( subjectList->head == NULL ) {
- PORT_Assert(subjectList->ncerts == 0);
- rv = EncodeDBSubjectKey(&cert->derSubject, subjectList->arena,
- &keyitem);
- if ( rv == SECSuccess ) {
- namekey.data = keyitem.data;
- namekey.size = keyitem.len;
-
- handle = cert->dbhandle;
-
- ret = certdb_Del(handle->tempCertDB, &namekey, 0);
- /* keep going if it fails */
-
- if ( cert->dbnickname ) {
- rv = SEC_DeleteTempNickname(handle, cert->dbnickname);
- } else if ( cert->nickname ) {
- rv = SEC_DeleteTempNickname(handle, cert->nickname);
- }
-
- /* keep going if it fails */
- }
-
- PORT_FreeArena(subjectList->arena, PR_FALSE);
- }
- }
-
- PORT_Assert(cert->subjectList == NULL);
-
- if ( cert->subjectList != NULL ) {
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-/*
- * cert is no longer a perm cert, but will remain a temp cert
- */
-static SECStatus
-RemovePermSubjectNode(CERTCertificate *cert)
-{
- CERTSubjectList *subjectList;
- certDBEntrySubject *entry;
- unsigned int i;
- SECStatus rv;
-
- PORT_Assert(cert->isperm);
- if ( !cert->isperm ) {
- return(SECFailure);
- }
-
- subjectList = cert->subjectList;
- PORT_Assert(subjectList);
- if ( subjectList == NULL ) {
- return(SECFailure);
- }
- entry = subjectList->entry;
- PORT_Assert(entry);
- if ( entry == NULL ) {
- return(SECFailure);
- }
-
- PORT_Assert(entry->ncerts);
- rv = SECFailure;
-
- if ( entry->ncerts > 1 ) {
- for ( i = 0; i < entry->ncerts; i++ ) {
- if ( SECITEM_CompareItem(&entry->certKeys[i], &cert->certKey) ==
- SECEqual ) {
- /* copy rest of list forward one entry */
- for ( i = i + 1; i < entry->ncerts; i++ ) {
- entry->certKeys[i-1] = entry->certKeys[i];
- entry->keyIDs[i-1] = entry->keyIDs[i];
- }
- entry->ncerts--;
- DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
- rv = WriteDBSubjectEntry(cert->dbhandle, entry);
- break;
- }
- }
- } else {
- /* no entries left, delete the perm entry in the DB */
- if ( subjectList->entry->emailAddr ) {
- /* if the subject had an email record, then delete it too */
- DeleteDBSMimeEntry(cert->dbhandle, subjectList->entry->emailAddr);
- }
-
- DestroyDBEntry((certDBEntry *)subjectList->entry);
- subjectList->entry = NULL;
- DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
- }
-
- return(rv);
-}
-
-/*
- * add a cert to the perm subject list
- */
-static SECStatus
-AddPermSubjectNode(CERTCertificate *cert, char *nickname)
-{
- CERTSubjectList *subjectList;
- certDBEntrySubject *entry;
- SECItem *newCertKeys, *newKeyIDs;
- int i;
- SECStatus rv;
- CERTCertificate *cmpcert;
- unsigned int nnlen;
- int ncerts;
-
- subjectList = cert->subjectList;
-
- PORT_Assert(subjectList);
- if ( subjectList == NULL ) {
- return(SECFailure);
- }
-
- entry = subjectList->entry;
-
- if ( entry ) {
- ncerts = entry->ncerts;
-
- if ( nickname && entry->nickname ) {
- /* nicknames must be the same */
- PORT_Assert(PORT_Strcmp(nickname, entry->nickname) == 0);
- }
-
- if ( ( entry->nickname == NULL ) && ( nickname != NULL ) ) {
- /* copy nickname into the entry */
- nnlen = PORT_Strlen(nickname) + 1;
- entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena,
- nnlen);
- if ( entry->nickname == NULL ) {
- return(SECFailure);
- }
- PORT_Memcpy(entry->nickname, nickname, nnlen);
- }
-
- /* a DB entry already exists, so add this cert */
- newCertKeys = (SECItem *)PORT_ArenaAlloc(entry->common.arena,
- sizeof(SECItem) *
- ( ncerts + 1 ) );
- newKeyIDs = (SECItem *)PORT_ArenaAlloc(entry->common.arena,
- sizeof(SECItem) *
- ( ncerts + 1 ) );
-
- if ( ( newCertKeys == NULL ) || ( newKeyIDs == NULL ) ) {
- return(SECFailure);
- }
-
- for ( i = 0; i < ncerts; i++ ) {
- cmpcert = CERT_FindCertByKeyNoLocking(cert->dbhandle,
- &entry->certKeys[i]);
- PORT_Assert(cmpcert);
-
- if ( CERT_IsNewer(cert, cmpcert) ) {
- /* insert before cmpcert */
- rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[i],
- &cert->certKey);
- if ( rv != SECSuccess ) {
- return(SECFailure);
- }
- rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[i],
- &cert->subjectKeyID);
- if ( rv != SECSuccess ) {
- return(SECFailure);
- }
- /* copy the rest of the entry */
- for ( ; i < ncerts; i++ ) {
- newCertKeys[i+1] = entry->certKeys[i];
- newKeyIDs[i+1] = entry->keyIDs[i];
- }
-
- /* update certKeys and keyIDs */
- entry->certKeys = newCertKeys;
- entry->keyIDs = newKeyIDs;
-
- /* increment count */
- entry->ncerts++;
- break;
- }
- /* copy this cert entry */
- newCertKeys[i] = entry->certKeys[i];
- newKeyIDs[i] = entry->keyIDs[i];
- }
-
- if ( entry->ncerts == ncerts ) {
- /* insert new one at end */
- rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[ncerts],
- &cert->certKey);
- if ( rv != SECSuccess ) {
- return(SECFailure);
- }
- rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[ncerts],
- &cert->subjectKeyID);
- if ( rv != SECSuccess ) {
- return(SECFailure);
- }
-
- /* update certKeys and keyIDs */
- entry->certKeys = newCertKeys;
- entry->keyIDs = newKeyIDs;
-
- /* increment count */
- entry->ncerts++;
- }
- } else {
- /* need to make a new DB entry */
- entry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey,
- &cert->subjectKeyID, nickname,
- NULL, 0);
- cert->subjectList->entry = entry;
- }
- if ( entry ) {
- DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
- rv = WriteDBSubjectEntry(cert->dbhandle, entry);
- } else {
- rv = SECFailure;
- }
-
- return(rv);
-}
-
-
-
-SECStatus
-CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle, SECItem *derSubject,
- CERTCertCallback cb, void *cbarg)
-{
- certDBEntrySubject *entry;
- int i;
- CERTCertificate *cert;
- SECStatus rv = SECSuccess;
-
- entry = ReadDBSubjectEntry(handle, derSubject);
-
- if ( entry == NULL ) {
- return(SECFailure);
- }
-
- for( i = 0; i < entry->ncerts; i++ ) {
- cert = CERT_FindCertByKey(handle, &entry->certKeys[i]);
- rv = (* cb)(cert, cbarg);
- CERT_DestroyCertificate(cert);
- if ( rv == SECFailure ) {
- break;
- }
- }
-
- DestroyDBEntry((certDBEntry *)entry);
-
- return(rv);
-}
-
-int
-CERT_NumPermCertsForSubject(CERTCertDBHandle *handle, SECItem *derSubject)
-{
- certDBEntrySubject *entry;
- int ret;
-
- entry = ReadDBSubjectEntry(handle, derSubject);
-
- if ( entry == NULL ) {
- return(SECFailure);
- }
-
- ret = entry->ncerts;
-
- DestroyDBEntry((certDBEntry *)entry);
-
- return(ret);
-}
-
-SECStatus
-CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
- CERTCertCallback cb, void *cbarg)
-{
- certDBEntryNickname *nnentry = NULL;
- certDBEntrySMime *smentry = NULL;
- SECStatus rv;
- SECItem *derSubject = NULL;
-
- nnentry = ReadDBNicknameEntry(handle, nickname);
- if ( nnentry ) {
- derSubject = &nnentry->subjectName;
- } else {
- smentry = ReadDBSMimeEntry(handle, nickname);
- if ( smentry ) {
- derSubject = &smentry->subjectName;
- }
- }
-
- if ( derSubject ) {
- rv = CERT_TraversePermCertsForSubject(handle, derSubject,
- cb, cbarg);
- } else {
- rv = SECFailure;
- }
-
- if ( nnentry ) {
- DestroyDBEntry((certDBEntry *)nnentry);
- }
- if ( smentry ) {
- DestroyDBEntry((certDBEntry *)smentry);
- }
-
- return(rv);
-}
-
-int
-CERT_NumPermCertsForNickname(CERTCertDBHandle *handle, char *nickname)
-{
- certDBEntryNickname *entry;
- int ret;
-
- entry = ReadDBNicknameEntry(handle, nickname);
-
- if ( entry ) {
- ret = CERT_NumPermCertsForSubject(handle, &entry->subjectName);
- DestroyDBEntry((certDBEntry *)entry);
- } else {
- ret = 0;
- }
- return(ret);
-}
-
-int
-CERT_NumCertsForCertSubject(CERTCertificate *cert)
-{
- int ret = 0;
-
- if ( cert->subjectList ) {
- ret = cert->subjectList->ncerts;
- }
- return(ret);
-}
-
-int
-CERT_NumPermCertsForCertSubject(CERTCertificate *cert)
-{
- int ret = 0;
-
- if ( cert->subjectList ) {
- if ( cert->subjectList->entry ) {
- ret = cert->subjectList->entry->ncerts;
- }
- }
- return(ret);
-}
-
-SECStatus
-CERT_TraverseCertsForSubject(CERTCertDBHandle *handle,
- CERTSubjectList *subjectList,
- CERTCertCallback cb, void *cbarg)
-{
- CERTSubjectNode *node;
- CERTCertificate *cert;
- SECStatus rv = SECSuccess;
-
- CERT_LockDB(handle);
-
- node = subjectList->head;
- while ( node ) {
-
- cert = CERT_FindCertByKeyNoLocking(handle, &node->certKey);
-
- PORT_Assert(cert != NULL);
-
- if ( cert != NULL ) {
- rv = (* cb)(cert, cbarg);
- CERT_DestroyCertificateNoLocking(cert);
- if ( rv == SECFailure ) {
- break;
- }
- }
-
- node = node->next;
- }
-
- CERT_UnlockDB(handle);
-
- return(rv);
-}
-
-
-/*
- * Given a cert, find the cert with the same subject name that
- * has the given key usage. If the given cert has the correct keyUsage, then
- * return it, otherwise search the list in order.
- */
-CERTCertificate *
-CERT_FindCertByUsage(CERTCertificate *basecert, unsigned int requiredKeyUsage)
-{
- CERTSubjectNode *node;
- CERTCertificate *cert;
- CERTSubjectList *subjectList;
-
- if ( ( basecert->keyUsage & requiredKeyUsage ) == requiredKeyUsage ) {
- return(CERT_DupCertificate(basecert));
- }
-
- CERT_LockDB(basecert->dbhandle);
-
- subjectList = basecert->subjectList;
-
- node = subjectList->head;
- while ( node ) {
-
- cert = CERT_FindCertByKeyNoLocking(basecert->dbhandle, &node->certKey);
-
- PORT_Assert(cert != NULL);
-
- if ( cert != NULL ) {
- if ( ( cert->keyUsage & requiredKeyUsage ) ==
- requiredKeyUsage ) {
- CERT_UnlockDB(basecert->dbhandle);
- return(cert);
- }
-
- CERT_DestroyCertificateNoLocking(cert);
- }
-
- node = node->next;
- }
-
- CERT_UnlockDB(basecert->dbhandle);
-
- return(NULL);
-}
-
-
-/*
- * add a nickname to a cert that doesn't have one
- */
-static SECStatus
-AddNicknameToPermCert(CERTCertificate *cert, char *nickname)
-{
- certDBEntryCert *entry;
- int rv;
-
- PORT_Assert(cert->isperm);
- if ( !cert->isperm ) {
- goto loser;
- }
-
- entry = cert->dbEntry;
- PORT_Assert(entry != NULL);
- if ( entry == NULL ) {
- goto loser;
- }
-
- entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
-
- rv = WriteDBCertEntry(cert->dbhandle, entry);
- if ( rv ) {
- goto loser;
- }
-
- cert->nickname = PORT_ArenaStrdup(cert->arena, nickname);
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * add a nickname to a cert that is already in the perm database, but doesn't
- * have one yet (it is probably an e-mail cert).
- */
-SECStatus
-CERT_AddPermNickname(CERTCertificate *cert, char *nickname)
-{
- SECStatus rv;
-
- CERT_LockDB(cert->dbhandle);
-
- PORT_Assert(cert->nickname == NULL);
- PORT_Assert(cert->isperm);
- PORT_Assert(cert->subjectList != NULL);
- PORT_Assert(cert->subjectList->entry != NULL);
-
- if ( cert->nickname != NULL ) {
- goto done;
- }
-
- if ( cert->subjectList == NULL ) {
- goto loser;
- }
-
- if ( cert->subjectList->entry == NULL ) {
- goto loser;
- }
-
- if ( cert->subjectList->entry->nickname == NULL ) {
- /* no nickname for subject */
- rv = AddNicknameToSubject(cert, nickname);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- rv = AddNicknameToPermCert(cert, nickname);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- rv = SEC_AddTempNickname(cert->dbhandle, nickname,
- &cert->derSubject);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- } else {
- /* subject already has a nickname */
- rv = AddNicknameToPermCert(cert, cert->subjectList->entry->nickname);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
-done:
- CERT_UnlockDB(cert->dbhandle);
- return(SECSuccess);
-loser:
- CERT_UnlockDB(cert->dbhandle);
- return(SECFailure);
-}
-
-static certDBEntryCert *
-AddCertToPermDB(CERTCertDBHandle *handle, CERTCertificate *cert,
- char *nickname, CERTCertTrust *trust)
-{
- certDBEntryCert *certEntry = NULL;
- certDBEntryNickname *nicknameEntry = NULL;
- certDBEntrySubject *subjectEntry = NULL;
- int state = 0;
- SECStatus rv;
- PRBool donnentry = PR_FALSE;
-
- if ( nickname ) {
- donnentry = PR_TRUE;
- }
-
- if ( cert->subjectList != NULL ) {
- if ( cert->subjectList->entry != NULL ) {
- if ( cert->subjectList->entry->ncerts > 0 ) {
- /* of other certs with same subject exist, then they already
- * have a nickname, so don't add a new one.
- */
- donnentry = PR_FALSE;
- nickname = cert->subjectList->entry->nickname;
- }
- }
- }
-
- certEntry = NewDBCertEntry(&cert->derCert, nickname, trust, 0);
- if ( certEntry == NULL ) {
- goto loser;
- }
-
- if ( donnentry ) {
- nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
- if ( nicknameEntry == NULL ) {
- goto loser;
- }
- }
-
- rv = WriteDBCertEntry(handle, certEntry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- state = 1;
-
- if ( nicknameEntry ) {
- rv = WriteDBNicknameEntry(handle, nicknameEntry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- state = 2;
-
- /* add to or create new subject entry */
- if ( cert->subjectList ) {
- rv = AddPermSubjectNode(cert, nickname);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- } else {
- /* make a new subject entry - this case is only used when updating
- * an old version of the database. This is OK because the oldnickname
- * db format didn't allow multiple certs with the same subject.
- */
- subjectEntry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey,
- &cert->subjectKeyID, nickname,
- NULL, 0);
- if ( subjectEntry == NULL ) {
- goto loser;
- }
- rv = WriteDBSubjectEntry(handle, subjectEntry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- state = 3;
-
- if ( nicknameEntry ) {
- DestroyDBEntry((certDBEntry *)nicknameEntry);
- }
-
- if ( subjectEntry ) {
- DestroyDBEntry((certDBEntry *)subjectEntry);
- }
-
- return(certEntry);
-
-loser:
- /* don't leave partial entry in the database */
- if ( state > 0 ) {
- rv = DeleteDBCertEntry(handle, &cert->certKey);
- }
- if ( ( state > 1 ) && donnentry ) {
- rv = DeleteDBNicknameEntry(handle, nickname);
- }
- if ( state > 2 ) {
- rv = DeleteDBSubjectEntry(handle, &cert->derSubject);
- }
- if ( certEntry ) {
- DestroyDBEntry((certDBEntry *)certEntry);
- }
- if ( nicknameEntry ) {
- DestroyDBEntry((certDBEntry *)nicknameEntry);
- }
- if ( subjectEntry ) {
- DestroyDBEntry((certDBEntry *)subjectEntry);
- }
-
- return(NULL);
-}
-
-/*
- * NOTE - Version 6 DB did not go out to the real world in a release,
- * so we can remove this function in a later release.
- */
-static SECStatus
-UpdateV6DB(CERTCertDBHandle *handle, DB *updatedb)
-{
- int ret;
- DBT key, data;
- unsigned char *buf, *tmpbuf = NULL;
- certDBEntryType type;
- certDBEntryNickname *nnEntry = NULL;
- certDBEntrySubject *subjectEntry = NULL;
- certDBEntrySMime *emailEntry = NULL;
- char *nickname;
- char *emailAddr;
- SECStatus rv;
-
- /*
- * Sequence through the old database and copy all of the entries
- * to the new database. Subject name entries will have the new
- * fields inserted into them (with zero length).
- */
- ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
- if ( ret ) {
- return(SECFailure);
- }
-
- do {
- buf = (unsigned char *)data.data;
-
- if ( data.size >= 3 ) {
- if ( buf[0] == 6 ) { /* version number */
- type = (certDBEntryType)buf[1];
- if ( type == certDBEntryTypeSubject ) {
- /* expando subjecto entrieo */
- tmpbuf = (unsigned char *)PORT_Alloc(data.size + 4);
- if ( tmpbuf ) {
- /* copy header stuff */
- PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN + 2);
- /* insert 4 more bytes of zero'd header */
- PORT_Memset(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2],
- 0, 4);
- /* copy rest of the data */
- PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
- &buf[SEC_DB_ENTRY_HEADER_LEN + 2],
- data.size - (SEC_DB_ENTRY_HEADER_LEN + 2));
-
- data.data = (void *)tmpbuf;
- data.size += 4;
- buf = tmpbuf;
- }
- } else if ( type == certDBEntryTypeCert ) {
- /* expando certo entrieo */
- tmpbuf = (unsigned char *)PORT_Alloc(data.size + 3);
- if ( tmpbuf ) {
- /* copy header stuff */
- PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN);
-
- /* copy trust flage, setting msb's to 0 */
- tmpbuf[SEC_DB_ENTRY_HEADER_LEN] = 0;
- tmpbuf[SEC_DB_ENTRY_HEADER_LEN+1] =
- buf[SEC_DB_ENTRY_HEADER_LEN];
- tmpbuf[SEC_DB_ENTRY_HEADER_LEN+2] = 0;
- tmpbuf[SEC_DB_ENTRY_HEADER_LEN+3] =
- buf[SEC_DB_ENTRY_HEADER_LEN+1];
- tmpbuf[SEC_DB_ENTRY_HEADER_LEN+4] = 0;
- tmpbuf[SEC_DB_ENTRY_HEADER_LEN+5] =
- buf[SEC_DB_ENTRY_HEADER_LEN+2];
-
- /* copy rest of the data */
- PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
- &buf[SEC_DB_ENTRY_HEADER_LEN + 3],
- data.size - (SEC_DB_ENTRY_HEADER_LEN + 3));
-
- data.data = (void *)tmpbuf;
- data.size += 3;
- buf = tmpbuf;
- }
-
- }
-
- /* update the record version number */
- buf[0] = CERT_DB_FILE_VERSION;
-
- /* copy to the new database */
- ret = certdb_Put(handle->permCertDB, &key, &data, 0);
- if ( tmpbuf ) {
- PORT_Free(tmpbuf);
- tmpbuf = NULL;
- }
- }
- }
- } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
- ret = certdb_Sync(handle->permCertDB, 0);
-
- ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
- if ( ret ) {
- return(SECFailure);
- }
-
- do {
- buf = (unsigned char *)data.data;
-
- if ( data.size >= 3 ) {
- if ( buf[0] == CERT_DB_FILE_VERSION ) { /* version number */
- type = (certDBEntryType)buf[1];
- if ( type == certDBEntryTypeNickname ) {
- nickname = &((char *)key.data)[1];
-
- /* get the matching nickname entry in the new DB */
- nnEntry = ReadDBNicknameEntry(handle, nickname);
- if ( nnEntry == NULL ) {
- goto endloop;
- }
-
- /* find the subject entry pointed to by nickname */
- subjectEntry = ReadDBSubjectEntry(handle,
- &nnEntry->subjectName);
- if ( subjectEntry == NULL ) {
- goto endloop;
- }
-
- subjectEntry->nickname =
- (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
- key.size - 1);
- if ( subjectEntry->nickname ) {
- PORT_Memcpy(subjectEntry->nickname, nickname,
- key.size - 1);
- rv = WriteDBSubjectEntry(handle, subjectEntry);
- }
- } else if ( type == certDBEntryTypeSMimeProfile ) {
- emailAddr = &((char *)key.data)[1];
-
- /* get the matching smime entry in the new DB */
- emailEntry = ReadDBSMimeEntry(handle, emailAddr);
- if ( emailEntry == NULL ) {
- goto endloop;
- }
-
- /* find the subject entry pointed to by nickname */
- subjectEntry = ReadDBSubjectEntry(handle,
- &emailEntry->subjectName);
- if ( subjectEntry == NULL ) {
- goto endloop;
- }
-
- subjectEntry->nickname =
- (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
- key.size - 1);
- if ( subjectEntry->emailAddr ) {
- PORT_Memcpy(subjectEntry->emailAddr, emailAddr,
- key.size - 1);
- rv = WriteDBSubjectEntry(handle, subjectEntry);
- }
- }
-
-endloop:
- if ( subjectEntry ) {
- DestroyDBEntry((certDBEntry *)subjectEntry);
- subjectEntry = NULL;
- }
- if ( nnEntry ) {
- DestroyDBEntry((certDBEntry *)nnEntry);
- nnEntry = NULL;
- }
- if ( emailEntry ) {
- DestroyDBEntry((certDBEntry *)emailEntry);
- emailEntry = NULL;
- }
- }
- }
- } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
- ret = certdb_Sync(handle->permCertDB, 0);
-
- (* updatedb->close)(updatedb);
- return(SECSuccess);
-}
-
-
-static SECStatus
-updateV5Callback(CERTCertificate *cert, SECItem *k, void *pdata)
-{
- CERTCertDBHandle *handle;
- certDBEntryCert *entry;
- CERTCertTrust *trust;
-
- handle = (CERTCertDBHandle *)pdata;
- trust = &cert->dbEntry->trust;
-
- /* SSL user certs can be used for email if they have an email addr */
- if ( cert->emailAddr && ( trust->sslFlags & CERTDB_USER ) &&
- ( trust->emailFlags == 0 ) ) {
- trust->emailFlags = CERTDB_USER;
- }
-
- entry = AddCertToPermDB(handle, cert, cert->dbEntry->nickname,
- &cert->dbEntry->trust);
- if ( entry ) {
- DestroyDBEntry((certDBEntry *)entry);
- }
-
- return(SECSuccess);
-}
-
-static SECStatus
-UpdateV5DB(CERTCertDBHandle *handle, DB *updatedb)
-{
- CERTCertDBHandle updatehandle;
- SECStatus rv;
-
- updatehandle.permCertDB = updatedb;
- updatehandle.dbMon = PR_NewMonitor();
-
- rv = SEC_TraversePermCerts(&updatehandle, updateV5Callback,
- (void *)handle);
-
- PR_DestroyMonitor(updatehandle.dbMon);
-
- return(rv);
-}
-
-static SECStatus
-UpdateV4DB(CERTCertDBHandle *handle, DB *updatedb)
-{
- DBT key, data;
- certDBEntryCert *entry, *entry2;
- SECItem derSubject;
- int ret;
- PRArenaPool *arena = NULL;
- CERTCertificate *cert;
-
- ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
-
- if ( ret ) {
- return(SECFailure);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- return(SECFailure);
- }
-
- do {
- if ( data.size != 1 ) { /* skip version number */
-
- /* decode the old DB entry */
- entry = (certDBEntryCert *)DecodeV4DBCertEntry((unsigned char*)data.data, data.size);
- derSubject.data = NULL;
-
- if ( entry ) {
- cert = CERT_DecodeDERCertificate(&entry->derCert, PR_TRUE,
- entry->nickname);
-
- if ( cert != NULL ) {
- /* add to new database */
- entry2 = AddCertToPermDB(handle, cert, entry->nickname,
- &entry->trust);
-
- CERT_DestroyCertificate(cert);
- if ( entry2 ) {
- DestroyDBEntry((certDBEntry *)entry2);
- }
- }
- DestroyDBEntry((certDBEntry *)entry);
- }
- }
- } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
- PORT_FreeArena(arena, PR_FALSE);
- (* updatedb->close)(updatedb);
- return(SECSuccess);
-}
-
-/*
- * return true if a database key conflict exists
- */
-PRBool
-SEC_CertDBKeyConflict(SECItem *derCert, CERTCertDBHandle *handle)
-{
- SECStatus rv;
- DBT tmpdata;
- DBT namekey;
- int ret;
- SECItem keyitem;
- PRArenaPool *arena = NULL;
- SECItem derKey;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- /* get the db key of the cert */
- rv = CERT_KeyFromDERCert(arena, derCert, &derKey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = EncodeDBCertKey(&derKey, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- namekey.data = keyitem.data;
- namekey.size = keyitem.len;
-
- /* lookup in the temporary database */
- ret = certdb_Get(handle->tempCertDB, &namekey, &tmpdata, 0);
-
- if ( ret == 0 ) { /* found in temp database */
- goto loser;
- } else { /* not found in temporary database */
- ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0);
- if ( ret == 0 ) {
- goto loser;
- }
- }
-
- PORT_FreeArena(arena, PR_FALSE);
-
- return(PR_FALSE);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(PR_TRUE);
-}
-
-#ifdef NOTDEF
-/*
- * return true if a subject name conflict exists
- * NOTE: caller must have already made sure that this exact cert
- * doesn't exist in the DB
- */
-PRBool
-SEC_CertSubjectConflict(SECItem *derCert, CERTCertDBHandle *handle)
-{
- SECStatus rv;
- DBT tmpdata;
- DBT namekey;
- int ret;
- SECItem keyitem;
- PRArenaPool *arena = NULL;
- SECItem derName;
-
- derName.data = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- /* get the subject name of the cert */
- rv = CERT_NameFromDERCert(derCert, &derName);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = EncodeDBSubjectKey(&derName, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- namekey.data = keyitem.data;
- namekey.size = keyitem.len;
-
- /* lookup in the temporary database */
- ret = certdb_Get(handle->tempCertDB, &namekey, &tmpdata, 0);
-
- if ( ret == 0 ) { /* found in temp database */
- return(PR_TRUE);
- } else { /* not found in temporary database */
- ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0);
- if ( ret == 0 ) {
- return(PR_TRUE);
- }
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- PORT_Free(derName.data);
-
- return(PR_FALSE);
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if ( derName.data ) {
- PORT_Free(derName.data);
- }
-
- return(PR_TRUE);
-}
-#endif
-
-/*
- * return true if a nickname conflict exists
- * NOTE: caller must have already made sure that this exact cert
- * doesn't exist in the DB
- */
-PRBool
-SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
- CERTCertDBHandle *handle)
-{
- PRBool rv;
- certDBEntryNickname *entry;
-
- if ( nickname == NULL ) {
- return(PR_FALSE);
- }
-
- entry = ReadDBNicknameEntry(handle, nickname);
-
- if ( entry == NULL ) {
- /* no entry for this nickname, so no conflict */
- return(PR_FALSE);
- }
-
- rv = PR_TRUE;
- if ( SECITEM_CompareItem(derSubject, &entry->subjectName) == SECEqual ) {
- /* if subject names are the same, then no conflict */
- rv = PR_FALSE;
- }
-
- DestroyDBEntry((certDBEntry *)entry);
- return(rv);
-}
-
-/*
- * Open the certificate database and index databases. Create them if
- * they are not there or bad.
- */
-SECStatus
-SEC_OpenPermCertDB(CERTCertDBHandle *handle, PRBool readOnly,
- CERTDBNameFunc namecb, void *cbarg)
-{
- SECStatus rv;
- int openflags;
- certDBEntryVersion *versionEntry = NULL;
- DB *updatedb = NULL;
- char *tmpname;
- char *certdbname;
- PRBool updated = PR_FALSE;
- PRBool forceUpdate = PR_FALSE;
-
- certdbname = (* namecb)(cbarg, CERT_DB_FILE_VERSION);
- if ( certdbname == NULL ) {
- return(SECFailure);
- }
-
- if ( readOnly ) {
- openflags = O_RDONLY;
- } else {
- openflags = O_RDWR;
- }
-
- /*
- * first open the permanent file based database.
- */
- handle->permCertDB = dbopen( certdbname, openflags, 0600, DB_HASH, 0 );
-
- /* check for correct version number */
- if ( handle->permCertDB ) {
- versionEntry = ReadDBVersionEntry(handle);
-
- if ( versionEntry == NULL ) {
- /* no version number */
- certdb_Close(handle->permCertDB);
- handle->permCertDB = 0;
- } else if ( versionEntry->common.version != CERT_DB_FILE_VERSION ) {
- /* wrong version number, can't update in place */
- DestroyDBEntry((certDBEntry *)versionEntry);
- return(SECFailure);
- }
-
- }
-
-
- /* if first open fails, try to create a new DB */
- if ( handle->permCertDB == NULL ) {
-
- /* don't create if readonly */
- if ( readOnly ) {
- goto loser;
- }
-
- handle->permCertDB = dbopen(certdbname,
- O_RDWR | O_CREAT | O_TRUNC,
- 0600, DB_HASH, 0);
-
- /* if create fails then we lose */
- if ( handle->permCertDB == 0 ) {
- goto loser;
- }
-
- versionEntry = NewDBVersionEntry(0);
- if ( versionEntry == NULL ) {
- goto loser;
- }
-
- rv = WriteDBVersionEntry(handle, versionEntry);
-
- DestroyDBEntry((certDBEntry *)versionEntry);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* try to upgrade old db here */
- tmpname = (* namecb)(cbarg, 6); /* get v6 db name */
- if ( tmpname ) {
- updatedb = dbopen( tmpname, O_RDONLY, 0600, DB_HASH, 0 );
- PORT_Free(tmpname);
- if ( updatedb ) {
- rv = UpdateV6DB(handle, updatedb);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- updated = PR_TRUE;
- } else { /* no v6 db, so try v5 db */
- tmpname = (* namecb)(cbarg, 5); /* get v5 db name */
- if ( tmpname ) {
- updatedb = dbopen( tmpname, O_RDONLY, 0600, DB_HASH, 0 );
- PORT_Free(tmpname);
- if ( updatedb ) {
- rv = UpdateV5DB(handle, updatedb);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- updated = PR_TRUE;
- } else { /* no v5 db, so try v4 db */
- /* try to upgrade v4 db */
- tmpname = (* namecb)(cbarg, 4); /* get v4 db name */
- if ( tmpname ) {
- updatedb = dbopen( tmpname, O_RDONLY, 0600,
- DB_HASH, 0 );
- PORT_Free(tmpname);
- if ( updatedb ) {
- rv = UpdateV4DB(handle, updatedb);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- forceUpdate = PR_TRUE;
- updated = PR_TRUE;
- }
- }
- }
- }
- }
- }
-
- /* initialize the database with our well known certificates
- * or in the case of update, just fall down to CERT_AddNewCerts()
- * below.
- * Note - if we are updating a really old database, then we try
- * to push all of the certs into it.
- */
- if ( ( !updated ) || forceUpdate ) {
- rv = CERT_InitCertDB(handle);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
- }
-
- rv = CERT_AddNewCerts(handle);
-
- return (SECSuccess);
-
-loser:
-
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
-
- if ( handle->permCertDB ) {
- certdb_Close(handle->permCertDB);
- handle->permCertDB = 0;
- }
-
- return(SECFailure);
-}
-
-/*
- * delete all DB records associated with a particular certificate
- */
-static SECStatus
-DeletePermCert(CERTCertificate *cert)
-{
- SECStatus rv;
- SECStatus ret;
-
- ret = SECSuccess;
-
- rv = DeleteDBCertEntry(cert->dbhandle, &cert->certKey);
- if ( rv != SECSuccess ) {
- ret = SECFailure;
- }
-
- if ( cert->nickname ) {
- rv = DeleteDBNicknameEntry(cert->dbhandle, cert->nickname);
- if ( rv != SECSuccess ) {
- ret = SECFailure;
- }
- }
-
- rv = RemovePermSubjectNode(cert);
-
- return(ret);
-}
-
-/*
- * Delete a certificate from the permanent database.
- */
-SECStatus
-SEC_DeletePermCertificate(CERTCertificate *cert)
-{
- SECStatus rv;
-
- if ( !cert->isperm ) {
- return(SECSuccess);
- }
- CERT_LockDB(cert->dbhandle);
- /* delete the records from the permanent database */
- rv = DeletePermCert(cert);
-
- /* no longer permanent */
- cert->isperm = PR_FALSE;
-
- /* get rid of dbcert and stuff pointing to it */
- DestroyDBEntry((certDBEntry *)cert->dbEntry);
- cert->dbEntry = NULL;
- cert->trust = NULL;
-
- /* delete it from the temporary database too. It will remain in
- * memory until all references go away.
- */
- if (cert->slot) {
- /* If it's owned by a PKCS #11 slot, don't deleted if from the temp DB just
- * yet... rv inherited from DeletePermCert (as if anyone checks the return
- * code from this function anyway. */
- CERT_DestroyCertificateNoLocking(cert);
- rv = SECSuccess;
- } else {
- rv = CERT_DeleteTempCertificate(cert);
- }
-
- CERT_UnlockDB(cert->dbhandle);
- return(rv);
-}
-
-/*
- * Lookup a certificate in the databases.
- */
-certDBEntryCert *
-SEC_FindPermCertByKey(CERTCertDBHandle *handle, SECItem *key)
-{
- return(ReadDBCertEntry(handle, key));
-}
-
-/*
- * Lookup a certificate in the database by name
- */
-certDBEntryCert *
-SEC_FindPermCertByName(CERTCertDBHandle *handle, SECItem *derSubject)
-{
- certDBEntrySubject *subjectEntry;
- certDBEntryCert *certEntry;
-
- subjectEntry = ReadDBSubjectEntry(handle, derSubject);
-
- if ( subjectEntry == NULL ) {
- goto loser;
- }
-
- certEntry = ReadDBCertEntry(handle, &subjectEntry->certKeys[0]);
- DestroyDBEntry((certDBEntry *)subjectEntry);
-
- return(certEntry);
-
-loser:
- return(NULL);
-}
-
-/*
- * Lookup a certificate in the database by nickname
- */
-certDBEntryCert *
-SEC_FindPermCertByNickname(CERTCertDBHandle *handle, char *nickname)
-{
- certDBEntryNickname *nicknameEntry;
- certDBEntryCert *certEntry;
-
- nicknameEntry = ReadDBNicknameEntry(handle, nickname);
-
- if ( nicknameEntry == NULL ) {
- goto loser;
- }
-
- certEntry = SEC_FindPermCertByName(handle, &nicknameEntry->subjectName);
- DestroyDBEntry((certDBEntry *)nicknameEntry);
-
- return(certEntry);
-
-loser:
- return(NULL);
-}
-
-/*
- * Traverse all of the entries in the database of a particular type
- * call the given function for each one.
- */
-SECStatus
-SEC_TraverseDBEntries(CERTCertDBHandle *handle,
- certDBEntryType type,
- SECStatus (* callback)(SECItem *data, SECItem *key,
- certDBEntryType type, void *pdata),
- void *udata )
-{
- DBT data;
- DBT key;
- SECStatus rv;
- int ret;
- SECItem dataitem;
- SECItem keyitem;
- unsigned char *buf;
- unsigned char *keybuf;
-
- ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
-
- if ( ret ) {
- return(SECFailure);
- }
-
- do {
- buf = (unsigned char *)data.data;
-
- if ( buf[1] == (unsigned char)type ) {
- dataitem.len = data.size;
- dataitem.data = buf;
- dataitem.type = siBuffer;
- keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
- keybuf = (unsigned char *)key.data;
- keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
- keyitem.type = siBuffer;
-
- rv = (* callback)(&dataitem, &keyitem, type, udata);
- if ( rv != SECSuccess ) {
- return(rv);
- }
- }
- } while ( certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0 );
-
- return(SECSuccess);
-}
-
-typedef struct {
- PermCertCallback certfunc;
- CERTCertDBHandle *handle;
- void *data;
-} PermCertCallbackState;
-
-/*
- * traversal callback to decode certs and call callers callback
- */
-static SECStatus
-certcallback(SECItem *dbdata, SECItem *dbkey, certDBEntryType type, void *data)
-{
- PermCertCallbackState *mystate;
- SECStatus rv;
- certDBEntryCert entry;
- SECItem entryitem;
- CERTCertificate *cert;
- PRArenaPool *arena = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- mystate = (PermCertCallbackState *)data;
- entry.common.version = (unsigned int)dbdata->data[0];
- entry.common.type = (certDBEntryType)dbdata->data[1];
- entry.common.flags = (unsigned int)dbdata->data[2];
- entry.common.arena = arena;
-
- entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
- entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
-
- rv = DecodeDBCertEntry(&entry, &entryitem);
- if (rv != SECSuccess ) {
- goto loser;
- }
- entry.derCert.type = siBuffer;
-
- cert = CERT_DecodeDERCertificate(&entry.derCert, PR_FALSE,
- entry.nickname);
- cert->dbEntry = &entry;
- cert->trust = &entry.trust;
- cert->dbhandle = mystate->handle;
-
- if ( CERT_IsCACert(cert, NULL) ||
- (( cert->trust->sslFlags & CERTDB_VALID_CA ) ||
- ( cert->trust->emailFlags & CERTDB_VALID_CA ) ||
- ( cert->trust->objectSigningFlags & CERTDB_VALID_CA)) ) {
- cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
- }
-
- rv = (* mystate->certfunc)(cert, dbkey, mystate->data);
-
- /* arena destroyed by SEC_DestroyCert */
- CERT_DestroyCertificateNoLocking(cert);
-
- return(rv);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-/*
- * Traverse all of the certificates in the permanent database and
- * call the given function for each one; expect the caller to have lock.
- */
-static SECStatus
-TraversePermCertsNoLocking(CERTCertDBHandle *handle,
- SECStatus (* certfunc)(CERTCertificate *cert,
- SECItem *k,
- void *pdata),
- void *udata )
-{
- SECStatus rv;
- PermCertCallbackState mystate;
-
- mystate.certfunc = certfunc;
- mystate.handle = handle;
- mystate.data = udata;
- rv = SEC_TraverseDBEntries(handle, certDBEntryTypeCert, certcallback,
- (void *)&mystate);
-
- return(rv);
-}
-
-/*
- * Traverse all of the certificates in the permanent database and
- * call the given function for each one.
- */
-SECStatus
-SEC_TraversePermCerts(CERTCertDBHandle *handle,
- SECStatus (* certfunc)(CERTCertificate *cert, SECItem *k,
- void *pdata),
- void *udata )
-{
- SECStatus rv;
-
- CERT_LockDB(handle);
- rv = TraversePermCertsNoLocking(handle, certfunc, udata);
- CERT_UnlockDB(handle);
-
- return(rv);
-}
-
-
-
-/*
- * Close the database
- */
-void
-CERT_ClosePermCertDB(CERTCertDBHandle *handle)
-{
- if ( handle ) {
- if ( handle->permCertDB ) {
- if ( handle->statusConfig ) {
- PORT_Assert(handle->statusConfig->statusDestroy != NULL);
- (void) (* handle->statusConfig->statusDestroy)(handle->statusConfig);
- handle->statusConfig = NULL; /* Destroy frees the structure */
- PORT_Assert(handle->statusConfig == NULL);
- }
- certdb_Close( handle->permCertDB );
- handle->permCertDB = 0;
- }
- }
- return;
-}
-
-/*
- * Get the trust attributes from a certificate
- */
-SECStatus
-CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
-{
- SECStatus rv;
-
- CERT_LockCertTrust(cert);
-
- if ( cert->trust == NULL ) {
- rv = SECFailure;
- } else {
- *trust = *cert->trust;
- rv = SECSuccess;
- }
-
- CERT_UnlockCertTrust(cert);
- return(rv);
-}
-
-/*
- * Change the trust attributes of a certificate and make them permanent
- * in the database.
- */
-SECStatus
-CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
- CERTCertTrust *trust)
-{
- certDBEntryCert *entry;
- int rv;
- SECStatus ret;
-
- CERT_LockDB(handle);
- CERT_LockCertTrust(cert);
- /* only set the trust on permanent certs */
- if ( cert->trust == NULL ) {
- ret = SECFailure;
- goto done;
- }
-
- *cert->trust = *trust;
- if ( cert->dbEntry == NULL ) {
- ret = SECSuccess; /* not in permanent database */
- goto done;
- }
-
- entry = cert->dbEntry;
- entry->trust = *trust;
-
- rv = WriteDBCertEntry(handle, entry);
- if ( rv ) {
- ret = SECFailure;
- goto done;
- }
-
- ret = SECSuccess;
-
-done:
- CERT_UnlockCertTrust(cert);
- CERT_UnlockDB(handle);
- return(ret);
-}
-
-
-SECStatus
-CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
- CERTCertTrust *trust)
-{
- char *oldnn;
- certDBEntryCert *entry;
- SECStatus rv;
- PRBool conflict;
- SECStatus ret;
-
- PORT_Assert(cert->dbhandle);
-
- CERT_LockDB(cert->dbhandle);
-
- PORT_Assert(cert->istemp);
- PORT_Assert(!cert->isperm);
- PORT_Assert(!cert->dbEntry);
-
- /* don't add a conflicting nickname */
- conflict = SEC_CertNicknameConflict(nickname, &cert->derSubject,
- cert->dbhandle);
- if ( conflict ) {
- ret = SECFailure;
- goto done;
- }
-
- /* save old nickname so that we can delete it */
- oldnn = cert->nickname;
-
- entry = AddCertToPermDB(cert->dbhandle, cert, nickname, trust);
-
- if ( entry == NULL ) {
- ret = SECFailure;
- goto done;
- }
-
- cert->nickname = (entry->nickname) ? PORT_ArenaStrdup(cert->arena,entry->nickname) : NULL;
- cert->trust = &entry->trust;
- cert->isperm = PR_TRUE;
- cert->dbEntry = entry;
-
- if ( nickname && oldnn && ( PORT_Strcmp(nickname, oldnn) != 0 ) ) {
- /* only delete the old one if they are not the same */
- /* delete old nickname from temp database */
- rv = SEC_DeleteTempNickname(cert->dbhandle, oldnn);
- if ( rv != SECSuccess ) {
- /* do we care?? */
- }
- }
- /* add new nickname to temp database */
- if ( cert->nickname ) {
- rv = SEC_AddTempNickname(cert->dbhandle, cert->nickname,
- &cert->derSubject);
- if ( rv != SECSuccess ) {
- ret = SECFailure;
- goto done;
- }
- }
-
- ret = SECSuccess;
-done:
- CERT_UnlockDB(cert->dbhandle);
- return(ret);
-}
-
-/*
- * Open the certificate database and index databases. Create them if
- * they are not there or bad.
- */
-SECStatus
-CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
- CERTDBNameFunc namecb, void *cbarg)
-{
- int rv;
-
- certdb_InitDBLock();
-
- handle->dbMon = PR_NewMonitor();
- PORT_Assert(handle->dbMon != NULL);
-
- handle->spkDigestInfo = NULL;
- handle->statusConfig = NULL;
-
- /*
- * Open the memory resident decoded cert database.
- */
- handle->tempCertDB = dbopen( 0, O_RDWR | O_CREAT, 0600, DB_HASH, 0 );
- if ( !handle->tempCertDB ) {
- goto loser;
- }
-
- rv = SEC_OpenPermCertDB(handle, readOnly, namecb, cbarg);
- if ( rv ) {
- goto loser;
- }
-
- return (SECSuccess);
-
-loser:
-
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
-
- if ( handle->tempCertDB ) {
- certdb_Close(handle->tempCertDB);
- handle->tempCertDB = 0;
- }
-
- return(SECFailure);
-}
-
-static char *
-certDBFilenameCallback(void *arg, int dbVersion)
-{
- return((char *)arg);
-}
-
-SECStatus
-CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
- PRBool readOnly)
-{
- return(CERT_OpenCertDB(handle, readOnly, certDBFilenameCallback,
- (void *)certdbname));
-}
-
-/*
- * Add a nickname to the temp database
- */
-SECStatus
-SEC_AddTempNickname(CERTCertDBHandle *handle, char *nickname,
- SECItem *subjectName)
-{
- DBT namekey;
- int ret;
- SECItem nameitem;
- SECStatus rv;
- DBT keydata;
- PRArenaPool *arena = NULL;
- SECItem tmpitem;
-
- PORT_Assert(nickname != NULL);
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- rv = EncodeDBNicknameKey(nickname, arena, &nameitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- namekey.data = nameitem.data;
- namekey.size = nameitem.len;
-
- /* see if an entry already exists */
- ret = certdb_Get(handle->tempCertDB, &namekey, &keydata, 0);
-
- if ( ret == 0 ) {
- /* found in temp database */
- tmpitem.data = (unsigned char*)keydata.data;
- tmpitem.len = keydata.size;
-
- if ( SECITEM_CompareItem(subjectName, &tmpitem) == SECEqual ) {
- /* same subject name */
- goto done;
- } else {
- /* different subject name is an error */
- goto loser;
- }
- }
-
- keydata.data = subjectName->data;
- keydata.size = subjectName->len;
-
- /* put into temp byname index */
- ret = certdb_Put(handle->tempCertDB, &namekey, &keydata, R_NOOVERWRITE);
-
- if ( ret ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
-done:
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-SECStatus
-SEC_DeleteTempNickname(CERTCertDBHandle *handle, char *nickname)
-{
- DBT namekey;
- SECStatus rv;
- PRArenaPool *arena = NULL;
- SECItem nameitem;
- int ret;
-
- PORT_Assert(nickname != NULL);
- if ( nickname == NULL ) {
- return(SECSuccess);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* format a database key based on the nickname */
- if ( nickname ) {
- rv = EncodeDBNicknameKey(nickname, arena, &nameitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- namekey.data = nameitem.data;
- namekey.size = nameitem.len;
-
- ret = certdb_Del(handle->tempCertDB, &namekey, 0);
- if ( ret ) {
- goto loser;
- }
- }
-
- PORT_FreeArena(arena, PR_FALSE);
-
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-/*
- * Decode a certificate and enter it into the temporary certificate database.
- * Deal with nicknames correctly
- *
- * nickname is only used if isperm == PR_TRUE
- *
- * This is the private entry point, and locking is optional
- */
-static CERTCertificate *
-NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, char *nickname,
- PRBool isperm, PRBool copyDER, PRBool lockdb)
-
-{
- DBT key;
- DBT data;
- int status;
- CERTCertificate *cert = NULL;
- PRBool promoteError = PR_TRUE;
- PRArenaPool *arena = NULL;
- SECItem keyitem;
- SECStatus rv;
-
- if ( isperm == PR_FALSE ) {
- cert = CERT_FindCertByDERCert(handle, derCert);
- if ( cert ) {
- return(cert);
- }
-
- nickname = NULL;
- }
-
- if ( lockdb ) {
- CERT_LockDB(handle);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- cert = CERT_DecodeDERCertificate(derCert, copyDER, nickname );
-
- if ( cert == NULL ) {
- /* We want to save the decoding error here */
- promoteError = PR_FALSE;
- goto loser;
- }
-
- cert->dbhandle = handle;
-
- /* only save pointer to cert in database */
- data.data = &cert;
- data.size = sizeof(cert);
-
- /* if this is a perm cert, then it is already in the subject db */
- if ( isperm == PR_FALSE ) {
- /* enter into the subject index */
- rv = AddTempCertToSubjectList(cert);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- /*
- * Since it's not a perm cert, add it to the key hash lookup; if it
- * is permanent it will either already be there or will get put there
- * later along with the rest of the perm certs. A failure of the
- * addition does not seem to warrant failing this whole function,
- * so we intentionally ignore the returned status.
- */
- (void) AddCertToSPKDigestTable(handle, cert);
- } else {
- cert->subjectList = FindSubjectList(cert->dbhandle, &cert->derSubject,
- PR_FALSE);
- }
-
- rv = EncodeDBCertKey(&cert->certKey, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- key.data = keyitem.data;
- key.size = keyitem.len;
-
- /* enter into main db */
- status = certdb_Put(handle->tempCertDB, &key, &data, R_NOOVERWRITE);
- if ( status ) {
- goto loser;
- }
-
- if ( cert->nickname ) {
- status = SEC_AddTempNickname(handle, cert->nickname,
- &cert->derSubject);
- if ( status ) {
- promoteError = PR_FALSE;
- goto loser;
- }
- }
-
- cert->isperm = isperm;
- cert->istemp = PR_TRUE;
-
- PORT_FreeArena(arena, PR_FALSE);
-
- if ( lockdb ) {
- CERT_UnlockDB(handle);
- }
-
- return(cert);
-
-loser:
- if ( cert ) {
- CERT_DestroyCertificateNoLocking(cert);
- }
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- if ( promoteError ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- }
-
- if ( lockdb ) {
- CERT_UnlockDB(handle);
- }
-
- return(0);
-}
-
-/*
- * Decode a certificate and enter it into the temporary certificate database.
- * Deal with nicknames correctly
- *
- * nickname is only used if isperm == PR_TRUE
- *
- * This is the public entry point and does locking.
- */
-CERTCertificate *
-CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
- char *nickname, PRBool isperm, PRBool copyDER)
-{
- return( NewTempCertificate(handle, derCert, nickname, isperm, copyDER,
- PR_TRUE) );
-}
-
-/*
- * Decode a permanent certificate and enter it into the temporary certificate
- * database.
- */
-static CERTCertificate *
-SEC_AddPermCertToTemp(CERTCertDBHandle *handle, certDBEntryCert *entry)
-{
- CERTCertificate *cert;
-
- /* we already hold the lock */
- cert = NewTempCertificate(handle, &entry->derCert, entry->nickname,
- PR_TRUE, PR_TRUE, PR_FALSE);
- if ( !cert ) {
- return(0);
- }
-
- cert->dbEntry = entry;
-
- cert->trust = &entry->trust;
-
- return(cert);
-}
-
-SECStatus
-CERT_DeleteTempCertificate(CERTCertificate *cert)
-{
- SECStatus rv;
- DBT nameKey;
- CERTCertDBHandle *handle;
- SECItem keyitem;
- PRArenaPool *arena;
- int ret;
-
- handle = cert->dbhandle;
-
- if ( !cert->istemp ) {
- return(SECSuccess);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- if (cert->slot) {
- PK11_FreeSlot(cert->slot);
- cert->slot = NULL;
- cert->pkcs11ID = CK_INVALID_KEY;
- }
-
- /* delete from subject list (also takes care of nickname) */
- rv = RemoveTempCertFromSubjectList(cert);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- if ( !cert->isperm ) {
- /*
- * Remove the cert from the subject public key digest table,
- * though we do not care if the removal fails (perhaps meaning
- * the cert wasn't even there).
- */
- (void) RemoveCertFromSPKDigestTable(handle, cert);
- }
-
- rv = EncodeDBCertKey(&cert->certKey, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- nameKey.data = keyitem.data;
- nameKey.size = keyitem.len;
- /* delete the cert */
- ret = certdb_Del(handle->tempCertDB, &nameKey, 0);
- if ( ret ) {
- goto loser;
- }
-
- cert->istemp = PR_FALSE;
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Lookup a certificate in the databases.
- */
-static CERTCertificate *
-FindCertByKey(CERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb)
-{
- DBT tmpdata;
- int ret;
- SECItem keyitem;
- DBT key;
- SECStatus rv;
- CERTCertificate *cert = NULL;
- PRArenaPool *arena = NULL;
- certDBEntryCert *entry;
- PRBool locked = PR_FALSE;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBCertKey(certKey, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- key.data = keyitem.data;
- key.size = keyitem.len;
-
- if ( lockdb ) {
- locked = PR_TRUE;
- CERT_LockDB(handle);
- }
-
- /* lookup in the temporary database */
- ret = certdb_Get( handle->tempCertDB, &key, &tmpdata, 0 );
-
- /* error accessing the database */
- if ( ret < 0 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- if ( ret == 0 ) { /* found in temp database */
- if ( tmpdata.size != sizeof(CERTCertificate *) ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- PORT_Memcpy(&cert, tmpdata.data, tmpdata.size);
- CERT_LockCertRefCount(cert);
- cert->referenceCount++;
- CERT_UnlockCertRefCount(cert);
- }
- if ( ret != 0 ) {
- /* not found in temporary database */
-
- /* find in perm database */
- entry = SEC_FindPermCertByKey(handle, certKey);
-
- if ( entry == NULL ) {
- goto loser;
- }
-
- cert = SEC_AddPermCertToTemp(handle, entry);
- }
-
-loser:
- if ( locked ) {
- CERT_UnlockDB(handle);
- }
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(cert);
-}
-
-/*
- * Lookup a certificate in the databases, with locking
- */
-CERTCertificate *
-CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *certKey)
-{
- return(FindCertByKey(handle, certKey, PR_TRUE));
-}
-
-/*
- * Lookup a certificate in the databases without locking
- */
-CERTCertificate *
-CERT_FindCertByKeyNoLocking(CERTCertDBHandle *handle, SECItem *certKey)
-{
- return(FindCertByKey(handle, certKey, PR_FALSE));
-}
-
-/*
- * Generate a key from an issuerAndSerialNumber, and find the
- * associated cert in the database.
- */
-CERTCertificate *
-CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
-{
- SECItem certKey;
- CERTCertificate *cert;
-
- certKey.len = issuerAndSN->serialNumber.len + issuerAndSN->derIssuer.len;
- certKey.data = (unsigned char*)PORT_Alloc(certKey.len);
-
- if ( certKey.data == NULL ) {
- return(0);
- }
-
- /* copy the serialNumber */
- PORT_Memcpy(certKey.data, issuerAndSN->serialNumber.data,
- issuerAndSN->serialNumber.len);
-
- /* copy the issuer */
- PORT_Memcpy( &certKey.data[issuerAndSN->serialNumber.len],
- issuerAndSN->derIssuer.data, issuerAndSN->derIssuer.len);
-
- cert = CERT_FindCertByKey(handle, &certKey);
-
- PORT_Free(certKey.data);
-
- return(cert);
-}
-
-/*
- * Lookup a certificate in the database by name
- */
-CERTCertificate *
-CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
-{
- CERTCertificate *cert = NULL;
- CERTSubjectList *subjectList;
-
- CERT_LockDB(handle);
-
- subjectList = FindSubjectList(handle, name, PR_FALSE);
-
- if ( subjectList ) {
- PORT_Assert(subjectList->head);
- cert = CERT_FindCertByKeyNoLocking(handle,
- &subjectList->head->certKey);
- }
-
- CERT_UnlockDB(handle);
-
- return(cert);
-}
-
-/*
- * Lookup a certificate in the database by name and key ID
- */
-CERTCertificate *
-CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
-{
- CERTCertificate *cert = NULL;
- CERTSubjectList *subjectList;
- CERTSubjectNode *node;
-
- CERT_LockDB(handle);
-
- /* find the list of certs for the given subject */
- subjectList = FindSubjectList(handle, name, PR_FALSE);
-
- if ( subjectList ) {
- PORT_Assert(subjectList->head);
- node = subjectList->head;
-
- /* walk through the certs until we find one with a matching key ID */
- while ( node ) {
- if ( SECITEM_CompareItem(keyID, &node->keyID) == SECEqual ) {
- cert = CERT_FindCertByKeyNoLocking(handle, &node->certKey);
- break;
- }
- node = node->next;
- }
- }
-
- CERT_UnlockDB(handle);
-
- return(cert);
-}
-
-/*
- * look up a cert by its nickname string
- */
-CERTCertificate *
-CERT_FindCertByNickname(CERTCertDBHandle *handle, char *nickname)
-{
- DBT tmpdata;
- DBT namekey;
- CERTCertificate *cert;
- SECStatus rv;
- int ret;
- SECItem keyitem;
- PRArenaPool *arena = NULL;
- certDBEntryCert *entry;
-
- PORT_Assert(nickname != NULL);
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBNicknameKey(nickname, arena, &keyitem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- namekey.data = keyitem.data;
- namekey.size = keyitem.len;
-
- /* lookup in the temporary database */
- ret = certdb_Get(handle->tempCertDB, &namekey, &tmpdata, 0);
-
- /* error accessing the database */
- if ( ret < 0 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- if ( ret == 0 ) { /* found in temp database */
- SECItem nameitem;
-
- nameitem.len = tmpdata.size;
- nameitem.data = (unsigned char *)PORT_Alloc(tmpdata.size);
- if ( nameitem.data == NULL ) {
- goto loser;
- }
- PORT_Memcpy(nameitem.data, tmpdata.data, nameitem.len);
- cert = CERT_FindCertByName(handle, &nameitem);
- PORT_Free(nameitem.data);
- } else { /* not found in temporary database */
-
- CERT_LockDB(handle);
-
- entry = SEC_FindPermCertByNickname(handle, nickname);
-
- if ( entry == NULL ) {
- CERT_UnlockDB(handle);
- goto loser;
- }
-
- cert = SEC_AddPermCertToTemp(handle, entry);
- CERT_UnlockDB(handle);
- }
-
- PORT_FreeArena(arena, PR_FALSE);
-
- return(cert);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(0);
-}
-
-/*
- * look for the given DER certificate in the database
- */
-CERTCertificate *
-CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
-{
- PRArenaPool *arena;
- SECItem certKey;
- SECStatus rv;
- CERTCertificate *cert = NULL;
-
- /* create a scratch arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return(NULL);
- }
-
- /* extract the database key from the cert */
- rv = CERT_KeyFromDERCert(arena, derCert, &certKey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* find the certificate */
- cert = CERT_FindCertByKey(handle, &certKey);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(cert);
-}
-
-/*
- * The following is bunch of types and code to allow looking up a certificate
- * by a hash of its subject public key. Because the words "hash" and "key"
- * are overloaded and thus terribly confusing, I tried to disambiguate things.
- * - Where I could, I used "digest" instead of "hash" when referring to
- * hashing of the subject public key. The PLHashTable interfaces and
- * our own HASH_Foo interfaces had to be left as is, obviously. The latter
- * should be thought of as "digest" in this case.
- * - There are three keys in use here -- the subject public key, the key
- * used to do a lookup in the PLHashTable, and the key used to do a lookup
- * in the cert database. As the latter is a fairly pervasive interface,
- * I left it alone. The other two uses I changed to "spk" or "SPK" when
- * referring to the subject public key, and "index" when referring to the
- * key into the PLHashTable.
- */
-
-typedef struct SPKDigestInfoStr {
- PLHashTable *table;
- PRBool permPopulated;
-} SPKDigestInfo;
-
-/*
- * Since the key hash information is "hidden" (in a void pointer in the handle)
- * these macros with the appropriate casts make it easy to get at the parts.
- */
-#define SPK_DIGEST_TABLE(handle) \
- (((SPKDigestInfo *)(handle->spkDigestInfo))->table)
-
-/*
-** Hash allocator ops for the SPKDigest hash table. The rules are:
-** + The index and value fields are "owned" by the hash table, and are
-** freed when the table entry is deleted.
-** + Replacing a value in the table is not allowed, since the caller can't
-** tell whether the index field was used or not, resulting in a memory
-** leak. (This is a bug in the PL_Hash routines.
-*/
-static void * PR_CALLBACK
-spkAllocTable(void *pool, PRSize size)
-{
-#if defined(XP_MAC)
-#pragma unused (pool)
-#endif
-
- return PR_MALLOC(size);
-}
-
-static void PR_CALLBACK
-spkFreeTable(void *pool, void *item)
-{
-#if defined(XP_MAC)
-#pragma unused (pool)
-#endif
-
- PR_Free(item);
-}
-
-/* NOTE: the key argument here appears to be useless, since the RawAdd
- * routine in PL_Hash just uses the original anyway.
- */
-static PLHashEntry * PR_CALLBACK
-spkAllocEntry(void *pool, const void *key)
-{
-#if defined(XP_MAC)
-#pragma unused (pool,key)
-#endif
-
- return PR_NEW(PLHashEntry);
-}
-
-static void PR_CALLBACK
-spkFreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
-{
-#if defined(XP_MAC)
-#pragma unused (pool)
-#endif
-
- SECItem *value = (SECItem *)he->value;
-
- /* The flag should always be to free the whole entry. Otherwise the
- * index field gets leaked because the caller can't tell whether
- * the "new" value (which is the same as the old) was used or not.
- */
- PORT_Assert(flag == HT_FREE_ENTRY);
-
- /* We always free the value */
- SECITEM_FreeItem(value, PR_TRUE);
-
- if (flag == HT_FREE_ENTRY)
- {
- /* Comes from BTOA, is this the right free call? */
- PORT_Free((char *)he->key);
- PR_Free(he);
- }
-}
-
-static PLHashAllocOps spkHashAllocOps = {
- spkAllocTable, spkFreeTable,
- spkAllocEntry, spkFreeEntry
-};
-
-
-/*
- * Create the key hash lookup table. Note that the table, and the
- * structure which holds it and a little more information, is never freed.
- * This is because the temporary database is never actually closed out,
- * so there is no safe/obvious place to free the whole thing.
- *
- * The database must be locked already.
- */
-static SECStatus
-InitDBspkDigestInfo(CERTCertDBHandle *handle)
-{
- SPKDigestInfo *spkDigestInfo;
- PLHashTable *table;
-
- PORT_Assert(handle != NULL);
- PORT_Assert(handle->spkDigestInfo == NULL);
-
- spkDigestInfo = PORT_ZAlloc(sizeof(SPKDigestInfo));
- if ( spkDigestInfo == NULL ) {
- return(SECFailure);
- }
-
- table = PL_NewHashTable(128, PL_HashString, PL_CompareStrings,
- (PLHashComparator) SECITEM_ItemsAreEqual,
- &spkHashAllocOps, NULL);
- if ( table == NULL ) {
- PORT_Free(spkDigestInfo);
- return(SECFailure);
- }
-
- spkDigestInfo->table = table;
- handle->spkDigestInfo = spkDigestInfo;
- return(SECSuccess);
-}
-
-static SECHashObject *
-OidTagToRawDigestObject(SECOidTag digestAlg)
-{
- SECHashObject *rawDigestObject;
-
- switch (digestAlg) {
- case SEC_OID_MD2:
- rawDigestObject = &SECRawHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_MD5:
- rawDigestObject = &SECRawHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_SHA1:
- rawDigestObject = &SECRawHashObjects[HASH_AlgSHA1];
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- rawDigestObject = NULL;
- break;
- }
- return(rawDigestObject);
-}
-
-/*
- * Digest the cert's subject public key using the specified algorithm.
- * The necessary storage for the digest data is allocated. If "fill" is
- * non-null, the data is put there, otherwise a SECItem is allocated.
- * Allocation from "arena" if it is non-null, heap otherwise. Any problem
- * results in a NULL being returned (and an appropriate error set).
- */
-SECItem *
-CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
- SECOidTag digestAlg, SECItem *fill)
-{
- SECHashObject *digestObject;
- void *digestContext;
- SECItem *result = NULL;
- void *mark = NULL;
- SECItem spk;
-
- if ( arena != NULL ) {
- mark = PORT_ArenaMark(arena);
- }
-
- /*
- * This can end up being called before PKCS #11 is initialized,
- * so we have to use the raw digest functions.
- */
- digestObject = OidTagToRawDigestObject(digestAlg);
- if ( digestObject == NULL ) {
- goto loser;
- }
-
- result = SECITEM_AllocItem(arena, fill, digestObject->length);
- if ( result == NULL ) {
- goto loser;
- }
-
- /*
- * Copy just the length and data pointer (nothing needs to be freed)
- * of the subject public key so we can convert the length from bits
- * to bytes, which is what the digest function expects.
- */
- spk = cert->subjectPublicKeyInfo.subjectPublicKey;
- DER_ConvertBitString(&spk);
-
- /*
- * Now digest the value, using the specified algorithm.
- */
- digestContext = digestObject->create();
- if ( digestContext == NULL ) {
- goto loser;
- }
- digestObject->begin(digestContext);
- digestObject->update(digestContext, spk.data, spk.len);
- digestObject->end(digestContext, result->data, &(result->len), result->len);
- digestObject->destroy(digestContext, PR_TRUE);
-
- if ( arena != NULL ) {
- PORT_ArenaUnmark(arena, mark);
- }
- return(result);
-
-loser:
- if ( arena != NULL ) {
- PORT_ArenaRelease(arena, mark);
- } else {
- if ( result != NULL ) {
- SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
- }
- }
- return(NULL);
-}
-
-/*
- * Return the index for the spk digest lookup table for "spkDigest".
- *
- * Caller is responsible for freeing the returned string.
- */
-static char *
-spkDigestIndexFromDigest(SECItem *spkDigest)
-{
- return BTOA_ConvertItemToAscii(spkDigest);
-}
-
-/*
- * Return the index for the spk digest lookup table for this certificate,
- * based on the specified digest algorithm.
- *
- * Caller is responsible for freeing the returned string.
- */
-static char *
-spkDigestIndexFromCert(CERTCertificate *cert, SECOidTag digestAlg)
-{
- SECItem *spkDigest;
- char *index;
-
- spkDigest = CERT_SPKDigestValueForCert(NULL, cert, digestAlg, NULL);
- if ( spkDigest == NULL )
- return(NULL);
-
- index = spkDigestIndexFromDigest(spkDigest);
-
- SECITEM_FreeItem(spkDigest, PR_TRUE);
-
- return(index);
-}
-
-/*
- * Remove the spk digest for the given cert from the spk digest table,
- * based on the given digest algorithm.
- *
- * The database must be locked already.
- */
-static SECStatus
-RemoveCertFromSPKDigestTableForAlg(CERTCertDBHandle *handle,
- CERTCertificate *cert, SECOidTag digestAlg)
-{
- SECStatus rv = SECSuccess;
- char *index = NULL;
- PLHashTable *table;
-
- /* Expect to only be called if there is a table to work with. */
- PORT_Assert(handle->spkDigestInfo != NULL);
-
- table = SPK_DIGEST_TABLE(handle);
- PORT_Assert(table != NULL);
-
- index = spkDigestIndexFromCert(cert, digestAlg);
- if ( index == NULL ) {
- rv = SECFailure;
- goto done;
- }
-
- if ( PL_HashTableRemove(table, index) != PR_TRUE ) {
- /* not found means nothing to remove, which is fine */
- }
-
-done:
- if ( index != NULL ) {
- PORT_Free(index);
- }
- return(rv);
-}
-
-/*
- * Remove the spk digests for the given cert from the spk digest table,
- * for all known digest algorithms.
- *
- * The database must be locked already.
- */
-static SECStatus
-RemoveCertFromSPKDigestTable(CERTCertDBHandle *handle, CERTCertificate *cert)
-{
- /*
- * If no certs have been added yet, then nothing to do.
- */
- if ( handle->spkDigestInfo == NULL ) {
- return(SECSuccess);
- }
-
- (void) RemoveCertFromSPKDigestTableForAlg(handle, cert, SEC_OID_MD2);
- (void) RemoveCertFromSPKDigestTableForAlg(handle, cert, SEC_OID_MD5);
- return RemoveCertFromSPKDigestTableForAlg(handle, cert, SEC_OID_SHA1);
-}
-
-/*
- * Add the spk digest for the given cert to the spk digest table,
- * based on the given digest algorithm.
- *
- * If a cert for the same spk digest is already in the table, choose whichever
- * cert is "newer". (The other cert cannot be found via spk digest.)
- *
- * The database must be locked already.
- *
- * XXX Note that this implementation results in leaking the index value.
- * Fixing that did not seem worth the trouble, given we will only leak
- * once per cert. This whole thing should be done differently in the
- * new rewrite (Stan), and then the problem will go away.
- */
-static SECStatus
-AddCertToSPKDigestTableForAlg(CERTCertDBHandle *handle, CERTCertificate *cert,
- SECItem *certDBKey, SECOidTag digestAlg)
-{
- SECStatus rv = SECFailure;
- SECItem *oldCertDBKey;
- PRBool addit = PR_TRUE;
- CERTCertificate *oldCert = NULL;
- char *index = NULL;
- PLHashTable *table;
-
- /*
- * After running some testing doing key hash lookups (like using OCSP),
- * if these are never hit, they can probably be removed.
- */
- PORT_Assert(handle != NULL);
- PORT_Assert(handle == cert->dbhandle);
- PORT_Assert(handle->spkDigestInfo != NULL);
- PORT_Assert((certDBKey == &cert->certKey)
- || (SECITEM_CompareItem(certDBKey,
- &cert->certKey) == SECEqual));
-
- table = SPK_DIGEST_TABLE(handle);
- PORT_Assert(table != NULL);
-
- index = spkDigestIndexFromCert(cert, digestAlg);
- if ( index == NULL ) {
- goto loser;
- }
-
- /*
- * See if this cert's spk digest is already in the table.
- */
- oldCertDBKey = PL_HashTableLookup(table, index);
- if ( oldCertDBKey != NULL ) {
- /*
- * The spk digest *is* already in the table. We need to find that
- * cert and see -- if it is the same, then we can just leave as is.
- * Otherwise we have to choose which cert we want represented;
- * in that case the best plan I can think of is to hang onto the
- * most recent one.
- */
- oldCert = CERT_FindCertByKey(handle, oldCertDBKey);
- if ( oldCert != NULL ) {
- if ( cert == oldCert ) {
- /* They are the same cert, so we are done. */
- addit = PR_FALSE;
- } else if ( CERT_IsNewer(cert, oldCert) ) {
- if ( PL_HashTableRemove(table, index) != PR_TRUE ) {
- goto loser;
- }
- } else {
- /* oldCert is "newer", so we are done. */
- addit = PR_FALSE;
- }
- }
- }
-
- if ( addit ) {
- certDBKey = SECITEM_DupItem(certDBKey);
- if ( certDBKey == NULL ) {
- goto loser;
- }
- if ( PL_HashTableAdd(table, index, certDBKey) == NULL ) {
- SECITEM_FreeItem(certDBKey, PR_TRUE);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- index = NULL; /* don't want to free it */
- }
-
- rv = SECSuccess;
-
-loser:
- if ( index != NULL ) {
- PORT_Free(index);
- }
- if ( oldCert != NULL ) {
- CERT_DestroyCertificate(oldCert);
- }
- return(rv);
-}
-
-/*
- * Add the spk digest for the given cert to the spk digest table,
- * for all known digest algorithms.
- *
- * The database must be locked already, and the digest table already created.
- */
-static SECStatus
-AddCertToSPKDigestTableForAllAlgs(CERTCertDBHandle *handle,
- CERTCertificate *cert, SECItem *certDBKey)
-{
- (void) AddCertToSPKDigestTableForAlg(handle, cert, certDBKey, SEC_OID_MD2);
- (void) AddCertToSPKDigestTableForAlg(handle, cert, certDBKey, SEC_OID_MD5);
- return AddCertToSPKDigestTableForAlg(handle, cert, certDBKey, SEC_OID_SHA1);
-}
-
-/*
- * Add the spk digests for the given cert to the spk digest table,
- * for all known digest algorithms. (This function is called when a
- * new cert is added to the temporary database.)
- *
- * If the spk digest table does not yet exist, create it.
- *
- * In an ideal world, we would not hardwire the digest algorithms.
- * But it is the case that we do not currently support any digest
- * algorithms outside of these three. In the newer, cleaned-up world,
- * this may be done differently.
- *
- * The database must be locked already.
- */
-static SECStatus
-AddCertToSPKDigestTable(CERTCertDBHandle *handle, CERTCertificate *cert)
-{
- SECStatus rv;
-
- if ( handle->spkDigestInfo == NULL ) {
- rv = InitDBspkDigestInfo(handle);
- if ( rv != SECSuccess ) {
- return(rv);
- }
- }
-
- return AddCertToSPKDigestTableForAllAlgs(handle, cert, &cert->certKey);
-}
-
-/*
- * Add the spk digest for the given cert to the spk digest table,
- * for all known digest algorithms. This function is called while
- * traversing all of the certs in the permanent database -- since
- * that imposes some constraints on its arguments this routine is a
- * simple cover for the "real" interface.
- *
- * The database must be locked already, and the digest table already created.
- */
-static SECStatus
-AddCertToSPKDigestTableInTraversal(CERTCertificate *cert, SECItem *certDBKey,
- void *data)
-{
- CERTCertDBHandle *handle = data;
-
- return AddCertToSPKDigestTableForAllAlgs(handle, cert, certDBKey);
-}
-
-/*
- * Add the spk digests for the all permanent certs to the spk digest table,
- * for all known digest algorithms.
- *
- * This locks the database, and then checks to make sure that the work
- * actually needs to get done.
- *
- * If the spk digest table does not yet exist, it is created.
- */
-static SECStatus
-PopulateSPKDigestTable(CERTCertDBHandle *handle)
-{
- SPKDigestInfo *spkDigestInfo;
- SECStatus rv = SECSuccess;
-
- CERT_LockDB(handle);
-
- spkDigestInfo = handle->spkDigestInfo;
- if ( spkDigestInfo == NULL ) {
- rv = InitDBspkDigestInfo(handle);
- if ( rv != SECSuccess ) {
- return(rv);
- }
- spkDigestInfo = handle->spkDigestInfo;
- PORT_Assert(spkDigestInfo != NULL);
- } else {
- /*
- * Check to see if someone already did it; it is important to do
- * this after getting the lock.
- */
- if ( spkDigestInfo->permPopulated == PR_TRUE ) {
- goto done;
- }
- }
-
- rv = TraversePermCertsNoLocking(handle, AddCertToSPKDigestTableInTraversal,
- handle);
-
- if ( rv != SECSuccess ) {
- goto done;
- }
-
- spkDigestInfo->permPopulated = PR_TRUE;
-
-done:
- CERT_UnlockDB(handle);
-
- return(rv);
-}
-
-/*
- * Lookup a certificate by a digest of a subject public key. If it is
- * found, it is returned (and must then be destroyed by the caller).
- * NULL is returned otherwise -- if there was a problem performing the
- * lookup, an appropriate error is set (e.g. SEC_ERROR_NO_MEMORY);
- * if the cert simply was not found, the error is SEC_ERROR_UNKNOWN_CERT.
- *
- * If the lookup table has not yet been created or populated, do that first.
- */
-CERTCertificate *
-CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest)
-{
- SPKDigestInfo *spkDigestInfo;
- char *index = NULL;
- SECItem *certDBKey;
- CERTCertificate *cert = NULL;
-
- PORT_Assert(handle != NULL);
- spkDigestInfo = handle->spkDigestInfo;
-
- if ( spkDigestInfo == NULL || spkDigestInfo->permPopulated != PR_TRUE ) {
- if ( PopulateSPKDigestTable(handle) != SECSuccess ) {
- goto loser;
- }
- }
-
- index = spkDigestIndexFromDigest(spkDigest);
- if ( index == NULL ) {
- goto loser;
- }
-
- certDBKey = PL_HashTableLookup(SPK_DIGEST_TABLE(handle), index);
- if ( certDBKey != NULL ) {
- cert = CERT_FindCertByKey(handle, certDBKey);
- }
-
- if ( cert == NULL ) {
- PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
- }
-
-loser:
- if ( index != NULL ) {
- PORT_Free(index);
- }
- return(cert);
-}
-
-static void
-DestroyCertificate(CERTCertificate *cert, PRBool lockdb)
-{
- int refCount;
- CERTCertDBHandle *handle;
-
- if ( cert ) {
-
- handle = cert->dbhandle;
-
- /*
- * handle may be NULL, for example if the cert was created with
- * CERT_DecodeDERCertificate.
- */
- if ( lockdb && handle ) {
- CERT_LockDB(handle);
- }
-
- CERT_LockCertRefCount(cert);
- PORT_Assert(cert->referenceCount > 0);
- refCount = --cert->referenceCount;
- CERT_UnlockCertRefCount(cert);
-
- if ( ( refCount == 0 ) && !cert->keepSession ) {
- certDBEntryCert *entry = cert->dbEntry;
- PRArenaPool * arena = cert->arena;
-
- if ( cert->istemp ) {
- CERT_DeleteTempCertificate(cert);
- }
-
- if ( entry ) {
- DestroyDBEntry((certDBEntry *)entry);
- }
-
- /* zero cert before freeing. Any stale references to this cert
- * after this point will probably cause an exception. */
- PORT_Memset(cert, 0, sizeof *cert);
-
- cert = NULL;
-
- /* free the arena that contains the cert. */
- PORT_FreeArena(arena, PR_FALSE);
- }
- if ( lockdb && handle ) {
- CERT_UnlockDB(handle);
- }
- }
-
- return;
-}
-
-void
-CERT_DestroyCertificate(CERTCertificate *cert)
-{
- DestroyCertificate(cert, PR_TRUE);
- return;
-}
-
-void
-CERT_DestroyCertificateNoLocking(CERTCertificate *cert)
-{
- DestroyCertificate(cert, PR_FALSE);
- return;
-}
-
-/*
- * cache a CRL from the permanent database into the temporary database
- */
-CERTSignedCrl *
-SEC_AddPermCrlToTemp(CERTCertDBHandle *handle, certDBEntryRevocation *entry)
-{
- CERTSignedCrl *crl = NULL;
- DBT key;
- DBT data;
- int status;
- PRArenaPool *arena = NULL;
- SECItem keyitem;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- crl = CERT_DecodeDERCrl(NULL, &entry->derCrl,
- entry->common.type == certDBEntryTypeRevocation ?
- SEC_CRL_TYPE : SEC_KRL_TYPE);
-
- if ( crl == NULL ) {
- goto loser;
- }
-
- /* only save pointer to cert in database */
- data.data = &crl;
- data.size = sizeof(crl);
-
-
- rv = EncodeDBGenericKey(&(crl->crl.derName), arena,
- &keyitem, entry->common.type);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- if (entry->url) {
- int nnlen = PORT_Strlen(entry->url) + 1;
- crl->url = (char *)PORT_ArenaAlloc(crl->arena, nnlen);
- if ( !crl->url ) {
- goto loser;
- }
- PORT_Memcpy(crl->url, entry->url, nnlen);
- } else {
- crl->url = NULL;
- }
-
- key.data = keyitem.data;
- key.size = keyitem.len;
-
- /* enter into main db */
- status = certdb_Put(handle->tempCertDB, &key, &data, R_NOOVERWRITE);
- if ( status ) {
- goto loser;
- }
-
- crl->istemp = PR_TRUE;
- crl->isperm = PR_TRUE;
- crl->dbhandle = handle;
- crl->dbEntry = entry;
-
-
- PORT_FreeArena(arena, PR_FALSE);
-
- crl->keep = PR_TRUE;
- return(crl);
-
-loser:
- if ( crl ) {
- SEC_DestroyCrl(crl);
- }
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(0);
-}
-
-SECStatus
-SEC_DeleteTempCrl(CERTSignedCrl *crl)
-{
- SECStatus rv;
- DBT nameKey;
- CERTCertDBHandle *handle;
- SECItem keyitem;
- PRArenaPool *arena;
- int ret;
-
- handle = crl->dbhandle;
-
- if ( !crl->istemp ) {
- return(SECSuccess);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBGenericKey
- (&crl->crl.derName, arena, &keyitem, crl->dbEntry->common.type);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- nameKey.data = keyitem.data;
- nameKey.size = keyitem.len;
-
- /* delete the cert */
- ret = certdb_Del(handle->tempCertDB, &nameKey, 0);
- if ( ret ) {
- goto loser;
- }
-
- crl->istemp = PR_FALSE;
-
- PORT_FreeArena(arena, PR_FALSE);
- return(SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(SECFailure);
-}
-
-/*
- * Lookup a CRL in the databases. We mirror the same fast caching data base
- * caching stuff used by certificates....?
- */
-CERTSignedCrl *
-SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type)
-{
- DBT tmpdata;
- int ret;
- SECItem keyitem;
- DBT key;
- SECStatus rv;
- CERTSignedCrl *crl = NULL;
- PRArenaPool *arena = NULL;
- certDBEntryRevocation *entry;
- certDBEntryType crlType = (type == SEC_CRL_TYPE) ?
- certDBEntryTypeRevocation : certDBEntryTypeKeyRevocation;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- rv = EncodeDBGenericKey(crlKey, arena, &keyitem, crlType);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- key.data = keyitem.data;
- key.size = keyitem.len;
-
- /* lookup in the temporary database */
- ret = certdb_Get( handle->tempCertDB, &key, &tmpdata, 0 );
-
- /* error accessing the database */
- if ( ret < 0 ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- if ( ret == 0 ) { /* found in temp database */
- if ( tmpdata.size != sizeof(CERTSignedCrl *) ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- goto loser;
- }
-
- PORT_Memcpy(&crl, tmpdata.data, tmpdata.size);
- crl->referenceCount++;
- } else { /* not found in temporary database */
-
- /* find in perm database */
- entry = ReadDBCrlEntry(handle, crlKey, crlType);
-
- if ( entry == NULL ) {
- goto loser;
- }
-
- crl = SEC_AddPermCrlToTemp(handle, entry);
- }
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(crl);
-}
-
-
-CERTSignedCrl *
-SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
-{
- return SEC_FindCrlByKey(handle,crlKey,type);
-}
-
-CERTSignedCrl *
-SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type)
-{
- PRArenaPool *arena;
- SECItem crlKey;
- SECStatus rv;
- CERTSignedCrl *crl = NULL;
-
- /* create a scratch arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return(NULL);
- }
-
- /* extract the database key from the cert */
- rv = CERT_KeyFromDERCrl(arena, derCrl, &crlKey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* find the crl */
- crl = SEC_FindCrlByKey(handle, &crlKey, type);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(crl);
-}
-
-
-SECStatus
-SEC_DestroyCrl(CERTSignedCrl *crl)
-{
- if (crl) {
- if (crl->referenceCount-- <= 1) {
- if (!crl->keep) {
- SEC_DeleteTempCrl(crl);
- if (crl->dbEntry) {
- DestroyDBEntry((certDBEntry *)crl->dbEntry);
- }
- PORT_FreeArena(crl->arena, PR_FALSE);
- }
- }
- }
- return SECSuccess;
-}
-
-CERTSignedCrl *
-cert_DBInsertCRL (CERTCertDBHandle *handle, char *url,
- CERTSignedCrl *newCrl, SECItem *derCrl, int type)
-{
- CERTSignedCrl *oldCrl = NULL, *crl = NULL;
- certDBEntryRevocation *entry = NULL;
- PRArenaPool *arena = NULL;
- SECCertTimeValidity validity;
- certDBEntryType crlType = (type == SEC_CRL_TYPE) ?
- certDBEntryTypeRevocation : certDBEntryTypeKeyRevocation;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto done;
-
- validity = SEC_CheckCrlTimes(&newCrl->crl,PR_Now());
- if ( validity == secCertTimeExpired) {
- if (type == SEC_CRL_TYPE) {
- PORT_SetError(SEC_ERROR_CRL_EXPIRED);
- } else {
- PORT_SetError(SEC_ERROR_KRL_EXPIRED);
- }
- goto done;
- } else if (validity == secCertTimeNotValidYet) {
- if (type == SEC_CRL_TYPE) {
- PORT_SetError(SEC_ERROR_CRL_NOT_YET_VALID);
- } else {
- PORT_SetError(SEC_ERROR_KRL_NOT_YET_VALID);
- }
- goto done;
- }
-
- oldCrl = SEC_FindCrlByKey(handle, &newCrl->crl.derName, type);
-
- /* if there is an old crl, make sure the one we are installing
- * is newer. If not, exit out, otherwise delete the old crl.
- */
- if (oldCrl != NULL) {
- if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
-
- if (type == SEC_CRL_TYPE) {
- PORT_SetError(SEC_ERROR_OLD_CRL);
- } else {
- PORT_SetError(SEC_ERROR_OLD_KRL);
- }
-
- goto done;
- }
-
- if ((SECITEM_CompareItem(&newCrl->crl.derName,
- &oldCrl->crl.derName) != SECEqual) &&
- (type == SEC_KRL_TYPE) ) {
-
- PORT_SetError(SEC_ERROR_CKL_CONFLICT);
- goto done;
- }
-
- /* if we have a url in the database, use that one */
- if (oldCrl->url) {
- int nnlen = PORT_Strlen(oldCrl->url) + 1;
- url = (char *)PORT_ArenaAlloc(arena, nnlen);
- if ( url != NULL ) {
- PORT_Memcpy(url, oldCrl->url, nnlen);
- }
- }
-
-
- /* really destroy this crl */
- /* first drum it out of the permanment Data base */
- SEC_DeletePermCRL(oldCrl);
- /* then get rid of our reference to it... */
- SEC_DestroyCrl(oldCrl);
- oldCrl = NULL;
-
- }
-
- /* Write the new entry into the data base */
- entry = NewDBCrlEntry(derCrl, url, crlType, 0);
- if (entry == NULL) goto done;
-
- rv = WriteDBCrlEntry(handle, entry);
- if (rv != SECSuccess) goto done;
-
- crl = SEC_AddPermCrlToTemp(handle, entry);
- if (crl) entry = NULL; /*crl->dbEntry now points to entry data */
- crl->isperm = PR_TRUE;
-
-done:
- if (entry) DestroyDBEntry((certDBEntry *)entry);
- if (arena) PORT_FreeArena(arena, PR_FALSE);
- if (oldCrl) SEC_DestroyCrl(oldCrl);
-
- return crl;
-}
-
-
-/*
- * create a new CRL from DER material.
- *
- * The signature on this CRL must be checked before you
- * load it. ???
- */
-CERTSignedCrl *
-SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type)
-{
- CERTSignedCrl *newCrl = NULL, *crl = NULL;
-
- /* make this decode dates! */
- newCrl = CERT_DecodeDERCrl(NULL, derCrl, type);
- if (newCrl == NULL) {
- if (type == SEC_CRL_TYPE) {
- PORT_SetError(SEC_ERROR_CRL_INVALID);
- } else {
- PORT_SetError(SEC_ERROR_KRL_INVALID);
- }
- goto done;
- }
-
- crl = cert_DBInsertCRL (handle, url, newCrl, derCrl, type);
-
-
-done:
- if (newCrl) PORT_FreeArena(newCrl->arena, PR_FALSE);
-
- return crl;
-}
-
-
-/*
- * replace the existing URL in the data base with a new one
- */
-SECStatus
-SEC_CrlReplaceUrl(CERTSignedCrl *crl,char *url) {
- SECStatus rv = SECFailure;
- certDBEntryRevocation *entry = NULL;
- int nnlen=0;
-
- SEC_DeletePermCRL(crl);
-
- /* Write the new entry into the data base */
- entry = NewDBCrlEntry(&crl->dbEntry->derCrl, url, crl->dbEntry->common.type, 0);
- if (entry == NULL) goto done;
-
- rv = WriteDBCrlEntry(crl->dbhandle, entry);
- if (rv != SECSuccess) goto done;
-
- if (url) {
- nnlen = PORT_Strlen(url) + 1;
- crl->url = (char *)PORT_ArenaAlloc(crl->arena, nnlen);
- if ( !crl->url ) {
- goto done;
- }
- PORT_Memcpy(crl->url, url, nnlen);
- } else {
- crl->url = NULL;
- }
-done:
- return rv;
-}
-
-
-/*
- * collect a linked list of CRL's
- */
-static SECStatus CollectCrls(SECItem *dbdata, SECItem *dbkey,
- certDBEntryType type, void *data) {
- SECStatus rv;
- certDBEntryRevocation entry;
- SECItem entryitem;
- PRArenaPool *arena = NULL;
- CERTCrlHeadNode *head;
- CERTCrlNode *new_node;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- head = (CERTCrlHeadNode *)data;
- entry.common.version = (unsigned int)dbdata->data[0];
- entry.common.type = (certDBEntryType)dbdata->data[1];
- entry.common.flags = (unsigned int)dbdata->data[2];
- entry.common.arena = arena;
-
- entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
- entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
-
- rv = DecodeDBCrlEntry(&entry, &entryitem);
- if (rv != SECSuccess ) {
- goto loser;
- }
-
- new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode));
- if (new_node == NULL) {
- goto loser;
- }
-
- new_node->type = (entry.common.type == certDBEntryTypeRevocation) ?
- SEC_CRL_TYPE : SEC_KRL_TYPE;
- new_node->crl=CERT_DecodeDERCrl(head->arena,&entry.derCrl,new_node->type);
-
- if (entry.url) {
- int nnlen = PORT_Strlen(entry.url) + 1;
- new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen);
- if ( !new_node->crl->url ) {
- goto loser;
- }
- PORT_Memcpy(new_node->crl->url, entry.url, nnlen);
- } else {
- new_node->crl->url = NULL;
- }
-
-
- new_node->next = NULL;
- if (head->last) {
- head->last->next = new_node;
- head->last = new_node;
- } else {
- head->first = head->last = new_node;
- }
- return (SECSuccess);
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return(SECFailure);
-}
-
-
-SECStatus
-SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
-{
- CERTCrlHeadNode *head;
- PRArenaPool *arena = NULL;
- SECStatus rv;
-
- *nodes = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return SECFailure;
- }
-
- /* build a head structure */
- head = (CERTCrlHeadNode *)PORT_ArenaAlloc(arena, sizeof(CERTCrlHeadNode));
- head->arena = arena;
- head->first = NULL;
- head->last = NULL;
- head->dbhandle = handle;
-
- /* Look up the proper crl types */
- *nodes = head;
-
- CERT_LockDB(handle);
-
- switch (type) {
- case SEC_CRL_TYPE:
- rv = SEC_TraverseDBEntries(handle, certDBEntryTypeRevocation,
- CollectCrls, (void *)head);
- break;
- case SEC_KRL_TYPE:
- rv = SEC_TraverseDBEntries(handle, certDBEntryTypeKeyRevocation,
- CollectCrls, (void *)head);
- break;
- case -1:
- rv = SEC_TraverseDBEntries(handle, certDBEntryTypeKeyRevocation,
- CollectCrls, (void *)head);
- if (rv != SECSuccess) break;
- rv = SEC_TraverseDBEntries(handle, certDBEntryTypeRevocation,
- CollectCrls, (void *)head);
- break;
- default:
- rv = SECFailure;
- break;
- }
-
- CERT_UnlockDB(handle);
-
- if (rv != SECSuccess) {
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- *nodes = NULL;
- }
- }
-
- return rv;
-}
-
-
-SECStatus
-SEC_DeletePermCRL(CERTSignedCrl *crl) {
- SECStatus rv;
-
- if (crl == NULL) {
- return SECFailure;
- }
-
- rv = DeleteDBCrlEntry(crl->dbhandle, &crl->crl.derName,
- crl->dbEntry->common.type);
- if (rv != SECSuccess) goto done;
-
- /* now force it to be freed when all the reference counts go */
- crl->keep = PR_FALSE;
- /* force it out of the temporary data base */
- SEC_DeleteTempCrl(crl);
-
-done:
- return rv;
-}
-
-/*
- * find a cert by email address
- *
- * pick one that is a valid recipient, meaning that it is an encryption
- * cert.
- *
- */
-static CERTCertificate*
-find_smime_recipient_cert(CERTCertDBHandle* handle, const char* email_addr)
-{
- CERTCertificate* cert = NULL;
- CERTCertList* certList = NULL;
- SECStatus rv;
-
- certList = CERT_CreateEmailAddrCertList(NULL, handle, (char*)email_addr,
- PR_Now(), PR_TRUE);
- if (certList == NULL) {
- return NULL;
- }
-
- rv = CERT_FilterCertListByUsage(certList, certUsageEmailRecipient,
- PR_FALSE);
-
- if (!CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) {
- cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
- }
-
- CERT_DestroyCertList(certList);
-
- return cert; /* cert may point to a cert or may be NULL */
-}
-
-/*
- * This function has the logic that decides if another person's cert and
- * email profile from an S/MIME message should be saved. It can deal with
- * the case when there is no profile.
- */
-SECStatus
-CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
- SECItem *profileTime)
-{
- certDBEntrySMime *entry = NULL, *oldentry = NULL;
- int64 oldtime;
- int64 newtime;
- SECStatus rv;
- CERTCertificate *oldcert = NULL;
- PRBool saveit;
- CERTCertTrust trust;
- CERTCertTrust tmptrust;
- char *emailAddr;
-
- emailAddr = cert->emailAddr;
-
- PORT_Assert(emailAddr);
- if ( emailAddr == NULL ) {
- goto loser;
- }
-
- saveit = PR_FALSE;
-
- oldcert = find_smime_recipient_cert(cert->dbhandle, emailAddr);
- if (oldcert) {
- /* see if there is an entry already */
- oldentry = ReadDBSMimeEntry(cert->dbhandle, emailAddr);
- }
-
- /* both profileTime and emailProfile have to exist or not exist */
- if ( emailProfile == NULL ) {
- profileTime = NULL;
- } else if ( profileTime == NULL ) {
- emailProfile = NULL;
- }
-
- if ( oldentry == NULL ) {
- /* no old entry for this address */
- PORT_Assert(oldcert == NULL);
- saveit = PR_TRUE;
- } else {
- /* there was already a profile for this email addr */
- if ( profileTime ) {
- /* we have an old and new profile - save whichever is more recent*/
- if ( oldentry->optionsDate.len == 0 ) {
- /* always replace if old entry doesn't have a time */
- oldtime = LL_MININT;
- } else {
- rv = DER_UTCTimeToTime(&oldtime, &oldentry->optionsDate);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- rv = DER_UTCTimeToTime(&newtime, profileTime);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- if ( LL_CMP(newtime, >, oldtime ) ) {
- /* this is a newer profile, save it and cert */
- saveit = PR_TRUE;
- }
- } else {
- /* we don't have a new profile or time */
- if ( oldentry->optionsDate.len == 0 ) {
- /* the old entry doesn't have a time either, so compare certs*/
- if ( CERT_IsNewer(cert, oldcert) ) {
- /* new cert is newer, use it instead */
- saveit = PR_TRUE;
- }
- } else {
- if (oldcert) {
- if (CERT_IsNewer(cert, oldcert)) {
- saveit = PR_TRUE;
- }
- } else {
- saveit = PR_TRUE;
- }
- }
- }
- }
-
- if ( saveit ) {
- if ( oldcert && ( oldcert != cert ) ) {
- /* old cert is different from new cert */
- if ( PORT_Memcmp(oldcert->trust, &trust, sizeof(trust)) == 0 ) {
- /* old cert is only for e-mail, so delete it */
- SEC_DeletePermCertificate(oldcert);
- } else {
- /* old cert is for other things too, so just change trust */
- tmptrust = *oldcert->trust;
- tmptrust.emailFlags &= ( ~CERTDB_VALID_PEER );
- rv = CERT_ChangeCertTrust(oldcert->dbhandle, oldcert,
- &tmptrust);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
- }
-
-/* Subroutine */
- /* now save the entry */
- entry = NewDBSMimeEntry(emailAddr, &cert->derSubject, emailProfile,
- profileTime, 0);
- if ( entry == NULL ) {
- goto loser;
- }
-
- CERT_LockDB(cert->dbhandle);
-
- rv = DeleteDBSMimeEntry(cert->dbhandle, emailAddr);
- /* if delete fails, try to write new entry anyway... */
-
- rv = WriteDBSMimeEntry(cert->dbhandle, entry);
- if ( rv != SECSuccess ) {
- CERT_UnlockDB(cert->dbhandle);
- goto loser;
- }
-
- /* link subject entry back here */
- rv = UpdateSubjectWithEmailAddr(cert, emailAddr);
- if ( rv != SECSuccess ) {
- CERT_UnlockDB(cert->dbhandle);
- goto loser;
- }
-
- CERT_UnlockDB(cert->dbhandle);
-/* End Subroutine */
- }
-
- rv = SECSuccess;
- goto done;
-
-loser:
- rv = SECFailure;
-
-done:
- if ( oldcert ) {
- CERT_DestroyCertificate(oldcert);
- }
-
- if ( entry ) {
- DestroyDBEntry((certDBEntry *)entry);
- }
- if ( oldentry ) {
- DestroyDBEntry((certDBEntry *)oldentry);
- }
-
- return(rv);
-}
-
-CERTCertificate *
-CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr)
-{
- certDBEntrySMime *entry;
- CERTCertificate *cert = NULL;
-
- emailAddr = CERT_FixupEmailAddr(emailAddr);
- if ( emailAddr == NULL ) {
- return(NULL);
- }
-
- entry = ReadDBSMimeEntry(handle, emailAddr);
-
- /* XXX - this will have to change when multiple certs per subject
- * are allowed
- */
- if ( entry != NULL ) {
- cert = CERT_FindCertByName(handle, &entry->subjectName);
- }
-
- if ( entry ) {
- DestroyDBEntry((certDBEntry *)entry);
- }
-
- PORT_Free(emailAddr);
-
- return(cert);
-}
-
-/*
- * find the smime symmetric capabilities profile for a given cert
- */
-SECItem *
-CERT_FindSMimeProfile(CERTCertificate *cert)
-{
- certDBEntrySMime *entry;
- SECItem *retitem = NULL;
-
- PORT_Assert(cert->emailAddr != NULL);
-
- if ( cert->emailAddr == NULL ) {
- return(NULL);
- }
-
- entry = ReadDBSMimeEntry(cert->dbhandle, cert->emailAddr);
-
- if ( entry ) {
- retitem = SECITEM_DupItem(&entry->smimeOptions);
- DestroyDBEntry((certDBEntry *)entry);
- }
-
- return(retitem);
-}
-
-CERTCertificate *
-CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name)
-{
- CERTCertificate *cert;
- cert = CERT_FindCertByNickname(handle, name);
- if ( cert == NULL ) {
- cert = CERT_FindCertByEmailAddr(handle, name);
- }
-
- return(cert);
-}
-
-PRBool
-CERT_IsCertRevoked(CERTCertificate *cert)
-{
- return(PR_FALSE);
-}
-
-CERTCertificate *
-CERT_NextSubjectCert(CERTCertificate *cert)
-{
- CERTSubjectNode *node;
- CERTCertificate *retcert = NULL;
-
- CERT_LockDB(cert->dbhandle);
-
- node = FindCertSubjectNode(cert);
- PORT_Assert(node != NULL);
-
- if ( node->next != NULL ) {
- retcert = CERT_FindCertByKeyNoLocking(cert->dbhandle,
- &node->next->certKey);
- }
-
- CERT_UnlockDB(cert->dbhandle);
-
- return(retcert);
-}
-
-CERTCertificate *
-CERT_PrevSubjectCert(CERTCertificate *cert)
-{
- CERTSubjectNode *node;
- CERTCertificate *retcert = NULL;
-
- CERT_LockDB(cert->dbhandle);
- node = FindCertSubjectNode(cert);
- PORT_Assert(node != NULL);
-
- if ( node->prev != NULL ) {
- retcert = CERT_FindCertByKeyNoLocking(cert->dbhandle,
- &node->prev->certKey);
- }
- CERT_UnlockDB(cert->dbhandle);
-
- return(retcert);
-}
-
-SECStatus
-CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
- PRBool caOnly, char *nickname)
-{
- SECStatus rv;
- PRBool saveit;
- CERTCertTrust trust;
- CERTCertTrust tmptrust;
- PRBool isCA;
- unsigned int certtype;
- PRBool freeNickname = PR_FALSE;
-
- isCA = CERT_IsCACert(cert, NULL);
- if ( caOnly && ( !isCA ) ) {
- return(SECSuccess);
- }
-
- saveit = PR_TRUE;
-
- PORT_Memset((void *)&trust, 0, sizeof(trust));
-
- certtype = cert->nsCertType;
-
- /* if no CA bits in cert type, then set all CA bits */
- if ( isCA && ( ! ( certtype & NS_CERT_TYPE_CA ) ) ) {
- certtype |= NS_CERT_TYPE_CA;
- }
-
- /* if no app bits in cert type, then set all app bits */
- if ( ( !isCA ) && ( ! ( certtype & NS_CERT_TYPE_APP ) ) ) {
- certtype |= NS_CERT_TYPE_APP;
- }
-
- if ( isCA && !nickname ) {
- nickname = CERT_MakeCANickname(cert);
- if ( nickname != NULL ) {
- freeNickname = PR_TRUE;
- }
- }
-
- switch ( usage ) {
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- if ( isCA ) {
- if ( certtype & NS_CERT_TYPE_EMAIL_CA ) {
- trust.emailFlags = CERTDB_VALID_CA;
- }
- } else {
- PORT_Assert(nickname == NULL);
-
- if ( cert->emailAddr == NULL ) {
- saveit = PR_FALSE;
- }
-
- if ( certtype & NS_CERT_TYPE_EMAIL ) {
- trust.emailFlags = CERTDB_VALID_PEER;
- if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
- /* don't save it if KeyEncipherment is not allowed */
- saveit = PR_FALSE;
- }
- }
- }
- break;
- case certUsageUserCertImport:
- if ( isCA ) {
- if ( certtype & NS_CERT_TYPE_SSL_CA ) {
- trust.sslFlags = CERTDB_VALID_CA;
- }
-
- if ( certtype & NS_CERT_TYPE_EMAIL_CA ) {
- trust.emailFlags = CERTDB_VALID_CA;
- }
-
- if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
- trust.objectSigningFlags = CERTDB_VALID_CA;
- }
-
- } else {
- if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
- trust.sslFlags = CERTDB_VALID_PEER;
- }
-
- if ( certtype & NS_CERT_TYPE_EMAIL ) {
- trust.emailFlags = CERTDB_VALID_PEER;
- }
-
- if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
- trust.objectSigningFlags = CERTDB_VALID_PEER;
- }
- }
- break;
- default: /* XXX added to quiet warnings; no other cases needed? */
- break;
- }
-
- if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
- saveit = PR_FALSE;
- }
-
- if ( saveit ) {
- if ( cert->isperm ) {
- /* Cert already in the DB. Just adjust flags */
- tmptrust = *cert->trust;
- tmptrust.sslFlags |= trust.sslFlags;
- tmptrust.emailFlags |= trust.emailFlags;
- tmptrust.objectSigningFlags |= trust.objectSigningFlags;
-
- rv = CERT_ChangeCertTrust(cert->dbhandle, cert,
- &tmptrust);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- } else {
- /* Cert not already in the DB. Add it */
- rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
- }
-
- rv = SECSuccess;
- goto done;
-
-loser:
- rv = SECFailure;
-done:
-
- if ( freeNickname ) {
- PORT_Free(nickname);
- }
-
- return(rv);
-}
-
-SECStatus
-CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb,
- CERTCertificate *cert, SECCertUsage usage)
-{
- SECStatus rv;
- CERTCertTrust trust;
- CERTCertTrust tmptrust;
- unsigned int certtype;
- PRBool saveit;
-
- saveit = PR_TRUE;
-
- PORT_Memset((void *)&trust, 0, sizeof(trust));
-
- certtype = cert->nsCertType;
-
- /* if no app bits in cert type, then set all app bits */
- if ( ! ( certtype & NS_CERT_TYPE_APP ) ) {
- certtype |= NS_CERT_TYPE_APP;
- }
-
- switch ( usage ) {
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- if ( certtype & NS_CERT_TYPE_EMAIL ) {
- trust.emailFlags = CERTDB_VALID_PEER;
- if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
- /* don't save it if KeyEncipherment is not allowed */
- saveit = PR_FALSE;
- }
- }
- break;
- case certUsageUserCertImport:
- if ( certtype & NS_CERT_TYPE_EMAIL ) {
- trust.emailFlags = CERTDB_VALID_PEER;
- }
- /* VALID_USER is already set if the cert was imported,
- * in the case that the cert was already in the database
- * through SMIME or other means, we should set the USER
- * flags, if they are not already set.
- */
- if( cert->isperm ) {
- if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
- if( !(cert->trust->sslFlags & CERTDB_USER) ) {
- trust.sslFlags |= CERTDB_USER;
- }
- }
-
- if ( certtype & NS_CERT_TYPE_EMAIL ) {
- if( !(cert->trust->emailFlags & CERTDB_USER) ) {
- trust.emailFlags |= CERTDB_USER;
- }
- }
-
- if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
- if( !(cert->trust->objectSigningFlags & CERTDB_USER) ) {
- trust.objectSigningFlags |= CERTDB_USER;
- }
- }
- }
- break;
- default: /* XXX added to quiet warnings; no other cases needed? */
- break;
- }
-
- if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
- saveit = PR_FALSE;
- }
-
- if ( saveit && cert->isperm ) {
- /* Cert already in the DB. Just adjust flags */
- tmptrust = *cert->trust;
- tmptrust.sslFlags |= trust.sslFlags;
- tmptrust.emailFlags |= trust.emailFlags;
- tmptrust.objectSigningFlags |= trust.objectSigningFlags;
-
- rv = CERT_ChangeCertTrust(cert->dbhandle, cert,
- &tmptrust);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- rv = SECSuccess;
- goto done;
-
-loser:
- rv = SECFailure;
-done:
-
- return(rv);
-}
-
-int
-CERT_GetDBContentVersion(CERTCertDBHandle *handle)
-{
- certDBEntryContentVersion *entry;
- int ret;
-
- entry = ReadDBContentVersionEntry(handle);
-
- if ( entry == NULL ) {
- return(0);
- }
-
- ret = entry->contentVersion;
-
- DestroyDBEntry((certDBEntry *)entry);
-
- return(ret);
-}
-
-void
-CERT_SetDBContentVersion(int version, CERTCertDBHandle *handle)
-{
- SECStatus rv;
- certDBEntryContentVersion *entry;
-
- entry = NewDBContentVersionEntry(0);
-
- if ( entry == NULL ) {
- return;
- }
-
- rv = DeleteDBContentVersionEntry(handle);
- rv = WriteDBContentVersionEntry(handle, entry);
-
- DestroyDBEntry((certDBEntry *)entry);
-
- return;
-}
-
-/*
- * Creates or adds to a list of all certs with a give subject name, sorted by
- * validity time, newest first. Invalid certs are considered older than
- * valid certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
- SECItem *name, int64 sorttime, PRBool validOnly)
-{
- CERTCertificate *cert = NULL;
- CERTSubjectList *subjectList = NULL;
- CERTSubjectNode *node;
- SECStatus rv;
-
- if ( certList == NULL ) {
- certList = CERT_NewCertList();
- }
-
- if ( certList == NULL ) {
- goto loser;
- }
-
- subjectList = FindSubjectList(handle, name, PR_FALSE);
-
- if ( subjectList != NULL ) {
- node = subjectList->head;
- PORT_Assert(node);
- while (node) {
- cert = CERT_FindCertByKey(handle, &node->certKey);
-
- /* if validOnly, then check validity period before adding to list*/
- if ( ( !validOnly ) ||
- ( CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE)
- == secCertTimeValid ) ) {
- rv = CERT_AddCertToListSorted(certList, cert,
- CERT_SortCBValidity,
- (void *)&sorttime);
- if ( rv != SECSuccess ) {
- CERT_DestroyCertificate(cert);
- goto loser;
- }
- } else {
- CERT_DestroyCertificate(cert);
- }
-
- node = node->next;
- }
- }
-
- return(certList);
-
-loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- }
-
- return(NULL);
-}
-
-/*
- * Creates or adds to a list of all certs with a give nickname, sorted by
- * validity time, newest first. Invalid certs are considered older than valid
- * certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateNicknameCertList(CERTCertList *certList, CERTCertDBHandle *handle,
- char *nickname, int64 sorttime, PRBool validOnly)
-{
- CERTCertificate *cert;
- CERTCertList *ret;
-
- cert = CERT_FindCertByNickname(handle, nickname);
- if ( cert == NULL ) {
- return(NULL);
- }
-
- ret = CERT_CreateSubjectCertList(certList, handle, &cert->derSubject,
- sorttime, validOnly);
-
- CERT_DestroyCertificate(cert);
-
- return(ret);
-}
-
-/*
- * Creates or adds to a list of all certs with a give email addr, sorted by
- * validity time, newest first. Invalid certs are considered older than valid
- * certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateEmailAddrCertList(CERTCertList *certList, CERTCertDBHandle *handle,
- char *emailAddr, int64 sorttime, PRBool validOnly)
-{
- CERTCertificate *cert;
- CERTCertList *ret;
-
- cert = CERT_FindCertByEmailAddr(handle, emailAddr);
- if ( cert == NULL ) {
- return(NULL);
- }
-
- ret = CERT_CreateSubjectCertList(certList, handle, &cert->derSubject,
- sorttime, validOnly);
-
- CERT_DestroyCertificate(cert);
-
- return(ret);
-}
diff --git a/security/nss/lib/certdb/polcyxtn.c b/security/nss/lib/certdb/polcyxtn.c
deleted file mode 100644
index 7f3dd3a78..000000000
--- a/security/nss/lib/certdb/polcyxtn.c
+++ /dev/null
@@ -1,541 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support for various policy related extensions
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secport.h"
-#include "secder.h"
-#include "cert.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "nspr.h"
-
-const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTNoticeReference) },
-/* NOTE: this should be a choice */
- { SEC_ASN1_IA5_STRING,
- offsetof(CERTNoticeReference, organization) },
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTNoticeReference, noticeNumbers),
- SEC_IntegerTemplate },
- { 0 }
-};
-
-/* this template can not be encoded because of the option inline */
-const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTUserNotice) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED,
- offsetof(CERTUserNotice, derNoticeReference) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(CERTUserNotice, displayText) },
- { 0 }
-};
-
-const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTPolicyQualifier) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTPolicyQualifier, qualifierID) },
- { SEC_ASN1_ANY,
- offsetof(CERTPolicyQualifier, qualifierValue) },
- { 0 }
-};
-
-const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTPolicyInfo) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTPolicyInfo, policyID) },
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTPolicyInfo, policyQualifiers),
- CERT_PolicyQualifierTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTCertificatePolicies, policyInfos),
- CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) }
-};
-
-static void
-breakLines(char *string)
-{
- char *tmpstr;
- char *lastspace = NULL;
- int curlen = 0;
- int c;
-
- tmpstr = string;
-
- while ( ( c = *tmpstr ) != '\0' ) {
- switch ( c ) {
- case ' ':
- lastspace = tmpstr;
- break;
- case '\n':
- lastspace = NULL;
- curlen = 0;
- break;
- }
-
- if ( ( curlen >= 55 ) && ( lastspace != NULL ) ) {
- *lastspace = '\n';
- curlen = ( tmpstr - lastspace );
- lastspace = NULL;
- }
-
- curlen++;
- tmpstr++;
- }
-
- return;
-}
-
-CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue)
-{
- PRArenaPool *arena = NULL;
- SECStatus rv;
- CERTCertificatePolicies *policies;
- CERTPolicyInfo **policyInfos, *policyInfo;
- CERTPolicyQualifier **policyQualifiers, *policyQualifier;
-
- /* make a new arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- goto loser;
- }
-
- /* allocate the certifiate policies structure */
- policies = (CERTCertificatePolicies *)
- PORT_ArenaZAlloc(arena, sizeof(CERTCertificatePolicies));
-
- if ( policies == NULL ) {
- goto loser;
- }
-
- policies->arena = arena;
-
- /* decode the policy info */
- rv = SEC_ASN1DecodeItem(arena, policies, CERT_CertificatePoliciesTemplate,
- extnValue);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* initialize the oid tags */
- policyInfos = policies->policyInfos;
- while (*policyInfos != NULL ) {
- policyInfo = *policyInfos;
- policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
- policyQualifiers = policyInfo->policyQualifiers;
- while ( *policyQualifiers != NULL ) {
- policyQualifier = *policyQualifiers;
- policyQualifier->oid =
- SECOID_FindOIDTag(&policyQualifier->qualifierID);
- policyQualifiers++;
- }
- policyInfos++;
- }
-
- return(policies);
-
-loser:
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-void
-CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
-{
- if ( policies != NULL ) {
- PORT_FreeArena(policies->arena, PR_FALSE);
- }
- return;
-}
-
-
-CERTUserNotice *
-CERT_DecodeUserNotice(SECItem *noticeItem)
-{
- PRArenaPool *arena = NULL;
- SECStatus rv;
- CERTUserNotice *userNotice;
-
- /* make a new arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- goto loser;
- }
-
- /* allocate the userNotice structure */
- userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena,
- sizeof(CERTUserNotice));
-
- if ( userNotice == NULL ) {
- goto loser;
- }
-
- userNotice->arena = arena;
-
- /* decode the user notice */
- rv = SEC_ASN1DecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
- noticeItem);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- if (userNotice->derNoticeReference.data != NULL) {
- /* sigh, the asn1 parser stripped the sequence encoding, re add it
- * before we decode.
- */
- SECItem tmpbuf;
- int newBytes;
-
- newBytes = SEC_ASN1LengthLength(userNotice->derNoticeReference.len)+1;
- tmpbuf.len = newBytes + userNotice->derNoticeReference.len;
- tmpbuf.data = PORT_ZAlloc(tmpbuf.len);
- if (tmpbuf.data == NULL) {
- goto loser;
- }
- tmpbuf.data[0] = SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED;
- SEC_ASN1EncodeLength(&tmpbuf.data[1],userNotice->derNoticeReference.len);
- PORT_Memcpy(&tmpbuf.data[newBytes],userNotice->derNoticeReference.data,
- userNotice->derNoticeReference.len);
-
- /* OK, no decode it */
- rv = SEC_ASN1DecodeItem(arena, &userNotice->noticeReference,
- CERT_NoticeReferenceTemplate, &tmpbuf);
-
- PORT_Free(tmpbuf.data); tmpbuf.data = NULL;
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- return(userNotice);
-
-loser:
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-void
-CERT_DestroyUserNotice(CERTUserNotice *userNotice)
-{
- if ( userNotice != NULL ) {
- PORT_FreeArena(userNotice->arena, PR_FALSE);
- }
- return;
-}
-
-static CERTPolicyStringCallback policyStringCB = NULL;
-static void *policyStringCBArg = NULL;
-
-void
-CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
-{
- policyStringCB = cb;
- policyStringCBArg = cbarg;
- return;
-}
-
-char *
-stringFromUserNotice(SECItem *noticeItem)
-{
- SECItem *org;
- unsigned int len, headerlen;
- char *stringbuf;
- CERTUserNotice *userNotice;
- char *policystr;
- char *retstr = NULL;
- SECItem *displayText;
- SECItem **noticeNumbers;
- unsigned int strnum;
-
- /* decode the user notice */
- userNotice = CERT_DecodeUserNotice(noticeItem);
- if ( userNotice == NULL ) {
- return(NULL);
- }
-
- org = &userNotice->noticeReference.organization;
- if ( (org->len != 0 ) && ( policyStringCB != NULL ) ) {
- /* has a noticeReference */
-
- /* extract the org string */
- len = org->len;
- stringbuf = (char*)PORT_Alloc(len + 1);
- if ( stringbuf != NULL ) {
- PORT_Memcpy(stringbuf, org->data, len);
- stringbuf[len] = '\0';
-
- noticeNumbers = userNotice->noticeReference.noticeNumbers;
- while ( *noticeNumbers != NULL ) {
- /* XXX - only one byte integers right now*/
- strnum = (*noticeNumbers)->data[0];
- policystr = (* policyStringCB)(stringbuf,
- strnum,
- policyStringCBArg);
- if ( policystr != NULL ) {
- if ( retstr != NULL ) {
- retstr = PR_sprintf_append(retstr, "\n%s", policystr);
- } else {
- retstr = PR_sprintf_append(retstr, "%s", policystr);
- }
-
- PORT_Free(policystr);
- }
-
- noticeNumbers++;
- }
-
- PORT_Free(stringbuf);
- }
- }
-
- if ( retstr == NULL ) {
- if ( userNotice->displayText.len != 0 ) {
- displayText = &userNotice->displayText;
-
- if ( displayText->len > 2 ) {
- if ( displayText->data[0] == SEC_ASN1_VISIBLE_STRING ) {
- headerlen = 2;
- if ( displayText->data[1] & 0x80 ) {
- /* multibyte length */
- headerlen += ( displayText->data[1] & 0x7f );
- }
-
- len = displayText->len - headerlen;
- retstr = (char*)PORT_Alloc(len + 1);
- if ( retstr != NULL ) {
- PORT_Memcpy(retstr, &displayText->data[headerlen],len);
- retstr[len] = '\0';
- }
- }
- }
- }
- }
-
- CERT_DestroyUserNotice(userNotice);
-
- return(retstr);
-}
-
-char *
-CERT_GetCertCommentString(CERTCertificate *cert)
-{
- char *retstring = NULL;
- SECStatus rv;
- SECItem policyItem;
- CERTCertificatePolicies *policies = NULL;
- CERTPolicyInfo **policyInfos;
- CERTPolicyQualifier **policyQualifiers, *qualifier;
-
- policyItem.data = NULL;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
- &policyItem);
- if ( rv != SECSuccess ) {
- goto nopolicy;
- }
-
- policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
- if ( policies == NULL ) {
- goto nopolicy;
- }
-
- policyInfos = policies->policyInfos;
- /* search through policyInfos looking for the verisign policy */
- while (*policyInfos != NULL ) {
- if ( (*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES ) {
- policyQualifiers = (*policyInfos)->policyQualifiers;
- /* search through the policy qualifiers looking for user notice */
- while ( *policyQualifiers != NULL ) {
- qualifier = *policyQualifiers;
- if ( qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER ) {
- retstring =
- stringFromUserNotice(&qualifier->qualifierValue);
- break;
- }
-
- policyQualifiers++;
- }
- break;
- }
- policyInfos++;
- }
-
-nopolicy:
- if ( policyItem.data != NULL ) {
- PORT_Free(policyItem.data);
- }
-
- if ( policies != NULL ) {
- CERT_DestroyCertificatePoliciesExtension(policies);
- }
-
- if ( retstring == NULL ) {
- retstring = CERT_FindNSStringExtension(cert,
- SEC_OID_NS_CERT_EXT_COMMENT);
- }
-
- if ( retstring != NULL ) {
- breakLines(retstring);
- }
-
- return(retstring);
-}
-
-
-const SEC_ASN1Template CERT_OidSeqTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTOidSequence, oids),
- SEC_ObjectIDTemplate }
-};
-
-CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem)
-{
- PRArenaPool *arena = NULL;
- SECStatus rv;
- CERTOidSequence *oidSeq;
-
- /* make a new arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- goto loser;
- }
-
- /* allocate the userNotice structure */
- oidSeq = (CERTOidSequence *)PORT_ArenaZAlloc(arena,
- sizeof(CERTOidSequence));
-
- if ( oidSeq == NULL ) {
- goto loser;
- }
-
- oidSeq->arena = arena;
-
- /* decode the user notice */
- rv = SEC_ASN1DecodeItem(arena, oidSeq, CERT_OidSeqTemplate, seqItem);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- return(oidSeq);
-
-loser:
- return(NULL);
-}
-
-
-void
-CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
-{
- if ( oidSeq != NULL ) {
- PORT_FreeArena(oidSeq->arena, PR_FALSE);
- }
- return;
-}
-
-PRBool
-CERT_GovtApprovedBitSet(CERTCertificate *cert)
-{
- SECStatus rv;
- SECItem extItem;
- CERTOidSequence *oidSeq = NULL;
- PRBool ret;
- SECItem **oids;
- SECItem *oid;
- SECOidTag oidTag;
-
- extItem.data = NULL;
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- oidSeq = CERT_DecodeOidSequence(&extItem);
- if ( oidSeq == NULL ) {
- goto loser;
- }
-
- oids = oidSeq->oids;
- while ( oids != NULL && *oids != NULL ) {
- oid = *oids;
-
- oidTag = SECOID_FindOIDTag(oid);
-
- if ( oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED ) {
- goto success;
- }
-
- oids++;
- }
-
-loser:
- ret = PR_FALSE;
- goto done;
-success:
- ret = PR_TRUE;
-done:
- if ( oidSeq != NULL ) {
- CERT_DestroyOidSequence(oidSeq);
- }
- if (extItem.data != NULL) {
- PORT_Free(extItem.data);
- }
- return(ret);
-}
diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c
deleted file mode 100644
index 4bef4b6d9..000000000
--- a/security/nss/lib/certdb/secname.c
+++ /dev/null
@@ -1,625 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cert.h"
-#include "secoid.h"
-#include "secder.h" /* XXX remove this when remove the DERTemplates */
-#include "secasn1.h"
-#include "secitem.h"
-#include <stdarg.h>
-#include "secerr.h"
-
-static const SEC_ASN1Template cert_AVATemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTAVA) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTAVA,type), },
- { SEC_ASN1_ANY,
- offsetof(CERTAVA,value), },
- { 0, }
-};
-
-const SEC_ASN1Template CERT_RDNTemplate[] = {
- { SEC_ASN1_SET_OF,
- offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
-};
-
-
-static int
-CountArray(void **array)
-{
- int count = 0;
- if (array) {
- while (*array++) {
- count++;
- }
- }
- return count;
-}
-
-static void
-**AddToArray(PRArenaPool *arena, void **array, void *element)
-{
- unsigned count;
- void **ap;
-
- /* Count up number of slots already in use in the array */
- count = 0;
- ap = array;
- if (ap) {
- while (*ap++) {
- count++;
- }
- }
-
- if (array) {
- array = (void**) PORT_ArenaGrow(arena, array,
- (count + 1) * sizeof(void *),
- (count + 2) * sizeof(void *));
- } else {
- array = (void**) PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
- }
- if (array) {
- array[count] = element;
- array[count+1] = 0;
- }
- return array;
-}
-
-#if 0
-static void
-**RemoveFromArray(void **array, void *element)
-{
- unsigned count;
- void **ap;
- int slot;
-
- /* Look for element */
- ap = array;
- if (ap) {
- count = 1; /* count the null at the end */
- slot = -1;
- for (; *ap; ap++, count++) {
- if (*ap == element) {
- /* Found it */
- slot = ap - array;
- }
- }
- if (slot >= 0) {
- /* Found it. Squish array down */
- PORT_Memmove((void*) (array + slot), (void*) (array + slot + 1),
- (count - slot - 1) * sizeof(void*));
- /* Don't bother reallocing the memory */
- }
- }
- return array;
-}
-#endif /* 0 */
-
-SECOidTag
-CERT_GetAVATag(CERTAVA *ava)
-{
- SECOidData *oid;
- if (!ava->type.data) return (SECOidTag)-1;
-
- oid = SECOID_FindOID(&ava->type);
-
- if ( oid ) {
- return(oid->offset);
- }
- return (SECOidTag)-1;
-}
-
-static SECStatus
-SetupAVAType(PRArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
-{
- unsigned char *oid;
- unsigned oidLen;
- unsigned char *cp;
- unsigned maxLen;
- SECOidData *oidrec;
-
- oidrec = SECOID_FindOIDByTag(type);
- if (oidrec == NULL)
- return SECFailure;
-
- oid = oidrec->oid.data;
- oidLen = oidrec->oid.len;
-
- switch (type) {
- case SEC_OID_AVA_COUNTRY_NAME:
- maxLen = 2;
- break;
- case SEC_OID_AVA_ORGANIZATION_NAME:
- maxLen = 64;
- break;
- case SEC_OID_AVA_COMMON_NAME:
- maxLen = 64;
- break;
- case SEC_OID_AVA_LOCALITY:
- maxLen = 128;
- break;
- case SEC_OID_AVA_STATE_OR_PROVINCE:
- maxLen = 128;
- break;
- case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
- maxLen = 64;
- break;
- case SEC_OID_AVA_DC:
- maxLen = 128;
- break;
- case SEC_OID_AVA_DN_QUALIFIER:
- maxLen = 0x7fff;
- break;
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- maxLen = 128;
- break;
- case SEC_OID_RFC1274_UID:
- maxLen = 256; /* RFC 1274 specifies 256 */
- break;
- case SEC_OID_RFC1274_MAIL:
- maxLen = 256; /* RFC 1274 specifies 256 */
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, oidLen);
- if (cp == NULL) {
- return SECFailure;
- }
- it->len = oidLen;
- PORT_Memcpy(cp, oid, oidLen);
- *maxLenp = maxLen;
- return SECSuccess;
-}
-
-static SECStatus
-SetupAVAValue(PRArenaPool *arena, int valueType, char *value, SECItem *it,
- unsigned maxLen)
-{
- unsigned valueLen, valueLenLen, total;
- unsigned ucs4Len = 0, ucs4MaxLen;
- unsigned char *cp, *ucs4Val;
-
- switch (valueType) {
- case SEC_ASN1_PRINTABLE_STRING:
- case SEC_ASN1_IA5_STRING:
- case SEC_ASN1_T61_STRING:
- valueLen = PORT_Strlen(value);
- break;
- case SEC_ASN1_UNIVERSAL_STRING:
- valueLen = PORT_Strlen(value);
- ucs4Val = (unsigned char *)PORT_ArenaZAlloc(arena,
- PORT_Strlen(value) * 6);
- ucs4MaxLen = PORT_Strlen(value) * 6;
- if(!ucs4Val || !PORT_UCS4_UTF8Conversion(PR_TRUE, (unsigned char *)value, valueLen,
- ucs4Val, ucs4MaxLen, &ucs4Len)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- value = (char *)ucs4Val;
- valueLen = ucs4Len;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if (((valueType != SEC_ASN1_UNIVERSAL_STRING) && (valueLen > maxLen)) ||
- (valueType == SEC_ASN1_UNIVERSAL_STRING) && (valueLen > (maxLen * 4))) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- valueLenLen = DER_LengthLength(valueLen);
- total = 1 + valueLenLen + valueLen;
- it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, total);
- if (!cp) {
- return SECFailure;
- }
- it->len = total;
- cp = (unsigned char*) DER_StoreHeader(cp, valueType, valueLen);
- PORT_Memcpy(cp, value, valueLen);
- return SECSuccess;
-}
-
-CERTAVA *
-CERT_CreateAVA(PRArenaPool *arena, SECOidTag kind, int valueType, char *value)
-{
- CERTAVA *ava;
- int rv;
- unsigned maxLen;
-
- ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
- if (ava) {
- rv = SetupAVAType(arena, kind, &ava->type, &maxLen);
- if (rv) {
- /* Illegal AVA type */
- return 0;
- }
- rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen);
- if (rv) {
- /* Illegal value type */
- return 0;
- }
- }
- return ava;
-}
-
-CERTAVA *
-CERT_CopyAVA(PRArenaPool *arena, CERTAVA *from)
-{
- CERTAVA *ava;
- int rv;
-
- ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
- if (ava) {
- rv = SECITEM_CopyItem(arena, &ava->type, &from->type);
- if (rv) goto loser;
- rv = SECITEM_CopyItem(arena, &ava->value, &from->value);
- if (rv) goto loser;
- }
- return ava;
-
- loser:
- return 0;
-}
-
-/************************************************************************/
-/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
-static const SEC_ASN1Template cert_RDNTemplate[] = {
- { SEC_ASN1_SET_OF,
- offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
-};
-
-
-CERTRDN *
-CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...)
-{
- CERTAVA *ava;
- CERTRDN *rdn;
- va_list ap;
- unsigned count;
- CERTAVA **avap;
-
- rdn = (CERTRDN*) PORT_ArenaAlloc(arena, sizeof(CERTRDN));
- if (rdn) {
- /* Count number of avas going into the rdn */
- count = 1;
- va_start(ap, ava0);
- while ((ava = va_arg(ap, CERTAVA*)) != 0) {
- count++;
- }
- va_end(ap);
-
- /* Now fill in the pointers */
- rdn->avas = avap =
- (CERTAVA**) PORT_ArenaAlloc( arena, (count + 1)*sizeof(CERTAVA*));
- if (!avap) {
- return 0;
- }
- *avap++ = ava0;
- va_start(ap, ava0);
- while ((ava = va_arg(ap, CERTAVA*)) != 0) {
- *avap++ = ava;
- }
- va_end(ap);
- *avap++ = 0;
- }
- return rdn;
-}
-
-SECStatus
-CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava)
-{
- rdn->avas = (CERTAVA**) AddToArray(arena, (void**) rdn->avas, ava);
- return rdn->avas ? SECSuccess : SECFailure;
-}
-
-SECStatus
-CERT_CopyRDN(PRArenaPool *arena, CERTRDN *to, CERTRDN *from)
-{
- CERTAVA **avas, *fava, *tava;
- SECStatus rv;
-
- /* Copy each ava from from */
- avas = from->avas;
- while ((fava = *avas++) != 0) {
- tava = CERT_CopyAVA(arena, fava);
- if (!tava) return SECFailure;
- rv = CERT_AddAVA(arena, to, tava);
- if (rv) return rv;
- }
- return SECSuccess;
-}
-
-/************************************************************************/
-
-const SEC_ASN1Template CERT_NameTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(CERTName,rdns), CERT_RDNTemplate, sizeof(CERTName) }
-};
-
-CERTName *
-CERT_CreateName(CERTRDN *rdn0, ...)
-{
- CERTRDN *rdn;
- CERTName *name;
- va_list ap;
- unsigned count;
- CERTRDN **rdnp;
- PRArenaPool *arena;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- return(0);
- }
-
- name = (CERTName*) PORT_ArenaAlloc(arena, sizeof(CERTName));
- if (name) {
- name->arena = arena;
-
- /* Count number of RDNs going into the Name */
- count = 1;
- va_start(ap, rdn0);
- while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
- count++;
- }
- va_end(ap);
-
- /* Now fill in the pointers */
- name->rdns = rdnp =
- (CERTRDN**) PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN*));
- if (!name->rdns) {
- goto loser;
- }
- *rdnp++ = rdn0;
- va_start(ap, rdn0);
- while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
- *rdnp++ = rdn;
- }
- va_end(ap);
- *rdnp++ = 0;
- }
- return name;
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(0);
-}
-
-void
-CERT_DestroyName(CERTName *name)
-{
- if (name)
- {
- PRArenaPool *arena = name->arena;
- name->rdns = NULL;
- name->arena = NULL;
- if (arena) PORT_FreeArena(arena, PR_FALSE);
- }
-}
-
-SECStatus
-CERT_AddRDN(CERTName *name, CERTRDN *rdn)
-{
- name->rdns = (CERTRDN**) AddToArray(name->arena, (void**) name->rdns, rdn);
- return name->rdns ? SECSuccess : SECFailure;
-}
-
-SECStatus
-CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from)
-{
- CERTRDN **rdns, *frdn, *trdn;
- SECStatus rv;
-
- CERT_DestroyName(to);
- to->arena = arena;
-
- /* Copy each rdn from from */
- rdns = from->rdns;
- while ((frdn = *rdns++) != 0) {
- trdn = CERT_CreateRDN(arena, 0);
- if ( trdn == NULL ) {
- return(SECFailure);
- }
- rv = CERT_CopyRDN(arena, trdn, frdn);
- if (rv) return rv;
- rv = CERT_AddRDN(to, trdn);
- if (rv) return rv;
- }
- return SECSuccess;
-}
-
-/************************************************************************/
-
-SECComparison
-CERT_CompareAVA(CERTAVA *a, CERTAVA *b)
-{
- SECComparison rv;
-
- rv = SECITEM_CompareItem(&a->type, &b->type);
- if (rv) {
- /*
- ** XXX for now we are going to just assume that a bitwise
- ** comparison of the value codes will do the trick.
- */
- }
- rv = SECITEM_CompareItem(&a->value, &b->value);
- return rv;
-}
-
-SECComparison
-CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
-{
- CERTAVA **aavas, *aava;
- CERTAVA **bavas, *bava;
- int ac, bc;
- SECComparison rv = SECEqual;
-
- aavas = a->avas;
- bavas = b->avas;
-
- /*
- ** Make sure array of ava's are the same length. If not, then we are
- ** not equal
- */
- ac = CountArray((void**) aavas);
- bc = CountArray((void**) bavas);
- if (ac < bc) return SECLessThan;
- if (ac > bc) return SECGreaterThan;
-
- for (;;) {
- aava = *aavas++;
- bava = *bavas++;
- if (!aava) {
- break;
- }
- rv = CERT_CompareAVA(aava, bava);
- if (rv) return rv;
- }
- return rv;
-}
-
-SECComparison
-CERT_CompareName(CERTName *a, CERTName *b)
-{
- CERTRDN **ardns, *ardn;
- CERTRDN **brdns, *brdn;
- int ac, bc;
- SECComparison rv = SECEqual;
-
- ardns = a->rdns;
- brdns = b->rdns;
-
- /*
- ** Make sure array of rdn's are the same length. If not, then we are
- ** not equal
- */
- ac = CountArray((void**) ardns);
- bc = CountArray((void**) brdns);
- if (ac < bc) return SECLessThan;
- if (ac > bc) return SECGreaterThan;
-
- for (;;) {
- ardn = *ardns++;
- brdn = *brdns++;
- if (!ardn) {
- break;
- }
- rv = CERT_CompareRDN(ardn, brdn);
- if (rv) return rv;
- }
- return rv;
-}
-
-/* Moved from certhtml.c */
-SECItem *
-CERT_DecodeAVAValue(SECItem *derAVAValue)
-{
- SECItem *retItem;
- const SEC_ASN1Template *theTemplate = NULL;
- PRBool convertUCS4toUTF8 = PR_FALSE;
- PRBool convertUCS2toUTF8 = PR_FALSE;
- SECItem avaValue = {siBuffer, 0};
-
- if(!derAVAValue) {
- return NULL;
- }
-
- switch(derAVAValue->data[0]) {
- case SEC_ASN1_UNIVERSAL_STRING:
- convertUCS4toUTF8 = PR_TRUE;
- theTemplate = SEC_UniversalStringTemplate;
- break;
- case SEC_ASN1_IA5_STRING:
- theTemplate = SEC_IA5StringTemplate;
- break;
- case SEC_ASN1_PRINTABLE_STRING:
- theTemplate = SEC_PrintableStringTemplate;
- break;
- case SEC_ASN1_T61_STRING:
- theTemplate = SEC_T61StringTemplate;
- break;
- case SEC_ASN1_BMP_STRING:
- convertUCS2toUTF8 = PR_TRUE;
- theTemplate = SEC_BMPStringTemplate;
- break;
- default:
- return NULL;
- }
-
- PORT_Memset(&avaValue, 0, sizeof(SECItem));
- if(SEC_ASN1DecodeItem(NULL, &avaValue, theTemplate, derAVAValue)
- != SECSuccess) {
- return NULL;
- }
-
- if (convertUCS4toUTF8) {
- unsigned int utf8ValLen = avaValue.len * 3;
- unsigned char *utf8Val = (unsigned char*)PORT_ZAlloc(utf8ValLen);
-
- if(!PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
- utf8Val, utf8ValLen, &utf8ValLen)) {
- PORT_Free(utf8Val);
- PORT_Free(avaValue.data);
- return NULL;
- }
-
- PORT_Free(avaValue.data);
- avaValue.data = utf8Val;
- avaValue.len = utf8ValLen;
-
- } else if (convertUCS2toUTF8) {
-
- unsigned int utf8ValLen = avaValue.len * 3;
- unsigned char *utf8Val = (unsigned char*)PORT_ZAlloc(utf8ValLen);
-
- if(!PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
- utf8Val, utf8ValLen, &utf8ValLen)) {
- PORT_Free(utf8Val);
- PORT_Free(avaValue.data);
- return NULL;
- }
-
- PORT_Free(avaValue.data);
- avaValue.data = utf8Val;
- avaValue.len = utf8ValLen;
- }
-
- retItem = SECITEM_DupItem(&avaValue);
- PORT_Free(avaValue.data);
- return retItem;
-}
diff --git a/security/nss/lib/certdb/xauthkid.c b/security/nss/lib/certdb/xauthkid.c
deleted file mode 100644
index 8b7ac4a92..000000000
--- a/security/nss/lib/certdb/xauthkid.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * X.509 v3 Subject Key Usage Extension
- *
- */
-
-#include "prtypes.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-#include "secasn1.h"
-#include "secport.h"
-#include "certt.h"
-#include "genname.h"
-#include "secerr.h"
-
-
-const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTAuthKeyID,keyID), SEC_OctetStringTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(CERTAuthKeyID,authCertSerialNumber), SEC_IntegerTemplate},
- { 0 }
-};
-
-
-
-SECStatus CERT_EncodeAuthKeyID (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue)
-{
- SECStatus rv = SECFailure;
-
- PORT_Assert (value);
- PORT_Assert (arena);
- PORT_Assert (value->DERAuthCertIssuer == NULL);
- PORT_Assert (encodedValue);
-
- do {
-
- /* If both of the authCertIssuer and the serial number exist, encode
- the name first. Otherwise, it is an error if one exist and the other
- is not.
- */
- if (value->authCertIssuer) {
- if (!value->authCertSerialNumber.data) {
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- break;
- }
-
- value->DERAuthCertIssuer = cert_EncodeGeneralNames
- (arena, value->authCertIssuer);
- if (!value->DERAuthCertIssuer) {
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- break;
- }
- }
- else if (value->authCertSerialNumber.data) {
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- break;
- }
-
- if (SEC_ASN1EncodeItem (arena, encodedValue, value,
- CERTAuthKeyIDTemplate) == NULL)
- break;
- rv = SECSuccess;
-
- } while (0);
- return(rv);
-}
-
-CERTAuthKeyID *
-CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue)
-{
- CERTAuthKeyID * value = NULL;
- SECStatus rv = SECFailure;
- void * mark;
-
- PORT_Assert (arena);
-
- do {
- mark = PORT_ArenaMark (arena);
- value = (CERTAuthKeyID*)PORT_ArenaZAlloc (arena, sizeof (*value));
- value->DERAuthCertIssuer = NULL;
- if (value == NULL)
- break;
- rv = SEC_ASN1DecodeItem
- (arena, value, CERTAuthKeyIDTemplate, encodedValue);
- if (rv != SECSuccess)
- break;
-
- value->authCertIssuer = cert_DecodeGeneralNames (arena, value->DERAuthCertIssuer);
- if (value->authCertIssuer == NULL)
- break;
-
- /* what if the general name contains other format but not URI ?
- hl
- */
- if ((value->authCertSerialNumber.data && !value->authCertIssuer) ||
- (!value->authCertSerialNumber.data && value->authCertIssuer)){
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- break;
- }
- } while (0);
-
- if (rv != SECSuccess) {
- PORT_ArenaRelease (arena, mark);
- return ((CERTAuthKeyID *)NULL);
- }
- PORT_ArenaUnmark(arena, mark);
- return (value);
-}
diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c
deleted file mode 100644
index f03595cb7..000000000
--- a/security/nss/lib/certdb/xbsconst.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * X.509 v3 Basic Constraints Extension
- */
-
-#include "prtypes.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-#include "secasn1.h"
-#include "certt.h"
-#include "secder.h"
-#include "prprf.h"
-#include "secerr.h"
-
-typedef struct EncodedContext{
- SECItem isCA;
- SECItem pathLenConstraint;
- SECItem encodedValue;
- PRArenaPool *arena;
-}EncodedContext;
-
-static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(EncodedContext) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
- offsetof(EncodedContext,isCA)},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
- offsetof(EncodedContext,pathLenConstraint) },
- { 0, }
-};
-
-static unsigned char hexTrue = 0xff;
-static unsigned char hexFalse = 0x00;
-
-#define GEN_BREAK(status) rv = status; break;
-
-SECStatus CERT_EncodeBasicConstraintValue
- (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
-{
- EncodedContext encodeContext;
- PRArenaPool *our_pool = NULL;
- SECStatus rv = SECSuccess;
-
- do {
- PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
- if (!value->isCA && value->pathLenConstraint >= 0) {
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- GEN_BREAK (SECFailure);
- }
-
- encodeContext.arena = arena;
- if (value->isCA == PR_TRUE) {
- encodeContext.isCA.data = &hexTrue ;
- encodeContext.isCA.len = 1;
- }
-
- /* If the pathLenConstraint is less than 0, then it should be
- * omitted from the encoding.
- */
- if (value->isCA && value->pathLenConstraint >= 0) {
- our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (our_pool == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- GEN_BREAK (SECFailure);
- }
- if (SEC_ASN1EncodeUnsignedInteger
- (our_pool, &encodeContext.pathLenConstraint,
- (unsigned long)value->pathLenConstraint) == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- GEN_BREAK (SECFailure);
- }
- }
- if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
- CERTBasicConstraintsTemplate) == NULL)
- GEN_BREAK (SECFailure);
- } while (0);
- if (our_pool)
- PORT_FreeArena (our_pool, PR_FALSE);
- return(rv);
-
-}
-
-SECStatus CERT_DecodeBasicConstraintValue
- (CERTBasicConstraints *value, SECItem *encodedValue)
-{
- EncodedContext decodeContext;
- PRArenaPool *our_pool;
- SECStatus rv = SECSuccess;
-
- do {
- PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
- /* initialize the value just in case we got "0x30 00", or when the
- pathLenConstraint is omitted.
- */
- decodeContext.isCA.data =&hexFalse;
- decodeContext.isCA.len = 1;
-
- our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (our_pool == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- GEN_BREAK (SECFailure);
- }
-
- rv = SEC_ASN1DecodeItem
- (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
- if (rv == SECFailure)
- break;
-
- value->isCA = (PRBool)(*decodeContext.isCA.data);
- if (decodeContext.pathLenConstraint.data == NULL) {
- /* if the pathLenConstraint is not encoded, and the current setting
- is CA, then the pathLenConstraint should be set to a negative number
- for unlimited certificate path.
- */
- if (value->isCA)
- value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
- }
- else if (value->isCA)
- value->pathLenConstraint = DER_GetUInteger (&decodeContext.pathLenConstraint);
- else {
- /* here we get an error where the subject is not a CA, but
- the pathLenConstraint is set */
- PORT_SetError (SEC_ERROR_BAD_DER);
- GEN_BREAK (SECFailure);
- break;
- }
-
- } while (0);
- PORT_FreeArena (our_pool, PR_FALSE);
- return (rv);
-
-}
diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c
deleted file mode 100644
index 0f404f958..000000000
--- a/security/nss/lib/certdb/xconst.c
+++ /dev/null
@@ -1,253 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * X.509 Extension Encoding
- */
-
-#include "prtypes.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-#include "secasn1.h"
-#include "certt.h"
-#include "secder.h"
-#include "prprf.h"
-#include "xconst.h"
-#include "genname.h"
-#include "secasn1.h"
-
-
-
-static const SEC_ASN1Template CERTSubjectKeyIDTemplate[] = {
-{ SEC_ASN1_OCTET_STRING }
-};
-
-
-static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
-{ SEC_ASN1_IA5_STRING }
-};
-
-
-static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(PKUPEncodedContext) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(PKUPEncodedContext, notBefore), SEC_GeneralizedTimeTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(PKUPEncodedContext, notAfter), SEC_GeneralizedTimeTemplate},
- { 0, }
-};
-
-
-const SEC_ASN1Template CERTAltNameTemplate[] = {
- { SEC_ASN1_CONSTRUCTED, offsetof(AltNameEncodedContext, encodedGenName),
- CERT_GeneralNamesTemplate}
-};
-
-const SEC_ASN1Template CERTAuthInfoAccessItemTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTAuthInfoAccess) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CERTAuthInfoAccess, method) },
- { SEC_ASN1_ANY,
- offsetof(CERTAuthInfoAccess, derLocation) },
- { 0, }
-};
-
-const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, CERTAuthInfoAccessItemTemplate }
-};
-
-
-SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue)
-{
- SECItem encodeContext;
- SECStatus rv = SECSuccess;
-
-
- PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-
- if (value != NULL) {
- encodeContext.data = (unsigned char *)value;
- encodeContext.len = len;
- }
- if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
- CERTSubjectKeyIDTemplate) == NULL) {
- rv = SECFailure;
- }
-
- return(rv);
-}
-
-
-SECStatus
-CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup, SECItem *encodedValue)
-{
- SECStatus rv = SECSuccess;
-
- if (SEC_ASN1EncodeItem (arena, encodedValue, pkup,
- CERTPrivateKeyUsagePeriodTemplate) == NULL) {
- rv = SECFailure;
- }
- return(rv);
-}
-
-
-SECStatus
-CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue)
-{
- SECItem encodeContext;
- SECStatus rv = SECSuccess;
-
-
- PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-
- if (value != NULL) {
- encodeContext.data = (unsigned char *)value;
- encodeContext.len = strlen(value);
- }
- if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
- CERTIA5TypeTemplate) == NULL) {
- rv = SECFailure;
- }
-
- return(rv);
-}
-
-SECStatus
-CERT_EncodeAltNameExtension(PRArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue)
-{
- SECItem **encodedGenName;
- SECStatus rv = SECSuccess;
-
- encodedGenName = cert_EncodeGeneralNames(arena, value);
- if (SEC_ASN1EncodeItem (arena, encodedValue, &encodedGenName,
- CERT_GeneralNamesTemplate) == NULL) {
- rv = SECFailure;
- }
-
- return rv;
-}
-
-CERTGeneralName *
-CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName)
-{
- SECStatus rv = SECSuccess;
- AltNameEncodedContext encodedContext;
-
- encodedContext.encodedGenName = NULL;
- PORT_Memset(&encodedContext, 0, sizeof(AltNameEncodedContext));
- rv = SEC_ASN1DecodeItem (arena, &encodedContext, CERT_GeneralNamesTemplate,
- EncodedAltName);
- if (rv == SECFailure) {
- goto loser;
- }
- return cert_DecodeGeneralNames(arena, encodedContext.encodedGenName);
-loser:
- return NULL;
-}
-
-
-SECStatus
-CERT_EncodeNameConstraintsExtension(PRArenaPool *arena,
- CERTNameConstraints *value,
- SECItem *encodedValue)
-{
- SECStatus rv = SECSuccess;
-
- rv = cert_EncodeNameConstraints(value, arena, encodedValue);
- return rv;
-}
-
-
-CERTNameConstraints *
-CERT_DecodeNameConstraintsExtension(PRArenaPool *arena,
- SECItem *encodedConstraints)
-{
- return cert_DecodeNameConstraints(arena, encodedConstraints);
-}
-
-
-CERTAuthInfoAccess **
-cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
- SECItem *encodedExtension)
-{
- CERTAuthInfoAccess **info = NULL;
- SECStatus rv;
- int i;
-
- rv = SEC_ASN1DecodeItem(arena, &info, CERTAuthInfoAccessTemplate,
- encodedExtension);
- if (rv != SECSuccess || info == NULL) {
- return NULL;
- }
-
- for (i = 0; info[i] != NULL; i++) {
- info[i]->location = cert_DecodeGeneralName(arena,
- &(info[i]->derLocation),
- NULL);
- }
- return info;
-}
-
-SECStatus
-cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
- CERTAuthInfoAccess **info,
- SECItem *dest)
-{
- SECItem *dummy;
- int i;
-
- PORT_Assert(info != NULL);
- PORT_Assert(dest != NULL);
- if (info == NULL || dest == NULL) {
- return SECFailure;
- }
-
- for (i = 0; info[i] != NULL; i++) {
- if (cert_EncodeGeneralName(info[i]->location, &(info[i]->derLocation),
- arena) == NULL)
- /* Note that this may leave some of the locations filled in. */
- return SECFailure;
- }
- dummy = SEC_ASN1EncodeItem(arena, dest, &info,
- CERTAuthInfoAccessTemplate);
- if (dummy == NULL) {
- return SECFailure;
- }
- return SECSuccess;
-}
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
deleted file mode 100644
index 42c49f2e4..000000000
--- a/security/nss/lib/certdb/xconst.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "certt.h"
-
-typedef struct PKUPEncodedContext{
- SECItem notBefore;
- SECItem notAfter;
- /* SECItem encodedValue; */
- PRArenaPool *arena;
-}PKUPEncodedContext;
-
-typedef struct AltNameEncodedContext{
- SECItem **encodedGenName;
-}AltNameEncodedContext;
-
-
-typedef struct NameConstraint{
- CERTGeneralName generalName;
- int min;
- int max;
-}NameConstraint;
-
-
-
-extern SECStatus
-CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup,
- SECItem *encodedValue);
-
-extern SECStatus
-CERT_EncodeAltNameExtension(PRArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue);
-
-extern SECStatus
-CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, CERTNameConstraints *value,
- SECItem *encodedValue);
-extern CERTGeneralName *
-CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName);
-
-extern CERTNameConstraints *
-CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, SECItem *encodedConstraints);
-
-extern SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
-
-extern SECStatus
-CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue);
-
-CERTAuthInfoAccess **
-cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
- SECItem *encodedExtension);
-
-SECStatus
-cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
- CERTAuthInfoAccess **info,
- SECItem *dest);
diff --git a/security/nss/lib/certhigh/Makefile b/security/nss/lib/certhigh/Makefile
deleted file mode 100644
index 08b7137d5..000000000
--- a/security/nss/lib/certhigh/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
deleted file mode 100644
index c75f97a6e..000000000
--- a/security/nss/lib/certhigh/certhigh.c
+++ /dev/null
@@ -1,1053 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "nspr.h"
-#include "secerr.h"
-#include "secasn1.h"
-#include "seccomon.h"
-#include "pk11func.h"
-#include "certdb.h"
-#include "certt.h"
-#include "cert.h"
-
-/*
- * Find all user certificates that match the given criteria.
- *
- * "handle" - database to search
- * "usage" - certificate usage to match
- * "oneCertPerName" - if set then only return the "best" cert per
- * name
- * "validOnly" - only return certs that are curently valid
- * "proto_win" - window handle passed to pkcs11
- */
-CERTCertList *
-CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
- SECCertUsage usage,
- PRBool oneCertPerName,
- PRBool validOnly,
- void *proto_win)
-{
- CERTCertNicknames *nicknames = NULL;
- char **nnptr;
- int nn;
- CERTCertificate *cert = NULL;
- CERTCertList *certList = NULL;
- SECStatus rv;
- int64 time;
- CERTCertListNode *node = NULL;
- CERTCertListNode *freenode = NULL;
- int n;
-
- time = PR_Now();
-
- nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER,
- proto_win);
-
- if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) {
- goto loser;
- }
-
- nnptr = nicknames->nicknames;
- nn = nicknames->numnicknames;
-
- while ( nn > 0 ) {
- cert = NULL;
- /* use the pk11 call so that we pick up any certs on tokens,
- * which may require login
- */
- if ( proto_win != NULL ) {
- cert = PK11_FindCertFromNickname(*nnptr,proto_win);
- }
-
- /* Sigh, It turns out if the cert is already in the temp db, because
- * it's in the perm db, then the nickname lookup doesn't work.
- * since we already have the cert here, though, than we can just call
- * CERT_CreateSubjectCertList directly. For those cases where we didn't
- * find the cert in pkcs #11 (because we didn't have a password arg,
- * or because the nickname is for a peer, server, or CA cert, then we
- * go look the cert up.
- */
- if (cert == NULL) {
- cert = CERT_FindCertByNickname(handle,*nnptr);
- }
-
- if ( cert != NULL ) {
- /* collect certs for this nickname, sorting them into the list */
- certList = CERT_CreateSubjectCertList(certList, handle,
- &cert->derSubject, time, validOnly);
-
- /* drop the extra reference */
- CERT_DestroyCertificate(cert);
- }
-
- nnptr++;
- nn--;
- }
-
- /* remove certs with incorrect usage */
- rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* remove any extra certs for each name */
- if ( oneCertPerName ) {
- PRBool *flags;
-
- nn = nicknames->numnicknames;
- nnptr = nicknames->nicknames;
-
- flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
- if ( flags == NULL ) {
- goto loser;
- }
-
- node = CERT_LIST_HEAD(certList);
-
- /* treverse all certs in the list */
- while ( !CERT_LIST_END(node, certList) ) {
-
- /* find matching nickname index */
- for ( n = 0; n < nn; n++ ) {
- if ( PORT_Strcmp(nnptr[n], node->cert->nickname) == 0 ) {
- /* We found a match. If this is the first one, then
- * set the flag and move on to the next cert. If this
- * is not the first one then delete it from the list.
- */
- if ( flags[n] ) {
- /* We have already seen a cert with this nickname,
- * so delete this one.
- */
- freenode = node;
- node = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(freenode);
- } else {
- /* keep the first cert for each nickname, but set the
- * flag so we know to delete any others with the same
- * nickname.
- */
- flags[n] = PR_TRUE;
- node = CERT_LIST_NEXT(node);
- }
- break;
- }
- }
- if ( n == nn ) {
- /* if we get here it means that we didn't find a matching
- * nickname, which should not happen.
- */
- PORT_Assert(0);
- node = CERT_LIST_NEXT(node);
- }
- }
- PORT_Free(flags);
- }
-
- goto done;
-
-loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- certList = NULL;
- }
-
-done:
- if ( nicknames != NULL ) {
- CERT_FreeNicknames(nicknames);
- }
-
- return(certList);
-}
-
-/*
- * Find a user certificate that matchs the given criteria.
- *
- * "handle" - database to search
- * "nickname" - nickname to match
- * "usage" - certificate usage to match
- * "validOnly" - only return certs that are curently valid
- * "proto_win" - window handle passed to pkcs11
- */
-CERTCertificate *
-CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
- char *nickname,
- SECCertUsage usage,
- PRBool validOnly,
- void *proto_win)
-{
- CERTCertificate *cert = NULL;
- CERTCertList *certList = NULL;
- SECStatus rv;
- int64 time;
-
- time = PR_Now();
-
- /* use the pk11 call so that we pick up any certs on tokens,
- * which may require login
- */
- /* XXX - why is this restricted? */
- if ( proto_win != NULL ) {
- cert = PK11_FindCertFromNickname(nickname,proto_win);
- }
-
-
- /* sigh, There are still problems find smart cards from the temp
- * db. This will get smart cards working again. The real fix
- * is to make sure we can search the temp db by their token nickname.
- */
- if (cert == NULL) {
- cert = CERT_FindCertByNickname(handle,nickname);
- }
-
- if ( cert != NULL ) {
- /* collect certs for this nickname, sorting them into the list */
- certList = CERT_CreateSubjectCertList(certList, handle,
- &cert->derSubject, time, validOnly);
-
- /* drop the extra reference */
- CERT_DestroyCertificate(cert);
- cert = NULL;
- }
-
- if ( certList == NULL ) {
- goto loser;
- }
-
- /* remove certs with incorrect usage */
- rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- if ( ! CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) {
- cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
- }
-
-loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- }
-
- return(cert);
-}
-
-CERTCertList *
-CERT_MatchUserCert(CERTCertDBHandle *handle,
- SECCertUsage usage,
- int nCANames, char **caNames,
- void *proto_win)
-{
- CERTCertList *certList = NULL;
- SECStatus rv;
-
- certList = CERT_FindUserCertsByUsage(handle, usage, PR_TRUE, PR_TRUE,
- proto_win);
- if ( certList == NULL ) {
- goto loser;
- }
-
- rv = CERT_FilterCertListByCANames(certList, nCANames, caNames, usage);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- goto done;
-
-loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- certList = NULL;
- }
-
-done:
-
- return(certList);
-}
-
-
-typedef struct stringNode {
- struct stringNode *next;
- char *string;
-} stringNode;
-
-static SECStatus
-CollectNicknames( CERTCertificate *cert, SECItem *k, void *data)
-{
- CERTCertNicknames *names;
- PRBool saveit = PR_FALSE;
- CERTCertTrust *trust;
- stringNode *node;
- int len;
-
- names = (CERTCertNicknames *)data;
-
- if ( cert->nickname ) {
- trust = cert->trust;
-
- switch(names->what) {
- case SEC_CERT_NICKNAMES_ALL:
- if ( ( trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
- ( trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
- ( trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ) {
- saveit = PR_TRUE;
- }
-
- break;
- case SEC_CERT_NICKNAMES_USER:
- if ( ( trust->sslFlags & CERTDB_USER ) ||
- ( trust->emailFlags & CERTDB_USER ) ||
- ( trust->objectSigningFlags & CERTDB_USER ) ) {
- saveit = PR_TRUE;
- }
-
- break;
- case SEC_CERT_NICKNAMES_SERVER:
- if ( trust->sslFlags & CERTDB_VALID_PEER ) {
- saveit = PR_TRUE;
- }
-
- break;
- case SEC_CERT_NICKNAMES_CA:
- if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
- ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
- ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ) {
- saveit = PR_TRUE;
- }
- break;
- }
- }
-
- /* traverse the list of collected nicknames and make sure we don't make
- * a duplicate
- */
- if ( saveit ) {
- node = (stringNode *)names->head;
- while ( node != NULL ) {
- if ( PORT_Strcmp(cert->nickname, node->string) == 0 ) {
- /* if the string matches, then don't save this one */
- saveit = PR_FALSE;
- break;
- }
- node = node->next;
- }
- }
-
- if ( saveit ) {
-
- /* allocate the node */
- node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
- if ( node == NULL ) {
- return(SECFailure);
- }
-
- /* copy the string */
- len = PORT_Strlen(cert->nickname) + 1;
- node->string = (char*)PORT_ArenaAlloc(names->arena, len);
- if ( node->string == NULL ) {
- return(SECFailure);
- }
- PORT_Memcpy(node->string, cert->nickname, len);
-
- /* link it into the list */
- node->next = (stringNode *)names->head;
- names->head = (void *)node;
-
- /* bump the count */
- names->numnicknames++;
- }
-
- return(SECSuccess);
-}
-
-CERTCertNicknames *
-CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
-{
- PRArenaPool *arena;
- CERTCertNicknames *names;
- int i;
- SECStatus rv;
- stringNode *node;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(NULL);
- }
-
- names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
- if ( names == NULL ) {
- goto loser;
- }
-
- names->arena = arena;
- names->head = NULL;
- names->numnicknames = 0;
- names->nicknames = NULL;
- names->what = what;
- names->totallen = 0;
-
- rv = SEC_TraversePermCerts(handle, CollectNicknames, (void *)names);
- if ( rv ) {
- goto loser;
- }
-
- if ( wincx != NULL ) {
- rv = PK11_TraverseSlotCerts(CollectNicknames, (void *)names, wincx);
- if ( rv ) {
- goto loser;
- }
- }
-
- if ( names->numnicknames ) {
- names->nicknames = (char**)PORT_ArenaAlloc(arena,
- names->numnicknames * sizeof(char *));
-
- if ( names->nicknames == NULL ) {
- goto loser;
- }
-
- node = (stringNode *)names->head;
-
- for ( i = 0; i < names->numnicknames; i++ ) {
- PORT_Assert(node != NULL);
-
- names->nicknames[i] = node->string;
- names->totallen += PORT_Strlen(node->string);
- node = node->next;
- }
-
- PORT_Assert(node == NULL);
- }
-
- return(names);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
-}
-
-void
-CERT_FreeNicknames(CERTCertNicknames *nicknames)
-{
- PORT_FreeArena(nicknames->arena, PR_FALSE);
-
- return;
-}
-
-/* [ FROM pcertdb.c ] */
-
-typedef struct dnameNode {
- struct dnameNode *next;
- SECItem name;
-} dnameNode;
-
-void
-CERT_FreeDistNames(CERTDistNames *names)
-{
- PORT_FreeArena(names->arena, PR_FALSE);
-
- return;
-}
-
-static SECStatus
-CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
-{
- CERTDistNames *names;
- PRBool saveit = PR_FALSE;
- CERTCertTrust *trust;
- dnameNode *node;
- int len;
-
- names = (CERTDistNames *)data;
-
- if ( cert->trust ) {
- trust = cert->trust;
-
- /* only collect names of CAs trusted for issuing SSL clients */
- if ( ( trust->sslFlags &
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CLIENT_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CLIENT_CA ) ) {
- saveit = PR_TRUE;
- }
- }
-
- if ( saveit ) {
- /* allocate the node */
- node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
- if ( node == NULL ) {
- return(SECFailure);
- }
-
- /* copy the name */
- node->name.len = len = cert->derSubject.len;
- node->name.data = (unsigned char*)PORT_ArenaAlloc(names->arena, len);
- if ( node->name.data == NULL ) {
- return(SECFailure);
- }
- PORT_Memcpy(node->name.data, cert->derSubject.data, len);
-
- /* link it into the list */
- node->next = (dnameNode *)names->head;
- names->head = (void *)node;
-
- /* bump the count */
- names->nnames++;
- }
-
- return(SECSuccess);
-}
-
-/*
- * Return all of the CAs that are "trusted" for SSL.
- */
-CERTDistNames *
-CERT_GetSSLCACerts(CERTCertDBHandle *handle)
-{
- PRArenaPool *arena;
- CERTDistNames *names;
- int i;
- SECStatus rv;
- dnameNode *node;
-
- /* allocate an arena to use */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(NULL);
- }
-
- /* allocate the header structure */
- names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames));
- if ( names == NULL ) {
- goto loser;
- }
-
- /* initialize the header struct */
- names->arena = arena;
- names->head = NULL;
- names->nnames = 0;
- names->names = NULL;
-
- /* collect the names from the database */
- rv = SEC_TraversePermCerts(handle, CollectDistNames, (void *)names);
- if ( rv ) {
- goto loser;
- }
-
- /* construct the array from the list */
- if ( names->nnames ) {
- names->names = (SECItem*)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem));
-
- if ( names->names == NULL ) {
- goto loser;
- }
-
- node = (dnameNode *)names->head;
-
- for ( i = 0; i < names->nnames; i++ ) {
- PORT_Assert(node != NULL);
-
- names->names[i] = node->name;
- node = node->next;
- }
-
- PORT_Assert(node == NULL);
- }
-
- return(names);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
-}
-
-CERTDistNames *
-CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
- int nnames)
-{
- CERTDistNames *dnames = NULL;
- PRArenaPool *arena;
- int i, rv;
- SECItem *names = NULL;
- CERTCertificate *cert = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto loser;
- dnames = (CERTDistNames*)PORT_Alloc(sizeof(CERTDistNames));
- if (dnames == NULL) goto loser;
-
- dnames->arena = arena;
- dnames->nnames = nnames;
- dnames->names = names = (SECItem*)PORT_Alloc(nnames * sizeof(SECItem));
- if (names == NULL) goto loser;
-
- for (i = 0; i < nnames; i++) {
- cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
- if (cert == NULL) goto loser;
- rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
- if (rv == SECFailure) goto loser;
- CERT_DestroyCertificate(cert);
- }
- return dnames;
-
-loser:
- if (cert != NULL)
- CERT_DestroyCertificate(cert);
- if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
-}
-
-/* [ from pcertdb.c - calls Ascii to Name ] */
-/*
- * Lookup a certificate in the database by name
- */
-CERTCertificate *
-CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr)
-{
- CERTName *name;
- SECItem *nameItem;
- CERTCertificate *cert = NULL;
- PRArenaPool *arena = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( arena == NULL ) {
- goto loser;
- }
-
- name = CERT_AsciiToName(nameStr);
-
- if ( name ) {
- nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name,
- CERT_NameTemplate);
- if ( nameItem == NULL ) {
- goto loser;
- }
-
- cert = CERT_FindCertByName(handle, nameItem);
- CERT_DestroyName(name);
- }
-
-loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(cert);
-}
-
-/* From certv3.c */
-
-CERTCrlDistributionPoints *
-CERT_FindCRLDistributionPoints (CERTCertificate *cert)
-{
- SECItem encodedExtenValue;
- SECStatus rv;
-
- encodedExtenValue.data = NULL;
- encodedExtenValue.len = 0;
-
- rv = cert_FindExtension(cert->extensions, SEC_OID_X509_CRL_DIST_POINTS,
- &encodedExtenValue);
- if ( rv != SECSuccess ) {
- return (NULL);
- }
-
- return (CERT_DecodeCRLDistributionPoints (cert->arena,
- &encodedExtenValue));
-}
-
-/* From crl.c */
-CERTSignedCrl * CERT_ImportCRL
- (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx)
-{
- CERTCertificate *caCert;
- CERTSignedCrl *newCrl, *crl;
- SECStatus rv;
-
- newCrl = crl = NULL;
-
- PORT_Assert (handle != NULL);
- do {
-
- newCrl = CERT_DecodeDERCrl(NULL, derCRL, type);
- if (newCrl == NULL) {
- if (type == SEC_CRL_TYPE) {
- /* only promote error when the error code is too generic */
- if (PORT_GetError () == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_CRL_INVALID);
- } else {
- PORT_SetError(SEC_ERROR_KRL_INVALID);
- }
- break;
- }
-
- caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
- if (caCert == NULL) {
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- break;
- }
-
- /* If caCert is a v3 certificate, make sure that it can be used for
- crl signing purpose */
- rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
- if (rv != SECSuccess) {
- break;
- }
-
- rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
- PR_Now(), wincx);
- if (rv != SECSuccess) {
- if (type == SEC_CRL_TYPE) {
- PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
- } else {
- PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
- }
- break;
- }
-
- /* Do CRL validation and add to the dbase if this crl is more present then the one
- in the dbase, if one exists.
- */
- crl = cert_DBInsertCRL (handle, url, newCrl, derCRL, type);
-
- } while (0);
-
- SEC_DestroyCrl (newCrl);
- return (crl);
-}
-
-/* From certdb.c */
-SECStatus
-CERT_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage)
-{
- SECStatus rv;
- SECItem *derCert;
- SECItem certKey;
- PRArenaPool *arena;
- CERTCertificate *cert = NULL;
- CERTCertificate *newcert = NULL;
- CERTCertDBHandle *handle;
- CERTCertTrust trust;
- PRBool isca;
- char *nickname;
- unsigned int certtype;
-
- handle = CERT_GetDefaultCertDB();
-
- arena = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( ! arena ) {
- goto loser;
- }
-
- while (numcerts--) {
- derCert = certs;
- certs++;
-
- /* get the key (issuer+cn) from the cert */
- rv = CERT_KeyFromDERCert(arena, derCert, &certKey);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* same cert already exists in the database, don't need to do
- * anything more with it
- */
- cert = CERT_FindCertByKey(handle, &certKey);
- if ( cert ) {
- CERT_DestroyCertificate(cert);
- cert = NULL;
- continue;
- }
-
- /* decode my certificate */
- newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
- if ( newcert == NULL ) {
- goto loser;
- }
-
- /* make sure that cert is valid */
- rv = CERT_CertTimesValid(newcert);
- if ( rv == SECFailure ) {
- goto endloop;
- }
-
- /* does it have the CA extension */
-
- /*
- * Make sure that if this is an intermediate CA in the chain that
- * it was given permission by its signer to be a CA.
- */
- isca = CERT_IsCACert(newcert, &certtype);
-
- if ( !isca ) {
- goto endloop;
- }
-
- /* SSL ca's must have the ssl bit set */
- if ( ( certUsage == certUsageSSLCA ) &&
- ( ( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA ) ) {
- goto endloop;
- }
-
- /* it passed all of the tests, so lets add it to the database */
- /* mark it as a CA */
- PORT_Memset((void *)&trust, 0, sizeof(trust));
- switch ( certUsage ) {
- case certUsageSSLCA:
- trust.sslFlags = CERTDB_VALID_CA;
- break;
- case certUsageUserCertImport:
- if ( ( certtype & NS_CERT_TYPE_SSL_CA ) == NS_CERT_TYPE_SSL_CA ) {
- trust.sslFlags = CERTDB_VALID_CA;
- }
- if ( ( certtype & NS_CERT_TYPE_EMAIL_CA ) ==
- NS_CERT_TYPE_EMAIL_CA ) {
- trust.emailFlags = CERTDB_VALID_CA;
- }
- if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) ==
- NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
- trust.objectSigningFlags = CERTDB_VALID_CA;
- }
- break;
- default:
- PORT_Assert(0);
- break;
- }
-
- cert = CERT_NewTempCertificate(handle, derCert, NULL, PR_FALSE, PR_TRUE);
- if ( cert == NULL ) {
- goto loser;
- }
-
- /* get a default nickname for it */
- nickname = CERT_MakeCANickname(cert);
-
- rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
- /* free the nickname */
- if ( nickname ) {
- PORT_Free(nickname);
- }
-
- CERT_DestroyCertificate(cert);
- cert = NULL;
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
-endloop:
- if ( newcert ) {
- CERT_DestroyCertificate(newcert);
- newcert = NULL;
- }
-
- }
-
- rv = SECSuccess;
- goto done;
-loser:
- rv = SECFailure;
-done:
-
- if ( newcert ) {
- CERT_DestroyCertificate(newcert);
- newcert = NULL;
- }
-
- if ( cert ) {
- CERT_DestroyCertificate(cert);
- cert = NULL;
- }
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(rv);
-}
-
-/* Moved from certdb.c */
-/*
-** CERT_CertChainFromCert
-**
-** Construct a CERTCertificateList consisting of the given certificate and all
-** of the issuer certs until we either get to a self-signed cert or can't find
-** an issuer. Since we don't know how many certs are in the chain we have to
-** build a linked list first as we count them.
-*/
-
-typedef struct certNode {
- struct certNode *next;
- CERTCertificate *cert;
-} certNode;
-
-CERTCertificateList *
-CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
- PRBool includeRoot)
-{
- CERTCertificateList *chain = NULL;
- CERTCertificate *c;
- SECItem *p;
- int rv, len = 0;
- PRArenaPool *tmpArena, *arena;
- certNode *head, *tail, *node;
-
- /*
- * Initialize stuff so we can goto loser.
- */
- head = NULL;
- arena = NULL;
-
- /* arena for linked list */
- tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (tmpArena == NULL) goto no_memory;
-
- /* arena for SecCertificateList */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto no_memory;
-
- head = tail = (certNode*)PORT_ArenaZAlloc(tmpArena, sizeof(certNode));
- if (head == NULL) goto no_memory;
-
- /* put primary cert first in the linked list */
- head->cert = c = CERT_DupCertificate(cert);
- if (head->cert == NULL) goto loser;
- len++;
-
- /* add certs until we come to a self-signed one */
- while(SECITEM_CompareItem(&c->derIssuer, &c->derSubject) != SECEqual) {
- c = CERT_FindCertIssuer(tail->cert, PR_Now(), usage);
- if (c == NULL) {
- /* no root is found, so make sure we don't attempt to delete one
- * below
- */
- includeRoot = PR_TRUE;
- break;
- }
-
- tail->next = (certNode*)PORT_ArenaZAlloc(tmpArena, sizeof(certNode));
- tail = tail->next;
- if (tail == NULL) goto no_memory;
-
- tail->cert = c;
- len++;
- }
-
- /* now build the CERTCertificateList */
- chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
- if (chain == NULL) goto no_memory;
- chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
- if (chain->certs == NULL) goto no_memory;
-
- for(node = head, p = chain->certs; node; node = node->next, p++) {
- rv = SECITEM_CopyItem(arena, p, &node->cert->derCert);
- CERT_DestroyCertificate(node->cert);
- node->cert = NULL;
- if (rv < 0) goto loser;
- }
- if ( includeRoot ) {
- chain->len = len;
- } else {
- chain->len = len - 1;
- }
-
- chain->arena = arena;
-
- PORT_FreeArena(tmpArena, PR_FALSE);
-
- return chain;
-
-no_memory:
- PORT_SetError(SEC_ERROR_NO_MEMORY);
-loser:
- if (head != NULL) {
- for (node = head; node; node = node->next) {
- if (node->cert != NULL)
- CERT_DestroyCertificate(node->cert);
- }
- }
-
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- if (tmpArena != NULL) {
- PORT_FreeArena(tmpArena, PR_FALSE);
- }
-
- return NULL;
-}
-
-CERTCertificateList *
-CERT_CertListFromCert(CERTCertificate *cert)
-{
- CERTCertificateList *chain = NULL;
- int rv;
- PRArenaPool *arena;
-
- /* arena for SecCertificateList */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto no_memory;
-
- /* build the CERTCertificateList */
- chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
- if (chain == NULL) goto no_memory;
- chain->certs = (SECItem*)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem));
- if (chain->certs == NULL) goto no_memory;
- rv = SECITEM_CopyItem(arena, chain->certs, &(cert->derCert));
- if (rv < 0) goto loser;
- chain->len = 1;
- chain->arena = arena;
-
- return chain;
-
-no_memory:
- PORT_SetError(SEC_ERROR_NO_MEMORY);
-loser:
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return NULL;
-}
-
-void
-CERT_DestroyCertificateList(CERTCertificateList *list)
-{
- PORT_FreeArena(list->arena, PR_FALSE);
-}
-
diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c
deleted file mode 100644
index 4190a52a3..000000000
--- a/security/nss/lib/certhigh/certhtml.c
+++ /dev/null
@@ -1,623 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * certhtml.c --- convert a cert to html
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "sechash.h"
-#include "cert.h"
-#include "keyhi.h"
-#include "secder.h"
-#include "prprf.h"
-#include "secport.h"
-#include "secasn1.h"
-#include "pk11func.h"
-
-static char *hex = "0123456789ABCDEF";
-
-/*
-** Convert a der-encoded integer to a hex printable string form
-*/
-char *CERT_Hexify (SECItem *i, int do_colon)
-{
- unsigned char *cp, *end;
- char *rv, *o;
-
- if (!i->len) {
- return PORT_Strdup("00");
- }
-
- rv = o = (char*) PORT_Alloc(i->len * 3);
- if (!rv) return rv;
-
- cp = i->data;
- end = cp + i->len;
- while (cp < end) {
- unsigned char ch = *cp++;
- *o++ = hex[(ch >> 4) & 0xf];
- *o++ = hex[ch & 0xf];
- if (cp != end) {
- if (do_colon) {
- *o++ = ':';
- }
- }
- }
- *o = 0; /* Null terminate the string */
- return rv;
-}
-
-static char *
-gatherStrings(char **strings)
-{
- char **strs;
- int len;
- char *ret;
- char *s;
-
- /* find total length of all strings */
- strs = strings;
- len = 0;
- while ( *strs ) {
- len += PORT_Strlen(*strs);
- strs++;
- }
-
- /* alloc enough memory for it */
- ret = (char*)PORT_Alloc(len + 1);
- if ( !ret ) {
- return(ret);
- }
-
- s = ret;
-
- /* copy the strings */
- strs = strings;
- while ( *strs ) {
- PORT_Strcpy(s, *strs);
- s += PORT_Strlen(*strs);
- strs++;
- }
-
- return( ret );
-}
-
-static PRBool
-CERT_IsAVAInUnicode(CERTAVA *ava, SECOidTag type)
-{
- switch(type) {
- case SEC_OID_AVA_COUNTRY_NAME:
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- case SEC_OID_RFC1274_MAIL:
- return PR_FALSE;
- default:
- if(ava->value.data[0] == SEC_ASN1_UNIVERSAL_STRING) {
- return PR_TRUE;
- }
- break;
- }
-
- return PR_FALSE;
-}
-
-#define BREAK "<br>"
-#define BREAKLEN 4
-#define COMMA ", "
-#define COMMALEN 2
-
-#define MAX_OUS 20
-#define MAX_DC MAX_OUS
-
-
-char *CERT_FormatName (CERTName *name)
-{
- CERTRDN** rdns;
- CERTRDN * rdn;
- CERTAVA** avas;
- CERTAVA* ava;
- char * buf = 0;
- char * tmpbuf = 0;
- SECItem * cn = 0;
- SECItem * email = 0;
- SECItem * org = 0;
- SECItem * loc = 0;
- SECItem * state = 0;
- SECItem * country = 0;
- SECItem * dq = 0;
-
- unsigned len = 0;
- int tag;
- int i;
- int ou_count = 0;
- int dc_count = 0;
- PRBool first;
- SECItem * orgunit[MAX_OUS];
- SECItem * dc[MAX_DC];
-
- /* Loop over name components and gather the interesting ones */
- rdns = name->rdns;
- while ((rdn = *rdns++) != 0) {
- avas = rdn->avas;
- while ((ava = *avas++) != 0) {
- tag = CERT_GetAVATag(ava);
- switch(tag) {
- case SEC_OID_AVA_COMMON_NAME:
- cn = CERT_DecodeAVAValue(&ava->value);
- len += cn->len;
- break;
- case SEC_OID_AVA_COUNTRY_NAME:
- country = CERT_DecodeAVAValue(&ava->value);
- len += country->len;
- break;
- case SEC_OID_AVA_LOCALITY:
- loc = CERT_DecodeAVAValue(&ava->value);
- len += loc->len;
- break;
- case SEC_OID_AVA_STATE_OR_PROVINCE:
- state = CERT_DecodeAVAValue(&ava->value);
- len += state->len;
- break;
- case SEC_OID_AVA_ORGANIZATION_NAME:
- org = CERT_DecodeAVAValue(&ava->value);
- len += org->len;
- break;
- case SEC_OID_AVA_DN_QUALIFIER:
- dq = CERT_DecodeAVAValue(&ava->value);
- len += dq->len;
- break;
- case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
- if (ou_count < MAX_OUS) {
- orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
- len += orgunit[ou_count++]->len;
- }
- break;
- case SEC_OID_AVA_DC:
- if (dc_count < MAX_DC) {
- dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
- len += dc[dc_count++]->len;
- }
- break;
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- case SEC_OID_RFC1274_MAIL:
- email = CERT_DecodeAVAValue(&ava->value);
- len += email->len;
- break;
- default:
- break;
- }
- }
- }
-
- /* XXX - add some for formatting */
- len += 128;
-
- /* allocate buffer */
- buf = (char *)PORT_Alloc(len);
- if ( !buf ) {
- return(0);
- }
-
- tmpbuf = buf;
-
- if ( cn ) {
- PORT_Memcpy(tmpbuf, cn->data, cn->len);
- tmpbuf += cn->len;
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- SECITEM_FreeItem(cn, PR_TRUE);
- }
- if ( email ) {
- PORT_Memcpy(tmpbuf, email->data, email->len);
- tmpbuf += ( email->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- SECITEM_FreeItem(email, PR_TRUE);
- }
- for (i=ou_count-1; i >= 0; i--) {
- PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
- tmpbuf += ( orgunit[i]->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- SECITEM_FreeItem(orgunit[i], PR_TRUE);
- }
- if ( dq ) {
- PORT_Memcpy(tmpbuf, dq->data, dq->len);
- tmpbuf += ( dq->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- SECITEM_FreeItem(dq, PR_TRUE);
- }
- if ( org ) {
- PORT_Memcpy(tmpbuf, org->data, org->len);
- tmpbuf += ( org->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- SECITEM_FreeItem(org, PR_TRUE);
- }
- for (i=dc_count-1; i >= 0; i--) {
- PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
- tmpbuf += ( dc[i]->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- SECITEM_FreeItem(dc[i], PR_TRUE);
- }
- first = PR_TRUE;
- if ( loc ) {
- PORT_Memcpy(tmpbuf, loc->data, loc->len);
- tmpbuf += ( loc->len );
- first = PR_FALSE;
- SECITEM_FreeItem(loc, PR_TRUE);
- }
- if ( state ) {
- if ( !first ) {
- PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
- tmpbuf += COMMALEN;
- }
- PORT_Memcpy(tmpbuf, state->data, state->len);
- tmpbuf += ( state->len );
- first = PR_FALSE;
- SECITEM_FreeItem(state, PR_TRUE);
- }
- if ( country ) {
- if ( !first ) {
- PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
- tmpbuf += COMMALEN;
- }
- PORT_Memcpy(tmpbuf, country->data, country->len);
- tmpbuf += ( country->len );
- first = PR_FALSE;
- SECITEM_FreeItem(country, PR_TRUE);
- }
- if ( !first ) {
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
- }
-
- *tmpbuf = 0;
-
- return(buf);
-}
-
-static char *sec_FortezzaClearance(SECItem *clearance) {
- unsigned char clr = 0;
-
- if (clearance->len > 0) { clr = clearance->data[0]; }
-
- if (clr & 0x4) return "Top Secret";
- if (clr & 0x8) return "Secret";
- if (clr & 0x10) return "Confidential";
- if (clr & 0x20) return "Sensitive";
- if (clr & 0x40) return "Unclassified";
- return "None";
-}
-
-static char *sec_FortezzaMessagePriviledge(SECItem *priv) {
- unsigned char clr = 0;
-
- if (priv->len > 0) { clr = (priv->data[0]) & 0x78; }
-
- if (clr == 0x00) {
- return "None";
- } else {
-
- return PR_smprintf("%s%s%s%s%s%s%s",
-
- clr&0x40?"Critical/Flash":"",
- (clr&0x40) && (clr&0x38) ? ", " : "" ,
-
- clr&0x20?"Immediate/Priority":"",
- (clr&0x20) && (clr&0x18) ? ", " : "" ,
-
- clr&0x10?"Routine/Deferred":"",
- (clr&0x10) && (clr&0x08) ? ", " : "" ,
-
- clr&0x08?"Rekey Agent":"");
- }
-
-}
-
-static char *sec_FortezzaCertPriviledge(SECItem *priv) {
- unsigned char clr = 0;
-
- if (priv->len > 0) { clr = priv->data[0]; }
-
- return PR_smprintf("%s%s%s%s%s%s%s%s%s%s%s%s",
- clr&0x40?"Organizational Releaser":"",
- (clr&0x40) && (clr&0x3e) ? "," : "" ,
- clr&0x20?"Policy Creation Authority":"",
- (clr&0x20) && (clr&0x1e) ? "," : "" ,
- clr&0x10?"Certificate Authority":"",
- (clr&0x10) && (clr&0x0e) ? "," : "" ,
- clr&0x08?"Local Managment Authority":"",
- (clr&0x08) && (clr&0x06) ? "," : "" ,
- clr&0x04?"Configuration Vector Authority":"",
- (clr&0x04) && (clr&0x02) ? "," : "" ,
- clr&0x02?"No Signature Capability":"",
- clr&0x7e?"":"Signing Only"
- );
-}
-
-static char *htmlcertstrings[] = {
- "<table border=0 cellspacing=0 cellpadding=0><tr><td valign=top>"
- "<font size=2><b>This Certificate belongs to:</b><br>"
- "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
- 0, /* image goes here */
- 0,
- 0,
- "</td><td width=10> </td><td><font size=2>",
- 0, /* subject name goes here */
- "</td></tr></table></font></td><td width=20> </td><td valign=top>"
- "<font size=2><b>This Certificate was issued by:</b><br>"
- "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
- 0, /* image goes here */
- 0,
- 0,
- "</td><td width=10> </td><td><font size=2>",
- 0, /* issuer name goes here */
- "</td></tr></table></font></td></tr></table>"
- "<b>Serial Number:</b> ",
- 0,
- "<br><b>This Certificate is valid from ",
- 0, /* notBefore goes here */
- " to ",
- 0, /* notAfter does here */
- "</b><br><b>Clearance:</b>",
- 0,
- "<br><b>DSS Priviledges:</b>",
- 0,
- "<br><b>KEA Priviledges:</b>",
- 0,
- "<br><b>KMID:</b>",
- 0,
- "<br><b>Certificate Fingerprint:</b>"
- "<table border=0 cellspacing=0 cellpadding=0><tr>"
- "<td width=10> </td><td><font size=2>",
- 0, /* fingerprint goes here */
- "</td></tr></table>",
- 0, /* comment header goes here */
- 0, /* comment goes here */
- 0, /* comment trailer goes here */
- 0
-};
-
-char *
-CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
-{
- SECStatus rv;
- char *issuer, *subject, *serialNumber, *version;
- char *notBefore, *notAfter;
- char *ret;
- char *nickname;
- SECItem dummyitem;
- unsigned char fingerprint[16]; /* result of MD5, always 16 bytes */
- char *fpstr;
- SECItem fpitem;
- char *commentstring = NULL;
- SECKEYPublicKey *pubk;
- char *DSSPriv;
- char *KMID = NULL;
- char *servername;
-
- if (!cert) {
- return(0);
- }
-
- issuer = CERT_FormatName (&cert->issuer);
- subject = CERT_FormatName (&cert->subject);
- version = CERT_Hexify (&cert->version,1);
- serialNumber = CERT_Hexify (&cert->serialNumber,1);
- notBefore = DER_UTCDayToAscii(&cert->validity.notBefore);
- notAfter = DER_UTCDayToAscii(&cert->validity.notAfter);
- servername = CERT_FindNSStringExtension(cert,
- SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
-
- nickname = cert->nickname;
- if ( nickname == NULL ) {
- showImages = PR_FALSE;
- }
-
- dummyitem.data = NULL;
- rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
- &dummyitem);
- if ( dummyitem.data ) {
- PORT_Free(dummyitem.data);
- }
-
- if ( rv || !showImages ) {
- htmlcertstrings[1] = "";
- htmlcertstrings[2] = "";
- htmlcertstrings[3] = "";
- } else {
- htmlcertstrings[1] = "<img src=\"about:security?subject-logo=";
- htmlcertstrings[2] = nickname;
- htmlcertstrings[3] = "\">";
- }
-
- if ( servername ) {
- char *tmpstr;
- tmpstr = (char *)PORT_Alloc(PORT_Strlen(subject) +
- PORT_Strlen(servername) +
- sizeof("<br>") + 1);
- if ( tmpstr ) {
- PORT_Strcpy(tmpstr, servername);
- PORT_Strcat(tmpstr, "<br>");
- PORT_Strcat(tmpstr, subject);
- PORT_Free(subject);
- subject = tmpstr;
- }
- }
-
- htmlcertstrings[5] = subject;
-
- dummyitem.data = NULL;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
- &dummyitem);
- if ( dummyitem.data ) {
- PORT_Free(dummyitem.data);
- }
-
- if ( rv || !showImages ) {
- htmlcertstrings[7] = "";
- htmlcertstrings[8] = "";
- htmlcertstrings[9] = "";
- } else {
- htmlcertstrings[7] = "<img src=\"about:security?issuer-logo=";
- htmlcertstrings[8] = nickname;
- htmlcertstrings[9] = "\">";
- }
-
-
- if (showIssuer == PR_TRUE) {
- htmlcertstrings[11] = issuer;
- } else {
- htmlcertstrings[11] = "";
- }
-
- htmlcertstrings[13] = serialNumber;
- htmlcertstrings[15] = notBefore;
- htmlcertstrings[17] = notAfter;
-
- pubk = CERT_ExtractPublicKey(cert);
- DSSPriv = NULL;
- if (pubk && (pubk->keyType == fortezzaKey)) {
- htmlcertstrings[18] = "</b><br><b>Clearance:</b>";
- htmlcertstrings[19] = sec_FortezzaClearance(
- &pubk->u.fortezza.clearance);
- htmlcertstrings[20] = "<br><b>DSS Priviledges:</b>";
- DSSPriv = sec_FortezzaCertPriviledge(
- &pubk->u.fortezza.DSSpriviledge);
- htmlcertstrings[21] = DSSPriv;
- htmlcertstrings[22] = "<br><b>KEA Priviledges:</b>";
- htmlcertstrings[23] = sec_FortezzaMessagePriviledge(
- &pubk->u.fortezza.KEApriviledge);
- htmlcertstrings[24] = "<br><b>KMID:</b>";
- dummyitem.data = &pubk->u.fortezza.KMID[0];
- dummyitem.len = sizeof(pubk->u.fortezza.KMID);
- KMID = CERT_Hexify (&dummyitem,0);
- htmlcertstrings[25] = KMID;
- } else {
- /* clear out the headers in the non-fortezza cases */
- htmlcertstrings[18] = "";
- htmlcertstrings[19] = "";
- htmlcertstrings[20] = "";
- htmlcertstrings[21] = "";
- htmlcertstrings[22] = "";
- htmlcertstrings[23] = "";
- htmlcertstrings[24] = "";
- htmlcertstrings[25] = "</b>";
- }
-
- if (pubk) {
- SECKEY_DestroyPublicKey(pubk);
- }
-
-#define HTML_OFF 27
- rv = PK11_HashBuf(SEC_OID_MD5, fingerprint,
- cert->derCert.data, cert->derCert.len);
-
- fpitem.data = fingerprint;
- fpitem.len = sizeof(fingerprint);
-
- fpstr = CERT_Hexify (&fpitem,1);
-
- htmlcertstrings[HTML_OFF] = fpstr;
-
- commentstring = CERT_GetCertCommentString(cert);
-
- if (commentstring == NULL) {
- htmlcertstrings[HTML_OFF+2] = "";
- htmlcertstrings[HTML_OFF+3] = "";
- htmlcertstrings[HTML_OFF+4] = "";
- } else {
- htmlcertstrings[HTML_OFF+2] =
- "<b>Comment:</b>"
- "<table border=0 cellspacing=0 cellpadding=0><tr>"
- "<td width=10> </td><td><font size=3>"
- "<textarea name=foobar rows=4 cols=55 onfocus=\"this.blur()\">";
- htmlcertstrings[HTML_OFF+3] = commentstring;
- htmlcertstrings[HTML_OFF+4] = "</textarea></font></td></tr></table>";
- }
-
- ret = gatherStrings(htmlcertstrings);
-
- if ( issuer ) {
- PORT_Free(issuer);
- }
-
- if ( subject ) {
- PORT_Free(subject);
- }
-
- if ( version ) {
- PORT_Free(version);
- }
-
- if ( serialNumber ) {
- PORT_Free(serialNumber);
- }
-
- if ( notBefore ) {
- PORT_Free(notBefore);
- }
-
- if ( notAfter ) {
- PORT_Free(notAfter);
- }
-
- if ( fpstr ) {
- PORT_Free(fpstr);
- }
- if (DSSPriv) {
- PORT_Free(DSSPriv);
- }
-
- if (KMID) {
- PORT_Free(KMID);
- }
-
- if ( commentstring ) {
- PORT_Free(commentstring);
- }
-
- if ( servername ) {
- PORT_Free(servername);
- }
-
- return(ret);
-}
-
diff --git a/security/nss/lib/certhigh/certread.c b/security/nss/lib/certhigh/certread.c
deleted file mode 100644
index 5c5ddab78..000000000
--- a/security/nss/lib/certhigh/certread.c
+++ /dev/null
@@ -1,535 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cert.h"
-#include "secpkcs7.h"
-#include "base64.h"
-#include "secitem.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-
-SECStatus
-SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
-{
- SEC_PKCS7ContentInfo *contentInfo = NULL;
- SECStatus rv;
- SECItem **certs;
- int count;
-
- contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL);
- if ( contentInfo == NULL ) {
- goto loser;
- }
-
- if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
- goto loser;
- }
-
- certs = contentInfo->content.signedData->rawCerts;
- if ( certs ) {
- count = 0;
-
- while ( *certs ) {
- count++;
- certs++;
- }
- rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
- }
-
- rv = SECSuccess;
-
- goto done;
-loser:
- rv = SECFailure;
-
-done:
- if ( contentInfo ) {
- SEC_PKCS7DestroyContentInfo(contentInfo);
- }
-
- return(rv);
-}
-
-const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF,
- 0, SECAnyTemplate }
-};
-
-SECStatus
-SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
-{
- SECStatus rv;
- SECItem **certs;
- int count;
- SECItem **rawCerts = NULL;
- PRArenaPool *arena;
- SEC_PKCS7ContentInfo *contentInfo = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- return SECFailure;
- }
-
- contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL);
- if ( contentInfo == NULL ) {
- goto loser;
- }
-
- if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
- goto loser;
- }
-
-
- rv = SEC_ASN1DecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
- contentInfo->content.data);
-
- if (rv != SECSuccess) {
- goto loser;
- }
-
- certs = rawCerts;
- if ( certs ) {
- count = 0;
-
- while ( *certs ) {
- count++;
- certs++;
- }
- rv = (* f)(arg, rawCerts, count);
- }
-
- rv = SECSuccess;
-
- goto done;
-loser:
- rv = SECFailure;
-
-done:
- if ( contentInfo ) {
- SEC_PKCS7DestroyContentInfo(contentInfo);
- }
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(rv);
-}
-
-CERTCertificate *
-CERT_ConvertAndDecodeCertificate(char *certstr)
-{
- CERTCertificate *cert;
- SECStatus rv;
- SECItem der;
-
- rv = ATOB_ConvertAsciiToItem(&der, certstr);
- if (rv != SECSuccess)
- return NULL;
-
- cert = CERT_DecodeDERCertificate(&der, PR_TRUE, NULL);
-
- PORT_Free(der.data);
- return cert;
-}
-
-#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
-#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
-
-#define CERTIFICATE_TYPE_STRING "certificate"
-#define CERTIFICATE_TYPE_LEN (sizeof(CERTIFICATE_TYPE_STRING)-1)
-
-CERTPackageType
-CERT_CertPackageType(SECItem *package, SECItem *certitem)
-{
- unsigned char *cp;
- int seqLen, seqLenLen;
- SECItem oiditem;
- SECOidData *oiddata;
- CERTPackageType type = certPackageNone;
-
- cp = package->data;
-
- /* is a DER encoded certificate of some type? */
- if ( ( *cp & 0x1f ) == SEC_ASN1_SEQUENCE ) {
- cp++;
-
- if ( *cp & 0x80) {
- /* Multibyte length */
- seqLenLen = cp[0] & 0x7f;
-
- switch (seqLenLen) {
- case 4:
- seqLen = ((unsigned long)cp[1]<<24) |
- ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
- break;
- case 3:
- seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
- break;
- case 2:
- seqLen = (cp[1]<<8) | cp[2];
- break;
- case 1:
- seqLen = cp[1];
- break;
- default:
- /* indefinite length */
- seqLen = 0;
- }
- cp += ( seqLenLen + 1 );
-
- } else {
- seqLenLen = 0;
- seqLen = *cp;
- cp++;
- }
-
- /* check entire length if definite length */
- if ( seqLen || seqLenLen ) {
- if ( package->len != ( seqLen + seqLenLen + 2 ) ) {
- /* not a DER package */
- return(type);
- }
- }
-
- /* check the type string */
- /* netscape wrapped DER cert */
- if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
- ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
- ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
-
- cp += ( CERTIFICATE_TYPE_LEN + 2 );
-
- /* it had better be a certificate by now!! */
- if ( certitem ) {
- certitem->data = cp;
- certitem->len = package->len -
- ( cp - (unsigned char *)package->data );
- }
- type = certPackageNSCertWrap;
-
- } else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
- /* XXX - assume DER encoding of OID len!! */
- oiditem.len = cp[1];
- oiditem.data = (unsigned char *)&cp[2];
- oiddata = SECOID_FindOID(&oiditem);
- if ( oiddata == NULL ) {
- /* failure */
- return(type);
- }
-
- if ( certitem ) {
- certitem->data = package->data;
- certitem->len = package->len;
- }
-
- switch ( oiddata->offset ) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- type = certPackagePKCS7;
- break;
- case SEC_OID_NS_TYPE_CERT_SEQUENCE:
- type = certPackageNSCertSeq;
- break;
- default:
- break;
- }
-
- } else {
- /* it had better be a certificate by now!! */
- if ( certitem ) {
- certitem->data = package->data;
- certitem->len = package->len;
- }
-
- type = certPackageCert;
- }
- }
-
- return(type);
-}
-
-/*
- * read an old style ascii or binary certificate chain
- */
-SECStatus
-CERT_DecodeCertPackage(char *certbuf,
- int certlen,
- CERTImportCertificateFunc f,
- void *arg)
-{
- unsigned char *cp;
- int seqLen, seqLenLen;
- int cl;
- unsigned char *bincert = NULL, *certbegin = NULL, *certend = NULL;
- unsigned int binLen;
- char *ascCert = NULL;
- int asciilen;
- CERTCertificate *cert;
- SECItem certitem, oiditem;
- SECStatus rv;
- SECOidData *oiddata;
- SECItem *pcertitem = &certitem;
-
- if ( certbuf == NULL ) {
- return(SECFailure);
- }
-
- cert = 0;
- cp = (unsigned char *)certbuf;
-
- /* is a DER encoded certificate of some type? */
- if ( ( *cp & 0x1f ) == SEC_ASN1_SEQUENCE ) {
- cp++;
-
- if ( *cp & 0x80) {
- /* Multibyte length */
- seqLenLen = cp[0] & 0x7f;
-
- switch (seqLenLen) {
- case 4:
- seqLen = ((unsigned long)cp[1]<<24) |
- ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
- break;
- case 3:
- seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
- break;
- case 2:
- seqLen = (cp[1]<<8) | cp[2];
- break;
- case 1:
- seqLen = cp[1];
- break;
- default:
- /* indefinite length */
- seqLen = 0;
- }
- cp += ( seqLenLen + 1 );
-
- } else {
- seqLenLen = 0;
- seqLen = *cp;
- cp++;
- }
-
- /* check entire length if definite length */
- if ( seqLen || seqLenLen ) {
- if ( certlen != ( seqLen + seqLenLen + 2 ) ) {
- goto notder;
- }
- }
-
- /* check the type string */
- /* netscape wrapped DER cert */
- if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
- ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
- ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
-
- cp += ( CERTIFICATE_TYPE_LEN + 2 );
-
- /* it had better be a certificate by now!! */
- certitem.data = cp;
- certitem.len = certlen - ( cp - (unsigned char *)certbuf );
-
- rv = (* f)(arg, &pcertitem, 1);
-
- return(rv);
- } else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
- /* XXX - assume DER encoding of OID len!! */
- oiditem.len = cp[1];
- oiditem.data = (unsigned char *)&cp[2];
- oiddata = SECOID_FindOID(&oiditem);
- if ( oiddata == NULL ) {
- return(SECFailure);
- }
-
- certitem.data = (unsigned char*)certbuf;
- certitem.len = certlen;
-
- switch ( oiddata->offset ) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- return(SEC_ReadPKCS7Certs(&certitem, f, arg));
- break;
- case SEC_OID_NS_TYPE_CERT_SEQUENCE:
- return(SEC_ReadCertSequence(&certitem, f, arg));
- break;
- default:
- break;
- }
-
- } else {
- /* it had better be a certificate by now!! */
- certitem.data = (unsigned char*)certbuf;
- certitem.len = certlen;
-
- rv = (* f)(arg, &pcertitem, 1);
- return(rv);
- }
- }
-
- /* now look for a netscape base64 ascii encoded cert */
-notder:
- cp = (unsigned char *)certbuf;
- cl = certlen;
- certbegin = 0;
- certend = 0;
-
- /* find the beginning marker */
- while ( cl > sizeof(NS_CERT_HEADER) ) {
- if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
- sizeof(NS_CERT_HEADER)-1) ) {
- cp = cp + sizeof(NS_CERT_HEADER);
- certbegin = cp;
- break;
- }
-
- /* skip to next eol */
- do {
- cp++;
- cl--;
- } while ( ( *cp != '\n') && cl );
-
- /* skip all blank lines */
- while ( ( *cp == '\n') && cl ) {
- cp++;
- cl--;
- }
- }
-
- if ( certbegin ) {
-
- /* find the ending marker */
- while ( cl > sizeof(NS_CERT_TRAILER) ) {
- if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
- sizeof(NS_CERT_TRAILER)-1) ) {
- certend = (unsigned char *)cp;
- break;
- }
-
- /* skip to next eol */
- do {
- cp++;
- cl--;
- } while ( ( *cp != '\n') && cl );
-
- /* skip all blank lines */
- while ( ( *cp == '\n') && cl ) {
- cp++;
- cl--;
- }
- }
- }
-
- if ( certbegin && certend ) {
-
- /* Convert the ASCII data into a nul-terminated string */
- asciilen = certend - certbegin;
- ascCert = (char *)PORT_Alloc(asciilen+1);
- if (!ascCert) {
- rv = SECFailure;
- goto loser;
- }
-
- PORT_Memcpy(ascCert, certbegin, asciilen);
- ascCert[asciilen] = '\0';
-
- /* convert to binary */
- bincert = ATOB_AsciiToData(ascCert, &binLen);
- if (!bincert) {
- rv = SECFailure;
- goto loser;
- }
-
- /* now recurse to decode the binary */
- rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
-
- } else {
- rv = SECFailure;
- }
-
-loser:
-
- if ( bincert ) {
- PORT_Free(bincert);
- }
-
- if ( ascCert ) {
- PORT_Free(ascCert);
- }
-
- return(rv);
-}
-
-typedef struct {
- PRArenaPool *arena;
- SECItem cert;
-} collect_args;
-
-static SECStatus
-collect_certs(void *arg, SECItem **certs, int numcerts)
-{
- SECStatus rv;
- collect_args *collectArgs;
-
- collectArgs = (collect_args *)arg;
-
- rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
-
- return(rv);
-}
-
-
-/*
- * read an old style ascii or binary certificate
- */
-CERTCertificate *
-CERT_DecodeCertFromPackage(char *certbuf, int certlen)
-{
- collect_args collectArgs;
- SECStatus rv;
- CERTCertificate *cert = NULL;
-
- collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
- (void *)&collectArgs);
- if ( rv == SECSuccess ) {
- cert = CERT_DecodeDERCertificate(&collectArgs.cert, PR_TRUE, NULL);
- }
-
- PORT_FreeArena(collectArgs.arena, PR_FALSE);
-
- return(cert);
-}
diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c
deleted file mode 100644
index 0c3038139..000000000
--- a/security/nss/lib/certhigh/certreq.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cert.h"
-#include "secder.h"
-#include "key.h"
-#include "secitem.h"
-#include "secasn1.h"
-
-const SEC_ASN1Template CERT_AttributeTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTAttribute) },
- { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
- { SEC_ASN1_SET_OF, offsetof(CERTAttribute, attrValue),
- SEC_AnyTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
- { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
-};
-
-const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertificateRequest) },
- { SEC_ASN1_INTEGER,
- offsetof(CERTCertificateRequest,version) },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificateRequest,subject),
- CERT_NameTemplate },
- { SEC_ASN1_INLINE,
- offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
- CERT_SubjectPublicKeyInfoTemplate },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTCertificateRequest,attributes),
- CERT_SetOfAttributeTemplate },
- { 0 }
-};
-
-CERTCertificate *
-CERT_CreateCertificate(unsigned long serialNumber,
- CERTName *issuer,
- CERTValidity *validity,
- CERTCertificateRequest *req)
-{
- CERTCertificate *c;
- int rv;
- PRArenaPool *arena;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- return(0);
- }
-
- c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-
- if (c) {
- c->referenceCount = 1;
- c->arena = arena;
-
- /*
- * Default is a plain version 1.
- * If extensions are added, it will get changed as appropriate.
- */
- rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
- if (rv) goto loser;
-
- rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
- if (rv) goto loser;
-
- rv = CERT_CopyName(arena, &c->issuer, issuer);
- if (rv) goto loser;
-
- rv = CERT_CopyValidity(arena, &c->validity, validity);
- if (rv) goto loser;
-
- rv = CERT_CopyName(arena, &c->subject, &req->subject);
- if (rv) goto loser;
- rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
- &req->subjectPublicKeyInfo);
- if (rv) goto loser;
- }
- return c;
-
- loser:
- CERT_DestroyCertificate(c);
- return 0;
-}
-
-/************************************************************************/
-
-CERTCertificateRequest *
-CERT_CreateCertificateRequest(CERTName *subject,
- CERTSubjectPublicKeyInfo *spki,
- SECItem **attributes)
-{
- CERTCertificateRequest *certreq;
- PRArenaPool *arena;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return NULL;
- }
-
- certreq = (CERTCertificateRequest *)
- PORT_ArenaZAlloc(arena, sizeof(CERTCertificateRequest));
-
- if (certreq != NULL) {
- certreq->arena = arena;
-
- rv = DER_SetUInteger(arena, &certreq->version,
- SEC_CERTIFICATE_REQUEST_VERSION);
- if (rv != SECSuccess)
- goto loser;
-
- rv = CERT_CopyName(arena, &certreq->subject, subject);
- if (rv != SECSuccess)
- goto loser;
-
- rv = SECKEY_CopySubjectPublicKeyInfo(arena,
- &certreq->subjectPublicKeyInfo,
- spki);
- if (rv != SECSuccess)
- goto loser;
-
- /* Copy over attribute information */
- if (attributes) {
- int i = 0;
-
- /* allocate space for attributes */
- while(attributes[i] != NULL) i++;
- certreq->attributes = (SECItem**)PORT_ArenaZAlloc(arena,
- sizeof(SECItem *) * (i + 1));
- if(!certreq->attributes) {
- goto loser;
- }
-
- /* copy attributes */
- i = 0;
- while(attributes[i]) {
- /*
- ** Attributes are a SetOf Attribute which implies
- ** lexigraphical ordering. It is assumes that the
- ** attributes are passed in sorted. If we need to
- ** add functionality to sort them, there is an
- ** example in the PKCS 7 code.
- */
- certreq->attributes[i] = (SECItem*)PORT_ArenaZAlloc(arena,
- sizeof(SECItem));
- if(!certreq->attributes[i]) {
- goto loser;
- };
- rv = SECITEM_CopyItem(arena, certreq->attributes[i],
- attributes[i]);
- if (rv != SECSuccess) {
- goto loser;
- }
- i++;
- }
- certreq->attributes[i] = NULL;
- } else {
- /*
- ** Invent empty attribute information. According to the
- ** pkcs#10 spec, attributes has this ASN.1 type:
- **
- ** attributes [0] IMPLICIT Attributes
- **
- ** Which means, we should create a NULL terminated list
- ** with the first entry being NULL;
- */
- certreq->attributes = (SECItem**)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
- if(!certreq->attributes) {
- goto loser;
- }
- certreq->attributes[0] = NULL;
- }
- } else {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return certreq;
-
-loser:
- CERT_DestroyCertificateRequest(certreq);
- return NULL;
-}
-
-void
-CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
-{
- if (req && req->arena) {
- PORT_FreeArena(req->arena, PR_FALSE);
- }
- return;
-}
-
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
deleted file mode 100644
index 807c0a9e0..000000000
--- a/security/nss/lib/certhigh/certvfy.c
+++ /dev/null
@@ -1,1575 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "nspr.h"
-#include "secerr.h"
-#include "secport.h"
-#include "seccomon.h"
-#include "secoid.h"
-#include "sslerr.h"
-#include "genname.h"
-#include "keyhi.h"
-#include "cert.h"
-#include "certdb.h"
-#include "cryptohi.h"
-
-#define PENDING_SLOP (24L*60L*60L)
-
-/*
- * WARNING - this function is depricated, and will go away in the near future.
- * It has been superseded by CERT_CheckCertValidTimes().
- *
- * Check the validity times of a certificate
- */
-SECStatus
-CERT_CertTimesValid(CERTCertificate *c)
-{
- int64 now, notBefore, notAfter, pendingSlop;
- SECStatus rv;
-
- /* if cert is already marked OK, then don't bother to check */
- if ( c->timeOK ) {
- return(SECSuccess);
- }
-
- /* get current UTC time */
- now = PR_Now();
- rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
-
- if (rv) {
- return(SECFailure);
- }
-
- LL_I2L(pendingSlop, PENDING_SLOP);
- LL_SUB(notBefore, notBefore, pendingSlop);
-
- if (LL_CMP(now, <, notBefore) || LL_CMP(now, >, notAfter)) {
- PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-/*
- * verify the signature of a signed data object with the given certificate
- */
-SECStatus
-CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert,
- int64 t, void *wincx)
-{
- SECItem sig;
- SECKEYPublicKey *pubKey = 0;
- SECStatus rv;
- SECCertTimeValidity validity;
- SECOidTag algid;
-
- /* check the certificate's validity */
- validity = CERT_CheckCertValidTimes(cert, t, PR_FALSE);
- if ( validity != secCertTimeValid ) {
- return(SECFailure);
- }
-
- /* get cert's public key */
- pubKey = CERT_ExtractPublicKey(cert);
- if ( !pubKey ) {
- return(SECFailure);
- }
-
- /* check the signature */
- sig = sd->signature;
- DER_ConvertBitString(&sig);
-
- algid = SECOID_GetAlgorithmTag(&sd->signatureAlgorithm);
- rv = VFY_VerifyData(sd->data.data, sd->data.len, pubKey, &sig,
- algid, wincx);
-
- SECKEY_DestroyPublicKey(pubKey);
-
- if ( rv ) {
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-
-/*
- * This must only be called on a cert that is known to have an issuer
- * with an invalid time
- */
-CERTCertificate *
-CERT_FindExpiredIssuer(CERTCertDBHandle *handle, CERTCertificate *cert)
-{
- CERTCertificate *issuerCert = NULL;
- CERTCertificate *subjectCert;
- int count;
- SECStatus rv;
- SECComparison rvCompare;
-
- subjectCert = CERT_DupCertificate(cert);
- if ( subjectCert == NULL ) {
- goto loser;
- }
-
- for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
- /* find the certificate of the issuer */
- issuerCert = CERT_FindCertByName(handle, &subjectCert->derIssuer);
-
- if ( ! issuerCert ) {
- goto loser;
- }
-
- rv = CERT_CertTimesValid(issuerCert);
- if ( rv == SECFailure ) {
- /* this is the invalid issuer */
- CERT_DestroyCertificate(subjectCert);
- return(issuerCert);
- }
-
- /* make sure that the issuer is not self signed. If it is, then
- * stop here to prevent looping.
- */
- rvCompare = SECITEM_CompareItem(&issuerCert->derSubject,
- &issuerCert->derIssuer);
- if (rvCompare == SECEqual) {
- PORT_Assert(0); /* No expired issuer! */
- goto loser;
- }
- CERT_DestroyCertificate(subjectCert);
- subjectCert = issuerCert;
- }
-
-loser:
- if ( issuerCert ) {
- CERT_DestroyCertificate(issuerCert);
- }
-
- if ( subjectCert ) {
- CERT_DestroyCertificate(subjectCert);
- }
-
- return(NULL);
-}
-
-/* Software FORTEZZA installation hack. The software fortezza installer does
- * not have access to the krl and cert.db file. Accept FORTEZZA Certs without
- * KRL's in this case.
- */
-static int dont_use_krl = 0;
-/* not a public exposed function... */
-void sec_SetCheckKRLState(int value) { dont_use_krl = value; }
-
-SECStatus
-SEC_CheckKRL(CERTCertDBHandle *handle,SECKEYPublicKey *key,
- CERTCertificate *rootCert, int64 t, void * wincx)
-{
- CERTSignedCrl *crl = NULL;
- SECStatus rv = SECFailure;
- SECStatus rv2;
- CERTCrlEntry **crlEntry;
- SECCertTimeValidity validity;
- CERTCertificate *issuerCert = NULL;
-
- if (dont_use_krl) return SECSuccess;
-
- /* first look up the KRL */
- crl = SEC_FindCrlByName(handle,&rootCert->derSubject, SEC_KRL_TYPE);
- if (crl == NULL) {
- PORT_SetError(SEC_ERROR_NO_KRL);
- goto done;
- }
-
- /* get the issuing certificate */
- issuerCert = CERT_FindCertByName(handle, &crl->crl.derName);
- if (issuerCert == NULL) {
- PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
- goto done;
- }
-
-
- /* now verify the KRL signature */
- rv2 = CERT_VerifySignedData(&crl->signatureWrap, issuerCert, t, wincx);
- if (rv2 != SECSuccess) {
- PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
- goto done;
- }
-
- /* Verify the date validity of the KRL */
- validity = SEC_CheckCrlTimes(&crl->crl, t);
- if (validity == secCertTimeExpired) {
- PORT_SetError(SEC_ERROR_KRL_EXPIRED);
- goto done;
- }
-
- /* now make sure the key in this cert is still valid */
- if (key->keyType != fortezzaKey) {
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
- goto done; /* This should be an assert? */
- }
-
- /* now make sure the key is not on the revocation list */
- for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) {
- if (PORT_Memcmp((*crlEntry)->serialNumber.data,
- key->u.fortezza.KMID,
- (*crlEntry)->serialNumber.len) == 0) {
- PORT_SetError(SEC_ERROR_REVOKED_KEY);
- goto done;
- }
- }
- rv = SECSuccess;
-
-done:
- if (issuerCert) CERT_DestroyCertificate(issuerCert);
- if (crl) SEC_DestroyCrl(crl);
- return rv;
-}
-
-SECStatus
-SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert,
- CERTCertificate *caCert, int64 t, void * wincx)
-{
- CERTSignedCrl *crl = NULL;
- SECStatus rv = SECSuccess;
- CERTCrlEntry **crlEntry;
- SECCertTimeValidity validity;
-
- /* first look up the CRL */
- crl = SEC_FindCrlByName(handle,&caCert->derSubject, SEC_CRL_TYPE);
- if (crl == NULL) {
- /* XXX for now no CRL is ok */
- goto done;
- }
-
- /* now verify the CRL signature */
- rv = CERT_VerifySignedData(&crl->signatureWrap, caCert, t, wincx);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
- rv = SECWouldBlock; /* Soft error, ask the user */
- goto done;
- }
-
- /* Verify the date validity of the KRL */
- validity = SEC_CheckCrlTimes(&crl->crl,t);
- if (validity == secCertTimeExpired) {
- PORT_SetError(SEC_ERROR_CRL_EXPIRED);
- rv = SECWouldBlock; /* Soft error, ask the user */
- } else if (validity == secCertTimeNotValidYet) {
- PORT_SetError(SEC_ERROR_CRL_NOT_YET_VALID);
- rv = SECWouldBlock; /* Soft error, ask the user */
- }
-
- /* now make sure the key is not on the revocation list */
- for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) {
- if (SECITEM_CompareItem(&(*crlEntry)->serialNumber,&cert->serialNumber) == SECEqual) {
- PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
- rv = SECFailure; /* cert is revoked */
- goto done;
- }
- }
-
-done:
- if (crl) SEC_DestroyCrl(crl);
- return rv;
-}
-
-/*
- * Find the issuer of a cert. Use the authorityKeyID if it exists.
- */
-CERTCertificate *
-CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage)
-{
- CERTAuthKeyID * authorityKeyID = NULL;
- CERTCertificate * issuerCert = NULL;
- SECItem * caName;
- PRArenaPool *tmpArena = NULL;
- SECItem issuerCertKey;
- SECStatus rv;
-
- tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !tmpArena ) {
- goto loser;
- }
- authorityKeyID = CERT_FindAuthKeyIDExten(tmpArena,cert);
-
- if ( authorityKeyID != NULL ) {
- /* has the authority key ID extension */
- if ( authorityKeyID->keyID.data != NULL ) {
- /* extension contains a key ID, so lookup based on it */
- issuerCert = CERT_FindCertByKeyID(cert->dbhandle, &cert->derIssuer,
- &authorityKeyID->keyID);
- if ( issuerCert == NULL ) {
- PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
- goto loser;
- }
-
- } else if ( authorityKeyID->authCertIssuer != NULL ) {
- /* no key ID, so try issuer and serial number */
- caName = (SECItem*)CERT_GetGeneralNameByType(authorityKeyID->authCertIssuer,
- certDirectoryName, PR_TRUE);
-
- /*
- * caName is NULL when the authCertIssuer field is not
- * being used, or other name form is used instead.
- * If the directoryName format and serialNumber fields are
- * used, we use them to find the CA cert.
- * Note:
- * By the time it gets here, we known for sure that if the
- * authCertIssuer exists, then the authCertSerialNumber
- * must also exists (CERT_DecodeAuthKeyID() ensures this).
- * We don't need to check again.
- */
-
- if (caName != NULL) {
- rv = CERT_KeyFromIssuerAndSN(tmpArena, caName,
- &authorityKeyID->authCertSerialNumber,
- &issuerCertKey);
- if ( rv == SECSuccess ) {
- issuerCert = CERT_FindCertByKey(cert->dbhandle,
- &issuerCertKey);
- }
-
- if ( issuerCert == NULL ) {
- PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
- goto loser;
- }
- }
- }
- }
- if ( issuerCert == NULL ) {
- /* if there is not authorityKeyID, then try to find the issuer */
- /* find a valid CA cert with correct usage */
- issuerCert = CERT_FindMatchingCert(cert->dbhandle,
- &cert->derIssuer,
- certOwnerCA, usage, PR_TRUE,
- validTime, PR_TRUE);
-
- /* if that fails, then fall back to grabbing any cert with right name*/
- if ( issuerCert == NULL ) {
- issuerCert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
- if ( issuerCert == NULL ) {
- PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
- }
- }
- }
-
-loser:
- if (tmpArena != NULL) {
- PORT_FreeArena(tmpArena, PR_FALSE);
- tmpArena = NULL;
- }
-
- return(issuerCert);
-}
-
-/*
- * return required trust flags for various cert usages for CAs
- */
-SECStatus
-CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
- unsigned int *retFlags,
- SECTrustType *retTrustType)
-{
- unsigned int requiredFlags;
- SECTrustType trustType;
-
- switch ( usage ) {
- case certUsageSSLClient:
- requiredFlags = CERTDB_TRUSTED_CLIENT_CA;
- trustType = trustSSL;
- break;
- case certUsageSSLServer:
- case certUsageSSLCA:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustSSL;
- break;
- case certUsageSSLServerWithStepUp:
- requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
- trustType = trustSSL;
- break;
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustEmail;
- break;
- case certUsageObjectSigner:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustObjectSigning;
- break;
- case certUsageVerifyCA:
- case certUsageAnyCA:
- case certUsageStatusResponder:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustTypeNone;
- break;
- default:
- PORT_Assert(0);
- goto loser;
- }
- if ( retFlags != NULL ) {
- *retFlags = requiredFlags;
- }
- if ( retTrustType != NULL ) {
- *retTrustType = trustType;
- }
-
- return(SECSuccess);
-loser:
- return(SECFailure);
-}
-
-
-
-
-
-static void
-AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
- unsigned int depth, void *arg)
-{
- CERTVerifyLogNode *node, *tnode;
-
- PORT_Assert(log != NULL);
-
- node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
- sizeof(CERTVerifyLogNode));
- if ( node != NULL ) {
- node->cert = CERT_DupCertificate(cert);
- node->error = error;
- node->depth = depth;
- node->arg = arg;
-
- if ( log->tail == NULL ) {
- /* empty list */
- log->head = log->tail = node;
- node->prev = NULL;
- node->next = NULL;
- } else if ( depth >= log->tail->depth ) {
- /* add to tail */
- node->prev = log->tail;
- log->tail->next = node;
- log->tail = node;
- node->next = NULL;
- } else if ( depth < log->head->depth ) {
- /* add at head */
- node->prev = NULL;
- node->next = log->head;
- log->head->prev = node;
- log->head = node;
- } else {
- /* add in middle */
- tnode = log->tail;
- while ( tnode != NULL ) {
- if ( depth >= tnode->depth ) {
- /* insert after tnode */
- node->prev = tnode;
- node->next = tnode->next;
- tnode->next->prev = node;
- tnode->next = node;
- break;
- }
-
- tnode = tnode->prev;
- }
- }
-
- log->count++;
- }
- return;
-}
-
-#define EXIT_IF_NOT_LOGGING(log) \
- if ( log == NULL ) { \
- goto loser; \
- }
-
-#define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
- if ( log != NULL ) { \
- AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
- } else { \
- goto loser; \
- }
-
-#define LOG_ERROR(log,cert,depth,arg) \
- if ( log != NULL ) { \
- AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
- }
-
-
-
-
-SECStatus
-CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, int64 t,
- void *wincx, CERTVerifyLog *log)
-{
- SECTrustType trustType;
- CERTBasicConstraints basicConstraint;
- CERTCertificate *issuerCert = NULL;
- CERTCertificate *subjectCert = NULL;
- CERTCertificate *badCert = NULL;
- PRBool isca;
- PRBool isFortezzaV1 = PR_FALSE;
- SECStatus rv;
- SECComparison rvCompare;
- SECStatus rvFinal = SECSuccess;
- int count;
- int currentPathLen = -1;
- int flags;
- unsigned int caCertType;
- unsigned int requiredCAKeyUsage;
- unsigned int requiredFlags;
- PRArenaPool *arena = NULL;
- CERTGeneralName *namesList = NULL;
- CERTGeneralName *subjectNameList = NULL;
- SECItem *namesIndex = NULL;
- int namesIndexLen = 10;
- int namesCount = 0;
-
- enum { cbd_None, cbd_User, cbd_CA } last_type = cbd_None;
- SECKEYPublicKey *key;
-
- if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
- &requiredCAKeyUsage,
- &caCertType)
- != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredCAKeyUsage = 0;
- caCertType = 0;
- }
-
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- case certUsageSSLCA:
- case certUsageSSLServerWithStepUp:
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- case certUsageObjectSigner:
- case certUsageVerifyCA:
- case certUsageStatusResponder:
- if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
- &trustType) != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredFlags = 0;
- trustType = trustSSL;
- }
- break;
- default:
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredFlags = 0;
- trustType = trustSSL;/* This used to be 0, but we need something
- * that matches the enumeration type.
- */
- caCertType = 0;
- }
-
- subjectCert = CERT_DupCertificate(cert);
- if ( subjectCert == NULL ) {
- goto loser;
- }
-
- /* determine if the cert is fortezza. Getting the key is an easy
- * way to determine it, especially since we need to get the privillege
- * from the key anyway.
- */
- key = CERT_ExtractPublicKey(cert);
-
- if (key != NULL) {
- isFortezzaV1 = (PRBool)(key->keyType == fortezzaKey);
-
- /* find out what type of cert we are starting with */
- if (isFortezzaV1) {
- unsigned char priv = 0;;
-
- rv = SEC_CheckKRL(handle, key, NULL, t, wincx);
- if (rv == SECFailure) {
- /**** PORT_SetError is already set by SEC_CheckKRL **/
- SECKEY_DestroyPublicKey(key);
- /**** Bob - should we log and continue when logging? **/
- LOG_ERROR(log,subjectCert,0,0);
- goto loser;
- }
-
- if (key->u.fortezza.DSSpriviledge.len > 0) {
- priv = key->u.fortezza.DSSpriviledge.data[0];
- }
-
- last_type = (priv & 0x30) ? cbd_CA : cbd_User;
- }
-
- SECKEY_DestroyPublicKey(key);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto loser;
- }
-
- namesIndex = (SECItem *) PORT_ZAlloc(sizeof(SECItem) * namesIndexLen);
- if (namesIndex == NULL) {
- goto loser;
- }
-
- for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
- int subjectNameListLen;
- int i;
-
- /* Construct a list of names for the current and all previous certifcates
- to be verified against the name constraints extension of the issuer
- certificate. */
- subjectNameList = CERT_GetCertificateNames(subjectCert, arena);
- subjectNameListLen = CERT_GetNamesLength(subjectNameList);
- for (i = 0; i < subjectNameListLen; i++) {
- if (namesIndexLen < namesCount + i) {
- namesIndexLen = namesIndexLen * 2;
- namesIndex = (SECItem *) PORT_Realloc(namesIndex, namesIndexLen *
- sizeof(SECItem));
- if (namesIndex == NULL) {
- goto loser;
- }
- }
- rv = SECITEM_CopyItem(arena, &(namesIndex[namesCount + i]), &(subjectCert->derSubject));
- }
- namesCount += subjectNameListLen;
- namesList = cert_CombineNamesLists(namesList, subjectNameList);
-
- /* find the certificate of the issuer */
- issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage);
- if ( ! issuerCert ) {
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- LOG_ERROR(log,subjectCert,count,0);
- goto loser;
- }
-
- /* verify the signature on the cert */
- if ( checkSig ) {
- rv = CERT_VerifySignedData(&subjectCert->signatureWrap,
- issuerCert, t, wincx);
-
- if ( rv != SECSuccess ) {
- if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) {
- PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- } else {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
- }
- }
- }
-
- /*
- * XXX - fortezza may need error logging stuff added
- */
- if (isFortezzaV1) {
- unsigned char priv = 0;
-
- /* read the key */
- key = CERT_ExtractPublicKey(issuerCert);
-
- /* Cant' get Key? fail. */
- if (key == NULL) {
- PORT_SetError(SEC_ERROR_BAD_KEY);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- goto fortezzaDone;
- }
-
-
- /* if the issuer is not an old fortezza cert, we bail */
- if (key->keyType != fortezzaKey) {
- SECKEY_DestroyPublicKey(key);
- /* CA Cert not fortezza */
- PORT_SetError(SEC_ERROR_NOT_FORTEZZA_ISSUER);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- goto fortezzaDone;
- }
-
- /* get the privilege mask */
- if (key->u.fortezza.DSSpriviledge.len > 0) {
- priv = key->u.fortezza.DSSpriviledge.data[0];
- }
-
- /*
- * make sure the CA's keys are OK
- */
-
- rv = SEC_CheckKRL(handle, key, NULL, t, wincx);
- if (rv != SECSuccess) {
- SECKEY_DestroyPublicKey(key);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- goto fortezzaDone;
- /** fall through looking for more stuff **/
- } else {
- SECKEY_DestroyPublicKey(key);
- }
-
- switch (last_type) {
- case cbd_User:
- /* first check for subordination */
- /*rv = FortezzaSubordinateCheck(cert,issuerCert);*/
- rv = SECSuccess;
-
- /* now check for issuer privilege */
- if ((rv != SECSuccess) || ((priv & 0x10) == 0)) {
- /* bail */
- PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
- break;
- case cbd_CA:
- case cbd_None:
- if ((priv & 0x20) == 0) {
- /* bail */
- PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
- break;
- default:
- /* bail */ /* shouldn't ever happen */
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
-
-fortezzaDone:
- last_type = cbd_CA;
- }
-
- /* If the basicConstraint extension is included in an immediate CA
- * certificate, make sure that the isCA flag is on. If the
- * pathLenConstraint component exists, it must be greater than the
- * number of CA certificates we have seen so far. If the extension
- * is omitted, we will assume that this is a CA certificate with
- * an unlimited pathLenConstraint (since it already passes the
- * netscape-cert-type extension checking).
- *
- * In the fortezza (V1) case, we've already checked the CA bits
- * in the key, so we're presumed to be a CA; however we really don't
- * want to bypass Basic constraint or netscape extension parsing.
- *
- * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA
- */
-
- rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
- if ( rv != SECSuccess ) {
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- } else {
- currentPathLen = CERT_UNLIMITED_PATH_CONSTRAINT;
- }
- /* no basic constraints found, if we're fortezza, CA bit is already
- * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca
- * isca = PR_FALSE */
- isca = isFortezzaV1;
- } else {
- if ( basicConstraint.isCA == PR_FALSE ) {
- PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
-
- /* make sure that the path len constraint is properly set.
- */
- if ( basicConstraint.pathLenConstraint ==
- CERT_UNLIMITED_PATH_CONSTRAINT ) {
- currentPathLen = CERT_UNLIMITED_PATH_CONSTRAINT;
- } else if ( currentPathLen == CERT_UNLIMITED_PATH_CONSTRAINT ) {
- /* error if the previous CA's path length constraint is
- * unlimited but its CA's path is not.
- */
- PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,basicConstraint.pathLenConstraint);
- } else if (basicConstraint.pathLenConstraint > currentPathLen) {
- currentPathLen = basicConstraint.pathLenConstraint;
- } else {
- PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,basicConstraint.pathLenConstraint);
- }
-
- isca = PR_TRUE;
- }
-
- /* XXX - the error logging may need to go down into CRL stuff at some
- * point
- */
- /* check revoked list (issuer) */
- rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
- if (rv == SECFailure) {
- LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
- } else if (rv == SECWouldBlock) {
- /* We found something fishy, so we intend to issue an
- * error to the user, but the user may wish to continue
- * processing, in which case we better make sure nothing
- * worse has happened... so keep cranking the loop */
- rvFinal = SECFailure;
- LOG_ERROR(log,subjectCert,count,0);
- }
-
-
- if ( issuerCert->trust ) {
- /*
- * check the trust parms of the issuer
- */
- if ( certUsage == certUsageVerifyCA ) {
- if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
- trustType = trustEmail;
- } else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
- trustType = trustSSL;
- } else {
- trustType = trustObjectSigning;
- }
- }
-
- flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
-
- if ( (flags & CERTDB_VALID_CA) ||
- (certUsage == certUsageStatusResponder)) {
- if ( ( flags & requiredFlags ) == requiredFlags ||
- certUsage == certUsageStatusResponder ) {
- /* we found a trusted one, so return */
- rv = rvFinal;
- goto done;
- }
- }
- }
-
- /*
- * Make sure that if this is an intermediate CA in the chain that
- * it was given permission by its signer to be a CA.
- */
- if ( isca ) {
- /*
- * if basicConstraints says it is a ca, then we check the
- * nsCertType. If the nsCertType has any CA bits set, then
- * it must have the right one.
- */
- if ( issuerCert->nsCertType & NS_CERT_TYPE_CA ) {
- if ( issuerCert->nsCertType & caCertType ) {
- isca = PR_TRUE;
- } else {
- isca = PR_FALSE;
- }
- }
- } else {
- if ( issuerCert->nsCertType & caCertType ) {
- isca = PR_TRUE;
- } else {
- isca = PR_FALSE;
- }
- }
-
- if ( !isca ) {
- PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
-
- /* make sure key usage allows cert signing */
- if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
- PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
- }
- /* make sure that the entire chain is within the name space of the current issuer
- * certificate.
- */
-
- badCert = CERT_CompareNameSpace(issuerCert, namesList, namesIndex, arena, handle);
- if (badCert != NULL) {
- PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
- LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
- goto loser;
- }
- /* make sure that the issuer is not self signed. If it is, then
- * stop here to prevent looping.
- */
- rvCompare = SECITEM_CompareItem(&issuerCert->derSubject,
- &issuerCert->derIssuer);
- if (rvCompare == SECEqual) {
- PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
- LOG_ERROR(log, issuerCert, count+1, 0);
- goto loser;
- }
-
- CERT_DestroyCertificate(subjectCert);
- subjectCert = issuerCert;
- }
-
- subjectCert = NULL;
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- LOG_ERROR(log,issuerCert,count,0);
-loser:
- rv = SECFailure;
-done:
- if (namesIndex != NULL) {
- PORT_Free(namesIndex);
- }
- if ( issuerCert ) {
- CERT_DestroyCertificate(issuerCert);
- }
-
- if ( subjectCert ) {
- CERT_DestroyCertificate(subjectCert);
- }
-
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return rv;
-}
-
-/*
- * verify a certificate by checking if its valid and that we
- * trust the issuer.
- * Note that this routine does not verify the signature of the certificate.
- */
-SECStatus
-CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, int64 t,
- void *wincx, CERTVerifyLog *log)
-{
- SECStatus rv;
- unsigned int requiredKeyUsage;
- unsigned int requiredCertType;
- unsigned int flags;
- unsigned int certType;
- PRBool allowOverride;
- SECCertTimeValidity validity;
- CERTStatusConfig *statusConfig;
-
- /* check if this cert is in the Evil list */
- rv = CERT_CheckForEvilCert(cert);
- if ( rv != SECSuccess ) {
- PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
- LOG_ERROR_OR_EXIT(log,cert,0,0);
- }
-
- /* make sure that the cert is valid at time t */
- allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
- (certUsage == certUsageSSLServerWithStepUp));
- validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
- if ( validity != secCertTimeValid ) {
- LOG_ERROR_OR_EXIT(log,cert,0,validity);
- }
-
- /* check key usage and netscape cert type */
- CERT_GetCertType(cert);
- certType = cert->nsCertType;
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- case certUsageSSLServerWithStepUp:
- case certUsageSSLCA:
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- case certUsageObjectSigner:
- case certUsageStatusResponder:
- rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
- &requiredKeyUsage,
- &requiredCertType);
- if ( rv != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredKeyUsage = 0;
- requiredCertType = 0;
- }
- break;
- case certUsageVerifyCA:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_CA;
- if ( ! ( certType & NS_CERT_TYPE_CA ) ) {
- certType |= NS_CERT_TYPE_CA;
- }
- break;
- default:
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredKeyUsage = 0;
- requiredCertType = 0;
- }
- if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
- PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
- LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
- }
- if ( !( certType & requiredCertType ) ) {
- PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
- LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
- }
-
- /* check trust flags to see if this cert is directly trusted */
- if ( cert->trust ) { /* the cert is in the DB */
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- flags = cert->trust->sslFlags;
-
- /* is the cert directly trusted or not trusted ? */
- if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
- if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
- goto winner;
- } else { /* don't trust this cert */
- PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
- LOG_ERROR_OR_EXIT(log,cert,0,flags);
- }
- }
- break;
- case certUsageSSLServerWithStepUp:
- /* XXX - step up certs can't be directly trusted */
- break;
- case certUsageSSLCA:
- break;
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- flags = cert->trust->emailFlags;
-
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
- ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
- goto winner;
- }
- break;
- case certUsageObjectSigner:
- flags = cert->trust->objectSigningFlags;
-
- /* is the cert directly trusted or not trusted ? */
- if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
- if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
- goto winner;
- } else { /* don't trust this cert */
- PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
- LOG_ERROR_OR_EXIT(log,cert,0,flags);
- }
- }
- break;
- case certUsageVerifyCA:
- case certUsageStatusResponder:
- flags = cert->trust->sslFlags;
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
- goto winner;
- }
- flags = cert->trust->emailFlags;
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
- goto winner;
- }
- flags = cert->trust->objectSigningFlags;
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
- goto winner;
- }
- break;
- case certUsageAnyCA:
- case certUsageProtectedObjectSigner:
- case certUsageUserCertImport:
- /* XXX to make the compiler happy. Should these be
- * explicitly handled?
- */
- break;
- }
- }
-
- rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
- t, wincx, log);
- if (rv != SECSuccess) {
- EXIT_IF_NOT_LOGGING(log);
- }
-
- /*
- * Check revocation status, but only if the cert we are checking
- * is not a status reponder itself. We only do this in the case
- * where we checked the cert chain (above); explicit trust "wins"
- * (avoids status checking, just as it avoids CRL checking, which
- * is all done inside VerifyCertChain) by bypassing this code.
- */
- statusConfig = CERT_GetStatusConfig(handle);
- if (certUsage != certUsageStatusResponder && statusConfig != NULL) {
- if (statusConfig->statusChecker != NULL) {
- rv = (* statusConfig->statusChecker)(handle, cert,
- t, wincx);
- if (rv != SECSuccess) {
- LOG_ERROR_OR_EXIT(log,cert,0,0);
- }
- }
- }
-
-winner:
- return(SECSuccess);
-
-loser:
- rv = SECFailure;
-
- return(rv);
-}
-
-/*
- * verify a certificate by checking if its valid and that we
- * trust the issuer. Verify time against now.
- */
-SECStatus
-CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, void *wincx)
-{
- return(CERT_VerifyCert(handle, cert, checkSig,
- certUsage, PR_Now(), wincx, NULL));
-}
-
-/* [ FROM pcertdb.c ] */
-/*
- * Supported usage values and types:
- * certUsageSSLClient
- * certUsageSSLServer
- * certUsageSSLServerWithStepUp
- * certUsageEmailSigner
- * certUsageEmailRecipient
- * certUsageObjectSigner
- */
-
-CERTCertificate *
-CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
- CERTCertOwner owner, SECCertUsage usage,
- PRBool preferTrusted, int64 validTime, PRBool validOnly)
-{
- CERTCertList *certList = NULL;
- CERTCertificate *cert = NULL;
- unsigned int requiredTrustFlags;
- SECTrustType requiredTrustType;
- unsigned int flags;
-
- PRBool lookingForCA = PR_FALSE;
- SECStatus rv;
- CERTCertListNode *node;
- CERTCertificate *saveUntrustedCA = NULL;
-
- /* if preferTrusted is set, must be a CA cert */
- PORT_Assert( ! ( preferTrusted && ( owner != certOwnerCA ) ) );
-
- if ( owner == certOwnerCA ) {
- lookingForCA = PR_TRUE;
- if ( preferTrusted ) {
- rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags,
- &requiredTrustType);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- requiredTrustFlags |= CERTDB_VALID_CA;
- }
- }
-
- certList = CERT_CreateSubjectCertList(NULL, handle, derName, validTime,
- validOnly);
- if ( certList != NULL ) {
- rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- node = CERT_LIST_HEAD(certList);
-
- while ( !CERT_LIST_END(node, certList) ) {
- cert = node->cert;
-
- /* looking for a trusted CA cert */
- if ( ( owner == certOwnerCA ) && preferTrusted &&
- ( requiredTrustType != trustTypeNone ) ) {
-
- if ( cert->trust == NULL ) {
- flags = 0;
- } else {
- flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
- }
-
- if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
- /* cert is not trusted */
- /* if this is the first cert to get this far, then save
- * it, so we can use it if we can't find a trusted one
- */
- if ( saveUntrustedCA == NULL ) {
- saveUntrustedCA = cert;
- }
- goto endloop;
- }
- }
- /* if we got this far, then this cert meets all criteria */
- break;
-
-endloop:
- node = CERT_LIST_NEXT(node);
- cert = NULL;
- }
-
- /* use the saved one if we have it */
- if ( cert == NULL ) {
- cert = saveUntrustedCA;
- }
-
- /* if we found one then bump the ref count before freeing the list */
- if ( cert != NULL ) {
- /* bump the ref count */
- cert = CERT_DupCertificate(cert);
- }
-
- CERT_DestroyCertList(certList);
- }
-
- return(cert);
-
-loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- }
-
- return(NULL);
-}
-
-
-/* [ From certdb.c ] */
-/*
- * Filter a list of certificates, removing those certs that do not have
- * one of the named CA certs somewhere in their cert chain.
- *
- * "certList" - the list of certificates to filter
- * "nCANames" - number of CA names
- * "caNames" - array of CA names in string(rfc 1485) form
- * "usage" - what use the certs are for, this is used when
- * selecting CA certs
- */
-SECStatus
-CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
- char **caNames, SECCertUsage usage)
-{
- CERTCertificate *issuerCert = NULL;
- CERTCertificate *subjectCert;
- CERTCertListNode *node, *freenode;
- CERTCertificate *cert;
- int n;
- char **names;
- PRBool found;
- int64 time;
-
- if ( nCANames <= 0 ) {
- return(SECSuccess);
- }
-
- time = PR_Now();
-
- node = CERT_LIST_HEAD(certList);
-
- while ( ! CERT_LIST_END(node, certList) ) {
- cert = node->cert;
-
- subjectCert = CERT_DupCertificate(cert);
-
- /* traverse the CA certs for this cert */
- found = PR_FALSE;
- while ( subjectCert != NULL ) {
- n = nCANames;
- names = caNames;
-
- if (subjectCert->issuerName != NULL) {
- while ( n > 0 ) {
- if ( PORT_Strcmp(*names, subjectCert->issuerName) == 0 ) {
- found = PR_TRUE;
- break;
- }
-
- n--;
- names++;
- }
- }
-
- if ( found ) {
- break;
- }
-
- issuerCert = CERT_FindCertIssuer(subjectCert, time, usage);
- if ( issuerCert == subjectCert ) {
- CERT_DestroyCertificate(issuerCert);
- issuerCert = NULL;
- break;
- }
- CERT_DestroyCertificate(subjectCert);
- subjectCert = issuerCert;
-
- }
- CERT_DestroyCertificate(subjectCert);
- if ( !found ) {
- /* CA was not found, so remove this cert from the list */
- freenode = node;
- node = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(freenode);
- } else {
- /* CA was found, so leave it in the list */
- node = CERT_LIST_NEXT(node);
- }
- }
-
- return(SECSuccess);
-}
-
-/*
- * Given a certificate, return a string containing the nickname, and possibly
- * one of the validity strings, based on the current validity state of the
- * certificate.
- *
- * "arena" - arena to allocate returned string from. If NULL, then heap
- * is used.
- * "cert" - the cert to get nickname from
- * "expiredString" - the string to append to the nickname if the cert is
- * expired.
- * "notYetGoodString" - the string to append to the nickname if the cert is
- * not yet good.
- */
-char *
-CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
- char *expiredString, char *notYetGoodString)
-{
- SECCertTimeValidity validity;
- char *nickname, *tmpstr;
-
- validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
-
- /* if the cert is good, then just use the nickname directly */
- if ( validity == secCertTimeValid ) {
- if ( arena == NULL ) {
- nickname = PORT_Strdup(cert->nickname);
- } else {
- nickname = PORT_ArenaStrdup(arena, cert->nickname);
- }
-
- if ( nickname == NULL ) {
- goto loser;
- }
- } else {
-
- /* if the cert is not valid, then tack one of the strings on the
- * end
- */
- if ( validity == secCertTimeExpired ) {
- tmpstr = PR_smprintf("%s%s", cert->nickname,
- expiredString);
- } else {
- /* not yet valid */
- tmpstr = PR_smprintf("%s%s", cert->nickname,
- notYetGoodString);
- }
- if ( tmpstr == NULL ) {
- goto loser;
- }
-
- if ( arena ) {
- /* copy the string into the arena and free the malloc'd one */
- nickname = PORT_ArenaStrdup(arena, tmpstr);
- PORT_Free(tmpstr);
- } else {
- nickname = tmpstr;
- }
- if ( nickname == NULL ) {
- goto loser;
- }
- }
- return(nickname);
-
-loser:
- return(NULL);
-}
-
-/*
- * Collect the nicknames from all certs in a CertList. If the cert is not
- * valid, append a string to that nickname.
- *
- * "certList" - the list of certificates
- * "expiredString" - the string to append to the nickname of any expired cert
- * "notYetGoodString" - the string to append to the nickname of any cert
- * that is not yet valid
- */
-CERTCertNicknames *
-CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
- char *notYetGoodString)
-{
- CERTCertNicknames *names;
- PRArenaPool *arena;
- CERTCertListNode *node;
- char **nn;
-
- /* allocate an arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return(NULL);
- }
-
- /* allocate the structure */
- names = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
- if ( names == NULL ) {
- goto loser;
- }
-
- /* init the structure */
- names->arena = arena;
- names->head = NULL;
- names->numnicknames = 0;
- names->nicknames = NULL;
- names->totallen = 0;
-
- /* count the certs in the list */
- node = CERT_LIST_HEAD(certList);
- while ( ! CERT_LIST_END(node, certList) ) {
- names->numnicknames++;
- node = CERT_LIST_NEXT(node);
- }
-
- /* allocate nicknames array */
- names->nicknames = PORT_ArenaAlloc(arena,
- sizeof(char *) * names->numnicknames);
- if ( names->nicknames == NULL ) {
- goto loser;
- }
-
- /* just in case printf can't deal with null strings */
- if (expiredString == NULL ) {
- expiredString = "";
- }
-
- if ( notYetGoodString == NULL ) {
- notYetGoodString = "";
- }
-
- /* traverse the list of certs and collect the nicknames */
- nn = names->nicknames;
- node = CERT_LIST_HEAD(certList);
- while ( ! CERT_LIST_END(node, certList) ) {
- *nn = CERT_GetCertNicknameWithValidity(arena, node->cert,
- expiredString,
- notYetGoodString);
- if ( *nn == NULL ) {
- goto loser;
- }
-
- names->totallen += PORT_Strlen(*nn);
-
- nn++;
- node = CERT_LIST_NEXT(node);
- }
-
- return(names);
-
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
-}
-
-/*
- * Extract the nickname from a nickmake string that may have either
- * expiredString or notYetGoodString appended.
- *
- * Args:
- * "namestring" - the string containing the nickname, and possibly
- * one of the validity label strings
- * "expiredString" - the expired validity label string
- * "notYetGoodString" - the not yet good validity label string
- *
- * Returns the raw nickname
- */
-char *
-CERT_ExtractNicknameString(char *namestring, char *expiredString,
- char *notYetGoodString)
-{
- int explen, nyglen, namelen;
- int retlen;
- char *retstr;
-
- namelen = PORT_Strlen(namestring);
- explen = PORT_Strlen(expiredString);
- nyglen = PORT_Strlen(notYetGoodString);
-
- if ( namelen > explen ) {
- if ( PORT_Strcmp(expiredString, &namestring[namelen-explen]) == 0 ) {
- retlen = namelen - explen;
- retstr = (char *)PORT_Alloc(retlen+1);
- if ( retstr == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(retstr, namestring, retlen);
- retstr[retlen] = '\0';
- goto done;
- }
- }
-
- if ( namelen > nyglen ) {
- if ( PORT_Strcmp(notYetGoodString, &namestring[namelen-nyglen]) == 0) {
- retlen = namelen - nyglen;
- retstr = (char *)PORT_Alloc(retlen+1);
- if ( retstr == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(retstr, namestring, retlen);
- retstr[retlen] = '\0';
- goto done;
- }
- }
-
- /* if name string is shorter than either invalid string, then it must
- * be a raw nickname
- */
- retstr = PORT_Strdup(namestring);
-
-done:
- return(retstr);
-
-loser:
- return(NULL);
-}
-
-CERTCertList *
-CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage)
-{
- CERTCertList *chain;
-
- if (cert != NULL) {
- chain = CERT_NewCertList();
- cert = CERT_DupCertificate(cert);
- while (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject)
- != SECEqual) {
- CERT_AddCertToListTail(chain, cert);
- cert = CERT_FindCertIssuer(cert, time, usage);
- }
- CERT_AddCertToListTail(chain, cert);
- return chain;
- }
- return NULL;
-}
-
-
diff --git a/security/nss/lib/certhigh/config.mk b/security/nss/lib/certhigh/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/certhigh/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/certhigh/crlv2.c b/security/nss/lib/certhigh/crlv2.c
deleted file mode 100644
index 2600d9878..000000000
--- a/security/nss/lib/certhigh/crlv2.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Code for dealing with x.509 v3 crl and crl entries extensions.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secoidt.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "certxutl.h"
-
-SECStatus
-CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value)
-{
- return (cert_FindExtensionByOID (crl->extensions, oid, value));
-}
-
-
-SECStatus
-CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value)
-{
- return (cert_FindExtension (crl->extensions, tag, value));
-}
-
-
-/* Callback to set extensions and adjust verison */
-static void
-SetCrlExts(void *object, CERTCertExtension **exts)
-{
- CERTCrl *crl = (CERTCrl *)object;
-
- crl->extensions = exts;
- DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
-}
-
-void *
-CERT_StartCRLExtensions(CERTCrl *crl)
-{
- return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts));
-}
-
-
-SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value)
-{
- SECItem encodedExtenValue;
- SECStatus rv;
-
- encodedExtenValue.data = NULL;
- encodedExtenValue.len = 0;
-
- rv = cert_FindExtension
- (crl->extensions, SEC_OID_X509_CRL_NUMBER, &encodedExtenValue);
- if ( rv != SECSuccess )
- return (rv);
-
- rv = SEC_ASN1DecodeItem (NULL, value, SEC_IntegerTemplate,
- &encodedExtenValue);
- PORT_Free (encodedExtenValue.data);
- return (rv);
-}
-
-SECStatus CERT_FindCRLReasonExten (CERTCrl *crl, SECItem *value)
-{
- return (CERT_FindBitStringExtension
- (crl->extensions, SEC_OID_X509_REASON_CODE, value));
-}
-
-SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value)
-{
- SECItem encodedExtenValue;
- SECItem decodedExtenValue = {siBuffer,0};
- SECStatus rv;
-
- encodedExtenValue.data = decodedExtenValue.data = NULL;
- encodedExtenValue.len = decodedExtenValue.len = 0;
-
- rv = cert_FindExtension
- (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
- if ( rv != SECSuccess )
- return (rv);
-
- rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
- SEC_GeneralizedTimeTemplate, &encodedExtenValue);
- if (rv != SECSuccess)
- return (rv);
- rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
- PORT_Free (decodedExtenValue.data);
- PORT_Free (encodedExtenValue.data);
- return (rv);
-}
diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn
deleted file mode 100644
index 260a3e258..000000000
--- a/security/nss/lib/certhigh/manifest.mn
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- ocsp.h \
- ocspt.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- ocspti.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- certhtml.c \
- certread.c \
- certreq.c \
- crlv2.c \
- ocsp.c \
- certhigh.c \
- certvfy.c \
- xcrldist.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = certhi
-
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
deleted file mode 100644
index 5eb340b28..000000000
--- a/security/nss/lib/certhigh/ocsp.c
+++ /dev/null
@@ -1,3897 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Implementation of OCSP services, for both client and server.
- * (XXX, really, mostly just for client right now, but intended to do both.)
- *
- * $Id$
- */
-
-#include "prerror.h"
-#include "prprf.h"
-#include "plarena.h"
-#include "prnetdb.h"
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "secoidt.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "cert.h"
-#include "xconst.h"
-#include "secerr.h"
-#include "secoid.h"
-#include "hasht.h"
-#include "sechash.h"
-#include "secasn1.h"
-#include "keyhi.h"
-#include "cryptohi.h"
-#include "ocsp.h"
-#include "ocspti.h"
-#include "genname.h"
-#include "certxutl.h"
-#include "pk11func.h" /* for PK11_HashBuf */
-#include <stdarg.h>
-
-
-/*
- * The following structure is only used internally. It is allocated when
- * someone turns on OCSP checking, and hangs off of the status-configuration
- * structure in the certdb structure. We use it to keep configuration
- * information specific to OCSP checking.
- */
-typedef struct ocspCheckingContextStr {
- PRBool useDefaultResponder;
- char *defaultResponderURI;
- char *defaultResponderNickname;
- CERTCertificate *defaultResponderCert;
-} ocspCheckingContext;
-
-
-/*
- * Forward declarations of sub-types, so I can lay out the types in the
- * same order as the ASN.1 is laid out in the OCSP spec itself.
- *
- * These are in alphabetical order (case-insensitive); please keep it that way!
- */
-extern const SEC_ASN1Template ocsp_CertIDTemplate[];
-extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[];
-extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[];
-extern const SEC_ASN1Template ocsp_ResponseDataTemplate[];
-extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[];
-extern const SEC_ASN1Template ocsp_SingleRequestTemplate[];
-extern const SEC_ASN1Template ocsp_SingleResponseTemplate[];
-extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
-
-
-/*
- * Request-related templates...
- */
-
-/*
- * OCSPRequest ::= SEQUENCE {
- * tbsRequest TBSRequest,
- * optionalSignature [0] EXPLICIT Signature OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPRequest) },
- { SEC_ASN1_POINTER,
- offsetof(CERTOCSPRequest, tbsRequest),
- ocsp_TBSRequestTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPRequest, optionalSignature),
- ocsp_PointerToSignatureTemplate },
- { 0 }
-};
-
-/*
- * TBSRequest ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * requestorName [1] EXPLICIT GeneralName OPTIONAL,
- * requestList SEQUENCE OF Request,
- * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
- *
- * Version ::= INTEGER { v1(0) }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspTBSRequest) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspTBSRequest, version),
- SEC_IntegerTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspTBSRequest, derRequestorName),
- SEC_PointerToAnyTemplate },
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspTBSRequest, requestList),
- ocsp_SingleRequestTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(ocspTBSRequest, requestExtensions),
- CERT_SequenceOfCertExtensionTemplate },
- { 0 }
-};
-
-/*
- * Signature ::= SEQUENCE {
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_SignatureTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspSignature) },
- { SEC_ASN1_INLINE,
- offsetof(ocspSignature, signatureAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(ocspSignature, signature) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspSignature, derCerts),
- SEC_SequenceOfAnyTemplate },
- { 0 }
-};
-
-/*
- * This template is just an extra level to use in an explicitly-tagged
- * reference to a Signature.
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = {
- { SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate }
-};
-
-/*
- * Request ::= SEQUENCE {
- * reqCert CertID,
- * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspSingleRequest) },
- { SEC_ASN1_POINTER,
- offsetof(ocspSingleRequest, reqCert),
- ocsp_CertIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspSingleRequest, singleRequestExtensions),
- CERT_SequenceOfCertExtensionTemplate },
- { 0 }
-};
-
-
-/*
- * This data structure and template (CertID) is used by both OCSP
- * requests and responses. It is the only one that is shared.
- *
- * CertID ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier,
- * issuerNameHash OCTET STRING, -- Hash of Issuer DN
- * issuerKeyHash OCTET STRING, -- Hash of Issuer public key
- * serialNumber CertificateSerialNumber }
- *
- * CertificateSerialNumber ::= INTEGER
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_CertIDTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPCertID) },
- { SEC_ASN1_INLINE,
- offsetof(CERTOCSPCertID, hashAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerNameHash) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerKeyHash) },
- { SEC_ASN1_INTEGER,
- offsetof(CERTOCSPCertID, serialNumber) },
- { 0 }
-};
-
-
-/*
- * Response-related templates...
- */
-
-/*
- * OCSPResponse ::= SEQUENCE {
- * responseStatus OCSPResponseStatus,
- * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPResponse) },
- { SEC_ASN1_ENUMERATED,
- offsetof(CERTOCSPResponse, responseStatus) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPResponse, responseBytes),
- ocsp_PointerToResponseBytesTemplate },
- { 0 }
-};
-
-/*
- * ResponseBytes ::= SEQUENCE {
- * responseType OBJECT IDENTIFIER,
- * response OCTET STRING }
- */
-static const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseBytes) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(ocspResponseBytes, responseType) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(ocspResponseBytes, response) },
- { 0 }
-};
-
-/*
- * This template is just an extra level to use in an explicitly-tagged
- * reference to a ResponseBytes.
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = {
- { SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate }
-};
-
-/*
- * BasicOCSPResponse ::= SEQUENCE {
- * tbsResponseData ResponseData,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspBasicOCSPResponse) },
- { SEC_ASN1_POINTER,
- offsetof(ocspBasicOCSPResponse, tbsResponseData),
- ocsp_ResponseDataTemplate },
- { SEC_ASN1_INLINE,
- offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
- SEC_SequenceOfAnyTemplate },
- { 0 }
-};
-
-/*
- * ResponseData ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * responderID ResponderID,
- * producedAt GeneralizedTime,
- * responses SEQUENCE OF SingleResponse,
- * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseData) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspResponseData, version),
- SEC_IntegerTemplate },
- { SEC_ASN1_ANY,
- offsetof(ocspResponseData, derResponderID) },
- { SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspResponseData, producedAt) },
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspResponseData, responses),
- ocsp_SingleResponseTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponseData, responseExtensions),
- CERT_SequenceOfCertExtensionTemplate },
- { 0 }
-};
-
-/*
- * ResponderID ::= CHOICE {
- * byName [1] EXPLICIT Name,
- * byKey [2] EXPLICIT KeyHash }
- *
- * KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
- * (excluding the tag and length fields)
- *
- * XXX Because the ASN.1 encoder and decoder currently do not provide
- * a way to automatically handle a CHOICE, we need to do it in two
- * steps, looking at the type tag and feeding the exact choice back
- * to the ASN.1 code. Hopefully that will change someday and this
- * can all be simplified down into a single template. Anyway, for
- * now we list each choice as its own template:
- */
-static const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponderID, responderIDValue.name),
- CERT_NameTemplate }
-};
-static const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(ocspResponderID, responderIDValue.keyHash),
- SEC_OctetStringTemplate }
-};
-static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
- { SEC_ASN1_ANY,
- offsetof(ocspResponderID, responderIDValue.other) }
-};
-
-/*
- * SingleResponse ::= SEQUENCE {
- * certID CertID,
- * certStatus CertStatus,
- * thisUpdate GeneralizedTime,
- * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPSingleResponse) },
- { SEC_ASN1_POINTER,
- offsetof(CERTOCSPSingleResponse, certID),
- ocsp_CertIDTemplate },
- { SEC_ASN1_ANY,
- offsetof(CERTOCSPSingleResponse, derCertStatus) },
- { SEC_ASN1_GENERALIZED_TIME,
- offsetof(CERTOCSPSingleResponse, thisUpdate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPSingleResponse, nextUpdate),
- SEC_PointerToGeneralizedTimeTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTOCSPSingleResponse, singleExtensions),
- CERT_SequenceOfCertExtensionTemplate },
- { 0 }
-};
-
-/*
- * CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- *
- * Because the ASN.1 encoder and decoder currently do not provide
- * a way to automatically handle a CHOICE, we need to do it in two
- * steps, looking at the type tag and feeding the exact choice back
- * to the ASN.1 code. Hopefully that will change someday and this
- * can all be simplified down into a single template. Anyway, for
- * now we list each choice as its own template:
- */
-static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspCertStatus, certStatusInfo.goodInfo),
- SEC_NullTemplate }
-};
-static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
- ocsp_RevokedInfoTemplate }
-};
-static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
- SEC_NullTemplate }
-};
-static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
- { SEC_ASN1_POINTER,
- offsetof(ocspCertStatus, certStatusInfo.otherInfo),
- SEC_AnyTemplate }
-};
-
-/*
- * RevokedInfo ::= SEQUENCE {
- * revocationTime GeneralizedTime,
- * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspRevokedInfo) },
- { SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspRevokedInfo, revocationTime) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspRevokedInfo, revocationReason),
- SEC_PointerToEnumeratedTemplate },
- { 0 }
-};
-
-
-/*
- * OCSP-specific extension templates:
- */
-
-/*
- * ServiceLocator ::= SEQUENCE {
- * issuer Name,
- * locator AuthorityInfoAccessSyntax OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspServiceLocator) },
- { SEC_ASN1_POINTER,
- offsetof(ocspServiceLocator, issuer),
- CERT_NameTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(ocspServiceLocator, locator) },
- { 0 }
-};
-
-
-/*
- * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy):
- */
-
-/*
- * FUNCTION: CERT_EncodeOCSPRequest
- * DER encodes an OCSP Request, possibly adding a signature as well.
- * XXX Signing is not yet supported, however; see comments in code.
- * INPUTS:
- * PRArenaPool *arena
- * The return value is allocated from here.
- * If a NULL is passed in, allocation is done from the heap instead.
- * CERTOCSPRequest *request
- * The request to be encoded.
- * void *pwArg
- * Pointer to argument for password prompting, if needed. (Definitely
- * not needed if not signing.)
- * RETURN:
- * Returns a NULL on error and a pointer to the SECItem with the
- * encoded value otherwise. Any error is likely to be low-level
- * (e.g. no memory).
- */
-SECItem *
-CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request,
- void *pwArg)
-{
- ocspTBSRequest *tbsRequest;
- SECStatus rv;
-
- /* XXX All of these should generate errors if they fail. */
- PORT_Assert(request);
- PORT_Assert(request->tbsRequest);
-
- tbsRequest = request->tbsRequest;
-
- if (request->tbsRequest->extensionHandle != NULL) {
- rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
- request->tbsRequest->extensionHandle = NULL;
- if (rv != SECSuccess)
- return NULL;
- }
-
- /*
- * XXX When signed requests are supported and request->optionalSignature
- * is not NULL:
- * - need to encode tbsRequest->requestorName
- * - need to encode tbsRequest
- * - need to sign that encoded result (using cert in sig), filling in the
- * request->optionalSignature structure with the result, the signing
- * algorithm and (perhaps?) the cert (and its chain?) in derCerts
- */
-
- return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate);
-}
-
-
-/*
- * FUNCTION: CERT_DecodeOCSPRequest
- * Decode a DER encoded OCSP Request.
- * INPUTS:
- * SECItem *src
- * Pointer to a SECItem holding DER encoded OCSP Request.
- * RETURN:
- * Returns a pointer to a CERTOCSPRequest containing the decoded request.
- * On error, returns NULL. Most likely error is trouble decoding
- * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
- */
-CERTOCSPRequest *
-CERT_DecodeOCSPRequest(SECItem *src)
-{
- PRArenaPool *arena = NULL;
- SECStatus rv = SECFailure;
- CERTOCSPRequest *dest = NULL;
- int i;
-
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto loser;
- }
- dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena,
- sizeof(CERTOCSPRequest));
- if (dest == NULL) {
- goto loser;
- }
- dest->arena = arena;
-
- rv = SEC_ASN1DecodeItem(arena, dest, ocsp_OCSPRequestTemplate, src);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
- goto loser;
- }
-
- /*
- * XXX I would like to find a way to get rid of the necessity
- * of doing this copying of the arena pointer.
- */
- for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) {
- dest->tbsRequest->requestList[i]->arena = arena;
- }
-
- return dest;
-
-loser:
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return NULL;
-}
-
-
-/*
- * Create and fill-in a CertID. This function fills in the hash values
- * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1.
- * Someday it might need to be more flexible about hash algorithm, but
- * for now we have no intention/need to create anything else, and until
- * we have more flexible underlying interfaces, it's just not as easy
- * as it should be to just take an algorithm id and call some helper
- * functions to do all the work (no algid->length translation, no function
- * to hash from and into a SECItem, etc.).
- *
- * Error causes a null to be returned; most likely cause is trouble
- * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER).
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-static CERTOCSPCertID *
-ocsp_CreateCertID(PRArenaPool *arena, CERTCertificate *cert, int64 time)
-{
- CERTOCSPCertID *certID;
- CERTCertificate *issuerCert = NULL;
- SECItem *tempItem = NULL;
- void *mark = PORT_ArenaMark(arena);
- SECStatus rv;
-
- PORT_Assert(arena != NULL);
-
- certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
- if (certID == NULL) {
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
- NULL);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
- if (issuerCert == NULL) {
- goto loser;
- }
-
- tempItem = SEC_ASN1EncodeItem(NULL, NULL, &issuerCert->subject,
- CERT_NameTemplate);
- if (tempItem == NULL) {
- goto loser;
- }
-
- if (SECITEM_AllocItem(arena, &(certID->issuerNameHash),
- SHA1_LENGTH) == NULL) {
- goto loser;
- }
- rv = PK11_HashBuf(SEC_OID_SHA1, certID->issuerNameHash.data,
- tempItem->data, tempItem->len);
- if (rv != SECSuccess) {
- goto loser;
- }
- SECITEM_FreeItem(tempItem, PR_TRUE);
- tempItem = NULL;
-
- if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_SHA1,
- &(certID->issuerKeyHash)) == NULL) {
- goto loser;
- }
-
- /* now we are done with issuerCert */
- CERT_DestroyCertificate(issuerCert);
- issuerCert = NULL;
-
- rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- PORT_ArenaUnmark(arena, mark);
- return certID;
-
-loser:
- if (issuerCert != NULL) {
- CERT_DestroyCertificate(issuerCert);
- }
- if (tempItem != NULL) {
- SECITEM_FreeItem(tempItem, PR_TRUE);
- }
- PORT_ArenaRelease(arena, mark);
- return NULL;
-}
-
-
-/*
- * Callback to set Extensions in request object
- */
-void SetSingleReqExts(void *object, CERTCertExtension **exts)
-{
- ocspSingleRequest *singleRequest =
- (ocspSingleRequest *)object;
-
- singleRequest->singleRequestExtensions = exts;
-}
-
-/*
- * Add the Service Locator extension to the singleRequestExtensions
- * for the given singleRequest.
- *
- * All errors are internal or low-level problems (e.g. no memory).
- */
-static SECStatus
-ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
- CERTCertificate *cert)
-{
- ocspServiceLocator *serviceLocator = NULL;
- void *extensionHandle = NULL;
- SECStatus rv = SECFailure;
-
- serviceLocator = PORT_ZNew(ocspServiceLocator);
- if (serviceLocator == NULL)
- goto loser;
-
- /*
- * Normally it would be a bad idea to do a direct reference like
- * this rather than allocate and copy the name *or* at least dup
- * a reference of the cert. But all we need is to be able to read
- * the issuer name during the encoding we are about to do, so a
- * copy is just a waste of time.
- */
- serviceLocator->issuer = &cert->issuer;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
- &serviceLocator->locator);
- if (rv != SECSuccess) {
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
- goto loser;
- }
-
- /* prepare for following loser gotos */
- rv = SECFailure;
-
- extensionHandle = cert_StartExtensions(singleRequest,
- singleRequest->arena, SetSingleReqExts);
- if (extensionHandle == NULL)
- goto loser;
-
- rv = CERT_EncodeAndAddExtension(extensionHandle,
- SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
- serviceLocator, PR_FALSE,
- ocsp_ServiceLocatorTemplate);
-
-loser:
- if (extensionHandle != NULL) {
- /*
- * Either way we have to finish out the extension context (so it gets
- * freed). But careful not to override any already-set bad status.
- */
- SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
- if (rv == SECSuccess)
- rv = tmprv;
- }
-
- /*
- * Finally, free the serviceLocator structure itself and we are done.
- */
- if (serviceLocator != NULL) {
- if (serviceLocator->locator.data != NULL)
- SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
- PORT_Free(serviceLocator);
- }
-
- return rv;
-}
-
-/*
- * Creates an array of ocspSingleRequest based on a list of certs.
- * Note that the code which later compares the request list with the
- * response expects this array to be in the exact same order as the
- * certs are found in the list. It would be harder to change that
- * order than preserve it, but since the requirement is not obvious,
- * it deserves to be mentioned.
- *
- * Any problem causes a null return and error set:
- * SEC_ERROR_UNKNOWN_ISSUER
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-static ocspSingleRequest **
-ocsp_CreateSingleRequestList(PRArenaPool *arena, CERTCertList *certList,
- int64 time, PRBool includeLocator)
-{
- ocspSingleRequest **requestList = NULL;
- CERTCertListNode *node;
- int i, count;
- void *mark = PORT_ArenaMark(arena);
-
- node = CERT_LIST_HEAD(certList);
- for (count = 0; !CERT_LIST_END(node, certList); count++) {
- node = CERT_LIST_NEXT(node);
- }
-
- if (count == 0)
- goto loser;
-
- requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1);
- if (requestList == NULL)
- goto loser;
-
- node = CERT_LIST_HEAD(certList);
- for (i = 0; !CERT_LIST_END(node, certList); i++) {
- requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest);
- if (requestList[i] == NULL)
- goto loser;
-
- requestList[i]->arena = arena;
- requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time);
- if (requestList[i]->reqCert == NULL)
- goto loser;
-
- if (includeLocator == PR_TRUE) {
- SECStatus rv;
-
- rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert);
- if (rv != SECSuccess)
- goto loser;
- }
-
- node = CERT_LIST_NEXT(node);
- }
-
- PORT_Assert(i == count);
-
- PORT_ArenaUnmark(arena, mark);
- requestList[i] = NULL;
- return requestList;
-
-loser:
- PORT_ArenaRelease(arena, mark);
- return NULL;
-}
-
-
-/*
- * FUNCTION: CERT_CreateOCSPRequest
- * Creates a CERTOCSPRequest, requesting the status of the certs in
- * the given list.
- * INPUTS:
- * CERTCertList *certList
- * A list of certs for which status will be requested.
- * Note that all of these certificates should have the same issuer,
- * or it's expected the response will be signed by a trusted responder.
- * If the certs need to be broken up into multiple requests, that
- * must be handled by the caller (and thus by having multiple calls
- * to this routine), who knows about where the request(s) are being
- * sent and whether there are any trusted responders in place.
- * int64 time
- * Indicates the time for which the certificate status is to be
- * determined -- this may be used in the search for the cert's issuer
- * but has no effect on the request itself.
- * PRBool addServiceLocator
- * If true, the Service Locator extension should be added to the
- * single request(s) for each cert.
- * CERTCertificate *signerCert
- * If non-NULL, means sign the request using this cert. Otherwise,
- * do not sign.
- * XXX note that request signing is not yet supported; see comment in code
- * RETURN:
- * A pointer to a CERTOCSPRequest structure containing an OCSP request
- * for the cert list. On error, null is returned, with an error set
- * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER.
- * (The issuer is needed to create a request for the certificate.)
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-CERTOCSPRequest *
-CERT_CreateOCSPRequest(CERTCertList *certList, int64 time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert)
-{
- PRArenaPool *arena = NULL;
- CERTOCSPRequest *request = NULL;
- ocspTBSRequest *tbsRequest = NULL;
-
- /*
- * XXX This should set an error, but since it is only temporary and
- * since PSM will not initially provide a way to turn on signing of
- * requests anyway, I figure we can just skip defining an error that
- * will be obsolete in the next release. When we are prepared to
- * put signing of requests back in, this entire check will go away,
- * and later in this function we will need to allocate a signature
- * structure for the request, fill in the "derCerts" field in it,
- * save the signerCert there, as well as fill in the "requestorName"
- * field of the tbsRequest.
- */
- if (signerCert != NULL) {
- return NULL;
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto loser;
- }
-
- request = PORT_ArenaZNew(arena, CERTOCSPRequest);
- if (request == NULL) {
- goto loser;
- }
- request->arena = arena;
-
- tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest);
- if (tbsRequest == NULL) {
- goto loser;
- }
- request->tbsRequest = tbsRequest;
-
- /* version 1 is the default, so we need not fill in a version number */
-
- /*
- * Now create the list of single requests, one for each cert.
- */
- tbsRequest->requestList = ocsp_CreateSingleRequestList(arena, certList,
- time,
- addServiceLocator);
- if (tbsRequest->requestList == NULL) {
- goto loser;
- }
- return request;
-
-loser:
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return NULL;
-}
-
-
-/*
- * FUNCTION: CERT_AddOCSPAcceptableResponses
- * Add the AcceptableResponses extension to an OCSP Request.
- * INPUTS:
- * CERTOCSPRequest *request
- * The request to which the extension should be added.
- * ...
- * A list (of one or more) of SECOidTag -- each of the response types
- * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
- * (This marks the end of the list, and it must be specified because a
- * client conforming to the OCSP standard is required to handle the basic
- * response type.) The OIDs are not checked in any way.
- * RETURN:
- * SECSuccess if the extension is added; SECFailure if anything goes wrong.
- * All errors are internal or low-level problems (e.g. no memory).
- */
-
-void SetRequestExts(void *object, CERTCertExtension **exts)
-{
- CERTOCSPRequest *request = (CERTOCSPRequest *)object;
-
- request->tbsRequest->requestExtensions = exts;
-}
-
-SECStatus
-CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, ...)
-{
- void *extHandle;
- va_list ap;
- int i, count;
- SECOidTag responseType;
- SECOidData *responseOid;
- SECItem **acceptableResponses = NULL;
- SECStatus rv = SECFailure;
-
- extHandle = request->tbsRequest->extensionHandle;
- if (extHandle == NULL) {
- extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
- if (extHandle == NULL)
- goto loser;
- }
-
- /* Count number of OIDS going into the extension value. */
- count = 0;
- va_start(ap, request);
- do {
- count++;
- responseType = va_arg(ap, SECOidTag);
- } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
- va_end(ap);
-
- acceptableResponses = PORT_NewArray(SECItem *, count + 1);
- if (acceptableResponses == NULL)
- goto loser;
-
- va_start(ap, request);
- for (i = 0; i < count; i++) {
- responseType = va_arg(ap, SECOidTag);
- responseOid = SECOID_FindOIDByTag(responseType);
- acceptableResponses[i] = &(responseOid->oid);
- }
- va_end(ap);
- acceptableResponses[i] = NULL;
-
- rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE,
- &acceptableResponses, PR_FALSE,
- SEC_SequenceOfObjectIDTemplate);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_Free(acceptableResponses);
- if (request->tbsRequest->extensionHandle == NULL)
- request->tbsRequest->extensionHandle = extHandle;
- return SECSuccess;
-
-loser:
- if (acceptableResponses != NULL)
- PORT_Free(acceptableResponses);
- if (extHandle != NULL)
- (void) CERT_FinishExtensions(extHandle);
- return rv;
-}
-
-
-/*
- * FUNCTION: CERT_DestroyOCSPRequest
- * Frees an OCSP Request structure.
- * INPUTS:
- * CERTOCSPRequest *request
- * Pointer to CERTOCSPRequest to be freed.
- * RETURN:
- * No return value; no errors.
- */
-void
-CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
-{
- if (request == NULL)
- return;
-
- if (request->tbsRequest != NULL) {
- if (request->tbsRequest->requestorName != NULL)
- CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
- if (request->tbsRequest->extensionHandle != NULL)
- (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle);
- }
-
- if (request->optionalSignature != NULL) {
- if (request->optionalSignature->cert != NULL)
- CERT_DestroyCertificate(request->optionalSignature->cert);
-
- /*
- * XXX Need to free derCerts? Or do they come out of arena?
- * (Currently we never fill in derCerts, which is why the
- * answer is not obvious. Once we do, add any necessary code
- * here and remove this comment.)
- */
- }
-
- /*
- * We should actually never have a request without an arena,
- * but check just in case. (If there isn't one, there is not
- * much we can do about it...)
- */
- PORT_Assert(request->arena != NULL);
- if (request->arena != NULL)
- PORT_FreeArena(request->arena, PR_FALSE);
-}
-
-
-/*
- * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
- */
-
-/*
- * Helper function for encoding or decoding a ResponderID -- based on the
- * given type, return the associated template for that choice.
- */
-static const SEC_ASN1Template *
-ocsp_ResponderIDTemplateByType(ocspResponderIDType responderIDType)
-{
- const SEC_ASN1Template *responderIDTemplate;
-
- switch (responderIDType) {
- case ocspResponderID_byName:
- responderIDTemplate = ocsp_ResponderIDByNameTemplate;
- break;
- case ocspResponderID_byKey:
- responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
- break;
- case ocspResponderID_other:
- default:
- PORT_Assert(responderIDType == ocspResponderID_other);
- responderIDTemplate = ocsp_ResponderIDOtherTemplate;
- break;
- }
-
- return responderIDTemplate;
-}
-
-/*
- * Helper function for encoding or decoding a CertStatus -- based on the
- * given type, return the associated template for that choice.
- */
-static const SEC_ASN1Template *
-ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType)
-{
- const SEC_ASN1Template *certStatusTemplate;
-
- switch (certStatusType) {
- case ocspCertStatus_good:
- certStatusTemplate = ocsp_CertStatusGoodTemplate;
- break;
- case ocspCertStatus_revoked:
- certStatusTemplate = ocsp_CertStatusRevokedTemplate;
- break;
- case ocspCertStatus_unknown:
- certStatusTemplate = ocsp_CertStatusUnknownTemplate;
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(certStatusType == ocspCertStatus_other);
- certStatusTemplate = ocsp_CertStatusOtherTemplate;
- break;
- }
-
- return certStatusTemplate;
-}
-
-/*
- * Helper function for decoding a certStatus -- turn the actual DER tag
- * into our local translation.
- */
-static ocspCertStatusType
-ocsp_CertStatusTypeByTag(int derTag)
-{
- ocspCertStatusType certStatusType;
-
- switch (derTag) {
- case 0:
- certStatusType = ocspCertStatus_good;
- break;
- case 1:
- certStatusType = ocspCertStatus_revoked;
- break;
- case 2:
- certStatusType = ocspCertStatus_unknown;
- break;
- default:
- certStatusType = ocspCertStatus_other;
- break;
- }
-
- return certStatusType;
-}
-
-/*
- * Helper function for decoding SingleResponses -- they each contain
- * a status which is encoded as CHOICE, which needs to be decoded "by hand".
- *
- * Note -- on error, this routine does not release the memory it may
- * have allocated; it expects its caller to do that.
- */
-static SECStatus
-ocsp_FinishDecodingSingleResponses(PRArenaPool *arena,
- CERTOCSPSingleResponse **responses)
-{
- ocspCertStatus *certStatus;
- ocspCertStatusType certStatusType;
- const SEC_ASN1Template *certStatusTemplate;
- int derTag;
- int i;
- SECStatus rv = SECFailure;
-
- if (responses == NULL) /* nothing to do */
- return SECSuccess;
-
- for (i = 0; responses[i] != NULL; i++) {
- /*
- * The following assert points out internal errors (problems in
- * the template definitions or in the ASN.1 decoder itself, etc.).
- */
- PORT_Assert(responses[i]->derCertStatus.data != NULL);
-
- derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
- certStatusType = ocsp_CertStatusTypeByTag(derTag);
- certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
-
- certStatus = PORT_ArenaZAlloc(arena, sizeof(ocspCertStatus));
- if (certStatus == NULL) {
- goto loser;
- }
- rv = SEC_ASN1DecodeItem(arena, certStatus, certStatusTemplate,
- &responses[i]->derCertStatus);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
- }
-
- certStatus->certStatusType = certStatusType;
- responses[i]->certStatus = certStatus;
- }
-
- return SECSuccess;
-
-loser:
- return rv;
-}
-
-/*
- * Helper function for decoding a responderID -- turn the actual DER tag
- * into our local translation.
- */
-static ocspResponderIDType
-ocsp_ResponderIDTypeByTag(int derTag)
-{
- ocspResponderIDType responderIDType;
-
- switch (derTag) {
- case 1:
- responderIDType = ocspResponderID_byName;
- break;
- case 2:
- responderIDType = ocspResponderID_byKey;
- break;
- default:
- responderIDType = ocspResponderID_other;
- break;
- }
-
- return responderIDType;
-}
-
-/*
- * Decode "src" as a BasicOCSPResponse, returning the result.
- */
-static ocspBasicOCSPResponse *
-ocsp_DecodeBasicOCSPResponse(PRArenaPool *arena, SECItem *src)
-{
- void *mark;
- ocspBasicOCSPResponse *basicResponse;
- ocspResponseData *responseData;
- ocspResponderID *responderID;
- ocspResponderIDType responderIDType;
- const SEC_ASN1Template *responderIDTemplate;
- int derTag;
- SECStatus rv;
-
- mark = PORT_ArenaMark(arena);
-
- basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
- if (basicResponse == NULL) {
- goto loser;
- }
-
- rv = SEC_ASN1DecodeItem(arena, basicResponse,
- ocsp_BasicOCSPResponseTemplate, src);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
- }
-
- responseData = basicResponse->tbsResponseData;
-
- /*
- * The following asserts point out internal errors (problems in
- * the template definitions or in the ASN.1 decoder itself, etc.).
- */
- PORT_Assert(responseData != NULL);
- PORT_Assert(responseData->derResponderID.data != NULL);
-
- /*
- * XXX Because responderID is a CHOICE, which is not currently handled
- * by our ASN.1 decoder, we have to decode it "by hand".
- */
- derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK;
- responderIDType = ocsp_ResponderIDTypeByTag(derTag);
- responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType);
-
- responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID));
- if (responderID == NULL) {
- goto loser;
- }
- rv = SEC_ASN1DecodeItem(arena, responderID, responderIDTemplate,
- &responseData->derResponderID);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
- }
-
- responderID->responderIDType = responderIDType;
- responseData->responderID = responderID;
-
- /*
- * XXX Each SingleResponse also contains a CHOICE, which has to be
- * fixed up by hand.
- */
- rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- PORT_ArenaUnmark(arena, mark);
- return basicResponse;
-
-loser:
- PORT_ArenaRelease(arena, mark);
- return NULL;
-}
-
-
-/*
- * Decode the responseBytes based on the responseType found in "rbytes",
- * leaving the resulting translated/decoded information in there as well.
- */
-static SECStatus
-ocsp_DecodeResponseBytes(PRArenaPool *arena, ocspResponseBytes *rbytes)
-{
- PORT_Assert(rbytes != NULL); /* internal error, really */
- if (rbytes == NULL)
- PORT_SetError(SEC_ERROR_INVALID_ARGS); /* XXX set better error? */
-
- rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType);
- switch (rbytes->responseTypeTag) {
- case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
- {
- ocspBasicOCSPResponse *basicResponse;
-
- basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
- &rbytes->response);
- if (basicResponse == NULL)
- return SECFailure;
-
- rbytes->decodedResponse.basic = basicResponse;
- }
- break;
-
- /*
- * Add new/future response types here.
- */
-
- default:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_DecodeOCSPResponse
- * Decode a DER encoded OCSP Response.
- * INPUTS:
- * SECItem *src
- * Pointer to a SECItem holding DER encoded OCSP Response.
- * RETURN:
- * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
- * the caller is responsible for destroying it. Or NULL if error (either
- * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
- * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
- * or a low-level or internal error occurred).
- */
-CERTOCSPResponse *
-CERT_DecodeOCSPResponse(SECItem *src)
-{
- PRArenaPool *arena = NULL;
- CERTOCSPResponse *response = NULL;
- SECStatus rv = SECFailure;
- ocspResponseStatus sv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto loser;
- }
- response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena,
- sizeof(CERTOCSPResponse));
- if (response == NULL) {
- goto loser;
- }
- response->arena = arena;
-
- rv = SEC_ASN1DecodeItem(arena, response, ocsp_OCSPResponseTemplate, src);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
- }
-
- sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
- response->statusValue = sv;
- if (sv != ocspResponse_successful) {
- /*
- * If the response status is anything but successful, then we
- * are all done with decoding; the status is all there is.
- */
- return response;
- }
-
- /*
- * A successful response contains much more information, still encoded.
- * Now we need to decode that.
- */
- rv = ocsp_DecodeResponseBytes(arena, response->responseBytes);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- return response;
-
-loser:
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return NULL;
-}
-
-/*
- * The way an OCSPResponse is defined, there are many levels to descend
- * before getting to the actual response information. And along the way
- * we need to check that the response *type* is recognizable, which for
- * now means that it is a BasicOCSPResponse, because that is the only
- * type currently defined. Rather than force all routines to perform
- * a bunch of sanity checking every time they want to work on a response,
- * this function isolates that and gives back the interesting part.
- * Note that no copying is done, this just returns a pointer into the
- * substructure of the response which is passed in.
- *
- * XXX This routine only works when a valid response structure is passed
- * into it; this is checked with many assertions. Assuming the response
- * was creating by decoding, it wouldn't make it this far without being
- * okay. That is a sufficient assumption since the entire OCSP interface
- * is only used internally. When this interface is officially exported,
- * each assertion below will need to be followed-up with setting an error
- * and returning (null).
- */
-static ocspResponseData *
-ocsp_GetResponseData(CERTOCSPResponse *response)
-{
- ocspBasicOCSPResponse *basic;
- ocspResponseData *responseData;
-
- PORT_Assert(response != NULL);
-
- PORT_Assert(response->responseBytes != NULL);
-
- PORT_Assert(response->responseBytes->responseTypeTag
- == SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-
- basic = response->responseBytes->decodedResponse.basic;
- PORT_Assert(basic != NULL);
-
- responseData = basic->tbsResponseData;
- PORT_Assert(responseData != NULL);
-
- return responseData;
-}
-
-/*
- * Much like the routine above, except it returns the response signature.
- * Again, no copy is done.
- */
-static ocspSignature *
-ocsp_GetResponseSignature(CERTOCSPResponse *response)
-{
- ocspBasicOCSPResponse *basic;
-
- PORT_Assert(response != NULL);
- PORT_Assert(response->responseBytes != NULL);
- PORT_Assert(response->responseBytes->responseTypeTag
- == SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-
- basic = response->responseBytes->decodedResponse.basic;
- PORT_Assert(basic != NULL);
-
- return &(basic->responseSignature);
-}
-
-
-/*
- * FUNCTION: CERT_DestroyOCSPResponse
- * Frees an OCSP Response structure.
- * INPUTS:
- * CERTOCSPResponse *request
- * Pointer to CERTOCSPResponse to be freed.
- * RETURN:
- * No return value; no errors.
- */
-void
-CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
-{
- if (response != NULL) {
- ocspSignature *signature = ocsp_GetResponseSignature(response);
- if (signature->cert != NULL)
- CERT_DestroyCertificate(signature->cert);
-
- /*
- * We should actually never have a response without an arena,
- * but check just in case. (If there isn't one, there is not
- * much we can do about it...)
- */
- PORT_Assert(response->arena != NULL);
- if (response->arena != NULL) {
- PORT_FreeArena(response->arena, PR_FALSE);
- }
- }
-}
-
-
-/*
- * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response):
- */
-
-
-/*
- * Pick apart a URL, saving the important things in the passed-in pointers.
- *
- * We expect to find "http://<hostname>[:<port>]/[path]", though we will
- * tolerate that final slash character missing, as well as beginning and
- * trailing whitespace, and any-case-characters for "http". All of that
- * tolerance is what complicates this routine. What we want is just to
- * pick out the hostname, the port, and the path.
- *
- * On a successful return, the caller will need to free the output pieces
- * of hostname and path, which are copies of the values found in the url.
- */
-static SECStatus
-ocsp_ParseURL(char *url, char **pHostname, PRUint16 *pPort, char **pPath)
-{
- unsigned short port = 80; /* default, in case not in url */
- char *hostname = NULL;
- char *path = NULL;
- char *save;
- char c;
- int len;
-
- if (url == NULL)
- goto loser;
-
- /*
- * Skip beginning whitespace.
- */
- c = *url;
- while ((c == ' ' || c == '\t') && c != '\0') {
- url++;
- c = *url;
- }
- if (c == '\0')
- goto loser;
-
- /*
- * Confirm, then skip, protocol. (Since we only know how to do http,
- * that is all we will accept).
- */
- if (PORT_Strncasecmp(url, "http://", 7) != 0)
- goto loser;
- url += 7;
-
- /*
- * Whatever comes next is the hostname (or host IP address). We just
- * save it aside and then search for its end so we can determine its
- * length and copy it.
- *
- * XXX Note that because we treat a ':' as a terminator character
- * (and below, we expect that to mean there is a port specification
- * immediately following), we will not handle IPv6 addresses. That is
- * apparently an acceptable limitation, for the time being. Some day,
- * when there is a clear way to specify a URL with an IPv6 address that
- * can be parsed unambiguously, this code should be made to do that.
- */
- save = url;
- c = *url;
- while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') {
- url++;
- c = *url;
- }
- len = url - save;
- hostname = PORT_Alloc(len + 1);
- if (hostname == NULL)
- goto loser;
- PORT_Memcpy(hostname, save, len);
- hostname[len] = '\0';
-
- /*
- * Now we figure out if there was a port specified or not.
- * If so, we need to parse it (as a number) and skip it.
- */
- if (c == ':') {
- url++;
- port = (unsigned short) PORT_Atoi(url);
- c = *url;
- while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
- if (c < '0' || c > '9')
- goto loser;
- url++;
- c = *url;
- }
- }
-
- /*
- * Last thing to find is a path. There *should* be a slash,
- * if nothing else -- but if there is not we provide one.
- */
- if (c == '/') {
- save = url;
- while (c != '\0' && c != ' ' && c != '\t') {
- url++;
- c = *url;
- }
- len = url - save;
- path = PORT_Alloc(len + 1);
- if (path == NULL)
- goto loser;
- PORT_Memcpy(path, save, len);
- path[len] = '\0';
- } else {
- path = PORT_Strdup("/");
- }
-
- *pHostname = hostname;
- *pPort = port;
- *pPath = path;
- return SECSuccess;
-
-loser:
- if (hostname != NULL)
- PORT_Free(hostname);
- if (path != NULL)
- PORT_Free(path);
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- return SECFailure;
-}
-
-/*
- * Open a socket to the specified host on the specified port, and return it.
- * The host is either a hostname or an IP address.
- */
-static PRFileDesc *
-ocsp_ConnectToHost(const char *host, PRUint16 port)
-{
- PRFileDesc *sock = NULL;
- PRIntervalTime timeout;
- PRNetAddr addr;
- char *netdbbuf = NULL;
-
- sock = PR_NewTCPSocket();
- if (sock == NULL)
- goto loser;
-
- /* XXX Some day need a way to set (and get?) the following value */
- timeout = PR_SecondsToInterval(30);
-
- /*
- * If the following converts an IP address string in "dot notation"
- * into a PRNetAddr. If it fails, we assume that is because we do not
- * have such an address, but instead a host *name*. In that case we
- * then lookup the host by name. Using the NSPR function this way
- * means we do not have to have our own logic for distinguishing a
- * valid numerical IP address from a hostname.
- */
- if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) {
- PRIntn hostIndex;
- PRHostEnt hostEntry;
-
- netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
- if (netdbbuf == NULL)
- goto loser;
-
- if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
- &hostEntry) != PR_SUCCESS)
- goto loser;
-
- hostIndex = 0;
- do {
- hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
- if (hostIndex < 0)
- goto loser;
- } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS
- && hostIndex > 0);
-
- if (hostIndex == 0)
- goto loser;
-
- PORT_Free(netdbbuf);
- } else {
- /*
- * First put the port into the address, then connect.
- */
- if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
- goto loser;
- if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
- goto loser;
- }
-
- return sock;
-
-loser:
- if (sock != NULL)
- PR_Close(sock);
- if (netdbbuf != NULL)
- PORT_Free(netdbbuf);
- return NULL;
-}
-
-/*
- * Sends an encoded OCSP request to the server identified by "location",
- * and returns the socket on which it was sent (so can listen for the reply).
- * "location" is expected to be a valid URL -- an error parsing it produces
- * SEC_ERROR_CERT_BAD_ACCESS_LOCATION. Other errors are likely problems
- * connecting to it, or writing to it, or allocating memory, and the low-level
- * errors appropriate to the problem will be set.
- */
-static PRFileDesc *
-ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
-{
- char *hostname = NULL;
- char *path = NULL;
- PRUint16 port;
- SECStatus rv;
- PRFileDesc *sock = NULL;
- PRFileDesc *returnSock = NULL;
- char *header = NULL;
-
- /*
- * Take apart the location, getting the hostname, port, and path.
- */
- rv = ocsp_ParseURL(location, &hostname, &port, &path);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_Assert(hostname != NULL);
- PORT_Assert(path != NULL);
-
- sock = ocsp_ConnectToHost(hostname, port);
- if (sock == NULL)
- goto loser;
-
- header = PR_smprintf("POST %s HTTP/1.0\r\n"
- "Host: %s:%d\r\n"
- "Content-Type: application/ocsp-request\r\n"
- "Content-Length: %u\r\n\r\n",
- path, hostname, port, encodedRequest->len);
- if (header == NULL)
- goto loser;
-
- /*
- * The NSPR documentation promises that if it can, it will write the full
- * amount; this will not return a partial value expecting us to loop.
- */
- if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
- goto loser;
-
- if (PR_Write(sock, encodedRequest->data,
- (PRInt32) encodedRequest->len) < 0)
- goto loser;
-
- returnSock = sock;
- sock = NULL;
-
-loser:
- if (header != NULL)
- PORT_Free(header);
- if (sock != NULL)
- PR_Close(sock);
- if (path != NULL)
- PORT_Free(path);
- if (hostname != NULL)
- PORT_Free(hostname);
-
- return returnSock;
-}
-
-/*
- * Read from "fd" into "buf" -- expect/attempt to read a "minimum" number
- * of bytes, but do not exceed "maximum". (Obviously, stop at less than
- * "minimum" if hit end-of-stream.) Only problems are low-level i/o errors.
- */
-static int
-ocsp_MinMaxRead(PRFileDesc *fd, unsigned char *buf, int minimum, int maximum)
-{
- int total = 0;
-
- while (total < minimum) {
- PRInt32 got;
-
- got = PR_Read(fd, buf + total, (PRInt32) (maximum - total));
- if (got < 0) {
- if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
- break;
- }
- continue;
- } else if (got == 0) { /* EOS */
- break;
- }
-
- total += got;
- }
-
- return total;
-}
-
-#ifdef BUFSIZ
-#define OCSP_BUFSIZE BUFSIZ
-#else
-#define OCSP_BUFSIZE 1024
-#endif
-
-/*
- * Listens on the given socket and returns an encoded response when received.
- * Properly formatted HTTP response headers are expected to be read from the
- * socket, preceding a binary-encoded OCSP response. Problems with parsing
- * cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be set; any other
- * problems are likely low-level i/o or memory allocation errors.
- */
-static SECItem *
-ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)
-{
- unsigned char *buf = NULL;
- int bufsize, bytesRead, len;
- const unsigned char *bufEnd;
- const char *s;
- const char *newline = NULL;
- PRBool headersDone = PR_FALSE;
- PRBool pendingCR = PR_FALSE;
- PRBool contentTypeOK = PR_FALSE;
- unsigned int contentLength = 0;
- void *mark = NULL;
- SECItem *result = NULL;
-
-
- bufsize = OCSP_BUFSIZE;
- buf = PORT_Alloc(bufsize);
- if (buf == NULL) {
- goto loser;
- }
- /*
- * I picked 128 because:
- * - It is a nice "round" number. ;-)
- * - I am sure it should cover at least the first line of the http
- * response (on the order of 20 should be enough but I am allowing
- * for excessive leading whitespace) so that I don't have to keep
- * checking for going past the end of the buffer until after that.
- * - I am sure that any interesting response will be bigger than that;
- * the exception is one that is status-only, like "tryLater".
- * - Given a trim response (no extra whitespace), it should cover
- * all of the http headers, and just a bit of the content.
- * This is what I was aiming for, to minimize data copying.
- */
- bytesRead = ocsp_MinMaxRead(sock, buf, 128, bufsize);
- if (bytesRead <= 0) {
- if (bytesRead == 0)
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
- bufEnd = buf + bytesRead;
- /*
- * Skip leading whitespace.
- */
- for (s = (char *)buf; s < (char *)bufEnd; s++) {
- if (*s != ' ' && *s != '\t') {
- break;
- }
- }
- /*
- * Here we expect to find something like "HTTP/1.x 200 OK\r\n".
- * (The status code may be anything, but should be 3 digits.
- * The comment (e.g. "OK") may be anything as well.) I figure that
- * the minimal line would be "HTTP/x.y zzz\n", which is 13 chars.
- * That may not even meet the spec, but we will accept it -- anything
- * less than that, though, we will not.
- */
- if (((char *)bufEnd - s) < 13 || PORT_Strncasecmp(s, "http/", 5) != 0) {
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
- s += 5; /* skip "http/" */
- /*
- * I don't see a reason to look at the version number. Assuming that
- * whatever version it is, it supports the one or two headers we are
- * looking for, and doesn't completely change the interpretation of
- * status values, it shouldn't matter. We shouldn't reject something
- * that would otherwise work just because the code was picky about
- * version number. So we just skip it, hoping real incompatibility
- * will manifest itself in the parsing.
- */
- while (*s++ != ' ') { /* skip "x.y ", without interpretation */
- /*
- * We expect the version number to be only a few characters,
- * and that we should easily have enough in the buffer to cover.
- * So, if we go past the end, just bail.
- */
- if (s >= (char *)bufEnd) {
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
- }
- /*
- * Now get, and check, the status. Accept 200-299; reject all else.
- * There are some 200s that basically have no content, but that will
- * fall out as bad below, and it's just easier to handle it that way
- * than to try to know all the different status values.
- */
- {
- int statusCode = PORT_Atoi(s);
-
- if (statusCode < 200 || statusCode >= 300) {
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
- }
- s += 3; /* skip 3-digit status code */
- /*
- * The rest of the line is a comment, which we just want to skip.
- * The next thing to do is continue through all of the HTTP headers,
- * watching for the couple we are interested in. The end of the
- * headers (and thus the beginning of the content) is marked by
- * two consecutive newlines. (According to spec that should be
- * CRLF followed by CRLF, but we are being generous and allowing
- * for people who send only CRs or only LFs, too.)
- *
- * XXX Explain better about how the following code works.
- * Especially what the potential values of "newline" are and what
- * each one means.
- */
- while (1) {
- /*
- * Move forward to the next line, stopping when we find a CRLF,
- * CR, or LF, or the end of the buffer. We have to be careful
- * when we find a lone CR at the end of the buffer, because if
- * the next character read is an LF we want to treat it as one
- * newline altogether.
- *
- * We also need to detect two newlines in a row, which is what
- * marks the end of the headers and time for us to quit out of
- * the outer loop.
- */
- for (; s < (char *)bufEnd; s++) {
- if (*s == '\r' || *s == '\n') {
- if (s == newline) {
- headersDone = PR_TRUE; /* 2nd consecutive newline */
- }
- newline = s;
- if (newline[0] == '\r') {
- if (s == (char *)bufEnd - 1) {
- /* CR at end - wait for the next character */
- newline = NULL;
- pendingCR = PR_TRUE;
- break;
- } else if (newline[1] == '\n') {
- /* CRLF seen; swallow both */
- newline++;
- }
- }
- newline++;
- break;
- }
- /*
- * After the first time through, we no longer need to remember
- * where the previous line started. We needed it for checking
- * for consecutive newlines, but now we need it to be clear in
- * case we finish the loop by finishing off the buffer.
- */
- newline = NULL;
- }
- if (headersDone) {
- s = newline;
- break;
- }
- /*
- * When we are here, either:
- * - newline is NULL, meaning we're at the end of the buffer
- * and we need to refill it, or
- * - newline points to the first character on the new line
- */
- if (newline == NULL) {
- /* So, we need to refill the buffer. */
- len = pendingCR ? 1 : 0;
- bytesRead = ocsp_MinMaxRead(sock, buf + len, 64 - len,
- bufsize - len);
- if (bytesRead <= 0) {
- if (bytesRead == 0)
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
- s = (char *)buf;
- bufEnd = buf + len + bytesRead;
- if (pendingCR) {
- buf[0] = '\r';
- pendingCR = PR_FALSE;
- }
- continue;
- }
- /*
- * So, we have a good newline pointer (just past a CR, LF or CRLF),
- * but now we want to make sure that what it points to is long
- * enough to be something we are looking for. If it isn't, add
- * more to the buffer after first copying what's left to the
- * beginning.
- */
- if (((char *)bufEnd - newline) < 40) {
- len = (char *)bufEnd - newline;
- PORT_Memmove(buf, newline, len);
- bytesRead = ocsp_MinMaxRead(sock, buf + len, 40 - len,
- bufsize - len);
- if (bytesRead <= 0) {
- if (bytesRead == 0)
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
- newline = (char *)buf;
- bufEnd = buf + len + bytesRead;
- }
- /*
- * Okay, now we know that we are looking at an HTTP header line
- * with enough length to be safe for our comparisons. See if it is
- * one of the ones we are interested in. (That is, "Content-Length"
- * or "Content-Type".)
- */
- if (PORT_Strncasecmp(newline, "content-", 8) == 0) {
- s = newline + 8;
- if (PORT_Strncasecmp(s, "type: ", 6) == 0) {
- s += 6;
- if (PORT_Strncasecmp(s, "application/ocsp-response",
- 25) != 0) {
- break;
- }
- contentTypeOK = PR_TRUE;
- s += 25;
- } else if (PORT_Strncasecmp(s, "length: ", 8) == 0) {
- s += 8;
- contentLength = PORT_Atoi(s);
- }
- newline = NULL;
- } else {
- /*
- * Not an interesting header. We will go around the loop
- * again to find the next line.
- */
- s = newline;
- }
- }
-
- /*
- * Check that we got the correct content type. (If !contentTypeOK,
- * the content-type header was either bad or missing.)
- */
- if (!contentTypeOK) {
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- goto loser;
- }
-
- /*
- * Now we need to handle the actual content. We may not have a
- * good content-length; things are harder if we do not -- in that
- * case we will just read until we get EOS.
- */
-
- /*
- * We are finally about the allocate the return area; before that
- * mark the arena so we can release-back on error.
- */
- if (arena != NULL) {
- mark = PORT_ArenaMark(arena);
- }
- /*
- * How much of the content is already in the buffer?
- */
- if (s == NULL) {
- len = 0;
- } else {
- len = (char *)bufEnd - s;
- if (contentLength && len > contentLength) {
- len = contentLength;
- }
- }
- /*
- * Now allocate the item to hold the data.
- */
- result = SECITEM_AllocItem(arena, NULL,
- contentLength ? contentLength : len);
- if (result == NULL) {
- goto loser;
- }
- /*
- * And copy the data left in the buffer.
- */
- if (len) {
- PORT_Memcpy(result->data, s, len);
- }
-
- /*
- * Now we need to read all of the (rest of the) content. If we know
- * the length, it's easy, just one big read. If not, we need to loop,
- * reading until there is nothing left to read.
- */
- if (contentLength) {
- int remaining;
-
- /*
- * It may be the case that our last buffer ended exactly on the
- * second CR of the CRLF pair which denotes the end of the headers.
- * If so, we have to be prepared to read, and skip over, an LF.
- * Since we want to read the rest of the content directly into
- * the buffer we are returning, we read one byte specifically and
- * see if it is an LF. If not, we just copy that byte into the
- * first byte of our return value.
- */
- if (pendingCR) {
- PORT_Assert(len == 0);
- bytesRead = ocsp_MinMaxRead(sock, buf, 1, 1);
- if (bytesRead < 1) {
- goto loser;
- }
- if (buf[0] != '\n') {
- result->data[0] = buf[0];
- len = 1;
- }
- }
- remaining = contentLength - len;
- if (remaining) {
- bytesRead = ocsp_MinMaxRead(sock, result->data + len,
- remaining, remaining);
- if (bytesRead < remaining) {
- if (bytesRead > 0) {
- PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
- }
- goto loser;
- }
- }
- } else while (1) {
- /*
- * Read as much as we can. There is no real minimum here,
- * we will just take whatever we can get and copy it over
- * into our result area.
- */
- bytesRead = ocsp_MinMaxRead(sock, buf, 1, bufsize);
- if (bytesRead < 0) {
- goto loser;
- }
- if (bytesRead == 0) { /* EOS: all done reading */
- break;
- }
- /*
- * Now make room for that many more bytes in our result area.
- */
- if (SECITEM_ReallocItem(arena, result, len,
- len + bytesRead) != SECSuccess) {
- goto loser;
- }
- /*
- * The first time through this loop, it may be the case that
- * we have the final LF of our CRLF pair that ended the headers.
- * If so, we need to skip over it.
- */
- if (pendingCR && buf[0] == '\n') {
- PORT_Memcpy(result->data + len, buf + 1, bytesRead - 1);
- len += bytesRead - 1;
- } else {
- PORT_Memcpy(result->data + len, buf, bytesRead);
- len += bytesRead;
- }
- /*
- * In any case, after the first time through, we are done
- * looking for that LF.
- */
- pendingCR = PR_FALSE;
- /*
- * If we are reading "slowly", get ourselves a bigger buffer.
- */
- if (bytesRead == bufsize) {
- bufsize *= 2;
- PORT_Free(buf);
- buf = PORT_Alloc(bufsize);
- if (buf == NULL) {
- goto loser;
- }
- }
- }
-
- /*
- * Finally, we are done! The encoded response (the content of the
- * HTTP response) is now in "result". We just have a little cleaning
- * up to do before we return.
- */
- if (mark != NULL) {
- PORT_ArenaUnmark(arena, mark);
- }
- PORT_Free(buf);
- return result;
-
-loser:
- if (mark != NULL) {
- PORT_ArenaRelease(arena, mark);
- } else if (result != NULL) {
- SECITEM_FreeItem(result, PR_TRUE);
- }
- if (buf != NULL) {
- PORT_Free(buf);
- }
- return NULL;
-}
-
-
-/*
- * FUNCTION: CERT_GetEncodedOCSPResponse
- * Creates and sends a request to an OCSP responder, then reads and
- * returns the (encoded) response.
- * INPUTS:
- * PRArenaPool *arena
- * Pointer to arena from which return value will be allocated.
- * If NULL, result will be allocated from the heap (and thus should
- * be freed via SECITEM_FreeItem).
- * CERTCertList *certList
- * A list of certs for which status will be requested.
- * Note that all of these certificates should have the same issuer,
- * or it's expected the response will be signed by a trusted responder.
- * If the certs need to be broken up into multiple requests, that
- * must be handled by the caller (and thus by having multiple calls
- * to this routine), who knows about where the request(s) are being
- * sent and whether there are any trusted responders in place.
- * char *location
- * The location of the OCSP responder (a URL).
- * int64 time
- * Indicates the time for which the certificate status is to be
- * determined -- this may be used in the search for the cert's issuer
- * but has no other bearing on the operation.
- * PRBool addServiceLocator
- * If true, the Service Locator extension should be added to the
- * single request(s) for each cert.
- * CERTCertificate *signerCert
- * If non-NULL, means sign the request using this cert. Otherwise,
- * do not sign.
- * void *pwArg
- * Pointer to argument for password prompting, if needed. (Definitely
- * not needed if not signing.)
- * OUTPUTS:
- * CERTOCSPRequest **pRequest
- * Pointer in which to store the OCSP request created for the given
- * list of certificates. It is only filled in if the entire operation
- * is successful and the pointer is not null -- and in that case the
- * caller is then reponsible for destroying it.
- * RETURN:
- * Returns a pointer to the SECItem holding the response.
- * On error, returns null with error set describing the reason:
- * SEC_ERROR_UNKNOWN_ISSUER
- * SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-SECItem *
-CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
- char *location, int64 time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
-{
- CERTOCSPRequest *request = NULL;
- SECItem *encodedRequest = NULL;
- SECItem *encodedResponse = NULL;
- PRFileDesc *sock = NULL;
- SECStatus rv;
-
- request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
- signerCert);
- if (request == NULL)
- goto loser;
-
- rv = CERT_AddOCSPAcceptableResponses(request,
- SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
- if (rv != SECSuccess)
- goto loser;
-
- encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
- if (encodedRequest == NULL)
- goto loser;
-
- sock = ocsp_SendEncodedRequest(location, encodedRequest);
- if (sock == NULL)
- goto loser;
-
- encodedResponse = ocsp_GetEncodedResponse(arena, sock);
- if (encodedResponse != NULL && pRequest != NULL) {
- *pRequest = request;
- request = NULL; /* avoid destroying below */
- }
-
-loser:
- if (request != NULL)
- CERT_DestroyOCSPRequest(request);
- if (encodedRequest != NULL)
- SECITEM_FreeItem(encodedRequest, PR_TRUE);
- if (sock != NULL)
- PR_Close(sock);
-
- return encodedResponse;
-}
-
-
-/* Checks a certificate for the key usage extension of OCSP signer. */
-static PRBool
-ocsp_CertIsOCSPSigner(CERTCertificate *cert)
-{
- SECStatus rv;
- SECItem extItem;
- SECItem **oids;
- SECItem *oid;
- SECOidTag oidTag;
- PRBool retval;
- CERTOidSequence *oidSeq = NULL;
-
-
- extItem.data = NULL;
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- oidSeq = CERT_DecodeOidSequence(&extItem);
- if ( oidSeq == NULL ) {
- goto loser;
- }
-
- oids = oidSeq->oids;
- while ( *oids != NULL ) {
- oid = *oids;
-
- oidTag = SECOID_FindOIDTag(oid);
-
- if ( oidTag == SEC_OID_OCSP_RESPONDER ) {
- goto success;
- }
-
- oids++;
- }
-
-loser:
- retval = PR_FALSE;
- goto done;
-success:
- retval = PR_TRUE;
-done:
- if ( extItem.data != NULL ) {
- PORT_Free(extItem.data);
- }
- if ( oidSeq != NULL ) {
- CERT_DestroyOidSequence(oidSeq);
- }
-
- return(retval);
-}
-
-
-#ifdef LATER /*
- * XXX This function is not currently used, but will
- * be needed later when we do revocation checking of
- * the responder certificate. Of course, it may need
- * revising then, if the cert extension interface has
- * changed. (Hopefully it will!)
- */
-
-/* Checks a certificate to see if it has the OCSP no check extension. */
-static PRBool
-ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
-{
- SECStatus rv;
- SECItem extItem;
-
- extItem.data = NULL;
- rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK,
- &extItem);
- if (extItem.data != NULL) {
- PORT_Free(extItem.data);
- }
- if (rv == SECSuccess) {
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-#endif /* LATER */
-
-/*
- * Check the signature on some OCSP data. This is a helper function that
- * can be used to check either a request or a response. The result is
- * saved in the signature structure itself for future reference (to avoid
- * repeating the expensive verification operation), as well as returned.
- * In addition to checking the signature, the certificate (and its chain)
- * are also checked for validity (at the specified time) and usage.
- *
- * The type of cert lookup to be performed is specified by "lookupByName":
- * if true, then "certIndex" is actually a CERTName; otherwise it is a
- * SECItem which contains a key hash.
- *
- * If the signature verifies okay, and the argument "pSignerCert" is not
- * null, that parameter will be filled-in with a pointer to the signer's
- * certificate. The caller is then responsible for destroying the cert.
- *
- * A return of SECSuccess means the verification succeeded. If not,
- * an error will be set with the reason. Most likely are:
- * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
- * SEC_ERROR_BAD_SIGNATURE - the signature did not verify
- * Other errors are any of the many possible failures in cert verification
- * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- * verifying the signer's cert, or low-level problems (no memory, etc.)
- */
-static SECStatus
-ocsp_CheckSignature(ocspSignature *signature, void *tbs,
- const SEC_ASN1Template *encodeTemplate,
- CERTCertDBHandle *handle, SECCertUsage certUsage,
- int64 checkTime, PRBool lookupByName, void *certIndex,
- void *pwArg, CERTCertificate **pSignerCert)
-{
- SECItem rawSignature;
- SECItem *encodedTBS = NULL;
- CERTCertificate *signerCert = NULL;
- SECKEYPublicKey *signerKey = NULL;
- CERTCertificate **certs = NULL;
- SECStatus rv = SECFailure;
- int certCount;
-
- /*
- * If this signature has already gone through verification, just
- * return the cached result.
- */
- if (signature->wasChecked) {
- if (signature->status == SECSuccess) {
- if (pSignerCert != NULL)
- *pSignerCert = CERT_DupCertificate(signature->cert);
- } else {
- PORT_SetError(signature->failureReason);
- }
- return signature->status;
- }
-
- /*
- * If the signature contains some certificates as well, temporarily
- * import them in case they are needed for verification.
- *
- * Note that the result of this is that each cert in "certs" needs
- * to be destroyed.
- */
- certCount = 0;
- if (signature->derCerts != NULL) {
- for (; signature->derCerts[certCount] != NULL; certCount++) {
- /* just counting */
- }
- }
- rv = CERT_ImportCerts(handle, certUsage, certCount,
- signature->derCerts, &certs,
- PR_FALSE, PR_FALSE, NULL);
- if (rv != SECSuccess)
- goto finish;
-
- /*
- * Now look up the certificate that did the signing.
- * The signer can be specified either by name or by key hash.
- */
- if (lookupByName) {
- SECItem *encodedName;
-
- encodedName = SEC_ASN1EncodeItem(NULL, NULL, certIndex,
- CERT_NameTemplate);
- if (encodedName == NULL)
- goto finish;
-
- signerCert = CERT_FindCertByName(handle, encodedName);
- SECITEM_FreeItem(encodedName, PR_TRUE);
- } else {
- signerCert = CERT_FindCertBySPKDigest(handle, certIndex);
- }
-
- if (signerCert == NULL) {
- rv = SECFailure;
- if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
- /* Make the error a little more specific. */
- PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
- }
- goto finish;
- }
-
- /*
- * We could mark this true at the top of this function, or always
- * below at "finish", but if the problem was just that we could not
- * find the signer's cert, leave that as if the signature hasn't
- * been checked in case a subsequent call might have better luck.
- */
- signature->wasChecked = PR_TRUE;
-
- /*
- * Just because we have a cert does not mean it is any good; check
- * it for validity, trust and usage.
- */
- rv = CERT_VerifyCert(handle, signerCert, PR_TRUE, certUsage, checkTime,
- pwArg, NULL);
- if (rv != SECSuccess)
- goto finish;
-
- /*
- * Now get the public key from the signer's certificate; we need
- * it to perform the verification.
- */
- signerKey = CERT_ExtractPublicKey(signerCert);
- if (signerKey == NULL)
- goto finish;
-
- /*
- * Prepare the data to be verified; it needs to be DER encoded first.
- */
- encodedTBS = SEC_ASN1EncodeItem(NULL, NULL, tbs, encodeTemplate);
- if (encodedTBS == NULL)
- goto finish;
-
- /*
- * We copy the signature data *pointer* and length, so that we can
- * modify the length without damaging the original copy. This is a
- * simple copy, not a dup, so no destroy/free is necessary.
- */
- rawSignature = signature->signature;
- /*
- * The raw signature is a bit string, but we need to represent its
- * length in bytes, because that is what the verify function expects.
- */
- DER_ConvertBitString(&rawSignature);
-
- rv = VFY_VerifyData(encodedTBS->data, encodedTBS->len, signerKey,
- &rawSignature,
- SECOID_GetAlgorithmTag(&signature->signatureAlgorithm),
- pwArg);
-
-finish:
- if (signature->wasChecked)
- signature->status = rv;
-
- if (rv != SECSuccess) {
- signature->failureReason = PORT_GetError();
- if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
- } else {
- /*
- * Save signer's certificate in signature.
- */
- signature->cert = signerCert;
- if (pSignerCert != NULL) {
- /*
- * Pass pointer to signer's certificate back to our caller,
- * who is also now responsible for destroying it.
- */
- *pSignerCert = CERT_DupCertificate(signerCert);
- }
- }
-
- if (encodedTBS != NULL)
- SECITEM_FreeItem(encodedTBS, PR_TRUE);
-
- if (signerKey != NULL)
- SECKEY_DestroyPublicKey(signerKey);
-
- if (certs != NULL)
- CERT_DestroyCertArray(certs, certCount);
-
- return rv;
-}
-
-
-/*
- * FUNCTION: CERT_VerifyOCSPResponseSignature
- * Check the signature on an OCSP Response. Will also perform a
- * verification of the signer's certificate. Note, however, that a
- * successful verification does not make any statement about the
- * signer's *authority* to provide status for the certificate(s),
- * that must be checked individually for each certificate.
- * INPUTS:
- * CERTOCSPResponse *response
- * Pointer to response structure with signature to be checked.
- * CERTCertDBHandle *handle
- * Pointer to CERTCertDBHandle for certificate DB to use for verification.
- * void *pwArg
- * Pointer to argument for password prompting, if needed.
- * OUTPUTS:
- * CERTCertificate **pSignerCert
- * Pointer in which to store signer's certificate; only filled-in if
- * non-null.
- * RETURN:
- * Returns SECSuccess when signature is valid, anything else means invalid.
- * Possible errors set:
- * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
- * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
- * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
- * SEC_ERROR_BAD_SIGNATURE - the signature did not verify
- * Other errors are any of the many possible failures in cert verification
- * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- * verifying the signer's cert, or low-level problems (no memory, etc.)
- */
-SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
- CERTCertDBHandle *handle, void *pwArg,
- CERTCertificate **pSignerCert)
-{
- ocspResponseData *tbsData; /* this is what is signed */
- PRBool byName;
- void *certIndex;
- int64 producedAt;
- SECStatus rv;
-
- tbsData = ocsp_GetResponseData(response);
-
- PORT_Assert(tbsData->responderID != NULL);
- switch (tbsData->responderID->responderIDType) {
- case ocspResponderID_byName:
- byName = PR_TRUE;
- certIndex = &tbsData->responderID->responderIDValue.name;
- break;
- case ocspResponderID_byKey:
- byName = PR_FALSE;
- certIndex = &tbsData->responderID->responderIDValue.keyHash;
- break;
- case ocspResponderID_other:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- return SECFailure;
- }
-
- /*
- * ocsp_CheckSignature will also verify the signer certificate; we
- * need to tell it *when* that certificate must be valid -- for our
- * purposes we expect it to be valid when the response was signed.
- * The value of "producedAt" is the signing time.
- */
- rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt);
- if (rv != SECSuccess)
- return rv;
-
- return ocsp_CheckSignature(ocsp_GetResponseSignature(response),
- tbsData, ocsp_ResponseDataTemplate,
- handle, certUsageStatusResponder, producedAt,
- byName, certIndex, pwArg, pSignerCert);
-}
-
-/*
- * See if two certIDs match. This can be easy or difficult, depending
- * on whether the same hash algorithm was used.
- */
-static PRBool
-ocsp_CertIDsMatch(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID1, CERTOCSPCertID *certID2)
-{
- PRBool match = PR_FALSE;
- CERTCertificate *issuer1 = NULL;
- CERTCertificate *issuer2 = NULL;
- SECItem *foundHash = NULL;
- CERTCertificate *found;
- SECOidTag hashAlg;
- SECItem *givenHash;
-
- /*
- * In order to match, they must have the same issuer and the same
- * serial number.
- *
- * We just compare the easier things first.
- */
- if (SECITEM_CompareItem(&certID1->serialNumber,
- &certID2->serialNumber) != SECEqual) {
- goto done;
- }
-
- if (SECOID_CompareAlgorithmID(&certID1->hashAlgorithm,
- &certID2->hashAlgorithm) == SECEqual) {
- /*
- * If the hash algorithms match then we can do a simple compare
- * of the hash values themselves.
- */
- if ((SECITEM_CompareItem(&certID1->issuerNameHash,
- &certID2->issuerNameHash) == SECEqual)
- && (SECITEM_CompareItem(&certID1->issuerKeyHash,
- &certID2->issuerKeyHash) == SECEqual)) {
- match = PR_TRUE;
- }
- goto done;
- }
-
- /*
- * The hash algorithms are different; this is harder. We have
- * to do a lookup of each one and compare them.
- */
- issuer1 = CERT_FindCertBySPKDigest(handle, &certID1->issuerKeyHash);
- issuer2 = CERT_FindCertBySPKDigest(handle, &certID2->issuerKeyHash);
-
- if (issuer1 == NULL && issuer2 == NULL) {
- /* If we cannot find an issuer cert, we have no way to compare. */
- goto done;
- }
-
- if (issuer1 != NULL && issuer2 != NULL) {
- /* If we found a cert for each hash, we can just compare them. */
- if (issuer1 == issuer2)
- match = PR_TRUE;
- goto done;
- }
-
- /*
- * We found one issuer, but not both. So we have to use the other certID
- * hash algorithm on the key in the found issuer cert to see if they match.
- */
-
- if (issuer1 != NULL) {
- found = issuer1;
- hashAlg = SECOID_FindOIDTag(&certID2->hashAlgorithm.algorithm);
- givenHash = &certID2->issuerKeyHash;
- } else {
- found = issuer2;
- hashAlg = SECOID_FindOIDTag(&certID1->hashAlgorithm.algorithm);
- givenHash = &certID1->issuerKeyHash;
- }
-
- foundHash = CERT_SPKDigestValueForCert(NULL, found, hashAlg, NULL);
- if (foundHash == NULL) {
- goto done;
- }
-
- if (SECITEM_CompareItem(foundHash, givenHash) == SECEqual) {
- /*
- * Strictly speaking, we should compare the issuerNameHash, too,
- * but I think the added complexity doesn't actually buy anything.
- */
- match = PR_TRUE;
- }
-
-done:
- if (issuer1 != NULL) {
- CERT_DestroyCertificate(issuer1);
- }
- if (issuer2 != NULL) {
- CERT_DestroyCertificate(issuer2);
- }
- if (foundHash != NULL) {
- SECITEM_FreeItem(foundHash, PR_TRUE);
- }
- return match;
-}
-
-/*
- * Find the single response for the cert specified by certID.
- * No copying is done; this just returns a pointer to the appropriate
- * response within responses, if it is found (and null otherwise).
- * This is fine, of course, since this function is internal-use only.
- */
-static CERTOCSPSingleResponse *
-ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses,
- CERTCertDBHandle *handle,
- CERTOCSPCertID *certID)
-{
- CERTOCSPSingleResponse *single;
- int i;
-
- if (responses == NULL)
- return NULL;
-
- for (i = 0; responses[i] != NULL; i++) {
- single = responses[i];
- if (ocsp_CertIDsMatch(handle, certID, single->certID) == PR_TRUE) {
- return single;
- }
- }
-
- /*
- * The OCSP server should have included a response even if it knew
- * nothing about the certificate in question. Since it did not,
- * this will make it look as if it had.
- *
- * XXX Should we make this a separate error to notice the server's
- * bad behavior?
- */
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
- return NULL;
-}
-
-static ocspCheckingContext *
-ocsp_GetCheckingContext(CERTCertDBHandle *handle)
-{
- CERTStatusConfig *statusConfig;
- ocspCheckingContext *ocspcx = NULL;
-
- statusConfig = CERT_GetStatusConfig(handle);
- if (statusConfig != NULL) {
- ocspcx = statusConfig->statusContext;
-
- /*
- * This is actually an internal error, because we should never
- * have a good statusConfig without a good statusContext, too.
- * For lack of anything better, though, we just assert and use
- * the same error as if there were no statusConfig (set below).
- */
- PORT_Assert(ocspcx != NULL);
- }
-
- if (ocspcx == NULL)
- PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
-
- return ocspcx;
-}
-
-/*
- * Return true if the given signerCert is the default responder for
- * the given certID. If not, or if any error, return false.
- */
-static PRBool
-ocsp_CertIsDefaultResponderForCertID(CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- CERTOCSPCertID *certID)
-{
- ocspCheckingContext *ocspcx;
-
- ocspcx = ocsp_GetCheckingContext(handle);
- if (ocspcx == NULL)
- goto loser;
-
- /*
- * Right now we have only one default responder. It applies to
- * all certs when it is used, so the check is simple and certID
- * has no bearing on the answer. Someday in the future we may
- * allow configuration of different responders for different
- * issuers, and then we would have to use the issuer specified
- * in certID to determine if signerCert is the right one.
- */
- if (ocspcx->useDefaultResponder) {
- PORT_Assert(ocspcx->defaultResponderCert != NULL);
- if (ocspcx->defaultResponderCert == signerCert)
- return PR_TRUE;
- }
-
-loser:
- return PR_FALSE;
-}
-
-/*
- * Check that the given signer certificate is authorized to sign status
- * information for the given certID. Return true if it is, false if not
- * (or if there is any error along the way). If false is returned because
- * the signer is not authorized, the following error will be set:
- * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- * Other errors are low-level problems (no memory, bad database, etc.).
- *
- * There are three ways to be authorized. In the order in which we check,
- * using the terms used in the OCSP spec, the signer must be one of:
- * 1. A "trusted responder" -- it matches a local configuration
- * of OCSP signing authority for the certificate in question.
- * 2. The CA who issued the certificate in question.
- * 3. A "CA designated responder", aka an "authorized responder" -- it
- * must be represented by a special cert issued by the CA who issued
- * the certificate in question.
- */
-static PRBool
-ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- CERTOCSPCertID *certID,
- int64 thisUpdate)
-{
- CERTCertificate *issuerCert = NULL;
- SECItem *issuerKeyHash = NULL;
- SECOidTag hashAlg;
- PRBool okay = PR_FALSE;
-
- /*
- * Check first for a trusted responder, which overrides everything else.
- */
- if (ocsp_CertIsDefaultResponderForCertID(handle, signerCert, certID))
- return PR_TRUE;
-
- /*
- * In the other two cases, we need to do an issuer comparison.
- * How we do it depends on whether the signer certificate has the
- * special extension (for a designated responder) or not.
- */
-
- if (ocsp_CertIsOCSPSigner(signerCert)) {
- /*
- * The signer is a designated responder. Its issuer must match
- * the issuer of the cert being checked.
- */
- issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate,
- certUsageAnyCA);
- if (issuerCert == NULL) {
- /*
- * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
- * but the following will give slightly more information.
- * Once we have an error stack, things will be much better.
- */
- PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
- goto loser;
- }
- } else {
- /*
- * The signer must *be* the issuer of the cert being checked.
- */
- issuerCert = signerCert;
- }
-
- hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
- issuerKeyHash = CERT_SPKDigestValueForCert(NULL, issuerCert, hashAlg, NULL);
- if (issuerKeyHash == NULL)
- goto loser;
-
- if (SECITEM_CompareItem(issuerKeyHash,
- &certID->issuerKeyHash) != SECEqual) {
- PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
- goto loser;
- }
-
- okay = PR_TRUE;
-
-loser:
- if (issuerKeyHash != NULL)
- SECITEM_FreeItem(issuerKeyHash, PR_TRUE);
-
- if (issuerCert != NULL && issuerCert != signerCert)
- CERT_DestroyCertificate(issuerCert);
-
- return okay;
-}
-
-/*
- * We need to check that a responder gives us "recent" information.
- * Since a responder can pre-package responses, we need to pick an amount
- * of time that is acceptable to us, and reject any response that is
- * older than that.
- *
- * XXX This *should* be based on some configuration parameter, so that
- * different usages could specify exactly what constitutes "sufficiently
- * recent". But that is not going to happen right away. For now, we
- * want something from within the last 24 hours. This macro defines that
- * number in seconds.
- */
-#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L)
-
-static PRBool
-ocsp_TimeIsRecent(int64 checkTime)
-{
- int64 now = PR_Now();
- int64 lapse, tmp;
-
- LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS);
- LL_I2L(tmp, PR_USEC_PER_SEC);
- LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */
-
- LL_ADD(checkTime, checkTime, lapse);
- if (LL_CMP(now, >, checkTime))
- return PR_FALSE;
-
- return PR_TRUE;
-}
-
-/*
- * Check that this single response is okay. A return of SECSuccess means:
- * 1. The signer (represented by "signerCert") is authorized to give status
- * for the cert represented by the individual response in "single".
- * 2. The value of thisUpdate is earlier than now.
- * 3. The value of producedAt is later than or the same as thisUpdate.
- * 4. If nextUpdate is given:
- * - The value of nextUpdate is later than now.
- * - The value of producedAt is earlier than nextUpdate.
- * Else if no nextUpdate:
- * - The value of thisUpdate is fairly recent.
- * - The value of producedAt is fairly recent.
- * However we do not need to perform an explicit check for this last
- * constraint because it is already guaranteed by checking that
- * producedAt is later than thisUpdate and thisUpdate is recent.
- * Oh, and any responder is "authorized" to say that a cert is unknown to it.
- *
- * If any of those checks fail, SECFailure is returned and an error is set:
- * SEC_ERROR_OCSP_FUTURE_RESPONSE
- * SEC_ERROR_OCSP_OLD_RESPONSE
- * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-static SECStatus
-ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
- CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- int64 producedAt)
-{
- CERTOCSPCertID *certID = single->certID;
- int64 now, thisUpdate, nextUpdate;
- SECStatus rv;
-
- /*
- * If all the responder said was that the given cert was unknown to it,
- * that is a valid response. Not very interesting to us, of course,
- * but all this function is concerned with is validity of the response,
- * not the status of the cert.
- */
- PORT_Assert(single->certStatus != NULL);
- if (single->certStatus->certStatusType == ocspCertStatus_unknown)
- return SECSuccess;
-
- /*
- * We need to extract "thisUpdate" for use below and to pass along
- * to AuthorizedResponderForCertID in case it needs it for doing an
- * issuer look-up.
- */
- rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * First confirm that signerCert is authorized to give this status.
- */
- if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID,
- thisUpdate) != PR_TRUE)
- return SECFailure;
-
- /*
- * Now check the time stuff, as described above.
- */
- now = PR_Now();
- if (LL_CMP(thisUpdate, >, now) || LL_CMP(producedAt, <, thisUpdate)) {
- PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
- return SECFailure;
- }
- if (single->nextUpdate != NULL) {
- rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
- if (rv != SECSuccess)
- return rv;
-
- if (LL_CMP(nextUpdate, <, now) || LL_CMP(producedAt, >, nextUpdate)) {
- PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
- return SECFailure;
- }
- } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
- PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
- * Get the value of the URI of the OCSP responder for the given cert.
- * This is found in the (optional) Authority Information Access extension
- * in the cert.
- * INPUTS:
- * CERTCertificate *cert
- * The certificate being examined.
- * RETURN:
- * char *
- * A copy of the URI for the OCSP method, if found. If either the
- * extension is not present or it does not contain an entry for OCSP,
- * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
- * Any other error will also result in a NULL being returned.
- *
- * This result should be freed (via PORT_Free) when no longer in use.
- */
-char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert)
-{
- CERTGeneralName *locname = NULL;
- SECItem *location = NULL;
- SECItem *encodedAuthInfoAccess = NULL;
- CERTAuthInfoAccess **authInfoAccess = NULL;
- char *locURI = NULL;
- PRArenaPool *arena = NULL;
- SECStatus rv;
- int i;
-
- /*
- * Allocate this one from the heap because it will get filled in
- * by CERT_FindCertExtension which will also allocate from the heap,
- * and we can free the entire thing on our way out.
- */
- encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
- if (encodedAuthInfoAccess == NULL)
- goto loser;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
- encodedAuthInfoAccess);
- if (rv == SECFailure)
- goto loser;
-
- /*
- * The rest of the things allocated in the routine will come out of
- * this arena, which is temporary just for us to decode and get at the
- * AIA extension. The whole thing will be destroyed on our way out,
- * after we have copied the location string (url) itself (if found).
- */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- goto loser;
-
- authInfoAccess = cert_DecodeAuthInfoAccessExtension(arena,
- encodedAuthInfoAccess);
- if (authInfoAccess == NULL)
- goto loser;
-
- for (i = 0; authInfoAccess[i] != NULL; i++) {
- if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
- locname = authInfoAccess[i]->location;
- }
-
- /*
- * If we found an AIA extension, but it did not include an OCSP method,
- * that should look to our caller as if we did not find the extension
- * at all, because it is only an OCSP method that we care about.
- * So set the same error that would be set if the AIA extension was
- * not there at all.
- */
- if (locname == NULL) {
- PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
- goto loser;
- }
-
- /*
- * The following is just a pointer back into locname (i.e. not a copy);
- * thus it should not be freed.
- */
- location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE);
- if (location == NULL) {
- /*
- * XXX Appears that CERT_GetGeneralNameByType does not set an
- * error if there is no name by that type. For lack of anything
- * better, act as if the extension was not found. In the future
- * this should probably be something more like the extension was
- * badly formed.
- */
- PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
- goto loser;
- }
-
- /*
- * That location is really a string, but it has a specified length
- * without a null-terminator. We need a real string that does have
- * a null-terminator, and we need a copy of it anyway to return to
- * our caller -- so allocate and copy.
- */
- locURI = PORT_Alloc(location->len + 1);
- if (locURI == NULL) {
- goto loser;
- }
- PORT_Memcpy(locURI, location->data, location->len);
- locURI[location->len] = '\0';
-
-loser:
- if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
-
- if (encodedAuthInfoAccess != NULL)
- SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
-
- return locURI;
-}
-
-
-/*
- * Figure out where we should go to find out the status of the given cert
- * via OCSP. If a default responder is set up, that is our answer.
- * If not, see if the certificate has an Authority Information Access (AIA)
- * extension for OCSP, and return the value of that. Otherwise return NULL.
- * We also let our caller know whether or not the responder chosen was
- * a default responder or not through the output variable isDefault;
- * its value has no meaning unless a good (non-null) value is returned
- * for the location.
- *
- * The result needs to be freed (PORT_Free) when no longer in use.
- */
-static char *
-ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool *isDefault)
-{
- ocspCheckingContext *ocspcx;
-
- ocspcx = ocsp_GetCheckingContext(handle);
- if (ocspcx != NULL && ocspcx->useDefaultResponder) {
- /*
- * A default responder wins out, if specified.
- * XXX Someday this may be a more complicated determination based
- * on the cert's issuer. (That is, we could have different default
- * responders configured for different issuers.)
- */
- PORT_Assert(ocspcx->defaultResponderURI != NULL);
- *isDefault = PR_TRUE;
- return (PORT_Strdup(ocspcx->defaultResponderURI));
- }
-
- /*
- * No default responder set up, so go see if we can find an AIA
- * extension that has a value for OCSP, and get the url from that.
- */
- *isDefault = PR_FALSE;
- return CERT_GetOCSPAuthorityInfoAccessLocation(cert);
-}
-
-/*
- * Return SECSuccess if the cert was revoked *after* "time",
- * SECFailure otherwise.
- */
-static SECStatus
-ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, int64 time)
-{
- int64 revokedTime;
- SECStatus rv;
-
- rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * Set the error even if we will return success; someone might care.
- */
- PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
-
- if (LL_CMP(revokedTime, >, time))
- return SECSuccess;
-
- return SECFailure;
-}
-
-/*
- * See if the cert represented in the single response had a good status
- * at the specified time.
- */
-static SECStatus
-ocsp_CertHasGoodStatus(CERTOCSPSingleResponse *single, int64 time)
-{
- ocspCertStatus *status;
- SECStatus rv;
-
- status = single->certStatus;
-
- switch (status->certStatusType) {
- case ocspCertStatus_good:
- rv = SECSuccess;
- break;
- case ocspCertStatus_revoked:
- rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
- break;
- case ocspCertStatus_unknown:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
- rv = SECFailure;
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- rv = SECFailure;
- break;
- }
-
- return rv;
-}
-
-
-/*
- * FUNCTION: CERT_CheckOCSPStatus
- * Checks the status of a certificate via OCSP. Will only check status for
- * a certificate that has an AIA (Authority Information Access) extension
- * for OCSP *or* when a "default responder" is specified and enabled.
- * (If no AIA extension for OCSP and no default responder in place, the
- * cert is considered to have a good status and SECSuccess is returned.)
- * INPUTS:
- * CERTCertDBHandle *handle
- * certificate DB of the cert that is being checked
- * CERTCertificate *cert
- * the certificate being checked
- * XXX in the long term also need a boolean parameter that specifies
- * whether to check the cert chain, as well; for now we check only
- * the leaf (the specified certificate)
- * int64 time
- * time for which status is to be determined
- * void *pwArg
- * argument for password prompting, if needed
- * RETURN:
- * Returns SECSuccess if an approved OCSP responder "knows" the cert
- * *and* returns a non-revoked status for it; SECFailure otherwise,
- * with an error set describing the reason:
- *
- * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- * SEC_ERROR_OCSP_FUTURE_RESPONSE
- * SEC_ERROR_OCSP_MALFORMED_REQUEST
- * SEC_ERROR_OCSP_MALFORMED_RESPONSE
- * SEC_ERROR_OCSP_OLD_RESPONSE
- * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
- * SEC_ERROR_OCSP_SERVER_ERROR
- * SEC_ERROR_OCSP_TRY_SERVER_LATER
- * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
- * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- * SEC_ERROR_OCSP_UNKNOWN_CERT
- * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
- * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
- *
- * SEC_ERROR_BAD_SIGNATURE
- * SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- * SEC_ERROR_INVALID_TIME
- * SEC_ERROR_REVOKED_CERTIFICATE
- * SEC_ERROR_UNKNOWN_ISSUER
- * SEC_ERROR_UNKNOWN_SIGNER
- *
- * Other errors are any of the many possible failures in cert verification
- * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- * verifying the signer's cert, or low-level problems (error allocating
- * memory, error performing ASN.1 decoding, etc.).
- */
-SECStatus
-CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
- int64 time, void *pwArg)
-{
- char *location = NULL;
- PRBool locationIsDefault;
- CERTCertList *certList = NULL;
- SECItem *encodedResponse = NULL;
- CERTOCSPRequest *request = NULL;
- CERTOCSPResponse *response = NULL;
- CERTCertificate *signerCert = NULL;
- ocspResponseData *responseData;
- int64 producedAt;
- CERTOCSPCertID *certID;
- CERTOCSPSingleResponse *single;
- SECStatus rv = SECFailure;
-
-
- /*
- * The first thing we need to do is find the location of the responder.
- * This will be the value of the default responder (if enabled), else
- * it will come out of the AIA extension in the cert (if present).
- * If we have no such location, then this cert does not "deserve" to
- * be checked -- that is, we consider it a success and just return.
- * The way we tell that is by looking at the error number to see if
- * the problem was no AIA extension was found; any other error was
- * a true failure that we unfortunately have to treat as an overall
- * failure here.
- */
- location = ocsp_GetResponderLocation(handle, cert, &locationIsDefault);
- if (location == NULL) {
- if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
- return SECSuccess;
- else
- return SECFailure;
- }
-
- /*
- * For now, create a cert-list of one.
- * XXX In the fullness of time, we will want/need to handle a
- * certificate chain. This will be done either when a new parameter
- * tells us to, or some configuration variable tells us to. In any
- * case, handling it is complicated because we may need to send as
- * many requests (and receive as many responses) as we have certs
- * in the chain. If we are going to talk to a default responder,
- * and we only support one default responder, we can put all of the
- * certs together into one request. Otherwise, we must break them up
- * into multiple requests. (Even if all of the requests will go to
- * the same location, the signature on each response will be different,
- * because each issuer is different. Carefully read the OCSP spec
- * if you do not understand this.)
- */
-
- certList = CERT_NewCertList();
- if (certList == NULL)
- goto loser;
-
- /* dup it because freeing the list will destroy the cert, too */
- cert = CERT_DupCertificate(cert);
- if (cert == NULL)
- goto loser;
-
- if (CERT_AddCertToListTail(certList, cert) != SECSuccess) {
- CERT_DestroyCertificate(cert);
- goto loser;
- }
-
- /*
- * XXX If/when signing of requests is supported, that second NULL
- * should be changed to be the signer certificate. Not sure if that
- * should be passed into this function or retrieved via some operation
- * on the handle/context.
- */
- encodedResponse = CERT_GetEncodedOCSPResponse(NULL, certList, location,
- time, locationIsDefault,
- NULL, pwArg, &request);
- if (encodedResponse == NULL) {
- goto loser;
- }
-
- response = CERT_DecodeOCSPResponse(encodedResponse);
- if (response == NULL) {
- goto loser;
- }
-
- /*
- * Okay, we at least have a response that *looks* like a response!
- * Now see if the overall response status value is good or not.
- * If not, we set an error and give up. (It means that either the
- * server had a problem, or it didn't like something about our
- * request. Either way there is nothing to do but give up.)
- * Otherwise, we continue to find the actual per-cert status
- * in the response.
- */
- switch (response->statusValue) {
- case ocspResponse_successful:
- break;
- case ocspResponse_malformedRequest:
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
- goto loser;
- case ocspResponse_internalError:
- PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
- goto loser;
- case ocspResponse_tryLater:
- PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
- goto loser;
- case ocspResponse_sigRequired:
- /* XXX We *should* retry with a signature, if possible. */
- PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
- goto loser;
- case ocspResponse_unauthorized:
- PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
- goto loser;
- case ocspResponse_other:
- case ocspResponse_unused:
- default:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
- goto loser;
- }
-
- /*
- * If we've made it this far, we expect a response with a good signature.
- * So, check for that.
- */
- rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_Assert(signerCert != NULL); /* internal consistency check */
- /* XXX probably should set error, return failure if signerCert is null */
-
- /*
- * The ResponseData part is the real guts of the response.
- */
- responseData = ocsp_GetResponseData(response);
- if (responseData == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- /*
- * There is one producedAt time for the entire response (and a separate
- * thisUpdate time for each individual single response). We need to
- * compare them, so get the overall time to pass into the check of each
- * single response.
- */
- rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * Again, we are only doing one request for one cert.
- * XXX When we handle cert chains, the following code will obviously
- * have to be modified, in coordation with the code above that will
- * have to determine how to make multiple requests, etc. It will need
- * to loop, and for each certID in the request, find the matching
- * single response and check the status specified by it.
- *
- * We are helped here in that we know that the requests are made with
- * the request list in the same order as the order of the certs we hand
- * to it. This is why I can directly access the first member of the
- * single request array for the one cert I care about.
- */
-
- certID = request->tbsRequest->requestList[0]->reqCert;
- single = ocsp_GetSingleResponseForCertID(responseData->responses,
- handle, certID);
- if (single == NULL)
- goto loser;
-
- rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * Okay, the last step is to check whether the status says revoked,
- * and if so how that compares to the time value passed into this routine.
- */
-
- rv = ocsp_CertHasGoodStatus(single, time);
-
-loser:
- if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
- if (response != NULL)
- CERT_DestroyOCSPResponse(response);
- if (request != NULL)
- CERT_DestroyOCSPRequest(request);
- if (encodedResponse != NULL)
- SECITEM_FreeItem(encodedResponse, PR_TRUE);
- if (certList != NULL)
- CERT_DestroyCertList(certList);
- if (location != NULL)
- PORT_Free(location);
-
- return rv;
-}
-
-
-/*
- * Disable status checking and destroy related structures/data.
- */
-static SECStatus
-ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
-{
- ocspCheckingContext *statusContext;
-
- /*
- * Disable OCSP checking
- */
- statusConfig->statusChecker = NULL;
-
- statusContext = statusConfig->statusContext;
- PORT_Assert(statusContext != NULL);
- if (statusContext == NULL)
- return SECFailure;
-
- if (statusContext->defaultResponderURI != NULL)
- PORT_Free(statusContext->defaultResponderURI);
- if (statusContext->defaultResponderNickname != NULL)
- PORT_Free(statusContext->defaultResponderNickname);
-
- PORT_Free(statusContext);
- statusConfig->statusContext = NULL;
-
- PORT_Free(statusConfig);
-
- return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_DisableOCSPChecking
- * Turns off OCSP checking for the given certificate database.
- * This routine disables OCSP checking. Though it will return
- * SECFailure if OCSP checking is not enabled, it is "safe" to
- * call it that way and just ignore the return value, if it is
- * easier to just call it than to "remember" whether it is enabled.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Certificate database for which OCSP checking will be disabled.
- * RETURN:
- * Returns SECFailure if an error occurred (usually means that OCSP
- * checking was not enabled or status contexts were not initialized --
- * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
- */
-SECStatus
-CERT_DisableOCSPChecking(CERTCertDBHandle *handle)
-{
- CERTStatusConfig *statusConfig;
- ocspCheckingContext *statusContext;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- statusConfig = CERT_GetStatusConfig(handle);
- statusContext = ocsp_GetCheckingContext(handle);
- if (statusContext == NULL)
- return SECFailure;
-
- if (statusConfig->statusChecker != CERT_CheckOCSPStatus) {
- /*
- * Status configuration is present, but either not currently
- * enabled or not for OCSP.
- */
- PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
- return SECFailure;
- }
-
- /*
- * This is how we disable status checking. Everything else remains
- * in place in case we are enabled again.
- */
- statusConfig->statusChecker = NULL;
-
- return SECSuccess;
-}
-
-/*
- * Allocate and initialize the informational structures for status checking.
- * This is done when some configuration of OCSP is being done or when OCSP
- * checking is being turned on, whichever comes first.
- */
-static SECStatus
-ocsp_InitStatusChecking(CERTCertDBHandle *handle)
-{
- CERTStatusConfig *statusConfig = NULL;
- ocspCheckingContext *statusContext = NULL;
-
- PORT_Assert(CERT_GetStatusConfig(handle) == NULL);
- if (CERT_GetStatusConfig(handle) != NULL) {
- /* XXX or call statusConfig->statusDestroy and continue? */
- return SECFailure;
- }
-
- statusConfig = PORT_ZNew(CERTStatusConfig);
- if (statusConfig == NULL)
- goto loser;
-
- statusContext = PORT_ZNew(ocspCheckingContext);
- if (statusContext == NULL)
- goto loser;
-
- statusConfig->statusDestroy = ocsp_DestroyStatusChecking;
- statusConfig->statusContext = statusContext;
-
- CERT_SetStatusConfig(handle, statusConfig);
-
- return SECSuccess;
-
-loser:
- if (statusContext != NULL)
- PORT_Free(statusContext);
- if (statusConfig != NULL)
- PORT_Free(statusConfig);
- return SECFailure;
-}
-
-
-/*
- * FUNCTION: CERT_EnableOCSPChecking
- * Turns on OCSP checking for the given certificate database.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Certificate database for which OCSP checking will be enabled.
- * RETURN:
- * Returns SECFailure if an error occurred (likely only problem
- * allocating memory); SECSuccess otherwise.
- */
-SECStatus
-CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
-{
- CERTStatusConfig *statusConfig;
-
- SECStatus rv;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- statusConfig = CERT_GetStatusConfig(handle);
- if (statusConfig == NULL) {
- rv = ocsp_InitStatusChecking(handle);
- if (rv != SECSuccess)
- return rv;
-
- /* Get newly established value */
- statusConfig = CERT_GetStatusConfig(handle);
- PORT_Assert(statusConfig != NULL);
- }
-
- /*
- * Setting the checker function is what really enables the checking
- * when each cert verification is done.
- */
- statusConfig->statusChecker = CERT_CheckOCSPStatus;
-
- return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_SetOCSPDefaultResponder
- * Specify the location and cert of the default responder.
- * If OCSP checking is already enabled *and* use of a default responder
- * is also already enabled, all OCSP checking from now on will go directly
- * to the specified responder. If OCSP checking is not enabled, or if
- * it is but use of a default responder is not enabled, the information
- * will be recorded and take effect whenever both are enabled.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Cert database on which OCSP checking should use the default responder.
- * char *url
- * The location of the default responder (e.g. "http://foo.com:80/ocsp")
- * Note that the location will not be tested until the first attempt
- * to send a request there.
- * char *name
- * The nickname of the cert to trust (expected) to sign the OCSP responses.
- * If the corresponding cert cannot be found, SECFailure is returned.
- * RETURN:
- * Returns SECFailure if an error occurred; SECSuccess otherwise.
- * The most likely error is that the cert for "name" could not be found
- * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory,
- * bad database, etc.).
- */
-SECStatus
-CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
- const char *url, const char *name)
-{
- CERTCertificate *cert;
- ocspCheckingContext *statusContext;
- char *url_copy = NULL;
- char *name_copy = NULL;
- SECStatus rv;
-
- if (handle == NULL || url == NULL || name == NULL) {
- /*
- * XXX When interface is exported, probably want better errors;
- * perhaps different one for each parameter.
- */
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /*
- * Find the certificate for the specified nickname. Do this first
- * because it seems the most likely to fail.
- *
- * XXX Shouldn't need that cast if the FindCertByNickname interface
- * used const to convey that it does not modify the name. Maybe someday.
- */
- cert = CERT_FindCertByNickname(handle, (char *) name);
- if (cert == NULL)
- return SECFailure;
-
- /*
- * Make a copy of the url and nickname.
- */
- url_copy = PORT_Strdup(url);
- name_copy = PORT_Strdup(name);
- if (url_copy == NULL || name_copy == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- statusContext = ocsp_GetCheckingContext(handle);
-
- /*
- * Allocate and init the context if it doesn't already exist.
- */
- if (statusContext == NULL) {
- rv = ocsp_InitStatusChecking(handle);
- if (rv != SECSuccess)
- goto loser;
-
- statusContext = ocsp_GetCheckingContext(handle);
- PORT_Assert(statusContext != NULL); /* extreme paranoia */
- }
-
- /*
- * Note -- we do not touch the status context until after all of
- * the steps which could cause errors. If something goes wrong,
- * we want to leave things as they were.
- */
-
- /*
- * Get rid of old url and name if there.
- */
- if (statusContext->defaultResponderNickname != NULL)
- PORT_Free(statusContext->defaultResponderNickname);
- if (statusContext->defaultResponderURI != NULL)
- PORT_Free(statusContext->defaultResponderURI);
-
- /*
- * And replace them with the new ones.
- */
- statusContext->defaultResponderURI = url_copy;
- statusContext->defaultResponderNickname = name_copy;
-
- /*
- * If there was already a cert in place, get rid of it and replace it.
- * Otherwise, we are not currently enabled, so we don't want to save it;
- * it will get re-found and set whenever use of a default responder is
- * enabled.
- */
- if (statusContext->defaultResponderCert != NULL) {
- CERT_DestroyCertificate(statusContext->defaultResponderCert);
- statusContext->defaultResponderCert = cert;
- } else {
- PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
- CERT_DestroyCertificate(cert);
- }
-
- return SECSuccess;
-
-loser:
- CERT_DestroyCertificate(cert);
- if (url_copy != NULL)
- PORT_Free(url_copy);
- if (name_copy != NULL)
- PORT_Free(name_copy);
- return rv;
-}
-
-
-/*
- * FUNCTION: CERT_EnableOCSPDefaultResponder
- * Turns on use of a default responder when OCSP checking.
- * If OCSP checking is already enabled, this will make subsequent checks
- * go directly to the default responder. (The location of the responder
- * and the nickname of the responder cert must already be specified.)
- * If OCSP checking is not enabled, this will be recorded and take effect
- * whenever it is enabled.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Cert database on which OCSP checking should use the default responder.
- * RETURN:
- * Returns SECFailure if an error occurred; SECSuccess otherwise.
- * No errors are especially likely unless the caller did not previously
- * perform a successful call to SetOCSPDefaultResponder (in which case
- * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
- */
-SECStatus
-CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
-{
- ocspCheckingContext *statusContext;
- CERTCertificate *cert;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- statusContext = ocsp_GetCheckingContext(handle);
-
- if (statusContext == NULL) {
- /*
- * Strictly speaking, the error already set is "correct",
- * but cover over it with one more helpful in this context.
- */
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
- }
-
- if (statusContext->defaultResponderURI == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
- }
-
- if (statusContext->defaultResponderNickname == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
- }
-
- /*
- * Find the cert for the nickname.
- */
- cert = CERT_FindCertByNickname(handle,
- statusContext->defaultResponderNickname);
- /*
- * We should never have trouble finding the cert, because its
- * existence should have been proven by SetOCSPDefaultResponder.
- */
- PORT_Assert(cert != NULL);
- if (cert == NULL)
- return SECFailure;
-
- /*
- * And hang onto it.
- */
- statusContext->defaultResponderCert = cert;
-
- /*
- * Finally, record the fact that we now have a default responder enabled.
- */
- statusContext->useDefaultResponder = PR_TRUE;
- return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_DisableOCSPDefaultResponder
- * Turns off use of a default responder when OCSP checking.
- * (Does nothing if use of a default responder is not enabled.)
- * INPUTS:
- * CERTCertDBHandle *handle
- * Cert database on which OCSP checking should stop using a default
- * responder.
- * RETURN:
- * Returns SECFailure if an error occurred; SECSuccess otherwise.
- * Errors very unlikely (like random memory corruption...).
- */
-SECStatus
-CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
-{
- CERTStatusConfig *statusConfig;
- ocspCheckingContext *statusContext;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- statusConfig = CERT_GetStatusConfig(handle);
- if (statusConfig == NULL)
- return SECSuccess;
-
- statusContext = ocsp_GetCheckingContext(handle);
- PORT_Assert(statusContext != NULL);
- if (statusContext == NULL)
- return SECFailure;
-
- if (statusContext->defaultResponderCert != NULL) {
- CERT_DestroyCertificate(statusContext->defaultResponderCert);
- statusContext->defaultResponderCert = NULL;
- }
-
- /*
- * Finally, record the fact.
- */
- statusContext->useDefaultResponder = PR_FALSE;
- return SECSuccess;
-}
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
deleted file mode 100644
index 51f81e867..000000000
--- a/security/nss/lib/certhigh/ocsp.h
+++ /dev/null
@@ -1,452 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Interface to the OCSP implementation.
- *
- * $Id$
- */
-
-#ifndef _OCSP_H_
-#define _OCSP_H_
-
-
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "keyt.h"
-#include "certt.h"
-#include "ocspt.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * FUNCTION: CERT_EnableOCSPChecking
- * Turns on OCSP checking for the given certificate database.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Certificate database for which OCSP checking will be enabled.
- * RETURN:
- * Returns SECFailure if an error occurred (likely only problem
- * allocating memory); SECSuccess otherwise.
- */
-extern SECStatus
-CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
-
-/*
- * FUNCTION: CERT_DisableOCSPChecking
- * Turns off OCSP checking for the given certificate database.
- * This routine disables OCSP checking. Though it will return
- * SECFailure if OCSP checking is not enabled, it is "safe" to
- * call it that way and just ignore the return value, if it is
- * easier to just call it than to "remember" whether it is enabled.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Certificate database for which OCSP checking will be disabled.
- * RETURN:
- * Returns SECFailure if an error occurred (usually means that OCSP
- * checking was not enabled or status contexts were not initialized --
- * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
- */
-extern SECStatus
-CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
-
-/*
- * FUNCTION: CERT_SetOCSPDefaultResponder
- * Specify the location and cert of the default responder.
- * If OCSP checking is already enabled *and* use of a default responder
- * is also already enabled, all OCSP checking from now on will go directly
- * to the specified responder. If OCSP checking is not enabled, or if
- * it is but use of a default responder is not enabled, the information
- * will be recorded and take effect whenever both are enabled.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Cert database on which OCSP checking should use the default responder.
- * char *url
- * The location of the default responder (e.g. "http://foo.com:80/ocsp")
- * Note that the location will not be tested until the first attempt
- * to send a request there.
- * char *name
- * The nickname of the cert to trust (expected) to sign the OCSP responses.
- * If the corresponding cert cannot be found, SECFailure is returned.
- * RETURN:
- * Returns SECFailure if an error occurred; SECSuccess otherwise.
- * The most likely error is that the cert for "name" could not be found
- * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory,
- * bad database, etc.).
- */
-extern SECStatus
-CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
- const char *url, const char *name);
-
-/*
- * FUNCTION: CERT_EnableOCSPDefaultResponder
- * Turns on use of a default responder when OCSP checking.
- * If OCSP checking is already enabled, this will make subsequent checks
- * go directly to the default responder. (The location of the responder
- * and the nickname of the responder cert must already be specified.)
- * If OCSP checking is not enabled, this will be recorded and take effect
- * whenever it is enabled.
- * INPUTS:
- * CERTCertDBHandle *handle
- * Cert database on which OCSP checking should use the default responder.
- * RETURN:
- * Returns SECFailure if an error occurred; SECSuccess otherwise.
- * No errors are especially likely unless the caller did not previously
- * perform a successful call to SetOCSPDefaultResponder (in which case
- * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
- */
-extern SECStatus
-CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
-
-/*
- * FUNCTION: CERT_DisableOCSPDefaultResponder
- * Turns off use of a default responder when OCSP checking.
- * (Does nothing if use of a default responder is not enabled.)
- * INPUTS:
- * CERTCertDBHandle *handle
- * Cert database on which OCSP checking should stop using a default
- * responder.
- * RETURN:
- * Returns SECFailure if an error occurred; SECSuccess otherwise.
- * Errors very unlikely (like random memory corruption...).
- */
-extern SECStatus
-CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
-
-/*
- * -------------------------------------------------------
- * The Functions above are those expected to be used by a client
- * providing OCSP status checking along with every cert verification.
- * The functions below are for OCSP testing, debugging, or clients
- * or servers performing more specialized OCSP tasks.
- * -------------------------------------------------------
- */
-
-/*
- * FUNCTION: CERT_CreateOCSPRequest
- * Creates a CERTOCSPRequest, requesting the status of the certs in
- * the given list.
- * INPUTS:
- * CERTCertList *certList
- * A list of certs for which status will be requested.
- * Note that all of these certificates should have the same issuer,
- * or it's expected the response will be signed by a trusted responder.
- * If the certs need to be broken up into multiple requests, that
- * must be handled by the caller (and thus by having multiple calls
- * to this routine), who knows about where the request(s) are being
- * sent and whether there are any trusted responders in place.
- * int64 time
- * Indicates the time for which the certificate status is to be
- * determined -- this may be used in the search for the cert's issuer
- * but has no effect on the request itself.
- * PRBool addServiceLocator
- * If true, the Service Locator extension should be added to the
- * single request(s) for each cert.
- * CERTCertificate *signerCert
- * If non-NULL, means sign the request using this cert. Otherwise,
- * do not sign.
- * XXX note that request signing is not yet supported; see comment in code
- * RETURN:
- * A pointer to a CERTOCSPRequest structure containing an OCSP request
- * for the cert list. On error, null is returned, with an error set
- * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER.
- * (The issuer is needed to create a request for the certificate.)
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-extern CERTOCSPRequest *
-CERT_CreateOCSPRequest(CERTCertList *certList, int64 time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert);
-
-/*
- * FUNCTION: CERT_AddOCSPAcceptableResponses
- * Add the AcceptableResponses extension to an OCSP Request.
- * INPUTS:
- * CERTOCSPRequest *request
- * The request to which the extension should be added.
- * ...
- * A list (of one or more) of SECOidTag -- each of the response types
- * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
- * (This marks the end of the list, and it must be specified because a
- * client conforming to the OCSP standard is required to handle the basic
- * response type.) The OIDs are not checked in any way.
- * RETURN:
- * SECSuccess if the extension is added; SECFailure if anything goes wrong.
- * All errors are internal or low-level problems (e.g. no memory).
- */
-extern SECStatus
-CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, ...);
-
-/*
- * FUNCTION: CERT_EncodeOCSPRequest
- * DER encodes an OCSP Request, possibly adding a signature as well.
- * XXX Signing is not yet supported, however; see comments in code.
- * INPUTS:
- * PRArenaPool *arena
- * The return value is allocated from here.
- * If a NULL is passed in, allocation is done from the heap instead.
- * CERTOCSPRequest *request
- * The request to be encoded.
- * void *pwArg
- * Pointer to argument for password prompting, if needed. (Definitely
- * not needed if not signing.)
- * RETURN:
- * Returns a NULL on error and a pointer to the SECItem with the
- * encoded value otherwise. Any error is likely to be low-level
- * (e.g. no memory).
- */
-extern SECItem *
-CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request,
- void *pwArg);
-
-/*
- * FUNCTION: CERT_DecodeOCSPRequest
- * Decode a DER encoded OCSP Request.
- * INPUTS:
- * SECItem *src
- * Pointer to a SECItem holding DER encoded OCSP Request.
- * RETURN:
- * Returns a pointer to a CERTOCSPRequest containing the decoded request.
- * On error, returns NULL. Most likely error is trouble decoding
- * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
- */
-extern CERTOCSPRequest *
-CERT_DecodeOCSPRequest(SECItem *src);
-
-/*
- * FUNCTION: CERT_DestroyOCSPRequest
- * Frees an OCSP Request structure.
- * INPUTS:
- * CERTOCSPRequest *request
- * Pointer to CERTOCSPRequest to be freed.
- * RETURN:
- * No return value; no errors.
- */
-extern void
-CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
-
-/*
- * FUNCTION: CERT_DecodeOCSPResponse
- * Decode a DER encoded OCSP Response.
- * INPUTS:
- * SECItem *src
- * Pointer to a SECItem holding DER encoded OCSP Response.
- * RETURN:
- * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
- * the caller is responsible for destroying it. Or NULL if error (either
- * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
- * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
- * or a low-level or internal error occurred).
- */
-extern CERTOCSPResponse *
-CERT_DecodeOCSPResponse(SECItem *src);
-
-/*
- * FUNCTION: CERT_DestroyOCSPResponse
- * Frees an OCSP Response structure.
- * INPUTS:
- * CERTOCSPResponse *request
- * Pointer to CERTOCSPResponse to be freed.
- * RETURN:
- * No return value; no errors.
- */
-extern void
-CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
-
-/*
- * FUNCTION: CERT_GetEncodedOCSPResponse
- * Creates and sends a request to an OCSP responder, then reads and
- * returns the (encoded) response.
- * INPUTS:
- * PRArenaPool *arena
- * Pointer to arena from which return value will be allocated.
- * If NULL, result will be allocated from the heap (and thus should
- * be freed via SECITEM_FreeItem).
- * CERTCertList *certList
- * A list of certs for which status will be requested.
- * Note that all of these certificates should have the same issuer,
- * or it's expected the response will be signed by a trusted responder.
- * If the certs need to be broken up into multiple requests, that
- * must be handled by the caller (and thus by having multiple calls
- * to this routine), who knows about where the request(s) are being
- * sent and whether there are any trusted responders in place.
- * char *location
- * The location of the OCSP responder (a URL).
- * int64 time
- * Indicates the time for which the certificate status is to be
- * determined -- this may be used in the search for the cert's issuer
- * but has no other bearing on the operation.
- * PRBool addServiceLocator
- * If true, the Service Locator extension should be added to the
- * single request(s) for each cert.
- * CERTCertificate *signerCert
- * If non-NULL, means sign the request using this cert. Otherwise,
- * do not sign.
- * void *pwArg
- * Pointer to argument for password prompting, if needed. (Definitely
- * not needed if not signing.)
- * OUTPUTS:
- * CERTOCSPRequest **pRequest
- * Pointer in which to store the OCSP request created for the given
- * list of certificates. It is only filled in if the entire operation
- * is successful and the pointer is not null -- and in that case the
- * caller is then reponsible for destroying it.
- * RETURN:
- * Returns a pointer to the SECItem holding the response.
- * On error, returns null with error set describing the reason:
- * SEC_ERROR_UNKNOWN_ISSUER
- * SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-extern SECItem *
-CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
- char *location, int64 time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest);
-
-/*
- * FUNCTION: CERT_VerifyOCSPResponseSignature
- * Check the signature on an OCSP Response. Will also perform a
- * verification of the signer's certificate. Note, however, that a
- * successful verification does not make any statement about the
- * signer's *authority* to provide status for the certificate(s),
- * that must be checked individually for each certificate.
- * INPUTS:
- * CERTOCSPResponse *response
- * Pointer to response structure with signature to be checked.
- * CERTCertDBHandle *handle
- * Pointer to CERTCertDBHandle for certificate DB to use for verification.
- * void *pwArg
- * Pointer to argument for password prompting, if needed.
- * OUTPUTS:
- * CERTCertificate **pSignerCert
- * Pointer in which to store signer's certificate; only filled-in if
- * non-null.
- * RETURN:
- * Returns SECSuccess when signature is valid, anything else means invalid.
- * Possible errors set:
- * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
- * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
- * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
- * SEC_ERROR_BAD_SIGNATURE - the signature did not verify
- * Other errors are any of the many possible failures in cert verification
- * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- * verifying the signer's cert, or low-level problems (no memory, etc.)
- */
-extern SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
- CERTCertDBHandle *handle, void *pwArg,
- CERTCertificate **pSignerCert);
-
-/*
- * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
- * Get the value of the URI of the OCSP responder for the given cert.
- * This is found in the (optional) Authority Information Access extension
- * in the cert.
- * INPUTS:
- * CERTCertificate *cert
- * The certificate being examined.
- * RETURN:
- * char *
- * A copy of the URI for the OCSP method, if found. If either the
- * extension is not present or it does not contain an entry for OCSP,
- * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
- * Any other error will also result in a NULL being returned.
- *
- * This result should be freed (via PORT_Free) when no longer in use.
- */
-extern char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
-
-/*
- * FUNCTION: CERT_CheckOCSPStatus
- * Checks the status of a certificate via OCSP. Will only check status for
- * a certificate that has an AIA (Authority Information Access) extension
- * for OCSP *or* when a "default responder" is specified and enabled.
- * (If no AIA extension for OCSP and no default responder in place, the
- * cert is considered to have a good status and SECSuccess is returned.)
- * INPUTS:
- * CERTCertDBHandle *handle
- * certificate DB of the cert that is being checked
- * CERTCertificate *cert
- * the certificate being checked
- * XXX in the long term also need a boolean parameter that specifies
- * whether to check the cert chain, as well; for now we check only
- * the leaf (the specified certificate)
- * int64 time
- * time for which status is to be determined
- * void *pwArg
- * argument for password prompting, if needed
- * RETURN:
- * Returns SECSuccess if an approved OCSP responder "knows" the cert
- * *and* returns a non-revoked status for it; SECFailure otherwise,
- * with an error set describing the reason:
- *
- * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- * SEC_ERROR_OCSP_FUTURE_RESPONSE
- * SEC_ERROR_OCSP_MALFORMED_REQUEST
- * SEC_ERROR_OCSP_MALFORMED_RESPONSE
- * SEC_ERROR_OCSP_OLD_RESPONSE
- * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
- * SEC_ERROR_OCSP_SERVER_ERROR
- * SEC_ERROR_OCSP_TRY_SERVER_LATER
- * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
- * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- * SEC_ERROR_OCSP_UNKNOWN_CERT
- * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
- * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
- *
- * SEC_ERROR_BAD_SIGNATURE
- * SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- * SEC_ERROR_INVALID_TIME
- * SEC_ERROR_REVOKED_CERTIFICATE
- * SEC_ERROR_UNKNOWN_ISSUER
- * SEC_ERROR_UNKNOWN_SIGNER
- *
- * Other errors are any of the many possible failures in cert verification
- * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- * verifying the signer's cert, or low-level problems (error allocating
- * memory, error performing ASN.1 decoding, etc.).
- */
-extern SECStatus
-CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
- int64 time, void *pwArg);
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _OCSP_H_ */
diff --git a/security/nss/lib/certhigh/ocspt.h b/security/nss/lib/certhigh/ocspt.h
deleted file mode 100644
index 3f1563855..000000000
--- a/security/nss/lib/certhigh/ocspt.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Public header for exported OCSP types.
- *
- * $Id$
- */
-
-#ifndef _OCSPT_H_
-#define _OCSPT_H_
-
-/*
- * The following are all opaque types. If someone needs to get at
- * a field within, then we need to fix the API. Try very hard not
- * make the type available to them.
- */
-typedef struct CERTOCSPRequestStr CERTOCSPRequest;
-typedef struct CERTOCSPResponseStr CERTOCSPResponse;
-
-/*
- * XXX I think only those first two above should need to be exported,
- * but until I know for certain I am leaving the rest of these here, too.
- */
-typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
-typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
-typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
-
-#endif /* _OCSPT_H_ */
diff --git a/security/nss/lib/certhigh/ocspti.h b/security/nss/lib/certhigh/ocspti.h
deleted file mode 100644
index 5f530c4bf..000000000
--- a/security/nss/lib/certhigh/ocspti.h
+++ /dev/null
@@ -1,398 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Private header defining OCSP types.
- *
- * $Id$
- */
-
-#ifndef _OCSPTI_H_
-#define _OCSPTI_H_
-
-#include "ocspt.h"
-
-#include "certt.h"
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-
-
-/*
- * Some notes about naming conventions...
- *
- * The public data types all start with "CERTOCSP" (e.g. CERTOCSPRequest).
- * (Even the public types are opaque, however. Only their names are
- * "exported".)
- *
- * Internal-only data types drop the "CERT" prefix and use only the
- * lower-case "ocsp" (e.g. ocspTBSRequest), for brevity sake.
- *
- * In either case, the base/suffix of the type name usually matches the
- * name as defined in the OCSP specification. The exceptions to this are:
- * - When there is overlap between the "OCSP" or "ocsp" prefix and
- * the name used in the standard. That is, you cannot strip off the
- * "CERTOCSP" or "ocsp" prefix and necessarily get the name of the
- * type as it is defined in the standard; the "real" name will be
- * *either* "OCSPSuffix" or just "Suffix".
- * - When the name in the standard was a little too generic. (e.g. The
- * standard defines "Request" but we call it a "SingleRequest".)
- * In this case a comment above the type definition calls attention
- * to the difference.
- *
- * The definitions laid out in this header file are intended to follow
- * the same order as the definitions in the OCSP specification itself.
- * With the OCSP standard in hand, you should be able to move through
- * this file and follow along. To future modifiers of this file: please
- * try to keep it that way. The only exceptions are the few cases where
- * we need to define a type before it is referenced (e.g. enumerations),
- * whereas in the OCSP specification these are usually defined the other
- * way around (reference before definition).
- */
-
-
-/*
- * Forward-declarations of internal-only data structures.
- *
- * These are in alphabetical order (case-insensitive); please keep it that way!
- */
-typedef struct ocspBasicOCSPResponseStr ocspBasicOCSPResponse;
-typedef struct ocspCertStatusStr ocspCertStatus;
-typedef struct ocspResponderIDStr ocspResponderID;
-typedef struct ocspResponseBytesStr ocspResponseBytes;
-typedef struct ocspResponseDataStr ocspResponseData;
-typedef struct ocspRevokedInfoStr ocspRevokedInfo;
-typedef struct ocspServiceLocatorStr ocspServiceLocator;
-typedef struct ocspSignatureStr ocspSignature;
-typedef struct ocspSingleRequestStr ocspSingleRequest;
-typedef struct ocspSingleResponseStr ocspSingleResponse;
-typedef struct ocspTBSRequestStr ocspTBSRequest;
-
-
-/*
- * An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
- */
-struct CERTOCSPRequestStr {
- PRArenaPool *arena; /* local; not part of encoding */
- ocspTBSRequest *tbsRequest;
- ocspSignature *optionalSignature;
-};
-
-/*
- * A TBSRequest; when an OCSPRequest is signed, the encoding of this
- * is what the signature is actually applied to. ("TBS" == To Be Signed)
- * Whether signed or not, however, this structure will be present, and
- * is the "meat" of the OCSPRequest.
- *
- * Note that the "requestorName" field cannot be encoded/decoded in the
- * same pass as the entire request -- it needs to be handled with a special
- * call to convert to/from our internal form of a GeneralName. Thus the
- * "derRequestorName" field, which is the actual DER-encoded bytes.
- *
- * The "extensionHandle" field is used on creation only; it holds
- * in-progress extensions as they are optionally added to the request.
- */
-struct ocspTBSRequestStr {
- SECItem version; /* an INTEGER */
- SECItem *derRequestorName; /* encoded GeneralName; see above */
- CERTGeneralNameList *requestorName; /* local; not part of encoding */
- ocspSingleRequest **requestList;
- CERTCertExtension **requestExtensions;
- void *extensionHandle; /* local; not part of encoding */
-};
-
-/*
- * This is the actual signature information for an OCSPRequest (applied to
- * the TBSRequest structure) or for a BasicOCSPResponse (applied to a
- * ResponseData structure).
- *
- * Note that the "signature" field itself is a BIT STRING; operations on
- * it need to keep that in mind, converting the length to bytes as needed
- * and back again afterward (so that the length is usually expressing bits).
- *
- * The "cert" field is the signer's certificate. In the case of a received
- * signature, it will be filled in when the signature is verified. In the
- * case of a created signature, it is filled in on creation and will be the
- * cert used to create the signature when the signing-and-encoding occurs,
- * as well as the cert (and its chain) to fill in derCerts if requested.
- *
- * The extra fields cache information about the signature after we have
- * attempted a verification. "wasChecked", if true, means the signature
- * has been checked against the appropriate data and thus that "status"
- * contains the result of that verification. If "status" is not SECSuccess,
- * "failureReason" is a copy of the error code that was set at the time;
- * presumably it tells why the signature verification failed.
- */
-struct ocspSignatureStr {
- SECAlgorithmID signatureAlgorithm;
- SECItem signature; /* a BIT STRING */
- SECItem **derCerts; /* a SEQUENCE OF Certificate */
- CERTCertificate *cert; /* local; not part of encoding */
- PRBool wasChecked; /* local; not part of encoding */
- SECStatus status; /* local; not part of encoding */
- int failureReason; /* local; not part of encoding */
-};
-
-/*
- * An OCSPRequest contains a SEQUENCE OF these, one for each certificate
- * whose status is being checked.
- *
- * Note that in the OCSP specification this is just called "Request",
- * but since that seemed confusing (vs. an OCSPRequest) and to be more
- * consistent with the parallel type "SingleResponse", I called it a
- * "SingleRequest".
- *
- * XXX figure out how to get rid of that arena -- there must be a way
- */
-struct ocspSingleRequestStr {
- PRArenaPool *arena; /* just a copy of the response arena,
- * needed here for extension handling
- * routines, on creation only */
- CERTOCSPCertID *reqCert;
- CERTCertExtension **singleRequestExtensions;
-};
-
-/*
- * A CertID is the means of identifying a certificate, used both in requests
- * and in responses.
- *
- * When in a SingleRequest it specifies the certificate to be checked.
- * When in a SingleResponse it is the cert whose status is being given.
- */
-struct CERTOCSPCertIDStr {
- SECAlgorithmID hashAlgorithm;
- SECItem issuerNameHash; /* an OCTET STRING */
- SECItem issuerKeyHash; /* an OCTET STRING */
- SECItem serialNumber; /* an INTEGER */
-};
-
-/*
- * This describes the value of the responseStatus field in an OCSPResponse.
- * The corresponding ASN.1 definition is:
- *
- * OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6), --Request unauthorized
- * }
- */
-typedef enum {
- ocspResponse_successful = 0,
- ocspResponse_malformedRequest = 1,
- ocspResponse_internalError = 2,
- ocspResponse_tryLater = 3,
- ocspResponse_unused = 4,
- ocspResponse_sigRequired = 5,
- ocspResponse_unauthorized = 6,
- ocspResponse_other /* unknown/unrecognized value */
-} ocspResponseStatus;
-
-/*
- * An OCSPResponse is what is sent (encoded) by an OCSP responder.
- *
- * The field "responseStatus" is the ASN.1 encoded value; the field
- * "statusValue" is simply that same value translated into our local
- * type ocspResponseStatus.
- */
-struct CERTOCSPResponseStr {
- PRArenaPool *arena; /* local; not part of encoding */
- SECItem responseStatus; /* an ENUMERATED, see above */
- ocspResponseStatus statusValue; /* local; not part of encoding */
- ocspResponseBytes *responseBytes; /* only when status is successful */
-};
-
-/*
- * A ResponseBytes (despite appearances) is what contains the meat
- * of a successful response -- but still in encoded form. The type
- * given as "responseType" tells you how to decode the string.
- *
- * We look at the OID and translate it into our local OID representation
- * "responseTypeTag", and use that value to tell us how to decode the
- * actual response itself. For now the only kind of OCSP response we
- * know about is a BasicOCSPResponse. However, the intention in the
- * OCSP specification is to allow for other response types, so we are
- * building in that flexibility from the start and thus put a pointer
- * to that data structure inside of a union. Whenever OCSP adds more
- * response types, just add them to the union.
- */
-struct ocspResponseBytesStr {
- SECItem responseType; /* an OBJECT IDENTIFIER */
- SECOidTag responseTypeTag; /* local; not part of encoding */
- SECItem response; /* an OCTET STRING */
- union {
- ocspBasicOCSPResponse *basic; /* when type is id-pkix-ocsp-basic */
- } decodedResponse; /* local; not part of encoding */
-};
-
-/*
- * A BasicOCSPResponse -- when the responseType in a ResponseBytes is
- * id-pkix-ocsp-basic, the "response" OCTET STRING above is the DER
- * encoding of one of these.
- *
- * Note that in the OCSP specification, the signature fields are not
- * part of a separate sub-structure. But since they are the same fields
- * as we define for the signature in a request, it made sense to share
- * the C data structure here and in some shared code to operate on them.
- */
-struct ocspBasicOCSPResponseStr {
- ocspResponseData *tbsResponseData; /* "tbs" == To Be Signed */
- ocspSignature responseSignature;
-};
-
-/*
- * A ResponseData is the part of a BasicOCSPResponse that is signed
- * (after it is DER encoded). It contains the real details of the response
- * (a per-certificate status).
- */
-struct ocspResponseDataStr {
- SECItem version; /* an INTEGER */
- SECItem derResponderID;
- ocspResponderID *responderID; /* local; not part of encoding */
- SECItem producedAt; /* a GeneralizedTime */
- CERTOCSPSingleResponse **responses;
- CERTCertExtension **responseExtensions;
-};
-
-/*
- * A ResponderID identifies the responder -- or more correctly, the
- * signer of the response. The ASN.1 definition of a ResponderID is:
- *
- * ResponderID ::= CHOICE {
- * byName [1] EXPLICIT Name,
- * byKey [2] EXPLICIT KeyHash }
- *
- * Because it is CHOICE, the type of identification used and the
- * identification itself are actually encoded together. To represent
- * this same information internally, we explicitly define a type and
- * save it, along with the value, into a data structure.
- */
-
-typedef enum {
- ocspResponderID_byName,
- ocspResponderID_byKey,
- ocspResponderID_other /* unknown kind of responderID */
-} ocspResponderIDType;
-
-struct ocspResponderIDStr {
- ocspResponderIDType responderIDType;/* local; not part of encoding */
- union {
- CERTName name; /* when ocspResponderID_byName */
- SECItem keyHash; /* when ocspResponderID_byKey */
- SECItem other; /* when ocspResponderID_other */
- } responderIDValue;
-};
-
-/*
- * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
- * SingleResponse -- one for each certificate whose status is being supplied.
- *
- * XXX figure out how to get rid of that arena -- there must be a way
- */
-struct CERTOCSPSingleResponseStr {
- PRArenaPool *arena; /* just a copy of the response arena,
- * needed here for extension handling
- * routines, on creation only */
- CERTOCSPCertID *certID;
- SECItem derCertStatus;
- ocspCertStatus *certStatus; /* local; not part of encoding */
- SECItem thisUpdate; /* a GeneralizedTime */
- SECItem *nextUpdate; /* a GeneralizedTime */
- CERTCertExtension **singleExtensions;
-};
-
-/*
- * A CertStatus is the actual per-certificate status. Its ASN.1 definition:
- *
- * CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- *
- * (where for now UnknownInfo is defined to be NULL but in the
- * future may be replaced with an enumeration).
- *
- * Because it is CHOICE, the status value and its associated information
- * (if any) are actually encoded together. To represent this same
- * information internally, we explicitly define a type and save it,
- * along with the value, into a data structure.
- */
-
-typedef enum {
- ocspCertStatus_good, /* cert is not revoked */
- ocspCertStatus_revoked, /* cert is revoked */
- ocspCertStatus_unknown, /* cert was unknown to the responder */
- ocspCertStatus_other /* status was not an expected value */
-} ocspCertStatusType;
-
-/*
- * This is the actual per-certificate status.
- *
- * The "goodInfo" and "unknownInfo" items are only place-holders for a NULL.
- * (Though someday OCSP may replace UnknownInfo with an enumeration that
- * gives more detailed information.)
- */
-struct ocspCertStatusStr {
- ocspCertStatusType certStatusType; /* local; not part of encoding */
- union {
- SECItem *goodInfo; /* when ocspCertStatus_good */
- ocspRevokedInfo *revokedInfo; /* when ocspCertStatus_revoked */
- SECItem *unknownInfo; /* when ocspCertStatus_unknown */
- SECItem *otherInfo; /* when ocspCertStatus_other */
- } certStatusInfo;
-};
-
-/*
- * A RevokedInfo gives information about a revoked certificate -- when it
- * was revoked and why.
- */
-struct ocspRevokedInfoStr {
- SECItem revocationTime; /* a GeneralizedTime */
- SECItem *revocationReason; /* a CRLReason; ignored for now */
-};
-
-/*
- * ServiceLocator can be included as one of the singleRequestExtensions.
- * When added, it specifies the (name of the) issuer of the cert being
- * checked, and optionally the value of the AuthorityInfoAccess extension
- * if the cert has one.
- */
-struct ocspServiceLocatorStr {
- CERTName *issuer;
- SECItem locator; /* DER encoded authInfoAccess extension from cert */
-};
-
-#endif /* _OCSPTI_H_ */
diff --git a/security/nss/lib/certhigh/xcrldist.c b/security/nss/lib/certhigh/xcrldist.c
deleted file mode 100644
index d560cfd23..000000000
--- a/security/nss/lib/certhigh/xcrldist.c
+++ /dev/null
@@ -1,222 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Code for dealing with x.509 v3 CRL Distribution Point extension.
- */
-#include "genname.h"
-#include "certt.h"
-#include "secerr.h"
-
-extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value);
-
-static const SEC_ASN1Template FullNameTemplate[] = {
- {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
- offsetof (CRLDistributionPoint,derFullName), CERT_GeneralNamesTemplate}
-};
-
-static const SEC_ASN1Template RelativeNameTemplate[] = {
- {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1,
- offsetof (CRLDistributionPoint,distPoint.relativeName), CERT_RDNTemplate}
-};
-
-static const SEC_ASN1Template CRLDistributionPointTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(CRLDistributionPoint,derDistPoint), SEC_AnyTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CRLDistributionPoint,bitsmap), SEC_BitStringTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_CONSTRUCTED | 2,
- offsetof(CRLDistributionPoint, derCrlIssuer), CERT_GeneralNamesTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = {
- {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate}
-};
-
-SECStatus
-CERT_EncodeCRLDistributionPoints (PRArenaPool *arena, CERTCrlDistributionPoints *value,
- SECItem *derValue)
-{
- CRLDistributionPoint **pointList, *point;
- PRArenaPool *ourPool = NULL;
- SECStatus rv = SECSuccess;
-
- PORT_Assert (derValue);
- PORT_Assert (value && value->distPoints);
-
- do {
- ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (ourPool == NULL) {
- rv = SECFailure;
- break;
- }
-
- pointList = value->distPoints;
- while (*pointList) {
- point = *pointList;
- point->derFullName = NULL;
- point->derDistPoint.data = NULL;
-
- if (point->distPointType == generalName) {
- point->derFullName = cert_EncodeGeneralNames
- (ourPool, point->distPoint.fullName);
-
- if (point->derFullName) {
- rv = (SEC_ASN1EncodeItem (ourPool, &point->derDistPoint,
- point, FullNameTemplate) == NULL) ? SECFailure : SECSuccess;
- } else {
- rv = SECFailure;
- }
- }
- else if (point->distPointType == relativeDistinguishedName) {
- if (SEC_ASN1EncodeItem
- (ourPool, &point->derDistPoint,
- point, RelativeNameTemplate) == NULL)
- rv = SECFailure;
- }
- /* distributionPointName is omitted */
- else if (point->distPointType != 0) {
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- rv = SECFailure;
- }
- if (rv != SECSuccess)
- break;
-
- if (point->reasons.data)
- PrepareBitStringForEncoding (&point->bitsmap, &point->reasons);
-
- if (point->crlIssuer) {
- point->derCrlIssuer = cert_EncodeGeneralNames
- (ourPool, point->crlIssuer);
- if (!point->crlIssuer)
- break;
- }
-
- ++pointList;
- }
- if (rv != SECSuccess)
- break;
- if (SEC_ASN1EncodeItem
- (arena, derValue, value, CERTCRLDistributionPointsTemplate) == NULL) {
- rv = SECFailure;
- break;
- }
- } while (0);
- PORT_FreeArena (ourPool, PR_FALSE);
- return (rv);
-}
-
-CERTCrlDistributionPoints *
-CERT_DecodeCRLDistributionPoints (PRArenaPool *arena, SECItem *encodedValue)
-{
- CERTCrlDistributionPoints *value = NULL;
- CRLDistributionPoint **pointList, *point;
- SECStatus rv;
-
- PORT_Assert (arena);
- do {
- value = (CERTCrlDistributionPoints*)PORT_ArenaZAlloc (arena, sizeof (*value));
- if (value == NULL) {
- rv = SECFailure;
- break;
- }
-
- rv = SEC_ASN1DecodeItem
- (arena, &value->distPoints, CERTCRLDistributionPointsTemplate,
- encodedValue);
- if (rv != SECSuccess)
- break;
-
- pointList = value->distPoints;
- while (*pointList) {
- point = *pointList;
-
- /* get the data if the distributionPointName is not omitted */
- if (point->derDistPoint.data != NULL) {
- point->distPointType = (DistributionPointTypes)
- ((point->derDistPoint.data[0] & 0x1f) +1);
- if (point->distPointType == generalName) {
- SECItem innerDER;
-
- innerDER.data = NULL;
- rv = SEC_ASN1DecodeItem
- (arena, point, FullNameTemplate, &(point->derDistPoint));
- if (rv != SECSuccess)
- break;
- point->distPoint.fullName = cert_DecodeGeneralNames
- (arena, point->derFullName);
-
- if (!point->distPoint.fullName)
- break;
- }
- else if ( relativeDistinguishedName) {
- rv = SEC_ASN1DecodeItem
- (arena, point, RelativeNameTemplate, &(point->derDistPoint));
- if (rv != SECSuccess)
- break;
- }
- else {
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- break;
- }
- }
-
- /* Get the reason code if it's not omitted in the encoding */
- if (point->bitsmap.data != NULL) {
- point->reasons.data = (unsigned char*) PORT_ArenaAlloc
- (arena, (point->bitsmap.len + 7) >> 3);
- if (!point->reasons.data) {
- rv = SECFailure;
- break;
- }
- PORT_Memcpy (point->reasons.data, point->bitsmap.data,
- point->reasons.len = ((point->bitsmap.len + 7) >> 3));
- }
-
- /* Get the crl issuer name if it's not omitted in the encoding */
- if (point->derCrlIssuer != NULL) {
- point->crlIssuer = cert_DecodeGeneralNames
- (arena, point->derCrlIssuer);
-
- if (!point->crlIssuer)
- break;
- }
- ++pointList;
- }
- } while (0);
- return (rv == SECSuccess ? value : NULL);
-}
diff --git a/security/nss/lib/ckfw/.cvsignore b/security/nss/lib/ckfw/.cvsignore
deleted file mode 100644
index 988228d5a..000000000
--- a/security/nss/lib/ckfw/.cvsignore
+++ /dev/null
@@ -1,4 +0,0 @@
-nssckepv.h
-nssckg.h
-nssckft.h
-nssck.api
diff --git a/security/nss/lib/ckfw/Makefile b/security/nss/lib/ckfw/Makefile
deleted file mode 100644
index df7317052..000000000
--- a/security/nss/lib/ckfw/Makefile
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# This'll need some help from a build person.
-
-nssckepv.h: ck.api ckapi.perl
-nssckft.h: ck.api ckapi.perl
-nssckg.h: ck.api ckapi.perl
- perl ckapi.perl < ck.api
-
diff --git a/security/nss/lib/ckfw/builtins/.cvsignore b/security/nss/lib/ckfw/builtins/.cvsignore
deleted file mode 100644
index ccbbcce86..000000000
--- a/security/nss/lib/ckfw/builtins/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-certdata.c
diff --git a/security/nss/lib/ckfw/builtins/Makefile b/security/nss/lib/ckfw/builtins/Makefile
deleted file mode 100644
index 31d5ab3fb..000000000
--- a/security/nss/lib/ckfw/builtins/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# This'll need some help from a build person.
-
-certdata.c: certdata.txt certdata.perl
- perl certdata.perl < certdata.txt
diff --git a/security/nss/lib/ckfw/builtins/anchor.c b/security/nss/lib/ckfw/builtins/anchor.c
deleted file mode 100644
index 12c77a75c..000000000
--- a/security/nss/lib/ckfw/builtins/anchor.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * builtins/anchor.c
- *
- * This file "anchors" the actual cryptoki entry points in this module's
- * shared library, which is required for dynamic loading. See the
- * comments in nssck.api for more information.
- */
-
-#include "builtins.h"
-
-#define MODULE_NAME builtins
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance
-#include "nssck.api"
diff --git a/security/nss/lib/ckfw/builtins/builtins.h b/security/nss/lib/ckfw/builtins/builtins.h
deleted file mode 100644
index b506ccdc0..000000000
--- a/security/nss/lib/ckfw/builtins/builtins.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "nssckmdt.h"
-#include "nssckfw.h"
-
-/*
- * I'm including this for access to the arena functions.
- * Looks like we should publish that API.
- */
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This is where the Netscape extensions live, at least for now.
- */
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-struct builtinsInternalObjectStr {
- CK_ULONG n;
- CK_ATTRIBUTE_TYPE *types;
- NSSItem *items;
-};
-typedef struct builtinsInternalObjectStr builtinsInternalObject;
-
-NSS_EXTERN_DATA const builtinsInternalObject nss_builtins_data[];
-NSS_EXTERN_DATA const PRUint32 nss_builtins_nObjects;
-
-NSS_EXTERN_DATA const CK_VERSION nss_builtins_CryptokiVersion;
-NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_ManufacturerID;
-NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_LibraryDescription;
-NSS_EXTERN_DATA const CK_VERSION nss_builtins_LibraryVersion;
-NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_SlotDescription;
-NSS_EXTERN_DATA const CK_VERSION nss_builtins_HardwareVersion;
-NSS_EXTERN_DATA const CK_VERSION nss_builtins_FirmwareVersion;
-NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_TokenLabel;
-NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_TokenModel;
-NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_TokenSerialNumber;
-
-NSS_EXTERN_DATA const NSSCKMDInstance nss_builtins_mdInstance;
-NSS_EXTERN_DATA const NSSCKMDSlot nss_builtins_mdSlot;
-NSS_EXTERN_DATA const NSSCKMDToken nss_builtins_mdToken;
-
-NSS_EXTERN NSSCKMDSession *
-nss_builtins_CreateSession
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nss_builtins_FindObjectsInit
-(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDObject *
-nss_builtins_CreateMDObject
-(
- NSSArena *arena,
- builtinsInternalObject *io,
- CK_RV *pError
-);
diff --git a/security/nss/lib/ckfw/builtins/certdata.perl b/security/nss/lib/ckfw/builtins/certdata.perl
deleted file mode 100644
index 5ccd2e5ad..000000000
--- a/security/nss/lib/ckfw/builtins/certdata.perl
+++ /dev/null
@@ -1,291 +0,0 @@
-#!perl -w
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-my $cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
-use strict;
-
-my %constants;
-my $count = 0;
-my $o;
-my @objects = ();
-my @objsize;
-my $cvsid;
-
-$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
-$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
-$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";
-
-while(<>) {
- my @fields = ();
- my $size;
-
- s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
- next if (/^\s*$/);
-
- if( /(^CVS_ID\s+)(.*)/ ) {
-# print "The CVS ID is $2\n";
- $cvsid = $2 . "\"; $cvs_id\"";
- my $scratch = $cvsid;
- $size = 1 + $scratch =~ s/[^"\n]//g;
- @{$objects[0][0]} = ( "CKA_CLASS", "&cko_data", "sizeof(CK_OBJECT_CLASS)" );
- @{$objects[0][1]} = ( "CKA_TOKEN", "&ck_true", "sizeof(CK_BBOOL)" );
- @{$objects[0][2]} = ( "CKA_PRIVATE", "&ck_false", "sizeof(CK_BBOOL)" );
- @{$objects[0][3]} = ( "CKA_MODIFIABLE", "&ck_false", "sizeof(CK_BBOOL)" );
- @{$objects[0][4]} = ( "CKA_LABEL", "\"CVS ID\"", "7" );
- @{$objects[0][5]} = ( "CKA_APPLICATION", "\"NSS\"", "4" );
- @{$objects[0][6]} = ( "CKA_VALUE", $cvsid, "$size" );
- $objsize[0] = 7;
- next;
- }
-
- # This was taken from the perl faq #4.
- my $text = $_;
- push(@fields, $+) while $text =~ m{
- "([^\"\\]*(?:\\.[^\"\\]*)*)"\s? # groups the phrase inside the quotes
- | ([^\s]+)\s?
- | \s
- }gx;
- push(@fields, undef) if substr($text,-1,1) eq '\s';
-
- if( $fields[0] =~ /BEGINDATA/ ) {
- next;
- }
-
- if( $fields[1] =~ /MULTILINE/ ) {
- $fields[2] = "";
- while(<>) {
- last if /END/;
- chomp;
- $fields[2] .= "\"$_\"\n";
- }
- }
-
- if( $fields[1] =~ /UTF8/ ) {
- if( $fields[2] =~ /^"/ ) {
- ;
- } else {
- $fields[2] = "\"" . $fields[2] . "\"";
- }
-
- my $scratch = $fields[2];
- $size = $scratch =~ s/[^"\n]//g; # should supposedly handle multilines, too..
- $size += 1; # null terminate
- }
-
- if( $fields[1] =~ /OCTAL/ ) {
- if( $fields[2] =~ /^"/ ) {
- ;
- } else {
- $fields[2] = "\"" . $fields[2] . "\"";
- }
-
- my $scratch = $fields[2];
- $size = $scratch =~ tr/\\//;
- # no null termination
- }
-
- if( $fields[1] =~ /^CK_/ ) {
- my $lcv = $fields[2];
- $lcv =~ tr/A-Z/a-z/;
- if( !defined($constants{$fields[2]}) ) {
- $constants{$fields[2]} = "static const $fields[1] $lcv = $fields[2];\n";
- }
-
- $size = "sizeof($fields[1])";
- $fields[2] = "&$lcv";
- }
-
- if( $fields[0] =~ /CKA_CLASS/ ) {
- $count++;
- $objsize[$count] = 0;
- }
-
- @{$objects[$count][$objsize[$count]++]} = ( "$fields[0]", $fields[2], "$size" );
-
-# print "$fields[0] | $fields[1] | $size | $fields[2]\n";
-}
-
-doprint();
-
-sub dudump {
-my $i;
-#for( $i = 0; $i <= $count; $i++ ) {
-# print "\n";
-# $o = $objects[$i];
-# my @ob = @{$o};
-# my $l;
-# my $j;
-# for( $j = 0; $j < @ob; $j++ ) {
-# $l = $ob[$j];
-# my @a = @{$l};
-# print "$a[0] ! $a[1] ! $a[2]\n";
-# }
-#}
-
-}
-
-sub doprint {
-my $i;
-
-open(CFILE, ">certdata.c") || die "Can't open certdata.c: $!";
-
-print CFILE <<EOD
-/* THIS IS A GENERATED FILE */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifdef DEBUG
-static const char CVS_ID[] = $cvsid;
-#endif /* DEBUG */
-
-#ifndef BUILTINS_H
-#include "builtins.h"
-#endif /* BUILTINS_H */
-
-EOD
- ;
-
-while(($a,$b) = each(%constants)) {
- print CFILE $b;
-}
-
-for( $i = 0; $i <= $count; $i++ ) {
- if( 0 == $i ) {
- print CFILE "#ifdef DEBUG\n";
- }
-
- print CFILE "static const CK_ATTRIBUTE_TYPE nss_builtins_types_$i [] = {\n";
- $o = $objects[$i];
- my @ob = @{$o};
- my $j;
- for( $j = 0; $j < @ob; $j++ ) {
- my $l = $ob[$j];
- my @a = @{$l};
- print CFILE " $a[0]";
- if( $j+1 != @ob ) {
- print CFILE ", ";
- }
- }
- print CFILE "\n};\n";
-
- if( 0 == $i ) {
- print CFILE "#endif /* DEBUG */\n";
- }
-}
-
-for( $i = 0; $i <= $count; $i++ ) {
- if( 0 == $i ) {
- print CFILE "#ifdef DEBUG\n";
- }
-
- print CFILE "static const NSSItem nss_builtins_items_$i [] = {\n";
- $o = $objects[$i];
- my @ob = @{$o};
- my $j;
- for( $j = 0; $j < @ob; $j++ ) {
- my $l = $ob[$j];
- my @a = @{$l};
- print CFILE " { (void *)$a[1], (PRUint32)$a[2] }";
- if( $j+1 != @ob ) {
- print CFILE ",\n";
- } else {
- print CFILE "\n";
- }
- }
- print CFILE "};\n";
-
- if( 0 == $i ) {
- print CFILE "#endif /* DEBUG */\n";
- }
-}
-
-print CFILE "\nPR_IMPLEMENT_DATA(const builtinsInternalObject)\n";
-print CFILE "nss_builtins_data[] = {\n";
-
-for( $i = 0; $i <= $count; $i++ ) {
-
- if( 0 == $i ) {
- print CFILE "#ifdef DEBUG\n";
- }
-
- print CFILE " { $objsize[$i], nss_builtins_types_$i, nss_builtins_items_$i }";
-
- if( $i == $count ) {
- print CFILE "\n";
- } else {
- print CFILE ",\n";
- }
-
- if( 0 == $i ) {
- print CFILE "#endif /* DEBUG */\n";
- }
-}
-
-print CFILE "};\n";
-
-print CFILE "PR_IMPLEMENT_DATA(const PRUint32)\n";
-print CFILE "#ifdef DEBUG\n";
-print CFILE " nss_builtins_nObjects = $count+1;\n";
-print CFILE "#else\n";
-print CFILE " nss_builtins_nObjects = $count;\n";
-print CFILE "#endif /* DEBUG */\n";
-}
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
deleted file mode 100644
index 355993a29..000000000
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ /dev/null
@@ -1,143 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-#
-# certdata.txt
-#
-# This file contains the object definitions for the certs and other
-# information "built into" NSS.
-#
-# Object definitions:
-#
-# Certificates
-#
-# -- Attribute -- -- type -- -- value --
-# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-# CKA_TOKEN CK_BBOOL CK_TRUE
-# CKA_PRIVATE CK_BBOOL CK_FALSE
-# CKA_MODIFIABLE CK_BBOOL CK_FALSE
-# CKA_LABEL UTF8 (varies)
-# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-# CKA_SUBJECT DER+base64 (varies)
-# CKA_ID byte array (varies)
-# CKA_ISSUER DER+base64 (varies)
-# CKA_SERIAL_NUMBER DER+base64 (varies)
-# CKA_VALUE DER+base64 (varies)
-# CKA_NETSCAPE_EMAIL ASCII7 (unused here)
-#
-# Trust
-#
-# -- Attribute -- -- type -- -- value --
-# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST
-# CKA_TOKEN CK_BBOOL CK_TRUE
-# CKA_PRIVATE CK_BBOOL CK_FALSE
-# CKA_MODIFIABLE CK_BBOOL CK_FALSE
-# CKA_LABEL UTF8 (varies)
-# CKA_ISSUER DER+base64 (varies)
-# CKA_SERIAL_NUMBER DER+base64 (varies)
-# CKA_CERT_HASH binary+base64 (varies)
-# CKA_EXPIRES CK_DATE (not used here)
-# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies)
-# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies)
-# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies)
-# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies)
-# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies)
-# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies)
-# CKA_TRUST_CRL_SIGN CK_TRUST (varies)
-# CKA_TRUST_SERVER_AUTH CK_TRUST (varies)
-# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies)
-# CKA_TRUST_CODE_SIGNING CK_TRUST (varies)
-# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies)
-# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies)
-# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies)
-# CKA_TRUST_IPSEC_USER CK_TRUST (varies)
-# CKA_TRUST_TIME_STAMPING CK_TRUST (varies)
-# (other trust attributes can be defined)
-#
-
-BEGINDATA
-
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Test certificate #3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\103\101\061\023\060
-\021\006\012\011\222\046\211\223\362\054\144\001\001\023\003\155
-\142\146\061\034\060\032\006\003\125\004\013\023\023\111\156\144
-\165\163\164\162\151\141\154\040\114\151\147\150\164\151\156\147
-\061\033\060\031\006\003\125\004\012\023\022\115\157\156\153\145
-\171\142\165\164\164\145\162\040\106\141\162\155\163\061\037\060
-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\152\157
-\145\100\156\145\164\163\143\141\160\145\056\156\145\164\061\026
-\060\024\006\003\125\004\003\023\015\144\165\155\160\143\145\162
-\164\040\164\145\163\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\064\061\030\060\026\006\003\125\004\012\023\017\103\145\162
-\164\055\117\055\115\141\164\151\143\040\111\111\061\030\060\026
-\006\003\125\004\003\023\017\103\145\162\164\055\117\055\115\141
-\164\151\143\040\111\111
-END
-CKA_SERIAL_NUMBER OCTAL \001\276
-CKA_VALUE MULTILINE_OCTAL
-\0
-END
-
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Test certificate #3"
-CKA_ISSUER MULTILINE_OCTAL
-\060\064\061\030\060\026\006\003\125\004\012\023\017\103\145\162
-\164\055\117\055\115\141\164\151\143\040\111\111\061\030\060\026
-\006\003\125\004\003\023\017\103\145\162\164\055\117\055\115\141
-\164\151\143\040\111\111
-END
-CKA_SERIAL_NUMBER OCTAL \001\276
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED
-CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED
-CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
diff --git a/security/nss/lib/ckfw/builtins/config.mk b/security/nss/lib/ckfw/builtins/config.mk
deleted file mode 100644
index 80b3135f4..000000000
--- a/security/nss/lib/ckfw/builtins/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/ckfw/builtins/constants.c b/security/nss/lib/ckfw/builtins/constants.c
deleted file mode 100644
index 1173c75b0..000000000
--- a/security/nss/lib/ckfw/builtins/constants.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * builtins/constants.c
- *
- * Identification and other constants, all collected here in one place.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_CryptokiVersion = { 2, 1 };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_ManufacturerID = "Netscape Communications Corp.";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_LibraryDescription = "NSS Builtin Object Cryptoki Module";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_LibraryVersion = { 1, 0 };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_SlotDescription = "";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_HardwareVersion = { 1, 0 };
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_FirmwareVersion = { 1, 0 };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_TokenLabel = "Builtin Object Token";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_TokenModel = "1";
-
-/* should this be e.g. the certdata.txt RCS revision number? */
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_TokenSerialNumber = "1";
-
diff --git a/security/nss/lib/ckfw/builtins/find.c b/security/nss/lib/ckfw/builtins/find.c
deleted file mode 100644
index 774f0abde..000000000
--- a/security/nss/lib/ckfw/builtins/find.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef BUILTINS_H
-#include "builtins.h"
-#endif /* BUILTINS_H */
-
-/*
- * builtins/find.c
- *
- * This file implements the NSSCKMDFindObjects object for the
- * "builtin objects" cryptoki module.
- */
-
-struct builtinsFOStr {
- NSSArena *arena;
- CK_ULONG n;
- CK_ULONG i;
- builtinsInternalObject **objs;
-};
-
-static void
-builtins_mdFindObjects_Final
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
-
- nss_ZFreeIf(fo->objs);
- nss_ZFreeIf(fo);
-
- return;
-}
-
-static NSSCKMDObject *
-builtins_mdFindObjects_Next
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
- builtinsInternalObject *io;
-
- if( fo->i == fo->n ) {
- *pError = CKR_OK;
- return (NSSCKMDObject *)NULL;
- }
-
- io = fo->objs[ fo->i ];
- fo->i++;
-
- return nss_builtins_CreateMDObject(arena, io, pError);
-}
-
-static CK_BBOOL
-builtins_attrmatch
-(
- CK_ATTRIBUTE_PTR a,
- NSSItem *b
-)
-{
- PRBool prb;
-
- if( a->ulValueLen != b->size ) {
- return CK_FALSE;
- }
-
- prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
-
- if( PR_TRUE == prb ) {
- return CK_TRUE;
- } else {
- return CK_FALSE;
- }
-}
-
-
-static CK_BBOOL
-builtins_match
-(
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- builtinsInternalObject *o
-)
-{
- CK_ULONG i;
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- CK_ULONG j;
-
- for( j = 0; j < o->n; j++ ) {
- if( o->types[j] == pTemplate[i].type ) {
- if( CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j]) ) {
- return CK_FALSE;
- } else {
- break;
- }
- }
- }
-
- if( j == o->n ) {
- /* Loop ran to the end: no matching attribute */
- return CK_FALSE;
- }
- }
-
- /* Every attribute passed */
- return CK_TRUE;
-}
-
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nss_builtins_FindObjectsInit
-(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- /* This could be made more efficient. I'm rather rushed. */
- NSSArena *arena;
- NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
- struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL;
- builtinsInternalObject **temp = (builtinsInternalObject **)NULL;
- PRUint32 i;
-
- arena = NSSCKFWSession_GetArena(fwSession, pError);
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
-
- rv = nss_ZNEW(arena, NSSCKMDFindObjects);
- if( (NSSCKMDFindObjects *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fo = nss_ZNEW(arena, struct builtinsFOStr);
- if( (struct builtinsFOStr *)NULL == fo ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fo->arena = arena;
- /* fo->n and fo->i are already zero */
-
- rv->etc = (void *)fo;
- rv->Final = builtins_mdFindObjects_Final;
- rv->Next = builtins_mdFindObjects_Next;
- rv->null = (void *)NULL;
-
- temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *,
- nss_builtins_nObjects);
- if( (builtinsInternalObject **)NULL == temp ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- for( i = 0; i < nss_builtins_nObjects; i++ ) {
- builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i];
-
- if( CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o) ) {
- temp[ fo->n ] = o;
- fo->n++;
- }
- }
-
- fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n);
- if( (builtinsInternalObject **)NULL == temp ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n);
- nss_ZFreeIf(temp);
- temp = (builtinsInternalObject **)NULL;
-
- return rv;
-
- loser:
- nss_ZFreeIf(temp);
- nss_ZFreeIf(fo);
- nss_ZFreeIf(rv);
- return (NSSCKMDFindObjects *)NULL;
-}
-
diff --git a/security/nss/lib/ckfw/builtins/instance.c b/security/nss/lib/ckfw/builtins/instance.c
deleted file mode 100644
index e97c0d4bf..000000000
--- a/security/nss/lib/ckfw/builtins/instance.c
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/instance.c
- *
- * This file implements the NSSCKMDInstance object for the
- * "builtin objects" cryptoki module.
- */
-
-/*
- * NSSCKMDInstance methods
- */
-
-static CK_ULONG
-builtins_mdInstance_GetNSlots
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (CK_ULONG)1;
-}
-
-static CK_VERSION
-builtins_mdInstance_GetCryptokiVersion
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return nss_builtins_CryptokiVersion;
-}
-
-static NSSUTF8 *
-builtins_mdInstance_GetManufacturerID
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_ManufacturerID;
-}
-
-static NSSUTF8 *
-builtins_mdInstance_GetLibraryDescription
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_LibraryDescription;
-}
-
-static CK_VERSION
-builtins_mdInstance_GetLibraryVersion
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return nss_builtins_LibraryVersion;
-}
-
-static CK_RV
-builtins_mdInstance_GetSlots
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDSlot *slots[]
-)
-{
- slots[0] = (NSSCKMDSlot *)&nss_builtins_mdSlot;
- return CKR_OK;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDInstance
-nss_builtins_mdInstance = {
- (void *)NULL, /* etc */
- NULL, /* Initialize */
- NULL, /* Finalize */
- builtins_mdInstance_GetNSlots,
- builtins_mdInstance_GetCryptokiVersion,
- builtins_mdInstance_GetManufacturerID,
- builtins_mdInstance_GetLibraryDescription,
- builtins_mdInstance_GetLibraryVersion,
- NULL, /* ModuleHandlesSessionObjects -- defaults to false */
- builtins_mdInstance_GetSlots,
- NULL, /* WaitForSlotEvent */
- (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/builtins/manifest.mn b/security/nss/lib/ckfw/builtins/manifest.mn
deleted file mode 100644
index 9b134b01f..000000000
--- a/security/nss/lib/ckfw/builtins/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-CORE_DEPTH = ../../../..
-
-MODULE = security
-
-CSRCS = \
- anchor.c \
- constants.c \
- find.c \
- instance.c \
- object.c \
- session.c \
- slot.c \
- token.c \
- certdata.c \
- $(NULL)
-
-REQUIRES = security nspr
-
-LIBRARY_NAME = nssckbi
-
-EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lnspr4 -lplc4 -lplds4 \ No newline at end of file
diff --git a/security/nss/lib/ckfw/builtins/object.c b/security/nss/lib/ckfw/builtins/object.c
deleted file mode 100644
index 18cefda8a..000000000
--- a/security/nss/lib/ckfw/builtins/object.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/object.c
- *
- * This file implements the NSSCKMDObject object for the
- * "builtin objects" cryptoki module.
- */
-
-/*
- * Finalize - unneeded
- * Destroy - CKR_SESSION_READ_ONLY
- * IsTokenObject - CK_TRUE
- * GetAttributeCount
- * GetAttributeTypes
- * GetAttributeSize
- * GetAttribute
- * SetAttribute - unneeded
- * GetObjectSize
- */
-
-static CK_RV
-builtins_mdObject_Destroy
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return CKR_SESSION_READ_ONLY;
-}
-
-static CK_BBOOL
-builtins_mdObject_IsTokenObject
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return CK_TRUE;
-}
-
-static CK_ULONG
-builtins_mdObject_GetAttributeCount
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
- return io->n;
-}
-
-static CK_RV
-builtins_mdObject_GetAttributeTypes
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-)
-{
- builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
- CK_ULONG i;
-
- if( io->n != ulCount ) {
- return CKR_BUFFER_TOO_SMALL;
- }
-
- for( i = 0; i < io->n; i++ ) {
- typeArray[i] = io->types[i];
- }
-
- return CKR_OK;
-}
-
-static CK_ULONG
-builtins_mdObject_GetAttributeSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
- CK_ULONG i;
-
- for( i = 0; i < io->n; i++ ) {
- if( attribute == io->types[i] ) {
- return (CK_ULONG)(io->items[i].size);
- }
- }
-
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- return 0;
-}
-
-static NSSItem *
-builtins_mdObject_GetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
- CK_ULONG i;
-
- for( i = 0; i < io->n; i++ ) {
- if( attribute == io->types[i] ) {
- return &io->items[i];
- }
- }
-
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- return (NSSItem *)NULL;
-}
-
-static CK_ULONG
-builtins_mdObject_GetObjectSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
- CK_ULONG i;
- CK_ULONG rv = sizeof(CK_ULONG);
-
- for( i = 0; i < io->n; i++ ) {
- rv += sizeof(CK_ATTRIBUTE_TYPE) + sizeof(NSSItem) + io->items[i].size;
- }
-
- return rv;
-}
-
-static NSSCKMDObject
-builtins_prototype_mdObject = {
- (void *)NULL, /* etc */
- NULL, /* Finalize */
- builtins_mdObject_Destroy,
- builtins_mdObject_IsTokenObject,
- builtins_mdObject_GetAttributeCount,
- builtins_mdObject_GetAttributeTypes,
- builtins_mdObject_GetAttributeSize,
- builtins_mdObject_GetAttribute,
- NULL, /* SetAttribute */
- builtins_mdObject_GetObjectSize,
- (void *)NULL /* null terminator */
-};
-
-NSS_IMPLEMENT NSSCKMDObject *
-nss_builtins_CreateMDObject
-(
- NSSArena *arena,
- builtinsInternalObject *io,
- CK_RV *pError
-)
-{
- NSSCKMDObject *rv;
-
- rv = nss_ZNEW(arena, NSSCKMDObject);
- if( (NSSCKMDObject *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
-
- *rv = builtins_prototype_mdObject;
- rv->etc = (void *)io;
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/builtins/session.c b/security/nss/lib/ckfw/builtins/session.c
deleted file mode 100644
index e8d7f7522..000000000
--- a/security/nss/lib/ckfw/builtins/session.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/session.c
- *
- * This file implements the NSSCKMDSession object for the
- * "builtin objects" cryptoki module.
- */
-
-static NSSCKMDFindObjects *
-builtins_mdSession_FindObjectsInit
-(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- return nss_builtins_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
-}
-
-NSS_IMPLEMENT NSSCKMDSession *
-nss_builtins_CreateSession
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-)
-{
- NSSArena *arena;
- NSSCKMDSession *rv;
-
- arena = NSSCKFWSession_GetArena(fwSession, pError);
- if( (NSSArena *)NULL == arena ) {
- return (NSSCKMDSession *)NULL;
- }
-
- rv = nss_ZNEW(arena, NSSCKMDSession);
- if( (NSSCKMDSession *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDSession *)NULL;
- }
-
- /*
- * rv was zeroed when allocated, so we only
- * need to set the non-zero members.
- */
-
- rv->etc = (void *)fwSession;
- /* rv->Close */
- /* rv->GetDeviceError */
- /* rv->Login */
- /* rv->Logout */
- /* rv->InitPIN */
- /* rv->SetPIN */
- /* rv->GetOperationStateLen */
- /* rv->GetOperationState */
- /* rv->SetOperationState */
- /* rv->CreateObject */
- /* rv->CopyObject */
- rv->FindObjectsInit = builtins_mdSession_FindObjectsInit;
- /* rv->SeedRandom */
- /* rv->GetRandom */
- /* rv->null */
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/builtins/slot.c b/security/nss/lib/ckfw/builtins/slot.c
deleted file mode 100644
index 1a2df9e70..000000000
--- a/security/nss/lib/ckfw/builtins/slot.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/slot.c
- *
- * This file implements the NSSCKMDSlot object for the
- * "builtin objects" cryptoki module.
- */
-
-static NSSUTF8 *
-builtins_mdSlot_GetSlotDescription
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_SlotDescription;
-}
-
-static NSSUTF8 *
-builtins_mdSlot_GetManufacturerID
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_ManufacturerID;
-}
-
-static CK_VERSION
-builtins_mdSlot_GetHardwareVersion
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return nss_builtins_HardwareVersion;
-}
-
-static CK_VERSION
-builtins_mdSlot_GetFirmwareVersion
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return nss_builtins_FirmwareVersion;
-}
-
-static NSSCKMDToken *
-builtins_mdSlot_GetToken
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSCKMDToken *)&nss_builtins_mdToken;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDSlot
-nss_builtins_mdSlot = {
- (void *)NULL, /* etc */
- NULL, /* Initialize */
- NULL, /* Destroy */
- builtins_mdSlot_GetSlotDescription,
- builtins_mdSlot_GetManufacturerID,
- NULL, /* GetTokenPresent -- defaults to true */
- NULL, /* GetRemovableDevice -- defaults to false */
- NULL, /* GetHardwareSlot -- defaults to false */
- builtins_mdSlot_GetHardwareVersion,
- builtins_mdSlot_GetFirmwareVersion,
- builtins_mdSlot_GetToken,
- (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/builtins/token.c b/security/nss/lib/ckfw/builtins/token.c
deleted file mode 100644
index ddf068e8e..000000000
--- a/security/nss/lib/ckfw/builtins/token.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/token.c
- *
- * This file implements the NSSCKMDToken object for the
- * "builtin objects" cryptoki module.
- */
-
-static NSSUTF8 *
-builtins_mdToken_GetLabel
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_TokenLabel;
-}
-
-static NSSUTF8 *
-builtins_mdToken_GetManufacturerID
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_ManufacturerID;
-}
-
-static NSSUTF8 *
-builtins_mdToken_GetModel
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_TokenModel;
-}
-
-static NSSUTF8 *
-builtins_mdToken_GetSerialNumber
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return (NSSUTF8 *)nss_builtins_TokenSerialNumber;
-}
-
-static CK_BBOOL
-builtins_mdToken_GetIsWriteProtected
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return CK_TRUE;
-}
-
-static CK_VERSION
-builtins_mdToken_GetHardwareVersion
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return nss_builtins_HardwareVersion;
-}
-
-static CK_VERSION
-builtins_mdToken_GetFirmwareVersion
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return nss_builtins_FirmwareVersion;
-}
-
-static NSSCKMDSession *
-builtins_mdToken_OpenSession
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession,
- CK_BBOOL rw,
- CK_RV *pError
-)
-{
- return nss_builtins_CreateSession(fwSession, pError);
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDToken
-nss_builtins_mdToken = {
- (void *)NULL, /* etc */
- NULL, /* Setup */
- NULL, /* Invalidate */
- NULL, /* InitToken -- default errs */
- builtins_mdToken_GetLabel,
- builtins_mdToken_GetManufacturerID,
- builtins_mdToken_GetModel,
- builtins_mdToken_GetSerialNumber,
- NULL, /* GetHasRNG -- default is false */
- builtins_mdToken_GetIsWriteProtected,
- NULL, /* GetLoginRequired -- default is false */
- NULL, /* GetUserPinInitialized -- default is false */
- NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
- NULL, /* GetHasClockOnToken -- default is false */
- NULL, /* GetHasProtectedAuthenticationPath -- default is false */
- NULL, /* GetSupportsDualCryptoOperations -- default is false */
- NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetMaxPinLen -- irrelevant */
- NULL, /* GetMinPinLen -- irrelevant */
- NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
- builtins_mdToken_GetHardwareVersion,
- builtins_mdToken_GetFirmwareVersion,
- NULL, /* GetUTCTime -- no clock */
- builtins_mdToken_OpenSession,
- NULL, /* GetMechanismCount -- default is zero */
- NULL, /* GetMechanismTypes -- irrelevant */
- NULL, /* GetMechanism -- irrelevant */
- (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/ck.api b/security/nss/lib/ckfw/ck.api
deleted file mode 100644
index 6bae20fd3..000000000
--- a/security/nss/lib/ckfw/ck.api
+++ /dev/null
@@ -1,571 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-# This file is in part derived from a file "pkcs11f.h" made available
-# by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11f.h
-
-CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-# Fields
-# FUNCTION introduces a Cryptoki function
-# CK_type specifies and introduces an argument
-#
-
-# General-purpose
-
-# C_Initialize initializes the Cryptoki library.
-FUNCTION C_Initialize
-CK_VOID_PTR pInitArgs # if this is not NULL_PTR, it gets
- # cast to CK_C_INITIALIZE_ARGS_PTR
- # and dereferenced
-
-# C_Finalize indicates that an application is done with the
-# Cryptoki library.
-FUNCTION C_Finalize
-CK_VOID_PTR pReserved # reserved. Should be NULL_PTR
-
-# C_GetInfo returns general information about Cryptoki.
-FUNCTION C_GetInfo
-CK_INFO_PTR pInfo # location that receives information
-
-# C_GetFunctionList returns the function list.
-FUNCTION C_GetFunctionList
-CK_FUNCTION_LIST_PTR_PTR ppFunctionList # receives pointer to function
- # list
-
-
-# Slot and token management
-
-# C_GetSlotList obtains a list of slots in the system.
-FUNCTION C_GetSlotList
-CK_BBOOL tokenPresent # only slots with tokens?
-CK_SLOT_ID_PTR pSlotList # receives array of slot IDs
-CK_ULONG_PTR pulCount # receives number of slots
-
-# C_GetSlotInfo obtains information about a particular slot in the
-# system.
-FUNCTION C_GetSlotInfo
-CK_SLOT_ID slotID # the ID of the slot
-CK_SLOT_INFO_PTR pInfo # receives the slot information
-
-# C_GetTokenInfo obtains information about a particular token in the
-# system.
-FUNCTION C_GetTokenInfo
-CK_SLOT_ID slotID # ID of the token's slot
-CK_TOKEN_INFO_PTR pInfo # receives the token information
-
-# C_GetMechanismList obtains a list of mechanism types supported by a
-# token.
-FUNCTION C_GetMechanismList
-CK_SLOT_ID slotID # ID of token's slot
-CK_MECHANISM_TYPE_PTR pMechanismList # gets mech. array
-CK_ULONG_PTR pulCount # gets # of mechs.
-
-# C_GetMechanismInfo obtains information about a particular mechanism
-# possibly supported by a token.
-FUNCTION C_GetMechanismInfo
-CK_SLOT_ID slotID # ID of the token's slot
-CK_MECHANISM_TYPE type # type of mechanism
-CK_MECHANISM_INFO_PTR pInfo # receives mechanism info
-
-# C_InitToken initializes a token.
-FUNCTION C_InitToken
-CK_SLOT_ID slotID # ID of the token's slot
-CK_CHAR_PTR pPin # the SO's initial PIN
-CK_ULONG ulPinLen # length in bytes of the PIN
-CK_CHAR_PTR pLabel # 32-byte token label (blank padded)
-
-# C_InitPIN initializes the normal user's PIN.
-FUNCTION C_InitPIN
-CK_SESSION_HANDLE hSession # the session's handle
-CK_CHAR_PTR pPin # the normal user's PIN
-CK_ULONG ulPinLen # length in bytes of the PIN
-
-# C_SetPIN modifies the PIN of the user who is logged in.
-FUNCTION C_SetPIN
-CK_SESSION_HANDLE hSession # the session's handle
-CK_CHAR_PTR pOldPin # the old PIN
-CK_ULONG ulOldLen # length of the old PIN
-CK_CHAR_PTR pNewPin # the new PIN
-CK_ULONG ulNewLen # length of the new PIN
-
-
-# Session management
-
-# C_OpenSession opens a session between an application and a token.
-FUNCTION C_OpenSession
-CK_SLOT_ID slotID # the slot's ID
-CK_FLAGS flags # from CK_SESSION_INFO
-CK_VOID_PTR pApplication # passed to callback
-CK_NOTIFY Notify # callback function
-CK_SESSION_HANDLE_PTR phSession # gets session handle
-
-# C_CloseSession closes a session between an application and a token.
-FUNCTION C_CloseSession
-CK_SESSION_HANDLE hSession # the session's handle
-
-# C_CloseAllSessions closes all sessions with a token.
-FUNCTION C_CloseAllSessions
-CK_SLOT_ID slotID # the token's slot
-
-# C_GetSessionInfo obtains information about the session.
-FUNCTION C_GetSessionInfo
-CK_SESSION_HANDLE hSession # the session's handle
-CK_SESSION_INFO_PTR pInfo # receives session info
-
-# C_GetOperationState obtains the state of the cryptographic
-# operation in a session.
-FUNCTION C_GetOperationState
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pOperationState # gets state
-CK_ULONG_PTR pulOperationStateLen # gets state length
-
-# C_SetOperationState restores the state of the cryptographic
-# operation in a session.
-FUNCTION C_SetOperationState
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pOperationState # holds state
-CK_ULONG ulOperationStateLen # holds state length
-CK_OBJECT_HANDLE hEncryptionKey # en/decryption key
-CK_OBJECT_HANDLE hAuthenticationKey # sign/verify key
-
-# C_Login logs a user into a token.
-FUNCTION C_Login
-CK_SESSION_HANDLE hSession # the session's handle
-CK_USER_TYPE userType # the user type
-CK_CHAR_PTR pPin # the user's PIN
-CK_ULONG ulPinLen # the length of the PIN
-
-# C_Logout logs a user out from a token.
-FUNCTION C_Logout
-CK_SESSION_HANDLE hSession # the session's handle
-
-
-# Object management
-
-# C_CreateObject creates a new object.
-FUNCTION C_CreateObject
-CK_SESSION_HANDLE hSession # the session's handle
-CK_ATTRIBUTE_PTR pTemplate # the object's template
-CK_ULONG ulCount # attributes in template
-CK_OBJECT_HANDLE_PTR phObject # gets new object's handle.
-
-# C_CopyObject copies an object, creating a new object for the copy.
-FUNCTION C_CopyObject
-CK_SESSION_HANDLE hSession # the session's handle
-CK_OBJECT_HANDLE hObject # the object's handle
-CK_ATTRIBUTE_PTR pTemplate # template for new object
-CK_ULONG ulCount # attributes in template
-CK_OBJECT_HANDLE_PTR phNewObject # receives handle of copy
-
-# C_DestroyObject destroys an object.
-FUNCTION C_DestroyObject
-CK_SESSION_HANDLE hSession # the session's handle
-CK_OBJECT_HANDLE hObject # the object's handle
-
-# C_GetObjectSize gets the size of an object in bytes.
-FUNCTION C_GetObjectSize
-CK_SESSION_HANDLE hSession # the session's handle
-CK_OBJECT_HANDLE hObject # the object's handle
-CK_ULONG_PTR pulSize # receives size of object
-
-# C_GetAttributeValue obtains the value of one or more object
-# attributes.
-FUNCTION C_GetAttributeValue
-CK_SESSION_HANDLE hSession # the session's handle
-CK_OBJECT_HANDLE hObject # the object's handle
-CK_ATTRIBUTE_PTR pTemplate # specifies attrs; gets vals
-CK_ULONG ulCount # attributes in template
-
-# C_SetAttributeValue modifies the value of one or more object
-# attributes
-FUNCTION C_SetAttributeValue
-CK_SESSION_HANDLE hSession # the session's handle
-CK_OBJECT_HANDLE hObject # the object's handle
-CK_ATTRIBUTE_PTR pTemplate # specifies attrs and values
-CK_ULONG ulCount # attributes in template
-
-# C_FindObjectsInit initializes a search for token and session
-# objects that match a template.
-FUNCTION C_FindObjectsInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_ATTRIBUTE_PTR pTemplate # attribute values to match
-CK_ULONG ulCount # attrs in search template
-
-# C_FindObjects continues a search for token and session objects that
-# match a template, obtaining additional object handles.
-FUNCTION C_FindObjects
-CK_SESSION_HANDLE hSession # session's handle
-CK_OBJECT_HANDLE_PTR phObject # gets obj. handles
-CK_ULONG ulMaxObjectCount # max handles to get
-CK_ULONG_PTR pulObjectCount # actual # returned
-
-# C_FindObjectsFinal finishes a search for token and session objects.
-FUNCTION C_FindObjectsFinal
-CK_SESSION_HANDLE hSession # the session's handle
-
-
-# Encryption and decryption
-
-# C_EncryptInit initializes an encryption operation.
-FUNCTION C_EncryptInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the encryption mechanism
-CK_OBJECT_HANDLE hKey # handle of encryption key
-
-# C_Encrypt encrypts single-part data.
-FUNCTION C_Encrypt
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pData # the plaintext data
-CK_ULONG ulDataLen # bytes of plaintext
-CK_BYTE_PTR pEncryptedData # gets ciphertext
-CK_ULONG_PTR pulEncryptedDataLen # gets c-text size
-
-# C_EncryptUpdate continues a multiple-part encryption operation.
-FUNCTION C_EncryptUpdate
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pPart # the plaintext data
-CK_ULONG ulPartLen # plaintext data len
-CK_BYTE_PTR pEncryptedPart # gets ciphertext
-CK_ULONG_PTR pulEncryptedPartLen # gets c-text size
-
-# C_EncryptFinal finishes a multiple-part encryption operation.
-FUNCTION C_EncryptFinal
-CK_SESSION_HANDLE hSession # session handle
-CK_BYTE_PTR pLastEncryptedPart # last c-text
-CK_ULONG_PTR pulLastEncryptedPartLen # gets last size
-
-# C_DecryptInit initializes a decryption operation.
-FUNCTION C_DecryptInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the decryption mechanism
-CK_OBJECT_HANDLE hKey # handle of decryption key
-
-# C_Decrypt decrypts encrypted data in a single part.
-FUNCTION C_Decrypt
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pEncryptedData # ciphertext
-CK_ULONG ulEncryptedDataLen # ciphertext length
-CK_BYTE_PTR pData # gets plaintext
-CK_ULONG_PTR pulDataLen # gets p-text size
-
-# C_DecryptUpdate continues a multiple-part decryption operation.
-FUNCTION C_DecryptUpdate
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pEncryptedPart # encrypted data
-CK_ULONG ulEncryptedPartLen # input length
-CK_BYTE_PTR pPart # gets plaintext
-CK_ULONG_PTR pulPartLen # p-text size
-
-# C_DecryptFinal finishes a multiple-part decryption operation.
-FUNCTION C_DecryptFinal
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pLastPart # gets plaintext
-CK_ULONG_PTR pulLastPartLen # p-text size
-
-
-# Message digesting
-
-# C_DigestInit initializes a message-digesting operation.
-FUNCTION C_DigestInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the digesting mechanism
-
-# C_Digest digests data in a single part.
-FUNCTION C_Digest
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pData # data to be digested
-CK_ULONG ulDataLen # bytes of data to digest
-CK_BYTE_PTR pDigest # gets the message digest
-CK_ULONG_PTR pulDigestLen # gets digest length
-
-# C_DigestUpdate continues a multiple-part message-digesting operation.
-FUNCTION C_DigestUpdate
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pPart # data to be digested
-CK_ULONG ulPartLen # bytes of data to be digested
-
-# C_DigestKey continues a multi-part message-digesting operation, by
-# digesting the value of a secret key as part of the data already
-# digested.
-FUNCTION C_DigestKey
-CK_SESSION_HANDLE hSession # the session's handle
-CK_OBJECT_HANDLE hKey # secret key to digest
-
-# C_DigestFinal finishes a multiple-part message-digesting operation.
-FUNCTION C_DigestFinal
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pDigest # gets the message digest
-CK_ULONG_PTR pulDigestLen # gets byte count of digest
-
-
-# Signing and MACing
-
-# C_SignInit initializes a signature (private key encryption)
-# operation, where the signature is (will be) an appendix to the
-# data, and plaintext cannot be recovered from the signature.
-FUNCTION C_SignInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the signature mechanism
-CK_OBJECT_HANDLE hKey # handle of signature key
-
-# C_Sign signs (encrypts with private key) data in a single part,
-# where the signature is (will be) an appendix to the data, and
-# plaintext cannot be recovered from the signature.
-FUNCTION C_Sign
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pData # the data to sign
-CK_ULONG ulDataLen # count of bytes to sign
-CK_BYTE_PTR pSignature # gets the signature
-CK_ULONG_PTR pulSignatureLen # gets signature length
-
-# C_SignUpdate continues a multiple-part signature operation, where
-# the signature is (will be) an appendix to the data, and plaintext
-# cannot be recovered from the signature.
-FUNCTION C_SignUpdate
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pPart # the data to sign
-CK_ULONG ulPartLen # count of bytes to sign
-
-# C_SignFinal finishes a multiple-part signature operation, returning
-# the signature.
-FUNCTION C_SignFinal
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pSignature # gets the signature
-CK_ULONG_PTR pulSignatureLen # gets signature length
-
-# C_SignRecoverInit initializes a signature operation, where the data
-# can be recovered from the signature.
-FUNCTION C_SignRecoverInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the signature mechanism
-CK_OBJECT_HANDLE hKey # handle of the signature key
-
-# C_SignRecover signs data in a single operation, where the data can
-# be recovered from the signature.
-FUNCTION C_SignRecover
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pData # the data to sign
-CK_ULONG ulDataLen # count of bytes to sign
-CK_BYTE_PTR pSignature # gets the signature
-CK_ULONG_PTR pulSignatureLen # gets signature length
-
-
-# Verifying signatures and MACs
-
-# C_VerifyInit initializes a verification operation, where the
-# signature is an appendix to the data, and plaintext cannot cannot
-# be recovered from the signature (e.g. DSA).
-FUNCTION C_VerifyInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the verification mechanism
-CK_OBJECT_HANDLE hKey # verification key
-
-# C_Verify verifies a signature in a single-part operation, where the
-# signature is an appendix to the data, and plaintext cannot be
-# recovered from the signature.
-FUNCTION C_Verify
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pData # signed data
-CK_ULONG ulDataLen # length of signed data
-CK_BYTE_PTR pSignature # signature
-CK_ULONG ulSignatureLen # signature length
-
-# C_VerifyUpdate continues a multiple-part verification operation,
-# where the signature is an appendix to the data, and plaintext cannot be
-# recovered from the signature.
-FUNCTION C_VerifyUpdate
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pPart # signed data
-CK_ULONG ulPartLen # length of signed data
-
-# C_VerifyFinal finishes a multiple-part verification operation,
-# checking the signature.
-FUNCTION C_VerifyFinal
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pSignature # signature to verify
-CK_ULONG ulSignatureLen # signature length
-
-# C_VerifyRecoverInit initializes a signature verification operation,
-# where the data is recovered from the signature.
-FUNCTION C_VerifyRecoverInit
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the verification mechanism
-CK_OBJECT_HANDLE hKey # verification key
-
-# C_VerifyRecover verifies a signature in a single-part operation,
-# where the data is recovered from the signature.
-FUNCTION C_VerifyRecover
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pSignature # signature to verify
-CK_ULONG ulSignatureLen # signature length
-CK_BYTE_PTR pData # gets signed data
-CK_ULONG_PTR pulDataLen # gets signed data len
-
-
-# Dual-function cryptographic operations
-
-# C_DigestEncryptUpdate continues a multiple-part digesting and
-# encryption operation.
-FUNCTION C_DigestEncryptUpdate
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pPart # the plaintext data
-CK_ULONG ulPartLen # plaintext length
-CK_BYTE_PTR pEncryptedPart # gets ciphertext
-CK_ULONG_PTR pulEncryptedPartLen # gets c-text length
-
-# C_DecryptDigestUpdate continues a multiple-part decryption and
-# digesting operation.
-FUNCTION C_DecryptDigestUpdate
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pEncryptedPart # ciphertext
-CK_ULONG ulEncryptedPartLen # ciphertext length
-CK_BYTE_PTR pPart # gets plaintext
-CK_ULONG_PTR pulPartLen # gets plaintext len
-
-# C_SignEncryptUpdate continues a multiple-part signing and
-# encryption operation.
-FUNCTION C_SignEncryptUpdate
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pPart # the plaintext data
-CK_ULONG ulPartLen # plaintext length
-CK_BYTE_PTR pEncryptedPart # gets ciphertext
-CK_ULONG_PTR pulEncryptedPartLen # gets c-text length
-
-# C_DecryptVerifyUpdate continues a multiple-part decryption and
-# verify operation.
-FUNCTION C_DecryptVerifyUpdate
-CK_SESSION_HANDLE hSession # session's handle
-CK_BYTE_PTR pEncryptedPart # ciphertext
-CK_ULONG ulEncryptedPartLen # ciphertext length
-CK_BYTE_PTR pPart # gets plaintext
-CK_ULONG_PTR pulPartLen # gets p-text length
-
-
-# Key management
-
-# C_GenerateKey generates a secret key, creating a new key object.
-FUNCTION C_GenerateKey
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # key generation mech.
-CK_ATTRIBUTE_PTR pTemplate # template for new key
-CK_ULONG ulCount # # of attrs in template
-CK_OBJECT_HANDLE_PTR phKey # gets handle of new key
-
-# C_GenerateKeyPair generates a public-key/private-key pair, creating
-# new key objects.
-FUNCTION C_GenerateKeyPair
-CK_SESSION_HANDLE hSession # session handle
-CK_MECHANISM_PTR pMechanism # key-gen mech.
-CK_ATTRIBUTE_PTR pPublicKeyTemplate # template for pub. key
-CK_ULONG ulPublicKeyAttributeCount # # pub. attrs.
-CK_ATTRIBUTE_PTR pPrivateKeyTemplate # template for priv. key
-CK_ULONG ulPrivateKeyAttributeCount # # priv. attrs.
-CK_OBJECT_HANDLE_PTR phPublicKey # gets pub. key handle
-CK_OBJECT_HANDLE_PTR phPrivateKey # gets priv. key handle
-
-# C_WrapKey wraps (i.e., encrypts) a key.
-FUNCTION C_WrapKey
-CK_SESSION_HANDLE hSession # the session's handle
-CK_MECHANISM_PTR pMechanism # the wrapping mechanism
-CK_OBJECT_HANDLE hWrappingKey # wrapping key
-CK_OBJECT_HANDLE hKey # key to be wrapped
-CK_BYTE_PTR pWrappedKey # gets wrapped key
-CK_ULONG_PTR pulWrappedKeyLen # gets wrapped key size
-
-# C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key
-# object.
-FUNCTION C_UnwrapKey
-CK_SESSION_HANDLE hSession # session's handle
-CK_MECHANISM_PTR pMechanism # unwrapping mech.
-CK_OBJECT_HANDLE hUnwrappingKey # unwrapping key
-CK_BYTE_PTR pWrappedKey # the wrapped key
-CK_ULONG ulWrappedKeyLen # wrapped key len
-CK_ATTRIBUTE_PTR pTemplate # new key template
-CK_ULONG ulAttributeCount # template length
-CK_OBJECT_HANDLE_PTR phKey # gets new handle
-
-# C_DeriveKey derives a key from a base key, creating a new key object.
-FUNCTION C_DeriveKey
-CK_SESSION_HANDLE hSession # session's handle
-CK_MECHANISM_PTR pMechanism # key deriv. mech.
-CK_OBJECT_HANDLE hBaseKey # base key
-CK_ATTRIBUTE_PTR pTemplate # new key template
-CK_ULONG ulAttributeCount # template length
-CK_OBJECT_HANDLE_PTR phKey # gets new handle
-
-
-# Random number generation
-
-# C_SeedRandom mixes additional seed material into the token's random
-# number generator.
-FUNCTION C_SeedRandom
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR pSeed # the seed material
-CK_ULONG ulSeedLen # length of seed material
-
-# C_GenerateRandom generates random data.
-FUNCTION C_GenerateRandom
-CK_SESSION_HANDLE hSession # the session's handle
-CK_BYTE_PTR RandomData # receives the random data
-CK_ULONG ulRandomLen # # of bytes to generate
-
-
-# Parallel function management
-
-# C_GetFunctionStatus is a legacy function; it obtains an updated
-# status of a function running in parallel with an application.
-FUNCTION C_GetFunctionStatus
-CK_SESSION_HANDLE hSession # the session's handle
-
-# C_CancelFunction is a legacy function; it cancels a function running
-# in parallel.
-FUNCTION C_CancelFunction
-CK_SESSION_HANDLE hSession # the session's handle
-
-
-# Functions added in for Cryptoki Version 2.01 or later
-
-# C_WaitForSlotEvent waits for a slot event (token insertion, removal,
-# etc.) to occur.
-FUNCTION C_WaitForSlotEvent
-CK_FLAGS flags # blocking/nonblocking flag
-CK_SLOT_ID_PTR pSlot # location that receives the slot ID
-CK_VOID_PTR pRserved # reserved. Should be NULL_PTR
-
-## C_ConfigureSlot passes an installation-specified bytestring to a
-## slot.
-#FUNCTION C_ConfigureSlot
-#CK_SLOT_ID slotID # the slot to configure
-#CK_BYTE_PTR pConfig # the configuration string
-#CK_ULONG ulConfigLen # length of the config string
diff --git a/security/nss/lib/ckfw/ck.h b/security/nss/lib/ckfw/ck.h
deleted file mode 100644
index 04df10656..000000000
--- a/security/nss/lib/ckfw/ck.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef CK_H
-#define CK_H
-
-#ifdef DEBUG
-static const char CK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * ck.h
- *
- * This header file consolidates all header files needed by the source
- * files implementing the NSS Cryptoki Framework. This makes managing
- * the source files a bit easier.
- */
-
-/* Types */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFT_H
-#include "nssckft.h"
-#endif /* NSSCKFT_H */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKMDT_H
-#include "nssckmdt.h"
-#endif /* NSSCKMDT_H */
-
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-#ifndef CKFWTM_H
-#include "ckfwtm.h"
-#endif /* CKFWTM_H */
-
-/* Prototypes */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef NSSCKG_H
-#include "nssckg.h"
-#endif /* NSSCKG_H */
-
-#ifndef NSSCKFW_H
-#include "nssckfw.h"
-#endif /* NSSCKFW_H */
-
-#ifndef NSSCKFWC_H
-#include "nssckfwc.h"
-#endif /* NSSCKFWC_H */
-
-#ifndef CKFW_H
-#include "ckfw.h"
-#endif /* CKFW_H */
-
-#ifndef CKFWM_H
-#include "ckfwm.h"
-#endif /* CKFWM_H */
-
-#ifndef CKMD_H
-#include "ckmd.h"
-#endif /* CKMD_H */
-
-/* NSS-private */
-
-/* nss_ZNEW and the like. We might want to publish the memory APIs.. */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#endif /* CK_H */
diff --git a/security/nss/lib/ckfw/ckapi.perl b/security/nss/lib/ckfw/ckapi.perl
deleted file mode 100644
index 5ec2d20b2..000000000
--- a/security/nss/lib/ckfw/ckapi.perl
+++ /dev/null
@@ -1,497 +0,0 @@
-#!perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
-
-$copyright = '/* THIS IS A GENERATED FILE */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-';
-
-$count = -1;
-$i = 0;
-while(<>) {
- s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
- next if (/^\s*$/);
-
-# print;
-
- /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
- $name = $1;
- $value = $2;
-
- if( ($name =~ "FUNCTION") && !($name =~ "CK_FUNCTION") ) {
- $count++;
- $x[$count]{name} = $value;
- $i = 0;
- } else {
- if( $count < 0 ) {
- $value =~ s/"//g;
- $g{$name} = $value;
- } else {
- $x[$count]{args}[$i]{type} = $name;
- $x[$count]{args}[$i]{name} = $value;
- $i++;
- $x[$count]{nargs} = $i; # rewritten each time, oh well
- }
- }
-}
-
-# dodump();
-doprint();
-
-sub dodump {
- for( $j = 0; $j <= $count; $j++ ) {
- print "CK_RV CK_ENTRY $x[$j]{name}\n";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print " $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print "\n";
- } else {
- print ",\n";
- }
- }
- }
-}
-
-sub doprint {
-open(PROTOTYPE, ">nssckg.h") || die "Can't open nssckg.h: $!";
-open(TYPEDEF, ">nssckft.h") || die "Can't open nssckft.h: $!";
-open(EPV, ">nssckepv.h") || die "Can't open nssckepv.h: $!";
-open(API, ">nssck.api") || die "Can't open nssck.api: $!";
-
-select PROTOTYPE;
-
-print $copyright;
-print <<EOD
-#ifndef NSSCKG_H
-#define NSSCKG_H
-
-#ifdef DEBUG
-static const char NSSCKG_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssckg.h
- *
- * This automatically-generated header file prototypes the Cryptoki
- * functions specified by PKCS#11.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-EOD
- ;
-
-for( $j = 0; $j <= $count; $j++ ) {
- print "CK_RV CK_ENTRY $x[$j]{name}\n";
- print "(\n";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print " $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print "\n";
- } else {
- print ",\n";
- }
- }
- print ");\n\n";
-}
-
-print <<EOD
-#endif /* NSSCKG_H */
-EOD
- ;
-
-select TYPEDEF;
-
-print $copyright;
-print <<EOD
-#ifndef NSSCKFT_H
-#define NSSCKFT_H
-
-#ifdef DEBUG
-static const char NSSCKFT_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssckft.h
- *
- * The automatically-generated header file declares a typedef
- * each of the Cryptoki functions specified by PKCS#11.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-EOD
- ;
-
-for( $j = 0; $j <= $count; $j++ ) {
-# print "typedef CK_RV (CK_ENTRY *CK_$x[$j]{name})(\n";
- print "typedef CK_CALLBACK_FUNCTION(CK_RV, CK_$x[$j]{name})(\n";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print " $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print "\n";
- } else {
- print ",\n";
- }
- }
- print ");\n\n";
-}
-
-print <<EOD
-#endif /* NSSCKFT_H */
-EOD
- ;
-
-select EPV;
-
-print $copyright;
-print <<EOD
-#ifndef NSSCKEPV_H
-#define NSSCKEPV_H
-
-#ifdef DEBUG
-static const char NSSCKEPV_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssckepv.h
- *
- * This automatically-generated header file defines the type
- * CK_FUNCTION_LIST specified by PKCS#11.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFT_H
-#include "nssckft.h"
-#endif /* NSSCKFT_H */
-
-struct CK_FUNCTION_LIST {
- CK_VERSION version;
-EOD
- ;
-
-for( $j = 0; $j <= $count; $j++ ) {
- print " CK_$x[$j]{name} $x[$j]{name};\n";
-}
-
-print <<EOD
-};
-
-#endif /* NSSCKEPV_H */
-EOD
- ;
-
-select API;
-
-print $copyright;
-print <<EOD
-
-#ifdef DEBUG
-static const char NSSCKAPI_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssck.api
- *
- * This automatically-generated file is used to generate a set of
- * Cryptoki entry points within the object space of a Module using
- * the NSS Cryptoki Framework.
- *
- * The Module should have a .c file with the following:
- *
- * #define MODULE_NAME name
- * #define INSTANCE_NAME instance
- * #include "nssck.api"
- *
- * where "name" is some module-specific name that can be used to
- * disambiguate various modules. This included file will then
- * define the actual Cryptoki routines which pass through to the
- * Framework calls. All routines, except C_GetFunctionList, will
- * be prefixed with the name; C_GetFunctionList will be generated
- * to return an entry-point vector with these routines. The
- * instance specified should be the basic instance of NSSCKMDInstance.
- *
- * If, prior to including nssck.api, the .c file also specifies
- *
- * #define DECLARE_STRICT_CRYTPOKI_NAMES
- *
- * Then a set of "stub" routines not prefixed with the name will
- * be included. This would allow the combined module and framework
- * to be used in applications which are hard-coded to use the
- * PKCS#11 names (instead of going through the EPV). Please note
- * that such applications should be careful resolving symbols when
- * more than one PKCS#11 module is loaded.
- */
-
-#ifndef MODULE_NAME
-#error "Error: MODULE_NAME must be defined."
-#endif /* MODULE_NAME */
-
-#ifndef INSTANCE_NAME
-#error "Error: INSTANCE_NAME must be defined."
-#endif /* INSTANCE_NAME */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKFWC_H
-#include "nssckfwc.h"
-#endif /* NSSCKFWC_H */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#define __ADJOIN(x,y) x##y
-
-/*
- * The anchor. This object is used to store an "anchor" pointer in
- * the Module's object space, so the wrapper functions can relate
- * back to this instance.
- */
-
-static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
-
-CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Initialize)
-(
- CK_VOID_PTR pInitArgs
-)
-{
- return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Initialize
-(
- CK_VOID_PTR pInitArgs
-)
-{
- return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Finalize)
-(
- CK_VOID_PTR pReserved
-)
-{
- return NSSCKFWC_Finalize(&fwInstance);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Finalize
-(
- CK_VOID_PTR pReserved
-)
-{
- return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetInfo)
-(
- CK_INFO_PTR pInfo
-)
-{
- return NSSCKFWC_GetInfo(fwInstance, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetInfo
-(
- CK_INFO_PTR pInfo
-)
-{
- return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-/*
- * C_GetFunctionList is defined at the end.
- */
-
-EOD
- ;
-
-for( $j = 4; $j <= $count; $j++ ) {
- print "CK_RV CK_ENTRY\n";
- print "__ADJOIN(MODULE_NAME,$x[$j]{name})\n";
- print "(\n";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print " $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print "\n";
- } else {
- print ",\n";
- }
- }
- print ")\n";
- print "{\n";
- print " return NSSCKFW$x[$j]{name}(fwInstance, ";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print "$x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print ");\n";
- } else {
- print ", ";
- }
- }
- print "}\n\n";
-
- print "#ifdef DECLARE_STRICT_CRYPTOKI_NAMES\n";
- print "CK_RV CK_ENTRY\n";
- print "$x[$j]{name}\n";
- print "(\n";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print " $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print "\n";
- } else {
- print ",\n";
- }
- }
- print ")\n";
- print "{\n";
- print " return __ADJOIN(MODULE_NAME,$x[$j]{name})(";
- for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
- print "$x[$j]{args}[$i]{name}";
- if( $i == ($x[$j]{nargs} - 1) ) {
- print ");\n";
- } else {
- print ", ";
- }
- }
- print "}\n";
- print "#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */\n\n";
-}
-
-print <<EOD
-CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionList)
-(
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-);
-
-static CK_FUNCTION_LIST FunctionList = {
- { 2, 1 },
-EOD
- ;
-
-for( $j = 0; $j <= $count; $j++ ) {
- print "__ADJOIN(MODULE_NAME,$x[$j]{name})";
- if( $j < $count ) {
- print ",\n";
- } else {
- print "\n};\n\n";
- }
-}
-
-print <<EOD
-CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionList)
-(
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
- *ppFunctionList = &FunctionList;
- return CKR_OK;
-}
-
-/* This one is always present */
-CK_RV CK_ENTRY
-C_GetFunctionList
-(
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
- return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
-}
-
-#undef __ADJOIN
-
-EOD
- ;
-
-select STDOUT;
-
-}
diff --git a/security/nss/lib/ckfw/ckfw.h b/security/nss/lib/ckfw/ckfw.h
deleted file mode 100644
index 2e83f8c35..000000000
--- a/security/nss/lib/ckfw/ckfw.h
+++ /dev/null
@@ -1,1858 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef CKFW_H
-#define CKFW_H
-
-#ifdef DEBUG
-static const char CKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * ckfw.h
- *
- * This file prototypes the private calls of the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKMDT_H
-#include "nssckmdt.h"
-#endif /* NSSCKMDT_H */
-
-/*
- * NSSCKFWInstance
- *
- * -- create/destroy --
- * nssCKFWInstance_Create
- * nssCKFWInstance_Destroy
- *
- * -- implement public accessors --
- * nssCKFWInstance_GetMDInstance
- * nssCKFWInstance_GetArena
- * nssCKFWInstance_MayCreatePthreads
- * nssCKFWInstance_CreateMutex
- * nssCKFWInstance_GetConfigurationData
- *
- * -- private accessors --
- * nssCKFWInstance_CreateSessionHandle
- * nssCKFWInstance_ResolveSessionHandle
- * nssCKFWInstance_DestroySessionHandle
- * nssCKFWInstance_FindSessionHandle
- * nssCKFWInstance_CreateObjectHandle
- * nssCKFWInstance_ResolveObjectHandle
- * nssCKFWInstance_DestroyObjectHandle
- * nssCKFWInstance_FindObjectHandle
- *
- * -- module fronts --
- * nssCKFWInstance_GetNSlots
- * nssCKFWInstance_GetCryptokiVersion
- * nssCKFWInstance_GetManufacturerID
- * nssCKFWInstance_GetFlags
- * nssCKFWInstance_GetLibraryDescription
- * nssCKFWInstance_GetLibraryVersion
- * nssCKFWInstance_GetModuleHandlesSessionObjects
- * nssCKFWInstance_GetSlots
- * nssCKFWInstance_WaitForSlotEvent
- *
- * -- debugging versions only --
- * nssCKFWInstance_verifyPointer
- */
-
-/*
- * nssCKFWInstance_Create
- *
- */
-NSS_EXTERN NSSCKFWInstance *
-nssCKFWInstance_Create
-(
- CK_C_INITIALIZE_ARGS_PTR pInitArgs,
- NSSCKMDInstance *mdInstance,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_Destroy
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetMDInstance
- *
- */
-NSS_EXTERN NSSCKMDInstance *
-nssCKFWInstance_GetMDInstance
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWInstance_GetArena
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_MayCreatePthreads
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWInstance_MayCreatePthreads
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_CreateMutex
- *
- */
-NSS_EXTERN NSSCKFWMutex *
-nssCKFWInstance_CreateMutex
-(
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_GetConfigurationData
- *
- */
-NSS_EXTERN NSSUTF8 *
-nssCKFWInstance_GetConfigurationData
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_CreateSessionHandle
- *
- */
-NSS_EXTERN CK_SESSION_HANDLE
-nssCKFWInstance_CreateSessionHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_ResolveSessionHandle
- *
- */
-NSS_EXTERN NSSCKFWSession *
-nssCKFWInstance_ResolveSessionHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * nssCKFWInstance_DestroySessionHandle
- *
- */
-NSS_EXTERN void
-nssCKFWInstance_DestroySessionHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * nssCKFWInstance_FindSessionHandle
- *
- */
-NSS_EXTERN CK_SESSION_HANDLE
-nssCKFWInstance_FindSessionHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWInstance_CreateObjectHandle
- *
- */
-NSS_EXTERN CK_OBJECT_HANDLE
-nssCKFWInstance_CreateObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_FindObjectHandle
- *
- */
-NSS_EXTERN CK_OBJECT_HANDLE
-nssCKFWInstance_FindObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWInstance_ResolveObjectHandle
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWInstance_ResolveObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_OBJECT_HANDLE hObject
-);
-
-/*
- * nssCKFWInstance_ReassignObjectHandle
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_ReassignObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_OBJECT_HANDLE hObject,
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWInstance_DestroyObjectHandle
- *
- */
-NSS_EXTERN void
-nssCKFWInstance_DestroyObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_OBJECT_HANDLE hObject
-);
-
-/*
- * nssCKFWInstance_FindObjectHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWInstance_FindObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWInstance_GetNSlots
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWInstance_GetNSlots
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_GetCryptokiVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWInstance_GetCryptokiVersion
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetManufacturerID
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_GetManufacturerID
-(
- NSSCKFWInstance *fwInstance,
- CK_CHAR manufacturerID[32]
-);
-
-/*
- * nssCKFWInstance_GetFlags
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWInstance_GetFlags
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetLibraryDescription
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_GetLibraryDescription
-(
- NSSCKFWInstance *fwInstance,
- CK_CHAR libraryDescription[32]
-);
-
-/*
- * nssCKFWInstance_GetLibraryVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWInstance_GetLibraryVersion
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetModuleHandlesSessionObjects
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWInstance_GetModuleHandlesSessionObjects
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetSlots
- *
- */
-NSS_EXTERN NSSCKFWSlot **
-nssCKFWInstance_GetSlots
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_WaitForSlotEvent
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWInstance_WaitForSlotEvent
-(
- NSSCKFWInstance *fwInstance,
- CK_BBOOL block,
- CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_verifyPointer
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_verifyPointer
-(
- const NSSCKFWInstance *fwInstance
-);
-
-
-/*
- * NSSCKFWSlot
- *
- * -- create/destroy --
- * nssCKFWSlot_Create
- * nssCKFWSlot_Destroy
- *
- * -- implement public accessors --
- * nssCKFWSlot_GetMDSlot
- * nssCKFWSlot_GetFWInstance
- * nssCKFWSlot_GetMDInstance
- *
- * -- private accessors --
- * nssCKFWSlot_GetSlotID
- *
- * -- module fronts --
- * nssCKFWSlot_GetSlotDescription
- * nssCKFWSlot_GetManufacturerID
- * nssCKFWSlot_GetTokenPresent
- * nssCKFWSlot_GetRemovableDevice
- * nssCKFWSlot_GetHardwareSlot
- * nssCKFWSlot_GetHardwareVersion
- * nssCKFWSlot_GetFirmwareVersion
- * nssCKFWSlot_GetToken
- */
-
-/*
- * nssCKFWSlot_Create
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWSlot_Create
-(
- NSSCKFWInstance *fwInstance,
- NSSCKMDSlot *mdSlot,
- CK_SLOT_ID slotID,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSlot_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSlot_Destroy
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetMDSlot
- *
- */
-NSS_EXTERN NSSCKMDSlot *
-nssCKFWSlot_GetMDSlot
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetFWInstance
- *
- */
-
-NSS_EXTERN NSSCKFWInstance *
-nssCKFWSlot_GetFWInstance
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetMDInstance
- *
- */
-
-NSS_EXTERN NSSCKMDInstance *
-nssCKFWSlot_GetMDInstance
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetSlotID
- *
- */
-NSS_EXTERN CK_SLOT_ID
-nssCKFWSlot_GetSlotID
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetSlotDescription
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSlot_GetSlotDescription
-(
- NSSCKFWSlot *fwSlot,
- CK_CHAR slotDescription[64]
-);
-
-/*
- * nssCKFWSlot_GetManufacturerID
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSlot_GetManufacturerID
-(
- NSSCKFWSlot *fwSlot,
- CK_CHAR manufacturerID[32]
-);
-
-/*
- * nssCKFWSlot_GetTokenPresent
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSlot_GetTokenPresent
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetRemovableDevice
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSlot_GetRemovableDevice
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetHardwareSlot
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSlot_GetHardwareSlot
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetHardwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWSlot_GetHardwareVersion
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetFirmwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWSlot_GetFirmwareVersion
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetToken
- *
- */
-NSS_EXTERN NSSCKFWToken *
-nssCKFWSlot_GetToken
-(
- NSSCKFWSlot *fwSlot,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSlot_ClearToken
- *
- */
-NSS_EXTERN void
-nssCKFWSlot_ClearToken
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWToken
- *
- * -- create/destroy --
- * nssCKFWToken_Create
- * nssCKFWToken_Destroy
- *
- * -- implement public accessors --
- * nssCKFWToken_GetMDToken
- * nssCKFWToken_GetFWSlot
- * nssCKFWToken_GetMDSlot
- * nssCKFWToken_GetSessionState
- *
- * -- private accessors --
- * nssCKFWToken_SetSessionState
- * nssCKFWToken_RemoveSession
- * nssCKFWToken_CloseAllSessions
- * nssCKFWToken_GetSessionCount
- * nssCKFWToken_GetRwSessionCount
- * nssCKFWToken_GetRoSessionCount
- * nssCKFWToken_GetSessionObjectHash
- * nssCKFWToken_GetMDObjectHash
- * nssCKFWToken_GetObjectHandleHash
- *
- * -- module fronts --
- * nssCKFWToken_InitToken
- * nssCKFWToken_GetLabel
- * nssCKFWToken_GetManufacturerID
- * nssCKFWToken_GetModel
- * nssCKFWToken_GetSerialNumber
- * nssCKFWToken_GetHasRNG
- * nssCKFWToken_GetIsWriteProtected
- * nssCKFWToken_GetLoginRequired
- * nssCKFWToken_GetUserPinInitialized
- * nssCKFWToken_GetRestoreKeyNotNeeded
- * nssCKFWToken_GetHasClockOnToken
- * nssCKFWToken_GetHasProtectedAuthenticationPath
- * nssCKFWToken_GetSupportsDualCryptoOperations
- * nssCKFWToken_GetMaxSessionCount
- * nssCKFWToken_GetMaxRwSessionCount
- * nssCKFWToken_GetMaxPinLen
- * nssCKFWToken_GetMinPinLen
- * nssCKFWToken_GetTotalPublicMemory
- * nssCKFWToken_GetFreePublicMemory
- * nssCKFWToken_GetTotalPrivateMemory
- * nssCKFWToken_GetFreePrivateMemory
- * nssCKFWToken_GetHardwareVersion
- * nssCKFWToken_GetFirmwareVersion
- * nssCKFWToken_GetUTCTime
- * nssCKFWToken_OpenSession
- * nssCKFWToken_GetMechanismCount
- * nssCKFWToken_GetMechanismTypes
- * nssCKFWToken_GetMechanism
- */
-
-/*
- * nssCKFWToken_Create
- *
- */
-NSS_EXTERN NSSCKFWToken *
-nssCKFWToken_Create
-(
- NSSCKFWSlot *fwSlot,
- NSSCKMDToken *mdToken,
- CK_RV *pError
-);
-
-/*
- * nssCKFWToken_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_Destroy
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMDToken
- *
- */
-NSS_EXTERN NSSCKMDToken *
-nssCKFWToken_GetMDToken
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWToken_GetArena
-(
- NSSCKFWToken *fwToken,
- CK_RV *pError
-);
-
-/*
- * nssCKFWToken_GetFWSlot
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWToken_GetFWSlot
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMDSlot
- *
- */
-NSS_EXTERN NSSCKMDSlot *
-nssCKFWToken_GetMDSlot
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSessionState
- *
- */
-NSS_EXTERN CK_STATE
-nssCKFWToken_GetSessionState
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_InitToken
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_InitToken
-(
- NSSCKFWToken *fwToken,
- NSSItem *pin,
- NSSUTF8 *label
-);
-
-/*
- * nssCKFWToken_GetLabel
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetLabel
-(
- NSSCKFWToken *fwToken,
- CK_CHAR label[32]
-);
-
-/*
- * nssCKFWToken_GetManufacturerID
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetManufacturerID
-(
- NSSCKFWToken *fwToken,
- CK_CHAR manufacturerID[32]
-);
-
-/*
- * nssCKFWToken_GetModel
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetModel
-(
- NSSCKFWToken *fwToken,
- CK_CHAR model[16]
-);
-
-/*
- * nssCKFWToken_GetSerialNumber
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetSerialNumber
-(
- NSSCKFWToken *fwToken,
- CK_CHAR serialNumber[16]
-);
-
-/*
- * nssCKFWToken_GetHasRNG
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetHasRNG
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetIsWriteProtected
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetIsWriteProtected
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetLoginRequired
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetLoginRequired
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetUserPinInitialized
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetUserPinInitialized
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetRestoreKeyNotNeeded
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetRestoreKeyNotNeeded
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetHasClockOnToken
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetHasClockOnToken
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetHasProtectedAuthenticationPath
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetHasProtectedAuthenticationPath
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSupportsDualCryptoOperations
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetSupportsDualCryptoOperations
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMaxSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMaxSessionCount
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMaxRwSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMaxRwSessionCount
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMaxPinLen
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMaxPinLen
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMinPinLen
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMinPinLen
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetTotalPublicMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetTotalPublicMemory
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetFreePublicMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetFreePublicMemory
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetTotalPrivateMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetTotalPrivateMemory
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetFreePrivateMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetFreePrivateMemory
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetHardwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWToken_GetHardwareVersion
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetFirmwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWToken_GetFirmwareVersion
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetUTCTime
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetUTCTime
-(
- NSSCKFWToken *fwToken,
- CK_CHAR utcTime[16]
-);
-
-/*
- * nssCKFWToken_OpenSession
- *
- */
-NSS_EXTERN NSSCKFWSession *
-nssCKFWToken_OpenSession
-(
- NSSCKFWToken *fwToken,
- CK_BBOOL rw,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_RV *pError
-);
-
-/*
- * nssCKFWToken_GetMechanismCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMechanismCount
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMechanismTypes
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetMechanismTypes
-(
- NSSCKFWToken *fwToken,
- CK_MECHANISM_TYPE types[]
-);
-
-/*
- * nssCKFWToken_GetMechanism
- *
- */
-NSS_EXTERN NSSCKFWMechanism *
-nssCKFWToken_GetMechanism
-(
- NSSCKFWToken *fwToken,
- CK_MECHANISM_TYPE which,
- CK_RV *pError
-);
-
-/*
- * nssCKFWToken_SetSessionState
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_SetSessionState
-(
- NSSCKFWToken *fwToken,
- CK_STATE newState
-);
-
-/*
- * nssCKFWToken_RemoveSession
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_RemoveSession
-(
- NSSCKFWToken *fwToken,
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWToken_CloseAllSessions
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_CloseAllSessions
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetSessionCount
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetRwSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetRwSessionCount
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetRoSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetRoSessionCount
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSessionObjectHash
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWToken_GetSessionObjectHash
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMDObjectHash
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWToken_GetMDObjectHash
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetObjectHandleHash
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWToken_GetObjectHandleHash
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWMechanism
- *
- * -- create/destroy --
- * nssCKFWMechanism_Create
- * nssCKFWMechanism_Destroy
- *
- * -- implement public accessors --
- * nssCKFWMechanism_GetMDMechanism
- * nssCKFWMechanism_GetParameter
- *
- * -- private accessors --
- *
- * -- module fronts --
- * nssCKFWMechanism_GetMinKeySize
- * nssCKFWMechanism_GetMaxKeySize
- * nssCKFWMechanism_GetInHardware
- */
-
-/*
- * nssCKFWMechanism_Create
- *
- */
-NSS_EXTERN NSSCKFWMechanism *
-nssCKFWMechanism_Create
-(
- void /* XXX fgmr */
-);
-
-/*
- * nssCKFWMechanism_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMechanism_Destroy
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetMDMechanism
- *
- */
-
-NSS_EXTERN NSSCKMDMechanism *
-nssCKFWMechanism_GetMDMechanism
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetParameter
- *
- * XXX fgmr-- or as an additional parameter to the crypto ops?
- */
-NSS_EXTERN NSSItem *
-nssCKFWMechanism_GetParameter
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetMinKeySize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWMechanism_GetMinKeySize
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetMaxKeySize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWMechanism_GetMaxKeySize
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetInHardware
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWMechanism_GetInHardware
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * NSSCKFWSession
- *
- * -- create/destroy --
- * nssCKFWSession_Create
- * nssCKFWSession_Destroy
- *
- * -- implement public accessors --
- * nssCKFWSession_GetMDSession
- * nssCKFWSession_GetArena
- * nssCKFWSession_CallNotification
- * nssCKFWSession_IsRWSession
- * nssCKFWSession_IsSO
- *
- * -- private accessors --
- * nssCKFWSession_GetFWSlot
- * nssCKFWSession_GetSessionState
- * nssCKFWSession_SetFWFindObjects
- * nssCKFWSession_GetFWFindObjects
- * nssCKFWSession_SetMDSession
- * nssCKFWSession_SetHandle
- * nssCKFWSession_GetHandle
- * nssCKFWSession_RegisterSessionObject
- * nssCKFWSession_DeregisterSessionObject
- *
- * -- module fronts --
- * nssCKFWSession_GetDeviceError
- * nssCKFWSession_Login
- * nssCKFWSession_Logout
- * nssCKFWSession_InitPIN
- * nssCKFWSession_SetPIN
- * nssCKFWSession_GetOperationStateLen
- * nssCKFWSession_GetOperationState
- * nssCKFWSession_SetOperationState
- * nssCKFWSession_CreateObject
- * nssCKFWSession_CopyObject
- * nssCKFWSession_FindObjectsInit
- * nssCKFWSession_SeedRandom
- * nssCKFWSession_GetRandom
- */
-
-/*
- * nssCKFWSession_Create
- *
- */
-NSS_EXTERN NSSCKFWSession *
-nssCKFWSession_Create
-(
- NSSCKFWToken *fwToken,
- CK_BBOOL rw,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_Destroy
-(
- NSSCKFWSession *fwSession,
- CK_BBOOL removeFromTokenHash
-);
-
-/*
- * nssCKFWSession_GetMDSession
- *
- */
-NSS_EXTERN NSSCKMDSession *
-nssCKFWSession_GetMDSession
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWSession_GetArena
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_CallNotification
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_CallNotification
-(
- NSSCKFWSession *fwSession,
- CK_NOTIFICATION event
-);
-
-/*
- * nssCKFWSession_IsRWSession
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSession_IsRWSession
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_IsSO
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSession_IsSO
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_GetFWSlot
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWSession_GetFWSlot
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCFKWSession_GetSessionState
- *
- */
-NSS_EXTERN CK_STATE
-nssCKFWSession_GetSessionState
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_SetFWFindObjects
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetFWFindObjects
-(
- NSSCKFWSession *fwSession,
- NSSCKFWFindObjects *fwFindObjects
-);
-
-/*
- * nssCKFWSession_GetFWFindObjects
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWSession_GetFWFindObjects
-(
- NSSCKFWSession *fwSesssion,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_SetMDSession
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetMDSession
-(
- NSSCKFWSession *fwSession,
- NSSCKMDSession *mdSession
-);
-
-/*
- * nssCKFWSession_SetHandle
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetHandle
-(
- NSSCKFWSession *fwSession,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * nssCKFWSession_GetHandle
- *
- */
-NSS_EXTERN CK_SESSION_HANDLE
-nssCKFWSession_GetHandle
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_RegisterSessionObject
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_RegisterSessionObject
-(
- NSSCKFWSession *fwSession,
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWSession_DeregisterSessionObject
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_DeregisterSessionObject
-(
- NSSCKFWSession *fwSession,
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWSession_GetDeviceError
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWSession_GetDeviceError
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_Login
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_Login
-(
- NSSCKFWSession *fwSession,
- CK_USER_TYPE userType,
- NSSItem *pin
-);
-
-/*
- * nssCKFWSession_Logout
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_Logout
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_InitPIN
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_InitPIN
-(
- NSSCKFWSession *fwSession,
- NSSItem *pin
-);
-
-/*
- * nssCKFWSession_SetPIN
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetPIN
-(
- NSSCKFWSession *fwSession,
- NSSItem *newPin,
- NSSItem *oldPin
-);
-
-/*
- * nssCKFWSession_GetOperationStateLen
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWSession_GetOperationStateLen
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_GetOperationState
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_GetOperationState
-(
- NSSCKFWSession *fwSession,
- NSSItem *buffer
-);
-
-/*
- * nssCKFWSession_SetOperationState
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetOperationState
-(
- NSSCKFWSession *fwSession,
- NSSItem *state,
- NSSCKFWObject *encryptionKey,
- NSSCKFWObject *authenticationKey
-);
-
-/*
- * nssCKFWSession_CreateObject
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWSession_CreateObject
-(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_CopyObject
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWSession_CopyObject
-(
- NSSCKFWSession *fwSession,
- NSSCKFWObject *object,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_FindObjectsInit
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWSession_FindObjectsInit
-(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-);
-
-/*
- * nssCKFWSession_SeedRandom
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SeedRandom
-(
- NSSCKFWSession *fwSession,
- NSSItem *seed
-);
-
-/*
- * nssCKFWSession_GetRandom
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_GetRandom
-(
- NSSCKFWSession *fwSession,
- NSSItem *buffer
-);
-
-/*
- * NSSCKFWObject
- *
- * -- create/destroy --
- * nssCKFWObject_Create
- * nssCKFWObject_Finalize
- * nssCKFWObject_Destroy
- *
- * -- implement public accessors --
- * nssCKFWObject_GetMDObject
- * nssCKFWObject_GetArena
- *
- * -- private accessors --
- * nssCKFWObject_SetHandle
- * nssCKFWObject_GetHandle
- *
- * -- module fronts --
- * nssCKFWObject_IsTokenObject
- * nssCKFWObject_GetAttributeCount
- * nssCKFWObject_GetAttributeTypes
- * nssCKFWObject_GetAttributeSize
- * nssCKFWObject_GetAttribute
- * nssCKFWObject_SetAttribute
- * nssCKFWObject_GetObjectSize
- */
-
-/*
- * nssCKFWObject_Create
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWObject_Create
-(
- NSSArena *arena,
- NSSCKMDObject *mdObject,
- NSSCKFWSession *fwSession,
- NSSCKFWToken *fwToken,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-/*
- * nssCKFWObject_Finalize
- *
- */
-NSS_EXTERN void
-nssCKFWObject_Finalize
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWObject_Destroy
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_GetMDObject
- *
- */
-NSS_EXTERN NSSCKMDObject *
-nssCKFWObject_GetMDObject
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWObject_GetArena
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * nssCKFWObject_SetHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_SetHandle
-(
- NSSCKFWObject *fwObject,
- CK_OBJECT_HANDLE hObject
-);
-
-/*
- * nssCKFWObject_GetHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWObject_GetHandle
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_IsTokenObject
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWObject_IsTokenObject
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_GetAttributeCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWObject_GetAttributeCount
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * nssCKFWObject_GetAttributeTypes
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWObject_GetAttributeTypes
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-);
-
-/*
- * nssCKFWObject_GetAttributeSize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWObject_GetAttributeSize
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-);
-
-/*
- * nssCKFWObject_GetAttribute
- *
- * Usual NSS allocation rules:
- * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
- * will be allocated. If itemOpt is not NULL but itemOpt->data is,
- * the buffer will be allocated; otherwise, the buffer will be used.
- * Any allocations will come from the optional arena, if one is
- * specified.
- */
-NSS_EXTERN NSSItem *
-nssCKFWObject_GetAttribute
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *itemOpt,
- NSSArena *arenaOpt,
- CK_RV *pError
-);
-
-/*
- * nssCKFWObject_SetAttribute
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWObject_SetAttribute
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value
-);
-
-/*
- * nssCKFWObject_GetObjectSize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWObject_GetObjectSize
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWFindObjects
- *
- * -- create/destroy --
- * nssCKFWFindObjects_Create
- * nssCKFWFindObjects_Destroy
- *
- * -- implement public accessors --
- * nssCKFWFindObjects_GetMDFindObjects
- *
- * -- private accessors --
- *
- * -- module fronts --
- * nssCKFWFindObjects_Next
- */
-
-/*
- * nssCKFWFindObjects_Create
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWFindObjects_Create
-(
- NSSCKFWSession *fwSession,
- NSSCKFWToken *fwToken,
- NSSCKFWInstance *fwInstance,
- NSSCKMDFindObjects *mdFindObjects1,
- NSSCKMDFindObjects *mdFindObjects2,
- CK_RV *pError
-);
-
-/*
- * nssCKFWFindObjects_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWFindObjects_Destroy
-(
- NSSCKFWFindObjects *fwFindObjects
-);
-
-/*
- * nssCKFWFindObjects_GetMDFindObjects
- *
- */
-NSS_EXTERN NSSCKMDFindObjects *
-nssCKFWFindObjects_GetMDFindObjects
-(
- NSSCKFWFindObjects *fwFindObjects
-);
-
-/*
- * nssCKFWFindObjects_Next
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWFindObjects_Next
-(
- NSSCKFWFindObjects *fwFindObjects,
- NSSArena *arenaOpt,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWMutex
- *
- * nssCKFWMutex_Create
- * nssCKFWMutex_Destroy
- * nssCKFWMutex_Lock
- * nssCKFWMutex_Unlock
- *
- */
-
-/*
- * nssCKFWMutex_Create
- *
- */
-NSS_EXTERN NSSCKFWMutex *
-nssCKFWMutex_Create
-(
- CK_C_INITIALIZE_ARGS_PTR pInitArgs,
- NSSArena *arena,
- CK_RV *pError
-);
-
-/*
- * nssCKFWMutex_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Destroy
-(
- NSSCKFWMutex *mutex
-);
-
-/*
- * nssCKFWMutex_Lock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Lock
-(
- NSSCKFWMutex *mutex
-);
-
-/*
- * nssCKFWMutex_Unlock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Unlock
-(
- NSSCKFWMutex *mutex
-);
-
-#endif /* CKFW_H */
diff --git a/security/nss/lib/ckfw/ckfwm.h b/security/nss/lib/ckfw/ckfwm.h
deleted file mode 100644
index 82fd74830..000000000
--- a/security/nss/lib/ckfw/ckfwm.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef CKFWM_H
-#define CKFWM_H
-
-#ifdef DEBUG
-static const char CKFWM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * ckfwm.h
- *
- * This file prototypes the module-private calls of the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-/*
- * nssCKFWHash
- *
- * nssCKFWHash_Create
- * nssCKFWHash_Destroy
- * nssCKFWHash_Add
- * nssCKFWHash_Remove
- * nssCKFWHash_Count
- * nssCKFWHash_Exists
- * nssCKFWHash_Lookup
- * nssCKFWHash_Iterate
- */
-
-/*
- * nssCKFWHash_Create
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWHash_Create
-(
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-);
-
-/*
- * nssCKFWHash_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWHash_Destroy
-(
- nssCKFWHash *hash
-);
-
-/*
- * nssCKFWHash_Add
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWHash_Add
-(
- nssCKFWHash *hash,
- const void *key,
- const void *value
-);
-
-/*
- * nssCKFWHash_Remove
- *
- */
-NSS_EXTERN void
-nssCKFWHash_Remove
-(
- nssCKFWHash *hash,
- const void *it
-);
-
-/*
- * nssCKFWHash_Count
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWHash_Count
-(
- nssCKFWHash *hash
-);
-
-/*
- * nssCKFWHash_Exists
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWHash_Exists
-(
- nssCKFWHash *hash,
- const void *it
-);
-
-/*
- * nssCKFWHash_Lookup
- *
- */
-NSS_EXTERN void *
-nssCKFWHash_Lookup
-(
- nssCKFWHash *hash,
- const void *it
-);
-
-/*
- * nssCKFWHash_Iterate
- *
- */
-NSS_EXTERN void
-nssCKFWHash_Iterate
-(
- nssCKFWHash *hash,
- nssCKFWHashIterator fcn,
- void *closure
-);
-
-#endif /* CKFWM_H */
diff --git a/security/nss/lib/ckfw/ckfwtm.h b/security/nss/lib/ckfw/ckfwtm.h
deleted file mode 100644
index 0f631f02d..000000000
--- a/security/nss/lib/ckfw/ckfwtm.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef CKFWTM_H
-#define CKFWTM_H
-
-#ifdef DEBUG
-static const char CKFWTM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * ckfwtm.h
- *
- * This file declares the module-private types of the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-struct nssCKFWHashStr;
-typedef struct nssCKFWHashStr nssCKFWHash;
-
-typedef void (PR_CALLBACK *nssCKFWHashIterator)(const void *key, void *value, void *closure);
-
-#endif /* CKFWTM_H */
diff --git a/security/nss/lib/ckfw/ckmd.h b/security/nss/lib/ckfw/ckmd.h
deleted file mode 100644
index 5b7f394f5..000000000
--- a/security/nss/lib/ckfw/ckmd.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef CKMD_H
-#define CKMD_H
-
-#ifdef DEBUG
-static const char CKMD_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * ckmd.h
- *
- */
-
-NSS_EXTERN NSSCKMDObject *
-nssCKMDSessionObject_Create
-(
- NSSCKFWToken *fwToken,
- NSSArena *arena,
- CK_ATTRIBUTE_PTR attributes,
- CK_ULONG ulCount,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nssCKMDFindSessionObjects_Create
-(
- NSSCKFWToken *fwToken,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_RV *pError
-);
-
-#endif /* CKMD_H */
diff --git a/security/nss/lib/ckfw/ckt.h b/security/nss/lib/ckfw/ckt.h
deleted file mode 100644
index 9b9a471ca..000000000
--- a/security/nss/lib/ckfw/ckt.h
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef CKT_H
-#define CKT_H
-
-#ifdef DEBUG
-static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * ckt.h
- *
- * This file contains the NSS-specific type definitions for Cryptoki
- * (PKCS#11).
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-/*
- * NSSCK_VENDOR_NETSCAPE
- *
- * Cryptoki reserves the high half of all the number spaces for
- * vendor-defined use. I'd like to keep all of our Netscape-
- * specific values together, but not in the oh-so-obvious
- * 0x80000001, 0x80000002, etc. area. So I've picked an offset,
- * and constructed values for the beginnings of our spaces.
- *
- * Note that some "historical" Netscape values don't fall within
- * this range.
- */
-#define NSSCK_VENDOR_NETSCAPE 0x4E534350 /* NSCP */
-
-/*
- * Netscape-defined object classes
- *
- */
-#define CKO_NETSCAPE (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKO_NETSCAPE_CRL (CKO_NETSCAPE + 1)
-#define CKO_NETSCAPE_SMIME (CKO_NETSCAPE + 2)
-#define CKO_NETSCAPE_TRUST (CKO_NETSCAPE + 3)
-
-/*
- * Netscape-defined key types
- *
- */
-#define CKK_NETSCAPE (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKK_NETSCAPE_PKCS8 (CKK_NETSCAPE + 1)
-/*
- * Netscape-defined certificate types
- *
- */
-#define CKC_NETSCAPE (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-/*
- * Netscape-defined object attributes
- *
- */
-#define CKA_NETSCAPE (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKA_NETSCAPE_URL (CKA_NETSCAPE + 1)
-#define CKA_NETSCAPE_EMAIL (CKA_NETSCAPE + 2)
-#define CKA_NETSCAPE_SMIME_INFO (CKA_NETSCAPE + 3)
-#define CKA_NETSCAPE_SMIME_TIMESTAMP (CKA_NETSCAPE + 4)
-#define CKA_NETSCAPE_PKCS8_SALT (CKA_NETSCAPE + 5)
-#define CKA_NETSCAPE_PASSWORD_CHECK (CKA_NETSCAPE + 6)
-#define CKA_NETSCAPE_EXPIRES (CKA_NETSCAPE + 7)
-
-/*
- * Trust attributes:
- *
- * If trust goes standard, these probably will too. So I'll
- * put them all in one place.
- */
-
-#define CKA_TRUST (CKA_NETSCAPE + 0x2000)
-
-/* "Usage" key information */
-#define CKA_TRUST_DIGITAL_SIGNATURE (CKA_TRUST + 1)
-#define CKA_TRUST_NON_REPUDIATION (CKA_TRUST + 2)
-#define CKA_TRUST_KEY_ENCIPHERMENT (CKA_TRUST + 3)
-#define CKA_TRUST_DATA_ENCIPHERMENT (CKA_TRUST + 4)
-#define CKA_TRUST_KEY_AGREEMENT (CKA_TRUST + 5)
-#define CKA_TRUST_KEY_CERT_SIGN (CKA_TRUST + 6)
-#define CKA_TRUST_CRL_SIGN (CKA_TRUST + 7)
-
-/* "Purpose" trust information */
-#define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8)
-#define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9)
-#define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10)
-#define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11)
-#define CKA_TRUST_IPSEC_END_SYSTEM (CKA_TRUST + 12)
-#define CKA_TRUST_IPSEC_TUNNEL (CKA_TRUST + 13)
-#define CKA_TRUST_IPSEC_USER (CKA_TRUST + 14)
-#define CKA_TRUST_TIME_STAMPING (CKA_TRUST + 15)
-
-/* Netscape trust stuff */
-/* XXX fgmr new ones here-- step-up, etc. */
-
-/* HISTORICAL: define used to pass in the database key for DSA private keys */
-#define CKA_NETSCAPE_DB 0xD5A0DB00L
-#define CKA_NETSCAPE_TRUST 0x80000001L
-
-/*
- * Netscape-defined crypto mechanisms
- *
- */
-#define CKM_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-/*
- * HISTORICAL:
- * Do not attempt to use these. They are only used by NETSCAPE's internal
- * PKCS #11 interface. Most of these are place holders for other mechanism
- * and will change in the future.
- */
-#define CKM_NETSCAPE_PBE_KEY_GEN 0x80000001L
-#define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002L
-#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007L
-#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008L
-#define CKM_TLS_MASTER_KEY_DERIVE 0x80000371L
-#define CKM_TLS_KEY_AND_MAC_DERIVE 0x80000372L
-
-/*
- * Netscape-defined return values
- *
- */
-#define CKR_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-/*
- * Trust info
- *
- * This isn't part of the Cryptoki standard (yet), so I'm putting
- * all the definitions here. Some of this would move to nssckt.h
- * if trust info were made part of the standard. In view of this
- * possibility, I'm putting my (Netscape) values in the netscape
- * vendor space, like everything else.
- */
-
-typedef CK_ULONG CK_TRUST;
-
-/* The following trust types are defined: */
-#define CKT_VENDOR_DEFINED 0x80000000
-
-#define CKT_NETSCAPE (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-/* If trust goes standard, these'll probably drop out of vendor space. */
-#define CKT_NETSCAPE_TRUSTED (CKT_NETSCAPE + 1)
-#define CKT_NETSCAPE_TRUSTED_DELEGATOR (CKT_NETSCAPE + 2)
-#define CKT_NETSCAPE_UNTRUSTED (CKT_NETSCAPE + 3)
-
-/*
- * These may well remain Netscape-specific; I'm only using them
- * to cache resolution data.
- */
-#define CKT_NETSCAPE_VALID (CKT_NETSCAPE + 4)
-#define CKT_NETSCAPE_VALID_DELEGATOR (CKT_NETSCAPE + 5)
-
-
-#endif /* CKT_H */
diff --git a/security/nss/lib/ckfw/config.mk b/security/nss/lib/ckfw/config.mk
deleted file mode 100644
index 80b3135f4..000000000
--- a/security/nss/lib/ckfw/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/ckfw/dbm/Makefile b/security/nss/lib/ckfw/dbm/Makefile
deleted file mode 100644
index 03e1fb4c6..000000000
--- a/security/nss/lib/ckfw/dbm/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/ckfw/dbm/anchor.c b/security/nss/lib/ckfw/dbm/anchor.c
deleted file mode 100644
index 588fd00e0..000000000
--- a/security/nss/lib/ckfw/dbm/anchor.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * dbm/anchor.c
- *
- * This file "anchors" the actual cryptoki entry points in this module's
- * shared library, which is required for dynamic loading. See the
- * comments in nssck.api for more information.
- */
-
-#include "ckdbm.h"
-
-#define MODULE_NAME dbm
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
-#include "nssck.api"
diff --git a/security/nss/lib/ckfw/dbm/ckdbm.h b/security/nss/lib/ckfw/dbm/ckdbm.h
deleted file mode 100644
index 7bab87ec7..000000000
--- a/security/nss/lib/ckfw/dbm/ckdbm.h
+++ /dev/null
@@ -1,281 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CKDBM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef CKDBM_H
-#define CKDBM_H
-
-#include "nssckmdt.h"
-#include "nssckfw.h"
-
-/*
- * I'm including this for access to the arena functions.
- * Looks like we should publish that API.
- */
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This is where the Netscape extensions live, at least for now.
- */
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-#include "mcom_db.h"
-
-NSS_EXTERN_DATA NSSCKMDInstance nss_dbm_mdInstance;
-
-typedef struct nss_dbm_db_struct nss_dbm_db_t;
-struct nss_dbm_db_struct {
- DB *db;
- NSSCKFWMutex *crustylock;
-};
-
-typedef struct nss_dbm_dbt_struct nss_dbm_dbt_t;
-struct nss_dbm_dbt_struct {
- DBT dbt;
- nss_dbm_db_t *my_db;
-};
-
-typedef struct nss_dbm_instance_struct nss_dbm_instance_t;
-struct nss_dbm_instance_struct {
- NSSArena *arena;
- CK_ULONG nSlots;
- char **filenames;
- int *flags; /* e.g. O_RDONLY, O_RDWR */
-};
-
-typedef struct nss_dbm_slot_struct nss_dbm_slot_t;
-struct nss_dbm_slot_struct {
- nss_dbm_instance_t *instance;
- char *filename;
- int flags;
- nss_dbm_db_t *token_db;
-};
-
-typedef struct nss_dbm_token_struct nss_dbm_token_t;
-struct nss_dbm_token_struct {
- NSSArena *arena;
- nss_dbm_slot_t *slot;
- nss_dbm_db_t *session_db;
- NSSUTF8 *label;
-};
-
-struct nss_dbm_dbt_node {
- struct nss_dbm_dbt_node *next;
- nss_dbm_dbt_t *dbt;
-};
-
-typedef struct nss_dbm_session_struct nss_dbm_session_t;
-struct nss_dbm_session_struct {
- NSSArena *arena;
- nss_dbm_token_t *token;
- CK_ULONG deviceError;
- struct nss_dbm_dbt_node *session_objects;
- NSSCKFWMutex *list_lock;
-};
-
-typedef struct nss_dbm_object_struct nss_dbm_object_t;
-struct nss_dbm_object_struct {
- NSSArena *arena; /* token or session */
- nss_dbm_dbt_t *handle;
-};
-
-typedef struct nss_dbm_find_struct nss_dbm_find_t;
-struct nss_dbm_find_struct {
- NSSArena *arena;
- struct nss_dbm_dbt_node *found;
- NSSCKFWMutex *list_lock;
-};
-
-NSS_EXTERN NSSCKMDSlot *
-nss_dbm_mdSlot_factory
-(
- nss_dbm_instance_t *instance,
- char *filename,
- int flags,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDToken *
-nss_dbm_mdToken_factory
-(
- nss_dbm_slot_t *slot,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDSession *
-nss_dbm_mdSession_factory
-(
- nss_dbm_token_t *token,
- NSSCKFWSession *fwSession,
- NSSCKFWInstance *fwInstance,
- CK_BBOOL rw,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDObject *
-nss_dbm_mdObject_factory
-(
- nss_dbm_object_t *object,
- CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nss_dbm_mdFindObjects_factory
-(
- nss_dbm_find_t *find,
- CK_RV *pError
-);
-
-NSS_EXTERN nss_dbm_db_t *
-nss_dbm_db_open
-(
- NSSArena *arena,
- NSSCKFWInstance *fwInstance,
- char *filename,
- int flags,
- CK_RV *pError
-);
-
-NSS_EXTERN void
-nss_dbm_db_close
-(
- nss_dbm_db_t *db
-);
-
-NSS_EXTERN CK_VERSION
-nss_dbm_db_get_format_version
-(
- nss_dbm_db_t *db
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_set_label
-(
- nss_dbm_db_t *db,
- NSSUTF8 *label
-);
-
-NSS_EXTERN NSSUTF8 *
-nss_dbm_db_get_label
-(
- nss_dbm_db_t *db,
- NSSArena *arena,
- CK_RV *pError
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_delete_object
-(
- nss_dbm_dbt_t *dbt
-);
-
-NSS_EXTERN nss_dbm_dbt_t *
-nss_dbm_db_create_object
-(
- NSSArena *arena,
- nss_dbm_db_t *db,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError,
- CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_find_objects
-(
- nss_dbm_find_t *find,
- nss_dbm_db_t *db,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_BBOOL
-nss_dbm_db_object_still_exists
-(
- nss_dbm_dbt_t *dbt
-);
-
-NSS_EXTERN CK_ULONG
-nss_dbm_db_get_object_attribute_count
-(
- nss_dbm_dbt_t *dbt,
- CK_RV *pError,
- CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_get_object_attribute_types
-(
- nss_dbm_dbt_t *dbt,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount,
- CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_ULONG
-nss_dbm_db_get_object_attribute_size
-(
- nss_dbm_dbt_t *dbt,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError,
- CK_ULONG *pdbrv
-);
-
-NSS_EXTERN NSSItem *
-nss_dbm_db_get_object_attribute
-(
- nss_dbm_dbt_t *dbt,
- NSSArena *arena,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError,
- CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_set_object_attribute
-(
- nss_dbm_dbt_t *dbt,
- CK_ATTRIBUTE_TYPE type,
- NSSItem *value,
- CK_ULONG *pdbrv
-);
-
-#endif /* CKDBM_H */
diff --git a/security/nss/lib/ckfw/dbm/config.mk b/security/nss/lib/ckfw/dbm/config.mk
deleted file mode 100644
index 80b3135f4..000000000
--- a/security/nss/lib/ckfw/dbm/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/ckfw/dbm/db.c b/security/nss/lib/ckfw/dbm/db.c
deleted file mode 100644
index 307c7f21d..000000000
--- a/security/nss/lib/ckfw/dbm/db.c
+++ /dev/null
@@ -1,1065 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-#define PREFIX_METADATA "0000"
-#define PREFIX_OBJECT "0001"
-#define PREFIX_INDEX "0002"
-
-static CK_VERSION nss_dbm_db_format_version = { 1, 0 };
-struct handle {
- char prefix[4];
- CK_ULONG id;
-};
-
-NSS_IMPLEMENT nss_dbm_db_t *
-nss_dbm_db_open
-(
- NSSArena *arena,
- NSSCKFWInstance *fwInstance,
- char *filename,
- int flags,
- CK_RV *pError
-)
-{
- nss_dbm_db_t *rv;
- CK_VERSION db_version;
-
- rv = nss_ZNEW(arena, nss_dbm_db_t);
- if( (nss_dbm_db_t *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (nss_dbm_db_t *)NULL;
- }
-
- rv->db = dbopen(filename, flags, 0600, DB_HASH, (const void *)NULL);
- if( (DB *)NULL == rv->db ) {
- *pError = CKR_TOKEN_NOT_PRESENT;
- return (nss_dbm_db_t *)NULL;
- }
-
- rv->crustylock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == rv->crustylock ) {
- return (nss_dbm_db_t *)NULL;
- }
-
- db_version = nss_dbm_db_get_format_version(rv);
- if( db_version.major != nss_dbm_db_format_version.major ) {
- nss_dbm_db_close(rv);
- *pError = CKR_TOKEN_NOT_RECOGNIZED;
- return (nss_dbm_db_t *)NULL;
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT void
-nss_dbm_db_close
-(
- nss_dbm_db_t *db
-)
-{
- if( (NSSCKFWMutex *)NULL != db->crustylock ) {
- (void)NSSCKFWMutex_Destroy(db->crustylock);
- }
-
- if( (DB *)NULL != db->db ) {
- (void)db->db->close(db->db);
- }
-
- nss_ZFreeIf(db);
-}
-
-NSS_IMPLEMENT CK_VERSION
-nss_dbm_db_get_format_version
-(
- nss_dbm_db_t *db
-)
-{
- CK_VERSION rv;
- DBT k, v;
- int dbrv;
- char buffer[64];
-
- rv.major = rv.minor = 0;
-
- k.data = PREFIX_METADATA "FormatVersion";
- k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
- (void)memset(&v, 0, sizeof(v));
-
- /* Locked region */
- {
- if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
- return rv;
- }
-
- dbrv = db->db->get(db->db, &k, &v, 0);
- if( dbrv == 0 ) {
- CK_ULONG major = 0, minor = 0;
- (void)PR_sscanf(v.data, "%ld.%ld", &major, &minor);
- rv.major = major;
- rv.minor = minor;
- } else if( dbrv > 0 ) {
- (void)PR_snprintf(buffer, sizeof(buffer), "%ld.%ld", nss_dbm_db_format_version.major,
- nss_dbm_db_format_version.minor);
- v.data = buffer;
- v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
- dbrv = db->db->put(db->db, &k, &v, 0);
- (void)db->db->sync(db->db, 0);
- rv = nss_dbm_db_format_version;
- } else {
- /* No error return.. */
- ;
- }
-
- (void)NSSCKFWMutex_Unlock(db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_set_label
-(
- nss_dbm_db_t *db,
- NSSUTF8 *label
-)
-{
- CK_RV rv;
- DBT k, v;
- int dbrv;
-
- k.data = PREFIX_METADATA "Label";
- k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
- v.data = label;
- v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
-
- /* Locked region */
- {
- if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
- return rv;
- }
-
- dbrv = db->db->put(db->db, &k, &v, 0);
- if( 0 != dbrv ) {
- rv = CKR_DEVICE_ERROR;
- }
-
- dbrv = db->db->sync(db->db, 0);
- if( 0 != dbrv ) {
- rv = CKR_DEVICE_ERROR;
- }
-
- (void)NSSCKFWMutex_Unlock(db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nss_dbm_db_get_label
-(
- nss_dbm_db_t *db,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- NSSUTF8 *rv = (NSSUTF8 *)NULL;
- DBT k, v;
- int dbrv;
-
- k.data = PREFIX_METADATA "Label";
- k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
-
- /* Locked region */
- {
- if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
- return rv;
- }
-
- dbrv = db->db->get(db->db, &k, &v, 0);
- if( 0 == dbrv ) {
- rv = nssUTF8_Duplicate((NSSUTF8 *)v.data, arena);
- if( (NSSUTF8 *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- }
- } else if( dbrv > 0 ) {
- /* Just return null */
- ;
- } else {
- *pError = CKR_DEVICE_ERROR;
- ;
- }
-
-
- (void)NSSCKFWMutex_Unlock(db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_delete_object
-(
- nss_dbm_dbt_t *dbt
-)
-{
- CK_RV rv;
- int dbrv;
-
- /* Locked region */
- {
- rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != rv ) {
- return rv;
- }
-
- dbrv = dbt->my_db->db->del(dbt->my_db->db, &dbt->dbt, 0);
- if( 0 != dbrv ) {
- rv = CKR_DEVICE_ERROR;
- goto done;
- }
-
- dbrv = dbt->my_db->db->sync(dbt->my_db->db, 0);
- if( 0 != dbrv ) {
- rv = CKR_DEVICE_ERROR;
- goto done;
- }
-
- done:
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
- }
-
- return rv;
-}
-
-static CK_ULONG
-nss_dbm_db_new_handle
-(
- nss_dbm_db_t *db,
- DBT *dbt, /* pre-allocated */
- CK_RV *pError
-)
-{
- CK_ULONG rv;
- DBT k, v;
- CK_ULONG align = 0, id, myid;
- struct handle *hp;
-
- if( sizeof(struct handle) != dbt->size ) {
- return EINVAL;
- }
-
- /* Locked region */
- {
- *pError = NSSCKFWMutex_Lock(db->crustylock);
- if( CKR_OK != *pError ) {
- return EINVAL;
- }
-
- k.data = PREFIX_METADATA "LastID";
- k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
- (void)memset(&v, 0, sizeof(v));
-
- rv = db->db->get(db->db, &k, &v, 0);
- if( 0 == rv ) {
- (void)memcpy(&align, v.data, sizeof(CK_ULONG));
- id = ntohl(align);
- } else if( rv > 0 ) {
- id = 0;
- } else {
- goto done;
- }
-
- myid = id;
- id++;
- align = htonl(id);
- v.data = &align;
- v.size = sizeof(CK_ULONG);
-
- rv = db->db->put(db->db, &k, &v, 0);
- if( 0 != rv ) {
- goto done;
- }
-
- rv = db->db->sync(db->db, 0);
- if( 0 != rv ) {
- goto done;
- }
-
- done:
- (void)NSSCKFWMutex_Unlock(db->crustylock);
- }
-
- if( 0 != rv ) {
- return rv;
- }
-
- hp = (struct handle *)dbt->data;
- (void)memcpy(&hp->prefix[0], PREFIX_OBJECT, 4);
- hp->id = myid;
-
- return 0;
-}
-
-/*
- * This attribute-type-dependent swapping should probably
- * be in the Framework, because it'll be a concern of just
- * about every Module. Of course any Framework implementation
- * will have to be augmentable or overridable by a Module.
- */
-
-enum swap_type { type_byte, type_short, type_long, type_opaque };
-
-static enum swap_type
-nss_dbm_db_swap_type
-(
- CK_ATTRIBUTE_TYPE type
-)
-{
- switch( type ) {
- case CKA_CLASS: return type_long;
- case CKA_TOKEN: return type_byte;
- case CKA_PRIVATE: return type_byte;
- case CKA_LABEL: return type_opaque;
- case CKA_APPLICATION: return type_opaque;
- case CKA_VALUE: return type_opaque;
- case CKA_CERTIFICATE_TYPE: return type_long;
- case CKA_ISSUER: return type_opaque;
- case CKA_SERIAL_NUMBER: return type_opaque;
- case CKA_KEY_TYPE: return type_long;
- case CKA_SUBJECT: return type_opaque;
- case CKA_ID: return type_opaque;
- case CKA_SENSITIVE: return type_byte;
- case CKA_ENCRYPT: return type_byte;
- case CKA_DECRYPT: return type_byte;
- case CKA_WRAP: return type_byte;
- case CKA_UNWRAP: return type_byte;
- case CKA_SIGN: return type_byte;
- case CKA_SIGN_RECOVER: return type_byte;
- case CKA_VERIFY: return type_byte;
- case CKA_VERIFY_RECOVER: return type_byte;
- case CKA_DERIVE: return type_byte;
- case CKA_START_DATE: return type_opaque;
- case CKA_END_DATE: return type_opaque;
- case CKA_MODULUS: return type_opaque;
- case CKA_MODULUS_BITS: return type_long;
- case CKA_PUBLIC_EXPONENT: return type_opaque;
- case CKA_PRIVATE_EXPONENT: return type_opaque;
- case CKA_PRIME_1: return type_opaque;
- case CKA_PRIME_2: return type_opaque;
- case CKA_EXPONENT_1: return type_opaque;
- case CKA_EXPONENT_2: return type_opaque;
- case CKA_COEFFICIENT: return type_opaque;
- case CKA_PRIME: return type_opaque;
- case CKA_SUBPRIME: return type_opaque;
- case CKA_BASE: return type_opaque;
- case CKA_VALUE_BITS: return type_long;
- case CKA_VALUE_LEN: return type_long;
- case CKA_EXTRACTABLE: return type_byte;
- case CKA_LOCAL: return type_byte;
- case CKA_NEVER_EXTRACTABLE: return type_byte;
- case CKA_ALWAYS_SENSITIVE: return type_byte;
- case CKA_MODIFIABLE: return type_byte;
- case CKA_NETSCAPE_URL: return type_opaque;
- case CKA_NETSCAPE_EMAIL: return type_opaque;
- case CKA_NETSCAPE_SMIME_INFO: return type_opaque;
- case CKA_NETSCAPE_SMIME_TIMESTAMP: return type_opaque;
- case CKA_NETSCAPE_PKCS8_SALT: return type_opaque;
- case CKA_NETSCAPE_PASSWORD_CHECK: return type_opaque;
- case CKA_NETSCAPE_EXPIRES: return type_opaque;
- case CKA_TRUST_DIGITAL_SIGNATURE: return type_long;
- case CKA_TRUST_NON_REPUDIATION: return type_long;
- case CKA_TRUST_KEY_ENCIPHERMENT: return type_long;
- case CKA_TRUST_DATA_ENCIPHERMENT: return type_long;
- case CKA_TRUST_KEY_AGREEMENT: return type_long;
- case CKA_TRUST_KEY_CERT_SIGN: return type_long;
- case CKA_TRUST_CRL_SIGN: return type_long;
- case CKA_TRUST_SERVER_AUTH: return type_long;
- case CKA_TRUST_CLIENT_AUTH: return type_long;
- case CKA_TRUST_CODE_SIGNING: return type_long;
- case CKA_TRUST_EMAIL_PROTECTION: return type_long;
- case CKA_TRUST_IPSEC_END_SYSTEM: return type_long;
- case CKA_TRUST_IPSEC_TUNNEL: return type_long;
- case CKA_TRUST_IPSEC_USER: return type_long;
- case CKA_TRUST_TIME_STAMPING: return type_long;
- case CKA_NETSCAPE_DB: return type_opaque;
- case CKA_NETSCAPE_TRUST: return type_opaque;
- default: return type_opaque;
- }
-}
-
-static void
-nss_dbm_db_swap_copy
-(
- CK_ATTRIBUTE_TYPE type,
- void *dest,
- void *src,
- CK_ULONG len
-)
-{
- switch( nss_dbm_db_swap_type(type) ) {
- case type_byte:
- case type_opaque:
- (void)memcpy(dest, src, len);
- break;
- case type_short:
- {
- CK_USHORT s, d;
- (void)memcpy(&s, src, sizeof(CK_USHORT));
- d = htons(s);
- (void)memcpy(dest, &d, sizeof(CK_USHORT));
- break;
- }
- case type_long:
- {
- CK_ULONG s, d;
- (void)memcpy(&s, src, sizeof(CK_ULONG));
- d = htonl(s);
- (void)memcpy(dest, &d, sizeof(CK_ULONG));
- break;
- }
- }
-}
-
-static CK_RV
-nss_dbm_db_wrap_object
-(
- NSSArena *arena,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- DBT *object
-)
-{
- CK_ULONG object_size;
- CK_ULONG i;
- CK_ULONG *pulData;
- char *pcData;
- CK_ULONG offset;
-
- object_size = (1 + ulAttributeCount*3) * sizeof(CK_ULONG);
- offset = object_size;
- for( i = 0; i < ulAttributeCount; i++ ) {
- object_size += pTemplate[i].ulValueLen;
- }
-
- object->size = object_size;
- object->data = nss_ZAlloc(arena, object_size);
- if( (void *)NULL == object->data ) {
- return CKR_HOST_MEMORY;
- }
-
- pulData = (CK_ULONG *)object->data;
- pcData = (char *)object->data;
-
- pulData[0] = htonl(ulAttributeCount);
- for( i = 0; i < ulAttributeCount; i++ ) {
- CK_ULONG len = pTemplate[i].ulValueLen;
- pulData[1 + i*3] = htonl(pTemplate[i].type);
- pulData[2 + i*3] = htonl(len);
- pulData[3 + i*3] = htonl(offset);
- nss_dbm_db_swap_copy(pTemplate[i].type, &pcData[offset], pTemplate[i].pValue, len);
- offset += len;
- }
-
- return CKR_OK;
-}
-
-static CK_RV
-nss_dbm_db_unwrap_object
-(
- NSSArena *arena,
- DBT *object,
- CK_ATTRIBUTE_PTR *ppTemplate,
- CK_ULONG *pulAttributeCount
-)
-{
- CK_ULONG *pulData;
- char *pcData;
- CK_ULONG n, i;
- CK_ATTRIBUTE_PTR pTemplate;
-
- pulData = (CK_ULONG *)object->data;
- pcData = (char *)object->data;
-
- n = ntohl(pulData[0]);
- *pulAttributeCount = n;
- pTemplate = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, n);
- if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
- return CKR_HOST_MEMORY;
- }
-
- for( i = 0; i < n; i++ ) {
- CK_ULONG len;
- CK_ULONG offset;
- void *p;
-
- pTemplate[i].type = ntohl(pulData[1 + i*3]);
- len = ntohl(pulData[2 + i*3]);
- offset = ntohl(pulData[3 + i*3]);
-
- p = nss_ZAlloc(arena, len);
- if( (void *)NULL == p ) {
- return CKR_HOST_MEMORY;
- }
-
- nss_dbm_db_swap_copy(pTemplate[i].type, p, &pcData[offset], len);
- pTemplate[i].ulValueLen = len;
- pTemplate[i].pValue = p;
- }
-
- *ppTemplate = pTemplate;
- return CKR_OK;
-}
-
-
-NSS_IMPLEMENT nss_dbm_dbt_t *
-nss_dbm_db_create_object
-(
- NSSArena *arena,
- nss_dbm_db_t *db,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError,
- CK_ULONG *pdbrv
-)
-{
- NSSArena *tmparena = (NSSArena *)NULL;
- nss_dbm_dbt_t *rv = (nss_dbm_dbt_t *)NULL;
- DBT object;
-
- rv = nss_ZNEW(arena, nss_dbm_dbt_t);
- if( (nss_dbm_dbt_t *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (nss_dbm_dbt_t *)NULL;
- }
-
- rv->my_db = db;
- rv->dbt.size = sizeof(struct handle);
- rv->dbt.data = nss_ZAlloc(arena, rv->dbt.size);
- if( (void *)NULL == rv->dbt.data ) {
- *pError = CKR_HOST_MEMORY;
- return (nss_dbm_dbt_t *)NULL;
- }
-
- *pdbrv = nss_dbm_db_new_handle(db, &rv->dbt, pError);
- if( 0 != *pdbrv ) {
- return (nss_dbm_dbt_t *)NULL;
- }
-
- tmparena = NSSArena_Create();
- if( (NSSArena *)NULL == tmparena ) {
- *pError = CKR_HOST_MEMORY;
- return (nss_dbm_dbt_t *)NULL;
- }
-
- *pError = nss_dbm_db_wrap_object(tmparena, pTemplate, ulAttributeCount, &object);
- if( CKR_OK != *pError ) {
- return (nss_dbm_dbt_t *)NULL;
- }
-
- /* Locked region */
- {
- *pError = NSSCKFWMutex_Lock(db->crustylock);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
- *pdbrv = db->db->put(db->db, &rv->dbt, &object, 0);
- if( 0 != *pdbrv ) {
- *pError = CKR_DEVICE_ERROR;
- }
-
- (void)db->db->sync(db->db, 0);
-
- (void)NSSCKFWMutex_Unlock(db->crustylock);
- }
-
- loser:
- if( (NSSArena *)NULL != tmparena ) {
- (void)NSSArena_Destroy(tmparena);
- }
-
- return rv;
-}
-
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_find_objects
-(
- nss_dbm_find_t *find,
- nss_dbm_db_t *db,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_ULONG *pdbrv
-)
-{
- CK_RV rv = CKR_OK;
-
- if( (nss_dbm_db_t *)NULL != db ) {
- DBT k, v;
-
- rv = NSSCKFWMutex_Lock(db->crustylock);
- if( CKR_OK != rv ) {
- return rv;
- }
-
- *pdbrv = db->db->seq(db->db, &k, &v, R_FIRST);
- while( 0 == *pdbrv ) {
- CK_ULONG i, j;
- NSSArena *tmparena = (NSSArena *)NULL;
- CK_ULONG ulac;
- CK_ATTRIBUTE_PTR pt;
-
- if( (k.size < 4) || (0 != memcmp(k.data, PREFIX_OBJECT, 4)) ) {
- goto nomatch;
- }
-
- tmparena = NSSArena_Create();
-
- rv = nss_dbm_db_unwrap_object(tmparena, &v, &pt, &ulac);
- if( CKR_OK != rv ) {
- goto loser;
- }
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- for( j = 0; j < ulac; j++ ) {
- if( pTemplate[i].type == pt[j].type ) {
- if( pTemplate[i].ulValueLen != pt[j].ulValueLen ) {
- goto nomatch;
- }
- if( 0 != memcmp(pTemplate[i].pValue, pt[j].pValue, pt[j].ulValueLen) ) {
- goto nomatch;
- }
- break;
- }
- }
- if( j == ulac ) {
- goto nomatch;
- }
- }
-
- /* entire template matches */
- {
- struct nss_dbm_dbt_node *node;
-
- node = nss_ZNEW(find->arena, struct nss_dbm_dbt_node);
- if( (struct nss_dbm_dbt_node *)NULL == node ) {
- rv = CKR_HOST_MEMORY;
- goto loser;
- }
-
- node->dbt = nss_ZNEW(find->arena, nss_dbm_dbt_t);
- if( (nss_dbm_dbt_t *)NULL == node->dbt ) {
- rv = CKR_HOST_MEMORY;
- goto loser;
- }
-
- node->dbt->dbt.size = k.size;
- node->dbt->dbt.data = nss_ZAlloc(find->arena, k.size);
- if( (void *)NULL == node->dbt->dbt.data ) {
- rv = CKR_HOST_MEMORY;
- goto loser;
- }
-
- (void)memcpy(node->dbt->dbt.data, k.data, k.size);
-
- node->dbt->my_db = db;
-
- node->next = find->found;
- find->found = node;
- }
-
- nomatch:
- if( (NSSArena *)NULL != tmparena ) {
- (void)NSSArena_Destroy(tmparena);
- }
- *pdbrv = db->db->seq(db->db, &k, &v, R_NEXT);
- }
-
- if( *pdbrv < 0 ) {
- rv = CKR_DEVICE_ERROR;
- goto loser;
- }
-
- rv = CKR_OK;
-
- loser:
- (void)NSSCKFWMutex_Unlock(db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_BBOOL
-nss_dbm_db_object_still_exists
-(
- nss_dbm_dbt_t *dbt
-)
-{
- CK_BBOOL rv;
- CK_RV ckrv;
- int dbrv;
- DBT object;
-
- ckrv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != ckrv ) {
- return CK_FALSE;
- }
-
- dbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 == dbrv ) {
- rv = CK_TRUE;
- } else {
- rv = CK_FALSE;
- }
-
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_ULONG
-nss_dbm_db_get_object_attribute_count
-(
- nss_dbm_dbt_t *dbt,
- CK_RV *pError,
- CK_ULONG *pdbrv
-)
-{
- CK_ULONG rv = 0;
- DBT object;
- CK_ULONG *pulData;
-
- /* Locked region */
- {
- *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != *pError ) {
- return rv;
- }
-
- *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 == *pdbrv ) {
- ;
- } else if( *pdbrv > 0 ) {
- *pError = CKR_OBJECT_HANDLE_INVALID;
- goto done;
- } else {
- *pError = CKR_DEVICE_ERROR;
- goto done;
- }
-
- pulData = (CK_ULONG *)object.data;
- rv = ntohl(pulData[0]);
-
- done:
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_get_object_attribute_types
-(
- nss_dbm_dbt_t *dbt,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount,
- CK_ULONG *pdbrv
-)
-{
- CK_RV rv = CKR_OK;
- DBT object;
- CK_ULONG *pulData;
- CK_ULONG n, i;
-
- /* Locked region */
- {
- rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != rv ) {
- return rv;
- }
-
- *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 == *pdbrv ) {
- ;
- } else if( *pdbrv > 0 ) {
- rv = CKR_OBJECT_HANDLE_INVALID;
- goto done;
- } else {
- rv = CKR_DEVICE_ERROR;
- goto done;
- }
-
- pulData = (CK_ULONG *)object.data;
- n = ntohl(pulData[0]);
-
- if( ulCount < n ) {
- rv = CKR_BUFFER_TOO_SMALL;
- goto done;
- }
-
- for( i = 0; i < n; i++ ) {
- typeArray[i] = ntohl(pulData[1 + i*3]);
- }
-
- done:
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_ULONG
-nss_dbm_db_get_object_attribute_size
-(
- nss_dbm_dbt_t *dbt,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError,
- CK_ULONG *pdbrv
-)
-{
- CK_ULONG rv = 0;
- DBT object;
- CK_ULONG *pulData;
- CK_ULONG n, i;
-
- /* Locked region */
- {
- *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != *pError ) {
- return rv;
- }
-
- *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 == *pdbrv ) {
- ;
- } else if( *pdbrv > 0 ) {
- *pError = CKR_OBJECT_HANDLE_INVALID;
- goto done;
- } else {
- *pError = CKR_DEVICE_ERROR;
- goto done;
- }
-
- pulData = (CK_ULONG *)object.data;
- n = ntohl(pulData[0]);
-
- for( i = 0; i < n; i++ ) {
- if( type == ntohl(pulData[1 + i*3]) ) {
- rv = ntohl(pulData[2 + i*3]);
- }
- }
-
- if( i == n ) {
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- goto done;
- }
-
- done:
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT NSSItem *
-nss_dbm_db_get_object_attribute
-(
- nss_dbm_dbt_t *dbt,
- NSSArena *arena,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError,
- CK_ULONG *pdbrv
-)
-{
- NSSItem *rv = (NSSItem *)NULL;
- DBT object;
- CK_ULONG i;
- NSSArena *tmp = NSSArena_Create();
- CK_ATTRIBUTE_PTR pTemplate;
- CK_ULONG ulAttributeCount;
-
- /* Locked region */
- {
- *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
- *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 == *pdbrv ) {
- ;
- } else if( *pdbrv > 0 ) {
- *pError = CKR_OBJECT_HANDLE_INVALID;
- goto done;
- } else {
- *pError = CKR_DEVICE_ERROR;
- goto done;
- }
-
- *pError = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
- if( CKR_OK != *pError ) {
- goto done;
- }
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( type == pTemplate[i].type ) {
- rv = nss_ZNEW(arena, NSSItem);
- if( (NSSItem *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- goto done;
- }
- rv->size = pTemplate[i].ulValueLen;
- rv->data = nss_ZAlloc(arena, rv->size);
- if( (void *)NULL == rv->data ) {
- *pError = CKR_HOST_MEMORY;
- goto done;
- }
- (void)memcpy(rv->data, pTemplate[i].pValue, rv->size);
- break;
- }
- }
- if( ulAttributeCount == i ) {
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- goto done;
- }
-
- done:
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
- }
-
- loser:
- if( (NSSArena *)NULL != tmp ) {
- NSSArena_Destroy(tmp);
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_set_object_attribute
-(
- nss_dbm_dbt_t *dbt,
- CK_ATTRIBUTE_TYPE type,
- NSSItem *value,
- CK_ULONG *pdbrv
-)
-{
- CK_RV rv = CKR_OK;
- DBT object;
- CK_ULONG i;
- NSSArena *tmp = NSSArena_Create();
- CK_ATTRIBUTE_PTR pTemplate;
- CK_ULONG ulAttributeCount;
-
- /* Locked region */
- {
- rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
- if( CKR_OK != rv ) {
- goto loser;
- }
-
- *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 == *pdbrv ) {
- ;
- } else if( *pdbrv > 0 ) {
- rv = CKR_OBJECT_HANDLE_INVALID;
- goto done;
- } else {
- rv = CKR_DEVICE_ERROR;
- goto done;
- }
-
- rv = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
- if( CKR_OK != rv ) {
- goto done;
- }
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( type == pTemplate[i].type ) {
- /* Replacing an existing attribute */
- pTemplate[i].ulValueLen = value->size;
- pTemplate[i].pValue = value->data;
- break;
- }
- }
-
- if( i == ulAttributeCount ) {
- /* Adding a new attribute */
- CK_ATTRIBUTE_PTR npt = nss_ZNEWARRAY(tmp, CK_ATTRIBUTE, ulAttributeCount+1);
- if( (CK_ATTRIBUTE_PTR)NULL == npt ) {
- rv = CKR_DEVICE_ERROR;
- goto done;
- }
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- npt[i] = pTemplate[i];
- }
-
- npt[ulAttributeCount].type = type;
- npt[ulAttributeCount].ulValueLen = value->size;
- npt[ulAttributeCount].pValue = value->data;
-
- pTemplate = npt;
- ulAttributeCount++;
- }
-
- rv = nss_dbm_db_wrap_object(tmp, pTemplate, ulAttributeCount, &object);
- if( CKR_OK != rv ) {
- goto done;
- }
-
- *pdbrv = dbt->my_db->db->put(dbt->my_db->db, &dbt->dbt, &object, 0);
- if( 0 != *pdbrv ) {
- rv = CKR_DEVICE_ERROR;
- goto done;
- }
-
- (void)dbt->my_db->db->sync(dbt->my_db->db, 0);
-
- done:
- (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
- }
-
- loser:
- if( (NSSArena *)NULL != tmp ) {
- NSSArena_Destroy(tmp);
- }
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/find.c b/security/nss/lib/ckfw/dbm/find.c
deleted file mode 100644
index 81fe5d8fb..000000000
--- a/security/nss/lib/ckfw/dbm/find.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static void
-nss_dbm_mdFindObjects_Final
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
-
- /* Locks might have system resources associated */
- (void)NSSCKFWMutex_Destroy(find->list_lock);
- (void)NSSArena_Destroy(find->arena);
-}
-
-
-static NSSCKMDObject *
-nss_dbm_mdFindObjects_Next
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
- struct nss_dbm_dbt_node *node;
- nss_dbm_object_t *object;
- NSSCKMDObject *rv;
-
- while(1) {
- /* Lock */
- {
- *pError = NSSCKFWMutex_Lock(find->list_lock);
- if( CKR_OK != *pError ) {
- return (NSSCKMDObject *)NULL;
- }
-
- node = find->found;
- if( (struct nss_dbm_dbt_node *)NULL != node ) {
- find->found = node->next;
- }
-
- *pError = NSSCKFWMutex_Unlock(find->list_lock);
- if( CKR_OK != *pError ) {
- /* screwed now */
- return (NSSCKMDObject *)NULL;
- }
- }
-
- if( (struct nss_dbm_dbt_node *)NULL == node ) {
- break;
- }
-
- if( nss_dbm_db_object_still_exists(node->dbt) ) {
- break;
- }
- }
-
- if( (struct nss_dbm_dbt_node *)NULL == node ) {
- *pError = CKR_OK;
- return (NSSCKMDObject *)NULL;
- }
-
- object = nss_ZNEW(arena, nss_dbm_object_t);
- if( (nss_dbm_object_t *)NULL == object ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
-
- object->arena = arena;
- object->handle = nss_ZNEW(arena, nss_dbm_dbt_t);
- if( (nss_dbm_dbt_t *)NULL == object->handle ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
-
- object->handle->my_db = node->dbt->my_db;
- object->handle->dbt.size = node->dbt->dbt.size;
- object->handle->dbt.data = nss_ZAlloc(arena, node->dbt->dbt.size);
- if( (void *)NULL == object->handle->dbt.data ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
-
- (void)memcpy(object->handle->dbt.data, node->dbt->dbt.data, node->dbt->dbt.size);
-
- rv = nss_dbm_mdObject_factory(object, pError);
- if( (NSSCKMDObject *)NULL == rv ) {
- return (NSSCKMDObject *)NULL;
- }
-
- return rv;
-}
-
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nss_dbm_mdFindObjects_factory
-(
- nss_dbm_find_t *find,
- CK_RV *pError
-)
-{
- NSSCKMDFindObjects *rv;
-
- rv = nss_ZNEW(find->arena, NSSCKMDFindObjects);
- if( (NSSCKMDFindObjects *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDFindObjects *)NULL;
- }
-
- rv->etc = (void *)find;
- rv->Final = nss_dbm_mdFindObjects_Final;
- rv->Next = nss_dbm_mdFindObjects_Next;
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/instance.c b/security/nss/lib/ckfw/dbm/instance.c
deleted file mode 100644
index 70681803f..000000000
--- a/security/nss/lib/ckfw/dbm/instance.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static CK_RV
-nss_dbm_mdInstance_Initialize
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSUTF8 *configurationData
-)
-{
- CK_RV rv = CKR_OK;
- NSSArena *arena;
- nss_dbm_instance_t *instance;
-
- arena = NSSCKFWInstance_GetArena(fwInstance, &rv);
- if( ((NSSArena *)NULL == arena) && (CKR_OK != rv) ) {
- return rv;
- }
-
- instance = nss_ZNEW(arena, nss_dbm_instance_t);
- if( (nss_dbm_instance_t *)NULL == instance ) {
- return CKR_HOST_MEMORY;
- }
-
- instance->arena = arena;
-
- /*
- * This should parse the configuration data for information on
- * number and locations of databases, modes (e.g. readonly), etc.
- * But for now, we'll have one slot with a creatable read-write
- * database called "cert8.db."
- */
-
- instance->nSlots = 1;
- instance->filenames = nss_ZNEWARRAY(arena, char *, instance->nSlots);
- if( (char **)NULL == instance->filenames ) {
- return CKR_HOST_MEMORY;
- }
-
- instance->flags = nss_ZNEWARRAY(arena, int, instance->nSlots);
- if( (int *)NULL == instance->flags ) {
- return CKR_HOST_MEMORY;
- }
-
- instance->filenames[0] = "cert8.db";
- instance->flags[0] = O_RDWR|O_CREAT;
-
- mdInstance->etc = (void *)instance;
- return CKR_OK;
-}
-
-/* nss_dbm_mdInstance_Finalize is not required */
-
-static CK_ULONG
-nss_dbm_mdInstance_GetNSlots
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
- return instance->nSlots;
-}
-
-static CK_VERSION
-nss_dbm_mdInstance_GetCryptokiVersion
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- static CK_VERSION rv = { 2, 1 };
- return rv;
-}
-
-static NSSUTF8 *
-nss_dbm_mdInstance_GetManufacturerID
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return "Netscape Communications Corp.";
-}
-
-static NSSUTF8 *
-nss_dbm_mdInstance_GetLibraryDescription
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return "Berkeley Database Module";
-}
-
-static CK_VERSION
-nss_dbm_mdInstance_GetLibraryVersion
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- static CK_VERSION rv = { 1, 0 }; /* My own version number */
- return rv;
-}
-
-static CK_BBOOL
-nss_dbm_mdInstance_ModuleHandlesSessionObjects
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return CK_TRUE;
-}
-
-static CK_RV
-nss_dbm_mdInstance_GetSlots
-(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDSlot *slots[]
-)
-{
- nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
- CK_ULONG i;
- CK_RV rv = CKR_OK;
-
- for( i = 0; i < instance->nSlots; i++ ) {
- slots[i] = nss_dbm_mdSlot_factory(instance, instance->filenames[i],
- instance->flags[i], &rv);
- if( (NSSCKMDSlot *)NULL == slots[i] ) {
- return rv;
- }
- }
-
- return rv;
-}
-
-/* nss_dbm_mdInstance_WaitForSlotEvent is not relevant */
-
-NSS_IMPLEMENT_DATA NSSCKMDInstance
-nss_dbm_mdInstance = {
- NULL, /* etc; filled in later */
- nss_dbm_mdInstance_Initialize,
- NULL, /* nss_dbm_mdInstance_Finalize */
- nss_dbm_mdInstance_GetNSlots,
- nss_dbm_mdInstance_GetCryptokiVersion,
- nss_dbm_mdInstance_GetManufacturerID,
- nss_dbm_mdInstance_GetLibraryDescription,
- nss_dbm_mdInstance_GetLibraryVersion,
- nss_dbm_mdInstance_ModuleHandlesSessionObjects,
- nss_dbm_mdInstance_GetSlots,
- NULL, /* nss_dbm_mdInstance_WaitForSlotEvent */
- NULL /* terminator */
-};
diff --git a/security/nss/lib/ckfw/dbm/manifest.mn b/security/nss/lib/ckfw/dbm/manifest.mn
deleted file mode 100644
index 193e46bef..000000000
--- a/security/nss/lib/ckfw/dbm/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-CORE_DEPTH = ../../../..
-
-MODULE = security
-
-CSRCS = \
- anchor.c \
- instance.c \
- slot.c \
- token.c \
- session.c \
- object.c \
- find.c \
- db.c \
- $(NULL)
-
-REQUIRES = security dbm nspr
-
-LIBRARY_NAME = nssckdbm
-
-EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -ldbm -lnspr4 -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/dbm/object.c b/security/nss/lib/ckfw/dbm/object.c
deleted file mode 100644
index 2bd7578fd..000000000
--- a/security/nss/lib/ckfw/dbm/object.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static void
-nss_dbm_mdObject_Finalize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- ;
-}
-
-static CK_RV
-nss_dbm_mdObject_Destroy
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
- return nss_dbm_db_delete_object(object->handle);
-}
-
-static CK_ULONG
-nss_dbm_mdObject_GetAttributeCount
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- return nss_dbm_db_get_object_attribute_count(object->handle, pError,
- &session->deviceError);
-}
-
-static CK_RV
-nss_dbm_mdObject_GetAttributeTypes
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-)
-{
- nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- return nss_dbm_db_get_object_attribute_types(object->handle, typeArray,
- ulCount, &session->deviceError);
-}
-
-static CK_ULONG
-nss_dbm_mdObject_GetAttributeSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- return nss_dbm_db_get_object_attribute_size(object->handle, attribute, pError,
- &session->deviceError);
-}
-
-static NSSItem *
-nss_dbm_mdObject_GetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- return nss_dbm_db_get_object_attribute(object->handle, object->arena, attribute,
- pError, &session->deviceError);
-}
-
-static CK_RV
-nss_dbm_mdObject_SetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value
-)
-{
- nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- return nss_dbm_db_set_object_attribute(object->handle, attribute, value,
- &session->deviceError);
-}
-
-NSS_IMPLEMENT NSSCKMDObject *
-nss_dbm_mdObject_factory
-(
- nss_dbm_object_t *object,
- CK_RV *pError
-)
-{
- NSSCKMDObject *rv;
-
- rv = nss_ZNEW(object->arena, NSSCKMDObject);
- if( (NSSCKMDObject *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
-
- rv->etc = (void *)object;
- rv->Finalize = nss_dbm_mdObject_Finalize;
- rv->Destroy = nss_dbm_mdObject_Destroy;
- /* IsTokenObject can be deferred */
- rv->GetAttributeCount = nss_dbm_mdObject_GetAttributeCount;
- rv->GetAttributeTypes = nss_dbm_mdObject_GetAttributeTypes;
- rv->GetAttributeSize = nss_dbm_mdObject_GetAttributeSize;
- rv->GetAttribute = nss_dbm_mdObject_GetAttribute;
- rv->SetAttribute = nss_dbm_mdObject_SetAttribute;
- /* GetObjectSize can be deferred */
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/session.c b/security/nss/lib/ckfw/dbm/session.c
deleted file mode 100644
index c0969d948..000000000
--- a/security/nss/lib/ckfw/dbm/session.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static void
-nss_dbm_mdSession_Close
-(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-
- struct nss_dbm_dbt_node *w;
-
- /* Lock */
- {
- if( CKR_OK != NSSCKFWMutex_Lock(session->list_lock) ) {
- return;
- }
-
- w = session->session_objects;
- session->session_objects = (struct nss_dbm_dbt_node *)NULL; /* sanity */
-
- (void)NSSCKFWMutex_Unlock(session->list_lock);
- }
-
- for( ; (struct nss_dbm_dbt_node *)NULL != w; w = w->next ) {
- (void)nss_dbm_db_delete_object(w->dbt);
- }
-}
-
-static CK_ULONG
-nss_dbm_mdSession_GetDeviceError
-(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- return session->deviceError;
-}
-
-/* Login isn't needed */
-/* Logout isn't needed */
-/* InitPIN is irrelevant */
-/* SetPIN is irrelevant */
-/* GetOperationStateLen is irrelevant */
-/* GetOperationState is irrelevant */
-/* SetOperationState is irrelevant */
-
-static NSSCKMDObject *
-nss_dbm_mdSession_CreateObject
-(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *handyArenaPointer,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
- CK_ULONG i;
- CK_BBOOL isToken = CK_FALSE; /* defaults to false */
- NSSCKMDObject *rv;
- struct nss_dbm_dbt_node *node = (struct nss_dbm_dbt_node *)NULL;
- nss_dbm_object_t *object;
- nss_dbm_db_t *which_db;
-
- /* This framework should really pass this to me */
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( CKA_TOKEN == pTemplate[i].type ) {
- isToken = *(CK_BBOOL *)pTemplate[i].pValue;
- break;
- }
- }
-
- object = nss_ZNEW(handyArenaPointer, nss_dbm_object_t);
- if( (nss_dbm_object_t *)NULL == object ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
-
- object->arena = handyArenaPointer;
- which_db = isToken ? token->slot->token_db : token->session_db;
-
- /* Do this before the actual database call; it's easier to recover from */
- rv = nss_dbm_mdObject_factory(object, pError);
- if( (NSSCKMDObject *)NULL == rv ) {
- return (NSSCKMDObject *)NULL;
- }
-
- if( CK_FALSE == isToken ) {
- node = nss_ZNEW(session->arena, struct nss_dbm_dbt_node);
- if( (struct nss_dbm_dbt_node *)NULL == node ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
- }
- }
-
- object->handle = nss_dbm_db_create_object(handyArenaPointer, which_db,
- pTemplate, ulAttributeCount,
- pError, &session->deviceError);
- if( (nss_dbm_dbt_t *)NULL == object->handle ) {
- return (NSSCKMDObject *)NULL;
- }
-
- if( CK_FALSE == isToken ) {
- node->dbt = object->handle;
- /* Lock */
- {
- *pError = NSSCKFWMutex_Lock(session->list_lock);
- if( CKR_OK != *pError ) {
- (void)nss_dbm_db_delete_object(object->handle);
- return (NSSCKMDObject *)NULL;
- }
-
- node->next = session->session_objects;
- session->session_objects = node;
-
- *pError = NSSCKFWMutex_Unlock(session->list_lock);
- }
- }
-
- return rv;
-}
-
-/* CopyObject isn't needed; the framework will use CreateObject */
-
-static NSSCKMDFindObjects *
-nss_dbm_mdSession_FindObjectsInit
-(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
- NSSArena *arena;
- nss_dbm_find_t *find;
- NSSCKMDFindObjects *rv;
-
- arena = NSSArena_Create();
- if( (NSSArena *)NULL == arena ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- find = nss_ZNEW(arena, nss_dbm_find_t);
- if( (nss_dbm_find_t *)NULL == find ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- find->arena = arena;
- find->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == find->list_lock ) {
- goto loser;
- }
-
- *pError = nss_dbm_db_find_objects(find, token->slot->token_db, pTemplate,
- ulAttributeCount, &session->deviceError);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
- *pError = nss_dbm_db_find_objects(find, token->session_db, pTemplate,
- ulAttributeCount, &session->deviceError);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
- rv = nss_dbm_mdFindObjects_factory(find, pError);
- if( (NSSCKMDFindObjects *)NULL == rv ) {
- goto loser;
- }
-
- return rv;
-
- loser:
- if( (NSSArena *)NULL != arena ) {
- (void)NSSArena_Destroy(arena);
- }
-
- return (NSSCKMDFindObjects *)NULL;
-}
-
-/* SeedRandom is irrelevant */
-/* GetRandom is irrelevant */
-
-NSS_IMPLEMENT NSSCKMDSession *
-nss_dbm_mdSession_factory
-(
- nss_dbm_token_t *token,
- NSSCKFWSession *fwSession,
- NSSCKFWInstance *fwInstance,
- CK_BBOOL rw,
- CK_RV *pError
-)
-{
- NSSArena *arena;
- nss_dbm_session_t *session;
- NSSCKMDSession *rv;
-
- arena = NSSCKFWSession_GetArena(fwSession, pError);
-
- session = nss_ZNEW(arena, nss_dbm_session_t);
- if( (nss_dbm_session_t *)NULL == session ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDSession *)NULL;
- }
-
- rv = nss_ZNEW(arena, NSSCKMDSession);
- if( (NSSCKMDSession *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDSession *)NULL;
- }
-
- session->arena = arena;
- session->token = token;
- session->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == session->list_lock ) {
- return (NSSCKMDSession *)NULL;
- }
-
- rv->etc = (void *)session;
- rv->Close = nss_dbm_mdSession_Close;
- rv->GetDeviceError = nss_dbm_mdSession_GetDeviceError;
- /* Login isn't needed */
- /* Logout isn't needed */
- /* InitPIN is irrelevant */
- /* SetPIN is irrelevant */
- /* GetOperationStateLen is irrelevant */
- /* GetOperationState is irrelevant */
- /* SetOperationState is irrelevant */
- rv->CreateObject = nss_dbm_mdSession_CreateObject;
- /* CopyObject isn't needed; the framework will use CreateObject */
- rv->FindObjectsInit = nss_dbm_mdSession_FindObjectsInit;
- rv->null = NULL;
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/slot.c b/security/nss/lib/ckfw/dbm/slot.c
deleted file mode 100644
index 40898897a..000000000
--- a/security/nss/lib/ckfw/dbm/slot.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static CK_RV
-nss_dbm_mdSlot_Initialize
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
- nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
- CK_RV rv = CKR_OK;
-
- slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, slot->filename,
- slot->flags, &rv);
- if( (nss_dbm_db_t *)NULL == slot->token_db ) {
- if( CKR_TOKEN_NOT_PRESENT == rv ) {
- /* This is not an error-- just means "the token isn't there" */
- rv = CKR_OK;
- }
- }
-
- return rv;
-}
-
-static void
-nss_dbm_mdSlot_Destroy
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
-
- if( (nss_dbm_db_t *)NULL != slot->token_db ) {
- nss_dbm_db_close(slot->token_db);
- slot->token_db = (nss_dbm_db_t *)NULL;
- }
-}
-
-static NSSUTF8 *
-nss_dbm_mdSlot_GetSlotDescription
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return "Database";
-}
-
-static NSSUTF8 *
-nss_dbm_mdSlot_GetManufacturerID
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return "Berkeley";
-}
-
-static CK_BBOOL
-nss_dbm_mdSlot_GetTokenPresent
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
-
- if( (nss_dbm_db_t *)NULL == slot->token_db ) {
- return CK_FALSE;
- } else {
- return CK_TRUE;
- }
-}
-
-static CK_BBOOL
-nss_dbm_mdSlot_GetRemovableDevice
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- /*
- * Well, this supports "tokens" (databases) that aren't there, so in
- * that sense they're removable. It'd be nice to handle databases
- * that suddenly disappear (NFS-mounted home directories and network
- * errors, for instance) but that's a harder problem. We'll say
- * we support removable devices, badly.
- */
-
- return CK_TRUE;
-}
-
-/* nss_dbm_mdSlot_GetHardwareSlot defaults to CK_FALSE */
-/*
- * nss_dbm_mdSlot_GetHardwareVersion
- * nss_dbm_mdSlot_GetFirmwareVersion
- *
- * These are kinda fuzzy concepts here. I suppose we could return the
- * Berkeley DB version for one of them, if we had an actual number we
- * were confident in. But mcom's "dbm" has been hacked enough that I
- * don't really know from what "real" version it stems..
- */
-
-static NSSCKMDToken *
-nss_dbm_mdSlot_GetToken
-(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
- return nss_dbm_mdToken_factory(slot, pError);
-}
-
-NSS_IMPLEMENT NSSCKMDSlot *
-nss_dbm_mdSlot_factory
-(
- nss_dbm_instance_t *instance,
- char *filename,
- int flags,
- CK_RV *pError
-)
-{
- nss_dbm_slot_t *slot;
- NSSCKMDSlot *rv;
-
- slot = nss_ZNEW(instance->arena, nss_dbm_slot_t);
- if( (nss_dbm_slot_t *)NULL == slot ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDSlot *)NULL;
- }
-
- slot->instance = instance;
- slot->filename = filename;
- slot->flags = flags;
- slot->token_db = (nss_dbm_db_t *)NULL;
-
- rv = nss_ZNEW(instance->arena, NSSCKMDSlot);
- if( (NSSCKMDSlot *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDSlot *)NULL;
- }
-
- rv->etc = (void *)slot;
- rv->Initialize = nss_dbm_mdSlot_Initialize;
- rv->Destroy = nss_dbm_mdSlot_Destroy;
- rv->GetSlotDescription = nss_dbm_mdSlot_GetSlotDescription;
- rv->GetManufacturerID = nss_dbm_mdSlot_GetManufacturerID;
- rv->GetTokenPresent = nss_dbm_mdSlot_GetTokenPresent;
- rv->GetRemovableDevice = nss_dbm_mdSlot_GetRemovableDevice;
- /* GetHardwareSlot */
- /* GetHardwareVersion */
- /* GetFirmwareVersion */
- rv->GetToken = nss_dbm_mdSlot_GetToken;
- rv->null = (void *)NULL;
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/token.c b/security/nss/lib/ckfw/dbm/token.c
deleted file mode 100644
index 7c7fbf9e5..000000000
--- a/security/nss/lib/ckfw/dbm/token.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static CK_RV
-nss_dbm_mdToken_Setup
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
- CK_RV rv = CKR_OK;
-
- token->arena = NSSCKFWToken_GetArena(fwToken, &rv);
- token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL,
- O_RDWR|O_CREAT, &rv);
- if( (nss_dbm_db_t *)NULL == token->session_db ) {
- return rv;
- }
-
- /* Add a label record if there isn't one? */
-
- return CKR_OK;
-}
-
-static void
-nss_dbm_mdToken_Invalidate
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-
- if( (nss_dbm_db_t *)NULL != token->session_db ) {
- nss_dbm_db_close(token->session_db);
- token->session_db = (nss_dbm_db_t *)NULL;
- }
-}
-
-static CK_RV
-nss_dbm_mdToken_InitToken
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *pin,
- NSSUTF8 *label
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
- nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
- CK_RV rv;
-
- /* Wipe the session object data */
-
- if( (nss_dbm_db_t *)NULL != token->session_db ) {
- nss_dbm_db_close(token->session_db);
- }
-
- token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL,
- O_RDWR|O_CREAT, &rv);
- if( (nss_dbm_db_t *)NULL == token->session_db ) {
- return rv;
- }
-
- /* Wipe the token object data */
-
- if( token->slot->flags & O_RDWR ) {
- if( (nss_dbm_db_t *)NULL != token->slot->token_db ) {
- nss_dbm_db_close(token->slot->token_db);
- }
-
- token->slot->token_db = nss_dbm_db_open(instance->arena, fwInstance,
- token->slot->filename,
- token->slot->flags | O_CREAT | O_TRUNC,
- &rv);
- if( (nss_dbm_db_t *)NULL == token->slot->token_db ) {
- return rv;
- }
-
- /* PIN is irrelevant */
-
- rv = nss_dbm_db_set_label(token->slot->token_db, label);
- if( CKR_OK != rv ) {
- return rv;
- }
- }
-
- return CKR_OK;
-}
-
-static NSSUTF8 *
-nss_dbm_mdToken_GetLabel
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-
- if( (NSSUTF8 *)NULL == token->label ) {
- token->label = nss_dbm_db_get_label(token->slot->token_db, token->arena, pError);
- }
-
- /* If no label has been set, return *something* */
- if( (NSSUTF8 *)NULL == token->label ) {
- return token->slot->filename;
- }
-
- return token->label;
-}
-
-static NSSUTF8 *
-nss_dbm_mdToken_GetManufacturerID
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return "mozilla.org NSS";
-}
-
-static NSSUTF8 *
-nss_dbm_mdToken_GetModel
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- return "dbm";
-}
-
-/* GetSerialNumber is irrelevant */
-/* GetHasRNG defaults to CK_FALSE */
-
-static CK_BBOOL
-nss_dbm_mdToken_GetIsWriteProtected
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-
- if( token->slot->flags & O_RDWR ) {
- return CK_FALSE;
- } else {
- return CK_TRUE;
- }
-}
-
-/* GetLoginRequired defaults to CK_FALSE */
-/* GetUserPinInitialized defaults to CK_FALSE */
-/* GetRestoreKeyNotNeeded is irrelevant */
-/* GetHasClockOnToken defaults to CK_FALSE */
-/* GetHasProtectedAuthenticationPath defaults to CK_FALSE */
-/* GetSupportsDualCryptoOperations is irrelevant */
-
-static CK_ULONG
-nss_dbm_mdToken_effectively_infinite
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- return CK_EFFECTIVELY_INFINITE;
-}
-
-static CK_VERSION
-nss_dbm_mdToken_GetHardwareVersion
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
- return nss_dbm_db_get_format_version(token->slot->token_db);
-}
-
-/* GetFirmwareVersion is irrelevant */
-/* GetUTCTime is irrelevant */
-
-static NSSCKMDSession *
-nss_dbm_mdToken_OpenSession
-(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession,
- CK_BBOOL rw,
- CK_RV *pError
-)
-{
- nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
- return nss_dbm_mdSession_factory(token, fwSession, fwInstance, rw, pError);
-}
-
-/* GetMechanismCount defaults to zero */
-/* GetMechanismTypes is irrelevant */
-/* GetMechanism is irrelevant */
-
-NSS_IMPLEMENT NSSCKMDToken *
-nss_dbm_mdToken_factory
-(
- nss_dbm_slot_t *slot,
- CK_RV *pError
-)
-{
- nss_dbm_token_t *token;
- NSSCKMDToken *rv;
-
- token = nss_ZNEW(slot->instance->arena, nss_dbm_token_t);
- if( (nss_dbm_token_t *)NULL == token ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDToken *)NULL;
- }
-
- rv = nss_ZNEW(slot->instance->arena, NSSCKMDToken);
- if( (NSSCKMDToken *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDToken *)NULL;
- }
-
- token->slot = slot;
-
- rv->etc = (void *)token;
- rv->Setup = nss_dbm_mdToken_Setup;
- rv->Invalidate = nss_dbm_mdToken_Invalidate;
- rv->InitToken = nss_dbm_mdToken_InitToken;
- rv->GetLabel = nss_dbm_mdToken_GetLabel;
- rv->GetManufacturerID = nss_dbm_mdToken_GetManufacturerID;
- rv->GetModel = nss_dbm_mdToken_GetModel;
- /* GetSerialNumber is irrelevant */
- /* GetHasRNG defaults to CK_FALSE */
- rv->GetIsWriteProtected = nss_dbm_mdToken_GetIsWriteProtected;
- /* GetLoginRequired defaults to CK_FALSE */
- /* GetUserPinInitialized defaults to CK_FALSE */
- /* GetRestoreKeyNotNeeded is irrelevant */
- /* GetHasClockOnToken defaults to CK_FALSE */
- /* GetHasProtectedAuthenticationPath defaults to CK_FALSE */
- /* GetSupportsDualCryptoOperations is irrelevant */
- rv->GetMaxSessionCount = nss_dbm_mdToken_effectively_infinite;
- rv->GetMaxRwSessionCount = nss_dbm_mdToken_effectively_infinite;
- /* GetMaxPinLen is irrelevant */
- /* GetMinPinLen is irrelevant */
- /* GetTotalPublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
- /* GetFreePublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
- /* GetTotalPrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
- /* GetFreePrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
- rv->GetHardwareVersion = nss_dbm_mdToken_GetHardwareVersion;
- /* GetFirmwareVersion is irrelevant */
- /* GetUTCTime is irrelevant */
- rv->OpenSession = nss_dbm_mdToken_OpenSession;
- rv->null = NULL;
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/find.c b/security/nss/lib/ckfw/find.c
deleted file mode 100644
index 434e0a162..000000000
--- a/security/nss/lib/ckfw/find.c
+++ /dev/null
@@ -1,408 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * find.c
- *
- * This file implements the nssCKFWFindObjects type and methods.
- */
-
-#ifndef CK_H
-#include "ck.h"
-#endif /* CK_H */
-
-/*
- * NSSCKFWFindObjects
- *
- * -- create/destroy --
- * nssCKFWFindObjects_Create
- * nssCKFWFindObjects_Destroy
- *
- * -- public accessors --
- * NSSCKFWFindObjects_GetMDFindObjects
- *
- * -- implement public accessors --
- * nssCKFWFindObjects_GetMDFindObjects
- *
- * -- private accessors --
- *
- * -- module fronts --
- * nssCKFWFindObjects_Next
- */
-
-struct NSSCKFWFindObjectsStr {
- NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
- NSSCKMDFindObjects *mdfo1;
- NSSCKMDFindObjects *mdfo2;
- NSSCKFWSession *fwSession;
- NSSCKMDSession *mdSession;
- NSSCKFWToken *fwToken;
- NSSCKMDToken *mdToken;
- NSSCKFWInstance *fwInstance;
- NSSCKMDInstance *mdInstance;
-
- NSSCKMDFindObjects *mdFindObjects; /* varies */
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do these routines as no-ops.
- */
-
-static CK_RV
-findObjects_add_pointer
-(
- const NSSCKFWFindObjects *fwFindObjects
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-findObjects_remove_pointer
-(
- const NSSCKFWFindObjects *fwFindObjects
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWFindObjects_verifyPointer
-(
- const NSSCKFWFindObjects *fwFindObjects
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWFindObjects_Create
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWFindObjects_Create
-(
- NSSCKFWSession *fwSession,
- NSSCKFWToken *fwToken,
- NSSCKFWInstance *fwInstance,
- NSSCKMDFindObjects *mdFindObjects1,
- NSSCKMDFindObjects *mdFindObjects2,
- CK_RV *pError
-)
-{
- NSSCKFWFindObjects *fwFindObjects;
- NSSArena *arena;
- NSSCKMDSession *mdSession;
- NSSCKMDToken *mdToken;
- NSSCKMDInstance *mdInstance;
-
- mdSession = nssCKFWSession_GetMDSession(fwSession);
- mdToken = nssCKFWToken_GetMDToken(fwToken);
- mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
-
- arena = nssCKFWSession_GetArena(fwSession, pError);
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
-
- fwFindObjects = nss_ZNEW(arena, NSSCKFWFindObjects);
- if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fwFindObjects->mdfo1 = mdFindObjects1;
- fwFindObjects->mdfo2 = mdFindObjects2;
- fwFindObjects->fwSession = fwSession;
- fwFindObjects->mdSession = mdSession;
- fwFindObjects->fwToken = fwToken;
- fwFindObjects->mdToken = mdToken;
- fwFindObjects->fwInstance = fwInstance;
- fwFindObjects->mdInstance = mdInstance;
-
- fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) {
- goto loser;
- }
-
-#ifdef DEBUG
- *pError = findObjects_add_pointer(fwFindObjects);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return fwFindObjects;
-
- loser:
- nss_ZFreeIf(fwFindObjects);
-
- if( (NSSCKMDFindObjects *)NULL != mdFindObjects1 ) {
- if( (void *)NULL != (void *)mdFindObjects1->Final ) {
- fwFindObjects->mdFindObjects = mdFindObjects1;
- mdFindObjects1->Final(mdFindObjects1, fwFindObjects, mdSession,
- fwSession, mdToken, fwToken, mdInstance, fwInstance);
- }
- }
-
- if( (NSSCKMDFindObjects *)NULL != mdFindObjects2 ) {
- if( (void *)NULL != (void *)mdFindObjects2->Final ) {
- fwFindObjects->mdFindObjects = mdFindObjects2;
- mdFindObjects2->Final(mdFindObjects2, fwFindObjects, mdSession,
- fwSession, mdToken, fwToken, mdInstance, fwInstance);
- }
- }
-
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
-
- return (NSSCKFWFindObjects *)NULL;
-}
-
-
-/*
- * nssCKFWFindObjects_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWFindObjects_Destroy
-(
- NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- (void)nssCKFWMutex_Destroy(fwFindObjects->mutex);
-
- if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
- if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) {
- fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
- fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
- fwFindObjects->mdSession, fwFindObjects->fwSession,
- fwFindObjects->mdToken, fwFindObjects->fwToken,
- fwFindObjects->mdInstance, fwFindObjects->fwInstance);
- }
- }
-
- if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
- if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) {
- fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
- fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
- fwFindObjects->mdSession, fwFindObjects->fwSession,
- fwFindObjects->mdToken, fwFindObjects->fwToken,
- fwFindObjects->mdInstance, fwFindObjects->fwInstance);
- }
- }
-
- nss_ZFreeIf(fwFindObjects);
-
-#ifdef DEBUG
- (void)findObjects_remove_pointer(fwFindObjects);
-#endif /* DEBUG */
-
- return;
-}
-
-/*
- * nssCKFWFindObjects_GetMDFindObjects
- *
- */
-NSS_EXTERN NSSCKMDFindObjects *
-nssCKFWFindObjects_GetMDFindObjects
-(
- NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
- return (NSSCKMDFindObjects *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwFindObjects->mdFindObjects;
-}
-
-/*
- * nssCKFWFindObjects_Next
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWFindObjects_Next
-(
- NSSCKFWFindObjects *fwFindObjects,
- NSSArena *arenaOpt,
- CK_RV *pError
-)
-{
- NSSCKMDObject *mdObject;
- NSSCKFWObject *fwObject = (NSSCKFWObject *)NULL;
- NSSArena *objArena;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- *pError = nssCKFWFindObjects_verifyPointer(fwFindObjects);
- if( CKR_OK != *pError ) {
- return (NSSCKFWObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- *pError = nssCKFWMutex_Lock(fwFindObjects->mutex);
- if( CKR_OK != *pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
- if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) {
- fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
- mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1,
- fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
- fwFindObjects->mdToken, fwFindObjects->fwToken,
- fwFindObjects->mdInstance, fwFindObjects->fwInstance,
- arenaOpt, pError);
- if( (NSSCKMDObject *)NULL == mdObject ) {
- if( CKR_OK != *pError ) {
- goto done;
- }
-
- /* All done. */
- fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
- fwFindObjects->mdSession, fwFindObjects->fwSession,
- fwFindObjects->mdToken, fwFindObjects->fwToken,
- fwFindObjects->mdInstance, fwFindObjects->fwInstance);
- fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
- } else {
- goto wrap;
- }
- }
- }
-
- if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
- if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) {
- fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
- mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2,
- fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
- fwFindObjects->mdToken, fwFindObjects->fwToken,
- fwFindObjects->mdInstance, fwFindObjects->fwInstance,
- arenaOpt, pError);
- if( (NSSCKMDObject *)NULL == mdObject ) {
- if( CKR_OK != *pError ) {
- goto done;
- }
-
- /* All done. */
- fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
- fwFindObjects->mdSession, fwFindObjects->fwSession,
- fwFindObjects->mdToken, fwFindObjects->fwToken,
- fwFindObjects->mdInstance, fwFindObjects->fwInstance);
- fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
- } else {
- goto wrap;
- }
- }
- }
-
- /* No more objects */
- *pError = CKR_OK;
- goto done;
-
- wrap:
- /*
- * This is less than ideal-- we should determine if it's a token
- * object or a session object, and use the appropriate arena.
- * But that duplicates logic in nssCKFWObject_IsTokenObject.
- * Worry about that later. For now, be conservative, and use
- * the token arena.
- */
- objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError);
- if( (NSSArena *)NULL == objArena ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_HOST_MEMORY;
- }
- goto done;
- }
-
- fwObject = nssCKFWObject_Create(objArena, mdObject,
- fwFindObjects->fwSession, fwFindObjects->fwToken,
- fwFindObjects->fwInstance, pError);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- }
-
- done:
- (void)nssCKFWMutex_Unlock(fwFindObjects->mutex);
- return fwObject;
-}
-
-/*
- * NSSCKFWFindObjects_GetMDFindObjects
- *
- */
-
-NSS_EXTERN NSSCKMDFindObjects *
-NSSCKFWFindObjects_GetMDFindObjects
-(
- NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
- return (NSSCKMDFindObjects *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWFindObjects_GetMDFindObjects(fwFindObjects);
-}
diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c
deleted file mode 100644
index f9790493b..000000000
--- a/security/nss/lib/ckfw/hash.c
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * hash.c
- *
- * This is merely a couple wrappers around NSPR's PLHashTable, using
- * the identity hash and arena-aware allocators. The reason I did
- * this is that hash tables are used in a few places throughout the
- * NSS Cryptoki Framework in a fairly stereotyped way, and this allows
- * me to pull the commonalities into one place. Should we ever want
- * to change the implementation, it's all right here.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * nssCKFWHash
- *
- * nssCKFWHash_Create
- * nssCKFWHash_Destroy
- * nssCKFWHash_Add
- * nssCKFWHash_Remove
- * nssCKFWHash_Count
- * nssCKFWHash_Exists
- * nssCKFWHash_Lookup
- * nssCKFWHash_Iterate
- */
-
-struct nssCKFWHashStr {
- NSSCKFWMutex *mutex;
-
- /*
- * The invariant that mutex protects is:
- * The count accurately reflects the hashtable state.
- */
-
- PLHashTable *plHashTable;
- CK_ULONG count;
-};
-
-static PLHashNumber
-nss_ckfw_identity_hash
-(
- const void *key
-)
-{
- PRUint32 i = (PRUint32)key;
- PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
- return (PLHashNumber)i;
-}
-
-/*
- * nssCKFWHash_Create
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWHash_Create
-(
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- nssCKFWHash *rv;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (nssCKFWHash *)NULL;
- }
-
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (nssCKFWHash *)NULL;
- }
-#endif /* NSSDEBUG */
-
- rv = nss_ZNEW(arena, nssCKFWHash);
- if( (nssCKFWHash *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- return (nssCKFWHash *)NULL;
- }
-
- rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == rv->mutex ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (nssCKFWHash *)NULL;
- }
-
- rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash,
- PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena);
- if( (PLHashTable *)NULL == rv->plHashTable ) {
- (void)nssCKFWMutex_Destroy(rv->mutex);
- (void)nss_ZFreeIf(rv);
- *pError = CKR_HOST_MEMORY;
- return (nssCKFWHash *)NULL;
- }
-
- rv->count = 0;
-
- return rv;
-}
-
-/*
- * nssCKFWHash_Destroy
- *
- */
-NSS_IMPLEMENT void
-nssCKFWHash_Destroy
-(
- nssCKFWHash *hash
-)
-{
- (void)nssCKFWMutex_Destroy(hash->mutex);
- PL_HashTableDestroy(hash->plHashTable);
- (void)nss_ZFreeIf(hash);
-}
-
-/*
- * nssCKFWHash_Add
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWHash_Add
-(
- nssCKFWHash *hash,
- const void *key,
- const void *value
-)
-{
- CK_RV error = CKR_OK;
- PLHashEntry *he;
-
- error = nssCKFWMutex_Lock(hash->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
- if( (PLHashEntry *)NULL == he ) {
- error = CKR_HOST_MEMORY;
- } else {
- hash->count++;
- }
-
- (void)nssCKFWMutex_Unlock(hash->mutex);
-
- return error;
-}
-
-/*
- * nssCKFWHash_Remove
- *
- */
-NSS_IMPLEMENT void
-nssCKFWHash_Remove
-(
- nssCKFWHash *hash,
- const void *it
-)
-{
- PRBool found;
-
- if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
- return;
- }
-
- found = PL_HashTableRemove(hash->plHashTable, it);
- if( found ) {
- hash->count--;
- }
-
- (void)nssCKFWMutex_Unlock(hash->mutex);
- return;
-}
-
-/*
- * nssCKFWHash_Count
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWHash_Count
-(
- nssCKFWHash *hash
-)
-{
- CK_ULONG count;
-
- if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
- return (CK_ULONG)0;
- }
-
- count = hash->count;
-
- (void)nssCKFWMutex_Unlock(hash->mutex);
-
- return count;
-}
-
-/*
- * nssCKFWHash_Exists
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWHash_Exists
-(
- nssCKFWHash *hash,
- const void *it
-)
-{
- void *value;
-
- if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
- return CK_FALSE;
- }
-
- value = PL_HashTableLookup(hash->plHashTable, it);
-
- (void)nssCKFWMutex_Unlock(hash->mutex);
-
- if( (void *)NULL == value ) {
- return CK_FALSE;
- } else {
- return CK_TRUE;
- }
-}
-
-/*
- * nssCKFWHash_Lookup
- *
- */
-NSS_IMPLEMENT void *
-nssCKFWHash_Lookup
-(
- nssCKFWHash *hash,
- const void *it
-)
-{
- void *rv;
-
- if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
- return (void *)NULL;
- }
-
- rv = PL_HashTableLookup(hash->plHashTable, it);
-
- (void)nssCKFWMutex_Unlock(hash->mutex);
-
- return rv;
-}
-
-struct arg_str {
- nssCKFWHashIterator fcn;
- void *closure;
-};
-
-static PRIntn
-nss_ckfwhash_enumerator
-(
- PLHashEntry *he,
- PRIntn index,
- void *arg
-)
-{
- struct arg_str *as = (struct arg_str *)arg;
- as->fcn(he->key, he->value, as->closure);
- return HT_ENUMERATE_NEXT;
-}
-
-/*
- * nssCKFWHash_Iterate
- *
- * NOTE that the iteration function will be called with the hashtable locked.
- */
-NSS_IMPLEMENT void
-nssCKFWHash_Iterate
-(
- nssCKFWHash *hash,
- nssCKFWHashIterator fcn,
- void *closure
-)
-{
- struct arg_str as;
- as.fcn = fcn;
- as.closure = closure;
-
- if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
- return;
- }
-
- PL_HashTableEnumerateEntries(hash->plHashTable, nss_ckfwhash_enumerator, &as);
-
- (void)nssCKFWMutex_Unlock(hash->mutex);
-
- return;
-}
diff --git a/security/nss/lib/ckfw/instance.c b/security/nss/lib/ckfw/instance.c
deleted file mode 100644
index a10b52cba..000000000
--- a/security/nss/lib/ckfw/instance.c
+++ /dev/null
@@ -1,1310 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * instance.c
- *
- * This file implements the NSSCKFWInstance type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWInstance
- *
- * -- create/destroy --
- * nssCKFWInstance_Create
- * nssCKFWInstance_Destroy
- *
- * -- public accessors --
- * NSSCKFWInstance_GetMDInstance
- * NSSCKFWInstance_GetArena
- * NSSCKFWInstance_MayCreatePthreads
- * NSSCKFWInstance_CreateMutex
- * NSSCKFWInstance_GetConfigurationData
- *
- * -- implement public accessors --
- * nssCKFWInstance_GetMDInstance
- * nssCKFWInstance_GetArena
- * nssCKFWInstance_MayCreatePthreads
- * nssCKFWInstance_CreateMutex
- * nssCKFWInstance_GetConfigurationData
- *
- * -- private accessors --
- * nssCKFWInstance_CreateSessionHandle
- * nssCKFWInstance_ResolveSessionHandle
- * nssCKFWInstance_DestroySessionHandle
- * nssCKFWInstance_FindSessionHandle
- * nssCKFWInstance_CreateObjectHandle
- * nssCKFWInstance_ResolveObjectHandle
- * nssCKFWInstance_DestroyObjectHandle
- *
- * -- module fronts --
- * nssCKFWInstance_GetNSlots
- * nssCKFWInstance_GetCryptokiVersion
- * nssCKFWInstance_GetManufacturerID
- * nssCKFWInstance_GetFlags
- * nssCKFWInstance_GetLibraryDescription
- * nssCKFWInstance_GetLibraryVersion
- * nssCKFWInstance_GetModuleHandlesSessionObjects
- * nssCKFWInstance_GetSlots
- * nssCKFWInstance_WaitForSlotEvent
- *
- * -- debugging versions only --
- * nssCKFWInstance_verifyPointer
- */
-
-struct NSSCKFWInstanceStr {
- NSSCKFWMutex *mutex;
- NSSArena *arena;
- NSSCKMDInstance *mdInstance;
- CK_C_INITIALIZE_ARGS_PTR pInitArgs;
- CK_BBOOL mayCreatePthreads;
- NSSUTF8 *configurationData;
- CK_ULONG nSlots;
- NSSCKFWSlot **fwSlotList;
- NSSCKMDSlot **mdSlotList;
- CK_BBOOL moduleHandlesSessionObjects;
-
- /*
- * Everything above is set at creation time, and then not modified.
- * The invariants the mutex protects are:
- *
- * 1) Each of the cached descriptions (versions, etc.) are in an
- * internally consistant state.
- *
- * 2) The session handle hashes and count are consistant
- *
- * 3) The object handle hashes and count are consistant.
- *
- * I could use multiple locks, but let's wait to see if that's
- * really necessary.
- *
- * Note that the calls accessing the cached descriptions will
- * call the NSSCKMDInstance methods with the mutex locked. Those
- * methods may then call the public NSSCKFWInstance routines.
- * Those public routines only access the constant data above, so
- * there's no problem. But be careful if you add to this object;
- * mutexes are in general not reentrant, so don't create deadlock
- * situations.
- */
-
- CK_VERSION cryptokiVersion;
- NSSUTF8 *manufacturerID;
- NSSUTF8 *libraryDescription;
- CK_VERSION libraryVersion;
-
- CK_ULONG lastSessionHandle;
- nssCKFWHash *sessionHandleHash;
-
- CK_ULONG lastObjectHandle;
- nssCKFWHash *objectHandleHash;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-instance_add_pointer
-(
- const NSSCKFWInstance *fwInstance
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-instance_remove_pointer
-(
- const NSSCKFWInstance *fwInstance
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_verifyPointer
-(
- const NSSCKFWInstance *fwInstance
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWInstance_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWInstance *
-nssCKFWInstance_Create
-(
- CK_C_INITIALIZE_ARGS_PTR pInitArgs,
- NSSCKMDInstance *mdInstance,
- CK_RV *pError
-)
-{
- NSSCKFWInstance *fwInstance;
- NSSArena *arena = (NSSArena *)NULL;
- CK_ULONG i;
- CK_BBOOL called_Initialize = CK_FALSE;
-
-#ifdef NSSDEBUG
- if( (CK_RV)NULL == pError ) {
- return (NSSCKFWInstance *)NULL;
- }
-
- if( (NSSCKMDInstance *)NULL == mdInstance ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWInstance *)NULL;
- }
-#endif /* NSSDEBUG */
-
- arena = NSSArena_Create();
- if( (NSSArena *)NULL == arena ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWInstance *)NULL;
- }
-
- fwInstance = nss_ZNEW(arena, NSSCKFWInstance);
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- goto nomem;
- }
-
- fwInstance->arena = arena;
- fwInstance->mdInstance = mdInstance;
- fwInstance->pInitArgs = pInitArgs;
-
- if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
- if( pInitArgs->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS ) {
- fwInstance->mayCreatePthreads = CK_FALSE;
- } else {
- fwInstance->mayCreatePthreads = CK_TRUE;
- }
- fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
- } else {
- fwInstance->mayCreatePthreads = CK_TRUE;
- }
-
- fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, arena, pError);
- if( (NSSCKFWMutex *)NULL == fwInstance->mutex ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
- if( (void *)NULL != (void *)mdInstance->Initialize ) {
- *pError = mdInstance->Initialize(mdInstance, fwInstance, fwInstance->configurationData);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
- called_Initialize = CK_TRUE;
- }
-
- if( (void *)NULL != (void *)mdInstance->ModuleHandlesSessionObjects ) {
- fwInstance->moduleHandlesSessionObjects =
- mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
- } else {
- fwInstance->moduleHandlesSessionObjects = CK_FALSE;
- }
-
- if( (void *)NULL == (void *)mdInstance->GetNSlots ) {
- /* That routine is required */
- *pError = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- fwInstance->nSlots = mdInstance->GetNSlots(mdInstance, fwInstance, pError);
- if( (CK_ULONG)0 == fwInstance->nSlots ) {
- if( CKR_OK == *pError ) {
- /* Zero is not a legitimate answer */
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
- fwInstance->fwSlotList = nss_ZNEWARRAY(arena, NSSCKFWSlot *, fwInstance->nSlots);
- if( (NSSCKFWSlot **)NULL == fwInstance->fwSlotList ) {
- goto nomem;
- }
-
- fwInstance->mdSlotList = nss_ZNEWARRAY(arena, NSSCKMDSlot *, fwInstance->nSlots);
- if( (NSSCKMDSlot **)NULL == fwInstance->mdSlotList ) {
- goto nomem;
- }
-
- fwInstance->sessionHandleHash = nssCKFWHash_Create(fwInstance,
- fwInstance->arena, pError);
- if( (nssCKFWHash *)NULL == fwInstance->sessionHandleHash ) {
- goto loser;
- }
-
- fwInstance->objectHandleHash = nssCKFWHash_Create(fwInstance,
- fwInstance->arena, pError);
- if( (nssCKFWHash *)NULL == fwInstance->objectHandleHash ) {
- goto loser;
- }
-
- if( (void *)NULL == (void *)mdInstance->GetSlots ) {
- /* That routine is required */
- *pError = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- *pError = mdInstance->GetSlots(mdInstance, fwInstance, fwInstance->mdSlotList);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
- for( i = 0; i < fwInstance->nSlots; i++ ) {
- NSSCKMDSlot *mdSlot = fwInstance->mdSlotList[i];
-
- if( (NSSCKMDSlot *)NULL == mdSlot ) {
- *pError = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- fwInstance->fwSlotList[i] = nssCKFWSlot_Create(fwInstance, mdSlot, i, pError);
- if( CKR_OK != *pError ) {
- CK_ULONG j;
-
- for( j = 0; j < i; j++ ) {
- (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[j]);
- }
-
- for( j = i; j < fwInstance->nSlots; j++ ) {
- NSSCKMDSlot *mds = fwInstance->mdSlotList[j];
- if( (void *)NULL != (void *)mds->Destroy ) {
- mds->Destroy(mds, (NSSCKFWSlot *)NULL, mdInstance, fwInstance);
- }
- }
-
- goto loser;
- }
- }
-
-#ifdef DEBUG
- *pError = instance_add_pointer(fwInstance);
- if( CKR_OK != *pError ) {
- for( i = 0; i < fwInstance->nSlots; i++ ) {
- (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
- }
-
- goto loser;
- }
-#endif /* DEBUG */
-
- *pError = CKR_OK;
- return fwInstance;
-
- nomem:
- *pError = CKR_HOST_MEMORY;
- /*FALLTHROUGH*/
- loser:
-
- if( CK_TRUE == called_Initialize ) {
- if( (void *)NULL != (void *)mdInstance->Finalize ) {
- mdInstance->Finalize(mdInstance, fwInstance);
- }
- }
-
- (void)NSSArena_Destroy(arena);
- return (NSSCKFWInstance *)NULL;
-}
-
-/*
- * nssCKFWInstance_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_Destroy
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
- CK_ULONG i;
-
-#ifdef NSSDEBUG
- error = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- nssCKFWMutex_Destroy(fwInstance->mutex);
-
- for( i = 0; i < fwInstance->nSlots; i++ ) {
- (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
- }
-
- if( (void *)NULL != (void *)fwInstance->mdInstance->Finalize ) {
- fwInstance->mdInstance->Finalize(fwInstance->mdInstance, fwInstance);
- }
-
-#ifdef DEBUG
- (void)instance_remove_pointer(fwInstance);
-#endif /* DEBUG */
-
- (void)NSSArena_Destroy(fwInstance->arena);
- return CKR_OK;
-}
-
-/*
- * nssCKFWInstance_GetMDInstance
- *
- */
-NSS_IMPLEMENT NSSCKMDInstance *
-nssCKFWInstance_GetMDInstance
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (NSSCKMDInstance *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwInstance->mdInstance;
-}
-
-/*
- * nssCKFWInstance_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWInstance_GetArena
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* NSSDEBUG */
-
- *pError = CKR_OK;
- return fwInstance->arena;
-}
-
-/*
- * nssCKFWInstance_MayCreatePthreads
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWInstance_MayCreatePthreads
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- return fwInstance->mayCreatePthreads;
-}
-
-/*
- * nssCKFWInstance_CreateMutex
- *
- */
-NSS_IMPLEMENT NSSCKFWMutex *
-nssCKFWInstance_CreateMutex
-(
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- NSSCKFWMutex *mutex;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWMutex *)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSCKFWMutex *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arena ) {
- arena = fwInstance->arena;
- }
-
- mutex = nssCKFWMutex_Create(fwInstance->pInitArgs, arena, pError);
- if( (NSSCKFWMutex *)NULL == mutex ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
-
- return (NSSCKFWMutex *)NULL;
- }
-
- return mutex;
-}
-
-/*
- * nssCKFWInstance_GetConfigurationData
- *
- */
-NSS_IMPLEMENT NSSUTF8 *
-nssCKFWInstance_GetConfigurationData
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwInstance->configurationData;
-}
-
-/*
- * nssCKFWInstance_CreateSessionHandle
- *
- */
-NSS_IMPLEMENT CK_SESSION_HANDLE
-nssCKFWInstance_CreateSessionHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession,
- CK_RV *pError
-)
-{
- CK_SESSION_HANDLE hSession;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_SESSION_HANDLE)0;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (CK_SESSION_HANDLE)0;
- }
-#endif /* NSSDEBUG */
-
- *pError = nssCKFWMutex_Lock(fwInstance->mutex);
- if( CKR_OK != *pError ) {
- return (CK_SESSION_HANDLE)0;
- }
-
- hSession = ++(fwInstance->lastSessionHandle);
-
- /* Alan would say I should unlock for this call. */
-
- *pError = nssCKFWSession_SetHandle(fwSession, hSession);
- if( CKR_OK != *pError ) {
- goto done;
- }
-
- *pError = nssCKFWHash_Add(fwInstance->sessionHandleHash,
- (const void *)hSession, (const void *)fwSession);
- if( CKR_OK != *pError ) {
- hSession = (CK_SESSION_HANDLE)0;
- goto done;
- }
-
- done:
- nssCKFWMutex_Unlock(fwInstance->mutex);
- return hSession;
-}
-
-/*
- * nssCKFWInstance_ResolveSessionHandle
- *
- */
-NSS_IMPLEMENT NSSCKFWSession *
-nssCKFWInstance_ResolveSessionHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- NSSCKFWSession *fwSession;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (NSSCKFWSession *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
- return (NSSCKFWSession *)NULL;
- }
-
- fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
- fwInstance->sessionHandleHash, (const void *)hSession);
-
- /* Assert(hSession == nssCKFWSession_GetHandle(fwSession)) */
-
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-
- return fwSession;
-}
-
-/*
- * nssCKFWInstance_DestroySessionHandle
- *
- */
-NSS_IMPLEMENT void
-nssCKFWInstance_DestroySessionHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- NSSCKFWSession *fwSession;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
- return;
- }
-
- fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
- fwInstance->sessionHandleHash, (const void *)hSession);
-
- nssCKFWHash_Remove(fwInstance->sessionHandleHash, (const void *)hSession);
- nssCKFWSession_SetHandle(fwSession, (CK_SESSION_HANDLE)0);
-
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-
- return;
-}
-
-/*
- * nssCKFWInstance_FindSessionHandle
- *
- */
-NSS_IMPLEMENT CK_SESSION_HANDLE
-nssCKFWInstance_FindSessionHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (CK_SESSION_HANDLE)0;
- }
-
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return (CK_SESSION_HANDLE)0;
- }
-#endif /* NSSDEBUG */
-
- return nssCKFWSession_GetHandle(fwSession);
- /* look it up and assert? */
-}
-
-/*
- * nssCKFWInstance_CreateObjectHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWInstance_CreateObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
- CK_OBJECT_HANDLE hObject;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_OBJECT_HANDLE)0;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (CK_OBJECT_HANDLE)0;
- }
-#endif /* NSSDEBUG */
-
- *pError = nssCKFWMutex_Lock(fwInstance->mutex);
- if( CKR_OK != *pError ) {
- return (CK_OBJECT_HANDLE)0;
- }
-
- hObject = ++(fwInstance->lastObjectHandle);
-
- *pError = nssCKFWObject_SetHandle(fwObject, hObject);
- if( CKR_OK != *pError ) {
- hObject = (CK_OBJECT_HANDLE)0;
- goto done;
- }
-
- *pError = nssCKFWHash_Add(fwInstance->objectHandleHash,
- (const void *)hObject, (const void *)fwObject);
- if( CKR_OK != *pError ) {
- hObject = (CK_OBJECT_HANDLE)0;
- goto done;
- }
-
- done:
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return hObject;
-}
-
-/*
- * nssCKFWInstance_ResolveObjectHandle
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWInstance_ResolveObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_OBJECT_HANDLE hObject
-)
-{
- NSSCKFWObject *fwObject;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (NSSCKFWObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
- return (NSSCKFWObject *)NULL;
- }
-
- fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
- fwInstance->objectHandleHash, (const void *)hObject);
-
- /* Assert(hObject == nssCKFWObject_GetHandle(fwObject)) */
-
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return fwObject;
-}
-
-/*
- * nssCKFWInstance_ReassignObjectHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_ReassignObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_OBJECT_HANDLE hObject,
- NSSCKFWObject *fwObject
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWObject *oldObject;
-
-#ifdef NSSDEBUG
- error = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwInstance->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- oldObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
- fwInstance->objectHandleHash, (const void *)hObject);
- /* Assert(hObject == nssCKFWObject_GetHandle(oldObject) */
- (void)nssCKFWObject_SetHandle(oldObject, (CK_SESSION_HANDLE)0);
- nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
-
- error = nssCKFWObject_SetHandle(fwObject, hObject);
- if( CKR_OK != error ) {
- goto done;
- }
- error = nssCKFWHash_Add(fwInstance->objectHandleHash,
- (const void *)hObject, (const void *)fwObject);
-
- done:
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return error;
-}
-
-/*
- * nssCKFWInstance_DestroyObjectHandle
- *
- */
-NSS_IMPLEMENT void
-nssCKFWInstance_DestroyObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- CK_OBJECT_HANDLE hObject
-)
-{
- NSSCKFWObject *fwObject;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
- return;
- }
-
- fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
- fwInstance->objectHandleHash, (const void *)hObject);
- /* Assert(hObject = nssCKFWObject_GetHandle(fwObject)) */
- nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
- (void)nssCKFWObject_SetHandle(fwObject, (CK_SESSION_HANDLE)0);
-
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return;
-}
-
-/*
- * nssCKFWInstance_FindObjectHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWInstance_FindObjectHandle
-(
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (CK_OBJECT_HANDLE)0;
- }
-
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return (CK_OBJECT_HANDLE)0;
- }
-#endif /* NSSDEBUG */
-
- return nssCKFWObject_GetHandle(fwObject);
-}
-
-/*
- * nssCKFWInstance_GetNSlots
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWInstance_GetNSlots
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- *pError = CKR_OK;
- return fwInstance->nSlots;
-}
-
-/*
- * nssCKFWInstance_GetCryptokiVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWInstance_GetCryptokiVersion
-(
- NSSCKFWInstance *fwInstance
-)
-{
- CK_VERSION rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-
- if( (0 != fwInstance->cryptokiVersion.major) ||
- (0 != fwInstance->cryptokiVersion.minor) ) {
- rv = fwInstance->cryptokiVersion;
- goto done;
- }
-
- if( (void *)NULL != (void *)fwInstance->mdInstance->GetCryptokiVersion ) {
- fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
- fwInstance->mdInstance, fwInstance);
- } else {
- fwInstance->cryptokiVersion.major = 2;
- fwInstance->cryptokiVersion.minor = 1;
- }
-
- rv = fwInstance->cryptokiVersion;
-
- done:
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return rv;
-}
-
-/*
- * nssCKFWInstance_GetManufacturerID
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_GetManufacturerID
-(
- NSSCKFWInstance *fwInstance,
- CK_CHAR manufacturerID[32]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == manufacturerID ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwInstance->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwInstance->manufacturerID ) {
- if( (void *)NULL != (void *)fwInstance->mdInstance->GetManufacturerID ) {
- fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
- fwInstance->mdInstance, fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwInstance->manufacturerID) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwInstance->manufacturerID = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, manufacturerID, 32, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return error;
-}
-
-/*
- * nssCKFWInstance_GetFlags
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWInstance_GetFlags
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- /* No "instance flags" are yet defined by Cryptoki. */
- return (CK_ULONG)0;
-}
-
-/*
- * nssCKFWInstance_GetLibraryDescription
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_GetLibraryDescription
-(
- NSSCKFWInstance *fwInstance,
- CK_CHAR libraryDescription[32]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == libraryDescription ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwInstance->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwInstance->libraryDescription ) {
- if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryDescription ) {
- fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
- fwInstance->mdInstance, fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwInstance->libraryDescription) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwInstance->libraryDescription = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, libraryDescription, 32, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return error;
-}
-
-/*
- * nssCKFWInstance_GetLibraryVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWInstance_GetLibraryVersion
-(
- NSSCKFWInstance *fwInstance
-)
-{
- CK_VERSION rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-
- if( (0 != fwInstance->libraryVersion.major) ||
- (0 != fwInstance->libraryVersion.minor) ) {
- rv = fwInstance->libraryVersion;
- goto done;
- }
-
- if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) {
- fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
- fwInstance->mdInstance, fwInstance);
- } else {
- fwInstance->libraryVersion.major = 0;
- fwInstance->libraryVersion.minor = 1;
- }
-
- rv = fwInstance->libraryVersion;
- done:
- (void)nssCKFWMutex_Unlock(fwInstance->mutex);
- return rv;
-}
-
-/*
- * nssCKFWInstance_GetModuleHandlesSessionObjects
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWInstance_GetModuleHandlesSessionObjects
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- return fwInstance->moduleHandlesSessionObjects;
-}
-
-/*
- * nssCKFWInstance_GetSlots
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot **
-nssCKFWInstance_GetSlots
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWSlot **)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSCKFWSlot **)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwInstance->fwSlotList;
-}
-
-/*
- * nssCKFWInstance_WaitForSlotEvent
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWInstance_WaitForSlotEvent
-(
- NSSCKFWInstance *fwInstance,
- CK_BBOOL block,
- CK_RV *pError
-)
-{
- NSSCKFWSlot *fwSlot = (NSSCKFWSlot *)NULL;
- NSSCKMDSlot *mdSlot;
- CK_ULONG i, n;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWSlot *)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSCKFWSlot *)NULL;
- }
-
- switch( block ) {
- case CK_TRUE:
- case CK_FALSE:
- break;
- default:
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWSlot *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwInstance->mdInstance->WaitForSlotEvent ) {
- *pError = CKR_NO_EVENT;
- return (NSSCKFWSlot *)NULL;
- }
-
- mdSlot = fwInstance->mdInstance->WaitForSlotEvent(
- fwInstance->mdInstance,
- fwInstance,
- block,
- pError
- );
-
- if( (NSSCKMDSlot *)NULL == mdSlot ) {
- return (NSSCKFWSlot *)NULL;
- }
-
- n = nssCKFWInstance_GetNSlots(fwInstance, pError);
- if( ((CK_ULONG)0 == n) && (CKR_OK != *pError) ) {
- return (NSSCKFWSlot *)NULL;
- }
-
- for( i = 0; i < n; i++ ) {
- if( fwInstance->mdSlotList[i] == mdSlot ) {
- fwSlot = fwInstance->fwSlotList[i];
- break;
- }
- }
-
- if( (NSSCKFWSlot *)NULL == fwSlot ) {
- /* Internal error */
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWSlot *)NULL;
- }
-
- return fwSlot;
-}
-
-/*
- * NSSCKFWInstance_GetMDInstance
- *
- */
-NSS_IMPLEMENT NSSCKMDInstance *
-NSSCKFWInstance_GetMDInstance
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (NSSCKMDInstance *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWInstance_GetMDInstance(fwInstance);
-}
-
-/*
- * NSSCKFWInstance_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-NSSCKFWInstance_GetArena
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWInstance_GetArena(fwInstance, pError);
-}
-
-/*
- * NSSCKFWInstance_MayCreatePthreads
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWInstance_MayCreatePthreads
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return CK_FALSE;
- }
-#endif /* DEBUG */
-
- return nssCKFWInstance_MayCreatePthreads(fwInstance);
-}
-
-/*
- * NSSCKFWInstance_CreateMutex
- *
- */
-NSS_IMPLEMENT NSSCKFWMutex *
-NSSCKFWInstance_CreateMutex
-(
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWMutex *)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSCKFWMutex *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-}
-
-/*
- * NSSCKFWInstance_GetConfigurationData
- *
- */
-NSS_IMPLEMENT NSSUTF8 *
-NSSCKFWInstance_GetConfigurationData
-(
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
- return (NSSUTF8 *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWInstance_GetConfigurationData(fwInstance);
-}
diff --git a/security/nss/lib/ckfw/manifest.mn b/security/nss/lib/ckfw/manifest.mn
deleted file mode 100644
index 799fca1ae..000000000
--- a/security/nss/lib/ckfw/manifest.mn
+++ /dev/null
@@ -1,77 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
- ck.h \
- ckfw.h \
- ckfwm.h \
- ckfwtm.h \
- ckmd.h \
- ckt.h \
- $(NULL)
-
-EXPORTS = \
- nssck.api \
- nssckepv.h \
- nssckft.h \
- nssckfw.h \
- nssckfwc.h \
- nssckfwt.h \
- nssckg.h \
- nssckmdt.h \
- nssckp.h \
- nssckt.h \
- nsscku.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- find.c \
- hash.c \
- instance.c \
- mutex.c \
- object.c \
- session.c \
- sessobj.c \
- slot.c \
- token.c \
- wrap.c \
- $(NULL)
-
-REQUIRES = security nspr
-
-LIBRARY_NAME = nssckfw
diff --git a/security/nss/lib/ckfw/mutex.c b/security/nss/lib/ckfw/mutex.c
deleted file mode 100644
index e4c363f31..000000000
--- a/security/nss/lib/ckfw/mutex.c
+++ /dev/null
@@ -1,346 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * mutex.c
- *
- * This file implements a mutual-exclusion locking facility for Modules
- * using the NSS Cryptoki Framework.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWMutex
- *
- * NSSCKFWMutex_Destroy
- * NSSCKFWMutex_Lock
- * NSSCKFWMutex_Unlock
- *
- * nssCKFWMutex_Create
- * nssCKFWMutex_Destroy
- * nssCKFWMutex_Lock
- * nssCKFWMutex_Unlock
- *
- * -- debugging versions only --
- * nssCKFWMutex_verifyPointer
- *
- */
-
-struct NSSCKFWMutexStr {
- CK_VOID_PTR etc;
-
- CK_DESTROYMUTEX Destroy;
- CK_LOCKMUTEX Lock;
- CK_UNLOCKMUTEX Unlock;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-mutex_add_pointer
-(
- const NSSCKFWMutex *fwMutex
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-mutex_remove_pointer
-(
- const NSSCKFWMutex *fwMutex
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWMutex_verifyPointer
-(
- const NSSCKFWMutex *fwMutex
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-static CK_RV
-mutex_noop
-(
- CK_VOID_PTR pMutex
-)
-{
- return CKR_OK;
-}
-
-/*
- * nssCKFWMutex_Create
- *
- */
-NSS_EXTERN NSSCKFWMutex *
-nssCKFWMutex_Create
-(
- CK_C_INITIALIZE_ARGS_PTR pInitArgs,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- NSSCKFWMutex *mutex;
- CK_ULONG count = (CK_ULONG)0;
- CK_BBOOL os_ok = CK_FALSE;
- CK_VOID_PTR pMutex = (CK_VOID_PTR)NULL;
-
- if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
- if( (CK_CREATEMUTEX )NULL != pInitArgs->CreateMutex ) count++;
- if( (CK_DESTROYMUTEX)NULL != pInitArgs->DestroyMutex ) count++;
- if( (CK_LOCKMUTEX )NULL != pInitArgs->LockMutex ) count++;
- if( (CK_UNLOCKMUTEX )NULL != pInitArgs->UnlockMutex ) count++;
- os_ok = (pInitArgs->flags & CKF_OS_LOCKING_OK) ? CK_TRUE : CK_FALSE;
-
- if( (0 != count) && (4 != count) ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWMutex *)NULL;
- }
- }
-
- if( (0 == count) && (CK_TRUE == os_ok) ) {
- /*
- * This is case #2 in the description of C_Initialize:
- * The library will be called in a multithreaded way, but
- * no routines were specified: os locking calls should be
- * used. Unfortunately, this can be hard.. like, I think
- * I may have to dynamically look up the entry points in
- * the instance of NSPR already going in the application.
- *
- * I know that *we* always specify routines, so this only
- * comes up if someone is using NSS to create their own
- * PCKS#11 modules for other products. Oh, heck, I'll
- * worry about this then.
- */
- *pError = CKR_CANT_LOCK;
- return (NSSCKFWMutex *)NULL;
- }
-
- mutex = nss_ZNEW(arena, NSSCKFWMutex);
- if( (NSSCKFWMutex *)NULL == mutex ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWMutex *)NULL;
- }
-
- if( 0 == count ) {
- /*
- * With the above test out of the way, we know this is case
- * #1 in the description of C_Initialize: this library will
- * not be called in a multithreaded way. I'll just return
- * an object with noop calls.
- */
-
- mutex->Destroy = (CK_DESTROYMUTEX)mutex_noop;
- mutex->Lock = (CK_LOCKMUTEX )mutex_noop;
- mutex->Unlock = (CK_UNLOCKMUTEX )mutex_noop;
- } else {
- /*
- * We know that we're in either case #3 or #4 in the description
- * of C_Initialize. Case #3 says we should use the specified
- * functions, case #4 cays we can use either the specified ones
- * or the OS ones. I'll use the specified ones.
- */
-
- mutex->Destroy = pInitArgs->DestroyMutex;
- mutex->Lock = pInitArgs->LockMutex;
- mutex->Unlock = pInitArgs->UnlockMutex;
-
- *pError = pInitArgs->CreateMutex(&mutex->etc);
- if( CKR_OK != *pError ) {
- (void)nss_ZFreeIf(mutex);
- return (NSSCKFWMutex *)NULL;
- }
- }
-
-#ifdef DEBUG
- *pError = mutex_add_pointer(mutex);
- if( CKR_OK != *pError ) {
- (void)nss_ZFreeIf(mutex);
- return (NSSCKFWMutex *)NULL;
- }
-#endif /* DEBUG */
-
- return mutex;
-}
-
-/*
- * nssCKFWMutex_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Destroy
-(
- NSSCKFWMutex *mutex
-)
-{
- CK_RV rv = CKR_OK;
-
-#ifdef NSSDEBUG
- rv = nssCKFWMutex_verifyPointer(mutex);
- if( CKR_OK != rv ) {
- return rv;
- }
-#endif /* NSSDEBUG */
-
- rv = mutex->Destroy(mutex->etc);
-
-#ifdef DEBUG
- (void)mutex_remove_pointer(mutex);
-#endif /* DEBUG */
-
- (void)nss_ZFreeIf(mutex);
- return rv;
-}
-
-/*
- * nssCKFWMutex_Lock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Lock
-(
- NSSCKFWMutex *mutex
-)
-{
-#ifdef NSSDEBUG
- CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
- if( CKR_OK != rv ) {
- return rv;
- }
-#endif /* NSSDEBUG */
-
- return mutex->Lock(mutex->etc);
-}
-
-/*
- * nssCKFWMutex_Unlock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Unlock
-(
- NSSCKFWMutex *mutex
-)
-{
-#ifdef NSSDEBUG
- CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
- if( CKR_OK != rv ) {
- return rv;
- }
-#endif /* NSSDEBUG */
-
- return mutex->Unlock(mutex->etc);
-}
-
-/*
- * NSSCKFWMutex_Destroy
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Destroy
-(
- NSSCKFWMutex *mutex
-)
-{
-#ifdef DEBUG
- CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
- if( CKR_OK != rv ) {
- return rv;
- }
-#endif /* DEBUG */
-
- return nssCKFWMutex_Destroy(mutex);
-}
-
-/*
- * NSSCKFWMutex_Lock
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Lock
-(
- NSSCKFWMutex *mutex
-)
-{
-#ifdef DEBUG
- CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
- if( CKR_OK != rv ) {
- return rv;
- }
-#endif /* DEBUG */
-
- return nssCKFWMutex_Lock(mutex);
-}
-
-/*
- * NSSCKFWMutex_Unlock
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Unlock
-(
- NSSCKFWMutex *mutex
-)
-{
-#ifdef DEBUG
- CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
- if( CKR_OK != rv ) {
- return rv;
- }
-#endif /* DEBUG */
-
- return nssCKFWMutex_Unlock(mutex);
-}
diff --git a/security/nss/lib/ckfw/nssckfw.h b/security/nss/lib/ckfw/nssckfw.h
deleted file mode 100644
index ce16f2b7b..000000000
--- a/security/nss/lib/ckfw/nssckfw.h
+++ /dev/null
@@ -1,499 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSCKFW_H
-#define NSSCKFW_H
-
-#ifdef DEBUG
-static const char NSSCKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssckfw.h
- *
- * This file prototypes the publicly available calls of the
- * NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-/*
- * NSSCKFWInstance
- *
- * NSSCKFWInstance_GetMDInstance
- * NSSCKFWInstance_GetArena
- * NSSCKFWInstance_MayCreatePthreads
- * NSSCKFWInstance_CreateMutex
- * NSSCKFWInstance_GetConfigurationData
- */
-
-/*
- * NSSCKFWInstance_GetMDInstance
- *
- */
-
-NSS_EXTERN NSSCKMDInstance *
-NSSCKFWInstance_GetMDInstance
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWInstance_GetArena
- *
- */
-
-NSS_EXTERN NSSArena *
-NSSCKFWInstance_GetArena
-(
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWInstance_MayCreatePthreads
- *
- */
-
-NSS_EXTERN CK_BBOOL
-NSSCKFWInstance_MayCreatePthreads
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWInstance_CreateMutex
- *
- */
-
-NSS_EXTERN NSSCKFWMutex *
-NSSCKFWInstance_CreateMutex
-(
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWInstance_GetConfigurationData
- *
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSCKFWInstance_GetConfigurationData
-(
- NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWSlot
- *
- * NSSCKFWSlot_GetMDSlot
- * NSSCKFWSlot_GetFWInstance
- * NSSCKFWSlot_GetMDInstance
- *
- */
-
-/*
- * NSSCKFWSlot_GetMDSlot
- *
- */
-
-NSS_EXTERN NSSCKMDSlot *
-NSSCKFWSlot_GetMDSlot
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWSlot_GetFWInstance
- *
- */
-
-NSS_EXTERN NSSCKFWInstance *
-NSSCKFWSlot_GetFWInstance
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWSlot_GetMDInstance
- *
- */
-
-NSS_EXTERN NSSCKMDInstance *
-NSSCKFWSlot_GetMDInstance
-(
- NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWToken
- *
- * NSSCKFWToken_GetMDToken
- * NSSCKFWToken_GetFWSlot
- * NSSCKFWToken_GetMDSlot
- * NSSCKFWToken_GetSessionState
- *
- */
-
-/*
- * NSSCKFWToken_GetMDToken
- *
- */
-
-NSS_EXTERN NSSCKMDToken *
-NSSCKFWToken_GetMDToken
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWToken_GetArena
- *
- */
-
-NSS_EXTERN NSSArena *
-NSSCKFWToken_GetArena
-(
- NSSCKFWToken *fwToken,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWToken_GetFWSlot
- *
- */
-
-NSS_EXTERN NSSCKFWSlot *
-NSSCKFWToken_GetFWSlot
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWToken_GetMDSlot
- *
- */
-
-NSS_EXTERN NSSCKMDSlot *
-NSSCKFWToken_GetMDSlot
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWToken_GetSessionState
- *
- */
-
-NSS_EXTERN CK_STATE
-NSSCKFWSession_GetSessionState
-(
- NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWMechanism
- *
- * NSSKCFWMechanism_GetMDMechanism
- * NSSCKFWMechanism_GetParameter
- *
- */
-
-/*
- * NSSKCFWMechanism_GetMDMechanism
- *
- */
-
-NSS_EXTERN NSSCKMDMechanism *
-NSSCKFWMechanism_GetMDMechanism
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * NSSCKFWMechanism_GetParameter
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCKFWMechanism_GetParameter
-(
- NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * NSSCKFWSession
- *
- * NSSCKFWSession_GetMDSession
- * NSSCKFWSession_GetArena
- * NSSCKFWSession_CallNotification
- * NSSCKFWSession_IsRWSession
- * NSSCKFWSession_IsSO
- *
- */
-
-/*
- * NSSCKFWSession_GetMDSession
- *
- */
-
-NSS_EXTERN NSSCKMDSession *
-NSSCKFWSession_GetMDSession
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * NSSCKFWSession_GetArena
- *
- */
-
-NSS_EXTERN NSSArena *
-NSSCKFWSession_GetArena
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWSession_CallNotification
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWSession_CallNotification
-(
- NSSCKFWSession *fwSession,
- CK_NOTIFICATION event
-);
-
-/*
- * NSSCKFWSession_IsRWSession
- *
- */
-
-NSS_EXTERN CK_BBOOL
-NSSCKFWSession_IsRWSession
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * NSSCKFWSession_IsSO
- *
- */
-
-NSS_EXTERN CK_BBOOL
-NSSCKFWSession_IsSO
-(
- NSSCKFWSession *fwSession
-);
-
-/*
- * NSSCKFWObject
- *
- * NSSCKFWObject_GetMDObject
- * NSSCKFWObject_GetArena
- * NSSCKFWObject_IsTokenObject
- * NSSCKFWObject_GetAttributeCount
- * NSSCKFWObject_GetAttributeTypes
- * NSSCKFWObject_GetAttributeSize
- * NSSCKFWObject_GetAttribute
- * NSSCKFWObject_GetObjectSize
- */
-
-/*
- * NSSCKFWObject_GetMDObject
- *
- */
-NSS_EXTERN NSSCKMDObject *
-NSSCKFWObject_GetMDObject
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * NSSCKFWObject_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-NSSCKFWObject_GetArena
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_IsTokenObject
- *
- */
-NSS_EXTERN CK_BBOOL
-NSSCKFWObject_IsTokenObject
-(
- NSSCKFWObject *fwObject
-);
-
-/*
- * NSSCKFWObject_GetAttributeCount
- *
- */
-NSS_EXTERN CK_ULONG
-NSSCKFWObject_GetAttributeCount
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_GetAttributeTypes
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWObject_GetAttributeTypes
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWObject_GetAttributeSize
- *
- */
-NSS_EXTERN CK_ULONG
-NSSCKFWObject_GetAttributeSize
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_GetAttribute
- *
- */
-NSS_EXTERN NSSItem *
-NSSCKFWObject_GetAttribute
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *itemOpt,
- NSSArena *arenaOpt,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_GetObjectSize
- *
- */
-NSS_EXTERN CK_ULONG
-NSSCKFWObject_GetObjectSize
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-);
-
-/*
- * NSSCKFWFindObjects
- *
- * NSSCKFWFindObjects_GetMDFindObjects
- *
- */
-
-/*
- * NSSCKFWFindObjects_GetMDFindObjects
- *
- */
-
-NSS_EXTERN NSSCKMDFindObjects *
-NSSCKFWFindObjects_GetMDFindObjects
-(
- NSSCKFWFindObjects *
-);
-
-/*
- * NSSCKFWMutex
- *
- * NSSCKFWMutex_Destroy
- * NSSCKFWMutex_Lock
- * NSSCKFWMutex_Unlock
- *
- */
-
-/*
- * NSSCKFWMutex_Destroy
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Destroy
-(
- NSSCKFWMutex *mutex
-);
-
-/*
- * NSSCKFWMutex_Lock
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Lock
-(
- NSSCKFWMutex *mutex
-);
-
-/*
- * NSSCKFWMutex_Unlock
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Unlock
-(
- NSSCKFWMutex *mutex
-);
-
-#endif /* NSSCKFW_H */
-
diff --git a/security/nss/lib/ckfw/nssckfwc.h b/security/nss/lib/ckfw/nssckfwc.h
deleted file mode 100644
index 02b15ec35..000000000
--- a/security/nss/lib/ckfw/nssckfwc.h
+++ /dev/null
@@ -1,1046 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSCKFWC_H
-#define NSSCKFWC_H
-
-#ifdef DEBUG
-static const char NSSCKFWC_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssckfwc.h
- *
- * This file prototypes all of the NSS Cryptoki Framework "wrapper"
- * which implement the PKCS#11 API. Technically, these are public
- * routines (with capital "NSS" prefixes), since they are called
- * from (generated) code within a Module using the Framework.
- * However, they should not be called except from those generated
- * calls. Hence, the prototypes have been split out into this file.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKMDT_H
-#include "nssckmdt.h"
-#endif /* NSSCKMDT_H */
-
-/*
- * NSSCKFWC_Initialize
- * NSSCKFWC_Finalize
- * NSSCKFWC_GetInfo
- * -- NSSCKFWC_GetFunctionList -- see the API insert file
- * NSSCKFWC_GetSlotList
- * NSSCKFWC_GetSlotInfo
- * NSSCKFWC_GetTokenInfo
- * NSSCKFWC_WaitForSlotEvent
- * NSSCKFWC_GetMechanismList
- * NSSCKFWC_GetMechanismInfo
- * NSSCKFWC_InitToken
- * NSSCKFWC_InitPIN
- * NSSCKFWC_SetPIN
- * NSSCKFWC_OpenSession
- * NSSCKFWC_CloseSession
- * NSSCKFWC_CloseAllSessions
- * NSSCKFWC_GetSessionInfo
- * NSSCKFWC_GetOperationState
- * NSSCKFWC_SetOperationState
- * NSSCKFWC_Login
- * NSSCKFWC_Logout
- * NSSCKFWC_CreateObject
- * NSSCKFWC_CopyObject
- * NSSCKFWC_DestroyObject
- * NSSCKFWC_GetObjectSize
- * NSSCKFWC_GetAttributeValue
- * NSSCKFWC_SetAttributeValue
- * NSSCKFWC_FindObjectsInit
- * NSSCKFWC_FindObjects
- * NSSCKFWC_FindObjectsFinal
- * NSSCKFWC_EncryptInit
- * NSSCKFWC_Encrypt
- * NSSCKFWC_EncryptUpdate
- * NSSCKFWC_EncryptFinal
- * NSSCKFWC_DecryptInit
- * NSSCKFWC_Decrypt
- * NSSCKFWC_DecryptUpdate
- * NSSCKFWC_DecryptFinal
- * NSSCKFWC_DigestInit
- * NSSCKFWC_Digest
- * NSSCKFWC_DigestUpdate
- * NSSCKFWC_DigestKey
- * NSSCKFWC_DigestFinal
- * NSSCKFWC_SignInit
- * NSSCKFWC_Sign
- * NSSCKFWC_SignUpdate
- * NSSCKFWC_SignFinal
- * NSSCKFWC_SignRecoverInit
- * NSSCKFWC_SignRecover
- * NSSCKFWC_VerifyInit
- * NSSCKFWC_Verify
- * NSSCKFWC_VerifyUpdate
- * NSSCKFWC_VerifyFinal
- * NSSCKFWC_VerifyRecoverInit
- * NSSCKFWC_VerifyRecover
- * NSSCKFWC_DigestEncryptUpdate
- * NSSCKFWC_DecryptDigestUpdate
- * NSSCKFWC_SignEncryptUpdate
- * NSSCKFWC_DecryptVerifyUpdate
- * NSSCKFWC_GenerateKey
- * NSSCKFWC_GenerateKeyPair
- * NSSCKFWC_WrapKey
- * NSSCKFWC_UnwrapKey
- * NSSCKFWC_DeriveKey
- * NSSCKFWC_SeedRandom
- * NSSCKFWC_GenerateRandom
- * NSSCKFWC_GetFunctionStatus
- * NSSCKFWC_CancelFunction
- */
-
-/*
- * NSSCKFWC_Initialize
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Initialize
-(
- NSSCKFWInstance **pFwInstance,
- NSSCKMDInstance *mdInstance,
- CK_VOID_PTR pInitArgs
-);
-
-/*
- * NSSCKFWC_Finalize
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Finalize
-(
- NSSCKFWInstance **pFwInstance
-);
-
-/*
- * NSSCKFWC_GetInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_INFO_PTR pInfo
-);
-
-/*
- * C_GetFunctionList is implemented entirely in the Module's file which
- * includes the Framework API insert file. It requires no "actual"
- * NSSCKFW routine.
- */
-
-/*
- * NSSCKFWC_GetSlotList
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetSlotList
-(
- NSSCKFWInstance *fwInstance,
- CK_BBOOL tokenPresent,
- CK_SLOT_ID_PTR pSlotList,
- CK_ULONG_PTR pulCount
-);
-
-/*
- * NSSCKFWC_GetSlotInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetSlotInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_SLOT_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_GetTokenInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetTokenInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_TOKEN_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_WaitForSlotEvent
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_WaitForSlotEvent
-(
- NSSCKFWInstance *fwInstance,
- CK_FLAGS flags,
- CK_SLOT_ID_PTR pSlot,
- CK_VOID_PTR pReserved
-);
-
-/*
- * NSSCKFWC_GetMechanismList
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetMechanismList
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE_PTR pMechanismList,
- CK_ULONG_PTR pulCount
-);
-
-/*
- * NSSCKFWC_GetMechanismInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetMechanismInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_InitToken
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_InitToken
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen,
- CK_CHAR_PTR pLabel
-);
-
-/*
- * NSSCKFWC_InitPIN
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_InitPIN
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen
-);
-
-/*
- * NSSCKFWC_SetPIN
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SetPIN
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pOldPin,
- CK_ULONG ulOldLen,
- CK_CHAR_PTR pNewPin,
- CK_ULONG ulNewLen
-);
-
-/*
- * NSSCKFWC_OpenSession
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_OpenSession
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_SESSION_HANDLE_PTR phSession
-);
-
-/*
- * NSSCKFWC_CloseSession
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CloseSession
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_CloseAllSessions
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CloseAllSessions
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID
-);
-
-/*
- * NSSCKFWC_GetSessionInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetSessionInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_SESSION_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_GetOperationState
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetOperationState
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState,
- CK_ULONG_PTR pulOperationStateLen
-);
-
-/*
- * NSSCKFWC_SetOperationState
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SetOperationState
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState,
- CK_ULONG ulOperationStateLen,
- CK_OBJECT_HANDLE hEncryptionKey,
- CK_OBJECT_HANDLE hAuthenticationKey
-);
-
-/*
- * NSSCKFWC_Login
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Login
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen
-);
-
-/*
- * NSSCKFWC_Logout
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Logout
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_CreateObject
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CreateObject
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phObject
-);
-
-/*
- * NSSCKFWC_CopyObject
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CopyObject
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phNewObject
-);
-
-/*
- * NSSCKFWC_DestroyObject
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DestroyObject
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject
-);
-
-/*
- * NSSCKFWC_GetObjectSize
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetObjectSize
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ULONG_PTR pulSize
-);
-
-/*
- * NSSCKFWC_GetAttributeValue
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetAttributeValue
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWC_SetAttributeValue
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SetAttributeValue
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWC_FindObjectsInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_FindObjectsInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWC_FindObjects
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_FindObjects
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG ulMaxObjectCount,
- CK_ULONG_PTR pulObjectCount
-);
-
-/*
- * NSSCKFWC_FindObjectsFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_FindObjectsFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_EncryptInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_EncryptInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Encrypt
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Encrypt
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pulEncryptedDataLen
-);
-
-/*
- * NSSCKFWC_EncryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_EncryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_EncryptFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_EncryptFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastEncryptedPart,
- CK_ULONG_PTR pulLastEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_DecryptInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Decrypt
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Decrypt
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG ulEncryptedDataLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen
-);
-
-/*
- * NSSCKFWC_DecryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen
-);
-
-/*
- * NSSCKFWC_DecryptFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastPart,
- CK_ULONG_PTR pulLastPartLen
-);
-
-/*
- * NSSCKFWC_DigestInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism
-);
-
-/*
- * NSSCKFWC_Digest
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Digest
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen
-);
-
-/*
- * NSSCKFWC_DigestUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen
-);
-
-/*
- * NSSCKFWC_DigestKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_DigestFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen
-);
-
-/*
- * NSSCKFWC_SignInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Sign
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Sign
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen
-);
-
-/*
- * NSSCKFWC_SignUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen
-);
-
-/*
- * NSSCKFWC_SignFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen
-);
-
-/*
- * NSSCKFWC_SignRecoverInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignRecoverInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_SignRecover
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignRecover
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen
-);
-
-/*
- * NSSCKFWC_VerifyInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Verify
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Verify
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen
-);
-
-/*
- * NSSCKFWC_VerifyUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen
-);
-
-/*
- * NSSCKFWC_VerifyFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen
-);
-
-/*
- * NSSCKFWC_VerifyRecoverInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyRecoverInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_VerifyRecover
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyRecover
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen
-);
-
-/*
- * NSSCKFWC_DigestEncryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestEncryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_DecryptDigestUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptDigestUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen
-);
-
-/*
- * NSSCKFWC_SignEncryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignEncryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_DecryptVerifyUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptVerifyUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen
-);
-
-/*
- * NSSCKFWC_GenerateKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GenerateKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey
-);
-
-/*
- * NSSCKFWC_GenerateKeyPair
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GenerateKeyPair
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG ulPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG ulPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPublicKey,
- CK_OBJECT_HANDLE_PTR phPrivateKey
-);
-
-/*
- * NSSCKFWC_WrapKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_WrapKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hWrappingKey,
- CK_OBJECT_HANDLE hKey,
- CK_BYTE_PTR pWrappedKey,
- CK_ULONG_PTR pulWrappedKeyLen
-);
-
-/*
- * NSSCKFWC_UnwrapKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_UnwrapKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hUnwrappingKey,
- CK_BYTE_PTR pWrappedKey,
- CK_ULONG ulWrappedKeyLen,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey
-);
-
-/*
- * NSSCKFWC_DeriveKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DeriveKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hBaseKey,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey
-);
-
-/*
- * NSSCKFWC_SeedRandom
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SeedRandom
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSeed,
- CK_ULONG ulSeedLen
-);
-
-/*
- * NSSCKFWC_GenerateRandom
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GenerateRandom
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pRandomData,
- CK_ULONG ulRandomLen
-);
-
-/*
- * NSSCKFWC_GetFunctionStatus
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetFunctionStatus
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_CancelFunction
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CancelFunction
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-);
-
-#endif /* NSSCKFWC_H */
diff --git a/security/nss/lib/ckfw/nssckfwt.h b/security/nss/lib/ckfw/nssckfwt.h
deleted file mode 100644
index 13be0f325..000000000
--- a/security/nss/lib/ckfw/nssckfwt.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSCKFWT_H
-#define NSSCKFWT_H
-
-#ifdef DEBUG
-static const char NSSCKFWT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssckfwt.h
- *
- * This file declares the public types used by the NSS Cryptoki Framework.
- */
-
-/*
- * NSSCKFWInstance
- *
- */
-
-struct NSSCKFWInstanceStr;
-typedef struct NSSCKFWInstanceStr NSSCKFWInstance;
-
-/*
- * NSSCKFWSlot
- *
- */
-
-struct NSSCKFWSlotStr;
-typedef struct NSSCKFWSlotStr NSSCKFWSlot;
-
-/*
- * NSSCKFWToken
- *
- */
-
-struct NSSCKFWTokenStr;
-typedef struct NSSCKFWTokenStr NSSCKFWToken;
-
-/*
- * NSSCKFWMechanism
- *
- */
-
-struct NSSCKFWMechanismStr;
-typedef struct NSSCKFWMechanismStr NSSCKFWMechanism;
-
-/*
- * NSSCKFWSession
- *
- */
-
-struct NSSCKFWSessionStr;
-typedef struct NSSCKFWSessionStr NSSCKFWSession;
-
-/*
- * NSSCKFWObject
- *
- */
-
-struct NSSCKFWObjectStr;
-typedef struct NSSCKFWObjectStr NSSCKFWObject;
-
-/*
- * NSSCKFWFindObjects
- *
- */
-
-struct NSSCKFWFindObjectsStr;
-typedef struct NSSCKFWFindObjectsStr NSSCKFWFindObjects;
-
-/*
- * NSSCKFWMutex
- *
- */
-
-struct NSSCKFWMutexStr;
-typedef struct NSSCKFWMutexStr NSSCKFWMutex;
-
-#endif /* NSSCKFWT_H */
diff --git a/security/nss/lib/ckfw/nssckmdt.h b/security/nss/lib/ckfw/nssckmdt.h
deleted file mode 100644
index d45a089d2..000000000
--- a/security/nss/lib/ckfw/nssckmdt.h
+++ /dev/null
@@ -1,2014 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSCKMDT_H
-#define NSSCKMDT_H
-
-#ifdef DEBUG
-static const char NSSCKMDT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nssckmdt.h
- *
- * This file specifies the basic types that must be implemented by
- * any Module using the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-typedef struct NSSCKMDInstanceStr NSSCKMDInstance;
-typedef struct NSSCKMDSlotStr NSSCKMDSlot;
-typedef struct NSSCKMDTokenStr NSSCKMDToken;
-typedef struct NSSCKMDSessionStr NSSCKMDSession;
-typedef struct NSSCKMDFindObjectsStr NSSCKMDFindObjects;
-typedef struct NSSCKMDMechanismStr NSSCKMDMechanism;
-typedef struct NSSCKMDObjectStr NSSCKMDObject;
-
-/*
- * NSSCKMDInstance
- *
- * This is the basic handle for an instance of a PKCS#11 Module.
- * It is returned by the Module's CreateInstance routine, and
- * may be obtained from the corresponding NSSCKFWInstance object.
- * It contains a pointer for use by the Module, to store any
- * instance-related data, and it contains the EPV for a set of
- * routines which the Module may implement for use by the Framework.
- * Some of these routines are optional; others are mandatory.
- */
-
-struct NSSCKMDInstanceStr {
- /*
- * The Module may use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine is called by the Framework to initialize
- * the Module. This routine is optional; if unimplemented,
- * it won't be called. If this routine returns an error,
- * then the initialization will fail.
- */
- CK_RV (PR_CALLBACK *Initialize)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSUTF8 *configurationData
- );
-
- /*
- * This routine is called when the Framework is finalizing
- * the PKCS#11 Module. It is the last thing called before
- * the NSSCKFWInstance's NSSArena is destroyed. This routine
- * is optional; if unimplemented, it merely won't be called.
- */
- void (PR_CALLBACK *Finalize)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine gets the number of slots. This value must
- * never change, once the instance is initialized. This
- * routine must be implemented. It may return zero on error.
- */
- CK_ULONG (PR_CALLBACK *GetNSlots)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns the version of the Cryptoki standard
- * to which this Module conforms. This routine is optional;
- * if unimplemented, the Framework uses the version to which
- * ~it~ was implemented.
- */
- CK_VERSION (PR_CALLBACK *GetCryptokiVersion)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing the manufacturer ID for this Module. Only
- * the characters completely encoded in the first thirty-
- * two bytes are significant. This routine is optional.
- * The string returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing a description of this Module library. Only
- * the characters completely encoded in the first thirty-
- * two bytes are significant. This routine is optional.
- * The string returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetLibraryDescription)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns the version of this Module library.
- * This routine is optional; if unimplemented, the Framework
- * will assume a Module library version of 0.1.
- */
- CK_VERSION (PR_CALLBACK *GetLibraryVersion)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if the Module wishes to
- * handle session objects. This routine is optional.
- * If this routine is NULL, or if it exists but returns
- * CK_FALSE, the Framework will assume responsibility
- * for managing session objects.
- */
- CK_BBOOL (PR_CALLBACK *ModuleHandlesSessionObjects)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine stuffs pointers to NSSCKMDSlot objects into
- * the specified array; one for each slot supported by this
- * instance. The Framework will determine the size needed
- * for the array by calling GetNSlots. This routine is
- * required.
- */
- CK_RV (PR_CALLBACK *GetSlots)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDSlot *slots[]
- );
-
- /*
- * This call returns a pointer to the slot in which an event
- * has occurred. If the block argument is CK_TRUE, the call
- * should block until a slot event occurs; if CK_FALSE, it
- * should check to see if an event has occurred, occurred,
- * but return NULL (and set *pError to CK_NO_EVENT) if one
- * hasn't. This routine is optional; if unimplemented, the
- * Framework will assume that no event has happened. This
- * routine may return NULL upon error.
- */
- NSSCKMDSlot *(PR_CALLBACK *WaitForSlotEvent)(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_BBOOL block,
- CK_RV *pError
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-
-/*
- * NSSCKMDSlot
- *
- * This is the basic handle for a PKCS#11 Module Slot. It is
- * created by the NSSCKMDInstance->GetSlots call, and may be
- * obtained from the Framework's corresponding NSSCKFWSlot
- * object. It contains a pointer for use by the Module, to
- * store any slot-related data, and it contains the EPV for
- * a set of routines which the Module may implement for use
- * by the Framework. Some of these routines are optional.
- */
-
-struct NSSCKMDSlotStr {
- /*
- * The Module may use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine is called during the Framework initialization
- * step, after the Framework Instance has obtained the list
- * of slots (by calling NSSCKMDInstance->GetSlots). Any slot-
- * specific initialization can be done here. This routine is
- * optional; if unimplemented, it won't be called. Note that
- * if this routine returns an error, the entire Framework
- * initialization for this Module will fail.
- */
- CK_RV (PR_CALLBACK *Initialize)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine is called when the Framework is finalizing
- * the PKCS#11 Module. This call (for each of the slots)
- * is the last thing called before NSSCKMDInstance->Finalize.
- * This routine is optional; if unimplemented, it merely
- * won't be called. Note: In the rare circumstance that
- * the Framework initialization cannot complete (due to,
- * for example, memory limitations), this can be called with
- * a NULL value for fwSlot.
- */
- void (PR_CALLBACK *Destroy)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing a description of this slot. Only the characters
- * completely encoded in the first sixty-four bytes are
- * significant. This routine is optional. The string
- * returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetSlotDescription)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing a description of the manufacturer of this slot.
- * Only the characters completely encoded in the first thirty-
- * two bytes are significant. This routine is optional.
- * The string returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns CK_TRUE if a token is present in this
- * slot. This routine is optional; if unimplemented, CK_TRUE
- * is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetTokenPresent)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if the slot supports removable
- * tokens. This routine is optional; if unimplemented, CK_FALSE
- * is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetRemovableDevice)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if this slot is a hardware
- * device, or CK_FALSE if this slot is a software device. This
- * routine is optional; if unimplemented, CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetHardwareSlot)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the version of this slot's hardware.
- * This routine is optional; if unimplemented, the Framework
- * will assume a hardware version of 0.1.
- */
- CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the version of this slot's firmware.
- * This routine is optional; if unimplemented, the Framework
- * will assume a hardware version of 0.1.
- */
- CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine should return a pointer to an NSSCKMDToken
- * object corresponding to the token in the specified slot.
- * The NSSCKFWToken object passed in has an NSSArena
- * available which is dedicated for this token. This routine
- * must be implemented. This routine may return NULL upon
- * error.
- */
- NSSCKMDToken *(PR_CALLBACK *GetToken)(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-/*
- * NSSCKMDToken
- *
- * This is the basic handle for a PKCS#11 Token. It is created by
- * the NSSCKMDSlot->GetToken call, and may be obtained from the
- * Framework's corresponding NSSCKFWToken object. It contains a
- * pointer for use by the Module, to store any token-related
- * data, and it contains the EPV for a set of routines which the
- * Module may implement for use by the Framework. Some of these
- * routines are optional.
- */
-
-struct NSSCKMDTokenStr {
- /*
- * The Module may use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine is used to prepare a Module token object for
- * use. It is called after the NSSCKMDToken object is obtained
- * from NSSCKMDSlot->GetToken. It is named "Setup" here because
- * Cryptoki already defines "InitToken" to do the process of
- * wiping out any existing state on a token and preparing it for
- * a new use. This routine is optional; if unimplemented, it
- * merely won't be called.
- */
- CK_RV (PR_CALLBACK *Setup)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine is called by the Framework whenever it notices
- * that the token object is invalid. (Typically this is when a
- * routine indicates an error such as CKR_DEVICE_REMOVED). This
- * call is the last thing called before the NSSArena in the
- * corresponding NSSCKFWToken is destroyed. This routine is
- * optional; if unimplemented, it merely won't be called.
- */
- void (PR_CALLBACK *Invalidate)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine initialises the token in the specified slot.
- * This routine is optional; if unimplemented, the Framework
- * will fail this operation with an error of CKR_DEVICE_ERROR.
- */
-
- CK_RV (PR_CALLBACK *InitToken)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *pin,
- NSSUTF8 *label
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing this token's label. Only the characters
- * completely encoded in the first thirty-two bytes are
- * significant. This routine is optional. The string
- * returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetLabel)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing this token's manufacturer ID. Only the characters
- * completely encoded in the first thirty-two bytes are
- * significant. This routine is optional. The string
- * returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing this token's model name. Only the characters
- * completely encoded in the first thirty-two bytes are
- * significant. This routine is optional. The string
- * returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetModel)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns a pointer to a UTF8-encoded string
- * containing this token's serial number. Only the characters
- * completely encoded in the first thirty-two bytes are
- * significant. This routine is optional. The string
- * returned is never freed; if dynamically generated,
- * the space for it should be allocated from the NSSArena
- * that may be obtained from the NSSCKFWInstance. This
- * routine may return NULL upon error; however if *pError
- * is CKR_OK, the NULL will be considered the valid response.
- */
- NSSUTF8 *(PR_CALLBACK *GetSerialNumber)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns CK_TRUE if the token has its own
- * random number generator. This routine is optional; if
- * unimplemented, CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetHasRNG)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if this token is write-protected.
- * This routine is optional; if unimplemented, CK_FALSE is
- * assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetIsWriteProtected)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if this token requires a login.
- * This routine is optional; if unimplemented, CK_FALSE is
- * assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetLoginRequired)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if the normal user's PIN on this
- * token has been initialised. This routine is optional; if
- * unimplemented, CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetUserPinInitialized)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if a successful save of a
- * session's cryptographic operations state ~always~ contains
- * all keys needed to restore the state of the session. This
- * routine is optional; if unimplemented, CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetRestoreKeyNotNeeded)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if the token has its own
- * hardware clock. This routine is optional; if unimplemented,
- * CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetHasClockOnToken)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if the token has a protected
- * authentication path. This routine is optional; if
- * unimplemented, CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetHasProtectedAuthenticationPath)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns CK_TRUE if the token supports dual
- * cryptographic operations within a single session. This
- * routine is optional; if unimplemented, CK_FALSE is assumed.
- */
- CK_BBOOL (PR_CALLBACK *GetSupportsDualCryptoOperations)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * XXX fgmr-- should we have a call to return all the flags
- * at once, for folks who already know about Cryptoki?
- */
-
- /*
- * This routine returns the maximum number of sessions that
- * may be opened on this token. This routine is optional;
- * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
- * is assumed. XXX fgmr-- or CK_EFFECTIVELY_INFINITE?
- */
- CK_ULONG (PR_CALLBACK *GetMaxSessionCount)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the maximum number of read/write
- * sesisons that may be opened on this token. This routine
- * is optional; if unimplemented, the special value
- * CK_UNAVAILABLE_INFORMATION is assumed. XXX fgmr-- or
- * CK_EFFECTIVELY_INFINITE?
- */
- CK_ULONG (PR_CALLBACK *GetMaxRwSessionCount)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the maximum PIN code length that is
- * supported on this token. This routine is optional;
- * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
- * is assumed.
- */
- CK_ULONG (PR_CALLBACK *GetMaxPinLen)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the minimum PIN code length that is
- * supported on this token. This routine is optional; if
- * unimplemented, the special value CK_UNAVAILABLE_INFORMATION
- * is assumed. XXX fgmr-- or 0?
- */
- CK_ULONG (PR_CALLBACK *GetMinPinLen)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the total amount of memory on the token
- * in which public objects may be stored. This routine is
- * optional; if unimplemented, the special value
- * CK_UNAVAILABLE_INFORMATION is assumed.
- */
- CK_ULONG (PR_CALLBACK *GetTotalPublicMemory)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the amount of unused memory on the
- * token in which public objects may be stored. This routine
- * is optional; if unimplemented, the special value
- * CK_UNAVAILABLE_INFORMATION is assumed.
- */
- CK_ULONG (PR_CALLBACK *GetFreePublicMemory)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the total amount of memory on the token
- * in which private objects may be stored. This routine is
- * optional; if unimplemented, the special value
- * CK_UNAVAILABLE_INFORMATION is assumed.
- */
- CK_ULONG (PR_CALLBACK *GetTotalPrivateMemory)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the amount of unused memory on the
- * token in which private objects may be stored. This routine
- * is optional; if unimplemented, the special value
- * CK_UNAVAILABLE_INFORMATION is assumed.
- */
- CK_ULONG (PR_CALLBACK *GetFreePrivateMemory)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the version number of this token's
- * hardware. This routine is optional; if unimplemented,
- * the value 0.1 is assumed.
- */
- CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the version number of this token's
- * firmware. This routine is optional; if unimplemented,
- * the value 0.1 is assumed.
- */
- CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine stuffs the current UTC time, as obtained from
- * the token, into the sixteen-byte buffer in the form
- * YYYYMMDDhhmmss00. This routine need only be implemented
- * by token which indicate that they have a real-time clock.
- * XXX fgmr-- think about time formats.
- */
- CK_RV (PR_CALLBACK *GetUTCTime)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_CHAR utcTime[16]
- );
-
- /*
- * This routine creates a session on the token, and returns
- * the corresponding NSSCKMDSession object. The value of
- * rw will be CK_TRUE if the session is to be a read/write
- * session, or CK_FALSE otherwise. An NSSArena dedicated to
- * the new session is available from the specified NSSCKFWSession.
- * This routine may return NULL upon error.
- */
- NSSCKMDSession *(PR_CALLBACK *OpenSession)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession,
- CK_BBOOL rw,
- CK_RV *pError
- );
-
- /*
- * This routine returns the number of PKCS#11 Mechanisms
- * supported by this token. This routine is optional; if
- * unimplemented, zero is assumed.
- */
- CK_ULONG (PR_CALLBACK *GetMechanismCount)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine stuffs into the specified array the types
- * of the mechanisms supported by this token. The Framework
- * determines the size of the array by calling GetMechanismCount.
- */
- CK_RV (PR_CALLBACK *GetMechanismTypes)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_MECHANISM_TYPE types[]
- );
-
- /*
- * This routine returns a pointer to a Module mechanism
- * object corresponding to a specified type. This routine
- * need only exist for tokens implementing at least one
- * mechanism.
- */
- NSSCKMDMechanism *(PR_CALLBACK *GetMechanism)(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWMechanism *fwMechanism,
- CK_MECHANISM_TYPE which
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-/*
- * NSSCKMDSession
- *
- * This is the basic handle for a session on a PKCS#11 Token. It
- * is created by NSSCKMDToken->OpenSession, and may be obtained
- * from the Framework's corresponding NSSCKFWSession object. It
- * contains a pointer for use by the Module, to store any session-
- * realted data, and it contains the EPV for a set of routines
- * which the Module may implement for use by the Framework. Some
- * of these routines are optional.
- */
-
-struct NSSCKMDSessionStr {
- /*
- * The Module may use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine is called by the Framework when a session is
- * closed. This call is the last thing called before the
- * NSSArena in the correspoinding NSSCKFWSession is destroyed.
- * This routine is optional; if unimplemented, it merely won't
- * be called.
- */
- void (PR_CALLBACK *Close)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine is used to get any device-specific error.
- * This routine is optional.
- */
- CK_ULONG (PR_CALLBACK *GetDeviceError)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine is used to log in a user to the token. This
- * routine is optional, since the Framework's NSSCKFWSession
- * object keeps track of the login state.
- */
- CK_RV (PR_CALLBACK *Login)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_USER_TYPE userType,
- NSSItem *pin,
- CK_STATE oldState,
- CK_STATE newState
- );
-
- /*
- * This routine is used to log out a user from the token. This
- * routine is optional, since the Framework's NSSCKFWSession
- * object keeps track of the login state.
- */
- CK_RV (PR_CALLBACK *Logout)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_STATE oldState,
- CK_STATE newState
- );
-
- /*
- * This routine is used to initialize the normal user's PIN or
- * password. This will only be called in the "read/write
- * security officer functions" state. If this token has a
- * protected authentication path, then the pin argument will
- * be NULL. This routine is optional; if unimplemented, the
- * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
- */
- CK_RV (PR_CALLBACK *InitPIN)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *pin
- );
-
- /*
- * This routine is used to modify a user's PIN or password. This
- * routine will only be called in the "read/write security officer
- * functions" or "read/write user functions" state. If this token
- * has a protected authentication path, then the pin arguments
- * will be NULL. This routine is optional; if unimplemented, the
- * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
- */
- CK_RV (PR_CALLBACK *SetPIN)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *oldPin,
- NSSItem *newPin
- );
-
- /*
- * This routine is used to find out how much space would be required
- * to save the current operational state. This routine is optional;
- * if unimplemented, the Framework will reject any attempts to save
- * the operational state with the error CKR_STATE_UNSAVEABLE. This
- * routine may return zero on error.
- */
- CK_ULONG (PR_CALLBACK *GetOperationStateLen)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine is used to store the current operational state. This
- * routine is only required if GetOperationStateLen is implemented
- * and can return a nonzero value. The buffer in the specified item
- * will be pre-allocated, and the length will specify the amount of
- * space available (which may be more than GetOperationStateLen
- * asked for, but which will not be smaller).
- */
- CK_RV (PR_CALLBACK *GetOperationState)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- * This routine is used to restore an operational state previously
- * obtained with GetOperationState. The Framework will take pains
- * to be sure that the state is (or was at one point) valid; if the
- * Module notices that the state is invalid, it should return an
- * error, but it is not required to be paranoid about the issue.
- * [XXX fgmr-- should (can?) the framework verify the keys match up?]
- * This routine is required only if GetOperationState is implemented.
- */
- CK_RV (PR_CALLBACK *SetOperationState)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *state,
- NSSCKMDObject *mdEncryptionKey,
- NSSCKFWObject *fwEncryptionKey,
- NSSCKMDObject *mdAuthenticationKey,
- NSSCKFWObject *fwAuthenticationKey
- );
-
- /*
- * This routine is used to create an object. The specified template
- * will only specify a session object if the Module has indicated
- * that it wishes to handle its own session objects. This routine
- * is optional; if unimplemented, the Framework will reject the
- * operation with the error CKR_TOKEN_WRITE_PROTECTED. Space for
- * token objects should come from the NSSArena available from the
- * NSSCKFWToken object; space for session objects (if supported)
- * should come from the NSSArena available from the NSSCKFWSession
- * object. The appropriate NSSArena pointer will, as a convenience,
- * be passed as the handyArenaPointer argument. This routine may
- * return NULL upon error.
- */
- NSSCKMDObject *(PR_CALLBACK *CreateObject)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *handyArenaPointer,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
- );
-
- /*
- * This routine is used to make a copy of an object. It is entirely
- * optional; if unimplemented, the Framework will try to use
- * CreateObject instead. If the Module has indicated that it does
- * not wish to handle session objects, then this routine will only
- * be called to copy a token object to another token object.
- * Otherwise, either the original object or the new may be of
- * either the token or session variety. As with CreateObject, the
- * handyArenaPointer will point to the appropriate arena for the
- * new object. This routine may return NULL upon error.
- */
- NSSCKMDObject *(PR_CALLBACK *CopyObject)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdOldObject,
- NSSCKFWObject *fwOldObject,
- NSSArena *handyArenaPointer,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
- );
-
- /*
- * This routine is used to begin an object search. This routine may
- * be unimplemented only if the Module does not handle session
- * objects, and if none of its tokens have token objects. The
- * NSSCKFWFindObjects pointer has an NSSArena that may be used for
- * storage for the life of this "find" operation. This routine may
- * return NULL upon error. If the Module can determine immediately
- * that the search will not find any matching objects, it may return
- * NULL, and specify CKR_OK as the error.
- */
- NSSCKMDFindObjects *(PR_CALLBACK *FindObjectsInit)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
- );
-
- /*
- * This routine seeds the random-number generator. It is
- * optional, even if GetRandom is implemented. If unimplemented,
- * the Framework will issue the error CKR_RANDOM_SEED_NOT_SUPPORTED.
- */
- CK_RV (PR_CALLBACK *SeedRandom)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *seed
- );
-
- /*
- * This routine gets random data. It is optional. If unimplemented,
- * the Framework will issue the error CKR_RANDOM_NO_RNG.
- */
- CK_RV (PR_CALLBACK *GetRandom)(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-/*
- * NSSCKMDFindObjects
- *
- * This is the basic handle for an object search. It is
- * created by NSSCKMDSession->FindObjectsInit, and may be
- * obtained from the Framework's corresponding object.
- * It contains a pointer for use by the Module, to store
- * any search-related data, and it contains the EPV for a
- * set of routines which the Module may implement for use
- * by the Framework. Some of these routines are optional.
- */
-
-struct NSSCKMDFindObjectsStr {
- /*
- * The Module may use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine is called by the Framework to finish a
- * search operation. Note that the Framework may finish
- * a search before it has completed. This routine is
- * optional; if unimplemented, it merely won't be called.
- */
- void (PR_CALLBACK *Final)(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine is used to obtain another pointer to an
- * object matching the search criteria. This routine is
- * required. If no (more) objects match the search, it
- * should return NULL and set the error to CKR_OK.
- */
- NSSCKMDObject *(PR_CALLBACK *Next)(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-/*
- * NSSCKMDMechanism
- *
- */
-
-struct NSSCKMDMechanismStr {
- /*
- * The Module may use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine returns the minimum key size allowed for
- * this mechanism. This routine is optional; if unimplemented,
- * zero will be assumed. This routine may return zero on
- * error; if the error is CKR_OK, zero will be accepted as
- * a valid response.
- */
- CK_ULONG (PR_CALLBACK *GetMinKeySize)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine returns the maximum key size allowed for
- * this mechanism. This routine is optional; if unimplemented,
- * zero will be assumed. This routine may return zero on
- * error; if the error is CKR_OK, zero will be accepted as
- * a valid response.
- */
- CK_ULONG (PR_CALLBACK *GetMaxKeySize)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine is called to determine if the mechanism is
- * implemented in hardware or software. It returns CK_TRUE
- * if it is done in hardware.
- */
- CK_BBOOL (PR_CALLBACK *GetInHardware)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * The crypto routines themselves. Most crypto operations may
- * be performed in two ways, streaming and single-part. The
- * streaming operations involve the use of (typically) three
- * calls-- an Init method to set up the operation, an Update
- * method to feed data to the operation, and a Final method to
- * obtain the final result. Single-part operations involve
- * one method, to perform the crypto operation all at once.
- * The NSS Cryptoki Framework can implement the single-part
- * operations in terms of the streaming operations on behalf
- * of the Module. There are a few variances.
- *
- * For simplicity, the routines are listed in summary here:
- *
- * EncryptInit, EncryptUpdate, EncryptFinal; Encrypt
- * DecryptInit, DecryptUpdate, DecryptFinal; Decrypt
- * DigestInit, DigestUpdate, DigestKey, DigestFinal; Digest
- * SignInit, SignUpdate, SignFinal; Sign
- * SignRecoverInit; SignRecover
- * VerifyInit, VerifyUpdate, VerifyFinal; Verify
- * VerifyRecoverInit; VerifyRecover
- *
- * Also, there are some combined-operation calls:
- *
- * DigestEncryptUpdate
- * DecryptDigestUpdate
- * SignEncryptUpdate
- * DecryptVerifyUpdate
- *
- * The key-management routines are
- *
- * GenerateKey
- * GenerateKeyPair
- * WrapKey
- * UnwrapKey
- * DeriveKey
- *
- * All of these routines based directly on the Cryptoki API;
- * see PKCS#11 for further information.
- */
-
- /*
- */
- CK_RV (PR_CALLBACK *EncryptInit)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *EncryptUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *EncryptFinal)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *Encrypt)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DecryptInit)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DecryptUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DecryptFinal)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *Decrypt)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DigestInit)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DigestUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DigestKey)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DigestFinal)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *Digest)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *SignInit)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *SignUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *SignFinal)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *Sign)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *VerifyInit)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *key
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *VerifyUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *VerifyFinish)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *Verify)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWObject *key,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *SignRecover)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *VerifyRecover)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DigestEncryptUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DecryptDigestUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *SignEncryptUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- */
- CK_RV (PR_CALLBACK *DecryptVerifyUpdate)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSItem *data,
- NSSItem *buffer
- );
-
- /*
- * Key management operations.
- */
-
- /*
- * This routine generates a key. This routine may return NULL
- * upon error.
- */
- NSSCKMDObject *(PR_CALLBACK *GenerateKey)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
- );
-
- /*
- * This routine generates a key pair.
- */
- CK_RV (PR_CALLBACK *GenerateKeyPair)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG ulPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG ulPrivateKeyAttributeCount,
- NSSCKMDObject **pPublicKey,
- NSSCKMDObject **pPrivateKey
- );
-
- /*
- * This routine wraps a key.
- */
- CK_RV (PR_CALLBACK *WrapKey)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdWrappingKey,
- NSSCKFWObject *fwWrappingKey,
- NSSCKMDObject *mdWrappedKey,
- NSSCKFWObject *fwWrappedKey,
- NSSItem *buffer
- );
-
- /*
- * This routine unwraps a key. This routine may return NULL
- * upon error.
- */
- NSSCKMDObject *(PR_CALLBACK *UnwrapKey)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdWrappingKey,
- NSSCKFWObject *fwWrappingKey,
- NSSItem *wrappedKey,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
- );
-
- /*
- * This routine derives a key. This routine may return NULL
- * upon error.
- */
- NSSCKMDObject *(PR_CALLBACK *DeriveKey)(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdBaseKey,
- NSSCKFWObject *fwBaseKey,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-/*
- * NSSCKMDObject
- *
- * This is the basic handle for any object used by a PKCS#11 Module.
- * Modules must implement it if they support their own objects, and
- * the Framework supports it for Modules that do not handle session
- * objects. This type contains a pointer for use by the implementor,
- * to store any object-specific data, and it contains an EPV for a
- * set of routines used to access the object.
- */
-
-struct NSSCKMDObjectStr {
- /*
- * The implementation my use this pointer for its own purposes.
- */
- void *etc;
-
- /*
- * This routine is called by the Framework when it is letting
- * go of an object handle. It can be used by the Module to
- * free any resources tied up by an object "in use." It is
- * optional.
- */
- void (PR_CALLBACK *Finalize)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine is used to completely destroy an object.
- * It is optional. The parameter fwObject might be NULL
- * if the framework runs out of memory at the wrong moment.
- */
- CK_RV (PR_CALLBACK *Destroy)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This helper routine is used by the Framework, and is especially
- * useful when it is managing session objects on behalf of the
- * Module. This routine is optional; if unimplemented, the
- * Framework will actually look up the CKA_TOKEN attribute. In the
- * event of an error, just make something up-- the Framework will
- * find out soon enough anyway.
- */
- CK_BBOOL (PR_CALLBACK *IsTokenObject)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
- );
-
- /*
- * This routine returns the number of attributes of which this
- * object consists. It is mandatory. It can return zero on
- * error.
- */
- CK_ULONG (PR_CALLBACK *GetAttributeCount)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This routine stuffs the attribute types into the provided array.
- * The array size (as obtained from GetAttributeCount) is passed in
- * as a check; return CKR_BUFFER_TOO_SMALL if the count is wrong
- * (either too big or too small).
- */
- CK_RV (PR_CALLBACK *GetAttributeTypes)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
- );
-
- /*
- * This routine returns the size (in bytes) of the specified
- * attribute. It can return zero on error.
- */
- CK_ULONG (PR_CALLBACK *GetAttributeSize)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
- );
-
- /*
- * This routine returns the specified attribute. It can return
- * NULL upon error. The pointer in the item will not be freed;
- * any host memory required should come from the object's arena
- * (which is likely the Framework's token or session arena).
- * It may return NULL on error.
- */
- NSSItem *(PR_CALLBACK *GetAttribute)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
- );
-
- /*
- * This routine changes the specified attribute. If unimplemented,
- * the object will be considered read-only.
- */
- CK_RV (PR_CALLBACK *SetAttribute)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value
- );
-
- /*
- * This routine returns the storage requirements of this object,
- * in bytes. Cryptoki doesn't strictly define the definition,
- * but it should relate to the values returned by the "Get Memory"
- * routines of the NSSCKMDToken. This routine is optional; if
- * unimplemented, the Framework will consider this information
- * sensitive. This routine may return zero on error. If the
- * specified error is CKR_OK, zero will be accepted as a valid
- * response.
- */
- CK_ULONG (PR_CALLBACK *GetObjectSize)(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
- );
-
- /*
- * This object may be extended in future versions of the
- * NSS Cryptoki Framework. To allow for some flexibility
- * in the area of binary compatibility, this field should
- * be NULL.
- */
- void *null;
-};
-
-
-#endif /* NSSCKMDT_H */
diff --git a/security/nss/lib/ckfw/nssckp.h b/security/nss/lib/ckfw/nssckp.h
deleted file mode 100644
index 502e18408..000000000
--- a/security/nss/lib/ckfw/nssckp.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * This file is in part derived from a file "pkcs11t.h" made available
- * by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11t.h
- */
-
-#ifndef NSSCKP_H
-#define NSSCKP_H
-
-#ifdef DEBUG
-static const char NSSCKP_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#endif /* NSSCKP_H */
-
-/*
- * These platform-dependent packing rules are required by all PKCS#11
- * modules, to be binary compatible. These rules have been placed in
- * separate header files (nssckp.h to enable the packing, nsscku.h to
- * disable) for consistancy. These files can be included many times,
- * so the bodies should *NOT* be in the multiple-inclusion-preventing
- * #ifndef/#endif area above.
- */
-
-/*
- * WIN32 is defined (when appropriate) in NSPR's prcpucfg.h.
- */
-
-#ifdef WIN32
-#pragma warning(disable:4103)
-#pragma pack(push, cryptoki, 1)
-#endif /* WIN32 */
-
-/* End of nssckp.h */
diff --git a/security/nss/lib/ckfw/nssckt.h b/security/nss/lib/ckfw/nssckt.h
deleted file mode 100644
index f2bf36f1d..000000000
--- a/security/nss/lib/ckfw/nssckt.h
+++ /dev/null
@@ -1,1123 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * This file is in part derived from a file "pkcs11t.h" made available
- * by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11t.h
- *
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security Inc Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- *
- */
-
-#ifndef NSSCKT_H
-#define NSSCKT_H
-
-#ifdef DEBUG
-static const char NSSCKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "nspr.h"
-
-/*
- * nssckt.h
- *
- * This file contains the type definitions for Cryptoki (PKCS#11).
- * These definitions are taken from the RSA Standard.
- *
- * NOTE: Unlike most things in NSS, there are public types and
- * preprocessor definitions which do *NOT* begin with NSS-- rather,
- * they begin with CK, as per the standard.
- */
-
-#ifndef CK_FALSE
-#define CK_FALSE 0
-#endif
-
-#ifndef CK_TRUE
-#define CK_TRUE (!CK_FALSE)
-#endif
-
-#define CK_PTR *
-#define CK_NULL_PTR 0
-#define CK_CALLBACK_FUNCTION(rv,func) rv (PR_CALLBACK * func)
-#define CK_DECLARE_FUNCTION(rv,func) NSS_EXTERN rv func
-#define CK_DECLARE_FUNCTION_POINTER(rv,func) rv (PR_CALLBACK * func)
-
-/* an unsigned 8-bit value */
-typedef unsigned char CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE CK_CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE CK_BBOOL;
-
-/* an unsigned value, at least 16 bits long */
-typedef unsigned short int CK_USHORT;
-
-/* a signed value, the same size as a CK_USHORT */
-typedef short int CK_SHORT;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
-typedef long int CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE 0
-
-
-typedef CK_BYTE CK_PTR CK_BYTE_PTR;
-typedef CK_CHAR CK_PTR CK_CHAR_PTR;
-typedef CK_ULONG CK_PTR CK_ULONG_PTR;
-typedef void CK_PTR CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
-
-#define CK_ENTRY
-
-/* pack */
-#include "nssckp.h"
-
-typedef struct CK_VERSION {
- CK_BYTE major; /* integer portion of version number */
- CK_BYTE minor; /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
- CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_FLAGS flags; /* must be zero */
-
- /* libraryDescription and libraryVersion are new for v2.0 */
- CK_CHAR libraryDescription[32]; /* blank padded */
- CK_VERSION libraryVersion; /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * Cryptoki provides to an application */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER 0
-
-
-typedef CK_ULONG CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
- CK_CHAR slotDescription[64]; /* blank padded */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_FLAGS flags;
-
- /* hardwareVersion and firmwareVersion are new for v2.0 */
- CK_VERSION hardwareVersion; /* version of hardware */
- CK_VERSION firmwareVersion; /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- * Bit Flag Mask Meaning
- */
-#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
-#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
-#define CKF_HW_SLOT 0x00000004 /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
- CK_CHAR label[32]; /* blank padded */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_CHAR model[16]; /* blank padded */
- CK_CHAR serialNumber[16]; /* blank padded */
- CK_FLAGS flags; /* see below */
-
- /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
- * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
- * changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulMaxSessionCount; /* max open sessions */
- CK_ULONG ulSessionCount; /* sess. now open */
- CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
- CK_ULONG ulRwSessionCount; /* R/W sess. now open */
- CK_ULONG ulMaxPinLen; /* in bytes */
- CK_ULONG ulMinPinLen; /* in bytes */
- CK_ULONG ulTotalPublicMemory; /* in bytes */
- CK_ULONG ulFreePublicMemory; /* in bytes */
- CK_ULONG ulTotalPrivateMemory; /* in bytes */
- CK_ULONG ulFreePrivateMemory; /* in bytes */
-
- /* hardwareVersion, firmwareVersion, and time are new for
- * v2.0 */
- CK_VERSION hardwareVersion; /* version of hardware */
- CK_VERSION firmwareVersion; /* version of firmware */
- CK_CHAR utcTime[16]; /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- * Bit Flag Mask Meaning
- */
-#define CKF_RNG 0x00000001 /* has random #
- * generator */
-#define CKF_WRITE_PROTECTED 0x00000002 /* token is
- * write-
- * protected */
-#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
- * login */
-#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
- * PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state */
-#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
-
-/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
- * that the token has some sort of clock. The time on that
- * clock is returned in the token info structure */
-#define CKF_CLOCK_ON_TOKEN 0x00000040
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the Cryptoki library itself */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
- * identifies a session */
-typedef CK_ULONG CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of Cryptoki users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO 0
-/* Normal user */
-#define CKU_USER 1
-
-
-/* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_STATE;
-#define CKS_RO_PUBLIC_SESSION 0
-#define CKS_RO_USER_FUNCTIONS 1
-#define CKS_RW_PUBLIC_SESSION 2
-#define CKS_RW_USER_FUNCTIONS 3
-#define CKS_RW_SO_FUNCTIONS 4
-
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
- CK_SLOT_ID slotID;
- CK_STATE state;
- CK_FLAGS flags; /* see below */
-
- /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulDeviceError; /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- * Bit Flag Mask Meaning
- */
-#define CKF_RW_SESSION 0x00000002 /* session is r/w */
-#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object */
-typedef CK_ULONG CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that Cryptoki recognizes. It is defined
- * as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-#define CKO_DATA 0x00000000
-#define CKO_CERTIFICATE 0x00000001
-#define CKO_PUBLIC_KEY 0x00000002
-#define CKO_PRIVATE_KEY 0x00000003
-#define CKO_SECRET_KEY 0x00000004
-#define CKO_VENDOR_DEFINED 0x80000000
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA 0x00000000
-#define CKK_DSA 0x00000001
-#define CKK_DH 0x00000002
-
-/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-
-/* Cryptoki V2.01 probably won't actually have ECDSA in it */
-#define CKK_ECDSA 0x00000003
-
-#define CKK_KEA 0x00000005
-
-#define CKK_GENERIC_SECRET 0x00000010
-#define CKK_RC2 0x00000011
-#define CKK_RC4 0x00000012
-#define CKK_DES 0x00000013
-#define CKK_DES2 0x00000014
-#define CKK_DES3 0x00000015
-
-/* all these key types are new for v2.0 */
-#define CKK_CAST 0x00000016
-#define CKK_CAST3 0x00000017
-#define CKK_CAST5 0x00000018
-#define CKK_CAST128 0x00000018 /* CAST128=CAST5 */
-#define CKK_RC5 0x00000019
-#define CKK_IDEA 0x0000001A
-#define CKK_SKIPJACK 0x0000001B
-#define CKK_BATON 0x0000001C
-#define CKK_JUNIPER 0x0000001D
-#define CKK_CDMF 0x0000001E
-
-#define CKK_VENDOR_DEFINED 0x80000000
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_CERTIFICATE_TYPE;
-
-/* The following certificate types are defined: */
-#define CKC_X_509 0x00000000
-#define CKC_VENDOR_DEFINED 0x80000000
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_ATTRIBUTE_TYPE;
-
-typedef CK_ATTRIBUTE_TYPE CK_PTR CK_ATTRIBUTE_TYPE_PTR;
-
-/* The following attribute types are defined: */
-#define CKA_CLASS 0x00000000
-#define CKA_TOKEN 0x00000001
-#define CKA_PRIVATE 0x00000002
-#define CKA_LABEL 0x00000003
-#define CKA_APPLICATION 0x00000010
-#define CKA_VALUE 0x00000011
-#define CKA_CERTIFICATE_TYPE 0x00000080
-#define CKA_ISSUER 0x00000081
-#define CKA_SERIAL_NUMBER 0x00000082
-#define CKA_KEY_TYPE 0x00000100
-#define CKA_SUBJECT 0x00000101
-#define CKA_ID 0x00000102
-#define CKA_SENSITIVE 0x00000103
-#define CKA_ENCRYPT 0x00000104
-#define CKA_DECRYPT 0x00000105
-#define CKA_WRAP 0x00000106
-#define CKA_UNWRAP 0x00000107
-#define CKA_SIGN 0x00000108
-#define CKA_SIGN_RECOVER 0x00000109
-#define CKA_VERIFY 0x0000010A
-#define CKA_VERIFY_RECOVER 0x0000010B
-#define CKA_DERIVE 0x0000010C
-#define CKA_START_DATE 0x00000110
-#define CKA_END_DATE 0x00000111
-#define CKA_MODULUS 0x00000120
-#define CKA_MODULUS_BITS 0x00000121
-#define CKA_PUBLIC_EXPONENT 0x00000122
-#define CKA_PRIVATE_EXPONENT 0x00000123
-#define CKA_PRIME_1 0x00000124
-#define CKA_PRIME_2 0x00000125
-#define CKA_EXPONENT_1 0x00000126
-#define CKA_EXPONENT_2 0x00000127
-#define CKA_COEFFICIENT 0x00000128
-#define CKA_PRIME 0x00000130
-#define CKA_SUBPRIME 0x00000131
-#define CKA_BASE 0x00000132
-#define CKA_VALUE_BITS 0x00000160
-#define CKA_VALUE_LEN 0x00000161
-
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
- * CKA_ALWAYS_SENSITIVE, and CKA_MODIFIABLE are new for v2.0 */
-#define CKA_EXTRACTABLE 0x00000162
-#define CKA_LOCAL 0x00000163
-#define CKA_NEVER_EXTRACTABLE 0x00000164
-#define CKA_ALWAYS_SENSITIVE 0x00000165
-#define CKA_MODIFIABLE 0x00000170
-
-#define CKA_VENDOR_DEFINED 0x80000000
-
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute */
-typedef struct CK_ATTRIBUTE {
- CK_ATTRIBUTE_TYPE type;
- CK_VOID_PTR pValue;
-
- /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulValueLen; /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
- CK_CHAR year[4]; /* the year ("1900" - "9999") */
- CK_CHAR month[2]; /* the month ("01" - "12") */
- CK_CHAR day[2]; /* the day ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
-#define CKM_RSA_PKCS 0x00000001
-#define CKM_RSA_9796 0x00000002
-#define CKM_RSA_X_509 0x00000003
-
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
- * are new for v2.0. They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS 0x00000004
-#define CKM_MD5_RSA_PKCS 0x00000005
-#define CKM_SHA1_RSA_PKCS 0x00000006
-
-#define CKM_DSA_KEY_PAIR_GEN 0x00000010
-#define CKM_DSA 0x00000011
-#define CKM_DSA_SHA1 0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
-#define CKM_DH_PKCS_DERIVE 0x00000021
-#define CKM_RC2_KEY_GEN 0x00000100
-#define CKM_RC2_ECB 0x00000101
-#define CKM_RC2_CBC 0x00000102
-#define CKM_RC2_MAC 0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL 0x00000104
-#define CKM_RC2_CBC_PAD 0x00000105
-
-#define CKM_RC4_KEY_GEN 0x00000110
-#define CKM_RC4 0x00000111
-#define CKM_DES_KEY_GEN 0x00000120
-#define CKM_DES_ECB 0x00000121
-#define CKM_DES_CBC 0x00000122
-#define CKM_DES_MAC 0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL 0x00000124
-#define CKM_DES_CBC_PAD 0x00000125
-
-#define CKM_DES2_KEY_GEN 0x00000130
-#define CKM_DES3_KEY_GEN 0x00000131
-#define CKM_DES3_ECB 0x00000132
-#define CKM_DES3_CBC 0x00000133
-#define CKM_DES3_MAC 0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL 0x00000135
-#define CKM_DES3_CBC_PAD 0x00000136
-#define CKM_CDMF_KEY_GEN 0x00000140
-#define CKM_CDMF_ECB 0x00000141
-#define CKM_CDMF_CBC 0x00000142
-#define CKM_CDMF_MAC 0x00000143
-#define CKM_CDMF_MAC_GENERAL 0x00000144
-#define CKM_CDMF_CBC_PAD 0x00000145
-
-#define CKM_MD2 0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD2_HMAC 0x00000201
-#define CKM_MD2_HMAC_GENERAL 0x00000202
-
-#define CKM_MD5 0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD5_HMAC 0x00000211
-#define CKM_MD5_HMAC_GENERAL 0x00000212
-
-#define CKM_SHA_1 0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-#define CKM_SHA_1_HMAC 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL 0x00000222
-
-/* All of the following mechanisms are new for v2.0 */
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST_KEY_GEN 0x00000300
-#define CKM_CAST_ECB 0x00000301
-#define CKM_CAST_CBC 0x00000302
-#define CKM_CAST_MAC 0x00000303
-#define CKM_CAST_MAC_GENERAL 0x00000304
-#define CKM_CAST_CBC_PAD 0x00000305
-#define CKM_CAST3_KEY_GEN 0x00000310
-#define CKM_CAST3_ECB 0x00000311
-#define CKM_CAST3_CBC 0x00000312
-#define CKM_CAST3_MAC 0x00000313
-#define CKM_CAST3_MAC_GENERAL 0x00000314
-#define CKM_CAST3_CBC_PAD 0x00000315
-#define CKM_CAST5_KEY_GEN 0x00000320
-#define CKM_CAST128_KEY_GEN 0x00000320
-#define CKM_CAST5_ECB 0x00000321
-#define CKM_CAST128_ECB 0x00000321
-#define CKM_CAST5_CBC 0x00000322
-#define CKM_CAST128_CBC 0x00000322
-#define CKM_CAST5_MAC 0x00000323
-#define CKM_CAST128_MAC 0x00000323
-#define CKM_CAST5_MAC_GENERAL 0x00000324
-#define CKM_CAST128_MAC_GENERAL 0x00000324
-#define CKM_CAST5_CBC_PAD 0x00000325
-#define CKM_CAST128_CBC_PAD 0x00000325
-#define CKM_RC5_KEY_GEN 0x00000330
-#define CKM_RC5_ECB 0x00000331
-#define CKM_RC5_CBC 0x00000332
-#define CKM_RC5_MAC 0x00000333
-#define CKM_RC5_MAC_GENERAL 0x00000334
-#define CKM_RC5_CBC_PAD 0x00000335
-#define CKM_IDEA_KEY_GEN 0x00000340
-#define CKM_IDEA_ECB 0x00000341
-#define CKM_IDEA_CBC 0x00000342
-#define CKM_IDEA_MAC 0x00000343
-#define CKM_IDEA_MAC_GENERAL 0x00000344
-#define CKM_IDEA_CBC_PAD 0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
-#define CKM_XOR_BASE_AND_DATA 0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
-#define CKM_SSL3_MD5_MAC 0x00000380
-#define CKM_SSL3_SHA1_MAC 0x00000381
-#define CKM_MD5_KEY_DERIVATION 0x00000390
-#define CKM_MD2_KEY_DERIVATION 0x00000391
-#define CKM_SHA1_KEY_DERIVATION 0x00000392
-#define CKM_PBE_MD2_DES_CBC 0x000003A0
-#define CKM_PBE_MD5_DES_CBC 0x000003A1
-#define CKM_PBE_MD5_CAST_CBC 0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
-#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
-#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
-#define CKM_PBE_SHA1_RC4_128 0x000003A6
-#define CKM_PBE_SHA1_RC4_40 0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
-#define CKM_KEY_WRAP_LYNKS 0x00000400
-#define CKM_KEY_WRAP_SET_OAEP 0x00000401
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN 0x00001000
-#define CKM_SKIPJACK_ECB64 0x00001001
-#define CKM_SKIPJACK_CBC64 0x00001002
-#define CKM_SKIPJACK_OFB64 0x00001003
-#define CKM_SKIPJACK_CFB64 0x00001004
-#define CKM_SKIPJACK_CFB32 0x00001005
-#define CKM_SKIPJACK_CFB16 0x00001006
-#define CKM_SKIPJACK_CFB8 0x00001007
-#define CKM_SKIPJACK_WRAP 0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
-#define CKM_SKIPJACK_RELAYX 0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN 0x00001010
-#define CKM_KEA_KEY_DERIVE 0x00001011
-#define CKM_FORTEZZA_TIMESTAMP 0x00001020
-#define CKM_BATON_KEY_GEN 0x00001030
-#define CKM_BATON_ECB128 0x00001031
-#define CKM_BATON_ECB96 0x00001032
-#define CKM_BATON_CBC128 0x00001033
-#define CKM_BATON_COUNTER 0x00001034
-#define CKM_BATON_SHUFFLE 0x00001035
-#define CKM_BATON_WRAP 0x00001036
-
-/* Cryptoki V2.01 probably won't actually have ECDSA in it */
-#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
-#define CKM_ECDSA 0x00001041
-#define CKM_ECDSA_SHA1 0x00001042
-
-#define CKM_JUNIPER_KEY_GEN 0x00001060
-#define CKM_JUNIPER_ECB128 0x00001061
-#define CKM_JUNIPER_CBC128 0x00001062
-#define CKM_JUNIPER_COUNTER 0x00001063
-#define CKM_JUNIPER_SHUFFLE 0x00001064
-#define CKM_JUNIPER_WRAP 0x00001065
-#define CKM_FASTHASH 0x00001070
-
-#define CKM_VENDOR_DEFINED 0x80000000
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism */
-typedef struct CK_MECHANISM {
- CK_MECHANISM_TYPE mechanism;
- CK_VOID_PTR pParameter;
-
- /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulParameterLen; /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism */
-typedef struct CK_MECHANISM_INFO {
- CK_ULONG ulMinKeySize;
- CK_ULONG ulMaxKeySize;
- CK_FLAGS flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- * Bit Flag Mask Meaning */
-#define CKF_HW 0x00000001 /* performed by HW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
- * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
- * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
- * and CKF_DERIVE are new for v2.0. They specify whether or not
- * a mechanism can be used for a particular task */
-#define CKF_ENCRYPT 0x00000100
-#define CKF_DECRYPT 0x00000200
-#define CKF_DIGEST 0x00000400
-#define CKF_SIGN 0x00000800
-#define CKF_SIGN_RECOVER 0x00001000
-#define CKF_VERIFY 0x00002000
-#define CKF_VERIFY_RECOVER 0x00004000
-#define CKF_GENERATE 0x00008000
-#define CKF_GENERATE_KEY_PAIR 0x00010000
-#define CKF_WRAP 0x00020000
-#define CKF_UNWRAP 0x00040000
-#define CKF_DERIVE 0x00080000
-
-#define CKF_EXTENSION 0x80000000 /* FALSE for 2.01 */
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a
- * Cryptoki function */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_RV;
-
-#define CKR_OK 0x00000000
-#define CKR_CANCEL 0x00000001
-#define CKR_HOST_MEMORY 0x00000002
-#define CKR_SLOT_ID_INVALID 0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR 0x00000005
-#define CKR_FUNCTION_FAILED 0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD 0x00000007
-#define CKR_NO_EVENT 0x00000008
-#define CKR_NEED_TO_CREATE_THREADS 0x00000009
-#define CKR_CANT_LOCK 0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
-#define CKR_DATA_INVALID 0x00000020
-#define CKR_DATA_LEN_RANGE 0x00000021
-#define CKR_DEVICE_ERROR 0x00000030
-#define CKR_DEVICE_MEMORY 0x00000031
-#define CKR_DEVICE_REMOVED 0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
-#define CKR_FUNCTION_CANCELED 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
-
-#define CKR_KEY_HANDLE_INVALID 0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE 0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
- * v2.0 */
-#define CKR_KEY_NOT_NEEDED 0x00000064
-#define CKR_KEY_CHANGED 0x00000065
-#define CKR_KEY_NEEDED 0x00000066
-#define CKR_KEY_INDIGESTIBLE 0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
-#define CKR_KEY_NOT_WRAPPABLE 0x00000069
-#define CKR_KEY_UNEXTRACTABLE 0x0000006A
-
-#define CKR_MECHANISM_INVALID 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID 0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID 0x00000082
-#define CKR_OPERATION_ACTIVE 0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
-#define CKR_PIN_INCORRECT 0x000000A0
-#define CKR_PIN_INVALID 0x000000A1
-#define CKR_PIN_LEN_RANGE 0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED 0x000000A3
-#define CKR_PIN_LOCKED 0x000000A4
-
-#define CKR_SESSION_CLOSED 0x000000B0
-#define CKR_SESSION_COUNT 0x000000B1
-#define CKR_SESSION_HANDLE_INVALID 0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
-#define CKR_SESSION_READ_ONLY 0x000000B5
-#define CKR_SESSION_EXISTS 0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and
- * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
-
-#define CKR_SIGNATURE_INVALID 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
-#define CKR_TOKEN_NOT_PRESENT 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
-#define CKR_USER_NOT_LOGGED_IN 0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
-#define CKR_USER_TYPE_INVALID 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
-#define CKR_USER_TOO_MANY_TYPES 0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID 0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG 0x00000121
-#define CKR_BUFFER_TOO_SMALL 0x00000150
-#define CKR_SAVED_STATE_INVALID 0x00000160
-#define CKR_INFORMATION_SENSITIVE 0x00000170
-#define CKR_STATE_UNSAVEABLE 0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
-#define CKR_MUTEX_BAD 0x000001A0
-#define CKR_MUTEX_NOT_LOCKED 0x000001A1
-
-#define CKR_VENDOR_DEFINED 0x80000000
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication /* passed to C_OpenSession */
-);
-
-
-/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
- * version and pointers of appropriate types to all the
- * Cryptoki functions */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
- CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize */
-typedef struct CK_C_INITIALIZE_ARGS {
- CK_CREATEMUTEX CreateMutex;
- CK_DESTROYMUTEX DestroyMutex;
- CK_LOCKMUTEX LockMutex;
- CK_UNLOCKMUTEX UnlockMutex;
- CK_FLAGS flags;
-#ifdef FGMR
- CK_BYTE_PTR pConfig;
- CK_ULONG ulConfigLen;
-#endif /* FGMR */
- CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- * Bit Flag Mask Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-#define CKF_OS_LOCKING_OK 0x00000002
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK 1
-
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
- CK_BBOOL isSender;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pRandomB;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
- * holds the effective keysize */
-typedef CK_ULONG CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism */
-typedef struct CK_RC2_CBC_PARAMS {
- /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
-
- CK_BYTE iv[8]; /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
- CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_BYTE_PTR pIv; /* pointer to IV */
- CK_ULONG ulIvLen; /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
- CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms. Its value is the length of
- * the MAC */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
- CK_ULONG ulPasswordLen;
- CK_BYTE_PTR pPassword;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
- CK_ULONG ulPAndGLen;
- CK_ULONG ulQLen;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pPrimeP;
- CK_BYTE_PTR pBaseG;
- CK_BYTE_PTR pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
- CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
- CK_ULONG ulOldWrappedXLen;
- CK_BYTE_PTR pOldWrappedX;
- CK_ULONG ulOldPasswordLen;
- CK_BYTE_PTR pOldPassword;
- CK_ULONG ulOldPublicDataLen;
- CK_BYTE_PTR pOldPublicData;
- CK_ULONG ulOldRandomLen;
- CK_BYTE_PTR pOldRandomA;
- CK_ULONG ulNewPasswordLen;
- CK_BYTE_PTR pNewPassword;
- CK_ULONG ulNewPublicDataLen;
- CK_BYTE_PTR pNewPublicData;
- CK_ULONG ulNewRandomLen;
- CK_BYTE_PTR pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
- CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
- CK_CHAR_PTR pInitVector;
- CK_CHAR_PTR pPassword;
- CK_ULONG ulPasswordLen;
- CK_CHAR_PTR pSalt;
- CK_ULONG ulSaltLen;
- CK_ULONG ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
- CK_BYTE bBC; /* block contents byte */
- CK_BYTE_PTR pX; /* extra data */
- CK_ULONG ulXLen; /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
- CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
- CK_BYTE_PTR pClientRandom;
- CK_ULONG ulClientRandomLen;
- CK_BYTE_PTR pServerRandom;
- CK_ULONG ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
- CK_OBJECT_HANDLE hClientMacSecret;
- CK_OBJECT_HANDLE hServerMacSecret;
- CK_OBJECT_HANDLE hClientKey;
- CK_OBJECT_HANDLE hServerKey;
- CK_BYTE_PTR pIVClient;
- CK_BYTE_PTR pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
- CK_ULONG ulMacSizeInBits;
- CK_ULONG ulKeySizeInBits;
- CK_ULONG ulIVSizeInBits;
- CK_BBOOL bIsExport;
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
- CK_BYTE_PTR pData;
- CK_ULONG ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
- CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-/* undo packing */
-#include "nsscku.h"
-
-#endif /* NSSCKT_H */
diff --git a/security/nss/lib/ckfw/nsscku.h b/security/nss/lib/ckfw/nsscku.h
deleted file mode 100644
index 46f4d1f59..000000000
--- a/security/nss/lib/ckfw/nsscku.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * This file is in part derived from a file "pkcs11t.h" made available
- * by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11t.h
- *
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security Inc. Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-
-#ifndef NSSCKU_H
-#define NSSCKU_H
-
-#ifdef DEBUG
-static const char NSSCKU_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#endif /* NSSCKU_H */
-
-/*
- * These platform-dependent packing rules are required by all PKCS#11
- * modules, to be binary compatible. These rules have been placed in
- * separate header files (nssckp.h to enable the packing, nsscku.h to
- * disable) for consistancy. These files can be included many times,
- * so the bodies should *NOT* be in the multiple-inclusion-preventing
- * #ifndef/#endif area above.
- */
-
-/*
- * WIN32 is defined (when appropriate) in NSPR's prcpucfg.h.
- */
-
-#ifdef WIN32
-#pragma warning(disable:4103)
-#pragma pack(pop, cryptoki)
-#endif /* WIN32 */
-
-/* End of nsscku.h */
diff --git a/security/nss/lib/ckfw/object.c b/security/nss/lib/ckfw/object.c
deleted file mode 100644
index ec8dfd6d5..000000000
--- a/security/nss/lib/ckfw/object.c
+++ /dev/null
@@ -1,1044 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * object.c
- *
- * This file implements the NSSCKFWObject type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWObject
- *
- * -- create/destroy --
- * nssCKFWObject_Create
- * nssCKFWObject_Finalize
- * nssCKFWObject_Destroy
- *
- * -- public accessors --
- * NSSCKFWObject_GetMDObject
- * NSSCKFWObject_GetArena
- * NSSCKFWObject_IsTokenObject
- * NSSCKFWObject_GetAttributeCount
- * NSSCKFWObject_GetAttributeTypes
- * NSSCKFWObject_GetAttributeSize
- * NSSCKFWObject_GetAttribute
- * NSSCKFWObject_SetAttribute
- * NSSCKFWObject_GetObjectSize
- *
- * -- implement public accessors --
- * nssCKFWObject_GetMDObject
- * nssCKFWObject_GetArena
- *
- * -- private accessors --
- * nssCKFWObject_SetHandle
- * nssCKFWObject_GetHandle
- *
- * -- module fronts --
- * nssCKFWObject_IsTokenObject
- * nssCKFWObject_GetAttributeCount
- * nssCKFWObject_GetAttributeTypes
- * nssCKFWObject_GetAttributeSize
- * nssCKFWObject_GetAttribute
- * nssCKFWObject_SetAttribute
- * nssCKFWObject_GetObjectSize
- */
-
-struct NSSCKFWObjectStr {
- NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
- NSSArena *arena;
- NSSCKMDObject *mdObject;
- NSSCKMDSession *mdSession;
- NSSCKFWSession *fwSession;
- NSSCKMDToken *mdToken;
- NSSCKFWToken *fwToken;
- NSSCKMDInstance *mdInstance;
- NSSCKFWInstance *fwInstance;
- CK_OBJECT_HANDLE hObject;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-object_add_pointer
-(
- const NSSCKFWObject *fwObject
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-object_remove_pointer
-(
- const NSSCKFWObject *fwObject
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_verifyPointer
-(
- const NSSCKFWObject *fwObject
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-
-/*
- * nssCKFWObject_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWObject_Create
-(
- NSSArena *arena,
- NSSCKMDObject *mdObject,
- NSSCKFWSession *fwSession,
- NSSCKFWToken *fwToken,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- NSSCKFWObject *fwObject;
- nssCKFWHash *mdObjectHash;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- mdObjectHash = nssCKFWToken_GetMDObjectHash(fwToken);
- if( (nssCKFWHash *)NULL == mdObjectHash ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWObject *)NULL;
- }
-
- if( nssCKFWHash_Exists(mdObjectHash, mdObject) ) {
- fwObject = nssCKFWHash_Lookup(mdObjectHash, mdObject);
- return fwObject;
- }
-
- fwObject = nss_ZNEW(arena, NSSCKFWObject);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWObject *)NULL;
- }
-
- fwObject->arena = arena;
- fwObject->mdObject = mdObject;
- fwObject->fwSession = fwSession;
-
- if( (NSSCKFWSession *)NULL != fwSession ) {
- fwObject->mdSession = nssCKFWSession_GetMDSession(fwSession);
- }
-
- fwObject->fwToken = fwToken;
-
- if( (NSSCKFWToken *)NULL != fwToken ) {
- fwObject->mdToken = nssCKFWToken_GetMDToken(fwToken);
- }
-
- fwObject->fwInstance = fwInstance;
- fwObject->mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
- fwObject->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == fwObject->mutex ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWObject *)NULL;
- }
-
- *pError = nssCKFWHash_Add(mdObjectHash, mdObject, fwObject);
- if( CKR_OK != *pError ) {
- nss_ZFreeIf(fwObject);
- return (NSSCKFWObject *)NULL;
- }
-
-#ifdef DEBUG
- *pError = object_add_pointer(fwObject);
- if( CKR_OK != *pError ) {
- nssCKFWHash_Remove(mdObjectHash, mdObject);
- nss_ZFreeIf(fwObject);
- return (NSSCKFWObject *)NULL;
- }
-#endif /* DEBUG */
-
- *pError = CKR_OK;
- return fwObject;
-}
-
-/*
- * nssCKFWObject_Finalize
- *
- */
-NSS_IMPLEMENT void
-nssCKFWObject_Finalize
-(
- NSSCKFWObject *fwObject
-)
-{
- nssCKFWHash *mdObjectHash;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- (void)nssCKFWMutex_Destroy(fwObject->mutex);
-
- if( (void *)NULL != (void *)fwObject->mdObject->Finalize ) {
- fwObject->mdObject->Finalize(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
- }
-
- mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
- if( (nssCKFWHash *)NULL != mdObjectHash ) {
- nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
- }
-
- nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
- nss_ZFreeIf(fwObject);
-
-#ifdef DEBUG
- (void)object_remove_pointer(fwObject);
-#endif /* DEBUG */
-
- return;
-}
-
-/*
- * nssCKFWObject_Destroy
- *
- */
-NSS_IMPLEMENT void
-nssCKFWObject_Destroy
-(
- NSSCKFWObject *fwObject
-)
-{
- nssCKFWHash *mdObjectHash;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- (void)nssCKFWMutex_Destroy(fwObject->mutex);
-
- if( (void *)NULL != (void *)fwObject->mdObject->Destroy ) {
- fwObject->mdObject->Destroy(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
- }
-
- mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
- if( (nssCKFWHash *)NULL != mdObjectHash ) {
- nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
- }
-
- nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
- nss_ZFreeIf(fwObject);
-
-#ifdef DEBUG
- (void)object_remove_pointer(fwObject);
-#endif /* DEBUG */
-
- return;
-}
-
-/*
- * nssCKFWObject_GetMDObject
- *
- */
-NSS_IMPLEMENT NSSCKMDObject *
-nssCKFWObject_GetMDObject
-(
- NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return (NSSCKMDObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwObject->mdObject;
-}
-
-/*
- * nssCKFWObject_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWObject_GetArena
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwObject->arena;
-}
-
-/*
- * nssCKFWObject_SetHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_SetHandle
-(
- NSSCKFWObject *fwObject,
- CK_OBJECT_HANDLE hObject
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
- error = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- if( (CK_OBJECT_HANDLE)0 != fwObject->hObject ) {
- return CKR_GENERAL_ERROR;
- }
-
- fwObject->hObject = hObject;
-
- return CKR_OK;
-}
-
-/*
- * nssCKFWObject_GetHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWObject_GetHandle
-(
- NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return (CK_OBJECT_HANDLE)0;
- }
-#endif /* NSSDEBUG */
-
- return fwObject->hObject;
-}
-
-/*
- * nssCKFWObject_IsTokenObject
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWObject_IsTokenObject
-(
- NSSCKFWObject *fwObject
-)
-{
- CK_BBOOL b = CK_FALSE;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwObject->mutex) ) {
- return CK_FALSE;
- }
-
- if( (void *)NULL == (void *)fwObject->mdObject->IsTokenObject ) {
- NSSItem item;
- NSSItem *pItem;
- CK_RV rv = CKR_OK;
-
- item.data = (void *)&b;
- item.size = sizeof(b);
-
- pItem = nssCKFWObject_GetAttribute(fwObject, CKA_TOKEN, &item,
- (NSSArena *)NULL, &rv);
- if( (NSSItem *)NULL == pItem ) {
- /* Error of some type */
- b = CK_FALSE;
- goto done;
- }
-
- goto done;
- }
-
- b = fwObject->mdObject->IsTokenObject(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
-
- done:
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
- return b;
-}
-
-/*
- * nssCKFWObject_GetAttributeCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWObject_GetAttributeCount
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
- CK_ULONG rv;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeCount ) {
- *pError = CKR_GENERAL_ERROR;
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-
- rv = fwObject->mdObject->GetAttributeCount(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
- pError);
-
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
- return rv;
-}
-
-/*
- * nssCKFWObject_GetAttributeTypes
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_GetAttributeTypes
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeTypes ) {
- return CKR_GENERAL_ERROR;
- }
-
- error = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- error = fwObject->mdObject->GetAttributeTypes(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
- typeArray, ulCount);
-
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
- return error;
-}
-
-/*
- * nssCKFWObject_GetAttributeSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWObject_GetAttributeSize
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- CK_ULONG rv;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) {
- *pError = CKR_GENERAL_ERROR;
- return (CK_ULONG )0;
- }
-
- *pError = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-
- rv = fwObject->mdObject->GetAttributeSize(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
- attribute, pError);
-
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
- return rv;
-}
-
-/*
- * nssCKFWObject_GetAttribute
- *
- * Usual NSS allocation rules:
- * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
- * will be allocated. If itemOpt is not NULL but itemOpt->data is,
- * the buffer will be allocated; otherwise, the buffer will be used.
- * Any allocations will come from the optional arena, if one is
- * specified.
- */
-NSS_IMPLEMENT NSSItem *
-nssCKFWObject_GetAttribute
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *itemOpt,
- NSSArena *arenaOpt,
- CK_RV *pError
-)
-{
- NSSItem *rv = (NSSItem *)NULL;
- NSSItem *mdItem;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSItem *)NULL;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (NSSItem *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSItem *)NULL;
- }
-
- *pError = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != *pError ) {
- return (NSSItem *)NULL;
- }
-
- mdItem = fwObject->mdObject->GetAttribute(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
- attribute, pError);
-
- if( (NSSItem *)NULL == mdItem ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
-
- goto done;
- }
-
- if( (NSSItem *)NULL == itemOpt ) {
- rv = nss_ZNEW(arenaOpt, NSSItem);
- if( (NSSItem *)NULL == rv ) {
- *pError = CKR_HOST_MEMORY;
- goto done;
- }
- } else {
- rv = itemOpt;
- }
-
- if( (void *)NULL == rv->data ) {
- rv->size = mdItem->size;
- rv->data = nss_ZAlloc(arenaOpt, rv->size);
- if( (void *)NULL == rv->data ) {
- *pError = CKR_HOST_MEMORY;
- if( (NSSItem *)NULL == itemOpt ) {
- nss_ZFreeIf(rv);
- }
- rv = (NSSItem *)NULL;
- goto done;
- }
- } else {
- if( rv->size >= mdItem->size ) {
- rv->size = mdItem->size;
- } else {
- *pError = CKR_BUFFER_TOO_SMALL;
- /* Should we set rv->size to mdItem->size? */
- /* rv can't have been allocated */
- rv = (NSSItem *)NULL;
- goto done;
- }
- }
-
- (void)nsslibc_memcpy(rv->data, mdItem->data, rv->size);
-
- done:
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
- return rv;
-}
-
-/*
- * nssCKFWObject_SetAttribute
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_SetAttribute
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- if( CKA_TOKEN == attribute ) {
- /*
- * We're changing from a session object to a token object or
- * vice-versa.
- */
-
- CK_ATTRIBUTE a;
- NSSCKFWObject *newFwObject;
- NSSCKFWObject swab;
-
- a.type = CKA_TOKEN;
- a.pValue = value->data;
- a.ulValueLen = value->size;
-
- newFwObject = nssCKFWSession_CopyObject(fwObject->fwSession, fwObject,
- &a, 1, &error);
- if( (NSSCKFWObject *)NULL == newFwObject ) {
- if( CKR_OK == error ) {
- error = CKR_GENERAL_ERROR;
- }
- return error;
- }
-
- /*
- * Actually, I bet the locking is worse than this.. this part of
- * the code could probably use some scrutiny and reworking.
- */
- error = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != error ) {
- nssCKFWObject_Destroy(newFwObject);
- return error;
- }
-
- error = nssCKFWMutex_Lock(newFwObject->mutex);
- if( CKR_OK != error ) {
- nssCKFWMutex_Unlock(fwObject->mutex);
- nssCKFWObject_Destroy(newFwObject);
- return error;
- }
-
- /*
- * Now, we have our new object, but it has a new fwObject pointer,
- * while we have to keep the existing one. So quick swap the contents.
- */
- swab = *fwObject;
- *fwObject = *newFwObject;
- *newFwObject = swab;
-
- /* But keep the mutexes the same */
- swab.mutex = fwObject->mutex;
- fwObject->mutex = newFwObject->mutex;
- newFwObject->mutex = swab.mutex;
-
- (void)nssCKFWMutex_Unlock(newFwObject->mutex);
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
-
- /*
- * Either remove or add this to the list of session objects
- */
-
- if( CK_FALSE == *(CK_BBOOL *)value->data ) {
- /*
- * New one is a session object, except since we "stole" the fwObject, it's
- * not in the list. Add it.
- */
- nssCKFWSession_RegisterSessionObject(fwObject->fwSession, fwObject);
- } else {
- /*
- * New one is a token object, except since we "stole" the fwObject, it's
- * in the list. Remove it.
- */
- nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
- }
-
- /*
- * Now delete the old object. Remember the names have changed.
- */
- nssCKFWObject_Destroy(newFwObject);
-
- return CKR_OK;
- } else {
- /*
- * An "ordinary" change.
- */
- if( (void *)NULL == (void *)fwObject->mdObject->SetAttribute ) {
- /* We could fake it with copying, like above.. later */
- return CKR_ATTRIBUTE_READ_ONLY;
- }
-
- error = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- error = fwObject->mdObject->SetAttribute(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
- attribute, value);
-
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
-
- return error;
- }
-}
-
-/*
- * nssCKFWObject_GetObjectSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWObject_GetObjectSize
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
- CK_ULONG rv;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwObject->mdObject->GetObjectSize ) {
- *pError = CKR_INFORMATION_SENSITIVE;
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWMutex_Lock(fwObject->mutex);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-
- rv = fwObject->mdObject->GetObjectSize(fwObject->mdObject, fwObject,
- fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
- fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
- pError);
-
- (void)nssCKFWMutex_Unlock(fwObject->mutex);
- return rv;
-}
-
-/*
- * NSSCKFWObject_GetMDObject
- *
- */
-NSS_IMPLEMENT NSSCKMDObject *
-NSSCKFWObject_GetMDObject
-(
- NSSCKFWObject *fwObject
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return (NSSCKMDObject *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetMDObject(fwObject);
-}
-
-/*
- * NSSCKFWObject_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-NSSCKFWObject_GetArena
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetArena(fwObject, pError);
-}
-
-/*
- * NSSCKFWObject_IsTokenObject
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWObject_IsTokenObject
-(
- NSSCKFWObject *fwObject
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
- return CK_FALSE;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_IsTokenObject(fwObject);
-}
-
-/*
- * NSSCKFWObject_GetAttributeCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-NSSCKFWObject_GetAttributeCount
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetAttributeCount(fwObject, pError);
-}
-
-/*
- * NSSCKFWObject_GetAttributeTypes
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWObject_GetAttributeTypes
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef DEBUG
- error = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetAttributeTypes(fwObject, typeArray, ulCount);
-}
-
-/*
- * NSSCKFWObject_GetAttributeSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-NSSCKFWObject_GetAttributeSize
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetAttributeSize(fwObject, attribute, pError);
-}
-
-/*
- * NSSCKFWObject_GetAttribute
- *
- */
-NSS_IMPLEMENT NSSItem *
-NSSCKFWObject_GetAttribute
-(
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *itemOpt,
- NSSArena *arenaOpt,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSItem *)NULL;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (NSSItem *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetAttribute(fwObject, attribute, itemOpt, arenaOpt, pError);
-}
-
-/*
- * NSSCKFWObject_GetObjectSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-NSSCKFWObject_GetObjectSize
-(
- NSSCKFWObject *fwObject,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-#endif /* DEBUG */
-
- return nssCKFWObject_GetObjectSize(fwObject, pError);
-}
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
deleted file mode 100644
index e12c74b8b..000000000
--- a/security/nss/lib/ckfw/session.c
+++ /dev/null
@@ -1,1962 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * session.c
- *
- * This file implements the NSSCKFWSession type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWSession
- *
- * -- create/destroy --
- * nssCKFWSession_Create
- * nssCKFWSession_Destroy
- *
- * -- public accessors --
- * NSSCKFWSession_GetMDSession
- * NSSCKFWSession_GetArena
- * NSSCKFWSession_CallNotification
- * NSSCKFWSession_IsRWSession
- * NSSCKFWSession_IsSO
- *
- * -- implement public accessors --
- * nssCKFWSession_GetMDSession
- * nssCKFWSession_GetArena
- * nssCKFWSession_CallNotification
- * nssCKFWSession_IsRWSession
- * nssCKFWSession_IsSO
- *
- * -- private accessors --
- * nssCKFWSession_GetSlot
- * nssCKFWSession_GetSessionState
- * nssCKFWSession_SetFWFindObjects
- * nssCKFWSession_GetFWFindObjects
- * nssCKFWSession_SetMDSession
- * nssCKFWSession_SetHandle
- * nssCKFWSession_GetHandle
- * nssCKFWSession_RegisterSessionObject
- * nssCKFWSession_DeegisterSessionObject
- *
- * -- module fronts --
- * nssCKFWSession_GetDeviceError
- * nssCKFWSession_Login
- * nssCKFWSession_Logout
- * nssCKFWSession_InitPIN
- * nssCKFWSession_SetPIN
- * nssCKFWSession_GetOperationStateLen
- * nssCKFWSession_GetOperationState
- * nssCKFWSession_SetOperationState
- * nssCKFWSession_CreateObject
- * nssCKFWSession_CopyObject
- * nssCKFWSession_FindObjectsInit
- * nssCKFWSession_SeedRandom
- * nssCKFWSession_GetRandom
- */
-
-struct NSSCKFWSessionStr {
- NSSArena *arena;
- NSSCKMDSession *mdSession;
- NSSCKFWToken *fwToken;
- NSSCKMDToken *mdToken;
- NSSCKFWInstance *fwInstance;
- NSSCKMDInstance *mdInstance;
- CK_VOID_PTR pApplication;
- CK_NOTIFY Notify;
-
- /*
- * Everything above is set at creation time, and then not modified.
- * The items below are atomic. No locking required. If we fear
- * about pointer-copies being nonatomic, we'll lock fwFindObjects.
- */
-
- CK_BBOOL rw;
- NSSCKFWFindObjects *fwFindObjects;
- nssCKFWHash *sessionObjectHash;
- CK_SESSION_HANDLE hSession;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-session_add_pointer
-(
- const NSSCKFWSession *fwSession
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-session_remove_pointer
-(
- const NSSCKFWSession *fwSession
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_verifyPointer
-(
- const NSSCKFWSession *fwSession
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWSession_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWSession *
-nssCKFWSession_Create
-(
- NSSCKFWToken *fwToken,
- CK_BBOOL rw,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_RV *pError
-)
-{
- NSSArena *arena = (NSSArena *)NULL;
- NSSCKFWSession *fwSession;
- NSSCKFWSlot *fwSlot;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWSession *)NULL;
- }
-
- *pError = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != *pError ) {
- return (NSSCKFWSession *)NULL;
- }
-#endif /* NSSDEBUG */
-
- arena = NSSArena_Create();
- if( (NSSArena *)NULL == arena ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWSession *)NULL;
- }
-
- fwSession = nss_ZNEW(arena, NSSCKFWSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fwSession->arena = arena;
- fwSession->mdSession = (NSSCKMDSession *)NULL; /* set later */
- fwSession->fwToken = fwToken;
- fwSession->mdToken = nssCKFWToken_GetMDToken(fwToken);
-
- fwSlot = nssCKFWToken_GetFWSlot(fwToken);
- fwSession->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
- fwSession->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
-
- fwSession->rw = rw;
- fwSession->pApplication = pApplication;
- fwSession->Notify = Notify;
-
- fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL;
-
- fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError);
- if( (nssCKFWHash *)NULL == fwSession->sessionObjectHash ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
-#ifdef DEBUG
- *pError = session_add_pointer(fwSession);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return fwSession;
-
- loser:
- if( (NSSArena *)NULL != arena ) {
- if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
- (void)nssCKFWHash_Destroy(fwSession->sessionObjectHash);
- }
- NSSArena_Destroy(arena);
- }
-
- return (NSSCKFWSession *)NULL;
-}
-
-static void
-nss_ckfw_session_object_destroy_iterator
-(
- const void *key,
- void *value,
- void *closure
-)
-{
- NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
- nssCKFWObject_Finalize(fwObject);
-}
-
-/*
- * nssCKFWSession_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_Destroy
-(
- NSSCKFWSession *fwSession,
- CK_BBOOL removeFromTokenHash
-)
-{
- CK_RV error = CKR_OK;
- nssCKFWHash *sessionObjectHash;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- if( removeFromTokenHash ) {
- error = nssCKFWToken_RemoveSession(fwSession->fwToken, fwSession);
- }
-
- /*
- * Invalidate session objects
- */
-
- sessionObjectHash = fwSession->sessionObjectHash;
- fwSession->sessionObjectHash = (nssCKFWHash *)NULL;
-
- nssCKFWHash_Iterate(sessionObjectHash,
- nss_ckfw_session_object_destroy_iterator,
- (void *)NULL);
-
-#ifdef DEBUG
- (void)session_remove_pointer(fwSession);
-#endif /* DEBUG */
- (void)nssCKFWHash_Destroy(sessionObjectHash);
- NSSArena_Destroy(fwSession->arena);
-
- return error;
-}
-
-/*
- * nssCKFWSession_GetMDSession
- *
- */
-NSS_IMPLEMENT NSSCKMDSession *
-nssCKFWSession_GetMDSession
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return (NSSCKMDSession *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwSession->mdSession;
-}
-
-/*
- * nssCKFWSession_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWSession_GetArena
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwSession->arena;
-}
-
-/*
- * nssCKFWSession_CallNotification
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_CallNotification
-(
- NSSCKFWSession *fwSession,
- CK_NOTIFICATION event
-)
-{
- CK_RV error = CKR_OK;
- CK_SESSION_HANDLE handle;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- if( (CK_NOTIFY)NULL == fwSession->Notify ) {
- return CKR_OK;
- }
-
- handle = nssCKFWInstance_FindSessionHandle(fwSession->fwInstance, fwSession);
- if( (CK_SESSION_HANDLE)0 == handle ) {
- return CKR_GENERAL_ERROR;
- }
-
- error = fwSession->Notify(handle, event, fwSession->pApplication);
-
- return error;
-}
-
-/*
- * nssCKFWSession_IsRWSession
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSession_IsRWSession
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- return fwSession->rw;
-}
-
-/*
- * nssCKFWSession_IsSO
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSession_IsSO
-(
- NSSCKFWSession *fwSession
-)
-{
- CK_STATE state;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- state = nssCKFWToken_GetSessionState(fwSession->fwToken);
- switch( state ) {
- case CKS_RO_PUBLIC_SESSION:
- case CKS_RO_USER_FUNCTIONS:
- case CKS_RW_PUBLIC_SESSION:
- case CKS_RW_USER_FUNCTIONS:
- return CK_FALSE;
- case CKS_RW_SO_FUNCTIONS:
- return CK_TRUE;
- default:
- return CK_FALSE;
- }
-}
-
-/*
- * nssCKFWSession_GetFWSlot
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWSession_GetFWSlot
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return (NSSCKFWSlot *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return nssCKFWToken_GetFWSlot(fwSession->fwToken);
-}
-
-/*
- * nssCFKWSession_GetSessionState
- *
- */
-NSS_IMPLEMENT CK_STATE
-nssCKFWSession_GetSessionState
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CKS_RO_PUBLIC_SESSION; /* whatever */
- }
-#endif /* NSSDEBUG */
-
- return nssCKFWToken_GetSessionState(fwSession->fwToken);
-}
-
-/*
- * nssCKFWSession_SetFWFindObjects
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetFWFindObjects
-(
- NSSCKFWSession *fwSession,
- NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- /* fwFindObjects may be null */
-#endif /* NSSDEBUG */
-
- if( ((NSSCKFWFindObjects *)NULL != fwSession->fwFindObjects) &&
- ((NSSCKFWFindObjects *)NULL != fwFindObjects) ) {
- return CKR_OPERATION_ACTIVE;
- }
-
- fwSession->fwFindObjects = fwFindObjects;
-
- return CKR_OK;
-}
-
-/*
- * nssCKFWSession_GetFWFindObjects
- *
- */
-NSS_IMPLEMENT NSSCKFWFindObjects *
-nssCKFWSession_GetFWFindObjects
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWFindObjects *)NULL;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != *pError ) {
- return (NSSCKFWFindObjects *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSCKFWFindObjects *)NULL == fwSession->fwFindObjects ) {
- *pError = CKR_OPERATION_NOT_INITIALIZED;
- return (NSSCKFWFindObjects *)NULL;
- }
-
- return fwSession->fwFindObjects;
-}
-
-/*
- * nssCKFWSession_SetMDSession
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetMDSession
-(
- NSSCKFWSession *fwSession,
- NSSCKMDSession *mdSession
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSCKMDSession *)NULL == mdSession ) {
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSCKMDSession *)NULL != fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-
- fwSession->mdSession = mdSession;
-
- return CKR_OK;
-}
-
-/*
- * nssCKFWSession_SetHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetHandle
-(
- NSSCKFWSession *fwSession,
- CK_SESSION_HANDLE hSession
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- if( (CK_SESSION_HANDLE)0 != fwSession->hSession ) {
- return CKR_GENERAL_ERROR;
- }
-
- fwSession->hSession = hSession;
-
- return CKR_OK;
-}
-
-/*
- * nssCKFWSession_GetHandle
- *
- */
-NSS_IMPLEMENT CK_SESSION_HANDLE
-nssCKFWSession_GetHandle
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return (NSSCKMDSession *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwSession->hSession;
-}
-
-/*
- * nssCKFWSession_RegisterSessionObject
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_RegisterSessionObject
-(
- NSSCKFWSession *fwSession,
- NSSCKFWObject *fwObject
-)
-{
- CK_RV rv = CKR_OK;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
- rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
- }
-
- return rv;
-}
-
-/*
- * nssCKFWSession_DeregisterSessionObject
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_DeregisterSessionObject
-(
- NSSCKFWSession *fwSession,
- NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
- nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject);
- }
-
- return CKR_OK;
-}
-
-/*
- * nssCKFWSession_GetDeviceError
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWSession_GetDeviceError
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return (CK_ULONG)0;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSession->mdSession->GetDeviceError ) {
- return (CK_ULONG)0;
- }
-
- return fwSession->mdSession->GetDeviceError(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance);
-}
-
-/*
- * nssCKFWSession_Login
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_Login
-(
- NSSCKFWSession *fwSession,
- CK_USER_TYPE userType,
- NSSItem *pin
-)
-{
- CK_RV error = CKR_OK;
- CK_STATE oldState;
- CK_STATE newState;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- switch( userType ) {
- case CKU_SO:
- case CKU_USER:
- break;
- default:
- return CKR_USER_TYPE_INVALID;
- }
-
- if( (NSSItem *)NULL == pin ) {
- if( CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken) ) {
- return CKR_ARGUMENTS_BAD;
- }
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
-
- /*
- * It's not clear what happens when you're already logged in.
- * I'll just fail; but if we decide to change, the logic is
- * all right here.
- */
-
- if( CKU_SO == userType ) {
- switch( oldState ) {
- case CKS_RO_PUBLIC_SESSION:
- /*
- * There's no such thing as a read-only security officer
- * session, so fail. The error should be CKR_SESSION_READ_ONLY,
- * except that C_Login isn't defined to return that. So we'll
- * do CKR_SESSION_READ_ONLY_EXISTS, which is what is documented.
- */
- return CKR_SESSION_READ_ONLY_EXISTS;
- case CKS_RO_USER_FUNCTIONS:
- return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
- case CKS_RW_PUBLIC_SESSION:
- newState = CKS_RW_SO_FUNCTIONS;
- break;
- case CKS_RW_USER_FUNCTIONS:
- return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
- case CKS_RW_SO_FUNCTIONS:
- return CKR_USER_ALREADY_LOGGED_IN;
- default:
- return CKR_GENERAL_ERROR;
- }
- } else /* CKU_USER == userType */ {
- switch( oldState ) {
- case CKS_RO_PUBLIC_SESSION:
- newState = CKS_RO_USER_FUNCTIONS;
- break;
- case CKS_RO_USER_FUNCTIONS:
- return CKR_USER_ALREADY_LOGGED_IN;
- case CKS_RW_PUBLIC_SESSION:
- newState = CKS_RW_USER_FUNCTIONS;
- break;
- case CKS_RW_USER_FUNCTIONS:
- return CKR_USER_ALREADY_LOGGED_IN;
- case CKS_RW_SO_FUNCTIONS:
- return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
- default:
- return CKR_GENERAL_ERROR;
- }
- }
-
- /*
- * So now we're in one of three cases:
- *
- * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_SO_FUNCTIONS;
- * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_USER_FUNCTIONS;
- * Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS;
- */
-
- if( (void *)NULL == (void *)fwSession->mdSession->Login ) {
- /*
- * The Module doesn't want to be informed (or check the pin)
- * it'll just rely on the Framework as needed.
- */
- ;
- } else {
- error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
- fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, userType, pin, oldState, newState);
- if( CKR_OK != error ) {
- return error;
- }
- }
-
- (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
- return CKR_OK;
-}
-
-/*
- * nssCKFWSession_Logout
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_Logout
-(
- NSSCKFWSession *fwSession
-)
-{
- CK_RV error = CKR_OK;
- CK_STATE oldState;
- CK_STATE newState;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
-
- switch( oldState ) {
- case CKS_RO_PUBLIC_SESSION:
- return CKR_USER_NOT_LOGGED_IN;
- case CKS_RO_USER_FUNCTIONS:
- newState = CKS_RO_PUBLIC_SESSION;
- break;
- case CKS_RW_PUBLIC_SESSION:
- return CKR_USER_NOT_LOGGED_IN;
- case CKS_RW_USER_FUNCTIONS:
- newState = CKS_RW_PUBLIC_SESSION;
- break;
- case CKS_RW_SO_FUNCTIONS:
- newState = CKS_RW_PUBLIC_SESSION;
- break;
- default:
- return CKR_GENERAL_ERROR;
- }
-
- /*
- * So now we're in one of three cases:
- *
- * Old == CKS_RW_SO_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
- * Old == CKS_RW_USER_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
- * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
- */
-
- if( (void *)NULL == (void *)fwSession->mdSession->Logout ) {
- /*
- * The Module doesn't want to be informed. Okay.
- */
- ;
- } else {
- error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
- fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, oldState, newState);
- if( CKR_OK != error ) {
- /*
- * Now what?! A failure really should end up with the Framework
- * considering it logged out, right?
- */
- ;
- }
- }
-
- (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
- return error;
-}
-
-/*
- * nssCKFWSession_InitPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_InitPIN
-(
- NSSCKFWSession *fwSession,
- NSSItem *pin
-)
-{
- CK_RV error = CKR_OK;
- CK_STATE state;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- state = nssCKFWToken_GetSessionState(fwSession->fwToken);
- if( CKS_RW_SO_FUNCTIONS != state ) {
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- if( (NSSItem *)NULL == pin ) {
- CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
- if( CK_TRUE != has ) {
- return CKR_ARGUMENTS_BAD;
- }
- }
-
- if( (void *)NULL == (void *)fwSession->mdSession->InitPIN ) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
-
- error = fwSession->mdSession->InitPIN(fwSession->mdSession, fwSession,
- fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, pin);
-
- return error;
-}
-
-/*
- * nssCKFWSession_SetPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetPIN
-(
- NSSCKFWSession *fwSession,
- NSSItem *newPin,
- NSSItem *oldPin
-)
-{
- CK_RV error = CKR_OK;
- CK_STATE state;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- state = nssCKFWToken_GetSessionState(fwSession->fwToken);
- if( (CKS_RW_SO_FUNCTIONS != state) &&
- (CKS_RW_USER_FUNCTIONS != state) ) {
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- if( (NSSItem *)NULL == newPin ) {
- CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
- if( CK_TRUE != has ) {
- return CKR_ARGUMENTS_BAD;
- }
- }
-
- if( (NSSItem *)NULL == oldPin ) {
- CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
- if( CK_TRUE != has ) {
- return CKR_ARGUMENTS_BAD;
- }
- }
-
- if( (void *)NULL == (void *)fwSession->mdSession->SetPIN ) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
-
- error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
- fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, newPin, oldPin);
-
- return error;
-}
-
-/*
- * nssCKFWSession_GetOperationStateLen
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWSession_GetOperationStateLen
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-)
-{
- CK_ULONG mdAmt;
- CK_ULONG fwAmt;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (CK_ULONG)0;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != *pError ) {
- return (CK_ULONG)0;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- *pError = CKR_GENERAL_ERROR;
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSession->mdSession->GetOperationStateLen ) {
- *pError = CKR_STATE_UNSAVEABLE;
- }
-
- /*
- * We could check that the session is actually in some state..
- */
-
- mdAmt = fwSession->mdSession->GetOperationStateLen(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, pError);
-
- if( ((CK_ULONG)0 == mdAmt) && (CKR_OK != *pError) ) {
- return (CK_ULONG)0;
- }
-
- /*
- * Add a bit of sanity-checking
- */
- fwAmt = mdAmt + 2*sizeof(CK_ULONG);
-
- return fwAmt;
-}
-
-/*
- * nssCKFWSession_GetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_GetOperationState
-(
- NSSCKFWSession *fwSession,
- NSSItem *buffer
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG fwAmt;
- CK_ULONG *ulBuffer;
- NSSItem i2;
- CK_ULONG n, i;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSItem *)NULL == buffer ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (void *)NULL == buffer->data ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSession->mdSession->GetOperationState ) {
- return CKR_STATE_UNSAVEABLE;
- }
-
- /*
- * Sanity-check the caller's buffer.
- */
-
- error = CKR_OK;
- fwAmt = nssCKFWSession_GetOperationStateLen(fwSession, &error);
- if( ((CK_ULONG)0 == fwAmt) && (CKR_OK != error) ) {
- return error;
- }
-
- if( buffer->size < fwAmt ) {
- return CKR_BUFFER_TOO_SMALL;
- }
-
- ulBuffer = (CK_ULONG *)buffer->data;
-
- i2.size = buffer->size - 2*sizeof(CK_ULONG);
- i2.data = (void *)&ulBuffer[2];
-
- error = fwSession->mdSession->GetOperationState(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance, &i2);
-
- if( CKR_OK != error ) {
- return error;
- }
-
- /*
- * Add a little integrety/identity check.
- * NOTE: right now, it's pretty stupid.
- * A CRC or something would be better.
- */
-
- ulBuffer[0] = 0x434b4657; /* CKFW */
- ulBuffer[1] = 0;
- n = i2.size/sizeof(CK_ULONG);
- for( i = 0; i < n; i++ ) {
- ulBuffer[1] ^= ulBuffer[2+i];
- }
-
- return CKR_OK;
-}
-
-/*
- * nssCKFWSession_SetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetOperationState
-(
- NSSCKFWSession *fwSession,
- NSSItem *state,
- NSSCKFWObject *encryptionKey,
- NSSCKFWObject *authenticationKey
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG *ulBuffer;
- CK_ULONG n, i;
- CK_ULONG x;
- NSSItem s;
- NSSCKMDObject *mdek;
- NSSCKMDObject *mdak;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSItem *)NULL == state ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (void *)NULL == state->data ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (NSSCKFWObject *)NULL != encryptionKey ) {
- error = nssCKFWObject_verifyPointer(encryptionKey);
- if( CKR_OK != error ) {
- return error;
- }
- }
-
- if( (NSSCKFWObject *)NULL != authenticationKey ) {
- error = nssCKFWObject_verifyPointer(authenticationKey);
- if( CKR_OK != error ) {
- return error;
- }
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- ulBuffer = (CK_ULONG *)state->data;
- if( 0x43b4657 != ulBuffer[0] ) {
- return CKR_SAVED_STATE_INVALID;
- }
- n = (state->size / sizeof(CK_ULONG)) - 2;
- x = (CK_ULONG)0;
- for( i = 0; i < n; i++ ) {
- x ^= ulBuffer[2+i];
- }
-
- if( x != ulBuffer[1] ) {
- return CKR_SAVED_STATE_INVALID;
- }
-
- if( (void *)NULL == (void *)fwSession->mdSession->SetOperationState ) {
- return CKR_GENERAL_ERROR;
- }
-
- s.size = state->size - 2*sizeof(CK_ULONG);
- s.data = (void *)&ulBuffer[2];
-
- if( (NSSCKFWObject *)NULL != encryptionKey ) {
- mdek = nssCKFWObject_GetMDObject(encryptionKey);
- } else {
- mdek = (NSSCKMDObject *)NULL;
- }
-
- if( (NSSCKFWObject *)NULL != authenticationKey ) {
- mdak = nssCKFWObject_GetMDObject(authenticationKey);
- } else {
- mdak = (NSSCKMDObject *)NULL;
- }
-
- error = fwSession->mdSession->SetOperationState(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
-
- if( CKR_OK != error ) {
- return error;
- }
-
- /*
- * Here'd we restore any session data
- */
-
- return CKR_OK;
-}
-
-static CK_BBOOL
-nss_attributes_form_token_object
-(
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount
-)
-{
- CK_ULONG i;
- CK_BBOOL rv;
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( CKA_TOKEN == pTemplate[i].type ) {
- /* If we sanity-check, we can remove this sizeof check */
- if( sizeof(CK_BBOOL) == pTemplate[i].ulValueLen ) {
- (void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
- return rv;
- } else {
- return CK_FALSE;
- }
- }
- }
-
- return CK_FALSE;
-}
-
-/*
- * nssCKFWSession_CreateObject
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWSession_CreateObject
-(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- NSSArena *arena;
- NSSCKMDObject *mdObject;
- NSSCKFWObject *fwObject;
- CK_BBOOL isTokenObject;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWObject *)NULL;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- /*
- * Here would be an excellent place to sanity-check the object.
- */
-
- isTokenObject = nss_attributes_form_token_object(pTemplate, ulAttributeCount);
- if( CK_TRUE == isTokenObject ) {
- /* === TOKEN OBJECT === */
-
- if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
- *pError = CKR_TOKEN_WRITE_PROTECTED;
- return (NSSCKFWObject *)NULL;
- }
-
- arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
- if( (NSSArena *)NULL == arena ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWObject *)NULL;
- }
-
- goto callmdcreateobject;
- } else {
- /* === SESSION OBJECT === */
-
- arena = nssCKFWSession_GetArena(fwSession, pError);
- if( (NSSArena *)NULL == arena ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWObject *)NULL;
- }
-
- if( CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
- fwSession->fwInstance) ) {
- /* --- module handles the session object -- */
-
- if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWObject *)NULL;
- }
-
- goto callmdcreateobject;
- } else {
- /* --- framework handles the session object -- */
- mdObject = nssCKMDSessionObject_Create(fwSession->fwToken,
- arena, pTemplate, ulAttributeCount, pError);
- goto gotmdobject;
- }
- }
-
- callmdcreateobject:
- mdObject = fwSession->mdSession->CreateObject(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance, arena, pTemplate,
- ulAttributeCount, pError);
-
- gotmdobject:
- if( (NSSCKMDObject *)NULL == mdObject ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWObject *)NULL;
- }
-
- fwObject = nssCKFWObject_Create(arena, mdObject, fwSession,
- fwSession->fwToken, fwSession->fwInstance, pError);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
-
- if( (void *)NULL != (void *)mdObject->Destroy ) {
- (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
- fwSession->mdSession, fwSession, fwSession->mdToken,
- fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
- }
-
- return (NSSCKFWObject *)NULL;
- }
-
- if( CK_FALSE == isTokenObject ) {
- if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, fwObject) ) {
- *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
- if( CKR_OK != *pError ) {
- nssCKFWObject_Finalize(fwObject);
- return (NSSCKFWObject *)NULL;
- }
- }
- }
-
- return fwObject;
-}
-
-/*
- * nssCKFWSession_CopyObject
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWSession_CopyObject
-(
- NSSCKFWSession *fwSession,
- NSSCKFWObject *fwObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- CK_BBOOL oldIsToken;
- CK_BBOOL newIsToken;
- CK_ULONG i;
- NSSCKFWObject *rv;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != *pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- *pError = nssCKFWObject_verifyPointer(fwObject);
- if( CKR_OK != *pError ) {
- return (NSSCKFWObject *)NULL;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- /*
- * Sanity-check object
- */
-
- oldIsToken = nssCKFWObject_IsTokenObject(fwObject);
-
- newIsToken = oldIsToken;
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( CKA_TOKEN == pTemplate[i].type ) {
- /* Since we sanity-checked the object, we know this is the right size. */
- (void)nsslibc_memcpy(&newIsToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
- break;
- }
- }
-
- /*
- * If the Module handles its session objects, or if both the new
- * and old object are token objects, use CopyObject if it exists.
- */
-
- if( ((void *)NULL != (void *)fwSession->mdSession->CopyObject) &&
- (((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) ||
- (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
- fwSession->fwInstance))) ) {
- /* use copy object */
- NSSArena *arena;
- NSSCKMDObject *mdOldObject;
- NSSCKMDObject *mdObject;
-
- mdOldObject = nssCKFWObject_GetMDObject(fwObject);
-
- if( CK_TRUE == newIsToken ) {
- arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
- } else {
- arena = nssCKFWSession_GetArena(fwSession, pError);
- }
- if( (NSSArena *)NULL == arena ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWObject *)NULL;
- }
-
- mdObject = fwSession->mdSession->CopyObject(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance, mdOldObject,
- fwObject, arena, pTemplate, ulAttributeCount, pError);
- if( (NSSCKMDObject *)NULL == mdObject ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWObject *)NULL;
- }
-
- rv = nssCKFWObject_Create(arena, mdObject, fwSession,
- fwSession->fwToken, fwSession->fwInstance, pError);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
-
- if( (void *)NULL != (void *)mdObject->Destroy ) {
- (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
- fwSession->mdSession, fwSession, fwSession->mdToken,
- fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
- }
-
- return (NSSCKFWObject *)NULL;
- }
-
- if( CK_FALSE == newIsToken ) {
- if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv) ) {
- *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
- if( CKR_OK != *pError ) {
- nssCKFWObject_Finalize(rv);
- return (NSSCKFWObject *)NULL;
- }
- }
- }
-
- return rv;
- } else {
- /* use create object */
- NSSArena *tmpArena;
- CK_ATTRIBUTE_PTR newTemplate;
- CK_ULONG i, j, n, newLength, k;
- CK_ATTRIBUTE_TYPE_PTR oldTypes;
- NSSCKFWObject *rv;
-
- tmpArena = NSSArena_Create();
- if( (NSSArena *)NULL == tmpArena ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWObject *)NULL;
- }
-
- n = nssCKFWObject_GetAttributeCount(fwObject, pError);
- if( (0 == n) && (CKR_OK != *pError) ) {
- return (NSSCKFWObject *)NULL;
- }
-
- oldTypes = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE_TYPE, n);
- if( (CK_ATTRIBUTE_TYPE_PTR)NULL == oldTypes ) {
- NSSArena_Destroy(tmpArena);
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWObject *)NULL;
- }
-
- *pError = nssCKFWObject_GetAttributeTypes(fwObject, oldTypes, n);
- if( CKR_OK != *pError ) {
- NSSArena_Destroy(tmpArena);
- return (NSSCKFWObject *)NULL;
- }
-
- newLength = n;
- for( i = 0; i < ulAttributeCount; i++ ) {
- for( j = 0; j < n; j++ ) {
- if( oldTypes[j] == pTemplate[i].type ) {
- if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
- /* Removing the attribute */
- newLength--;
- }
- break;
- }
- }
- if( j == n ) {
- /* Not found */
- newLength++;
- }
- }
-
- newTemplate = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE, newLength);
- if( (CK_ATTRIBUTE_PTR)NULL == newTemplate ) {
- NSSArena_Destroy(tmpArena);
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWObject *)NULL;
- }
-
- k = 0;
- for( j = 0; j < n; j++ ) {
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( oldTypes[j] == pTemplate[i].type ) {
- if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
- /* This attribute is being deleted */
- ;
- } else {
- /* This attribute is being replaced */
- newTemplate[k].type = pTemplate[i].type;
- newTemplate[k].pValue = pTemplate[i].pValue;
- newTemplate[k].ulValueLen = pTemplate[i].ulValueLen;
- k++;
- }
- break;
- }
- }
- if( i == ulAttributeCount ) {
- /* This attribute is being copied over from the old object */
- NSSItem item, *it;
- item.size = 0;
- item.data = (void *)NULL;
- it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j],
- &item, tmpArena, pError);
- if( (NSSItem *)NULL == it ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- NSSArena_Destroy(tmpArena);
- return (NSSCKFWObject *)NULL;
- }
- newTemplate[k].type = oldTypes[j];
- newTemplate[k].pValue = it->data;
- newTemplate[k].ulValueLen = it->size;
- k++;
- }
- }
- /* assert that k == newLength */
-
- rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError);
- if( (NSSCKFWObject *)NULL == rv ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- NSSArena_Destroy(tmpArena);
- return (NSSCKFWObject *)NULL;
- }
-
- NSSArena_Destroy(tmpArena);
- return rv;
- }
-}
-
-/*
- * nssCKFWSession_FindObjectsInit
- *
- */
-NSS_IMPLEMENT NSSCKFWFindObjects *
-nssCKFWSession_FindObjectsInit
-(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError
-)
-{
- NSSCKMDFindObjects *mdfo1 = (NSSCKMDFindObjects *)NULL;
- NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWFindObjects *)NULL;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != *pError ) {
- return (NSSCKFWFindObjects *)NULL;
- }
-
- if( ((CK_ATTRIBUTE_PTR)NULL == pTemplate) && (ulAttributeCount != 0) ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWFindObjects *)NULL;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWFindObjects *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
- fwSession->fwInstance) ) {
- CK_ULONG i;
-
- /*
- * Does the search criteria restrict us to token or session
- * objects?
- */
-
- for( i = 0; i < ulAttributeCount; i++ ) {
- if( CKA_TOKEN == pTemplate[i].type ) {
- /* Yes, it does. */
- CK_BBOOL isToken;
- if( sizeof(CK_BBOOL) != pTemplate[i].ulValueLen ) {
- *pError = CKR_ATTRIBUTE_VALUE_INVALID;
- return (NSSCKFWFindObjects *)NULL;
- }
- (void)nsslibc_memcpy(&isToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
-
- if( CK_TRUE == isToken ) {
- /* Pass it on to the module's search routine */
- if( (void *)NULL == (void *)fwSession->mdSession->FindObjectsInit ) {
- goto wrap;
- }
-
- mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance,
- pTemplate, ulAttributeCount, pError);
- } else {
- /* Do the search ourselves */
- mdfo1 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
- pTemplate, ulAttributeCount, pError);
- }
-
- if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWFindObjects *)NULL;
- }
-
- goto wrap;
- }
- }
-
- if( i == ulAttributeCount ) {
- /* No, it doesn't. Do a hybrid search. */
- mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance,
- pTemplate, ulAttributeCount, pError);
-
- if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWFindObjects *)NULL;
- }
-
- mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
- pTemplate, ulAttributeCount, pError);
- if( (NSSCKMDFindObjects *)NULL == mdfo2 ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- if( (void *)NULL != (void *)mdfo1->Final ) {
- mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance);
- }
- return (NSSCKFWFindObjects *)NULL;
- }
-
- goto wrap;
- }
- /*NOTREACHED*/
- } else {
- /* Module handles all its own objects. Pass on to module's search */
- mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
- fwSession, fwSession->mdToken, fwSession->fwToken,
- fwSession->mdInstance, fwSession->fwInstance,
- pTemplate, ulAttributeCount, pError);
-
- if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWFindObjects *)NULL;
- }
-
- goto wrap;
- }
-
- wrap:
- return nssCKFWFindObjects_Create(fwSession, fwSession->fwToken,
- fwSession->fwInstance, mdfo1, mdfo2, pError);
-}
-
-/*
- * nssCKFWSession_SeedRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SeedRandom
-(
- NSSCKFWSession *fwSession,
- NSSItem *seed
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSItem *)NULL == seed ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (void *)NULL == seed->data ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( 0 == seed->size ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSession->mdSession->SeedRandom ) {
- return CKR_RANDOM_SEED_NOT_SUPPORTED;
- }
-
- error = fwSession->mdSession->SeedRandom(fwSession->mdSession, fwSession,
- fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, seed);
-
- return error;
-}
-
-/*
- * nssCKFWSession_GetRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_GetRandom
-(
- NSSCKFWSession *fwSession,
- NSSItem *buffer
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSItem *)NULL == buffer ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (void *)NULL == buffer->data ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
- return CKR_GENERAL_ERROR;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSession->mdSession->GetRandom ) {
- if( CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken) ) {
- return CKR_GENERAL_ERROR;
- } else {
- return CKR_RANDOM_NO_RNG;
- }
- }
-
- if( 0 == buffer->size ) {
- return CKR_OK;
- }
-
- error = fwSession->mdSession->GetRandom(fwSession->mdSession, fwSession,
- fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
- fwSession->fwInstance, buffer);
-
- return error;
-}
-
-/*
- * NSSCKFWSession_GetMDSession
- *
- */
-
-NSS_IMPLEMENT NSSCKMDSession *
-NSSCKFWSession_GetMDSession
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return (NSSCKMDSession *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWSession_GetMDSession(fwSession);
-}
-
-/*
- * NSSCKFWSession_GetArena
- *
- */
-
-NSS_IMPLEMENT NSSArena *
-NSSCKFWSession_GetArena
-(
- NSSCKFWSession *fwSession,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWSession_GetArena(fwSession, pError);
-}
-
-/*
- * NSSCKFWSession_CallNotification
- *
- */
-
-NSS_IMPLEMENT CK_RV
-NSSCKFWSession_CallNotification
-(
- NSSCKFWSession *fwSession,
- CK_NOTIFICATION event
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef DEBUG
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* DEBUG */
-
- return nssCKFWSession_CallNotification(fwSession, event);
-}
-
-/*
- * NSSCKFWSession_IsRWSession
- *
- */
-
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWSession_IsRWSession
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CK_FALSE;
- }
-#endif /* DEBUG */
-
- return nssCKFWSession_IsRWSession(fwSession);
-}
-
-/*
- * NSSCKFWSession_IsSO
- *
- */
-
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWSession_IsSO
-(
- NSSCKFWSession *fwSession
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
- return CK_FALSE;
- }
-#endif /* DEBUG */
-
- return nssCKFWSession_IsSO(fwSession);
-}
diff --git a/security/nss/lib/ckfw/sessobj.c b/security/nss/lib/ckfw/sessobj.c
deleted file mode 100644
index 28555f408..000000000
--- a/security/nss/lib/ckfw/sessobj.c
+++ /dev/null
@@ -1,1090 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * sessobj.c
- *
- * This file contains an NSSCKMDObject implementation for session
- * objects. The framework uses this implementation to manage
- * session objects when a Module doesn't wish to be bothered.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * nssCKMDSessionObject
- *
- * -- create --
- * nssCKMDSessionObject_Create
- *
- * -- EPV calls --
- * nss_ckmdSessionObject_Finalize
- * nss_ckmdSessionObject_IsTokenObject
- * nss_ckmdSessionObject_GetAttributeCount
- * nss_ckmdSessionObject_GetAttributeTypes
- * nss_ckmdSessionObject_GetAttributeSize
- * nss_ckmdSessionObject_GetAttribute
- * nss_ckmdSessionObject_SetAttribute
- * nss_ckmdSessionObject_GetObjectSize
- */
-
-struct nssCKMDSessionObjectStr {
- CK_ULONG n;
- NSSArena *arena;
- NSSItem *attributes;
- CK_ATTRIBUTE_TYPE_PTR types;
- nssCKFWHash *hash;
-};
-typedef struct nssCKMDSessionObjectStr nssCKMDSessionObject;
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-nss_ckmdSessionObject_add_pointer
-(
- const NSSCKMDObject *mdObject
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-nss_ckmdSessionObject_remove_pointer
-(
- const NSSCKMDObject *mdObject
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-nss_ckmdSessionObject_verifyPointer
-(
- const NSSCKMDObject *mdObject
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * We must forward-declare these routines
- */
-static void
-nss_ckmdSessionObject_Finalize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-);
-
-static CK_RV
-nss_ckmdSessionObject_Destroy
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-);
-
-static CK_BBOOL
-nss_ckmdSessionObject_IsTokenObject
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-);
-
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeCount
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-static CK_RV
-nss_ckmdSessionObject_GetAttributeTypes
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-);
-
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-);
-
-static NSSItem *
-nss_ckmdSessionObject_GetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-);
-
-static CK_RV
-nss_ckmdSessionObject_SetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value
-);
-
-static CK_ULONG
-nss_ckmdSessionObject_GetObjectSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-);
-
-/*
- * nssCKMDSessionObject_Create
- *
- */
-NSS_IMPLEMENT NSSCKMDObject *
-nssCKMDSessionObject_Create
-(
- NSSCKFWToken *fwToken,
- NSSArena *arena,
- CK_ATTRIBUTE_PTR attributes,
- CK_ULONG ulCount,
- CK_RV *pError
-)
-{
- NSSCKMDObject *mdObject = (NSSCKMDObject *)NULL;
- nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)NULL;
- CK_ULONG i;
- nssCKFWHash *hash;
-
- mdso = nss_ZNEW(arena, nssCKMDSessionObject);
- if( (nssCKMDSessionObject *)NULL == mdso ) {
- goto loser;
- }
-
- mdso->arena = arena;
- mdso->n = ulCount;
- mdso->attributes = nss_ZNEWARRAY(arena, NSSItem, ulCount);
- if( (NSSItem *)NULL == mdso->attributes ) {
- goto loser;
- }
-
- mdso->types = nss_ZNEWARRAY(arena, CK_ATTRIBUTE_TYPE, ulCount);
-
- for( i = 0; i < ulCount; i++ ) {
- mdso->types[i] = attributes[i].type;
- mdso->attributes[i].size = attributes[i].ulValueLen;
- mdso->attributes[i].data = nss_ZAlloc(arena, attributes[i].ulValueLen);
- if( (void *)NULL == mdso->attributes[i].data ) {
- goto loser;
- }
- (void)nsslibc_memcpy(mdso->attributes[i].data, attributes[i].pValue,
- attributes[i].ulValueLen);
- }
-
- mdObject = nss_ZNEW(arena, NSSCKMDObject);
- if( (NSSCKMDObject *)NULL == mdObject ) {
- goto loser;
- }
-
- mdObject->etc = (void *)mdso;
- mdObject->Finalize = nss_ckmdSessionObject_Finalize;
- mdObject->Destroy = nss_ckmdSessionObject_Destroy;
- mdObject->IsTokenObject = nss_ckmdSessionObject_IsTokenObject;
- mdObject->GetAttributeCount = nss_ckmdSessionObject_GetAttributeCount;
- mdObject->GetAttributeTypes = nss_ckmdSessionObject_GetAttributeTypes;
- mdObject->GetAttributeSize = nss_ckmdSessionObject_GetAttributeSize;
- mdObject->GetAttribute = nss_ckmdSessionObject_GetAttribute;
- mdObject->SetAttribute = nss_ckmdSessionObject_SetAttribute;
- mdObject->GetObjectSize = nss_ckmdSessionObject_GetObjectSize;
-
- hash = nssCKFWToken_GetSessionObjectHash(fwToken);
- if( (nssCKFWHash *)NULL == hash ) {
- *pError = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- mdso->hash = hash;
-
- *pError = nssCKFWHash_Add(hash, mdObject, mdObject);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-
-#ifdef DEBUG
- if( CKR_OK != nss_ckmdSessionObject_add_pointer(mdObject) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- *pError = CKR_OK;
- return mdObject;
-
- loser:
- if( (nssCKMDSessionObject *)NULL != mdso ) {
- if( (NSSItem *)NULL != mdso->attributes ) {
- for( i = 0; i < ulCount; i++ ) {
- nss_ZFreeIf(mdso->attributes[i].data);
- }
-
- nss_ZFreeIf(mdso->attributes);
- }
-
- nss_ZFreeIf(mdso->types);
- nss_ZFreeIf(mdso);
- }
-
- nss_ZFreeIf(mdObject);
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDObject *)NULL;
-}
-
-/*
- * nss_ckmdSessionObject_Finalize
- *
- */
-static void
-nss_ckmdSessionObject_Finalize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- /* This shouldn't ever be called */
- return;
-}
-
-/*
- * nss_ckmdSessionObject_Destroy
- *
- */
-
-static CK_RV
-nss_ckmdSessionObject_Destroy
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
- nssCKMDSessionObject *mdso;
- CK_ULONG i;
-
-#ifdef NSSDEBUG
- error = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- mdso = (nssCKMDSessionObject *)mdObject->etc;
-
- nssCKFWHash_Remove(mdso->hash, mdObject);
-
- for( i = 0; i < mdso->n; i++ ) {
- nss_ZFreeIf(mdso->attributes[i].data);
- }
- nss_ZFreeIf(mdso->attributes);
- nss_ZFreeIf(mdso->types);
- nss_ZFreeIf(mdso);
- nss_ZFreeIf(mdObject);
-
-#ifdef DEBUG
- (void)nss_ckmdSessionObject_remove_pointer(mdObject);
-#endif /* DEBUG */
-
- return CKR_OK;
-}
-
-/*
- * nss_ckmdSessionObject_IsTokenObject
- *
- */
-
-static CK_BBOOL
-nss_ckmdSessionObject_IsTokenObject
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nss_ckmdSessionObject_verifyPointer(mdObject) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- /*
- * This implementation is only ever used for session objects.
- */
- return CK_FALSE;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttributeCount
- *
- */
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeCount
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- nssCKMDSessionObject *obj;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return 0;
- }
-
- *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != *pError ) {
- return 0;
- }
-
- /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
- obj = (nssCKMDSessionObject *)mdObject->etc;
-
- return obj->n;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttributeTypes
- *
- */
-static CK_RV
-nss_ckmdSessionObject_GetAttributeTypes
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount
-)
-{
-#ifdef NSSDEBUG
- CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
- nssCKMDSessionObject *obj;
-
-#ifdef NSSDEBUG
- error = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != error ) {
- return error;
- }
-
- /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
- obj = (nssCKMDSessionObject *)mdObject->etc;
-
- if( ulCount < obj->n ) {
- return CKR_BUFFER_TOO_SMALL;
- }
-
- (void)nsslibc_memcpy(typeArray, obj->types,
- sizeof(CK_ATTRIBUTE_TYPE) * obj->n);
-
- return CKR_OK;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttributeSize
- *
- */
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- nssCKMDSessionObject *obj;
- CK_ULONG i;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return 0;
- }
-
- *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != *pError ) {
- return 0;
- }
-
- /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
- obj = (nssCKMDSessionObject *)mdObject->etc;
-
- for( i = 0; i < obj->n; i++ ) {
- if( attribute == obj->types[i] ) {
- return (CK_ULONG)(obj->attributes[i].size);
- }
- }
-
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- return 0;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttribute
- *
- */
-static NSSItem *
-nss_ckmdSessionObject_GetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError
-)
-{
- nssCKMDSessionObject *obj;
- CK_ULONG i;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return 0;
- }
-
- *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != *pError ) {
- return 0;
- }
-
- /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
- obj = (nssCKMDSessionObject *)mdObject->etc;
-
- for( i = 0; i < obj->n; i++ ) {
- if( attribute == obj->types[i] ) {
- return &obj->attributes[i];
- }
- }
-
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- return 0;
-}
-
-/*
- * nss_ckmdSessionObject_SetAttribute
- *
- */
-
-/*
- * Okay, so this implementation sucks. It doesn't support removing
- * an attribute (if value == NULL), and could be more graceful about
- * memory. It should allow "blank" slots in the arrays, with some
- * invalid attribute type, and then it could support removal much
- * more easily. Do this later.
- */
-static CK_RV
-nss_ckmdSessionObject_SetAttribute
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value
-)
-{
- nssCKMDSessionObject *obj;
- CK_ULONG i;
- NSSItem n;
- NSSItem *ra;
- CK_ATTRIBUTE_TYPE_PTR rt;
-#ifdef NSSDEBUG
- CK_RV error;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
- error = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != error ) {
- return 0;
- }
-
- /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
- obj = (nssCKMDSessionObject *)mdObject->etc;
-
- n.size = value->size;
- n.data = nss_ZAlloc(obj->arena, n.size);
- if( (void *)NULL == n.data ) {
- return CKR_HOST_MEMORY;
- }
- (void)nsslibc_memcpy(n.data, value->data, n.size);
-
- for( i = 0; i < obj->n; i++ ) {
- if( attribute == obj->types[i] ) {
- nss_ZFreeIf(obj->attributes[i].data);
- obj->attributes[i] = n;
- return CKR_OK;
- }
- }
-
- /*
- * It's new.
- */
-
- ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1));
- if( (NSSItem *)NULL == ra ) {
- nss_ZFreeIf(n.data);
- return CKR_HOST_MEMORY;
- }
-
- rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
- if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
- nss_ZFreeIf(n.data);
- obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);
- if( (NSSItem *)NULL == obj->attributes ) {
- return CKR_GENERAL_ERROR;
- }
- return CKR_HOST_MEMORY;
- }
-
- obj->attributes = ra;
- obj->types = rt;
- obj->attributes[obj->n] = n;
- obj->types[obj->n] = attribute;
- obj->n++;
-
- return CKR_OK;
-}
-
-/*
- * nss_ckmdSessionObject_GetObjectSize
- *
- */
-static CK_ULONG
-nss_ckmdSessionObject_GetObjectSize
-(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError
-)
-{
- nssCKMDSessionObject *obj;
- CK_ULONG i;
- CK_ULONG rv = (CK_ULONG)0;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return 0;
- }
-
- *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
- if( CKR_OK != *pError ) {
- return 0;
- }
-
- /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
- obj = (nssCKMDSessionObject *)mdObject->etc;
-
- for( i = 0; i < obj->n; i++ ) {
- rv += obj->attributes[i].size;
- }
-
- rv += sizeof(NSSItem) * obj->n;
- rv += sizeof(CK_ATTRIBUTE_TYPE) * obj->n;
- rv += sizeof(nssCKMDSessionObject);
-
- return rv;
-}
-
-/*
- * nssCKMDFindSessionObjects
- *
- * -- create --
- * nssCKMDFindSessionObjects_Create
- *
- * -- EPV calls --
- * nss_ckmdFindSessionObjects_Final
- * nss_ckmdFindSessionObjects_Next
- */
-
-struct nodeStr {
- struct nodeStr *next;
- NSSCKMDObject *mdObject;
-};
-
-struct nssCKMDFindSessionObjectsStr {
- NSSArena *arena;
- CK_RV error;
- CK_ATTRIBUTE_PTR pTemplate;
- CK_ULONG ulCount;
- struct nodeStr *list;
- nssCKFWHash *hash;
-
-};
-typedef struct nssCKMDFindSessionObjectsStr nssCKMDFindSessionObjects;
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-nss_ckmdFindSessionObjects_add_pointer
-(
- const NSSCKMDFindObjects *mdFindObjects
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-nss_ckmdFindSessionObjects_remove_pointer
-(
- const NSSCKMDFindObjects *mdFindObjects
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-nss_ckmdFindSessionObjects_verifyPointer
-(
- const NSSCKMDFindObjects *mdFindObjects
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * We must forward-declare these routines.
- */
-static void
-nss_ckmdFindSessionObjects_Final
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-);
-
-static NSSCKMDObject *
-nss_ckmdFindSessionObjects_Next
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-);
-
-static CK_BBOOL
-items_match
-(
- NSSItem *a,
- CK_VOID_PTR pValue,
- CK_ULONG ulValueLen
-)
-{
- if( a->size != ulValueLen ) {
- return CK_FALSE;
- }
-
- if( PR_TRUE == nsslibc_memequal(a->data, pValue, ulValueLen, (PRStatus *)NULL) ) {
- return CK_TRUE;
- } else {
- return CK_FALSE;
- }
-}
-
-/*
- * Our hashtable iterator
- */
-static void
-findfcn
-(
- const void *key,
- void *value,
- void *closure
-)
-{
- NSSCKMDObject *mdObject = (NSSCKMDObject *)value;
- nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)mdObject->etc;
- nssCKMDFindSessionObjects *mdfso = (nssCKMDFindSessionObjects *)closure;
- CK_ULONG i, j;
- struct nodeStr *node;
-
- if( CKR_OK != mdfso->error ) {
- return;
- }
-
- for( i = 0; i < mdfso->ulCount; i++ ) {
- CK_ATTRIBUTE_PTR p = &mdfso->pTemplate[i];
-
- for( j = 0; j < mdso->n; j++ ) {
- if( mdso->types[j] == p->type ) {
- if( !items_match(&mdso->attributes[j], p->pValue, p->ulValueLen) ) {
- return;
- } else {
- break;
- }
- }
- }
-
- if( j == mdso->n ) {
- /* Attribute not found */
- return;
- }
- }
-
- /* Matches */
- node = nss_ZNEW(mdfso->arena, struct nodeStr);
- if( (struct nodeStr *)NULL == node ) {
- mdfso->error = CKR_HOST_MEMORY;
- return;
- }
-
- node->mdObject = mdObject;
- node->next = mdfso->list;
- mdfso->list = node;
-
- return;
-}
-
-/*
- * nssCKMDFindSessionObjects_Create
- *
- */
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nssCKMDFindSessionObjects_Create
-(
- NSSCKFWToken *fwToken,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_RV *pError
-)
-{
- NSSArena *arena;
- nssCKMDFindSessionObjects *mdfso;
- nssCKFWHash *hash;
- NSSCKMDFindObjects *rv;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKMDFindObjects *)NULL;
- }
-
- *pError = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != *pError ) {
- return (NSSCKMDFindObjects *)NULL;
- }
-
- if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKMDFindObjects *)NULL;
- }
-#endif /* NSSDEBUG */
-
- hash = nssCKFWToken_GetSessionObjectHash(fwToken);
- if( (nssCKFWHash *)NULL == hash ) {
- *pError= CKR_GENERAL_ERROR;
- return (NSSCKMDFindObjects *)NULL;
- }
-
- arena = NSSArena_Create();
- if( (NSSArena *)NULL == arena ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDFindObjects *)NULL;
- }
-
- mdfso = nss_ZNEW(arena, nssCKMDFindSessionObjects);
- if( (nssCKMDFindSessionObjects *)NULL == mdfso ) {
- NSSArena_Destroy(arena);
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDFindObjects *)NULL;
- }
-
- rv = nss_ZNEW(arena, NSSCKMDFindObjects);
-
- mdfso->error = CKR_OK;
- mdfso->pTemplate = pTemplate;
- mdfso->ulCount = ulCount;
- mdfso->hash = hash;
-
- nssCKFWHash_Iterate(hash, findfcn, mdfso);
-
- if( CKR_OK != mdfso->error ) {
- NSSArena_Destroy(arena);
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDFindObjects *)NULL;
- }
-
- rv->etc = (void *)mdfso;
- rv->Final = nss_ckmdFindSessionObjects_Final;
- rv->Next = nss_ckmdFindSessionObjects_Next;
-
-#ifdef DEBUG
- if( *pError != nss_ckmdFindSessionObjects_add_pointer(rv) ) {
- NSSArena_Destroy(arena);
- return (NSSCKMDFindObjects *)NULL;
- }
-#endif /* DEBUG */
-
- return rv;
-}
-
-static void
-nss_ckmdFindSessionObjects_Final
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance
-)
-{
- nssCKMDFindSessionObjects *mdfso;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
- NSSArena_Destroy(mdfso->arena);
-
-#ifdef DEBUG
- (void)nss_ckmdFindSessionObjects_remove_pointer(mdFindObjects);
-#endif /* DEBUG */
-
- return;
-}
-
-static NSSCKMDObject *
-nss_ckmdFindSessionObjects_Next
-(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError
-)
-{
- nssCKMDFindSessionObjects *mdfso;
- NSSCKMDObject *rv = (NSSCKMDObject *)NULL;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
- return (NSSCKMDObject *)NULL;
- }
-#endif /* NSSDEBUG */
-
- mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
-
- while( (NSSCKMDObject *)NULL == rv ) {
- if( (struct nodeStr *)NULL == mdfso->list ) {
- *pError = CKR_OK;
- return (NSSCKMDObject *)NULL;
- }
-
- if( nssCKFWHash_Exists(mdfso->hash, mdfso->list->mdObject) ) {
- rv = mdfso->list->mdObject;
- }
-
- mdfso->list = mdfso->list->next;
- }
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/slot.c b/security/nss/lib/ckfw/slot.c
deleted file mode 100644
index 6530f04d3..000000000
--- a/security/nss/lib/ckfw/slot.c
+++ /dev/null
@@ -1,753 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * slot.c
- *
- * This file implements the NSSCKFWSlot type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWSlot
- *
- * -- create/destroy --
- * nssCKFWSlot_Create
- * nssCKFWSlot_Destroy
- *
- * -- public accessors --
- * NSSCKFWSlot_GetMDSlot
- * NSSCKFWSlot_GetFWInstance
- * NSSCKFWSlot_GetMDInstance
- *
- * -- implement public accessors --
- * nssCKFWSlot_GetMDSlot
- * nssCKFWSlot_GetFWInstance
- * nssCKFWSlot_GetMDInstance
- *
- * -- private accessors --
- * nssCKFWSlot_GetSlotID
- * nssCKFWSlot_ClearToken
- *
- * -- module fronts --
- * nssCKFWSlot_GetSlotDescription
- * nssCKFWSlot_GetManufacturerID
- * nssCKFWSlot_GetTokenPresent
- * nssCKFWSlot_GetRemovableDevice
- * nssCKFWSlot_GetHardwareSlot
- * nssCKFWSlot_GetHardwareVersion
- * nssCKFWSlot_GetFirmwareVersion
- * nssCKFWSlot_InitToken
- * nssCKFWSlot_GetToken
- */
-
-struct NSSCKFWSlotStr {
- NSSCKFWMutex *mutex;
- NSSCKMDSlot *mdSlot;
- NSSCKFWInstance *fwInstance;
- NSSCKMDInstance *mdInstance;
- CK_SLOT_ID slotID;
-
- /*
- * Everything above is set at creation time, and then not modified.
- * The invariants the mutex protects are:
- *
- * 1) Each of the cached descriptions (versions, etc.) are in an
- * internally consistant state.
- *
- * 2) The fwToken points to the token currently in the slot, and
- * it is in a consistant state.
- *
- * Note that the calls accessing the cached descriptions will
- * call the NSSCKMDSlot methods with the mutex locked. Those
- * methods may then call the public NSSCKFWSlot routines. Those
- * public routines only access the constant data above, so there's
- * no problem. But be careful if you add to this object; mutexes
- * are in general not reentrant, so don't create deadlock situations.
- */
-
- NSSUTF8 *slotDescription;
- NSSUTF8 *manufacturerID;
- CK_VERSION hardwareVersion;
- CK_VERSION firmwareVersion;
- NSSCKFWToken *fwToken;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-slot_add_pointer
-(
- const NSSCKFWSlot *fwSlot
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-slot_remove_pointer
-(
- const NSSCKFWSlot *fwSlot
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_verifyPointer
-(
- const NSSCKFWSlot *fwSlot
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWSlot_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWSlot_Create
-(
- NSSCKFWInstance *fwInstance,
- NSSCKMDSlot *mdSlot,
- CK_SLOT_ID slotID,
- CK_RV *pError
-)
-{
- NSSCKFWSlot *fwSlot;
- NSSCKMDInstance *mdInstance;
- NSSArena *arena;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWSlot *)NULL;
- }
-
- *pError = nssCKFWInstance_verifyPointer(fwInstance);
- if( CKR_OK != *pError ) {
- return (NSSCKFWSlot *)NULL;
- }
-#endif /* NSSDEBUG */
-
- mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
- if( (NSSCKMDInstance *)NULL == mdInstance ) {
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKFWSlot *)NULL;
- }
-
- arena = nssCKFWInstance_GetArena(fwInstance, pError);
- if( (NSSArena *)NULL == arena ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- }
-
- fwSlot = nss_ZNEW(arena, NSSCKFWSlot);
- if( (NSSCKFWSlot *)NULL == fwSlot ) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKFWSlot *)NULL;
- }
-
- fwSlot->mdSlot = mdSlot;
- fwSlot->fwInstance = fwInstance;
- fwSlot->mdInstance = mdInstance;
- fwSlot->slotID = slotID;
-
- fwSlot->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == fwSlot->mutex ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- (void)nss_ZFreeIf(fwSlot);
- return (NSSCKFWSlot *)NULL;
- }
-
- if( (void *)NULL != (void *)mdSlot->Initialize ) {
- *pError = CKR_OK;
- *pError = mdSlot->Initialize(mdSlot, fwSlot, mdInstance, fwInstance);
- if( CKR_OK != *pError ) {
- (void)nssCKFWMutex_Destroy(fwSlot->mutex);
- (void)nss_ZFreeIf(fwSlot);
- return (NSSCKFWSlot *)NULL;
- }
- }
-
-#ifdef DEBUG
- *pError = slot_add_pointer(fwSlot);
- if( CKR_OK != *pError ) {
- if( (void *)NULL != (void *)mdSlot->Destroy ) {
- mdSlot->Destroy(mdSlot, fwSlot, mdInstance, fwInstance);
- }
-
- (void)nssCKFWMutex_Destroy(fwSlot->mutex);
- (void)nss_ZFreeIf(fwSlot);
- return (NSSCKFWSlot *)NULL;
- }
-#endif /* DEBUG */
-
- return fwSlot;
-}
-
-/*
- * nssCKFWSlot_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_Destroy
-(
- NSSCKFWSlot *fwSlot
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWSlot_verifyPointer(fwSlot);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- (void)nssCKFWMutex_Destroy(fwSlot->mutex);
-
- if( (void *)NULL != (void *)fwSlot->mdSlot->Destroy ) {
- fwSlot->mdSlot->Destroy(fwSlot->mdSlot, fwSlot,
- fwSlot->mdInstance, fwSlot->fwInstance);
- }
-
-#ifdef DEBUG
- error = slot_remove_pointer(fwSlot);
-#endif /* DEBUG */
- (void)nss_ZFreeIf(fwSlot);
- return error;
-}
-
-/*
- * nssCKFWSlot_GetMDSlot
- *
- */
-NSS_IMPLEMENT NSSCKMDSlot *
-nssCKFWSlot_GetMDSlot
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (NSSCKMDSlot *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwSlot->mdSlot;
-}
-
-/*
- * nssCKFWSlot_GetFWInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKFWInstance *
-nssCKFWSlot_GetFWInstance
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (NSSCKFWInstance *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwSlot->fwInstance;
-}
-
-/*
- * nssCKFWSlot_GetMDInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKMDInstance *
-nssCKFWSlot_GetMDInstance
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (NSSCKMDInstance *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwSlot->mdInstance;
-}
-
-/*
- * nssCKFWSlot_GetSlotID
- *
- */
-NSS_IMPLEMENT CK_SLOT_ID
-nssCKFWSlot_GetSlotID
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (CK_SLOT_ID)0;
- }
-#endif /* NSSDEBUG */
-
- return fwSlot->slotID;
-}
-
-/*
- * nssCKFWSlot_GetSlotDescription
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_GetSlotDescription
-(
- NSSCKFWSlot *fwSlot,
- CK_CHAR slotDescription[64]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == slotDescription ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWSlot_verifyPointer(fwSlot);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwSlot->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwSlot->slotDescription ) {
- if( (void *)NULL != (void *)fwSlot->mdSlot->GetSlotDescription ) {
- fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
- fwSlot->mdSlot, fwSlot, fwSlot->mdInstance,
- fwSlot->fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwSlot->slotDescription) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwSlot->slotDescription = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, slotDescription, 64, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwSlot->mutex);
- return error;
-}
-
-/*
- * nssCKFWSlot_GetManufacturerID
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_GetManufacturerID
-(
- NSSCKFWSlot *fwSlot,
- CK_CHAR manufacturerID[32]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == manufacturerID ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWSlot_verifyPointer(fwSlot);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwSlot->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwSlot->manufacturerID ) {
- if( (void *)NULL != (void *)fwSlot->mdSlot->GetManufacturerID ) {
- fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
- fwSlot->mdSlot, fwSlot, fwSlot->mdInstance,
- fwSlot->fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwSlot->manufacturerID) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwSlot->manufacturerID = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, manufacturerID, 32, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwSlot->mutex);
- return error;
-}
-
-/*
- * nssCKFWSlot_GetTokenPresent
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSlot_GetTokenPresent
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSlot->mdSlot->GetTokenPresent ) {
- return CK_TRUE;
- }
-
- return fwSlot->mdSlot->GetTokenPresent(fwSlot->mdSlot, fwSlot,
- fwSlot->mdInstance, fwSlot->fwInstance);
-}
-
-/*
- * nssCKFWSlot_GetRemovableDevice
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSlot_GetRemovableDevice
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSlot->mdSlot->GetRemovableDevice ) {
- return CK_FALSE;
- }
-
- return fwSlot->mdSlot->GetRemovableDevice(fwSlot->mdSlot, fwSlot,
- fwSlot->mdInstance, fwSlot->fwInstance);
-}
-
-/*
- * nssCKFWSlot_GetHardwareSlot
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSlot_GetHardwareSlot
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwSlot->mdSlot->GetHardwareSlot ) {
- return CK_FALSE;
- }
-
- return fwSlot->mdSlot->GetHardwareSlot(fwSlot->mdSlot, fwSlot,
- fwSlot->mdInstance, fwSlot->fwInstance);
-}
-
-/*
- * nssCKFWSlot_GetHardwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWSlot_GetHardwareVersion
-(
- NSSCKFWSlot *fwSlot
-)
-{
- CK_VERSION rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-
- if( (0 != fwSlot->hardwareVersion.major) ||
- (0 != fwSlot->hardwareVersion.minor) ) {
- rv = fwSlot->hardwareVersion;
- goto done;
- }
-
- if( (void *)NULL != (void *)fwSlot->mdSlot->GetHardwareVersion ) {
- fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
- fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
- } else {
- fwSlot->hardwareVersion.major = 0;
- fwSlot->hardwareVersion.minor = 1;
- }
-
- rv = fwSlot->hardwareVersion;
- done:
- (void)nssCKFWMutex_Unlock(fwSlot->mutex);
- return rv;
-}
-
-/*
- * nssCKFWSlot_GetFirmwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWSlot_GetFirmwareVersion
-(
- NSSCKFWSlot *fwSlot
-)
-{
- CK_VERSION rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-
- if( (0 != fwSlot->firmwareVersion.major) ||
- (0 != fwSlot->firmwareVersion.minor) ) {
- rv = fwSlot->firmwareVersion;
- goto done;
- }
-
- if( (void *)NULL != (void *)fwSlot->mdSlot->GetFirmwareVersion ) {
- fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
- fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
- } else {
- fwSlot->firmwareVersion.major = 0;
- fwSlot->firmwareVersion.minor = 1;
- }
-
- rv = fwSlot->firmwareVersion;
- done:
- (void)nssCKFWMutex_Unlock(fwSlot->mutex);
- return rv;
-}
-
-/*
- * nssCKFWSlot_GetToken
- *
- */
-NSS_IMPLEMENT NSSCKFWToken *
-nssCKFWSlot_GetToken
-(
- NSSCKFWSlot *fwSlot,
- CK_RV *pError
-)
-{
- NSSCKMDToken *mdToken;
- NSSCKFWToken *fwToken;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWToken *)NULL;
- }
-
- *pError = nssCKFWSlot_verifyPointer(fwSlot);
- if( CKR_OK != *pError ) {
- return (NSSCKFWToken *)NULL;
- }
-#endif /* NSSDEBUG */
-
- *pError = nssCKFWMutex_Lock(fwSlot->mutex);
- if( CKR_OK != *pError ) {
- return (NSSCKFWToken *)NULL;
- }
-
- if( (NSSCKFWToken *)NULL == fwSlot->fwToken ) {
- if( (void *)NULL == (void *)fwSlot->mdSlot->GetToken ) {
- *pError = CKR_GENERAL_ERROR;
- fwToken = (NSSCKFWToken *)NULL;
- goto done;
- }
-
- mdToken = fwSlot->mdSlot->GetToken(fwSlot->mdSlot, fwSlot,
- fwSlot->mdInstance, fwSlot->fwInstance, pError);
- if( (NSSCKMDToken *)NULL == mdToken ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- return (NSSCKFWToken *)NULL;
- }
-
- fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
- fwSlot->fwToken = fwToken;
- } else {
- fwToken = fwSlot->fwToken;
- }
-
- done:
- (void)nssCKFWMutex_Unlock(fwSlot->mutex);
- return fwToken;
-}
-
-/*
- * nssCKFWSlot_ClearToken
- *
- */
-NSS_IMPLEMENT void
-nssCKFWSlot_ClearToken
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
- /* Now what? */
- return;
- }
-
- fwSlot->fwToken = (NSSCKFWToken *)NULL;
- (void)nssCKFWMutex_Unlock(fwSlot->mutex);
- return;
-}
-
-/*
- * NSSCKFWSlot_GetMDSlot
- *
- */
-
-NSS_IMPLEMENT NSSCKMDSlot *
-NSSCKFWSlot_GetMDSlot
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (NSSCKMDSlot *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWSlot_GetMDSlot(fwSlot);
-}
-
-/*
- * NSSCKFWSlot_GetFWInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKFWInstance *
-NSSCKFWSlot_GetFWInstance
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (NSSCKFWInstance *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWSlot_GetFWInstance(fwSlot);
-}
-
-/*
- * NSSCKFWSlot_GetMDInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKMDInstance *
-NSSCKFWSlot_GetMDInstance
-(
- NSSCKFWSlot *fwSlot
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
- return (NSSCKMDInstance *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWSlot_GetMDInstance(fwSlot);
-}
diff --git a/security/nss/lib/ckfw/token.c b/security/nss/lib/ckfw/token.c
deleted file mode 100644
index a5e30898c..000000000
--- a/security/nss/lib/ckfw/token.c
+++ /dev/null
@@ -1,1864 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * token.c
- *
- * This file implements the NSSCKFWToken type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWToken
- *
- * -- create/destroy --
- * nssCKFWToken_Create
- * nssCKFWToken_Destroy
- *
- * -- public accessors --
- * NSSCKFWToken_GetMDToken
- * NSSCKFWToken_GetFWSlot
- * NSSCKFWToken_GetMDSlot
- * NSSCKFWToken_GetSessionState
- *
- * -- implement public accessors --
- * nssCKFWToken_GetMDToken
- * nssCKFWToken_GetFWSlot
- * nssCKFWToken_GetMDSlot
- * nssCKFWToken_GetSessionState
- * nssCKFWToken_SetSessionState
- *
- * -- private accessors --
- * nssCKFWToken_SetSessionState
- * nssCKFWToken_RemoveSession
- * nssCKFWToken_CloseAllSessions
- * nssCKFWToken_GetSessionCount
- * nssCKFWToken_GetRwSessionCount
- * nssCKFWToken_GetRoSessionCount
- * nssCKFWToken_GetSessionObjectHash
- * nssCKFWToken_GetMDObjectHash
- * nssCKFWToken_GetObjectHandleHash
- *
- * -- module fronts --
- * nssCKFWToken_InitToken
- * nssCKFWToken_GetLabel
- * nssCKFWToken_GetManufacturerID
- * nssCKFWToken_GetModel
- * nssCKFWToken_GetSerialNumber
- * nssCKFWToken_GetHasRNG
- * nssCKFWToken_GetIsWriteProtected
- * nssCKFWToken_GetLoginRequired
- * nssCKFWToken_GetUserPinInitialized
- * nssCKFWToken_GetRestoreKeyNotNeeded
- * nssCKFWToken_GetHasClockOnToken
- * nssCKFWToken_GetHasProtectedAuthenticationPath
- * nssCKFWToken_GetSupportsDualCryptoOperations
- * nssCKFWToken_GetMaxSessionCount
- * nssCKFWToken_GetMaxRwSessionCount
- * nssCKFWToken_GetMaxPinLen
- * nssCKFWToken_GetMinPinLen
- * nssCKFWToken_GetTotalPublicMemory
- * nssCKFWToken_GetFreePublicMemory
- * nssCKFWToken_GetTotalPrivateMemory
- * nssCKFWToken_GetFreePrivateMemory
- * nssCKFWToken_GetHardwareVersion
- * nssCKFWToken_GetFirmwareVersion
- * nssCKFWToken_GetUTCTime
- * nssCKFWToken_OpenSession
- * nssCKFWToken_GetMechanismCount
- * nssCKFWToken_GetMechanismTypes
- * nssCKFWToken_GetMechanism
- */
-
-struct NSSCKFWTokenStr {
- NSSCKFWMutex *mutex;
- NSSArena *arena;
- NSSCKMDToken *mdToken;
- NSSCKFWSlot *fwSlot;
- NSSCKMDSlot *mdSlot;
- NSSCKFWInstance *fwInstance;
- NSSCKMDInstance *mdInstance;
-
- /*
- * Everything above is set at creation time, and then not modified.
- * The invariants the mutex protects are:
- *
- * 1) Each of the cached descriptions (versions, etc.) are in an
- * internally consistant state.
- *
- * 2) The session counts and hashes are consistant.
- *
- * 3) The object hashes are consistant.
- *
- * Note that the calls accessing the cached descriptions will call
- * the NSSCKMDToken methods with the mutex locked. Those methods
- * may then call the public NSSCKFWToken routines. Those public
- * routines only access the constant data above and the atomic
- * CK_STATE session state variable below, so there's no problem.
- * But be careful if you add to this object; mutexes are in
- * general not reentrant, so don't create deadlock situations.
- */
-
- NSSUTF8 *label;
- NSSUTF8 *manufacturerID;
- NSSUTF8 *model;
- NSSUTF8 *serialNumber;
- CK_VERSION hardwareVersion;
- CK_VERSION firmwareVersion;
-
- CK_ULONG sessionCount;
- CK_ULONG rwSessionCount;
- nssCKFWHash *sessions;
- nssCKFWHash *sessionObjectHash;
- nssCKFWHash *mdObjectHash;
-
- CK_STATE state;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support. That, however, relies upon NSPR's
- * locking, which is tied into the runtime. We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later. So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-token_add_pointer
-(
- const NSSCKFWToken *fwToken
-)
-{
- return CKR_OK;
-}
-
-static CK_RV
-token_remove_pointer
-(
- const NSSCKFWToken *fwToken
-)
-{
- return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_verifyPointer
-(
- const NSSCKFWToken *fwToken
-)
-{
- return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWToken_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWToken *
-nssCKFWToken_Create
-(
- NSSCKFWSlot *fwSlot,
- NSSCKMDToken *mdToken,
- CK_RV *pError
-)
-{
- NSSArena *arena = (NSSArena *)NULL;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
- CK_BBOOL called_setup = CK_FALSE;
-
- /*
- * We have already verified the arguments in nssCKFWSlot_GetToken.
- */
-
- arena = NSSArena_Create();
- if( (NSSArena *)NULL == arena ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fwToken = nss_ZNEW(arena, NSSCKFWToken);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fwToken->arena = arena;
- fwToken->mdToken = mdToken;
- fwToken->fwSlot = fwSlot;
- fwToken->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
- fwToken->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
- fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
- fwToken->sessionCount = 0;
- fwToken->rwSessionCount = 0;
-
- fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError);
- if( (NSSCKFWMutex *)NULL == fwToken->mutex ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
- fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError);
- if( (nssCKFWHash *)NULL == fwToken->sessions ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
- if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
- fwToken->fwInstance) ) {
- fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance,
- arena, pError);
- if( (nssCKFWHash *)NULL == fwToken->sessionObjectHash ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
- }
-
- fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance,
- arena, pError);
- if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
- fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance,
- arena, pError);
- if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto loser;
- }
-
- /* More here */
-
- if( (void *)NULL != (void *)mdToken->Setup ) {
- *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
- if( CKR_OK != *pError ) {
- goto loser;
- }
- }
-
- called_setup = CK_TRUE;
-
-#ifdef DEBUG
- *pError = token_add_pointer(fwToken);
- if( CKR_OK != *pError ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- *pError = CKR_OK;
- return fwToken;
-
- loser:
-
- if( CK_TRUE == called_setup ) {
- if( (void *)NULL != (void *)mdToken->Invalidate ) {
- mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
- }
- }
-
- if( (NSSArena *)NULL != arena ) {
- (void)NSSArena_Destroy(arena);
- }
-
- return (NSSCKFWToken *)NULL;
-}
-
-/*
- * nssCKFWToken_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_Destroy
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- (void)nssCKFWMutex_Destroy(fwToken->mutex);
-
- if( (void *)NULL != (void *)fwToken->mdToken->Invalidate ) {
- fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
- }
-
- nssCKFWSlot_ClearToken(fwToken->fwSlot);
-
-#ifdef DEBUG
- error = token_remove_pointer(fwToken);
-#endif /* DEBUG */
-
- (void)NSSArena_Destroy(fwToken->arena);
- return error;
-}
-
-/*
- * nssCKFWToken_GetMDToken
- *
- */
-NSS_IMPLEMENT NSSCKMDToken *
-nssCKFWToken_GetMDToken
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (NSSCKMDToken *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->mdToken;
-}
-
-/*
- * nssCKFWToken_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWToken_GetArena
-(
- NSSCKFWToken *fwToken,
- CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- *pError = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != *pError ) {
- return (NSSArena *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->arena;
-}
-
-/*
- * nssCKFWToken_GetFWSlot
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWToken_GetFWSlot
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (NSSCKFWSlot *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->fwSlot;
-}
-
-/*
- * nssCKFWToken_GetMDSlot
- *
- */
-NSS_IMPLEMENT NSSCKMDSlot *
-nssCKFWToken_GetMDSlot
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (NSSCKMDSlot *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->mdSlot;
-}
-
-/*
- * nssCKFWToken_GetSessionState
- *
- */
-NSS_IMPLEMENT CK_STATE
-nssCKFWToken_GetSessionState
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CKS_RO_PUBLIC_SESSION; /* whatever */
- }
-#endif /* NSSDEBUG */
-
- /*
- * BTW, do not lock the token in this method.
- */
-
- /*
- * Theoretically, there is no state if there aren't any
- * sessions open. But then we'd need to worry about
- * reporting an error, etc. What the heck-- let's just
- * revert to CKR_RO_PUBLIC_SESSION as the "default."
- */
-
- return fwToken->state;
-}
-
-/*
- * nssCKFWToken_InitToken
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_InitToken
-(
- NSSCKFWToken *fwToken,
- NSSItem *pin,
- NSSUTF8 *label
-)
-{
- CK_RV error;
-
-#ifdef NSSDEBUG
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( fwToken->sessionCount > 0 ) {
- error = CKR_SESSION_EXISTS;
- goto done;
- }
-
- if( (void *)NULL == (void *)fwToken->mdToken->InitToken ) {
- error = CKR_DEVICE_ERROR;
- goto done;
- }
-
- if( (NSSItem *)NULL == pin ) {
- if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
- ; /* okay */
- } else {
- error = CKR_PIN_INCORRECT;
- goto done;
- }
- }
-
- if( (NSSUTF8 *)NULL == label ) {
- label = "";
- }
-
- error = fwToken->mdToken->InitToken(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance, pin, label);
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-/*
- * nssCKFWToken_GetLabel
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetLabel
-(
- NSSCKFWToken *fwToken,
- CK_CHAR label[32]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == label ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwToken->label ) {
- if( (void *)NULL != (void *)fwToken->mdToken->GetLabel ) {
- fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwToken->label) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwToken->label = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, label, 32, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-/*
- * nssCKFWToken_GetManufacturerID
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetManufacturerID
-(
- NSSCKFWToken *fwToken,
- CK_CHAR manufacturerID[32]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == manufacturerID ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwToken->manufacturerID ) {
- if( (void *)NULL != (void *)fwToken->mdToken->GetManufacturerID ) {
- fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
- fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwToken->manufacturerID) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwToken->manufacturerID = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, manufacturerID, 32, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-/*
- * nssCKFWToken_GetModel
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetModel
-(
- NSSCKFWToken *fwToken,
- CK_CHAR model[16]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == model ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwToken->model ) {
- if( (void *)NULL != (void *)fwToken->mdToken->GetModel ) {
- fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwToken->model) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwToken->model = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, model, 16, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-/*
- * nssCKFWToken_GetSerialNumber
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetSerialNumber
-(
- NSSCKFWToken *fwToken,
- CK_CHAR serialNumber[16]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- if( (CK_CHAR_PTR)NULL == serialNumber ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (NSSUTF8 *)NULL == fwToken->serialNumber ) {
- if( (void *)NULL != (void *)fwToken->mdToken->GetSerialNumber ) {
- fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken,
- fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
- if( ((NSSUTF8 *)NULL == fwToken->serialNumber) && (CKR_OK != error) ) {
- goto done;
- }
- } else {
- fwToken->serialNumber = "";
- }
- }
-
- (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, serialNumber, 16, ' ');
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-
-/*
- * nssCKFWToken_GetHasRNG
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetHasRNG
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetHasRNG ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetHasRNG(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetIsWriteProtected
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetIsWriteProtected
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetIsWriteProtected ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetIsWriteProtected(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetLoginRequired
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetLoginRequired
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetLoginRequired ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetLoginRequired(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetUserPinInitialized
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetUserPinInitialized
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetUserPinInitialized ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetUserPinInitialized(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetRestoreKeyNotNeeded
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetRestoreKeyNotNeeded
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetRestoreKeyNotNeeded ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetRestoreKeyNotNeeded(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetHasClockOnToken
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetHasClockOnToken
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetHasClockOnToken ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetHasClockOnToken(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetHasProtectedAuthenticationPath
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetHasProtectedAuthenticationPath
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetHasProtectedAuthenticationPath ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetHasProtectedAuthenticationPath(fwToken->mdToken,
- fwToken, fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetSupportsDualCryptoOperations
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetSupportsDualCryptoOperations
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetSupportsDualCryptoOperations ) {
- return CK_FALSE;
- }
-
- return fwToken->mdToken->GetSupportsDualCryptoOperations(fwToken->mdToken,
- fwToken, fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMaxSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMaxSessionCount
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetMaxSessionCount ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetMaxSessionCount(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMaxRwSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMaxRwSessionCount
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetMaxRwSessionCount ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetMaxRwSessionCount(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMaxPinLen
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMaxPinLen
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetMaxPinLen ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetMaxPinLen(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMinPinLen
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMinPinLen
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetMinPinLen ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetMinPinLen(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetTotalPublicMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetTotalPublicMemory
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPublicMemory ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetTotalPublicMemory(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetFreePublicMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetFreePublicMemory
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetFreePublicMemory ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetFreePublicMemory(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetTotalPrivateMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetTotalPrivateMemory
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPrivateMemory ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetTotalPrivateMemory(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetFreePrivateMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetFreePrivateMemory
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetFreePrivateMemory ) {
- return CK_UNAVAILABLE_INFORMATION;
- }
-
- return fwToken->mdToken->GetFreePrivateMemory(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetHardwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWToken_GetHardwareVersion
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_VERSION rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-
- if( (0 != fwToken->hardwareVersion.major) ||
- (0 != fwToken->hardwareVersion.minor) ) {
- rv = fwToken->hardwareVersion;
- goto done;
- }
-
- if( (void *)NULL != (void *)fwToken->mdToken->GetHardwareVersion ) {
- fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
- fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
- } else {
- fwToken->hardwareVersion.major = 0;
- fwToken->hardwareVersion.minor = 1;
- }
-
- rv = fwToken->hardwareVersion;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return rv;
-}
-
-/*
- * nssCKFWToken_GetFirmwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWToken_GetFirmwareVersion
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_VERSION rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
- rv.major = rv.minor = 0;
- return rv;
- }
-
- if( (0 != fwToken->firmwareVersion.major) ||
- (0 != fwToken->firmwareVersion.minor) ) {
- rv = fwToken->firmwareVersion;
- goto done;
- }
-
- if( (void *)NULL != (void *)fwToken->mdToken->GetFirmwareVersion ) {
- fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
- fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
- } else {
- fwToken->firmwareVersion.major = 0;
- fwToken->firmwareVersion.minor = 1;
- }
-
- rv = fwToken->firmwareVersion;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return rv;
-}
-
-/*
- * nssCKFWToken_GetUTCTime
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetUTCTime
-(
- NSSCKFWToken *fwToken,
- CK_CHAR utcTime[16]
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( (CK_CHAR_PTR)NULL == utcTime ) {
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* DEBUG */
-
- if( CK_TRUE != nssCKFWToken_GetHasClockOnToken(fwToken) ) {
- /* return CKR_DEVICE_ERROR; */
- (void)nssUTF8_CopyIntoFixedBuffer((NSSUTF8 *)NULL, utcTime, 16, ' ');
- return CKR_OK;
- }
-
- if( (void *)NULL == (void *)fwToken->mdToken->GetUTCTime ) {
- /* It said it had one! */
- return CKR_GENERAL_ERROR;
- }
-
- error = fwToken->mdToken->GetUTCTime(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance, utcTime);
- if( CKR_OK != error ) {
- return error;
- }
-
- /* Sanity-check the data */
- {
- /* Format is YYYYMMDDhhmmss00 */
- int i;
- int Y, M, D, h, m, s, z;
- static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
-
- for( i = 0; i < 16; i++ ) {
- if( (utcTime[i] < '0') || (utcTime[i] > '9') ) {
- goto badtime;
- }
- }
-
- Y = ((utcTime[ 0] - '0') * 1000) + ((utcTime[1] - '0') * 100) +
- ((utcTime[ 2] - '0') * 10) + (utcTime[ 3] - '0');
- M = ((utcTime[ 4] - '0') * 10) + (utcTime[ 5] - '0');
- D = ((utcTime[ 6] - '0') * 10) + (utcTime[ 7] - '0');
- h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
- m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
- s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
- z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
-
- if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem. heh heh heh */
- if( (M < 1) || (M > 12) ) goto badtime;
- if( (D < 1) || (D > 31) ) goto badtime;
-
- if( D > dims[M-1] ) goto badtime; /* per-month check */
- if( (2 == M) && (((Y%4)||!(Y%100))&&(Y%400)) && (D > 28) ) goto badtime; /* leap years */
-
- if( (h < 0) || (h > 23) ) goto badtime;
- if( (m < 0) || (m > 60) ) goto badtime;
- if( (s < 0) || (s > 61) ) goto badtime;
-
- /* 60m and 60 or 61s is only allowed for leap seconds. */
- if( (60 == m) || (s >= 60) ) {
- if( (23 != h) || (60 != m) || (s < 60) ) goto badtime;
- /* leap seconds can only happen on June 30 or Dec 31.. I think */
- /* if( ((6 != M) || (30 != D)) && ((12 != M) || (31 != D)) ) goto badtime; */
- }
- }
-
- return CKR_OK;
-
- badtime:
- return CKR_GENERAL_ERROR;
-}
-
-/*
- * nssCKFWToken_OpenSession
- *
- */
-NSS_IMPLEMENT NSSCKFWSession *
-nssCKFWToken_OpenSession
-(
- NSSCKFWToken *fwToken,
- CK_BBOOL rw,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_RV *pError
-)
-{
- NSSCKFWSession *fwSession = (NSSCKFWSession *)NULL;
- NSSCKMDSession *mdSession;
-
-#ifdef NSSDEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSCKFWSession *)NULL;
- }
-
- *pError = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != *pError ) {
- return (NSSCKFWSession *)NULL;
- }
-
- switch( rw ) {
- case CK_TRUE:
- case CK_FALSE:
- break;
- default:
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSCKFWSession *)NULL;
- }
-#endif /* NSSDEBUG */
-
- *pError = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != *pError ) {
- return (NSSCKFWSession *)NULL;
- }
-
- if( CK_TRUE == rw ) {
- /* Read-write session desired */
- if( CK_TRUE != nssCKFWToken_GetIsWriteProtected(fwToken) ) {
- *pError = CKR_TOKEN_WRITE_PROTECTED;
- goto done;
- }
- } else {
- /* Read-only session desired */
- if( CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken) ) {
- *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
- goto done;
- }
- }
-
- /* We could compare sesion counts to any limits we know of, I guess.. */
-
- if( (void *)NULL == (void *)fwToken->mdToken->OpenSession ) {
- /*
- * I'm not sure that the Module actually needs to implement
- * mdSessions -- the Framework can keep track of everything
- * needed, really. But I'll sort out that detail later..
- */
- *pError = CKR_GENERAL_ERROR;
- goto done;
- }
-
- fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto done;
- }
-
- mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance, fwSession,
- rw, pError);
- if( (NSSCKMDSession *)NULL == mdSession ) {
- (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
- if( CKR_OK == *pError ) {
- *pError = CKR_GENERAL_ERROR;
- }
- goto done;
- }
-
- *pError = nssCKFWSession_SetMDSession(fwSession, mdSession);
- if( CKR_OK != *pError ) {
- if( (void *)NULL != (void *)mdSession->Close ) {
- mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
- }
- (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
- goto done;
- }
-
- *pError = nssCKFWHash_Add(fwToken->sessions, fwSession, fwSession);
- if( CKR_OK != *pError ) {
- (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
- fwSession = (NSSCKFWSession *)NULL;
- goto done;
- }
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return fwSession;
-}
-
-/*
- * nssCKFWToken_GetMechanismCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMechanismCount
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return 0;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == fwToken->mdToken->GetMechanismCount ) {
- return 0;
- }
-
- return fwToken->mdToken->GetMechanismCount(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMechanismTypes
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetMechanismTypes
-(
- NSSCKFWToken *fwToken,
- CK_MECHANISM_TYPE types[]
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CKR_ARGUMENTS_BAD;
- }
-
- if( (CK_MECHANISM_TYPE *)NULL == types ) {
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* NSSDEBUG */
-
- if( (void *)NULL == fwToken->mdToken->GetMechanismTypes ) {
- /*
- * This should only be called with a sufficiently-large
- * "types" array, which can only be done if GetMechanismCount
- * is implemented. If that's implemented (and returns nonzero),
- * then this should be too. So return an error.
- */
- return CKR_GENERAL_ERROR;
- }
-
- return fwToken->mdToken->GetMechanismTypes(fwToken->mdToken, fwToken,
- fwToken->mdInstance, fwToken->fwInstance, types);
-}
-
-
-/*
- * nssCKFWToken_GetMechanism
- *
- */
-NSS_IMPLEMENT NSSCKFWMechanism *
-nssCKFWToken_GetMechanism
-(
- NSSCKFWToken *fwToken,
- CK_MECHANISM_TYPE which,
- CK_RV *pError
-)
-{
- /* XXX fgmr */
- return (NSSCKFWMechanism *)NULL;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_SetSessionState
-(
- NSSCKFWToken *fwToken,
- CK_STATE newState
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-
- switch( newState ) {
- case CKS_RO_PUBLIC_SESSION:
- case CKS_RO_USER_FUNCTIONS:
- case CKS_RW_PUBLIC_SESSION:
- case CKS_RW_USER_FUNCTIONS:
- case CKS_RW_SO_FUNCTIONS:
- break;
- default:
- return CKR_ARGUMENTS_BAD;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- fwToken->state = newState;
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return CKR_OK;
-}
-
-/*
- * nssCKFWToken_RemoveSession
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_RemoveSession
-(
- NSSCKFWToken *fwToken,
- NSSCKFWSession *fwSession
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-
- error = nssCKFWSession_verifyPointer(fwSession);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- if( CK_TRUE != nssCKFWHash_Exists(fwToken->sessions, fwSession) ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-
- nssCKFWHash_Remove(fwToken->sessions, fwSession);
- fwToken->sessionCount--;
-
- if( nssCKFWSession_IsRWSession(fwSession) ) {
- fwToken->rwSessionCount--;
- }
-
- if( 0 == fwToken->sessionCount ) {
- fwToken->rwSessionCount = 0; /* sanity */
- fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
- }
-
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-static void
-nss_ckfwtoken_session_iterator
-(
- const void *key,
- void *value,
- void *closure
-)
-{
- /*
- * Remember that the fwToken->mutex is locked
- */
- NSSCKFWSession *fwSession = (NSSCKFWSession *)value;
- (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
- return;
-}
-
-/*
- * nssCKFWToken_CloseAllSessions
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_CloseAllSessions
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
- error = nssCKFWToken_verifyPointer(fwToken);
- if( CKR_OK != error ) {
- return error;
- }
-#endif /* NSSDEBUG */
-
- error = nssCKFWMutex_Lock(fwToken->mutex);
- if( CKR_OK != error ) {
- return error;
- }
-
- nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, (void *)NULL);
-
- nssCKFWHash_Destroy(fwToken->sessions);
-
- fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error);
- if( (nssCKFWHash *)NULL == fwToken->sessions ) {
- if( CKR_OK == error ) {
- error = CKR_GENERAL_ERROR;
- }
- goto done;
- }
-
- fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
- fwToken->sessionCount = 0;
- fwToken->rwSessionCount = 0;
-
- error = CKR_OK;
-
- done:
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return error;
-}
-
-/*
- * nssCKFWToken_GetSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetSessionCount
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_ULONG rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
- return (CK_ULONG)0;
- }
-
- rv = fwToken->sessionCount;
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return rv;
-}
-
-/*
- * nssCKFWToken_GetRwSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetRwSessionCount
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_ULONG rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
- return (CK_ULONG)0;
- }
-
- rv = fwToken->rwSessionCount;
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return rv;
-}
-
-/*
- * nssCKFWToken_GetRoSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetRoSessionCount
-(
- NSSCKFWToken *fwToken
-)
-{
- CK_ULONG rv;
-
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (CK_ULONG)0;
- }
-#endif /* NSSDEBUG */
-
- if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
- return (CK_ULONG)0;
- }
-
- rv = fwToken->sessionCount - fwToken->rwSessionCount;
- (void)nssCKFWMutex_Unlock(fwToken->mutex);
- return rv;
-}
-
-/*
- * nssCKFWToken_GetSessionObjectHash
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWToken_GetSessionObjectHash
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (nssCKFWHash *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->sessionObjectHash;
-}
-
-/*
- * nssCKFWToken_GetMDObjectHash
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWToken_GetMDObjectHash
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (nssCKFWHash *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->mdObjectHash;
-}
-
-/*
- * nssCKFWToken_GetObjectHandleHash
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWToken_GetObjectHandleHash
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (nssCKFWHash *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return fwToken->mdObjectHash;
-}
-
-/*
- * NSSCKFWToken_GetMDToken
- *
- */
-
-NSS_IMPLEMENT NSSCKMDToken *
-NSSCKFWToken_GetMDToken
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (NSSCKMDToken *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWToken_GetMDToken(fwToken);
-}
-
-/*
- * NSSCKFWToken_GetArena
- *
- */
-
-NSS_IMPLEMENT NSSArena *
-NSSCKFWToken_GetArena
-(
- NSSCKFWToken *fwToken,
- CK_RV *pError
-)
-{
-#ifdef DEBUG
- if( (CK_RV *)NULL == pError ) {
- return (NSSArena *)NULL;
- }
-
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- *pError = CKR_ARGUMENTS_BAD;
- return (NSSArena *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWToken_GetArena(fwToken, pError);
-}
-
-/*
- * NSSCKFWToken_GetFWSlot
- *
- */
-
-NSS_IMPLEMENT NSSCKFWSlot *
-NSSCKFWToken_GetFWSlot
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (NSSCKFWSlot *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWToken_GetFWSlot(fwToken);
-}
-
-/*
- * NSSCKFWToken_GetMDSlot
- *
- */
-
-NSS_IMPLEMENT NSSCKMDSlot *
-NSSCKFWToken_GetMDSlot
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return (NSSCKMDSlot *)NULL;
- }
-#endif /* DEBUG */
-
- return nssCKFWToken_GetMDSlot(fwToken);
-}
-
-/*
- * NSSCKFWToken_GetSessionState
- *
- */
-
-NSS_IMPLEMENT CK_STATE
-NSSCKFWSession_GetSessionState
-(
- NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
- if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
- return CKS_RO_PUBLIC_SESSION;
- }
-#endif /* DEBUG */
-
- return nssCKFWToken_GetSessionState(fwToken);
-}
diff --git a/security/nss/lib/ckfw/wrap.c b/security/nss/lib/ckfw/wrap.c
deleted file mode 100644
index b15a70811..000000000
--- a/security/nss/lib/ckfw/wrap.c
+++ /dev/null
@@ -1,3414 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * wrap.c
- *
- * This file contains the routines that actually implement the cryptoki
- * API, using the internal APIs of the NSS Cryptoki Framework. There is
- * one routine here for every cryptoki routine. For linking reasons
- * the actual entry points passed back with C_GetFunctionList have to
- * exist in one of the Module's source files; however, those are merely
- * simple wrappers that call these routines. The intelligence of the
- * implementations is here.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWC_Initialize
- * NSSCKFWC_Finalize
- * NSSCKFWC_GetInfo
- * -- NSSCKFWC_GetFunctionList -- see the API insert file
- * NSSCKFWC_GetSlotList
- * NSSCKFWC_GetSlotInfo
- * NSSCKFWC_GetTokenInfo
- * NSSCKFWC_WaitForSlotEvent
- * NSSCKFWC_GetMechanismList
- * NSSCKFWC_GetMechanismInfo
- * NSSCKFWC_InitToken
- * NSSCKFWC_InitPIN
- * NSSCKFWC_SetPIN
- * NSSCKFWC_OpenSession
- * NSSCKFWC_CloseSession
- * NSSCKFWC_CloseAllSessions
- * NSSCKFWC_GetSessionInfo
- * NSSCKFWC_GetOperationState
- * NSSCKFWC_SetOperationState
- * NSSCKFWC_Login
- * NSSCKFWC_Logout
- * NSSCKFWC_CreateObject
- * NSSCKFWC_CopyObject
- * NSSCKFWC_DestroyObject
- * NSSCKFWC_GetObjectSize
- * NSSCKFWC_GetAttributeValue
- * NSSCKFWC_SetAttributeValue
- * NSSCKFWC_FindObjectsInit
- * NSSCKFWC_FindObjects
- * NSSCKFWC_FindObjectsFinal
- * NSSCKFWC_EncryptInit
- * NSSCKFWC_Encrypt
- * NSSCKFWC_EncryptUpdate
- * NSSCKFWC_EncryptFinal
- * NSSCKFWC_DecryptInit
- * NSSCKFWC_Decrypt
- * NSSCKFWC_DecryptUpdate
- * NSSCKFWC_DecryptFinal
- * NSSCKFWC_DigestInit
- * NSSCKFWC_Digest
- * NSSCKFWC_DigestUpdate
- * NSSCKFWC_DigestKey
- * NSSCKFWC_DigestFinal
- * NSSCKFWC_SignInit
- * NSSCKFWC_Sign
- * NSSCKFWC_SignUpdate
- * NSSCKFWC_SignFinal
- * NSSCKFWC_SignRecoverInit
- * NSSCKFWC_SignRecover
- * NSSCKFWC_VerifyInit
- * NSSCKFWC_Verify
- * NSSCKFWC_VerifyUpdate
- * NSSCKFWC_VerifyFinal
- * NSSCKFWC_VerifyRecoverInit
- * NSSCKFWC_VerifyRecover
- * NSSCKFWC_DigestEncryptUpdate
- * NSSCKFWC_DecryptDigestUpdate
- * NSSCKFWC_SignEncryptUpdate
- * NSSCKFWC_DecryptVerifyUpdate
- * NSSCKFWC_GenerateKey
- * NSSCKFWC_GenerateKeyPair
- * NSSCKFWC_WrapKey
- * NSSCKFWC_UnwrapKey
- * NSSCKFWC_DeriveKey
- * NSSCKFWC_SeedRandom
- * NSSCKFWC_GenerateRandom
- * NSSCKFWC_GetFunctionStatus
- * NSSCKFWC_CancelFunction
- */
-
-/*
- * NSSCKFWC_Initialize
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Initialize
-(
- NSSCKFWInstance **pFwInstance,
- NSSCKMDInstance *mdInstance,
- CK_VOID_PTR pInitArgs
-)
-{
- CK_RV error = CKR_OK;
-
- if( (NSSCKFWInstance **)NULL == pFwInstance ) {
- error = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- if( (NSSCKFWInstance *)NULL != *pFwInstance ) {
- error = CKR_CRYPTOKI_ALREADY_INITIALIZED;
- goto loser;
- }
-
- if( (NSSCKMDInstance *)NULL == mdInstance ) {
- error = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- *pFwInstance = nssCKFWInstance_Create(pInitArgs, mdInstance, &error);
- if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_ARGUMENTS_BAD:
- case CKR_CANT_LOCK:
- case CKR_CRYPTOKI_ALREADY_INITIALIZED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_NEED_TO_CREATE_THREADS:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_Finalize
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Finalize
-(
- NSSCKFWInstance **pFwInstance
-)
-{
- CK_RV error = CKR_OK;
-
- if( (NSSCKFWInstance **)NULL == pFwInstance ) {
- error = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- error = nssCKFWInstance_Destroy(*pFwInstance);
-
- /* In any case */
- *pFwInstance = (NSSCKFWInstance *)NULL;
-
- loser:
- switch( error ) {
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OK:
- break;
- default:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_INFO_PTR pInfo
-)
-{
- CK_RV error = CKR_OK;
-
- if( (CK_INFO_PTR)CK_NULL_PTR == pInfo ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here means a caller error
- */
- (void)nsslibc_memset(pInfo, 0, sizeof(CK_INFO));
-
- pInfo->cryptokiVersion = nssCKFWInstance_GetCryptokiVersion(fwInstance);
-
- error = nssCKFWInstance_GetManufacturerID(fwInstance, pInfo->manufacturerID);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- pInfo->flags = nssCKFWInstance_GetFlags(fwInstance);
-
- error = nssCKFWInstance_GetLibraryDescription(fwInstance, pInfo->libraryDescription);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- pInfo->libraryVersion = nssCKFWInstance_GetLibraryVersion(fwInstance);
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- break;
- default:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * C_GetFunctionList is implemented entirely in the Module's file which
- * includes the Framework API insert file. It requires no "actual"
- * NSSCKFW routine.
- */
-
-/*
- * NSSCKFWC_GetSlotList
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetSlotList
-(
- NSSCKFWInstance *fwInstance,
- CK_BBOOL tokenPresent,
- CK_SLOT_ID_PTR pSlotList,
- CK_ULONG_PTR pulCount
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- switch( tokenPresent ) {
- case CK_TRUE:
- case CK_FALSE:
- break;
- default:
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlotList ) {
- *pulCount = nSlots;
- return CKR_OK;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));
-
- if( *pulCount < nSlots ) {
- *pulCount = nSlots;
- error = CKR_BUFFER_TOO_SMALL;
- goto loser;
- } else {
- CK_ULONG i;
- *pulCount = nSlots;
-
- /*
- * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
- * just index one when we need it.
- */
-
- for( i = 0; i < nSlots; i++ ) {
- pSlotList[i] = i+1;
- }
-
- return CKR_OK;
- }
-
- loser:
- switch( error ) {
- case CKR_BUFFER_TOO_SMALL:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetSlotInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetSlotInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_SLOT_INFO_PTR pInfo
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- if( (CK_SLOT_INFO_PTR)CK_NULL_PTR == pInfo ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pInfo, 0, sizeof(CK_SLOT_INFO));
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- error = nssCKFWSlot_GetSlotDescription(fwSlot, pInfo->slotDescription);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- error = nssCKFWSlot_GetManufacturerID(fwSlot, pInfo->manufacturerID);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- if( nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- pInfo->flags |= CKF_TOKEN_PRESENT;
- }
-
- if( nssCKFWSlot_GetRemovableDevice(fwSlot) ) {
- pInfo->flags |= CKF_REMOVABLE_DEVICE;
- }
-
- if( nssCKFWSlot_GetHardwareSlot(fwSlot) ) {
- pInfo->flags |= CKF_HW_SLOT;
- }
-
- pInfo->hardwareVersion = nssCKFWSlot_GetHardwareVersion(fwSlot);
- pInfo->firmwareVersion = nssCKFWSlot_GetFirmwareVersion(fwSlot);
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SLOT_ID_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetTokenInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetTokenInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_TOKEN_INFO_PTR pInfo
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- if( (CK_TOKEN_INFO_PTR)CK_NULL_PTR == pInfo ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pInfo, 0, sizeof(CK_TOKEN_INFO));
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- error = CKR_TOKEN_NOT_PRESENT;
- goto loser;
- }
-
- fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- goto loser;
- }
-
- error = nssCKFWToken_GetLabel(fwToken, pInfo->label);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- error = nssCKFWToken_GetManufacturerID(fwToken, pInfo->manufacturerID);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- error = nssCKFWToken_GetModel(fwToken, pInfo->model);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- error = nssCKFWToken_GetSerialNumber(fwToken, pInfo->serialNumber);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- if( nssCKFWToken_GetHasRNG(fwToken) ) {
- pInfo->flags |= CKF_RNG;
- }
-
- if( nssCKFWToken_GetIsWriteProtected(fwToken) ) {
- pInfo->flags |= CKF_WRITE_PROTECTED;
- }
-
- if( nssCKFWToken_GetLoginRequired(fwToken) ) {
- pInfo->flags |= CKF_LOGIN_REQUIRED;
- }
-
- if( nssCKFWToken_GetUserPinInitialized(fwToken) ) {
- pInfo->flags |= CKF_USER_PIN_INITIALIZED;
- }
-
- if( nssCKFWToken_GetRestoreKeyNotNeeded(fwToken) ) {
- pInfo->flags |= CKF_RESTORE_KEY_NOT_NEEDED;
- }
-
- if( nssCKFWToken_GetHasClockOnToken(fwToken) ) {
- pInfo->flags |= CKF_CLOCK_ON_TOKEN;
- }
-
- if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
- pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
- }
-
- if( nssCKFWToken_GetSupportsDualCryptoOperations(fwToken) ) {
- pInfo->flags |= CKF_DUAL_CRYPTO_OPERATIONS;
- }
-
- pInfo->ulMaxSessionCount = nssCKFWToken_GetMaxSessionCount(fwToken);
- pInfo->ulSessionCount = nssCKFWToken_GetSessionCount(fwToken);
- pInfo->ulMaxRwSessionCount = nssCKFWToken_GetMaxRwSessionCount(fwToken);
- pInfo->ulRwSessionCount= nssCKFWToken_GetRwSessionCount(fwToken);
- pInfo->ulMaxPinLen = nssCKFWToken_GetMaxPinLen(fwToken);
- pInfo->ulMinPinLen = nssCKFWToken_GetMinPinLen(fwToken);
- pInfo->ulTotalPublicMemory = nssCKFWToken_GetTotalPublicMemory(fwToken);
- pInfo->ulFreePublicMemory = nssCKFWToken_GetFreePublicMemory(fwToken);
- pInfo->ulTotalPrivateMemory = nssCKFWToken_GetTotalPrivateMemory(fwToken);
- pInfo->ulFreePrivateMemory = nssCKFWToken_GetFreePrivateMemory(fwToken);
- pInfo->hardwareVersion = nssCKFWToken_GetHardwareVersion(fwToken);
- pInfo->firmwareVersion = nssCKFWToken_GetFirmwareVersion(fwToken);
-
- error = nssCKFWToken_GetUTCTime(fwToken, pInfo->utcTime);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_DEVICE_REMOVED:
- case CKR_TOKEN_NOT_PRESENT:
- (void)nssCKFWToken_Destroy(fwToken);
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SLOT_ID_INVALID:
- case CKR_TOKEN_NOT_RECOGNIZED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_WaitForSlotEvent
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_WaitForSlotEvent
-(
- NSSCKFWInstance *fwInstance,
- CK_FLAGS flags,
- CK_SLOT_ID_PTR pSlot,
- CK_VOID_PTR pReserved
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- CK_BBOOL block;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- CK_ULONG i;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- if( flags & ~CKF_DONT_BLOCK ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- block = (flags & CKF_DONT_BLOCK) ? CK_TRUE : CK_FALSE;
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlot ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- if( (CK_VOID_PTR)CK_NULL_PTR != pReserved ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error);
- if( (NSSCKFWSlot *)NULL == fwSlot ) {
- goto loser;
- }
-
- for( i = 0; i < nSlots; i++ ) {
- if( fwSlot == slots[i] ) {
- *pSlot = (CK_SLOT_ID)(CK_ULONG)(i+1);
- }
-
- return CKR_OK;
- }
-
- error = CKR_GENERAL_ERROR; /* returned something not in the slot list */
-
- loser:
- switch( error ) {
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_NO_EVENT:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetMechanismList
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetMechanismList
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE_PTR pMechanismList,
- CK_ULONG_PTR pulCount
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
- CK_ULONG count;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- error = CKR_TOKEN_NOT_PRESENT;
- goto loser;
- }
-
- fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- goto loser;
- }
-
- count = nssCKFWToken_GetMechanismCount(fwToken);
-
- if( (CK_MECHANISM_TYPE_PTR)CK_NULL_PTR == pMechanismList ) {
- *pulCount = count;
- return CKR_OK;
- }
-
- if( *pulCount < count ) {
- *pulCount = count;
- error = CKR_BUFFER_TOO_SMALL;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));
-
- *pulCount = count;
-
- if( 0 != count ) {
- error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
- } else {
- error = CKR_OK;
- }
-
- if( CKR_OK == error ) {
- return CKR_OK;
- }
-
- loser:
- switch( error ) {
- case CKR_DEVICE_REMOVED:
- case CKR_TOKEN_NOT_PRESENT:
- (void)nssCKFWToken_Destroy(fwToken);
- break;
- case CKR_BUFFER_TOO_SMALL:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SLOT_ID_INVALID:
- case CKR_TOKEN_NOT_RECOGNIZED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetMechanismInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetMechanismInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
- NSSCKFWMechanism *fwMechanism;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- error = CKR_TOKEN_NOT_PRESENT;
- goto loser;
- }
-
- if( (CK_MECHANISM_INFO_PTR)CK_NULL_PTR == pInfo ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO));
-
- fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- goto loser;
- }
-
- fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error);
- if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
- goto loser;
- }
-
- pInfo->ulMinKeySize = nssCKFWMechanism_GetMinKeySize(fwMechanism);
- pInfo->ulMaxKeySize = nssCKFWMechanism_GetMaxKeySize(fwMechanism);
-
- if( nssCKFWMechanism_GetInHardware(fwMechanism) ) {
- pInfo->flags |= CKF_HW;
- }
-
- /* More here... */
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_DEVICE_REMOVED:
- case CKR_TOKEN_NOT_PRESENT:
- (void)nssCKFWToken_Destroy(fwToken);
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_MECHANISM_INVALID:
- case CKR_SLOT_ID_INVALID:
- case CKR_TOKEN_NOT_RECOGNIZED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_InitToken
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_InitToken
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen,
- CK_CHAR_PTR pLabel
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
- NSSItem pin;
- NSSUTF8 *label;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- error = CKR_TOKEN_NOT_PRESENT;
- goto loser;
- }
-
- fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- goto loser;
- }
-
- pin.size = (PRUint32)ulPinLen;
- pin.data = (void *)pPin;
- label = (NSSUTF8 *)pLabel; /* identity conversion */
-
- error = nssCKFWToken_InitToken(fwToken, &pin, label);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_DEVICE_REMOVED:
- case CKR_TOKEN_NOT_PRESENT:
- (void)nssCKFWToken_Destroy(fwToken);
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_PIN_INCORRECT:
- case CKR_PIN_LOCKED:
- case CKR_SESSION_EXISTS:
- case CKR_SLOT_ID_INVALID:
- case CKR_TOKEN_NOT_RECOGNIZED:
- case CKR_TOKEN_WRITE_PROTECTED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_InitPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_InitPIN
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSItem pin, *arg;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
- arg = (NSSItem *)NULL;
- } else {
- arg = &pin;
- pin.size = (PRUint32)ulPinLen;
- pin.data = (void *)pPin;
- }
-
- error = nssCKFWSession_InitPIN(fwSession, arg);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_PIN_INVALID:
- case CKR_PIN_LEN_RANGE:
- case CKR_SESSION_READ_ONLY:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_TOKEN_WRITE_PROTECTED:
- case CKR_USER_NOT_LOGGED_IN:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_SetPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SetPIN
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pOldPin,
- CK_ULONG ulOldLen,
- CK_CHAR_PTR pNewPin,
- CK_ULONG ulNewLen
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSItem oldPin, newPin, *oldArg, *newArg;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_CHAR_PTR)CK_NULL_PTR == pOldPin ) {
- oldArg = (NSSItem *)NULL;
- } else {
- oldArg = &oldPin;
- oldPin.size = (PRUint32)ulOldLen;
- oldPin.data = (void *)pOldPin;
- }
-
- if( (CK_CHAR_PTR)CK_NULL_PTR == pNewPin ) {
- newArg = (NSSItem *)NULL;
- } else {
- newArg = &newPin;
- newPin.size = (PRUint32)ulNewLen;
- newPin.data = (void *)pNewPin;
- }
-
- error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_PIN_INCORRECT:
- case CKR_PIN_INVALID:
- case CKR_PIN_LEN_RANGE:
- case CKR_PIN_LOCKED:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_SESSION_READ_ONLY:
- case CKR_TOKEN_WRITE_PROTECTED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_OpenSession
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_OpenSession
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID,
- CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_SESSION_HANDLE_PTR phSession
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
- NSSCKFWSession *fwSession;
- CK_BBOOL rw;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- if( flags & CKF_RW_SESSION ) {
- rw = CK_TRUE;
- } else {
- rw = CK_FALSE;
- }
-
- if( flags & CKF_SERIAL_SESSION ) {
- ;
- } else {
- error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
- goto loser;
- }
-
- if( flags & ~(CKF_RW_SESSION|CKF_SERIAL_SESSION) ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- if( (CK_SESSION_HANDLE_PTR)CK_NULL_PTR == phSession ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- *phSession = (CK_SESSION_HANDLE)0;
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- error = CKR_TOKEN_NOT_PRESENT;
- goto loser;
- }
-
- fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- goto loser;
- }
-
- fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication,
- Notify, &error);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- goto loser;
- }
-
- *phSession = nssCKFWInstance_CreateSessionHandle(fwInstance,
- fwSession, &error);
- if( (CK_SESSION_HANDLE)0 == *phSession ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SESSION_COUNT:
- case CKR_SESSION_EXISTS:
- case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
- case CKR_SESSION_READ_WRITE_SO_EXISTS:
- case CKR_SLOT_ID_INVALID:
- case CKR_TOKEN_NOT_PRESENT:
- case CKR_TOKEN_NOT_RECOGNIZED:
- case CKR_TOKEN_WRITE_PROTECTED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_CloseSession
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CloseSession
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- nssCKFWInstance_DestroySessionHandle(fwInstance, hSession);
- error = nssCKFWSession_Destroy(fwSession, CK_TRUE);
-
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_CloseAllSessions
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CloseAllSessions
-(
- NSSCKFWInstance *fwInstance,
- CK_SLOT_ID slotID
-)
-{
- CK_RV error = CKR_OK;
- CK_ULONG nSlots;
- NSSCKFWSlot **slots;
- NSSCKFWSlot *fwSlot;
- NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
- if( (CK_ULONG)0 == nSlots ) {
- goto loser;
- }
-
- if( (slotID < 1) || (slotID > nSlots) ) {
- error = CKR_SLOT_ID_INVALID;
- goto loser;
- }
-
- slots = nssCKFWInstance_GetSlots(fwInstance, &error);
- if( (NSSCKFWSlot **)NULL == slots ) {
- goto loser;
- }
-
- fwSlot = slots[ slotID-1 ];
-
- if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
- error = CKR_TOKEN_NOT_PRESENT;
- goto loser;
- }
-
- fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
- if( (NSSCKFWToken *)NULL == fwToken ) {
- goto loser;
- }
-
- error = nssCKFWToken_CloseAllSessions(fwToken);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SLOT_ID_INVALID:
- case CKR_TOKEN_NOT_PRESENT:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetSessionInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetSessionInfo
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_SESSION_INFO_PTR pInfo
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWSlot *fwSlot;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_SESSION_INFO_PTR)CK_NULL_PTR == pInfo ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO));
-
- fwSlot = nssCKFWSession_GetFWSlot(fwSession);
- if( (NSSCKFWSlot *)NULL == fwSlot ) {
- error = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- pInfo->slotID = nssCKFWSlot_GetSlotID(fwSlot);
- pInfo->state = nssCKFWSession_GetSessionState(fwSession);
-
- if( CK_TRUE == nssCKFWSession_IsRWSession(fwSession) ) {
- pInfo->flags |= CKF_RW_SESSION;
- }
-
- pInfo->flags |= CKF_SERIAL_SESSION; /* Always true */
-
- pInfo->ulDeviceError = nssCKFWSession_GetDeviceError(fwSession);
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetOperationState
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState,
- CK_ULONG_PTR pulOperationStateLen
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- CK_ULONG len;
- NSSItem buf;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_ULONG_PTR)CK_NULL_PTR == pulOperationStateLen ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- len = nssCKFWSession_GetOperationStateLen(fwSession, &error);
- if( ((CK_ULONG)0 == len) && (CKR_OK != error) ) {
- goto loser;
- }
-
- if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
- *pulOperationStateLen = len;
- return CKR_OK;
- }
-
- if( *pulOperationStateLen < len ) {
- *pulOperationStateLen = len;
- error = CKR_BUFFER_TOO_SMALL;
- goto loser;
- }
-
- buf.size = (PRUint32)*pulOperationStateLen;
- buf.data = (void *)pOperationState;
- *pulOperationStateLen = len;
- error = nssCKFWSession_GetOperationState(fwSession, &buf);
-
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_BUFFER_TOO_SMALL:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OPERATION_NOT_INITIALIZED:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_STATE_UNSAVEABLE:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_SetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SetOperationState
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState,
- CK_ULONG ulOperationStateLen,
- CK_OBJECT_HANDLE hEncryptionKey,
- CK_OBJECT_HANDLE hAuthenticationKey
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *eKey;
- NSSCKFWObject *aKey;
- NSSItem state;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * We could loop through the buffer, to catch any purify errors
- * in a place with a "user error" note.
- */
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_OBJECT_HANDLE)0 == hEncryptionKey ) {
- eKey = (NSSCKFWObject *)NULL;
- } else {
- eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
- if( (NSSCKFWObject *)NULL == eKey ) {
- error = CKR_KEY_HANDLE_INVALID;
- goto loser;
- }
- }
-
- if( (CK_OBJECT_HANDLE)0 == hAuthenticationKey ) {
- aKey = (NSSCKFWObject *)NULL;
- } else {
- aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
- if( (NSSCKFWObject *)NULL == aKey ) {
- error = CKR_KEY_HANDLE_INVALID;
- goto loser;
- }
- }
-
- error = nssCKFWSession_SetOperationState(fwSession, &state, eKey, aKey);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_KEY_CHANGED:
- case CKR_KEY_NEEDED:
- case CKR_KEY_NOT_NEEDED:
- case CKR_SAVED_STATE_INVALID:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_Login
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Login
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSItem pin, *arg;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
- arg = (NSSItem *)NULL;
- } else {
- arg = &pin;
- pin.size = (PRUint32)ulPinLen;
- pin.data = (void *)pPin;
- }
-
- error = nssCKFWSession_Login(fwSession, userType, arg);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_PIN_EXPIRED:
- case CKR_PIN_INCORRECT:
- case CKR_PIN_LOCKED:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_SESSION_READ_ONLY_EXISTS:
- case CKR_USER_ALREADY_LOGGED_IN:
- case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
- case CKR_USER_PIN_NOT_INITIALIZED:
- case CKR_USER_TOO_MANY_TYPES:
- case CKR_USER_TYPE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_Logout
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Logout
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- error = nssCKFWSession_Logout(fwSession);
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_USER_NOT_LOGGED_IN:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_CreateObject
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CreateObject
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phObject
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *fwObject;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- *phObject = (CK_OBJECT_HANDLE)0;
-
- fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate,
- ulCount, &error);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- goto loser;
- }
-
- *phObject = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
- if( (CK_OBJECT_HANDLE)0 == *phObject ) {
- nssCKFWObject_Destroy(fwObject);
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_ATTRIBUTE_READ_ONLY:
- case CKR_ATTRIBUTE_TYPE_INVALID:
- case CKR_ATTRIBUTE_VALUE_INVALID:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_SESSION_READ_ONLY:
- case CKR_TEMPLATE_INCOMPLETE:
- case CKR_TEMPLATE_INCONSISTENT:
- case CKR_TOKEN_WRITE_PROTECTED:
- case CKR_USER_NOT_LOGGED_IN:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_CopyObject
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CopyObject
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phNewObject
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *fwObject;
- NSSCKFWObject *fwNewObject;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phNewObject ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- *phNewObject = (CK_OBJECT_HANDLE)0;
-
- fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- error = CKR_OBJECT_HANDLE_INVALID;
- goto loser;
- }
-
- fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject,
- pTemplate, ulCount, &error);
- if( (NSSCKFWObject *)NULL == fwNewObject ) {
- goto loser;
- }
-
- *phNewObject = nssCKFWInstance_CreateObjectHandle(fwInstance,
- fwNewObject, &error);
- if( (CK_OBJECT_HANDLE)0 == *phNewObject ) {
- nssCKFWObject_Destroy(fwNewObject);
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_ATTRIBUTE_READ_ONLY:
- case CKR_ATTRIBUTE_TYPE_INVALID:
- case CKR_ATTRIBUTE_VALUE_INVALID:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OBJECT_HANDLE_INVALID:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_SESSION_READ_ONLY:
- case CKR_TEMPLATE_INCONSISTENT:
- case CKR_TOKEN_WRITE_PROTECTED:
- case CKR_USER_NOT_LOGGED_IN:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_DestroyObject
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DestroyObject
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *fwObject;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- error = CKR_OBJECT_HANDLE_INVALID;
- goto loser;
- }
-
- nssCKFWObject_Destroy(fwObject);
- nssCKFWInstance_DestroyObjectHandle(fwInstance, hObject);
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OBJECT_HANDLE_INVALID:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_SESSION_READ_ONLY:
- case CKR_TOKEN_WRITE_PROTECTED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetObjectSize
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetObjectSize
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ULONG_PTR pulSize
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *fwObject;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- error = CKR_OBJECT_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_ULONG_PTR)CK_NULL_PTR == pulSize ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- *pulSize = (CK_ULONG)0;
-
- *pulSize = nssCKFWObject_GetObjectSize(fwObject, &error);
- if( ((CK_ULONG)0 == *pulSize) && (CKR_OK != error) ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_INFORMATION_SENSITIVE:
- case CKR_OBJECT_HANDLE_INVALID:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetAttributeValue
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetAttributeValue
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *fwObject;
- CK_BBOOL sensitive = CK_FALSE;
- CK_BBOOL invalid = CK_FALSE;
- CK_BBOOL tooSmall = CK_FALSE;
- CK_ULONG i;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- error = CKR_OBJECT_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- for( i = 0; i < ulCount; i++ ) {
- CK_ULONG size = nssCKFWObject_GetAttributeSize(fwObject,
- pTemplate[i].type, &error);
- if( (CK_ULONG)0 == size ) {
- switch( error ) {
- case CKR_ATTRIBUTE_SENSITIVE:
- case CKR_INFORMATION_SENSITIVE:
- sensitive = CK_TRUE;
- pTemplate[i].ulValueLen = (CK_ULONG)(-1);
- continue;
- case CKR_ATTRIBUTE_TYPE_INVALID:
- invalid = CK_TRUE;
- pTemplate[i].ulValueLen = (CK_ULONG)(-1);
- continue;
- case CKR_OK:
- break;
- default:
- goto loser;
- }
- }
-
- if( (CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue ) {
- pTemplate[i].ulValueLen = size;
- } else {
- NSSItem it, *p;
-
- if( pTemplate[i].ulValueLen < size ) {
- tooSmall = CK_TRUE;
- continue;
- }
-
- it.size = (PRUint32)pTemplate[i].ulValueLen;
- it.data = (void *)pTemplate[i].pValue;
- p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it,
- (NSSArena *)NULL, &error);
- if( (NSSItem *)NULL == p ) {
- switch( error ) {
- case CKR_ATTRIBUTE_SENSITIVE:
- case CKR_INFORMATION_SENSITIVE:
- sensitive = CK_TRUE;
- pTemplate[i].ulValueLen = (CK_ULONG)(-1);
- continue;
- case CKR_ATTRIBUTE_TYPE_INVALID:
- invalid = CK_TRUE;
- pTemplate[i].ulValueLen = (CK_ULONG)(-1);
- continue;
- default:
- goto loser;
- }
- }
-
- pTemplate[i].ulValueLen = size;
- }
- }
-
- if( sensitive ) {
- error = CKR_ATTRIBUTE_SENSITIVE;
- goto loser;
- } else if( invalid ) {
- error = CKR_ATTRIBUTE_TYPE_INVALID;
- goto loser;
- } else if( tooSmall ) {
- error = CKR_BUFFER_TOO_SMALL;
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_ATTRIBUTE_SENSITIVE:
- case CKR_ATTRIBUTE_TYPE_INVALID:
- case CKR_BUFFER_TOO_SMALL:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OBJECT_HANDLE_INVALID:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_SetAttributeValue
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SetAttributeValue
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWObject *fwObject;
- NSSCKFWObject *newFwObject;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- error = CKR_OBJECT_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- newFwObject = nssCKFWSession_CopyObject(fwSession, fwObject, pTemplate,
- ulCount, &error);
- if( (NSSCKFWObject *)NULL == newFwObject ) {
- goto loser;
- }
-
- error = nssCKFWInstance_ReassignObjectHandle(fwInstance, hObject, newFwObject);
- nssCKFWObject_Destroy(fwObject);
-
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_ATTRIBUTE_READ_ONLY:
- case CKR_ATTRIBUTE_TYPE_INVALID:
- case CKR_ATTRIBUTE_VALUE_INVALID:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OBJECT_HANDLE_INVALID:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_SESSION_READ_ONLY:
- case CKR_TEMPLATE_INCONSISTENT:
- case CKR_TOKEN_WRITE_PROTECTED:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_FindObjectsInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_FindObjectsInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWFindObjects *fwFindObjects;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) && (ulCount != 0) ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
- if( (NSSCKFWFindObjects *)NULL != fwFindObjects ) {
- error = CKR_OPERATION_ACTIVE;
- goto loser;
- }
-
- if( CKR_OPERATION_NOT_INITIALIZED != error ) {
- goto loser;
- }
-
- fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession,
- pTemplate, ulCount, &error);
- if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
- goto loser;
- }
-
- error = nssCKFWSession_SetFWFindObjects(fwSession, fwFindObjects);
-
- if( CKR_OK != error ) {
- nssCKFWFindObjects_Destroy(fwFindObjects);
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_ATTRIBUTE_TYPE_INVALID:
- case CKR_ATTRIBUTE_VALUE_INVALID:
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OPERATION_ACTIVE:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_FindObjects
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_FindObjects
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG ulMaxObjectCount,
- CK_ULONG_PTR pulObjectCount
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWFindObjects *fwFindObjects;
- CK_ULONG i;
- NSSArena *arena;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- arena = nssCKFWSession_GetArena(fwSession, &error);
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
-
- if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(phObject, 0, sizeof(CK_OBJECT_HANDLE) * ulMaxObjectCount);
- *pulObjectCount = (CK_ULONG)0;
-
- fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
- if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
- goto loser;
- }
-
- for( i = 0; i < ulMaxObjectCount; i++ ) {
- NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects,
- arena, &error);
- if( (NSSCKFWObject *)NULL == fwObject ) {
- break;
- }
-
- phObject[i] = nssCKFWInstance_FindObjectHandle(fwInstance, fwObject);
- if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
- phObject[i] = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
- }
- if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
- /* This isn't right either, is it? */
- nssCKFWObject_Destroy(fwObject);
- goto loser;
- }
- }
-
- *pulObjectCount = i;
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OPERATION_NOT_INITIALIZED:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_FindObjectsFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_FindObjectsFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSCKFWFindObjects *fwFindObjects;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
- if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
- error = CKR_OPERATION_NOT_INITIALIZED;
- goto loser;
- }
-
- nssCKFWFindObjects_Destroy(fwFindObjects);
- error = nssCKFWSession_SetFWFindObjects(fwSession, (NSSCKFWFindObjects *)NULL);
-
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OPERATION_NOT_INITIALIZED:
- case CKR_SESSION_HANDLE_INVALID:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_EncryptInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_EncryptInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Encrypt
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Encrypt
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pulEncryptedDataLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_EncryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_EncryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_EncryptFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_EncryptFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastEncryptedPart,
- CK_ULONG_PTR pulLastEncryptedPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Decrypt
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Decrypt
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG ulEncryptedDataLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastPart,
- CK_ULONG_PTR pulLastPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Digest
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Digest
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Sign
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Sign
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignRecoverInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignRecoverInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignRecover
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignRecover
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Verify
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Verify
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyFinal
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyRecoverInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyRecoverInit
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyRecover
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyRecover
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestEncryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestEncryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptDigestUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptDigestUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignEncryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignEncryptUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptVerifyUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptVerifyUpdate
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_GenerateKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GenerateKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_GenerateKeyPair
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GenerateKeyPair
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG ulPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG ulPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPublicKey,
- CK_OBJECT_HANDLE_PTR phPrivateKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_WrapKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_WrapKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hWrappingKey,
- CK_OBJECT_HANDLE hKey,
- CK_BYTE_PTR pWrappedKey,
- CK_ULONG_PTR pulWrappedKeyLen
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_UnwrapKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_UnwrapKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hUnwrappingKey,
- CK_BYTE_PTR pWrappedKey,
- CK_ULONG ulWrappedKeyLen,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DeriveKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DeriveKey
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hBaseKey,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey
-)
-{
- return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SeedRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SeedRandom
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSeed,
- CK_ULONG ulSeedLen
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSItem seed;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_BYTE_PTR)CK_NULL_PTR == pSeed ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /* We could read through the buffer in a Purify trap */
-
- seed.size = (PRUint32)ulSeedLen;
- seed.data = (void *)pSeed;
-
- error = nssCKFWSession_SeedRandom(fwSession, &seed);
-
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_CANCELED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OPERATION_ACTIVE:
- case CKR_RANDOM_SEED_NOT_SUPPORTED:
- case CKR_RANDOM_NO_RNG:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_USER_NOT_LOGGED_IN:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GenerateRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GenerateRandom
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pRandomData,
- CK_ULONG ulRandomLen
-)
-{
- CK_RV error = CKR_OK;
- NSSCKFWSession *fwSession;
- NSSItem buffer;
-
- if( (NSSCKFWInstance *)NULL == fwInstance ) {
- error = CKR_CRYPTOKI_NOT_INITIALIZED;
- goto loser;
- }
-
- fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
- if( (NSSCKFWSession *)NULL == fwSession ) {
- error = CKR_SESSION_HANDLE_INVALID;
- goto loser;
- }
-
- if( (CK_BYTE_PTR)CK_NULL_PTR == pRandomData ) {
- error = CKR_ARGUMENTS_BAD;
- goto loser;
- }
-
- /*
- * A purify error here indicates caller error.
- */
- (void)nsslibc_memset(pRandomData, 0, ulRandomLen);
-
- buffer.size = (PRUint32)ulRandomLen;
- buffer.data = (void *)pRandomData;
-
- error = nssCKFWSession_GetRandom(fwSession, &buffer);
-
- if( CKR_OK != error ) {
- goto loser;
- }
-
- return CKR_OK;
-
- loser:
- switch( error ) {
- case CKR_SESSION_CLOSED:
- /* destroy session? */
- break;
- case CKR_DEVICE_REMOVED:
- /* (void)nssCKFWToken_Destroy(fwToken); */
- break;
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- case CKR_DEVICE_ERROR:
- case CKR_DEVICE_MEMORY:
- case CKR_FUNCTION_CANCELED:
- case CKR_FUNCTION_FAILED:
- case CKR_GENERAL_ERROR:
- case CKR_HOST_MEMORY:
- case CKR_OPERATION_ACTIVE:
- case CKR_RANDOM_NO_RNG:
- case CKR_SESSION_HANDLE_INVALID:
- case CKR_USER_NOT_LOGGED_IN:
- break;
- default:
- case CKR_OK:
- error = CKR_GENERAL_ERROR;
- break;
- }
-
- return error;
-}
-
-/*
- * NSSCKFWC_GetFunctionStatus
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetFunctionStatus
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- return CKR_FUNCTION_NOT_PARALLEL;
-}
-
-/*
- * NSSCKFWC_CancelFunction
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CancelFunction
-(
- NSSCKFWInstance *fwInstance,
- CK_SESSION_HANDLE hSession
-)
-{
- return CKR_FUNCTION_NOT_PARALLEL;
-}
diff --git a/security/nss/lib/crmf/Makefile b/security/nss/lib/crmf/Makefile
deleted file mode 100644
index a376529c7..000000000
--- a/security/nss/lib/crmf/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-export:: private_export
diff --git a/security/nss/lib/crmf/asn1cmn.c b/security/nss/lib/crmf/asn1cmn.c
deleted file mode 100644
index 8dae9749c..000000000
--- a/security/nss/lib/crmf/asn1cmn.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-
-static const SEC_ASN1Template CMMFCertResponseTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertResponse)},
- { SEC_ASN1_INTEGER, offsetof(CMMFCertResponse, certReqId)},
- { SEC_ASN1_INLINE, offsetof(CMMFCertResponse, status),
- CMMFPKIStatusInfoTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER,
- offsetof(CMMFCertResponse, certifiedKeyPair),
- CMMFCertifiedKeyPairTemplate},
- { 0 }
-};
-
-static const SEC_ASN1Template CMMFCertOrEncCertTemplate[] = {
- { SEC_ASN1_ANY, offsetof(CMMFCertOrEncCert, derValue), NULL,
- sizeof(CMMFCertOrEncCert)},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertifiedKeyPair)},
- { SEC_ASN1_INLINE, offsetof(CMMFCertifiedKeyPair, certOrEncCert),
- CMMFCertOrEncCertTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
- offsetof(CMMFCertifiedKeyPair, privateKey),
- CRMFEncryptedValueTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof (CMMFCertifiedKeyPair, derPublicationInfo),
- SEC_AnyTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFPKIStatusInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFPKIStatusInfo)},
- { SEC_ASN1_INTEGER, offsetof(CMMFPKIStatusInfo, status)},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_UTF8_STRING,
- offsetof(CMMFPKIStatusInfo, statusString)},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING,
- offsetof(CMMFPKIStatusInfo, failInfo)},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFSequenceOfCertsTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_SignedCertificateTemplate}
-};
-
-const SEC_ASN1Template CMMFRandTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFRand)},
- { SEC_ASN1_INTEGER, offsetof(CMMFRand, integer)},
- { SEC_ASN1_OCTET_STRING, offsetof(CMMFRand, senderHash)},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, offsetof(CMMFPOPODecKeyRespContent, responses),
- SEC_IntegerTemplate, sizeof(CMMFPOPODecKeyRespContent)},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 1,
- 0,
- CRMFEncryptedValueTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0,
- SEC_SignedCertificateTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CMMFCertRepContentTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertRepContent)},
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CMMFCertRepContent, caPubs),
- CMMFSequenceOfCertsTemplate },
- { SEC_ASN1_SEQUENCE_OF, offsetof(CMMFCertRepContent, response),
- CMMFCertResponseTemplate},
- { 0 }
-};
-
-static const SEC_ASN1Template CMMFChallengeTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFChallenge)},
- { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL, offsetof(CMMFChallenge, owf),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, witness) },
- { SEC_ASN1_ANY, offsetof(CMMFChallenge, senderDER) },
- { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, key) },
- { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, challenge) },
- { 0 }
-};
-
-const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF,offsetof(CMMFPOPODecKeyChallContent, challenges),
- CMMFChallengeTemplate, sizeof(CMMFPOPODecKeyChallContent) },
- { 0 }
-};
-
-SECStatus
-cmmf_decode_process_cert_response(PRArenaPool *poolp,
- CERTCertDBHandle *db,
- CMMFCertResponse *inCertResp)
-{
- SECStatus rv = SECSuccess;
-
- if (inCertResp->certifiedKeyPair != NULL) {
- rv = cmmf_decode_process_certified_key_pair(poolp,
- db,
- inCertResp->certifiedKeyPair);
- }
- return rv;
-}
-
-static CERTCertificate*
-cmmf_DecodeDERCertificate(CERTCertDBHandle *db, SECItem *derCert)
-{
- CERTCertificate *newCert;
-
- newCert = CERT_DecodeDERCertificate(derCert, PR_TRUE, NULL);
- if (newCert != NULL && newCert->dbhandle == NULL) {
- newCert->dbhandle = db;
- }
- return newCert;
-}
-
-static CMMFCertOrEncCertChoice
-cmmf_get_certorenccertchoice_from_der(SECItem *der)
-{
- CMMFCertOrEncCertChoice retChoice;
-
- switch(der->data[0] & 0x0f) {
- case 0:
- retChoice = cmmfCertificate;
- break;
- case 1:
- retChoice = cmmfEncryptedCert;
- break;
- default:
- retChoice = cmmfNoCertOrEncCert;
- break;
- }
- return retChoice;
-}
-
-static SECStatus
-cmmf_decode_process_certorenccert(PRArenaPool *poolp,
- CERTCertDBHandle *db,
- CMMFCertOrEncCert *inCertOrEncCert)
-{
- SECStatus rv = SECSuccess;
-
- inCertOrEncCert->choice =
- cmmf_get_certorenccertchoice_from_der(&inCertOrEncCert->derValue);
-
- switch (inCertOrEncCert->choice) {
- case cmmfCertificate:
- {
- /* The DER has implicit tagging, so we gotta switch it to
- * un-tagged in order for the ASN1 parser to understand it.
- * Saving the bits that were changed.
- */
- inCertOrEncCert->derValue.data[0] = 0x30;
- inCertOrEncCert->cert.certificate =
- cmmf_DecodeDERCertificate(db, &inCertOrEncCert->derValue);
- if (inCertOrEncCert->cert.certificate == NULL) {
- rv = SECFailure;
- }
-
- }
- break;
- case cmmfEncryptedCert:
- inCertOrEncCert->cert.encryptedCert =
- PORT_ArenaZNew(poolp, CRMFEncryptedValue);
- if (inCertOrEncCert->cert.encryptedCert == NULL) {
- rv = SECFailure;
- break;
- }
- rv = SEC_ASN1Decode(poolp, inCertOrEncCert->cert.encryptedCert,
- CMMFCertOrEncCertEncryptedCertTemplate,
- (const char*)inCertOrEncCert->derValue.data,
- inCertOrEncCert->derValue.len);
- break;
- default:
- rv = SECFailure;
- }
- return rv;
-}
-
-SECStatus
-cmmf_decode_process_certified_key_pair(PRArenaPool *poolp,
- CERTCertDBHandle *db,
- CMMFCertifiedKeyPair *inCertKeyPair)
-{
- return cmmf_decode_process_certorenccert (poolp,
- db,
- &inCertKeyPair->certOrEncCert);
-}
-
-
diff --git a/security/nss/lib/crmf/challcli.c b/security/nss/lib/crmf/challcli.c
deleted file mode 100644
index 08702eb2e..000000000
--- a/security/nss/lib/crmf/challcli.c
+++ /dev/null
@@ -1,284 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "pk11func.h"
-
-CMMFPOPODecKeyChallContent*
-CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len)
-{
- PRArenaPool *poolp;
- CMMFPOPODecKeyChallContent *challContent;
- SECStatus rv;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
- if (challContent == NULL) {
- goto loser;
- }
- challContent->poolp = poolp;
- rv = SEC_ASN1Decode(poolp, challContent,
- CMMFPOPODecKeyChallContentTemplate, buf, len);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (challContent->challenges) {
- while (challContent->challenges[challContent->numChallenges] != NULL) {
- challContent->numChallenges++;
- }
- challContent->numAllocated = challContent->numChallenges;
- }
- return challContent;
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-int
-CMMF_POPODecKeyChallContentGetNumChallenges
- (CMMFPOPODecKeyChallContent *inKeyChallCont)
-{
- PORT_Assert(inKeyChallCont != NULL);
- if (inKeyChallCont == NULL) {
- return 0;
- }
- return inKeyChallCont->numChallenges;
-}
-
-SECItem*
-CMMF_POPODecKeyChallContentGetPublicValue
- (CMMFPOPODecKeyChallContent *inKeyChallCont,
- int inIndex)
-{
- PORT_Assert(inKeyChallCont != NULL);
- if (inKeyChallCont == NULL || (inIndex > inKeyChallCont->numChallenges-1)||
- inIndex < 0) {
- return NULL;
- }
- return SECITEM_DupItem(&inKeyChallCont->challenges[inIndex]->key);
-}
-
-static SECAlgorithmID*
-cmmf_get_owf(CMMFPOPODecKeyChallContent *inChalCont,
- int inIndex)
-{
- int i;
-
- for (i=inIndex; i >= 0; i--) {
- if (inChalCont->challenges[i]->owf != NULL) {
- return inChalCont->challenges[i]->owf;
- }
- }
- return NULL;
-}
-
-SECStatus
-CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
- int inIndex,
- SECKEYPrivateKey *inPrivKey)
-{
- CMMFChallenge *challenge;
- SECItem *decryptedRand=NULL;
- SECStatus rv = SECFailure;
- PK11SlotInfo *slot;
- PK11SymKey *symKey = NULL;
- CMMFRand randStr;
- SECAlgorithmID *owf;
- unsigned char hash[SHA1_LENGTH]; /*SHA1 is the longest, so we'll use
- *it's length.
- */
- SECItem hashItem;
- SECOidTag tag;
-
- PORT_Assert(inChalCont != NULL && inPrivKey != NULL);
- if (inChalCont == NULL || inIndex <0 || inIndex > inChalCont->numChallenges
- || inPrivKey == NULL){
- return SECFailure;
- }
- challenge = inChalCont->challenges[inIndex];
- decryptedRand = PORT_ZNew(SECItem);
- if (decryptedRand == NULL) {
- goto loser;
- }
- decryptedRand->data =
- PORT_NewArray(unsigned char, challenge->challenge.len);
- if (decryptedRand->data == NULL) {
- goto loser;
- }
- slot = inPrivKey->pkcs11Slot;
- symKey = PK11_PubUnwrapSymKey(inPrivKey, &challenge->challenge,
- CKM_RSA_PKCS, CKA_VALUE, 0);
- if (symKey == NULL) {
- rv = SECFailure;
- goto loser;
- }
- rv = PK11_ExtractKeyValue(symKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- decryptedRand = PK11_GetKeyData(symKey);
- rv = SEC_ASN1DecodeItem(NULL, &randStr, CMMFRandTemplate,
- decryptedRand);
- /* The decryptedRand returned points to a member within the symKey structure,
- * so we don't want to free it. Let the symKey destruction function deal with
- * freeing that memory.
- */
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECFailure; /* Just so that when we do go to loser,
- * I won't have to set it again.
- */
- owf = cmmf_get_owf(inChalCont, inIndex);
- if (owf == NULL) {
- /* No hashing algorithm came with the challenges. Can't verify */
- goto loser;
- }
- /* Verify the hashes in the challenge */
- tag = SECOID_FindOIDTag(&owf->algorithm);
- switch (tag) {
- case SEC_OID_MD2:
- hashItem.len = MD2_LENGTH;
- break;
- case SEC_OID_MD5:
- hashItem.len = MD5_LENGTH;
- break;
- case SEC_OID_SHA1:
- hashItem.len = SHA1_LENGTH;
- break;
- default:
- goto loser;
- }
- rv = PK11_HashBuf(tag, hash, randStr.integer.data, randStr.integer.len);
- if (rv != SECSuccess) {
- goto loser;
- }
- hashItem.data = hash;
- if (SECITEM_CompareItem(&hashItem, &challenge->witness) != SECEqual) {
- /* The hash for the data we decrypted doesn't match the hash provided
- * in the challenge. Bail out.
- */
- rv = SECFailure;
- goto loser;
- }
- rv = PK11_HashBuf(tag, hash, challenge->senderDER.data,
- challenge->senderDER.len);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (SECITEM_CompareItem(&hashItem, &randStr.senderHash) != SECEqual) {
- /* The hash for the data we decrypted doesn't match the hash provided
- * in the challenge. Bail out.
- */
- rv = SECFailure;
- goto loser;
- }
- /* All of the hashes have verified, so we can now store the integer away.*/
- rv = SECITEM_CopyItem(inChalCont->poolp, &challenge->randomNumber,
- &randStr.integer);
- loser:
- if (symKey != NULL) {
- PK11_FreeSymKey(symKey);
- }
- return rv;
-}
-
-SECStatus
-CMMF_POPODecKeyChallContentGetRandomNumber
- (CMMFPOPODecKeyChallContent *inKeyChallCont,
- int inIndex,
- long *inDest)
-{
- CMMFChallenge *challenge;
-
- PORT_Assert(inKeyChallCont != NULL);
- if (inKeyChallCont == NULL || inIndex > 0 || inIndex >=
- inKeyChallCont->numChallenges) {
- return SECFailure;
- }
- challenge = inKeyChallCont->challenges[inIndex];
- if (challenge->randomNumber.data == NULL) {
- /* There is no random number here, nothing to see. */
- return SECFailure;
- }
- *inDest = DER_GetInteger(&challenge->randomNumber);
- return (*inDest == -1) ? SECFailure : SECSuccess;
-}
-
-SECStatus
-CMMF_EncodePOPODecKeyRespContent(long *inDecodedRand,
- int inNumRand,
- CRMFEncoderOutputCallback inCallback,
- void *inArg)
-{
- PRArenaPool *poolp;
- CMMFPOPODecKeyRespContent *response;
- SECItem *currItem;
- SECStatus rv=SECFailure;
- int i;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return SECFailure;
- }
- response = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
- if (response == NULL) {
- goto loser;
- }
- response->responses = PORT_ArenaZNewArray(poolp, SECItem*, inNumRand+1);
- if (response->responses == NULL) {
- goto loser;
- }
- for (i=0; i<inNumRand; i++) {
- currItem = response->responses[i] = PORT_ArenaZNew(poolp,SECItem);
- if (currItem == NULL) {
- goto loser;
- }
- SEC_ASN1EncodeInteger(poolp, currItem,inDecodedRand[i]);
- }
- rv = cmmf_user_encode(response, inCallback, inArg,
- CMMFPOPODecKeyRespContentTemplate);
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return rv;
-}
diff --git a/security/nss/lib/crmf/cmmf.h b/security/nss/lib/crmf/cmmf.h
deleted file mode 100644
index a10220429..000000000
--- a/security/nss/lib/crmf/cmmf.h
+++ /dev/null
@@ -1,1119 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _CMMF_H_
-#define _CMMF_H_
-/*
- * These are the functions exported by the security library for
- * implementing Certificate Management Message Formats (CMMF).
- *
- * This API is designed against July 1998 CMMF draft. Please read this
- * draft before trying to use this API in an application that use CMMF.
- */
-#include "seccomon.h"
-#include "cmmft.h"
-#include "crmf.h"
-
-SEC_BEGIN_PROTOS
-
-/******************* Creation Functions *************************/
-
-/*
- * FUNCTION: CMMF_CreateCertRepContent
- * INPUTS:
- * NONE
- * NOTES:
- * This function will create an empty CMMFCertRepContent Structure.
- * The client of the library must set the CMMFCertResponses.
- * Call CMMF_CertRepContentSetCertResponse to accomplish this task.
- * If the client of the library also wants to include the chain of
- * CA certs required to make the certificates in CMMFCertResponse valid,
- * then the user must also set the caPubs field of CMMFCertRepContent.
- * Call CMMF_CertRepContentSetCAPubs to accomplish this. After setting
- * the desired fields, the user can then call CMMF_EncodeCertRepContent
- * to DER-encode the CertRepContent.
- * RETURN:
- * A pointer to the CMMFCertRepContent. A NULL return value indicates
- * an error in allocating memory or failure to initialize the structure.
- */
-extern CMMFCertRepContent* CMMF_CreateCertRepContent(void);
-
-/*
- * FUNCTION: CMMF_CreateCertRepContentFromDER
- * INPUTS
- * db
- * The certificate database where the certificates will be placed.
- * The certificates will be placed in the temporary database associated
- * with the handle.
- * buf
- * A buffer to the DER-encoded CMMFCertRepContent
- * len
- * The length in bytes of the buffer 'buf'
- * NOTES:
- * This function passes the buffer to the ASN1 decoder and creates a
- * CMMFCertRepContent structure. The user must call
- * CMMF_DestroyCertRepContent after the return value is no longer needed.
- *
- * RETURN:
- * A pointer to the CMMFCertRepContent structure. A NULL return
- * value indicates the library was unable to parse the DER.
- */
-extern CMMFCertRepContent*
- CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db,
- const char *buf,
- long len);
-
-/*
- * FUNCTION: CMMF_CreateCertResponse
- * INPUTS:
- * inCertReqId
- * The Certificate Request Id this response is for.
- * NOTES:
- * This creates a CMMFCertResponse. This response should correspond
- * to a request that was received via CRMF. From the CRMF message you
- * can get the Request Id to pass in as inCertReqId, in essence binding
- * a CMRFCertRequest message to the CMMFCertResponse created by this
- * function. If no requuest id is associated with the response to create
- * then the user should pass in -1 for 'inCertReqId'.
- *
- * RETURN:
- * A pointer to the new CMMFCertResponse corresponding to the request id
- * passed in. A NULL return value indicates an error while trying to
- * create the CMMFCertResponse.
- */
-extern CMMFCertResponse* CMMF_CreateCertResponse(long inCertReqId);
-
-/*
- * FUNCTION: CMMF_CreateKeyRecRepContent
- * INPUTS:
- * NONE
- * NOTES:
- * This function creates a new empty CMMFKeyRecRepContent structure.
- * At the very minimum, the user must call
- * CMMF_KeyRecRepContentSetPKIStatusInfoStatus field to have an
- * encodable structure. Depending on what the response is, the user may
- * have to set other fields as well to properly build up the structure so
- * that it can be encoded. Refer to the CMMF draft for how to properly
- * set up a CMMFKeyRecRepContent. This is the structure that an RA returns
- * to an end entity when doing key recovery.
-
- * The user must call CMMF_DestroyKeyRecRepContent when the return value
- * is no longer needed.
- * RETURN:
- * A pointer to the empty CMMFKeyRecRepContent. A return value of NULL
- * indicates an error in allocating memory or initializing the structure.
- */
-extern CMMFKeyRecRepContent *CMMF_CreateKeyRecRepContent(void);
-
-/*
- * FUNCTION: CMMF_CreateKeyRecRepContentFromDER
- * INPUTS:
- * db
- * The handle for the certificate database where the decoded
- * certificates will be placed. The decoded certificates will
- * be placed in the temporary database associated with the
- * handle.
- * buf
- * A buffer contatining the DER-encoded CMMFKeyRecRepContent
- * len
- * The length in bytes of the buffer 'buf'
- * NOTES
- * This function passes the buffer to the ASN1 decoder and creates a
- * CMMFKeyRecRepContent structure.
- *
- * RETURN:
- * A pointer to the CMMFKeyRecRepContent structure. A NULL return
- * value indicates the library was unable to parse the DER.
- */
-extern CMMFKeyRecRepContent*
- CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db,
- const char *buf,
- long len);
-
-/*
- * FUNCTION: CMMF_CreatePOPODecKeyChallContent
- * INPUTS:
- * NONE
- * NOTES:
- * This function creates an empty CMMFPOPODecKeyChallContent. The user
- * must add the challenges individually specifying the random number to
- * be used and the public key to be used when creating each individual
- * challenge. User can accomplish this by calling the function
- * CMMF_POPODecKeyChallContentSetNextChallenge.
- * RETURN:
- * A pointer to a CMMFPOPODecKeyChallContent structure. Ther user can
- * then call CMMF_EncodePOPODecKeyChallContent passing in the return
- * value from this function after setting all of the challenges. A
- * return value of NULL indicates an error while creating the
- * CMMFPOPODecKeyChallContent structure.
- */
-extern CMMFPOPODecKeyChallContent*
- CMMF_CreatePOPODecKeyChallContent(void);
-
-/*
- * FUNCTION: CMMF_CreatePOPODecKeyChallContentFromDER
- * INPUTS
- * buf
- * A buffer containing the DER-encoded CMMFPOPODecKeyChallContent
- * len
- * The length in bytes of the buffer 'buf'
- * NOTES:
- * This function passes the buffer to the ASN1 decoder and creates a
- * CMMFPOPODecKeyChallContent structure.
- *
- * RETURN:
- * A pointer to the CMMFPOPODecKeyChallContent structure. A NULL return
- * value indicates the library was unable to parse the DER.
- */
-extern CMMFPOPODecKeyChallContent*
- CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len);
-
-/*
- * FUNCTION: CMMF_CreatePOPODecKeyRespContentFromDER
- * INPUTS:
- * buf
- * A buffer contatining the DER-encoded CMMFPOPODecKeyRespContent
- * len
- * The length in bytes of the buffer 'buf'
- * NOTES
- * This function passes the buffer to the ASN1 decoder and creates a
- * CMMFPOPODecKeyRespContent structure.
- *
- * RETURN:
- * A pointer to the CMMFPOPODecKeyRespContent structure. A NULL return
- * value indicates the library was unable to parse the DER.
- */
-extern CMMFPOPODecKeyRespContent*
- CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len);
-
-/************************** Set Functions *************************/
-
-/*
- * FUNCTION: CMMF_CertRepContentSetCertResponses
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to operate on.
- * inCertResponses
- * An array of pointers to CMMFCertResponse structures to
- * add to the CMMFCertRepContent structure.
- * inNumResponses
- * The length of the array 'inCertResponses'
- * NOTES:
- * This function will add the CMMFCertResponse structure to the
- * CMMFCertRepContent passed in. The CMMFCertResponse field of
- * CMMFCertRepContent is required, so the client must call this function
- * before calling CMMF_EncodeCertRepContent. If the user calls
- * CMMF_EncodeCertRepContent before calling this function,
- * CMMF_EncodeCertRepContent will fail.
- *
- * RETURN:
- * SECSuccess if adding the CMMFCertResponses to the CMMFCertRepContent
- * structure was successful. Any other return value indicates an error
- * while trying to add the CMMFCertResponses.
- */
-extern SECStatus
- CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
- CMMFCertResponse **inCertResponses,
- int inNumResponses);
-
-/*
- * FUNCTION: CMMF_CertRepContentSetCAPubs
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to operate on.
- * inCAPubs
- * The certificate list which makes up the chain of CA certificates
- * required to make the issued cert valid.
- * NOTES:
- * This function will set the the certificates in the CA chain as part
- * of the CMMFCertRepContent. This field is an optional member of the
- * CMMFCertRepContent structure, so the client is not required to call
- * this function before calling CMMF_EncodeCertRepContent.
- *
- * RETURN:
- * SECSuccess if adding the 'inCAPubs' to the CERTRepContent was successful.
- * Any other return value indicates an error while adding 'inCAPubs' to the
- * CMMFCertRepContent structure.
- *
- */
-extern SECStatus
- CMMF_CertRepContentSetCAPubs (CMMFCertRepContent *inCertRepContent,
- CERTCertList *inCAPubs);
-
-/*
- * FUNCTION: CMMF_CertResponseSetPKIStatusInfoStatus
- * INPUTS:
- * inCertResp
- * The CMMFCertResponse to operate on.
- * inPKIStatus
- * The value to set for the PKIStatusInfo.status field.
- * NOTES:
- * This function will set the CertResponse.status.status field of
- * the CMMFCertResponse structure. (View the definition of CertResponse
- * in the CMMF draft to see exactly which value this talks about.) This
- * field is a required member of the structure, so the user must call this
- * function in order to have a CMMFCertResponse that can be encoded.
- *
- * RETURN:
- * SECSuccess if setting the field with the passed in value was successful.
- * Any other return value indicates an error while trying to set the field.
- */
-extern SECStatus
- CMMF_CertResponseSetPKIStatusInfoStatus (CMMFCertResponse *inCertResp,
- CMMFPKIStatus inPKIStatus);
-
-/*
- * FUNCTION: CMMF_CertResponseSetCertificate
- * INPUTS:
- * inCertResp
- * The CMMFCertResponse to operate on.
- * inCertificate
- * The certificate to add to the
- * CertResponse.CertifiedKeyPair.certOrEncCert.certificate field.
- * NOTES:
- * This function will take the certificate and make it a member of the
- * CMMFCertResponse. The certificate should be the actual certificate
- * being issued via the response.
- *
- * RETURN:
- * SECSuccess if adding the certificate to the response was successful.
- * Any other return value indicates an error in adding the certificate to
- * the CertResponse.
- */
-extern SECStatus
- CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
- CERTCertificate *inCertificate);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetPKIStatusInfoStatus
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * inPKIStatus
- * The value to set the PKIStatusInfo.status field to.
- * NOTES:
- * This function sets the only required field for the KeyRecRepContent.
- * In most cases, the user will set this field and other fields of the
- * structure to properly create the CMMFKeyRecRepContent structure.
- * Refer to the CMMF draft to see which fields need to be set in order
- * to create the desired CMMFKeyRecRepContent.
- *
- * RETURN:
- * SECSuccess if setting the PKIStatusInfo.status field was successful.
- * Any other return value indicates an error in setting the field.
- */
-extern SECStatus
-CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
- CMMFPKIStatus inPKIStatus);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetNewSignCert
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * inNewSignCert
- * The new signing cert to add to the CMMFKeyRecRepContent structure.
- * NOTES:
- * This function sets the new signeing cert in the CMMFKeyRecRepContent
- * structure.
- *
- * RETURN:
- * SECSuccess if setting the new signing cert was successful. Any other
- * return value indicates an error occurred while trying to add the
- * new signing certificate.
- */
-extern SECStatus
- CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
- CERTCertificate *inNewSignCert);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetCACerts
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * inCACerts
- * The list of CA certificates required to construct a valid
- * certificate chain with the certificates that will be returned
- * to the end user via this KeyRecRepContent.
- * NOTES:
- * This function sets the caCerts that are required to form a chain with the
- * end entity certificates that are being re-issued in this
- * CMMFKeyRecRepContent structure.
- *
- * RETURN:
- * SECSuccess if adding the caCerts was successful. Any other return value
- * indicates an error while tring to add the caCerts.
- */
-extern SECStatus
- CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
- CERTCertList *inCACerts);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetCertifiedKeyPair
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * inCert
- * The certificate to add to the CMMFKeyRecRepContent structure.
- * inPrivKey
- * The private key associated with the certificate above passed in.
- * inPubKey
- * The public key to use for wrapping the private key.
- * NOTES:
- * This function adds another certificate-key pair to the
- * CMMFKeyRecRepcontent structure. There may be more than one
- * certificate-key pair in the structure, so the user must call this
- * function multiple times to add more than one cert-key pair.
- *
- * RETURN:
- * SECSuccess if adding the certified key pair was successful. Any other
- * return value indicates an error in adding certified key pair to
- * CMMFKeyRecRepContent structure.
- */
-extern SECStatus
- CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
- CERTCertificate *inCert,
- SECKEYPrivateKey *inPrivKey,
- SECKEYPublicKey *inPubKey);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
- * INPUTS:
- * inDecKeyChall
- * The CMMFPOPODecKeyChallContent to operate on.
- * inRandom
- * The random number to use when generating the challenge,
- * inSender
- * The GeneralName representation of the sender of the challenge.
- * inPubKey
- * The public key to use when encrypting the challenge.
- * passwdArg
- * This value will be passed to the function used for getting a
- * password. The password for getting a password should be registered
- * by calling PK11_SetPasswordFunc before this function is called.
- * If no password callback is registered and the library needs to
- * authenticate to the slot for any reason, this function will fail.
- * NOTES:
- * This function adds a challenge to the end of the list of challenges
- * contained by 'inDecKeyChall'. Refer to the CMMF draft on how the
- * the random number passed in and the sender's GeneralName are used
- * to generate the challenge and witness fields of the challenge. This
- * library will use SHA1 as the one-way function for generating the
- * witess field of the challenge.
- *
- * RETURN:
- * SECSuccess if generating the challenge and adding to the end of list
- * of challenges was successful. Any other return value indicates an error
- * while trying to generate the challenge.
- */
-extern SECStatus
-CMMF_POPODecKeyChallContentSetNextChallenge
- (CMMFPOPODecKeyChallContent *inDecKeyChall,
- long inRandom,
- CERTGeneralName *inSender,
- SECKEYPublicKey *inPubKey,
- void *passwdArg);
-
-
-/************************** Encoding Functions *************************/
-
-/*
- * FUNCTION: CMMF_EncodeCertRepContent
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to DER-encode.
- * inCallback
- * A callback function that the ASN1 encoder will call whenever it
- * wants to write out DER-encoded bytes. Look at the defintion of
- * CRMFEncoderOutputCallback in crmft.h for a description of the
- * parameters to the function.
- * inArg
- * An opaque pointer to a user-supplied argument that will be passed
- * to the callback funtion whenever the function is called.
- * NOTES:
- * The CMMF library will use the same DER-encoding scheme as the CRMF
- * library. In other words, when reading CRMF comments that pertain to
- * encoding, those comments apply to the CMMF libray as well.
- * The callback function will be called multiple times, each time supplying
- * the next chunk of DER-encoded bytes. The user must concatenate the
- * output of each successive call to the callback in order to get the
- * entire DER-encoded CMMFCertRepContent structure.
- *
- * RETURN:
- * SECSuccess if encoding the CMMFCertRepContent was successful. Any
- * other return value indicates an error while decoding the structure.
- */
-extern SECStatus
- CMMF_EncodeCertRepContent (CMMFCertRepContent *inCertRepContent,
- CRMFEncoderOutputCallback inCallback,
- void *inArg);
-
-/*
- * FUNCTION: CMMF_EncodeKeyRecRepContent
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRepContent to DER-encode.
- * inCallback
- * A callback function that the ASN1 encoder will call whenever it
- * wants to write out DER-encoded bytes. Look at the defintion of
- * CRMFEncoderOutputCallback in crmft.h for a description of the
- * parameters to the function.
- * inArg
- * An opaque pointer to a user-supplied argument that will be passed
- * to the callback funtion whenever the function is called.
- * NOTES:
- * The CMMF library will use the same DER-encoding scheme as the CRMF
- * library. In other words, when reading CRMF comments that pertain to
- * encoding, those comments apply to the CMMF libray as well.
- * The callback function will be called multiple times, each time supplying
- * the next chunk of DER-encoded bytes. The user must concatenate the
- * output of each successive call to the callback in order to get the
- * entire DER-encoded CMMFCertRepContent structure.
- *
- * RETURN:
- * SECSuccess if encoding the CMMFKeyRecRepContent was successful. Any
- * other return value indicates an error while decoding the structure.
- */
-extern SECStatus
- CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep,
- CRMFEncoderOutputCallback inCallback,
- void *inArg);
-
-/*
- * FUNCTION: CMMF_EncodePOPODecKeyChallContent
- * INPUTS:
- * inDecKeyChall
- * The CMMFDecKeyChallContent to operate on.
- * inCallback
- * A callback function that the ASN1 encoder will call whenever it
- * wants to write out DER-encoded bytes. Look at the defintion of
- * CRMFEncoderOutputCallback in crmft.h for a description of the
- * parameters to the function.
- * inArg
- * An opaque pointer to a user-supplied argument that will be passed
- * to the callback function whenever the function is called.
- * NOTES:
- * The CMMF library will use the same DER-encoding scheme as the CRMF
- * library. In other words, when reading CRMF comments that pertain to
- * encoding, those comments apply to the CMMF libray as well.
- * The callback function will be called multiple times, each time supplying
- * the next chunk of DER-encoded bytes. The user must concatenate the
- * output of each successive call to the callback in order to get the
- * entire DER-encoded CMMFCertRepContent structure.
- * The DER will be an encoding of the type POPODecKeyChallContents, which
- * is just a sequence of challenges.
- *
- * RETURN:
- * SECSuccess if encoding was successful. Any other return value indicates
- * an error in trying to encode the Challenges.
- */
-extern SECStatus
-CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
- CRMFEncoderOutputCallback inCallback,
- void *inArg);
-
-/*
- * FUNCTION: CMMF_EncodePOPODecKeyRespContent
- * INPUTS:
- * inDecodedRand
- * An array of integers to encode as the responses to
- * CMMFPOPODecKeyChallContent. The integers must be in the same order
- * as the challenges extracted from CMMFPOPODecKeyChallContent.
- * inNumRand
- * The number of random integers contained in the array 'inDecodedRand'
- * inCallback
- * A callback function that the ASN1 encoder will call whenever it
- * wants to write out DER-encoded bytes. Look at the defintion of
- * CRMFEncoderOutputCallback in crmft.h for a description of the
- * parameters to the function.
- * inArg
- * An opaque pointer to a user-supplied argument that will be passed
- * to the callback funtion whenever the function is called.
- * NOTES:
- * The CMMF library will use the same DER-encoding scheme as the CRMF
- * library. In other words, when reading CRMF comments that pertain to
- * encoding, those comments apply to the CMMF libray as well.
- * The callback function will be called multiple times, each time supplying
- * the next chunk of DER-encoded bytes. The user must concatenate the
- * output of each successive call to the callback in order to get the
- * entire DER-encoded POPODecKeyRespContent.
- *
- * RETURN:
- * SECSuccess if encoding was successful. Any other return value indicates
- * an error in trying to encode the Challenges.
- */
-extern SECStatus
- CMMF_EncodePOPODecKeyRespContent(long *inDecodedRand,
- int inNumRand,
- CRMFEncoderOutputCallback inCallback,
- void *inArg);
-
-/*************** Accessor function ***********************************/
-
-/*
- * FUNCTION: CMMF_CertRepContentGetCAPubs
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to extract the caPubs from.
- * NOTES:
- * This function will return a copy of the list of certificates that
- * make up the chain of CA's required to make the cert issued valid.
- * The user must call CERT_DestroyCertList on the return value when
- * done using the return value.
- *
- * Only call this function on a CertRepContent that has been decoded.
- * The client must call CERT_DestroyCertList when the certificate list
- * is no longer needed.
- *
- * The certs in the list will not be in the temporary database. In order
- * to make these certificates a part of the permanent CA internal database,
- * the user must collect the der for all of these certs and call
- * CERT_ImportCAChain. Afterwards the certs will be part of the permanent
- * database.
- *
- * RETURN:
- * A pointer to the CERTCertList representing the CA chain associated
- * with the issued cert. A NULL return value indicates that no CA Pubs
- * were available in the CMMFCertRepContent structure.
- */
-extern CERTCertList*
- CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent);
-
-
-/*
- * FUNCTION: CMMF_CertRepContentGetNumResponses
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to operate on.
- * NOTES:
- * This function will return the number of CertResponses that are contained
- * by the CMMFCertRepContent passed in.
- *
- * RETURN:
- * The number of CMMFCertResponses contained in the structure passed in.
- */
-extern int
- CMMF_CertRepContentGetNumResponses (CMMFCertRepContent *inCertRepContent);
-
-/*
- * FUNCTION: CMMF_CertRepContentGetResponseAtIndex
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to operate on.
- * inIndex
- * The index of the CMMFCertResponse the user wants a copy of.
- * NOTES:
- * This funciton creates a copy of the CMMFCertResponse at the index
- * corresponding to the parameter 'inIndex'. Indexing is done like a
- * traditional C array, ie the valid indexes are (0...numResponses-1).
- * The user must call CMMF_DestroyCertResponse after the return value is
- * no longer needed.
- *
- * RETURN:
- * A pointer to the CMMFCertResponse at the index corresponding to
- * 'inIndex'. A return value of NULL indicates an error in copying
- * the CMMFCertResponse.
- */
-extern CMMFCertResponse*
-CMMF_CertRepContentGetResponseAtIndex (CMMFCertRepContent *inCertRepContent,
- int inIndex);
-
-/*
- * FUNCTION: CMMF_CertResponseGetCertReqId
- * INPUTS:
- * inCertResp
- * The CMMFCertResponse to operate on.
- * NOTES:
- * This function returns the CertResponse.certReqId from the
- * CMMFCertResponse structure passed in. If the return value is -1, that
- * means there is no associated certificate request with the CertResponse.
- * RETURN:
- * A long representing the id of the certificate request this
- * CMMFCertResponse corresponds to. A return value of -1 indicates an
- * error in extracting the value of the integer.
- */
-extern long CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp);
-
-/*
- * FUNCTION: CMMF_CertResponseGetPKIStatusInfoStatus
- * INPUTS:
- * inCertResp
- * The CMMFCertResponse to operate on.
- * NOTES:
- * This function returns the CertResponse.status.status field of the
- * CMMFCertResponse structure.
- *
- * RETURN:
- * The enumerated value corresponding to the PKIStatus defined in the CMMF
- * draft. See the CMMF draft for the definition of PKIStatus. See crmft.h
- * for the definition of CMMFPKIStatus.
- */
-extern CMMFPKIStatus
- CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp);
-
-/*
- * FUNCTION: CMMF_CertResponseGetCertificate
- * INPUTS:
- * inCertResp
- * The Certificate Response to operate on.
- * inCertdb
- * This is the certificate database where the function will place the
- * newly issued certificate.
- * NOTES:
- * This function retrieves the CertResponse.certifiedKeyPair.certificate
- * from the CMMFCertResponse. The user will get a copy of that certificate
- * so the user must call CERT_DestroyCertificate when the return value is
- * no longer needed. The certificate returned will be in the temporary
- * certificate database.
- *
- * RETURN:
- * A pointer to a copy of the certificate contained within the
- * CMMFCertResponse. A return value of NULL indicates an error while trying
- * to make a copy of the certificate.
- */
-extern CERTCertificate*
- CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
- CERTCertDBHandle *inCertdb);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetPKIStatusInfoStatus
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent structure to operate on.
- * NOTES:
- * This function retrieves the KeyRecRepContent.status.status field of
- * the CMMFKeyRecRepContent structure.
- * RETURN:
- * The CMMFPKIStatus corresponding to the value held in the
- * CMMFKeyRecRepContent structure.
- */
-extern CMMFPKIStatus
-CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetNewSignCert
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * NOTES:
- * This function retrieves the KeyRecRepContent.newSignCert field of the
- * CMMFKeyRecRepContent structure. The user must call
- * CERT_DestroyCertificate when the return value is no longer needed. The
- * returned certificate will be in the temporary database. The user
- * must then place the certificate permanently in whatever token the
- * user determines is the proper destination. A return value of NULL
- * indicates the newSigCert field was not present.
- */
-extern CERTCertificate*
- CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetCACerts
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * NOTES:
- * This function returns a CERTCertList which contains all of the
- * certficates that are in the sequence KeyRecRepContent.caCerts
- * User must call CERT_DestroyCertList when the return value is no longer
- * needed. All of these certificates will be placed in the tempoaray
- * database.
- *
- * RETURN:
- * A pointer to the list of caCerts contained in the CMMFKeyRecRepContent
- * structure. A return value of NULL indicates the library was not able to
- * make a copy of the certifcates. This may be because there are no caCerts
- * included in the CMMFKeyRecRepContent strucure or an internal error. Call
- * CMMF_KeyRecRepContentHasCACerts to find out if there are any caCerts
- * included in 'inKeyRecRep'.
- */
-extern CERTCertList*
- CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetNumKeyPairs
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to operate on.
- * RETURN:
- * This function returns the number of CMMFCertifiedKeyPair structures that
- * that are stored in the KeyRecRepContent structure.
- */
-extern int
- CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetCertKeyAtIndex
- * INPUTS:
- * inKeyRecRepContent
- * The CMMFKeyRecRepContent to operate on.
- * inIndex
- * The index of the desired CMMFCertifiedKeyPair
- * NOTES:
- * This function retrieves the CMMFCertifiedKeyPair structure at the index
- * 'inIndex'. Valid indexes are 0...(numKeyPairs-1) The user must call
- * CMMF_DestroyCertifiedKeyPair when the return value is no longer needed.
- *
- * RETURN:
- * A pointer to the Certified Key Pair at the desired index. A return value
- * of NULL indicates an error in extracting the Certified Key Pair at the
- * desired index.
- */
-extern CMMFCertifiedKeyPair*
- CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
- int inIndex);
-
-/*
- * FUNCTION: CMMF_CertifiedKeyPairGetCertificate
- * INPUTS:
- * inCertKeyPair
- * The CMMFCertifiedKeyPair to operate on.
- * inCertdb
- * The database handle for the database you want this certificate
- * to wind up in.
- * NOTES:
- * This function retrieves the certificate at
- * CertifiedKeyPair.certOrEncCert.certificate
- * The user must call CERT_DestroyCertificate when the return value is no
- * longer needed. The user must import this certificate as a token object
- * onto PKCS#11 slot in order to make it a permanent object. The returned
- * certificate will be in the temporary database.
- *
- * RETURN:
- * A pointer to the certificate contained within the certified key pair.
- * A return value of NULL indicates an error in creating the copy of the
- * certificate.
- */
-extern CERTCertificate*
- CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
- CERTCertDBHandle *inCertdb);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
- * INPUTS:
- * inKeyChallCont
- * The CMMFPOPODecKeyChallContent to operate on.
- * RETURN:
- * This function returns the number of CMMFChallenges are contained in
- * the CMMFPOPODecKeyChallContent structure.
- */
-extern int CMMF_POPODecKeyChallContentGetNumChallenges
- (CMMFPOPODecKeyChallContent *inKeyChallCont);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetPublicValue
- * ---------------------------------------------------
- * INPUTS:
- * inKeyChallCont
- * The CMMFPOPODecKeyChallContent to operate on.
- * inIndex
- * The index of the Challenge within inKeyChallCont to operate on.
- * Indexes start from 0, ie the Nth Challenge corresponds to index
- * N-1.
- * NOTES:
- * This function retrieves the public value stored away in the Challenge at
- * index inIndex of inKeyChallCont.
- * RETURN:
- * A pointer to a SECItem containing the public value. User must call
- * SECITEM_FreeItem on the return value when the value is no longer necessary.
- * A return value of NULL indicates an error while retrieving the public value.
- */
-extern SECItem* CMMF_POPODecKeyChallContentGetPublicValue
- (CMMFPOPODecKeyChallContent *inKeyChallCont,
- int inIndex);
-
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetRandomNumber
- * INPUTS:
- * inChallContent
- * The CMMFPOPODecKeyChallContent to operate on.
- * inIndex
- * The index of the challenge to look at. Valid indexes are 0 through
- * (CMMF_POPODecKeyChallContentGetNumChallenges(inChallContent) - 1).
- * inDest
- * A pointer to a user supplied buffer where the library
- * can place a copy of the random integer contatained in the
- * challenge.
- * NOTES:
- * This function returns the value held in the decrypted Rand structure
- * corresponding to the random integer. The user must call
- * CMMF_POPODecKeyChallContentDecryptChallenge before calling this function. Call
- * CMMF_ChallengeIsDecrypted to find out if the challenge has been
- * decrypted.
- *
- * RETURN:
- * SECSuccess indicates the witness field has been previously decrypted
- * and the value for the random integer was successfully placed at *inDest.
- * Any other return value indicates an error and that the value at *inDest
- * is not a valid value.
- */
-extern SECStatus CMMF_POPODecKeyChallContentGetRandomNumber
- (CMMFPOPODecKeyChallContent *inKeyChallCont,
- int inIndex,
- long *inDest);
-
-/*
- * FUNCTION: CMMF_POPODecKeyRespContentGetNumResponses
- * INPUTS:
- * inRespCont
- * The POPODecKeyRespContent to operate on.
- * RETURN:
- * This function returns the number of responses contained in inRespContent.
- */
-extern int
- CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont);
-
-/*
- * FUNCTION: CMMF_POPODecKeyRespContentGetResponse
- * INPUTS:
- * inRespCont
- * The POPODecKeyRespContent to operate on.
- * inIndex
- * The index of the response to retrieve.
- * The Nth response is at index N-1, ie the 1st response is at index 0,
- * the 2nd response is at index 1, and so on.
- * inDest
- * A pointer to a pre-allocated buffer where the library can put the
- * value of the response located at inIndex.
- * NOTES:
- * The function returns the response contained at index inIndex.
- * CMMFPOPODecKeyRespContent is a structure that the server will generally
- * get in response to a CMMFPOPODecKeyChallContent. The server will expect
- * to see the responses in the same order as it constructed them in
- * the CMMFPOPODecKeyChallContent structure.
- * RETURN:
- * SECSuccess if getting the response at the desired index was successful. Any
- * other return value indicates an errror.
- */
-extern SECStatus
- CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
- int inIndex,
- long *inDest);
-
-/************************* Destructor Functions ******************************/
-
-/*
- * FUNCTION: CMMF_DestroyCertResponse
- * INPUTS:
- * inCertResp
- * The CMMFCertResponse to destroy.
- * NOTES:
- * This function frees all the memory associated with the CMMFCertResponse
- * passed in.
- * RETURN:
- * SECSuccess if freeing the memory was successful. Any other return value
- * indicates an error while freeing the memory.
- */
-extern SECStatus CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp);
-
-/*
- * FUNCTION: CMMF_DestroyCertRepContent
- * INPUTS:
- * inCertRepContent
- * The CMMFCertRepContent to destroy
- * NOTES:
- * This function frees the memory associated with the CMMFCertRepContent
- * passed in.
- * RETURN:
- * SECSuccess if freeing all the memory associated with the
- * CMMFCertRepContent passed in is successful. Any other return value
- * indicates an error while freeing the memory.
- */
-extern SECStatus
- CMMF_DestroyCertRepContent (CMMFCertRepContent *inCertRepContent);
-
-/*
- * FUNCTION: CMMF_DestroyKeyRecRepContent
- * INPUTS:
- * inKeyRecRep
- * The CMMFKeyRecRepContent to destroy.
- * NOTES:
- * This function destroys all the memory associated with the
- * CMMFKeyRecRepContent passed in.
- *
- * RETURN:
- * SECSuccess if freeing all the memory is successful. Any other return
- * value indicates an error in freeing the memory.
- */
-extern SECStatus
- CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_DestroyCertifiedKeyPair
- * INPUTS:
- * inCertKeyPair
- * The CMMFCertifiedKeyPair to operate on.
- * NOTES:
- * This function frees up all the memory associated with 'inCertKeyPair'
- *
- * RETURN:
- * SECSuccess if freeing all the memory associated with 'inCertKeyPair'
- * is successful. Any other return value indicates an error while trying
- * to free the memory.
- */
-extern SECStatus
- CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
- * INPUTS:
- * inDecKeyResp
- * The CMMFPOPODecKeyRespContent structure to free.
- * NOTES:
- * This function frees up all the memory associate with the
- * CMMFPOPODecKeyRespContent.
- *
- * RETURN:
- * SECSuccess if freeing up all the memory associated with the
- * CMMFPOPODecKeyRespContent structure is successful. Any other
- * return value indicates an error while freeing the memory.
- */
-extern SECStatus
- CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
-
-
-/************************** Miscellaneous Functions *************************/
-
-/*
- * FUNCTION: CMMF_CertifiedKeyPairUnwrapPrivKey
- * INPUTS:
- * inCertKeyPair
- * The CMMFCertifiedKeyPair to operate on.
- * inPrivKey
- * The private key to use to un-wrap the private key
- * inNickName
- * This is the nickname that will be associated with the private key
- * to be unwrapped.
- * inSlot
- * The PKCS11 slot where the unwrapped private key should end up.
- * inCertdb
- * The Certificate database with which the new key will be associated.
- * destPrivKey
- * A pointer to memory where the library can place a pointer to the
- * private key after importing the key onto the specified slot.
- * wincx
- * An opaque pointer that the library will use in a callback function
- * to get the password if necessary.
- *
- * NOTES:
- * This function uses the private key passed in to unwrap the private key
- * contained within the CMMFCertifiedKeyPair structure. After this
- * function successfully returns, the private key has been unwrapped and
- * placed in the specified slot.
- *
- * RETURN:
- * SECSuccess if unwrapping the private key was successful. Any other
- * return value indicates an error while trying to un-wrap the private key.
- */
-extern SECStatus
- CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
- SECKEYPrivateKey *inPrivKey,
- SECItem *inNickName,
- PK11SlotInfo *inSlot,
- CERTCertDBHandle *inCertdb,
- SECKEYPrivateKey **destPrivKey,
- void *wincx);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentHasCACerts
- * INPUTS:
- * inKeyRecRecp
- * The CMMFKeyRecRepContent to operate on.
- * RETURN:
- * This function returns PR_TRUE if there are one or more certificates in
- * the sequence KeyRecRepContent.caCerts within the CMMFKeyRecRepContent
- * structure. The function will return PR_FALSE if there are 0 certificate
- * in the above mentioned sequence.
- */
-extern PRBool
- CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContDecryptChallenge
- * INPUTS:
- * inChalCont
- * The CMMFPOPODecKeyChallContent to operate on.
- * inIndex
- * The index of the Challenge to operate on. The 1st Challenge is
- * at index 0, the second at index 1 and so forth.
- * inPrivKey
- * The private key to use to decrypt the witness field.
- * NOTES:
- * This function uses the private key to decrypt the challenge field
- * contained in the appropriate challenge. Make sure the private key matches
- * the public key that was used to encrypt the witness. Use
- * CMMF_POPODecKeyChallContentGetPublicValue to get the public value of
- * the key used to encrypt the witness and then use that to determine the
- * appropriate private key. This can be done by calling PK11_MakeIDFromPubKey
- * and then passing that return value to PK11_FindKeyByKeyID. The creator of
- * the challenge will most likely be an RA that has the public key
- * from a Cert request. So the private key should be the private key
- * associated with public key in that request. This function will also
- * verify the witness field of the challenge. This function also verifies
- * that the sender and witness hashes match within the challenge.
- *
- * RETURN:
- * SECSuccess if decrypting the witness field was successful. This does
- * not indicate that the decrypted data is valid, since the private key
- * passed in may not be the actual key needed to properly decrypt the
- * witness field. Meaning that there is a decrypted structure now, but
- * may be garbage because the private key was incorrect.
- * Any other return value indicates the function could not complete the
- * decryption process.
- */
-extern SECStatus
- CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
- int inIndex,
- SECKEYPrivateKey *inPrivKey);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
- * INPUTS:
- * inDecKeyCont
- * The CMMFPOPODecKeyChallContent to free
- * NOTES:
- * This function frees up all the memory associated with the
- * CMMFPOPODecKeyChallContent
- * RETURN:
- * SECSuccess if freeing up all the memory associatd with the
- * CMMFPOPODecKeyChallContent is successful. Any other return value
- * indicates an error while freeing the memory.
- *
- */
-extern SECStatus
- CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
-
-SEC_END_PROTOS
-#endif /* _CMMF_H_ */
diff --git a/security/nss/lib/crmf/cmmfasn1.c b/security/nss/lib/crmf/cmmfasn1.c
deleted file mode 100644
index 6f0363571..000000000
--- a/security/nss/lib/crmf/cmmfasn1.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secasn1.h"
-#include "secitem.h"
-
-static const SEC_ASN1Template CMMFSequenceOfCertifiedKeyPairsTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, CMMFCertifiedKeyPairTemplate}
-};
-
-static const SEC_ASN1Template CMMFKeyRecRepContentTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFKeyRecRepContent)},
- { SEC_ASN1_INLINE, offsetof(CMMFKeyRecRepContent, status),
- CMMFPKIStatusInfoTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
- offsetof(CMMFKeyRecRepContent, newSigCert),
- SEC_SignedCertificateTemplate},
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CMMFKeyRecRepContent, caCerts),
- CMMFSequenceOfCertsTemplate},
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(CMMFKeyRecRepContent, keyPairHist),
- CMMFSequenceOfCertifiedKeyPairsTemplate},
- { 0 }
-};
-
-SECStatus
-CMMF_EncodeCertRepContent (CMMFCertRepContent *inCertRepContent,
- CRMFEncoderOutputCallback inCallback,
- void *inArg)
-{
- return cmmf_user_encode(inCertRepContent, inCallback, inArg,
- CMMFCertRepContentTemplate);
-}
-
-SECStatus
-CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
- CRMFEncoderOutputCallback inCallback,
- void *inArg)
-{
- return cmmf_user_encode(inDecKeyChall, inCallback, inArg,
- CMMFPOPODecKeyChallContentTemplate);
-}
-
-CMMFPOPODecKeyRespContent*
-CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len)
-{
- PRArenaPool *poolp;
- CMMFPOPODecKeyRespContent *decKeyResp;
- SECStatus rv;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- decKeyResp = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
- if (decKeyResp == NULL) {
- goto loser;
- }
- decKeyResp->poolp = poolp;
- rv = SEC_ASN1Decode(poolp, decKeyResp, CMMFPOPODecKeyRespContentTemplate,
- buf, len);
- if (rv != SECSuccess) {
- goto loser;
- }
- return decKeyResp;
-
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-SECStatus
-CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep,
- CRMFEncoderOutputCallback inCallback,
- void *inArg)
-{
- return cmmf_user_encode(inKeyRecRep, inCallback, inArg,
- CMMFKeyRecRepContentTemplate);
-}
-
-CMMFKeyRecRepContent*
-CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db, const char *buf,
- long len)
-{
- PRArenaPool *poolp;
- CMMFKeyRecRepContent *keyRecContent;
- SECStatus rv;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
- if (keyRecContent == NULL) {
- goto loser;
- }
- keyRecContent->poolp = poolp;
- rv = SEC_ASN1Decode(poolp, keyRecContent, CMMFKeyRecRepContentTemplate,
- buf, len);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (keyRecContent->keyPairHist != NULL) {
- while(keyRecContent->keyPairHist[keyRecContent->numKeyPairs] != NULL) {
- rv = cmmf_decode_process_certified_key_pair(poolp, db,
- keyRecContent->keyPairHist[keyRecContent->numKeyPairs]);
- if (rv != SECSuccess) {
- goto loser;
- }
- keyRecContent->numKeyPairs++;
- }
- keyRecContent->allocKeyPairs = keyRecContent->numKeyPairs;
- }
- keyRecContent->isDecoded = PR_TRUE;
- return keyRecContent;
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
diff --git a/security/nss/lib/crmf/cmmfchal.c b/security/nss/lib/crmf/cmmfchal.c
deleted file mode 100644
index 2e0beadd4..000000000
--- a/security/nss/lib/crmf/cmmfchal.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "sechash.h"
-#include "genname.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "secitem.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "keyhi.h"
-
-static SECStatus
-cmmf_create_witness_and_challenge(PRArenaPool *poolp,
- CMMFChallenge *challenge,
- long inRandom,
- SECItem *senderDER,
- SECKEYPublicKey *inPubKey,
- void *passwdArg)
-{
- SECItem *encodedRandNum;
- SECItem encodedRandStr = {siBuffer, NULL, 0};
- SECItem encryptBlock = {siBuffer, NULL, 0};
- SECItem *dummy;
- unsigned char *randHash, *senderHash, *encChal=NULL;
- unsigned modulusLen = 0;
- SECStatus rv = SECFailure;
- CMMFRand randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
- PK11SlotInfo *slot;
- PK11SymKey *symKey = NULL;
- CK_OBJECT_HANDLE id;
- CERTSubjectPublicKeyInfo *spki = NULL;
-
-
- encodedRandNum = SEC_ASN1EncodeInteger(poolp, &challenge->randomNumber,
- inRandom);
- encodedRandNum = &challenge->randomNumber;
- randHash = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
- senderHash = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
- if (randHash == NULL) {
- goto loser;
- }
- rv = PK11_HashBuf(SEC_OID_SHA1, randHash, encodedRandNum->data,
- (uint32)encodedRandNum->len);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = PK11_HashBuf(SEC_OID_SHA1, senderHash, senderDER->data,
- (uint32)senderDER->len);
- if (rv != SECSuccess) {
- goto loser;
- }
- challenge->witness.data = randHash;
- challenge->witness.len = SHA1_LENGTH;
-
- randStr.integer = *encodedRandNum;
- randStr.senderHash.data = senderHash;
- randStr.senderHash.len = SHA1_LENGTH;
- dummy = SEC_ASN1EncodeItem(NULL, &encodedRandStr, &randStr,
- CMMFRandTemplate);
- if (dummy != &encodedRandStr) {
- rv = SECFailure;
- goto loser;
- }
- /* XXXX Now I have to encrypt encodedRandStr and stash it away. */
- modulusLen = SECKEY_PublicKeyStrength(inPubKey);
- encChal = PORT_ArenaNewArray(poolp, unsigned char, modulusLen);
- if (encChal == NULL) {
- rv = SECFailure;
- goto loser;
- }
- slot =PK11_GetBestSlot(CKM_RSA_PKCS, passwdArg);
- if (slot == NULL) {
- rv = SECFailure;
- goto loser;
- }
- id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
- /* In order to properly encrypt the data, we import as a symmetric
- * key, and then wrap that key. That in essence encrypts the data.
- * This is the method recommended in the PK11 world in order
- * to prevent threading issues as well as breaking any other semantics
- * the PK11 libraries depend on.
- */
- symKey = PK11_ImportSymKey(slot, CKM_RSA_PKCS, PK11_OriginGenerated,
- CKA_VALUE, &encodedRandStr, passwdArg);
- if (symKey == NULL) {
- rv = SECFailure;
- goto loser;
- }
- challenge->challenge.data = encChal;
- challenge->challenge.len = modulusLen;
- rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, inPubKey, symKey,
- &challenge->challenge);
- PK11_FreeSlot(slot);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(poolp, &challenge->senderDER, senderDER);
- crmf_get_public_value(inPubKey, &challenge->key);
- /* Fall through */
- loser:
- if (spki != NULL) {
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- }
- if (encodedRandStr.data != NULL) {
- PORT_Free(encodedRandStr.data);
- }
- if (encodedRandNum != NULL) {
- SECITEM_FreeItem(encodedRandNum, PR_TRUE);
- }
- if (symKey != NULL) {
- PK11_FreeSymKey(symKey);
- }
- return rv;
-}
-
-static SECStatus
-cmmf_create_first_challenge(CMMFPOPODecKeyChallContent *challContent,
- long inRandom,
- SECItem *senderDER,
- SECKEYPublicKey *inPubKey,
- void *passwdArg)
-{
- SECOidData *oidData;
- CMMFChallenge *challenge;
- SECAlgorithmID *algId;
- PRArenaPool *poolp;
- SECStatus rv;
-
- oidData = SECOID_FindOIDByTag(SEC_OID_SHA1);
- if (oidData == NULL) {
- return SECFailure;
- }
- poolp = challContent->poolp;
- challenge = PORT_ArenaZNew(poolp, CMMFChallenge);
- if (challenge == NULL) {
- return SECFailure;
- }
- algId = challenge->owf = PORT_ArenaZNew(poolp, SECAlgorithmID);
- if (algId == NULL) {
- return SECFailure;
- }
- rv = SECITEM_CopyItem(poolp, &algId->algorithm, &oidData->oid);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- rv = cmmf_create_witness_and_challenge(poolp, challenge, inRandom,
- senderDER, inPubKey, passwdArg);
- challContent->challenges[0] = (rv == SECSuccess) ? challenge : NULL;
- challContent->numChallenges++;
- return rv ;
-}
-
-CMMFPOPODecKeyChallContent*
-CMMF_CreatePOPODecKeyChallContent (void)
-{
- PRArenaPool *poolp;
- CMMFPOPODecKeyChallContent *challContent;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
- if (challContent == NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- return NULL;
- }
- challContent->poolp = poolp;
- return challContent;
-}
-
-SECStatus
-CMMF_POPODecKeyChallContentSetNextChallenge
- (CMMFPOPODecKeyChallContent *inDecKeyChall,
- long inRandom,
- CERTGeneralName *inSender,
- SECKEYPublicKey *inPubKey,
- void *passwdArg)
-{
- CMMFChallenge *curChallenge;
- PRArenaPool *genNamePool = NULL, *poolp;
- SECStatus rv;
- SECItem *genNameDER;
- void *mark;
- SECItem senderDER = {siBuffer, NULL, 0};
-
- PORT_Assert (inDecKeyChall != NULL &&
- inSender != NULL &&
- inPubKey != NULL);
-
- if (inDecKeyChall == NULL ||
- inSender == NULL || inPubKey == NULL) {
- return SECFailure;
- }
- poolp = inDecKeyChall->poolp;
- mark = PORT_ArenaMark(poolp);
-
- genNamePool = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- genNameDER = cert_EncodeGeneralName(inSender, NULL, genNamePool);
- if (genNameDER == NULL) {
- rv = SECFailure;
- goto loser;
- }
- if (inDecKeyChall->challenges == NULL) {
- inDecKeyChall->challenges =
- PORT_ArenaZNewArray(poolp, CMMFChallenge*,(CMMF_MAX_CHALLENGES+1));
- inDecKeyChall->numAllocated = CMMF_MAX_CHALLENGES;
- }
-
- if (inDecKeyChall->numChallenges >= inDecKeyChall->numAllocated) {
- rv = SECFailure;
- goto loser;
- }
-
- if (inDecKeyChall->numChallenges == 0) {
- rv = cmmf_create_first_challenge(inDecKeyChall, inRandom,
- genNameDER, inPubKey, passwdArg);
- } else {
- curChallenge = PORT_ArenaZNew(poolp, CMMFChallenge);
- if (curChallenge == NULL) {
- rv = SECFailure;
- goto loser;
- }
- rv = cmmf_create_witness_and_challenge(poolp, curChallenge, inRandom,
- genNameDER, inPubKey,
- passwdArg);
- if (rv == SECSuccess) {
- inDecKeyChall->challenges[inDecKeyChall->numChallenges] =
- curChallenge;
- inDecKeyChall->numChallenges++;
- }
- }
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- PORT_FreeArena(genNamePool, PR_FALSE);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp, mark);
- if (genNamePool != NULL) {
- PORT_FreeArena(genNamePool, PR_FALSE);
- }
- PORT_Assert(rv != SECSuccess);
- return rv;
-}
-
-SECStatus
-CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp)
-{
- PORT_Assert(inDecKeyResp != NULL);
- if (inDecKeyResp != NULL && inDecKeyResp->poolp != NULL) {
- PORT_FreeArena(inDecKeyResp->poolp, PR_FALSE);
- }
- return SECSuccess;
-}
-
-int
-CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont)
-{
- int numResponses = 0;
-
- PORT_Assert(inRespCont != NULL);
- if (inRespCont == NULL) {
- return 0;
- }
-
- while (inRespCont->responses[numResponses] != NULL) {
- numResponses ++;
- }
- return numResponses;
-}
-
-SECStatus
-CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
- int inIndex,
- long *inDest)
-{
- PORT_Assert(inRespCont != NULL);
-
- if (inRespCont == NULL || inIndex < 0 ||
- inIndex >= CMMF_POPODecKeyRespContentGetNumResponses(inRespCont)) {
- return SECFailure;
- }
- *inDest = DER_GetInteger(inRespCont->responses[inIndex]);
- return (*inDest == -1) ? SECFailure : SECSuccess;
-}
diff --git a/security/nss/lib/crmf/cmmfi.h b/security/nss/lib/crmf/cmmfi.h
deleted file mode 100644
index 0a476badd..000000000
--- a/security/nss/lib/crmf/cmmfi.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * These are the definitions needed by the library internally to implement
- * CMMF. Most of these will be helper utilities for manipulating internal
- * data strucures.
- */
-#ifndef _CMMFI_H_
-#define _CMMFI_H_
-#include "cmmfit.h"
-#include "crmfi.h"
-
-#define CMMF_MAX_CHALLENGES 10
-#define CMMF_MAX_KEY_PAIRS 50
-
-/*
- * Some templates that the code will need to implement CMMF.
- */
-extern const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[];
-extern const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[];
-extern const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[];
-extern const SEC_ASN1Template CMMFRandTemplate[];
-extern const SEC_ASN1Template CMMFSequenceOfCertsTemplate[];
-extern const SEC_ASN1Template CMMFPKIStatusInfoTemplate[];
-extern const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[];
-
-
-/*
- * Some utility functions that are shared by multiple files in this
- * implementation.
- */
-
-extern SECStatus cmmf_CopyCertResponse (PRArenaPool *poolp,
- CMMFCertResponse *dest,
- CMMFCertResponse *src);
-
-extern SECStatus cmmf_CopyPKIStatusInfo (PRArenaPool *poolp,
- CMMFPKIStatusInfo *dest,
- CMMFPKIStatusInfo *src);
-
-extern SECStatus cmmf_CopyCertifiedKeyPair(PRArenaPool *poolp,
- CMMFCertifiedKeyPair *dest,
- CMMFCertifiedKeyPair *src);
-
-extern SECStatus cmmf_DestroyPKIStatusInfo(CMMFPKIStatusInfo *info,
- PRBool freeit);
-
-extern SECStatus cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert,
- PRBool freeit);
-
-extern SECStatus cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo *statusInfo,
- PRArenaPool *poolp,
- CMMFPKIStatus inStatus);
-
-extern SECStatus cmmf_ExtractCertsFromList(CERTCertList *inCertList,
- PRArenaPool *poolp,
- CERTCertificate ***certArray);
-
-extern SECStatus
- cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
- PRArenaPool *poolp,
- CERTCertificate *inCert);
-
-extern CMMFPKIStatus
- cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus);
-
-extern CERTCertList*
- cmmf_MakeCertList(CERTCertificate **inCerts);
-
-extern CERTCertificate*
-cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
- CERTCertDBHandle *certdb);
-
-extern SECStatus
-cmmf_decode_process_cert_response(PRArenaPool *poolp,
- CERTCertDBHandle *db,
- CMMFCertResponse *inCertResp);
-
-extern SECStatus
-cmmf_decode_process_certified_key_pair(PRArenaPool *poolp,
- CERTCertDBHandle *db,
- CMMFCertifiedKeyPair *inCertKeyPair);
-
-extern SECStatus
-cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
- const SEC_ASN1Template *inTemplate);
-
-extern SECStatus
-cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src);
-#endif /*_CMMFI_H_*/
-
-
-
-
-
diff --git a/security/nss/lib/crmf/cmmfit.h b/security/nss/lib/crmf/cmmfit.h
deleted file mode 100644
index e6ef02f96..000000000
--- a/security/nss/lib/crmf/cmmfit.h
+++ /dev/null
@@ -1,145 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _CMMFIT_H_
-#define _CMMFIT_H_
-
-/*
- * All fields marked by a PKIStausInfo in comments is an integer
- * with the following possible values.
- *
- * Integer Value Meaning
- * ------------- -------
- * 0 granted- got exactly what you asked for.
- *
- * 1 grantedWithMods-got something like what you asked
- * for;requester is responsible for ascertainging the
- * differences.
- *
- * 2 rejection-you don't get what you asked for; more
- * information elsewhere in the message
- *
- * 3 waiting-the request body part has not yet been
- * processed, expect to hear more later.
- *
- * 4 revocationWarning-this message contains a warning
- * that a revocation is imminent.
- *
- * 5 revocationNotification-notification that a
- * revocation has occurred.
- *
- * 6 keyUpdateWarning-update already done for the
- * oldCertId specified in FullCertTemplate.
- */
-
-struct CMMFPKIStatusInfoStr {
- SECItem status;
- SECItem statusString;
- SECItem failInfo;
-};
-
-struct CMMFCertOrEncCertStr {
- union {
- CERTCertificate *certificate;
- CRMFEncryptedValue *encryptedCert;
- } cert;
- CMMFCertOrEncCertChoice choice;
- SECItem derValue;
-};
-
-struct CMMFCertifiedKeyPairStr {
- CMMFCertOrEncCert certOrEncCert;
- CRMFEncryptedValue *privateKey;
- SECItem derPublicationInfo; /* We aren't creating
- * PKIPublicationInfo's, so
- * we'll store away the der
- * here if we decode one that
- * does have pubInfo.
- */
- SECItem unwrappedPrivKey;
-};
-
-struct CMMFCertResponseStr {
- SECItem certReqId;
- CMMFPKIStatusInfo status; /*PKIStatusInfo*/
- CMMFCertifiedKeyPair *certifiedKeyPair;
-};
-
-struct CMMFCertRepContentStr {
- CERTCertificate **caPubs;
- CMMFCertResponse **response;
- PRArenaPool *poolp;
- PRBool isDecoded;
-};
-
-struct CMMFChallengeStr {
- SECAlgorithmID *owf;
- SECItem witness;
- SECItem senderDER;
- SECItem key;
- SECItem challenge;
- SECItem randomNumber;
-};
-
-struct CMMFRandStr {
- SECItem integer;
- SECItem senderHash;
- CERTGeneralName *sender;
-};
-
-struct CMMFPOPODecKeyChallContentStr {
- CMMFChallenge **challenges;
- PRArenaPool *poolp;
- int numChallenges;
- int numAllocated;
-};
-
-struct CMMFPOPODecKeyRespContentStr {
- SECItem **responses;
- PRArenaPool *poolp;
-};
-
-struct CMMFKeyRecRepContentStr {
- CMMFPKIStatusInfo status; /* PKIStatusInfo */
- CERTCertificate *newSigCert;
- CERTCertificate **caCerts;
- CMMFCertifiedKeyPair **keyPairHist;
- PRArenaPool *poolp;
- int numKeyPairs;
- int allocKeyPairs;
- PRBool isDecoded;
-};
-
-#endif /* _CMMFIT_H_ */
-
diff --git a/security/nss/lib/crmf/cmmfrec.c b/security/nss/lib/crmf/cmmfrec.c
deleted file mode 100644
index ce0126b91..000000000
--- a/security/nss/lib/crmf/cmmfrec.c
+++ /dev/null
@@ -1,337 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * This file will implement the functions related to key recovery in
- * CMMF
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "keyhi.h"
-
-CMMFKeyRecRepContent*
-CMMF_CreateKeyRecRepContent(void)
-{
- PRArenaPool *poolp;
- CMMFKeyRecRepContent *keyRecContent;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
- if (keyRecContent == NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- return NULL;
- }
- keyRecContent->poolp = poolp;
- return keyRecContent;
-}
-
-SECStatus
-CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep)
-{
- PORT_Assert(inKeyRecRep != NULL);
- if (inKeyRecRep != NULL && inKeyRecRep->poolp != NULL) {
- if (!inKeyRecRep->isDecoded) {
- int i;
-
- CERT_DestroyCertificate(inKeyRecRep->newSigCert);
- if (inKeyRecRep->caCerts != NULL) {
- for (i=0; inKeyRecRep->caCerts[i] != NULL; i++) {
- CERT_DestroyCertificate(inKeyRecRep->caCerts[i]);
- }
- }
- if (inKeyRecRep->keyPairHist != NULL) {
- for (i=0; inKeyRecRep->keyPairHist[i] != NULL; i++) {
- if (inKeyRecRep->keyPairHist[i]->certOrEncCert.choice ==
- cmmfCertificate) {
- CERT_DestroyCertificate(inKeyRecRep->keyPairHist[i]->
- certOrEncCert.cert.certificate);
- }
- }
- }
- }
- PORT_FreeArena(inKeyRecRep->poolp, PR_TRUE);
- }
- return SECSuccess;
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
- CMMFPKIStatus inPKIStatus)
-{
- PORT_Assert(inKeyRecRep != NULL && inPKIStatus >= cmmfGranted &&
- inPKIStatus < cmmfNumPKIStatus);
- if (inKeyRecRep == NULL) {
- return SECFailure;
- }
-
- return cmmf_PKIStatusInfoSetStatus(&inKeyRecRep->status,
- inKeyRecRep->poolp,
- inPKIStatus);
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
- CERTCertificate *inNewSignCert)
-{
- PORT_Assert (inKeyRecRep != NULL && inNewSignCert != NULL);
- if (inKeyRecRep == NULL || inNewSignCert == NULL) {
- return SECFailure;
- }
- inKeyRecRep->newSigCert = CERT_DupCertificate(inNewSignCert);
- return (inKeyRecRep->newSigCert == NULL) ? SECFailure : SECSuccess;
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
- CERTCertList *inCACerts)
-{
- SECStatus rv;
- void *mark;
-
- PORT_Assert (inKeyRecRep != NULL && inCACerts != NULL);
- if (inKeyRecRep == NULL || inCACerts == NULL) {
- return SECFailure;
- }
- mark = PORT_ArenaMark(inKeyRecRep->poolp);
- rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
- &inKeyRecRep->caCerts);
- if (rv != SECSuccess) {
- PORT_ArenaRelease(inKeyRecRep->poolp, mark);
- } else {
- PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
- }
- return rv;
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
- CERTCertificate *inCert,
- SECKEYPrivateKey *inPrivKey,
- SECKEYPublicKey *inPubKey)
-{
- CMMFCertifiedKeyPair *keyPair;
- CRMFEncryptedValue *dummy;
- PRArenaPool *poolp;
- void *mark;
- SECStatus rv;
-
- PORT_Assert (inKeyRecRep != NULL &&
- inCert != NULL &&
- inPrivKey != NULL &&
- inPubKey != NULL);
- if (inKeyRecRep == NULL ||
- inCert == NULL ||
- inPrivKey == NULL ||
- inPubKey == NULL) {
- return SECFailure;
- }
- poolp = inKeyRecRep->poolp;
- mark = PORT_ArenaMark(poolp);
- if (inKeyRecRep->keyPairHist == NULL) {
- inKeyRecRep->keyPairHist = PORT_ArenaNewArray(poolp,
- CMMFCertifiedKeyPair*,
- (CMMF_MAX_KEY_PAIRS+1));
- if (inKeyRecRep->keyPairHist == NULL) {
- goto loser;
- }
- inKeyRecRep->allocKeyPairs = CMMF_MAX_KEY_PAIRS;
- inKeyRecRep->numKeyPairs = 0;
- }
-
- if (inKeyRecRep->allocKeyPairs == inKeyRecRep->numKeyPairs) {
- goto loser;
- }
-
- keyPair = PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
- if (keyPair == NULL) {
- goto loser;
- }
- rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert,
- poolp, inCert);
- if (rv != SECSuccess) {
- goto loser;
- }
- keyPair->privateKey = PORT_ArenaZNew(poolp, CRMFEncryptedValue);
- if (keyPair->privateKey == NULL) {
- goto loser;
- }
- dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, inPubKey,
- keyPair->privateKey);
- PORT_Assert(dummy = keyPair->privateKey);
- if (dummy != keyPair->privateKey) {
- crmf_destroy_encrypted_value(dummy, PR_TRUE);
- goto loser;
- }
- inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = keyPair;
- inKeyRecRep->numKeyPairs++;
- inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = NULL;
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-CMMFPKIStatus
-CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep)
-{
- PORT_Assert(inKeyRecRep != NULL);
- if (inKeyRecRep == NULL) {
- return cmmfNoPKIStatus;
- }
- return cmmf_PKIStatusInfoGetStatus(&inKeyRecRep->status);
-}
-
-CERTCertificate*
-CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep)
-{
- PORT_Assert(inKeyRecRep != NULL);
- if (inKeyRecRep == NULL ||
- inKeyRecRep->newSigCert == NULL) {
- return NULL;
- }
- return CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- &inKeyRecRep->newSigCert->signatureWrap.data,
- NULL, PR_FALSE, PR_TRUE);
-}
-
-CERTCertList*
-CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep)
-{
- PORT_Assert(inKeyRecRep != NULL);
- if (inKeyRecRep == NULL || inKeyRecRep->caCerts == NULL) {
- return NULL;
- }
- return cmmf_MakeCertList(inKeyRecRep->caCerts);
-}
-
-int
-CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep)
-{
- PORT_Assert(inKeyRecRep != NULL);
- return (inKeyRecRep == NULL) ? 0 : inKeyRecRep->numKeyPairs;
-}
-
-PRBool
-cmmf_KeyRecRepContentIsValidIndex(CMMFKeyRecRepContent *inKeyRecRep,
- int inIndex)
-{
- int numKeyPairs = CMMF_KeyRecRepContentGetNumKeyPairs(inKeyRecRep);
-
- return (PRBool)(inIndex >= 0 && inIndex < numKeyPairs);
-}
-
-CMMFCertifiedKeyPair*
-CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
- int inIndex)
-{
- CMMFCertifiedKeyPair *newKeyPair;
- SECStatus rv;
-
- PORT_Assert(inKeyRecRep != NULL &&
- cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex));
- if (inKeyRecRep == NULL ||
- !cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex)) {
- return NULL;
- }
- newKeyPair = PORT_ZNew(CMMFCertifiedKeyPair);
- if (newKeyPair == NULL) {
- return NULL;
- }
- rv = cmmf_CopyCertifiedKeyPair(NULL, newKeyPair,
- inKeyRecRep->keyPairHist[inIndex]);
- if (rv != SECSuccess) {
- CMMF_DestroyCertifiedKeyPair(newKeyPair);
- newKeyPair = NULL;
- }
- return newKeyPair;
-}
-
-SECStatus
-CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
- SECKEYPrivateKey *inPrivKey,
- SECItem *inNickName,
- PK11SlotInfo *inSlot,
- CERTCertDBHandle *inCertdb,
- SECKEYPrivateKey **destPrivKey,
- void *wincx)
-{
- CERTCertificate *cert;
- SECItem keyUsageValue = {siBuffer, NULL, 0};
- unsigned char keyUsage = 0x0;
- SECKEYPublicKey *pubKey;
- SECStatus rv;
-
- PORT_Assert(inKeyPair != NULL &&
- inPrivKey != NULL && inCertdb != NULL);
- if (inKeyPair == NULL ||
- inPrivKey == NULL ||
- inKeyPair->privateKey == NULL ||
- inCertdb == NULL) {
- return SECFailure;
- }
-
- cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
- CERT_FindKeyUsageExtension(cert, &keyUsageValue);
- if (keyUsageValue.data != NULL) {
- keyUsage = keyUsageValue.data[3];
- PORT_Free(keyUsageValue.data);
- }
- pubKey = CERT_ExtractPublicKey(cert);
- rv = crmf_encrypted_value_unwrap_priv_key(NULL, inKeyPair->privateKey,
- inPrivKey, pubKey,
- inNickName, inSlot, keyUsage,
- destPrivKey, wincx);
- SECKEY_DestroyPublicKey(pubKey);
- CERT_DestroyCertificate(cert);
- return rv;
-}
-
-
-PRBool
-CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep)
-{
- PORT_Assert(inKeyRecRep != NULL);
- if (inKeyRecRep == NULL) {
- return PR_FALSE;
- }
- return (PRBool)(inKeyRecRep->caCerts != NULL &&
- inKeyRecRep->caCerts[0] != NULL);
-}
diff --git a/security/nss/lib/crmf/cmmfresp.c b/security/nss/lib/crmf/cmmfresp.c
deleted file mode 100644
index 3aae6368d..000000000
--- a/security/nss/lib/crmf/cmmfresp.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * This file will contain all routines dealing with creating a
- * CMMFCertRepContent structure through Create/Set functions.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "crmf.h"
-#include "crmfi.h"
-#include "secitem.h"
-#include "secder.h"
-
-CMMFCertRepContent*
-CMMF_CreateCertRepContent(void)
-{
- CMMFCertRepContent *retCertRep;
- PRArenaPool *poolp;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- goto loser;
- }
- retCertRep = PORT_ArenaZNew(poolp, CMMFCertRepContent);
- if (retCertRep == NULL) {
- goto loser;
- }
- retCertRep->poolp = poolp;
- return retCertRep;
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-SECStatus
-cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
- PRArenaPool *poolp,
- CERTCertificate *inCert)
-{
- SECItem *derDest = NULL;
- SECStatus rv;
-
- if (inCert->derCert.data == NULL) {
- derDest = SEC_ASN1EncodeItem(NULL, NULL, inCert,
- CMMFCertOrEncCertCertificateTemplate);
- if (derDest == NULL) {
- goto loser;
- }
- } else {
- derDest = SECITEM_DupItem(&inCert->derCert);
- if (derDest == NULL) {
- goto loser;
- }
- }
- PORT_Assert(certOrEncCert->cert.certificate == NULL);
- certOrEncCert->cert.certificate = CERT_DupCertificate(inCert);
- certOrEncCert->choice = cmmfCertificate;
- if (poolp != NULL) {
- rv = SECITEM_CopyItem(poolp, &certOrEncCert->derValue, derDest);
- if (rv != SECSuccess) {
- goto loser;
- }
- } else {
- certOrEncCert->derValue = *derDest;
- }
- PORT_Free(derDest);
- return SECSuccess;
- loser:
- if (derDest != NULL) {
- SECITEM_FreeItem(derDest, PR_TRUE);
- }
- return rv;
-}
-
-SECStatus
-cmmf_ExtractCertsFromList(CERTCertList *inCertList,
- PRArenaPool *poolp,
- CERTCertificate ***certArray)
-{
- CERTCertificate **arrayLocalCopy;
- CERTCertListNode *node;
- int numNodes = 0, i;
-
- for (node = CERT_LIST_HEAD(inCertList); !CERT_LIST_END(node, inCertList);
- node = CERT_LIST_NEXT(node)) {
- numNodes++;
- }
-
- arrayLocalCopy = *certArray = (poolp == NULL) ?
- PORT_NewArray(CERTCertificate*, (numNodes+1)) :
- PORT_ArenaNewArray(poolp, CERTCertificate*, (numNodes+1));
- if (arrayLocalCopy == NULL) {
- return SECFailure;
- }
- for (node = CERT_LIST_HEAD(inCertList), i=0;
- !CERT_LIST_END(node, inCertList);
- node = CERT_LIST_NEXT(node), i++) {
- arrayLocalCopy[i] = CERT_DupCertificate(node->cert);
- if (arrayLocalCopy[i] == NULL) {
- int j;
-
- for (j=0; j<i; j++) {
- CERT_DestroyCertificate(arrayLocalCopy[j]);
- }
- if (poolp == NULL) {
- PORT_Free(arrayLocalCopy);
- }
- *certArray = NULL;
- return SECFailure;
- }
- }
- arrayLocalCopy[numNodes] = NULL;
- return SECSuccess;
-}
-
-SECStatus
-CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
- CMMFCertResponse **inCertResponses,
- int inNumResponses)
-{
- PRArenaPool *poolp;
- CMMFCertResponse **respArr, *newResp;
- void *mark;
- SECStatus rv;
- int i;
-
- PORT_Assert (inCertRepContent != NULL &&
- inCertResponses != NULL &&
- inNumResponses > 0);
- if (inCertRepContent == NULL ||
- inCertResponses == NULL ||
- inCertRepContent->response != NULL) {
- return SECFailure;
- }
- poolp = inCertRepContent->poolp;
- mark = PORT_ArenaMark(poolp);
- respArr = inCertRepContent->response =
- PORT_ArenaZNewArray(poolp, CMMFCertResponse*, (inNumResponses+1));
- if (respArr == NULL) {
- goto loser;
- }
- for (i=0; i<inNumResponses; i++) {
- newResp = PORT_ArenaZNew(poolp, CMMFCertResponse);
- if (newResp == NULL) {
- goto loser;
- }
- rv = cmmf_CopyCertResponse(poolp, newResp, inCertResponses[i]);
- if (rv != SECSuccess) {
- goto loser;
- }
- respArr[i] = newResp;
- }
- respArr[inNumResponses] = NULL;
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-CMMFCertResponse*
-CMMF_CreateCertResponse(long inCertReqId)
-{
- SECItem *dummy;
- CMMFCertResponse *newResp;
-
- newResp = PORT_ZNew(CMMFCertResponse);
- if (newResp == NULL) {
- goto loser;
- }
- dummy = SEC_ASN1EncodeInteger(NULL, &newResp->certReqId, inCertReqId);
- if (dummy != &newResp->certReqId) {
- goto loser;
- }
- return newResp;
-
- loser:
- if (newResp != NULL) {
- CMMF_DestroyCertResponse(newResp);
- }
- return NULL;
-}
-
-SECStatus
-CMMF_CertResponseSetPKIStatusInfoStatus(CMMFCertResponse *inCertResp,
- CMMFPKIStatus inPKIStatus)
-{
- PORT_Assert (inCertResp != NULL && inPKIStatus >= cmmfGranted
- && inPKIStatus < cmmfNumPKIStatus);
-
- if (inCertResp == NULL) {
- return SECFailure;
- }
- return cmmf_PKIStatusInfoSetStatus(&inCertResp->status, NULL,
- inPKIStatus);
-}
-
-SECStatus
-CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
- CERTCertificate *inCertificate)
-{
- CMMFCertifiedKeyPair *keyPair = NULL;
- SECStatus rv = SECFailure;
-
- PORT_Assert(inCertResp != NULL && inCertificate != NULL);
- if (inCertResp == NULL || inCertificate == NULL) {
- return SECFailure;
- }
- if (inCertResp->certifiedKeyPair == NULL) {
- keyPair = inCertResp->certifiedKeyPair =
- PORT_ZNew(CMMFCertifiedKeyPair);
- } else {
- keyPair = inCertResp->certifiedKeyPair;
- }
- if (keyPair == NULL) {
- goto loser;
- }
- rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert, NULL,
- inCertificate);
- if (rv != SECSuccess) {
- goto loser;
- }
- return SECSuccess;
- loser:
- if (keyPair) {
- if (keyPair->certOrEncCert.derValue.data) {
- PORT_Free(keyPair->certOrEncCert.derValue.data);
- }
- PORT_Free(keyPair);
- }
- return rv;
-}
-
-
-SECStatus
-CMMF_CertRepContentSetCAPubs(CMMFCertRepContent *inCertRepContent,
- CERTCertList *inCAPubs)
-{
- PRArenaPool *poolp;
- void *mark;
- SECStatus rv;
-
- PORT_Assert(inCertRepContent != NULL &&
- inCAPubs != NULL &&
- inCertRepContent->caPubs == NULL);
-
- if (inCertRepContent == NULL ||
- inCAPubs == NULL || inCertRepContent == NULL) {
- return SECFailure;
- }
-
- poolp = inCertRepContent->poolp;
- mark = PORT_ArenaMark(poolp);
-
- rv = cmmf_ExtractCertsFromList(inCAPubs, poolp,
- &inCertRepContent->caPubs);
-
- if (rv != SECSuccess) {
- PORT_ArenaRelease(poolp, mark);
- } else {
- PORT_ArenaUnmark(poolp, mark);
- }
- return rv;
-}
-
-CERTCertificate*
-CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
- CERTCertDBHandle *inCertdb)
-{
- PORT_Assert(inCertKeyPair != NULL);
- if (inCertKeyPair == NULL) {
- return NULL;
- }
- return cmmf_CertOrEncCertGetCertificate(&inCertKeyPair->certOrEncCert,
- inCertdb);
-}
diff --git a/security/nss/lib/crmf/cmmft.h b/security/nss/lib/crmf/cmmft.h
deleted file mode 100644
index 3db678714..000000000
--- a/security/nss/lib/crmf/cmmft.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _CMMFT_H_
-#define _CMMFT_H_
-
-#include "secasn1.h"
-
-/*
- * These are the enumerations used to distinguish between the different
- * choices available for the CMMFCertOrEncCert structure.
- */
-typedef enum {
- cmmfNoCertOrEncCert,
- cmmfCertificate,
- cmmfEncryptedCert
-} CMMFCertOrEncCertChoice;
-
-/*
- * This is the enumeration and the corresponding values used to
- * represent the CMMF type PKIStatus
- */
-typedef enum {
- cmmfGranted,
- cmmfGrantedWithMods,
- cmmfRejection,
- cmmfWaiting,
- cmmfRevocationWarning,
- cmmfRevocationNotification,
- cmmfKeyUpdateWarning,
- cmmfNumPKIStatus,
- cmmfNoPKIStatus
-} CMMFPKIStatus;
-
-/*
- * These enumerations are used to represent the corresponding values
- * in PKIFailureInfo defined in CMMF.
- */
-typedef enum {
- cmmfBadAlg,
- cmmfBadMessageCheck,
- cmmfBadRequest,
- cmmfBadTime,
- cmmfBadCertId,
- cmmfBadDataFormat,
- cmmfWrongAuthority,
- cmmfIncorrectData,
- cmmfMissingTimeStamp,
- cmmfNoFailureInfo
-} CMMFPKIFailureInfo;
-
-typedef struct CMMFPKIStatusInfoStr CMMFPKIStatusInfo;
-typedef struct CMMFCertOrEncCertStr CMMFCertOrEncCert;
-typedef struct CMMFCertifiedKeyPairStr CMMFCertifiedKeyPair;
-typedef struct CMMFCertResponseStr CMMFCertResponse;
-typedef struct CMMFCertResponseSeqStr CMMFCertResponseSeq;
-typedef struct CMMFPOPODecKeyChallContentStr CMMFPOPODecKeyChallContent;
-typedef struct CMMFChallengeStr CMMFChallenge;
-typedef struct CMMFRandStr CMMFRand;
-typedef struct CMMFPOPODecKeyRespContentStr CMMFPOPODecKeyRespContent;
-typedef struct CMMFKeyRecRepContentStr CMMFKeyRecRepContent;
-typedef struct CMMFCertRepContentStr CMMFCertRepContent;
-
-/* Export this so people can call SEC_ASN1EncodeItem instead of having to
- * write callbacks that are passed in to the high level encode function
- * for CMMFCertRepContent.
- */
-extern const SEC_ASN1Template CMMFCertRepContentTemplate[];
-extern const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[];
-
-#endif /*_CMMFT_H_*/
diff --git a/security/nss/lib/crmf/config.mk b/security/nss/lib/crmf/config.mk
deleted file mode 100644
index 1684cf3fa..000000000
--- a/security/nss/lib/crmf/config.mk
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h
deleted file mode 100644
index cf7b91095..000000000
--- a/security/nss/lib/crmf/crmf.h
+++ /dev/null
@@ -1,1779 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#ifndef _CRMF_H_
-#define _CRMF_H_
-
-#include "seccomon.h"
-#include "cert.h"
-#include "crmft.h"
-#include "secoid.h"
-#include "secpkcs7.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * FUNCTION: CRMF_EncodeCertReqMsg
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to be encoded.
- * fn
- * A Callback function that the ASN1 encoder calls whenever
- * the encoder wants to write out some DER encoded bytes.
- * arg
- * An opaque pointer that gets passed to the function fn
- * OUTPUT:
- * The function fn will be called multiple times. Look at the
- * comments in crmft.h where the CRMFEncoderOutputCallback type is
- * defined for information on proper behavior of the function fn.
- * RETURN:
- * SECSuccess if encoding was successful. Any other return value
- * indicates an error occurred during encoding.
- */
-extern SECStatus
- CRMF_EncodeCertReqMsg (CRMFCertReqMsg *inCertReqMsg,
- CRMFEncoderOutputCallback fn,
- void *arg);
-
-/*
- * FUNCTION: CRMF_EncoderCertRequest
- * INPUTS:
- * inCertReq
- * The Certificate Request to be encoded.
- * fn
- * A Callback function that the ASN1 encoder calls whenever
- * the encoder wants to write out some DER encoded bytes.
- * arg
- * An opaque pointer that gets passed to the function fn.
- * OUTPUT:
- * The function fn will be called, probably multiple times whenever
- * the ASN1 encoder wants to write out DER-encoded bytes. Look at the
- * comments in crmft.h where the CRMFEncoderOuputCallback type is
- * defined for information on proper behavior of the funciton fn.
- * RETURN:
- * SECSuccess if encoding was successful. Any other return value
- * indicates an error occured during encoding.
- */
-extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest *inCertReq,
- CRMFEncoderOutputCallback fn,
- void *arg);
-/*
- * FUNCTION: CRMF_EncodeCertReqMessages
- * INPUTS:
- * inCertReqMsgs
- * An array of pointers to the Certificate Request Messages
- * to encode. The user must place a NULL pointer in the index
- * after the last message to be encoded. When the library runs
- * into the NULL pointer, the library assumes there are no more
- * messages to encode.
- * fn
- * A Callback function that the ASN1 encoder calls whenever
- * the encoder wants to write out some DER encoded byts.
- * arg
- * An opaque pointer that gets passed to the function fn.
- *
- * NOTES:
- * The parameter inCertReqMsgs needs to be an array with a NULL pointer
- * to signal the end of messages. An array in the form of
- * {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and
- * m3. All messages from m4 on will not be looked at by the library.
- *
- * OUTPUT:
- * The function fn will be called, probably multiple times. Look at the
- * comments in crmft.h where the CRMFEncoderOuputCallback type is
- * defined for information on proper behavior of the funciton fn.
- *
- * RETURN:
- * SECSuccess if encoding the Certificate Request Messages was successful.
- * Any other return value indicates an error occurred while encoding the
- * certificate request messages.
- */
-extern SECStatus
- CRMF_EncodeCertReqMessages(CRMFCertReqMsg **inCertReqMsgs,
- CRMFEncoderOutputCallback fn,
- void *arg);
-
-
-/*
- * FUNCTION: CRMF_CreateCertReqMsg
- * INPUTS:
- * NONE
- * OUTPUT:
- * An empty CRMF Certificate Request Message.
- * Before encoding this message, the user must set
- * the ProofOfPossession field and the certificate
- * request which are necessary for the full message.
- * After the user no longer needs this CertReqMsg,
- * the user must call CRMF_DestroyCertReqMsg to free
- * all memory associated with the Certificate Request
- * Message.
- * RETURN:
- * A pointer to a Certificate Request Message. The user
- * must pass the return value of this function to
- * CRMF_DestroyCertReqMsg after the Certificate Request
- * Message is no longer necessary.
- */
-extern CRMFCertReqMsg* CRMF_CreateCertReqMsg(void);
-
-/*
- * FUNCTION: CRMF_DestroyCertReqMsg
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to destroy.
- * NOTES:
- * This function frees all the memory used for the Certificate
- * Request Message and all the memory used in making copies of
- * fields of elelments of the message, eg. the Proof Of Possession
- * filed and the Cetificate Request.
- * RETURN:
- * SECSuccess if destruction was successful. Any other return value
- * indicates an error while trying to free the memory associated
- * with inCertReqMsg.
- *
- */
-extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetCertRequest
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message that the function will set
- * the certificate request for.
- * inCertReq
- * The Certificate Request that will be added to the Certificate
- * Request Message.
- * NOTES:
- * This function will make a copy of the Certificate Request passed in
- * and store it as part of the Certificate Request Message. Therefore,
- * the user must not call this function until the Certificate Request
- * has been fully built and is ready to be encoded.
- * RETURN:
- * SECSuccess
- * If copying the Certificate as a member of the Certificate
- * request message was successful.
- * Any other return value indicates a failure to copy the Certificate
- * Request and make it a part of the Certificate Request Message.
- */
-extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg *inCertReqMsg,
- CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CreateCertRequest
- * INPUTS:
- * inRequestID
- * The ID that will be associated with this certificate request.
- * OUTPUTS:
- * A certificate request which only has the requestID set.
- * NOTES:
- * The user must call the function CRMF_DestroyCertRequest when
- * the returned value is no longer needed. This is usually the
- * case after fully constructing the Certificate Request and then
- * calling the function CRMF_CertReqMsgSetCertRequest.
- * RETURN:
- * A pointer to the new Certificate Request. A NULL return value
- * indicates an error in creating the Certificate Request.
- */
-extern CRMFCertRequest *CRMF_CreateCertRequest (long inRequestID);
-
-/*
- * FUNCTION: CRMF_DestroyCertRequest
- * INPUTS:
- * inCertReq
- * The Certificate Request that will be destroyed.
- * RETURN:
- * SECSuccess
- * If freeing the memory associated with the certificate request
- * was successful.
- * Any other return value indicates an error while trying to free the
- * memory.
- */
-extern SECStatus CRMF_DestroyCertRequest (CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CreateCertExtension
- * INPUTS:
- * id
- * The SECOidTag to associate with this CertExtension. This must
- * correspond to a valid Certificate Extension, if not the function
- * will fail.
- * isCritical
- * A boolean value stating if the extension value is crtical. PR_TRUE
- * means the value is crtical. PR_FALSE indicates the value is not
- * critical.
- * data
- * This is the data associated with the extension. The user of the
- * library is responsible for making sure the value passed in is a
- * valid interpretation of the certificate extension.
- * NOTES:
- * Use this function to create CRMFCertExtension Structures which will
- * then be passed to CRMF_AddFieldToCertTemplate as part of the
- * CRMFCertCreationInfo.extensions The user must call
- * CRMF_DestroyCertExtension after the extension has been added to a certifcate
- * and the extension is no longer needed.
- *
- * RETURN:
- * A pointer to a newly created CertExtension. A return value of NULL
- * indicates the id passed in was an invalid certificate extension.
- */
-extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag id,
- PRBool isCritical,
- SECItem *data);
-
-/*
- * FUNCTION: CMRF_DestroyCertExtension
- * INPUTS:
- * inExtension
- * The Cert Extension to destroy
- * NOTES:
- * Destroy a structure allocated by CRMF_CreateCertExtension.
- *
- * RETURN:
- * SECSuccess if freeing the memory associated with the certificate extension
- * was successful. Any other error indicates an error while freeing the
- * memory.
- */
-extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension);
-
-/*
- * FUNCTION: CRMF_CertRequestSetTemplateField
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * inTemplateField
- * An enumeration that indicates which field of the Certificate
- * template to add.
- * data
- * A generic pointer that will be type cast according to the
- * table under NOTES and used as the key for adding to the
- * certificate template;
- * NOTES:
- *
- * Below is a table that tells what type to pass in as data
- * depending on the template field one wants to set.
- *
- * Look in crmft.h for the definition of CRMFCertTemplateField.
- *
- * In all cases, the library makes copies of the data passed in.
- *
- * CRMFCertTemplateField Type of data What data means
- * --------------------- ------------ ---------------
- * crmfVersion long * The version of
- * the certificate
- * to be created.
- *
- * crmfSerialNumber long * The serial number
- * for the cert to be
- * created.
- *
- * crmfSigningAlg SECAlgorithm * The ASN.1 object ID for
- * the algorithm used in encoding
- * the certificate.
- *
- * crmfIssuer CERTName * Certificate Library
- * representation of the ASN1 type
- * Name from X.509
- *
- * crmfValidity CRMFValidityCreationInfo * At least one of the two
- * fields in the structure must
- * be present. A NULL pointer
- * in the structure indicates
- * that member should not be
- * added.
- *
- * crmfSubject CERTName * Certificate Library
- * representation of the ASN1 type
- * Name from X.509
- *
- * crmfPublicKey CERTSubjectPublicKeyInfo * The public key info for the
- * certificate being requested.
- *
- * crmfIssuerUID SECItem * A bit string representation
- * of the issuer UID. NOTE: The
- * length is the number of bits
- * and not the number of bytes.
- *
- * crmfSubjectUID SECItem* A bit string representation
- * of the subject UID. NOTE: The
- * length is the number of bits
- * and not the number of bytes.
- *
- * crmfExtension CRMFCertExtCreationInfo * A pointer to the structure
- * populated with an array of
- * of certificate extensions
- * and an integer that tells
- * how many elements are in the
- * array. Look in crmft.h for
- * the definition of
- * CRMFCertExtCreationInfo
- * RETURN:
- * SECSuccess if adding the desired field to the template was successful.
- * Any other return value indicates failure when trying to add the field
- * to the template.
- *
- */
-extern SECStatus
- CRMF_CertRequestSetTemplateField(CRMFCertRequest *inCertReq,
- CRMFCertTemplateField inTemplateField,
- void *data);
-
-/*
- * FUNCTION: CRMF_CertRequestIsFieldPresent
- * INPUTS:
- * inCertReq
- * The certificate request to operate on.
- * inTemplateField
- * The enumeration for the template field the user wants to query
- * about.
- * NOTES:
- * This function checks to see if the the field associated with inTemplateField
- * enumeration is already present in the certificate request passed in.
- *
- * RETURN:
- * The function returns PR_TRUE if the field associated with inTemplateField
- * is already present in the certificate request. If the field is not present
- * the function returns PR_FALSE.
- */
-extern PRBool
- CRMF_CertRequestIsFieldPresent(CRMFCertRequest *inCertReq,
- CRMFCertTemplateField inTemplateField);
-
-/*
- * FUNCTION: CRMF_CertRequestIsControlPresent
- * INPUTS:
- * inCertReq
- * The certificate request to operate on.
- * inControlType
- * The type of control to look for.
- * NOTES:
- * This function looks at the control present in the certificate request
- * and returns PR_TRUE iff a control of type inControlType already exists.
- * The CRMF draft does not explicitly state that two controls of the same
- * type can not exist within the same request. So the library will not
- * cause an error if you try to add a control and one of the same type
- * already exists. It is up to the application to ensure that multiple
- * controls of the same type do not exist, if that is the desired behavior
- * by the application.
- *
- * RETURN:
- * The function returns PR_TRUE if a control of type inControlType already
- * exists in the certificate request. If a control of type inControlType
- * does not exist, the function will return PR_FALSE.
- */
-extern PRBool
- CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
- CRMFControlType inControlType);
-
-
-/*
- * FUNCTION: CRMF_CertRequestSetRegTokenControl
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * value
- * The UTF8 value which will be the Registration Token Control
- * for this Certificate Request.
- * NOTES:
- * The library does no verification that the value passed in is
- * a valid UTF8 value. The caller must make sure of this in order
- * to get an encoding that is valid. The library will ultimately
- * encode this value as it was passed in.
- * RETURN:
- * SECSucces on successful addition of the Registration Token Control.
- * Any other return value indicates an unsuccessful attempt to add the
- * control.
- *
- */
-extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq,
- SECItem *value);
-
-/*
- * FUNCTION: CRMF_CertRequestSetAuthenticatorControl
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * value
- * The UTF8 value that will become the Authenticator Control
- * for the passed in Certificate Request.
- * NOTES:
- * The library does no verification that the value passed in is
- * a valid UTF8 value. The caller must make sure of this in order
- * to get an encoding that is valid. The library will ultimately
- * encode this value as it was passed in.
- * RETURN:
- * SECSucces on successful addition of the Authenticator Control.
- * Any other return value indicates an unsuccessful attempt to add the
- * control.
- */
-extern SECStatus
- CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq,
- SECItem *value);
-
-/*
- * FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue
- * INPUTS:
- * inPrivKey
- * This is the private key associated with a certificate that is
- * being requested. This structure will eventually wind up as
- * a part of the PKIArchiveOptions Control.
- * inCACert
- * This is the certificate for the CA that will be receiving the
- * certificate request for the private key passed in.
- * OUTPUT:
- * A CRMFEncryptedKey that can ultimately be used as part of the
- * PKIArchiveOptions Control.
- *
- * RETURN:
- * A pointer to a CRMFEncyptedKey. A NULL return value indicates an erro
- * during the creation of the encrypted key.
- */
-extern CRMFEncryptedKey*
- CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey,
- CERTCertificate *inCACert);
-
-/*
- * FUNCTION: CRMF_DestroyEncryptedKey
- * INPUTS:
- * inEncrKey
- * The CRMFEncryptedKey to be destroyed.
- * NOTES:
- * Frees all memory associated with the CRMFEncryptedKey passed in.
- * RETURN:
- * SECSuccess if freeing the memory was successful. Any other return
- * value indicates an error while freeig the memroy.
- */
-extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey);
-
-/*
- * FUNCTION: CRMF_CreatePKIArchiveOptions
- * INPUTS:
- * inType
- * An enumeration value indicating which option for
- * PKIArchiveOptions to use.
- * data
- * A pointer that will be type-cast and de-referenced according
- * to the table under NOTES.
- * NOTES:
- * A table listing what should be passed in as data
- * ------------------------------------------------
- *
- * inType data
- * ------ ----
- * crmfEncryptedPrivateKey CRMFEncryptedKey*
- * crmfKeyGenParameters SECItem*(This needs to be an octet string)
- * crmfArchiveRemGenPrivKey PRBool*
- *
- * RETURN:
- * A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate
- * Request. A NULL pointer indicates an error occurred while creating
- * the CRMFPKIArchiveOptions Structure.
- */
-extern CRMFPKIArchiveOptions*
- CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType,
- void *data);
-/*
- * FUNCTION: CRMF_DestroyPKIArchiveOptions
- * INPUTS:
- * inArchOpt
- * A pointer to the CRMFPKIArchiveOptions structure to free.
- * NOTES:
- * Will free all memory associated with 'inArchOpt'.
- * RETURN:
- * SECSuccess if successful in freeing the memory used by 'inArchOpt'
- * Any other return value indicates an error while freeing the memory.
- */
-extern SECStatus
- CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt);
-
-/*
- * FUNCTION: CRMF_CertRequestSetPKIArchiveOptions
- * INPUTS:
- * inCertReq
- * The Certificate Request to add the the options to.
- * inOptions
- * The Archive Options to add to the Certificate Request.
- * NOTES:
- * Adds the PKIArchiveOption to the Certificate Request. This is what
- * enables Key Escrow to take place through CRMF. The library makes
- * its own copy of the information.
- * RETURN:
- * SECSuccess if successful in adding the ArchiveOptions to the Certificate
- * request. Any other return value indicates an error when trying to add
- * the Archive Options to the Certificate Request.
- */
-extern SECStatus
- CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest *inCertReq,
- CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPType
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to operate on.
- * NOTES:
- * Returns an enumeration value indicating the method of Proof
- * of Possession that was used for the passed in Certificate Request
- * Message.
- * RETURN:
- * An enumeration indicating what method for Proof Of Possession is
- * being used in this Certificate Request Message. Look in the file
- * crmft.h for the definition of CRMFPOPChoice for the possible return
- * values.
- */
-extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP
- * INPUT:
- * InCertReqMsg
- * The Certificate Request Message to operate on.
- * NOTES:
- * This function will set the method of Proof Of Possession to
- * crmfRAVerified which means the RA has already verified the
- * requester does possess the private key.
- * RETURN:
- * SECSuccess if adding RAVerified to the message is successful.
- * Any other message indicates an error while trying to add RAVerified
- * as the Proof of Possession.
- */
-extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetSignaturePOP
- * INPUT:
- * inCertReqMsg
- * The Certificate Request Message to add the SignaturePOP to.
- * inPrivKey
- * The Private Key which corresponds to the the Certificate Request
- * Message.
- * inPubKey
- * The Public Key which corresponds to the Private Key passed in.
- * inCertForInput
- * A Certificate that in the future may be used to create
- * POPOSigningKeyInput.
- * fn
- * A callback for retrieving a password which may be used in the
- * future to generate POPOSigningKeyInput.
- * arg
- * An opaque pointer that would be passed to fn whenever it is
- * called.
- * NOTES:
- * Adds Proof Of Possession to the CertRequest using the signature field
- * of the ProofOfPossession field. NOTE: In order to use this option,
- * the certificate template must contain the publicKey at the very minimum.
- *
- * If you don't want the function to generate POPOSigningKeyInput, then
- * make sure the cert template already contains the subject and public key
- * values. Currently creating POPOSigningKeyInput is not supported, so
- * a Message passed to this function must have the publicKey and the subject
- * as part of the template
- *
- * This will take care of creating the entire POPOSigningKey structure
- * that will become part of the message.
- *
- * inPrivKey is the key to be used in the signing operation when creating
- * POPOSigningKey structure. This should be the key corresponding to
- * the certificate being requested.
- *
- * inCertForInput will be used if POPOSigningKeyInput needs to be generated.
- * It will be used in generating the authInfo.sender field. If the parameter
- * is not passed in then authInfo.publicKeyMAC will be generated instead.
- * If passed in, this certificate needs to be a valid certificate.
- *
- * The last 3 arguments are for future compatibility in case we ever want to
- * support generating POPOSigningKeyInput. Pass in NULL for all 3 if you
- * definitely don't want the funciton to even try to generate
- * POPOSigningKeyInput. If you try to use POPOSigningKeyInput, the function
- * will fail.
- *
- * RETURN:
- * SECSuccess if adding the Signature Proof Of Possession worked.
- * Any other return value indicates an error in trying to add
- * the Signature Proof Of Possession.
- */
-extern SECStatus
- CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg,
- SECKEYPrivateKey *inPrivKey,
- SECKEYPublicKey *inPubKey,
- CERTCertificate *inCertForInput,
- CRMFMACPasswordCallback fn,
- void *arg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to operate on.
- * inKeyChoice
- * An enumeration indicating which POPOPrivKey Choice to use
- * in constructing the KeyEnciphermentPOP.
- * subseqMess
- * This parameter must be provided iff inKeyChoice is
- * crmfSubsequentMessage. This details how the RA is to respond
- * in order to perform Proof Of Possession. Look in crmft.h under
- * the definition of CRMFSubseqMessOptions for possible values.
- * encPrivKey
- * This parameter only needs to be provided if inKeyChoice is
- * crmfThisMessage. The item should contain the encrypted private
- * key.
- *
- * NOTES:
- * Adds Proof Of Possession using the keyEncipherment field of
- * ProofOfPossession.
- *
- * The funciton looks at the the inKeyChoice parameter and interprets it in
- * in the following manner.
- *
- * If a parameter is not mentioned under interpretation, the funciton will not
- * look at its value when implementing that case.
- *
- * inKeyChoice Interpretation
- * ----------- --------------
- * crmfThisMessage This options requires that the encrypted private key
- * be included in the thisMessage field of POPOPrivKey.
- * We don't support this yet, so any clients who want
- * to use this feature have to implement a wrapping
- * function and agree with the server on how to properly
- * wrap the key. That encrypted key must be passed in
- * as the encPrivKey parameter.
- *
- * crmfSubequentMessage Must pass in a value for subseqMess. The value must
- * be either CRMFEncrCert or CRMFChallengeResp. The
- * parameter encPrivKey will not be looked at in this
- * case.
- *
- * crmfDHMAC This is not a valid option for this function. Passing
- * in this value will result in the function returning
- * SECFailure.
- * RETURN:
- * SECSuccess if adding KeyEnciphermentPOP was successful. Any other return
- * value indicates an error in adding KeyEnciphermentPOP.
- */
-extern SECStatus
- CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKeyChoice inKeyChoice,
- CRMFSubseqMessOptions subseqMess,
- SECItem *encPrivKey);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to operate on.
- * inKeyChoice
- * An enumeration indicating which POPOPrivKey Choice to use
- * in constructing the KeyAgreementPOP.
- * subseqMess
- * This parameter must be provided iff inKeyChoice is
- * crmfSubsequentMessage. This details how the RA is to respond
- * in order to perform Proof Of Possession. Look in crmft.h under
- * the definition of CRMFSubseqMessOptions for possible values.
- * encPrivKey
- * This parameter only needs to be provided if inKeyChoice is
- * crmfThisMessage. The item should contain the encrypted private
- * key.
- * Adds Proof Of Possession using the keyAgreement field of
- * ProofOfPossession.
- *
- * The funciton looks at the the inKeyChoice parameter and interprets it in
- * in the following manner.
- *
- * If a parameter is not mentioned under interpretation, the funciton will not
- * look at its value when implementing that case.
- *
- * inKeyChoice Interpretation
- * ----------- --------------
- * crmfThisMessage This options requires that the encrypted private key
- * be included in the thisMessage field of POPOPrivKey.
- * We don't support this yet, so any clients who want
- * to use this feature have to implement a wrapping
- * function and agree with the server on how to properly
- * wrap the key. That encrypted key must be passed in
- * as the encPrivKey parameter.
- *
- * crmfSubequentMessage Must pass in a value for subseqMess. The value must
- * be either crmfEncrCert or crmfChallengeResp. The
- * parameter encPrivKey will not be looked at in this
- * case.
- *
- * crmfDHMAC This option is not supported.
- */
-extern SECStatus
- CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKeyChoice inKeyChoice,
- CRMFSubseqMessOptions subseqMess,
- SECItem *encPrivKey);
-
-/*
- * FUNCTION: CRMF_CreateCertReqMsgFromDER
- * INPUTS:
- * buf
- * A buffer to the DER-encoded Certificate Request Message.
- * len
- * The length in bytes of the buffer 'buf'
- * NOTES:
- * This function passes the buffer to the ASN1 decoder and creates a
- * CRMFCertReqMsg structure. Do not try adding any fields to a message
- * returned from this function. Specifically adding more Controls or
- * Extensions may cause your program to crash.
- *
- * RETURN:
- * A pointer to the Certificate Request Message structure. A NULL return
- * value indicates the library was unable to parse the DER.
- */
-extern CRMFCertReqMsg* CRMF_CreateCertReqMsgFromDER(const char *buf, long len);
-
-/*
- * FUNCTION: CRMF_CreateCertReqMessagesFromDER
- * INPUTS:
- * buf
- * A buffer to the DER-encoded Certificate Request Messages.
- * len
- * The length in bytes of buf
- * NOTES:
- * This function passes the buffer to the ASN1 decoder and creates a
- * CRMFCertReqMessages structure. Do not try adding any fields to a message
- * derived from this function. Specifically adding more Controls or
- * Extensions may cause your program to crash.
- * The user must call CRMF_DestroyCertReqMessages after the return value is
- * no longer needed, ie when all individual messages have been extracted.
- *
- * RETURN:
- * A pointer to the Certificate Request Messages structure. A NULL return
- * value indicates the library was unable to parse the DER.
- */
-extern CRMFCertReqMessages*
- CRMF_CreateCertReqMessagesFromDER(const char *buf, long len);
-
-/*
- * FUNCTION: CRMF_DestroyCertReqMessages
- * INPUTS
- * inCertReqMsgs
- * The Messages to destroy.
- * RETURN:
- * SECSuccess if freeing the memory was done successfully. Any other
- * return value indicates an error in freeing up memory.
- */
-extern SECStatus
- CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs);
-
-/*
- * FUNCTION: CRMF_CertReqMessagesGetNumMessages
- * INPUTS:
- * inCertReqMsgs
- * The Request Messages to operate on.
- * RETURN:
- * The number of messages contained in the in the Request Messages
- * strucure.
- */
-extern int
- CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs);
-
-/*
- * FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex
- * INPUTS:
- * inReqMsgs
- * The Certificate Request Messages to operate on.
- * index
- * The index of the single message the user wants a copy of.
- * NOTES:
- * This function returns a copy of the request messages stored at the
- * index corresponding to the parameter 'index'. Indexing of the messages
- * is done in the same manner as a C array. Meaning the valid index are
- * 0...numMessages-1. User must call CRMF_DestroyCertReqMsg when done using
- * the return value of this function.
- *
- * RETURN:
- * SECSuccess if copying the message at the requested index was successful.
- * Any other return value indicates an invalid index or error while copying
- * the single request message.
- */
-extern CRMFCertReqMsg*
- CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
- int index);
-
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetID
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to get the ID from.
- * destID
- * A pointer to where the library can place the ID of the Message.
- * RETURN:
- * SECSuccess if the function was able to retrieve the ID and place it
- * at *destID. Any other return value indicates an error meaning the value
- * in *destId is un-reliable and should not be used by the caller of this
- * function.
- *
- */
-extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg,
- long *destID);
-
-/*
- * FUNCTION: CRMF_DoesRequestHaveField
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * inField
- * An enumeration indicating which filed of the certificate template
- * to look for.
- * NOTES:
- * All the fields in a certificate template are optional. This function
- * checks to see if the requested field is present. Look in crmft.h at the
- * definition of CRMFCertTemplateField for possible values for possible
- * querying.
- *
- * RETURN:
- * PR_TRUE iff the field corresponding to 'inField' has been specified as part
- * of 'inCertReq'
- * PR_FALSE iff the field corresponding to 'inField' has not been speicified
- * as part of 'inCertReq'
- *
- */
-extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest *inCertReq,
- CRMFCertTemplateField inField);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetCertRequest
- * INPUTS:
- * inCertReqMsg
- * The Certificate Request Message to operate on.
- * NOTES:
- * This function returns a copy of the Certificate Request to the user.
- * The user can keep adding to this request and then making it a part
- * of another message. After the user no longer wants to use the
- * returned request, the user must call CRMF_DestroyCertRequest and
- * pass it the request returned by this function.
- * RETURN:
- * A pointer to a copy of the certificate request contained by the message.
- * A NULL return value indicates an error occurred while copying the
- * certificate request.
- */
-extern CRMFCertRequest *
- CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateVersion
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * version
- * A pointer to where the library can store the version contatined
- * in the certificate template within the certifcate request.
- * RETURN:
- * SECSuccess if the Certificate template contains the version field. In
- * this case, *version will hold the value of the certificate template
- * version.
- * SECFailure indicates that version field was not present as part of
- * of the certificate template.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq,
- long *version);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber
- * INPUTS:
- * inCertReq
- * The certificate request to operate on.
- * serialNumber
- * A pointer where the library can put the serial number contained
- * in the certificate request's certificate template.
- * RETURN:
- * If a serial number exists in the CertTemplate of the request, the function
- * returns SECSuccess and the value at *serialNumber contains the serial
- * number.
- * If no serial number is present, then the function returns SECFailure and
- * the value at *serialNumber is un-changed.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
- long *serialNumber);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg
- * INPUT:
- * inCertReq
- * The Certificate Request to operate on.
- * destAlg
- * A Pointer to where the library can place a copy of the signing alg
- * used in the cert request's cert template.
- * RETURN:
- * If the signingAlg is present in the CertRequest's CertTemplate, then
- * the function returns SECSuccess and places a copy of sigingAlg in
- * *destAlg.
- * If no signingAlg is present, then the function returns SECFailure and
- * the value at *destAlg is un-changed
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
- SECAlgorithmID *destAlg);
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateIssuer
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * destIssuer
- * A pointer to where the library can place a copy of the cert
- * request's cert template issuer field.
- * RETURN:
- * If the issuer is present in the cert request cert template, the function
- * returns SECSuccess and places a copy of the issuer in *destIssuer.
- * If there is no issuer present, the funciton returns SECFailure and the
- * value at *destIssuer is unchanged.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
- CERTName *destIssuer);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateValidity
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * destValdity
- * A pointer to where the library can place a copy of the validity
- * info in the cert request cert template.
- * NOTES:
- * Pass the pointer to
- * RETURN:
- * If there is an OptionalValidity field, the function will return SECSuccess
- * and place the appropriate values in *destValidity->notBefore and
- * *destValidity->notAfter. (Each field is optional, but at least one will
- * be present if the function returns SECSuccess)
- *
- * If there is no OptionalValidity field, the function will return SECFailure
- * and the values at *destValidity will be un-changed.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
- CRMFGetValidity *destValidity);
-/*
- * FUNCTION: CRMF_DestroyGetValidity
- * INPUTS:
- * inValidity
- * A pointer to the memroy to be freed.
- * NOTES:
- * The function will free the memory allocated by the function
- * CRMF_CertRequestGetCertTemplateValidity. That means only memory pointed
- * to within the CRMFGetValidity structure. Since
- * CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the
- * structure passed into it, it will not free it. Meaning this function will
- * free the memory at inValidity->notBefore and inValidity->notAfter, but not
- * the memory directly at inValdity.
- *
- * RETURN:
- * SECSuccess if freeing the memory was successful. Any other return value
- * indicates an error while freeing the memory.
- */
-extern SECStatus
- CRMF_DestroyGetValidity(CRMFGetValidity *inValidity);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSubject
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * destSubject
- * A pointer to where the library can place a copy of the subject
- * contained in the request's cert template.
- * RETURN:
- * If there is a subject in the CertTemplate, then the function returns
- * SECSuccess and a copy of the subject is placed in *destSubject.
- *
- * If there is no subject, the function returns SECFailure and the values at
- * *destSubject is unchanged.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateSubject (CRMFCertRequest *inCertReq,
- CERTName *destSubject);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey
- * INPUTS:
- * inCertReq
- * The Cert request to operate on.
- * destPublicKey
- * A pointer to where the library can place a copy of the request's
- * cert template public key.
- * RETURN:
- * If there is a publicKey parameter in the CertRequest, the function returns
- * SECSuccess, and places a copy of the publicKey in *destPublicKey.
- *
- * If there is no publicKey, the function returns SECFailure and the value
- * at *destPublicKey is un-changed.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
- CERTSubjectPublicKeyInfo *destPublicKey);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID
- * INPUTS:
- * inCertReq
- * The Cert request to operate on.
- * destIssuerUID
- * A pointer to where the library can store a copy of the request's
- * cert template destIssuerUID.
- *
- * NOTES:
- * destIssuerUID is a bit string and will be returned in a SECItem as
- * a bit string. Meaning the len field contains the number of valid bits as
- * opposed to the number of bytes allocated.
- *
- * RETURN:
- * If the CertTemplate has an issuerUID, the function returns SECSuccess and
- * places a copy of the issuerUID in *destIssuerUID.
- *
- * If there is no issuerUID, the function returns SECFailure and the value
- * *destIssuerUID is unchanged.
- */
-extern SECStatus
- CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
- SECItem *destIssuerUID);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID
- * inCertReq
- * The Cert request to operate on.
- * destSubjectUID
- * A pointer to where the library can store a copy of the request's
- * cert template destIssuerUID.
- *
- * NOTES:
- * destSubjectUID is a bit string and will be returned in a SECItem as
- * a bit string. Meaning the len field contains the number of valid bits as
- * opposed to the number of bytes allocated.
- *
- * RETURN:
- * If the CertTemplate has an issuerUID, the function returns SECSuccess and
- * places a copy of the issuerUID in *destIssuerUID.
- *
- * If there is no issuerUID, the function returns SECSuccess and the value
- * *destIssuerUID is unchanged.
- */
-extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
- SECItem *destSubjectUID);
-
-/*
- * FUNCTION: CRMF_CertRequestGetNumberOfExtensions
- * INPUTS:
- * inCertReq
- * The cert request to operate on.
- * RETURN:
- * Returns the number of extensions contained by the Cert Request.
- */
-extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CertRequestGetExtensionAtIndex
- * INPUTS:
- * inCertReq
- * The Certificate request to operate on.
- * index
- * The index of the extension array whihc the user wants to access.
- * NOTES:
- * This function retrieves the extension at the index corresponding to the
- * parameter "index" indicates. Indexing is done like a C array.
- * (0 ... numElements-1)
- *
- * Call CRMF_DestroyCertExtension when done using the return value.
- *
- * RETURN:
- * A pointer to a copy of the extension at the desired index. A NULL
- * return value indicates an invalid index or an error while copying
- * the extension.
- */
-extern CRMFCertExtension *
- CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
- int index);
-/*
- * FUNCTION: CRMF_CertExtensionGetOidTag
- * INPUTS:
- * inExtension
-
- * The extension to operate on.
- * RETURN:
- * Returns the SECOidTag associated with the cert extension passed in.
- */
-extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension);
-
-/*
- * FUNCTION: CRMF_CertExtensionGetIsCritical
- * INPUT:
- * inExt
- * The cert extension to operate on.
- *
- * RETURN:
- * PR_TRUE if the extension is critical.
- * PR_FALSE if the extension is not critical.
- */
-extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt);
-
-/*
- * FUNCTION: CRMF_CertExtensionGetValue
- * INPUT:
- * inExtension
- * The extension to operate on.
- * NOTES:
- * Caller is responsible for freeing the memory associated with the return
- * value. Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return
- * value.
- *
- * RETURN:
- * A pointer to an item containig the value for the certificate extension.
- * A NULL return value indicates an error in copying the information.
- */
-extern SECItem* CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey
- * INPUTS:
- * inCertReqMsg
- * The certificate request message to operate on.
- * destKey
- * A pointer to where the library can place a pointer to
- * a copy of the Proof Of Possession Signing Key used
- * by the message.
- *
- * RETURN:
- * Get the POPOSigningKey associated with this CRMFCertReqMsg.
- * If the CertReqMsg does not have a pop, the function returns
- * SECFailure and the value at *destKey is un-changed..
- *
- * If the CertReqMsg does have a pop, then the CertReqMsg's
- * POPOSigningKey will be placed at *destKey.
- */
-extern SECStatus
- CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOSigningKey **destKey);
-
-/*
- * FUNCTION: CRMF_DestroyPOPOSigningKey
- * INPUTS:
- * inKey
- * The signing key to free.
- *
- * RETURN:
- * SECSuccess if freeing the memory was successful. Any other return value
- * indicates an error while freeing memory.
- */
-extern SECStatus CRMF_DestroyPOPOSigningKey (CRMFPOPOSigningKey *inKey);
-
-/*
- * FUNCTION: CRMF_POPOSigningKeyGetAlgID
- * INPUTS:
- * inSignKey
- * The Signing Key to operate on.
- * RETURN:
- * Return the algorithmID used by the CRMFPOPOSigningKey. User must
- * call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the
- * return value.
- */
-extern SECAlgorithmID*
- CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey);
-
-/*
- * FUNCTION: CRMF_POPOSigningKeyGetSignature
- * INPUTS:
- * inSignKey
- * The Signing Key to operate on.
- *
- * RETURN:
- * Get the actual signature stored away in the CRMFPOPOSigningKey. SECItem
- * returned is a BIT STRING, so the len field is the number of bits as opposed
- * to the total number of bytes allocatd. User must call
- * SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value.
- */
-extern SECItem* CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey);
-
-/*
- * FUNCTION: CRMF_POPOSigningKeyGetInput
- * INPUTS:
- * inSignKey
- * The Signing Key to operate on.
- * NOTES:
- * This function will return the der encoded input that was read in while
- * decoding. The API does not support this option when creating, so you
- * cannot add this field.
- *
- * RETURN:
- * Get the poposkInput that is part of the of the POPOSigningKey. If the
- * optional field is not part of the POPOSigningKey, the function returns
- * NULL.
- *
- * If the optional field is part of the POPOSingingKey, the function will
- * return a copy of the der encoded poposkInput.
- */
-extern SECItem* CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment
- * INPUTS:
- * inCertReqMsg
- * The certificate request message to operate on.
- * destKey
- * A pointer to where the library can place a pointer to a
- * copy of the POPOPrivKey representing Key Encipherment
- * Proof of Possession.
- *NOTES:
- * This function gets the POPOPrivKey associated with this CRMFCertReqMsg
- * for Key Encipherment.
- *
- * RETURN:
- * If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the
- * function returns SECFailure and the value at *destKey is un-changed.
- *
- * If the CertReqMsg did use Key Encipherment for ProofOfPossession, the
- * function returns SECSuccess and places the POPOPrivKey representing the
- * Key Encipherment Proof Of Possessin at *destKey.
- */
-extern SECStatus
- CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKey **destKey);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement
- * INPUTS:
- * inCertReqMsg
- * The certificate request message to operate on.
- * destKey
- * A pointer to where the library can place a pointer to a
- * copy of the POPOPrivKey representing Key Agreement
- * Proof of Possession.
- * NOTES:
- * This function gets the POPOPrivKey associated with this CRMFCertReqMsg for
- * Key Agreement.
- *
- * RETURN:
- * If the CertReqMsg used Key Agreement for Proof Of Possession, the
- * function returns SECSuccess and the POPOPrivKey for Key Agreement
- * is placed at *destKey.
- *
- * If the CertReqMsg did not use Key Agreement for Proof Of Possession, the
- * function return SECFailure and the value at *destKey is unchanged.
- */
-extern SECStatus
- CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKey **destKey);
-
-/*
- * FUNCTION: CRMF_DestroyPOPOPrivKey
- * INPUTS:
- * inPrivKey
- * The POPOPrivKey to destroy.
- * NOTES:
- * Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or
- * CRMF_GetPOPKeyAgreement.
- *
- * RETURN:
- * SECSuccess on successful destruction of the POPOPrivKey.
- * Any other return value indicates an error in freeing the
- * memory.
- */
-extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetChoice
- * INPUT:
- * inKey
- * The POPOPrivKey to operate on.
- * RETURN:
- * Returns which choice was used in constructing the POPPOPrivKey. Look at
- * the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return
- * values.
- */
-extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetThisMessage
- * INPUTS:
- * inKey
- * The POPOPrivKey to operate on.
- * destString
- * A pointer to where the library can place a copy of the This Message
- * field stored in the POPOPrivKey
- *
- * RETURN:
- * Returns the field thisMessage from the POPOPrivKey.
- * If the POPOPrivKey did not use the field thisMessage, the function
- * returns SECFailure and the value at *destString is unchanged.
- *
- * If the POPOPrivKey did use the field thisMessage, the function returns
- * SECSuccess and the BIT STRING representing thisMessage is placed
- * at *destString. BIT STRING representation means the len field is the
- * number of valid bits as opposed to the total number of bytes.
- */
-extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey *inKey,
- SECItem *destString);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetSubseqMess
- * INPUTS:
- * inKey
- * The POPOPrivKey to operate on.
- * destOpt
- * A pointer to where the library can place the value of the
- * Subsequent Message option used by POPOPrivKey.
- *
- * RETURN:
- * Retrieves the field subsequentMessage from the POPOPrivKey.
- * If the POPOPrivKey used the subsequentMessage option, the function
- * returns SECSuccess and places the appropriate enumerated value at
- * *destMessageOption.
- *
- * If the POPOPrivKey did not use the subsequenMessage option, the function
- * returns SECFailure and the value at *destOpt is un-changed.
- */
-extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey *inKey,
- CRMFSubseqMessOptions *destOpt);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetDHMAC
- * INPUTS:
- * inKey
- * The POPOPrivKey to operate on.
- * destMAC
- * A pointer to where the library can place a copy of the dhMAC
- * field of the POPOPrivKey.
- *
- * NOTES:
- * Returns the field dhMAC from the POPOPrivKey. The populated SECItem
- * is in BIT STRING format.
- *
- * RETURN:
- * If the POPOPrivKey used the dhMAC option, the function returns SECSuccess
- * and the BIT STRING for dhMAC will be placed at *destMAC. The len field in
- * destMAC (ie destMAC->len) will be the valid number of bits as opposed to
- * the number of allocated bytes.
- *
- * If the POPOPrivKey did not use the dhMAC option, the function returns
- * SECFailure and the value at *destMAC is unchanged.
- *
- */
-extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey,
- SECItem *destMAC);
-
-/*
- * FUNCTION: CRMF_CertRequestGetNumControls
- * INPUTS:
- * inCertReq
- * The Certificate Request to operate on.
- * RETURN:
- * Returns the number of Controls registered with this CertRequest.
- */
-extern int CRMF_CertRequestGetNumControls (CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CertRequestGetControlAtIndex
- * INPUTS:
- * inCertReq
- * The certificate request to operate on.
- * index
- * The index of the control the user wants a copy of.
- * NOTES:
- * Function retrieves the Control at located at index. The Controls
- * are numbered like a traditional C array (0 ... numElements-1)
- *
- * RETURN:
- * Returns a copy of the control at the index specified. This is a copy
- * so the user must call CRMF_DestroyControl after the return value is no
- * longer needed. A return value of NULL indicates an error while copying
- * the control or that the index was invalid.
- */
-extern CRMFControl*
- CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq,
- int index);
-
-/*
- * FUNCTION: CRMF_DestroyControl
- * INPUTS:
- * inControl
- * The Control to destroy.
- * NOTES:
- * Destroy a CRMFControl allocated by CRMF_GetControlAtIndex.
- *
- * RETURN:
- * SECSuccess if freeing the memory was successful. Any other return
- * value indicates an error while freeing the memory.
- */
-extern SECStatus CRMF_DestroyControl(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetControlType
- * INPUTS:
- * inControl
- * The control to operate on.
- * NOTES:
- * The function returns an enumertion which indicates the type of control
- * 'inControl'.
- *
- * RETURN:
- * Look in crmft.h at the definition of the enumerated type CRMFControlType
- * for the possible return values.
- */
-extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetRegTokenControlValue
- * INPUTS:
- * inControl
- * The Control to operate on.
- * NOTES:
- * The user must call SECITEM_FreeItem passing in the return value
- * after the returnvalue is no longer needed.
-
- * RETURN:
- * Return the value for a Registration Token Control.
- * The SECItem returned should be in UTF8 format. A NULL
- * return value indicates there was no Registration Control associated
- * with the Control.
- * (This library will not verify format. It assumes the client properly
- * formatted the strings when adding it or the message decoded was properly
- * formatted. The library will just give back the bytes it was given.)
- */
-extern SECItem* CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetAuthenticatorControlValue
- * INPUTS:
- * inControl
- * The Control to operate on.
- * NOTES:
- * The user must call SECITEM_FreeItem passing in the return value
- * after the returnvalue is no longer needed.
- *
- * RETURN:
- * Return the value for the Authenticator Control.
- * The SECItem returned should be in UTF8 format. A NULL
- * return value indicates there was no Authenticator Control associated
- * with the CRMFControl..
- * (This library will not verify format. It assumes the client properly
- * formatted the strings when adding it or the message decoded was properly
- * formatted. The library will just give back the bytes it was given.)
- */
-extern SECItem* CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetPKIArchiveOptions
- * INPUTS:inControl
- * The Control tooperate on.
- * NOTES:
- * This function returns a copy of the PKIArchiveOptions. The user must call
- * the function CRMF_DestroyPKIArchiveOptions when the return value is no
- * longer needed.
- *
- * RETURN:
- * Get the PKIArchiveOptions associated with the Control. A return
- * value of NULL indicates the Control was not a PKIArchiveOptions
- * Control.
- */
-extern CRMFPKIArchiveOptions*
- CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl);
-
-/*
- * FUNCTION: CMRF_DestroyPKIArchiveOptions
- * INPUTS:
- * inOptions
- * The ArchiveOptions to destroy.
- * NOTE:
- * Destroy the CRMFPKIArchiveOptions structure.
- *
- * RETURN:
- * SECSuccess if successful in freeing all the memory associated with
- * the PKIArchiveOptions. Any other return value indicates an error while
- * freeing the PKIArchiveOptions.
- */
-extern SECStatus
- CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetOptionType
- * INPUTS:
- * inOptions
- * The PKIArchiveOptions to operate on.
- * RETURN:
- * Returns the choice used for the PKIArchiveOptions. Look at the definition
- * of CRMFPKIArchiveOptionsType in crmft.h for possible return values.
- */
-extern CRMFPKIArchiveOptionsType
- CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey
- * INPUTS:
- * inOpts
- * The PKIArchiveOptions to operate on.
- *
- * NOTES:
- * The user must call CRMF_DestroyEncryptedKey when done using this return
- * value.
- *
- * RETURN:
- * Get the encryptedPrivKey field of the PKIArchiveOptions structure.
- * A return value of NULL indicates that encryptedPrivKey was not used as
- * the choice for this PKIArchiveOptions.
- */
-extern CRMFEncryptedKey*
- CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts);
-
-/*
- * FUNCTION: CRMF_EncryptedKeyGetChoice
- * INPUTS:
- * inEncrKey
- * The EncryptedKey to operate on.
- *
- * NOTES:
- * Get the choice used for representing the EncryptedKey.
- *
- * RETURN:
- * Returns the Choice used in representing the EncryptedKey. Look in
- * crmft.h at the definition of CRMFEncryptedKeyChoice for possible return
- * values.
- */
-extern CRMFEncryptedKeyChoice
- CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey);
-
-
-/*
- * FUNCTION: CRMF_EncryptedKeyGetEncryptedValue
- * INPUTS:
- * inKey
- * The EncryptedKey to operate on.
- *
- * NOTES:
- * The user must call CRMF_DestroyEncryptedValue passing in
- * CRMF_GetEncryptedValue's return value.
- *
- * RETURN:
- * A pointer to a copy of the EncryptedValue contained as a member of
- * the EncryptedKey.
- */
-extern CRMFEncryptedValue*
- CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey);
-
-/*
- * FUNCTION: CRMF_DestroyEncryptedValue
- * INPUTS:
- * inEncrValue
- * The EncryptedValue to destroy.
- *
- * NOTES:
- * Free up all memory associated with 'inEncrValue'.
- *
- * RETURN:
- * SECSuccess if freeing up the memory associated with the EncryptedValue
- * is successful. Any other return value indicates an error while freeing the
- * memory.
- */
-extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue);
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetEncValue
- * INPUTS:
- * inEncValue
- * The EncryptedValue to operate on.
- * NOTES:
- * Function retrieves the encValue from an EncryptedValue structure.
- *
- * RETURN:
- * A poiner to a SECItem containing the encValue of the EncryptedValue
- * structure. The return value is in BIT STRING format, meaning the
- * len field of the return structure represents the number of valid bits
- * as opposed to the allocated number of bytes.
- * ANULL return value indicates an error in copying the encValue field.
- */
-extern SECItem* CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetIntendedAlg
- * INPUTS
- * inEncValue
- * The EncryptedValue to operate on.
- * NOTES:
- * Retrieve the IntendedAlg field from the EncryptedValue structure.
- * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
- * the return value. When present, this alogorithm is the alogrithm for
- * which the private key will be used.
- *
- * RETURN:
- * A Copy of the intendedAlg field. A NULL return value indicates the
- * optional field was not present in the structure.
- */
-extern SECAlgorithmID*
- CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue);
-
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetSymmAlg
- * INPUTS
- * inEncValue
- * The EncryptedValue to operate on.
- * NOTES:
- * Retrieve the symmAlg field from the EncryptedValue structure.
- * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
- * the return value. When present, this is algorithm used to
- * encrypt the encValue of the EncryptedValue.
- *
- * RETURN:
- * A Copy of the symmAlg field. A NULL return value indicates the
- * optional field was not present in the structure.
- */
-extern SECAlgorithmID*
- CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue);
-
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetKeyAlg
- * INPUTS
- * inEncValue
- * The EncryptedValue to operate on.
- * NOTES:
- * Retrieve the keyAlg field from the EncryptedValue structure.
- * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
- * the return value. When present, this is the algorithm used to encrypt
- * the symmetric key in the encSymmKey field of the EncryptedValue structure.
- *
- * RETURN:
- * A Copy of the keyAlg field. A NULL return value indicates the
- * optional field was not present in the structure.
- */
-extern SECAlgorithmID*
- CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetValueHint
- * INPUTS:
- * inEncValue
- * The EncryptedValue to operate on.
- *
- * NOTES:
- * Return a copy of the der-encoded value hint.
- * User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the
- * return value. When, present, this is a value that the client which
- * originally issued a certificate request can use to reproduce any data
- * it wants. The RA does not know how to interpret this data.
- *
- * RETURN:
- * A copy of the valueHint field of the EncryptedValue. A NULL return
- * value indicates the optional valueHint field is not present in the
- * EncryptedValue.
- */
-extern SECItem*
- CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_EncrypteValueGetEncSymmKey
- * INPUTS:
- * inEncValue
- * The EncryptedValue to operate on.
- *
- * NOTES:
- * Return a copy of the encSymmKey field. This field is the encrypted
- * symmetric key that the client uses in doing Public Key wrap of a private
- * key. When present, this is the symmetric key that was used to wrap the
- * private key. (The encrypted private key will be stored in encValue
- * of the same EncryptedValue structure.) The user must call
- * SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer
- * needed.
- *
- * RETURN:
- * A copy of the optional encSymmKey field of the EncryptedValue structure.
- * The return value will be in BIT STRING format, meaning the len field will
- * be the number of valid bits as opposed to the number of bytes. A return
- * value of NULL means the optional encSymmKey field was not present in
- * the EncryptedValue structure.
- */
-extern SECItem*
- CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters
- * INPUTS:
- * inOptions
- * The PKiArchiveOptions to operate on.
- *
- * NOTES:
- * User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return
- * value is no longer needed.
- *
- * RETURN:
- * Get the keyGenParameters field of the PKIArchiveOptions.
- * A NULL return value indicates that keyGenParameters was not
- * used as the choice for this PKIArchiveOptions.
- *
- * The SECItem returned is in BIT STRING format (ie, the len field indicates
- * number of valid bits as opposed to allocated number of bytes.)
- */
-extern SECItem*
- CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey
- * INPUTS:
- * inOpt
- * The PKIArchiveOptions to operate on.
- * destVal
- * A pointer to where the library can place the value for
- * arciveRemGenPrivKey
- * RETURN:
- * If the PKIArchiveOptions used the archiveRemGenPrivKey field, the
- * function returns SECSuccess and fills the value at *destValue with either
- * PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a
- * value.
- *
- * If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the
- * function returns SECFailure and the value at *destValue is unchanged.
- */
-extern SECStatus
- CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
- PRBool *destVal);
-
-/* Helper functions that can be used by other libraries. */
-/*
- * A quick helper funciton to get the best wrap mechanism.
- */
-extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot);
-
-/*
- * A helper function to get a randomly generated IV from a mechanism
- * type.
- */
-extern SECItem* CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType);
-
-SEC_END_PROTOS
-#endif /*_CRMF_H_*/
-
-
diff --git a/security/nss/lib/crmf/crmfcont.c b/security/nss/lib/crmf/crmfcont.c
deleted file mode 100644
index b6e197522..000000000
--- a/security/nss/lib/crmf/crmfcont.c
+++ /dev/null
@@ -1,1164 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "pk11func.h"
-#include "keyhi.h"
-#include "secoid.h"
-
-static SECStatus
-crmf_modify_control_array (CRMFCertRequest *inCertReq, int count)
-{
- if (count > 0) {
- void *dummy = PORT_Realloc(inCertReq->controls,
- sizeof(CRMFControl*)*(count+2));
- if (dummy == NULL) {
- return SECFailure;
- }
- inCertReq->controls = dummy;
- } else {
- inCertReq->controls = PORT_ZNewArray(CRMFControl*, 2);
- }
- return (inCertReq->controls == NULL) ? SECFailure : SECSuccess ;
-}
-
-static SECStatus
-crmf_add_new_control(CRMFCertRequest *inCertReq,SECOidTag inTag,
- CRMFControl **destControl)
-{
- SECOidData *oidData;
- SECStatus rv;
- PRArenaPool *poolp;
- int numControls = 0;
- CRMFControl *newControl;
- CRMFControl **controls;
- void *mark;
-
- poolp = inCertReq->poolp;
- if (poolp == NULL) {
- return SECFailure;
- }
- mark = PORT_ArenaMark(poolp);
- if (inCertReq->controls != NULL) {
- while (inCertReq->controls[numControls] != NULL)
- numControls++;
- }
- rv = crmf_modify_control_array(inCertReq, numControls);
- if (rv != SECSuccess) {
- goto loser;
- }
- controls = inCertReq->controls;
- oidData = SECOID_FindOIDByTag(inTag);
- newControl = *destControl = PORT_ArenaZNew(poolp,CRMFControl);
- if (newControl == NULL) {
- goto loser;
- }
- rv = SECITEM_CopyItem(poolp, &newControl->derTag, &oidData->oid);
- if (rv != SECSuccess) {
- goto loser;
- }
- newControl->tag = inTag;
- controls[numControls] = newControl;
- controls[numControls+1] = NULL;
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp, mark);
- *destControl = NULL;
- return SECFailure;
-
-}
-
-SECStatus
-crmf_add_secitem_control(CRMFCertRequest *inCertReq, SECItem *value,
- SECOidTag inTag)
-{
- SECStatus rv;
- CRMFControl *newControl;
- void *mark;
-
- rv = crmf_add_new_control(inCertReq, inTag, &newControl);
- if (rv != SECSuccess) {
- return rv;
- }
- mark = PORT_ArenaMark(inCertReq->poolp);
- rv = SECITEM_CopyItem(inCertReq->poolp, &newControl->derValue, value);
- if (rv != SECSuccess) {
- PORT_ArenaRelease(inCertReq->poolp, mark);
- return rv;
- }
- PORT_ArenaUnmark(inCertReq->poolp, mark);
- return SECSuccess;
-}
-
-SECStatus
-CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq, SECItem *value)
-{
- return crmf_add_secitem_control(inCertReq, value,
- SEC_OID_PKIX_REGCTRL_REGTOKEN);
-}
-
-SECStatus
-CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq,
- SECItem *value)
-{
- return crmf_add_secitem_control(inCertReq, value,
- SEC_OID_PKIX_REGCTRL_AUTHENTICATOR);
-}
-
-SECStatus
-crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, PRBool freeit)
-{
- if (inEncrValue != NULL) {
- if (inEncrValue->intendedAlg) {
- SECOID_DestroyAlgorithmID(inEncrValue->intendedAlg, PR_TRUE);
- }
- if (inEncrValue->symmAlg) {
- SECOID_DestroyAlgorithmID(inEncrValue->symmAlg, PR_TRUE);
- }
- if (inEncrValue->encSymmKey.data) {
- PORT_Free(inEncrValue->encSymmKey.data);
- }
- if (inEncrValue->keyAlg) {
- SECOID_DestroyAlgorithmID(inEncrValue->keyAlg, PR_TRUE);
- }
- if (inEncrValue->valueHint.data) {
- PORT_Free(inEncrValue->valueHint.data);
- }
- if (inEncrValue->encValue.data) {
- PORT_Free(inEncrValue->encValue.data);
- }
- if (freeit) {
- PORT_Free(inEncrValue);
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue)
-{
- return crmf_destroy_encrypted_value(inEncrValue, PR_TRUE);
-}
-
-SECStatus
-crmf_copy_encryptedvalue_secalg(PRArenaPool *poolp,
- SECAlgorithmID *srcAlgId,
- SECAlgorithmID **destAlgId)
-{
- SECAlgorithmID *newAlgId;
-
- *destAlgId = newAlgId = (poolp != NULL) ?
- PORT_ArenaZNew(poolp, SECAlgorithmID) :
- PORT_ZNew(SECAlgorithmID);
- if (newAlgId == NULL) {
- return SECFailure;
- }
-
- return SECOID_CopyAlgorithmID(poolp, newAlgId, srcAlgId);
-}
-
-SECStatus
-crmf_copy_encryptedvalue(PRArenaPool *poolp,
- CRMFEncryptedValue *srcValue,
- CRMFEncryptedValue *destValue)
-{
- SECStatus rv;
-
- if (srcValue->intendedAlg != NULL) {
- rv = crmf_copy_encryptedvalue_secalg(poolp,
- srcValue->intendedAlg,
- &destValue->intendedAlg);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcValue->symmAlg != NULL) {
- rv = crmf_copy_encryptedvalue_secalg(poolp,
- srcValue->symmAlg,
- &destValue->symmAlg);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcValue->encSymmKey.data != NULL) {
- rv = crmf_make_bitstring_copy(poolp,
- &destValue->encSymmKey,
- &srcValue->encSymmKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcValue->keyAlg != NULL) {
- rv = crmf_copy_encryptedvalue_secalg(poolp,
- srcValue->keyAlg,
- &destValue->keyAlg);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcValue->valueHint.data != NULL) {
- rv = SECITEM_CopyItem(poolp,
- &destValue->valueHint,
- &srcValue->valueHint);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcValue->encValue.data != NULL) {
- rv = crmf_make_bitstring_copy(poolp,
- &destValue->encValue,
- &srcValue->encValue);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- return SECSuccess;
- loser:
- if (poolp == NULL && destValue != NULL) {
- crmf_destroy_encrypted_value(destValue, PR_TRUE);
- }
- return SECFailure;
-}
-
-SECStatus
-crmf_copy_encryptedkey(PRArenaPool *poolp,
- CRMFEncryptedKey *srcEncrKey,
- CRMFEncryptedKey *destEncrKey)
-{
- SECStatus rv;
- void *mark;
-
- if (poolp != NULL) {
- mark = PORT_ArenaMark(poolp);
- }
-
- switch (srcEncrKey->encKeyChoice) {
- case crmfEncryptedValueChoice:
- rv = crmf_copy_encryptedvalue(poolp,
- &srcEncrKey->value.encryptedValue,
- &destEncrKey->value.encryptedValue);
- break;
- case crmfEnvelopedDataChoice:
- destEncrKey->value.envelopedData =
- SEC_PKCS7CopyContentInfo(srcEncrKey->value.envelopedData);
- rv = (destEncrKey->value.envelopedData != NULL) ? SECSuccess:
- SECFailure;
- break;
- default:
- rv = SECFailure;
- }
- if (rv != SECSuccess) {
- goto loser;
- }
- destEncrKey->encKeyChoice = srcEncrKey->encKeyChoice;
- if (poolp != NULL) {
- PORT_ArenaUnmark(poolp, mark);
- }
- return SECSuccess;
-
- loser:
- if (poolp != NULL) {
- PORT_ArenaRelease(poolp, mark);
- }
- return SECFailure;
-}
-
-CRMFPKIArchiveOptions*
-crmf_create_encr_pivkey_option(CRMFEncryptedKey *inEncryptedKey)
-{
- CRMFPKIArchiveOptions *newArchOpt;
- SECStatus rv;
-
- newArchOpt = PORT_ZNew(CRMFPKIArchiveOptions);
- if (newArchOpt == NULL) {
- goto loser;
- }
-
- rv = crmf_copy_encryptedkey(NULL, inEncryptedKey,
- &newArchOpt->option.encryptedKey);
-
- if (rv != SECSuccess) {
- goto loser;
- }
- newArchOpt->archOption = crmfEncryptedPrivateKey;
- return newArchOpt;
- loser:
- if (newArchOpt != NULL) {
- CRMF_DestroyPKIArchiveOptions(newArchOpt);
- }
- return NULL;
-}
-
-static CRMFPKIArchiveOptions*
-crmf_create_keygen_param_option(SECItem *inKeyGenParams)
-{
- CRMFPKIArchiveOptions *newArchOptions;
- SECStatus rv;
-
- newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
- if (newArchOptions == NULL) {
- goto loser;
- }
- newArchOptions->archOption = crmfKeyGenParameters;
- rv = SECITEM_CopyItem(NULL, &newArchOptions->option.keyGenParameters,
- inKeyGenParams);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newArchOptions;
- loser:
- if (newArchOptions != NULL) {
- CRMF_DestroyPKIArchiveOptions(newArchOptions);
- }
- return NULL;
-}
-
-static CRMFPKIArchiveOptions*
-crmf_create_arch_rem_gen_privkey(PRBool archiveRemGenPrivKey)
-{
- unsigned char value;
- SECItem *dummy;
- CRMFPKIArchiveOptions *newArchOptions;
-
- value = (archiveRemGenPrivKey) ? hexTrue : hexFalse;
- newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
- if (newArchOptions == NULL) {
- goto loser;
- }
- dummy = SEC_ASN1EncodeItem(NULL,
- &newArchOptions->option.archiveRemGenPrivKey,
- &value, SEC_BooleanTemplate);
- PORT_Assert (dummy == &newArchOptions->option.archiveRemGenPrivKey);
- if (dummy != &newArchOptions->option.archiveRemGenPrivKey) {
- SECITEM_FreeItem (dummy, PR_TRUE);
- goto loser;
- }
- newArchOptions->archOption = crmfArchiveRemGenPrivKey;
- return newArchOptions;
- loser:
- if (newArchOptions != NULL) {
- CRMF_DestroyPKIArchiveOptions(newArchOptions);
- }
- return NULL;
-}
-
-CRMFPKIArchiveOptions*
-CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType, void *data)
-{
- CRMFPKIArchiveOptions* retOptions;
-
- PORT_Assert(data != NULL);
- if (data == NULL) {
- return NULL;
- }
- switch(inType) {
- case crmfEncryptedPrivateKey:
- retOptions = crmf_create_encr_pivkey_option((CRMFEncryptedKey*)data);
- break;
- case crmfKeyGenParameters:
- retOptions = crmf_create_keygen_param_option((SECItem*)data);
- break;
- case crmfArchiveRemGenPrivKey:
- retOptions = crmf_create_arch_rem_gen_privkey(*(PRBool*)data);
- break;
- default:
- retOptions = NULL;
- }
- return retOptions;
-}
-
-static SECStatus
-crmf_destroy_encrypted_key(CRMFEncryptedKey *inEncrKey, PRBool freeit)
-{
- PORT_Assert(inEncrKey != NULL);
- if (inEncrKey != NULL) {
- switch (inEncrKey->encKeyChoice){
- case crmfEncryptedValueChoice:
- crmf_destroy_encrypted_value(&inEncrKey->value.encryptedValue,
- PR_FALSE);
- break;
- case crmfEnvelopedDataChoice:
- SEC_PKCS7DestroyContentInfo(inEncrKey->value.envelopedData);
- break;
- default:
- break;
- }
- if (freeit) {
- PORT_Free(inEncrKey);
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions,
- PRBool freeit)
-{
- PORT_Assert(inArchOptions != NULL);
- if (inArchOptions != NULL) {
- switch (inArchOptions->archOption) {
- case crmfEncryptedPrivateKey:
- crmf_destroy_encrypted_key(&inArchOptions->option.encryptedKey,
- PR_FALSE);
- break;
- case crmfKeyGenParameters:
- case crmfArchiveRemGenPrivKey:
- /* This is a union, so having a pointer to one is like
- * having a pointer to both.
- */
- SECITEM_FreeItem(&inArchOptions->option.keyGenParameters,
- PR_FALSE);
- break;
- case crmfNoArchiveOptions:
- break;
- }
- if (freeit) {
- PORT_Free(inArchOptions);
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOptions)
-{
- return crmf_destroy_pkiarchiveoptions(inArchOptions, PR_TRUE);
-}
-
-static CK_MECHANISM_TYPE
-crmf_get_non_pad_mechanism(CK_MECHANISM_TYPE type)
-{
- switch (type) {
- case CKM_DES3_CBC_PAD:
- return CKM_DES3_CBC;
- case CKM_CAST5_CBC_PAD:
- return CKM_CAST5_CBC;
- case CKM_DES_CBC_PAD:
- return CKM_DES_CBC;
- case CKM_IDEA_CBC_PAD:
- return CKM_IDEA_CBC;
- case CKM_CAST3_CBC_PAD:
- return CKM_CAST3_CBC;
- case CKM_CAST_CBC_PAD:
- return CKM_CAST_CBC;
- case CKM_RC5_CBC_PAD:
- return CKM_RC5_CBC;
- case CKM_RC2_CBC_PAD:
- return CKM_RC2_CBC;
- case CKM_CDMF_CBC_PAD:
- return CKM_CDMF_CBC;
- }
- return type;
-}
-
-static CK_MECHANISM_TYPE
-crmf_get_pad_mech_from_tag(SECOidTag oidTag)
-{
- CK_MECHANISM_TYPE mechType;
- SECOidData *oidData;
-
- oidData = SECOID_FindOIDByTag(oidTag);
- mechType = (CK_MECHANISM_TYPE)oidData->mechanism;
- return PK11_GetPadMechanism(mechType);
-}
-
-static CK_MECHANISM_TYPE
-crmf_get_best_privkey_wrap_mechanism(PK11SlotInfo *slot)
-{
- CK_MECHANISM_TYPE privKeyPadMechs[] = { CKM_DES3_CBC_PAD,
- CKM_CAST5_CBC_PAD,
- CKM_DES_CBC_PAD,
- CKM_IDEA_CBC_PAD,
- CKM_CAST3_CBC_PAD,
- CKM_CAST_CBC_PAD,
- CKM_RC5_CBC_PAD,
- CKM_RC2_CBC_PAD,
- CKM_CDMF_CBC_PAD };
- int mechCount = sizeof(privKeyPadMechs)/sizeof(privKeyPadMechs[0]);
- int i;
-
- for (i=0; i < mechCount; i++) {
- if (PK11_DoesMechanism(slot, privKeyPadMechs[i])) {
- return privKeyPadMechs[i];
- }
- }
- return CKM_INVALID_MECHANISM;
-}
-
-CK_MECHANISM_TYPE
-CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot)
-{
- return crmf_get_best_privkey_wrap_mechanism(slot);
-}
-
-static SECItem*
-crmf_get_iv(CK_MECHANISM_TYPE mechType)
-{
- int iv_size = PK11_GetIVLength(mechType);
- SECItem *iv;
- SECStatus rv;
-
- iv = PORT_ZNew(SECItem);
- if (iv == NULL) {
- return NULL;
- }
- if (iv_size == 0) {
- iv->data = NULL;
- iv->len = 0;
- return iv;
- }
- iv->data = PORT_NewArray(unsigned char, iv_size);
- if (iv->data == NULL) {
- iv->len = 0;
- return iv;
- }
- iv->len = iv_size;
- rv = PK11_GenerateRandom(iv->data, iv->len);
- if (rv != SECSuccess) {
- PORT_Free(iv->data);
- iv->data = NULL;
- iv->len = 0;
- }
- return iv;
-}
-
-SECItem*
-CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType)
-{
- return crmf_get_iv(mechType);
-}
-
-CK_MECHANISM_TYPE
-crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey)
-{
- CERTSubjectPublicKeyInfo *spki = NULL;
- SECOidTag tag;
-
-
- spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
- if (spki == NULL) {
- return CKM_INVALID_MECHANISM;
- }
- tag = SECOID_FindOIDTag(&spki->algorithm.algorithm);
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- spki = NULL;
- return PK11_AlgtagToMechanism(tag);
-}
-
-SECItem*
-crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest)
-{
- SECItem *pubValue;
-
- if (dest != NULL) {
- pubValue = dest;
- } else {
- pubValue = PORT_ZNew(SECItem);
- }
- switch(pubKey->keyType) {
- case dsaKey:
- SECITEM_CopyItem(NULL, pubValue, &pubKey->u.dsa.publicValue);
- break;
- case rsaKey:
- SECITEM_CopyItem(NULL, pubValue, &pubKey->u.rsa.modulus);
- break;
- case dhKey:
- SECITEM_CopyItem(NULL, pubValue, &pubKey->u.dh.publicValue);
- break;
- default:
- if (dest == NULL) {
- PORT_Free(pubValue);
- }
- pubValue = NULL;
- break;
- }
- return pubValue;
-}
-
-static SECItem*
-crmf_decode_params(SECItem *inParams)
-{
- SECItem *params;
- SECStatus rv;
-
- params = PORT_ZNew(SECItem);
- rv = SEC_ASN1DecodeItem(NULL, params, SEC_OctetStringTemplate,
- inParams);
- if (rv != SECSuccess) {
- SECITEM_FreeItem(params, PR_TRUE);
- return NULL;
- }
- return params;
-}
-
-int
-crmf_get_key_size_from_mech(CK_MECHANISM_TYPE mechType)
-{
- CK_MECHANISM_TYPE keyGen = PK11_GetKeyGen(mechType);
-
- switch (keyGen) {
- case CKM_CDMF_KEY_GEN:
- case CKM_DES_KEY_GEN:
- return 8;
- case CKM_DES2_KEY_GEN:
- return 16;
- case CKM_DES3_KEY_GEN:
- return 24;
- }
- return 0;
-}
-
-SECStatus
-crmf_encrypted_value_unwrap_priv_key(PRArenaPool *poolp,
- CRMFEncryptedValue *encValue,
- SECKEYPrivateKey *privKey,
- SECKEYPublicKey *newPubKey,
- SECItem *nickname,
- PK11SlotInfo *slot,
- unsigned char keyUsage,
- SECKEYPrivateKey **unWrappedKey,
- void *wincx)
-{
- PK11SymKey *wrappingKey = NULL;
- CK_MECHANISM_TYPE wrapMechType;
- SECOidTag oidTag;
- SECItem *params = NULL, *publicValue = NULL;
- int keySize, origLen;
- CK_KEY_TYPE keyType;
- CK_ATTRIBUTE_TYPE *usage;
- CK_ATTRIBUTE_TYPE rsaUsage[] = {
- CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
- CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
- CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
- int usageCount;
-
- oidTag = SECOID_GetAlgorithmTag(encValue->symmAlg);
- wrapMechType = crmf_get_pad_mech_from_tag(oidTag);
- keySize = crmf_get_key_size_from_mech(wrapMechType);
- wrappingKey = PK11_PubUnwrapSymKey(privKey, &encValue->encSymmKey,
- wrapMechType, CKA_UNWRAP, keySize);
- if (wrappingKey == NULL) {
- goto loser;
- }/* Make the length a byte length instead of bit length*/
- params = (encValue->symmAlg != NULL) ?
- crmf_decode_params(&encValue->symmAlg->parameters) : NULL;
- origLen = encValue->encValue.len;
- encValue->encValue.len = CRMF_BITS_TO_BYTES(origLen);
- publicValue = crmf_get_public_value(newPubKey, NULL);
- switch(newPubKey->keyType) {
- default:
- case rsaKey:
- keyType = CKK_RSA;
- switch (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
- case KU_KEY_ENCIPHERMENT:
- usage = rsaUsage;
- usageCount = 2;
- break;
- case KU_DIGITAL_SIGNATURE:
- usage = &rsaUsage[2];
- usageCount = 2;
- break;
- case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
- case 0: /* default to everything */
- usage = rsaUsage;
- usageCount = 4;
- break;
- }
- break;
- case dhKey:
- keyType = CKK_DH;
- usage = dhUsage;
- usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
- break;
- case dsaKey:
- keyType = CKK_DSA;
- usage = dsaUsage;
- usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
- break;
- }
- *unWrappedKey = PK11_UnwrapPrivKey(slot, wrappingKey, wrapMechType, params,
- &encValue->encValue, nickname,
- publicValue, PR_TRUE,PR_TRUE,
- keyType, usage, usageCount, wincx);
- encValue->encValue.len = origLen;
- if (*unWrappedKey == NULL) {
- goto loser;
- }
- SECITEM_FreeItem (publicValue, PR_TRUE);
- if (params!= NULL) {
- SECITEM_FreeItem(params, PR_TRUE);
- }
- PK11_FreeSymKey(wrappingKey);
- return SECSuccess;
- loser:
- *unWrappedKey = NULL;
- return SECFailure;
-}
-
-CRMFEncryptedValue *
-crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey *inPrivKey,
- SECKEYPublicKey *inCAKey,
- CRMFEncryptedValue *destValue)
-{
- SECItem wrappedPrivKey, wrappedSymKey;
- SECItem encodedParam, *dummy;
- SECStatus rv;
- CK_MECHANISM_TYPE pubMechType, symKeyType;
- unsigned char *wrappedSymKeyBits;
- unsigned char *wrappedPrivKeyBits;
- SECItem *iv = NULL;
- SECOidTag tag;
- PK11SymKey *symKey;
- PK11SlotInfo *slot;
- SECAlgorithmID *symmAlg;
- CRMFEncryptedValue *myEncrValue = NULL;
-
- encodedParam.data = NULL;
- wrappedSymKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
- wrappedPrivKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
- if (wrappedSymKeyBits == NULL || wrappedPrivKeyBits == NULL) {
- goto loser;
- }
- if (destValue == NULL) {
- myEncrValue = destValue = PORT_ZNew(CRMFEncryptedValue);
- if (destValue == NULL) {
- goto loser;
- }
- }
-
- pubMechType = crmf_get_mechanism_from_public_key(inCAKey);
- if (pubMechType == CKM_INVALID_MECHANISM) {
- /* XXX I should probably do something here for non-RSA
- * keys that are in certs. (ie DSA)
- */
- goto loser;
- }
- slot = inPrivKey->pkcs11Slot;
- PORT_Assert(slot != NULL);
- symKeyType = crmf_get_best_privkey_wrap_mechanism(slot);
- symKey = PK11_KeyGen(slot, symKeyType, NULL, 0, NULL);
- if (symKey == NULL) {
- goto loser;
- }
-
- wrappedSymKey.data = wrappedSymKeyBits;
- wrappedSymKey.len = MAX_WRAPPED_KEY_LEN;
- rv = PK11_PubWrapSymKey(pubMechType, inCAKey, symKey, &wrappedSymKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- /* Make the length of the result a Bit String length. */
- wrappedSymKey.len <<= 3;
-
- wrappedPrivKey.data = wrappedPrivKeyBits;
- wrappedPrivKey.len = MAX_WRAPPED_KEY_LEN;
- iv = crmf_get_iv(symKeyType);
- rv = PK11_WrapPrivKey(slot, symKey, inPrivKey, symKeyType, iv,
- &wrappedPrivKey, NULL);
- PK11_FreeSymKey(symKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- /* Make the length of the result a Bit String length. */
- wrappedPrivKey.len <<= 3;
- rv = crmf_make_bitstring_copy(NULL,
- &destValue->encValue,
- &wrappedPrivKey);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = crmf_make_bitstring_copy(NULL,
- &destValue->encSymmKey,
- &wrappedSymKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- destValue->symmAlg = symmAlg = PORT_ZNew(SECAlgorithmID);
- if (symmAlg == NULL) {
- goto loser;
- }
-
- dummy = SEC_ASN1EncodeItem(NULL, &encodedParam, iv,
- SEC_OctetStringTemplate);
- if (dummy != &encodedParam) {
- SECITEM_FreeItem(dummy, PR_TRUE);
- goto loser;
- }
-
- symKeyType = crmf_get_non_pad_mechanism(symKeyType);
- tag = PK11_MechanismToAlgtag(symKeyType);
- rv = SECOID_SetAlgorithmID(NULL, symmAlg, tag, &encodedParam);
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_Free(encodedParam.data);
- PORT_Free(wrappedPrivKeyBits);
- PORT_Free(wrappedSymKeyBits);
- if (iv->data != NULL) {
- PORT_Free(iv->data);
- }
- PORT_Free(iv);
- return destValue;
- loser:
- if (iv != NULL) {
- if (iv->data) {
- PORT_Free(iv->data);
- }
- PORT_Free(iv);
- }
- if (myEncrValue != NULL) {
- crmf_destroy_encrypted_value(myEncrValue, PR_TRUE);
- }
- if (wrappedSymKeyBits != NULL) {
- PORT_Free(wrappedSymKeyBits);
- }
- if (wrappedPrivKeyBits != NULL) {
- PORT_Free(wrappedPrivKeyBits);
- }
- if (encodedParam.data != NULL) {
- PORT_Free(encodedParam.data);
- }
- return NULL;
-}
-
-CRMFEncryptedKey*
-CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
- CERTCertificate *inCACert)
-{
- SECKEYPublicKey *caPubKey = NULL;
- CRMFEncryptedKey *encKey = NULL;
- CRMFEncryptedValue *dummy;
-
- PORT_Assert(inPrivKey != NULL && inCACert != NULL);
- if (inPrivKey == NULL || inCACert == NULL) {
- return NULL;
- }
-
- caPubKey = CERT_ExtractPublicKey(inCACert);
- if (caPubKey == NULL) {
- goto loser;
- }
-
- encKey = PORT_ZNew(CRMFEncryptedKey);
- if (encKey == NULL) {
- goto loser;
- }
- dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey,
- caPubKey,
- &encKey->value.encryptedValue);
- PORT_Assert(dummy == &encKey->value.encryptedValue);
- /* We won't add the der value here, but rather when it
- * becomes part of a certificate request.
- */
- SECKEY_DestroyPublicKey(caPubKey);
- encKey->encKeyChoice = crmfEncryptedValueChoice;
- return encKey;
- loser:
- if (encKey != NULL) {
- CRMF_DestroyEncryptedKey(encKey);
- }
- if (caPubKey != NULL) {
- SECKEY_DestroyPublicKey(caPubKey);
- }
- return NULL;
-}
-
-SECStatus
-CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey)
-{
- return crmf_destroy_encrypted_key(inEncrKey, PR_TRUE);
-}
-
-SECStatus
-crmf_copy_pkiarchiveoptions(PRArenaPool *poolp,
- CRMFPKIArchiveOptions *destOpt,
- CRMFPKIArchiveOptions *srcOpt)
-{
- SECStatus rv;
- destOpt->archOption = srcOpt->archOption;
- switch (srcOpt->archOption) {
- case crmfEncryptedPrivateKey:
- rv = crmf_copy_encryptedkey(poolp,
- &srcOpt->option.encryptedKey,
- &destOpt->option.encryptedKey);
- break;
- case crmfKeyGenParameters:
- case crmfArchiveRemGenPrivKey:
- /* We've got a union, so having a pointer to one is just
- * like having a pointer to the other one.
- */
- rv = SECITEM_CopyItem(poolp,
- &destOpt->option.keyGenParameters,
- &srcOpt->option.keyGenParameters);
- break;
- default:
- rv = SECFailure;
- }
- return rv;
-}
-
-static SECStatus
-crmf_check_and_adjust_archoption(CRMFControl *inControl)
-{
- CRMFPKIArchiveOptions *options;
-
- options = &inControl->value.archiveOptions;
- if (options->archOption == crmfNoArchiveOptions) {
- /* It hasn't been set, so figure it out from the
- * der.
- */
- switch (inControl->derValue.data[0] & 0x0f) {
- case 0:
- options->archOption = crmfEncryptedPrivateKey;
- break;
- case 1:
- options->archOption = crmfKeyGenParameters;
- break;
- case 2:
- options->archOption = crmfArchiveRemGenPrivKey;
- break;
- default:
- /* We've got bad DER. Return an error. */
- return SECFailure;
- }
- }
- return SECSuccess;
-}
-
-static const SEC_ASN1Template *
-crmf_get_pkiarchive_subtemplate(CRMFControl *inControl)
-{
- const SEC_ASN1Template *retTemplate;
- SECStatus rv;
- /*
- * We could be in the process of decoding, in which case the
- * archOption field will not be set. Let's check it and set
- * it accordingly.
- */
-
- rv = crmf_check_and_adjust_archoption(inControl);
- if (rv != SECSuccess) {
- return NULL;
- }
-
- switch (inControl->value.archiveOptions.archOption) {
- case crmfEncryptedPrivateKey:
- retTemplate = CRMFEncryptedKeyWithEncryptedValueTemplate;
- inControl->value.archiveOptions.option.encryptedKey.encKeyChoice =
- crmfEncryptedValueChoice;
- break;
- default:
- retTemplate = NULL;
- }
- return retTemplate;
-}
-
-const SEC_ASN1Template*
-crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl)
-{
- const SEC_ASN1Template *retTemplate;
-
- switch (inControl->tag) {
- case SEC_OID_PKIX_REGCTRL_REGTOKEN:
- case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
- retTemplate = SEC_UTF8StringTemplate;
- break;
- case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
- retTemplate = crmf_get_pkiarchive_subtemplate(inControl);
- break;
- case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
- case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
- case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
- /* We don't support these controls, so we fail for now.*/
- retTemplate = NULL;
- break;
- default:
- retTemplate = NULL;
- }
- return retTemplate;
-}
-
-static SECStatus
-crmf_encode_pkiarchiveoptions(PRArenaPool *poolp, CRMFControl *inControl)
-{
- const SEC_ASN1Template *asn1Template;
- SECStatus rv;
-
- asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
- /* We've got a union, so passing a pointer to one element of the
- * union, is the same as passing a pointer to any of the other
- * members of the union.
- */
- SEC_ASN1EncodeItem(poolp, &inControl->derValue,
- &inControl->value.archiveOptions, asn1Template);
-
- if (inControl->derValue.data == NULL) {
- goto loser;
- }
- return SECSuccess;
- loser:
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest *inCertReq,
- CRMFPKIArchiveOptions *inOptions)
-{
- CRMFControl *newControl;
- PRArenaPool *poolp;
- SECStatus rv;
- void *mark;
-
- PORT_Assert(inCertReq != NULL && inOptions != NULL);
- if (inCertReq == NULL || inOptions == NULL) {
- return SECFailure;
- }
- poolp = inCertReq->poolp;
- mark = PORT_ArenaMark(poolp);
- rv = crmf_add_new_control(inCertReq,
- SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
- &newControl);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = crmf_copy_pkiarchiveoptions(poolp,
- &newControl->value.archiveOptions,
- inOptions);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = crmf_encode_pkiarchiveoptions(poolp, newControl);
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-SECStatus
-crmf_destroy_control(CRMFControl *inControl, PRBool freeit)
-{
- PORT_Assert(inControl != NULL);
- if (inControl != NULL) {
- SECITEM_FreeItem(&inControl->derTag, PR_FALSE);
- SECITEM_FreeItem(&inControl->derValue, PR_FALSE);
- /* None of the other tags require special processing at
- * the moment when freeing because they are not supported,
- * but if/when they are, add the necessary routines here.
- * If all controls are supported, then every member of the
- * union inControl->value will have a case that deals with
- * it in the following switch statement.
- */
- switch (inControl->tag) {
- case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
- crmf_destroy_pkiarchiveoptions(&inControl->value.archiveOptions,
- PR_FALSE);
- break;
- default:
- /* Put this here to get rid of all those annoying warnings.*/
- break;
- }
- if (freeit) {
- PORT_Free(inControl);
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyControl(CRMFControl *inControl)
-{
- return crmf_destroy_control(inControl, PR_TRUE);
-}
-
-static SECOidTag
-crmf_controltype_to_tag(CRMFControlType inControlType)
-{
- SECOidTag retVal;
-
- switch(inControlType) {
- case crmfRegTokenControl:
- retVal = SEC_OID_PKIX_REGCTRL_REGTOKEN;
- break;
- case crmfAuthenticatorControl:
- retVal = SEC_OID_PKIX_REGCTRL_AUTHENTICATOR;
- break;
- case crmfPKIPublicationInfoControl:
- retVal = SEC_OID_PKIX_REGCTRL_PKIPUBINFO;
- break;
- case crmfPKIArchiveOptionsControl:
- retVal = SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
- break;
- case crmfOldCertIDControl:
- retVal = SEC_OID_PKIX_REGCTRL_OLD_CERT_ID;
- break;
- case crmfProtocolEncrKeyControl:
- retVal = SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
- break;
- default:
- retVal = SEC_OID_UNKNOWN;
- break;
- }
- return retVal;
-}
-
-PRBool
-CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
- CRMFControlType inControlType)
-{
- SECOidTag controlTag;
- int i;
-
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL || inCertReq->controls == NULL) {
- return PR_FALSE;
- }
- controlTag = crmf_controltype_to_tag(inControlType);
- for (i=0; inCertReq->controls[i] != NULL; i++) {
- if (inCertReq->controls[i]->tag == controlTag) {
- return PR_TRUE;
- }
- }
- return PR_FALSE;
-}
-
diff --git a/security/nss/lib/crmf/crmfdec.c b/security/nss/lib/crmf/crmfdec.c
deleted file mode 100644
index cce945e6d..000000000
--- a/security/nss/lib/crmf/crmfdec.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "secitem.h"
-
-static CRMFPOPChoice
-crmf_get_popchoice_from_der(SECItem *derPOP)
-{
- CRMFPOPChoice retChoice;
-
- switch (derPOP->data[0] & 0x0f) {
- case 0:
- retChoice = crmfRAVerified;
- break;
- case 1:
- retChoice = crmfSignature;
- break;
- case 2:
- retChoice = crmfKeyEncipherment;
- break;
- case 3:
- retChoice = crmfKeyAgreement;
- break;
- default:
- retChoice = crmfNoPOPChoice;
- break;
- }
- return retChoice;
-}
-
-static SECStatus
-crmf_decode_process_raverified(CRMFCertReqMsg *inCertReqMsg)
-{
- CRMFProofOfPossession *pop;
- /* Just set up the structure so that the message structure
- * looks like one that was created using the API
- */
- pop = inCertReqMsg->pop;
- pop->popChoice.raVerified.data = NULL;
- pop->popChoice.raVerified.len = 0;
- return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_signature(CRMFCertReqMsg *inCertReqMsg)
-{
- return SEC_ASN1Decode(inCertReqMsg->poolp,
- &inCertReqMsg->pop->popChoice.signature,
- CRMFPOPOSigningKeyTemplate,
- (const char*)inCertReqMsg->derPOP.data,
- inCertReqMsg->derPOP.len);
-}
-
-static CRMFPOPOPrivKeyChoice
-crmf_get_messagechoice_from_der(SECItem *derPOP)
-{
- CRMFPOPOPrivKeyChoice retChoice;
-
- switch (derPOP->data[2] & 0x0f) {
- case 0:
- retChoice = crmfThisMessage;
- break;
- case 1:
- retChoice = crmfSubsequentMessage;
- break;
- case 2:
- retChoice = crmfDHMAC;
- break;
- default:
- retChoice = crmfNoMessage;
- }
- return retChoice;
-}
-
-static SECStatus
-crmf_decode_process_popoprivkey(CRMFCertReqMsg *inCertReqMsg)
-{
- /* We've got a union, so a pointer to one POPOPrivKey
- * struct is the same as having a pointer to the other
- * one.
- */
- CRMFPOPOPrivKey *popoPrivKey =
- &inCertReqMsg->pop->popChoice.keyEncipherment;
- SECItem *derPOP, privKeyDer;
- SECStatus rv;
-
- derPOP = &inCertReqMsg->derPOP;
- popoPrivKey->messageChoice = crmf_get_messagechoice_from_der(derPOP);
- if (popoPrivKey->messageChoice == crmfNoMessage) {
- return SECFailure;
- }
- /* If we ever encounter BER encodings of this, we'll get in trouble*/
- switch (popoPrivKey->messageChoice) {
- case crmfThisMessage:
- case crmfDHMAC:
- privKeyDer.data = &derPOP->data[5];
- privKeyDer.len = derPOP->len - 5;
- break;
- case crmfSubsequentMessage:
- privKeyDer.data = &derPOP->data[4];
- privKeyDer.len = derPOP->len - 4;
- break;
- default:
- rv = SECFailure;
- }
-
- rv = SECITEM_CopyItem(inCertReqMsg->poolp,
- &popoPrivKey->message.subsequentMessage,
- &privKeyDer);
-
- if (rv != SECSuccess) {
- return rv;
- }
-
- if (popoPrivKey->messageChoice == crmfThisMessage ||
- popoPrivKey->messageChoice == crmfDHMAC) {
-
- popoPrivKey->message.thisMessage.len =
- CRMF_BYTES_TO_BITS(privKeyDer.len) - (int)derPOP->data[4];
-
- }
- return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_keyagreement(CRMFCertReqMsg *inCertReqMsg)
-{
- return crmf_decode_process_popoprivkey(inCertReqMsg);
-}
-
-static SECStatus
-crmf_decode_process_keyencipherment(CRMFCertReqMsg *inCertReqMsg)
-{
- SECStatus rv;
-
- rv = crmf_decode_process_popoprivkey(inCertReqMsg);
- if (rv != SECSuccess) {
- return rv;
- }
- if (inCertReqMsg->pop->popChoice.keyEncipherment.messageChoice ==
- crmfDHMAC) {
- /* Key Encipherment can not use the dhMAC option for
- * POPOPrivKey.
- */
- return SECFailure;
- }
- return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_pop(CRMFCertReqMsg *inCertReqMsg)
-{
- SECItem *derPOP;
- PRArenaPool *poolp;
- CRMFProofOfPossession *pop;
- void *mark;
- SECStatus rv;
-
- derPOP = &inCertReqMsg->derPOP;
- poolp = inCertReqMsg->poolp;
- if (derPOP->data == NULL) {
- /* There is no Proof of Possession field in this message. */
- return SECSuccess;
- }
- mark = PORT_ArenaMark(poolp);
- pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
- if (pop == NULL) {
- goto loser;
- }
- pop->popUsed = crmf_get_popchoice_from_der(derPOP);
- if (pop->popUsed == crmfNoPOPChoice) {
- /* A bad encoding of CRMF. Not a valid tag was given to the
- * Proof Of Possession field.
- */
- goto loser;
- }
- inCertReqMsg->pop = pop;
- switch (pop->popUsed) {
- case crmfRAVerified:
- rv = crmf_decode_process_raverified(inCertReqMsg);
- break;
- case crmfSignature:
- rv = crmf_decode_process_signature(inCertReqMsg);
- break;
- case crmfKeyEncipherment:
- rv = crmf_decode_process_keyencipherment(inCertReqMsg);
- break;
- case crmfKeyAgreement:
- rv = crmf_decode_process_keyagreement(inCertReqMsg);
- break;
- default:
- rv = SECFailure;
- }
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp, mark);
- inCertReqMsg->pop = NULL;
- return SECFailure;
-
-}
-
-static SECStatus
-crmf_decode_process_single_control(PRArenaPool *poolp,
- CRMFControl *inControl)
-{
- const SEC_ASN1Template *asn1Template = NULL;
-
- inControl->tag = SECOID_FindOIDTag(&inControl->derTag);
- asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
-
- PORT_Assert (asn1Template != NULL);
- /* We've got a union, so passing a pointer to one element of the
- * union is the same as passing a pointer to any of the other
- * members of the union.
- */
- return SEC_ASN1Decode(poolp, &inControl->value.archiveOptions,
- asn1Template, (const char*)inControl->derValue.data,
- inControl->derValue.len);
-}
-
-static SECStatus
-crmf_decode_process_controls(CRMFCertReqMsg *inCertReqMsg)
-{
- int i, numControls;
- SECStatus rv;
- PRArenaPool *poolp;
- CRMFControl **controls;
-
- numControls = CRMF_CertRequestGetNumControls(inCertReqMsg->certReq);
- controls = inCertReqMsg->certReq->controls;
- poolp = inCertReqMsg->poolp;
- for (i=0; i < numControls; i++) {
- rv = crmf_decode_process_single_control(poolp, controls[i]);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- }
- return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_single_reqmsg(CRMFCertReqMsg *inCertReqMsg)
-{
- SECStatus rv;
-
- rv = crmf_decode_process_pop(inCertReqMsg);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = crmf_decode_process_controls(inCertReqMsg);
- if (rv != SECSuccess) {
- goto loser;
- }
- inCertReqMsg->certReq->certTemplate.numExtensions =
- CRMF_CertRequestGetNumberOfExtensions(inCertReqMsg->certReq);
- inCertReqMsg->isDecoded = PR_TRUE;
- rv = SECSuccess;
- loser:
- return rv;
-}
-
-CRMFCertReqMsg*
-CRMF_CreateCertReqMsgFromDER (const char * buf, long len)
-{
- PRArenaPool *poolp;
- CRMFCertReqMsg *certReqMsg;
- SECStatus rv;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- goto loser;
- }
- certReqMsg = PORT_ArenaZNew (poolp, CRMFCertReqMsg);
- if (certReqMsg == NULL) {
- goto loser;
- }
- certReqMsg->poolp = poolp;
- rv = SEC_ASN1Decode(poolp, certReqMsg, CRMFCertReqMsgTemplate, buf, len);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = crmf_decode_process_single_reqmsg(certReqMsg);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- return certReqMsg;
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-CRMFCertReqMessages*
-CRMF_CreateCertReqMessagesFromDER(const char *buf, long len)
-{
- long arenaSize;
- int i;
- SECStatus rv;
- PRArenaPool *poolp;
- CRMFCertReqMessages *certReqMsgs;
-
- PORT_Assert (buf != NULL);
- /* Wanna make sure the arena is big enough to store all of the requests
- * coming in. We'll guestimate according to the length of the buffer.
- */
- arenaSize = len * 1.5;
- poolp = PORT_NewArena(arenaSize);
- if (poolp == NULL) {
- return NULL;
- }
- certReqMsgs = PORT_ArenaZNew(poolp, CRMFCertReqMessages);
- if (certReqMsgs == NULL) {
- goto loser;
- }
- certReqMsgs->poolp = poolp;
- rv = SEC_ASN1Decode(poolp, certReqMsgs, CRMFCertReqMessagesTemplate,
- buf, len);
- if (rv != SECSuccess) {
- goto loser;
- }
- for (i=0; certReqMsgs->messages[i] != NULL; i++) {
- /* The sub-routines expect the individual messages to have
- * an arena. We'll give them one temporarily.
- */
- certReqMsgs->messages[i]->poolp = poolp;
- rv = crmf_decode_process_single_reqmsg(certReqMsgs->messages[i]);
- if (rv != SECSuccess) {
- goto loser;
- }
- certReqMsgs->messages[i]->poolp = NULL;
- }
- return certReqMsgs;
-
- loser:
- PORT_FreeArena(poolp, PR_FALSE);
- return NULL;
-}
diff --git a/security/nss/lib/crmf/crmfenc.c b/security/nss/lib/crmf/crmfenc.c
deleted file mode 100644
index f96041c96..000000000
--- a/security/nss/lib/crmf/crmfenc.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*- */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "crmf.h"
-#include "crmfi.h"
-
-SECStatus
-CRMF_EncodeCertReqMsg(CRMFCertReqMsg *inCertReqMsg,
- CRMFEncoderOutputCallback fn,
- void *arg)
-{
- struct crmfEncoderOutput output;
-
- output.fn = fn;
- output.outputArg = arg;
- return SEC_ASN1Encode(inCertReqMsg,CRMFCertReqMsgTemplate,
- crmf_encoder_out, &output);
-
-}
-
-
-SECStatus
-CRMF_EncodeCertRequest(CRMFCertRequest *inCertReq,
- CRMFEncoderOutputCallback fn,
- void *arg)
-{
- struct crmfEncoderOutput output;
-
- output.fn = fn;
- output.outputArg = arg;
- return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate,
- crmf_encoder_out, &output);
-}
-
-SECStatus
-CRMF_EncodeCertReqMessages(CRMFCertReqMsg **inCertReqMsgs,
- CRMFEncoderOutputCallback fn,
- void *arg)
-{
- struct crmfEncoderOutput output;
- CRMFCertReqMessages msgs;
-
- output.fn = fn;
- output.outputArg = arg;
- msgs.messages = inCertReqMsgs;
- return SEC_ASN1Encode(&msgs, CRMFCertReqMessagesTemplate,
- crmf_encoder_out, &output);
-}
-
-
-
-
diff --git a/security/nss/lib/crmf/crmffut.h b/security/nss/lib/crmf/crmffut.h
deleted file mode 100644
index e4244f3e6..000000000
--- a/security/nss/lib/crmf/crmffut.h
+++ /dev/null
@@ -1,390 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * These functions to be implemented in the future if the features
- * which these functions would implement wind up being needed.
- */
-
-/*
- * Use this functionto create the CRMFSinglePubInfo* variables that will
- * populate the inPubInfoArray paramter for the funciton
- * CRMF_CreatePKIPublicationInfo.
- *
- * "inPubMethod" specifies which publication method will be used
- * "pubLocation" is a representation of the location where
- */
-extern CRMFSinglePubInfo*
- CRMF_CreateSinglePubInfo(CRMFPublicationMethod inPubMethod,
- CRMFGeneralName *pubLocation);
-
-/*
- * Create a PKIPublicationInfo that can later be passed to the function
- * CRMFAddPubInfoControl.
- */
-extern CRMFPKIPublicationInfo *
- CRMF_CreatePKIPublicationInfo(CRMFPublicationAction inAction,
- CRMFSinglePubInfo **inPubInfoArray,
- int numPubInfo);
-
-/*
- * Only call this function on a CRMFPublicationInfo that was created by
- * CRMF_CreatePKIPublicationInfo that was passed in NULL for arena.
- */
-
-extern SECStatus
- CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
-
-extern SECStatus CRMF_AddPubInfoControl(CRMFCertRequest *inCertReq,
- CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * This is to create a Cert ID Control which can later be added to
- * a certificate request.
- */
-extern CRMFCertID* CRMF_CreateCertID(CRMFGeneralName *issuer,
- long serialNumber);
-
-extern SECStatus CRMF_DestroyCertID(CRMFCertID* certID);
-
-extern SECStatus CRMF_AddCertIDControl(CRMFCertRequest *inCertReq,
- CRMFCertID *certID);
-
-extern SECStatus
- CRMF_AddProtocolEncryptioKeyControl(CRMFCertRequest *inCertReq,
- CERTSubjectPublicKeyInfo *spki);
-
-/*
- * Add the ASCII Pairs Registration Info to the Certificate Request.
- * The SECItem must be an OCTET string representation.
- */
-extern SECStatus
- CRMF_AddUTF8PairsRegInfo(CRMFCertRequest *inCertReq,
- SECItem *asciiPairs);
-
-/*
- * This takes a CertRequest and adds it to another CertRequest.
- */
-extern SECStatus
- CRMF_AddCertReqToRegInfo(CRMFCertRequest *certReqToAddTo,
- CRMFCertRequest *certReqBeingAdded);
-
-/*
- * Returns which option was used for the authInfo field of POPOSigningKeyInput
- */
-extern CRMFPOPOSkiInputAuthChoice
- CRMF_GetSignKeyInputAuthChoice(CRMFPOPOSigningKeyInput *inKeyInput);
-
-/*
- * Gets the PKMACValue associated with the POPOSigningKeyInput.
- * If the POPOSigningKeyInput did not use authInfo.publicKeyMAC
- * the function returns SECFailure and the value at *destValue is unchanged.
- *
- * If the POPOSigningKeyInput did use authInfo.publicKeyMAC, the function
- * returns SECSuccess and places the PKMACValue at *destValue.
- */
-extern SECStatus
- CRMF_GetSignKeyInputPKMACValue(CRMFPOPOSigningKeyInput *inKeyInput,
- CRMFPKMACValue **destValue);
-/*
- * Gets the SubjectPublicKeyInfo from the POPOSigningKeyInput
- */
-extern CERTSubjectPublicKeyInfo *
- CRMF_GetSignKeyInputPublicKey(CRMFPOPOSigningKeyInput *inKeyInput);
-
-
-/*
- * Return the value for the PKIPublicationInfo Control.
- * A return value of NULL indicates that the Control was
- * not a PKIPublicationInfo Control. Call
- * CRMF_DestroyPKIPublicationInfo on the return value when done
- * using the pointer.
- */
-extern CRMFPKIPublicationInfo* CRMF_GetPKIPubInfo(CRMFControl *inControl);
-
-/*
- * Free up a CRMFPKIPublicationInfo structure.
- */
-extern SECStatus
- CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * Get the choice used for action in this PKIPublicationInfo.
- */
-extern CRMFPublicationAction
- CRMF_GetPublicationAction(CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * Get the number of pubInfos are stored in the PKIPubicationInfo.
- */
-extern int CRMF_GetNumPubInfos(CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * Get the pubInfo at index for the given PKIPubicationInfo.
- * Indexing is done like a traditional C Array. (0 .. numElements-1)
- */
-extern CRMFSinglePubInfo*
- CRMF_GetPubInfoAtIndex(CRMFPKIPublicationInfo *inPubInfo,
- int index);
-
-/*
- * Destroy the CRMFSinglePubInfo.
- */
-extern SECStatus CRMF_DestroySinglePubInfo(CRMFSinglePubInfo *inPubInfo);
-
-/*
- * Get the pubMethod used by the SinglePubInfo.
- */
-extern CRMFPublicationMethod
- CRMF_GetPublicationMethod(CRMFSinglePubInfo *inPubInfo);
-
-/*
- * Get the pubLocation associated with the SinglePubInfo.
- * A NULL return value indicates there was no pubLocation associated
- * with the SinglePuInfo.
- */
-extern CRMFGeneralName* CRMF_GetPubLocation(CRMFSinglePubInfo *inPubInfo);
-
-/*
- * Get the authInfo.sender field out of the POPOSigningKeyInput.
- * If the POPOSigningKeyInput did not use the authInfo the function
- * returns SECFailure and the value at *destName is unchanged.
- *
- * If the POPOSigningKeyInput did use authInfo.sender, the function returns
- * SECSuccess and puts the authInfo.sender at *destName/
- */
-extern SECStatus CRMF_GetSignKeyInputSender(CRMFPOPOSigningKeyInput *keyInput,
- CRMFGeneralName **destName);
-
-/**************** CMMF Functions that need to be added. **********************/
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
- * INPUTS:
- * inDecKeyChall
- * The CMMFPOPODecKeyChallContent to operate on.
- * inRandom
- * The random number to use when generating the challenge,
- * inSender
- * The GeneralName representation of the sender of the challenge.
- * inPubKey
- * The public key to use when encrypting the challenge.
- * NOTES:
- * This function adds a challenge to the end of the list of challenges
- * contained by 'inDecKeyChall'. Refer to the CMMF draft on how the
- * the random number passed in and the sender's GeneralName are used
- * to generate the challenge and witness fields of the challenge. This
- * library will use SHA1 as the one-way function for generating the
- * witess field of the challenge.
- *
- * RETURN:
- * SECSuccess if generating the challenge and adding to the end of list
- * of challenges was successful. Any other return value indicates an error
- * while trying to generate the challenge.
- */
-extern SECStatus
-CMMF_POPODecKeyChallContentSetNextChallenge
- (CMMFPOPODecKeyChallContent *inDecKeyChall,
- long inRandom,
- CERTGeneralName *inSender,
- SECKEYPublicKey *inPubKey);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
- * INPUTS:
- * inKeyChallCont
- * The CMMFPOPODecKeyChallContent to operate on.
- * RETURN:
- * This function returns the number of CMMFChallenges are contained in
- * the CMMFPOPODecKeyChallContent structure.
- */
-extern int CMMF_POPODecKeyChallContentGetNumChallenges
- (CMMFPOPODecKeyChallContent *inKeyChallCont);
-
-/*
- * FUNCTION: CMMF_ChallengeGetRandomNumber
- * INPUTS:
- * inChallenge
- * The CMMFChallenge to operate on.
- * inDest
- * A pointer to a user supplied buffer where the library
- * can place a copy of the random integer contatained in the
- * challenge.
- * NOTES:
- * This function returns the value held in the decrypted Rand structure
- * corresponding to the random integer. The user must call
- * CMMF_ChallengeDecryptWitness before calling this function. Call
- * CMMF_ChallengeIsDecrypted to find out if the challenge has been
- * decrypted.
- *
- * RETURN:
- * SECSuccess indicates the witness field has been previously decrypted
- * and the value for the random integer was successfully placed at *inDest.
- * Any other return value indicates an error and that the value at *inDest
- * is not a valid value.
- */
-extern SECStatus CMMF_ChallengeGetRandomNumber(CMMFChallenge *inChallenge,
- long *inDest);
-
-/*
- * FUNCTION: CMMF_ChallengeGetSender
- * INPUTS:
- * inChallenge
- * the CMMFChallenge to operate on.
- * NOTES:
- * This function returns the value held in the decrypted Rand structure
- * corresponding to the sender. The user must call
- * CMMF_ChallengeDecryptWitness before calling this function. Call
- * CMMF_ChallengeIsDecrypted to find out if the witness field has been
- * decrypted. The user must call CERT_DestroyGeneralName after the return
- * value is no longer needed.
- *
- * RETURN:
- * A pointer to a copy of the sender CERTGeneralName. A return value of
- * NULL indicates an error in trying to copy the information or that the
- * witness field has not been decrypted.
- */
-extern CERTGeneralName* CMMF_ChallengeGetSender(CMMFChallenge *inChallenge);
-
-/*
- * FUNCTION: CMMF_ChallengeGetAlgId
- * INPUTS:
- * inChallenge
- * The CMMFChallenge to operate on.
- * inDestAlgId
- * A pointer to memory where a pointer to a copy of the algorithm
- * id can be placed.
- * NOTES:
- * This function retrieves the one way function algorithm identifier
- * contained within the CMMFChallenge if the optional field is present.
- *
- * RETURN:
- * SECSucces indicates the function was able to place a pointer to a copy of
- * the alogrithm id at *inAlgId. If the value at *inDestAlgId is NULL,
- * that means there was no algorithm identifier present in the
- * CMMFChallenge. Any other return value indicates the function was not
- * able to make a copy of the algorithm identifier. In this case the value
- * at *inDestAlgId is not valid.
- */
-extern SECStatus CMMF_ChallengeGetAlgId(CMMFChallenge *inChallenge,
- SECAlgorithmID *inAlgId);
-
-/*
- * FUNCTION: CMMF_DestroyChallenge
- * INPUTS:
- * inChallenge
- * The CMMFChallenge to free up.
- * NOTES:
- * This function frees up all the memory associated with the CMMFChallenge
- * passed in.
- * RETURN:
- * SECSuccess if freeing all the memory associated with the CMMFChallenge
- * passed in is successful. Any other return value indicates an error
- * while freeing the memory.
- */
-extern SECStatus CMMF_DestroyChallenge (CMMFChallenge *inChallenge);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
- * INPUTS:
- * inDecKeyResp
- * The CMMFPOPODecKeyRespContent structure to free.
- * NOTES:
- * This function frees up all the memory associate with the
- * CMMFPOPODecKeyRespContent.
- *
- * RETURN:
- * SECSuccess if freeint up all the memory associated with the
- * CMMFPOPODecKeyRespContent structure is successful. Any other
- * return value indicates an error while freeing the memory.
- */
-extern SECStatus
- CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
-
-/*
- * FUNCTION: CMMF_ChallengeDecryptWitness
- * INPUTS:
- * inChallenge
- * The CMMFChallenge to operate on.
- * inPrivKey
- * The private key to use to decrypt the witness field.
- * NOTES:
- * This function uses the private key to decrypt the challenge field
- * contained in the CMMFChallenge. Make sure the private key matches the
- * public key that was used to encrypt the witness. The creator of
- * the challenge will most likely be an RA that has the public key
- * from a Cert request. So the private key should be the private key
- * associated with public key in that request. This function will also
- * verify the witness field of the challenge.
- *
- * RETURN:
- * SECSuccess if decrypting the witness field was successful. This does
- * not indicate that the decrypted data is valid, since the private key
- * passed in may not be the actual key needed to properly decrypt the
- * witness field. Meaning that there is a decrypted structure now, but
- * may be garbage because the private key was incorrect.
- * Any other return value indicates the function could not complete the
- * decryption process.
- */
-extern SECStatus CMMF_ChallengeDecryptWitness(CMMFChallenge *inChallenge,
- SECKEYPrivateKey *inPrivKey);
-
-/*
- * FUNCTION: CMMF_ChallengeIsDecrypted
- * INPUTS:
- * inChallenge
- * The CMMFChallenge to operate on.
- * RETURN:
- * This is a predicate function that returns PR_TRUE if the decryption
- * process has already been performed. The function return PR_FALSE if
- * the decryption process has not been performed yet.
- */
-extern PRBool CMMF_ChallengeIsDecrypted(CMMFChallenge *inChallenge);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
- * INPUTS:
- * inDecKeyCont
- * The CMMFPOPODecKeyChallContent to free
- * NOTES:
- * This function frees up all the memory associated with the
- * CMMFPOPODecKeyChallContent
- * RETURN:
- * SECSuccess if freeing up all the memory associatd with the
- * CMMFPOPODecKeyChallContent is successful. Any other return value
- * indicates an error while freeing the memory.
- *
- */
-extern SECStatus
- CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
-
diff --git a/security/nss/lib/crmf/crmfget.c b/security/nss/lib/crmf/crmfget.c
deleted file mode 100644
index 11f27a72d..000000000
--- a/security/nss/lib/crmf/crmfget.c
+++ /dev/null
@@ -1,478 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "keyhi.h"
-#include "secder.h"
-
-
-CRMFPOPChoice
-CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg)
-{
- PORT_Assert(inCertReqMsg != NULL);
- if (inCertReqMsg != NULL && inCertReqMsg->pop != NULL) {
- return inCertReqMsg->pop->popUsed;
- }
- return crmfNoPOPChoice;
-}
-
-static SECStatus
-crmf_destroy_validity(CRMFOptionalValidity *inValidity, PRBool freeit)
-{
- if (inValidity != NULL){
- if (inValidity->notBefore.data != NULL) {
- PORT_Free(inValidity->notBefore.data);
- }
- if (inValidity->notAfter.data != NULL) {
- PORT_Free(inValidity->notAfter.data);
- }
- if (freeit) {
- PORT_Free(inValidity);
- }
- }
- return SECSuccess;
-}
-
-static SECStatus
-crmf_copy_cert_request_validity(PRArenaPool *poolp,
- CRMFOptionalValidity **destValidity,
- CRMFOptionalValidity *srcValidity)
-{
- CRMFOptionalValidity *myValidity = NULL;
- SECStatus rv;
-
- *destValidity = myValidity = (poolp == NULL) ?
- PORT_ZNew(CRMFOptionalValidity) :
- PORT_ArenaZNew(poolp, CRMFOptionalValidity);
- if (myValidity == NULL) {
- goto loser;
- }
- if (srcValidity->notBefore.data != NULL) {
- rv = SECITEM_CopyItem(poolp, &myValidity->notBefore,
- &srcValidity->notBefore);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcValidity->notAfter.data != NULL) {
- rv = SECITEM_CopyItem(poolp, &myValidity->notAfter,
- &srcValidity->notAfter);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- return SECSuccess;
- loser:
- if (myValidity != NULL && poolp == NULL) {
- crmf_destroy_validity(myValidity, PR_TRUE);
- }
- return SECFailure;
-}
-
-static SECStatus
-crmf_copy_extensions(PRArenaPool *poolp,
- CRMFCertTemplate *destTemplate,
- CRMFCertExtension **srcExt)
-{
- int numExt = 0, i;
- CRMFCertExtension **myExtArray = NULL;
-
- while (srcExt[numExt] != NULL) {
- numExt++;
- }
- if (numExt == 0) {
- /*No extensions to copy.*/
- destTemplate->extensions = NULL;
- destTemplate->numExtensions = 0;
- return SECSuccess;
- }
- destTemplate->extensions = myExtArray =
- PORT_NewArray(CRMFCertExtension*, numExt+1);
- if (myExtArray == NULL) {
- goto loser;
- }
-
- for (i=0; i<numExt; i++) {
- myExtArray[i] = crmf_copy_cert_extension(poolp, srcExt[i]);
- if (myExtArray[i] == NULL) {
- goto loser;
- }
- }
- destTemplate->numExtensions = numExt;
- myExtArray[numExt] = NULL;
- return SECSuccess;
- loser:
- if (myExtArray != NULL) {
- if (poolp == NULL) {
- for (i=0; myExtArray[i] != NULL; i++) {
- CRMF_DestroyCertExtension(myExtArray[i]);
- }
- }
- PORT_Free(myExtArray);
- }
- destTemplate->extensions = NULL;
- destTemplate->numExtensions = 0;
- return SECFailure;
-}
-
-static SECStatus
-crmf_copy_cert_request_template(PRArenaPool *poolp,
- CRMFCertTemplate *destTemplate,
- CRMFCertTemplate *srcTemplate)
-{
- SECStatus rv;
-
- if (srcTemplate->version.data != NULL) {
- rv = SECITEM_CopyItem(poolp, &destTemplate->version,
- &srcTemplate->version);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->serialNumber.data != NULL) {
- rv = SECITEM_CopyItem(poolp, &destTemplate->serialNumber,
- &srcTemplate->serialNumber);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->signingAlg != NULL) {
- rv = crmf_template_copy_secalg(poolp, &destTemplate->signingAlg,
- srcTemplate->signingAlg);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->issuer != NULL) {
- rv = crmf_copy_cert_name(poolp, &destTemplate->issuer,
- srcTemplate->issuer);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->validity != NULL) {
- rv = crmf_copy_cert_request_validity(poolp, &destTemplate->validity,
- srcTemplate->validity);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->subject != NULL) {
- rv = crmf_copy_cert_name(poolp, &destTemplate->subject,
- srcTemplate->subject);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->publicKey != NULL) {
- rv = crmf_template_add_public_key(poolp, &destTemplate->publicKey,
- srcTemplate->publicKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->issuerUID.data != NULL) {
- rv = crmf_make_bitstring_copy(poolp, &destTemplate->issuerUID,
- &srcTemplate->issuerUID);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->subjectUID.data != NULL) {
- rv = crmf_make_bitstring_copy(poolp, &destTemplate->subjectUID,
- &srcTemplate->subjectUID);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (srcTemplate->extensions != NULL) {
- rv = crmf_copy_extensions(poolp, destTemplate,
- srcTemplate->extensions);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- return SECSuccess;
- loser:
- return SECFailure;
-}
-
-static CRMFControl*
-crmf_copy_control(PRArenaPool *poolp, CRMFControl *srcControl)
-{
- CRMFControl *newControl;
- SECStatus rv;
-
- newControl = (poolp == NULL) ? PORT_ZNew(CRMFControl) :
- PORT_ArenaZNew(poolp, CRMFControl);
- if (newControl == NULL) {
- goto loser;
- }
- newControl->tag = srcControl->tag;
- rv = SECITEM_CopyItem(poolp, &newControl->derTag, &srcControl->derTag);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(poolp, &newControl->derValue, &srcControl->derValue);
- if (rv != SECSuccess) {
- goto loser;
- }
- /* We only handle PKIArchiveOptions Control right now. But if in
- * the future, more controls that are part of the union are added,
- * then they need to be handled here as well.
- */
- switch (newControl->tag) {
- case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
- rv = crmf_copy_pkiarchiveoptions(poolp,
- &newControl->value.archiveOptions,
- &srcControl->value.archiveOptions);
- break;
- default:
- rv = SECSuccess;
- }
- if (rv != SECSuccess) {
- goto loser;
- }
- return newControl;
-
- loser:
- if (poolp == NULL && newControl != NULL) {
- CRMF_DestroyControl(newControl);
- }
- return NULL;
-}
-
-static SECStatus
-crmf_copy_cert_request_controls(PRArenaPool *poolp,
- CRMFCertRequest *destReq,
- CRMFCertRequest *srcReq)
-{
- int numControls, i;
- CRMFControl **myControls = NULL;
-
- numControls = CRMF_CertRequestGetNumControls(srcReq);
- if (numControls == 0) {
- /* No Controls To Copy*/
- return SECSuccess;
- }
- myControls = destReq->controls = PORT_NewArray(CRMFControl*,
- numControls+1);
- if (myControls == NULL) {
- goto loser;
- }
- for (i=0; i<numControls; i++) {
- myControls[i] = crmf_copy_control(poolp, srcReq->controls[i]);
- if (myControls[i] == NULL) {
- goto loser;
- }
- }
- myControls[numControls] = NULL;
- return SECSuccess;
- loser:
- if (myControls != NULL) {
- if (poolp == NULL) {
- for (i=0; myControls[i] != NULL; i++) {
- CRMF_DestroyControl(myControls[i]);
- }
- }
- PORT_Free(myControls);
- }
- return SECFailure;
-}
-
-
-CRMFCertRequest*
-crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq)
-{
- CRMFCertRequest *newReq = NULL;
- SECStatus rv;
-
- if (srcReq == NULL) {
- return NULL;
- }
- newReq = (poolp == NULL) ? PORT_ZNew(CRMFCertRequest) :
- PORT_ArenaZNew(poolp, CRMFCertRequest);
- if (newReq == NULL) {
- goto loser;
- }
- rv = SECITEM_CopyItem(poolp, &newReq->certReqId, &srcReq->certReqId);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = crmf_copy_cert_request_template(poolp, &newReq->certTemplate,
- &srcReq->certTemplate);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = crmf_copy_cert_request_controls(poolp, newReq, srcReq);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newReq;
- loser:
- if (newReq != NULL && poolp == NULL) {
- CRMF_DestroyCertRequest(newReq);
- }
- return NULL;
-}
-
-SECStatus
-CRMF_DestroyGetValidity(CRMFGetValidity *inValidity)
-{
- PORT_Assert(inValidity != NULL);
- if (inValidity != NULL) {
- if (inValidity->notAfter) {
- PORT_Free(inValidity->notAfter);
- inValidity->notAfter = NULL;
- }
- if (inValidity->notBefore) {
- PORT_Free(inValidity->notBefore);
- inValidity->notBefore = NULL;
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, SECItem *src)
-{
- int origLenBits;
- int bytesToCopy;
- SECStatus rv;
-
- origLenBits = src->len;
- bytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
- src->len = bytesToCopy;
- rv = SECITEM_CopyItem(arena, dest, src);
- src->len = origLenBits;
- if (rv != SECSuccess) {
- return rv;
- }
- dest->len = origLenBits;
- return SECSuccess;
-}
-
-int
-CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq)
-{
- CRMFCertTemplate *certTemplate;
- int count = 0;
-
- certTemplate = &inCertReq->certTemplate;
- if (certTemplate->extensions) {
- while (certTemplate->extensions[count] != NULL)
- count++;
- }
- return count;
-}
-
-SECOidTag
-CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension)
-{
- PORT_Assert(inExtension != NULL);
- if (inExtension == NULL) {
- return SEC_OID_UNKNOWN;
- }
- return SECOID_FindOIDTag(&inExtension->id);
-}
-
-PRBool
-CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt)
-{
- PORT_Assert(inExt != NULL);
- if (inExt == NULL) {
- return PR_FALSE;
- }
- return inExt->critical.data != NULL;
-}
-
-SECItem*
-CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension)
-{
- PORT_Assert(inExtension != NULL);
- if (inExtension == NULL) {
- return NULL;
- }
-
- return SECITEM_DupItem(&inExtension->value);
-}
-
-
-SECStatus
-CRMF_DestroyPOPOSigningKey(CRMFPOPOSigningKey *inKey)
-{
- PORT_Assert(inKey != NULL);
- if (inKey != NULL) {
- if (inKey->derInput.data != NULL) {
- SECITEM_FreeItem(&inKey->derInput, PR_FALSE);
- }
- if (inKey->algorithmIdentifier != NULL) {
- SECOID_DestroyAlgorithmID(inKey->algorithmIdentifier, PR_TRUE);
- }
- if (inKey->signature.data != NULL) {
- SECITEM_FreeItem(&inKey->signature, PR_FALSE);
- }
- PORT_Free(inKey);
- }
- return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey)
-{
- PORT_Assert(inPrivKey != NULL);
- if (inPrivKey != NULL) {
- SECITEM_FreeItem(&inPrivKey->message.thisMessage, PR_FALSE);
- PORT_Free(inPrivKey);
- }
- return SECSuccess;
-}
-
-int
-CRMF_CertRequestGetNumControls(CRMFCertRequest *inCertReq)
-{
- int count = 0;
-
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return 0;
- }
- if (inCertReq->controls) {
- while (inCertReq->controls[count] != NULL)
- count++;
- }
- return count;
-}
-
diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h
deleted file mode 100644
index 2a950452d..000000000
--- a/security/nss/lib/crmf/crmfi.h
+++ /dev/null
@@ -1,186 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#ifndef _CRMFI_H_
-#define _CRMFI_H_
-/* This file will contain all declarations common to both
- * encoding and decoding of CRMF Cert Requests. This header
- * file should only be included internally by CRMF implementation
- * files.
- */
-#include "secasn1.h"
-#include "crmfit.h"
-
-#define CRMF_DEFAULT_ARENA_SIZE 1024
-#define MAX_WRAPPED_KEY_LEN 2048
-
-
-#define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
-#define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
-
-struct crmfEncoderArg {
- SECItem *buffer;
- long allocatedLen;
-};
-
-struct crmfEncoderOutput {
- CRMFEncoderOutputCallback fn;
- void *outputArg;
-};
-
-/*
- * This funciton is used by the API for encoding functions that are
- * exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode*
- * functions.
- */
-extern void
- crmf_encoder_out(void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind);
-
-/*
- * This function is used when we want to encode something locally within
- * the library, ie the CertRequest so that we can produce its signature.
- */
-extern SECStatus
- crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
- SECItem *derDest);
-
-/*
- * This is the callback function we feed to the ASN1 encoder when doing
- * internal DER-encodings. ie, encoding the cert request so we can
- * produce a signature.
- */
-extern void
-crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind);
-
-/* The ASN1 templates that need to be seen by internal files
- * in order to implement CRMF.
- */
-extern const SEC_ASN1Template CRMFCertReqMsgTemplate[];
-extern const SEC_ASN1Template CRMFRAVerifiedTemplate[];
-extern const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[];
-extern const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[];
-extern const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[];
-extern const SEC_ASN1Template CRMFThisMessageTemplate[];
-extern const SEC_ASN1Template CRMFSubsequentMessageTemplate[];
-extern const SEC_ASN1Template CRMFDHMACTemplate[];
-extern const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate[];
-extern const SEC_ASN1Template CRMFEncryptedValueTemplate[];
-
-/*
- * Use these two values for encoding Boolean values.
- */
-extern const unsigned char hexTrue;
-extern const unsigned char hexFalse;
-/*
- * Prototypes for helper routines used internally by multiple files.
- */
-extern SECStatus crmf_encode_integer(PRArenaPool *poolp, SECItem *dest,
- long value);
-extern SECStatus crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest,
- SECItem *src);
-
-extern SECStatus crmf_copy_pkiarchiveoptions(PRArenaPool *poolp,
- CRMFPKIArchiveOptions *destOpt,
- CRMFPKIArchiveOptions *srcOpt);
-extern SECStatus
- crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions,
- PRBool freeit);
-extern const SEC_ASN1Template*
- crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl);
-
-extern SECStatus crmf_copy_encryptedkey(PRArenaPool *poolp,
- CRMFEncryptedKey *srcEncrKey,
- CRMFEncryptedKey *destEncrKey);
-extern SECStatus
-crmf_copy_encryptedvalue(PRArenaPool *poolp,
- CRMFEncryptedValue *srcValue,
- CRMFEncryptedValue *destValue);
-
-extern SECStatus
-crmf_copy_encryptedvalue_secalg(PRArenaPool *poolp,
- SECAlgorithmID *srcAlgId,
- SECAlgorithmID **destAlgId);
-
-extern SECStatus crmf_template_copy_secalg(PRArenaPool *poolp,
- SECAlgorithmID **dest,
- SECAlgorithmID *src);
-
-extern SECStatus crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest,
- CERTName *src);
-
-extern SECStatus crmf_template_add_public_key(PRArenaPool *poolp,
- CERTSubjectPublicKeyInfo **dest,
- CERTSubjectPublicKeyInfo *pubKey);
-
-extern CRMFCertExtension* crmf_create_cert_extension(PRArenaPool *poolp,
- SECOidTag tag,
- PRBool isCritical,
- SECItem *data);
-extern CRMFCertRequest*
-crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq);
-
-extern SECStatus crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue,
- PRBool freeit);
-
-extern CRMFEncryptedValue *
-crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey *inPrivKey,
- SECKEYPublicKey *inPubKey,
- CRMFEncryptedValue *destValue);
-
-extern CK_MECHANISM_TYPE
- crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey);
-
-extern SECStatus
-crmf_encrypted_value_unwrap_priv_key(PRArenaPool *poolp,
- CRMFEncryptedValue *encValue,
- SECKEYPrivateKey *privKey,
- SECKEYPublicKey *newPubKey,
- SECItem *nickname,
- PK11SlotInfo *slot,
- unsigned char keyUsage,
- SECKEYPrivateKey **unWrappedKey,
- void *wincx);
-
-extern SECItem*
-crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest);
-
-extern CRMFCertExtension*
-crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension);
-
-extern SECStatus
-crmf_create_prtime(SECItem *src, PRTime **dest);
-#endif /*_CRMFI_H_*/
diff --git a/security/nss/lib/crmf/crmfit.h b/security/nss/lib/crmf/crmfit.h
deleted file mode 100644
index 4cc95319a..000000000
--- a/security/nss/lib/crmf/crmfit.h
+++ /dev/null
@@ -1,216 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#ifndef _CRMFIT_H_
-#define _CRMFIT_H_
-
-struct CRMFCertReqMessagesStr {
- CRMFCertReqMsg **messages;
- PRArenaPool *poolp;
-};
-
-struct CRMFCertExtensionStr {
- SECItem id;
- SECItem critical;
- SECItem value;
-};
-
-
-struct CRMFOptionalValidityStr {
- SECItem notBefore;
- SECItem notAfter;
-};
-
-struct CRMFCertTemplateStr {
- SECItem version;
- SECItem serialNumber;
- SECAlgorithmID *signingAlg;
- CERTName *issuer;
- CRMFOptionalValidity *validity;
- CERTName *subject;
- CERTSubjectPublicKeyInfo *publicKey;
- SECItem issuerUID;
- SECItem subjectUID;
- CRMFCertExtension **extensions;
- int numExtensions;
-};
-
-struct CRMFCertIDStr {
- SECItem issuer; /* General Name */
- SECItem serialNumber; /*INTEGER*/
-};
-
-struct CRMFEncryptedValueStr {
- SECAlgorithmID *intendedAlg;
- SECAlgorithmID *symmAlg;
- SECItem encSymmKey; /*BIT STRING */
- SECAlgorithmID *keyAlg;
- SECItem valueHint; /*OCTET STRING */
- SECItem encValue; /*BIT STRING */
-};
-
-/*
- * The field derValue will contain the actual der
- * to include in the encoding or that was read in
- * from a der blob.
- */
-struct CRMFEncryptedKeyStr {
- union {
- SEC_PKCS7ContentInfo *envelopedData;
- CRMFEncryptedValue encryptedValue;
- } value;
- CRMFEncryptedKeyChoice encKeyChoice;
- SECItem derValue;
-};
-
-/* ASN1 must only have one of the following 3 options. */
-struct CRMFPKIArchiveOptionsStr {
- union {
- CRMFEncryptedKey encryptedKey;
- SECItem keyGenParameters;
- SECItem archiveRemGenPrivKey; /* BOOLEAN */
- } option;
- CRMFPKIArchiveOptionsType archOption;
-};
-
-struct CRMFPKIPublicationInfoStr {
- SECItem action; /* Possible values */
- /* dontPublish (0), pleasePublish (1) */
- CRMFSinglePubInfo **pubInfos;
-};
-
-struct CRMFControlStr {
- SECOidTag tag;
- SECItem derTag;
- SECItem derValue;
- /* These will be C structures used to represent the various
- * options. Values that can't be stored as der right away.
- * After creating these structures, we'll place their der
- * encoding in derValue so the encoder knows how to get to
- * it.
- */
- union {
- CRMFCertID oldCertId;
- CRMFPKIArchiveOptions archiveOptions;
- CRMFPKIPublicationInfo pubInfo;
- CRMFProtocolEncrKey protEncrKey;
- } value;
-};
-
-struct CRMFCertRequestStr {
- SECItem certReqId;
- CRMFCertTemplate certTemplate;
- CRMFControl **controls;
- /* The following members are used by the internal implementation, but
- * are not part of the encoding.
- */
- PRArenaPool *poolp;
- long requestID; /* This is the value that will be encoded into
- * the certReqId field.
- */
-};
-
-struct CRMFAttributeStr {
- SECItem derTag;
- SECItem derValue;
-};
-
-struct CRMFCertReqMsgStr {
- CRMFCertRequest *certReq;
- CRMFProofOfPossession *pop;
- CRMFAttribute **regInfo;
- SECItem derPOP;
- /* This arena will be used for allocating memory when decoding.
- */
- PRArenaPool *poolp;
- PRBool isDecoded;
-};
-
-struct CRMFPOPOSigningKeyInputStr {
- /* ASN1 must have only one of the next 2 options */
- union {
- SECItem sender; /*General Name*/
- CRMFPKMACValue *publicKeyMAC;
- }authInfo;
- CERTSubjectPublicKeyInfo publicKey;
-};
-
-struct CRMFPOPOSigningKeyStr {
- SECItem derInput; /*If in the future we support
- *POPOSigningKeyInput, this will
- *a C structure representation
- *instead.
- */
- SECAlgorithmID *algorithmIdentifier;
- SECItem signature; /* This is a BIT STRING. Remember */
-}; /* that when interpreting. */
-
-/* ASN1 must only choose one of these members */
-struct CRMFPOPOPrivKeyStr {
- union {
- SECItem thisMessage; /* BIT STRING */
- SECItem subsequentMessage; /*INTEGER*/
- SECItem dhMAC; /*BIT STRING*/
- } message;
- CRMFPOPOPrivKeyChoice messageChoice;
-};
-
-/* ASN1 must only have one of these options. */
-struct CRMFProofOfPossessionStr {
- union {
- SECItem raVerified;
- CRMFPOPOSigningKey signature;
- CRMFPOPOPrivKey keyEncipherment;
- CRMFPOPOPrivKey keyAgreement;
- } popChoice;
- CRMFPOPChoice popUsed; /*Not part of encoding*/
-};
-
-struct CRMFPKMACValueStr {
- SECAlgorithmID algID;
- SECItem value; /*BIT STRING*/
-};
-
-struct CRMFSinglePubInfoStr {
- SECItem pubMethod; /* Possible Values:
- * dontCare (0)
- * x500 (1)
- * web (2)
- * ldap (3)
- */
- CERTGeneralName *pubLocation; /* General Name */
-};
-
-#endif /* _CRMFIT_H_ */
diff --git a/security/nss/lib/crmf/crmfpop.c b/security/nss/lib/crmf/crmfpop.c
deleted file mode 100644
index d6ec26827..000000000
--- a/security/nss/lib/crmf/crmfpop.c
+++ /dev/null
@@ -1,604 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "secasn1.h"
-#include "keyhi.h"
-#include "cryptohi.h"
-
-#define CRMF_DEFAULT_ALLOC_SIZE 1024
-
-SECStatus
-crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
- SECItem *derDest)
-{
- derDest->data = PORT_ZNewArray(unsigned char, CRMF_DEFAULT_ALLOC_SIZE);
- if (derDest->data == NULL) {
- return SECFailure;
- }
- derDest->len = 0;
- encoderArg->allocatedLen = CRMF_DEFAULT_ALLOC_SIZE;
- encoderArg->buffer = derDest;
- return SECSuccess;
-
-}
-
-/* Caller should release or unmark the pool, instead of doing it here.
-** But there are NO callers of this function at present...
-*/
-SECStatus
-CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
-{
- SECItem *dummy;
- CRMFProofOfPossession *pop;
- PRArenaPool *poolp;
- void *mark;
-
- PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
- poolp = inCertReqMsg->poolp;
- mark = PORT_ArenaMark(poolp);
- if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
- return SECFailure;
- }
- pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
- if (pop == NULL) {
- goto loser;
- }
- pop->popUsed = crmfRAVerified;
- pop->popChoice.raVerified.data = NULL;
- pop->popChoice.raVerified.len = 0;
- inCertReqMsg->pop = pop;
- dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
- &(pop->popChoice.raVerified),
- CRMFRAVerifiedTemplate);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-SECOidTag
-crmf_map_keytag_to_signtag(SECOidTag inTag)
-{
- switch (inTag) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS:
- return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
- default:
- /* Put this in here to kill warnings. */
- break;
- }
- return inTag;
-}
-
-SECOidTag
-crmf_get_key_sign_tag(SECKEYPublicKey *inPubKey)
-{
- CERTSubjectPublicKeyInfo *spki;
- SECOidTag tag;
-
- spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
- if (spki == NULL) {
- return SEC_OID_UNKNOWN;
- }
- tag = SECOID_GetAlgorithmTag(&spki->algorithm);
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- return crmf_map_keytag_to_signtag(tag);
-}
-
-SECAlgorithmID*
-crmf_create_poposignkey_algid(PRArenaPool *poolp,
- SECKEYPublicKey *inPubKey)
-{
- SECAlgorithmID *algID;
- SECOidTag tag;
- SECStatus rv;
- void *mark;
-
- mark = PORT_ArenaMark(poolp);
- algID = PORT_ArenaZNew(poolp, SECAlgorithmID);
- if (algID == NULL) {
- goto loser;
- }
- tag = crmf_get_key_sign_tag(inPubKey);
- if (tag == SEC_OID_UNKNOWN) {
- goto loser;
- }
- rv = SECOID_SetAlgorithmID(poolp, algID, tag, NULL);
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- return algID;
- loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-static CRMFPOPOSigningKeyInput*
-crmf_create_poposigningkeyinput(PRArenaPool *poolp, CERTCertificate *inCert,
- CRMFMACPasswordCallback fn, void *arg)
-{
- /* PSM isn't going to do this, so we'll fail here for now.*/
- return NULL;
-}
-
-void
-crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- struct crmfEncoderArg *encoderArg = (struct crmfEncoderArg*)arg;
- unsigned char *cursor;
-
- if (encoderArg->buffer->len + len > encoderArg->allocatedLen) {
- int newSize = encoderArg->buffer->len+CRMF_DEFAULT_ALLOC_SIZE;
- void *dummy = PORT_Realloc(encoderArg->buffer->data, newSize);
- if (dummy == NULL) {
- /* I really want to return an error code here */
- PORT_Assert(0);
- return;
- }
- encoderArg->buffer->data = dummy;
- encoderArg->allocatedLen = newSize;
- }
- cursor = &(encoderArg->buffer->data[encoderArg->buffer->len]);
- PORT_Memcpy (cursor, buf, len);
- encoderArg->buffer->len += len;
-}
-
-static SECStatus
-crmf_encode_certreq(CRMFCertRequest *inCertReq, SECItem *derDest)
-{
- struct crmfEncoderArg encoderArg;
- SECStatus rv;
-
- rv = crmf_init_encoder_callback_arg (&encoderArg, derDest);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate,
- crmf_generic_encoder_callback, &encoderArg);
-}
-
-static SECStatus
-crmf_sign_certreq(PRArenaPool *poolp,
- CRMFPOPOSigningKey *crmfSignKey,
- CRMFCertRequest *certReq,
- SECKEYPrivateKey *inKey,
- SECAlgorithmID *inAlgId)
-{
- SECItem derCertReq;
- SECItem certReqSig;
- SECStatus rv = SECSuccess;
-
- rv = crmf_encode_certreq(certReq, &derCertReq);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SEC_SignData(&certReqSig, derCertReq.data, derCertReq.len,
- inKey,SECOID_GetAlgorithmTag(inAlgId));
- if (rv != SECSuccess) {
- goto loser;
- }
-
- /* Now make it a part of the POPOSigningKey */
- rv = SECITEM_CopyItem(poolp, &(crmfSignKey->signature), &certReqSig);
- /* Convert this length to number of bits */
- crmfSignKey->signature.len <<= 3;
-
- loser:
- if (derCertReq.data != NULL) {
- PORT_Free(derCertReq.data);
- }
- if (certReqSig.data != NULL) {
- PORT_Free(certReqSig.data);
- }
- return rv;
-}
-
-static SECStatus
-crmf_create_poposignkey(PRArenaPool *poolp,
- CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOSigningKeyInput *signKeyInput,
- SECKEYPrivateKey *inPrivKey,
- SECAlgorithmID *inAlgID,
- CRMFPOPOSigningKey *signKey)
-{
- CRMFCertRequest *certReq;
- void *mark;
- PRBool useSignKeyInput;
- SECStatus rv;
-
- PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL);
- mark = PORT_ArenaMark(poolp);
- if (signKey == NULL) {
- goto loser;
- }
- certReq = inCertReqMsg->certReq;
- useSignKeyInput = !(CRMF_DoesRequestHaveField(certReq,crmfSubject) &&
- CRMF_DoesRequestHaveField(certReq,crmfPublicKey));
-
- if (useSignKeyInput) {
- goto loser;
- } else {
- rv = crmf_sign_certreq(poolp, signKey, certReq,inPrivKey, inAlgID);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- PORT_ArenaUnmark(poolp,mark);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp,mark);
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg,
- SECKEYPrivateKey *inPrivKey,
- SECKEYPublicKey *inPubKey,
- CERTCertificate *inCertForInput,
- CRMFMACPasswordCallback fn,
- void *arg)
-{
- SECAlgorithmID *algID;
- PRArenaPool *poolp;
- SECItem derDest = {siBuffer, NULL, 0};
- void *mark;
- SECStatus rv;
- CRMFPOPOSigningKeyInput *signKeyInput = NULL;
- CRMFCertRequest *certReq;
- CRMFProofOfPossession *pop;
- struct crmfEncoderArg encoderArg;
-
- PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL &&
- inCertReqMsg->pop == NULL);
- certReq = inCertReqMsg->certReq;
- if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice ||
- !CRMF_DoesRequestHaveField(certReq, crmfPublicKey)) {
- return SECFailure;
- }
- poolp = inCertReqMsg->poolp;
- mark = PORT_ArenaMark(poolp);
- algID = crmf_create_poposignkey_algid(poolp, inPubKey);
-
- if(!CRMF_DoesRequestHaveField(certReq,crmfSubject)) {
- signKeyInput = crmf_create_poposigningkeyinput(poolp, inCertForInput,
- fn, arg);
- if (signKeyInput == NULL) {
- goto loser;
- }
- }
-
- pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
- if (pop == NULL) {
- goto loser;
- }
-
- rv = crmf_create_poposignkey(poolp, inCertReqMsg,
- signKeyInput, inPrivKey, algID,
- &(pop->popChoice.signature));
- if (rv != SECSuccess) {
- goto loser;
- }
-
- pop->popUsed = crmfSignature;
- pop->popChoice.signature.algorithmIdentifier = algID;
- inCertReqMsg->pop = pop;
-
- rv = crmf_init_encoder_callback_arg (&encoderArg, &derDest);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SEC_ASN1Encode(&pop->popChoice.signature,
- CRMFPOPOSigningKeyTemplate,
- crmf_generic_encoder_callback, &encoderArg);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECITEM_CopyItem(poolp, &(inCertReqMsg->derPOP), &derDest);
- PORT_Free (derDest.data);
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp,mark);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp,mark);
- if (derDest.data != NULL) {
- PORT_Free(derDest.data);
- }
- return SECFailure;
-}
-
-static const SEC_ASN1Template*
-crmf_get_popoprivkey_subtemplate(CRMFPOPOPrivKey *inPrivKey)
-{
- const SEC_ASN1Template *retTemplate = NULL;
-
- switch (inPrivKey->messageChoice) {
- case crmfThisMessage:
- retTemplate = CRMFThisMessageTemplate;
- break;
- case crmfSubsequentMessage:
- retTemplate = CRMFSubsequentMessageTemplate;
- break;
- case crmfDHMAC:
- retTemplate = CRMFDHMACTemplate;
- break;
- default:
- retTemplate = NULL;
- }
- return retTemplate;
-}
-
-static SECStatus
-crmf_encode_popoprivkey(PRArenaPool *poolp,
- CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKey *popoPrivKey,
- const SEC_ASN1Template *privKeyTemplate)
-{
- struct crmfEncoderArg encoderArg;
- SECItem derDest;
- SECStatus rv;
- void *mark;
- const SEC_ASN1Template *subDerTemplate;
-
- mark = PORT_ArenaMark(poolp);
- rv = crmf_init_encoder_callback_arg(&encoderArg, &derDest);
- if (rv != SECSuccess) {
- goto loser;
- }
- subDerTemplate = crmf_get_popoprivkey_subtemplate(popoPrivKey);
- /* We've got a union, so a pointer to one item is a pointer to
- * all the items in the union.
- */
- rv = SEC_ASN1Encode(&popoPrivKey->message.thisMessage,
- subDerTemplate,
- crmf_generic_encoder_callback, &encoderArg);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (encoderArg.allocatedLen > derDest.len+2) {
- void *dummy = PORT_Realloc(derDest.data, derDest.len+2);
- if (dummy == NULL) {
- goto loser;
- }
- derDest.data = dummy;
- }
- PORT_Memmove(&derDest.data[2], &derDest.data[0], derDest.len);
- /* I couldn't figure out how to get the ASN1 encoder to implicitly
- * tag an implicitly tagged der blob. So I'm putting in the outter-
- * most tag myself. -javi
- */
- derDest.data[0] = (unsigned char)privKeyTemplate->kind;
- derDest.data[1] = (unsigned char)derDest.len;
- derDest.len += 2;
- rv = SECITEM_CopyItem(poolp, &inCertReqMsg->derPOP, &derDest);
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_Free(derDest.data);
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp, mark);
- if (derDest.data) {
- PORT_Free(derDest.data);
- }
- return SECFailure;
-}
-
-static const SEC_ASN1Template*
-crmf_get_template_for_privkey(CRMFPOPChoice inChoice)
-{
- switch (inChoice) {
- case crmfKeyAgreement:
- return CRMFPOPOKeyAgreementTemplate;
- case crmfKeyEncipherment:
- return CRMFPOPOKeyEnciphermentTemplate;
- default:
- break;
- }
- return NULL;
-}
-
-static SECStatus
-crmf_add_privkey_thismessage(CRMFCertReqMsg *inCertReqMsg, SECItem *encPrivKey,
- CRMFPOPChoice inChoice)
-{
- PRArenaPool *poolp;
- void *mark;
- CRMFPOPOPrivKey *popoPrivKey;
- CRMFProofOfPossession *pop;
- SECStatus rv;
-
- PORT_Assert(inCertReqMsg != NULL && encPrivKey != NULL);
- poolp = inCertReqMsg->poolp;
- mark = PORT_ArenaMark(poolp);
- pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
- if (pop == NULL) {
- goto loser;
- }
- pop->popUsed = inChoice;
- /* popChoice is a union, so getting a pointer to one
- * field gives me a pointer to the other fields as
- * well. This in essence points to both
- * pop->popChoice.keyEncipherment and
- * pop->popChoice.keyAgreement
- */
- popoPrivKey = &pop->popChoice.keyEncipherment;
-
- rv = SECITEM_CopyItem(poolp, &(popoPrivKey->message.thisMessage),
- encPrivKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- popoPrivKey->message.thisMessage.len <<= 3;
- popoPrivKey->messageChoice = crmfThisMessage;
- inCertReqMsg->pop = pop;
- rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
- crmf_get_template_for_privkey(inChoice));
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-static SECStatus
-crmf_add_privkey_subseqmessage(CRMFCertReqMsg *inCertReqMsg,
- CRMFSubseqMessOptions subsequentMessage,
- CRMFPOPChoice inChoice)
-{
- void *mark;
- PRArenaPool *poolp;
- CRMFProofOfPossession *pop;
- CRMFPOPOPrivKey *popoPrivKey;
- SECStatus rv;
- const SEC_ASN1Template *privKeyTemplate;
-
- if (subsequentMessage == crmfNoSubseqMess) {
- return SECFailure;
- }
- poolp = inCertReqMsg->poolp;
- mark = PORT_ArenaMark(poolp);
- pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
- if (pop == NULL) {
- goto loser;
- }
-
- pop->popUsed = inChoice;
- /*
- * We have a union, so a pointer to one member of the union
- * is also a member to another member of that same union.
- */
- popoPrivKey = &pop->popChoice.keyEncipherment;
-
- switch (subsequentMessage) {
- case crmfEncrCert:
- rv = crmf_encode_integer(poolp,
- &(popoPrivKey->message.subsequentMessage),
- 0);
- break;
- case crmfChallengeResp:
- rv = crmf_encode_integer(poolp,
- &(popoPrivKey->message.subsequentMessage),
- 1);
- break;
- default:
- goto loser;
- }
- if (rv != SECSuccess) {
- goto loser;
- }
- popoPrivKey->messageChoice = crmfSubsequentMessage;
- privKeyTemplate = crmf_get_template_for_privkey(inChoice);
- inCertReqMsg->pop = pop;
- rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
- privKeyTemplate);
-
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKeyChoice inKeyChoice,
- CRMFSubseqMessOptions subseqMess,
- SECItem *encPrivKey)
-{
- SECStatus rv;
-
- PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
- if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
- return SECFailure;
- }
- switch (inKeyChoice) {
- case crmfThisMessage:
- rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
- crmfKeyEncipherment);
- break;
- case crmfSubsequentMessage:
- rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess,
- crmfKeyEncipherment);
- break;
- case crmfDHMAC:
- default:
- rv = SECFailure;
- }
- return rv;
-}
-
-SECStatus
-CRMF_CertReqMsgSetKeyAgreementPOP (CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKeyChoice inKeyChoice,
- CRMFSubseqMessOptions subseqMess,
- SECItem *encPrivKey)
-{
- SECStatus rv;
-
- PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
- switch (inKeyChoice) {
- case crmfThisMessage:
- rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
- crmfKeyAgreement);
- break;
- case crmfSubsequentMessage:
- rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess,
- crmfKeyAgreement);
- case crmfDHMAC:
- /* This case should be added in the future. */
- default:
- rv = SECFailure;
- }
- return rv;
-}
-
diff --git a/security/nss/lib/crmf/crmfreq.c b/security/nss/lib/crmf/crmfreq.c
deleted file mode 100644
index 071d1bd26..000000000
--- a/security/nss/lib/crmf/crmfreq.c
+++ /dev/null
@@ -1,697 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "keyhi.h"
-#include "secder.h"
-
-/*
- * Macro that returns PR_TRUE if the pointer is not NULL.
- * If the pointer is NULL, then the macro will return PR_FALSE.
- */
-#define IS_NOT_NULL(ptr) ((ptr) == NULL) ? PR_FALSE : PR_TRUE
-
-const unsigned char hexTrue = 0xff;
-const unsigned char hexFalse = 0x00;
-
-
-SECStatus
-crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, long value)
-{
- SECItem *dummy;
-
- dummy = SEC_ASN1EncodeInteger(poolp, dest, value);
- PORT_Assert (dummy == dest);
- if (dummy == NULL) {
- return SECFailure;
- }
- return SECSuccess;
-}
-
-static SECStatus
-crmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
-{
- return SECITEM_CopyItem (poolp, dest, src);
-}
-
-PRBool
-CRMF_DoesRequestHaveField (CRMFCertRequest *inCertReq,
- CRMFCertTemplateField inField)
-{
-
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return PR_FALSE;
- }
- switch (inField) {
- case crmfVersion:
- return inCertReq->certTemplate.version.data != NULL;
- case crmfSerialNumber:
- return inCertReq->certTemplate.serialNumber.data != NULL;
- case crmfSigningAlg:
- return inCertReq->certTemplate.signingAlg != NULL;
- case crmfIssuer:
- return inCertReq->certTemplate.issuer != NULL;
- case crmfValidity:
- return inCertReq->certTemplate.validity != NULL;
- case crmfSubject:
- return inCertReq->certTemplate.subject != NULL;
- case crmfPublicKey:
- return inCertReq->certTemplate.publicKey != NULL;
- case crmfIssuerUID:
- return inCertReq->certTemplate.issuerUID.data != NULL;
- case crmfSubjectUID:
- return inCertReq->certTemplate.subjectUID.data != NULL;
- case crmfExtension:
- return CRMF_CertRequestGetNumberOfExtensions(inCertReq) != 0;
- }
- return PR_FALSE;
-}
-
-CRMFCertRequest *
-CRMF_CreateCertRequest (long inRequestID) {
- PRArenaPool *poolp;
- CRMFCertRequest *certReq;
- SECStatus rv;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- goto loser;
- }
-
- certReq=PORT_ArenaZNew(poolp,CRMFCertRequest);
- if (certReq == NULL) {
- goto loser;
- }
-
- certReq->poolp = poolp;
- certReq->requestID = inRequestID;
-
- rv = crmf_encode_integer(poolp, &(certReq->certReqId), inRequestID);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- return certReq;
- loser:
- if (poolp) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-SECStatus
-CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq != NULL) {
- if (inCertReq->certTemplate.extensions) {
- PORT_Free(inCertReq->certTemplate.extensions);
- }
- if (inCertReq->controls) {
- /* Right now we don't support EnveloppedData option,
- * so we won't go through and delete each occurrence of
- * an EnveloppedData in the control.
- */
- PORT_Free(inCertReq->controls);
- }
- if (inCertReq->poolp) {
- PORT_FreeArena(inCertReq->poolp, PR_TRUE);
- }
- }
- return SECSuccess;
-}
-
-static SECStatus
-crmf_template_add_version(PRArenaPool *poolp, SECItem *dest, long version)
-{
- return (crmf_encode_integer(poolp, dest, version));
-}
-
-static SECStatus
-crmf_template_add_serialnumber(PRArenaPool *poolp, SECItem *dest, long serial)
-{
- return (crmf_encode_integer(poolp, dest, serial));
-}
-
-SECStatus
-crmf_template_copy_secalg (PRArenaPool *poolp, SECAlgorithmID **dest,
- SECAlgorithmID* src)
-{
- SECStatus rv;
- void *mark;
- SECAlgorithmID *mySecAlg;
-
- if (poolp != NULL) {
- mark = PORT_ArenaMark(poolp);
- }
- *dest = mySecAlg = PORT_ArenaZNew(poolp, SECAlgorithmID);
- if (mySecAlg == NULL) {
- goto loser;
- }
- rv = SECOID_CopyAlgorithmID(poolp, mySecAlg, src);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (poolp != NULL) {
- PORT_ArenaUnmark(poolp, mark);
- }
- return SECSuccess;
-
- loser:
- *dest = NULL;
- if (poolp != NULL) {
- PORT_ArenaRelease(poolp, mark);
- }
- return SECFailure;
-}
-
-SECStatus
-crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest,
- CERTName *src)
-{
- CERTName *newName;
- SECStatus rv;
- void *mark;
-
- mark = PORT_ArenaMark(poolp);
- *dest = newName = PORT_ArenaZNew(poolp, CERTName);
- if (newName == NULL) {
- goto loser;
- }
-
- rv = CERT_CopyName(poolp, newName, src);
- if (rv != SECSuccess) {
- goto loser;
- }
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp, mark);
- *dest = NULL;
- return SECFailure;
-}
-
-static SECStatus
-crmf_template_add_issuer (PRArenaPool *poolp, CERTName **dest,
- CERTName* issuerName)
-{
- return crmf_copy_cert_name(poolp, dest, issuerName);
-}
-
-
-static SECStatus
-crmf_encode_utctime(PRArenaPool *poolp, SECItem *destTime, PRTime time)
-{
- SECItem tmpItem;
- SECStatus rv;
-
-
- rv = DER_TimeToUTCTime (&tmpItem, time);
- if (rv != SECSuccess) {
- return rv;
- }
- rv = SECITEM_CopyItem(poolp, destTime, &tmpItem);
- PORT_Free(tmpItem.data);
- return rv;
-}
-
-static SECStatus
-crmf_template_add_validity (PRArenaPool *poolp, CRMFOptionalValidity **dest,
- CRMFValidityCreationInfo *info)
-{
- SECStatus rv;
- void *mark;
- CRMFOptionalValidity *myValidity;
-
- /*First off, let's make sure at least one of the two fields is present*/
- if (!info || (!info->notBefore && !info->notAfter)) {
- return SECFailure;
- }
- mark = PORT_ArenaMark (poolp);
- *dest = myValidity = PORT_ArenaZNew(poolp, CRMFOptionalValidity);
- if (myValidity == NULL) {
- goto loser;
- }
-
- if (info->notBefore) {
- rv = crmf_encode_utctime (poolp, &myValidity->notBefore,
- *info->notBefore);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- if (info->notAfter) {
- rv = crmf_encode_utctime (poolp, &myValidity->notAfter,
- *info->notAfter);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
- loser:
- PORT_ArenaRelease(poolp, mark);
- *dest = NULL;
- return SECFailure;
-}
-
-static SECStatus
-crmf_template_add_subject (PRArenaPool *poolp, CERTName **dest,
- CERTName *subject)
-{
- return crmf_copy_cert_name(poolp, dest, subject);
-}
-
-SECStatus
-crmf_template_add_public_key(PRArenaPool *poolp,
- CERTSubjectPublicKeyInfo **dest,
- CERTSubjectPublicKeyInfo *pubKey)
-{
- CERTSubjectPublicKeyInfo *spki;
- SECStatus rv;
-
- *dest = spki = (poolp == NULL) ?
- PORT_ZNew(CERTSubjectPublicKeyInfo) :
- PORT_ArenaZNew (poolp, CERTSubjectPublicKeyInfo);
- if (spki == NULL) {
- goto loser;
- }
- rv = SECKEY_CopySubjectPublicKeyInfo (poolp, spki, pubKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- return SECSuccess;
- loser:
- if (poolp == NULL && spki != NULL) {
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- }
- *dest = NULL;
- return SECFailure;
-}
-
-static SECStatus
-crmf_copy_bitstring (PRArenaPool *poolp, SECItem *dest, SECItem *src)
-{
- SECStatus rv;
- int origLenBits, numBytesToCopy;
-
- origLenBits = src->len;
- numBytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
- rv = crmf_copy_secitem(poolp, dest, src);
- src->len = origLenBits;
- dest->len = origLenBits;
- return rv;
-}
-
-static SECStatus
-crmf_template_add_issuer_uid(PRArenaPool *poolp, SECItem *dest,
- SECItem *issuerUID)
-{
- return crmf_copy_bitstring (poolp, dest, issuerUID);
-}
-
-static SECStatus
-crmf_template_add_subject_uid(PRArenaPool *poolp, SECItem *dest,
- SECItem *subjectUID)
-{
- return crmf_copy_bitstring (poolp, dest, subjectUID);
-}
-
-static void
-crmf_zeroize_new_extensions (CRMFCertExtension **extensions,
- int numToZeroize)
-{
- PORT_Memset((void*)extensions, 0, sizeof(CERTCertExtension*)*numToZeroize);
-}
-
-/*
- * The strategy for adding templates will differ from all the other
- * attributes in the template. First, we want to allow the client
- * of this API to set extensions more than just once. So we will
- * need the ability grow the array of extensions. Since arenas don't
- * give us the realloc function, we'll use the generic PORT_* functions
- * to allocate the array of pointers *ONLY*. Then we will allocate each
- * individual extension from the arena that comes along with the certReq
- * structure that owns this template.
- */
-static SECStatus
-crmf_template_add_extensions(PRArenaPool *poolp, CRMFCertTemplate *inTemplate,
- CRMFCertExtCreationInfo *extensions)
-{
- void *mark;
- int newSize, oldSize, i;
- SECStatus rv;
- CRMFCertExtension **extArray;
- CRMFCertExtension *newExt, *currExt;
-
- mark = PORT_ArenaMark(poolp);
- if (inTemplate->extensions == NULL) {
- newSize = extensions->numExtensions;
- extArray = PORT_ZNewArray(CRMFCertExtension*,newSize+1);
- } else {
- newSize = inTemplate->numExtensions + extensions->numExtensions;
- extArray = PORT_Realloc(inTemplate->extensions,
- sizeof(CRMFCertExtension*)*(newSize+1));
- }
- if (extArray == NULL) {
- goto loser;
- }
- oldSize = inTemplate->numExtensions;
- inTemplate->extensions = extArray;
- inTemplate->numExtensions = newSize;
- for (i=oldSize; i < newSize; i++) {
- newExt = PORT_ArenaZNew(poolp, CRMFCertExtension);
- if (newExt == NULL) {
- goto loser2;
- }
- currExt = extensions->extensions[i-oldSize];
- rv = crmf_copy_secitem(poolp, &(newExt->id), &(currExt->id));
- if (rv != SECSuccess) {
- goto loser2;
- }
- rv = crmf_copy_secitem(poolp, &(newExt->critical),
- &(currExt->critical));
- if (rv != SECSuccess) {
- goto loser2;
- }
- rv = crmf_copy_secitem(poolp, &(newExt->value), &(currExt->value));
- if (rv != SECSuccess) {
- goto loser2;
- }
- extArray[i] = newExt;
- }
- extArray[newSize] = NULL;
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
- loser2:
- crmf_zeroize_new_extensions (&(inTemplate->extensions[oldSize]),
- extensions->numExtensions);
- inTemplate->numExtensions = oldSize;
- loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestSetTemplateField(CRMFCertRequest *inCertReq,
- CRMFCertTemplateField inTemplateField,
- void *data)
-{
- CRMFCertTemplate *certTemplate;
- PRArenaPool *poolp;
- SECStatus rv = SECFailure;
- void *mark;
-
-
- if (inCertReq == NULL) {
- return SECFailure;
- }
-
- certTemplate = &(inCertReq->certTemplate);
-
- poolp = inCertReq->poolp;
- mark = PORT_ArenaMark(poolp);
- switch (inTemplateField) {
- case crmfVersion:
- rv = crmf_template_add_version(poolp,&(certTemplate->version),
- *(long*)data);
- break;
- case crmfSerialNumber:
- rv = crmf_template_add_serialnumber(poolp,
- &(certTemplate->serialNumber),
- *(long*)data);
- break;
- case crmfSigningAlg:
- rv = crmf_template_copy_secalg (poolp, &(certTemplate->signingAlg),
- (SECAlgorithmID*)data);
- break;
- case crmfIssuer:
- rv = crmf_template_add_issuer (poolp, &(certTemplate->issuer),
- (CERTName*)data);
- break;
- case crmfValidity:
- rv = crmf_template_add_validity (poolp, &(certTemplate->validity),
- (CRMFValidityCreationInfo*)data);
- break;
- case crmfSubject:
- rv = crmf_template_add_subject (poolp, &(certTemplate->subject),
- (CERTName*)data);
- break;
- case crmfPublicKey:
- rv = crmf_template_add_public_key(poolp, &(certTemplate->publicKey),
- (CERTSubjectPublicKeyInfo*)data);
- break;
- case crmfIssuerUID:
- rv = crmf_template_add_issuer_uid(poolp, &(certTemplate->issuerUID),
- (SECItem*)data);
- break;
- case crmfSubjectUID:
- rv = crmf_template_add_subject_uid(poolp, &(certTemplate->subjectUID),
- (SECItem*)data);
- break;
- case crmfExtension:
- rv = crmf_template_add_extensions(poolp, certTemplate,
- (CRMFCertExtCreationInfo*)data);
- break;
- }
- if (rv != SECSuccess) {
- PORT_ArenaRelease(poolp, mark);
- } else {
- PORT_ArenaUnmark(poolp, mark);
- }
- return rv;
-}
-
-SECStatus
-CRMF_CertReqMsgSetCertRequest (CRMFCertReqMsg *inCertReqMsg,
- CRMFCertRequest *inCertReq)
-{
- PORT_Assert (inCertReqMsg != NULL && inCertReq != NULL);
- if (inCertReqMsg == NULL || inCertReq == NULL) {
- return SECFailure;
- }
- inCertReqMsg->certReq = crmf_copy_cert_request(inCertReqMsg->poolp,
- inCertReq);
- return (inCertReqMsg->certReq == NULL) ? SECFailure : SECSuccess;
-}
-
-CRMFCertReqMsg*
-CRMF_CreateCertReqMsg(void)
-{
- PRArenaPool *poolp;
- CRMFCertReqMsg *reqMsg;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- goto loser;
- }
- reqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
- if (reqMsg == NULL) {
- goto loser;
- }
- reqMsg->poolp = poolp;
- return reqMsg;
-
- loser:
- if (poolp) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-SECStatus
-CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg)
-{
- PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->poolp != NULL);
- if (!inCertReqMsg->isDecoded) {
- if (inCertReqMsg->certReq->certTemplate.extensions != NULL) {
- PORT_Free(inCertReqMsg->certReq->certTemplate.extensions);
- }
- if (inCertReqMsg->certReq->controls != NULL) {
- PORT_Free(inCertReqMsg->certReq->controls);
- }
- }
- PORT_FreeArena(inCertReqMsg->poolp, PR_TRUE);
- return SECSuccess;
-}
-
-CRMFCertExtension*
-crmf_create_cert_extension(PRArenaPool *poolp,
- SECOidTag id,
- PRBool isCritical,
- SECItem *data)
-{
- CRMFCertExtension *newExt;
- SECOidData *oidData;
- SECStatus rv;
-
- newExt = (poolp == NULL) ? PORT_ZNew(CRMFCertExtension) :
- PORT_ArenaZNew(poolp, CRMFCertExtension);
- if (newExt == NULL) {
- goto loser;
- }
- oidData = SECOID_FindOIDByTag(id);
- if (oidData == NULL ||
- oidData->supportedExtension != SUPPORTED_CERT_EXTENSION) {
- goto loser;
- }
-
- rv = SECITEM_CopyItem(poolp, &(newExt->id), &(oidData->oid));
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- if (isCritical) {
- newExt->critical.data = (poolp == NULL) ?
- PORT_New(unsigned char) :
- PORT_ArenaNew(poolp, unsigned char);
- if (newExt->critical.data == NULL) {
- goto loser;
- }
- newExt->critical.data[0] = hexTrue;
- newExt->critical.len = 1;
- }
- return newExt;
- loser:
- if (newExt != NULL && poolp == NULL) {
- CRMF_DestroyCertExtension(newExt);
- }
- return NULL;
-}
-
-CRMFCertExtension *
-CRMF_CreateCertExtension(SECOidTag id,
- PRBool isCritical,
- SECItem *data)
-{
- return crmf_create_cert_extension(NULL, id, isCritical, data);
-}
-
-SECStatus
-crmf_destroy_cert_extension(CRMFCertExtension *inExtension, PRBool freeit)
-{
- if (inExtension != NULL) {
- SECITEM_FreeItem (&(inExtension->id), PR_FALSE);
- SECITEM_FreeItem (&(inExtension->value), PR_FALSE);
- SECITEM_FreeItem (&(inExtension->critical), PR_FALSE);
- if (freeit) {
- PORT_Free(inExtension);
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyCertExtension(CRMFCertExtension *inExtension)
-{
- return crmf_destroy_cert_extension(inExtension, PR_TRUE);
-}
-
-SECStatus
-CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs)
-{
- PORT_Assert (inCertReqMsgs != NULL);
- if (inCertReqMsgs != NULL) {
- PORT_FreeArena(inCertReqMsgs->poolp, PR_TRUE);
- }
- return SECSuccess;
-}
-
-static PRBool
-crmf_item_has_data(SECItem *item)
-{
- if (item != NULL && item->data != NULL) {
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-PRBool
-CRMF_CertRequestIsFieldPresent(CRMFCertRequest *inCertReq,
- CRMFCertTemplateField inTemplateField)
-{
- PRBool retVal;
- CRMFCertTemplate *certTemplate;
-
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- /* This is probably some kind of error, but this is
- * the safest return value for this function.
- */
- return PR_FALSE;
- }
- certTemplate = &inCertReq->certTemplate;
- switch (inTemplateField) {
- case crmfVersion:
- retVal = crmf_item_has_data(&certTemplate->version);
- break;
- case crmfSerialNumber:
- retVal = crmf_item_has_data(&certTemplate->serialNumber);
- break;
- case crmfSigningAlg:
- retVal = IS_NOT_NULL(certTemplate->signingAlg);
- break;
- case crmfIssuer:
- retVal = IS_NOT_NULL(certTemplate->issuer);
- break;
- case crmfValidity:
- retVal = IS_NOT_NULL(certTemplate->validity);
- break;
- case crmfSubject:
- retVal = IS_NOT_NULL(certTemplate->subject);
- break;
- case crmfPublicKey:
- retVal = IS_NOT_NULL(certTemplate->publicKey);
- break;
- case crmfIssuerUID:
- retVal = crmf_item_has_data(&certTemplate->issuerUID);
- break;
- case crmfSubjectUID:
- retVal = crmf_item_has_data(&certTemplate->subjectUID);
- break;
- case crmfExtension:
- retVal = IS_NOT_NULL(certTemplate->extensions);
- break;
- default:
- retVal = PR_FALSE;
- }
- return retVal;
-}
diff --git a/security/nss/lib/crmf/crmft.h b/security/nss/lib/crmf/crmft.h
deleted file mode 100644
index 574c7212e..000000000
--- a/security/nss/lib/crmf/crmft.h
+++ /dev/null
@@ -1,217 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-/* Header file with all of the structures and types that will be exported
- * by the security library for implementation of CRMF.
- */
-
-#ifndef _CRMFT_H_
-#define _CRMFT_H_
-
-/* Use these enumerated values for adding fields to the certificate request */
-typedef enum {
- crmfVersion,
- crmfSerialNumber,
- crmfSigningAlg,
- crmfIssuer,
- crmfValidity,
- crmfSubject,
- crmfPublicKey,
- crmfIssuerUID,
- crmfSubjectUID,
- crmfExtension
-} CRMFCertTemplateField;
-
-/*
- * An enumeration for the different types of controls.
- */
-typedef enum {
- crmfNoControl,
- crmfRegTokenControl,
- crmfAuthenticatorControl,
- crmfPKIPublicationInfoControl,
- crmfPKIArchiveOptionsControl,
- crmfOldCertIDControl,
- crmfProtocolEncrKeyControl
-} CRMFControlType;
-
-/*
- * The possible values that are passed into CRMF_CreatePKIPublicationInfo
- */
-typedef enum{
- crmfDontPublish,
- crmfPleasePublish
-} CRMFPublicationAction;
-
-/*
- * An enumeration for the possible for pubMethod which is a part of
- * the SinglePubInfo ASN1 type.
- */
-typedef enum {
- crmfDontCare,
- crmfX500,
- crmfWeb,
- crmfLdap
-} CRMFPublicationMethod;
-
-/*
- * An enumeration for the different options for PKIArchiveOptions type.
- */
-typedef enum {
- crmfNoArchiveOptions,
- crmfEncryptedPrivateKey,
- crmfKeyGenParameters,
- crmfArchiveRemGenPrivKey
-} CRMFPKIArchiveOptionsType;
-
-/*
- * An enumeration for the different options for ProofOfPossession
- */
-typedef enum {
- crmfNoPOPChoice,
- crmfRAVerified,
- crmfSignature,
- crmfKeyEncipherment,
- crmfKeyAgreement
-} CRMFPOPChoice;
-
-/*
- * An enumertion type for options for the authInfo field of the
- * CRMFPOPOSigningKeyInput structure.
- */
-typedef enum {
- crmfSender,
- crmfPublicKeyMAC
-} CRMFPOPOSkiInputAuthChoice;
-
-/*
- * An enumeration for the SubsequentMessage Options.
- */
-typedef enum {
- crmfNoSubseqMess,
- crmfEncrCert,
- crmfChallengeResp
-} CRMFSubseqMessOptions;
-
-/*
- * An enumeration for the choice used by POPOPrivKey.
- */
-typedef enum {
- crmfNoMessage,
- crmfThisMessage,
- crmfSubsequentMessage,
- crmfDHMAC
-} CRMFPOPOPrivKeyChoice;
-
-/*
- * An enumeration for the choices for the EncryptedKey type.
- */
-typedef enum {
- crmfNoEncryptedKeyChoice,
- crmfEncryptedValueChoice,
- crmfEnvelopedDataChoice
-} CRMFEncryptedKeyChoice;
-
-/*
- * TYPE: CRMFEncoderOutputCallback
- * This function type defines a prototype for a function that the CRMF
- * library expects when encoding is performed.
- *
- * ARGUMENTS:
- * arg
- * This will be a pointer the user passed into an encoding function.
- * The user of the library is free to use this pointer in any way.
- * The most common use is to keep around a buffer for writing out
- * the DER encoded bytes.
- * buf
- * The DER encoded bytes that should be written out.
- * len
- * The number of DER encoded bytes to write out.
- *
- */
-typedef void (*CRMFEncoderOutputCallback) (void *arg,
- const char *buf,
- unsigned long len);
-
-/*
- * Type for the function that gets a password. Just in case we ever
- * need to support publicKeyMAC for POPOSigningKeyInput
- */
-typedef SECItem* (*CRMFMACPasswordCallback) (void *arg);
-
-typedef struct CRMFOptionalValidityStr CRMFOptionalValidity;
-typedef struct CRMFValidityCreationInfoStr CRMFGetValidity;
-typedef struct CRMFCertTemplateStr CRMFCertTemplate;
-typedef struct CRMFCertRequestStr CRMFCertRequest;
-typedef struct CRMFCertReqMsgStr CRMFCertReqMsg;
-typedef struct CRMFCertReqMessagesStr CRMFCertReqMessages;
-typedef struct CRMFProofOfPossessionStr CRMFProofOfPossession;
-typedef struct CRMFPOPOSigningKeyStr CRMFPOPOSigningKey;
-typedef struct CRMFPOPOSigningKeyInputStr CRMFPOPOSigningKeyInput;
-typedef struct CRMFPOPOPrivKeyStr CRMFPOPOPrivKey;
-typedef struct CRMFPKIPublicationInfoStr CRMFPKIPublicationInfo;
-typedef struct CRMFSinglePubInfoStr CRMFSinglePubInfo;
-typedef struct CRMFPKIArchiveOptionsStr CRMFPKIArchiveOptions;
-typedef struct CRMFEncryptedKeyStr CRMFEncryptedKey;
-typedef struct CRMFEncryptedValueStr CRMFEncryptedValue;
-typedef struct CRMFCertIDStr CRMFCertID;
-typedef struct CRMFCertIDStr CRMFOldCertID;
-typedef CERTSubjectPublicKeyInfo CRMFProtocolEncrKey;
-typedef struct CRMFValidityCreationInfoStr CRMFValidityCreationInfo;
-typedef struct CRMFCertExtCreationInfoStr CRMFCertExtCreationInfo;
-typedef struct CRMFPKMACValueStr CRMFPKMACValue;
-typedef struct CRMFAttributeStr CRMFAttribute;
-typedef struct CRMFControlStr CRMFControl;
-typedef CERTGeneralName CRMFGeneralName;
-typedef struct CRMFCertExtensionStr CRMFCertExtension;
-
-struct CRMFValidityCreationInfoStr {
- PRTime *notBefore;
- PRTime *notAfter;
-};
-
-struct CRMFCertExtCreationInfoStr {
- CRMFCertExtension **extensions;
- int numExtensions;
-};
-
-/*
- * Some ASN1 Templates that may be needed.
- */
-extern const SEC_ASN1Template CRMFCertReqMessagesTemplate[];
-extern const SEC_ASN1Template CRMFCertRequestTemplate[];
-
-
-#endif /*_CRMFT_H_*/
diff --git a/security/nss/lib/crmf/crmftmpl.c b/security/nss/lib/crmf/crmftmpl.c
deleted file mode 100644
index da660cd6e..000000000
--- a/security/nss/lib/crmf/crmftmpl.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*- */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "secoid.h"
-#include "secasn1.h"
-
-
-/*
- * It's all implicit tagging.
- */
-
-const SEC_ASN1Template CRMFControlTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFControl)},
- { SEC_ASN1_OBJECT_ID, offsetof(CRMFControl, derTag)},
- { SEC_ASN1_ANY, offsetof(CRMFControl, derValue) },
- { 0 }
-};
-
-static const SEC_ASN1Template CRMFCertExtensionTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CRMFCertExtension) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(CRMFCertExtension,id) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,
- offsetof(CRMFCertExtension,critical) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(CRMFCertExtension,value) },
- { 0, }
-};
-
-static const SEC_ASN1Template CRMFSequenceOfCertExtensionTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, CRMFCertExtensionTemplate }
-};
-
-static const SEC_ASN1Template CRMFOptionalValidityTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFOptionalValidity) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 0,
- offsetof (CRMFOptionalValidity, notBefore),
- SEC_UTCTimeTemplate},
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1,
- offsetof (CRMFOptionalValidity, notAfter),
- SEC_UTCTimeTemplate},
- { 0 }
-};
-
-static const SEC_ASN1Template crmfPointerToNameTemplate[] = {
- { SEC_ASN1_POINTER, 0, CERT_NameTemplate},
- { 0 }
-};
-
-static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertTemplate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CRMFCertTemplate, version), SEC_IntegerTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1 ,
- offsetof (CRMFCertTemplate, serialNumber), SEC_IntegerTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 2,
- offsetof (CRMFCertTemplate, signingAlg), SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 3,
- offsetof (CRMFCertTemplate, issuer), crmfPointerToNameTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 4,
- offsetof (CRMFCertTemplate, validity),
- CRMFOptionalValidityTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 5,
- offsetof (CRMFCertTemplate, subject), crmfPointerToNameTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 6,
- offsetof (CRMFCertTemplate, publicKey),
- CERT_SubjectPublicKeyInfoTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 7,
- offsetof (CRMFCertTemplate, issuerUID), SEC_BitStringTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 8,
- offsetof (CRMFCertTemplate, subjectUID), SEC_BitStringTemplate },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_CONTEXT_SPECIFIC | 9,
- offsetof (CRMFCertTemplate, extensions),
- CRMFSequenceOfCertExtensionTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template CRMFAttributeTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFAttribute)},
- { SEC_ASN1_OBJECT_ID, offsetof(CRMFAttribute, derTag)},
- { SEC_ASN1_ANY, offsetof(CRMFAttribute, derValue) },
- { 0 }
-};
-
-const SEC_ASN1Template CRMFCertRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFCertRequest) },
- { SEC_ASN1_INTEGER, offsetof(CRMFCertRequest, certReqId)},
- { SEC_ASN1_INLINE, offsetof(CRMFCertRequest, certTemplate),
- CRMFCertTemplateTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
- offsetof(CRMFCertRequest,controls),
- CRMFControlTemplate}, /* SEQUENCE SIZE (1...MAX)*/
- { 0 }
-};
-
-const SEC_ASN1Template CRMFCertReqMsgTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertReqMsg) },
- { SEC_ASN1_POINTER, offsetof(CRMFCertReqMsg, certReq),
- CRMFCertRequestTemplate },
- { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
- offsetof(CRMFCertReqMsg, derPOP) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
- offsetof(CRMFCertReqMsg, regInfo),
- CRMFAttributeTemplate}, /* SEQUENCE SIZE (1...MAX)*/
- { 0 }
-};
-
-const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, offsetof(CRMFCertReqMessages, messages),
- CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
-};
-
-static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
- { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
- offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
- { SEC_ASN1_INLINE, offsetof(CRMFPOPOSigningKeyInput, publicKey),
- CERT_SubjectPublicKeyInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0,
- SEC_NullTemplate },
- { 0 }
-};
-
-
-/* This template will need to add POPOSigningKeyInput eventually, maybe*/
-static const SEC_ASN1Template crmfPOPOSigningKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPOPOSigningKey) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CRMFPOPOSigningKey, derInput), SEC_AnyTemplate},
- { SEC_ASN1_POINTER, offsetof(CRMFPOPOSigningKey, algorithmIdentifier),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING, offsetof(CRMFPOPOSigningKey, signature),
- SEC_BitStringTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 1,
- 0,
- crmfPOPOSigningKeyTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFThisMessageTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0,
- SEC_BitStringTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFSubsequentMessageTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 1,
- 0,
- SEC_IntegerTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFDHMACTemplate[] = {
- { SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0,
- SEC_BitStringTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 2,
- 0,
- SEC_AnyTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 3,
- 0,
- SEC_AnyTemplate},
- { 0 }
-};
-
-const SEC_ASN1Template CRMFEncryptedValueTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFEncryptedValue)},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
- offsetof(CRMFEncryptedValue, intendedAlg),
- SECOID_AlgorithmIDTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 1,
- offsetof (CRMFEncryptedValue, symmAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 2,
- offsetof(CRMFEncryptedValue, encSymmKey), SEC_BitStringTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 3,
- offsetof(CRMFEncryptedValue, keyAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 4,
- offsetof(CRMFEncryptedValue, valueHint),
- SEC_OctetStringTemplate},
- { SEC_ASN1_BIT_STRING, offsetof(CRMFEncryptedValue, encValue) },
- { 0 }
-};
-
-const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0,
- CRMFEncryptedValueTemplate},
- { 0 }
-};
-
-static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
- { SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
- offsetof(CRMFSinglePubInfo, pubLocation) },
- { 0 }
-};
-
-static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
- { SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
- { SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
- CRMFSinglePubInfoTemplate},
- { 0 }
-};
diff --git a/security/nss/lib/crmf/encutil.c b/security/nss/lib/crmf/encutil.c
deleted file mode 100644
index 7862e1482..000000000
--- a/security/nss/lib/crmf/encutil.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*- */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secasn1.h"
-#include "crmf.h"
-#include "crmfi.h"
-
-void
-crmf_encoder_out(void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- struct crmfEncoderOutput *output;
-
- output = (struct crmfEncoderOutput*) arg;
- output->fn (output->outputArg, buf, len);
-}
-
-SECStatus
-cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
- const SEC_ASN1Template *inTemplate)
-{
- struct crmfEncoderOutput output;
-
- PORT_Assert(src != NULL);
- if (src == NULL) {
- return SECFailure;
- }
- output.fn = inCallback;
- output.outputArg = inArg;
- return SEC_ASN1Encode(src, inTemplate, crmf_encoder_out, &output);
-}
-
diff --git a/security/nss/lib/crmf/manifest.mn b/security/nss/lib/crmf/manifest.mn
deleted file mode 100644
index 67e145d09..000000000
--- a/security/nss/lib/crmf/manifest.mn
+++ /dev/null
@@ -1,73 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../..
-
-MODULE = security
-
-EXPORTS = \
- crmf.h \
- crmft.h \
- cmmf.h \
- cmmft.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- crmfi.h \
- crmfit.h \
- cmmfi.h \
- cmmfit.h \
- $(NULL)
-
-CSRCS = crmfenc.c \
- crmftmpl.c \
- crmfreq.c \
- crmfpop.c \
- crmfdec.c \
- crmfget.c \
- crmfcont.c \
- cmmfasn1.c \
- cmmfresp.c \
- cmmfrec.c \
- cmmfchal.c \
- servget.c \
- encutil.c \
- respcli.c \
- respcmn.c \
- challcli.c \
- asn1cmn.c \
- $(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = crmf
diff --git a/security/nss/lib/crmf/respcli.c b/security/nss/lib/crmf/respcli.c
deleted file mode 100644
index 9dac74a5e..000000000
--- a/security/nss/lib/crmf/respcli.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-/*
- * This file will contain all routines needed by a client that has
- * to parse a CMMFCertRepContent structure and retirieve the appropriate
- * data.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "crmf.h"
-#include "crmfi.h"
-#include "secitem.h"
-#include "secder.h"
-#include "secasn1.h"
-
-CMMFCertRepContent*
-CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, const char *buf,
- long len)
-{
- PRArenaPool *poolp;
- CMMFCertRepContent *certRepContent;
- SECStatus rv;
- int i;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- certRepContent = PORT_ArenaZNew(poolp, CMMFCertRepContent);
- if (certRepContent == NULL) {
- goto loser;
- }
- certRepContent->poolp = poolp;
- rv = SEC_ASN1Decode(poolp, certRepContent, CMMFCertRepContentTemplate,
- buf, len);
- if (rv != SECSuccess) {
- goto loser;
- }
- if (certRepContent->response != NULL) {
- for (i=0; certRepContent->response[i] != NULL; i++) {
- rv = cmmf_decode_process_cert_response(poolp, db,
- certRepContent->response[i]);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- }
- certRepContent->isDecoded = PR_TRUE;
- return certRepContent;
- loser:
- PORT_FreeArena(poolp, PR_FALSE);
- return NULL;
-}
-
-long
-CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp)
-{
- PORT_Assert(inCertResp != NULL);
- if (inCertResp == NULL) {
- return -1;
- }
- return DER_GetInteger(&inCertResp->certReqId);
-}
-
-PRBool
-cmmf_CertRepContentIsIndexValid(CMMFCertRepContent *inCertRepContent,
- int inIndex)
-{
- int numResponses;
-
- PORT_Assert(inCertRepContent != NULL);
- numResponses = CMMF_CertRepContentGetNumResponses(inCertRepContent);
- return (PRBool)(inIndex >= 0 && inIndex < numResponses);
-}
-
-CMMFCertResponse*
-CMMF_CertRepContentGetResponseAtIndex(CMMFCertRepContent *inCertRepContent,
- int inIndex)
-{
- CMMFCertResponse *certResponse;
- SECStatus rv;
-
- PORT_Assert(inCertRepContent != NULL &&
- cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex));
- if (inCertRepContent == NULL ||
- !cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)) {
- return NULL;
- }
- certResponse = PORT_ZNew(CMMFCertResponse);
- rv = cmmf_CopyCertResponse(NULL, certResponse,
- inCertRepContent->response[inIndex]);
- if (rv != SECSuccess) {
- CMMF_DestroyCertResponse(certResponse);
- certResponse = NULL;
- }
- return certResponse;
-}
-
-CMMFPKIStatus
-CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp)
-{
- PORT_Assert(inCertResp != NULL);
- if (inCertResp == NULL) {
- return cmmfNoPKIStatus;
- }
- return cmmf_PKIStatusInfoGetStatus(&inCertResp->status);
-}
-
-CERTCertificate*
-CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
- CERTCertDBHandle *inCertdb)
-{
- PORT_Assert(inCertResp != NULL);
- if (inCertResp == NULL || inCertResp->certifiedKeyPair == NULL) {
- return NULL;
- }
-
- return cmmf_CertOrEncCertGetCertificate
- (&inCertResp->certifiedKeyPair->certOrEncCert,
- inCertdb);
-
-}
-
-CERTCertList*
-CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent)
-{
- PORT_Assert (inCertRepContent != NULL);
- if (inCertRepContent == NULL || inCertRepContent->caPubs == NULL) {
- return NULL;
- }
- return cmmf_MakeCertList(inCertRepContent->caPubs);
-}
-
diff --git a/security/nss/lib/crmf/respcmn.c b/security/nss/lib/crmf/respcmn.c
deleted file mode 100644
index f40e5b334..000000000
--- a/security/nss/lib/crmf/respcmn.c
+++ /dev/null
@@ -1,414 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-
-SECStatus
-cmmf_DestroyPKIStatusInfo (CMMFPKIStatusInfo *info, PRBool freeit)
-{
- if (info->status.data != NULL) {
- PORT_Free(info->status.data);
- }
- if (info->statusString.data != NULL) {
- PORT_Free(info->statusString.data);
- }
- if (info->failInfo.data != NULL) {
- PORT_Free(info->failInfo.data);
- }
- if (freeit) {
- PORT_Free(info);
- }
- return SECSuccess;
-}
-
-SECStatus
-CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp)
-{
- PORT_Assert(inCertResp != NULL);
- if (inCertResp != NULL) {
- if (inCertResp->certReqId.data != NULL) {
- PORT_Free(inCertResp->certReqId.data);
- }
- cmmf_DestroyPKIStatusInfo(&inCertResp->status, PR_FALSE);
- if (inCertResp->certifiedKeyPair != NULL) {
- CMMF_DestroyCertifiedKeyPair(inCertResp->certifiedKeyPair);
- }
- PORT_Free(inCertResp);
- }
- return SECSuccess;
-}
-
-SECStatus
-CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent)
-{
- CMMFCertifiedKeyPair *certKeyPair;
- int i;
-
- PORT_Assert(inCertRepContent != NULL);
- if (inCertRepContent != NULL && inCertRepContent->poolp != NULL) {
- if (!inCertRepContent->isDecoded) {
- if (inCertRepContent->response != NULL) {
- for (i=0; inCertRepContent->response[i] != NULL; i++) {
- certKeyPair = inCertRepContent->response[i]->certifiedKeyPair;
- if (certKeyPair != NULL &&
- certKeyPair->certOrEncCert.choice == cmmfCertificate &&
- certKeyPair->certOrEncCert.cert.certificate != NULL) {
- CERT_DestroyCertificate
- (certKeyPair->certOrEncCert.cert.certificate);
- }
- }
- }
- if (inCertRepContent->caPubs != NULL) {
- for (i=0; inCertRepContent->caPubs[i] != NULL; i++) {
- CERT_DestroyCertificate(inCertRepContent->caPubs[i]);
- }
- }
- }
- PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);
- }
- return SECSuccess;
-}
-
-SECStatus
-CMMF_DestroyPOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyCont)
-{
- PORT_Assert(inDecKeyCont != NULL);
- if (inDecKeyCont != NULL && inDecKeyCont->poolp) {
- PORT_FreeArena(inDecKeyCont->poolp, PR_FALSE);
- }
- return SECSuccess;
-}
-
-SECStatus
-crmf_create_prtime(SECItem *src, PRTime **dest)
-{
- *dest = PORT_ZNew(PRTime);
- return DER_UTCTimeToTime(*dest, src);
-}
-
-CRMFCertExtension*
-crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension)
-{
- PRBool isCritical;
- SECOidTag id;
- SECItem *data;
- CRMFCertExtension *newExt;
-
- PORT_Assert(inExtension != NULL);
- if (inExtension == NULL) {
- return NULL;
- }
- id = CRMF_CertExtensionGetOidTag(inExtension);
- isCritical = CRMF_CertExtensionGetIsCritical(inExtension);
- data = CRMF_CertExtensionGetValue(inExtension);
- newExt = crmf_create_cert_extension(poolp, id,
- isCritical,
- data);
- SECITEM_FreeItem(data, PR_TRUE);
- return newExt;
-}
-
-static SECItem*
-cmmf_encode_certificate(CERTCertificate *inCert)
-{
- return SEC_ASN1EncodeItem(NULL, NULL, inCert,
- SEC_SignedCertificateTemplate);
-}
-
-CERTCertList*
-cmmf_MakeCertList(CERTCertificate **inCerts)
-{
- CERTCertList *certList;
- CERTCertificate *currCert;
- SECItem *derCert, *freeCert = NULL;
- SECStatus rv;
- int i;
-
- certList = CERT_NewCertList();
- if (certList == NULL) {
- return NULL;
- }
- for (i=0; inCerts[i] != NULL; i++) {
- derCert = &inCerts[i]->derCert;
- if (derCert->data == NULL) {
- derCert = freeCert = cmmf_encode_certificate(inCerts[i]);
- }
- currCert=CERT_DecodeDERCertificate(derCert, PR_TRUE, NULL);
- if (freeCert != NULL) {
- SECITEM_FreeItem(freeCert, PR_TRUE);
- freeCert = NULL;
- }
- if (currCert == NULL) {
- goto loser;
- }
- rv = CERT_AddCertToListTail(certList, currCert);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- return certList;
- loser:
- CERT_DestroyCertList(certList);
- return NULL;
-}
-
-CMMFPKIStatus
-cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus)
-{
- long derVal;
-
- derVal = DER_GetInteger(&inStatus->status);
- if (derVal == -1 || derVal < cmmfGranted || derVal >= cmmfNumPKIStatus) {
- return cmmfNoPKIStatus;
- }
- return (CMMFPKIStatus)derVal;
-}
-
-int
-CMMF_CertRepContentGetNumResponses(CMMFCertRepContent *inCertRepContent)
-{
- int numResponses = 0;
- PORT_Assert (inCertRepContent != NULL);
- if (inCertRepContent != NULL && inCertRepContent->response != NULL) {
- while (inCertRepContent->response[numResponses] != NULL) {
- numResponses++;
- }
- }
- return numResponses;
-}
-
-
-SECStatus
-cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, PRBool freeit)
-{
- switch (certOrEncCert->choice) {
- case cmmfCertificate:
- CERT_DestroyCertificate(certOrEncCert->cert.certificate);
- break;
- case cmmfEncryptedCert:
- crmf_destroy_encrypted_value(certOrEncCert->cert.encryptedCert,
- PR_TRUE);
- break;
- default:
- break;
- }
- if (freeit) {
- PORT_Free(certOrEncCert);
- }
- return SECSuccess;
-}
-
-SECStatus
-cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
-{
- SECStatus rv;
-
- if (src->data != NULL) {
- rv = SECITEM_CopyItem(poolp, dest, src);
- } else {
- dest->data = NULL;
- dest->len = 0;
- rv = SECSuccess;
- }
- return rv;
-}
-
-SECStatus
-CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair)
-{
- PORT_Assert(inCertKeyPair != NULL);
- if (inCertKeyPair != NULL) {
- cmmf_DestroyCertOrEncCert(&inCertKeyPair->certOrEncCert, PR_FALSE);
- }
- if (inCertKeyPair->privateKey) {
- crmf_destroy_encrypted_value(inCertKeyPair->privateKey, PR_TRUE);
- }
- if (inCertKeyPair->derPublicationInfo.data) {
- PORT_Free(inCertKeyPair->derPublicationInfo.data);
- }
- PORT_Free(inCertKeyPair);
- return SECSuccess;
-}
-
-SECStatus
-cmmf_CopyCertResponse(PRArenaPool *poolp,
- CMMFCertResponse *dest,
- CMMFCertResponse *src)
-{
- SECStatus rv;
-
- if (src->certReqId.data != NULL) {
- rv = SECITEM_CopyItem(poolp, &dest->certReqId, &src->certReqId);
- if (rv != SECSuccess) {
- return rv;
- }
- }
- rv = cmmf_CopyPKIStatusInfo(poolp, &dest->status, &src->status);
- if (rv != SECSuccess) {
- return rv;
- }
- if (src->certifiedKeyPair != NULL) {
- dest->certifiedKeyPair = (poolp == NULL) ?
- PORT_ZNew(CMMFCertifiedKeyPair) :
- PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
- if (dest->certifiedKeyPair == NULL) {
- return SECFailure;
- }
- rv = cmmf_CopyCertifiedKeyPair(poolp, dest->certifiedKeyPair,
- src->certifiedKeyPair);
- if (rv != SECSuccess) {
- return rv;
- }
- }
- return SECSuccess;
-}
-
-static SECStatus
-cmmf_CopyCertOrEncCert(PRArenaPool *poolp, CMMFCertOrEncCert *dest,
- CMMFCertOrEncCert *src)
-{
- SECStatus rv = SECSuccess;
- CRMFEncryptedValue *encVal;
-
- dest->choice = src->choice;
- rv = cmmf_copy_secitem(poolp, &dest->derValue, &src->derValue);
- switch (src->choice) {
- case cmmfCertificate:
- dest->cert.certificate = CERT_DupCertificate(src->cert.certificate);
- break;
- case cmmfEncryptedCert:
- dest->cert.encryptedCert = encVal = (poolp == NULL) ?
- PORT_ZNew(CRMFEncryptedValue) :
- PORT_ArenaZNew(poolp, CRMFEncryptedValue);
- if (encVal == NULL) {
- return SECFailure;
- }
- rv = crmf_copy_encryptedvalue(poolp, src->cert.encryptedCert, encVal);
- if (rv != SECSuccess) {
- return rv;
- }
- break;
- default:
- rv = SECFailure;
- }
- return rv;
-}
-
-SECStatus
-cmmf_CopyCertifiedKeyPair(PRArenaPool *poolp, CMMFCertifiedKeyPair *dest,
- CMMFCertifiedKeyPair *src)
-{
- SECStatus rv;
-
- rv = cmmf_CopyCertOrEncCert(poolp, &dest->certOrEncCert,
- &src->certOrEncCert);
- if (rv != SECSuccess) {
- return rv;
- }
-
- if (src->privateKey != NULL) {
- CRMFEncryptedValue *encVal;
-
- encVal = dest->privateKey = (poolp == NULL) ?
- PORT_ZNew(CRMFEncryptedValue) :
- PORT_ArenaZNew(poolp, CRMFEncryptedValue);
- if (encVal == NULL) {
- return SECFailure;
- }
- rv = crmf_copy_encryptedvalue(poolp, src->privateKey,
- dest->privateKey);
- if (rv != SECSuccess) {
- return rv;
- }
- }
- rv = cmmf_copy_secitem(poolp, &dest->derPublicationInfo,
- &src->derPublicationInfo);
- return rv;
-}
-
-SECStatus
-cmmf_CopyPKIStatusInfo(PRArenaPool *poolp, CMMFPKIStatusInfo *dest,
- CMMFPKIStatusInfo *src)
-{
- SECStatus rv;
-
- rv = cmmf_copy_secitem (poolp, &dest->status, &src->status);
- if (rv != SECSuccess) {
- return rv;
- }
- rv = cmmf_copy_secitem (poolp, &dest->statusString, &src->statusString);
- if (rv != SECSuccess) {
- return rv;
- }
- rv = cmmf_copy_secitem (poolp, &dest->failInfo, &src->failInfo);
- return rv;
-}
-
-CERTCertificate*
-cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
- CERTCertDBHandle *certdb)
-{
- if (certOrEncCert->choice != cmmfCertificate ||
- certOrEncCert->cert.certificate == NULL) {
- return NULL;
- }
- return CERT_NewTempCertificate(certdb,
- &certOrEncCert->cert.certificate->derCert,
- NULL, PR_FALSE, PR_TRUE);
-}
-
-SECStatus
-cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo *statusInfo,
- PRArenaPool *poolp,
- CMMFPKIStatus inStatus)
-{
- SECItem *dummy;
-
- if (inStatus <cmmfGranted || inStatus >= cmmfNumPKIStatus) {
- return SECFailure;
- }
-
- dummy = SEC_ASN1EncodeInteger(poolp, &statusInfo->status, inStatus);
- PORT_Assert(dummy == &statusInfo->status);
- if (dummy != &statusInfo->status) {
- SECITEM_FreeItem(dummy, PR_TRUE);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-
diff --git a/security/nss/lib/crmf/servget.c b/security/nss/lib/crmf/servget.c
deleted file mode 100644
index b80454494..000000000
--- a/security/nss/lib/crmf/servget.c
+++ /dev/null
@@ -1,1007 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "keyhi.h"
-
-CRMFEncryptedKeyChoice
-CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey)
-{
- PORT_Assert(inEncrKey != NULL);
- if (inEncrKey == NULL) {
- return crmfNoEncryptedKeyChoice;
- }
- return inEncrKey->encKeyChoice;
-}
-
-CRMFEncryptedValue*
-CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inEncrKey)
-{
- CRMFEncryptedValue *newEncrValue = NULL;
- SECStatus rv;
-
- PORT_Assert(inEncrKey != NULL);
- if (inEncrKey == NULL ||
- CRMF_EncryptedKeyGetChoice(inEncrKey) != crmfEncryptedValueChoice) {
- goto loser;
- }
- newEncrValue = PORT_ZNew(CRMFEncryptedValue);
- if (newEncrValue == NULL) {
- goto loser;
- }
- rv = crmf_copy_encryptedvalue(NULL, &inEncrKey->value.encryptedValue,
- newEncrValue);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newEncrValue;
- loser:
- if (newEncrValue != NULL) {
- CRMF_DestroyEncryptedValue(newEncrValue);
- }
- return NULL;
-}
-
-static SECItem*
-crmf_get_encvalue_bitstring(SECItem *srcItem)
-{
- SECItem *newItem = NULL;
- SECStatus rv;
-
- if (srcItem->data == NULL) {
- return NULL;
- }
- newItem = PORT_ZNew(SECItem);
- if (newItem == NULL) {
- goto loser;
- }
- rv = crmf_make_bitstring_copy(NULL, newItem, srcItem);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newItem;
- loser:
- if (newItem != NULL) {
- SECITEM_FreeItem(newItem, PR_TRUE);
- }
- return NULL;
-}
-
-SECItem*
-CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue)
-{
- if (inEncValue == NULL) {
- return NULL;
- }
- return crmf_get_encvalue_bitstring(&inEncValue->encSymmKey);
-}
-
-SECItem*
-CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncrValue)
-{
- if (inEncrValue == NULL || inEncrValue->encValue.data == NULL) {
- return NULL;
- }
- return crmf_get_encvalue_bitstring(&inEncrValue->encValue);
-}
-
-static SECAlgorithmID*
-crmf_get_encvalue_algid(SECAlgorithmID *srcAlg)
-{
- SECStatus rv;
- SECAlgorithmID *newAlgID;
-
- if (srcAlg == NULL) {
- return NULL;
- }
- rv = crmf_copy_encryptedvalue_secalg(NULL, srcAlg, &newAlgID);
- if (rv != SECSuccess) {
- return NULL;
- }
- return newAlgID;
-}
-
-SECAlgorithmID*
-CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue)
-{
- if (inEncValue == NULL) {
- return NULL;
- }
- return crmf_get_encvalue_algid(inEncValue->intendedAlg);
-}
-
-SECAlgorithmID*
-CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue)
-{
- if (inEncValue == NULL) {
- return NULL;
- }
- return crmf_get_encvalue_algid(inEncValue->keyAlg);
-}
-
-SECAlgorithmID*
-CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue)
-{
- if (inEncValue == NULL) {
- return NULL;
- }
- return crmf_get_encvalue_algid(inEncValue->symmAlg);
-}
-
-SECItem*
-CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue)
-{
- if (inEncValue == NULL || inEncValue->valueHint.data == NULL) {
- return NULL;
- }
- return SECITEM_DupItem(&inEncValue->valueHint);
-}
-
-SECStatus
-CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
- PRBool *destVal)
-{
- if (inOpt == NULL || destVal == NULL ||
- CRMF_PKIArchiveOptionsGetOptionType(inOpt) != crmfArchiveRemGenPrivKey){
- return SECFailure;
- }
- *destVal = (inOpt->option.archiveRemGenPrivKey.data[0] == hexFalse)
- ? PR_FALSE:
- PR_TRUE;
- return SECSuccess;
-}
-
-CRMFEncryptedKey*
-CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts)
-{
- CRMFEncryptedKey *newEncrKey = NULL;
- SECStatus rv;
-
- PORT_Assert(inOpts != NULL);
- if (inOpts == NULL ||
- CRMF_PKIArchiveOptionsGetOptionType(inOpts) != crmfEncryptedPrivateKey){
- return NULL;
- }
- newEncrKey = PORT_ZNew(CRMFEncryptedKey);
- if (newEncrKey == NULL) {
- goto loser;
- }
- rv = crmf_copy_encryptedkey(NULL, &inOpts->option.encryptedKey,
- newEncrKey);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newEncrKey;
- loser:
- if (newEncrKey != NULL) {
- CRMF_DestroyEncryptedKey(newEncrKey);
- }
- return NULL;
-}
-
-SECItem*
-CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions)
-{
- if (inOptions == NULL ||
- CRMF_PKIArchiveOptionsGetOptionType(inOptions) != crmfKeyGenParameters ||
- inOptions->option.keyGenParameters.data == NULL) {
- return NULL;
- }
- return SECITEM_DupItem(&inOptions->option.keyGenParameters);
-}
-
-CRMFPKIArchiveOptionsType
-CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions)
-{
- PORT_Assert (inOptions != NULL);
- if (inOptions == NULL) {
- return crmfNoArchiveOptions;
- }
- return inOptions->archOption;
-}
-
-static SECStatus
-crmf_extract_long_from_item(SECItem *intItem, long *destLong)
-{
- *destLong = DER_GetInteger(intItem);
- return (*destLong == -1) ? SECFailure : SECSuccess;
-}
-
-SECStatus
-CRMF_POPOPrivGetKeySubseqMess(CRMFPOPOPrivKey *inKey,
- CRMFSubseqMessOptions *destOpt)
-{
- long value;
- SECStatus rv;
-
- PORT_Assert(inKey != NULL);
- if (inKey == NULL ||
- inKey->messageChoice != crmfSubsequentMessage) {
- return SECFailure;
- }
- rv = crmf_extract_long_from_item(&inKey->message.subsequentMessage,&value);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- switch (value) {
- case 0:
- *destOpt = crmfEncrCert;
- break;
- case 1:
- *destOpt = crmfChallengeResp;
- break;
- default:
- rv = SECFailure;
- }
- if (rv != SECSuccess) {
- return rv;
- }
- return SECSuccess;
-}
-
-CRMFPOPOPrivKeyChoice
-CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inPrivKey)
-{
- PORT_Assert(inPrivKey != NULL);
- if (inPrivKey != NULL) {
- return inPrivKey->messageChoice;
- }
- return crmfNoMessage;
-}
-
-SECStatus
-CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey, SECItem *destMAC)
-{
- PORT_Assert(inKey != NULL);
- if (inKey == NULL || inKey->message.dhMAC.data == NULL) {
- return SECFailure;
- }
- return crmf_make_bitstring_copy(NULL, destMAC, &inKey->message.dhMAC);
-}
-
-SECStatus
-CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey *inKey,
- SECItem *destString)
-{
- PORT_Assert(inKey != NULL);
- if (inKey == NULL ||
- inKey->messageChoice != crmfThisMessage) {
- return SECFailure;
- }
-
- return crmf_make_bitstring_copy(NULL, destString,
- &inKey->message.thisMessage);
-}
-
-SECAlgorithmID*
-CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey)
-{
- SECAlgorithmID *newAlgId = NULL;
- SECStatus rv;
-
- PORT_Assert(inSignKey != NULL);
- if (inSignKey == NULL) {
- return NULL;
- }
- newAlgId = PORT_ZNew(SECAlgorithmID);
- if (newAlgId == NULL) {
- goto loser;
- }
- rv = SECOID_CopyAlgorithmID(NULL, newAlgId,
- inSignKey->algorithmIdentifier);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newAlgId;
-
- loser:
- if (newAlgId != NULL) {
- SECOID_DestroyAlgorithmID(newAlgId, PR_TRUE);
- }
- return NULL;
-}
-
-SECItem*
-CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey)
-{
- PORT_Assert(inSignKey != NULL);
- if (inSignKey == NULL || inSignKey->derInput.data == NULL) {
- return NULL;
- }
- return SECITEM_DupItem(&inSignKey->derInput);
-}
-
-SECItem*
-CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey)
-{
- SECItem *newSig = NULL;
- SECStatus rv;
-
- PORT_Assert(inSignKey != NULL);
- if (inSignKey == NULL) {
- return NULL;
- }
- newSig = PORT_ZNew(SECItem);
- if (newSig == NULL) {
- goto loser;
- }
- rv = crmf_make_bitstring_copy(NULL, newSig, &inSignKey->signature);
- if (rv != SECSuccess) {
- goto loser;
- }
- return newSig;
- loser:
- if (newSig != NULL) {
- SECITEM_FreeItem(newSig, PR_TRUE);
- }
- return NULL;
-}
-
-static SECStatus
-crmf_copy_poposigningkey(PRArenaPool *poolp,
- CRMFPOPOSigningKey *inPopoSignKey,
- CRMFPOPOSigningKey *destPopoSignKey)
-{
- SECStatus rv;
-
- /* We don't support use of the POPOSigningKeyInput, so we'll only
- * store away the DER encoding.
- */
- if (inPopoSignKey->derInput.data != NULL) {
- rv = SECITEM_CopyItem(poolp, &destPopoSignKey->derInput,
- &inPopoSignKey->derInput);
- }
- destPopoSignKey->algorithmIdentifier = (poolp == NULL) ?
- PORT_ZNew(SECAlgorithmID) :
- PORT_ArenaZNew(poolp, SECAlgorithmID);
-
- if (destPopoSignKey->algorithmIdentifier == NULL) {
- goto loser;
- }
- rv = SECOID_CopyAlgorithmID(poolp, destPopoSignKey->algorithmIdentifier,
- inPopoSignKey->algorithmIdentifier);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = crmf_make_bitstring_copy(poolp, &destPopoSignKey->signature,
- &inPopoSignKey->signature);
- if (rv != SECSuccess) {
- goto loser;
- }
- return SECSuccess;
- loser:
- if (destPopoSignKey && poolp == NULL) {
- CRMF_DestroyPOPOSigningKey(destPopoSignKey);
- }
- return SECFailure;
-}
-
-static SECStatus
-crmf_copy_popoprivkey(PRArenaPool *poolp,
- CRMFPOPOPrivKey *srcPrivKey,
- CRMFPOPOPrivKey *destPrivKey)
-{
- SECStatus rv;
-
- destPrivKey->messageChoice = srcPrivKey->messageChoice;
- switch (destPrivKey->messageChoice) {
- case crmfThisMessage:
- case crmfDHMAC:
- /* I've got a union, so taking the address of one, will also give
- * me a pointer to the other (eg, message.dhMAC)
- */
- rv = crmf_make_bitstring_copy(poolp, &destPrivKey->message.thisMessage,
- &srcPrivKey->message.thisMessage);
- break;
- case crmfSubsequentMessage:
- rv = SECITEM_CopyItem(poolp, &destPrivKey->message.subsequentMessage,
- &srcPrivKey->message.subsequentMessage);
- break;
- default:
- rv = SECFailure;
- }
-
- if (rv != SECSuccess) {
- if (destPrivKey && poolp == NULL) {
- CRMF_DestroyPOPOPrivKey(destPrivKey);
- }
- return SECFailure;
- }
- return SECSuccess;
-}
-
-static CRMFProofOfPossession*
-crmf_copy_pop(PRArenaPool *poolp, CRMFProofOfPossession *srcPOP)
-{
- CRMFProofOfPossession *newPOP;
- SECStatus rv;
-
- /*
- * Proof Of Possession structures are always part of the Request
- * message, so there will always be an arena for allocating memory.
- */
- if (poolp == NULL) {
- return NULL;
- }
- newPOP = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
- if (newPOP == NULL) {
- return NULL;
- }
- switch (srcPOP->popUsed) {
- case crmfRAVerified:
- newPOP->popChoice.raVerified.data = NULL;
- newPOP->popChoice.raVerified.len = 0;
- break;
- case crmfSignature:
- rv = crmf_copy_poposigningkey(poolp, &srcPOP->popChoice.signature,
- &newPOP->popChoice.signature);
- if (rv != SECSuccess) {
- goto loser;
- }
- break;
- case crmfKeyEncipherment:
- case crmfKeyAgreement:
- /* We've got a union, so a pointer to one, is a pointer to the
- * other one.
- */
- rv = crmf_copy_popoprivkey(poolp, &srcPOP->popChoice.keyEncipherment,
- &newPOP->popChoice.keyEncipherment);
- if (rv != SECSuccess) {
- goto loser;
- }
- break;
- default:
- goto loser;
- }
- newPOP->popUsed = srcPOP->popUsed;
- return newPOP;
-
- loser:
- return NULL;
-}
-
-static CRMFCertReqMsg*
-crmf_copy_cert_req_msg(CRMFCertReqMsg *srcReqMsg)
-{
- CRMFCertReqMsg *newReqMsg;
- PRArenaPool *poolp;
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- return NULL;
- }
- newReqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
- newReqMsg->poolp = poolp;
- if (newReqMsg == NULL) {
- goto loser;
- }
- newReqMsg->certReq = crmf_copy_cert_request(poolp, srcReqMsg->certReq);
- if (newReqMsg->certReq == NULL) {
- goto loser;
- }
- newReqMsg->pop = crmf_copy_pop(poolp, srcReqMsg->pop);
- if (newReqMsg->pop == NULL) {
- goto loser;
- }
- /* None of my set/get routines operate on the regInfo field, so
- * for now, that won't get copied over.
- */
- return newReqMsg;
-
- loser:
- if (newReqMsg != NULL) {
- CRMF_DestroyCertReqMsg(newReqMsg);
- }
- return NULL;
-}
-
-CRMFCertReqMsg*
-CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
- int index)
-{
- int numMsgs;
-
- PORT_Assert(inReqMsgs != NULL && index >= 0);
- if (inReqMsgs == NULL) {
- return NULL;
- }
- numMsgs = CRMF_CertReqMessagesGetNumMessages(inReqMsgs);
- if (index < 0 || index >= numMsgs) {
- return NULL;
- }
- return crmf_copy_cert_req_msg(inReqMsgs->messages[index]);
-}
-
-int
-CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs)
-{
- int numMessages = 0;
-
- PORT_Assert(inCertReqMsgs != NULL);
- if (inCertReqMsgs == NULL) {
- return 0;
- }
- while (inCertReqMsgs->messages[numMessages] != NULL) {
- numMessages++;
- }
- return numMessages;
-}
-
-CRMFCertRequest*
-CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg)
-{
- PRArenaPool *poolp = NULL;
- CRMFCertRequest *newCertReq = NULL;
-
- PORT_Assert(inCertReqMsg != NULL);
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
- goto loser;
- }
- newCertReq = crmf_copy_cert_request(poolp, inCertReqMsg->certReq);
- if (newCertReq == NULL) {
- goto loser;
- }
- newCertReq->poolp = poolp;
- return newCertReq;
- loser:
- if (poolp != NULL) {
- PORT_FreeArena(poolp, PR_FALSE);
- }
- return NULL;
-}
-
-SECStatus
-CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, long *destID)
-{
- PORT_Assert(inCertReqMsg != NULL && destID != NULL);
- if (inCertReqMsg == NULL || inCertReqMsg->certReq == NULL) {
- return SECFailure;
- }
- return crmf_extract_long_from_item(&inCertReqMsg->certReq->certReqId,
- destID);
-}
-
-SECStatus
-CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKey **destKey)
-{
- PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
- if (inCertReqMsg == NULL || destKey == NULL ||
- CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyAgreement) {
- return SECFailure;
- }
- *destKey = PORT_ZNew(CRMFPOPOPrivKey);
- if (*destKey == NULL) {
- return SECFailure;
- }
- return crmf_copy_popoprivkey(NULL,
- &inCertReqMsg->pop->popChoice.keyAgreement,
- *destKey);
-}
-
-SECStatus
-CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOPrivKey **destKey)
-{
- PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
- if (inCertReqMsg == NULL || destKey == NULL ||
- CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyEncipherment) {
- return SECFailure;
- }
- *destKey = PORT_ZNew(CRMFPOPOPrivKey);
- if (destKey == NULL) {
- return SECFailure;
- }
- return crmf_copy_popoprivkey(NULL,
- &inCertReqMsg->pop->popChoice.keyEncipherment,
- *destKey);
-}
-
-SECStatus
-CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg *inCertReqMsg,
- CRMFPOPOSigningKey **destKey)
-{
- CRMFProofOfPossession *pop;
- PORT_Assert(inCertReqMsg != NULL);
- if (inCertReqMsg == NULL) {
- return SECFailure;
- }
- pop = inCertReqMsg->pop;;
- if (pop->popUsed != crmfSignature) {
- return SECFailure;
- }
- *destKey = PORT_ZNew(CRMFPOPOSigningKey);
- if (*destKey == NULL) {
- return SECFailure;
- }
- return crmf_copy_poposigningkey(NULL,&pop->popChoice.signature, *destKey);
-}
-
-static SECStatus
-crmf_copy_name(CERTName *destName, CERTName *srcName)
-{
- PRArenaPool *poolp = NULL;
- SECStatus rv;
-
- if (destName->arena != NULL) {
- poolp = destName->arena;
- } else {
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- }
- if (poolp == NULL) {
- return SECFailure;
- }
- /* Need to do this so that CERT_CopyName doesn't free out
- * the arena from underneath us.
- */
- destName->arena = NULL;
- rv = CERT_CopyName(poolp, destName, srcName);
- destName->arena = poolp;
- return rv;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
- CERTName *destIssuer)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuer)) {
- return crmf_copy_name(destIssuer,
- inCertReq->certTemplate.issuer);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
- SECItem *destIssuerUID)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuerUID)) {
- return crmf_make_bitstring_copy(NULL, destIssuerUID,
- &inCertReq->certTemplate.issuerUID);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
- CERTSubjectPublicKeyInfo *destPublicKey)
-{
- PORT_Assert (inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfPublicKey)) {
- return SECKEY_CopySubjectPublicKeyInfo(NULL, destPublicKey,
- inCertReq->certTemplate.publicKey);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
- long *serialNumber)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfSerialNumber)) {
- return
- crmf_extract_long_from_item(&inCertReq->certTemplate.serialNumber,
- serialNumber);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
- SECAlgorithmID *destAlg)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfSigningAlg)) {
- return SECOID_CopyAlgorithmID(NULL, destAlg,
- inCertReq->certTemplate.signingAlg);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSubject(CRMFCertRequest *inCertReq,
- CERTName *destSubject)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfSubject)) {
- return crmf_copy_name(destSubject, inCertReq->certTemplate.subject);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
- SECItem *destSubjectUID)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfSubjectUID)) {
- return crmf_make_bitstring_copy(NULL, destSubjectUID,
- &inCertReq->certTemplate.subjectUID);
- }
- return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq,
- long *version)
-{
- PORT_Assert (inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfVersion)) {
- return crmf_extract_long_from_item(&inCertReq->certTemplate.version,
- version);
- }
- return SECFailure;
-}
-
-static SECStatus
-crmf_copy_validity(CRMFGetValidity *destValidity,
- CRMFOptionalValidity *src)
-{
- SECStatus rv;
-
- destValidity->notBefore = destValidity->notAfter = NULL;
- if (src->notBefore.data != NULL) {
- rv = crmf_create_prtime(&src->notBefore,
- &destValidity->notBefore);
- if (rv != SECSuccess) {
- return rv;
- }
- }
- if (src->notAfter.data != NULL) {
- rv = crmf_create_prtime(&src->notAfter,
- &destValidity->notAfter);
- if (rv != SECSuccess) {
- return rv;
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
- CRMFGetValidity *destValidity)
-{
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return SECFailure;
- }
- if (CRMF_DoesRequestHaveField(inCertReq, crmfValidity)) {
- return crmf_copy_validity(destValidity,
- inCertReq->certTemplate.validity);
- }
- return SECFailure;
-}
-
-CRMFControl*
-CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, int index)
-{
- CRMFControl *newControl, *srcControl;
- int numControls;
- SECStatus rv;
-
- PORT_Assert(inCertReq != NULL);
- if (inCertReq == NULL) {
- return NULL;
- }
- numControls = CRMF_CertRequestGetNumControls(inCertReq);
- if (index >= numControls || index < 0) {
- return NULL;
- }
- newControl = PORT_ZNew(CRMFControl);
- if (newControl == NULL) {
- return NULL;
- }
- srcControl = inCertReq->controls[index];
- newControl->tag = srcControl->tag;
- rv = SECITEM_CopyItem (NULL, &newControl->derTag, &srcControl->derTag);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- rv = SECITEM_CopyItem(NULL, &newControl->derValue,
- &srcControl->derValue);
- if (rv != SECSuccess) {
- goto loser;
- }
- /* Copy over the PKIArchiveOptions stuff */
- switch (srcControl->tag) {
- case SEC_OID_PKIX_REGCTRL_REGTOKEN:
- case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
- /* No further processing necessary for these types. */
- rv = SECSuccess;
- break;
- case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
- case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
- case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
- /* These aren't supported yet, so no post-processing will
- * be done at this time. But we don't want to fail in case
- * we read in DER that has one of these options.
- */
- rv = SECSuccess;
- break;
- case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
- rv = crmf_copy_pkiarchiveoptions(NULL,
- &newControl->value.archiveOptions,
- &srcControl->value.archiveOptions);
- break;
- default:
- rv = SECFailure;
- }
- if (rv != SECSuccess) {
- goto loser;
- }
- return newControl;
- loser:
- if (newControl != NULL) {
- CRMF_DestroyControl(newControl);
- }
- return NULL;
-}
-
-static SECItem*
-crmf_copy_control_value(CRMFControl *inControl)
-{
- return SECITEM_DupItem(&inControl->derValue);
-}
-
-SECItem*
-CRMF_ControlGetAuthenticatorControlValue(CRMFControl *inControl)
-{
- PORT_Assert (inControl!= NULL);
- if (inControl == NULL ||
- CRMF_ControlGetControlType(inControl) != crmfAuthenticatorControl) {
- return NULL;
- }
- return crmf_copy_control_value(inControl);
-}
-
-CRMFControlType
-CRMF_ControlGetControlType(CRMFControl *inControl)
-{
- CRMFControlType retType;
-
- PORT_Assert(inControl != NULL);
- switch (inControl->tag) {
- case SEC_OID_PKIX_REGCTRL_REGTOKEN:
- retType = crmfRegTokenControl;
- break;
- case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
- retType = crmfAuthenticatorControl;
- break;
- case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
- retType = crmfPKIPublicationInfoControl;
- break;
- case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
- retType = crmfPKIArchiveOptionsControl;
- break;
- case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
- retType = crmfOldCertIDControl;
- break;
- case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
- retType = crmfProtocolEncrKeyControl;
- break;
- default:
- retType = crmfNoControl;
- }
- return retType;
-}
-
-CRMFPKIArchiveOptions*
-CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl)
-{
- CRMFPKIArchiveOptions *newOpt = NULL;
- SECStatus rv;
-
- PORT_Assert(inControl != NULL);
- if (inControl == NULL ||
- CRMF_ControlGetControlType(inControl) != crmfPKIArchiveOptionsControl){
- goto loser;
- }
- newOpt = PORT_ZNew(CRMFPKIArchiveOptions);
- if (newOpt == NULL) {
- goto loser;
- }
- rv = crmf_copy_pkiarchiveoptions(NULL, newOpt,
- &inControl->value.archiveOptions);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- loser:
- if (newOpt != NULL) {
- CRMF_DestroyPKIArchiveOptions(newOpt);
- }
- return NULL;
-}
-
-SECItem*
-CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl)
-{
- PORT_Assert(inControl != NULL);
- if (inControl == NULL ||
- CRMF_ControlGetControlType(inControl) != crmfRegTokenControl) {
- return NULL;
- }
- return crmf_copy_control_value(inControl);;
-}
-
-CRMFCertExtension*
-CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
- int index)
-{
- int numExtensions;
-
- PORT_Assert(inCertReq != NULL);
- numExtensions = CRMF_CertRequestGetNumberOfExtensions(inCertReq);
- if (index >= numExtensions || index < 0) {
- return NULL;
- }
- return
- crmf_copy_cert_extension(NULL,
- inCertReq->certTemplate.extensions[index]);
-}
-
diff --git a/security/nss/lib/cryptohi/Makefile b/security/nss/lib/cryptohi/Makefile
deleted file mode 100644
index ced902117..000000000
--- a/security/nss/lib/cryptohi/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-export:: private_export
-
diff --git a/security/nss/lib/cryptohi/config.mk b/security/nss/lib/cryptohi/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/cryptohi/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
deleted file mode 100644
index 07d8057c7..000000000
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * crypto.h - public data structures and prototypes for the crypto library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _CRYPTOHI_H_
-#define _CRYPTOHI_H_
-
-#include "blapi.h"
-
-#include "mcom_db.h"
-
-#include "seccomon.h"
-#include "secrngt.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "cryptoht.h"
-#include "keyt.h"
-#include "certt.h"
-
-
-SEC_BEGIN_PROTOS
-
-
-/****************************************/
-/*
-** DER encode/decode DSA signatures
-*/
-
-/* ANSI X9.57 defines DSA signatures as DER encoded data. Our DSA code (and
- * most of the rest of the world) just generates 40 bytes of raw data. These
- * functions convert between formats.
- */
-extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src);
-extern SECItem *DSAU_DecodeDerSig(SECItem *item);
-
-
-
-/****************************************/
-/*
-** Signature creation operations
-*/
-
-/*
-** Create a new signature context used for signing a data stream.
-** "alg" the signature algorithm to use (e.g. SEC_OID_RSA_WITH_MD5)
-** "privKey" the private key to use
-*/
-extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
-
-/*
-** Destroy a signature-context object
-** "key" the object
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit);
-
-/*
-** Reset the signing context "cx" to its initial state, preparing it for
-** another stream of data.
-*/
-extern SECStatus SGN_Begin(SGNContext *cx);
-
-/*
-** Update the signing context with more data to sign.
-** "cx" the context
-** "input" the input data to sign
-** "inputLen" the length of the input data
-*/
-extern SECStatus SGN_Update(SGNContext *cx, unsigned char *input,
- unsigned int inputLen);
-
-/*
-** Finish the signature process. Use either k0 or k1 to sign the data
-** stream that was input using SGN_Update. The resulting signature is
-** formatted using PKCS#1 and then encrypted using RSA private or public
-** encryption.
-** "cx" the context
-** "result" the final signature data (memory is allocated)
-*/
-extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
-
-/*
-** Sign a single block of data using private key encryption and given
-** signature/hash algorithm.
-** "result" the final signature data (memory is allocated)
-** "buf" the input data to sign
-** "len" the amount of data to sign
-** "pk" the private key to encrypt with
-** "algid" the signature/hash algorithm to sign with
-** (must be compatible with the key type).
-*/
-extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
- SECKEYPrivateKey *pk, SECOidTag algid);
-
-/*
-** Sign a pre-digested block of data using private key encryption, encoding
-** The given signature/hash algorithm.
-** "result" the final signature data (memory is allocated)
-** "digest" the digest to sign
-** "pk" the private key to encrypt with
-** "algtag" The algorithm tag to encode (need for RSA only)
-*/
-extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
- SECOidTag algtag, SECItem *result, SECItem *digest);
-
-/*
-** DER sign a single block of data using private key encryption and the
-** MD5 hashing algorithm. This routine first computes a digital signature
-** using SEC_SignData, then wraps it with an CERTSignedData and then der
-** encodes the result.
-** "arena" is the memory arena to use to allocate data from
-** "result" the final der encoded data (memory is allocated)
-** "buf" the input data to sign
-** "len" the amount of data to sign
-** "pk" the private key to encrypt with
-*/
-extern SECStatus SEC_DerSignData(PRArenaPool *arena, SECItem *result,
- unsigned char *buf, int len,
- SECKEYPrivateKey *pk, SECOidTag algid);
-
-/*
-** Destroy a signed-data object.
-** "sd" the object
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
-
-/****************************************/
-/*
-** Signature verification operations
-*/
-
-/*
-** Create a signature verification context.
-** "key" the public key to verify with
-** "sig" the encrypted signature data
-** "algid" specifies the signing algorithm to use. This must match
-** the key type.
-** "wincx" void pointer to the window context
-*/
-extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig,
- SECOidTag algid, void *wincx);
-
-/*
-** Destroy a verification-context object.
-** "cx" the context to destroy
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit);
-
-extern SECStatus VFY_Begin(VFYContext *cx);
-
-/*
-** Update a verification context with more input data. The input data
-** is fed to a secure hash function (depending on what was in the
-** encrypted signature data).
-** "cx" the context
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-extern SECStatus VFY_Update(VFYContext *cx, unsigned char *input,
- unsigned int inputLen);
-
-/*
-** Finish the verification process. The return value is a status which
-** indicates success or failure. On success, the SECSuccess value is
-** returned. Otherwise, SECFailure is returned and the error code found
-** using PORT_GetError() indicates what failure occurred.
-** "cx" the context
-*/
-extern SECStatus VFY_End(VFYContext *cx);
-
-/*
-** Verify the signature on a block of data for which we already have
-** the digest. The signature data is an RSA private key encrypted
-** block of data formatted according to PKCS#1.
-** "dig" the digest
-** "key" the public key to check the signature with
-** "sig" the encrypted signature data
-** "algid" specifies the signing algorithm to use. This must match
-** the key type.
-**/
-extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key,
- SECItem *sig, SECOidTag algid, void *wincx);
-
-/*
-** Verify the signature on a block of data. The signature data is an RSA
-** private key encrypted block of data formatted according to PKCS#1.
-** "buf" the input data
-** "len" the length of the input data
-** "key" the public key to check the signature with
-** "sig" the encrypted signature data
-** "algid" specifies the signing algorithm to use. This must match
-** the key type.
-*/
-extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
- SECKEYPublicKey *key, SECItem *sig,
- SECOidTag algid, void *wincx);
-
-
-SEC_END_PROTOS
-
-#endif /* _CRYPTOHI_H_ */
diff --git a/security/nss/lib/cryptohi/cryptoht.h b/security/nss/lib/cryptohi/cryptoht.h
deleted file mode 100644
index 3116db279..000000000
--- a/security/nss/lib/cryptohi/cryptoht.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * cryptoht.h - public data structures for the crypto library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _CRYPTOHT_H_
-#define _CRYPTOHT_H_
-
-typedef struct SGNContextStr SGNContext;
-typedef struct VFYContextStr VFYContext;
-
-
-#endif /* _CRYPTOHT_H_ */
diff --git a/security/nss/lib/cryptohi/dsautil.c b/security/nss/lib/cryptohi/dsautil.c
deleted file mode 100644
index ed6f9cec8..000000000
--- a/security/nss/lib/cryptohi/dsautil.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "secasn1.h"
-#include "secitem.h"
-#include "prerr.h"
-
-#ifndef DSA_SUBPRIME_LEN
-#define DSA_SUBPRIME_LEN 20 /* bytes */
-#endif
-
-typedef struct {
- SECItem r;
- SECItem s;
-} DSA_ASN1Signature;
-
-const SEC_ASN1Template DSA_SignatureTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DSA_ASN1Signature) },
- { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,r) },
- { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,s) },
- { 0, }
-};
-
-/* Input is variable length multi-byte integer, MSB first (big endian).
-** Most signficant bit of first byte is NOT treated as a sign bit.
-** May be one or more leading bytes of zeros.
-** Output is variable length multi-byte integer, MSB first (big endian).
-** Most significant bit of first byte will be zero (positive sign bit)
-** No more than one leading zero byte.
-** Caller supplies dest buffer, and assures that it is long enough,
-** e.g. at least one byte longer that src's buffer.
-*/
-void
-DSAU_ConvertUnsignedToSigned(SECItem *dest, SECItem *src)
-{
- unsigned char *pSrc = src->data;
- unsigned char *pDst = dest->data;
- unsigned int cntSrc = src->len;
- unsigned int cntDst = dest->len;
- unsigned char c;
-
- /* skip any leading zeros. */
- while (cntSrc && !(c = *pSrc)) {
- pSrc++;
- cntSrc--;
- }
- if (!cntSrc) {
- *pDst = 0;
- dest->len = 1;
- return;
- }
-
- if (c & 0x80)
- *pDst++ = 0;
-
- PORT_Memcpy(pDst, pSrc, cntSrc);
- dest->len = (pDst - dest->data) + cntSrc;
-}
-
-/*
-** src is a buffer holding a signed variable length integer.
-** dest is a buffer which will be filled with an unsigned integer,
-** MSB first (big endian) with leading zeros, so that the last byte
-** of src will be the LSB of the integer. The result will be exactly
-** the length specified by the caller in dest->len.
-** src can be shorter than dest. src can be longer than dst, but only
-** if the extra leading bytes are zeros.
-*/
-SECStatus
-DSAU_ConvertSignedToFixedUnsigned(SECItem *dest, SECItem *src)
-{
- unsigned char *pSrc = src->data;
- unsigned char *pDst = dest->data;
- unsigned int cntSrc = src->len;
- unsigned int cntDst = dest->len;
- int zCount = cntDst - cntSrc;
-
- if (zCount > 0) {
- PORT_Memset(pDst, 0, zCount);
- PORT_Memcpy(pDst + zCount, pSrc, cntSrc);
- return SECSuccess;
- }
- if (zCount <= 0) {
- /* Source is longer than destination. Check for leading zeros. */
- while (zCount++ < 0) {
- if (*pSrc++ != 0)
- goto loser;
- }
- }
- PORT_Memcpy(pDst, pSrc, cntDst);
- return SECSuccess;
-
-loser:
- PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
- return SECFailure;
-}
-
-/* src is a "raw" DSA signature, 20 bytes of r followed by 20 bytes of s.
-** dest is the signature DER encoded. ?
-*/
-SECStatus
-DSAU_EncodeDerSig(SECItem *dest, SECItem *src)
-{
- SECItem * item;
- SECItem srcItem;
- DSA_ASN1Signature sig;
- unsigned char signedR[DSA_SUBPRIME_LEN + 1];
- unsigned char signedS[DSA_SUBPRIME_LEN + 1];
-
- PORT_Memset(&sig, 0, sizeof(sig));
-
- PORT_Assert(src->len == 2 * DSA_SUBPRIME_LEN);
- if (src->len != 2 * DSA_SUBPRIME_LEN) {
- PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
- return SECFailure;
- }
-
- /* Must convert r and s from "unsigned" integers to "signed" integers.
- ** If the high order bit of the first byte (MSB) is 1, then must
- ** prepend with leading zero.
- ** Must remove all but one leading zero byte from numbers.
- */
- sig.r.data = signedR;
- sig.r.len = sizeof signedR;
- sig.s.data = signedS;
- sig.s.len = sizeof signedR;
-
- srcItem.data = src->data;
- srcItem.len = DSA_SUBPRIME_LEN;
-
- DSAU_ConvertUnsignedToSigned(&sig.r, &srcItem);
- srcItem.data += DSA_SUBPRIME_LEN;
- DSAU_ConvertUnsignedToSigned(&sig.s, &srcItem);
-
- item = SEC_ASN1EncodeItem(NULL, dest, &sig, DSA_SignatureTemplate);
- if (item == NULL)
- return SECFailure;
-
- /* XXX leak item? */
- return SECSuccess;
-}
-
-/* src is a DER-encoded DSA signature.
-** Returns a newly-allocated SECItem structure, pointing at a newly allocated
-** buffer containing the "raw" DSA signature, which is 20 bytes of r,
-** followed by 20 bytes of s.
-*/
-SECItem *
-DSAU_DecodeDerSig(SECItem *item)
-{
- SECItem * result = NULL;
- SECStatus status;
- DSA_ASN1Signature sig;
- SECItem dst;
-
- PORT_Memset(&sig, 0, sizeof(sig));
-
- result = PORT_ZNew(SECItem);
- if (result == NULL)
- goto loser;
-
- result->len = 2 * DSA_SUBPRIME_LEN;
- result->data = (unsigned char*)PORT_Alloc(2 * DSA_SUBPRIME_LEN);
- if (result->data == NULL)
- goto loser;
-
- status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item);
- if (status != SECSuccess)
- goto loser;
-
- /* Convert sig.r and sig.s from variable length signed integers to
- ** fixed length unsigned integers.
- */
- dst.data = result->data;
- dst.len = DSA_SUBPRIME_LEN;
- status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.r);
- if (status != SECSuccess)
- goto loser;
-
- dst.data += DSA_SUBPRIME_LEN;
- status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.s);
- if (status != SECSuccess)
- goto loser;
-
-done:
- if (sig.r.data != NULL)
- PORT_Free(sig.r.data);
- if (sig.s.data != NULL)
- PORT_Free(sig.s.data);
-
- return result;
-
-loser:
- if (result != NULL) {
- SECITEM_FreeItem(result, PR_TRUE);
- result = NULL;
- }
- goto done;
-}
diff --git a/security/nss/lib/cryptohi/hasht.h b/security/nss/lib/cryptohi/hasht.h
deleted file mode 100644
index 697520015..000000000
--- a/security/nss/lib/cryptohi/hasht.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * hasht.h - public data structures for the hashing library
- *
- * $Id$
- */
-
-#ifndef _HASHT_H_
-#define _HASHT_H_
-
-/* Opaque objects */
-typedef struct SECHashObjectStr SECHashObject;
-typedef struct HASHContextStr HASHContext;
-
-/*
- * The hash functions the security library supports
- * NOTE the order must match the definition of SECHashObjects[]!
- */
-typedef enum {
- HASH_AlgNULL,
- HASH_AlgMD2,
- HASH_AlgMD5,
- HASH_AlgSHA1,
- HASH_AlgTOTAL
-} HASH_HashType;
-
-/*
- * Number of bytes each hash algorithm produces
- */
-#define MD2_LENGTH 16
-#define MD5_LENGTH 16
-#define SHA1_LENGTH 20
-
-/*
- * Structure to hold hash computation info and routines
- */
-struct SECHashObjectStr {
- unsigned int length;
- void * (*create)(void);
- void * (*clone)(void *);
- void (*destroy)(void *, PRBool);
- void (*begin)(void *);
- void (*update)(void *, const unsigned char *, unsigned int);
- void (*end)(void *, unsigned char *, unsigned int *, unsigned int);
-};
-
-struct HASHContextStr {
- struct SECHashObjectStr *hashobj;
- void *hash_context;
-};
-
-extern SECHashObject SECHashObjects[];
-
-/*only those functions below the PKCS #11 line should use SECRawHashObjects*/
-extern SECHashObject SECRawHashObjects[];
-
-#endif /* _HASHT_H_ */
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
deleted file mode 100644
index 7e68cdb58..000000000
--- a/security/nss/lib/cryptohi/key.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * key.h - public data structures and prototypes for the private key library
- *
- * $Id$
- */
-
-#ifndef _KEY_H_
-#define _KEY_H_
-
-#include "keyhi.h"
-#include "keylow.h"
-
-#endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h
deleted file mode 100644
index 6c1a70546..000000000
--- a/security/nss/lib/cryptohi/keyhi.h
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * key.h - public data structures and prototypes for the private key library
- *
- * $Id$
- */
-
-#ifndef _KEYHI_H_
-#define _KEYHI_H_
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "keythi.h"
-#include "certt.h"
-#include "secpkcs5.h"
-
-SEC_BEGIN_PROTOS
-
-
-/*
-** Destroy a subject-public-key-info object.
-*/
-extern void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki);
-
-/*
-** Copy subject-public-key-info "src" to "dst". "dst" is filled in
-** appropriately (memory is allocated for each of the sub objects).
-*/
-extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
- CERTSubjectPublicKeyInfo *dst,
- CERTSubjectPublicKeyInfo *src);
-
-/*
-** Update the PQG parameters for a cert's public key.
-** Only done for DSA and Fortezza certs
-*/
-extern SECStatus
-SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
-
-
-/* Compare the KEA parameters of two public keys.
- * Only used by fortezza. */
-
-extern SECStatus
-SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2);
-
-/*
-** Return the strength of the public key
-*/
-extern unsigned SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk);
-
-
-/*
-** Make a copy of the private key "privKey"
-*/
-extern SECKEYPrivateKey *SECKEY_CopyPrivateKey(SECKEYPrivateKey *privKey);
-
-/*
-** Make a copy of the public key "pubKey"
-*/
-extern SECKEYPublicKey *SECKEY_CopyPublicKey(SECKEYPublicKey *pubKey);
-
-/*
-** Convert a private key "privateKey" into a public key
-*/
-extern SECKEYPublicKey *SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privateKey);
-
-/*
- * create a new RSA key pair. The public Key is returned...
- */
-SECKEYPrivateKey *SECKEY_CreateRSAPrivateKey(int keySizeInBits,
- SECKEYPublicKey **pubk, void *cx);
-/*
-** Create a subject-public-key-info based on a public key.
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *k);
-
-/*
-** Decode a DER encoded public key into an SECKEYPublicKey structure.
-*/
-extern SECKEYPublicKey *SECKEY_DecodeDERPublicKey(SECItem *pubkder);
-
-/*
-** Convert a base64 ascii encoded DER public key to our internal format.
-*/
-extern SECKEYPublicKey *SECKEY_ConvertAndDecodePublicKey(char *pubkstr);
-
-/*
-** Convert a base64 ascii encoded DER public key and challenge to spki,
-** and verify the signature and challenge data are correct
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
- void *cx);
-
-/*
-** Decode a DER encoded subject public key info into a
-** CERTSubjectPublicKeyInfo structure.
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider);
-
-/*
-** Convert a base64 ascii encoded DER subject public key info to our
-** internal format.
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr);
-
-/*
-** Destroy a private key object.
-** "key" the object
-*/
-extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key);
-
-/*
-** Destroy a public key object.
-** "key" the object
-*/
-extern void SECKEY_DestroyPublicKey(SECKEYPublicKey *key);
-
-/* Destroy and zero out a private key info structure. for now this
- * function zero's out memory allocated in an arena for the key
- * since PORT_FreeArena does not currently do this.
- *
- * NOTE -- If a private key info is allocated in an arena, one should
- * not call this function with freeit = PR_FALSE. The function should
- * destroy the arena.
- */
-extern void
-SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, PRBool freeit);
-
-/* Destroy and zero out an encrypted private key info.
- *
- * NOTE -- If a encrypted private key info is allocated in an arena, one should
- * not call this function with freeit = PR_FALSE. The function should
- * destroy the arena.
- */
-extern void
-SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
- PRBool freeit);
-
-/* Copy private key info structure.
- * poolp is the arena into which the contents of from is to be copied.
- * NULL is a valid entry.
- * to is the destination private key info
- * from is the source private key info
- * if either from or to is NULL or an error occurs, SECFailure is
- * returned. otherwise, SECSuccess is returned.
- */
-extern SECStatus
-SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
- SECKEYPrivateKeyInfo *to,
- SECKEYPrivateKeyInfo *from);
-
-/* Copy encrypted private key info structure.
- * poolp is the arena into which the contents of from is to be copied.
- * NULL is a valid entry.
- * to is the destination encrypted private key info
- * from is the source encrypted private key info
- * if either from or to is NULL or an error occurs, SECFailure is
- * returned. otherwise, SECSuccess is returned.
- */
-extern SECStatus
-SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp,
- SECKEYEncryptedPrivateKeyInfo *to,
- SECKEYEncryptedPrivateKeyInfo *from);
-/*
- * Accessor functions for key type of public and private keys.
- */
-KeyType SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey);
-KeyType SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey);
-
-
-SEC_END_PROTOS
-
-#endif /* _KEYHI_H_ */
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
deleted file mode 100644
index f102c8a26..000000000
--- a/security/nss/lib/cryptohi/keyt.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * keyt.h - public data structures for the private key library
- *
- * $Id$
- */
-
-#ifndef _KEYT_H_
-#define _KEYT_H_
-
-#include "keytlow.h"
-#include "keytboth.h"
-#include "keythi.h"
-#include "keydbt.h"
-
-#endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
deleted file mode 100644
index ba1aec401..000000000
--- a/security/nss/lib/cryptohi/keythi.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _KEYTHI_H_
-#define _KEYTHI_H_ 1
-
-#include "keytlow.h"
-#include "keytboth.h"
-#include "plarena.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-
-/*
-** A Generic public key object.
-*/
-struct SECKEYPublicKeyStr {
- PLArenaPool *arena;
- KeyType keyType;
- PK11SlotInfo *pkcs11Slot;
- CK_OBJECT_HANDLE pkcs11ID;
- union {
- RSAPublicKey rsa;
- DSAPublicKey dsa;
- DHPublicKey dh;
- KEAPublicKey kea;
- FortezzaPublicKey fortezza;
- } u;
-};
-typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
-
-/*
-** A generic key structure
-*/
-struct SECKEYPrivateKeyStr {
- PLArenaPool *arena;
- KeyType keyType;
- PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */
- CK_OBJECT_HANDLE pkcs11ID; /* ID of pkcs11 object */
- PRBool pkcs11IsTemp; /* temp pkcs11 object, delete it when done */
- void *wincx; /* context for errors and pw prompts */
-};
-typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
-
-/* Despite the name, this struct isn't used by any pkcs5 code.
-** It's used by pkcs7 and pkcs12 code.
-*/
-typedef struct {
- SECItem *pwitem;
- PK11SymKey *key;
- PK11SlotInfo *slot;
- void *wincx;
-} SEC_PKCS5KeyAndPassword;
-
-#endif /* _KEYTHI_H_ */
diff --git a/security/nss/lib/cryptohi/manifest.mn b/security/nss/lib/cryptohi/manifest.mn
deleted file mode 100644
index a4a76a7df..000000000
--- a/security/nss/lib/cryptohi/manifest.mn
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-MODULE = security
-
-REQUIRES = dbm
-
-LIBRARY_NAME = cryptohi
-
-EXPORTS = \
- cryptohi.h \
- cryptoht.h \
- hasht.h \
- key.h \
- keyhi.h \
- keyt.h \
- keythi.h \
- sechash.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- $(NULL)
-
-LIBSRCS = \
- sechash.c \
- seckey.c \
- secsign.c \
- secvfy.c \
- dsautil.c \
- $(NULL)
-
-CSRCS = $(LIBSRCS)
-
diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c
deleted file mode 100644
index 94000f543..000000000
--- a/security/nss/lib/cryptohi/sechash.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "sechash.h"
-#include "secoidt.h"
-#include "blapi.h"
-#include "pk11func.h" /* for the PK11_ calls below. */
-
-static void *
-null_hash_new_context(void)
-{
- return NULL;
-}
-
-static void *
-null_hash_clone_context(void *v)
-{
- PORT_Assert(v == NULL);
- return NULL;
-}
-
-static void
-null_hash_begin(void *v)
-{
-}
-
-static void
-null_hash_update(void *v, const unsigned char *input, unsigned int length)
-{
-}
-
-static void
-null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
- unsigned int maxOut)
-{
- *outLen = 0;
-}
-
-static void
-null_hash_destroy_context(void *v, PRBool b)
-{
- PORT_Assert(v == NULL);
-}
-
-
-static void *
-md2_NewContext(void) {
- return (void *) PK11_CreateDigestContext(SEC_OID_MD2);
-}
-
-static void *
-md5_NewContext(void) {
- return (void *) PK11_CreateDigestContext(SEC_OID_MD5);
-}
-
-static void *
-sha1_NewContext(void) {
- return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
-}
-
-SECHashObject SECHashObjects[] = {
- { 0,
- (void * (*)(void)) null_hash_new_context,
- (void * (*)(void *)) null_hash_clone_context,
- (void (*)(void *, PRBool)) null_hash_destroy_context,
- (void (*)(void *)) null_hash_begin,
- (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
- (void (*)(void *, unsigned char *, unsigned int *,
- unsigned int)) null_hash_end
- },
- { MD2_LENGTH,
- (void * (*)(void)) md2_NewContext,
- (void * (*)(void *)) PK11_CloneContext,
- (void (*)(void *, PRBool)) PK11_DestroyContext,
- (void (*)(void *)) PK11_DigestBegin,
- (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
- (void (*)(void *, unsigned char *, unsigned int *, unsigned int))
- PK11_DigestFinal
- },
- { MD5_LENGTH,
- (void * (*)(void)) md5_NewContext,
- (void * (*)(void *)) PK11_CloneContext,
- (void (*)(void *, PRBool)) PK11_DestroyContext,
- (void (*)(void *)) PK11_DigestBegin,
- (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
- (void (*)(void *, unsigned char *, unsigned int *, unsigned int))
- PK11_DigestFinal
- },
- { SHA1_LENGTH,
- (void * (*)(void)) sha1_NewContext,
- (void * (*)(void *)) PK11_CloneContext,
- (void (*)(void *, PRBool)) PK11_DestroyContext,
- (void (*)(void *)) PK11_DigestBegin,
- (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
- (void (*)(void *, unsigned char *, unsigned int *, unsigned int))
- PK11_DigestFinal
- },
-};
-
-unsigned int
-HASH_ResultLen(HASH_HashType type)
-{
- if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
- return(0);
- }
-
- return(SECHashObjects[type].length);
-}
-
-unsigned int
-HASH_ResultLenContext(HASHContext *context)
-{
- return(context->hashobj->length);
-}
-
-
-
-SECStatus
-HASH_HashBuf(HASH_HashType type,
- unsigned char *dest,
- unsigned char *src,
- uint32 src_len)
-{
- HASHContext *cx;
- unsigned int part;
-
- if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
- return(SECFailure);
- }
-
- cx = HASH_Create(type);
- if ( cx == NULL ) {
- return(SECFailure);
- }
- HASH_Begin(cx);
- HASH_Update(cx, src, src_len);
- HASH_End(cx, dest, &part, HASH_ResultLenContext(cx));
- HASH_Destroy(cx);
-
- return(SECSuccess);
-}
-
-HASHContext *
-HASH_Create(HASH_HashType type)
-{
- void *hash_context = NULL;
- HASHContext *ret = NULL;
-
- if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
- return(NULL);
- }
-
- hash_context = (* SECHashObjects[type].create)();
- if ( hash_context == NULL ) {
- goto loser;
- }
-
- ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
- if ( ret == NULL ) {
- goto loser;
- }
-
- ret->hash_context = hash_context;
- ret->hashobj = &SECHashObjects[type];
-
- return(ret);
-
-loser:
- if ( hash_context != NULL ) {
- (* SECHashObjects[type].destroy)(hash_context, PR_TRUE);
- }
-
- return(NULL);
-}
-
-
-HASHContext *
-HASH_Clone(HASHContext *context)
-{
- void *hash_context = NULL;
- HASHContext *ret = NULL;
-
- hash_context = (* context->hashobj->clone)(context->hash_context);
- if ( hash_context == NULL ) {
- goto loser;
- }
-
- ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
- if ( ret == NULL ) {
- goto loser;
- }
-
- ret->hash_context = hash_context;
- ret->hashobj = context->hashobj;
-
- return(ret);
-
-loser:
- if ( hash_context != NULL ) {
- (* context->hashobj->destroy)(hash_context, PR_TRUE);
- }
-
- return(NULL);
-
-}
-
-void
-HASH_Destroy(HASHContext *context)
-{
- (* context->hashobj->destroy)(context->hash_context, PR_TRUE);
- PORT_Free(context);
- return;
-}
-
-
-void
-HASH_Begin(HASHContext *context)
-{
- (* context->hashobj->begin)(context->hash_context);
- return;
-}
-
-
-void
-HASH_Update(HASHContext *context,
- const unsigned char *src,
- unsigned int len)
-{
- (* context->hashobj->update)(context->hash_context, src, len);
- return;
-}
-
-void
-HASH_End(HASHContext *context,
- unsigned char *result,
- unsigned int *result_len,
- unsigned int max_result_len)
-{
- (* context->hashobj->end)(context->hash_context, result, result_len,
- max_result_len);
- return;
-}
-
-
-
diff --git a/security/nss/lib/cryptohi/sechash.h b/security/nss/lib/cryptohi/sechash.h
deleted file mode 100644
index 6a4fb3e40..000000000
--- a/security/nss/lib/cryptohi/sechash.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef _HASH_H_
-#define _HASH_H_
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * hash.h - public data structures and prototypes for the hashing library
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "hasht.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Generic hash api.
-*/
-
-extern unsigned int HASH_ResultLen(HASH_HashType type);
-
-extern unsigned int HASH_ResultLenContext(HASHContext *context);
-
-extern SECStatus HASH_HashBuf(HASH_HashType type,
- unsigned char *dest,
- unsigned char *src,
- uint32 src_len);
-
-extern HASHContext * HASH_Create(HASH_HashType type);
-
-extern HASHContext * HASH_Clone(HASHContext *context);
-
-extern void HASH_Destroy(HASHContext *context);
-
-extern void HASH_Begin(HASHContext *context);
-
-extern void HASH_Update(HASHContext *context,
- const unsigned char *src,
- unsigned int len);
-
-extern void HASH_End(HASHContext *context,
- unsigned char *result,
- unsigned int *result_len,
- unsigned int max_result_len);
-
-SEC_END_PROTOS
-
-#endif /* _HASH_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
deleted file mode 100644
index 8262ad159..000000000
--- a/security/nss/lib/cryptohi/seckey.c
+++ /dev/null
@@ -1,1651 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "cryptohi.h"
-#include "keyhi.h"
-#include "secrng.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secder.h"
-#include "base64.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "secdig.h"
-#include "prtime.h"
-
-const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTSubjectPublicKeyInfo) },
- { SEC_ASN1_INLINE,
- offsetof(CERTSubjectPublicKeyInfo,algorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(CERTSubjectPublicKeyInfo,subjectPublicKey), },
- { 0, }
-};
-
-const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPublicKeyAndChallenge) },
- { SEC_ASN1_ANY, offsetof(CERTPublicKeyAndChallenge,spki) },
- { SEC_ASN1_IA5_STRING, offsetof(CERTPublicKeyAndChallenge,challenge) },
- { 0 }
-};
-
-const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.modulus), },
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.publicExponent), },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = {
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
- { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
- { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
- { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[] = {
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.publicValue), },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.prime), },
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.base), },
- /* XXX chrisk: this needs to be expanded for decoding of j and validationParms (RFC2459 7.3.2) */
- { SEC_ASN1_SKIP_REST },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_FortezzaParameterTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(PQGParams,prime), },
- { SEC_ASN1_OCTET_STRING, offsetof(PQGParams,subPrime), },
- { SEC_ASN1_OCTET_STRING, offsetof(PQGParams,base), },
- { 0 },
-};
-
-const SEC_ASN1Template SECKEY_FortezzaDiffParameterTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DiffPQGParams) },
- { SEC_ASN1_INLINE, offsetof(DiffPQGParams,DiffKEAParams),
- SECKEY_FortezzaParameterTemplate},
- { SEC_ASN1_INLINE, offsetof(DiffPQGParams,DiffDSAParams),
- SECKEY_FortezzaParameterTemplate},
- { 0 },
-};
-
-const SEC_ASN1Template SECKEY_FortezzaPreParamTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 1, offsetof(PQGDualParams,CommParams),
- SECKEY_FortezzaParameterTemplate},
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_FortezzaAltPreParamTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(PQGDualParams,DiffParams),
- SECKEY_FortezzaDiffParameterTemplate},
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_KEAPublicKeyTemplate[] = {
- { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.kea.publicValue), },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_KEAParamsTemplate[] = {
- { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPublicKey,u.kea.params.hash), },
- { 0, }
-};
-
-
-/*
- * NOTE: This only generates RSA Private Key's. If you need more,
- * We need to pass in some more params...
- */
-SECKEYPrivateKey *
-SECKEY_CreateRSAPrivateKey(int keySizeInBits,SECKEYPublicKey **pubk, void *cx)
-{
- SECKEYPrivateKey *privk;
- PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx);
- PK11RSAGenParams param;
-
- param.keySizeInBits = keySizeInBits;
- param.pe = 65537L;
-
- privk = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,&param,pubk,
- PR_FALSE, PR_TRUE, cx);
- PK11_FreeSlot(slot);
- return(privk);
-}
-
-void
-SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk)
-{
- if (privk) {
- if (privk->pkcs11Slot) {
- if (privk->pkcs11IsTemp) {
- PK11_DestroyObject(privk->pkcs11Slot,privk->pkcs11ID);
- }
- PK11_FreeSlot(privk->pkcs11Slot);
-
- }
- if (privk->arena) {
- PORT_FreeArena(privk->arena, PR_TRUE);
- }
- }
-}
-
-void
-SECKEY_DestroyPublicKey(SECKEYPublicKey *pubk)
-{
- if (pubk) {
- if (pubk->pkcs11Slot) {
- PK11_DestroyObject(pubk->pkcs11Slot,pubk->pkcs11ID);
- PK11_FreeSlot(pubk->pkcs11Slot);
- }
- if (pubk->arena) {
- PORT_FreeArena(pubk->arena, PR_FALSE);
- }
- }
-}
-
-SECStatus
-SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
- CERTSubjectPublicKeyInfo *to,
- CERTSubjectPublicKeyInfo *from)
-{
- SECStatus rv;
-
- rv = SECOID_CopyAlgorithmID(arena, &to->algorithm, &from->algorithm);
- if (rv == SECSuccess)
- rv = SECITEM_CopyItem(arena, &to->subjectPublicKey, &from->subjectPublicKey);
-
- return rv;
-}
-
-SECStatus
-SECKEY_KEASetParams(KEAParams * params, SECKEYPublicKey * pubKey) {
-
- if (pubKey->keyType == fortezzaKey) {
- /* the key is a fortezza V1 public key */
-
- /* obtain hash of pubkey->u.fortezza.params.prime.data +
- pubkey->u.fortezza.params.subPrime.data +
- pubkey->u.fortezza.params.base.data */
-
- /* store hash in params->hash */
-
- } else if (pubKey->keyType == keaKey) {
-
- /* the key is a new fortezza KEA public key. */
- SECITEM_CopyItem(pubKey->arena, &params->hash,
- &pubKey->u.kea.params.hash );
-
- } else {
-
- /* the key has no KEA parameters */
- return SECFailure;
- }
-
-}
-
-
-SECStatus
-SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2)
-{
-
- SECStatus rv;
- SECOidData *oid=NULL;
- CERTSubjectPublicKeyInfo * subjectSpki=NULL;
- CERTSubjectPublicKeyInfo * issuerSpki=NULL;
- CERTCertificate *issuerCert = NULL;
-
- SECKEYPublicKey *pubKey1 = 0;
- SECKEYPublicKey *pubKey2 = 0;
-
- KEAParams params1;
- KEAParams params2;
-
-
- rv = SECFailure;
-
- /* get cert1's public key */
- pubKey1 = CERT_ExtractPublicKey(cert1);
- if ( !pubKey1 ) {
- return(SECFailure);
- }
-
-
- /* get cert2's public key */
- pubKey2 = CERT_ExtractPublicKey(cert2);
- if ( !pubKey2 ) {
- return(SECFailure);
- }
-
- /* handle the case when both public keys are new
- * fortezza KEA public keys. */
-
- if ((pubKey1->keyType == keaKey) &&
- (pubKey2->keyType == keaKey) ) {
-
- rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash,
- &pubKey2->u.kea.params.hash);
- goto done;
- }
-
- /* handle the case when both public keys are old fortezza
- * public keys. */
-
- if ((pubKey1->keyType == fortezzaKey) &&
- (pubKey2->keyType == fortezzaKey) ) {
-
- rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime,
- &pubKey2->u.fortezza.keaParams.prime);
-
- if (rv == SECEqual) {
- rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime,
- &pubKey2->u.fortezza.keaParams.subPrime);
- }
-
- if (rv == SECEqual) {
- rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base,
- &pubKey2->u.fortezza.keaParams.base);
- }
-
- goto done;
- }
-
-
- /* handle the case when the public keys are a mixture of
- * old and new. */
-
- rv = SECKEY_KEASetParams(&params1, pubKey1);
- if (rv != SECSuccess) return rv;
-
- rv = SECKEY_KEASetParams(&params2, pubKey2);
- if (rv != SECSuccess) return rv;
-
- rv = (SECStatus)SECITEM_CompareItem(&params1.hash, &params2.hash);
-
-done:
- SECKEY_DestroyPublicKey(pubKey1);
- SECKEY_DestroyPublicKey(pubKey2);
-
- return rv; /* returns SECEqual if parameters are equal */
-
-}
-
-
-/* Procedure to update the pqg parameters for a cert's public key.
- * pqg parameters only need to be updated for DSA and fortezza certificates.
- * The procedure uses calls to itself recursively to update a certificate
- * issuer's pqg parameters. Some important rules are:
- * - Do nothing if the cert already has PQG parameters.
- * - If the cert does not have PQG parameters, obtain them from the issuer.
- * - A valid cert chain cannot have a DSA or Fortezza cert without
- * pqg parameters that has a parent that is not a DSA or Fortezza cert.
- * - pqg paramters are stored in two different formats: the standard
- * DER encoded format and the fortezza-only wrapped format. The params
- * should be copied from issuer to subject cert without modifying the
- * formats. The public key extraction code will deal with the different
- * formats at the time of extraction. */
-
-SECStatus
-seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
-{
- SECStatus rv, rvCompare;
- SECOidData *oid=NULL;
- int tag;
- CERTSubjectPublicKeyInfo * subjectSpki=NULL;
- CERTSubjectPublicKeyInfo * issuerSpki=NULL;
- CERTCertificate *issuerCert = NULL;
-
- rv = SECSuccess;
-
- /* increment cert chain length counter*/
- count++;
-
- /* check if cert chain length exceeds the maximum length*/
- if (count > CERT_MAX_CERT_CHAIN) {
- return SECFailure;
- }
-
- oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);
- if (oid != NULL) {
- tag = oid->offset;
-
- /* Check if cert has a DSA or Fortezza public key. If not, return
- * success since no PQG params need to be updated. */
-
- if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
- (tag != SEC_OID_MISSI_DSS_OLD) &&
- (tag != SEC_OID_MISSI_KEA_DSS) &&
- (tag != SEC_OID_MISSI_DSS) &&
- (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
- (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
- (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ) {
-
- return SECSuccess;
- }
- } else {
- return SECFailure; /* return failure if oid is NULL */
- }
-
- /* if cert has PQG parameters, return success */
-
- subjectSpki=&subjectCert->subjectPublicKeyInfo;
-
- if (subjectSpki->algorithm.parameters.len != 0) {
- return SECSuccess;
- }
-
- /* check if the cert is self-signed */
- rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject,
- &subjectCert->derIssuer);
- if (rvCompare == SECEqual) {
- /* fail since cert is self-signed and has no pqg params. */
- return SECFailure;
- }
-
- /* get issuer cert */
- issuerCert = CERT_FindCertIssuer(subjectCert, PR_Now(), certUsageAnyCA);
- if ( ! issuerCert ) {
- return SECFailure;
- }
-
- /* if parent is not DSA or fortezza, return failure since
- we don't allow this case. */
-
- oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
- if (oid != NULL) {
- tag = oid->offset;
-
- /* Check if issuer cert has a DSA or Fortezza public key. If not,
- * return failure. */
-
- if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
- (tag != SEC_OID_MISSI_DSS_OLD) &&
- (tag != SEC_OID_MISSI_KEA_DSS) &&
- (tag != SEC_OID_MISSI_DSS) &&
- (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
- (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
- (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ) {
-
- return SECFailure;
- }
- } else {
- return SECFailure; /* return failure if oid is NULL */
- }
-
-
- /* at this point the subject cert has no pqg parameters and the
- * issuer cert has a DSA or fortezza public key. Update the issuer's
- * pqg parameters with a recursive call to this same function. */
-
- rv = seckey_UpdateCertPQGChain(issuerCert, count);
- if (rv != SECSuccess) return rv;
-
- /* ensure issuer has pqg parameters */
-
- issuerSpki=&issuerCert->subjectPublicKeyInfo;
- if (issuerSpki->algorithm.parameters.len == 0) {
- rv = SECFailure;
- }
-
- /* if update was successful and pqg params present, then copy the
- * parameters to the subject cert's key. */
-
- if (rv == SECSuccess) {
- rv = SECITEM_CopyItem(subjectCert->arena,
- &subjectSpki->algorithm.parameters,
- &issuerSpki->algorithm.parameters);
- }
-
- return rv;
-
-}
-
-
-SECStatus
-SECKEY_UpdateCertPQG(CERTCertificate * subjectCert)
-{
- return(seckey_UpdateCertPQGChain(subjectCert,0));
-}
-
-
-/* Decode the PQG parameters. The params could be stored in two
- * possible formats, the old fortezza-only wrapped format or
- * the standard DER encoded format. Store the decoded parameters in an
- * old fortezza cert data structure */
-
-SECStatus
-SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
- SECItem *params) {
- SECStatus rv;
- PQGDualParams dual_params;
-
- if (params == NULL) return SECFailure;
-
- if (params->data == NULL) return SECFailure;
-
- /* Check if params use the standard format.
- * The value 0xa1 will appear in the first byte of the parameter data
- * if the PQG parameters are not using the standard format. This
- * code should be changed to use a better method to detect non-standard
- * parameters. */
-
- if ((params->data[0] != 0xa1) &&
- (params->data[0] != 0xa0)) {
-
- /* PQG params are in the standard format */
-
- /* Store DSA PQG parameters */
- rv = SEC_ASN1DecodeItem(arena, &pubk->u.fortezza.params,
- SECKEY_PQGParamsTemplate,
- params);
-
- if (rv == SECSuccess) {
-
- /* Copy the DSA PQG parameters to the KEA PQG parameters. */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
- &pubk->u.fortezza.params.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
- &pubk->u.fortezza.params.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
- &pubk->u.fortezza.params.base);
- if (rv != SECSuccess) return rv;
- }
-
- } else {
-
- dual_params.CommParams.prime.len = 0;
- dual_params.CommParams.subPrime.len = 0;
- dual_params.CommParams.base.len = 0;
- dual_params.DiffParams.DiffDSAParams.prime.len = 0;
- dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
- dual_params.DiffParams.DiffDSAParams.base.len = 0;
-
- /* else the old fortezza-only wrapped format is used. */
-
- if (params->data[0] == 0xa1) {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaPreParamTemplate, params);
- } else {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaAltPreParamTemplate, params);
- }
-
- if (rv < 0) return rv;
-
- if ( (dual_params.CommParams.prime.len > 0) &&
- (dual_params.CommParams.subPrime.len > 0) &&
- (dual_params.CommParams.base.len > 0) ) {
- /* copy in common params */
-
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
- &dual_params.CommParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
- &dual_params.CommParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
- &dual_params.CommParams.base);
-
- /* Copy the DSA PQG parameters to the KEA PQG parameters. */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
- &pubk->u.fortezza.params.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
- &pubk->u.fortezza.params.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
- &pubk->u.fortezza.params.base);
- if (rv != SECSuccess) return rv;
-
- } else {
-
- /* else copy in different params */
-
- /* copy DSA PQG parameters */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
- &dual_params.DiffParams.DiffDSAParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
- &dual_params.DiffParams.DiffDSAParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
- &dual_params.DiffParams.DiffDSAParams.base);
-
- /* copy KEA PQG parameters */
-
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
- &dual_params.DiffParams.DiffKEAParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
- &dual_params.DiffParams.DiffKEAParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
- &dual_params.DiffParams.DiffKEAParams.base);
- }
-
- }
- return rv;
-}
-
-
-/* Decode the DSA PQG parameters. The params could be stored in two
- * possible formats, the old fortezza-only wrapped format or
- * the normal standard format. Store the decoded parameters in
- * a V3 certificate data structure. */
-
-SECStatus
-SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) {
- SECStatus rv;
- PQGDualParams dual_params;
-
- if (params == NULL) return SECFailure;
-
- if (params->data == NULL) return SECFailure;
-
- /* Check if params use the standard format.
- * The value 0xa1 will appear in the first byte of the parameter data
- * if the PQG parameters are not using the standard format. This
- * code should be changed to use a better method to detect non-standard
- * parameters. */
-
- if ((params->data[0] != 0xa1) &&
- (params->data[0] != 0xa0)) {
-
- /* PQG params are in the standard format */
- rv = SEC_ASN1DecodeItem(arena, &pubk->u.dsa.params,
- SECKEY_PQGParamsTemplate,
- params);
- } else {
-
- dual_params.CommParams.prime.len = 0;
- dual_params.CommParams.subPrime.len = 0;
- dual_params.CommParams.base.len = 0;
- dual_params.DiffParams.DiffDSAParams.prime.len = 0;
- dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
- dual_params.DiffParams.DiffDSAParams.base.len = 0;
-
- /* else the old fortezza-only wrapped format is used. */
- if (params->data[0] == 0xa1) {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaPreParamTemplate, params);
- } else {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaAltPreParamTemplate, params);
- }
-
- if (rv < 0) return rv;
-
- if ( (dual_params.CommParams.prime.len > 0) &&
- (dual_params.CommParams.subPrime.len > 0) &&
- (dual_params.CommParams.base.len > 0) ) {
- /* copy in common params */
-
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
- &dual_params.CommParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
- &dual_params.CommParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
- &dual_params.CommParams.base);
-
- } else {
-
- /* else copy in different params */
-
- /* copy DSA PQG parameters */
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
- &dual_params.DiffParams.DiffDSAParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
- &dual_params.DiffParams.DiffDSAParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
- &dual_params.DiffParams.DiffDSAParams.base);
-
- }
- }
- return rv;
-}
-
-
-
-/* Decodes the DER encoded fortezza public key and stores the results in a
- * structure of type SECKEYPublicKey. */
-
-SECStatus
-SECKEY_FortezzaDecodeCertKey(PRArenaPool *arena, SECKEYPublicKey *pubk,
- SECItem *rawkey, SECItem *params) {
-
- unsigned char *rawptr = rawkey->data;
- unsigned char *end = rawkey->data + rawkey->len;
- unsigned char *clearptr;
-
- /* first march down and decode the raw key data */
-
- /* version */
- pubk->u.fortezza.KEAversion = *rawptr++;
- if (*rawptr++ != 0x01) {
- return SECFailure;
- }
-
- /* KMID */
- PORT_Memcpy(pubk->u.fortezza.KMID,rawptr,
- sizeof(pubk->u.fortezza.KMID));
- rawptr += sizeof(pubk->u.fortezza.KMID);
-
- /* clearance (the string up to the first byte with the hi-bit on */
- clearptr = rawptr;
- while ((rawptr < end) && (*rawptr++ & 0x80));
-
- if (rawptr >= end) { return SECFailure; }
- pubk->u.fortezza.clearance.len = rawptr - clearptr;
- pubk->u.fortezza.clearance.data =
- (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.clearance.len);
- if (pubk->u.fortezza.clearance.data == NULL) {
- return SECFailure;
- }
- PORT_Memcpy(pubk->u.fortezza.clearance.data,clearptr,
- pubk->u.fortezza.clearance.len);
-
- /* KEAPrivilege (the string up to the first byte with the hi-bit on */
- clearptr = rawptr;
- while ((rawptr < end) && (*rawptr++ & 0x80));
- if (rawptr >= end) { return SECFailure; }
- pubk->u.fortezza.KEApriviledge.len = rawptr - clearptr;
- pubk->u.fortezza.KEApriviledge.data =
- (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEApriviledge.len);
- if (pubk->u.fortezza.KEApriviledge.data == NULL) {
- return SECFailure;
- }
- PORT_Memcpy(pubk->u.fortezza.KEApriviledge.data,clearptr,
- pubk->u.fortezza.KEApriviledge.len);
-
-
- /* now copy the key. The next to bytes are the key length, and the
- * key follows */
- pubk->u.fortezza.KEAKey.len = (*rawptr << 8) | rawptr[1];
-
- rawptr += 2;
- if (rawptr+pubk->u.fortezza.KEAKey.len > end) { return SECFailure; }
- pubk->u.fortezza.KEAKey.data =
- (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEAKey.len);
- if (pubk->u.fortezza.KEAKey.data == NULL) {
- return SECFailure;
- }
- PORT_Memcpy(pubk->u.fortezza.KEAKey.data,rawptr,
- pubk->u.fortezza.KEAKey.len);
- rawptr += pubk->u.fortezza.KEAKey.len;
-
- /* shared key */
- if (rawptr >= end) {
- pubk->u.fortezza.DSSKey.len = pubk->u.fortezza.KEAKey.len;
- /* this depends on the fact that we are going to get freed with an
- * ArenaFree call. We cannot free DSSKey and KEAKey separately */
- pubk->u.fortezza.DSSKey.data=
- pubk->u.fortezza.KEAKey.data;
- pubk->u.fortezza.DSSpriviledge.len =
- pubk->u.fortezza.KEApriviledge.len;
- pubk->u.fortezza.DSSpriviledge.data =
- pubk->u.fortezza.DSSpriviledge.data;
- goto done;
- }
-
-
- /* DSS Version is next */
- pubk->u.fortezza.DSSversion = *rawptr++;
-
- if (*rawptr++ != 2) {
- return SECFailure;
- }
-
- /* DSSPrivilege (the string up to the first byte with the hi-bit on */
- clearptr = rawptr;
- while ((rawptr < end) && (*rawptr++ & 0x80));
- if (rawptr >= end) { return SECFailure; }
- pubk->u.fortezza.DSSpriviledge.len = rawptr - clearptr;
- pubk->u.fortezza.DSSpriviledge.data =
- (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSpriviledge.len);
- if (pubk->u.fortezza.DSSpriviledge.data == NULL) {
- return SECFailure;
- }
- PORT_Memcpy(pubk->u.fortezza.DSSpriviledge.data,clearptr,
- pubk->u.fortezza.DSSpriviledge.len);
-
- /* finally copy the DSS key. The next to bytes are the key length,
- * and the key follows */
- pubk->u.fortezza.DSSKey.len = (*rawptr << 8) | rawptr[1];
-
- rawptr += 2;
- if (rawptr+pubk->u.fortezza.DSSKey.len > end){ return SECFailure; }
- pubk->u.fortezza.DSSKey.data =
- (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSKey.len);
- if (pubk->u.fortezza.DSSKey.data == NULL) {
- return SECFailure;
- }
- PORT_Memcpy(pubk->u.fortezza.DSSKey.data,rawptr,
- pubk->u.fortezza.DSSKey.len);
-
- /* ok, now we decode the parameters */
-done:
-
- return SECKEY_FortezzaDecodePQGtoOld(arena, pubk, params);
-}
-
-
-/* Function used to determine what kind of cert we are dealing with. */
-KeyType
-CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki) {
- int tag;
- KeyType keyType;
-
- tag = SECOID_GetAlgorithmTag(&spki->algorithm);
- switch (tag) {
- case SEC_OID_X500_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- keyType = rsaKey;
- break;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- keyType = dsaKey;
- break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS_OLD:
- case SEC_OID_MISSI_DSS:
- keyType = fortezzaKey;
- break;
- case SEC_OID_MISSI_KEA:
- case SEC_OID_MISSI_ALT_KEA:
- keyType = keaKey;
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- keyType = dhKey;
- default:
- keyType = nullKey;
- }
- return keyType;
-}
-
-static SECKEYPublicKey *
-seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
-{
- SECKEYPublicKey *pubk;
- SECItem os;
- SECStatus rv;
- PRArenaPool *arena;
- SECOidTag tag;
-
- arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- return NULL;
-
- pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
- if (pubk == NULL) {
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
- }
-
- pubk->arena = arena;
- pubk->pkcs11Slot = 0;
- pubk->pkcs11ID = CK_INVALID_KEY;
-
-
- /* Convert bit string length from bits to bytes */
- os = spki->subjectPublicKey;
- DER_ConvertBitString (&os);
-
- tag = SECOID_GetAlgorithmTag(&spki->algorithm);
- switch ( tag ) {
- case SEC_OID_X500_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- pubk->keyType = rsaKey;
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate, &os);
- if (rv == SECSuccess)
- return pubk;
- break;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- pubk->keyType = dsaKey;
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &os);
- if (rv != SECSuccess) break;
-
- rv = SECKEY_DSADecodePQG(arena, pubk,
- &spki->algorithm.parameters);
-
- if (rv == SECSuccess) return pubk;
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- pubk->keyType = dhKey;
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DHPublicKeyTemplate, &os);
- if (rv != SECSuccess) break;
-
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate,
- &spki->algorithm.parameters);
-
- if (rv == SECSuccess) return pubk;
- break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS_OLD:
- case SEC_OID_MISSI_DSS:
- pubk->keyType = fortezzaKey;
- rv = SECKEY_FortezzaDecodeCertKey(arena, pubk, &os,
- &spki->algorithm.parameters);
- if (rv == SECSuccess)
- return pubk;
- break;
-
- case SEC_OID_MISSI_KEA:
- pubk->keyType = keaKey;
-
- rv = SEC_ASN1DecodeItem(arena, pubk,
- SECKEY_KEAPublicKeyTemplate, &os);
- if (rv != SECSuccess) break;
-
-
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
- &spki->algorithm.parameters);
-
- if (rv == SECSuccess)
- return pubk;
-
- break;
-
- case SEC_OID_MISSI_ALT_KEA:
- pubk->keyType = keaKey;
-
- rv = SECITEM_CopyItem(arena,&pubk->u.kea.publicValue,&os);
- if (rv != SECSuccess) break;
-
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
- &spki->algorithm.parameters);
-
- if (rv == SECSuccess)
- return pubk;
-
- break;
-
-
- default:
- rv = SECFailure;
- break;
- }
-
- SECKEY_DestroyPublicKey (pubk);
- return NULL;
-}
-
-SECKEYPublicKey *
-CERT_ExtractPublicKey(CERTCertificate *cert)
-{
- SECStatus rv;
-
- rv = SECKEY_UpdateCertPQG(cert);
- if (rv != SECSuccess) return NULL;
-
- return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
-}
-
-/*
- * Get the public key for the fortezza KMID. NOTE this requires the
- * PQG paramters to be set. We probably should have a fortezza call that
- * just extracts the kmid for us directly so this function can work
- * without having the whole cert chain
- */
-SECKEYPublicKey *
-CERT_KMIDPublicKey(CERTCertificate *cert)
-{
- return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
-}
-
-/* returns key strength in bytes (not bits) */
-unsigned
-SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk)
-{
- unsigned char b0;
-
- /* interpret modulus length as key strength... in
- * fortezza that's the public key length */
-
- switch (pubk->keyType) {
- case rsaKey:
- b0 = pubk->u.rsa.modulus.data[0];
- return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
- case dsaKey:
- b0 = pubk->u.dsa.publicValue.data[0];
- return b0 ? pubk->u.dsa.publicValue.len :
- pubk->u.dsa.publicValue.len - 1;
- case dhKey:
- b0 = pubk->u.dh.publicValue.data[0];
- return b0 ? pubk->u.dh.publicValue.len :
- pubk->u.dh.publicValue.len - 1;
- case fortezzaKey:
- return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len);
- default:
- break;
- }
- return 0;
-}
-
-SECKEYPrivateKey *
-SECKEY_CopyPrivateKey(SECKEYPrivateKey *privk)
-{
- SECKEYPrivateKey *copyk;
- PRArenaPool *arena;
-
- if (privk == NULL) {
- return NULL;
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- copyk = (SECKEYPrivateKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPrivateKey));
- if (copyk) {
- copyk->arena = arena;
- copyk->keyType = privk->keyType;
-
- /* copy the PKCS #11 parameters */
- copyk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
- /* if the key we're referencing was a temparary key we have just
- * created, that we want to go away when we're through, we need
- * to make a copy of it */
- if (privk->pkcs11IsTemp) {
- copyk->pkcs11ID =
- PK11_CopyKey(privk->pkcs11Slot,privk->pkcs11ID);
- if (copyk->pkcs11ID == CK_INVALID_KEY) goto fail;
- } else {
- copyk->pkcs11ID = privk->pkcs11ID;
- }
- copyk->pkcs11IsTemp = privk->pkcs11IsTemp;
- copyk->wincx = privk->wincx;
- return copyk;
- } else {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- }
-
-fail:
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
-}
-
-SECKEYPublicKey *
-SECKEY_CopyPublicKey(SECKEYPublicKey *pubk)
-{
- SECKEYPublicKey *copyk;
- PRArenaPool *arena;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- copyk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
- if (copyk != NULL) {
- SECStatus rv = SECSuccess;
-
- copyk->arena = arena;
- copyk->keyType = pubk->keyType;
- copyk->pkcs11Slot = NULL; /* go get own reference */
- copyk->pkcs11ID = CK_INVALID_KEY;
- switch (pubk->keyType) {
- case rsaKey:
- rv = SECITEM_CopyItem(arena, &copyk->u.rsa.modulus,
- &pubk->u.rsa.modulus);
- if (rv == SECSuccess) {
- rv = SECITEM_CopyItem (arena, &copyk->u.rsa.publicExponent,
- &pubk->u.rsa.publicExponent);
- if (rv == SECSuccess)
- return copyk;
- }
- break;
- case dsaKey:
- rv = SECITEM_CopyItem(arena, &copyk->u.dsa.publicValue,
- &pubk->u.dsa.publicValue);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.prime,
- &pubk->u.dsa.params.prime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.subPrime,
- &pubk->u.dsa.params.subPrime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.base,
- &pubk->u.dsa.params.base);
- break;
- case keaKey:
- rv = SECITEM_CopyItem(arena, &copyk->u.kea.publicValue,
- &pubk->u.kea.publicValue);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.kea.params.hash,
- &pubk->u.kea.params.hash);
- break;
- case fortezzaKey:
- copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion;
- copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion;
- PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID,
- sizeof(pubk->u.fortezza.KMID));
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.clearance,
- &pubk->u.fortezza.clearance);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEApriviledge,
- &pubk->u.fortezza.KEApriviledge);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSpriviledge,
- &pubk->u.fortezza.DSSpriviledge);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEAKey,
- &pubk->u.fortezza.KEAKey);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSKey,
- &pubk->u.fortezza.DSSKey);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.prime,
- &pubk->u.fortezza.params.prime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.subPrime,
- &pubk->u.fortezza.params.subPrime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.base,
- &pubk->u.fortezza.params.base);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.prime,
- &pubk->u.fortezza.keaParams.prime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.subPrime,
- &pubk->u.fortezza.keaParams.subPrime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.base,
- &pubk->u.fortezza.keaParams.base);
- break;
- case dhKey:
- rv = SECITEM_CopyItem(arena,&copyk->u.dh.prime,&pubk->u.dh.prime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena,&copyk->u.dh.base,&pubk->u.dh.base);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &copyk->u.dh.publicValue,
- &pubk->u.dh.publicValue);
- break;
- case nullKey:
- return copyk;
- default:
- rv = SECFailure;
- break;
- }
- if (rv == SECSuccess)
- return copyk;
-
- SECKEY_DestroyPublicKey (copyk);
- } else {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- }
-
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
-}
-
-
-SECKEYPublicKey *
-SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
-{
- SECKEYPublicKey *pubk;
- PRArenaPool *arena;
- CERTCertificate *cert;
- SECStatus rv;
-
- /*
- * First try to look up the cert.
- */
- cert = PK11_GetCertFromPrivateKey(privk);
- if (cert) {
- pubk = CERT_ExtractPublicKey(cert);
- CERT_DestroyCertificate(cert);
- return pubk;
- }
-
- /* couldn't find the cert, build pub key by hand */
- arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
- pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena,
- sizeof (SECKEYPublicKey));
- if (pubk == NULL) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
- pubk->keyType = privk->keyType;
- pubk->pkcs11Slot = NULL;
- pubk->pkcs11ID = CK_INVALID_KEY;
- pubk->arena = arena;
-
- /*
- * fortezza is at the head of this switch, since we don't want to
- * allocate an arena... CERT_ExtractPublicKey will to that for us.
- */
- switch(privk->keyType) {
- case fortezzaKey:
- case nullKey:
- case dhKey:
- case dsaKey:
- /* Nothing to query, if the cert isn't there, we're done -- no way
- * to get the public key */
- break;
- case rsaKey:
- rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
- CKA_MODULUS,arena,&pubk->u.rsa.modulus);
- if (rv != SECSuccess) break;
- rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
- CKA_PUBLIC_EXPONENT,arena,&pubk->u.rsa.publicExponent);
- if (rv != SECSuccess) break;
- return pubk;
- break;
- default:
- break;
- }
-
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
-}
-
-CERTSubjectPublicKeyInfo *
-SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
-{
- CERTSubjectPublicKeyInfo *spki;
- PRArenaPool *arena;
- SECItem params = { siBuffer, NULL, 0 };
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- spki = (CERTSubjectPublicKeyInfo *) PORT_ArenaZAlloc(arena, sizeof (*spki));
- if (spki != NULL) {
- SECStatus rv;
- SECItem *rv_item;
-
- spki->arena = arena;
- switch(pubk->keyType) {
- case rsaKey:
- rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
- SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
- if (rv == SECSuccess) {
- /*
- * DER encode the public key into the subjectPublicKeyInfo.
- */
- rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
- pubk, SECKEY_RSAPublicKeyTemplate);
- if (rv_item != NULL) {
- /*
- * The stored value is supposed to be a BIT_STRING,
- * so convert the length.
- */
- spki->subjectPublicKey.len <<= 3;
- /*
- * We got a good one; return it.
- */
- return spki;
- }
- }
- break;
- case dsaKey:
- /* DER encode the params. */
- rv_item = SEC_ASN1EncodeItem(arena, &params, &pubk->u.dsa.params,
- SECKEY_PQGParamsTemplate);
- if (rv_item != NULL) {
- rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
- SEC_OID_ANSIX9_DSA_SIGNATURE,
- &params);
- if (rv == SECSuccess) {
- /*
- * DER encode the public key into the subjectPublicKeyInfo.
- */
- rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
- pubk,
- SECKEY_DSAPublicKeyTemplate);
- if (rv_item != NULL) {
- /*
- * The stored value is supposed to be a BIT_STRING,
- * so convert the length.
- */
- spki->subjectPublicKey.len <<= 3;
- /*
- * We got a good one; return it.
- */
- return spki;
- }
- }
- }
- SECITEM_FreeItem(&params, PR_FALSE);
- break;
- case keaKey:
- case dhKey: /* later... */
-
- break;
- case fortezzaKey:
-#ifdef notdef
- /* encode the DSS parameters (PQG) */
- rv = FortezzaBuildParams(&params,pubk);
- if (rv != SECSuccess) break;
-
- /* set the algorithm */
- rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
- SEC_OID_MISSI_KEA_DSS, &params);
- PORT_Free(params.data);
- if (rv == SECSuccess) {
- /*
- * Encode the public key into the subjectPublicKeyInfo.
- * Fortezza key material is not standard DER
- */
- rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk);
- if (rv == SECSuccess) {
- /*
- * The stored value is supposed to be a BIT_STRING,
- * so convert the length.
- */
- spki->subjectPublicKey.len <<= 3;
-
- /*
- * We got a good one; return it.
- */
- return spki;
- }
- }
-#endif
- break;
- default:
- break;
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
-}
-
-void
-SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki)
-{
- if (spki && spki->arena) {
- PORT_FreeArena(spki->arena, PR_FALSE);
- }
-}
-
-/*
- * this only works for RSA keys... need to do something
- * similiar to CERT_ExtractPublicKey for other key times.
- */
-SECKEYPublicKey *
-SECKEY_DecodeDERPublicKey(SECItem *pubkder)
-{
- PRArenaPool *arena;
- SECKEYPublicKey *pubk;
- SECStatus rv;
-
- arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
- if (pubk != NULL) {
- pubk->arena = arena;
- pubk->pkcs11Slot = NULL;
- pubk->pkcs11ID = 0;
- rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate,
- pubkder);
- if (rv == SECSuccess)
- return pubk;
- SECKEY_DestroyPublicKey (pubk);
- } else {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- }
-
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
-}
-
-/*
- * Decode a base64 ascii encoded DER encoded public key.
- */
-SECKEYPublicKey *
-SECKEY_ConvertAndDecodePublicKey(char *pubkstr)
-{
- SECKEYPublicKey *pubk;
- SECStatus rv;
- SECItem der;
-
- rv = ATOB_ConvertAsciiToItem (&der, pubkstr);
- if (rv != SECSuccess)
- return NULL;
-
- pubk = SECKEY_DecodeDERPublicKey (&der);
-
- PORT_Free (der.data);
- return pubk;
-}
-
-CERTSubjectPublicKeyInfo *
-SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider)
-{
- PRArenaPool *arena;
- CERTSubjectPublicKeyInfo *spki;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- spki = (CERTSubjectPublicKeyInfo *)
- PORT_ArenaZAlloc(arena, sizeof (CERTSubjectPublicKeyInfo));
- if (spki != NULL) {
- spki->arena = arena;
- rv = SEC_ASN1DecodeItem(arena,spki,
- CERT_SubjectPublicKeyInfoTemplate,spkider);
- if (rv == SECSuccess)
- return spki;
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
-
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
-}
-
-/*
- * Decode a base64 ascii encoded DER encoded subject public key info.
- */
-CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr)
-{
- CERTSubjectPublicKeyInfo *spki;
- SECStatus rv;
- SECItem der;
-
- rv = ATOB_ConvertAsciiToItem(&der, spkistr);
- if (rv != SECSuccess)
- return NULL;
-
- spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
-
- PORT_Free(der.data);
- return spki;
-}
-
-/*
- * Decode a base64 ascii encoded DER encoded public key and challenge
- * Verify digital signature and make sure challenge matches
- */
-CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
- void *wincx)
-{
- CERTSubjectPublicKeyInfo *spki = NULL;
- CERTPublicKeyAndChallenge pkac;
- SECStatus rv;
- SECItem signedItem;
- PRArenaPool *arena = NULL;
- CERTSignedData sd;
- SECItem sig;
- SECKEYPublicKey *pubKey = NULL;
- int len;
-
- signedItem.data = NULL;
-
- /* convert the base64 encoded data to binary */
- rv = ATOB_ConvertAsciiToItem(&signedItem, pkacstr);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- /* create an arena */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto loser;
- }
-
- /* decode the outer wrapping of signed data */
- PORT_Memset(&sd, 0, sizeof(CERTSignedData));
- rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, &signedItem );
- if ( rv ) {
- goto loser;
- }
-
- /* decode the public key and challenge wrapper */
- PORT_Memset(&pkac, 0, sizeof(CERTPublicKeyAndChallenge));
- rv = SEC_ASN1DecodeItem(arena, &pkac, CERT_PublicKeyAndChallengeTemplate,
- &sd.data);
- if ( rv ) {
- goto loser;
- }
-
- /* decode the subject public key info */
- spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&pkac.spki);
- if ( spki == NULL ) {
- goto loser;
- }
-
- /* get the public key */
- pubKey = seckey_ExtractPublicKey(spki);
- if ( pubKey == NULL ) {
- goto loser;
- }
-
- /* check the signature */
- sig = sd.signature;
- DER_ConvertBitString(&sig);
- rv = VFY_VerifyData(sd.data.data, sd.data.len, pubKey, &sig,
- SECOID_GetAlgorithmTag(&(sd.signatureAlgorithm)), wincx);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /* check the challenge */
- if ( challenge ) {
- len = PORT_Strlen(challenge);
- /* length is right */
- if ( len != pkac.challenge.len ) {
- goto loser;
- }
- /* actual data is right */
- if ( PORT_Memcmp(challenge, pkac.challenge.data, len) != 0 ) {
- goto loser;
- }
- }
- goto done;
-
-loser:
- /* make sure that we return null if we got an error */
- if ( spki ) {
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- }
- spki = NULL;
-
-done:
- if ( signedItem.data ) {
- PORT_Free(signedItem.data);
- }
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if ( pubKey ) {
- SECKEY_DestroyPublicKey(pubKey);
- }
-
- return spki;
-}
-
-void
-SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
- PRBool freeit)
-{
- PRArenaPool *poolp;
-
- if(pvk != NULL) {
- if(pvk->arena) {
- poolp = pvk->arena;
- /* zero structure since PORT_FreeArena does not support
- * this yet.
- */
- PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
- PORT_Memset((char *)pvk, 0, sizeof(*pvk));
- if(freeit == PR_TRUE) {
- PORT_FreeArena(poolp, PR_TRUE);
- } else {
- pvk->arena = poolp;
- }
- } else {
- SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
- SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
- SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
- PORT_Memset((char *)pvk, 0, sizeof(pvk));
- if(freeit == PR_TRUE) {
- PORT_Free(pvk);
- }
- }
- }
-}
-
-void
-SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
- PRBool freeit)
-{
- PRArenaPool *poolp;
-
- if(epki != NULL) {
- if(epki->arena) {
- poolp = epki->arena;
- /* zero structure since PORT_FreeArena does not support
- * this yet.
- */
- PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
- PORT_Memset((char *)epki, 0, sizeof(*epki));
- if(freeit == PR_TRUE) {
- PORT_FreeArena(poolp, PR_TRUE);
- } else {
- epki->arena = poolp;
- }
- } else {
- SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
- SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
- PORT_Memset((char *)epki, 0, sizeof(epki));
- if(freeit == PR_TRUE) {
- PORT_Free(epki);
- }
- }
- }
-}
-
-SECStatus
-SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
- SECKEYPrivateKeyInfo *to,
- SECKEYPrivateKeyInfo *from)
-{
- SECStatus rv = SECFailure;
-
- if((to == NULL) || (from == NULL)) {
- return SECFailure;
- }
-
- rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
- if(rv != SECSuccess) {
- return SECFailure;
- }
- rv = SECITEM_CopyItem(poolp, &to->privateKey, &from->privateKey);
- if(rv != SECSuccess) {
- return SECFailure;
- }
- rv = SECITEM_CopyItem(poolp, &to->version, &from->version);
-
- return rv;
-}
-
-SECStatus
-SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp,
- SECKEYEncryptedPrivateKeyInfo *to,
- SECKEYEncryptedPrivateKeyInfo *from)
-{
- SECStatus rv = SECFailure;
-
- if((to == NULL) || (from == NULL)) {
- return SECFailure;
- }
-
- rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
- if(rv != SECSuccess) {
- return SECFailure;
- }
- rv = SECITEM_CopyItem(poolp, &to->encryptedData, &from->encryptedData);
-
- return rv;
-}
-
-KeyType
-SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey)
-{
- return privKey->keyType;
-}
-
-KeyType
-SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey)
-{
- return pubKey->keyType;
-}
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
deleted file mode 100644
index 35af3f701..000000000
--- a/security/nss/lib/cryptohi/secsign.c
+++ /dev/null
@@ -1,497 +0,0 @@
-/*
- * Signature stuff.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include <stdio.h>
-#include "cryptohi.h"
-#include "sechash.h"
-#include "secder.h"
-#include "keyhi.h"
-#include "secoid.h"
-#include "secdig.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-struct SGNContextStr {
- SECOidTag signalg;
- SECOidTag hashalg;
- void *hashcx;
- SECHashObject *hashobj;
- SECKEYPrivateKey *key;
-};
-
-SGNContext *
-SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
-{
- SGNContext *cx;
- SECOidTag hashalg, signalg;
- KeyType keyType;
-
- /* OK, map a PKCS #7 hash and encrypt algorithm into
- * a standard hashing algorithm. Why did we pass in the whole
- * PKCS #7 algTag if we were just going to change here you might
- * ask. Well the answer is for some cards we may have to do the
- * hashing on card. It may not support CKM_RSA_PKCS sign algorithm,
- * it may just support CKM_RSA_PKCS_WITH_SHA1 and/or CKM_RSA_PKCS_WITH_MD5.
- */
- switch (alg) {
- /* We probably shouldn't be generating MD2 signatures either */
- case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
- hashalg = SEC_OID_MD2;
- signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
- keyType = rsaKey;
- break;
- case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
- hashalg = SEC_OID_MD5;
- signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
- keyType = rsaKey;
- break;
- case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
- case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
- hashalg = SEC_OID_SHA1;
- signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
- keyType = rsaKey;
- break;
- /* what about normal DSA? */
- case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
- case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
- hashalg = SEC_OID_SHA1;
- signalg = SEC_OID_ANSIX9_DSA_SIGNATURE;
- keyType = dsaKey;
- break;
- case SEC_OID_MISSI_DSS:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_DSS_OLD:
- hashalg = SEC_OID_SHA1;
- signalg = SEC_OID_MISSI_DSS; /* XXX Is there a better algid? */
- keyType = fortezzaKey;
- break;
- /* we don't implement MD4 hashes.
- * we *CERTAINLY* don't want to sign one! */
- case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return 0;
- }
-
- /* verify our key type */
- if (key->keyType != keyType &&
- !((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
- !((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return 0;
- }
-
- cx = (SGNContext*) PORT_ZAlloc(sizeof(SGNContext));
- if (cx) {
- cx->hashalg = hashalg;
- cx->signalg = signalg;
- cx->key = key;
- }
- return cx;
-}
-
-void
-SGN_DestroyContext(SGNContext *cx, PRBool freeit)
-{
- if (cx) {
- if (cx->hashcx != NULL) {
- (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
- cx->hashcx = NULL;
- }
- if (freeit) {
- PORT_ZFree(cx, sizeof(SGNContext));
- }
- }
-}
-
-SECStatus
-SGN_Begin(SGNContext *cx)
-{
- if (cx->hashcx != NULL) {
- (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
- cx->hashcx = NULL;
- }
-
- switch (cx->hashalg) {
- case SEC_OID_MD2:
- cx->hashobj = &SECHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_MD5:
- cx->hashobj = &SECHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_SHA1:
- cx->hashobj = &SECHashObjects[HASH_AlgSHA1];
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- cx->hashcx = (*cx->hashobj->create)();
- if (cx->hashcx == NULL)
- return SECFailure;
-
- (*cx->hashobj->begin)(cx->hashcx);
- return SECSuccess;
-}
-
-SECStatus
-SGN_Update(SGNContext *cx, unsigned char *input, unsigned inputLen)
-{
- if (cx->hashcx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- (*cx->hashobj->update)(cx->hashcx, input, inputLen);
- return SECSuccess;
-}
-
-SECStatus
-SGN_End(SGNContext *cx, SECItem *result)
-{
- unsigned char digest[32];
- unsigned part1, signatureLen;
- SECStatus rv;
- SECItem digder, sigitem;
- PRArenaPool *arena = 0;
- SECKEYPrivateKey *privKey = cx->key;
- SGNDigestInfo *di = 0;
-
-
- result->data = 0;
- digder.data = 0;
-
- /* Finish up digest function */
- if (cx->hashcx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest));
-
-
- if (privKey->keyType == rsaKey) {
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Construct digest info */
- di = SGN_CreateDigestInfo(cx->hashalg, digest, part1);
- if (!di) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Der encode the digest as a DigestInfo */
- rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
- if (rv != SECSuccess) {
- goto loser;
- }
- } else {
- digder.data = digest;
- digder.len = part1;
- }
-
- /*
- ** Encrypt signature after constructing appropriate PKCS#1 signature
- ** block
- */
- signatureLen = PK11_SignatureLen(privKey);
- sigitem.len = signatureLen;
- sigitem.data = (unsigned char*) PORT_Alloc(signatureLen);
-
- if (sigitem.data == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = PK11_Sign(privKey, &sigitem, &digder);
- if (rv != SECSuccess) {
- PORT_Free(sigitem.data);
- sigitem.data = NULL;
- }
-
- if (cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) {
- rv = DSAU_EncodeDerSig(result, &sigitem);
- PORT_Free(sigitem.data);
- if (rv != SECSuccess)
- goto loser;
- } else {
- result->len = sigitem.len;
- result->data = sigitem.data;
- }
-
- loser:
- SGN_DestroyDigestInfo(di);
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return rv;
-}
-
-/************************************************************************/
-
-/*
-** Sign a block of data returning in result a bunch of bytes that are the
-** signature. Returns zero on success, an error code on failure.
-*/
-SECStatus
-SEC_SignData(SECItem *res, unsigned char *buf, int len,
- SECKEYPrivateKey *pk, SECOidTag algid)
-{
- SECStatus rv;
- SGNContext *sgn;
-
-
- sgn = SGN_NewContext(algid, pk);
-
- if (sgn == NULL)
- return SECFailure;
-
- rv = SGN_Begin(sgn);
- if (rv != SECSuccess)
- goto loser;
-
- rv = SGN_Update(sgn, buf, len);
- if (rv != SECSuccess)
- goto loser;
-
- rv = SGN_End(sgn, res);
-
- loser:
- SGN_DestroyContext(sgn, PR_TRUE);
- return rv;
-}
-
-/*
-** Sign the input file's contents returning in result a bunch of bytes
-** that are the signature. Returns zero on success, an error code on
-** failure.
-*/
-SECStatus
-SEC_SignFile(SECItem *result, FILE *input,
- SECKEYPrivateKey *pk, SECOidTag algid)
-{
- unsigned char buf[1024];
- SECStatus rv;
- int nb;
- SGNContext *sgn;
-
- sgn = SGN_NewContext(algid, pk);
- if (sgn == NULL)
- return SECFailure;
- rv = SGN_Begin(sgn);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- ** Now feed the contents of the input file into the digest
- ** algorithm, one chunk at a time, until we have exhausted the
- ** input
- */
- for (;;) {
- if (feof(input)) break;
- nb = fread(buf, 1, sizeof(buf), input);
- if (nb == 0) {
- if (ferror(input)) {
- PORT_SetError(SEC_ERROR_IO);
- rv = SECFailure;
- goto loser;
- }
- break;
- }
- rv = SGN_Update(sgn, buf, nb);
- if (rv != SECSuccess)
- goto loser;
- }
-
- /* Sign the digest */
- rv = SGN_End(sgn, result);
- /* FALL THROUGH */
-
- loser:
- SGN_DestroyContext(sgn, PR_TRUE);
- return rv;
-}
-
-/************************************************************************/
-
-DERTemplate CERTSignedDataTemplate[] =
-{
- { DER_SEQUENCE,
- 0, NULL, sizeof(CERTSignedData) },
- { DER_ANY,
- offsetof(CERTSignedData,data), },
- { DER_INLINE,
- offsetof(CERTSignedData,signatureAlgorithm),
- SECAlgorithmIDTemplate, },
- { DER_BIT_STRING,
- offsetof(CERTSignedData,signature), },
- { 0, }
-};
-
-const SEC_ASN1Template CERT_SignedDataTemplate[] =
-{
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTSignedData) },
- { SEC_ASN1_ANY,
- offsetof(CERTSignedData,data), },
- { SEC_ASN1_INLINE,
- offsetof(CERTSignedData,signatureAlgorithm),
- SECOID_AlgorithmIDTemplate, },
- { SEC_ASN1_BIT_STRING,
- offsetof(CERTSignedData,signature), },
- { 0, }
-};
-
-SECStatus
-SEC_DerSignData(PRArenaPool *arena, SECItem *result,
- unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
-{
- SECItem it;
- CERTSignedData sd;
- SECStatus rv;
-
- it.data = 0;
-
- /* XXX We should probably have some asserts here to make sure the key type
- * and algID match
- */
-
- if (algID == SEC_OID_UNKNOWN) {
- switch(pk->keyType) {
- case rsaKey:
- algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
- break;
- case dsaKey:
- algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
- break;
- default:
- return SECFailure;
- break;
- }
- }
-
- /* Sign input buffer */
- rv = SEC_SignData(&it, buf, len, pk, algID);
- if (rv) goto loser;
-
- /* Fill out SignedData object */
- PORT_Memset(&sd, 0, sizeof(sd));
- sd.data.data = buf;
- sd.data.len = len;
- sd.signature.data = it.data;
- sd.signature.len = it.len << 3; /* convert to bit string */
- rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0);
- if (rv) goto loser;
-
- /* DER encode the signed data object */
- rv = DER_Encode(arena, result, CERTSignedDataTemplate, &sd);
- /* FALL THROUGH */
-
- loser:
- PORT_Free(it.data);
- return rv;
-}
-
-SECStatus
-SGN_Digest(SECKEYPrivateKey *privKey,
- SECOidTag algtag, SECItem *result, SECItem *digest)
-{
- unsigned modulusLen;
- SECStatus rv;
- SECItem digder;
- PRArenaPool *arena = 0;
- SGNDigestInfo *di = 0;
-
-
- result->data = 0;
-
- if (privKey->keyType == rsaKey) {
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Construct digest info */
- di = SGN_CreateDigestInfo(algtag, digest->data, digest->len);
- if (!di) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Der encode the digest as a DigestInfo */
- rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
- if (rv != SECSuccess) {
- goto loser;
- }
- } else {
- digder.data = digest->data;
- digder.len = digest->len;
- }
-
- /*
- ** Encrypt signature after constructing appropriate PKCS#1 signature
- ** block
- */
- modulusLen = PK11_SignatureLen(privKey);
- result->len = modulusLen;
- result->data = (unsigned char*) PORT_Alloc(modulusLen);
-
- if (result->data == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = PK11_Sign(privKey, result, &digder);
- if (rv != SECSuccess) {
- PORT_Free(result->data);
- result->data = NULL;
- }
-
- loser:
- SGN_DestroyDigestInfo(di);
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return rv;
-}
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
deleted file mode 100644
index 6c2443e30..000000000
--- a/security/nss/lib/cryptohi/secvfy.c
+++ /dev/null
@@ -1,391 +0,0 @@
-/*
- * Verification stuff.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include <stdio.h>
-#include "cryptohi.h"
-#include "sechash.h"
-#include "keyhi.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secdig.h"
-#include "secerr.h"
-
-/*
-** Decrypt signature block using public key (in place)
-** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
-*/
-static SECStatus
-DecryptSigBlock(int *tagp, unsigned char *digest, SECKEYPublicKey *key,
- SECItem *sig, char *wincx)
-{
- SGNDigestInfo *di = NULL;
- unsigned char *dsig = NULL;
- unsigned char *buf = NULL;
- SECStatus rv;
- SECOidTag tag;
- SECItem it;
-
- if (key == NULL) goto loser;
-
- it.len = SECKEY_PublicKeyStrength(key);
- if (!it.len) goto loser;
- it.data = buf = (unsigned char *)PORT_Alloc(it.len);
- if (!buf) goto loser;
-
- /* Decrypt signature block */
- dsig = (unsigned char*) PORT_Alloc(sig->len);
- if (dsig == NULL) goto loser;
-
- /* decrypt the block */
- rv = PK11_VerifyRecover(key, sig, &it, wincx);
- if (rv != SECSuccess) goto loser;
-
- di = SGN_DecodeDigestInfo(&it);
- if (di == NULL) goto sigloser;
-
- /*
- ** Finally we have the digest info; now we can extract the algorithm
- ** ID and the signature block
- */
- tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
- /* XXX Check that tag is an appropriate algorithm? */
- if (di->digest.len > 32) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- goto loser;
- }
- PORT_Memcpy(digest, di->digest.data, di->digest.len);
- *tagp = tag;
- goto done;
-
- sigloser:
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-
- loser:
- rv = SECFailure;
-
- done:
- if (di != NULL) SGN_DestroyDigestInfo(di);
- if (dsig != NULL) PORT_Free(dsig);
- if (buf != NULL) PORT_Free(buf);
-
- return rv;
-}
-
-typedef enum { VFY_RSA, VFY_DSA} VerifyType;
-
-struct VFYContextStr {
- int alg;
- VerifyType type;
- SECKEYPublicKey *key;
- /* digest holds the full dsa signature... 40 bytes */
- unsigned char digest[DSA_SIGNATURE_LEN];
- void * wincx;
- void *hashcx;
- SECHashObject *hashobj;
-};
-
-VFYContext *
-VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag algid,
- void *wincx)
-{
- VFYContext *cx;
- SECStatus rv;
- SECItem *dsasig = NULL;
-
- cx = (VFYContext*) PORT_ZAlloc(sizeof(VFYContext));
- if (cx) {
- cx->wincx = cx;
- switch (key->keyType) {
- case rsaKey:
- cx->type = VFY_RSA;
- cx->key = NULL; /* extra safety precautions */
- rv = DecryptSigBlock(&cx->alg, &cx->digest[0], key, sig, (char*)wincx);
- break;
- case fortezzaKey:
- case dsaKey:
- cx->type = VFY_DSA;
- cx->alg = SEC_OID_SHA1;
- cx->key = SECKEY_CopyPublicKey(key);
- /* if this is a DER encoded signature, decode it first */
- if ((algid == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) ||
- (algid == SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ||
- (algid == SEC_OID_ANSIX9_DSA_SIGNATURE)) {
- dsasig = DSAU_DecodeDerSig(sig);
- if ((dsasig == NULL) || (dsasig->len != DSA_SIGNATURE_LEN)) {
- goto loser;
- }
- PORT_Memcpy(&cx->digest[0], dsasig->data, dsasig->len);
- } else {
- if (sig->len != DSA_SIGNATURE_LEN) {
- goto loser;
- }
- PORT_Memcpy(&cx->digest[0], sig->data, sig->len);
- }
- rv = SECSuccess;
- break;
- default:
- rv = SECFailure;
- break;
- }
- if (rv) goto loser;
- switch (cx->alg) {
- case SEC_OID_MD2:
- case SEC_OID_MD5:
- case SEC_OID_SHA1:
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- goto loser;
- }
- }
- return cx;
-
- loser:
- if (dsasig != NULL)
- SECITEM_FreeItem(dsasig, PR_TRUE);
- VFY_DestroyContext(cx, PR_TRUE);
- return 0;
-}
-
-void
-VFY_DestroyContext(VFYContext *cx, PRBool freeit)
-{
- if (cx) {
- if (cx->hashcx != NULL) {
- (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
- cx->hashcx = NULL;
- }
- if (cx->key) {
- SECKEY_DestroyPublicKey(cx->key);
- }
- if (freeit) {
- PORT_ZFree(cx, sizeof(VFYContext));
- }
- }
-}
-
-SECStatus
-VFY_Begin(VFYContext *cx)
-{
- if (cx->hashcx != NULL) {
- (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
- cx->hashcx = NULL;
- }
-
- switch (cx->alg) {
- case SEC_OID_MD2:
- cx->hashobj = &SECHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_MD5:
- cx->hashobj = &SECHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_SHA1:
- cx->hashobj = &SECHashObjects[HASH_AlgSHA1];
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- cx->hashcx = (*cx->hashobj->create)();
- if (cx->hashcx == NULL)
- return SECFailure;
-
- (*cx->hashobj->begin)(cx->hashcx);
- return SECSuccess;
-}
-
-SECStatus
-VFY_Update(VFYContext *cx, unsigned char *input, unsigned inputLen)
-{
- if (cx->hashcx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- (*cx->hashobj->update)(cx->hashcx, input, inputLen);
- return SECSuccess;
-}
-
-SECStatus
-VFY_End(VFYContext *cx)
-{
- unsigned char final[32];
- unsigned part;
- SECItem hash,sig;
-
- if (cx->hashcx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
- switch (cx->type) {
- case VFY_DSA:
- sig.data = cx->digest;
- sig.len = DSA_SIGNATURE_LEN; /* magic size of dsa signature */
- hash.data = final;
- hash.len = part;
- if (PK11_Verify(cx->key,&sig,&hash,cx->wincx) != SECSuccess) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- break;
- case VFY_RSA:
- if (PORT_Memcmp(final, cx->digest, part)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure;
- }
- break;
- default:
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- return SECFailure; /* shouldn't happen */
- }
- return SECSuccess;
-}
-
-/************************************************************************/
-/*
- * Verify that a previously-computed digest matches a signature.
- * XXX This should take a parameter that specifies the digest algorithm,
- * and we should compare that the algorithm found in the DigestInfo
- * matches it!
- */
-SECStatus
-VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig,
- SECOidTag algid, void *wincx)
-{
- SECStatus rv;
- VFYContext *cx;
- SECItem dsasig;
-
- rv = SECFailure;
-
- cx = VFY_CreateContext(key, sig, algid, wincx);
- if (cx != NULL) {
- switch (key->keyType) {
- case rsaKey:
- if (PORT_Memcmp(digest->data, cx->digest, digest->len)) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
- }
- break;
- case fortezzaKey:
- case dsaKey:
- dsasig.data = &cx->digest[0];
- dsasig.len = DSA_SIGNATURE_LEN; /* magic size of dsa signature */
- if (PK11_Verify(cx->key, &dsasig, digest, cx->wincx) != SECSuccess) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
- }
- break;
- default:
- break;
- }
- VFY_DestroyContext(cx, PR_TRUE);
- }
- return rv;
-}
-
-SECStatus
-VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
- SECItem *sig, SECOidTag algid, void *wincx)
-{
- SECStatus rv;
- VFYContext *cx;
-
- cx = VFY_CreateContext(key, sig, algid, wincx);
- if (cx == NULL)
- return SECFailure;
-
- rv = VFY_Begin(cx);
- if (rv == SECSuccess) {
- rv = VFY_Update(cx, buf, len);
- if (rv == SECSuccess)
- rv = VFY_End(cx);
- }
-
- VFY_DestroyContext(cx, PR_TRUE);
- return rv;
-}
-
-SECStatus
-SEC_VerifyFile(FILE *input, SECKEYPublicKey *key, SECItem *sig,
- SECOidTag algid, void *wincx)
-{
- unsigned char buf[1024];
- SECStatus rv;
- int nb;
- VFYContext *cx;
-
- cx = VFY_CreateContext(key, sig, algid, wincx);
- if (cx == NULL)
- rv = SECFailure;
-
- rv = VFY_Begin(cx);
- if (rv == SECSuccess) {
- /*
- * Now feed the contents of the input file into the digest algorithm,
- * one chunk at a time, until we have exhausted the input.
- */
- for (;;) {
- if (feof(input))
- break;
- nb = fread(buf, 1, sizeof(buf), input);
- if (nb == 0) {
- if (ferror(input)) {
- PORT_SetError(SEC_ERROR_IO);
- VFY_DestroyContext(cx, PR_TRUE);
- return SECFailure;
- }
- break;
- }
- rv = VFY_Update(cx, buf, nb);
- if (rv != SECSuccess)
- goto loser;
- }
- }
-
- /* Verify the digest */
- rv = VFY_End(cx);
- /* FALL THROUGH */
-
- loser:
- VFY_DestroyContext(cx, PR_TRUE);
- return rv;
-}
diff --git a/security/nss/lib/fortcrypt/Makefile b/security/nss/lib/fortcrypt/Makefile
deleted file mode 100644
index 09b98c761..000000000
--- a/security/nss/lib/fortcrypt/Makefile
+++ /dev/null
@@ -1,164 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-
-CILIB = $(OBJDIR)/cilib.$(LIB_SUFFIX)
-ORIG_CILIB = libci/$(OS_CONFIG).$(LIB_SUFFIX)
-
-ifeq ($(OS_ARCH), WINNT)
-ORIG_CILIB = libci/tssp32.lib
-endif
-
-ifeq ($(OS_TARGET), WIN16)
-ORIG_CILIB = libci/tssp.lib
-endif
-
-ifeq ($(OS_TARGET), WIN95)
-ORIG_CILIB = libci/tssp32.lib
-endif
-
-ifeq ($(OS_ARCH), WINNT)
-STUBDLL = $(OBJDIR)/stub.$(DLL_SUFFIX)
-endif
-
-STUBLIB = $(OBJDIR)/stub.$(LIB_SUFFIX)
-
-ifeq ($(OS_TARGET), WIN16)
-W16LIBS += $(CILIB)
-else
-EXTRA_LIBS += $(CILIB)
-endif
-
-INST_JS = inst.js
-LIBCI_JAR = $(OBJDIR)/libfort.jar
-LIBCI_JAR_SRC = $(INST_JS) $(SHARED_LIBRARY)
-
-ifneq ($(OS_TARGET), WIN16)
-TARGETS : $(LIBCI_JAR)
-endif
-
-ifeq ($(OS_TARGET), WIN16)
-# note that rules.mk is not included below for WIN16
-all:
- @echo Skipping fortcrypt directory for 16-bit windows builds
-
-all_platforms alltags clean clobber clobber_all realclean: all
-
-boot export install libs program release: all
-
-endif
-
-$(SHARED_LIBRARY): $(CILIB) $(DIRS)
-
-$(CILIB):
- @$(MAKE_OBJDIR)
- @if test -f $(ORIG_CILIB); then \
- echo "Copying $(ORIG_CILIB) to $@"; \
- cp $(ORIG_CILIB) $@; \
- else \
- echo "Making empty stub $@"; \
- $(MAKE) $(STUBLIB); \
- fi
- @$(RANLIB) $@
-
-$(STUBLIB): $(OBJDIR)/maci$(OBJ_SUFFIX)
- @$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH), WINNT)
- $(MAKE) $(STUBDLL)
-else
- $(AR) $<
-endif
- cp $@ $(CILIB)
-
-ifeq ($(OS_ARCH), WINNT)
-$(STUBDLL): $(OBJDIR)/maci.o
- $(LINK_DLL) -MAP $(DLLBASE) $(OBJDIR)/maci.o $(OS_LIBS)
-
-$(OBJDIR)/maci.o: maci.c
- $(CC) -Fo$@ -c $(CFLAGS) $<
-endif
-
-#
-# The following rules packages the shared library into a JAR,
-# ready to be signed
-#
-$(OBJDIR)/replace: replace.c
- $(CC) -o $@ $<
-
-# ZIP options:
-# -5 means medium compression
-# -q means quiet
-# -j means do not store tree structure, all files go into one dir
-#
-$(LIBCI_JAR): $(DIRS) $(LIBCI_JAR_SRC)
- @echo +++ building $@ from $(LIBCI_JAR_SRC)
- @rm -f $@
- zip -5qj $@ $(LIBCI_JAR_SRC)
-
-force:
- (cd swfort ; gmake)
-
-
-MD_FILES += $(LIBCI_JAR)
-
-# coreconf doesn't build the AIX shared library for FORTEZZA,
-# so I'm going to override their shared library command and build the shared
-# library the way config used to.
-#
-ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.1)
-DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry
-EXTRA_DSO_LDOPTS = -lc
-MKSHLIB = svld $(DSO_LDOPTS)
-
-$(SHARED_LIBRARY): $(OBJS)
- @$(MAKE_OBJDIR)
- rm -f $@
- $(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
- chmod +x $@
-endif
-
-ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.2)
-LD += -G
-endif
-
-
-ifneq ($(OS_TARGET), WIN16)
-include $(CORE_DEPTH)/coreconf/rules.mk
-endif
-
-export:: private_export
-
-
diff --git a/security/nss/lib/fortcrypt/config.mk b/security/nss/lib/fortcrypt/config.mk
deleted file mode 100644
index 1e8237ff2..000000000
--- a/security/nss/lib/fortcrypt/config.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-ifeq ($(OS_TARGET), WIN16)
-TARGETS = all
-else
-TARGETS = $(SHARED_LIBRARY)
-endif
-LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
-
-ifeq ($(OS_TARGET), WIN16)
-dummy:
- @echo $(TARGETS)
-endif
diff --git a/security/nss/lib/fortcrypt/cryptint.h b/security/nss/lib/fortcrypt/cryptint.h
deleted file mode 100644
index c4de00ff2..000000000
--- a/security/nss/lib/fortcrypt/cryptint.h
+++ /dev/null
@@ -1,703 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/* @(#)cryptint.h 1.26\t10 Nov 1995 */
-/*****************************************************************************
- Definitive Fortezza header file.
- Application Level Interface to Fortezza CI Library.
-
- Version for CI Library 1.52
- November 8, 1995
-
-
- NOTICE: Fortezza Export Policy
-
- The Fortezza Cryptologic Interface (CI) Library (both source and
- object) and Fortezza CI Library based applications are defense
- articles, as defined in the International Traffic In Arms
- Regulations (ITAR), and are subject to export controls under the
- ITAR and the Arms Export Control Act. Any export to any country
- of (a) the Fortezza CI Library, related documentation, and
- technical data, or (b) your cryptographic application, process,
- or service that is the direct product of, or contains the
- Fortezza CI Library must comply with the requirements of the ITAR.
- If you or your customer intends to engage in such export, contact
- the United States Department of State, Office of Defense Trade
- Controls for specific guidance.
-
-
- ****************************************************************************/
-#ifndef __CRYPTINT_H
-#define __CRYPTINT_H
-
-#if __cplusplus__ || __cplusplus
-extern "C"
-{
-#endif /* C++ */
-
-#ifndef PROTO_LIST
-#ifdef _K_AND_R_
-#define PROTO_LIST(list) ()
-#else
-#define PROTO_LIST(list) list
-#endif /*_K_AND_R_ */
-#endif /* PROTO_LIST */
-
-
-#ifndef RETURN_TYPE
-#if defined( _WIN32 ) || defined( __WIN32__ )
-#define RETURN_TYPE __declspec(dllimport) int
-#elif defined( _WINDOWS ) || defined( _Windows )
-#define RETURN_TYPE extern int _far _pascal
-#else
-#define RETURN_TYPE extern int
-#endif /* Windows */
-#endif /* RETURN_TYPE */
-
-/* MS Visual C++ defines _MSDOS and _WINDOWS */
-/* Borland C/C++ defines __MSDOS__ and _Windows */
-#if defined( _WIN32 ) || defined ( __WIN32__ )
-#define CI_FAR
-#elif defined( _WINDOWS ) || defined( _Windows )
-#define CI_FAR _far
-#else
-#define CI_FAR
-#endif /* MS DOS or Windows */
-
-
-/*****************************************************************************
- Constants
- ****************************************************************************/
-#define CI_LIB_VERSION_VAL 0x0152 /* Version 1.52 */
-
-#define CI_CERT_SIZE 2048
-#define CI_CERT_FLAGS_SIZE 16
-#define CI_CERT_NAME_SIZE 32
-#define CI_CHALLENGE_SIZE 20
-
-#define CI_G_SIZE 128
-
-#define CI_HASHVALUE_SIZE 20
-
-#define CI_IV_SIZE 24
-
-#define CI_KEY_SIZE 12
-#define CI_KS_SIZE 10
-
-#define CI_NAME_SIZE 32
-
-#define CI_PASSWORD_SIZE 24
-#define CI_PIN_SIZE 12
-#define CI_P_SIZE 128
-
-#define CI_Q_SIZE 20
-
-#define CI_R_SIZE 40
-#define CI_RANDOM_NO_SIZE 20
-#define CI_RANDOM_SEED_SIZE 8
-#define CI_RA_SIZE 128
-#define CI_RB_SIZE 128
-#define CI_REG_FLAGS_SIZE 4
-
-#define CI_S_SIZE 40
-#define CI_SAVE_DATA_SIZE 28
-#define CI_SERIAL_NUMBER_SIZE 8
-#define CI_SIGNATURE_SIZE 40
-#define CI_STATUS_FLAGS_SIZE 4
-
-#define CI_TIME_SIZE 16
-#define CI_TIMESTAMP_SIZE 16
-
-#define CI_WRAPPED_X_SIZE 24
-
-#define CI_Y_SIZE 128
-
-#define CI_X_SIZE 20
-
-
-/* Miscellaneous */
-#define CI_NULL_FLAG 0
-#define CI_POWER_DOWN_FLAG 2
-#define CI_NO_LOG_OFF_FLAG 4
-#define CI_INITIATOR_FLAG 0
-#define CI_RECIPIENT_FLAG 1
-
-#define CI_BLOCK_LOCK_FLAG 1
-#define CI_SSO_LOGGED_ON 0x40
-#define CI_USER_LOGGED_ON 0x00
-#define CI_FAST_MODE 0x10
-#define CI_SLOW_MODE 0x00
-#define CI_WORST_CASE_MODE 0x40
-#define CI_TYPICAL_CASE_MODE 0x00
-
-/* Card Public Key Algorithms Types */
-#define CI_DSA_TYPE 0xA
-#define CI_KEA_TYPE 0x5
-#define CI_DSA_KEA_TYPE 0xF
-
-/* Fortezza Pin Types */
-#define CI_SSO_PIN 0x25
-#define CI_USER_PIN 0x2A
-
-/* Crypto Types */
-#define CI_ENCRYPT_TYPE 0
-#define CI_DECRYPT_TYPE 1
-#define CI_HASH_TYPE 2
-
-/* Save and Restore Types */
-#define CI_ENCRYPT_INT_TYPE 0x00 /* Internal Encryption */
-#define CI_ENCRYPT_EXT_TYPE 0x10 /* External Encryption */
-#define CI_DECRYPT_INT_TYPE 0x01 /* Internal Decryption */
-#define CI_DECRYPT_EXT_TYPE 0x11 /* External Decryption */
-#define CI_HASH_INT_TYPE 0x02 /* Internal Hash */
-#define CI_HASH_EXT_TYPE 0x12 /* External Hash */
-#define CI_TYPE_EXT_FLAG 0x10 /* Used to differentiate */
-
-/* Configuration types */
-#define CI_SET_SPEED_TYPE 1
-#define CI_SET_TIMING_TYPE 2
-
-/* Lock States */
-#define CI_SOCKET_UNLOCKED 0
-#define CI_HOLD_LOCK 1
-#define CI_SOCKET_LOCKED 2
-
-/* Fortezza Crypto Types Modes */
-#define CI_ECB64_MODE 0
-#define CI_CBC64_MODE 1
-#define CI_OFB64_MODE 2
-#define CI_CFB64_MODE 3
-#define CI_CFB32_MODE 4
-#define CI_CFB16_MODE 5
-#define CI_CFB8_MODE 6
-
-/* Card States */
-#define CI_POWER_UP 0
-#define CI_UNINITIALIZED 1
-#define CI_INITIALIZED 2
-#define CI_SSO_INITIALIZED 3
-#define CI_LAW_INITIALIZED 4
-#define CI_USER_INITIALIZED 5
-#define CI_STANDBY 6
-#define CI_READY 7
-#define CI_ZEROIZE 8
-#define CI_INTERNAL_FAILURE (-1)
-
-/* Flags for Firmware Update. */
-#define CI_NOT_LAST_BLOCK_FLAG 0x00000000UL
-#define CI_LAST_BLOCK_FLAG 0x80000000UL
-#define CI_DESTRUCTIVE_FLAG 0x000000FFUL
-#define CI_NONDESTRUCTIVE_FLAG 0x0000FF00UL
-
-
-/****************************************************************************
- Fortezza Library Return Codes
- ***************************************************************************/
-
-/* Card Responses */
-#define CI_OK 0
-#define CI_FAIL 1
-#define CI_CHECKWORD_FAIL 2
-#define CI_INV_TYPE 3
-#define CI_INV_MODE 4
-#define CI_INV_KEY_INDEX 5
-#define CI_INV_CERT_INDEX 6
-#define CI_INV_SIZE 7
-#define CI_INV_HEADER 8
-#define CI_INV_STATE 9
-#define CI_EXEC_FAIL 10
-#define CI_NO_KEY 11
-#define CI_NO_IV 12
-#define CI_NO_X 13
-
-#define CI_NO_SAVE 15
-#define CI_REG_IN_USE 16
-#define CI_INV_COMMAND 17
-#define CI_INV_POINTER 18
-#define CI_BAD_CLOCK 19
-#define CI_NO_DSA_PARMS 20
-
-/* Library Errors */
-#define CI_ERROR (-1)
-#define CI_LIB_NOT_INIT (-2)
-#define CI_CARD_NOT_READY (-3)
-#define CI_CARD_IN_USE (-4)
-#define CI_TIME_OUT (-5)
-#define CI_OUT_OF_MEMORY (-6)
-#define CI_NULL_PTR (-7)
-#define CI_BAD_SIZE (-8)
-#define CI_NO_DECRYPT (-9)
-#define CI_NO_ENCRYPT (-10)
-#define CI_NO_EXECUTE (-11)
-#define CI_BAD_PARAMETER (-12)
-#define CI_OUT_OF_RESOURCES (-13)
-
-#define CI_NO_CARD (-20)
-#define CI_NO_DRIVER (-21)
-#define CI_NO_CRDSRV (-22)
-#define CI_NO_SCTSRV (-23)
-
-#define CI_BAD_CARD (-30)
-#define CI_BAD_IOCTL (-31)
-#define CI_BAD_READ (-32)
-#define CI_BAD_SEEK (-33)
-#define CI_BAD_WRITE (-34)
-#define CI_BAD_FLUSH (-35)
-#define CI_BAD_IOSEEK (-36)
-#define CI_BAD_ADDR (-37)
-
-#define CI_INV_SOCKET_INDEX (-40)
-#define CI_SOCKET_IN_USE (-41)
-#define CI_NO_SOCKET (-42)
-#define CI_SOCKET_NOT_OPENED (-43)
-#define CI_BAD_TUPLES (-44)
-#define CI_NOT_A_CRYPTO_CARD (-45)
-
-#define CI_INVALID_FUNCTION (-50)
-#define CI_LIB_ALRDY_INIT (-51)
-#define CI_SRVR_ERROR (-52)
-
-
-/*****************************************************************************
- Data Structures
- ****************************************************************************/
-
-typedef unsigned char CI_CERTIFICATE[CI_CERT_SIZE];
-
-typedef unsigned char CI_CERT_FLAGS[CI_CERT_FLAGS_SIZE];
-
-typedef unsigned char CI_CERT_STR[CI_CERT_NAME_SIZE+4];
-
-typedef unsigned char CI_FAR *CI_DATA;
-
-typedef unsigned char CI_G[CI_G_SIZE];
-
-typedef unsigned char CI_HASHVALUE[CI_HASHVALUE_SIZE];
-
-typedef unsigned char CI_IV[CI_IV_SIZE];
-
-typedef unsigned char CI_KEY[CI_KEY_SIZE];
-
-typedef unsigned char CI_KS[CI_KS_SIZE];
-
-typedef unsigned char CI_P[CI_P_SIZE];
-
-typedef unsigned char CI_PASSWORD[CI_PASSWORD_SIZE + 4];
-
-typedef unsigned char CI_PIN[CI_PIN_SIZE + 4];
-
-typedef unsigned char CI_Q[CI_Q_SIZE];
-
-typedef unsigned char CI_RA[CI_RA_SIZE];
-
-typedef unsigned char CI_RB[CI_RB_SIZE];
-
-typedef unsigned char CI_RANDOM[CI_RANDOM_NO_SIZE];
-
-typedef unsigned char CI_RANDSEED[CI_RANDOM_SEED_SIZE];
-
-typedef unsigned char CI_REG_FLAGS[CI_REG_FLAGS_SIZE];
-
-typedef unsigned char CI_SIGNATURE[CI_SIGNATURE_SIZE];
-
-typedef unsigned char CI_SAVE_DATA[CI_SAVE_DATA_SIZE];
-
-typedef unsigned char CI_SERIAL_NUMBER[CI_SERIAL_NUMBER_SIZE];
-
-typedef unsigned int CI_STATE, CI_FAR *CI_STATE_PTR;
-
-typedef unsigned char CI_TIME[CI_TIME_SIZE];
-
-typedef unsigned char CI_TIMESTAMP[CI_TIMESTAMP_SIZE];
-
-typedef unsigned char CI_WRAPPED_X[CI_WRAPPED_X_SIZE];
-
-typedef unsigned char CI_Y[CI_Y_SIZE];
-
-typedef unsigned char CI_X[CI_X_SIZE];
-
-typedef struct {
- int LibraryVersion; /* CI Library version */
- int ManufacturerVersion; /* Card's hardware version */
- char ManufacturerName[CI_NAME_SIZE+4]; /* Card manufacturer's name*/
- char ProductName[CI_NAME_SIZE+4]; /* Card's product name */
- char ProcessorType[CI_NAME_SIZE+4]; /* Card's processor type */
- unsigned long UserRAMSize; /* Amount of User RAM in bytes */
- unsigned long LargestBlockSize; /* Largest block of data to pass in */
- int KeyRegisterCount; /* Number of key registers */
- int CertificateCount; /* Maximum number of personalities (# certs-1) */
- int CryptoCardFlag; /* A flag that if non-zero indicates that there is
- a Crypto-Card in the socket. If this value is
- zero then there is NOT a Crypto-Card in the
- sockets. */
- int ICDVersion; /* The ICD compliance level */
- int ManufacturerSWVer; /* The Manufacturer's Software Version */
- int DriverVersion; /* Driver Version */
-} CI_CONFIG, CI_FAR *CI_CONFIG_PTR;
-
-typedef struct {
- int CertificateIndex; /* Index from 1 to CertificateCount */
- CI_CERT_STR CertLabel; /* The certificate label */
-} CI_PERSON, CI_FAR *CI_PERSON_PTR;
-
-typedef struct {
- int CurrentSocket; /* The currently selected socket */
- int LockState; /* Lock status of the current socket */
- CI_SERIAL_NUMBER SerialNumber; /* Serial number of the Crypto Engine chip */
- CI_STATE CurrentState; /* State of The Card */
- int DecryptionMode; /* Decryption mode of The Card */
- int EncryptionMode; /* Encryption mode of The Card */
- int CurrentPersonality; /* Index of the current personality */
- int KeyRegisterCount; /* No. of Key Register on The Card */
- CI_REG_FLAGS KeyRegisterFlags; /* Bit Masks indicating Key Register use */
- int CertificateCount; /* No. of Certificates on The Card */
- CI_CERT_FLAGS CertificateFlags; /* Bit Mask indicating certificate use */
- unsigned char Flags[CI_STATUS_FLAGS_SIZE];
- /* Flag[0] : bit 6 for Condition mode */
- /* bit 4 for Clock mode */
-} CI_STATUS, CI_FAR *CI_STATUS_PTR;
-
-
-/*****************************************************************************
- Function Call Prototypes
- ****************************************************************************/
-
-RETURN_TYPE
-CI_ChangePIN PROTO_LIST( (
- int PINType,
- CI_PIN CI_FAR pOldPIN,
- CI_PIN CI_FAR pNewPIN ) );
-
-RETURN_TYPE
-CI_CheckPIN PROTO_LIST( (
- int PINType,
- CI_PIN CI_FAR pPIN ) );
-
-RETURN_TYPE
-CI_Close PROTO_LIST( (
- unsigned int Flags,
- int SocketIndex ) );
-
-RETURN_TYPE
-CI_Decrypt PROTO_LIST( (
- unsigned int CipherSize,
- CI_DATA pCipher,
- CI_DATA pPlain ) );
-
-RETURN_TYPE
-CI_DeleteCertificate PROTO_LIST( (
- int CertificateIndex ) );
-
-RETURN_TYPE
-CI_DeleteKey PROTO_LIST( (
- int RegisterIndex ) );
-
-RETURN_TYPE
-CI_Encrypt PROTO_LIST( (
- unsigned int PlainSize,
- CI_DATA pPlain,
- CI_DATA pCipher ) );
-
-RETURN_TYPE
-CI_ExtractX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) );
-
-RETURN_TYPE
-CI_FirmwareUpdate PROTO_LIST( (
- unsigned long Flags,
- long Cksum,
- unsigned int CksumLength,
- unsigned int DataSize,
- CI_DATA pData ) );
-
-RETURN_TYPE
-CI_GenerateIV PROTO_LIST( (
- CI_IV CI_FAR pIV ) );
-
-RETURN_TYPE
-CI_GenerateMEK PROTO_LIST( (
- int RegisterIndex,
- int Reserved ) );
-
-RETURN_TYPE
-CI_GenerateRa PROTO_LIST( (
- CI_RA CI_FAR pRa ) );
-
-RETURN_TYPE
-CI_GenerateRandom PROTO_LIST( (
- CI_RANDOM CI_FAR pRandom ) );
-
-RETURN_TYPE
-CI_GenerateTEK PROTO_LIST( (
- int Flags,
- int RegisterIndex,
- CI_RA CI_FAR pRa,
- CI_RB CI_FAR pRb,
- unsigned int YSize,
- CI_Y CI_FAR pY ) );
-
-RETURN_TYPE
-CI_GenerateX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- unsigned int YSize,
- CI_Y CI_FAR pY ) );
-
-RETURN_TYPE
-CI_GetCertificate PROTO_LIST( (
- int CertificateIndex,
- CI_CERTIFICATE CI_FAR pCertificate ) );
-
-RETURN_TYPE
-CI_GetConfiguration PROTO_LIST( (
- CI_CONFIG_PTR pConfiguration ) );
-
-RETURN_TYPE
-CI_GetHash PROTO_LIST( (
- unsigned int DataSize,
- CI_DATA pData,
- CI_HASHVALUE CI_FAR pHashValue ) );
-
-RETURN_TYPE
-CI_GetPersonalityList PROTO_LIST( (
- int EntryCount,
- CI_PERSON CI_FAR pPersonalityList[] ) );
-
-RETURN_TYPE
-CI_GetState PROTO_LIST( (
- CI_STATE_PTR pState ) );
-
-RETURN_TYPE
-CI_GetStatus PROTO_LIST( (
- CI_STATUS_PTR pStatus ) );
-
-RETURN_TYPE
-CI_GetTime PROTO_LIST( (
- CI_TIME CI_FAR pTime ) );
-
-RETURN_TYPE
-CI_Hash PROTO_LIST( (
- unsigned int DataSize,
- CI_DATA pData ) );
-
-RETURN_TYPE
-CI_Initialize PROTO_LIST( (
- int CI_FAR *SocketCount ) );
-
-RETURN_TYPE
-CI_InitializeHash PROTO_LIST( (
- void ) );
-
-RETURN_TYPE
-CI_InstallX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pWrappedX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) );
-
-RETURN_TYPE
-CI_LoadCertificate PROTO_LIST( (
- int CertificateIndex,
- CI_CERT_STR CI_FAR pCertLabel,
- CI_CERTIFICATE CI_FAR pCertificate,
- long Reserved ) );
-
-RETURN_TYPE
-CI_LoadDSAParameters PROTO_LIST( (
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) );
-
-RETURN_TYPE
-CI_LoadInitValues PROTO_LIST( (
- CI_RANDSEED CI_FAR pRandSeed,
- CI_KS CI_FAR pKs ) );
-
-RETURN_TYPE
-CI_LoadIV PROTO_LIST( (
- CI_IV CI_FAR pIV ) );
-
-RETURN_TYPE
-CI_LoadX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- CI_X CI_FAR pX,
- unsigned int YSize,
- CI_Y CI_FAR pY ) );
-
-RETURN_TYPE
-CI_Lock PROTO_LIST( (
- int Flags ) );
-
-RETURN_TYPE
-CI_Open PROTO_LIST( (
- unsigned int Flags,
- int SocketIndex ) );
-
-RETURN_TYPE
-CI_RelayX PROTO_LIST( (
- CI_PASSWORD CI_FAR pOldPassword,
- unsigned int OldYSize,
- CI_Y CI_FAR pOldY,
- CI_RA CI_FAR pOldRa,
- CI_WRAPPED_X CI_FAR pOldWrappedX,
- CI_PASSWORD CI_FAR pNewPassword,
- unsigned int NewYSize,
- CI_Y CI_FAR pNewY,
- CI_RA CI_FAR pNewRa,
- CI_WRAPPED_X CI_FAR pNewWrappedX ) );
-
-RETURN_TYPE
-CI_Reset PROTO_LIST( (
- void ) );
-
-RETURN_TYPE
-CI_Restore PROTO_LIST( (
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) );
-
-RETURN_TYPE
-CI_Save PROTO_LIST( (
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) );
-
-RETURN_TYPE
-CI_Select PROTO_LIST( (
- int SocketIndex ) );
-
-RETURN_TYPE
-CI_SetConfiguration PROTO_LIST( (
- int Type,
- unsigned int DataSize,
- CI_DATA pData ) );
-
-RETURN_TYPE
-CI_SetKey PROTO_LIST( (
- int RegisterIndex ) );
-
-RETURN_TYPE
-CI_SetMode PROTO_LIST( (
- int CryptoType,
- int CryptoMode ) );
-
-RETURN_TYPE
-CI_SetPersonality PROTO_LIST( (
- int CertificateIndex ) );
-
-RETURN_TYPE
-CI_SetTime PROTO_LIST( (
- CI_TIME CI_FAR pTime ) );
-
-RETURN_TYPE
-CI_Sign PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature ) );
-
-RETURN_TYPE
-CI_Terminate PROTO_LIST( (
- void ) );
-
-RETURN_TYPE
-CI_TimeStamp PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) );
-
-RETURN_TYPE
-CI_Unlock PROTO_LIST( (
- void ) );
-
-RETURN_TYPE
-CI_UnwrapKey PROTO_LIST( (
- int UnwrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) );
-
-RETURN_TYPE
-CI_VerifySignature PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_SIGNATURE CI_FAR pSignature ) );
-
-RETURN_TYPE
-CI_VerifyTimeStamp PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) );
-
-RETURN_TYPE
-CI_WrapKey PROTO_LIST( (
- int WrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) );
-
-RETURN_TYPE
-CI_Zeroize PROTO_LIST( (
- void ) );
-
-#if __cplusplus__ || __cplusplus
-}
-#endif /* C++ */
-
-#endif /* CRYPTINT_H */
diff --git a/security/nss/lib/fortcrypt/fmutex.c b/security/nss/lib/fortcrypt/fmutex.c
deleted file mode 100644
index ad98c04b6..000000000
--- a/security/nss/lib/fortcrypt/fmutex.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "fmutex.h"
-#include "fpkmem.h"
-#include <stdio.h>
-
-typedef struct PKMutexFunctions {
- CK_CREATEMUTEX CreateMutex;
- CK_DESTROYMUTEX DestroyMutex;
- CK_LOCKMUTEX LockMutex;
- CK_UNLOCKMUTEX UnlockMutex;
- int useMutex;
-} PKMutexFunctions;
-
-static PKMutexFunctions gMutex = {NULL, NULL, NULL, NULL, 0};
-static int gInit = 0;
-
-#define FMUTEX_CHECKS() \
- if (gInit == 0) { \
- return CKR_GENERAL_ERROR; \
- } \
- if (!gMutex.useMutex) { \
- return CKR_GENERAL_ERROR; \
- }
-
-CK_RV FMUTEX_Init(CK_C_INITIALIZE_ARGS_PTR pArgs) {
- if (gInit != 0) {
- return CKR_GENERAL_ERROR;
- }
-
- if (pArgs && pArgs->CreateMutex && pArgs->DestroyMutex &&
- pArgs->LockMutex && pArgs->UnlockMutex) {
-
- gMutex.CreateMutex = pArgs->CreateMutex;
- gMutex.DestroyMutex = pArgs->DestroyMutex;
- gMutex.LockMutex = pArgs->LockMutex;
- gMutex.UnlockMutex = pArgs->UnlockMutex;
- gMutex.useMutex = 1;
- gInit = 1;
- } else {
- gInit = 0;
- return CKR_GENERAL_ERROR;
- }
-
- return CKR_OK;
-}
-
-
-CK_RV FMUTEX_Create(CK_VOID_PTR_PTR pMutex) {
- CK_RV rv;
- FMUTEX_CHECKS()
-
- rv = gMutex.CreateMutex(pMutex);
- return rv;
-}
-
-CK_RV FMUTEX_Destroy(CK_VOID_PTR pMutex) {
- CK_RV rv;
- FMUTEX_CHECKS()
-
- rv = gMutex.DestroyMutex(pMutex);
- return rv;
-}
-
-CK_RV FMUTEX_Lock(CK_VOID_PTR pMutex) {
- CK_RV rv;
- FMUTEX_CHECKS()
-
- rv = gMutex.LockMutex(pMutex);
- return rv;
-}
-
-CK_RV FMUTEX_Unlock(CK_VOID_PTR pMutex) {
- CK_RV rv;
- FMUTEX_CHECKS()
-
- rv = gMutex.UnlockMutex(pMutex);
- return rv;
-}
-
-int FMUTEX_MutexEnabled (void) {
- return gMutex.useMutex;
-}
diff --git a/security/nss/lib/fortcrypt/fmutex.h b/security/nss/lib/fortcrypt/fmutex.h
deleted file mode 100644
index 589eea786..000000000
--- a/security/nss/lib/fortcrypt/fmutex.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _FMUTEX_H_
-#define _FMUTEX_H_ 1
-
-#include "fpkcs11t.h"
-
-/*
- * All of these functions will return CK_RV values.
- */
-extern CK_RV FMUTEX_Init(CK_C_INITIALIZE_ARGS_PTR pArgs);
-
-
-extern CK_RV FMUTEX_Create(CK_VOID_PTR_PTR pMutex);
-
-extern CK_RV FMUTEX_Destroy(CK_VOID_PTR pMutex);
-
-extern CK_RV FMUTEX_Lock(CK_VOID_PTR pMutex);
-
-extern CK_RV FMUTEX_Unlock(CK_VOID_PTR pMutex);
-
-/* Returns 0 if mutexes have not been enabled.
- * Returns 1 if mutexes have been enabled.
- */
-extern int FMUTEX_MutexEnabled(void);
-
-#endif /*_FMUTEX_H_*/
diff --git a/security/nss/lib/fortcrypt/forsock.c b/security/nss/lib/fortcrypt/forsock.c
deleted file mode 100644
index 39a4f0420..000000000
--- a/security/nss/lib/fortcrypt/forsock.c
+++ /dev/null
@@ -1,815 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "fortsock.h"
-#include "fpkmem.h"
-#include "fmutex.h"
-#include <string.h>
-#include <stdlib.h>
-
-#define DEF_ENCRYPT_SIZE 0x8000
-
-static unsigned char Fortezza_mail_Rb[128] = {
-0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,
-};
-
-int InitSocket (FortezzaSocket *inSocket, int inSlotID) {
- int ci_rv;
- CK_RV mrv;
-
- if (inSocket == NULL)
- return SOCKET_FAILURE;
-
- inSocket->isLoggedIn = PR_FALSE;
- inSocket->personalitiesLoaded = PR_FALSE;
- inSocket->isOpen = PR_FALSE;
- inSocket->personalityList = NULL;
- inSocket->keyRegisters = NULL;
- inSocket->keys = NULL;
- inSocket->numPersonalities = 0;
- inSocket->numKeyRegisters = 0;
- inSocket->hitCount = 0;
-
- inSocket->slotID = inSlotID;
- ci_rv = MACI_GetSessionID(&(inSocket->maciSession));
- if (ci_rv != CI_OK)
- return SOCKET_FAILURE;
-
- ci_rv = MACI_Open (inSocket->maciSession, 0, inSlotID);
- if (ci_rv == CI_OK) {
- inSocket->isOpen = PR_TRUE;
- } else {
- MACI_Close (inSocket->maciSession, CI_NULL_FLAG, inSlotID);
- }
-
- if (FMUTEX_MutexEnabled()) {
- mrv = FMUTEX_Create(&inSocket->registersLock);
- if (mrv != CKR_OK) {
- inSocket->registersLock = NULL;
- }
- } else {
- inSocket->registersLock = NULL;
- }
-
- return SOCKET_SUCCESS;
-}
-
-int FreeSocket (FortezzaSocket *inSocket) {
- if (inSocket->registersLock) {
- FMUTEX_Destroy(inSocket->registersLock);
- }
- MACI_Close(inSocket->maciSession, CI_NULL_FLAG, inSocket->slotID);
- return SOCKET_SUCCESS;
-}
-
-int LoginToSocket (FortezzaSocket *inSocket, int inUserType, CI_PIN inPin) {
- int ci_rv, i;
- CI_STATUS ciStatus;
- CI_CONFIG ciConfig;
- FortezzaKey **oldRegisters, **newRegisters;
- int oldCount;
- HSESSION hs;
-
- if (inSocket == NULL || inSocket->isLoggedIn)
- return SOCKET_FAILURE;
-
- hs = inSocket->maciSession;
- ci_rv = MACI_Select (hs, inSocket->slotID);
- if (ci_rv != CI_OK)
- return ci_rv;
-
- ci_rv = MACI_CheckPIN(hs, inUserType, inPin);
-
- if (ci_rv != CI_OK) {
- return ci_rv;
- }
-
- ci_rv = MACI_GetStatus(hs, &ciStatus);
-
- if (ci_rv != CI_OK) {
- if (ci_rv == CI_FAIL) {
- ci_rv = CI_EXEC_FAIL;
- }
- return ci_rv;
- }
-
- ci_rv = MACI_GetConfiguration(hs, &ciConfig);
- if (ci_rv != CI_OK) {
- return ci_rv;
- }
-
- inSocket->isLoggedIn = PR_TRUE;
- inSocket->hasLoggedIn = PR_TRUE;
- PORT_Memcpy (inSocket->openCardSerial, ciStatus.SerialNumber,
- sizeof (CI_SERIAL_NUMBER));
- inSocket->openCardState = ciStatus.CurrentState;
- inSocket->numPersonalities = ciStatus.CertificateCount;
- inSocket->numKeyRegisters = ciConfig.KeyRegisterCount;
- newRegisters =
- (FortezzaKey**)PORT_Alloc (sizeof(FortezzaKey)*ciConfig.KeyRegisterCount);
-
- FMUTEX_Lock(inSocket->registersLock);
- oldRegisters = inSocket->keyRegisters;
- oldCount = inSocket->numKeyRegisters;
- inSocket->keyRegisters = newRegisters;
- if (oldRegisters) {
- for (i=0; i<oldCount; i++) {
- if (oldRegisters[i]) {
- oldRegisters[i]->keyRegister = KeyNotLoaded;
- }
- oldRegisters[i] = NULL;
- }
- PORT_Free(oldRegisters);
- }
-
- if (inSocket->keyRegisters == NULL) {
- FMUTEX_Unlock(inSocket->registersLock);
- return SOCKET_FAILURE;
- }
-
- for (i=0; i<ciConfig.KeyRegisterCount; i++) {
- inSocket->keyRegisters[i] = NULL;
- }
- FMUTEX_Unlock(inSocket->registersLock);
-
- return SOCKET_SUCCESS;
-}
-
-int LogoutFromSocket (FortezzaSocket *inSocket) {
- if (inSocket == NULL)
- return SOCKET_FAILURE;
-
- inSocket->isLoggedIn = PR_FALSE;
- inSocket->hasLoggedIn = PR_FALSE;
- if (UnloadPersonalityList(inSocket) != SOCKET_SUCCESS)
- return SOCKET_FAILURE;
-
-
- return SOCKET_SUCCESS;
-}
-
-
-int FetchPersonalityList(FortezzaSocket *inSocket) {
- int rv;
-
- if (inSocket == NULL || inSocket->numPersonalities == 0) {
- return SOCKET_FAILURE;
- }
-
- rv = MACI_Select (inSocket->maciSession, inSocket->slotID);
-
- inSocket->personalityList =
- (CI_PERSON*)PORT_Alloc (sizeof(CI_PERSON)*inSocket->numPersonalities);
-
- if (inSocket->personalityList == NULL) {
- return SOCKET_FAILURE;
- }
-
- rv = MACI_GetPersonalityList(inSocket->maciSession,
- inSocket->numPersonalities,
- inSocket->personalityList);
-
- if (rv != CI_OK) {
- return SOCKET_FAILURE;
- }
-
- inSocket->personalitiesLoaded = PR_TRUE;
- return SOCKET_SUCCESS;
-}
-
-int UnloadPersonalityList(FortezzaSocket *inSocket) {
- if (inSocket == NULL)
- return SOCKET_FAILURE;
-
- inSocket->personalitiesLoaded = PR_FALSE;
- if (inSocket->personalityList) {
- PORT_Free(inSocket->personalityList);
- }
- inSocket->numPersonalities = 0;
- inSocket->personalityList = NULL;
-
- return SOCKET_SUCCESS;
-}
-
-PRBool SocketIsLoggedIn(CI_STATE status) {
-
- return (PRBool)((status == CI_READY) || (status == CI_STANDBY));
-}
-
-PRBool SocketStateUnchanged(FortezzaSocket* inSocket) {
- CI_STATUS ciStatus;
- int ciRV;
-
- ciRV = MACI_Select (inSocket->maciSession, inSocket->slotID);
- if (ciRV != CI_OK)
- return PR_FALSE;
-
- if (inSocket->hasLoggedIn && !inSocket->isLoggedIn)
- return PR_FALSE; /* User Logged out from the socket */
-
- /*
- * Some vendor cards are slow. so if we think we are logged in,
- * and the card still thinks we're logged in, we must have the same
- * card.
- */
- if (inSocket->isLoggedIn) {
- CI_STATE state;
- ciRV = MACI_GetState(inSocket->maciSession, &state);
- if (ciRV != CI_OK) return PR_FALSE;
-
- return SocketIsLoggedIn(state);
- }
-
- ciRV = MACI_GetStatus(inSocket->maciSession, &ciStatus);
- if(ciRV != CI_OK) {
- return PR_FALSE;
- }
- if (inSocket->isLoggedIn) {
- if (PORT_Memcmp(ciStatus.SerialNumber, inSocket->openCardSerial,
- sizeof (CI_SERIAL_NUMBER)) != 0)
- return PR_FALSE; /* Serial Number of card in slot has changed */
- /* Probably means there is a new card */
- }
-
- if (inSocket->isLoggedIn && !SocketIsLoggedIn(ciStatus.CurrentState))
- return PR_FALSE; /* State of card changed. */
- /* Probably re-inserted same card */
-
- return PR_TRUE; /* No change in the state of the socket */
-}
-
-/*
- * can we regenerate this key on the fly?
- */
-static PRBool
-FortezzaIsRegenerating(FortezzaKey *key) {
- /* TEK's are the only type of key that can't be regenerated */
- if (key->keyType != TEK) return PR_TRUE;
- /* Client TEK's can never be regenerated */
- if (key->keyData.tek.flags == CI_INITIATOR_FLAG) return PR_FALSE;
- /* Only Server TEK's that use the Mail protocol can be regenerated */
- return ((PRBool)(memcmp(key->keyData.tek.Rb,Fortezza_mail_Rb,
- sizeof(key->keyData.tek.Rb)) == 0));
-}
-
-int GetBestKeyRegister(FortezzaSocket *inSocket) {
- int i, candidate = -1, candidate2 = 1;
- CK_ULONG minHitCount = 0xffffffff;
- CK_ULONG minRegHitCount = 0xffffffff;
- FortezzaKey **registers;
-
- registers = inSocket->keyRegisters;
- for (i=1; i< inSocket->numKeyRegisters; i++) {
- if (registers[i] == NULL)
- return i;
- }
-
- for (i=1; i < inSocket->numKeyRegisters; i++) {
- if (registers[i]->hitCount < minHitCount) {
- minHitCount = registers[i]->hitCount;
- candidate2 = i;
- }
-
- if (FortezzaIsRegenerating(registers[i]) &&
- (registers[i]->hitCount < minRegHitCount)) {
- minRegHitCount = registers[i]->hitCount;
- candidate = i;
- }
- }
-
- if (candidate == -1)
- candidate = candidate2;
-
- return candidate;
-}
-
-int SetFortezzaKeyHandle (FortezzaKey *inKey, CK_OBJECT_HANDLE inHandle) {
- inKey->keyHandle = inHandle;
- return SOCKET_SUCCESS;
-}
-
-void
-RemoveKey (FortezzaKey *inKey) {
- if (inKey != NULL && inKey->keySocket->keyRegisters != NULL) {
- if (inKey->keyRegister != KeyNotLoaded) {
- FortezzaKey **registers = inKey->keySocket->keyRegisters;
- registers[inKey->keyRegister] = NULL;
- MACI_DeleteKey(inKey->keySocket->maciSession, inKey->keyRegister);
- }
-
- PORT_Free(inKey);
- }
-}
-
-FortezzaKey *NewFortezzaKey(FortezzaSocket *inSocket,
- FortezzaKeyType inKeyType,
- CreateTEKInfo *TEKinfo,
- int inKeyRegister) {
- FortezzaKey *newKey, *oldKey;
- FortezzaKey **registers;
- HSESSION hs = inSocket->maciSession;
- int ciRV;
-
- newKey = (FortezzaKey*)PORT_Alloc (sizeof(FortezzaKey));
- if (newKey == NULL) {
- return NULL;
- }
-
- newKey->keyHandle = 0;
- newKey->keyRegister = KeyNotLoaded;
- newKey->keyType = inKeyType;
- newKey->keySocket = inSocket;
- newKey->hitCount = 0;
- newKey->id = TEKinfo ? TEKinfo->personality : 0;
-
- if (inKeyType != Ks && inSocket->keyRegisters) {
- registers = inSocket->keyRegisters;
- oldKey = registers[inKeyRegister];
- if (oldKey != NULL) {
- oldKey->keyRegister = KeyNotLoaded;
- }
-
- registers[inKeyRegister] = newKey;
- newKey->hitCount = inSocket->hitCount++;
-
- MACI_DeleteKey (hs, inKeyRegister);
- }
- newKey->keyRegister = inKeyRegister;
-
- MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
- switch (inKeyType) {
- case MEK:
- ciRV = MACI_GenerateMEK (hs, inKeyRegister, 0);
- if (ciRV != CI_OK) {
- RemoveKey(newKey);
- MACI_Unlock(hs);
- return NULL;
- }
- MACI_WrapKey(hs, 0, inKeyRegister, newKey->keyData.mek);
- break;
- case TEK:
- PORT_Memcpy (newKey->keyData.tek.Rb, TEKinfo->Rb, TEKinfo->randomLen);
- PORT_Memcpy (newKey->keyData.tek.Ra, TEKinfo->Ra, TEKinfo->randomLen);
- PORT_Memcpy (newKey->keyData.tek.pY, TEKinfo->pY, TEKinfo->YSize);
- newKey->keyData.tek.ySize = TEKinfo->YSize;
- newKey->keyData.tek.randomLen = TEKinfo->randomLen;
- newKey->keyData.tek.registerIndex = TEKinfo->personality;
- newKey->keyData.tek.flags = TEKinfo->flag;
-
- ciRV = MACI_SetPersonality(hs,TEKinfo->personality);
- if (ciRV != CI_OK) {
- RemoveKey(newKey);
- MACI_Unlock(hs);
- return NULL;
- }
- ciRV = MACI_GenerateTEK(hs, TEKinfo->flag, inKeyRegister,
- newKey->keyData.tek.Ra, TEKinfo->Rb,
- TEKinfo->YSize, TEKinfo->pY);
- if (ciRV != CI_OK) {
- RemoveKey(newKey);
- MACI_Unlock(hs);
- return NULL;
- }
-
-
- break;
- case Ks:
- break;
- default:
- RemoveKey(newKey);
- MACI_Unlock(hs);
- return NULL;
- }
- MACI_Unlock(hs);
- return newKey;
-}
-
-FortezzaKey *NewUnwrappedKey(int inKeyRegister, int id,
- FortezzaSocket *inSocket) {
- FortezzaKey *newKey;
-
- newKey = (FortezzaKey*)PORT_Alloc (sizeof(FortezzaKey));
- if (newKey == NULL) {
- return NULL;
- }
-
- newKey->keyRegister = inKeyRegister;
- newKey->keyType = UNWRAP;
- newKey->keySocket = inSocket;
- newKey->id = id;
- newKey->hitCount = inSocket->hitCount++;
- MACI_WrapKey(inSocket->maciSession,0 , inKeyRegister, newKey->keyData.mek);
- inSocket->keyRegisters[inKeyRegister] = newKey;
-
- return newKey;
-}
-
-int LoadKeyIntoRegister (FortezzaKey *inKey) {
- int registerIndex = GetBestKeyRegister(inKey->keySocket);
- FortezzaSocket *socket = inKey->keySocket;
- FortezzaKey **registers = socket->keyRegisters;
- HSESSION hs = socket->maciSession;
- FortezzaTEK *tek = &inKey->keyData.tek;
- FortezzaKey *oldKey;
- int rv = CI_FAIL;
-
- if (inKey->keyRegister != KeyNotLoaded) {
- return inKey->keyRegister;
- }
-
- oldKey = registers[registerIndex];
-
- MACI_Select(hs, socket->slotID);
- if (oldKey) {
- oldKey->keyRegister = KeyNotLoaded;
- }
- MACI_DeleteKey (hs, registerIndex);
-
- switch (inKey->keyType) {
- case TEK:
- if (!FortezzaIsRegenerating(inKey)) {
- return KeyNotLoaded;
- }
- if (MACI_SetPersonality(hs, tek->registerIndex) == CI_OK) {
- rv = MACI_GenerateTEK (hs, tek->flags, registerIndex,
- tek->Ra, tek->Rb, tek->ySize,
- tek->pY);
- }
- if (rv != CI_OK)
- return KeyNotLoaded;
- break;
- case MEK:
- case UNWRAP:
- rv = MACI_UnwrapKey (hs, 0, registerIndex, inKey->keyData.mek);
- if (rv != CI_OK)
- return KeyNotLoaded;
- break;
- default:
- return KeyNotLoaded;
- }
- inKey->keyRegister = registerIndex;
- registers[registerIndex] = inKey;
-
- return registerIndex;
-}
-
-int InitCryptoOperation (FortezzaContext *inContext,
- CryptoType inCryptoOperation) {
- inContext->cryptoOperation = inCryptoOperation;
- return SOCKET_SUCCESS;
-}
-
-int EndCryptoOperation (FortezzaContext *inContext,
- CryptoType inCryptoOperation) {
- if (inCryptoOperation != inContext->cryptoOperation) {
- return SOCKET_FAILURE;
- }
- inContext->cryptoOperation = None;
- return SOCKET_SUCCESS;
-}
-
-CryptoType GetCryptoOperation (FortezzaContext *inContext) {
- return inContext->cryptoOperation;
-}
-
-void InitContext(FortezzaContext *inContext, FortezzaSocket *inSocket,
- CK_OBJECT_HANDLE hKey) {
- inContext->fortezzaKey = NULL;
- inContext->fortezzaSocket = inSocket;
- inContext->session = NULL;
- inContext->mechanism = NO_MECHANISM;
- inContext->userRamSize = 0;
- inContext->cryptoOperation = None;
- inContext->hKey = hKey;
-}
-
-extern PRBool fort11_FortezzaIsUserCert(unsigned char *label);
-
-static int
-GetValidPersonality (FortezzaSocket *inSocket) {
- int index;
- int i;
- PRBool unLoadList = PR_FALSE;
- int numPersonalities;
-
- if (!inSocket->personalitiesLoaded) {
- numPersonalities = inSocket->numPersonalities;
- FetchPersonalityList (inSocket);
- unLoadList = PR_TRUE;
- }
-
- for (i=0; i<inSocket->numPersonalities; i++) {
- if (fort11_FortezzaIsUserCert(inSocket->personalityList[i].CertLabel)) {
- index = inSocket->personalityList[i].CertificateIndex;
- break;
- }
- }
-
- if (unLoadList) {
- UnloadPersonalityList(inSocket);
- /* UnloadPersonality sets numPersonalities to zero,
- * so we set it back to what it was when this function
- * was called.
- */
- inSocket->numPersonalities = numPersonalities;
- }
- return index;
-}
-
-int RestoreState (FortezzaContext *inContext, CryptoType inType) {
- FortezzaKey *key = inContext->fortezzaKey;
- FortezzaSocket *socket = inContext->fortezzaSocket;
- HSESSION hs = socket->maciSession;
- CI_IV bogus_iv;
- int rv, cryptoType;
- int personality = inContext->fortezzaKey->id;
-
- if (key == NULL)
- return SOCKET_FAILURE;
-
- if (personality == 0) {
- personality = GetValidPersonality (socket);
- }
- rv = MACI_SetPersonality(hs, personality);
- if (rv != CI_OK) {
- return SOCKET_FAILURE;
- }
- /*
- * The cards need to have some state bits set because
- * save and restore don't necessarily save all the state.
- * Instead of fixing the cards, they decided to change the
- * protocol :(.
- */
- switch (inType) {
- case Encrypt:
- rv = MACI_SetKey(hs, key->keyRegister);
- if (rv != CI_OK)
- break;
- rv = MACI_GenerateIV (hs, bogus_iv);
- cryptoType = CI_ENCRYPT_EXT_TYPE;
- break;
- case Decrypt:
- rv = MACI_SetKey(hs, key->keyRegister);
- rv = MACI_LoadIV (hs, inContext->cardIV);
- cryptoType = CI_DECRYPT_EXT_TYPE;
- break;
- default:
- rv = CI_INV_POINTER;
- break;
- }
-
- if (rv != CI_OK) {
- return SOCKET_FAILURE;
- }
-
- rv = MACI_Restore(hs, cryptoType, inContext->cardState);
- if (rv != CI_OK) {
- return SOCKET_FAILURE;
- }
-
- return SOCKET_SUCCESS;
-}
-
-int SaveState (FortezzaContext *inContext, CI_IV inIV,
- PK11Session *inSession, FortezzaKey *inKey,
- int inCryptoType, CK_MECHANISM_TYPE inMechanism){
- int ciRV;
- FortezzaSocket *socket = inContext->fortezzaSocket;
- HSESSION hs = socket->maciSession;
- CI_CONFIG ciConfig;
-
- ciRV = MACI_Select (hs, socket->slotID);
- if (ciRV != CI_OK) {
- return SOCKET_FAILURE;
- }
- inContext->session = inSession;
- inContext->fortezzaKey = inKey;
- inContext->mechanism = inMechanism;
- PORT_Memcpy (inContext->cardIV, inIV, sizeof (CI_IV));
- ciRV = MACI_Save(hs, inCryptoType, inContext->cardState);
- if (ciRV != CI_OK) {
- return SOCKET_FAILURE;
- }
- ciRV = MACI_GetConfiguration (hs, &ciConfig);
- if (ciRV == CI_OK) {
- inContext->userRamSize = ciConfig.LargestBlockSize;
- }
-
- if (inContext->userRamSize == 0) inContext->userRamSize = 0x4000;
-
- return SOCKET_SUCCESS;
-}
-
-int SocketSaveState (FortezzaContext *inContext, int inCryptoType) {
- int ciRV;
-
- ciRV = MACI_Save (inContext->fortezzaSocket->maciSession, inCryptoType,
- inContext->cardState);
- if (ciRV != CI_OK) {
- return SOCKET_FAILURE;
- }
- return SOCKET_SUCCESS;
-}
-
-int DecryptData (FortezzaContext *inContext,
- CK_BYTE_PTR inData,
- CK_ULONG inDataLen,
- CK_BYTE_PTR inDest,
- CK_ULONG inDestLen) {
- FortezzaSocket *socket = inContext->fortezzaSocket;
- FortezzaKey *key = inContext->fortezzaKey;
- HSESSION hs = socket->maciSession;
- CK_ULONG defaultEncryptSize;
- CK_ULONG left = inDataLen;
- CK_BYTE_PTR loopin, loopout;
- int rv = CI_OK;
-
- MACI_Select (hs, socket->slotID);
-
- defaultEncryptSize = (inContext->userRamSize > DEF_ENCRYPT_SIZE)
- ? DEF_ENCRYPT_SIZE : inContext->userRamSize;
-
- if (key->keyRegister == KeyNotLoaded) {
- rv = LoadKeyIntoRegister(key);
- if (rv == KeyNotLoaded) {
- return SOCKET_FAILURE;
- }
- }
-
- key->hitCount = socket->hitCount++;
- loopin = inData;
- loopout = inDest;
- left = inDataLen;
- rv = CI_OK;
-
- MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
- RestoreState (inContext, Decrypt);
-
- while ((left > 0) && (rv == CI_OK)) {
- CK_ULONG current = (left > defaultEncryptSize)
- ? defaultEncryptSize : left;
- rv = MACI_Decrypt(hs, current, loopin, loopout);
- loopin += current;
- loopout += current;
- left -= current;
- }
-
- MACI_Unlock(hs);
-
- if (rv != CI_OK) {
- return SOCKET_FAILURE;
- }
-
-
- rv = SocketSaveState (inContext, CI_DECRYPT_EXT_TYPE);
- if (rv != SOCKET_SUCCESS) {
- return rv;
- }
-
-
- return SOCKET_SUCCESS;
-}
-
-int EncryptData (FortezzaContext *inContext,
- CK_BYTE_PTR inData,
- CK_ULONG inDataLen,
- CK_BYTE_PTR inDest,
- CK_ULONG inDestLen) {
- FortezzaSocket *socket = inContext->fortezzaSocket;
- FortezzaKey *key = inContext->fortezzaKey;
- HSESSION hs = socket->maciSession;
- CK_ULONG defaultEncryptSize;
- CK_ULONG left = inDataLen;
- CK_BYTE_PTR loopin, loopout;
- int rv = CI_OK;
-
- MACI_Select (hs, socket->slotID);
-
- defaultEncryptSize = (inContext->userRamSize > DEF_ENCRYPT_SIZE)
- ? DEF_ENCRYPT_SIZE : inContext->userRamSize;
- if (key->keyRegister == KeyNotLoaded) {
- rv = LoadKeyIntoRegister(key);
- if (rv == KeyNotLoaded) {
- return rv;
- }
- }
-
- key->hitCount = socket->hitCount++;
- loopin = inData;
- loopout = inDest;
-
- RestoreState (inContext,Encrypt);
-
- rv = CI_OK;
- while ((left > 0) && (rv == CI_OK)) {
- CK_ULONG current = (left > defaultEncryptSize) ? defaultEncryptSize :
- left;
- rv = MACI_Encrypt(hs, current, loopin, loopout);
- loopin += current;
- loopout += current;
- left -= current;
- }
-
- if (rv != CI_OK) {
- return SOCKET_FAILURE;
- }
-
- rv = SocketSaveState (inContext, CI_ENCRYPT_EXT_TYPE);
- if (rv != SOCKET_SUCCESS) {
- return rv;
- }
-
- return SOCKET_SUCCESS;
-}
-
-int WrapKey (FortezzaKey *wrappingKey, FortezzaKey *srcKey,
- CK_BYTE_PTR pDest, CK_ULONG ulDestLen) {
- int ciRV;
- HSESSION hs = wrappingKey->keySocket->maciSession;
-
- if (wrappingKey->keyRegister == KeyNotLoaded) {
- if (LoadKeyIntoRegister(wrappingKey) == KeyNotLoaded) {
- return SOCKET_FAILURE;
- }
- }
-
- if (srcKey->id == 0) srcKey->id = wrappingKey->id;
-
- ciRV = MACI_WrapKey (hs, wrappingKey->keyRegister,
- srcKey->keyRegister, pDest);
- if (ciRV != CI_OK) {
- return SOCKET_FAILURE;
- }
-
- return SOCKET_SUCCESS;
-}
-
-int UnwrapKey (CK_BYTE_PTR inWrappedKey, FortezzaKey *inUnwrapKey) {
- int newIndex;
- int ciRV;
- FortezzaSocket *socket = inUnwrapKey->keySocket;
- HSESSION hs = socket->maciSession;
- FortezzaKey *oldKey;
-
- if (inUnwrapKey->keyRegister == KeyNotLoaded) {
- if (LoadKeyIntoRegister(inUnwrapKey) == KeyNotLoaded) {
- return KeyNotLoaded;
- }
- }
-
- ciRV = MACI_Select(hs, socket->slotID);
- if (ciRV != CI_OK) {
- return KeyNotLoaded;
- }
-
- newIndex = GetBestKeyRegister(inUnwrapKey->keySocket);
- oldKey = socket->keyRegisters[newIndex];
-
- MACI_Select(hs, socket->slotID);
- if (oldKey) {
- oldKey->keyRegister = KeyNotLoaded;
- socket->keyRegisters[newIndex] = NULL;
- }
- MACI_DeleteKey (hs, newIndex);
- ciRV = MACI_UnwrapKey(hs,inUnwrapKey->keyRegister, newIndex, inWrappedKey);
- if (ciRV != CI_OK) {
- inUnwrapKey->keyRegister = KeyNotLoaded;
- socket->keyRegisters[newIndex] = NULL;
- return KeyNotLoaded;
- }
-
- return newIndex;
-}
-
diff --git a/security/nss/lib/fortcrypt/fortinst.htm b/security/nss/lib/fortcrypt/fortinst.htm
deleted file mode 100644
index 649012c82..000000000
--- a/security/nss/lib/fortcrypt/fortinst.htm
+++ /dev/null
@@ -1,161 +0,0 @@
-<HTML>
-<TITLE>Generic PKCS #11 Installer</TITLE>
-<--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
--->
-
-<SCRIPT>
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-pkcs11MechanismFlags = 0;
-
-
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3 // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2 // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1 // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1 // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2 // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4 // Error deleting a module
-JS_ERR_ADD_MODULE = -5 // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6 // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7 // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8 // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9 // The SSL, S/MIME cipher flags are invalid
-
-var new_window;
-var has_new_window = 0;
-
-function HandleCipher(checkBox) {
- if (checkBox.checked) {
- pkcs11MechanismFlags |= checkBox.value;
- } else {
- pkcs11MechanismFlags &= ~checkBox.value;
- }
-}
-
-function HandleSSL(checkBox) {
- if (checkBox.checked) {
- pkcs11CipherFlags |= checkBox.value;
- } else {
- pkcs11CipherFlags &= ~checkBox.value;
- }
-}
-
-function colonize(string) {
- len = string.length;
- end = len -1;
-
- if (len == 0) return string;
-
-
- for (i=0; i < len; i++) {
- if (string.charAt(i) == "/") {
- if (i == 0) {
- new_string = ":" + string.substring(1,len);
- } else if (i == end) {
- new_string = string.substring(0,i)+':';
- } else {
- new_string = string.substring(0,i)+':'+
- string.substring(i+1,len);
- }
- string = new_string;
- }
- }
-
- if (string.charAt(0) == ":") string = string.substring(1,len);
- return string;
-}
-
-function DoInstall(name,module) {
- if ((navigator.platform == "MacPPC")
- || (navigator.platform == "Mac68K")) {
- module = colonize(module);
- }
- result = pkcs11.addmodule(name, module,
- pkcs11MechanismFlags, pkcs11CipherFlags);
- if ( result < 0) {
- window.alert("New module setup failed. Error code: " + result);
- }
- if (has_new_window) new_window.close();
-}
-
-default_name = "Netscape FORTEZZA Module"
-
-default_module = "D:/dogbert/ns/dist/WIN32_D.OBJ/bin/fort32.dll"
-document.writeln("<FORM name=instform target=_self> <H2>FORTEZZA PKCS #11 Installer version 1.5</H2>");
-document.writeln(" Module name: <Input Type=Text Name=modName value=\""+default_name+"\" size=50 required><br>");
-document.writeln(" Module Library: <Input Type=FILE required Name=module><br>");
-document.writeln("<i>Note: If you use the browse button, be sure to change the filter to show all the files (*), not just the HTML files (*.html).</i><p>");
-document.writeln("<hr>");
-document.write("<Input type=submit Name=Install Value=Install onclick=DoInstall(");
-document.writeln( "document.instform.modName.value,document.instform.module.value) >");
-document.writeln("</FORM>");
-</SCRIPT>
diff --git a/security/nss/lib/fortcrypt/fortpk11.c b/security/nss/lib/fortcrypt/fortpk11.c
deleted file mode 100644
index 076db666e..000000000
--- a/security/nss/lib/fortcrypt/fortpk11.c
+++ /dev/null
@@ -1,4544 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * This file implements PKCS 11 for FORTEZZA using MACI
- * drivers. Except for the Mac. They only have CI libraries, so
- * that's what we use there.
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- *
- * This implementations queries the MACI to figure out how
- * many slots exist on a given system. There is an artificial boundary
- * of 32 slots, because allocating slots dynamically caused memory
- * problems in the client when first this module was first developed.
- * Some how the heap was being corrupted and we couldn't find out where.
- * Subsequent attempts to allocate dynamic memory caused no problem.
- *
- * In this implementation, session objects are only visible to the session
- * that created or generated them.
- */
-
-#include "fpkmem.h"
-#include "seccomon.h"
-#include "fpkcs11.h"
-#include "fpkcs11i.h"
-#include "cryptint.h"
-#include "pk11func.h"
-#include "fortsock.h"
-#include "fmutex.h"
-#ifdef notdef
-#include <ctype.h>
-#include <stdio.h>
-#endif
-#ifdef XP_MAC
-#ifndef __POWERPC__
-#include <A4Stuff.h>
-#endif
-/* This is not a 4.0 project, so I can't depend on
- * 4.0 defines, so instead I depend on CodeWarrior
- * defines. I define XP_MAC in fpkmem.h
- */
-#if __POWERPC__
-#elif __CFM68K__
-#else
-/* These include are taken fromn npmac.cpp which are used
- * by the plugin group to properly set-up a plug-in for
- * dynamic loading on 68K.
- */
-
-#include <Quickdraw.h>
-
-/*
-** The Mixed Mode procInfos defined in npupp.h assume Think C-
-** style calling conventions. These conventions are used by
-** Metrowerks with the exception of pointer return types, which
-** in Metrowerks 68K are returned in A0, instead of the standard
-** D0. Thus, since NPN_MemAlloc and NPN_UserAgent return pointers,
-** Mixed Mode will return the values to a 68K plugin in D0, but
-** a 68K plugin compiled by Metrowerks will expect the result in
-** A0. The following pragma forces Metrowerks to use D0 instead.
-*/
-#ifdef __MWERKS__
-#ifndef powerc
-#pragma pointers_in_D0
-#endif
-#endif
-
-#ifdef __MWERKS__
-#ifndef powerc
-#pragma pointers_in_A0
-#endif
-#endif
-
-/* The following fix for static initializers fixes a previous
-** incompatibility with some parts of PowerPlant.
-*/
-#ifdef __MWERKS__
-#ifdef __cplusplus
- extern "C" {
-#endif
-#ifndef powerc
- extern void __InitCode__(void);
-#else
- extern void __sinit(void);
-#endif
- extern void __destroy_global_chain(void);
-#ifdef __cplusplus
- }
-#endif /* __cplusplus */
-#endif /* __MWERKS__ */
-
-#endif
-#endif
-
-
-typedef struct {
- unsigned char *data;
- int len;
-} CertItem;
-
-
-/*
- * ******************** Static data *******************************
- */
-
-/* The next three strings must be exactly 32 characters long */
-static char *manufacturerID = "Netscape Communications Corp ";
-static char *libraryDescription = "Communicator Fortezza Crypto Svc";
-
-typedef enum {DSA_KEY, KEA_KEY, V1_KEY, INVALID_KEY } PrivKeyType;
-
-static PK11Slot fort11_slot[NUM_SLOTS];
-static FortezzaSocket fortezzaSockets[NUM_SLOTS];
-static PRBool init = PR_FALSE;
-static CK_ULONG kNumSockets = 0;
-
-#define __PASTE(x,y) x##y
-
-
-#undef CK_FUNC
-#undef CK_EXTERN
-#undef CK_NEED_ARG_LIST
-#undef _CK_RV
-
-#define fort11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
-#define fort11_SlotFromSession pk11_SlotFromSession
-#define fort11_isToken pk11_isToken
-
-static CK_FUNCTION_LIST fort11_funcList = {
- { 2, 1 },
-
-#undef CK_FUNC
-#undef CK_EXTERN
-#undef CK_NEED_ARG_LIST
-#undef _CK_RV
-
-#define CK_EXTERN
-#define CK_FUNC(name) name,
-#define _CK_RV
-
-#include "fpkcs11f.h"
-
-};
-
-#undef CK_FUNC
-#undef CK_EXTERN
-#undef _CK_RV
-
-
-#undef __PASTE
-#undef pk11_SlotFromSessionHandle
-#undef pk11_SlotFromID
-
-#define MAJOR_VERSION_MASK 0xFF00
-#define MINOR_VERSION_MASK 0x00FF
-
-/* Mechanisms */
-struct mechanismList {
- CK_MECHANISM_TYPE type;
- CK_MECHANISM_INFO domestic;
- PRBool privkey;
-};
-
-static struct mechanismList mechanisms[] = {
- {CKM_DSA, {512,1024,CKF_SIGN}, PR_TRUE},
- {CKM_SKIPJACK_KEY_GEN, {92, 92, CKF_GENERATE}, PR_TRUE},
- {CKM_SKIPJACK_CBC64, {92, 92, CKF_ENCRYPT | CKF_DECRYPT}, PR_TRUE},
- {CKM_SKIPJACK_WRAP, {92, 92, CKF_WRAP}, PR_TRUE},
- {CKM_KEA_KEY_DERIVE, {128, 128, CKF_DERIVE}, PR_TRUE},
-};
-static CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
-
-/*************Static function prototypes********************************/
-static PRBool fort11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type);
-static void fort11_FreeAttribute(PK11Attribute *attribute);
-static void fort11_DestroyAttribute(PK11Attribute *attribute);
-static PK11Object* fort11_NewObject(PK11Slot *slot);
-static PK11FreeStatus fort11_FreeObject(PK11Object *object);
-static CK_RV fort11_AddAttributeType(PK11Object *object,
- CK_ATTRIBUTE_TYPE type,
- void *valPtr,
- CK_ULONG length);
-static void fort11_AddSlotObject(PK11Slot *slot, PK11Object *object);
-static PK11Attribute* fort11_FindAttribute(PK11Object *object,
- CK_ATTRIBUTE_TYPE type);
-static PK11Attribute* fort11_NewAttribute(CK_ATTRIBUTE_TYPE type,
- CK_VOID_PTR value, CK_ULONG len);
-static void fort11_DeleteAttributeType(PK11Object *object,
- CK_ATTRIBUTE_TYPE type);
-static void fort11_AddAttribute(PK11Object *object,
- PK11Attribute *attribute);
-static void fort11_AddObject(PK11Session *session,
- PK11Object *object);
-static PK11Object * fort11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
- PK11Session *session);
-static void fort11_DeleteObject(PK11Session *session,PK11Object *object);
-static CK_RV fort11_DestroyObject(PK11Object *object);
-void fort11_FreeSession(PK11Session *session);
-
-#define FIRST_SLOT_SESS_ID 0x00000100L
-#define ADD_NEXT_SESS_ID 0x00000100L
-#define SLOT_MASK 0x000000FFL
-
-#define FAILED CKR_FUNCTION_FAILED
-
-static void
-fort11_FreeFortezzaKey (void *inFortezzaKey) {
- RemoveKey ((FortezzaKey*) inFortezzaKey);
-}
-
-static void
-fort11_DestroySlotObjects (PK11Slot *slot, PK11Session *session) {
- PK11Object *currObject, *nextObject, *oldObject;
- int i;
-
- for (i=0; i<HASH_SIZE; i++) {
- currObject = slot->tokObjects[i];
- slot->tokObjects[i] = NULL;
- do {
- FMUTEX_Lock(slot->sessionLock);
-
- if (currObject) {
- nextObject = currObject->next;
- FMUTEX_Lock(currObject->refLock);
- currObject->refCount++;
- FMUTEX_Unlock(currObject->refLock);
- fort11_DeleteObject(session, currObject);
- }
- FMUTEX_Unlock(slot->sessionLock);
- if (currObject) {
- oldObject = currObject;
- currObject = nextObject;
- fort11_FreeObject(oldObject);
- }
- } while (currObject != NULL);
- }
-}
-
-static void
-fort11_TokenRemoved(PK11Slot *slot, PK11Session *session) {
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
-
- LogoutFromSocket (socket);
- slot->isLoggedIn = PR_FALSE;
- if (session && session->notify) {
- /*If no session pointer exists, lots of leaked memory*/
- session->notify (session->handle, CKN_SURRENDER,
- session->appData);
- fort11_FreeSession(session); /* Release the reference held
- * by the slot with the session
- */
- }
-
- fort11_DestroySlotObjects(slot, session);
- fort11_FreeSession(session); /* Release the reference held
- * by the slot with the session
- */
-
- /* All keys will have been freed at this point so we can
- * NULL out this pointer
- */
- socket->keys = NULL;
-
-}
-
-PRBool
-fort11_FortezzaIsUserCert(unsigned char * label) {
-
- if ( (!PORT_Memcmp(label, "KEAK", 4)) || /* v3 user certs */
- (!PORT_Memcmp(label, "DSA1", 4)) ||
- (!PORT_Memcmp(label, "DSAI", 4)) ||
- (!PORT_Memcmp(label, "DSAO", 4)) ||
- (!PORT_Memcmp(label, "INKS", 4)) || /* v1 user certs */
- (!PORT_Memcmp(label, "INKX", 4)) ||
- (!PORT_Memcmp(label, "ONKS", 4)) ||
- (!PORT_Memcmp(label, "ONKX", 4)) ||
- (!PORT_Memcmp(label, "3IXS", 4)) || /* old v3 user certs */
- (!PORT_Memcmp(label, "3OXS", 4)) ||
- (!PORT_Memcmp(label, "3IKX", 4)) ) {
-
- return PR_TRUE;
-
- } else { return PR_FALSE; }
-
-}
-
-static PRBool
-fort11_FortezzaIsACert(unsigned char * label) {
- if (label == NULL) return PR_FALSE;
-
- if ( (!PORT_Memcmp(label, "DSA1", 4)) || /* v3 certs */
- (!PORT_Memcmp(label, "DSAI", 4)) ||
- (!PORT_Memcmp(label, "DSAO", 4)) ||
- (!PORT_Memcmp(label, "DSAX", 4)) ||
- (!PORT_Memcmp(label, "KEAK", 4)) ||
- (!PORT_Memcmp(label, "KEAX", 4)) ||
- (!PORT_Memcmp(label, "CAX1", 4)) ||
- (!PORT_Memcmp(label, "PCA1", 4)) ||
- (!PORT_Memcmp(label, "PAA1", 4)) ||
- (!PORT_Memcmp(label, "ICA1", 4)) ||
-
- (!PORT_Memcmp(label, "3IXS", 4)) || /* old v3 certs */
- (!PORT_Memcmp(label, "3OXS", 4)) ||
- (!PORT_Memcmp(label, "3CAX", 4)) ||
- (!PORT_Memcmp(label, "3IKX", 4)) ||
- (!PORT_Memcmp(label, "3PCA", 4)) ||
- (!PORT_Memcmp(label, "3PAA", 4)) ||
- (!PORT_Memcmp(label, "3ICA", 4)) ||
-
- (!PORT_Memcmp(label, "INKS", 4)) || /* v1 certs */
- (!PORT_Memcmp(label, "INKX", 4)) ||
- (!PORT_Memcmp(label, "ONKS", 4)) ||
- (!PORT_Memcmp(label, "ONKX", 4)) ||
- (!PORT_Memcmp(label, "RRXX", 4)) ||
- (!PORT_Memcmp(label, "RTXX", 4)) ||
- (!PORT_Memcmp(label, "LAXX", 4)) ) {
-
- return PR_TRUE;
-
- }
-
- return PR_FALSE;
-}
-
-static
-int fort11_cert_length(unsigned char *buf, int length) {
- unsigned char tag;
- int used_length= 0;
- int data_length;
-
- tag = buf[used_length++];
-
- /* blow out when we come to the end */
- if (tag == 0) {
- return 0;
- }
-
- data_length = buf[used_length++];
-
- if (data_length&0x80) {
- int len_count = data_length & 0x7f;
-
- data_length = 0;
-
- while (len_count-- > 0) {
- data_length = (data_length << 8) | buf[used_length++];
- }
- }
-
- if (data_length > (length-used_length) ) {
- return length;
- }
-
- return (data_length + used_length);
-}
-
-unsigned char *fort11_data_start(unsigned char *buf, int length,
- int *data_length, PRBool includeTag) {
- unsigned char tag;
- int used_length= 0;
-
- tag = buf[used_length++];
-
- /* blow out when we come to the end */
- if (tag == 0) {
- return NULL;
- }
-
- *data_length = buf[used_length++];
-
- if (*data_length&0x80) {
- int len_count = *data_length & 0x7f;
-
- *data_length = 0;
-
- while (len_count-- > 0) {
- *data_length = (*data_length << 8) | buf[used_length++];
- }
- }
-
- if (*data_length > (length-used_length) ) {
- *data_length = length-used_length;
- return NULL;
- }
- if (includeTag) *data_length += used_length;
-
- return (buf + (includeTag ? 0 : used_length));
-}
-
-int
-fort11_GetCertFields(unsigned char *cert,int cert_length,CertItem *issuer,
- CertItem *serial,CertItem *subject)
-{
- unsigned char *buf;
- int buf_length;
- unsigned char *date;
- int datelen;
-
- /* get past the signature wrap */
- buf = fort11_data_start(cert,cert_length,&buf_length,PR_FALSE);
- if (buf == NULL) return FAILED;
- /* get into the raw cert data */
- buf = fort11_data_start(buf,buf_length,&buf_length,PR_FALSE);
- if (buf == NULL) return FAILED;
- /* skip past any optional version number */
- if ((buf[0] & 0xa0) == 0xa0) {
- date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
- if (date == NULL) return FAILED;
- buf_length -= (date-buf) + datelen;
- buf = date + datelen;
- }
- /* serial number */
- serial->data = fort11_data_start(buf,buf_length,&serial->len,PR_FALSE);
- if (serial->data == NULL) return FAILED;
- buf_length -= (serial->data-buf) + serial->len;
- buf = serial->data + serial->len;
- /* skip the OID */
- date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
- if (date == NULL) return FAILED;
- buf_length -= (date-buf) + datelen;
- buf = date + datelen;
- /* issuer */
- issuer->data = fort11_data_start(buf,buf_length,&issuer->len,PR_TRUE);
- if (issuer->data == NULL) return FAILED;
- buf_length -= (issuer->data-buf) + issuer->len;
- buf = issuer->data + issuer->len;
- /* skip the date */
- date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
- if (date == NULL) return FAILED;
- buf_length -= (date-buf) + datelen;
- buf = date + datelen;
- /*subject */
- subject->data=fort11_data_start(buf,buf_length,&subject->len,PR_TRUE);
- if (subject->data == NULL) return FAILED;
- buf_length -= (subject->data-buf) + subject->len;
- buf = subject->data +subject->len;
- /*subject */
- return CKR_OK;
-}
-
-/* quick tohex function to get rid of scanf */
-static
-int fort11_tohex(char *s) {
- int val = 0;
-
- for(;*s;s++) {
- if ((*s >= '0') && (*s <= '9')) {
- val = (val << 4) + (*s - '0');
- continue;
- } else if ((*s >= 'a') && (*s <= 'f')) {
- val = (val << 4) + (*s - 'a') + 10;
- continue;
- } else if ((*s >= 'A') && (*s <= 'F')) {
- val = (val << 4) + (*s - 'A') + 10;
- continue;
- }
- break;
- }
- return val;
-}
-
-/* only should be called for V3 KEA cert labels. */
-
-static int
-fort11_GetSibling(CI_CERT_STR label) {
-
- int value = 0;
- char s[3];
-
- label +=4;
-
- strcpy(s,"00");
- memcpy(s, label, 2);
- value = fort11_tohex(s);
-
- /* sibling of 255 means no sibling */
- if (value == 255) {
- value = -1;
- }
-
- return value;
-}
-
-
-static PrivKeyType
-fort11_GetKeyType(CI_CERT_STR label) {
- if (label == NULL) return INVALID_KEY;
-
- if ( (!PORT_Memcmp(label, "DSA1", 4)) || /* v3 certs */
- (!PORT_Memcmp(label, "DSAI", 4)) ||
- (!PORT_Memcmp(label, "DSAO", 4)) ||
- (!PORT_Memcmp(label, "3IXS", 4)) || /* old v3 certs */
- (!PORT_Memcmp(label, "3OXS", 4)) ) {
-
- return DSA_KEY;
- }
-
-
- if ( (!PORT_Memcmp(label, "KEAK", 4)) ||
- (!PORT_Memcmp(label, "3IKX", 4)) ) {
- return KEA_KEY;
- }
-
- if ( (!PORT_Memcmp(label, "INKS", 4)) || /* V1 Certs*/
- (!PORT_Memcmp(label, "INKX", 4)) ||
- (!PORT_Memcmp(label, "ONKS", 4)) ||
- (!PORT_Memcmp(label, "ONKX", 4)) ||
- (!PORT_Memcmp(label, "RRXX", 4)) ||
- (!PORT_Memcmp(label, "RTXX", 4)) ||
- (!PORT_Memcmp(label, "LAXX", 4)) ) {
-
- return V1_KEY;
- }
-
- return INVALID_KEY;
-}
-
-static CK_RV
-fort11_ConvertToDSAKey(PK11Object *privateKey, PK11Slot *slot) {
- CK_KEY_TYPE key_type = CKK_DSA;
- CK_BBOOL cktrue = TRUE;
- CK_BBOOL ckfalse = FALSE;
- CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
- CK_CHAR label[] = "A DSA Private Key";
-
-
- /* Fill in the common Default values */
- if (fort11_AddAttributeType(privateKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_CLASS, &privClass,
- sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_KEY_TYPE, &key_type,
- sizeof(CK_KEY_TYPE)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType (privateKey, CKA_TOKEN, &cktrue,
- sizeof (CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType (privateKey, CKA_LABEL, label,
- PORT_Strlen((char*)label)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_SENSITIVE, &cktrue,
- sizeof (CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_SIGN, &cktrue,
- sizeof (CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(privateKey, CKA_DERIVE, &cktrue,
- sizeof(cktrue)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_LOCAL, &ckfalse,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_DECRYPT, &ckfalse,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_SIGN_RECOVER, &ckfalse,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_UNWRAP, &ckfalse,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_EXTRACTABLE, &ckfalse,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_ALWAYS_SENSITIVE, &cktrue,
- sizeof(cktrue)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_NEVER_EXTRACTABLE, &cktrue,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_PRIME, NULL, 0) != CKR_OK){
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_SUBPRIME, NULL, 0) != CKR_OK){
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_BASE, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_VALUE, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_PRIVATE, &cktrue,
- sizeof(cktrue)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_MODIFIABLE,&ckfalse,
- sizeof(ckfalse)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- FMUTEX_Lock(slot->objectLock);
- privateKey->handle = slot->tokenIDCount++;
- privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- FMUTEX_Unlock(slot->objectLock);
- privateKey->objclass = privClass;
- privateKey->slot = slot;
- privateKey->inDB = PR_TRUE;
-
-
- return CKR_OK;
-}
-
-static int
-fort11_LoadRootPAAKey(PK11Slot *slot, PK11Session *session) {
- CK_OBJECT_CLASS theClass = CKO_SECRET_KEY;
- int id = 0;
- CK_BBOOL True = TRUE;
- CK_BBOOL False = FALSE;
- CK_CHAR label[] = "Trusted Root PAA Key";
- PK11Object *rootKey;
- FortezzaKey *newKey;
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
-
- /*Don't know the key type. Does is matter?*/
-
- rootKey = fort11_NewObject(slot);
-
- if (rootKey == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_CLASS, &theClass,
- sizeof(theClass)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_TOKEN, &True,
- sizeof(True)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_LABEL, label,
- sizeof(label)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_PRIVATE, &True,
- sizeof (True)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey,CKA_MODIFIABLE, &False,
- sizeof(False)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_ID, &id,
- sizeof(int)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_DERIVE, &True,
- sizeof(True)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_AddAttributeType(rootKey, CKA_SENSITIVE, &True,
- sizeof(True)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- FMUTEX_Lock(slot->objectLock);
- rootKey->handle = slot->tokenIDCount++;
- rootKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- FMUTEX_Unlock(slot->objectLock);
-
- rootKey->objclass = theClass;
- rootKey->slot = slot;
- rootKey->inDB = PR_TRUE;
-
- newKey = NewFortezzaKey(socket, Ks, NULL, 0);
- if (newKey == NULL) {
- fort11_FreeObject(rootKey);
- return CKR_HOST_MEMORY;
- }
-
- rootKey->objectInfo = (void*)newKey;
- rootKey->infoFree = fort11_FreeFortezzaKey;
- fort11_AddObject(session, rootKey);
-
- return CKR_OK;
-}
-
-static CK_RV
-fort11_ConvertToKEAKey (PK11Object *privateKey, PK11Slot *slot) {
- CK_OBJECT_CLASS theClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_KEA;
- CK_CHAR label[] = "A KEA private key Object";
- CK_BBOOL True = TRUE;
- CK_BBOOL False = FALSE;
-
- if (fort11_AddAttributeType(privateKey, CKA_CLASS, &theClass,
- sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_KEY_TYPE, &keyType,
- sizeof (CK_KEY_TYPE)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_TOKEN, &True,
- sizeof(CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType (privateKey, CKA_LABEL, label,
- PORT_Strlen((char*)label)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType (privateKey, CKA_SENSITIVE,
- &True, sizeof(CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType (privateKey, CKA_DERIVE,
- &True, sizeof(CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_PRIVATE, &True,
- sizeof(True)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_START_DATE, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_END_DATE, NULL, 0) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- if (fort11_AddAttributeType(privateKey, CKA_LOCAL, &False,
- sizeof(False)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- FMUTEX_Lock(slot->objectLock);
- privateKey->handle = slot->tokenIDCount++;
- privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- FMUTEX_Unlock(slot->objectLock);
- privateKey->objclass = theClass;
- privateKey->slot = slot;
- privateKey->inDB = PR_TRUE;
-
- return CKR_OK;
-}
-
-static CK_RV
-fort11_ConvertToV1Key (PK11Object* privateKey, PK11Slot *slot) {
- CK_RV rv;
- CK_BBOOL True = TRUE;
-
- rv = fort11_ConvertToDSAKey(privateKey, slot);
- if (rv != CKR_OK) {
- return rv;
- }
-
- if (fort11_AddAttributeType(privateKey, CKA_DERIVE, &True,
- sizeof (CK_BBOOL)) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- return CKR_OK;
-}
-
-static CK_RV
-fort11_NewPrivateKey(PK11Object *privKeyObject, PK11Slot *slot,CI_PERSON currPerson) {
- PrivKeyType keyType = fort11_GetKeyType(currPerson.CertLabel);
- CK_RV rv;
-
- switch (keyType) {
- case DSA_KEY:
- rv = fort11_ConvertToDSAKey(privKeyObject, slot);
- break;
- case KEA_KEY:
- rv = fort11_ConvertToKEAKey(privKeyObject, slot);
- break;
- case V1_KEY:
- rv = fort11_ConvertToV1Key(privKeyObject, slot);
- break;
- default:
- rv = CKR_GENERAL_ERROR;
- break;
- }
- return rv;
-}
-
-
-PRBool
-fort11_LoadCertObjectForSearch(CI_PERSON currPerson, PK11Slot *slot,
- PK11Session *session, CI_PERSON *pers_array) {
- PK11Object *certObject, *privKeyObject;
- PK11Attribute *attribute, *newAttribute;
- int ci_rv;
- CI_CERTIFICATE cert;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_CERTIFICATE_TYPE certType = CKC_X_509;
- CK_BBOOL cktrue = TRUE;
- CK_BBOOL ckfalse = FALSE;
- CertItem issuer, serial, subject;
- int certSize;
- char nickname[50];
- char *cursor;
- PrivKeyType priv_key;
- int sibling;
-
-
- certObject = fort11_NewObject(slot);
- if (certObject == NULL)
- return PR_FALSE;
-
- ci_rv = MACI_GetCertificate (fortezzaSockets[slot->slotID-1].maciSession,
- currPerson.CertificateIndex, cert);
- if (ci_rv != CI_OK){
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
-
- ci_rv = fort11_GetCertFields(cert,CI_CERT_SIZE,&issuer,&serial,&subject);
-
- if (ci_rv != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
-
- if (fort11_AddAttributeType(certObject, CKA_CLASS, &certClass,
- sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
- fort11_FreeObject (certObject);
- return PR_FALSE;
- }
- if (fort11_AddAttributeType(certObject, CKA_TOKEN, &cktrue,
- sizeof (CK_BBOOL)) != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- if (fort11_AddAttributeType(certObject, CKA_PRIVATE, &ckfalse,
- sizeof (CK_BBOOL)) != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
-
-
- /* check if the label represents a KEA key. if so, the
- nickname should be made the same as the corresponding DSA
- sibling cert. */
-
- priv_key = fort11_GetKeyType(currPerson.CertLabel);
-
- if (priv_key == KEA_KEY) {
- sibling = fort11_GetSibling(currPerson.CertLabel);
-
- /* check for failure of fort11_GetSibling. also check that
- the sibling is not zero. */
-
- if (sibling > 0) {
- /* assign the KEA cert label to be the same as the
- sibling DSA label */
-
- sprintf (nickname, "%s", &pers_array[sibling-1].CertLabel[8] );
- } else {
- sprintf (nickname, "%s", &currPerson.CertLabel[8]);
- }
- } else {
- sprintf (nickname, "%s", &currPerson.CertLabel[8]);
- }
-
- cursor = nickname+PORT_Strlen(nickname)-1;
- while ((*cursor) == ' ') {
- cursor--;
- }
- cursor[1] = '\0';
- if (fort11_AddAttributeType(certObject, CKA_LABEL, nickname,
- PORT_Strlen(nickname)) != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
-
-
-
- if (fort11_AddAttributeType(certObject, CKA_CERTIFICATE_TYPE, &certType,
- sizeof(CK_CERTIFICATE_TYPE)) != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- certSize = fort11_cert_length(cert,CI_CERT_SIZE);
- if (fort11_AddAttributeType (certObject, CKA_VALUE, cert, certSize)
- != CI_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- if (fort11_AddAttributeType(certObject, CKA_ISSUER, issuer.data,
- issuer.len) != CKR_OK) {
- fort11_FreeObject (certObject);
- return PR_FALSE;
- }
- if (fort11_AddAttributeType(certObject, CKA_SUBJECT, subject.data,
- subject.len) != CKR_OK) {
- fort11_FreeObject (certObject);
- return PR_FALSE;
- }
- if (fort11_AddAttributeType(certObject, CKA_SERIAL_NUMBER,
- serial.data, serial.len) != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- /*Change this to a byte array later*/
- if (fort11_AddAttributeType(certObject, CKA_ID,
- &currPerson.CertificateIndex,
- sizeof(int)) != CKR_OK) {
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- certObject->objectInfo = NULL;
- certObject->infoFree = NULL;
-
- certObject->objclass = certClass;
- certObject->slot = slot;
- certObject->inDB = PR_TRUE;
-
- FMUTEX_Lock(slot->objectLock);
-
- certObject->handle = slot->tokenIDCount++;
- certObject->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_CERT);
-
- FMUTEX_Unlock(slot->objectLock);
-
- if (fort11_FortezzaIsUserCert (currPerson.CertLabel)) {
- privKeyObject = fort11_NewObject(slot);
- if (fort11_NewPrivateKey(privKeyObject, slot, currPerson) != CKR_OK) {
- fort11_FreeObject(privKeyObject);
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- if(fort11_AddAttributeType(privKeyObject,CKA_ID,
- &currPerson.CertificateIndex,
- sizeof(int)) != CKR_OK) {
- fort11_FreeObject(privKeyObject);
- fort11_FreeObject(certObject);
- return PR_FALSE;
- }
- attribute = fort11_FindAttribute(certObject,CKA_SUBJECT);
- newAttribute=
- fort11_NewAttribute(pk11_attr_expand(&attribute->attrib));
- fort11_FreeAttribute(attribute);
- if (newAttribute != NULL) {
- fort11_DeleteAttributeType(privKeyObject,
- CKA_SUBJECT);
- fort11_AddAttribute(privKeyObject,
- newAttribute);
- }
- fort11_AddObject (session, privKeyObject);
- }
-
-
- fort11_AddObject (session, certObject);
-
-
- return PR_TRUE;
-}
-
-#define TRUSTED_PAA "00000000Trusted Root PAA"
-
-static int
-fort11_BuildCertObjects(FortezzaSocket *currSocket, PK11Slot *slot,
- PK11Session *session) {
-
- int i;
- CI_PERSON rootPAA;
-
- PORT_Memcpy (rootPAA.CertLabel, TRUSTED_PAA, 1+PORT_Strlen (TRUSTED_PAA));
- rootPAA.CertificateIndex = 0;
-
- if (!fort11_LoadCertObjectForSearch(rootPAA, slot, session,
- currSocket->personalityList)) {
- return CKR_GENERAL_ERROR;
- }
-
- if (fort11_LoadRootPAAKey(slot, session) != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
-
- for (i=0 ; i < currSocket->numPersonalities; i++) {
- if (fort11_FortezzaIsACert (currSocket->personalityList[i].CertLabel)){
- if (!fort11_LoadCertObjectForSearch(currSocket->personalityList[i],
- slot, session,
- currSocket->personalityList)){
- return CKR_GENERAL_ERROR;
- }
- }
- }
-
- return CKR_OK;
-}
-
-PK11Slot*
-fort11_SlotFromSessionHandle(CK_SESSION_HANDLE inHandle) {
- CK_SESSION_HANDLE whichSlot = inHandle & SLOT_MASK;
-
- if (whichSlot >= kNumSockets) return NULL_PTR;
-
- return &fort11_slot[whichSlot];
-}
-
-PK11Slot*
-fort11_SlotFromID (CK_SLOT_ID inSlotID) {
- if (inSlotID == 0 || inSlotID > kNumSockets)
- return NULL;
-
- return &fort11_slot[inSlotID-1];
-}
-
-CK_ULONG fort11_firstSessionID (int inSlotNum) {
- return (CK_ULONG)(inSlotNum);
-}
-
-/*
- * Utility to convert passed in PIN to a CI_PIN
- */
-void fort11_convertToCIPin (CI_PIN ciPin,CK_CHAR_PTR pPin, CK_ULONG ulLen) {
- unsigned long i;
-
- for (i=0; i<ulLen; i++) {
- ciPin[i] = pPin[i];
- }
- ciPin[ulLen] = '\0';
-}
-
-
-/*
- * return true if object has attribute
- */
-static PRBool
-fort11_hasAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
- PK11Attribute *attribute;
-
- FMUTEX_Lock(object->attributeLock);
- pk11queue_find(attribute,type,object->head,HASH_SIZE);
- FMUTEX_Unlock(object->attributeLock);
-
- return (PRBool)(attribute != NULL);
-}
-
-/*
- * create a new attribute with type, value, and length. Space is allocated
- * to hold value.
- */
-static PK11Attribute *
-fort11_NewAttribute(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len) {
- PK11Attribute *attribute;
- CK_RV mrv;
-
- attribute = (PK11Attribute*)PORT_Alloc(sizeof(PK11Attribute));
- if (attribute == NULL) return NULL;
-
- attribute->attrib.type = type;
- if (value) {
- attribute->attrib.pValue = (CK_VOID_PTR)PORT_Alloc(len);
- if (attribute->attrib.pValue == NULL) {
- PORT_Free(attribute);
- return NULL;
- }
- PORT_Memcpy(attribute->attrib.pValue,value,len);
- attribute->attrib.ulValueLen = len;
- } else {
- attribute->attrib.pValue = NULL;
- attribute->attrib.ulValueLen = 0;
- }
- attribute->handle = type;
- attribute->next = attribute->prev = NULL;
- attribute->refCount = 1;
- if (FMUTEX_MutexEnabled()) {
- mrv = FMUTEX_Create (&attribute->refLock);
- if (mrv != CKR_OK) {
- if (attribute->attrib.pValue) PORT_Free(attribute->attrib.pValue);
- PORT_Free(attribute);
- return NULL;
- }
- } else {
- attribute->refLock = NULL;
- }
-
- return attribute;
-}
-
-/*
- * add an attribute to an object
- */
-static
-void fort11_AddAttribute(PK11Object *object,PK11Attribute *attribute) {
- FMUTEX_Lock (object->attributeLock);
- pk11queue_add(attribute,attribute->handle,object->head,HASH_SIZE);
- FMUTEX_Unlock(object->attributeLock);
-}
-
-static CK_RV
-fort11_AddAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
- CK_ULONG length) {
- PK11Attribute *attribute;
- attribute = fort11_NewAttribute(type,valPtr,length);
- if (attribute == NULL) { return CKR_HOST_MEMORY; }
- fort11_AddAttribute(object,attribute);
- return CKR_OK;
-}
-
-
-
-/* Make sure a given attribute exists. If it doesn't, initialize it to
- * value and len
- */
-static CK_RV
-fort11_forceAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *value,
- unsigned int len) {
- if ( !fort11_hasAttribute(object, type)) {
- return fort11_AddAttributeType(object,type,value,len);
- }
- return CKR_OK;
-}
-
-/*
- * look up and attribute structure from a type and Object structure.
- * The returned attribute is referenced and needs to be freed when
- * it is no longer needed.
- */
-static PK11Attribute *
-fort11_FindAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
- PK11Attribute *attribute;
-
- FMUTEX_Lock(object->attributeLock);
- pk11queue_find(attribute,type,object->head,HASH_SIZE);
- if (attribute) {
- /* atomic increment would be nice here */
- FMUTEX_Lock(attribute->refLock);
- attribute->refCount++;
- FMUTEX_Unlock(attribute->refLock);
- }
- FMUTEX_Unlock(object->attributeLock);
-
- return(attribute);
-}
-
-/*
- * this is only valid for CK_BBOOL type attributes. Return the state
- * of that attribute.
- */
-static PRBool
-fort11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
- PK11Attribute *attribute;
- PRBool tok = PR_FALSE;
-
- attribute=fort11_FindAttribute(object,type);
- if (attribute == NULL) { return PR_FALSE; }
- tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
- fort11_FreeAttribute(attribute);
-
- return tok;
-}
-
-/*
- * add an object to a slot and session queue
- */
-static
-void fort11_AddSlotObject(PK11Slot *slot, PK11Object *object) {
- FMUTEX_Lock(slot->objectLock);
- pk11queue_add(object,object->handle,slot->tokObjects,HASH_SIZE);
- FMUTEX_Unlock(slot->objectLock);
-}
-
-static
-void fort11_AddObject(PK11Session *session, PK11Object *object) {
- PK11Slot *slot = fort11_SlotFromSession(session);
-
- if (!fort11_isToken(object->handle)) {
- FMUTEX_Lock(session->objectLock);
- pk11queue_add(&object->sessionList,0,session->objects,0);
- FMUTEX_Unlock(session->objectLock);
- }
- fort11_AddSlotObject(slot,object);
-}
-
-/*
- * free all the data associated with an object. Object reference count must
- * be 'zero'.
- */
-static CK_RV
-fort11_DestroyObject(PK11Object *object) {
- int i;
- CK_RV crv = CKR_OK;
-/* PORT_Assert(object->refCount == 0);*/
-
- if (object->label) PORT_Free(object->label);
-
- /* clean out the attributes */
- /* since no one is referencing us, it's safe to walk the chain
- * without a lock */
- for (i=0; i < HASH_SIZE; i++) {
- PK11Attribute *ap,*next;
- for (ap = object->head[i]; ap != NULL; ap = next) {
- next = ap->next;
- /* paranoia */
- ap->next = ap->prev = NULL;
- fort11_FreeAttribute(ap);
- }
- object->head[i] = NULL;
- }
- FMUTEX_Destroy(object->attributeLock);
- FMUTEX_Destroy(object->refLock);
- if (object->objectInfo) {
- (*object->infoFree)(object->objectInfo);
- }
- PORT_Free(object);
- return crv;
-}
-
-
-/*
- * release a reference to an attribute structure
- */
-static void
-fort11_FreeAttribute(PK11Attribute *attribute) {
- PRBool destroy = PR_FALSE;
-
- FMUTEX_Lock(attribute->refLock);
- if (attribute->refCount == 1) destroy = PR_TRUE;
- attribute->refCount--;
- FMUTEX_Unlock(attribute->refLock);
-
- if (destroy) fort11_DestroyAttribute(attribute);
-}
-
-
-/*
- * release a reference to an object handle
- */
-static PK11FreeStatus
-fort11_FreeObject(PK11Object *object) {
- PRBool destroy = PR_FALSE;
- CK_RV crv;
-
- FMUTEX_Lock(object->refLock);
- if (object->refCount == 1) destroy = PR_TRUE;
- object->refCount--;
- FMUTEX_Unlock(object->refLock);
-
- if (destroy) {
- crv = fort11_DestroyObject(object);
- if (crv != CKR_OK) {
- return PK11_DestroyFailure;
- }
- return PK11_Destroyed;
- }
- return PK11_Busy;
-}
-
-static void
-fort11_update_state(PK11Slot *slot,PK11Session *session) {
- if (slot->isLoggedIn) {
- if (slot->ssoLoggedIn) {
- session->info.state = CKS_RW_SO_FUNCTIONS;
- } else if (session->info.flags & CKF_RW_SESSION) {
- session->info.state = CKS_RW_USER_FUNCTIONS;
- } else {
- session->info.state = CKS_RO_USER_FUNCTIONS;
- }
- } else {
- if (session->info.flags & CKF_RW_SESSION) {
- session->info.state = CKS_RW_PUBLIC_SESSION;
- } else {
- session->info.state = CKS_RO_PUBLIC_SESSION;
- }
- }
-}
-
-/* update the state of all the sessions on a slot */
-static void
-fort11_update_all_states(PK11Slot *slot) {
- int i;
- PK11Session *session;
-
- for (i=0; i < SESSION_HASH_SIZE; i++) {
- FMUTEX_Lock(slot->sessionLock);
- for (session = slot->head[i]; session; session = session->next) {
- fort11_update_state(slot,session);
- }
- FMUTEX_Unlock(slot->sessionLock);
- }
-}
-
-
-/*
- * Create a new object
- */
-static PK11Object *
-fort11_NewObject(PK11Slot *slot) {
- PK11Object *object;
- CK_RV mrv;
- int i;
-
- object = (PK11Object*)PORT_Alloc(sizeof(PK11Object));
- if (object == NULL) return NULL;
-
- object->handle = 0;
- object->next = object->prev = NULL;
- object->sessionList.next = NULL;
- object->sessionList.prev = NULL;
- object->sessionList.parent = object;
- object->inDB = PR_FALSE;
- object->label = NULL;
- object->refCount = 1;
- object->session = NULL;
- object->slot = slot;
- object->objclass = 0xffff;
- if (FMUTEX_MutexEnabled()) {
- mrv = FMUTEX_Create(&object->refLock);
- if (mrv != CKR_OK) {
- PORT_Free(object);
- return NULL;
- }
- mrv = FMUTEX_Create(&object->attributeLock);
- if (mrv != CKR_OK) {
- FMUTEX_Destroy(object->refLock);
- PORT_Free(object);
- return NULL;
- }
- } else {
- object->attributeLock = NULL;
- object->refLock = NULL;
- }
- for (i=0; i < HASH_SIZE; i++) {
- object->head[i] = NULL;
- }
- object->objectInfo = NULL;
- object->infoFree = NULL;
- return object;
-}
-
-/*
- * look up and object structure from a handle. OBJECT_Handles only make
- * sense in terms of a given session. make a reference to that object
- * structure returned.
- */
-static PK11Object * fort11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
- PK11Session *session) {
- PK11Object **head;
- void *lock;
- PK11Slot *slot = fort11_SlotFromSession(session);
- PK11Object *object;
-
- /*
- * Token objects are stored in the slot. Session objects are stored
- * with the session.
- */
- head = slot->tokObjects;
- lock = slot->objectLock;
-
- FMUTEX_Lock(lock);
- pk11queue_find(object,handle,head,HASH_SIZE);
- if (object) {
- FMUTEX_Lock(object->refLock);
- object->refCount++;
- FMUTEX_Unlock(object->refLock);
- }
- FMUTEX_Unlock(lock);
-
- return(object);
-}
-
-/*
- * add an object to a slot andsession queue
- */
-static
-void fort11_DeleteObject(PK11Session *session, PK11Object *object) {
- PK11Slot *slot;
-
- if (session == NULL)
- return;
- slot = fort11_SlotFromSession(session);
- if (!fort11_isToken(object->handle)) {
- FMUTEX_Lock(session->objectLock);
- pk11queue_delete(&object->sessionList,0,session->objects,0);
- FMUTEX_Unlock(session->objectLock);
- }
- FMUTEX_Lock(slot->objectLock);
- pk11queue_delete(object,object->handle,slot->tokObjects,HASH_SIZE);
- FMUTEX_Unlock(slot->objectLock);
- fort11_FreeObject(object);
-}
-
-
-
-/*
- * ******************** Search Utilities *******************************
- */
-
-/* add an object to a search list */
-CK_RV
-fort11_AddToList(PK11ObjectListElement **list,PK11Object *object) {
- PK11ObjectListElement *newelem =
- (PK11ObjectListElement *)PORT_Alloc(sizeof(PK11ObjectListElement));
-
- if (newelem == NULL) return CKR_HOST_MEMORY;
-
- newelem->next = *list;
- newelem->object = object;
- FMUTEX_Lock(object->refLock);
- object->refCount++;
- FMUTEX_Unlock(object->refLock);
-
- *list = newelem;
- return CKR_OK;
-}
-
-
-/*
- * free a single list element. Return the Next object in the list.
- */
-PK11ObjectListElement *
-fort11_FreeObjectListElement(PK11ObjectListElement *objectList) {
- PK11ObjectListElement *ol = objectList->next;
-
- fort11_FreeObject(objectList->object);
- PORT_Free(objectList);
- return ol;
-}
-
-/* free an entire object list */
-void
-fort11_FreeObjectList(PK11ObjectListElement *objectList) {
- PK11ObjectListElement *ol;
-
- for (ol= objectList; ol != NULL; ol = fort11_FreeObjectListElement(ol)) {}
-}
-
-/*
- * free a search structure
- */
-void
-fort11_FreeSearch(PK11SearchResults *search) {
- if (search->handles) {
- PORT_Free(search->handles);
- }
- PORT_Free(search);
-}
-
-
-/*
- * Free up all the memory associated with an attribute. Reference count
- * must be zero to call this.
- */
-static void
-fort11_DestroyAttribute(PK11Attribute *attribute) {
- /*PORT_Assert(attribute->refCount == 0);*/
- FMUTEX_Destroy(attribute->refLock);
- if (attribute->attrib.pValue) {
- /* clear out the data in the attribute value... it may have been
- * sensitive data */
- PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
- PORT_Free(attribute->attrib.pValue);
- }
- PORT_Free(attribute);
-}
-
-/*
- * delete an attribute from an object
- */
-static void
-fort11_DeleteAttribute(PK11Object *object, PK11Attribute *attribute) {
- FMUTEX_Lock(object->attributeLock);
- if (attribute->next || attribute->prev) {
- pk11queue_delete(attribute,attribute->handle,
- object->head,HASH_SIZE);
- }
- FMUTEX_Unlock(object->attributeLock);
- fort11_FreeAttribute(attribute);
-}
-
-/*
- * decode when a particular attribute may be modified
- * PK11_NEVER: This attribute must be set at object creation time and
- * can never be modified.
- * PK11_ONCOPY: This attribute may be modified only when you copy the
- * object.
- * PK11_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
- * FALSE to TRUE.
- * PK11_ALWAYS: This attribute can always be modified.
- * Some attributes vary their modification type based on the class of the
- * object.
- */
-PK11ModifyType
-fort11_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) {
- /* if we don't know about it, user user defined, always allow modify */
- PK11ModifyType mtype = PK11_ALWAYS;
-
- switch(type) {
- /* NEVER */
- case CKA_CLASS:
- case CKA_CERTIFICATE_TYPE:
- case CKA_KEY_TYPE:
- case CKA_MODULUS:
- case CKA_MODULUS_BITS:
- case CKA_PUBLIC_EXPONENT:
- case CKA_PRIVATE_EXPONENT:
- case CKA_PRIME:
- case CKA_SUBPRIME:
- case CKA_BASE:
- case CKA_PRIME_1:
- case CKA_PRIME_2:
- case CKA_EXPONENT_1:
- case CKA_EXPONENT_2:
- case CKA_COEFFICIENT:
- case CKA_VALUE_LEN:
- mtype = PK11_NEVER;
- break;
-
- /* ONCOPY */
- case CKA_TOKEN:
- case CKA_PRIVATE:
- mtype = PK11_ONCOPY;
- break;
-
- /* SENSITIVE */
- case CKA_SENSITIVE:
- mtype = PK11_SENSITIVE;
- break;
-
- /* ALWAYS */
- case CKA_LABEL:
- case CKA_APPLICATION:
- case CKA_ID:
- case CKA_SERIAL_NUMBER:
- case CKA_START_DATE:
- case CKA_END_DATE:
- case CKA_DERIVE:
- case CKA_ENCRYPT:
- case CKA_DECRYPT:
- case CKA_SIGN:
- case CKA_VERIFY:
- case CKA_SIGN_RECOVER:
- case CKA_VERIFY_RECOVER:
- case CKA_WRAP:
- case CKA_UNWRAP:
- mtype = PK11_ALWAYS;
- break;
-
- /* DEPENDS ON CLASS */
- case CKA_VALUE:
- mtype = (inClass == CKO_DATA) ? PK11_ALWAYS : PK11_NEVER;
- break;
-
- case CKA_SUBJECT:
- mtype = (inClass == CKO_CERTIFICATE) ? PK11_NEVER : PK11_ALWAYS;
- break;
- default:
- break;
- }
- return mtype;
-}
-
-/* decode if a particular attribute is sensitive (cannot be read
- * back to the user of if the object is set to SENSITIVE) */
-PRBool
-fort11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) {
- switch(type) {
- /* ALWAYS */
- case CKA_PRIVATE_EXPONENT:
- case CKA_PRIME_1:
- case CKA_PRIME_2:
- case CKA_EXPONENT_1:
- case CKA_EXPONENT_2:
- case CKA_COEFFICIENT:
- return PR_TRUE;
-
- /* DEPENDS ON CLASS */
- case CKA_VALUE:
- /* PRIVATE and SECRET KEYS have SENSITIVE values */
- return (PRBool)((inClass == CKO_PRIVATE_KEY) ||
- (inClass == CKO_SECRET_KEY));
-
- default:
- break;
- }
- return PR_FALSE;
-}
-
-static void
-fort11_DeleteAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
- PK11Attribute *attribute;
- attribute = fort11_FindAttribute(object, type);
- if (attribute == NULL) return ;
- fort11_DeleteAttribute(object,attribute);
-}
-
-
-/*
- * create a new nession. NOTE: The session handle is not set, and the
- * session is not added to the slot's session queue.
- */
-static PK11Session *
-fort11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
- CK_VOID_PTR pApplication,
- CK_FLAGS flags) {
- PK11Session *session;
- PK11Slot *slot = &fort11_slot[slotID-1];
- CK_RV mrv;
-
- if (slot == NULL) return NULL;
-
- session = (PK11Session*)PORT_Alloc(sizeof(PK11Session));
- if (session == NULL) return NULL;
-
- session->next = session->prev = NULL;
- session->refCount = 1;
- session->context = NULL;
- session->search = NULL;
- session->objectIDCount = 1;
- session->fortezzaContext.fortezzaKey = NULL;
- session->fortezzaContext.fortezzaSocket = NULL;
-
- if (FMUTEX_MutexEnabled()) {
- mrv = FMUTEX_Create(&session->refLock);
- if (mrv != CKR_OK) {
- PORT_Free(session);
- return NULL;
- }
- mrv = FMUTEX_Create(&session->objectLock);
- if (mrv != CKR_OK) {
- FMUTEX_Destroy(session->refLock);
- PORT_Free(session);
- return NULL;
- }
- } else {
- session->refLock = NULL;
- session->objectLock = NULL;
- }
-
- session->objects[0] = NULL;
-
- session->slot = slot;
- session->notify = notify;
- session->appData = pApplication;
- session->info.flags = flags;
- session->info.slotID = slotID;
- fort11_update_state(slot,session);
- return session;
-}
-
-
-/*
- * look up a session structure from a session handle
- * generate a reference to it.
- */
-PK11Session *
-fort11_SessionFromHandle(CK_SESSION_HANDLE handle, PRBool isCloseSession) {
- PK11Slot *slot = fort11_SlotFromSessionHandle(handle);
- PK11Session *session;
-
- if (!isCloseSession &&
- !SocketStateUnchanged(&fortezzaSockets[slot->slotID-1]))
- return NULL;
-
- FMUTEX_Lock(slot->sessionLock);
- pk11queue_find(session,handle,slot->head,SESSION_HASH_SIZE);
- if (session) session->refCount++;
- FMUTEX_Unlock(slot->sessionLock);
-
- return (session);
-}
-
-/* free all the data associated with a session. */
-static void
-fort11_DestroySession(PK11Session *session)
-{
- PK11ObjectList *op,*next;
-/* PORT_Assert(session->refCount == 0);*/
-
- /* clean out the attributes */
- FMUTEX_Lock(session->objectLock);
- for (op = session->objects[0]; op != NULL; op = next) {
- next = op->next;
- /* paranoia */
- op->next = op->prev = NULL;
- fort11_DeleteObject(session,op->parent);
- }
- FMUTEX_Unlock(session->objectLock);
-
- FMUTEX_Destroy(session->objectLock);
- FMUTEX_Destroy(session->refLock);
-
- if (session->search) {
- fort11_FreeSearch(session->search);
- }
-
- pk11queue_delete(session, session->handle, session->slot->head,
- SESSION_HASH_SIZE);
-
- PORT_Free(session);
-}
-
-
-/*
- * release a reference to a session handle
- */
-void
-fort11_FreeSession(PK11Session *session) {
- PRBool destroy = PR_FALSE;
- PK11Slot *slot = NULL;
-
- if (!session) return; /*Quick fix to elminate crash*/
- /*Fix in later version */
-
- if (FMUTEX_MutexEnabled()) {
- slot = fort11_SlotFromSession(session);
- FMUTEX_Lock(slot->sessionLock);
- }
- if (session->refCount == 1) destroy = PR_TRUE;
- session->refCount--;
- if (FMUTEX_MutexEnabled()) {
- FMUTEX_Unlock(slot->sessionLock);
- }
-
- if (destroy) {
- fort11_DestroySession(session);
- }
-}
-
-
-/* return true if the object matches the template */
-PRBool
-fort11_objectMatch(PK11Object *object,CK_ATTRIBUTE_PTR theTemplate,int count) {
- int i;
-
- for (i=0; i < count; i++) {
- PK11Attribute *attribute =
- fort11_FindAttribute(object,theTemplate[i].type);
- if (attribute == NULL) {
- return PR_FALSE;
- }
- if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
- if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
- theTemplate[i].ulValueLen) == 0) {
- fort11_FreeAttribute(attribute);
- continue;
- }
- }
- fort11_FreeAttribute(attribute);
- return PR_FALSE;
- }
- return PR_TRUE;
-}
-
-/* search through all the objects in the queue and return the template matches
- * in the object list.
- */
-CK_RV
-fort11_searchObjectList(PK11ObjectListElement **objectList,PK11Object **head,
- void *lock, CK_ATTRIBUTE_PTR theTemplate, int count) {
- int i;
- PK11Object *object;
- CK_RV rv;
-
- for(i=0; i < HASH_SIZE; i++) {
- /* We need to hold the lock to copy a consistant version of
- * the linked list. */
- FMUTEX_Lock(lock);
- for (object = head[i]; object != NULL; object= object->next) {
- if (fort11_objectMatch(object,theTemplate,count)) {
- rv = fort11_AddToList(objectList,object);
- if (rv != CKR_OK) {
- return rv;
- }
- }
- }
- FMUTEX_Unlock(lock);
- }
- return CKR_OK;
-}
-
-static PRBool
-fort11_NotAllFuncsNULL (CK_C_INITIALIZE_ARGS_PTR pArgs) {
- return (PRBool)(pArgs && pArgs->CreateMutex && pArgs->DestroyMutex &&
- pArgs->LockMutex && pArgs->UnlockMutex);
-}
-
-static PRBool
-fort11_InArgCheck(CK_C_INITIALIZE_ARGS_PTR pArgs) {
- PRBool rv;
- /* The only check for now, is to make sure that all of the
- * function pointers are either all NULL or all Non-NULL.
- * We also need to make sure the pReserved field in pArgs is
- * set to NULL.
- */
- if (pArgs == NULL) {
- return PR_TRUE; /* If the argument is NULL, no
- * inconsistencies can exist.
- */
- }
-
- if (pArgs->pReserved != NULL) {
- return PR_FALSE;
- }
-
- if (pArgs->CreateMutex != NULL) {
- rv = (PRBool) (pArgs->DestroyMutex != NULL &&
- pArgs->LockMutex != NULL &&
- pArgs->UnlockMutex != NULL);
- } else { /*pArgs->CreateMutex == NULL*/
- rv = (PRBool) (pArgs->DestroyMutex == NULL &&
- pArgs->LockMutex == NULL &&
- pArgs->UnlockMutex == NULL);
- }
- return rv;
-}
-
-
-
-/**********************************************************************
- *
- * Start of PKCS 11 functions
- *
- **********************************************************************/
-
-
-/**********************************************************************
- *
- * In order to get this to work on 68K, we have to do some special tricks,
- * First trick is that we need to make the module a Code Resource, and
- * all Code Resources on 68K have to have a main function. So we
- * define main to be a wrapper for C_GetFunctionList which will be the
- * first funnction called by any software that uses the PKCS11 module.
- *
- * The second trick is that whenever you access a global variable from
- * the Code Resource, it does funny things to the stack on 68K, so we
- * need to call some macros that handle the stack for us. First thing
- * you do is call EnterCodeResource() first thing in a function that
- * accesses a global, right before you leave that function, you call
- * ExitCodeResource. This will take care of stack management.
- *
- * Third trick is to call __InitCode__() when we first enter the module
- * so that all of the global variables get initialized properly.
- *
- **********************************************************************/
-
-#if defined(XP_MAC) && !defined(__POWERPC__)
-
-#define FORT11_RETURN(exp) {ExitCodeResource(); return (exp);}
-#define FORT11_ENTER() EnterCodeResource();
-
-#else /*XP_MAC*/
-
-#define FORT11_RETURN(exp) return (exp);
-#define FORT11_ENTER()
-
-#endif /*XP_MAC*/
-
-#define CARD_OK(rv) if ((rv) != CI_OK) FORT11_RETURN (CKR_DEVICE_ERROR);
-#define SLOT_OK(slot) if ((slot) > kNumSockets) FORT11_RETURN (CKR_SLOT_ID_INVALID);
-
-#ifdef XP_MAC
-/* This is not a 4.0 project, so I can't depend on
- * 4.0 defines, so instead I depend on CodeWarrior
- * defines.
- */
-#if __POWERPC__
-#elif __CFM68K__
-#else
-/* To get this to work on 68K, we need to have
- * the symbol main. So we just make it a wrapper for C_GetFunctionList.
- */
-PR_PUBLIC_API(CK_RV) main(CK_FUNCTION_LIST_PTR *pFunctionList) {
- FORT11_ENTER()
- CK_RV rv;
-
- __InitCode__();
-
- rv = C_GetFunctionList(pFunctionList);
- FORT11_RETURN (rv);
-}
-#endif
-
-#endif /*XP_MAC*/
-
-/* Return the function list */
-PR_PUBLIC_API(CK_RV) C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
- /* No need to do a FORT11_RETURN as this function will never be directly
- * called in the case where we need to do stack management.
- * The main function will call this after taking care of stack stuff.
- */
- *pFunctionList = &fort11_funcList;
- return CKR_OK;
-}
-
-
-/* C_Initialize initializes the Cryptoki library. */
-PR_PUBLIC_API(CK_RV) C_Initialize(CK_VOID_PTR pReserved) {
- FORT11_ENTER()
- int i,j, tempNumSockets;
- int rv = 1;
- CK_C_INITIALIZE_ARGS_PTR pArgs = (CK_C_INITIALIZE_ARGS_PTR)pReserved;
- CK_RV mrv;
-
- /* intialize all the slots */
- if (!init) {
- init = PR_TRUE;
-
- /* need to initialize locks before MACI_Initialize is called in
- * software fortezza. */
- if (pArgs) {
- if (!fort11_InArgCheck(pArgs)) {
- FORT11_RETURN (CKR_ARGUMENTS_BAD);
- }
- if (pArgs->flags & CKF_OS_LOCKING_OK){
- if (!fort11_NotAllFuncsNULL(pArgs)) {
- FORT11_RETURN (CKR_CANT_LOCK);
- }
- }
- if (fort11_NotAllFuncsNULL(pArgs)) {
- mrv = FMUTEX_Init(pArgs);
- if (mrv != CKR_OK) {
- return CKR_GENERAL_ERROR;
- }
- }
- }
- rv = MACI_Initialize (&tempNumSockets);
- kNumSockets = (CK_ULONG)tempNumSockets;
-
- CARD_OK (rv);
- for (i=0; i < (int) kNumSockets; i++) {
- if (FMUTEX_MutexEnabled()) {
- mrv = FMUTEX_Create(&fort11_slot[i].sessionLock);
- if (mrv != CKR_OK) {
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
- mrv = FMUTEX_Create(&fort11_slot[i].objectLock);
- if (mrv != CKR_OK) {
- FMUTEX_Destroy(fort11_slot[i].sessionLock);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
- } else {
- fort11_slot[i].sessionLock = NULL;
- fort11_slot[i].objectLock = NULL;
- }
- for(j=0; j < SESSION_HASH_SIZE; j++) {
- fort11_slot[i].head[j] = NULL;
- }
- for(j=0; j < HASH_SIZE; j++) {
- fort11_slot[i].tokObjects[j] = NULL;
- }
- fort11_slot[i].password = NULL;
- fort11_slot[i].hasTokens = PR_FALSE;
- fort11_slot[i].sessionIDCount = fort11_firstSessionID (i);
- fort11_slot[i].sessionCount = 0;
- fort11_slot[i].rwSessionCount = 0;
- fort11_slot[i].tokenIDCount = 1;
- fort11_slot[i].needLogin = PR_TRUE;
- fort11_slot[i].isLoggedIn = PR_FALSE;
- fort11_slot[i].ssoLoggedIn = PR_FALSE;
- fort11_slot[i].DB_loaded = PR_FALSE;
- fort11_slot[i].slotID= i+1;
- InitSocket(&fortezzaSockets[i], i+1);
- }
- }
- FORT11_RETURN (CKR_OK);
-}
-
-/*C_Finalize indicates that an application is done with the Cryptoki library.*/
-PR_PUBLIC_API(CK_RV) C_Finalize (CK_VOID_PTR pReserved) {
- FORT11_ENTER()
- int i;
-
- for (i=0; i< (int) kNumSockets; i++) {
- FreeSocket(&fortezzaSockets[i]);
- }
- MACI_Terminate(fortezzaSockets[0].maciSession);
- init = PR_FALSE;
- FORT11_RETURN (CKR_OK);
-}
-
-
-
-
-/* C_GetInfo returns general information about Cryptoki. */
-PR_PUBLIC_API(CK_RV) C_GetInfo(CK_INFO_PTR pInfo) {
- FORT11_ENTER()
- pInfo->cryptokiVersion = fort11_funcList.version;
- PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
- pInfo->libraryVersion.major = 1;
- pInfo->libraryVersion.minor = 7;
- PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
- pInfo->flags = 0;
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_GetSlotList obtains a list of slots in the system. */
-PR_PUBLIC_API(CK_RV) C_GetSlotList(CK_BBOOL tokenPresent,
- CK_SLOT_ID_PTR pSlotList,
- CK_ULONG_PTR pulCount) {
- FORT11_ENTER()
- int i;
-
- if (pSlotList != NULL) {
- if (*pulCount >= kNumSockets) {
- for (i=0; i < (int) kNumSockets; i++) {
- pSlotList[i] = i+1;
- }
- } else {
- FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
- }
- } else {
- *pulCount = kNumSockets;
- }
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_GetSlotInfo obtains information about a particular slot in the system. */
-PR_PUBLIC_API(CK_RV) C_GetSlotInfo(CK_SLOT_ID slotID,
- CK_SLOT_INFO_PTR pInfo) {
- FORT11_ENTER()
- int rv;
- CI_CONFIG ciConfig;
- CI_STATE ciState;
- HSESSION maciSession;
- char slotDescription[65];
- FortezzaSocket *socket;
-
-
- SLOT_OK(slotID);
-
- socket = &fortezzaSockets[slotID-1];
- if (!socket->isOpen) {
- InitSocket(socket, slotID);
- }
- maciSession = socket->maciSession;
-
- rv = MACI_Select(maciSession, slotID);
-
- CARD_OK (rv)
-
- rv = MACI_GetConfiguration (maciSession, &ciConfig);
-
-
- pInfo->firmwareVersion.major = 0;
- pInfo->firmwareVersion.minor = 0;
-#ifdef SWFORT
- PORT_Memcpy (pInfo->manufacturerID,"Netscape Communications Corp ",32);
- PORT_Memcpy (slotDescription,"Netscape Software Slot # ",32);
-#define _local_BASE 24
-#else
- PORT_Memcpy (pInfo->manufacturerID,"LITRONIC ",32);
- PORT_Memcpy (slotDescription,"Litronic MACI Slot # ",32);
-#define _local_BASE 20
-#endif
- slotDescription[_local_BASE] = (char )((slotID < 10) ? slotID :
- slotID/10) + '0';
- if (slotID >= 10) slotDescription[_local_BASE+1] =
- (char)(slotID % 10) + '0';
- PORT_Memcpy (&slotDescription[32]," ",32);
- PORT_Memcpy (pInfo->slotDescription, slotDescription , 64);
- if (rv == CI_OK) {
- pInfo->hardwareVersion.major =
- (ciConfig.ManufacturerVersion & MAJOR_VERSION_MASK) >> 8;
- pInfo->hardwareVersion.minor =
- ciConfig.ManufacturerVersion & MINOR_VERSION_MASK;
- pInfo->flags = CKF_TOKEN_PRESENT;
- } else {
- pInfo->hardwareVersion.major = 0;
- pInfo->hardwareVersion.minor = 0;
- pInfo->flags = 0;
- }
-#ifdef SWFORT
- /* do we need to make it a removable device as well?? */
- pInfo->flags |= CKF_REMOVABLE_DEVICE;
-#else
- pInfo->flags |= (CKF_REMOVABLE_DEVICE | CKF_HW_SLOT);
-#endif
-
- rv = MACI_GetState(maciSession, &ciState);
-
- if (rv == CI_OK) {
- switch (ciState) {
- case CI_ZEROIZE:
- case CI_INTERNAL_FAILURE:
- pInfo->flags &= (~CKF_TOKEN_PRESENT);
- default:
- break;
- }
- } else {
- pInfo->flags &= (~CKF_TOKEN_PRESENT);
- }
-
- FORT11_RETURN (CKR_OK);
-}
-
-#define CKF_THREAD_SAFE 0x8000
-
-/* C_GetTokenInfo obtains information about a particular token
- in the system. */
-PR_PUBLIC_API(CK_RV) C_GetTokenInfo(CK_SLOT_ID slotID,
- CK_TOKEN_INFO_PTR pInfo) {
- FORT11_ENTER()
- CI_STATUS cardStatus;
- CI_CONFIG ciConfig;
- PK11Slot *slot;
- int rv, i;
- char tmp[33];
- FortezzaSocket *socket;
-
- SLOT_OK (slotID);
-
- slot = &fort11_slot[slotID-1];
-
- socket = &fortezzaSockets[slotID-1];
- if (!socket->isOpen) {
- InitSocket(socket, slotID);
- }
-
- rv = MACI_Select (socket->maciSession, slotID);
- rv = MACI_GetStatus (socket->maciSession, &cardStatus);
- if (rv != CI_OK) {
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
-#ifdef SWFORT
- sprintf (tmp, "Software FORTEZZA Slot #%d", slotID);
-#else
- sprintf (tmp, "FORTEZZA Slot #%d", slotID);
-#endif
-
- PORT_Memcpy (pInfo->label, tmp, PORT_Strlen(tmp)+1);
-
- for (i=0; i<8; i++) {
- int serNum;
-
- serNum = (int)cardStatus.SerialNumber[i];
- sprintf ((char*)&pInfo->serialNumber[2*i], "%.2x", serNum);
- }
-
- rv = MACI_GetTime (fortezzaSockets[slotID-1].maciSession, pInfo->utcTime);
- if (rv == CI_OK) {
- pInfo->flags = CKF_CLOCK_ON_TOKEN;
- } else {
- switch (rv) {
- case CI_LIB_NOT_INIT:
- case CI_INV_POINTER:
- case CI_NO_CARD:
- case CI_NO_SOCKET:
- FORT11_RETURN (CKR_DEVICE_ERROR);
- default:
- pInfo->flags = 0;
- break;
- }
- }
-
- rv = MACI_GetConfiguration (fortezzaSockets[slotID-1].maciSession,
- &ciConfig);
-
- if (rv == CI_OK) {
- PORT_Memcpy(pInfo->manufacturerID,ciConfig.ManufacturerName,
- PORT_Strlen(ciConfig.ManufacturerName));
- for (i=PORT_Strlen(ciConfig.ManufacturerName); i<32; i++) {
- pInfo->manufacturerID[i] = ' ';
- }
- PORT_Memcpy(pInfo->model,ciConfig.ProcessorType,16);
- }
- pInfo->ulMaxPinLen = CI_PIN_SIZE;
- pInfo->ulMinPinLen = 0;
- pInfo->ulTotalPublicMemory = 0;
- pInfo->ulFreePublicMemory = 0;
- pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED| CKF_USER_PIN_INITIALIZED |
- CKF_THREAD_SAFE | CKF_WRITE_PROTECTED;
-
- pInfo->ulMaxSessionCount = 0;
- pInfo->ulSessionCount = slot->sessionCount;
- pInfo->ulMaxRwSessionCount = 0;
- pInfo->ulRwSessionCount = slot->rwSessionCount;
-
- if (rv == CI_OK) {
- pInfo->firmwareVersion.major =
- (ciConfig.ManufacturerSWVer & MAJOR_VERSION_MASK) >> 8;
- pInfo->firmwareVersion.minor =
- ciConfig.ManufacturerSWVer & MINOR_VERSION_MASK;
- pInfo->hardwareVersion.major =
- (ciConfig.ManufacturerVersion & MAJOR_VERSION_MASK) >> 8;
- pInfo->hardwareVersion.minor =
- ciConfig.ManufacturerVersion & MINOR_VERSION_MASK;
- }
- FORT11_RETURN (CKR_OK);
-}
-
-
-
-/* C_GetMechanismList obtains a list of mechanism types supported by a
- token. */
-PR_PUBLIC_API(CK_RV) C_GetMechanismList(CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE_PTR pMechanismList,
- CK_ULONG_PTR pulCount) {
- FORT11_ENTER()
- CK_RV rv = CKR_OK;
- int i;
-
- SLOT_OK (slotID);
-
- if (pMechanismList == NULL) {
- *pulCount = mechanismCount;
- } else {
- if (*pulCount >= mechanismCount) {
- *pulCount = mechanismCount;
- for (i=0; i< (int)mechanismCount; i++) {
- pMechanismList[i] = mechanisms[i].type;
- }
- } else {
- rv = CKR_BUFFER_TOO_SMALL;
- }
- }
- FORT11_RETURN (rv);
-}
-
-
-/* C_GetMechanismInfo obtains information about a particular mechanism
- * possibly supported by a token. */
-PR_PUBLIC_API(CK_RV) C_GetMechanismInfo(CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo) {
- int i;
- FORT11_ENTER()
- SLOT_OK (slotID);
-
- for (i=0; i< (int)mechanismCount; i++) {
- if (type == mechanisms[i].type) {
- PORT_Memcpy (pInfo, &mechanisms[i].domestic, sizeof (CK_MECHANISM_INFO));
- FORT11_RETURN (CKR_OK);
- }
- }
- FORT11_RETURN (CKR_MECHANISM_INVALID);
-}
-
-
-/* C_InitToken initializes a token. */
-PR_PUBLIC_API(CK_RV) C_InitToken(CK_SLOT_ID slotID,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen,
- CK_CHAR_PTR pLabel) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-PR_PUBLIC_API(CK_RV) C_InitPIN(CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_SetPIN modifies the PIN of user that is currently logged in. */
-/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
-PR_PUBLIC_API(CK_RV) C_SetPIN(CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pOldPin,
- CK_ULONG ulOldLen,
- CK_CHAR_PTR pNewPin,
- CK_ULONG ulNewLen) {
- FORT11_ENTER()
-#ifndef SWFORT
- CI_PIN ciOldPin, ciNewPin;
-#endif
- PK11Session *session;
- PK11Slot *slot;
- int rv;
-
- session = fort11_SessionFromHandle (hSession, PR_FALSE);
-
- slot = fort11_SlotFromSession (session);
- SLOT_OK(slot->slotID)
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- rv = MACI_Select (fortezzaSockets[slot->slotID-1].maciSession, slot->slotID);
- CARD_OK (rv)
-
- if (slot->needLogin && session->info.state != CKS_RW_USER_FUNCTIONS) {
- fort11_FreeSession (session);
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
- }
-
- fort11_FreeSession (session);
-
- if (ulNewLen > CI_PIN_SIZE || ulOldLen > CI_PIN_SIZE)
- FORT11_RETURN (CKR_PIN_LEN_RANGE);
-
-#ifndef SWFORT
- fort11_convertToCIPin (ciOldPin,pOldPin, ulOldLen);
- fort11_convertToCIPin (ciNewPin,pNewPin, ulNewLen);
-
- rv = MACI_ChangePIN (fortezzaSockets[slot->slotID-1].maciSession,
- CI_USER_PIN, ciOldPin, ciNewPin);
-#else
- rv = MACI_ChangePIN (fortezzaSockets[slot->slotID-1].maciSession,
- CI_USER_PIN, pOldPin, pNewPin);
-#endif
-
- if (rv != CI_OK) {
- switch (rv) {
- case CI_FAIL:
- FORT11_RETURN (CKR_PIN_INCORRECT);
- default:
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- }
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_OpenSession opens a session between an application and a token. */
-PR_PUBLIC_API(CK_RV) C_OpenSession(CK_SLOT_ID slotID,
- CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_NOTIFY Notify,
- CK_SESSION_HANDLE_PTR phSession) {
- FORT11_ENTER()
- PK11Slot *slot;
- CK_SESSION_HANDLE sessionID;
- PK11Session *session;
- FortezzaSocket *socket;
-
- SLOT_OK (slotID)
- slot = &fort11_slot[slotID-1];
- socket = &fortezzaSockets[slotID-1];
-
- if (!socket->isOpen) {
- if (InitSocket(socket, slotID) != SOCKET_SUCCESS) {
- FORT11_RETURN (CKR_TOKEN_NOT_PRESENT);
- }
- }
-
- session = fort11_NewSession (slotID, Notify, pApplication,
- flags | CKF_SERIAL_SESSION);
-
- if (session == NULL) FORT11_RETURN (CKR_HOST_MEMORY);
-
- FMUTEX_Lock(slot->sessionLock);
-
- slot->sessionIDCount += ADD_NEXT_SESS_ID;
- sessionID = slot->sessionIDCount;
- fort11_update_state (slot, session);
- pk11queue_add (session, sessionID, slot->head, SESSION_HASH_SIZE);
- slot->sessionCount++;
- if (session->info.flags & CKF_RW_SESSION) {
- slot->rwSessionCount++;
- }
- session->handle = sessionID;
- session->info.ulDeviceError = 0;
-
- FMUTEX_Unlock(slot->sessionLock);
-
- *phSession = sessionID;
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_CloseSession closes a session between an application and a token. */
-PR_PUBLIC_API(CK_RV) C_CloseSession(CK_SESSION_HANDLE hSession) {
- FORT11_ENTER()
- PK11Slot *slot;
- PK11Session *session;
-
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- slot = fort11_SlotFromSessionHandle (hSession);
-
- if (session == NULL) {
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- FMUTEX_Lock(slot->sessionLock);
- if (session->next || session->prev) {
- session->refCount--;
- if (session->info.flags & CKF_RW_SESSION) {
- slot->rwSessionCount--;
- }
- if (slot->sessionCount == 0) {
- slot->isLoggedIn = PR_FALSE;
- slot->password = NULL;
- }
- }
-
- FMUTEX_Unlock(slot->sessionLock);
-
- fort11_FreeSession (session);
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-PR_PUBLIC_API(CK_RV) C_CloseAllSessions (CK_SLOT_ID slotID) {
- FORT11_ENTER()
- PK11Slot *slot;
- PK11Session *session;
- int i;
-
-
- slot = fort11_SlotFromID(slotID);
- if (slot == NULL) FORT11_RETURN (CKR_SLOT_ID_INVALID);
-
- /* first log out the card */
- FMUTEX_Lock(slot->sessionLock);
- slot->isLoggedIn = PR_FALSE;
- slot->password = NULL;
- FMUTEX_Unlock(slot->sessionLock);
-
- /* now close all the current sessions */
- /* NOTE: If you try to open new sessions before C_CloseAllSessions
- * completes, some of those new sessions may or may not be closed by
- * C_CloseAllSessions... but any session running when this code starts
- * will guarrenteed be close, and no session will be partially closed */
- for (i=0; i < SESSION_HASH_SIZE; i++) {
- do {
- FMUTEX_Lock(slot->sessionLock);
- session = slot->head[i];
- /* hand deque */
- /* this duplicates much of C_close session functionality, but because
- * we know that we are freeing all the sessions, we and do some
- * more efficient processing */
- if (session) {
- slot->head[i] = session->next;
- if (session->next) session->next->prev = NULL;
- session->next = session->prev = NULL;
- slot->sessionCount--;
- if (session->info.flags & CKF_RW_SESSION) {
- slot->rwSessionCount--;
- }
- }
- FMUTEX_Unlock(slot->sessionLock);
- if (session) fort11_FreeSession(session);
- } while (session != NULL);
- }
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_GetSessionInfo obtains information about the session. */
-PR_PUBLIC_API(CK_RV) C_GetSessionInfo(CK_SESSION_HANDLE hSession,
- CK_SESSION_INFO_PTR pInfo) {
- FORT11_ENTER()
- PK11Session *session;
- PK11Slot *slot;
- CI_STATE cardState;
- FortezzaSocket *socket;
- int ciRV;
-
- session = fort11_SessionFromHandle (hSession, PR_FALSE);
- slot = fort11_SlotFromSessionHandle(hSession);
- socket = &fortezzaSockets[slot->slotID-1];
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
- PORT_Memcpy (pInfo, &session->info, sizeof (CK_SESSION_INFO));
- fort11_FreeSession(session);
-
- ciRV = MACI_Select(socket->maciSession, slot->slotID);
- CARD_OK(ciRV)
-
- ciRV = MACI_GetState(socket->maciSession, &cardState);
- CARD_OK(ciRV)
-
- if (socket->isLoggedIn) {
- switch (cardState) {
- case CI_POWER_UP:
- case CI_UNINITIALIZED:
- case CI_INITIALIZED:
- case CI_SSO_INITIALIZED:
- case CI_LAW_INITIALIZED:
- case CI_USER_INITIALIZED:
- pInfo->state = CKS_RO_PUBLIC_SESSION;
- break;
- case CI_STANDBY:
- case CI_READY:
- pInfo->state = CKS_RO_USER_FUNCTIONS;
- break;
- default:
- pInfo->state = CKS_RO_PUBLIC_SESSION;
- break;
- }
- } else {
- pInfo->state = CKS_RO_PUBLIC_SESSION;
- }
-
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_Login logs a user into a token. */
-PR_PUBLIC_API(CK_RV) C_Login(CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType,
- CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen) {
- FORT11_ENTER()
- PK11Slot *slot;
- PK11Session *session;
-#ifndef SWFORT
- CI_PIN ciPin;
-#endif
- int rv, ciUserType;
-
- slot = fort11_SlotFromSessionHandle (hSession);
- session = fort11_SessionFromHandle(hSession, PR_FALSE);
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- fort11_FreeSession(session);
-
- if (slot->isLoggedIn) FORT11_RETURN (CKR_USER_ALREADY_LOGGED_IN);
- slot->ssoLoggedIn = PR_FALSE;
-
-#ifndef SWFORT
- if (ulPinLen > CI_PIN_SIZE) FORT11_RETURN (CKR_PIN_LEN_RANGE);
-
- fort11_convertToCIPin (ciPin, pPin, ulPinLen);
-#endif
- switch (userType) {
- case CKU_SO:
- ciUserType = CI_SSO_PIN;
- break;
- case CKU_USER:
- ciUserType = CI_USER_PIN;
- break;
- default:
- FORT11_RETURN (CKR_USER_TYPE_INVALID);
- }
-
-#ifndef SWFORT
- rv = LoginToSocket(&fortezzaSockets[slot->slotID-1], ciUserType, ciPin);
-#else
- rv = LoginToSocket(&fortezzaSockets[slot->slotID-1], ciUserType, pPin);
-#endif
-
- switch (rv) {
- case SOCKET_SUCCESS:
- break;
- case CI_FAIL:
- FORT11_RETURN (CKR_PIN_INCORRECT);
- default:
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- FMUTEX_Lock(slot->sessionLock);
- slot->isLoggedIn = PR_TRUE;
- if (userType == CKU_SO) {
- slot->ssoLoggedIn = PR_TRUE;
- }
- FMUTEX_Unlock(slot->sessionLock);
-
- fort11_update_all_states(slot);
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_Logout logs a user out from a token. */
-PR_PUBLIC_API(CK_RV) C_Logout(CK_SESSION_HANDLE hSession) {
- FORT11_ENTER()
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (!slot->isLoggedIn)
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
-
- FMUTEX_Lock(slot->sessionLock);
-
- slot->isLoggedIn = PR_FALSE;
- slot->ssoLoggedIn = PR_FALSE;
- slot->password = NULL;
- LogoutFromSocket (&fortezzaSockets[slot->slotID-1]);
-
- FMUTEX_Unlock(slot->sessionLock);
-
- fort11_update_all_states(slot);
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_CreateObject creates a new object. */
-PR_PUBLIC_API(CK_RV) C_CreateObject(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phObject) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_CopyObject copies an object, creating a new object for the copy. */
-PR_PUBLIC_API(CK_RV) C_CopyObject(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phNewObject) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_DestroyObject destroys an object. */
-PR_PUBLIC_API(CK_RV) C_DestroyObject(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject) {
- FORT11_ENTER()
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11Object *object;
- PK11FreeStatus status;
-
- /*
- * This whole block just makes sure we really can destroy the
- * requested object.
- */
- session = fort11_SessionFromHandle(hSession, PR_FALSE);
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- object = fort11_ObjectFromHandle(hObject,session);
- if (object == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OBJECT_HANDLE_INVALID);
- }
-
- /* don't destroy a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (fort11_isTrue(object,CKA_PRIVATE))) {
- fort11_FreeSession(session);
- fort11_FreeObject(object);
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
- }
-
- /* don't destroy a token object if we aren't in a rw session */
-
- if (((session->info.flags & CKF_RW_SESSION) == 0) &&
- (fort11_isTrue(object,CKA_TOKEN))) {
- fort11_FreeSession(session);
- fort11_FreeObject(object);
- FORT11_RETURN (CKR_SESSION_READ_ONLY);
- }
-
- /* ACTUALLY WE NEED TO DEAL WITH TOKEN OBJECTS AS WELL */
- FMUTEX_Lock(session->objectLock);
- fort11_DeleteObject(session,object);
- FMUTEX_Unlock(session->objectLock);
-
- fort11_FreeSession(session);
-
- /*
- * get some indication if the object is destroyed. Note: this is not
- * 100%. Someone may have an object reference outstanding (though that
- * should not be the case by here. Also now that the object is "half"
- * destroyed. Our internal representation is destroyed, but it is still
- * in the data base.
- */
- status = fort11_FreeObject(object);
-
- FORT11_RETURN ((status != PK11_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR);
-}
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-PR_PUBLIC_API(CK_RV) C_GetObjectSize(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ULONG_PTR pulSize) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- *pulSize = 0;
- return CKR_OK;
-}
-
-
-/* C_GetAttributeValue obtains the value of one or more object attributes. */
-PR_PUBLIC_API(CK_RV) C_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount) {
- FORT11_ENTER()
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11Object *object;
- PK11Attribute *attribute;
- PRBool sensitive;
- int i;
-
- /*
- * make sure we're allowed
- */
- session = fort11_SessionFromHandle(hSession, PR_FALSE);
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- object = fort11_ObjectFromHandle(hObject,session);
- fort11_FreeSession(session);
- if (object == NULL) {
- FORT11_RETURN (CKR_OBJECT_HANDLE_INVALID);
- }
-
- /* don't read a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (fort11_isTrue(object,CKA_PRIVATE))) {
- fort11_FreeObject(object);
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
- }
-
- sensitive = fort11_isTrue(object,CKA_SENSITIVE);
- for (i=0; i < (int)ulCount; i++) {
- /* Make sure that this attribute is retrievable */
- if (sensitive && fort11_isSensitive(pTemplate[i].type,object->objclass)) {
- fort11_FreeObject(object);
- FORT11_RETURN (CKR_ATTRIBUTE_SENSITIVE);
- }
- attribute = fort11_FindAttribute(object,pTemplate[i].type);
- if (attribute == NULL) {
- fort11_FreeObject(object);
- FORT11_RETURN (CKR_ATTRIBUTE_TYPE_INVALID);
- }
- if (pTemplate[i].pValue != NULL) {
- PORT_Memcpy(pTemplate[i].pValue,attribute->attrib.pValue,
- attribute->attrib.ulValueLen);
- }
- pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
- fort11_FreeAttribute(attribute);
- }
-
- fort11_FreeObject(object);
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_SetAttributeValue modifies the value of one or more object attributes */
-PR_PUBLIC_API(CK_RV) C_SetAttributeValue (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/* C_FindObjectsInit initializes a search for token and session objects
- * that match a template. */
-PR_PUBLIC_API(CK_RV) C_FindObjectsInit(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount) {
- FORT11_ENTER()
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11ObjectListElement *objectList = NULL;
- PK11ObjectListElement *olp;
- PK11SearchResults *search, *freeSearch;
- FortezzaSocket *currSocket;
- int rv, count, i;
-
- if (slot == NULL) {
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
-
- if ((!slot->isLoggedIn) && (slot->needLogin))
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
-
- session = fort11_SessionFromHandle(hSession, PR_FALSE);
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
- currSocket = &fortezzaSockets[slot->slotID-1];
- if (currSocket->personalityList == NULL) {
- rv = FetchPersonalityList(currSocket);
- if (rv != SOCKET_SUCCESS) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- rv = fort11_BuildCertObjects(currSocket, slot, session);
-
- if (rv != CKR_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (rv);
- }
-
-
- }
- rv = fort11_searchObjectList(&objectList, slot->tokObjects,
- slot->objectLock, pTemplate, ulCount);
- if (rv != CKR_OK) {
- fort11_FreeObjectList(objectList);
- fort11_FreeSession(session);
- FORT11_RETURN (rv);
- }
-
- /*copy list to session*/
-
- count = 0;
- for(olp = objectList; olp != NULL; olp = olp->next) {
- count++;
- }
-
- search = (PK11SearchResults *)PORT_Alloc(sizeof(PK11SearchResults));
- if (search != NULL) {
- search->handles = (CK_OBJECT_HANDLE *)
- PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * count);
- if (search->handles != NULL) {
- for (i=0; i < count; i++) {
- search->handles[i] = objectList->object->handle;
- objectList = fort11_FreeObjectListElement(objectList);
- }
- } else {
- PORT_Free(search);
- search = NULL;
- }
- }
- if (search == NULL) {
- fort11_FreeObjectList(objectList);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- /* store the search info */
- search->index = 0;
- search->size = count;
- if ((freeSearch = session->search) != NULL) {
- session->search = NULL;
- fort11_FreeSearch(freeSearch);
- }
- session->search = search;
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_FindObjects continues a search for token and session objects
- * that match a template, obtaining additional object handles. */
-PR_PUBLIC_API(CK_RV) C_FindObjects(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG ulMaxObjectCount,
- CK_ULONG_PTR pulObjectCount) {
- FORT11_ENTER()
- PK11Session *session;
- PK11SearchResults *search;
- PK11Slot *slot;
- int transfer;
- unsigned long left;
-
- *pulObjectCount = 0;
- session = fort11_SessionFromHandle(hSession,PR_FALSE);
- slot = fort11_SlotFromSessionHandle(hSession);
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
- if (session->search == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
- search = session->search;
- left = session->search->size - session->search->index;
- transfer = (ulMaxObjectCount > left) ? left : ulMaxObjectCount;
- PORT_Memcpy(phObject,&search->handles[search->index],
- transfer*sizeof(CK_OBJECT_HANDLE_PTR));
- search->index += transfer;
- if (search->index == search->size) {
- session->search = NULL;
- fort11_FreeSearch(search);
- }
- fort11_FreeSession(session);
- *pulObjectCount = transfer;
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_FindObjectsFinal finishes a search for token and session objects. */
-PR_PUBLIC_API(CK_RV) C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
- FORT11_ENTER()
- PK11Session *session;
- PK11SearchResults *search;
- PK11Slot *slot;
-
- session = fort11_SessionFromHandle(hSession, PR_FALSE);
- slot = fort11_SlotFromSessionHandle(hSession);
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
- search = session->search;
- session->search = NULL;
- if (search == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
- fort11_FreeSearch(search);
-
- /* UnloadPersonalityList(&fortezzaSockets[session->slot->slotID-1]); */
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_EncryptInit initializes an encryption operation. */
-PR_PUBLIC_API(CK_RV) C_EncryptInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Object *keyObject;
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- HSESSION hs = socket->maciSession;
- FortezzaKey *fortezzaKey;
- CI_IV fortezzaIV;
- int ciRV, registerIndex;
-
-
- if (pMechanism->mechanism != CKM_SKIPJACK_CBC64) {
- if (session) {
- fort11_FreeSession(session);
- }
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- keyObject = fort11_ObjectFromHandle (hKey, session);
-
- if (keyObject == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- ciRV = MACI_Select (hs, slot->slotID);
- if (ciRV != CI_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- ciRV = MACI_SetMode(hs, CI_ENCRYPT_TYPE, CI_CBC64_MODE);
- if (ciRV != CI_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- /*Load the correct key into a key register*/
- fortezzaKey = (FortezzaKey*)keyObject->objectInfo;
- fort11_FreeObject (keyObject);
- if (fortezzaKey == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- if (fortezzaKey->keyRegister == KeyNotLoaded) {
- registerIndex = LoadKeyIntoRegister (fortezzaKey);
- } else {
- registerIndex = fortezzaKey->keyRegister;
- }
-
- if (registerIndex == KeyNotLoaded) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- ciRV = MACI_SetKey (hs,registerIndex);
- if (ciRV != CI_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- ciRV = MACI_GenerateIV(hs, fortezzaIV);
- if (ciRV != CI_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- context = &session->fortezzaContext;
- InitContext(context, socket, hKey);
- ciRV = SaveState(context, fortezzaIV, session, fortezzaKey,
- CI_ENCRYPT_EXT_TYPE, pMechanism->mechanism);
- if (ciRV != SOCKET_SUCCESS) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- if (pMechanism->pParameter != NULL &&
- pMechanism->ulParameterLen >= sizeof(CI_IV)) {
- PORT_Memcpy (pMechanism->pParameter, fortezzaIV, sizeof(CI_IV));
- }
-
- InitCryptoOperation(context, Encrypt);
- fort11_FreeSession(session);
-
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_Encrypt encrypts single-part data. */
-PR_PUBLIC_API(CK_RV) C_Encrypt (CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pulEncryptedDataLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle (hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- HSESSION hs;
- CK_RV rv;
-
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession , PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
- if (GetCryptoOperation(context) != Encrypt) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
- }
-
- *pulEncryptedDataLen = ulDataLen;
- if (pEncryptedData == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- hs = socket->maciSession;
- FMUTEX_Lock(socket->registersLock);
- MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
- rv = EncryptData (context, pData, ulDataLen,
- pEncryptedData, *pulEncryptedDataLen);
- MACI_Unlock(hs);
- FMUTEX_Unlock(socket->registersLock);
-
- if (rv != SOCKET_SUCCESS) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- EndCryptoOperation(context, Encrypt);
- fort11_FreeSession(session);
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_EncryptUpdate continues a multiple-part encryption operation. */
-PR_PUBLIC_API(CK_RV) C_EncryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession,PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- int rv;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
-
- if (GetCryptoOperation(context) != Encrypt) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
- }
-
- if (pEncryptedPart == NULL) {
- *pulEncryptedPartLen = ulPartLen;
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- if (*pulEncryptedPartLen < ulPartLen) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
- }
-
- *pulEncryptedPartLen = ulPartLen;
-
- FMUTEX_Lock(socket->registersLock);
- MACI_Lock(socket->maciSession, CI_BLOCK_LOCK_FLAG);
- rv = EncryptData(context,pPart, ulPartLen, pEncryptedPart,
- *pulEncryptedPartLen);
- MACI_Unlock(socket->maciSession);
- FMUTEX_Unlock(socket->registersLock);
-
- fort11_FreeSession(session);
- if (rv != SOCKET_SUCCESS) {
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_EncryptFinal finishes a multiple-part encryption operation. */
-PR_PUBLIC_API(CK_RV) C_EncryptFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastEncryptedPart,
- CK_ULONG_PTR pulLastEncryptedPartLen){
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaContext *context;
- int rv;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
-
- rv = EndCryptoOperation(context, Encrypt);
- fort11_FreeSession(session);
-
- FORT11_RETURN (CKR_OK);
-}
-/* C_DecryptInit initializes a decryption operation. */
-PR_PUBLIC_API(CK_RV) C_DecryptInit( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Object *keyObject;
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- HSESSION hs = socket->maciSession;
- FortezzaKey *fortezzaKey;
- CI_IV fortezzaIV;
- int ciRV, registerIndex;
-
- if (pMechanism->mechanism != CKM_SKIPJACK_CBC64) {
- if (session) fort11_FreeSession(session);
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- keyObject = fort11_ObjectFromHandle (hKey, session);
-
- if (keyObject == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- fortezzaKey = (FortezzaKey*)keyObject->objectInfo;
- fort11_FreeObject(keyObject);
-
- if (fortezzaKey == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- ciRV = MACI_Select (hs, slot->slotID);
- if (ciRV != CI_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- ciRV = MACI_SetMode(hs, CI_DECRYPT_TYPE, CI_CBC64_MODE);
- if (ciRV != CI_OK) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- FMUTEX_Lock(socket->registersLock);
- if (fortezzaKey->keyRegister == KeyNotLoaded) {
- registerIndex = LoadKeyIntoRegister(fortezzaKey);
- } else {
- registerIndex = fortezzaKey->keyRegister;
- }
-
- if (registerIndex == KeyNotLoaded) {
- FMUTEX_Unlock(socket->registersLock);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- if (pMechanism->pParameter == NULL ||
- pMechanism->ulParameterLen < sizeof (CI_IV)) {
- FORT11_RETURN (CKR_MECHANISM_PARAM_INVALID);
- }
-
- PORT_Memcpy (fortezzaIV, pMechanism->pParameter, sizeof(CI_IV));
-
- ciRV = MACI_SetKey (hs, registerIndex);
- if (ciRV != CI_OK) {
- FMUTEX_Unlock(socket->registersLock);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- ciRV = MACI_LoadIV (hs, fortezzaIV);
- if (ciRV != CI_OK) {
- FMUTEX_Unlock(socket->registersLock);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- context = &session->fortezzaContext;
- InitContext(context, socket, hKey);
- ciRV = SaveState (context, fortezzaIV, session, fortezzaKey,
- CI_DECRYPT_EXT_TYPE, pMechanism->mechanism);
-
- FMUTEX_Unlock(socket->registersLock);
-
- if (ciRV != SOCKET_SUCCESS) {
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- InitCryptoOperation (context, Decrypt);
- fort11_FreeSession (session);
-
- FORT11_RETURN (CKR_OK);
-}
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-PR_PUBLIC_API(CK_RV) C_Decrypt(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG ulEncryptedDataLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle (hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- HSESSION hs;
- CK_RV rv;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
-
- if (GetCryptoOperation(context) != Decrypt) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
- }
-
- *pulDataLen = ulEncryptedDataLen;
- if (pData == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- hs = socket->maciSession;
- FMUTEX_Lock(socket->registersLock);
- MACI_Lock(hs, CI_NULL_FLAG);
- rv = DecryptData (context, pEncryptedData, ulEncryptedDataLen,
- pData, *pulDataLen);
- MACI_Unlock(hs);
- FMUTEX_Unlock(socket->registersLock);
- if (rv != SOCKET_SUCCESS) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- EndCryptoOperation (context, Decrypt);
- fort11_FreeSession(session);
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_DecryptUpdate continues a multiple-part decryption operation. */
-PR_PUBLIC_API(CK_RV) C_DecryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession,PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- HSESSION hs;
- int rv;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession (session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
- hs = socket->maciSession;
-
- if (GetCryptoOperation(context) != Decrypt) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
- }
-
- if (pPart == NULL) {
- *pulPartLen = ulEncryptedPartLen;
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- *pulPartLen = ulEncryptedPartLen;
-
- FMUTEX_Lock(socket->registersLock);
- MACI_Lock (hs, CI_NULL_FLAG);
- rv = DecryptData (context, pEncryptedPart, ulEncryptedPartLen, pPart,
- *pulPartLen);
- MACI_Unlock(hs);
- FMUTEX_Unlock(socket->registersLock);
-
- fort11_FreeSession(session);
-
- if (rv != SOCKET_SUCCESS) {
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_DecryptFinal finishes a multiple-part decryption operation. */
-PR_PUBLIC_API(CK_RV) C_DecryptFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastPart,
- CK_ULONG_PTR pulLastPartLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaContext *context;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
- EndCryptoOperation (context, Decrypt);
-
- fort11_FreeSession(session);
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/*
- ************** Crypto Functions: Digest (HASH) ************************
- */
-
-/* C_DigestInit initializes a message-digesting operation. */
-PR_PUBLIC_API(CK_RV) C_DigestInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_Digest digests data in a single part. */
-PR_PUBLIC_API(CK_RV) C_Digest(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting operation. */
-PR_PUBLIC_API(CK_RV) C_DigestUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting operation. */
-PR_PUBLIC_API(CK_RV) C_DigestFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/*
- ************** Crypto Functions: Sign ************************
- */
-
-/* C_SignInit initializes a signature (private key encryption) operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-PR_PUBLIC_API(CK_RV) C_SignInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle (hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Object *keyObject;
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- FortezzaContext *context;
- PK11Attribute *idAttribute;
- int personalityIndex;
- HSESSION hs = socket->maciSession;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (pMechanism->mechanism != CKM_DSA) {
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- keyObject = fort11_ObjectFromHandle (hKey, session);
-
- if (keyObject == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- context = &session->fortezzaContext;
- InitContext(context, socket, hKey);
- InitCryptoOperation (context, Sign);
- fort11_FreeSession(session);
-
- idAttribute = fort11_FindAttribute(keyObject, CKA_ID);
- fort11_FreeObject(keyObject);
-
- if (idAttribute == NULL) {
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- personalityIndex = *(int*)(idAttribute->attrib.pValue);
- fort11_FreeAttribute(idAttribute);
-
- MACI_Select (hs, slot->slotID);
- if (MACI_SetPersonality (hs,personalityIndex) != CI_OK) {
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_Sign signs (encrypts with private key) data in a single part,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-PR_PUBLIC_API(CK_RV) C_Sign(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen) {
-
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaContext *context;
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- HSESSION hs = socket->maciSession;
- PK11Object *keyObject;
- PK11Attribute *idAttribute;
- int ciRV, personalityIndex;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
-
- context = &session->fortezzaContext;
- if (GetCryptoOperation(context) != Sign) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
- }
-
- if (pSignature == NULL) {
- *pulSignatureLen = 40;
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- if (ulDataLen > 20) {
- FORT11_RETURN (CKR_DATA_LEN_RANGE);
- }
-
- if (*pulSignatureLen < 40) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
- }
- *pulSignatureLen = 40;
-
- keyObject = fort11_ObjectFromHandle(context->hKey, session);
- if (keyObject == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN(CKR_GENERAL_ERROR);
- }
-
- idAttribute = fort11_FindAttribute(keyObject, CKA_ID);
- fort11_FreeObject(keyObject);
-
- personalityIndex = *(int*)(idAttribute->attrib.pValue);
- fort11_FreeAttribute(idAttribute);
-
- MACI_Select(hs, slot->slotID);
-
- MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
- ciRV = MACI_SetPersonality(hs, personalityIndex);
- if (ciRV != CI_OK) {
- MACI_Unlock(hs);
- fort11_FreeSession(session);
- FORT11_RETURN(CKR_DEVICE_ERROR);
- }
-
- ciRV = MACI_Sign (hs, pData, pSignature);
- if (ciRV != CI_OK) {
- MACI_Unlock(hs);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- MACI_Unlock(hs);
- EndCryptoOperation (context, Sign);
- fort11_FreeSession(session);
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-PR_PUBLIC_API(CK_RV) C_SignUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_SignFinal finishes a multiple-part signature operation,
- * FORT11_RETURNing the signature. */
-PR_PUBLIC_API(CK_RV) C_SignFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/*
- ************** Crypto Functions: Sign Recover ************************
- */
-/* C_SignRecoverInit initializes a signature operation,
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
-PR_PUBLIC_API(CK_RV) C_SignRecoverInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_SignRecover signs data in a single operation
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
-PR_PUBLIC_API(CK_RV) C_SignRecover(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/*
- ************** Crypto Functions: verify ************************
- */
-
-/* C_VerifyInit initializes a verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature (e.g. DSA) */
-PR_PUBLIC_API(CK_RV) C_VerifyInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-PR_PUBLIC_API(CK_RV) C_Verify(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,
- CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_VerifyUpdate continues a multiple-part verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-PR_PUBLIC_API(CK_RV) C_VerifyUpdate( CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_VerifyFinal finishes a multiple-part verification operation,
- * checking the signature. */
-PR_PUBLIC_API(CK_RV) C_VerifyFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/*
- ************** Crypto Functions: Verify Recover ************************
- */
-
-/* C_VerifyRecoverInit initializes a signature verification operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
-PR_PUBLIC_API(CK_RV) C_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- /* For functions that don't access globals, we don't have to worry about the
- * stack.
- */
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_VerifyRecover verifies a signature in a single-part operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
-PR_PUBLIC_API(CK_RV) C_VerifyRecover(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/*
- **************************** Key Functions: ************************
- */
-
-#define MAX_KEY_LEN 256
-/* C_GenerateKey generates a secret key, creating a new key object. */
-PR_PUBLIC_API(CK_RV) C_GenerateKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- PK11Object *key;
- FortezzaKey *newKey;
- int i, keyRegister;
- CK_ULONG key_length = 0;
- CK_RV crv = CKR_OK;
- CK_OBJECT_CLASS secretKey = CKO_SECRET_KEY;
- CK_BBOOL False = FALSE;
- CK_BBOOL cktrue = TRUE;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
- if (pMechanism->mechanism != CKM_SKIPJACK_KEY_GEN) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- key = fort11_NewObject(slot);
-
- if (key == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_HOST_MEMORY);
- }
-
- for (i=0; i < (int) ulCount; i++) {
- if (pTemplate[i].type == CKA_VALUE_LEN) {
- key_length = *(CK_ULONG *)pTemplate[i].pValue;
- continue;
- }
- crv = fort11_AddAttributeType (key, pk11_attr_expand (&pTemplate[i]));
- if (crv != CKR_OK)
- break;
- }
-
- if (crv != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (crv);
- }
-
- /* make sure we don't have any class, key_type, or value fields */
- fort11_DeleteAttributeType(key,CKA_CLASS);
- fort11_DeleteAttributeType(key,CKA_KEY_TYPE);
- fort11_DeleteAttributeType(key,CKA_VALUE);
-
- if (MAX_KEY_LEN < key_length) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- }
-
- if (crv != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (crv);
- }
-
- if (fort11_AddAttributeType(key, CKA_CLASS,&secretKey,
- sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- if (fort11_AddAttributeType(key, CKA_TOKEN, &False,
- sizeof(CK_BBOOL)) != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- if (fort11_isTrue(key,CKA_SENSITIVE)) {
- fort11_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,
- sizeof(CK_BBOOL));
- }
- if (!fort11_isTrue(key,CKA_EXTRACTABLE)) {
- fort11_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,
- sizeof(CK_BBOOL));
- }
-
- FMUTEX_Lock(socket->registersLock);
-
- keyRegister = GetBestKeyRegister(socket);
- newKey = NewFortezzaKey(socket, MEK, NULL, keyRegister);
-
- FMUTEX_Unlock(socket->registersLock);
-
- if (newKey == NULL) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_HOST_MEMORY);
- }
-
- key->objectInfo = (void*)newKey;
- key->infoFree = fort11_FreeFortezzaKey;
-
- FMUTEX_Lock(slot->objectLock);
- key->handle = slot->tokenIDCount++;
- key->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- FMUTEX_Unlock(slot->objectLock);
-
- key->objclass = secretKey;
- key->slot = slot;
- key->inDB = PR_TRUE;
-
- fort11_AddObject(session, key);
- fort11_FreeSession(session);
- SetFortezzaKeyHandle(newKey, key->handle);
- *phKey = key->handle;
-
- FORT11_RETURN (CKR_OK);
-
-}
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
-PR_PUBLIC_API(CK_RV) C_GenerateKeyPair
- (CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG ulPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG ulPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-PR_PUBLIC_API(CK_RV) C_WrapKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hWrappingKey,
- CK_OBJECT_HANDLE hKey,
- CK_BYTE_PTR pWrappedKey,
- CK_ULONG_PTR pulWrappedKeyLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle (hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- PK11Object *wrapKey;
- PK11Object *srcKey;
- FortezzaKey *wrapFortKey;
- FortezzaKey *srcFortKey;
- int rv;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (!socket->isLoggedIn) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
- }
-
- if (pMechanism->mechanism != CKM_SKIPJACK_WRAP) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- wrapKey = fort11_ObjectFromHandle (hWrappingKey, session);
- if ((wrapKey == NULL) || (wrapKey->objectInfo == NULL)) {
- if (wrapKey)
- fort11_FreeObject(wrapKey);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- srcKey = fort11_ObjectFromHandle (hKey, session);
- fort11_FreeSession(session);
- if ((srcKey == NULL) || (srcKey->objectInfo == NULL)) {
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- wrapFortKey = (FortezzaKey*)wrapKey->objectInfo;
- fort11_FreeObject(wrapKey);
-
- srcFortKey = (FortezzaKey*)srcKey->objectInfo;
- fort11_FreeObject(srcKey);
-
- FMUTEX_Lock(socket->registersLock);
- if (wrapFortKey->keyRegister == KeyNotLoaded) {
- if (LoadKeyIntoRegister(wrapFortKey) == KeyNotLoaded) {
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- }
-
- if (srcFortKey->keyRegister == KeyNotLoaded) {
- if (LoadKeyIntoRegister(srcFortKey) == KeyNotLoaded) {
- FMUTEX_Unlock(socket->registersLock);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- }
-
- MACI_Lock(socket->maciSession, CI_BLOCK_LOCK_FLAG);
- rv = WrapKey (wrapFortKey, srcFortKey, pWrappedKey, *pulWrappedKeyLen);
- MACI_Unlock(socket->maciSession);
- FMUTEX_Unlock(socket->registersLock);
-
- if (rv != SOCKET_SUCCESS) {
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
-PR_PUBLIC_API(CK_RV) C_UnwrapKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hUnwrappingKey,
- CK_BYTE_PTR pWrappedKey,
- CK_ULONG ulWrappedKeyLen,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- PK11Object *wrapKey;
- PK11Object *newKey;
- FortezzaKey *fortKey;
- FortezzaKey *unwrapFort;
- CK_ULONG key_length;
- int i, newKeyRegister;
- CK_RV crv = CKR_OK;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (pMechanism->mechanism != CKM_SKIPJACK_WRAP){
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- if (!socket->isLoggedIn) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
- }
-
- wrapKey = fort11_ObjectFromHandle(hUnwrappingKey, session);
- if (wrapKey == NULL || wrapKey->objectInfo == NULL) {
- if (wrapKey)
- fort11_FreeObject(wrapKey);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_UNWRAPPING_KEY_HANDLE_INVALID);
- }
-
- fortKey = (FortezzaKey*)wrapKey->objectInfo;
- fort11_FreeObject(wrapKey);
-
- newKey = fort11_NewObject(slot);
- if (newKey == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_HOST_MEMORY);
- }
-
- for (i=0; i< (int)ulAttributeCount; i++) {
- if (pTemplate[i].type == CKA_VALUE_LEN) {
- key_length = *(CK_ULONG*)pTemplate[i].pValue;
- continue;
- }
- crv=fort11_AddAttributeType(newKey,fort11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) {
- break;
- }
- }
-
- if (crv != CKR_OK) {
- fort11_FreeSession(session);
- fort11_FreeObject(newKey);
- FORT11_RETURN (crv);
- }
-
- /* make sure we don't have any class, key_type, or value fields */
- if (!fort11_hasAttribute(newKey,CKA_CLASS)) {
- fort11_FreeObject(newKey);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_TEMPLATE_INCOMPLETE);
- }
- if (!fort11_hasAttribute(newKey,CKA_KEY_TYPE)) {
- fort11_FreeObject(newKey);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_TEMPLATE_INCOMPLETE);
- }
-
- FMUTEX_Lock(socket->registersLock);
- newKeyRegister = UnwrapKey (pWrappedKey, fortKey);
- if (newKeyRegister == KeyNotLoaded) {
- /*Couldn't Unwrap the key*/
- fort11_FreeObject(newKey);
- fort11_FreeSession(session);
- FMUTEX_Unlock(socket->registersLock);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- unwrapFort = NewUnwrappedKey(newKeyRegister, fortKey->id, socket);
- FMUTEX_Unlock(socket->registersLock);
-
- if (unwrapFort == NULL) {
- fort11_FreeObject(newKey);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_HOST_MEMORY);
- }
- newKey->objectInfo = unwrapFort;
- newKey->infoFree = fort11_FreeFortezzaKey;
-
- FMUTEX_Lock(slot->objectLock);
- newKey->handle = slot->tokenIDCount++;
- newKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- FMUTEX_Unlock(slot->objectLock);
- newKey->objclass = CKO_SECRET_KEY;
- newKey->slot = slot;
- newKey->inDB = PR_TRUE;
-
- fort11_AddObject (session, newKey);
- fort11_FreeSession(session);
-
- SetFortezzaKeyHandle(unwrapFort, newKey->handle);
- *phKey = newKey->handle;
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key object. */
-PR_PUBLIC_API(CK_RV) C_DeriveKey( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hBaseKey,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
- PK11Object *key, *sourceKey;
- CK_ULONG i;
- CK_ULONG key_length = 0;
- CK_RV crv = 0;
- CK_KEY_TYPE keyType = CKK_SKIPJACK;
- CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
- CK_BBOOL ckTrue = TRUE;
- CK_BBOOL ckFalse = FALSE;
- int ciRV;
- int personality;
- PK11Attribute *att;
-
- CK_KEA_DERIVE_PARAMS_PTR params;
- FortezzaKey *derivedKey;
- CreateTEKInfo tekInfo;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (pMechanism->mechanism != CKM_KEA_KEY_DERIVE) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_MECHANISM_INVALID);
- }
-
- key = fort11_NewObject (slot);
-
- if (key == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_HOST_MEMORY);
- }
-
- for (i = 0; i < ulAttributeCount; i++) {
- crv = fort11_AddAttributeType (key, fort11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) {
- break;
- }
- if (pTemplate[i].type == CKA_KEY_TYPE) {
- keyType = *(CK_KEY_TYPE*)pTemplate[i].pValue;
- } else if (pTemplate[i].type == CKA_VALUE_LEN) {
- key_length = *(CK_ULONG*)pTemplate[i].pValue;
- }
- }
-
- if (crv != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (crv);
- }
-
- if (key_length == 0) {
- key_length = 12;
- }
-
- classType = CKO_SECRET_KEY;
- crv = fort11_forceAttribute (key, CKA_CLASS, &classType,
- sizeof(classType));
- if (crv != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (crv);
- }
- crv = fort11_forceAttribute (key, CKA_SENSITIVE, &ckTrue,
- sizeof(CK_BBOOL));
- if (crv != CKR_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (crv);
- }
- crv = fort11_forceAttribute (key, CKA_EXTRACTABLE, &ckFalse,
- sizeof(CK_BBOOL));
- if (crv != CKR_OK) {
- fort11_FreeSession(session);
- fort11_FreeObject(key);
- FORT11_RETURN (crv);
- }
-
- sourceKey = fort11_ObjectFromHandle (hBaseKey, session);
-
- if (sourceKey == NULL) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
-
- att = fort11_FindAttribute(sourceKey,CKA_ID);
- fort11_FreeObject(sourceKey);
- if (att == NULL) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_TYPE_INCONSISTENT);
- }
- personality = *(int *) att->attrib.pValue;
- fort11_FreeAttribute(att);
-
- params = (CK_KEA_DERIVE_PARAMS_PTR)pMechanism->pParameter;
-
- if (params == NULL) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_MECHANISM_PARAM_INVALID);
- }
-
- ciRV = MACI_SetPersonality(socket->maciSession,personality);
- if (ciRV != CI_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- /*
- * If we're sending, generate our own RA.
- */
- if (params->isSender) {
- ciRV = MACI_GenerateRa(socket->maciSession,params->pRandomA);
- if (ciRV != CI_OK) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- }
- PORT_Memcpy (tekInfo.Ra, params->pRandomA, params->ulRandomLen);
- PORT_Memcpy (tekInfo.Rb, params->pRandomB, params->ulRandomLen);
- tekInfo.randomLen = params->ulRandomLen;
- tekInfo.personality = personality;
- tekInfo.flag = (params->isSender) ? CI_INITIATOR_FLAG : CI_RECIPIENT_FLAG;
-
- PORT_Memcpy (tekInfo.pY, params->pPublicData, params->ulPublicDataLen);
- tekInfo.YSize = params->ulPublicDataLen;
-
- FMUTEX_Lock(socket->registersLock);
- derivedKey = NewFortezzaKey(socket, TEK, &tekInfo,
- GetBestKeyRegister(socket));
- FMUTEX_Unlock(socket->registersLock);
-
- if (derivedKey == NULL) {
- fort11_FreeObject(key);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_GENERAL_ERROR);
- }
-
- key->objectInfo = derivedKey;
- key->infoFree = fort11_FreeFortezzaKey;
-
- FMUTEX_Lock(slot->objectLock);
- key->handle = slot->tokenIDCount++;
- key->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- FMUTEX_Unlock(slot->objectLock);
- key->objclass = classType;
- key->slot = slot;
- key->inDB = PR_TRUE;
-
- fort11_AddObject (session, key);
- fort11_FreeSession(session);
-
- SetFortezzaKeyHandle(derivedKey, key->handle);
- *phKey = key->handle;
-
- FORT11_RETURN (CKR_OK);
-}
-
-/*
- **************************** Random Functions: ************************
- */
-
-/* C_SeedRandom mixes additional seed material into the token's random number
- * generator. */
-PR_PUBLIC_API(CK_RV) C_SeedRandom(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSeed,
- CK_ULONG ulSeedLen) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_GenerateRandom generates random data. */
-PR_PUBLIC_API(CK_RV) C_GenerateRandom(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pRandomData,
- CK_ULONG ulRandomLen) {
- FORT11_ENTER()
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- PK11Session *session = fort11_SessionFromHandle(hSession,PR_FALSE);
- CI_RANDOM randomNum;
- CK_ULONG randomSize = sizeof (CI_RANDOM);
- int ciRV;
- CK_ULONG bytesCopied = 0, bytesToCopy;
- CK_ULONG bufferSize = 0, bytesRemaining;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle (hSession, PR_TRUE);
- fort11_TokenRemoved(slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- fort11_FreeSession(session);
- ciRV = MACI_Select(fortezzaSockets[slot->slotID-1].maciSession,
- slot->slotID);
- if (ciRV != CI_OK) {
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- while (bytesCopied < ulRandomLen) {
- bytesRemaining = ulRandomLen - bytesCopied;
- if (bufferSize < bytesRemaining) {
- ciRV =
- MACI_GenerateRandom(fortezzaSockets[slot->slotID-1].maciSession,
- randomNum);
- if (ciRV != CI_OK)
- FORT11_RETURN (CKR_DEVICE_ERROR);
- bufferSize = randomSize;
- }
- bytesToCopy = (bytesRemaining > randomSize) ? randomSize :
- bytesRemaining;
-
- PORT_Memcpy (&pRandomData[bytesCopied],
- &randomNum[randomSize-bufferSize], bytesToCopy);
-
- bytesCopied += bytesToCopy;
- bufferSize -= bytesToCopy;
- }
-
- FORT11_RETURN (CKR_OK);
-}
-
-
-/* C_GetFunctionStatus obtains an updated status of a function running
- * in parallel with an application. */
-PR_PUBLIC_API(CK_RV) C_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_CancelFunction cancels a function running in parallel */
-PR_PUBLIC_API(CK_RV) C_CancelFunction(CK_SESSION_HANDLE hSession) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/* C_GetOperationState saves the state of the cryptographic
- *operation in a session. */
-PR_PUBLIC_API(CK_RV) C_GetOperationState(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState,
- CK_ULONG_PTR pulOperationStateLen) {
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaContext *context;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (pOperationState == NULL) {
- *pulOperationStateLen = sizeof (FortezzaContext);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_OK);
- }
-
- if (*pulOperationStateLen < sizeof (FortezzaContext)) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
- }
-
- context = &session->fortezzaContext;
- fort11_FreeSession(session);
- PORT_Memcpy (pOperationState, context, sizeof(FortezzaContext));
- ((FortezzaContext *)pOperationState)->session = NULL;
- ((FortezzaContext *)pOperationState)->fortezzaKey = NULL;
- *pulOperationStateLen = sizeof(FortezzaContext);
- FORT11_RETURN (CKR_OK);
-}
-
-
-
-/* C_SetOperationState restores the state of the cryptographic operation in a session. */
-PR_PUBLIC_API(CK_RV) C_SetOperationState(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState,
- CK_ULONG ulOperationStateLen,
- CK_OBJECT_HANDLE hEncryptionKey,
- CK_OBJECT_HANDLE hAuthenticationKey){
- FORT11_ENTER()
- PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
- PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
- FortezzaContext *context;
- FortezzaContext passedInCxt;
- PK11Object *keyObject;
- FortezzaKey *fortKey;
-
- if (session == NULL) {
- session = fort11_SessionFromHandle(hSession, PR_TRUE);
- fort11_TokenRemoved (slot, session);
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
- }
-
- if (ulOperationStateLen != sizeof(FortezzaContext)) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SAVED_STATE_INVALID);
- }
-
- PORT_Memcpy(&passedInCxt, pOperationState, sizeof(FortezzaContext));
- if (passedInCxt.fortezzaSocket->slotID != slot->slotID) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SAVED_STATE_INVALID);
- }
- passedInCxt.session = NULL;
- passedInCxt.fortezzaKey = NULL;
-
- if (hEncryptionKey != 0) {
- keyObject = fort11_ObjectFromHandle(hEncryptionKey, session);
- if (keyObject == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
- }
- fortKey = (FortezzaKey*)keyObject->objectInfo;
- fort11_FreeObject(keyObject);
- if (fortKey == NULL) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_SAVED_STATE_INVALID);
- }
- if (fortKey->keyRegister == KeyNotLoaded) {
- if (LoadKeyIntoRegister (fortKey) == KeyNotLoaded) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
- }
- passedInCxt.fortezzaKey = fortKey;
-
- }
- if (hAuthenticationKey != 0) {
- fort11_FreeSession(session);
- FORT11_RETURN (CKR_DEVICE_ERROR);
- }
-
- passedInCxt.session = session;
- context = &session->fortezzaContext;
- fort11_FreeSession (session);
- PORT_Memcpy (context, &passedInCxt, sizeof(passedInCxt));
-
- FORT11_RETURN (CKR_OK);
-}
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting and
- encryption operation. */
-PR_PUBLIC_API(CK_RV) C_DigestEncryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen){
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and digesting
- operation. */
-PR_PUBLIC_API(CK_RV) C_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen){
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and encryption
- operation. */
-PR_PUBLIC_API(CK_RV) C_SignEncryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,
- CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen){
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and verify
- operation. */
-PR_PUBLIC_API(CK_RV) C_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData,
- CK_ULONG ulEncryptedDataLen,
- CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen){
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-/* C_DigestKey continues a multi-part message-digesting operation,
- * by digesting the value of a secret key as part of the data already digested.
- */
-PR_PUBLIC_API(CK_RV) C_DigestKey(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hKey) {
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
-
-PR_PUBLIC_API(CK_RV) C_WaitForSlotEvent(CK_FLAGS flags,
- CK_SLOT_ID_PTR pSlot,
- CK_VOID_PTR pRserved) {
- return CKR_FUNCTION_FAILED;
-}
-
diff --git a/security/nss/lib/fortcrypt/fortsock.h b/security/nss/lib/fortcrypt/fortsock.h
deleted file mode 100644
index f74fc80b8..000000000
--- a/security/nss/lib/fortcrypt/fortsock.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef FORSOCK_H_
-#define FORSOCK_H_
-
-#include "seccomon.h"
-#include "fpkcs11.h"
-#include "fpkcs11i.h"
-#include "fpkstrs.h"
-
-
-#ifndef prtypes_h___
-typedef enum { PR_FALSE, PR_TRUE }PRBool;
-#endif
-
-
-#define SOCKET_SUCCESS 0
-#define SOCKET_FAILURE 1
-
-#define KeyNotLoaded -1
-#define NoCryptoType -1
-#define NoCryptoMode -1
-#define NO_MECHANISM 0xFFFFFFFFL
-
-
-/*Get the Fortezza context in here*/
-
-int InitSocket (FortezzaSocket *inSocket, int inSlotID);
-int FreeSocket (FortezzaSocket *inSocket);
-
-int FetchPersonalityList (FortezzaSocket *inSocket);
-int UnloadPersonalityList(FortezzaSocket *inSocket);
-
-int LoginToSocket (FortezzaSocket *inSocket, int inUserType, CI_PIN inPin);
-
-int LogoutFromSocket (FortezzaSocket *inSocket);
-
-PRBool SocketStateUnchanged(FortezzaSocket* inSocket);
-
-int GetBestKeyRegister(FortezzaSocket *inSocket);
-
-FortezzaKey *NewFortezzaKey(FortezzaSocket *inSocket,
- FortezzaKeyType inKeyType,
- CreateTEKInfo *TEKinfo,
- int inKeyRegister);
-FortezzaKey *NewUnwrappedKey(int inKeyRegister, int i,
- FortezzaSocket *inSocket);
-
-int LoadKeyIntoRegister (FortezzaKey *inKey);
-int SetFortezzaKeyHandle (FortezzaKey *inKey, CK_OBJECT_HANDLE inHandle);
-void RemoveKey (FortezzaKey *inKey);
-
-void InitContext(FortezzaContext *inContext, FortezzaSocket *inSocket,
- CK_OBJECT_HANDLE hKey);
-int InitCryptoOperation (FortezzaContext *inContext,
- CryptoType inCryptoOperation);
-int EndCryptoOperation (FortezzaContext *inContext,
- CryptoType inCryptoOperation);
-CryptoType GetCryptoOperation (FortezzaContext *inContext);
-int EncryptData (FortezzaContext *inContext, CK_BYTE_PTR inData,
- CK_ULONG inDataLen, CK_BYTE_PTR inDest,
- CK_ULONG inDestLen);
-int DecryptData (FortezzaContext *inContext, CK_BYTE_PTR inData,
- CK_ULONG inDataLen, CK_BYTE_PTR inDest,
- CK_ULONG inDestLen);
-
-int SaveState (FortezzaContext *inContext, CI_IV inIV,
- PK11Session *inSession, FortezzaKey *inKey,
- int inCryptoType, CK_MECHANISM_TYPE inMechanism);
-
-int WrapKey (FortezzaKey *wrappingKey, FortezzaKey *srcKey,
- CK_BYTE_PTR pDest, CK_ULONG ulDestLen);
-int UnwrapKey (CK_BYTE_PTR inWrappedKey, FortezzaKey *inKey);
-
-#endif /*SOCKET_H_*/
diff --git a/security/nss/lib/fortcrypt/fpkcs11.h b/security/nss/lib/fortcrypt/fpkcs11.h
deleted file mode 100644
index 09f3dfe29..000000000
--- a/security/nss/lib/fortcrypt/fpkcs11.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* Define API */
-#ifndef _FPKCS11_H_
-#define _FPKCS11_H_ 1
-
-#include "seccomon.h"
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-
-#ifndef TRUE
-#define TRUE (!FALSE)
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* All the various pkcs11 types and #define'd values are in the file */
-/* pkcs11t.h. CK_PTR should be defined there, too; it's the recipe for */
-/* making pointers. */
-#include "fpkcs11t.h"
-
-#define __PASTE(x,y) x##y
-
-/* ================================================================= */
-/* Define the "extern" form of all the entry points */
-
-#define CK_EXTERN extern
-#define CK_FUNC(name) CK_ENTRY name
-#define CK_NEED_ARG_LIST 1
-#define _CK_RV PR_PUBLIC_API(CK_RV)
-
-/* pkcs11f.h has all the information about the PKCS #11 functions. */
-#include "fpkcs11f.h"
-
-#undef CK_FUNC
-#undef CK_EXTERN
-#undef CK_NEED_ARG_LIST
-#undef _CK_RV
-
-/* ================================================================= */
-/* Define the typedef form of all the entry points. */
-/* That is, for each Cryptoki function C_XXX, define a type CK_C_XXX */
-/* which is a pointer to that kind of function. */
-
-#define CK_EXTERN typedef
-#define CK_FUNC(name) CK_ENTRY (CK_PTR __PASTE(CK_,name))
-#define CK_NEED_ARG_LIST 1
-#define _CK_RV CK_RV
-
-#include "fpkcs11f.h"
-
-#undef CK_FUNC
-#undef CK_EXTERN
-#undef CK_NEED_ARG_LIST
-#undef _CK_RV
-
-/* =================================================================
- * Define structed vector of entry points.
- * The CK_FUNCTION_LIST contains a CK_VERSION indicating the PKCS #11
- * version, and then a whole slew of function pointers to the routines
- * in the library. This type was declared, but not defined, in
- * pkcs11t.h. */
-
-
-/* These data types are platform/implementation dependent. */
-#if defined(XP_WIN)
-#if defined(_WIN32)
-#define CK_ENTRY
-#define CK_PTR * /* definition for Win32 */
-#define NULL_PTR 0 /* NULL pointer */
-#pragma pack(push, cryptoki, 1)
-#else /* win16 */
-#if defined(__WATCOMC__)
-#define CK_ENTRY
-#define CK_PTR * /* definition for Win16 */
-#define NULL_PTR 0 /* NULL pointer */
-#pragma pack(push, 1)
-#else /* not Watcom 16-bit */
-#define CK_ENTRY
-#define CK_PTR * /* definition for Win16 */
-#define NULL_PTR 0 /* NULL pointer */
-#pragma pack(1)
-#endif
-#endif
-#else /* not windows */
-#define CK_ENTRY
-#define CK_PTR * /* definition for UNIX */
-#define NULL_PTR 0 /* NULL pointer */
-#endif
-
-
-#define CK_EXTERN
-#define CK_FUNC(name) __PASTE(CK_,name) name;
-#define _CK_RV
-
-struct CK_FUNCTION_LIST {
-
- CK_VERSION version; /* PKCS #11 version */
-
-/* Pile all the function pointers into it. */
-#include "fpkcs11f.h"
-
-};
-
-#undef CK_FUNC
-#undef CK_EXTERN
-#undef _CK_RV
-
-
-#if defined(XP_WIN)
-#if defined(_WIN32)
-#pragma pack(pop, cryptoki)
-#else /* win16 */
-#if defined(__WATCOMC__)
-#pragma pack(pop)
-#else /* not Watcom 16-bit */
-#pragma pack()
-#endif
-#endif
-#endif
-
-
-#undef __PASTE
-/* ================================================================= */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/security/nss/lib/fortcrypt/fpkcs11f.h b/security/nss/lib/fortcrypt/fpkcs11f.h
deleted file mode 100644
index 6fa7e755d..000000000
--- a/security/nss/lib/fortcrypt/fpkcs11f.h
+++ /dev/null
@@ -1,953 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* This function contains pretty much everything about all */
-/* the PKCS #11 function prototypes. */
-
-/* General-purpose */
-
-/* C_Initialize initializes the PKCS #11 library. */
-CK_EXTERN _CK_RV CK_FUNC(C_Initialize)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
-);
-#endif
-
-
-/* C_Finalize indicates that an application is done with the PKCS #11
- * library. */
-CK_EXTERN _CK_RV CK_FUNC(C_Finalize)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
-);
-#endif
-
-
-/* C_GetInfo returns general information about PKCS #11. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_INFO_PTR pInfo /* location that receives the information */
-);
-#endif
-
-
-/* C_GetFunctionList returns the function list. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetFunctionList)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives ptr to function
-list */
-);
-#endif
-
-
-
-/* Slot and token management */
-
-/* C_GetSlotList obtains a list of slots in the system. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetSlotList)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_BBOOL tokenPresent, /* only slots with token present */
- CK_SLOT_ID_PTR pSlotList, /* receives the array of slot IDs */
- CK_ULONG_PTR pulCount /* receives the number of slots */
-);
-#endif
-
-
-/* C_GetSlotInfo obtains information about a particular slot in the
-system. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetSlotInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* the ID of the slot */
- CK_SLOT_INFO_PTR pInfo /* receives the slot information */
-);
-#endif
-
-
-/* C_GetTokenInfo obtains information about a particular token in the
- * system. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetTokenInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_TOKEN_INFO_PTR pInfo /* receives the token information */
-);
-#endif
-
-
-/* C_GetMechanismList obtains a list of mechanism types supported by
- * a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetMechanismList)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_MECHANISM_TYPE_PTR pMechanismList, /* receives mech. types array
-*/
- CK_ULONG_PTR pulCount /* receives number of mechs. */
-);
-#endif
-
-
-/* C_GetMechanismInfo obtains information about a particular mechanism
- * possibly supported by a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetMechanismInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_MECHANISM_TYPE type, /* type of mechanism */
- CK_MECHANISM_INFO_PTR pInfo /* receives mechanism information */
-);
-#endif
-
-
-/* C_InitToken initializes a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_InitToken)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_CHAR_PTR pPin, /* the SO's initial PIN */
- CK_ULONG ulPinLen, /* length in bytes of the PIN */
- CK_CHAR_PTR pLabel /* 32-byte token label (blank padded) */
-);
-#endif
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-CK_EXTERN _CK_RV CK_FUNC(C_InitPIN)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_CHAR_PTR pPin, /* the normal user's PIN */
- CK_ULONG ulPinLen /* length in bytes of the PIN */
-);
-#endif
-
-
-/* C_SetPIN modifies the PIN of user that is currently logged in. */
-CK_EXTERN _CK_RV CK_FUNC(C_SetPIN)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_CHAR_PTR pOldPin, /* the old PIN */
- CK_ULONG ulOldLen, /* length of the old PIN */
- CK_CHAR_PTR pNewPin, /* the new PIN */
- CK_ULONG ulNewLen /* length of the new PIN */
-);
-#endif
-
-
-
-/* Session management */
-
-/* C_OpenSession opens a session between an application and a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_OpenSession)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* the slot's ID */
- CK_FLAGS flags, /* defined in CK_SESSION_INFO */
- CK_VOID_PTR pApplication, /* pointer passed to callback */
- CK_NOTIFY Notify, /* notification callback function
-*/
- CK_SESSION_HANDLE_PTR phSession /* receives new session handle */
-);
-#endif
-
-
-/* C_CloseSession closes a session between an application and a token.
-*/
-CK_EXTERN _CK_RV CK_FUNC(C_CloseSession)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_CloseAllSessions)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID /* the token's slot */
-);
-#endif
-
-
-/* C_GetSessionInfo obtains information about the session. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetSessionInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_SESSION_INFO_PTR pInfo /* receives session information */
-);
-#endif
-
-
-/* C_GetOperationState obtains the state of the cryptographic operation
- * in a session. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pOperationState, /* location receiving state */
- CK_ULONG_PTR pulOperationStateLen /* location receiving state
-length */
-);
-#endif
-
-
-/* C_SetOperationState restores the state of the cryptographic operation
- * in a session. */
-CK_EXTERN _CK_RV CK_FUNC(C_SetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pOperationState, /* the location holding the
-state */
- CK_ULONG ulOperationStateLen, /* location holding state
-length */
- CK_OBJECT_HANDLE hEncryptionKey, /* handle of en/decryption key
-*/
- CK_OBJECT_HANDLE hAuthenticationKey /* handle of sign/verify key */
-);
-#endif
-
-
-/* C_Login logs a user into a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_Login)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_USER_TYPE userType, /* the user type */
- CK_CHAR_PTR pPin, /* the user's PIN */
- CK_ULONG ulPinLen /* the length of the PIN */
-);
-#endif
-
-
-/* C_Logout logs a user out from a token. */
-CK_EXTERN _CK_RV CK_FUNC(C_Logout)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-
-/* Object management */
-
-/* C_CreateObject creates a new object. */
-CK_EXTERN _CK_RV CK_FUNC(C_CreateObject)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
- CK_ULONG ulCount, /* attributes in template */
- CK_OBJECT_HANDLE_PTR phObject /* receives new object's handle. */
-);
-#endif
-
-
-/* C_CopyObject copies an object, creating a new object for the copy. */
-CK_EXTERN _CK_RV CK_FUNC(C_CopyObject)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
- CK_ULONG ulCount, /* attributes in template */
- CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
-);
-#endif
-
-
-/* C_DestroyObject destroys an object. */
-CK_EXTERN _CK_RV CK_FUNC(C_DestroyObject)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject /* the object's handle */
-);
-#endif
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetObjectSize)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ULONG_PTR pulSize /* receives size of object */
-);
-#endif
-
-
-/* C_GetAttributeValue obtains the value of one or more object
-attributes. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* specifies attributes, gets values */
- CK_ULONG ulCount /* attributes in template */
-);
-#endif
-
-
-/* C_SetAttributeValue modifies the value of one or more object
-attributes */
-CK_EXTERN _CK_RV CK_FUNC(C_SetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* specifies attributes and values */
- CK_ULONG ulCount /* attributes in template */
-);
-#endif
-
-
-/* C_FindObjectsInit initializes a search for token and session objects
- * that match a template. */
-CK_EXTERN _CK_RV CK_FUNC(C_FindObjectsInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
- CK_ULONG ulCount /* attributes in search template */
-);
-#endif
-
-
-/* C_FindObjects continues a search for token and session objects
- * that match a template, obtaining additional object handles. */
-CK_EXTERN _CK_RV CK_FUNC(C_FindObjects)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE_PTR phObject, /* receives object handle array
-*/
- CK_ULONG ulMaxObjectCount, /* max handles to be returned
-*/
- CK_ULONG_PTR pulObjectCount /* actual number returned */
-);
-#endif
-
-
-/* C_FindObjectsFinal finishes a search for token and session objects.
-*/
-CK_EXTERN _CK_RV CK_FUNC(C_FindObjectsFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-
-/* Encryption and decryption */
-
-/* C_EncryptInit initializes an encryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_EncryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
- CK_OBJECT_HANDLE hKey /* handle of encryption key */
-);
-#endif
-
-
-/* C_Encrypt encrypts single-part data. */
-CK_EXTERN _CK_RV CK_FUNC(C_Encrypt)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* the plaintext data */
- CK_ULONG ulDataLen, /* bytes of plaintext data */
- CK_BYTE_PTR pEncryptedData, /* receives encrypted data */
- CK_ULONG_PTR pulEncryptedDataLen /* receives encrypted byte
-count */
-);
-#endif
-
-
-/* C_EncryptUpdate continues a multiple-part encryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_EncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* the plaintext data */
- CK_ULONG ulPartLen, /* bytes of plaintext data */
- CK_BYTE_PTR pEncryptedPart, /* receives encrypted data */
- CK_ULONG_PTR pulEncryptedPartLen /* receives encrypted byte count
-*/
-);
-#endif
-
-
-/* C_EncryptFinal finishes a multiple-part encryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_EncryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pLastEncryptedPart, /* receives encrypted last
-part */
- CK_ULONG_PTR pulLastEncryptedPartLen /* receives byte count */
-);
-#endif
-
-
-/* C_DecryptInit initializes a decryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DecryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
- CK_OBJECT_HANDLE hKey /* handle of the decryption key */
-);
-#endif
-
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-CK_EXTERN _CK_RV CK_FUNC(C_Decrypt)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pEncryptedData, /* input encrypted data */
- CK_ULONG ulEncryptedDataLen, /* count of bytes of input */
- CK_BYTE_PTR pData, /* receives decrypted output */
- CK_ULONG_PTR pulDataLen /* receives decrypted byte count
-*/
-);
-#endif
-
-
-/* C_DecryptUpdate continues a multiple-part decryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DecryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pEncryptedPart, /* input encrypted data */
- CK_ULONG ulEncryptedPartLen, /* count of bytes of input */
- CK_BYTE_PTR pPart, /* receives decrypted output */
- CK_ULONG_PTR pulPartLen /* receives decrypted byte
-count */
-);
-#endif
-
-
-/* C_DecryptFinal finishes a multiple-part decryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DecryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pLastPart, /* receives decrypted output */
- CK_ULONG_PTR pulLastPartLen /* receives decrypted byte count */
-);
-#endif
-
-
-
-/* Message digesting */
-
-/* C_DigestInit initializes a message-digesting operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DigestInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
-);
-#endif
-
-
-/* C_Digest digests data in a single part. */
-CK_EXTERN _CK_RV CK_FUNC(C_Digest)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* data to be digested */
- CK_ULONG ulDataLen, /* bytes of data to be digested */
- CK_BYTE_PTR pDigest, /* receives the message digest */
- CK_ULONG_PTR pulDigestLen /* receives byte length of digest */
-);
-#endif
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting operation.
-*/
-CK_EXTERN _CK_RV CK_FUNC(C_DigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* data to be digested */
- CK_ULONG ulPartLen /* bytes of data to be digested */
-);
-#endif
-
-
-/* C_DigestKey continues a multi-part message-digesting operation, by
- * digesting the value of a secret key as part of the data already
-digested.
- */
-CK_EXTERN _CK_RV CK_FUNC(C_DigestKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hKey /* handle of secret key to digest */
-);
-#endif
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting operation.
-*/
-CK_EXTERN _CK_RV CK_FUNC(C_DigestFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pDigest, /* receives the message digest */
- CK_ULONG_PTR pulDigestLen /* receives byte count of digest */
-);
-#endif
-
-
-
-/* Signing and MACing */
-
-/* C_SignInit initializes a signature (private key encryption)
-operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_EXTERN _CK_RV CK_FUNC(C_SignInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
- CK_OBJECT_HANDLE hKey /* handle of the signature key */
-);
-#endif
-
-
-/* C_Sign signs (encrypts with private key) data in a single part,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_EXTERN _CK_RV CK_FUNC(C_Sign)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* the data (digest) to be signed
-*/
- CK_ULONG ulDataLen, /* count of bytes to be signed */
- CK_BYTE_PTR pSignature, /* receives the signature */
- CK_ULONG_PTR pulSignatureLen /* receives byte count of signature
-*/
-);
-#endif
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_EXTERN _CK_RV CK_FUNC(C_SignUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* the data (digest) to be signed */
- CK_ULONG ulPartLen /* count of bytes to be signed */
-);
-#endif
-
-
-/* C_SignFinal finishes a multiple-part signature operation,
- * returning the signature. */
-CK_EXTERN _CK_RV CK_FUNC(C_SignFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSignature, /* receives the signature */
- CK_ULONG_PTR pulSignatureLen /* receives byte count of signature
-*/
-);
-#endif
-
-
-/* C_SignRecoverInit initializes a signature operation,
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
-CK_EXTERN _CK_RV CK_FUNC(C_SignRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
- CK_OBJECT_HANDLE hKey /* handle of the signature key */
-);
-#endif
-
-
-/* C_SignRecover signs data in a single operation
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
-CK_EXTERN _CK_RV CK_FUNC(C_SignRecover)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* the data (digest) to be signed
-*/
- CK_ULONG ulDataLen, /* count of bytes to be signed */
- CK_BYTE_PTR pSignature, /* receives the signature */
- CK_ULONG_PTR pulSignatureLen /* receives byte count of signature
-*/
-);
-#endif
-
-
-
-/* Verifying signatures and MACs */
-
-/* C_VerifyInit initializes a verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature (e.g. DSA) */
-CK_EXTERN _CK_RV CK_FUNC(C_VerifyInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
- CK_OBJECT_HANDLE hKey /* handle of the verification key */
-);
-#endif
-
-
-/* C_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_EXTERN _CK_RV CK_FUNC(C_Verify)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* plaintext data (digest) to
-compare */
- CK_ULONG ulDataLen, /* length of data (digest) in bytes
-*/
- CK_BYTE_PTR pSignature, /* the signature to be verified */
- CK_ULONG ulSignatureLen /* count of bytes of signature */
-);
-#endif
-
-
-/* C_VerifyUpdate continues a multiple-part verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_EXTERN _CK_RV CK_FUNC(C_VerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* plaintext data (digest) to compare */
- CK_ULONG ulPartLen /* length of data (digest) in bytes */
-);
-#endif
-
-
-/* C_VerifyFinal finishes a multiple-part verification operation,
- * checking the signature. */
-CK_EXTERN _CK_RV CK_FUNC(C_VerifyFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSignature, /* the signature to be verified */
- CK_ULONG ulSignatureLen /* count of bytes of signature */
-);
-#endif
-
-
-/* C_VerifyRecoverInit initializes a signature verification operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
-CK_EXTERN _CK_RV CK_FUNC(C_VerifyRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
- CK_OBJECT_HANDLE hKey /* handle of the verification key */
-);
-#endif
-
-
-/* C_VerifyRecover verifies a signature in a single-part operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
-CK_EXTERN _CK_RV CK_FUNC(C_VerifyRecover)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSignature, /* the signature to be verified */
- CK_ULONG ulSignatureLen, /* count of bytes of signature */
- CK_BYTE_PTR pData, /* receives decrypted data (digest)
-*/
- CK_ULONG_PTR pulDataLen /* receives byte count of data */
-);
-#endif
-
-
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting and
-encryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DigestEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* the plaintext data */
- CK_ULONG ulPartLen, /* bytes of plaintext data */
- CK_BYTE_PTR pEncryptedPart, /* receives encrypted data */
- CK_ULONG_PTR pulEncryptedPartLen /* receives encrypted byte
-count */
-);
-#endif
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DecryptDigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pEncryptedPart, /* input encrypted data */
- CK_ULONG ulEncryptedPartLen, /* count of bytes of input */
- CK_BYTE_PTR pPart, /* receives decrypted output */
- CK_ULONG_PTR pulPartLen /* receives decrypted byte
-count */
-);
-#endif
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_SignEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* the plaintext data */
- CK_ULONG ulPartLen, /* bytes of plaintext data */
- CK_BYTE_PTR pEncryptedPart, /* receives encrypted data */
- CK_ULONG_PTR pulEncryptedPartLen /* receives encrypted byte
-count */
-);
-#endif
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation. */
-CK_EXTERN _CK_RV CK_FUNC(C_DecryptVerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pEncryptedPart, /* input encrypted data */
- CK_ULONG ulEncryptedPartLen, /* count of byes of input */
- CK_BYTE_PTR pPart, /* receives decrypted output */
- CK_ULONG_PTR pulPartLen /* receives decrypted byte
-count */
-);
-#endif
-
-
-
-/* Key management */
-
-/* C_GenerateKey generates a secret key, creating a new key object. */
-CK_EXTERN _CK_RV CK_FUNC(C_GenerateKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the key generation mechanism */
- CK_ATTRIBUTE_PTR pTemplate, /* template for the new key */
- CK_ULONG ulCount, /* number of attributes in template
-*/
- CK_OBJECT_HANDLE_PTR phKey /* receives handle of new key */
-);
-#endif
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
-CK_EXTERN _CK_RV CK_FUNC(C_GenerateKeyPair)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's
-handle */
- CK_MECHANISM_PTR pMechanism, /* the key gen.
-mech. */
- CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* pub. attr.
-template */
- CK_ULONG ulPublicKeyAttributeCount, /* # of pub. attrs.
-*/
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* priv. attr.
-template */
- CK_ULONG ulPrivateKeyAttributeCount, /* # of priv. attrs.
-*/
- CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. key
-handle */
- CK_OBJECT_HANDLE_PTR phPrivateKey /* gets priv. key
-handle */
-);
-#endif
-
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-CK_EXTERN _CK_RV CK_FUNC(C_WrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
- CK_OBJECT_HANDLE hWrappingKey, /* handle of the wrapping key */
- CK_OBJECT_HANDLE hKey, /* handle of the key to be wrapped
-*/
- CK_BYTE_PTR pWrappedKey, /* receives the wrapped key */
- CK_ULONG_PTR pulWrappedKeyLen /* receives byte size of wrapped
-key */
-);
-#endif
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key
-object. */
-CK_EXTERN _CK_RV CK_FUNC(C_UnwrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the unwrapping mechanism */
- CK_OBJECT_HANDLE hUnwrappingKey, /* handle of the unwrapping
-key */
- CK_BYTE_PTR pWrappedKey, /* the wrapped key */
- CK_ULONG ulWrappedKeyLen, /* bytes length of wrapped key
-*/
- CK_ATTRIBUTE_PTR pTemplate, /* template for the new key */
- CK_ULONG ulAttributeCount, /* # of attributes in template
-*/
- CK_OBJECT_HANDLE_PTR phKey /* gets handle of recovered
-key */
-);
-#endif
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key object.
-*/
-CK_EXTERN _CK_RV CK_FUNC(C_DeriveKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the key derivation
-mechanism */
- CK_OBJECT_HANDLE hBaseKey, /* handle of the base key */
- CK_ATTRIBUTE_PTR pTemplate, /* template for the new key */
- CK_ULONG ulAttributeCount, /* # of attributes in template
-*/
- CK_OBJECT_HANDLE_PTR phKey /* gets handle of derived key
-*/
-);
-#endif
-
-
-
-/* Random number generation */
-
-/* C_SeedRandom mixes additional seed material into the token's random
-number
- * generator. */
-CK_EXTERN _CK_RV CK_FUNC(C_SeedRandom)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSeed, /* the seed material */
- CK_ULONG ulSeedLen /* count of bytes of seed material */
-);
-#endif
-
-
-/* C_GenerateRandom generates random data. */
-CK_EXTERN _CK_RV CK_FUNC(C_GenerateRandom)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR RandomData, /* receives the random data */
- CK_ULONG ulRandomLen /* number of bytes to be generated */
-);
-#endif
-
-
-
-/* Parallel function management */
-
-/* C_GetFunctionStatus obtains an updated status of a function running
- * in parallel with an application. */
-CK_EXTERN _CK_RV CK_FUNC(C_GetFunctionStatus)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-/* C_CancelFunction cancels a function running in parallel. */
-CK_EXTERN _CK_RV CK_FUNC(C_CancelFunction)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-
-/* Functions added in for PKCS #11 Version 2.01 or later */
-
-/* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur. */
-CK_EXTERN _CK_RV CK_FUNC(C_WaitForSlotEvent)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_FLAGS flags, /* blocking/nonblocking flag */
- CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
- CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
-);
-#endif
diff --git a/security/nss/lib/fortcrypt/fpkcs11i.h b/security/nss/lib/fortcrypt/fpkcs11i.h
deleted file mode 100644
index 9359bb8d6..000000000
--- a/security/nss/lib/fortcrypt/fpkcs11i.h
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Internal data structures used by pkcs11.c
- */
-#ifndef _FPKCS11I_H_
-#define _FPKCS11I_H_ 1
-
-#include "fpkstrs.h"
-#ifdef SWFORT
-#ifndef RETURN_TYPE
-#define RETURN_TYPE int
-#endif
-#endif
-#include "genci.h"
-
-typedef struct PK11AttributeStr PK11Attribute;
-typedef struct PK11ObjectListStr PK11ObjectList;
-typedef struct PK11ObjectListElementStr PK11ObjectListElement;
-typedef struct PK11ObjectStr PK11Object;
-typedef struct PK11SessionStr PK11Session;
-typedef struct PK11SlotStr PK11Slot;
-typedef struct PK11SessionContextStr PK11SessionContext;
-typedef struct PK11SearchResultsStr PK11SearchResults;
-
-typedef void (*PK11Destroy)(void *, PRBool);
-typedef SECStatus (*PK11Cipher)(void *,void *,unsigned int *,unsigned int,
- void *, unsigned int);
-typedef SECStatus (*PK11Verify)(void *,void *,unsigned int,void *,unsigned int);
-typedef void (*PK11Hash)(void *,void *,unsigned int);
-typedef void (*PK11End)(void *,void *,unsigned int *,unsigned int);
-typedef void (*PK11Free)(void *);
-
-#define HASH_SIZE 32
-#define SESSION_HASH_SIZE 64
-
-/* Value to tell if an attribute is modifiable or not.
- * NEVER: attribute is only set on creation.
- * ONCOPY: attribute is set on creation and can only be changed on copy.
- * SENSITIVE: attribute can only be changed to TRUE.
- * ALWAYS: attribute can always be changed.
- */
-typedef enum {
- PK11_NEVER = 0,
- PK11_ONCOPY = 1,
- PK11_SENSITIVE = 2,
- PK11_ALWAYS = 3
-} PK11ModifyType;
-
-/*
- * Free Status Enum... tell us more information when we think we're
- * deleting an object.
- */
-typedef enum {
- PK11_DestroyFailure,
- PK11_Destroyed,
- PK11_Busy
-} PK11FreeStatus;
-
-/*
- * attribute values of an object.
- */
-struct PK11AttributeStr {
- PK11Attribute *next;
- PK11Attribute *prev;
- int refCount;
- void *refLock;
- /*must be called handle to make pk11queue_find work */
- CK_ATTRIBUTE_TYPE handle;
- CK_ATTRIBUTE attrib;
-};
-
-struct PK11ObjectListStr {
- PK11ObjectList *next;
- PK11ObjectList *prev;
- PK11Object *parent;
-};
-
-/*
- * PKCS 11 crypto object structure
- */
-struct PK11ObjectStr {
- PK11Object *next;
- PK11Object *prev;
- PK11ObjectList sessionList;
- CK_OBJECT_HANDLE handle;
- int refCount;
- void *refLock;
- void *attributeLock;
- PK11Session *session;
- PK11Slot *slot;
- CK_OBJECT_CLASS objclass;
- void *objectInfo;
- PK11Free infoFree;
- char *label;
- PRBool inDB;
- PK11Attribute *head[HASH_SIZE];
-};
-
-/*
- * struct to deal with a temparary list of objects
- */
-struct PK11ObjectListElementStr {
- PK11ObjectListElement *next;
- PK11Object *object;
-};
-
-/*
- * Area to hold Search results
- */
-struct PK11SearchResultsStr {
- CK_OBJECT_HANDLE *handles;
- int size;
- int index;
-};
-
-
-/*
- * the universal crypto/hash/sign/verify context structure
- */
-typedef enum {
- PK11_ENCRYPT,
- PK11_DECRYPT,
- PK11_HASH,
- PK11_SIGN,
- PK11_SIGN_RECOVER,
- PK11_VERIFY,
- PK11_VERIFY_RECOVER
-} PK11ContextType;
-
-
-struct PK11SessionContextStr {
- PK11ContextType type;
- PRBool multi; /* is multipart */
- void *cipherInfo;
- unsigned int cipherInfoLen;
- CK_MECHANISM_TYPE currentMech;
- PK11Cipher update;
- PK11Hash hashUpdate;
- PK11End end;
- PK11Destroy destroy;
- PK11Verify verify;
- unsigned int maxLen;
-};
-
-/*
- * Sessions (have objects)
- */
-struct PK11SessionStr {
- PK11Session *next;
- PK11Session *prev;
- CK_SESSION_HANDLE handle;
- int refCount;
- void *refLock;
- void *objectLock;
- int objectIDCount;
- CK_SESSION_INFO info;
- CK_NOTIFY notify;
- CK_VOID_PTR appData;
- PK11Slot *slot;
- PK11SearchResults *search;
- PK11SessionContext *context;
- PK11ObjectList *objects[1];
- FortezzaContext fortezzaContext;
-};
-
-/*
- * slots (have sessions and objects)
- */
-struct PK11SlotStr {
- CK_SLOT_ID slotID;
- void *sessionLock;
- void *objectLock;
- SECItem *password;
- PRBool hasTokens;
- PRBool isLoggedIn;
- PRBool ssoLoggedIn;
- PRBool needLogin;
- PRBool DB_loaded;
- int sessionIDCount;
- int sessionCount;
- int rwSessionCount;
- int tokenIDCount;
- PK11Object *tokObjects[HASH_SIZE];
- PK11Session *head[SESSION_HASH_SIZE];
-};
-
-/*
- * session handle modifiers
- */
-#define PK11_PRIVATE_KEY_FLAG 0x80000000L
-
-/*
- * object handle modifiers
- */
-#define PK11_TOKEN_MASK 0x80000000L
-#define PK11_TOKEN_MAGIC 0x80000000L
-#define PK11_TOKEN_TYPE_MASK 0x70000000L
-#define PK11_TOKEN_TYPE_CERT 0x00000000L
-#define PK11_TOKEN_TYPE_PRIV 0x10000000L
-
-/* how big a password/pin we can deal with */
-#define PK11_MAX_PIN 255
-
-/* slot helper macros */
-#define pk11_SlotFromSessionHandle(handle) (((handle) & PK11_PRIVATE_KEY_FLAG)\
- ? &pk11_slot[1] : &pk11_slot[0])
-#define PK11_TOSLOT1(handle) handle &= ~PK11_PRIVATE_KEY_FLAG
-#define PK11_TOSLOT2(handle) handle |= PK11_PRIVATE_KEY_FLAG
-#define pk11_SlotFromSession(sp) ((sp)->slot)
-#define pk11_SlotFromID(id) ((id) == NETSCAPE_SLOT_ID ? \
- &pk11_slot[0] : (((id) == PRIVATE_KEY_SLOT_ID) ? &pk11_slot[1] : NULL))
-#define pk11_isToken(id) (((id) & PK11_TOKEN_MASK) == PK11_TOKEN_MAGIC)
-
-/* queueing helper macros */
-#define pk11_hash(value,size) ((value) & (size-1))/*size must be a power of 2*/
-#define pk11queue_add(element,id,head,hash_size) \
- { int tmp = pk11_hash(id,hash_size); \
- (element)->next = (head)[tmp]; \
- (element)->prev = NULL; \
- if ((head)[tmp]) (head)[tmp]->prev = (element); \
- (head)[tmp] = (element); }
-#define pk11queue_find(element,id,head,hash_size) \
- for( (element) = (head)[pk11_hash(id,hash_size)]; (element) != NULL; \
- (element) = (element)->next) { \
- if ((element)->handle == (id)) { break; } }
-#define pk11queue_delete(element,id,head,hash_size) \
- if ((element)->next) (element)->next->prev = (element)->prev; \
- if ((element)->prev) (element)->prev->next = (element)->next; \
- else (head)[pk11_hash(id,hash_size)] = ((element)->next); \
- (element)->next = NULL; \
- (element)->prev = NULL; \
-
-/* expand an attribute & secitem structures out */
-#define pk11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
-#define pk11_item_expand(ip) (ip)->data,(ip)->len
-
-#endif
-
diff --git a/security/nss/lib/fortcrypt/fpkcs11t.h b/security/nss/lib/fortcrypt/fpkcs11t.h
deleted file mode 100644
index f3c6b0470..000000000
--- a/security/nss/lib/fortcrypt/fpkcs11t.h
+++ /dev/null
@@ -1,1098 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-#ifndef _PKCS11T_H_
-#define _PKCS11T_H_ 1
-
-/* an unsigned 8-bit value */
-typedef unsigned char CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE CK_CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
-typedef long int CK_LONG;
-
-/* at least 32 bits, each bit is a Boolean flag */
-typedef CK_ULONG CK_FLAGS;
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE 0
-
-/* these data types are platform/implementation dependent. */
-#if defined(XP_WIN)
-#if defined(_WIN32)
-#define CK_ENTRY
-#define CK_PTR * /* definition for Win32 */
-#define NULL_PTR 0 /* NULL pointer */
-#pragma pack(push, cryptoki, 1)
-#else /* win16 */
-#if defined(__WATCOMC__)
-#define CK_ENTRY
-#define CK_PTR * /* definition for Win16 */
-#define NULL_PTR 0 /* NULL pointer */
-#pragma pack(push, 1)
-#else /* not Watcom 16-bit */
-#define CK_ENTRY
-#define CK_PTR * /* definition for Win16 */
-#define NULL_PTR 0 /* NULL pointer */
-#pragma pack(1)
-#endif
-#endif
-#else /* not windows */
-#define CK_ENTRY
-#define CK_PTR * /* definition for UNIX */
-#define NULL_PTR 0 /* NULL pointer */
-#endif
-
-
-typedef CK_BYTE CK_PTR CK_BYTE_PTR; /* Pointer to a CK_BYTE */
-typedef CK_CHAR CK_PTR CK_CHAR_PTR; /* Pointer to a CK_CHAR */
-typedef CK_ULONG CK_PTR CK_ULONG_PTR; /* Pointer to a CK_ULONG */
-typedef void CK_PTR CK_VOID_PTR; /* Pointer to a void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; /* Pointer to a CK_VOID_PTR */
-
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
-
-typedef struct CK_VERSION {
- CK_BYTE major; /* integer portion of the version number */
- CK_BYTE minor; /* hundredths portion of the version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR; /* points to a CK_VERSION */
-
-
-typedef struct CK_INFO {
- CK_VERSION cryptokiVersion; /* PKCS #11 interface version number */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_FLAGS flags; /* must be zero */
-
- /* libraryDescription and libraryVersion are new for v2.0 */
- CK_CHAR libraryDescription[32]; /* blank padded */
- CK_VERSION libraryVersion; /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR CK_INFO_PTR; /* points to a CK_INFO structure */
-
-
-/* CK_NOTIFICATION enumerates the types of notifications
- * that PKCS #11 provides to an application. */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG for v2.0 */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER 0
-
-
-typedef CK_ULONG CK_SLOT_ID;
-
-/* CK_SLOT_ID_PTR points to a CK_SLOT_ID. */
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot. */
-typedef struct CK_SLOT_INFO {
- CK_CHAR slotDescription[64]; /* blank padded */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_FLAGS flags;
-
- /* hardwareVersion and firmwareVersion are new for v2.0 */
- CK_VERSION hardwareVersion; /* version of hardware */
- CK_VERSION firmwareVersion; /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bits flags that provide capabilities of the slot.
- * Bit Flag Mask Meaning
- */
-#define CKF_TOKEN_PRESENT 0x00000001 /* a token is present in the slot */
-#define CKF_REMOVABLE_DEVICE 0x00000002 /* reader supports removable devices*/
-#define CKF_HW_SLOT 0x00000004 /* a hardware slot, not a "soft token"*/
-
-/* CK_SLOT_INFO_PTR points to a CK_SLOT_INFO. */
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token. */
-typedef struct CK_TOKEN_INFO {
- CK_CHAR label[32]; /* blank padded */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_CHAR model[16]; /* blank padded */
- CK_CHAR serialNumber[16]; /* blank padded */
- CK_FLAGS flags; /* see below */
-
- /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
- * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
- * changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulMaxSessionCount; /* max open sessions */
- CK_ULONG ulSessionCount; /* sessions currently open */
- CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
- CK_ULONG ulRwSessionCount; /* R/W sessions currently open */
- CK_ULONG ulMaxPinLen; /* in bytes */
- CK_ULONG ulMinPinLen; /* in bytes */
- CK_ULONG ulTotalPublicMemory; /* in bytes */
- CK_ULONG ulFreePublicMemory; /* in bytes */
- CK_ULONG ulTotalPrivateMemory; /* in bytes */
- CK_ULONG ulFreePrivateMemory; /* in bytes */
-
- /* hardwareVersion, firmwareVersion, and time are new for v2.0 */
- CK_VERSION hardwareVersion; /* version of hardware */
- CK_VERSION firmwareVersion; /* version of firmware */
- CK_CHAR utcTime[16]; /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- * Table 7-2, Token Information Flags
- * Bit Flag Mask Meaning
- */
-#define CKF_RNG 0x00000001 /* has random number generator */
-#define CKF_WRITE_PROTECTED 0x00000002 /* token is write-protected */
-#define CKF_LOGIN_REQUIRED 0x00000004 /* a user must be logged in */
-#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's PIN is initialized */
-
-
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, then that means */
-/* that *every* time the state of cryptographic operations of a session is */
-/* successfully saved, all keys needed to continue those operations are */
-/* stored in the state. */
-#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020 /* key always saved in saved sessions */
-
-/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, then that means that */
-/* the token has some sort of clock. The time on that clock is returned in */
-/* the token info structure. */
-#define CKF_CLOCK_ON_TOKEN 0x00000040 /* token has a clock */
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is true, that means */
-/* that there is some way for the user to login without sending a PIN through */
-/* the PKCS #11 library itself. */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100 /* token has protected path */
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true, that
- * means that a single session with the token can perform dual
- * simultaneous cryptographic operations (digest and encrypt;
- * decrypt and digest; sign and encrypt; and decrypt and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 /* dual crypto operations */
-
-/* CK_TOKEN_INFO_PTR points to a CK_TOKEN_INFO. */
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a PKCS #11-assigned value that identifies a session. */
-typedef CK_ULONG CK_SESSION_HANDLE;
-
-/* CK_SESSION_HANDLE_PTR points to a CK_SESSION_HANDLE. */
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of PKCS #11 users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for v2.0 */
-typedef CK_ULONG CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO 0
-/* Normal user */
-#define CKU_USER 1
-
-
-/* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for v2.0 */
-typedef CK_ULONG CK_STATE;
-#define CKS_RO_PUBLIC_SESSION 0
-#define CKS_RO_USER_FUNCTIONS 1
-#define CKS_RW_PUBLIC_SESSION 2
-#define CKS_RW_SO_FUNCTIONS 3
-#define CKS_RW_USER_FUNCTIONS 4
-
-
-/* CK_SESSION_INFO provides information about a session. */
-typedef struct CK_SESSION_INFO {
- CK_SLOT_ID slotID;
- CK_STATE state;
- CK_FLAGS flags; /* see below */
-
- /* ulDeviceError was changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulDeviceError; /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table. */
-/* Table 7-3, Session Information Flags */
-/* Bit Flag Mask Meaning
- */
-#define CKF_RW_SESSION 0x00000002 /* session is read/write; not R/O */
-#define CKF_SERIAL_SESSION 0x00000004 /* session doesn't support parallel */
-
-/* CK_SESSION_INFO_PTR points to a CK_SESSION_INFO. */
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an object. */
-typedef CK_ULONG CK_OBJECT_HANDLE;
-
-/* CK_OBJECT_HANDLE_PTR points to a CK_OBJECT_HANDLE. */
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or types)
- * of objects that PKCS #11 recognizes. It is defined as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-#define CKO_DATA 0x00000000
-#define CKO_CERTIFICATE 0x00000001
-#define CKO_PUBLIC_KEY 0x00000002
-#define CKO_PRIVATE_KEY 0x00000003
-#define CKO_SECRET_KEY 0x00000004
-#define CKO_VENDOR_DEFINED 0x80000000L
-
-/* CK_OBJECT_CLASS_PTR points to a CK_OBJECT_CLASS structure. */
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-
-/* CK_KEY_TYPE is a value that identifies a key type. */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA 0x00000000
-#define CKK_DSA 0x00000001
-#define CKK_DH 0x00000002
-
-/* CKK_ECDSA, and CKK_KEA are new for v2.0 */
-#define CKK_ECDSA 0x00000003
-#define CKK_KEA 0x00000005
-
-#define CKK_GENERIC_SECRET 0x00000010
-#define CKK_RC2 0x00000011
-#define CKK_RC4 0x00000012
-#define CKK_DES 0x00000013
-#define CKK_DES2 0x00000014
-#define CKK_DES3 0x00000015
-
-/* all these key types are new for v2.0 */
-#define CKK_CAST 0x00000016
-#define CKK_CAST3 0x00000017
-#define CKK_CAST5 0x00000018
-#define CKK_RC5 0x00000019
-#define CKK_IDEA 0x0000001A
-#define CKK_SKIPJACK 0x0000001B
-#define CKK_BATON 0x0000001C
-#define CKK_JUNIPER 0x0000001D
-#define CKK_CDMF 0x0000001E
-
-#define CKK_VENDOR_DEFINED 0x80000000L
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate type. */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_CERTIFICATE_TYPE;
-
-/* The following certificate types are defined: */
-#define CKC_X_509 0x00000000
-#define CKC_VENDOR_DEFINED 0x80000000L
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute type. */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_ATTRIBUTE_TYPE;
-
-/* The following attribute types are defined: */
-#define CKA_CLASS 0x00000000
-#define CKA_TOKEN 0x00000001
-#define CKA_PRIVATE 0x00000002
-#define CKA_LABEL 0x00000003
-#define CKA_APPLICATION 0x00000010
-#define CKA_VALUE 0x00000011
-#define CKA_CERTIFICATE_TYPE 0x00000080
-#define CKA_ISSUER 0x00000081
-#define CKA_SERIAL_NUMBER 0x00000082
-#define CKA_KEY_TYPE 0x00000100
-#define CKA_SUBJECT 0x00000101
-#define CKA_ID 0x00000102
-#define CKA_SENSITIVE 0x00000103
-#define CKA_ENCRYPT 0x00000104
-#define CKA_DECRYPT 0x00000105
-#define CKA_WRAP 0x00000106
-#define CKA_UNWRAP 0x00000107
-#define CKA_SIGN 0x00000108
-#define CKA_SIGN_RECOVER 0x00000109
-#define CKA_VERIFY 0x0000010A
-#define CKA_VERIFY_RECOVER 0x0000010B
-#define CKA_DERIVE 0x0000010C
-#define CKA_START_DATE 0x00000110
-#define CKA_END_DATE 0x00000111
-#define CKA_MODULUS 0x00000120
-#define CKA_MODULUS_BITS 0x00000121
-#define CKA_PUBLIC_EXPONENT 0x00000122
-#define CKA_PRIVATE_EXPONENT 0x00000123
-#define CKA_PRIME_1 0x00000124
-#define CKA_PRIME_2 0x00000125
-#define CKA_EXPONENT_1 0x00000126
-#define CKA_EXPONENT_2 0x00000127
-#define CKA_COEFFICIENT 0x00000128
-#define CKA_PRIME 0x00000130
-#define CKA_SUBPRIME 0x00000131
-#define CKA_BASE 0x00000132
-#define CKA_VALUE_BITS 0x00000160
-#define CKA_VALUE_LEN 0x00000161
-
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, */
-/* and CKA_MODIFIABLE are new for v2.0 */
-#define CKA_EXTRACTABLE 0x00000162
-#define CKA_LOCAL 0x00000163
-#define CKA_NEVER_EXTRACTABLE 0x00000164
-#define CKA_ALWAYS_SENSITIVE 0x00000165
-#define CKA_MODIFIABLE 0x00000170
-
-#define CKA_VENDOR_DEFINED 0x80000000L
-
-/* CK_ATTRIBUTE is a structure that includes the type, length and value
- * of an attribute. */
-typedef struct CK_ATTRIBUTE {
- CK_ATTRIBUTE_TYPE type;
- CK_VOID_PTR pValue;
-
- /* ulValueLen was changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulValueLen; /* in bytes */
-} CK_ATTRIBUTE;
-
-/* CK_ATTRIBUTE_PTR points to a CK_ATTRIBUTE. */
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-
-/* CK_DATE is a structure that defines a date. */
-typedef struct CK_DATE{
- CK_CHAR year[4]; /* the year ("1900" - "9999") */
- CK_CHAR month[2]; /* the month ("01" - "12") */
- CK_CHAR day[2]; /* the day ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism type. */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
-#define CKM_RSA_PKCS 0x00000001
-#define CKM_RSA_9796 0x00000002
-#define CKM_RSA_X_509 0x00000003
-
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS are */
-/* new for v2.0. They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS 0x00000004
-#define CKM_MD5_RSA_PKCS 0x00000005
-#define CKM_SHA1_RSA_PKCS 0x00000006
-
-#define CKM_DSA_KEY_PAIR_GEN 0x00000010
-#define CKM_DSA 0x00000011
-#define CKM_DSA_SHA1 0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
-#define CKM_DH_PKCS_DERIVE 0x00000021
-#define CKM_RC2_KEY_GEN 0x00000100
-#define CKM_RC2_ECB 0x00000101
-#define CKM_RC2_CBC 0x00000102
-#define CKM_RC2_MAC 0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new to v2.0 */
-#define CKM_RC2_MAC_GENERAL 0x00000104
-#define CKM_RC2_CBC_PAD 0x00000105
-
-#define CKM_RC4_KEY_GEN 0x00000110
-#define CKM_RC4 0x00000111
-#define CKM_DES_KEY_GEN 0x00000120
-#define CKM_DES_ECB 0x00000121
-#define CKM_DES_CBC 0x00000122
-#define CKM_DES_MAC 0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new to v2.0 */
-#define CKM_DES_MAC_GENERAL 0x00000124
-#define CKM_DES_CBC_PAD 0x00000125
-
-#define CKM_DES2_KEY_GEN 0x00000130
-#define CKM_DES3_KEY_GEN 0x00000131
-#define CKM_DES3_ECB 0x00000132
-#define CKM_DES3_CBC 0x00000133
-#define CKM_DES3_MAC 0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, */
-/* CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, CKM_CDMF_MAC_GENERAL, */
-/* and CKM_CDMF_CBC_PAD are new to v2.0 */
-#define CKM_DES3_MAC_GENERAL 0x00000135
-#define CKM_DES3_CBC_PAD 0x00000136
-#define CKM_CDMF_KEY_GEN 0x00000140
-#define CKM_CDMF_ECB 0x00000141
-#define CKM_CDMF_CBC 0x00000142
-#define CKM_CDMF_MAC 0x00000143
-#define CKM_CDMF_MAC_GENERAL 0x00000144
-#define CKM_CDMF_CBC_PAD 0x00000145
-
-#define CKM_MD2 0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new to v2.0 */
-#define CKM_MD2_HMAC 0x00000201
-#define CKM_MD2_HMAC_GENERAL 0x00000202
-
-#define CKM_MD5 0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new to v2.0 */
-#define CKM_MD5_HMAC 0x00000211
-#define CKM_MD5_HMAC_GENERAL 0x00000212
-
-#define CKM_SHA_1 0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new to v2.0 */
-#define CKM_SHA_1_HMAC 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL 0x00000222
-
-/* All the following mechanisms are new to v2.0 */
-#define CKM_CAST_KEY_GEN 0x00000300
-#define CKM_CAST_ECB 0x00000301
-#define CKM_CAST_CBC 0x00000302
-#define CKM_CAST_MAC 0x00000303
-#define CKM_CAST_MAC_GENERAL 0x00000304
-#define CKM_CAST_CBC_PAD 0x00000305
-#define CKM_CAST3_KEY_GEN 0x00000310
-#define CKM_CAST3_ECB 0x00000311
-#define CKM_CAST3_CBC 0x00000312
-#define CKM_CAST3_MAC 0x00000313
-#define CKM_CAST3_MAC_GENERAL 0x00000314
-#define CKM_CAST3_CBC_PAD 0x00000315
-#define CKM_CAST5_KEY_GEN 0x00000320
-#define CKM_CAST5_ECB 0x00000321
-#define CKM_CAST5_CBC 0x00000322
-#define CKM_CAST5_MAC 0x00000323
-#define CKM_CAST5_MAC_GENERAL 0x00000324
-#define CKM_CAST5_CBC_PAD 0x00000325
-#define CKM_RC5_KEY_GEN 0x00000330
-#define CKM_RC5_ECB 0x00000331
-#define CKM_RC5_CBC 0x00000332
-#define CKM_RC5_MAC 0x00000333
-#define CKM_RC5_MAC_GENERAL 0x00000334
-#define CKM_RC5_CBC_PAD 0x00000335
-#define CKM_IDEA_KEY_GEN 0x00000340
-#define CKM_IDEA_ECB 0x00000341
-#define CKM_IDEA_CBC 0x00000342
-#define CKM_IDEA_MAC 0x00000343
-#define CKM_IDEA_MAC_GENERAL 0x00000344
-#define CKM_IDEA_CBC_PAD 0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
-#define CKM_XOR_BASE_AND_DATA 0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
-#define CKM_SSL3_MD5_MAC 0x00000380
-#define CKM_SSL3_SHA1_MAC 0x00000381
-#define CKM_MD5_KEY_DERIVATION 0x00000390
-#define CKM_MD2_KEY_DERIVATION 0x00000391
-#define CKM_SHA1_KEY_DERIVATION 0x00000392
-#define CKM_PBE_MD2_DES_CBC 0x000003A0
-#define CKM_PBE_MD5_DES_CBC 0x000003A1
-#define CKM_PBE_MD5_CAST_CBC 0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
-#define CKM_PBE_SHA1_RC4_128 0x000003A6
-#define CKM_PBE_SHA1_RC4_40 0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
-#define CKM_KEY_WRAP_LYNKS 0x00000400
-#define CKM_KEY_WRAP_SET_OAEP 0x00000401
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN 0x00001000
-#define CKM_SKIPJACK_ECB64 0x00001001
-#define CKM_SKIPJACK_CBC64 0x00001002
-#define CKM_SKIPJACK_OFB64 0x00001003
-#define CKM_SKIPJACK_CFB64 0x00001004
-#define CKM_SKIPJACK_CFB32 0x00001005
-#define CKM_SKIPJACK_CFB16 0x00001006
-#define CKM_SKIPJACK_CFB8 0x00001007
-#define CKM_SKIPJACK_WRAP 0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
-#define CKM_SKIPJACK_RELAYX 0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN 0x00001010
-#define CKM_KEA_KEY_DERIVE 0x00001011
-#define CKM_FORTEZZA_TIMESTAMP 0x00001020
-#define CKM_BATON_KEY_GEN 0x00001030
-#define CKM_BATON_ECB128 0x00001031
-#define CKM_BATON_ECB96 0x00001032
-#define CKM_BATON_CBC128 0x00001033
-#define CKM_BATON_COUNTER 0x00001034
-#define CKM_BATON_SHUFFLE 0x00001035
-#define CKM_BATON_WRAP 0x00001036
-#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
-#define CKM_ECDSA 0x00001041
-#define CKM_ECDSA_SHA1 0x00001042
-#define CKM_JUNIPER_KEY_GEN 0x00001060
-#define CKM_JUNIPER_ECB128 0x00001061
-#define CKM_JUNIPER_CBC128 0x00001062
-#define CKM_JUNIPER_COUNTER 0x00001063
-#define CKM_JUNIPER_SHUFFLE 0x00001064
-#define CKM_JUNIPER_WRAP 0x00001065
-#define CKM_FASTHASH 0x00001070
-
-#define CKM_VENDOR_DEFINED 0x80000000L
-
-
-/* CK_MECHANISM_TYPE_PTR points to a CK_MECHANISM_TYPE structure. */
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular mechanism. */
-typedef struct CK_MECHANISM {
- CK_MECHANISM_TYPE mechanism;
- CK_VOID_PTR pParameter;
-
- /* ulParameterLen was changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulParameterLen; /* in bytes */
-} CK_MECHANISM;
-
-/* CK_MECHANISM_PTR points to a CK_MECHANISM structure. */
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular mechanism. */
-typedef struct CK_MECHANISM_INFO {
- CK_ULONG ulMinKeySize;
- CK_ULONG ulMaxKeySize;
- CK_FLAGS flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows.
- * Table 7-4, Mechanism Information FLags
- * Bit Flag Mask Meaning */
-#define CKF_HW 0x00000001 /* performed by HW device; not SW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, CKG_SIGN_RECOVER, */
-/* CKF_VERIFY, CKF_VERIFY_RECOVER, CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, */
-/* CKF_UNWRAP, and CKF_DERIVE are new for v2.0 */
-#define CKF_ENCRYPT 0x00000100 /* can be used with C_EncryptInit */
-#define CKF_DECRYPT 0x00000200 /* can be used with C_DecryptInit */
-#define CKF_DIGEST 0x00000400 /* can be used with C_DigestInit */
-#define CKF_SIGN 0x00000800 /* can be used with C_SignInit */
-#define CKF_SIGN_RECOVER 0x00001000 /* can use with C_SignRecoverInit */
-#define CKF_VERIFY 0x00002000 /* can be used with C_VerifyInit */
-#define CKF_VERIFY_RECOVER 0x00004000 /* can use w/ C_VerifyRecoverInit */
-#define CKF_GENERATE 0x00008000L /* can be used with C_GenerateKey */
-#define CKF_GENERATE_KEY_PAIR 0x00010000L /* can use with C_GenerateKeyPair */
-#define CKF_WRAP 0x00020000L /* can be used with C_WrapKey */
-#define CKF_UNWRAP 0x00040000L /* can be used with C_UnwrapKey */
-#define CKF_DERIVE 0x00080000L /* can be used with C_DeriveKey */
-
-#define CKF_EXTENSION 0x80000000L /* Must be FALSE for this version */
-
-/* CK_MECHANISM_INFO_PTR points to a CK_MECHANISM_INFO structure. */
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a PKCS #11 function. */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_RV;
-
-#define CKR_OK 0x00000000
-#define CKR_CANCEL 0x00000001
-#define CKR_HOST_MEMORY 0x00000002
-#define CKR_SLOT_ID_INVALID 0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR 0x00000005
-#define CKR_FUNCTION_FAILED 0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD 0x00000007
-#define CKR_NO_EVENT 0x00000008
-#define CKR_NEED_TO_CREATE_THREADS 0x00000009
-#define CKR_CANT_LOCK 0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
-#define CKR_DATA_INVALID 0x00000020
-#define CKR_DATA_LEN_RANGE 0x00000021
-#define CKR_DEVICE_ERROR 0x00000030
-#define CKR_DEVICE_MEMORY 0x00000031
-#define CKR_DEVICE_REMOVED 0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
-#define CKR_FUNCTION_CANCELED 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
-
-#define CKR_KEY_HANDLE_INVALID 0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE 0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are
- * new for v2.0 */
-#define CKR_KEY_NOT_NEEDED 0x00000064
-#define CKR_KEY_CHANGED 0x00000065
-#define CKR_KEY_NEEDED 0x00000066
-#define CKR_KEY_INDIGESTIBLE 0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
-#define CKR_KEY_NOT_WRAPPABLE 0x00000069
-#define CKR_KEY_UNEXTRACTABLE 0x0000006A
-
-#define CKR_MECHANISM_INVALID 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID 0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID 0x00000082
-#define CKR_OPERATION_ACTIVE 0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
-#define CKR_PIN_INCORRECT 0x000000A0
-#define CKR_PIN_INVALID 0x000000A1
-#define CKR_PIN_LEN_RANGE 0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED 0x000000A3
-#define CKR_PIN_LOCKED 0x000000A4
-
-#define CKR_SESSION_CLOSED 0x000000B0
-#define CKR_SESSION_COUNT 0x000000B1
-#define CKR_SESSION_HANDLE_INVALID 0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
-#define CKR_SESSION_READ_ONLY 0x000000B5
-#define CKR_SESSION_EXISTS 0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and CKR_SESSION_READ_WRITE_SO_EXISTS
- * are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
-
-#define CKR_SIGNATURE_INVALID 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
-#define CKR_TOKEN_NOT_PRESENT 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
-#define CKR_USER_NOT_LOGGED_IN 0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
-#define CKR_USER_TYPE_INVALID 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
-#define CKR_USER_TOO_MANY_TYPES 0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID 0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG 0x00000121
-#define CKR_INSERTION_CALLBACK_SET 0x00000140
-#define CKR_INSERTION_CALLBACK_NOT_SUPPORTED 0x00000141
-#define CKR_BUFFER_TOO_SMALL 0x00000150
-#define CKR_SAVED_STATE_INVALID 0x00000160
-#define CKR_INFORMATION_SENSITIVE 0x00000170
-#define CKR_STATE_UNSAVEABLE 0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
-#define CKR_MUTEX_BAD 0x000001A0
-#define CKR_MUTEX_NOT_LOCKED 0x000001A1
-
-#define CKR_VENDOR_DEFINED 0x80000000L
-
-
-/* CK_NOTIFY is an application callback that processes events. */
-typedef CK_RV (CK_ENTRY CK_PTR CK_NOTIFY)(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication /* same as passed to C_OpenSession. */
-);
-
-/* CK_FUNCTION_LIST is going to be a structure holding a PKCS #11 spec */
-/* version and pointers of appropriate types to all the PKCS #11 functions. */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-/* CK_CREATEMUTEX is an application callback for creating a mutex */
-typedef CK_RV CK_ENTRY (CK_PTR CK_CREATEMUTEX)(
- CK_VOID_PTR_PTR ppMutex /* location to receive pointer to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a mutex */
-typedef CK_RV CK_ENTRY (CK_PTR CK_DESTROYMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_RV CK_ENTRY (CK_PTR CK_LOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a mutex */
-typedef CK_RV CK_ENTRY (CK_PTR CK_UNLOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to C_Initialize
-*/
-typedef struct CK_C_INITIALIZE_ARGS {
- CK_CREATEMUTEX CreateMutex;
- CK_DESTROYMUTEX DestroyMutex;
- CK_LOCKMUTEX LockMutex;
- CK_UNLOCKMUTEX UnlockMutex;
- CK_FLAGS flags;
- CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- * Bit Flag Mask Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 /* library may not
- * spawn its own
- * threads */
-#define CKF_OS_LOCKING_OK 0x00000002 /* library can use
- * native operating
- * system thread
- * synchronization */
-
-/* CK_C_INITIALIZE_ARGS_PTR is a pointer to a CK_C_INITIALIZE_ARGS */
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK 1
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the CKM_KEA_DERIVE
- * mechanism. */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
- CK_BBOOL isSender;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pRandomB;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-/* CK_KEA_DERIVE_PARAMS_PTR points to a CK_KEA_DERIVE_PARAMS. */
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and CKM_RC2_MAC */
-/* mechanisms. An instance of CK_RC2_PARAMS just holds the effective keysize. */
-typedef CK_ULONG CK_RC2_PARAMS;
-
-
-/* CK_RC2_PARAMS_PTR points to a CK_RC2_PARAMS. */
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC mechanism. */
-typedef struct CK_RC2_CBC_PARAMS {
- /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
-
- CK_BYTE iv[8]; /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-/* CK_RC2_CBC_PARAMS_PTR points to a CK_RC2_CBC_PARAMS. */
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the */
-/* CKM_RC2_MAC_GENERAL mechanism. */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and CKM_RC5_MAC */
-/* mechanisms. */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
-} CK_RC5_PARAMS;
-
-/* CK_RC5_PARAMS_PTR points to a CK_RC5_PARAMS. */
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC mechanism. */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_BYTE_PTR pIv; /* pointer to IV */
- CK_ULONG ulIvLen; /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-/* CK_RC5_CBC_PARAMS_PTR points to a CK_RC5_CBC_PARAMS. */
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the */
-/* CKM_RC5_MAC_GENERAL mechanism. */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block ciphers' */
-/* MAC_GENERAL mechanisms. Its value is the length of the MAC. */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
- CK_ULONG ulPasswordLen;
- CK_BYTE_PTR pPassword;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
- CK_ULONG ulPAndGLen;
- CK_ULONG ulQLen;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pPrimeP;
- CK_BYTE_PTR pBaseG;
- CK_BYTE_PTR pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR points to a
- * CK_SKIPJACK_PRIVATE_WRAP_PARAMS */
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
- CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
- CK_ULONG ulOldWrappedXLen;
- CK_BYTE_PTR pOldWrappedX;
- CK_ULONG ulOldPasswordLen;
- CK_BYTE_PTR pOldPassword;
- CK_ULONG ulOldPublicDataLen;
- CK_BYTE_PTR pOldPublicData;
- CK_ULONG ulOldRandomLen;
- CK_BYTE_PTR pOldRandomA;
- CK_ULONG ulNewPasswordLen;
- CK_BYTE_PTR pNewPassword;
- CK_ULONG ulNewPublicDataLen;
- CK_BYTE_PTR pNewPublicData;
- CK_ULONG ulNewRandomLen;
- CK_BYTE_PTR pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-/* CK_SKIPJACK_RELAYX_PARAMS_PTR points to a CK_SKIPJACK_RELAYX_PARAMS
-*/
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-typedef struct CK_PBE_PARAMS {
- CK_CHAR_PTR pInitVector;
- CK_CHAR_PTR pPassword;
- CK_ULONG ulPasswordLen;
- CK_CHAR_PTR pSalt;
- CK_ULONG ulSaltLen;
- CK_ULONG ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the */
-/* CKM_KEY_WRAP_SET_OAEP mechanism. */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
- CK_BYTE bBC; /* block contents byte */
- CK_BYTE_PTR pX; /* extra data */
- CK_ULONG ulXLen; /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS_PTR points to a CK_KEY_WRAP_SET_OAEP_PARAMS. */
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-/* CK_BATON_PARAMS provides the parameters to the CKM_BATON_ECB128, */
-/* CKM_BATON_ECB96, CKM_BATON_CBC128, CKM_BATON_COUNTER, and */
-/* CKM_BATON_SHUFFLE mechanisms. */
-/* CK_BATON_PARAMS is new for v2.0 */
-typedef struct CK_BATON_PARAMS {
- CK_BYTE iv[24];
-} CK_BATON_PARAMS;
-
-/* CK_BATON_PARAMS_PTR points to a CK_BATON_PARAMS. */
-typedef CK_BATON_PARAMS CK_PTR CK_BATON_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
- CK_BYTE_PTR pClientRandom;
- CK_ULONG ulClientRandomLen;
- CK_BYTE_PTR pServerRandom;
- CK_ULONG ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
- CK_OBJECT_HANDLE hClientMacSecret;
- CK_OBJECT_HANDLE hServerMacSecret;
- CK_OBJECT_HANDLE hClientKey;
- CK_OBJECT_HANDLE hServerKey;
- CK_BYTE_PTR pIVClient;
- CK_BYTE_PTR pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
- CK_ULONG ulMacSizeInBits;
- CK_ULONG ulKeySizeInBits;
- CK_ULONG ulIVSizeInBits;
- CK_BBOOL bIsExport;
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-/* The CK_DERIVATION_STRING_DATA is used for bunches of Deriviation
- * Mechanisms. */
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
- CK_BYTE_PTR pData;
- CK_ULONG ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-/* The CK_EXTRACT_PARAMS is used for the CKM_EXTRACT_KEY_FROM_KEY mechanism. */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-/* CK_EXTRACT_PARAMS_PTR points to a CK_EXTRACT_PARAMS. */
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-
-/* Do not attempt to use these. They are only used by NETSCAPE's internal
- * PKCS #11 interface. Most of these are place holders for other mechanism
- * and will change in the future.
- */
-#define CKM_NETSCAPE_PBE_KEY_GEN 0x80000001L
-#define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002L
-#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007L
-#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008L
-#define CKM_TLS_MASTER_KEY_DERIVE 0x80000371L
-#define CKM_TLS_KEY_AND_MAC_DERIVE 0x80000372L
-
-/* define used to pass in the database key for DSA private keys */
-#define CKA_NETSCAPE_DB 0xD5A0DB00L
-#define CKA_NETSCAPE_TRUST 0x80000001L
-
-#if defined(XP_WIN)
-#if defined(_WIN32)
-#pragma pack(pop, cryptoki)
-#else /* win16 */
-#if defined(__WATCOMC__)
-#pragma pack(pop)
-#else /* not Watcom 16-bit */
-#pragma pack()
-#endif
-#endif
-#endif
-
-#endif
diff --git a/security/nss/lib/fortcrypt/fpkmem.h b/security/nss/lib/fortcrypt/fpkmem.h
deleted file mode 100644
index f0530dbcb..000000000
--- a/security/nss/lib/fortcrypt/fpkmem.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _FPKMEM_H_
-#define _FPKMEM_H_
-
-#define PORT_Free free
-#define PORT_Alloc malloc
-
-#define PORT_Memcmp memcmp
-#define PORT_Memcpy memcpy
-
-#define NUM_SLOTS 32
-
-#if !defined (XP_UNIX) && !defined (_WINDOWS)
-#define XP_MAC 1 /*Make sure we get this define in for Mac builds*/
-#endif
-
-#endif /*_FPKMEM_H_*/
diff --git a/security/nss/lib/fortcrypt/fpkstrs.h b/security/nss/lib/fortcrypt/fpkstrs.h
deleted file mode 100644
index 144ea1ee7..000000000
--- a/security/nss/lib/fortcrypt/fpkstrs.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _context_h_
-#define _context_h_
-
-#ifdef SWFORT
-#ifndef RETURN_TYPE
-#define RETURN_TYPE int
-#endif
-#endif
-#include "cryptint.h"
-#include "genci.h"
-#include "maci.h"
-
-typedef enum {NOKEY, TEK, MEK, UNWRAP, Ks} FortezzaKeyType;
-typedef enum {Encrypt, Decrypt, Sign, None} CryptoType;
-
-typedef struct FortezzaKeyStr *FortezzaKeyPtr;
-typedef struct FortezzaSocketStr *FortezzaSocketPtr;
-typedef struct FortezzaKeyStr FortezzaKey;
-typedef unsigned char FortezzaMEK[12];
-
-
-typedef struct CreateTEKInfoStr {
- CI_RA Ra;
- CI_RB Rb;
- unsigned long randomLen;
- int personality;
- int flag; /*Either CI_INITIATOR_FLAG or CI_RECIPIENT_FLAG*/
- CI_Y pY;
- unsigned int YSize;
-} CreateTEKInfo;
-
-typedef struct FortezzaTEKStr {
- CI_RA Ra; /*All the parameters necessary to create a TEK */
- CI_RB Rb;
- unsigned long randomLen;
- CI_Y pY;
- int flags;
- int registerIndex;
- unsigned int ySize;
-} FortezzaTEK;
-
-struct FortezzaKeyStr {
- FortezzaKeyPtr next, prev;
- CK_OBJECT_HANDLE keyHandle;
- int keyRegister;
- FortezzaKeyType keyType;
- FortezzaSocketPtr keySocket;
- unsigned long id;
- unsigned long hitCount;
- union {
- FortezzaTEK tek;
- FortezzaMEK mek;
- } keyData;
-};
-
-typedef struct FortezzaSocketStr {
- PRBool isOpen;
- PRBool isLoggedIn;
- PRBool hasLoggedIn;
- PRBool personalitiesLoaded;
- unsigned long slotID;
- unsigned long hitCount;
- HSESSION maciSession;
- CI_SERIAL_NUMBER openCardSerial;
- CI_STATE openCardState;
- CI_PERSON *personalityList;
- int numPersonalities;
- int numKeyRegisters;
- FortezzaKey **keyRegisters; /*Array of pointers to keys in registers*/
- FortezzaKey *keys; /*Linked list of all the keys*/
- void *registersLock;
-} FortezzaSocket;
-
-typedef struct PK11SessionStr *PK11SessionPtr;
-
-typedef struct FortezzaConstextStr {
- FortezzaKey *fortezzaKey;
- FortezzaSocket *fortezzaSocket;
- PK11SessionPtr session;
- CryptoType cryptoOperation;
- CK_MECHANISM_TYPE mechanism;
- CI_SAVE_DATA cardState;
- CI_IV cardIV;
- unsigned long userRamSize;
- CK_OBJECT_HANDLE hKey;
-} FortezzaContext;
-
-
-
-#endif /*_context_h_*/
diff --git a/security/nss/lib/fortcrypt/genci.h b/security/nss/lib/fortcrypt/genci.h
deleted file mode 100644
index 7868e1853..000000000
--- a/security/nss/lib/fortcrypt/genci.h
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * the following header file switches between MACI and CI based on
- * compile options. That lest the rest of the source code operate
- * without change, even if it only suports CI_ calls, not MACI_ calls
- */
-#ifndef _GENCI_H_
-#define _GENCI_H_ 1
-#include "seccomon.h"
-
-#if defined (XP_UNIX) || defined (XP_WIN32)
-
-/*
- * On unix, NT, and Windows '95 we use full maci
- */
-#include "maci.h"
-
-#define MACI_SEL(x)
-
-/*
- * for sec-for.c
- */
-#define CI_Initialize MACI_Initialize
-#define CI_Terminate() { HSESSION hs;\
- MACI_GetSessionID(&hs);\
- MACI_Terminate(hs); }
-
-#else
-
-/*
- * On Mac we use the original CI_LIB
- */
-#include "cryptint.h"
-
-/*
- * MACI specific values not defined for CI lib
- */
-#define MACI_SESSION_EXCEEDED (-53)
-
-#ifndef HSESSION_DEFINE
-typedef unsigned int HSESSION;
-#define HSESSION_DEFINE
-#endif
-
-/*
- * Map MACI_ calls to CI_ calls. NOTE: this assumes the proper CI_Select
- * calls are issued in the CI_ case
- */
-#define MACI_ChangePIN(s,pin,old,new) CI_ChangePIN(pin,old,new)
-#define MACI_CheckPIN(s,type,pin) CI_CheckPIN(type,pin)
-#define MACI_Close(s,flag,socket) CI_Close(flag,socket)
-#define MACI_Decrypt(s,size,in,out) CI_Decrypt(size,in,out)
-#define MACI_DeleteCertificate(s,cert) CI_DeleteCertificate(cert)
-#define MACI_DeleteKey(s,index) CI_DeleteKey(index)
-#define MACI_Encrypt(s,size,in,out) CI_Encrypt(size,in,out)
-#define MACI_ExtractX(s,cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g) \
- CI_ExtractX(cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g)
-#define MACI_FirmwareUpdate(s,flags,Cksum,len,size,data) \
- CI_FirmwareUpdate(flags,Cksum,len,size,data)
-#define MACI_GenerateIV(s,iv) CI_GenerateIV(iv)
-#define MACI_GenerateMEK(s,index,res) CI_GenerateMEK(index,res)
-#define MACI_GenerateRa(s,Ra) CI_GenerateRa(Ra)
-#define MACI_GenerateRandom(s,ran) CI_GenerateRandom(ran)
-#define MACI_GenerateTEK(s,flag,index,Ra,Rb,size,Y) \
- CI_GenerateTEK(flag,index,Ra,Rb,size,Y)
-#define MACI_GenerateX(s,cert,type,pgSize,qSize,p,q,g,ySize,y) \
- CI_GenerateX(cert,type,pgSize,qSize,p,q,g,ySize,y)
-#define MACI_GetCertificate(s,cert,val) CI_GetCertificate(cert,val)
-#define MACI_GetConfiguration(s,config) CI_GetConfiguration(config)
-#define MACI_GetHash(s,size,data,val) CI_GetHash(size,data,val)
-#define MACI_GetPersonalityList(s,cnt,list) CI_GetPersonalityList(cnt,list)
-#define MACI_GetSessionID(s) CI_OK
-#define MACI_GetState(s,state) CI_GetState(state)
-#define MACI_GetStatus(s,status) CI_GetStatus(status)
-#define MACI_GetTime(s,time) CI_GetTime(time)
-#define MACI_Hash(s,size,data) CI_Hash(size,data)
-#define MACI_Initialize(count) CI_Initialize(count)
-#define MACI_InitializeHash(s) CI_InitializeHash()
-#define MACI_InstallX(s,cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g) \
- CI_InstallX(cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g)
-#define MACI_LoadCertificate(s,cert,label,data,res) \
- CI_LoadCertificate(cert,label,data,res)
-#define MACI_LoadDSAParameters(s,pgSize,qSize,p,q,g) \
- CI_LoadDSAParameters(pgSize,qSize,p,q,g)
-#define MACI_LoadInitValues(s,seed,Ks) CI_LoadInitValues(seed,Ks)
-#define MACI_LoadIV(s,iv) CI_LoadIV(iv)
-#define MACI_LoadX(s,cert,type,pgSize,qSize,p,q,g,x,ySize,y) \
- CI_LoadX(cert,type,pgSize,qSize,p,q,g,x,ySize,y)
-#define MACI_Lock(s,flags) CI_Lock(flags)
-#define MACI_Open(s,flags,index) CI_Open(flags,index)
-#define MACI_RelayX(s,oPass,oSize,oY,oRa,oX,nPass,nSize,nY,nRa,nX) \
- CI_RelayX(oPass,oSize,oY,oRa,oX,nPass,nSize,nY,nRa,nX)
-#define MACI_Reset(s) CI_Reset()
-#define MACI_Restore(s,type,data) CI_Restore(type,data)
-#define MACI_Save(s,type,data) CI_Save(type,data)
-#define MACI_Select(s,socket) CI_Select(socket)
-#define MACI_SetConfiguration(s,typ,sz,d) CI_SetConfiguration(typ,sz,d)
-#define MACI_SetKey(s,key) CI_SetKey(key)
-#define MACI_SetMode(s,type,mode) CI_SetMode(type,mode)
-#define MACI_SetPersonality(s,index) CI_SetPersonality(index)
-#define MACI_SetTime(s,time) CI_SetTime(time)
-#define MACI_Sign(s,hash,sig) CI_Sign(hash,sig)
-#define MACI_Terminate(s) CI_Terminate()
-#define MACI_TimeStamp(s,val,sig,time) CI_TimeStamp(val,sig,time)
-#define MACI_Unlock(s) CI_Unlock()
-#define MACI_UnwrapKey(s,targ,wrap,key) CI_UnwrapKey(targ,wrap,key)
-#define MACI_VerifySignature(s,h,siz,y,sig) CI_VerifySignature(h,siz,y,sig)
-#define MACI_VerifyTimeStamp(s,hash,sig,tim) CI_VerityTimeStap(hash,sig,tim)
-#define MACI_WrapKey(s,src,wrap,key) CI_WrapKey(src,wrap,key)
-#define MACI_Zeroize(s) CI_Zeroize()
-
-#define MACI_SEL(x) CI_Select(x)
-#endif /* ! XP_UNIX */
-#endif /* _GENCI_H_ */
diff --git a/security/nss/lib/fortcrypt/globinst.htm b/security/nss/lib/fortcrypt/globinst.htm
deleted file mode 100644
index cd0a194d4..000000000
--- a/security/nss/lib/fortcrypt/globinst.htm
+++ /dev/null
@@ -1,139 +0,0 @@
-<HTML>
-<--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
--->
-<SCRIPT>
-
-
-// ---------------------- Configuration variables ----------------
-var pkcs11jar="fortpk11.jar";
-//var pkcs11base="file://d|/dogbert/ns/dist/";
-pkcs11base="";
-
-var comm_platforms = pk_init_array (
- "Win32", "Win16", "Mac68k", "MacPPC",
- "AIX4.1", "HP-UXA.09", "HP-UXB.10",
- "SunOS4.1.3_U1", "SunOS5.4", "SunOS5.5.1" );
-var directories = pk_init_array (
- "win32", "win16", "none", "macppc",
- "aix", "hpux", "hpux",
- "sunos", "sol24",
- "sol251" );
-
-function mapPlatform(InPlat)
-{
- for (i=0; i < comm_platforms.length; i++) {
- if (InPlat == comm_platforms[i]) {
- return directories[i];
- }
- }
- return InPlat;
-}
-
-
-function pk_init_array()
-{
- var numArgs = pk_init_array.arguments.length;
- var a = new Array(numArgs);
-
- for (var i = 0; i < numArgs; i++) {
- a[i] = pk_init_array.arguments[i];
- }
- return a;
-}
-
-function getPlatform() {
- return navigator.platform;
-// var string = navigator.appVersion;
-// start = string.indexOf("(",0);
-// if (start == -1) {
-// return "unknown";
-// }
-// end = string.indexOf(";",start);
-// if (end == -1) {
-// end = string.indexOf(")",start);
-// }
-// if (end == -1) {
-// end = string.length;
-// }
-// platform = string.substring(start+1,end);
-// return platform;
-}
-
-function getURLPath() {
- var string = window.location.href;
- end = string.lastIndexOf("/");
- if (end == -1) {
- end = string.length-1;
- }
- return string.substring(0,end+1);
-}
-
-
-
-plat=getPlatform();
-platDir = mapPlatform(plat);
-if (pkcs11base == "") pkcs11base=getURLPath();
-
-if (plat == "MacPPC") {
- pkcs11jar= "macinst.htm"
-}
-
-function DoInstall(url) {
- window.location.href = url;
-}
-
-function DoCancel() {
- // set window.location.href to your home page if you wish
- //alert('Cancel Installation?');
- history.back();
-}
-
-// ------ Change the following for your own Message --------
-document.write("<CENTER><H1>Netscape Fortezza PKCS #11 Module Installer</H1>");
-document.write("</CENTER>");
-document.write("<Table><TR><TD>");
-document.write("<DD><p><IMG SRC=about:logo WIDTH=90 Height=77 NAME=LITRONIC></TD>");
-document.write("<TD VAlign=Center><i> Netscape Fortezza PKCS #11 Modules require Litronic's MACI drivers to be installed on your platform.");
-document.write(" If you haven't already installed theLitronic MACI drivers, please to do so now.</I>");
-document.write("</TD></TR></Table>");
-// ----- end of generic message section --------
-document.write("<p>Netscape has detected you are installing on <b>"+plat+"</b>.<br>");
-document.write("Installing: <b>"+pkcs11base+platDir+"/"+pkcs11jar+"</b><br>");
-document.write("<FORM>");
-document.write("<CENTER><Table><TR><TD><Input Type=Button name=install value='Install Now' onclick=DoInstall("+ "\"" +pkcs11base+platDir+"/"+pkcs11jar+"\""+")>");
-document.write("</TD><TD><Input type=Button name=cancel value=Cancel Onclick=DoCancel()>");
-document.write("</TD></TR></Table></CENTER>");
-document.write("</FORM>");
-document.close();
-</SCRIPT>
-</HTML>
diff --git a/security/nss/lib/fortcrypt/handinst.htm b/security/nss/lib/fortcrypt/handinst.htm
deleted file mode 100644
index f816432e1..000000000
--- a/security/nss/lib/fortcrypt/handinst.htm
+++ /dev/null
@@ -1,180 +0,0 @@
-<HTML>
-<TITLE>Generic PKCS #11 Installer</TITLE>
-<--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
--->
-<SCRIPT>
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG;
-
-
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3 // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2 // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1 // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1 // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2 // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4 // Error deleting a module
-JS_ERR_ADD_MODULE = -5 // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6 // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7 // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8 // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9 // The SSL, S/MIME cipher flags are invalid
-
-var new_window;
-var has_new_window = 0;
-
-function HandleCipher(checkBox) {
- if (checkBox.checked) {
- pkcs11MechanismFlags |= checkBox.value;
- } else {
- pkcs11MechanismFlags &= ~checkBox.value;
- }
-}
-
-function HandleSSL(checkBox) {
- if (checkBox.checked) {
- pkcs11CipherFlags |= checkBox.value;
- } else {
- pkcs11CipherFlags &= ~checkBox.value;
- }
-}
-
-function colonize(string) {
- len = string.length;
- end = len -1;
-
- if (len == 0) return string;
-
-
- for (i=0; i < len; i++) {
- if (string.charAt(i) == "/") {
- if (i == 0) {
- new_string = ":" + string.substring(1,len);
- } else if (i == end) {
- new_string = string.substring(0,i)+':';
- } else {
- new_string = string.substring(0,i)+':'+
- string.substring(i+1,len);
- }
- string = new_string;
- }
- }
-
- if (string.charAt(0) == ":") string = string.substring(1,len);
- return string;
-}
-
-function DoInstall(name,module) {
- if ((navigator.platform == "MacPPC")
- || (navigator.platform == "Mac68K")) {
- module = colonize(module);
- }
- result = pkcs11.addmodule(name, module,
- pkcs11MechanismFlags, pkcs11CipherFlags);
- if ( result < 0) {
- window.alert("New module setup failed. Error code: " + result);
- }
- if (has_new_window) new_window.close();
-}
-
-default_name = "Netscape FORTEZZA Module"
-
-default_module = "D:/dogbert/ns/dist/WIN32_D.OBJ/bin/fort32.dll"
-document.writeln("<FORM name=instform target=_self> <H2>PKCS #11 Installer</H2>");
-document.writeln(" Module name: <Input Type=Text Name=modName value=\""+default_name+"\" size=50 required><br>");
-document.writeln(" Module Library: <Input Type=FILE required Name=module><p>");
-document.writeln("<hr><TABLE><TR><TD>");
-document.writeln("<Input type=Checkbox name=RSA value="+PKCS11_MECH_RSA_FLAG+" onclick=HandleCipher(document.instform.RSA)> RSA<br>");
-document.writeln("<Input type=Checkbox name=DSA value="+PKCS11_MECH_DSA_FLAG+" onclick=HandleCipher(document.instform.DSA)> DSA<br>");
-document.writeln("<Input type=Checkbox name=RC2 value="+PKCS11_MECH_RC2_FLAG+" onclick=HandleCipher(document.instform.RC2)> RC2<br>");
-document.writeln("<Input type=Checkbox name=RC4 value="+PKCS11_MECH_RC4_FLAG+" onclick=HandleCipher(document.instform.RC4)> RC4<br>");
-document.writeln("</TD><TD>");
-document.writeln("<Input type=Checkbox name=DES value="+PKCS11_MECH_DES_FLAG+" onclick=HandleCipher(document.instform.DES)> DES<br>");
-document.writeln("<Input type=Checkbox name=DH value="+PKCS11_MECH_DH_FLAG+" onclick=HandleCipher(document.instform.DH)> DH<br>");
-document.writeln("<Input type=Checkbox name=SKIPJACK value="+PKCS11_MECH_SKIPJACK_FLAG+" onclick=HandleCipher(document.instform.SKIPJACK)> SKIPJACK<br>");
-document.writeln("<Input type=Checkbox name=RC5 value="+PKCS11_MECH_RC5_FLAG+" onclick=HandleCipher(document.instform.RC5)> RC5<br>");
-document.writeln("</TD><TD>");
-document.writeln("<Input type=Checkbox name=SHA1 value="+PKCS11_MECH_SHA1_FLAG+" onclick=HandleCipher(document.instform.SHA1)> SHA1<br>");
-document.writeln("<Input type=Checkbox name=MD5 value="+PKCS11_MECH_MD5_FLAG+" onclick=HandleCipher(document.instform.MD5)> MD5<br>");
-document.writeln("<Input type=Checkbox name=MD2 value="+PKCS11_MECH_MD2_FLAG+" onclick=HandleCipher(document.instform.MD2)> MD2<br>");
-document.writeln("</TD><TD>");
-document.writeln("<Input type=Checkbox name=Random value="+PKCS11_MECH_RANDOM_FLAG+" CHECKED onclick=HandleCipher(document.instform.Random)> Random Number Generation<br>");
-document.writeln("<Input type=Checkbox name=readCert value="+PKCS11_PUB_READABLE_CERT_FLAG+" onclick=HandleCipher(document.instform.ReadCert)> Public Readable Certificates<br>");
-document.writeln("<Input type=Checkbox name=Disable value="+PKCS11_DISABLE_FLAG+" onclick=HandleCipher(document.instform.Disable)> Disable<br>");
-document.writeln("</TD></TR></TABLE>");
-document.writeln("<hr>");
-document.writeln("<Input type=Checkbox name=fortssl value="+ PKCS11_CIPHER_FORTEZZA_FLAG +" checked onclick=HandleSSL(document.instform.fortssl)> Enable FORTEZZA menus<br>");
-document.writeln("<hr>");
-document.write("<Input type=submit Name=Install Value=Install onclick=DoInstall(");
-document.writeln( "document.instform.modName.value,document.instform.module.value) >");
-document.writeln("</FORM>");
-</SCRIPT>
diff --git a/security/nss/lib/fortcrypt/homeinst.htm b/security/nss/lib/fortcrypt/homeinst.htm
deleted file mode 100644
index a0583fbc7..000000000
--- a/security/nss/lib/fortcrypt/homeinst.htm
+++ /dev/null
@@ -1,211 +0,0 @@
-<HTML>
-<--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
--->
-<SCRIPT>
-
-
-// ---------------------- Configuration variables ----------------
-var pkcs11jar="bin/fortWIN32.jar";
-var pkcs11base="ftp://sweetlou/products/client/dogbert/new";
-//pkcs11base="";
-win_file = "libfort.jar"
-unix = "libfort-v404b9."
-mac_file = "macinst.htm"
-
-
-var winDates = pk_init_array (
- "oct_02a_404", "oct_01a_404" );
-
-var unixDates = pk_init_array (
- "current", "Oct_02", "Oct_O1");
-
-
-var comm_platforms = pk_init_array (
- "Win32", "Win16", "Mac68k", "MacPPC",
- "AIX4.1", "HP-UXA.09", "HP-UXB.10",
- "SunOS4.1.3_U1", "SunOS5.4", "SunOS5.5.1",
- "BSD_3861.1","BSD_3862.1", "FreeBSD2", "IRIX5.3", "IRIX6.2",
- "LinuxELF1.2","LinusELF2.0","NCR4.0","NEC4.2","OSF1V3","SCOOS5.0",
- "SINIX-N5.42","SunOS5.4_i86pc","UNIXWARE2.1",
- "OS23.0","OS24.0");
-var isSupport = pk_init_array ( 1, 1, 0, 1,
- 1, 1, 1,
- 1, 1, 1, 1,
- 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0,
- 0, 0, 0,
- 0, 0 );
-var directories = pk_init_array (
- "32bit/fortezza", "16bit/fortezza", "", "404-fortezza-items",
- "aix4", "hpux", "hpux10",
- "sunos4", "sol24", "sol251",
- // not really supported
- "bsdi", "bsdi2", "freebsd", "irix53", "irix62",
- "linux12","linux20","ncr","nec","osf132","sco",
- "sinix","solx86","unixware",
- "" ,"" );
-var files = pk_init_array (
- win_file, win_file, mac_file, mac_file,
- unix+"rs6000-ibm-aix4.jar",unix+"hppa1.1-hp-hpux9.jar",
- unix+"hppa1.1-hp-hpux10.jar",
- unix+"sparc-sun-sunos4.1.3_U1.jar",unix+"sparc-sun-solaris2.4.jar",
- unix+"sparc-sun-solaris2.5.1.jar",
- unix+"x86-bsdi-bsd.jar",unix+"x86-bsdi-bsd2.jar",
- unix+"x86-unknown-freebsd.jar",
- unix+"mips-sgi-irix5.3.jar",unix+"mips-sgi-irix6.2.jar",
- unix+"x86-unknown-linix1.2.jar",unix+"x86-unknown-linix2.0.jar",
- unix+"x86-ncr-sysv5.jar",unix+"mips-nec-uxv4.2.jar",
- unix+"alpha-dec-osf3.2.jar",unix+"x86-sco-opensv5.0.2",
- unix+"mips-sni-reliantunix.jar",unix+"x86-sun-solaris2.4.jar",
- unix+"x86-sco-unixware2.1.jar",
- win_file, win_file );
-
-function isSupported(InPlat)
-{
- for (i=0; i < comm_platforms.length; i++) {
- if (InPlat == comm_platforms[i]) {
- return isSupport[i];
- }
- }
- return 0;
-}
-
-function mapPlatform(InPlat)
-{
- for (i=0; i < comm_platforms.length; i++) {
- if (InPlat == comm_platforms[i]) {
- return directories[i];
- }
- }
- return InPlat;
-}
-
-function mapFile(InPlat)
-{
- for (i=0; i < comm_platforms.length; i++) {
- if (InPlat == comm_platforms[i]) {
- return files[i];
- }
- }
- return unix+"unknown-unknown-unknown.jar";
-}
-
-function mapDate(platform) {
- if ((platform == "MacPPC") || (platform == "Mac68K")) {
- return "";
- } else if ((platform == "Win32") || (platform == "Win16")) {
- return "/oct_2a_404";
- } else if ((platform == "OS23.0") || (platform == "OS24.0")) {
- return "";
- }
- return "/current/signed";
-}
-function mapBaseDir(platform) {
- if ((platform == "MacPPC") || (platform == "Mac68K")) {
- return "mac";
- } else if ((platform == "Win32") || (platform == "Win16")) {
- return "windows"
- } else if ((platform == "OS23.0") || (platform == "OS24.0")) {
- return "os2";
- }
- return "unix/Fortezza";
-}
-
-function pk_init_array()
-{
- var numArgs = pk_init_array.arguments.length;
- var a = new Array(numArgs);
-
- for (var i = 0; i < numArgs; i++) {
- a[i] = pk_init_array.arguments[i];
- }
- return a;
-}
-
-function getPlatform() {
- return navigator.platform;
-}
-
-function getURLPath() {
- var string = window.location.href;
- end = string.lastIndexOf("/");
- if (end == -1) {
- end = string.length-1;
- }
- return string.substring(0,end+1);
-}
-
-
-
-plat=getPlatform();
-platDir = mapPlatform(plat);
-platFile = mapFile(plat);
-platBase = mapBaseDir(plat);
-platDate = mapDate(plat);
-if (pkcs11base == "") pkcs11base=getURLPath();
-pkcs11loc=pkcs11base+"/"+platBase+"/"+platDir + platDate + "/" + platFile;
-
-
-
-function DoInstall(url) {
- window.location.href = url;
-}
-
-function DoCancel() {
- // set window.location.href to your home page if you wish
- //alert('Cancel Installation?');
- history.back();
-}
-
-// ------ Change the following for your own Message --------
-document.write("<CENTER><H1>Netscape Fortezza PKCS #11 Module Installer</H1>");
-document.write("</CENTER>");
-document.write("<Table><TR><TD>");
-document.write("<DD><p><IMG SRC=litronic.gif WIDTH=110 Height=63 NAME=LITRONIC></TD>");
-document.write("<TD VAlign=Center><i> Netscape Fortezza PKCS #11 Modules require Litronic's MACI drivers to be installed on your platform.");
-document.write(" If you haven't already installed theLitronic MACI drivers, please to do so now.</I>");
-document.write("</TD></TR></Table>");
-// ----- end of generic message section --------
-document.write("<p>Netscape has detected you are installing on <b>"+plat+"</b>.<br>");
-if (!isSupported(plat)) {
- document.write("<b>This platform is currently not suppported for FORTEZZA</b><br>");
-}
-document.write("Installing: <b>"+pkcs11loc+"</b><br>");
-document.write("<FORM>");
-document.write("<CENTER><Table><TR><TD><Input Type=Button name=install value='Install Now' onclick=DoInstall("+ "\"" +pkcs11loc+"\""+")>");
-document.write("</TD><TD><Input type=Button name=cancel value=Cancel Onclick=DoCancel()>");
-document.write("</TD></TR></Table></CENTER>");
-document.write("</FORM>");
-document.close();
-</SCRIPT>
-</HTML>
diff --git a/security/nss/lib/fortcrypt/inst.js b/security/nss/lib/fortcrypt/inst.js
deleted file mode 100644
index 2c2b1ab64..000000000
--- a/security/nss/lib/fortcrypt/inst.js
+++ /dev/null
@@ -1,268 +0,0 @@
-//
-// The contents of this file are subject to the Mozilla Public
-// License Version 1.1 (the "License"); you may not use this file
-// except in compliance with the License. You may obtain a copy of
-// the License at http://www.mozilla.org/MPL/
-//
-// Software distributed under the License is distributed on an "AS
-// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-// implied. See the License for the specific language governing
-// rights and limitations under the License.
-//
-// The Original Code is the Netscape security libraries.
-//
-// The Initial Developer of the Original Code is Netscape
-// Communications Corporation. Portions created by Netscape are
-// Copyright (C) 1994-2000 Netscape Communications Corporation. All
-// Rights Reserved.
-//
-// Contributor(s):
-//
-// Alternatively, the contents of this file may be used under the
-// terms of the GNU General Public License Version 2 or later (the
-// "GPL"), in which case the provisions of the GPL are applicable
-// instead of those above. If you wish to allow use of your
-// version of this file only under the terms of the GPL and not to
-// allow others to use your version of this file under the MPL,
-// indicate your decision by deleting the provisions above and
-// replace them with the notice and other provisions required by
-// the GPL. If you do not delete the provisions above, a recipient
-// may use your version of this file under either the MPL or the
-// GPL.
-//
-////////////////////////////////////////////////////////////////////////////////////////
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-var pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG;
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-var pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3; // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2; // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1; // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1; // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2; // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3; // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4; // Error deleting a module
-JS_ERR_ADD_MODULE = -5; // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6; // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7; // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8; // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9; // The SSL, S/MIME cipher flags are invalid
-JS_ERR_ADD_MODULE_DULICATE =-10; // Module with the same name already installed
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Find out which library is to be installed depending on the platform
-
-// pathname seperator is platform specific
-var sep = "/";
-var vendor = "netscape";
-var moduleName = "not_supported";
-var plat = navigator.platform;
-
-var dir = "pkcs11/" + vendor + "/" + plat + "/";
-if (plat == "Win16") {
- dir = "pkcs11/";
-}
-
-bAbort = false;
-if (plat == "Win32") {
- moduleName = "fort32.dll";
- sep = "\\";
-} else if (plat == "Win16") {
- moduleName = "FORT16.DLL";
- sep = "\\";
-} else if (plat == "MacPPC") {
- moduleName = "FortPK11Lib";
- sep = ":";
-} else if (plat == "AIX4.1") {
- moduleName = "libfort_shr.a";
-} else if (plat == "SunOS4.1.3_U1") {
- moduleName = "libfort.so.1.0";
-} else if ((plat == "SunOS5.4") || (plat == "SunOS5.5.1")){
- moduleName = "libfort.so";
-} else if ((plat == "HP-UXA.09") || (plat == "HP-UXB.10")){
- moduleName = "libfort.sl";
-} else if (plat == "IRIX6.2"){
- // The module only works on 6.3, but Communicator returns 6.2 even when
- // running 6.3. So in order to prevent the user from thinking
- // the module actually works on 6.2, we will force the name to
- // say 6.3 instead of 6.2. In the even the user tries to install
- // on 6.2, the user will see 6.3 instead. If they don't get it that
- // it's not going to work at this point in time, then the entire install
- // process wil just fail miserably, and that is OK.
- plat = "IRIX6.3";
- moduleName = "libfort.so";
-} else {
- window.alert("Sorry, platform "+plat+" is not supported.");
- bAbort = true;
-}
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Installation Begins...
-if (!bAbort) {
-if (confirm("This script will install a security module. \nIt may over-write older files having the same name. \nDo you want to continue?")) {
- // Step 1. Create a version object and a software update object
- vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0);
- su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module");
- // "Fortezza ... Module" is the logical name of the bundle
-
- ////////////////////////////////////////
- // Step 2. Start the install process
- bAbort = false;
- err = su.StartInstall("NSfortezza", // NSfortezza is the component folder (logical)
- vi,
- netscape.softupdate.SoftwareUpdate.FULL_INSTALL);
-
- bAbort = (err!=0);
-
- if (err == 0) {
- ////////////////////////////////////////
- // Step 3. Find out the physical location of the Program dir
- Folder = su.GetFolder("Program");
-
- ////////////////////////////////////////
- // Step 4. Install the files. Unpack them and list where they go
-
- err = su.AddSubcomponent("FortezzaLibrary_"+plat, //component name (logical)
- vi, // version info
- moduleName, // source file in JAR (physical)
- Folder, // target folder (physical)
- dir + moduleName, // target path & filename (physical)
- true); // forces update
- if (err != 0) {
- if (err == -200) {
- errmsg = "Bad Package Name.";
- } else if (err == -201) {
- errmsg = "Unexpected error.";
- } else if (err == -203) {
- errmsg = "Installation script was signed by more than one certificate.";
- } else if (err == -204) {
- errmsg = "Installation script was not signed."
- } else if (err == -205) {
- errmsg = "The file to be installed is not signed."
- } else if (err == -206) {
- errmsg = "The file to be installed is not present, or it was signed with a different certificate than the one used to sign the install script.";
- } else if (err == -207) {
- errmsg = "JAR archive has not been opened."
- } else if (err == -208) {
- errmsg = "Bad arguments to AddSubcomponent( )."
- } else if (err == -209) {
- errmsg = "Illegal relative path( )."
- } else if (err == -210) {
- errmsg = "User cancelled installation."
- } else if (err == -211) {
- errmsg = "A problem occurred with the StartInstall( )."
- } else {
- errmsg = "Unknown error";
- }
- window.alert("Error adding sub-component: "+"("+err+")"+errmsg);
- //window.alert("Aborting, Folder="+Folder+" module="+dir+moduleName);
- bAbort = true;
- }
- }
-
- ////////////////////////////////////////
- // Step 5. Unless there was a problem, move files to final location
- // and update the Client Version Registry
- if (bAbort) {
- su.AbortInstall();
- } else {
- err = su.FinalizeInstall();
-
- if (err != 0) {
-
- if (err == -900) {
- errmsg = "Restart the computer, and install again.";
- } else if (err == -201) {
- errmsg = "Unexpected error.";
- } else if (err == -202) {
- errmsg = "Access denied. Make sure you have the permissions to write to the disk.";
- } else if (err == -203) {
- errmsg = "Installation script was signed by more than one certificate.";
- } else if (err == -204) {
- errmsg = "Installation script was not signed."
- } else if (err == -205) {
- errmsg = "The file to be installed is not signed."
- } else if (err == -206) {
- errmsg = "The file to be installed is not present, or it was signed with a different certificate than the one used to sign the install script."
- } else if (err == -207) {
- errmsg = "JAR archive has not been opened."
- } else if (err == -208) {
- errmsg = "Bad arguments to AddSubcomponent( )."
- } else if (err == -209) {
- errmsg = "Illegal relative path( )."
- } else if (err == -210) {
- errmsg = "User cancelled installation."
- } else if (err == -211) {
- errmsg = "A problem occurred with the StartInstall( )."
- } else {
- errmsg = "\nIf you have FORTEZZA module already installed, try deleting it first.";
- }
- window.alert("Error Finalizing Install: "+"("+err+")"+errmsg);
- //window.alert("Aborting, Folder="+Folder+" module="+dir+moduleName);
-
- } else {
-
- // Platform specific full path
- if (plat=="Win16") {
- fullpath = Folder + "pkcs11" + sep + moduleName;
- } else {
- fullpath = Folder + "pkcs11" + sep + vendor + sep + plat + sep + moduleName;
- }
-
- ////////////////////////////////////////
- // Step 6: Call pkcs11.addmodule() to register the newly downloaded module
- moduleCommonName = "Netscape FORTEZZA Module " + plat;
- result = pkcs11.addmodule(moduleCommonName,
- fullpath,
- pkcs11MechanismFlags,
- pkcs11CipherFlags);
- if (result == -10) {
- window.alert("New module was copied to destination, \nbut setup failed because a module "
- +"with the same name has been installed. \nTry deleting the module "
- + moduleCommonName +" first.")
- } else if (result < 0) {
- window.alert("New module was copied to destination, but setup failed. Error code: " + result);
- }
- }
- }
-}
-}
diff --git a/security/nss/lib/fortcrypt/inst_PPC.js b/security/nss/lib/fortcrypt/inst_PPC.js
deleted file mode 100644
index 490910fff..000000000
--- a/security/nss/lib/fortcrypt/inst_PPC.js
+++ /dev/null
@@ -1,134 +0,0 @@
-//
-// The contents of this file are subject to the Mozilla Public
-// License Version 1.1 (the "License"); you may not use this file
-// except in compliance with the License. You may obtain a copy of
-// the License at http://www.mozilla.org/MPL/
-//
-// Software distributed under the License is distributed on an "AS
-// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-// implied. See the License for the specific language governing
-// rights and limitations under the License.
-//
-// The Original Code is the Netscape security libraries.
-//
-// The Initial Developer of the Original Code is Netscape
-// Communications Corporation. Portions created by Netscape are
-// Copyright (C) 1994-2000 Netscape Communications Corporation. All
-// Rights Reserved.
-//
-// Contributor(s):
-//
-// Alternatively, the contents of this file may be used under the
-// terms of the GNU General Public License Version 2 or later (the
-// "GPL"), in which case the provisions of the GPL are applicable
-// instead of those above. If you wish to allow use of your
-// version of this file only under the terms of the GPL and not to
-// allow others to use your version of this file under the MPL,
-// indicate your decision by deleting the provisions above and
-// replace them with the notice and other provisions required by
-// the GPL. If you do not delete the provisions above, a recipient
-// may use your version of this file under either the MPL or the
-// GPL.
-//
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG;
-
-
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3 // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2 // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1 // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1 // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2 // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4 // Error deleting a module
-JS_ERR_ADD_MODULE = -5 // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6 // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7 // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8 // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9 // The SSL, S/MIME cipher flags are invalid
-
-
-if (confirm("This script will install and configure a security module, do you want to continue?")) {
- // Step 1. Create a version object and a software update object
- vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0);
- su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module");
- // "Fortezza ... Module" is the logical name of the bundle
-
- // Step 2. Start the install process
- bAbort = false;
- err = su.StartInstall("NSfortezza", vi, netscape.softupdate.SoftwareUpdate.FULL_INSTALL);
- // nsfortezza is the component folder (logical)
- bAbort = bAbort || (err !=0);
-
- if (err == 0) {
-
- // Step 3. Find out the physical location of the Program dir
- Folder = su.GetFolder("Program");
-
- // Step 4. Install the files. Unpack them and list where they go
- err = su.AddSubcomponent("FortezzaCardDLL", //component name (logical)
- vi, // version info
- "FortPK11Lib", // source file in JAR (physical)
- Folder, // target folder (physical)
- "FortPK11Lib", // target path & filename (physical)
- this.force); // forces update
- bAbort = bAbort || (err !=0);
- }
-
- // Step 5. Unless there was a problem, move files to final location
- // and update the Client Version Registry
- if (bAbort) {
- window.alert("Installation Aborted");
- su.AbortInstall();
- } else {
- err = su.FinalizeInstall();
- window.alert("Files have been installed.\nContinue to setup the newly isntalled module...");
- // Add Module
- compFolder = su.GetComponentFolder("NSfortezza/FortezzaCardDLL") + "/FortPK11Lib";
- result = pkcs11.addmodule("Netscape FORTEZZA Module", compFolder, pkcs11MechanismFlags, pkcs11CipherFlags);
- if ( result < 0) {
- window.alert("New module setup failed. Error code: " + result);
- } else {
- window.alert("New module setup completed.");
- }
- }
-}
diff --git a/security/nss/lib/fortcrypt/install.js b/security/nss/lib/fortcrypt/install.js
deleted file mode 100644
index e823e213b..000000000
--- a/security/nss/lib/fortcrypt/install.js
+++ /dev/null
@@ -1,134 +0,0 @@
-//
-// The contents of this file are subject to the Mozilla Public
-// License Version 1.1 (the "License"); you may not use this file
-// except in compliance with the License. You may obtain a copy of
-// the License at http://www.mozilla.org/MPL/
-//
-// Software distributed under the License is distributed on an "AS
-// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-// implied. See the License for the specific language governing
-// rights and limitations under the License.
-//
-// The Original Code is the Netscape security libraries.
-//
-// The Initial Developer of the Original Code is Netscape
-// Communications Corporation. Portions created by Netscape are
-// Copyright (C) 1994-2000 Netscape Communications Corporation. All
-// Rights Reserved.
-//
-// Contributor(s):
-//
-// Alternatively, the contents of this file may be used under the
-// terms of the GNU General Public License Version 2 or later (the
-// "GPL"), in which case the provisions of the GPL are applicable
-// instead of those above. If you wish to allow use of your
-// version of this file only under the terms of the GPL and not to
-// allow others to use your version of this file under the MPL,
-// indicate your decision by deleting the provisions above and
-// replace them with the notice and other provisions required by
-// the GPL. If you do not delete the provisions above, a recipient
-// may use your version of this file under either the MPL or the
-// GPL.
-//
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG;
-
-
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3 // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2 // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1 // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1 // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2 // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4 // Error deleting a module
-JS_ERR_ADD_MODULE = -5 // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6 // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7 // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8 // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9 // The SSL, S/MIME cipher flags are invalid
-
-
-if (confirm("This script will install and configure a security module, do you want to continue?")) {
- // Step 1. Create a version object and a software update object
- vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0);
- su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module");
- // "Fortezza ... Module" is the logical name of the bundle
-
- // Step 2. Start the install process
- bAbort = false;
- err = su.StartInstall("NSfortezza", vi, netscape.softupdate.SoftwareUpdate.FULL_INSTALL);
- // nsfortezza is the component folder (logical)
- bAbort = bAbort || (err !=0);
-
- if (err == 0) {
-
- // Step 3. Find out the physical location of the Program dir
- Folder = su.GetFolder("Program");
-
- // Step 4. Install the files. Unpack them and list where they go
- err = su.AddSubcomponent("FortezzaCardDLL", //component name (logical)
- vi, // version info
- "DUMMY_DLL", // source file in JAR (physical)
- Folder, // target folder (physical)
- "DUMMY_DLL", // target path & filename (physical)
- this.force); // forces update
- bAbort = bAbort || (err !=0);
- }
-
- // Step 5. Unless there was a problem, move files to final location
- // and update the Client Version Registry
- if (bAbort) {
- window.alert("Installation Aborted");
- su.AbortInstall();
- } else {
- err = su.FinalizeInstall();
- window.alert("Files have been installed.\nContinue to setup the newly isntalled module...");
- // Add Module
- compFolder = su.GetComponentFolder("NSfortezza/FortezzaCardDLL") + "/DUMMY_DLL";
- result = pkcs11.addmodule("Netscape FORTEZZA Module", compFolder, pkcs11MechanismFlags, pkcs11CipherFlags);
- if ( result < 0) {
- window.alert("New module setup failed. Error code: " + result);
- } else {
- window.alert("New module setup completed.");
- }
- }
-}
diff --git a/security/nss/lib/fortcrypt/maci.c b/security/nss/lib/fortcrypt/maci.c
deleted file mode 100644
index a0120b771..000000000
--- a/security/nss/lib/fortcrypt/maci.c
+++ /dev/null
@@ -1,901 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "seccomon.h"
-
-#if defined( _WIN32 ) || defined( __WIN32__ )
-#define RETURN_TYPE extern _declspec( dllexport ) int _cdecl
-#endif /* Windows */
-#include "maci.h"
-
-
-RETURN_TYPE
-MACI_ChangePIN PROTO_LIST( (
- HSESSION hSession,
- int PINType,
- CI_PIN CI_FAR pOldPIN,
- CI_PIN CI_FAR pNewPIN ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_CheckPIN PROTO_LIST( (
- HSESSION hSession,
- int PINType,
- CI_PIN CI_FAR pPIN ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Close PROTO_LIST( (
- HSESSION hSession,
- unsigned int Flags,
- int SocketIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Decrypt PROTO_LIST( (
- HSESSION hSession,
- unsigned int CipherSize,
- CI_DATA pCipher,
- CI_DATA pPlain ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_DeleteCertificate PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_DeleteKey PROTO_LIST( (
- HSESSION hSession,
- int RegisterIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Encrypt PROTO_LIST( (
- HSESSION hSession,
- unsigned int PlainSize,
- CI_DATA pPlain,
- CI_DATA pCipher ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_ExtractX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_FirmwareUpdate PROTO_LIST( (
- HSESSION hSession,
- unsigned long Flags,
- long Cksum,
- unsigned int CksumLength,
- unsigned int DataSize,
- CI_DATA pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GenerateIV PROTO_LIST( (
- HSESSION hSession,
- CI_IV CI_FAR pIV ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GenerateMEK PROTO_LIST( (
- HSESSION hSession,
- int RegisterIndex,
- int Reserved ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GenerateRa PROTO_LIST( (
- HSESSION hSession,
- CI_RA CI_FAR pRa ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GenerateRandom PROTO_LIST( (
- HSESSION hSession,
- CI_RANDOM CI_FAR pRandom ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GenerateTEK PROTO_LIST( (
- HSESSION hSession,
- int Flags,
- int RegisterIndex,
- CI_RA CI_FAR pRa,
- CI_RB CI_FAR pRb,
- unsigned int YSize,
- CI_Y CI_FAR pY ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GenerateX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- unsigned int YSize,
- CI_Y CI_FAR pY ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetCertificate PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- CI_CERTIFICATE CI_FAR pCertificate ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetConfiguration PROTO_LIST( (
- HSESSION hSession,
- CI_CONFIG_PTR pConfiguration ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetHash PROTO_LIST( (
- HSESSION hSession,
- unsigned int DataSize,
- CI_DATA pData,
- CI_HASHVALUE CI_FAR pHashValue ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetPersonalityList PROTO_LIST( (
- HSESSION hSession,
- int EntryCount,
- CI_PERSON CI_FAR pPersonalityList[] ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetSessionID PROTO_LIST( (
- HSESSION *hSession ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetState PROTO_LIST( (
- HSESSION hSession,
- CI_STATE_PTR pState ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetStatus PROTO_LIST( (
- HSESSION hSession,
- CI_STATUS_PTR pStatus ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_GetTime PROTO_LIST( (
- HSESSION hSession,
- CI_TIME CI_FAR pTime ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Hash PROTO_LIST( (
- HSESSION hSession,
- unsigned int DataSize,
- CI_DATA pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Initialize PROTO_LIST( (
- int CI_FAR *SocketCount ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_InitializeHash PROTO_LIST( (
- HSESSION hSession ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_InstallX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pWrappedX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_LoadCertificate PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- CI_CERT_STR CI_FAR pCertLabel,
- CI_CERTIFICATE CI_FAR pCertificate,
- long Reserved ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_LoadDSAParameters PROTO_LIST( (
- HSESSION hSession,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_LoadInitValues PROTO_LIST( (
- HSESSION hSession,
- CI_RANDSEED CI_FAR pRandSeed,
- CI_KS CI_FAR pKs ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_LoadIV PROTO_LIST( (
- HSESSION hSession,
- CI_IV CI_FAR pIV ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_LoadX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- CI_X CI_FAR pX,
- unsigned int YSize,
- CI_Y CI_FAR pY ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Lock PROTO_LIST( (
- HSESSION hSession,
- int Flags ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Open PROTO_LIST( (
- HSESSION hSession,
- unsigned int Flags,
- int SocketIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_RelayX PROTO_LIST( (
- HSESSION hSession,
- CI_PASSWORD CI_FAR pOldPassword,
- unsigned int OldYSize,
- CI_Y CI_FAR pOldY,
- CI_RA CI_FAR pOldRa,
- CI_WRAPPED_X CI_FAR pOldWrappedX,
- CI_PASSWORD CI_FAR pNewPassword,
- unsigned int NewYSize,
- CI_Y CI_FAR pNewY,
- CI_RA CI_FAR pNewRa,
- CI_WRAPPED_X CI_FAR pNewWrappedX ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Reset PROTO_LIST( (
- HSESSION hSession ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Restore PROTO_LIST( (
- HSESSION hSession,
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Save PROTO_LIST( (
- HSESSION hSession,
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Select PROTO_LIST( (
- HSESSION hSession,
- int SocketIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_SetConfiguration PROTO_LIST( (
- HSESSION hSession,
- int Type,
- unsigned int DataSize,
- CI_DATA pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_SetKey PROTO_LIST( (
- HSESSION hSession,
- int RegisterIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_SetMode PROTO_LIST( (
- HSESSION hSession,
- int CryptoType,
- int CryptoMode ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_SetPersonality PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_SetTime PROTO_LIST( (
- HSESSION hSession,
- CI_TIME CI_FAR pTime ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Sign PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Terminate PROTO_LIST( (
- HSESSION hSession ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_TimeStamp PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Unlock PROTO_LIST( (
- HSESSION hSession) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_UnwrapKey PROTO_LIST( (
- HSESSION hSession,
- int UnwrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_VerifySignature PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_SIGNATURE CI_FAR pSignature ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_VerifyTimeStamp PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_WrapKey PROTO_LIST( (
- HSESSION hSession,
- int WrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-MACI_Zeroize PROTO_LIST( (
- HSESSION hSession ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_ChangePIN PROTO_LIST( (
- int PINType,
- CI_PIN CI_FAR pOldPIN,
- CI_PIN CI_FAR pNewPIN ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_CheckPIN PROTO_LIST( (
- int PINType,
- CI_PIN CI_FAR pPIN ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Close PROTO_LIST( (
- unsigned int Flags,
- int SocketIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Decrypt PROTO_LIST( (
- unsigned int CipherSize,
- CI_DATA pCipher,
- CI_DATA pPlain ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_DeleteCertificate PROTO_LIST( (
- int CertificateIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_DeleteKey PROTO_LIST( (
- int RegisterIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Encrypt PROTO_LIST( (
- unsigned int PlainSize,
- CI_DATA pPlain,
- CI_DATA pCipher ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_ExtractX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_FirmwareUpdate PROTO_LIST( (
- unsigned long Flags,
- long Cksum,
- unsigned int CksumLength,
- unsigned int DataSize,
- CI_DATA pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GenerateIV PROTO_LIST( (
- CI_IV CI_FAR pIV ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GenerateMEK PROTO_LIST( (
- int RegisterIndex,
- int Reserved ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GenerateRa PROTO_LIST( (
- CI_RA CI_FAR pRa ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GenerateRandom PROTO_LIST( (
- CI_RANDOM CI_FAR pRandom ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GenerateTEK PROTO_LIST( (
- int Flags,
- int RegisterIndex,
- CI_RA CI_FAR pRa,
- CI_RB CI_FAR pRb,
- unsigned int YSize,
- CI_Y CI_FAR pY ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GenerateX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- unsigned int YSize,
- CI_Y CI_FAR pY ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GetCertificate PROTO_LIST( (
- int CertificateIndex,
- CI_CERTIFICATE CI_FAR pCertificate ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GetConfiguration PROTO_LIST( (
- CI_CONFIG_PTR pConfiguration ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GetHash PROTO_LIST( (
- unsigned int DataSize,
- CI_DATA pData,
- CI_HASHVALUE CI_FAR pHashValue ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GetPersonalityList PROTO_LIST( (
- int EntryCount,
- CI_PERSON CI_FAR pPersonalityList[] ) ) {
- return CI_ERROR;
-}
-
-
-RETURN_TYPE
-CI_GetState PROTO_LIST( (
- CI_STATE_PTR pState ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GetStatus PROTO_LIST( (
- CI_STATUS_PTR pStatus ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_GetTime PROTO_LIST( (
- CI_TIME CI_FAR pTime ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Hash PROTO_LIST( (
- unsigned int DataSize,
- CI_DATA pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Initialize PROTO_LIST( (
- int CI_FAR *SocketCount ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_InitializeHash PROTO_LIST( () ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_InstallX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pWrappedX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_LoadCertificate PROTO_LIST( (
- int CertificateIndex,
- CI_CERT_STR CI_FAR pCertLabel,
- CI_CERTIFICATE CI_FAR pCertificate,
- long Reserved ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_LoadDSAParameters PROTO_LIST( (
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_LoadInitValues PROTO_LIST( (
- CI_RANDSEED CI_FAR pRandSeed,
- CI_KS CI_FAR pKs ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_LoadIV PROTO_LIST( (
- CI_IV CI_FAR pIV ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_LoadX PROTO_LIST( (
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- CI_X CI_FAR pX,
- unsigned int YSize,
- CI_Y CI_FAR pY ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Lock PROTO_LIST( (
- int Flags ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Open PROTO_LIST( (
- unsigned int Flags,
- int SocketIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_RelayX PROTO_LIST( (
- CI_PASSWORD CI_FAR pOldPassword,
- unsigned int OldYSize,
- CI_Y CI_FAR pOldY,
- CI_RA CI_FAR pOldRa,
- CI_WRAPPED_X CI_FAR pOldWrappedX,
- CI_PASSWORD CI_FAR pNewPassword,
- unsigned int NewYSize,
- CI_Y CI_FAR pNewY,
- CI_RA CI_FAR pNewRa,
- CI_WRAPPED_X CI_FAR pNewWrappedX ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Reset PROTO_LIST( ( ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Restore PROTO_LIST( (
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Save PROTO_LIST( (
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Select PROTO_LIST( (
- int SocketIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_SetConfiguration PROTO_LIST( (
- int Type,
- unsigned int DataSize,
- CI_DATA pData ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_SetKey PROTO_LIST( (
- int RegisterIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_SetMode PROTO_LIST( (
- int CryptoType,
- int CryptoMode ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_SetPersonality PROTO_LIST( (
- int CertificateIndex ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_SetTime PROTO_LIST( (
- CI_TIME CI_FAR pTime ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Sign PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Terminate PROTO_LIST( ( ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_TimeStamp PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_Unlock PROTO_LIST( () ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_UnwrapKey PROTO_LIST( (
- int UnwrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_VerifySignature PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_SIGNATURE CI_FAR pSignature ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_VerifyTimeStamp PROTO_LIST( (
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) ) {
- return CI_ERROR;
-}
-
-RETURN_TYPE
-CI_WrapKey PROTO_LIST( (
- int WrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) ) {
- return CI_ERROR;
-}
-
diff --git a/security/nss/lib/fortcrypt/maci.h b/security/nss/lib/fortcrypt/maci.h
deleted file mode 100644
index eb38ff81c..000000000
--- a/security/nss/lib/fortcrypt/maci.h
+++ /dev/null
@@ -1,776 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/* @(#)maci.h 1.27\t05 Jan 1996 */
-/*****************************************************************************
- Definitive Fortezza header file.
- Application Level Interface to Fortezza MACI Library.
-
- Version for CI Library 1.52
- January 5, 1996
-
-
- NOTICE: Fortezza Export Policy
-
- The Fortezza Cryptologic Interface (CI) Library (both source and
- object) and Fortezza CI Library based applications are defense
- articles, as defined in the International Traffic In Arms
- Regulations (ITAR), and are subject to export controls under the
- ITAR and the Arms Export Control Act. Any export to any country
- of (a) the Fortezza CI Library, related documentation, and
- technical data, or (b) your cryptographic application, process,
- or service that is the direct product of, or contains the
- Fortezza CI Library must comply with the requirements of the ITAR.
- If you or your customer intends to engage in such export, contact
- the United States Department of State, Office of Defense Trade
- Controls for specific guidance.
-
-
- ****************************************************************************/
-#ifndef __MACI_H
-#define __MACI_H
-
-#if __cplusplus__ || __cplusplus
-extern "C"
-{
-#endif /* C++ */
-
-
-#ifndef __CRYPTINT_H
-
-#ifndef PROTO_LIST
-#ifdef _K_AND_R_
-#define PROTO_LIST(list) ()
-#else
-#define PROTO_LIST(list) list
-#endif /*_K_AND_R_ */
-#endif /* PROTO_LIST */
-
-
-#ifndef RETURN_TYPE
-#if defined( _WIN32 ) || defined( __WIN32__ )
-#define RETURN_TYPE extern _declspec( dllimport ) int _cdecl
-#elif defined( _WINDOWS ) || defined( _Windows )
-#define RETURN_TYPE extern int _far _pascal
-#else
-#define RETURN_TYPE extern int
-#endif /* Windows */
-#endif /* RETURN_TYPE */
-
-/* MS Visual C++ defines _MSDOS and _WINDOWS */
-/* Borland C/C++ defines __MSDOS__ and _Windows */
-#if (defined( _WINDOWS ) || defined( _Windows )) && \
- !(defined( _WIN32 ) || defined( __WIN32__ ))
-#define CI_FAR _far
-#else
-#define CI_FAR
-#endif /* MS DOS or Windows */
-
-
-/*****************************************************************************
- Constants
- ****************************************************************************/
-#define CI_LIB_VERSION_VAL 0x0152 /* Version 1.52 */
-
-#define CI_CERT_SIZE 2048
-#define CI_CERT_FLAGS_SIZE 16
-#define CI_CERT_NAME_SIZE 32
-#define CI_CHALLENGE_SIZE 20
-
-#define CI_G_SIZE 128
-
-#define CI_HASHVALUE_SIZE 20
-
-#define CI_IV_SIZE 24
-
-#define CI_KEY_SIZE 12
-#define CI_KS_SIZE 10
-
-#define CI_NAME_SIZE 32
-
-#define CI_PASSWORD_SIZE 24
-#define CI_PIN_SIZE 12
-#define CI_P_SIZE 128
-
-#define CI_Q_SIZE 20
-
-#define CI_R_SIZE 40
-#define CI_RANDOM_NO_SIZE 20
-#define CI_RANDOM_SEED_SIZE 8
-#define CI_RA_SIZE 128
-#define CI_RB_SIZE 128
-#define CI_REG_FLAGS_SIZE 4
-
-#define CI_S_SIZE 40
-#define CI_SAVE_DATA_SIZE 28
-#define CI_SERIAL_NUMBER_SIZE 8
-#define CI_SIGNATURE_SIZE 40
-#define CI_STATUS_FLAGS_SIZE 4
-
-#define CI_TIME_SIZE 16
-#define CI_TIMESTAMP_SIZE 16
-
-#define CI_WRAPPED_X_SIZE 24
-
-#define CI_Y_SIZE 128
-
-#define CI_X_SIZE 20
-
-
-/* Miscellaneous */
-#define CI_NULL_FLAG 0
-#define CI_POWER_DOWN_FLAG 2
-#define CI_NO_LOG_OFF_FLAG 4
-#define CI_INITIATOR_FLAG 0
-#define CI_RECIPIENT_FLAG 1
-
-#define CI_BLOCK_LOCK_FLAG 1
-#define CI_SSO_LOGGED_ON 0x40
-#define CI_USER_LOGGED_ON 0x00
-#define CI_FAST_MODE 0x10
-#define CI_SLOW_MODE 0x00
-#define CI_WORST_CASE_MODE 0x40
-#define CI_TYPICAL_CASE_MODE 0x00
-
-/* Card Public Key Algorithms Types */
-#define CI_DSA_TYPE 0xA
-#define CI_KEA_TYPE 0x5
-#define CI_DSA_KEA_TYPE 0xF
-
-/* Fortezza Pin Types */
-#define CI_SSO_PIN 0x25
-#define CI_USER_PIN 0x2A
-
-/* Crypto Types */
-#define CI_ENCRYPT_TYPE 0
-#define CI_DECRYPT_TYPE 1
-#define CI_HASH_TYPE 2
-
-/* Save and Restore Types */
-#define CI_ENCRYPT_INT_TYPE 0x00 /* Internal Encryption */
-#define CI_ENCRYPT_EXT_TYPE 0x10 /* External Encryption */
-#define CI_DECRYPT_INT_TYPE 0x01 /* Internal Decryption */
-#define CI_DECRYPT_EXT_TYPE 0x11 /* External Decryption */
-#define CI_HASH_INT_TYPE 0x02 /* Internal Hash */
-#define CI_HASH_EXT_TYPE 0x12 /* External Hash */
-#define CI_TYPE_EXT_FLAG 0x10 /* Used to differentiate */
-
-/* Configuration types */
-#define CI_SET_SPEED_TYPE 1
-#define CI_SET_TIMING_TYPE 2
-
-/* Lock States */
-#define CI_SOCKET_UNLOCKED 0
-#define CI_HOLD_LOCK 1
-#define CI_SOCKET_LOCKED 2
-
-/* Fortezza Crypto Types Modes */
-#define CI_ECB64_MODE 0
-#define CI_CBC64_MODE 1
-#define CI_OFB64_MODE 2
-#define CI_CFB64_MODE 3
-#define CI_CFB32_MODE 4
-#define CI_CFB16_MODE 5
-#define CI_CFB8_MODE 6
-
-/* Card States */
-#define CI_POWER_UP 0
-#define CI_UNINITIALIZED 1
-#define CI_INITIALIZED 2
-#define CI_SSO_INITIALIZED 3
-#define CI_LAW_INITIALIZED 4
-#define CI_USER_INITIALIZED 5
-#define CI_STANDBY 6
-#define CI_READY 7
-#define CI_ZEROIZE 8
-#define CI_INTERNAL_FAILURE (-1)
-
-/* Flags for Firmware Update. */
-#if !defined( _K_AND_R_ )
-
-#define CI_NOT_LAST_BLOCK_FLAG 0x00000000UL
-#define CI_LAST_BLOCK_FLAG 0x80000000UL
-#define CI_DESTRUCTIVE_FLAG 0x000000FFUL
-#define CI_NONDESTRUCTIVE_FLAG 0x0000FF00UL
-
-#else
-
-#define CI_NOT_LAST_BLOCK_FLAG 0x00000000L
-#define CI_LAST_BLOCK_FLAG 0x80000000L
-#define CI_DESTRUCTIVE_FLAG 0x000000FFL
-#define CI_NONDESTRUCTIVE_FLAG 0x0000FF00L
-
-#endif /* _K_AND_R_ */
-
-/****************************************************************************
- Fortezza Library Return Codes
- ***************************************************************************/
-
-/* Card Responses */
-#define CI_OK 0
-#define CI_FAIL 1
-#define CI_CHECKWORD_FAIL 2
-#define CI_INV_TYPE 3
-#define CI_INV_MODE 4
-#define CI_INV_KEY_INDEX 5
-#define CI_INV_CERT_INDEX 6
-#define CI_INV_SIZE 7
-#define CI_INV_HEADER 8
-#define CI_INV_STATE 9
-#define CI_EXEC_FAIL 10
-#define CI_NO_KEY 11
-#define CI_NO_IV 12
-#define CI_NO_X 13
-
-#define CI_NO_SAVE 15
-#define CI_REG_IN_USE 16
-#define CI_INV_COMMAND 17
-#define CI_INV_POINTER 18
-#define CI_BAD_CLOCK 19
-#define CI_NO_DSA_PARMS 20
-
-/* Library Errors */
-#define CI_ERROR (-1)
-#define CI_LIB_NOT_INIT (-2)
-#define CI_CARD_NOT_READY (-3)
-#define CI_CARD_IN_USE (-4)
-#define CI_TIME_OUT (-5)
-#define CI_OUT_OF_MEMORY (-6)
-#define CI_NULL_PTR (-7)
-#define CI_BAD_SIZE (-8)
-#define CI_NO_DECRYPT (-9)
-#define CI_NO_ENCRYPT (-10)
-#define CI_NO_EXECUTE (-11)
-#define CI_BAD_PARAMETER (-12)
-#define CI_OUT_OF_RESOURCES (-13)
-
-#define CI_NO_CARD (-20)
-#define CI_NO_DRIVER (-21)
-#define CI_NO_CRDSRV (-22)
-#define CI_NO_SCTSRV (-23)
-
-#define CI_BAD_CARD (-30)
-#define CI_BAD_IOCTL (-31)
-#define CI_BAD_READ (-32)
-#define CI_BAD_SEEK (-33)
-#define CI_BAD_WRITE (-34)
-#define CI_BAD_FLUSH (-35)
-#define CI_BAD_IOSEEK (-36)
-#define CI_BAD_ADDR (-37)
-
-#define CI_INV_SOCKET_INDEX (-40)
-#define CI_SOCKET_IN_USE (-41)
-#define CI_NO_SOCKET (-42)
-#define CI_SOCKET_NOT_OPENED (-43)
-#define CI_BAD_TUPLES (-44)
-#define CI_NOT_A_CRYPTO_CARD (-45)
-
-#define CI_INVALID_FUNCTION (-50)
-#define CI_LIB_ALRDY_INIT (-51)
-#define CI_SRVR_ERROR (-52)
-#define MACI_SESSION_EXCEEDED (-53)
-
-
-/*****************************************************************************
- Data Structures
- ****************************************************************************/
-
-
-typedef unsigned char CI_CERTIFICATE[CI_CERT_SIZE];
-
-typedef unsigned char CI_CERT_FLAGS[CI_CERT_FLAGS_SIZE];
-
-typedef unsigned char CI_CERT_STR[CI_CERT_NAME_SIZE+4];
-
-typedef unsigned char CI_FAR *CI_DATA;
-
-typedef unsigned char CI_G[CI_G_SIZE];
-
-typedef unsigned char CI_HASHVALUE[CI_HASHVALUE_SIZE];
-
-typedef unsigned char CI_IV[CI_IV_SIZE];
-
-typedef unsigned char CI_KEY[CI_KEY_SIZE];
-
-typedef unsigned char CI_KS[CI_KS_SIZE];
-
-typedef unsigned char CI_P[CI_P_SIZE];
-
-typedef unsigned char CI_PASSWORD[CI_PASSWORD_SIZE + 4];
-
-typedef unsigned char CI_PIN[CI_PIN_SIZE + 4];
-
-typedef unsigned char CI_Q[CI_Q_SIZE];
-
-typedef unsigned char CI_RA[CI_RA_SIZE];
-
-typedef unsigned char CI_RB[CI_RB_SIZE];
-
-typedef unsigned char CI_RANDOM[CI_RANDOM_NO_SIZE];
-
-typedef unsigned char CI_RANDSEED[CI_RANDOM_SEED_SIZE];
-
-typedef unsigned char CI_REG_FLAGS[CI_REG_FLAGS_SIZE];
-
-typedef unsigned char CI_SIGNATURE[CI_SIGNATURE_SIZE];
-
-typedef unsigned char CI_SAVE_DATA[CI_SAVE_DATA_SIZE];
-
-typedef unsigned char CI_SERIAL_NUMBER[CI_SERIAL_NUMBER_SIZE];
-
-typedef unsigned int CI_STATE, CI_FAR *CI_STATE_PTR;
-
-typedef unsigned char CI_TIME[CI_TIME_SIZE];
-
-typedef unsigned char CI_TIMESTAMP[CI_TIMESTAMP_SIZE];
-
-typedef unsigned char CI_WRAPPED_X[CI_WRAPPED_X_SIZE];
-
-typedef unsigned char CI_Y[CI_Y_SIZE];
-
-typedef unsigned char CI_X[CI_X_SIZE];
-
-typedef struct {
- int LibraryVersion; /* CI Library version */
- int ManufacturerVersion; /* Card's hardware version */
- char ManufacturerName[CI_NAME_SIZE+4]; /* Card manufacturer's name*/
- char ProductName[CI_NAME_SIZE+4]; /* Card's product name */
- char ProcessorType[CI_NAME_SIZE+4]; /* Card's processor type */
- unsigned long UserRAMSize; /* Amount of User RAM in bytes */
- unsigned long LargestBlockSize; /* Largest block of data to pass in */
- int KeyRegisterCount; /* Number of key registers */
- int CertificateCount; /* Maximum number of personalities (# certs-1) */
- int CryptoCardFlag; /* A flag that if non-zero indicates that there is
- a Crypto-Card in the socket. If this value is
- zero then there is NOT a Crypto-Card in the
- sockets. */
- int ICDVersion; /* The ICD compliance level */
- int ManufacturerSWVer; /* The Manufacturer's Software Version */
- int DriverVersion; /* Driver Version */
-} CI_CONFIG, CI_FAR *CI_CONFIG_PTR;
-
-typedef struct {
- int CertificateIndex; /* Index from 1 to CertificateCount */
- CI_CERT_STR CertLabel; /* The certificate label */
-} CI_PERSON, CI_FAR *CI_PERSON_PTR;
-
-typedef struct {
- int CurrentSocket; /* The currently selected socket */
- int LockState; /* Lock status of the current socket */
- CI_SERIAL_NUMBER SerialNumber; /* Serial number of the Crypto Engine chip */
- CI_STATE CurrentState; /* State of The Card */
- int DecryptionMode; /* Decryption mode of The Card */
- int EncryptionMode; /* Encryption mode of The Card */
- int CurrentPersonality; /* Index of the current personality */
- int KeyRegisterCount; /* No. of Key Register on The Card */
- CI_REG_FLAGS KeyRegisterFlags; /* Bit Masks indicating Key Register use */
- int CertificateCount; /* No. of Certificates on The Card */
- CI_CERT_FLAGS CertificateFlags; /* Bit Mask indicating certificate use */
- unsigned char Flags[CI_STATUS_FLAGS_SIZE];
- /* Flag[0] : bit 6 for Condition mode */
- /* bit 4 for Clock mode */
-} CI_STATUS, CI_FAR *CI_STATUS_PTR;
-
-#endif
-
-/* Session constants */
-#ifndef HSESSION_DEFINE
-typedef unsigned int HSESSION;
-#define HSESSION_DEFINE
-#endif
-#define MAXSESSION 100
-
-/*****************************************************************************
- Function Call Prototypes
- ****************************************************************************/
-
-RETURN_TYPE
-MACI_ChangePIN PROTO_LIST( (
- HSESSION hSession,
- int PINType,
- CI_PIN CI_FAR pOldPIN,
- CI_PIN CI_FAR pNewPIN ) );
-
-RETURN_TYPE
-MACI_CheckPIN PROTO_LIST( (
- HSESSION hSession,
- int PINType,
- CI_PIN CI_FAR pPIN ) );
-
-RETURN_TYPE
-MACI_Close PROTO_LIST( (
- HSESSION hSession,
- unsigned int Flags,
- int SocketIndex ) );
-
-RETURN_TYPE
-MACI_Decrypt PROTO_LIST( (
- HSESSION hSession,
- unsigned int CipherSize,
- CI_DATA pCipher,
- CI_DATA pPlain ) );
-
-RETURN_TYPE
-MACI_DeleteCertificate PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex ) );
-
-RETURN_TYPE
-MACI_DeleteKey PROTO_LIST( (
- HSESSION hSession,
- int RegisterIndex ) );
-
-RETURN_TYPE
-MACI_Encrypt PROTO_LIST( (
- HSESSION hSession,
- unsigned int PlainSize,
- CI_DATA pPlain,
- CI_DATA pCipher ) );
-
-RETURN_TYPE
-MACI_ExtractX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) );
-
-RETURN_TYPE
-MACI_FirmwareUpdate PROTO_LIST( (
- HSESSION hSession,
- unsigned long Flags,
- long Cksum,
- unsigned int CksumLength,
- unsigned int DataSize,
- CI_DATA pData ) );
-
-RETURN_TYPE
-MACI_GenerateIV PROTO_LIST( (
- HSESSION hSession,
- CI_IV CI_FAR pIV ) );
-
-RETURN_TYPE
-MACI_GenerateMEK PROTO_LIST( (
- HSESSION hSession,
- int RegisterIndex,
- int Reserved ) );
-
-RETURN_TYPE
-MACI_GenerateRa PROTO_LIST( (
- HSESSION hSession,
- CI_RA CI_FAR pRa ) );
-
-RETURN_TYPE
-MACI_GenerateRandom PROTO_LIST( (
- HSESSION hSession,
- CI_RANDOM CI_FAR pRandom ) );
-
-RETURN_TYPE
-MACI_GenerateTEK PROTO_LIST( (
- HSESSION hSession,
- int Flags,
- int RegisterIndex,
- CI_RA CI_FAR pRa,
- CI_RB CI_FAR pRb,
- unsigned int YSize,
- CI_Y CI_FAR pY ) );
-
-RETURN_TYPE
-MACI_GenerateX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- unsigned int YSize,
- CI_Y CI_FAR pY ) );
-
-RETURN_TYPE
-MACI_GetCertificate PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- CI_CERTIFICATE CI_FAR pCertificate ) );
-
-RETURN_TYPE
-MACI_GetConfiguration PROTO_LIST( (
- HSESSION hSession,
- CI_CONFIG_PTR pConfiguration ) );
-
-RETURN_TYPE
-MACI_GetHash PROTO_LIST( (
- HSESSION hSession,
- unsigned int DataSize,
- CI_DATA pData,
- CI_HASHVALUE CI_FAR pHashValue ) );
-
-RETURN_TYPE
-MACI_GetPersonalityList PROTO_LIST( (
- HSESSION hSession,
- int EntryCount,
- CI_PERSON CI_FAR pPersonalityList[] ) );
-
-RETURN_TYPE
-MACI_GetSessionID PROTO_LIST( (
- HSESSION *hSession ) );
-
-RETURN_TYPE
-MACI_GetState PROTO_LIST( (
- HSESSION hSession,
- CI_STATE_PTR pState ) );
-
-RETURN_TYPE
-MACI_GetStatus PROTO_LIST( (
- HSESSION hSession,
- CI_STATUS_PTR pStatus ) );
-
-RETURN_TYPE
-MACI_GetTime PROTO_LIST( (
- HSESSION hSession,
- CI_TIME CI_FAR pTime ) );
-
-RETURN_TYPE
-MACI_Hash PROTO_LIST( (
- HSESSION hSession,
- unsigned int DataSize,
- CI_DATA pData ) );
-
-RETURN_TYPE
-MACI_Initialize PROTO_LIST( (
- int CI_FAR *SocketCount ) );
-
-RETURN_TYPE
-MACI_InitializeHash PROTO_LIST( (
- HSESSION hSession ) );
-
-RETURN_TYPE
-MACI_InstallX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- CI_PASSWORD CI_FAR pPassword,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_WRAPPED_X CI_FAR pWrappedX,
- CI_RA CI_FAR pRa,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) );
-
-RETURN_TYPE
-MACI_LoadCertificate PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- CI_CERT_STR CI_FAR pCertLabel,
- CI_CERTIFICATE CI_FAR pCertificate,
- long Reserved ) );
-
-RETURN_TYPE
-MACI_LoadDSAParameters PROTO_LIST( (
- HSESSION hSession,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG ) );
-
-RETURN_TYPE
-MACI_LoadInitValues PROTO_LIST( (
- HSESSION hSession,
- CI_RANDSEED CI_FAR pRandSeed,
- CI_KS CI_FAR pKs ) );
-
-RETURN_TYPE
-MACI_LoadIV PROTO_LIST( (
- HSESSION hSession,
- CI_IV CI_FAR pIV ) );
-
-RETURN_TYPE
-MACI_LoadX PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex,
- int AlgorithmType,
- unsigned int PandGSize,
- unsigned int QSize,
- CI_P CI_FAR pP,
- CI_Q CI_FAR pQ,
- CI_G CI_FAR pG,
- CI_X CI_FAR pX,
- unsigned int YSize,
- CI_Y CI_FAR pY ) );
-
-RETURN_TYPE
-MACI_Lock PROTO_LIST( (
- HSESSION hSession,
- int Flags ) );
-
-RETURN_TYPE
-MACI_Open PROTO_LIST( (
- HSESSION hSession,
- unsigned int Flags,
- int SocketIndex ) );
-
-RETURN_TYPE
-MACI_RelayX PROTO_LIST( (
- HSESSION hSession,
- CI_PASSWORD CI_FAR pOldPassword,
- unsigned int OldYSize,
- CI_Y CI_FAR pOldY,
- CI_RA CI_FAR pOldRa,
- CI_WRAPPED_X CI_FAR pOldWrappedX,
- CI_PASSWORD CI_FAR pNewPassword,
- unsigned int NewYSize,
- CI_Y CI_FAR pNewY,
- CI_RA CI_FAR pNewRa,
- CI_WRAPPED_X CI_FAR pNewWrappedX ) );
-
-RETURN_TYPE
-MACI_Reset PROTO_LIST( (
- HSESSION hSession ) );
-
-RETURN_TYPE
-MACI_Restore PROTO_LIST( (
- HSESSION hSession,
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) );
-
-RETURN_TYPE
-MACI_Save PROTO_LIST( (
- HSESSION hSession,
- int CryptoType,
- CI_SAVE_DATA CI_FAR pData ) );
-
-RETURN_TYPE
-MACI_Select PROTO_LIST( (
- HSESSION hSession,
- int SocketIndex ) );
-
-RETURN_TYPE
-MACI_SetConfiguration PROTO_LIST( (
- HSESSION hSession,
- int Type,
- unsigned int DataSize,
- CI_DATA pData ) );
-
-RETURN_TYPE
-MACI_SetKey PROTO_LIST( (
- HSESSION hSession,
- int RegisterIndex ) );
-
-RETURN_TYPE
-MACI_SetMode PROTO_LIST( (
- HSESSION hSession,
- int CryptoType,
- int CryptoMode ) );
-
-RETURN_TYPE
-MACI_SetPersonality PROTO_LIST( (
- HSESSION hSession,
- int CertificateIndex ) );
-
-RETURN_TYPE
-MACI_SetTime PROTO_LIST( (
- HSESSION hSession,
- CI_TIME CI_FAR pTime ) );
-
-RETURN_TYPE
-MACI_Sign PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature ) );
-
-RETURN_TYPE
-MACI_Terminate PROTO_LIST( (
- HSESSION hSession ) );
-
-RETURN_TYPE
-MACI_TimeStamp PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) );
-
-RETURN_TYPE
-MACI_Unlock PROTO_LIST( (
- HSESSION hSession) );
-
-RETURN_TYPE
-MACI_UnwrapKey PROTO_LIST( (
- HSESSION hSession,
- int UnwrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) );
-
-RETURN_TYPE
-MACI_VerifySignature PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- unsigned int YSize,
- CI_Y CI_FAR pY,
- CI_SIGNATURE CI_FAR pSignature ) );
-
-RETURN_TYPE
-MACI_VerifyTimeStamp PROTO_LIST( (
- HSESSION hSession,
- CI_HASHVALUE CI_FAR pHashValue,
- CI_SIGNATURE CI_FAR pSignature,
- CI_TIMESTAMP CI_FAR pTimeStamp ) );
-
-RETURN_TYPE
-MACI_WrapKey PROTO_LIST( (
- HSESSION hSession,
- int WrapIndex,
- int KeyIndex,
- CI_KEY CI_FAR pKey ) );
-
-RETURN_TYPE
-MACI_Zeroize PROTO_LIST( (
- HSESSION hSession ) );
-
-#if __cplusplus__ || __cplusplus
-}
-#endif /* C++ */
-
-#endif /* CRYPTINT_H */
-
diff --git a/security/nss/lib/fortcrypt/macinst.htm b/security/nss/lib/fortcrypt/macinst.htm
deleted file mode 100644
index cf3988157..000000000
--- a/security/nss/lib/fortcrypt/macinst.htm
+++ /dev/null
@@ -1,148 +0,0 @@
-<HTML>
-<--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
--->
-<TITLE>MAC Installer</TITLE>
-
-<SCRIPT>
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG;
-
-
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3 // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2 // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1 // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1 // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2 // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4 // Error deleting a module
-JS_ERR_ADD_MODULE = -5 // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6 // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7 // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8 // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9 // The SSL, S/MIME cipher flags are invalid
-
-var new_window;
-var has_new_window = 0;
-
-function colonize(string) {
- len = string.length;
- end = len -1;
-
- if (len == 0) return string;
-
-
- for (i=0; i < len; i++) {
- if (string.charAt(i) == "/") {
- if (i == 0) {
- new_string = ":" + string.substring(1,len);
- } else if (i == end) {
- new_string = string.substring(0,i)+':';
- } else {
- new_string = string.substring(0,i)+':'+
- string.substring(i+1,len);
- }
- string = new_string;
- }
- }
-
- if (string.charAt(0) == ":") string = string.substring(1,len);
- return string;
-}
-
-function DoInstall(module) {
- module = colonize(module);
- result = pkcs11.addmodule("Netscape FORTEZZA Module", module, pkcs11MechanismFlags, pkcs11CipherFlags);
- if ( result < 0) {
- window.alert("New module setup failed. Error code: " + result);
- }
- if (has_new_window) new_window.close();
-}
-
-function DoUnpack(name) {
- new_window = open(name,"unpacking","toolbar=no,location=no,status=yes,scrollbar=no,width=50,height=50");
- has_new_window = 1;
-}
-
-filename=navigator.platform+".hqx"
-
-default_module = "D:/dogbert/ns/dist/WIN32_D.OBJ/bin/fort32.dll"
-document.writeln("<FORM name=instform target=_self> <H2>Mac Fortezza Installer</H2>");
-document.writeln("<I>You must first unpack the <b>"+filename+"</b> file.");
-document.writeln(" Do that by clicking on button below.</i><p>");
-document.writeln("<Input type=button value=Unpack name=unpack onclick=DoUnpack(\""+filename+"\"); ><p>");
-document.writeln("<I>Then move <b>FortPK11Lib</b> to an appropriate directory ");
-document.writeln(" enter that directory below, then click the Install button.</i><p>");
-document.writeln(" Module Name: <Input Type=FILE Name=module><p>");
-document.write("<Input type=submit Name=Install Value=Install onclick=DoInstall(");
-document.writeln( "document.instform.module.value) >");
-document.writeln("</FORM>");
-</SCRIPT>
diff --git a/security/nss/lib/fortcrypt/manifest.mn b/security/nss/lib/fortcrypt/manifest.mn
deleted file mode 100644
index 6dc9019c4..000000000
--- a/security/nss/lib/fortcrypt/manifest.mn
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-MODULE = security
-LIBRARY_NAME = fort
-#LIBRARY_VERSION = 32
-
-DIRS = swfort
-
-CSRCS = forsock.c \
- fortpk11.c \
- fmutex.c \
- $(NULL)
-
-EXPORTS =
-PRIVATE_EXPORTS = maci.h cryptint.h
-
-REQUIRES = security dbm
-
diff --git a/security/nss/lib/fortcrypt/replace.c b/security/nss/lib/fortcrypt/replace.c
deleted file mode 100644
index b4c5edd18..000000000
--- a/security/nss/lib/fortcrypt/replace.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-# include <stdio.h>
-# include <string.h>
-
-int main(int argc, char* argv[]) {
- FILE *templ;
- FILE *target;
- unsigned char buffer[81];
- unsigned char *find, *replace;
- int matchcount = 0;
- int ch;
- int len;
-
- buffer[0] = '\0';
-
- if (argc != 5) {
- fprintf(stderr, "usuage: replace template.js searchstring replacestring target.js \n");
- return 1;
- }
-
- templ = fopen(argv[1], "r");
- if (!templ) {
- fprintf(stderr, "Cannot open template script %s\n", argv[1]);
- return 2;
- }
-
- find = (unsigned char*) argv[2];
- replace = (unsigned char*) argv[3];
-
- target = fopen(argv[4], "w");
- if (!target) {
- fclose(templ);
- fprintf(stderr, "Cannot write to target script %s\n", argv[4]);
- return 3;
- }
-
- for (len = 0; find[len]!='\0'; len++);
-
- if (len > 80) {
- fprintf(stderr, "length of searchstring exceeds 80 chars");
- return 4;
- }
-
- /* get a char from templ */
- while ((int)(ch=fgetc(templ)) != EOF) {
- if ((unsigned char)ch == find[matchcount]) {
- /* if it matches find[matchcount],
- * then store one more char in buffer,
- * increase match count, and checks if
- * the whole word has been found */
- buffer[matchcount] = (unsigned char) ch;
- buffer[++matchcount] = '\0';
-
- if (matchcount == len) {
- matchcount = 0;
- fprintf(target, "%s", replace);
- }
- } else {
- /* reset matchcount, flush buffer */
- if (matchcount > 0) {
- fprintf(target, "%s", buffer);
- matchcount = 0;
- }
- fputc(ch, target);
- }
- }
- fclose(templ);
- fclose(target);
- return 0;
-}
diff --git a/security/nss/lib/fortcrypt/secmodjar.html b/security/nss/lib/fortcrypt/secmodjar.html
deleted file mode 100644
index f093a5965..000000000
--- a/security/nss/lib/fortcrypt/secmodjar.html
+++ /dev/null
@@ -1,441 +0,0 @@
-<HTML>
-<--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
--->
-<HEAD>
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
- <META NAME="Author" CONTENT="Hoi-Sheung Wilson So">
- <META NAME="GENERATOR" CONTENT="Mozilla/4.02 [en] (WinNT; I) [Netscape]">
- <TITLE>How to Package Your Security Module for use with SmartUpdate</TITLE>
-</HEAD>
-<BODY>
-<FONT SIZE=+2>Using
-JAR Installation Manager Technology to Install Your PKCS11 Security Module</FONT>
-
-<P>Table of contents
-<BR><A HREF="#intro">I. Introduction</A>
-<BR><A HREF="#procedure">II. How to Create a Security Module JAR</A>
-<BR><A HREF="#samplescript">III. Sample Installer Script</A>
-<BR><A HREF="#reference">IV. Programmers' Reference</A>
-<BR><A HREF="#copyright">VI. Copyright Notice</A>
-<BR><A NAME="intro"></A><FONT SIZE=+1>I. Introduction</FONT>
-<BR>This docuemnt describes how to prepare your security module so that
-users can download it from the Internet, verify its integrity, and install
-by only pointing and clicking mouses.&nbsp; The packaged module is a signed
-JAR archive. This JAR archive contains a dynamically-linked library which
-implements the Security Module and a pice of installer script (.js) that
-registers and configures the newly installed module.&nbsp; SmartUpdate
-allows users to download JAR archinve that has been signed digitally by
-the software vendor.&nbsp; SmartUpdate then decompresses the JAR file,
-verify the signature and validity of the files packaged into the archive.&nbsp;
-If the signature is valid, SmartUpdate will run the installer script found
-in the archive.&nbsp; The installer script will instruct SmartUpdate to
-move the downloaded security module library to a specified location.&nbsp;
-Next, the script will register the module with Navigator, and configure
-it.
-
-<P>This document does not describe how SmartUpdate works.&nbsp; For more
-information about SmartUpdate, check out <A HREF="http://developer.netscape.com/library/documentation/communicator/jarman/index.htm">JAR
-Installation Manager</A>.
-
-<P><A NAME="procedure"></A><FONT SIZE=+1>II. How to Create a Security Module
-JAR</FONT>
-<OL>
-<LI>
-Obtain a copy of PKCS#11: Cryptographic Token Interface Standard Version
-2.00, published by <A HREF="http://www.rsa.com">RSA Laboratories</A>, Redwood
-City, California.</LI>
-
-<LI>
-Implement a PKCS#11 library according to PKCS#11 standards.</LI>
-
-<LI>
-Write a installer script that will register the module with Navigator.</LI>
-
-<LI>
-Use either JAR Packager or command line tool to package the library and
-the script in a signed JAR archive.</LI>
-
-<LI>
-Publish the JAR file on the web, and notify users to install/upgrade their
-library.</LI>
-</OL>
-<A NAME="samplescript"></A><FONT SIZE=+1>III. Sample Installer Script</FONT>
-
-<P>Functions of the following installer script:
-<BR>1. Start SmartUpdate and declares the version and the name of the module
-to be installed.
-<BR>2. Extract a library called DUMMY_DLL from the JAR archive and install
-it under the Netscape Program folder.
-<BR>3. Register the installed module by calling pkcs11.addmodule( ) method
-with information about the capabilities of the module.
-<BR>4. Check to see if pkcs11.addmodule( ) has been successful, and display
-appropriate messages.
-
-<P><TT>// Crypto Mechanism Flags</TT>
-<BR><TT>PKCS11_MECH_RSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;0;</TT>
-<BR><TT>PKCS11_MECH_DSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;1;</TT>
-<BR><TT>PKCS11_MECH_RC2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;2;</TT>
-<BR><TT>PKCS11_MECH_RC4_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;3;</TT>
-<BR><TT>PKCS11_MECH_DES_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;4;</TT>
-<BR><TT>PKCS11_MECH_DH_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;5; //Diffie-Hellman</TT>
-<BR><TT>PKCS11_MECH_SKIPJACK_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =&nbsp;
-0x1&lt;&lt;6; //SKIPJACK algorithm as in Fortezza cards</TT>
-<BR><TT>PKCS11_MECH_RC5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;7;</TT>
-<BR><TT>PKCS11_MECH_SHA1_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;8;</TT>
-<BR><TT>PKCS11_MECH_MD5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;9;</TT>
-<BR><TT>PKCS11_MECH_MD2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;10;</TT>
-<BR><TT>PKCS11_MECH_RANDOM_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;27; //Random number generator</TT>
-<BR><TT>PKCS11_PUB_READABLE_CERT_FLAG&nbsp; =&nbsp; 0x1&lt;&lt;28; //Stored
-certs can be read off the token w/o logging in</TT>
-<BR><TT>PKCS11_DISABLE_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;30; //tell Navigator to disable this slot by default</TT>
-
-<P><TT>// Important:</TT>
-<BR><TT>// 0x1&lt;&lt;11, 0x1&lt;&lt;12, ... , 0x1&lt;&lt;26, and 0x1&lt;&lt;31
-are reserved</TT>
-<BR><TT>// for internal use in Navigator.</TT>
-<BR><TT>// Therefore, these bits should always be set to 0; otherwise,</TT>
-<BR><TT>// Navigator might exhibit unpredictable behavior.</TT>
-
-<P><TT>// These flags indicate which mechanisms should be turned on by</TT>
-<BR><TT>pkcs11MechanismFlags = PKCS11_MECH_DSA_FLAG | PKCS11_MECH_SKIPJACK_FLAG
-| PKCS11_MECH_RANDOM_FLAG;</TT>
-<BR><TT>&nbsp;</TT>
-
-<P><TT>// Ciphers that support SSL or S/MIME</TT>
-<BR><TT>PKCS11_CIPHER_FORTEZZA_FLAG&nbsp;&nbsp;&nbsp; = 0x1&lt;&lt;0;</TT>
-
-<P><TT>// Important:</TT>
-<BR><TT>// 0x1&lt;&lt;11, 0x1&lt;&lt;12, ... , 0x1&lt;&lt;26, 0x1&lt;&lt;29,
-and 0x1&lt;&lt;31 are reserved</TT>
-<BR><TT>// for internal use in Navigator.</TT>
-<BR><TT>// Therefore, these bits should ALWAYS be set to 0; otherwise,</TT>
-<BR><TT>// Navigator might exhibit unpredictable behavior.</TT>
-
-<P><TT>// These flags indicate which SSL ciphers are supported</TT>
-<BR><TT>pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;</TT>
-<BR><TT>&nbsp;</TT>
-
-<P><TT>// Return values of pkcs11.addmodule() &amp; pkcs11.delmodule()</TT>
-<BR><TT>// success codes</TT>
-<BR><TT>JS_OK_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= 3 // Successfully added a module</TT>
-<BR><TT>JS_OK_DEL_EXTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= 2 // Successfully deleted ext. module</TT>
-<BR><TT>JS_OK_DEL_INTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= 1 // Successfully deleted int. module</TT>
-
-<P><TT>// failure codes</TT>
-<BR><TT>JS_ERR_OTHER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -1 // Other errors than the followings</TT>
-<BR><TT>JS_ERR_USER_CANCEL_ACTION&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -2 // User abort an action</TT>
-<BR><TT>JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect
-# of arguments</TT>
-<BR><TT>JS_ERR_DEL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -4 // Error deleting a module</TT>
-<BR><TT>JS_ERR_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -5 // Error adding a module</TT>
-<BR><TT>JS_ERR_BAD_MODULE_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -6 // The module name is invalid</TT>
-<BR><TT>JS_ERR_BAD_DLL_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -7 // The DLL name is bad</TT>
-<BR><TT>JS_ERR_BAD_MECHANISM_FLAGS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -8 // The mechanism flags are invalid</TT>
-<BR><TT>JS_ERR_BAD_CIPHER_ENABLE_FLAGS&nbsp;&nbsp; = -9 // The SSL, S/MIME
-cipher flags are invalid</TT>
-<BR>&nbsp;
-
-<P><TT>if (confirm("This script will install and configure a security module,
-do you want to continue?")) {</TT>
-<BR><TT>&nbsp;// Step 1. Create a version object and a software update
-object</TT>
-<BR><TT>&nbsp;vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0);</TT>
-<BR><TT>&nbsp;su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza
-Card PKCS#11 Module");</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-// "Fortezza ... Module" is the logical name of the bundle</TT>
-
-<P><TT>&nbsp;// Step 2. Start the install process</TT>
-<BR><TT>&nbsp;bAbort = false;</TT>
-<BR><TT>&nbsp;err = su.StartInstall("litronic", vi, netscape.softupdate.SoftwareUpdate.FULL_INSTALL);</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-// litronic is the component folder (logical)</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bAbort = bAbort || (err
-!=0);</TT>
-
-<P><TT>&nbsp;if (err == 0) {</TT>
-
-<P><TT>&nbsp;&nbsp;&nbsp; // Step 3. Find out the physical location of
-the Program dir</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; Folder = su.GetFolder("Program");</TT>
-
-<P><TT>&nbsp;&nbsp;&nbsp; // Step 4. Install the files. Unpack them and
-list where they go</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; err = su.AddSubcomponent("FortezzaCardDLL",
-//component name (logical)</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-vi, // version info</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-"DUMMY_DLL", // source file in JAR (physical)</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-Folder, // target folder (physical)</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-"DUMMY_DLL", // target path &amp; filename (physical)</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-this.force); // forces update</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; bAbort = bAbort || (err !=0);</TT>
-<BR><TT>&nbsp;}</TT>
-
-<P><TT>&nbsp;// Step 5. Unless there was a problem, move files to final
-location</TT>
-<BR><TT>&nbsp;// and update the Client Version Registry</TT>
-<BR><TT>&nbsp;if (bAbort) {</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; window.alert("Installation Aborted");</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; su.AbortInstall();</TT>
-<BR><TT>&nbsp;} else {</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; err = su.FinalizeInstall();</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; window.alert("Files have been installed.\nContinue
-to setup the newly isntalled module...");</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; // Add Module</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; compFolder = su.GetComponentFolder("litronic/FortezzaCardDLL")
-+ "/DUMMY_DLL";</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp; result = pkcs11.addmodule("Fortezza", compFolder,
-pkcs11MechanismFlags, pkcs11CipherFlags);</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if
-( result &lt; 0) {</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-window.alert("New module setup failed.&nbsp; Error code: " + result);</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }
-else {</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-window.alert("New module setup completed.");</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</TT>
-<BR><TT>&nbsp;}</TT>
-<BR><TT>}</TT>
-
-<P><A NAME="reference"></A><FONT SIZE=+1>IV. Appendix A: Programmers' Refernce</FONT>
-<UL>
-<LI>
-<A HREF="#delmodule">pkcs11.addmodule( )</A></LI>
-
-<LI>
-<A HREF="#delmodule">pkcs11.delmodule( )</A></LI>
-</UL>
-
-<HR ALIGN=LEFT WIDTH="70%">
-<BR><A NAME="addmodule"></A>Name
-<BR><TT>addmodule</TT>
-<BR>Adds a PKCS#11 security module to the security module database, and
-notifies Communicator which cryptographic mechanisms should be turned on
-by default, and which SSL or S/MIME ciphers are supported.&nbsp; For security
-reasons, it will pop up a dialog box to ask the user to confirm this action.&nbsp;
-It might pop up other dialog boxes if necessary.
-
-<P>Method of
-<BR><TT>pkcs11</TT>
-
-<P>Syntax
-<BR><TT>int pkcs11.addmodule( string ModuleName,</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-string LibraryFullPath,</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-int CryptoMechanismFlags,</TT>
-<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-int CipherFlags);</TT>
-<BR>&nbsp;
-<BR>Parameters
-<TABLE BORDER WIDTH="90%" >
-<TR>
-<TD><TT>ModuleName</TT></TD>
-
-<TD>Name of the module</TD>
-</TR>
-
-<TR>
-<TD><TT>LibraryFullPath</TT></TD>
-
-<TD>The filename of the library prepended with its full path</TD>
-</TR>
-
-<TR>
-<TD><TT>CryptoMechanismFlags</TT></TD>
-
-<TD>A bit vector indicating all cryptographic mechanisms should be turned
-on by default&nbsp; (See below)</TD>
-</TR>
-
-<TR>
-<TD><TT>CipherFlags</TT></TD>
-
-<TD>A bit vector indicating all SSL or S/MIME cipher functions supported
-by the module (Seel below)</TD>
-</TR>
-</TABLE>
-Cryptographic Mechanism Flags
-<BR><TT>PKCS11_MECH_RSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;0;</TT>
-<BR><TT>PKCS11_MECH_DSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;1;</TT>
-<BR><TT>PKCS11_MECH_RC2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;2;</TT>
-<BR><TT>PKCS11_MECH_RC4_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;3;</TT>
-<BR><TT>PKCS11_MECH_DES_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;4;</TT>
-<BR><TT>PKCS11_MECH_DH_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;5; //Diffie-Hellman</TT>
-<BR><TT>PKCS11_MECH_SKIPJACK_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =&nbsp;
-0x1&lt;&lt;6; //SKIPJACK algorithm as in Fortezza cards</TT>
-<BR><TT>PKCS11_MECH_RC5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;7;</TT>
-<BR><TT>PKCS11_MECH_SHA1_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;8;</TT>
-<BR><TT>PKCS11_MECH_MD5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;9;</TT>
-<BR><TT>PKCS11_MECH_MD2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;10;</TT>
-<BR><TT>PKCS11_MECH_RANDOM_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;27; //Random number generator</TT>
-<BR><TT>PKCS11_PUB_READABLE_CERT_FLAG&nbsp; =&nbsp; 0x1&lt;&lt;28; //Stored
-certs can be read off the token w/o logging in</TT>
-<BR><TT>PKCS11_DISABLE_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-=&nbsp; 0x1&lt;&lt;30; //tell Navigator to disable this slot by default</TT>
-
-<P>Supported SSL or S/MIME Ciphers
-<BR><TT>PKCS11_CIPHER_FORTEZZA_FLAG&nbsp;&nbsp;&nbsp; = 0x1&lt;&lt;0;</TT>
-
-<P>Important for CryptoMechanismFlags:
-<BR><TT>0x1&lt;&lt;11</TT>, <TT>0x1&lt;&lt;12</TT>, ... , <TT>0x1&lt;&lt;26</TT>,
-<TT>0x1&lt;&lt;29, </TT>and <TT>0x1&lt;&lt;31</TT> are reserved for internal
-use in Navigator.
-<BR>Therefore, these bits should always be set to 0; otherwise, Navigator
-might exhibit unpredictable behavior.
-
-<P>Important for CipherFlags:
-<BR><TT>0x1&lt;&lt;1</TT>, <TT>0x1&lt;&lt;2</TT>, ... , <TT>0x1&lt;&lt;31</TT>
-are reserved for internal use in Navigator.
-<BR>Therefore, these bits should ALWAYS be set to 0; otherwise, Navigator
-might exhibit unpredictable behavior.
-
-<P>Example of CryptoMechanismFlags and CipherFlags:
-<BR><TT>pkcs11MechanismFlags = PKCS11_MECH_DSA_FLAG | PKCS11_MECH_SKIPJACK_FLAG
-| PKCS11_MECH_RANDOM_FLAG;</TT>
-<BR><TT>pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;</TT>
-<BR><TT>&nbsp;</TT>
-<BR>Return Values:
-<BR><TT>// Return values of pkcs11.addmod()</TT>
-<BR><TT>// success codes</TT>
-<BR><TT>JS_OK_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= 3 // Successfully added a module</TT>
-
-<P><TT>// failure codes</TT>
-<BR><TT>JS_ERR_OTHER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -1 // Other errors than the followings</TT>
-<BR><TT>JS_ERR_USER_CANCEL_ACTION&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -2 // User abort an action</TT>
-<BR><TT>JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect
-# of arguments</TT>
-<BR><TT>JS_ERR_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -5 // Error adding a module</TT>
-<BR><TT>JS_ERR_BAD_MODULE_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -6 // The module name is invalid</TT>
-<BR><TT>JS_ERR_BAD_DLL_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -7 // The DLL name is bad</TT>
-<BR><TT>JS_ERR_BAD_MECHANISM_FLAGS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -8 // The mechanism flags are invalid</TT>
-<BR><TT>JS_ERR_BAD_CIPHER_ENABLE_FLAGS&nbsp;&nbsp; = -9 // The SSL, S/MIME
-cipher flags are invalid</TT>
-<BR>&nbsp;
-<HR ALIGN=LEFT WIDTH="70%">
-<BR><A NAME="delmodule"></A>Name
-<BR><TT>delmodule</TT>
-<BR>Deletes a PKCS#11 security module from the module database, but does
-not physically remove the file.&nbsp; For security reasons, it will pop
-up a dialog box to ask the user to confirm this action.&nbsp; It might
-pop up other dialog boxes if necessary.
-
-<P>Method of
-<BR><TT>pkcs11</TT>
-
-<P>Syntax
-<BR><TT>int pkcs11.delmodule( string ModuleName);</TT>
-<BR>&nbsp;
-<BR>Parameters
-<TABLE BORDER WIDTH="90%" >
-<TR>
-<TD><TT>ModuleName</TT></TD>
-
-<TD>Name of the module</TD>
-</TR>
-</TABLE>
-<TT>&nbsp;</TT>
-<BR>Return Values:
-<BR><TT>// Return values of pkcs11.addmod() &amp; pkcs11.delmod()</TT>
-<BR><TT>// success codes</TT>
-<BR><TT>JS_OK_DEL_EXTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= 2 // Successfully deleted ext. module</TT>
-<BR><TT>JS_OK_DEL_INTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= 1 // Successfully deleted int. module</TT>
-
-<P><TT>// failure codes</TT>
-<BR><TT>JS_ERR_OTHER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -1 // Other errors than the followings</TT>
-<BR><TT>JS_ERR_USER_CANCEL_ACTION&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -2 // User abort an action</TT>
-<BR><TT>JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect
-# of arguments</TT>
-<BR><TT>JS_ERR_DEL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -4 // Error deleting a module</TT>
-<BR><TT>JS_ERR_BAD_MODULE_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-= -6 // The module name is invalid</TT>
-
-<P><A NAME="copyright"></A><FONT SIZE=+1>VI. Copyright Notice</FONT>
-<BR>&nbsp;
-
-<P><FONT SIZE=+4>XXX Don't know what to put here!!!</FONT>
-
-<P>Last modified 9/26/97
-</BODY>
-</HTML>
diff --git a/security/nss/lib/fortcrypt/swfort/.cvsignore b/security/nss/lib/fortcrypt/swfort/.cvsignore
deleted file mode 100644
index 46d9697ae..000000000
--- a/security/nss/lib/fortcrypt/swfort/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-nslib.c
diff --git a/security/nss/lib/fortcrypt/swfort/Makefile b/security/nss/lib/fortcrypt/swfort/Makefile
deleted file mode 100644
index 80b91c768..000000000
--- a/security/nss/lib/fortcrypt/swfort/Makefile
+++ /dev/null
@@ -1,82 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-nslib.c:: swflib.c nsmap.h
- rm -f nslib.c
- cat nsmap.h swflib.c > nslib.c
-
-export:: private_export
-
-
diff --git a/security/nss/lib/fortcrypt/swfort/config.mk b/security/nss/lib/fortcrypt/swfort/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/fortcrypt/swfort/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/fortcrypt/swfort/manifest.mn b/security/nss/lib/fortcrypt/swfort/manifest.mn
deleted file mode 100644
index 5445af13b..000000000
--- a/security/nss/lib/fortcrypt/swfort/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../../..
-
-MODULE = security
-LIBRARY_NAME = swfci
-#LIBRARY_VERSION = 12
-
-CSRCS = swfalg.c \
- swfparse.c \
- swflib.c \
- nslib.c \
- swfutl.c \
- $(NULL)
-
-DIRS = pkcs11
-
-
-EXPORTS = swfort.h swfortt.h
-PRIVATE_EXPORTS = swforti.h swfortti.h
-
-REQUIRES = security dbm nspr
-
-GARBAGE = nslib.c
-
-
diff --git a/security/nss/lib/fortcrypt/swfort/nsmap.h b/security/nss/lib/fortcrypt/swfort/nsmap.h
deleted file mode 100644
index b5e1c2cda..000000000
--- a/security/nss/lib/fortcrypt/swfort/nsmap.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#define MACI_ChangePIN NSCI_ChangePIN
-#define MACI_CheckPIN NSCI_CheckPIN
-#define MACI_Close NSCI_Close
-#define MACI_Decrypt NSCI_Decrypt
-#define MACI_DeleteCertificate NSCI_DeleteCertificate
-#define MACI_DeleteKey NSCI_DeleteKey
-#define MACI_Encrypt NSCI_Encrypt
-#define MACI_ExtractX NSCI_ExtractX
-#define MACI_FirmwareUpdate NSCI_FirmwareUpdate
-#define MACI_GenerateIV NSCI_GenerateIV
-#define MACI_GenerateMEK NSCI_GenerateMEK
-#define MACI_GenerateRa NSCI_GenerateRa
-#define MACI_GenerateRandom NSCI_GenerateRandom
-#define MACI_GenerateTEK NSCI_GenerateTEK
-#define MACI_GenerateX NSCI_GenerateX
-#define MACI_GetCertificate NSCI_GetCertificate
-#define MACI_GetConfiguration NSCI_GetConfiguration
-#define MACI_GetHash NSCI_GetHash
-#define MACI_GetPersonalityList NSCI_GetPersonalityList
-#define MACI_GetSessionID NSCI_GetSessionID
-#define MACI_GetState NSCI_GetState
-#define MACI_GetStatus NSCI_GetStatus
-#define MACI_GetTime NSCI_GetTime
-#define MACI_Hash NSCI_Hash
-#define MACI_Initialize NSCI_Initialize
-#define MACI_InitializeHash NSCI_InitializeHash
-#define MACI_InstallX NSCI_InstallX
-#define MACI_LoadCertificate NSCI_LoadCertificate
-#define MACI_LoadDSAParameters NSCI_LoadDSAParameters
-#define MACI_LoadInitValues NSCI_LoadInitValues
-#define MACI_LoadIV NSCI_LoadIV
-#define MACI_LoadX NSCI_LoadX
-#define MACI_Lock NSCI_Lock
-#define MACI_Open NSCI_Open
-#define MACI_RelayX NSCI_RelayX
-#define MACI_Reset NSCI_Reset
-#define MACI_Restore NSCI_Restore
-#define MACI_Save NSCI_Save
-#define MACI_Select NSCI_Select
-#define MACI_SetConfiguration NSCI_SetConfiguration
-#define MACI_SetKey NSCI_SetKey
-#define MACI_SetMode NSCI_SetMode
-#define MACI_SetPersonality NSCI_SetPersonality
-#define MACI_SetTime NSCI_SetTime
-#define MACI_Sign NSCI_Sign
-#define MACI_Terminate NSCI_Terminate
-#define MACI_TimeStamp NSCI_TimeStamp
-#define MACI_Unlock NSCI_Unlock
-#define MACI_UnwrapKey NSCI_UnwrapKey
-#define MACI_VerifySignature NSCI_VerifySignature
-#define MACI_VerifyTimeStamp NSCI_VerityTimeStap
-#define MACI_WrapKey NSCI_WrapKey
-#define MACI_Zeroize NSCI_Zeroize
-
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore b/security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore
deleted file mode 100644
index 6532d294d..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore
+++ /dev/null
@@ -1,15 +0,0 @@
-forsock.c
-cryptint.h
-fmutex.h
-fortsock.h
-fpkcs11.h
-fpkcs11f.h
-fpkcs11i.h
-fpkcs11t.h
-fpkmem.h
-fpkstrs.h
-genci.h
-maci.h
-fortpk11.c
-fmutex.c
-
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile b/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
deleted file mode 100644
index 9595d91fe..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
+++ /dev/null
@@ -1,183 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-
-
-#SWCILIB = ../$(OBJDIR)/$(LIB_PREFIX)swfci.$(LIB_SUFFIX)
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq ($(OS_ARCH), WINNT)
-
-CRYPTO_LIBS = $(DIST)/lib/freebl.lib
-
-ifdef MOZILLA_SECURITY_BUILD
-CRYPTO_LIBS += $(DIST)/lib/crypto.lib
-endif
-ifdef MOZILLA_BSAFE_BUILD
-CRYPTO_LIBS += $(DIST)/lib/bsafe41.lib
-endif
-
-# $(DIST)/lib/dbm.lib
-# $(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib
-EXTRA_LIBS = \
- $(DIST)/lib/swfci.lib \
- $(DIST)/lib/softoken.lib \
- $(CRYPTO_LIBS) \
- $(DIST)/lib/secutil.lib \
- $(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4_s.lib \
- $(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4_s.lib \
- wsock32.lib \
- winmm.lib \
- $(NULL)
-
-else
-
-# $(DIST)/lib/libdbm.a
-# $(DIST)/lib/libnspr3.a
-# OSF 1 linker is very agressive. It includes the entire archive,
-# not just the .o's that we need from that archive.
-#
-ifneq ($(OS_ARCH), OSF1)
-
-CRYPTO_LIBS = $(DIST)/lib/libfreebl.a
-
-ifdef MOZILLA_SECURITY_BUILD
-CRYPTO_LIBS += $(DIST)/lib/libcrypto.a
-endif
-ifdef MOZILLA_BSAFE_BUILD
-CRYPTO_LIBS += $(DIST)/lib/libbsafe.a
-endif
-
-EXTRA_LIBS += \
- $(DIST)/lib/libswfci.a \
- $(DIST)/lib/libsoftoken.a \
- $(CRYPTO_LIBS) \
- $(DIST)/lib/libsecutil.a \
- $(DIST)/lib/libplc4.a \
- $(DIST)/lib/libplds4.a \
- $(NULL)
-
-endif
-endif
-
-#ifeq ($(OS_TARGET), WIN16)
-#W16LIBS += $(SWCILIB)
-#else
-#OBJS += $(SWCILIB)
-#endif
-
-INST_JS = inst.js
-LIBCI_JAR = $(OBJDIR)/lib$(LIBRARY_NAME).jar
-LIBCI_JAR_SRC = $(INST_JS) pk11inst $(SHARED_LIBRARY)
-
-ifneq ($(OS_TARGET), WIN16)
-TARGETS : $(LIBCI_JAR)
-endif
-
-ifeq ($(OS_TARGET), WIN16)
-# note that rules.mk is not included below for WIN16
-all:
- @echo Skipping fortcrypt directory for 16-bit windows builds
-
-all_platforms alltags clean clobber clobber_all realclean: all
-
-boot export install libs program release: all
-
-endif
-
-#$(SHARED_LIBRARY): $(SWCILIB)
-
-forsock.c: ../../forsock.c $(CP_INCLUDES)
- cp ../../forsock.c $(CP_INCLUDES) .
-
-fortpk11.c: ../../fortpk11.c
- cp ../../fortpk11.c .
-
-fmutex.c: ../../fmutex.c
- cp ../../fmutex.c .
-
-
-#
-# The following rules packages the shared library into a JAR,
-# ready to be signed
-#
-$(OBJDIR)/replace: replace.c
- $(CC) -o $@ $<
-
-# ZIP options:
-# -5 means medium compression
-# -q means quiet
-# -j means do not store tree structure, all files go into one dir
-#
-$(LIBCI_JAR): $(LIBCI_JAR_SRC)
- @echo +++ building $@ from $(LIBCI_JAR_SRC)
- @rm -f $@
- zip -5qj $@ $(LIBCI_JAR_SRC)
-
-$(LIBSWCI_JAR): $(LIBSWCI_JAR_SRC)
- @echo +++ building $@ from $(LIBSWCI_JAR_SRC)
- @rm -f $@
- zip -5qj $@ $(LIBSWCI_JAR_SRC)
-
-
-MD_FILES += $(LIBCI_JAR) $(LIBSWCI_JAR)
-
-# coreconf doesn't build the AIX shared library for FORTEZZA,
-# so I'm going to override their shared library command and build the shared
-# library the way config used to.
-#
-
-
-ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.1)
-DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry
-EXTRA_DSO_LDOPTS = -lc
-MKSHLIB = xlC $(DSO_LDOPTS)
-
-$(SHARED_LIBRARY): $(OBJS)
- @$(MAKE_OBJDIR)
- rm -f $@
- $(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
- chmod +x $@
-
-endif
-
-ifeq ($(OS_ARCH)$(OS_RELEASE), AIX4.2)
-LD += -G
-endif
-
-ifneq ($(OS_TARGET), WIN16)
-include $(CORE_DEPTH)/coreconf/rules.mk
-endif
-
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/config.mk b/security/nss/lib/fortcrypt/swfort/pkcs11/config.mk
deleted file mode 100644
index 9b1a488d2..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/config.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-ifeq ($(OS_TARGET), WIN16)
-TARGETS = all
-else
-TARGETS = $(SHARED_LIBRARY) $(SHARED_SW_LIBRARY) $(LIBCI_JAR) $(LIBCI_SW_JAR)
-endif
-LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
-
-ifeq ($(OS_TARGET), WIN16)
-dummy:
- @echo $(TARGETS)
-endif
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/inst.js b/security/nss/lib/fortcrypt/swfort/pkcs11/inst.js
deleted file mode 100644
index 2f7574717..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/inst.js
+++ /dev/null
@@ -1,189 +0,0 @@
-//
-// The contents of this file are subject to the Mozilla Public
-// License Version 1.1 (the "License"); you may not use this file
-// except in compliance with the License. You may obtain a copy of
-// the License at http://www.mozilla.org/MPL/
-//
-// Software distributed under the License is distributed on an "AS
-// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-// implied. See the License for the specific language governing
-// rights and limitations under the License.
-//
-// The Original Code is the Netscape security libraries.
-//
-// The Initial Developer of the Original Code is Netscape
-// Communications Corporation. Portions created by Netscape are
-// Copyright (C) 1994-2000 Netscape Communications Corporation. All
-// Rights Reserved.
-//
-// Contributor(s):
-//
-// Alternatively, the contents of this file may be used under the
-// terms of the GNU General Public License Version 2 or later (the
-// "GPL"), in which case the provisions of the GPL are applicable
-// instead of those above. If you wish to allow use of your
-// version of this file only under the terms of the GPL and not to
-// allow others to use your version of this file under the MPL,
-// indicate your decision by deleting the provisions above and
-// replace them with the notice and other provisions required by
-// the GPL. If you do not delete the provisions above, a recipient
-// may use your version of this file under either the MPL or the
-// GPL.
-//
-////////////////////////////////////////////////////////////////////////////////////////
-// Crypto Mechanism Flags
-PKCS11_MECH_RSA_FLAG = 0x1<<0;
-PKCS11_MECH_DSA_FLAG = 0x1<<1;
-PKCS11_MECH_RC2_FLAG = 0x1<<2;
-PKCS11_MECH_RC4_FLAG = 0x1<<3;
-PKCS11_MECH_DES_FLAG = 0x1<<4;
-PKCS11_MECH_DH_FLAG = 0x1<<5; //Diffie-Hellman
-PKCS11_MECH_SKIPJACK_FLAG = 0x1<<6; //SKIPJACK algorithm as in Fortezza cards
-PKCS11_MECH_RC5_FLAG = 0x1<<7;
-PKCS11_MECH_SHA1_FLAG = 0x1<<8;
-PKCS11_MECH_MD5_FLAG = 0x1<<9;
-PKCS11_MECH_MD2_FLAG = 0x1<<10;
-PKCS11_MECH_RANDOM_FLAG = 0x1<<27; //Random number generator
-PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28; //Stored certs can be read off the token w/o logging in
-PKCS11_DISABLE_FLAG = 0x1<<30; //tell Navigator to disable this slot by default
-
-// Important:
-// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should always be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which mechanisms should be turned on by
-var pkcs11MechanismFlags = 0;
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Ciphers that support SSL or S/MIME
-PKCS11_CIPHER_FORTEZZA_FLAG = 0x1<<0;
-
-// Important:
-// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved
-// for internal use in Navigator.
-// Therefore, these bits should ALWAYS be set to 0; otherwise,
-// Navigator might exhibit unpredictable behavior.
-
-// These flags indicate which SSL ciphers are supported
-var pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Return values of pkcs11.addmodule() & pkcs11.delmodule()
-// success codes
-JS_OK_ADD_MODULE = 3; // Successfully added a module
-JS_OK_DEL_EXTERNAL_MODULE = 2; // Successfully deleted ext. module
-JS_OK_DEL_INTERNAL_MODULE = 1; // Successfully deleted int. module
-
-// failure codes
-JS_ERR_OTHER = -1; // Other errors than the followings
-JS_ERR_USER_CANCEL_ACTION = -2; // User abort an action
-JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3; // Calling a method w/ incorrect # of arguments
-JS_ERR_DEL_MODULE = -4; // Error deleting a module
-JS_ERR_ADD_MODULE = -5; // Error adding a module
-JS_ERR_BAD_MODULE_NAME = -6; // The module name is invalid
-JS_ERR_BAD_DLL_NAME = -7; // The DLL name is bad
-JS_ERR_BAD_MECHANISM_FLAGS = -8; // The mechanism flags are invalid
-JS_ERR_BAD_CIPHER_ENABLE_FLAGS = -9; // The SSL, S/MIME cipher flags are invalid
-
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Find out which library is to be installed depending on the platform
-
-// pathname seperator is platform specific
-var sep = "/";
-var vendor = "netscape";
-var moduleName = "not_supported";
-
-// platform-independent relative path
-var dir = "pkcs11/" + vendor + "/";
-
-var plat = navigator.platform;
-
-bAbort = false;
-progName = "instinit";
-if (plat == "Win32") {
- moduleName = "swft32.dll";
- // progName = "instinit.exe";
- sep = "\\";
-} else if (plat == "AIX4.1") {
- moduleName = "libswft.so";
-} else if (plat == "SunOS4.1.3_U1") {
- moduleName = "libswft.so.1.0";
-} else if ((plat == "SunOS5.4") || (plat == "SunOS5.5.1")){
- moduleName = "libswft.so";
-} else if ((plat == "HP-UXA.09") || (plat == "HP-UXB.10")){
- moduleName = "libswft.sl";
-} else {
- window.alert("Sorry, platform "+plat+" is not supported.");
- bAbort = true;
-}
-
-////////////////////////////////////////////////////////////////////////////////////////
-// Installation Begins...
-if (!bAbort) {
-if (confirm("This script will install and configure a security module, do you want to continue?")) {
- // Step 1. Create a version object and a software update object
- vi = new netscape.softupdate.VersionInfo(1, 5, 0, 0);
- su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module");
- // "Fortezza ... Module" is the logical name of the bundle
-
- ////////////////////////////////////////
- // Step 2. Start the install process
- bAbort = false;
- err = su.StartInstall("NSfortezza", // NSfortezza is the component folder (logical)
- vi,
- netscape.softupdate.SoftwareUpdate.FULL_INSTALL);
-
- bAbort = bAbort || (err !=0);
-
- if (err == 0) {
- ////////////////////////////////////////
- // Step 3. Find out the physical location of the Program dir
- Folder = su.GetFolder("Program");
-
- ////////////////////////////////////////
- // Step 4. Install the files. Unpack them and list where they go
- err = su.AddSubcomponent("FortezzaLibrary", //component name (logical)
- vi, // version info
- moduleName, // source file in JAR (physical)
- Folder, // target folder (physical)
- dir + moduleName, // target path & filename (physical)
- this.force); // forces update
- bAbort = bAbort || (err !=0);
- if (err != 0) window.alert("Add sub err= "+ err);
- }
-
- if (err == 0) {
- /// Try installing the init program
- err = su.AddSubcomponent("FortezzaInitProg", vi, progName, Folder, progName, this.force);
- // don't fail because it didn't install, may just not be part of the package
-}
-
- ////////////////////////////////////////
- // Step 5. Unless there was a problem, move files to final location
- // and update the Client Version Registry
- if (bAbort) {
- window.alert("Aborting, Folder="+Folder+" module="+dir+moduleName);
- su.AbortInstall();
- } else {
- err = su.FinalizeInstall();
- // Platform specific full path
- fullpath = Folder + "pkcs11" + sep + vendor + sep + moduleName;
-
- ////////////////////////////////////////
- // Step 6: Call pkcs11.addmodule() to register the newly downloaded module
- result = pkcs11.addmodule("Netscape Software FORTEZZA Module",
- fullpath,
- pkcs11MechanismFlags,
- pkcs11CipherFlags);
-
- if ( result < 0) {
- window.alert("New module setup failed. Error code: " + result);
- } else {
- window.alert("New module setup completed.");
- }
- }
-}
-}
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn b/security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn
deleted file mode 100644
index eca9b5ab3..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn
+++ /dev/null
@@ -1,73 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../../../..
-
-MODULE = security
-LIBRARY_NAME = swft
-#LIBRARY_VERSION = 32
-
-COPIED_CSRCS = forsock.c \
- fortpk11.c \
- fmutex.c \
- $(NULL)
-
-CSRCS = \
- $(COPIED_CSRCS) \
- stub.c \
- $(NULL)
-
-EXPORTS =
-
-REQUIRES = security dbm
-
-CP_INCLUDES = \
- ../../cryptint.h \
- ../../fmutex.h \
- ../../fortsock.h \
- ../../fpkcs11.h \
- ../../fpkcs11f.h \
- ../../fpkcs11i.h \
- ../../fpkcs11t.h \
- ../../fpkmem.h \
- ../../fpkstrs.h \
- ../../genci.h \
- ../../maci.h \
- $(NULL)
-
-CFLAGS += -DSWFORT
-
-GARBAGE = $(COPIED_CSRCS) cryptint.h fmutex.h fortsock.h fpkcs11.h \
- fpkcs11f.h fpkcs11i.h fpkcs11t.h fpkmem.h fpkstrs.h genci.h maci.h
-
-
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst b/security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst
deleted file mode 100755
index 31d73eb4a..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst
+++ /dev/null
@@ -1,49 +0,0 @@
-ForwardCompatible { HPUX:10:hppa1.1 Solaris:5.5.1:sparc AIX:4.1:rs6000 }
- Platforms {
- WINNT::x86 {
- ModuleName { "Netscape Software FORTEZZA Module" }
- ModuleFile { %root%/pkcs11/netscape/swft32.dll }
- DefaultMechanismFlags{0x0000}
- DefaultCipherFlags{0x0001}
- Files {
- swft32.dll {
- RelativePath { %root%/pkcs11/netscape/swft32.dll }
- }
- }
- WIN95::x86 {
- EquivalentPlatform {WINNT::x86}
- }
- Solaris:5.5.1:sparc {
- ModuleName { "Netscape Software FORTEZZA Module" }
- ModuleFile { %root%/pkcs11/netscape/libswft.so }
- DefaultMechanismFlags{0x0000}
- DefaultCipherFlags{0x0001}
- Files {
- libswft.so {
- RelativePath { %root%/pkcs11/netscape/libswft.so }
- }
- }
- }
- AIX:4.1:rs6000 {
- ModuleName { "Netscape Software FORTEZZA Module" }
- ModuleFile { %root%/pkcs11/netscape/libswft.so }
- DefaultMechanismFlags{0x0000}
- DefaultCipherFlags{0x0001}
- Files {
- libswft.so {
- RelativePath { %root%/pkcs11/netscape/libswft.so }
- }
- }
- }
- HPUX:10:hppa1.1 {
- ModuleName { "Netscape Software FORTEZZA Module" }
- ModuleFile { %root%/pkcs11/netscape/libswft.sl }
- DefaultMechanismFlags{0x0000}
- DefaultCipherFlags{0x0001}
- Files {
- libswft.so {
- RelativePath { %root%/pkcs11/netscape/libswft.sl }
- }
- }
- }
- }
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c b/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
deleted file mode 100644
index 917eff386..000000000
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
+++ /dev/null
@@ -1,344 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * secport.c - portability interfaces for security libraries
- *
- * This file abstracts out libc functionality that libsec depends on
- *
- * NOTE - These are not public interfaces. These stubs are to allow the
- * SW FORTEZZA to link with some low level security functions without dragging
- * in NSPR.
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "prmem.h"
-#include "prerror.h"
-#include "plarena.h"
-#include "secerr.h"
-#include "prmon.h"
-#include "prbit.h"
-
-unsigned long port_allocFailures;
-
-/* locations for registering Unicode conversion functions.
- * Is this the appropriate location? or should they be
- * moved to client/server specific locations?
- */
-PORTCharConversionFunc ucs4Utf8ConvertFunc;
-PORTCharConversionFunc ucs2Utf8ConvertFunc;
-PORTCharConversionWSwapFunc ucs2AsciiConvertFunc;
-
-void *
-PORT_Alloc(size_t bytes)
-{
- void *rv;
-
- /* Always allocate a non-zero amount of bytes */
- rv = (void *)malloc(bytes ? bytes : 1);
- if (!rv) {
- ++port_allocFailures;
- }
- return rv;
-}
-
-void *
-PORT_Realloc(void *oldptr, size_t bytes)
-{
- void *rv;
-
- rv = (void *)realloc(oldptr, bytes);
- if (!rv) {
- ++port_allocFailures;
- }
- return rv;
-}
-
-void *
-PORT_ZAlloc(size_t bytes)
-{
- void *rv;
-
- /* Always allocate a non-zero amount of bytes */
- rv = (void *)calloc(1, bytes ? bytes : 1);
- if (!rv) {
- ++port_allocFailures;
- }
- return rv;
-}
-
-void
-PORT_Free(void *ptr)
-{
- if (ptr) {
- free(ptr);
- }
-}
-
-void
-PORT_ZFree(void *ptr, size_t len)
-{
- if (ptr) {
- memset(ptr, 0, len);
- free(ptr);
- }
-}
-
-void
-PORT_SetError(int value)
-{
- return;
-}
-
-int
-PORT_GetError(void)
-{
- return(1);
-}
-
-/********************* Arena code follows *****************************/
-
-
-PLArenaPool *
-PORT_NewArena(unsigned long chunksize)
-{
- PLArenaPool *arena;
-
- arena = (PLArenaPool*)PORT_ZAlloc(sizeof(PLArenaPool));
- if ( arena != NULL ) {
- PR_InitArenaPool(arena, "security", chunksize, sizeof(double));
- }
- return(arena);
-}
-
-void *
-PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
-{
- void *p;
-
- PL_ARENA_ALLOCATE(p, arena, size);
- if (p == NULL) {
- ++port_allocFailures;
- }
-
- return(p);
-}
-
-void *
-PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
-{
- void *p;
-
- PL_ARENA_ALLOCATE(p, arena, size);
- if (p == NULL) {
- ++port_allocFailures;
- } else {
- PORT_Memset(p, 0, size);
- }
-
- return(p);
-}
-
-/* need to zeroize!! */
-void
-PORT_FreeArena(PLArenaPool *arena, PRBool zero)
-{
- PR_FinishArenaPool(arena);
- PORT_Free(arena);
-}
-
-void *
-PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
-{
- PORT_Assert(newsize >= oldsize);
-
- PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
-
- return(ptr);
-}
-
-void *
-PORT_ArenaMark(PLArenaPool *arena)
-{
- void * result;
-
- result = PL_ARENA_MARK(arena);
- return result;
-}
-
-void
-PORT_ArenaRelease(PLArenaPool *arena, void *mark)
-{
- PL_ARENA_RELEASE(arena, mark);
-}
-
-void
-PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
-{
- /* do nothing */
-}
-
-char *
-PORT_ArenaStrdup(PLArenaPool *arena,char *str) {
- int len = PORT_Strlen(str)+1;
- char *newstr;
-
- newstr = (char*)PORT_ArenaAlloc(arena,len);
- if (newstr) {
- PORT_Memcpy(newstr,str,len);
- }
- return newstr;
-}
-
-PR_IMPLEMENT(void)
-PR_Assert(const char *expr, const char *file, int line) {
- return;
-}
-
-PR_IMPLEMENT(void *)
-PR_Alloc(PRUint32 bytes) { return malloc(bytes); }
-
-PR_IMPLEMENT(void *)
-PR_Malloc(PRUint32 bytes) { return malloc(bytes); }
-
-PR_IMPLEMENT(void *)
-PR_Calloc(PRUint32 blocks, PRUint32 bytes) { return calloc(blocks,bytes); }
-
-PR_IMPLEMENT(void)
-PR_Free(void *ptr) { free(ptr); }
-
-
-/* Old template; want to expunge it eventually. */
-#include "secasn1.h"
-#include "secoid.h"
-
-const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECAlgorithmID) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SECAlgorithmID,algorithm), },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(SECAlgorithmID,parameters), },
- { 0, }
-};
-
-/* now make the RNG happy */ /* This is not atomic! */
-PR_IMPLEMENT(PRInt32) PR_AtomicIncrement(PRInt32 *val) { return ++(*val); }
-/* This is not atomic! */
-PR_IMPLEMENT(PRInt32) PR_AtomicDecrement(PRInt32 *val) { return --(*val); }
-
-PR_IMPLEMENT(PRStatus) PR_Sleep(PRIntervalTime ticks) { return PR_SUCCESS; }
-
-#include "prlock.h"
-#include "fmutex.h"
-PR_IMPLEMENT(PRLock *)
-PR_NewLock(void) {
- PRLock *lock = NULL;
-
- FMUTEX_Create(&lock);
-
- /* if we don't have a lock, FMUTEX can deal with things */
- if (lock == NULL) lock=(PRLock *) 1;
- return lock;
-}
-
-PR_IMPLEMENT(void)
-PR_DestroyLock(PRLock *lock) {
- FMUTEX_Destroy(lock);
-}
-
-PR_IMPLEMENT(void)
-PR_Lock(PRLock *lock) {
- FMUTEX_Lock(lock);
-}
-
-PR_IMPLEMENT(PRStatus)
-PR_Unlock(PRLock *lock) {
- FMUTEX_Unlock(lock);
- return PR_SUCCESS;
-}
-
-/* this implementation is here to satisfy the PRMonitor use in plarena.c.
-** It appears that it doesn't need re-entrant locks. It could have used
-** PRLock instead of PRMonitor. So, this implementation just uses
-** PRLock for a PRMonitor.
-*/
-PR_IMPLEMENT(PRMonitor*)
-PR_NewMonitor(void)
-{
- return (PRMonitor *) PR_NewLock();
-}
-
-
-PR_IMPLEMENT(void)
-PR_EnterMonitor(PRMonitor *mon)
-{
- PR_Lock( (PRLock *)mon );
-}
-
-PR_IMPLEMENT(PRStatus)
-PR_ExitMonitor(PRMonitor *mon)
-{
- return PR_Unlock( (PRLock *)mon );
-}
-
-#include "prinit.h"
-
-/* This is NOT threadsafe. It is merely a pseudo-functional stub.
-*/
-PR_IMPLEMENT(PRStatus) PR_CallOnce(
- PRCallOnceType *once,
- PRCallOnceFN func)
-{
- /* This is not really atomic! */
- if (1 == PR_AtomicIncrement(&once->initialized)) {
- once->status = (*func)();
- } else {
- /* Should wait to be sure that func has finished before returning. */
- }
- return once->status;
-}
-
-
-/*
-** Compute the log of the least power of 2 greater than or equal to n
-*/
-PRIntn PR_CeilingLog2(PRUint32 i) {
- PRIntn log2;
- PR_CEILING_LOG2(log2,i);
- return log2;
-}
-
-/********************** end of arena functions ***********************/
-
diff --git a/security/nss/lib/fortcrypt/swfort/swfalg.c b/security/nss/lib/fortcrypt/swfort/swfalg.c
deleted file mode 100644
index 6f8ab9f6c..000000000
--- a/security/nss/lib/fortcrypt/swfort/swfalg.c
+++ /dev/null
@@ -1,506 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Software implementation of FORTEZZA skipjack primatives
- */
-#include "maci.h"
-#include "seccomon.h"
-#include "swforti.h"
-
-/*
- * Xor the IV into the plaintext buffer either just before encryption, or
- * just after decryption.
- */
-static void
-fort_XorIV(unsigned char *obuffer, unsigned char *buffer, unsigned char *iv) {
- int i;
-#ifdef USE_INT32
- if ((buffer & 0x3) == 0) && ((iv & 0x3) == 0)) {
- int32 *ibuffer = (int32 *)buffer;
- int32 *iobuffer = (int32 *)obuffer;
- int32 *iiv = (int32 *)iv;
-
- iobuffer[0] = ibuffer[0] ^ iiv[0];
- iobuffer[1] = ibuffer[1] ^ iiv[1];
- return;
- }
-#endif
-
- for (i=0; i < SKIPJACK_BLOCK_SIZE; i++) {
- obuffer[i] = buffer[i] ^ iv[i];
- }
-}
-
-
-/* the F-table for Skipjack */
-unsigned char F[256] = {
- 0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4,
- 0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9,
- 0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e,
- 0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28,
- 0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68,
- 0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53,
- 0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19,
- 0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2,
- 0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b,
- 0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8,
- 0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0,
- 0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90,
- 0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69,
- 0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76,
- 0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20,
- 0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d,
- 0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43,
- 0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18,
- 0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa,
- 0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4,
- 0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87,
- 0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40,
- 0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b,
- 0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5,
- 0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0,
- 0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2,
- 0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1,
- 0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8,
- 0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5,
- 0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac,
- 0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3,
- 0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46
-};
-
-typedef unsigned char fort_keysched[32*4];
-
-/* do the key schedule work once for efficency */
-static void
-fort_skipKeySchedule(FORTSkipjackKeyPtr key,fort_keysched keysched)
-{
- unsigned char *keyptr = key;
- unsigned char *first = keyptr +sizeof(FORTSkipjackKey)-1;
- int i;
-
- keyptr = first;
-
- for (i=0; i < (32*4); i++) {
- keysched[i] = *keyptr--;
- if (keyptr < key) keyptr = first;
- }
- return;
-}
-
-static void
-fort_clearShedule(fort_keysched keysched)
-{
- PORT_Memset(keysched, 0, sizeof(keysched));
-}
-
-
-static unsigned int
-G(fort_keysched cv, int k, unsigned int wordIn)
-{
- unsigned char g1, g2, g3, g4, g5, g6;
-
- g1 = (unsigned char) (wordIn >> 8) & 0xff;
- g2 = (unsigned char) wordIn & 0xff;
-
- g3 = F[g2^cv[4*k]]^g1;
- g4 = F[g3^cv[4*k+1]]^g2;
- g5 = F[g4^cv[4*k+2]]^g3;
- g6 = F[g5^cv[4*k+3]]^g4;
-
- return ((g5<<8)+g6);
-}
-
-static unsigned int
-G1(fort_keysched cv, int k, unsigned int wordIn)
-{
- unsigned char g1, g2, g3, g4, g5, g6;
-
- g5 = (unsigned char) (wordIn >> 8) & 0xff;
- g6 = (unsigned char) wordIn & 0xff;
-
- g4 = F[g5^cv[4*k+3]]^g6;
- g3 = F[g4^cv[4*k+2]]^g5;
- g2 = F[g3^cv[4*k+1]]^g4;
- g1 = F[g2^cv[4*k]]^g3;
-
- return ((g1<<8)+g2);
-}
-
-static void
-ruleA(fort_keysched cv,int round,unsigned int *w)
-{
- unsigned int w4;
- int i;
-
- for(i=0; i<8; i++) {
- int k = round*16+i;
- int counter = k+1;
-
- w4 = w[4];
- w[4] = w[3];
- w[3] = w[2];
- w[2] = G(cv,k,w[1]);
- w[1] = G(cv,k,w[1]) ^ w4 ^ counter;
- }
- return;
-}
-
-static void
-ruleB(fort_keysched cv,int round,unsigned int *w)
-{
- unsigned int w4;
- int i;
-
- for(i=0; i<8; i++) {
- int k = round*16+i+8;
- int counter = k+1;
-
- w4 = w[4];
- w[4] = w[3];
- w[3] = w[1] ^ w[2] ^ counter;
- w[2] = G(cv,k,w[1]);
- w[1] = w4;
- }
- return;
-}
-
-static void
-ruleA1(fort_keysched cv,int round,unsigned int *w)
-{
- unsigned int w4;
- int i;
-
- for(i=7; i>=0; i--) {
- int k = round*16+i;
- int counter = k+1;
-
- w4 = w[4];
- w[4] = w[1] ^ w[2] ^ counter;
- w[1] = G1(cv,k,w[2]);
- w[2] = w[3];
- w[3] = w4;
- }
- return;
-}
-
-static void
-ruleB1(fort_keysched cv,int round,unsigned int *w)
-{
- unsigned int w4;
- int i;
-
- for(i=7; i>=0; i--) {
- int k = round*16+i+8;
- int counter = k+1;
-
- w4 = w[4];
- w[4] = w[1];
- w[1] = G1(cv,k,w[2]);
- w[2] = G1(cv,k,w[2]) ^ w[3] ^ counter;
- w[3] = w4;
- }
- return;
-}
-
-
-static void
-fort_doskipD(fort_keysched cv,unsigned char *cipherIn,
- unsigned char *plainOut) {
- unsigned int w[5]; /* ignore w[0] so the code matches the doc */
-
- /* initial byte swap */
- w[1]=(cipherIn[7]<<8)+cipherIn[6];
- w[2]=(cipherIn[5]<<8)+cipherIn[4];
- w[3]=(cipherIn[3]<<8)+cipherIn[2];
- w[4]=(cipherIn[1]<<8)+cipherIn[0];
-
- ruleB1(cv,1,w);
- ruleA1(cv,1,w);
- ruleB1(cv,0,w);
- ruleA1(cv,0,w);
-
- /* final byte swap */
- plainOut[0] = w[4] & 0xff;
- plainOut[1] = (w[4] >> 8) & 0xff;
- plainOut[2] = w[3] & 0xff;
- plainOut[3] = (w[3] >> 8) & 0xff;
- plainOut[4] = w[2] & 0xff;
- plainOut[5] = (w[2] >> 8) & 0xff;
- plainOut[6] = w[1] & 0xff;
- plainOut[7] = (w[1] >> 8) & 0xff;
- return;
-}
-
-static void
-fort_doskipE(fort_keysched cv,unsigned char *cipherIn,
- unsigned char *plainOut) {
- unsigned int w[5]; /* ignore w[0] so the code matches the doc */
-
- /* initial byte swap */
- w[1]=(cipherIn[7]<<8)+cipherIn[6];
- w[2]=(cipherIn[5]<<8)+cipherIn[4];
- w[3]=(cipherIn[3]<<8)+cipherIn[2];
- w[4]=(cipherIn[1]<<8)+cipherIn[0];
-
- ruleA(cv,0,w);
- ruleB(cv,0,w);
- ruleA(cv,1,w);
- ruleB(cv,1,w);
-
- /* final byte swap */
- plainOut[0] = w[4] & 0xff;
- plainOut[1] = (w[4] >> 8) & 0xff;
- plainOut[2] = w[3] & 0xff;
- plainOut[3] = (w[3] >> 8) & 0xff;
- plainOut[4] = w[2] & 0xff;
- plainOut[5] = (w[2] >> 8) & 0xff;
- plainOut[6] = w[1] & 0xff;
- plainOut[7] = (w[1] >> 8) & 0xff;
- return;
-}
-
-/* Checksums are calculated by encrypted a fixed string with the key, then
- * taking 16 bytes of the result from the block */
-static int
-fort_CalcKeyChecksum(FORTSkipjackKeyPtr key, unsigned char *sum) {
- unsigned char ckdata[8] = {
- 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 };
- unsigned char ckres[8];
- fort_keysched keysched;
-
-
- fort_skipKeySchedule(key,keysched);
-
- fort_doskipE(keysched,ckdata,ckres);
- fort_clearShedule(keysched);
- PORT_Memcpy(sum,&ckres[1],2);
- return CI_OK;
-}
-
-/* These function actually implements skipjack CBC Decrypt */
-int
-fort_skipjackDecrypt(FORTSkipjackKeyPtr key, unsigned char *iv,
- unsigned long size, unsigned char *cipherIn,
- unsigned char *plainOut) {
- unsigned char ivdata1[SKIPJACK_BLOCK_SIZE];
- unsigned char ivdata2[SKIPJACK_BLOCK_SIZE];
- unsigned char *lastiv, *nextiv, *tmpiv;
- fort_keysched keysched;
-
- /* do the key schedule work once for efficency */
- fort_skipKeySchedule(key,keysched);
-
- /* As we decrypt, we need to save the last block so that we can
- * Xor it out of decrypted text to get the real plain text. We actually
- * have to save it because cipherIn and plainOut may point to the same
- * buffer. */
- lastiv =ivdata1;
- nextiv = ivdata2;
- PORT_Memcpy(lastiv,iv,SKIPJACK_BLOCK_SIZE);
- while (size >= SKIPJACK_BLOCK_SIZE) {
- /* save the IV for the next block */
- PORT_Memcpy(nextiv,cipherIn,SKIPJACK_BLOCK_SIZE);
- fort_doskipD(keysched,cipherIn,plainOut);
- /* xor out the last IV */
- fort_XorIV(plainOut,plainOut,lastiv);
-
- /* swap the IV buffers */
- tmpiv = lastiv;
- lastiv = nextiv;
- nextiv =tmpiv;
-
- /* increment the loop pointers... be sure to get the input, output,
- * and size (decrement) each fortdoskipD operates on an entire block*/
- cipherIn += SKIPJACK_BLOCK_SIZE;
- plainOut += SKIPJACK_BLOCK_SIZE;
- size -= SKIPJACK_BLOCK_SIZE;
- }
- fort_clearShedule(keysched); /* don't leave the key lying around the stack*/
- if (size != 0) return CI_INV_SIZE;
- return CI_OK;
-}
-
-/* These function actually implements skipjack CBC Encrypt */
-int
-fort_skipjackEncrypt(FORTSkipjackKeyPtr key, unsigned char *iv,
- unsigned long size, unsigned char *plainIn,
- unsigned char *cipherOut) {
- unsigned char *tmpiv;
- fort_keysched keysched;
- unsigned char plain[SKIPJACK_BLOCK_SIZE];
-
- fort_skipKeySchedule(key,keysched);
- tmpiv = iv;
- while (size >= SKIPJACK_BLOCK_SIZE) {
- /* We Xor into a temp buffer because we don't want to modify plainIn,
- * doing so may make the caller very unhappy:). */
- fort_XorIV(plain,plainIn,tmpiv);
- fort_doskipE(keysched,plain,cipherOut);
- tmpiv = cipherOut;
- cipherOut += SKIPJACK_BLOCK_SIZE;
- plainIn += SKIPJACK_BLOCK_SIZE;
- size -= SKIPJACK_BLOCK_SIZE;
- }
- fort_clearShedule(keysched); /* don't leave the key lying around the stack*/
- if (size != 0) return CI_INV_SIZE;
- return CI_OK;
-}
-
-
-
-/*
- * unwrap is used for key generation and mixing
- */
-int
-fort_skipjackUnwrap(FORTSkipjackKeyPtr key,unsigned long len,
- unsigned char *cipherIn, unsigned char *plainOut) {
- unsigned char low[10];
- fort_keysched keysched;
- int i,ret;
-
- /* unwrap can only unwrap 80 bit symetric keys and 160 private keys
- * sometimes these values have checksums. When they do, we should verify
- * those checksums. */
- switch (len) {
- case 20: /* private key */
- case 24: /* private key with checksum */
- ret = fort_skipjackUnwrap(key,len/2,cipherIn,plainOut);
- if (ret != CI_OK) return ret;
- ret = fort_skipjackUnwrap(key,len/2,&cipherIn[len/2],low);
-
- /* unmunge the low word */
- for (i=0; i < 10; i++) {
- low[i] = low[i] ^ plainOut[i];
- }
-
- /* the unwrap will fail above because the checkword is on
- * low, not low ^ high.
- */
- if (ret == CI_CHECKWORD_FAIL) {
- unsigned char checksum[2];
-
- ret = fort_CalcKeyChecksum(low,checksum);
- if (ret != CI_OK) return ret;
- if (PORT_Memcmp(checksum,&cipherIn[len-2],2) != 0) {
- return CI_CHECKWORD_FAIL;
- }
- }
- if (ret != CI_OK) return ret;
-
- /* re-order the low word */
- PORT_Memcpy(&plainOut[10],&low[8],2);
- PORT_Memcpy(&plainOut[12],&low[0],8);
- return CI_OK;
- case 10: /* 80 bit skipjack key */
- case 12: /* 80 bit skipjack key with checksum */
- fort_skipKeySchedule(key,keysched);
- fort_doskipD(keysched,cipherIn,plainOut);
- plainOut[8] = cipherIn[8] ^ plainOut[0];
- plainOut[9] = cipherIn[9] ^ plainOut[1];
- fort_doskipD(keysched,plainOut,plainOut);
- fort_clearShedule(keysched);
- /* if we have a checkum, verify it */
- if (len == 12) {
- unsigned char checksum[2];
-
- ret = fort_CalcKeyChecksum(plainOut,checksum);
- if (ret != CI_OK) return ret;
- if (PORT_Memcmp(checksum,&cipherIn[10],2) != 0) {
- return CI_CHECKWORD_FAIL;
- }
- }
- return CI_OK;
- default:
- break;
- }
- return CI_INV_SIZE;
-}
-
-/*
- * unwrap is used for key generation and mixing
- */
-int
-fort_skipjackWrap(FORTSkipjackKeyPtr key,unsigned long len,
- unsigned char *plainIn, unsigned char *cipherOut) {
- unsigned char low[10];
- unsigned char checksum[2];
- fort_keysched keysched;
- int i,ret;
-
-
- /* NOTE: length refers to the target in the case of wrap */
- /* Wrap can only Wrap 80 bit symetric keys and 160 private keys
- * sometimes these values have checksums. When they do, we should verify
- * those checksums. */
- switch (len) {
- case 20: /* private key */
- case 24: /* private key with checksum */
- /* re-order the low word */
- PORT_Memcpy(&low[8],&plainIn[10],2);
- PORT_Memcpy(&low[0],&plainIn[12],8);
- if (len == 24) {
- ret = fort_CalcKeyChecksum(low,checksum);
- if (ret != CI_OK) return ret;
- }
- /* munge the low word */
- for (i=0; i < 10; i++) {
- low[i] = low[i] ^ plainIn[i];
- }
- ret = fort_skipjackWrap(key,len/2,plainIn,cipherOut);
- ret = fort_skipjackWrap(key,len/2,low,&cipherOut[len/2]);
- if (len == 24) {
- PORT_Memcpy(&cipherOut[len - 2], checksum, sizeof(checksum));
- }
-
- return CI_OK;
- case 10: /* 80 bit skipjack key */
- case 12: /* 80 bit skipjack key with checksum */
-
- fort_skipKeySchedule(key,keysched);
- fort_doskipE(keysched,plainIn,cipherOut);
- cipherOut[8] = plainIn[8] ^ cipherOut[0];
- cipherOut[9] = plainIn[9] ^ cipherOut[1];
- fort_doskipE(keysched,cipherOut,cipherOut);
- fort_clearShedule(keysched);
- /* if we need a checkum, get it */
- if (len == 12) {
- ret = fort_CalcKeyChecksum(plainIn,&cipherOut[10]);
- if (ret != CI_OK) return ret;
- }
- return CI_OK;
- default:
- break;
- }
- return CI_INV_SIZE;
-}
-
diff --git a/security/nss/lib/fortcrypt/swfort/swflib.c b/security/nss/lib/fortcrypt/swfort/swflib.c
deleted file mode 100644
index cc4647006..000000000
--- a/security/nss/lib/fortcrypt/swfort/swflib.c
+++ /dev/null
@@ -1,1028 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * implement the MACI calls as Software Fortezza Calls.
- * only do the ones Nescape Needs. This provides a single software slot,
- * with 100 key registers, and 50 backup Ra private registers. Since we only
- * create one session per slot, this implementation only uses one session.
- * One future enhancement may be to try to improve on this for better threading
- * support.
- */
-
-#include "prtypes.h"
-#include "prio.h"
-
-#include "swforti.h"
-#include "keytlow.h"
-/* #include "dh.h" */
-#include "blapi.h"
-#include "maci.h"
-/* #include "dsa.h" */
-/* #include "hasht.h" */
-#include "secitem.h"
-#include "secrng.h"
-#include "keylow.h"
-#include "secder.h"
-
-#ifdef XP_UNIX
-#include <unistd.h>
-#endif
-
-#ifndef O_BINARY
-#define O_BINARY 0
-#endif
-
-
-/* currently we only support one software token. In the future we can use the
- * session to determin which of many possible tokens we are talking about.
- * all the calls which need tokens take a pointer to the software token as a
- * target.
- */
-static FORTSWToken *swtoken = NULL;
-
-#define SOCKET_ID 1
-
-
-/* can't change the pin on SW fortezza for now */
-int
-MACI_ChangePIN(HSESSION session, int PINType, CI_PIN CI_FAR pOldPIN,
- CI_PIN CI_FAR pNewPin)
-{
- return CI_INV_STATE;
-}
-
-
-/*
- * Check pin checks the pin, then logs the user in or out depending on if
- * the pin succedes. The General implementation would support both SSO and
- * User mode our's only needs User mode. Pins are checked by whether or not
- * they can produce our valid Ks for this 'card'.
- */
-int
-MACI_CheckPIN(HSESSION session, int PINType, CI_PIN CI_FAR pin)
-{
- FORTSkipjackKeyPtr Ks;
- FORTSWFile *config_file = NULL;
- FORTSkipjackKey seed;
- unsigned char pinArea[13];
- unsigned char *padPin = NULL;
-
- /* This SW module can only log in as USER */
- if (PINType != CI_USER_PIN) return CI_INV_TYPE;
-
- if (swtoken == NULL) return CI_NO_CARD;
- /* we can't check a pin if we haven't been initialized yet */
- if (swtoken->config_file == NULL) return CI_NO_CARD;
- config_file = swtoken->config_file;
-
- /* Make sure the pin value meets minimum lengths */
- if (PORT_Strlen((char *)pin) < 12) {
- PORT_Memset(pinArea, ' ', sizeof(pinArea));
- PORT_Memcpy(pinArea,pin,PORT_Strlen((char *)pin));
- pinArea[12] = 0;
- padPin = pinArea;
- }
-
- /* get the Ks by unwrapping it from the memphrase with the pbe generated
- * from the pin */
- Ks = fort_CalculateKMemPhrase(config_file,
- &config_file->fortezzaPhrase, (char *)pin, NULL);
-
- if (Ks == 0) {
- Ks = fort_CalculateKMemPhrase(config_file,
- &config_file->fortezzaPhrase, (char *)padPin, NULL);
- if (Ks == 0) {
- PORT_Memset(pinArea, 0, sizeof(pinArea));
- fort_Logout(swtoken);
- return CI_FAIL;
- }
- }
-
- /* use Ks and hash to verify that pin is correct */
- if (! fort_CheckMemPhrase(config_file, &config_file->fortezzaPhrase,
- (char *)pin, Ks) ) {
- if ((padPin == NULL) ||
- ! fort_CheckMemPhrase(config_file, &config_file->fortezzaPhrase,
- (char *)padPin, Ks) ) {
- PORT_Memset(pinArea, 0, sizeof(pinArea));
- fort_Logout(swtoken);
- return CI_FAIL;
- }
- }
-
- PORT_Memset(pinArea, 0, sizeof(pinArea));
-
-
- /* OK, add the random Seed value into the random number generator */
- fort_skipjackUnwrap(Ks,config_file->wrappedRandomSeed.len,
- config_file->wrappedRandomSeed.data,seed);
- RNG_RandomUpdate(seed,sizeof(seed));
-
- /* it is, go ahead and log in */
- swtoken->login = PR_TRUE;
- /* Ks is always stored in keyReg[0] when we log in */
- PORT_Memcpy(swtoken->keyReg[0].data, Ks, sizeof (FORTSkipjackKey));
- swtoken->keyReg[0].present = PR_TRUE;
- PORT_Memset(Ks, 0, sizeof(FORTSkipjackKey));
- PORT_Free(Ks);
-
-
- return CI_OK;
-}
-
-/*
- * close an open socket. Power_Down flag is set when we want to reset the
- * cards complete state.
- */
-int
-MACI_Close(HSESSION session, unsigned int flags, int socket)
-{
- if (socket != SOCKET_ID) return CI_BAD_CARD;
- if (swtoken == NULL) return CI_BAD_CARD;
-
- if (flags == CI_POWER_DOWN_FLAG) {
- fort_Logout(swtoken);
- }
- return CI_OK;
-}
-
-/*
- * Decrypt keeps track of it's own IV.
- */
-int
-MACI_Decrypt(HSESSION session, unsigned int size, CI_DATA cipherIn,
- CI_DATA plainOut)
-{
- int ret;
- unsigned char IV[SKIPJACK_BLOCK_SIZE];
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,swtoken->key,PR_TRUE)) != CI_OK) return ret;
-
- /*fort_AddNoise();*/
-
- /* save the IV, before we potentially trash the new one when we decrypt.
- * (it's permissible to decrypt into the cipher text buffer by passing the
- * same buffers for both cipherIn and plainOut.
- */
- PORT_Memcpy(IV,swtoken->IV, sizeof(IV));
- fort_UpdateIV(cipherIn,size,swtoken->IV);
- return fort_skipjackDecrypt(swtoken->keyReg[swtoken->key].data,
- IV,size,cipherIn,plainOut);
-}
-
-/*
- * Clear a key from one of the key registers (indicated by index).
- * return an error if no key exists.
- */
-int
-MACI_DeleteKey(HSESSION session, int index)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
-
- /* can't delete Ks */
- if (index == 0) return CI_INV_KEY_INDEX;
-
- if ((ret = fort_KeyOK(swtoken,index,PR_TRUE)) != CI_OK) return ret;
- fort_ClearKey(&swtoken->keyReg[index]);
- return CI_OK;
-}
-
-
-/*
- * encrypt some blocks of data and update the IV.
- */
-int
-MACI_Encrypt(HSESSION session, unsigned int size, CI_DATA plainIn,
- CI_DATA cipherOut)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,swtoken->key,PR_TRUE)) != CI_OK) return ret;
-
- /*fort_AddNoise();*/
-
- ret = fort_skipjackEncrypt(swtoken->keyReg[swtoken->key].data,
- swtoken->IV,size,plainIn,cipherOut);
- fort_UpdateIV(cipherOut,size,swtoken->IV);
-
- return ret;
-
-}
-
-/*
- * create a new IV and encode it.
- */
-
-static char *leafbits="THIS IS NOT LEAF";
-
-int
-MACI_GenerateIV(HSESSION Session, CI_IV CI_FAR pIV)
-{
- int ret;
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,swtoken->key,PR_TRUE)) != CI_OK) return ret;
-
- ret = fort_GenerateRandom(swtoken->IV,SKIPJACK_BLOCK_SIZE);
- if (ret != CI_OK) return ret;
-
- PORT_Memcpy(pIV,leafbits,SKIPJACK_LEAF_SIZE);
- PORT_Memcpy(&pIV[SKIPJACK_LEAF_SIZE],swtoken->IV,SKIPJACK_BLOCK_SIZE);
-
- return CI_OK;
-}
-
-
-/*
- * create a new Key
- */
-int
-MACI_GenerateMEK(HSESSION session, int index, int reserved)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,index,PR_FALSE)) != CI_OK) return ret;
-
- ret = fort_GenerateRandom(swtoken->keyReg[index].data,
- sizeof (swtoken->keyReg[index].data));
- if (ret == CI_OK) swtoken->keyReg[index].present = PR_TRUE;
-
- return ret;
-}
-
-/*
- * build a new Ra/ra pair for a KEA exchange.
- */
-int
-MACI_GenerateRa(HSESSION session, CI_RA CI_FAR pRa)
-{
- int ret;
- int counter;
- int RaLen,raLen;
- DSAPrivateKey *privKey = NULL;
- PQGParams params;
- SECStatus rv;
- int crv = CI_EXEC_FAIL;
- fortSlotEntry *certEntry = NULL;
- unsigned char *unsignedRa = NULL;
- unsigned char *unsignedra = NULL;
- fortKeyInformation *key_info = NULL;
-
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- /* make sure the personality is set */
- if (swtoken->certIndex == 0) return CI_INV_STATE;
-
- /* pick next Ra circular buffer */
- counter = swtoken->nextRa;
- swtoken->nextRa++;
- if (swtoken->nextRa >= MAX_RA_SLOTS) swtoken->nextRa = 0;
-
- /* now get the params for diffie -helman key gen */
- certEntry = fort_GetCertEntry(swtoken->config_file,swtoken->certIndex);
- if (certEntry == NULL) return CI_INV_CERT_INDEX;
- if (certEntry->exchangeKeyInformation) {
- key_info = certEntry->exchangeKeyInformation;
- } else {
- key_info = certEntry->signatureKeyInformation;
- }
- if (key_info == NULL) return CI_NO_X;
-
- /* Generate Diffie Helman key Pair -- but we use DSA key gen to do it */
- rv = SECITEM_CopyItem(NULL,&params.prime,&key_info->p);
- if (rv != SECSuccess) return CI_EXEC_FAIL;
- rv = SECITEM_CopyItem(NULL,&params.subPrime,&key_info->q);
- if (rv != SECSuccess) return CI_EXEC_FAIL;
- rv = SECITEM_CopyItem(NULL,&params.base,&key_info->g);
- if (rv != SECSuccess) return CI_EXEC_FAIL;
-
- /* KEA uses DSA like key generation with short DSA keys that have to
- * maintain a relationship to q */
- rv = DSA_NewKey(&params, &privKey);
- SECITEM_FreeItem(&params.prime,PR_FALSE);
- SECITEM_FreeItem(&params.subPrime,PR_FALSE);
- SECITEM_FreeItem(&params.base,PR_FALSE);
- if (rv != SECSuccess) return CI_EXEC_FAIL;
-
- /* save private key, public key, and param in Ra Circular buffer */
- unsignedRa = privKey->publicValue.data;
- RaLen = privKey->publicValue.len;
- while ((unsignedRa[0] == 0) && (RaLen > CI_RA_SIZE)) {
- unsignedRa++;
- RaLen--;
- }
- if (RaLen > CI_RA_SIZE) goto loser;
-
- unsignedra = privKey->privateValue.data;
- raLen = privKey->privateValue.len;
- while ((unsignedra[0] == 0) && (raLen > sizeof(fortRaPrivate))) {
- unsignedra++;
- raLen--;
- }
-
- if (raLen > sizeof(fortRaPrivate)) goto loser;
-
- PORT_Memset(swtoken->RaValues[counter].private, 0, sizeof(fortRaPrivate));
- PORT_Memcpy(
- &swtoken->RaValues[counter].private[sizeof(fortRaPrivate) - raLen],
- unsignedra, raLen);
- PORT_Memset(pRa, 0, CI_RA_SIZE);
- PORT_Memcpy(&pRa[CI_RA_SIZE-RaLen], unsignedRa, RaLen);
- PORT_Memcpy(swtoken->RaValues[counter].public, pRa, CI_RA_SIZE);
- crv = CI_OK;
-
-loser:
- PORT_FreeArena(privKey->params.arena, PR_TRUE);
-
- return crv;
-}
-
-
-/*
- * return some random data.
- */
-int
-MACI_GenerateRandom(HSESSION session, CI_RANDOM CI_FAR random)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_FALSE)) != CI_OK) return ret;
- return fort_GenerateRandom(random,sizeof (CI_RANDOM));
-}
-
-
-static CI_RA Remail = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
-};
-
-/*
- * build a new Token exchange key using KEA.
- */
-int
-MACI_GenerateTEK(HSESSION hSession, int flags, int target,
- CI_RA CI_FAR Ra, CI_RA CI_FAR Rb, unsigned int YSize, CI_Y CI_FAR pY )
-{
- SECKEYLowPrivateKey *key = NULL;
- fortSlotEntry * certEntry;
- unsigned char * w = NULL;
- SECItem *q;
- SECStatus rv;
- int ret,i;
- PRBool email = PR_TRUE;
- SECItem R; /* public */
- SECItem Y; /* public */
- SECItem r; /* private */
- SECItem x; /* private */
- SECItem wItem; /* derived secret */
- fortRaPrivatePtr ra;
- FORTSkipjackKey cover_key;
-
- unsigned char pad[10] = { 0x72, 0xf1, 0xa8, 0x7e, 0x92,
- 0x82, 0x41, 0x98, 0xab, 0x0b };
-
- /* verify that everything is ok with the token, keys and certs */
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- /* make sure the personality is set */
- if (swtoken->certIndex == 0) return CI_INV_STATE;
- if ((ret = fort_KeyOK(swtoken,target,PR_FALSE)) != CI_OK) return ret;
-
- /* get the cert from the entry, then look up the key from that cert */
- certEntry = fort_GetCertEntry(swtoken->config_file,swtoken->certIndex);
- if (certEntry == NULL) return CI_INV_CERT_INDEX;
- key = fort_GetPrivKey(swtoken,dhKey,certEntry);
- if (key == NULL) return CI_NO_X;
-
- if (certEntry->exchangeKeyInformation) {
- q = &certEntry->exchangeKeyInformation->q;
- } else {
- q = &certEntry->signatureKeyInformation->q;
- }
-
- email = (PORT_Memcmp(Rb,Remail,sizeof(Rb)) == 0) ? PR_TRUE: PR_FALSE;
-
-
- /* load the common elements */
- Y.data = pY;
- Y.len = YSize;
- x.data = key->u.dh.privateValue.data;
- x.len = key->u.dh.privateValue.len;
-
- /* now initialize the rest of the values */
- if (flags == CI_INITIATOR_FLAG) {
- if (email) {
- R.data = Y.data;
- R.len = Y.len;
- } else {
- R.data = Rb;
- R.len = sizeof(CI_RA);
- }
- ra = fort_LookupPrivR(swtoken,Ra);
- if (ra == NULL) {
- ret = CI_EXEC_FAIL;
- goto loser;
- }
- r.data = ra;
- r.len = sizeof(fortRaPrivate);
- } else {
- R.data = Ra;
- R.len = sizeof(CI_RA);
- if (email) {
- r.data = x.data;
- r.len = x.len;
- } else {
- ra = fort_LookupPrivR(swtoken,Rb);
- if (ra == NULL) {
- ret = CI_EXEC_FAIL;
- goto loser;
- }
- r.data = ra;
- r.len = sizeof(fortRaPrivate);
- }
- }
-
-
- if (!KEA_Verify(&Y,&key->u.dh.prime,q)) {
- ret = CI_EXEC_FAIL;
- goto loser;
- }
- if (!KEA_Verify(&R,&key->u.dh.prime,q)) {
- ret = CI_EXEC_FAIL;
- goto loser;
- }
-
- /* calculate the base key */
- rv = KEA_Derive(&key->u.dh.prime, &Y, &R, &r, &x, &wItem);
- if (rv != SECSuccess) {
- ret = CI_EXEC_FAIL;
- goto loser;
- }
-
- w = wItem.data;
- /* use the skipjack wrapping function to 'mix' the key up */
- for (i=0; i < sizeof(FORTSkipjackKey); i++)
- cover_key[i] = pad[i] ^ w[i];
-
- ret = fort_skipjackWrap(cover_key,sizeof(FORTSkipjackKey),
- &w[sizeof(FORTSkipjackKey)],swtoken->keyReg[target].data);
- if (ret != CI_OK) goto loser;
-
- swtoken->keyReg[target].present = PR_TRUE;
-
- ret = CI_OK;
-loser:
- if (w) PORT_Free(w);
- if (key) SECKEY_LowDestroyPrivateKey(key);
-
- return ret;
-}
-
-
-/*
- * return the bytes of a certificate.
- */
-int
-MACI_GetCertificate(HSESSION hSession, int certIndex,
- CI_CERTIFICATE CI_FAR cert)
-{
- int len;
- int ret;
- fortSlotEntry *certEntry = NULL;
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
-
- certEntry = fort_GetCertEntry(swtoken->config_file,certIndex);
- if (certEntry == NULL) return CI_INV_CERT_INDEX;
-
- len = certEntry->certificateData.dataEncryptedWithKs.len;
- PORT_Memset(cert,0,sizeof(CI_CERTIFICATE));
- PORT_Memcpy(cert, certEntry->certificateData.dataEncryptedWithKs.data,len);
-
- /* Ks is always stored in keyReg[0] when we log in */
- return fort_skipjackDecrypt(swtoken->keyReg[0].data,
- &certEntry->certificateData.dataIV.data[SKIPJACK_LEAF_SIZE],
- len,cert,cert);
-}
-
-
-/*
- * return out sofware configuration bytes. Those field not used by the PKCS #11
- * module may not be filled in exactly.
- */
-#define NETSCAPE "Netscape Communications Corp "
-#define PRODUCT "Netscape Software FORTEZZA Lib "
-#define SOFTWARE "Software FORTEZZA Implementation"
-
-int
-MACI_GetConfiguration(HSESSION hSession, CI_CONFIG_PTR config)
-{
- config->LibraryVersion = 0x0100;
- config->ManufacturerVersion = 0x0100;
- PORT_Memcpy(config->ManufacturerName,NETSCAPE,sizeof(NETSCAPE));
- PORT_Memcpy(config->ProductName,PRODUCT,sizeof(PRODUCT));
- PORT_Memcpy(config->ProcessorType,SOFTWARE,sizeof(SOFTWARE));
- config->UserRAMSize = 0;
- config->LargestBlockSize = 0x10000;
- config->KeyRegisterCount = KEY_REGISTERS;
- config->CertificateCount =
- swtoken ? fort_GetCertCount(swtoken->config_file): 0;
- config->CryptoCardFlag = 0;
- config->ICDVersion = 0;
- config->ManufacturerSWVer = 0x0100;
- config->DriverVersion = 0x0100;
- return CI_OK;
-}
-
-/*
- * return a list of all the personalities (up to the value 'EntryCount')
- */
-int
-MACI_GetPersonalityList(HSESSION hSession, int EntryCount,
- CI_PERSON CI_FAR personList[])
-{
- int count;
- int i,ret;
- FORTSWFile *config_file = NULL;
- unsigned char tmp[32];
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- config_file = swtoken->config_file;
-
- /* search for the index */
- count= fort_GetCertCount(config_file);
-
- /* don't return more than the user asked for */
- if (count > EntryCount) count = EntryCount;
- for (i=0; i < count ;i ++) {
- int len, dataLen;
- personList[i].CertificateIndex =
- config_file->slotEntries[i]->certIndex;
- len = config_file->slotEntries[i]->certificateLabel.
- dataEncryptedWithKs.len;
- if (len > sizeof(tmp)) len = sizeof(tmp);
- PORT_Memset(personList[i].CertLabel, ' ',
- sizeof(personList[i].CertLabel));
- PORT_Memcpy(tmp,
- config_file->slotEntries[i]->
- certificateLabel.dataEncryptedWithKs.data,
- len);
- /* Ks is always stored in keyReg[0] when we log in */
- ret = fort_skipjackDecrypt(swtoken->keyReg[0].data,
- &config_file->slotEntries[i]->
- certificateLabel.dataIV.data[SKIPJACK_LEAF_SIZE],len,
- tmp,tmp);
- if (ret != CI_OK) return ret;
- dataLen = DER_GetInteger(&config_file->slotEntries[i]->
- certificateLabel.length);
- if (dataLen > sizeof(tmp)) dataLen = sizeof(tmp);
- PORT_Memcpy(personList[i].CertLabel, tmp, dataLen);
- personList[i].CertLabel[32] = 0;
- personList[i].CertLabel[33] = 0;
- personList[i].CertLabel[34] = 0;
- personList[i].CertLabel[35] = 0;
- }
- return CI_OK;
-}
-
-
-/*
- * get a new session ID. This function is only to make the interface happy,
- * the PKCS #11 module only uses one session per token.
- */
-int
-MACI_GetSessionID(HSESSION *session)
-{
- *session = 1;
- return CI_OK;
-}
-
-/*
- * return the current card state.
- */
-int
-MACI_GetState(HSESSION hSession, CI_STATE_PTR state)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_FALSE)) != CI_OK) return ret;
- *state = fort_GetState(swtoken);
- return CI_OK;
-}
-
-/*
- * return the status. NOTE that KeyRegisterFlags and CertificateFlags are never
- * really used by the PKCS #11 module, so they are not implemented.
- */
-int
-MACI_GetStatus(HSESSION hSession, CI_STATUS_PTR status)
-{
- int ret;
- FORTSWFile *config_file = NULL;
-
- if ((ret = fort_CardExists(swtoken,PR_FALSE)) != CI_OK) return ret;
- config_file = swtoken->config_file;
- status->CurrentSocket = 1;
- status->LockState = swtoken->lock;
- PORT_Memcpy(status->SerialNumber,
- config_file->serialID.data, config_file->serialID.len);
- status->CurrentState = fort_GetState(swtoken);
- status->DecryptionMode = CI_CBC64_MODE;
- status->EncryptionMode = CI_CBC64_MODE;
- status->CurrentPersonality = swtoken->certIndex;
- status->KeyRegisterCount = KEY_REGISTERS;
- /* our code doesn't use KeyRegisters, which is good, because there's not
- * enough of them .... */
- PORT_Memset(status->KeyRegisterFlags,0,sizeof(status->KeyRegisterFlags));
- status->CertificateCount = fort_GetCertCount(config_file);
- PORT_Memset(status->CertificateFlags,0,sizeof(status->CertificateFlags));
- PORT_Memset(status->Flags,0,sizeof(status->Flags));
-
- return CI_OK;
-}
-
-/*
- * add the time call because the PKCS #11 module calls it, but always pretend
- * the clock is bad, so it never uses the returned time.
- */
-int
-MACI_GetTime(HSESSION hSession, CI_TIME CI_FAR time)
-{
- return CI_BAD_CLOCK;
-}
-
-
-/* This function is copied from NSPR so that the PKCS #11 module can be
- * independent of NSPR */
-PRInt32 local_getFileInfo(const char *fn, PRFileInfo *info);
-
-/*
- * initialize the SW module, and return the number of slots we support (1).
- */
-int
-MACI_Initialize(int CI_FAR *count)
-{
- char *filename = NULL;
- SECItem file;
- FORTSignedSWFile *decode_file = NULL;
- PRFileInfo info;
- /*PRFileDesc *fd = NULL;*/
- int fd = -1;
- PRStatus err;
- int ret = CI_OK;
- int fcount;
-
- file.data = NULL;
- file.len = 0;
-
- *count = 1;
-
- /* allocate swtoken structure */
- swtoken = PORT_ZNew(FORTSWToken);
- if (swtoken == NULL) return CI_OUT_OF_MEMORY;
-
- filename = (char *)fort_LookupFORTEZZAInitFile();
- if (filename == NULL) {
- ret = CI_BAD_READ;
- goto failed;
- }
-
- fd = open(filename,O_RDONLY|O_BINARY,0);
- if (fd < 0) {
- ret = CI_BAD_READ;
- goto failed;
- }
-
- err = local_getFileInfo(filename,&info);
- if ((err != 0) || (info.size == 0)) {
- ret = CI_BAD_READ;
- goto failed;
- }
-
- file.data = PORT_ZAlloc(info.size);
- if (file.data == NULL) {
- ret = CI_OUT_OF_MEMORY;
- goto failed;
- }
-
- fcount = read(fd,file.data,info.size);
- close(fd); fd = -1;
- if (fcount != (int)info.size) {
- ret = CI_BAD_READ;
- goto failed;
- }
-
- file.len = fcount;
-
- decode_file = FORT_GetSWFile(&file);
- if (decode_file == NULL) {
- ret = CI_BAD_READ;
- goto failed;
- }
- swtoken->config_file = &decode_file->file;
-
- RNG_SystemInfoForRNG();
- RNG_FileForRNG(filename);
-
-
-failed:
- if (filename) PORT_Free(filename);
- if (fd != -1) close(fd);
- if (file.data) PORT_Free(file.data);
- if (ret != CI_OK) {
- if (decode_file) FORT_DestroySignedSWFile(decode_file);
- if (swtoken) PORT_Free(swtoken);
- swtoken = NULL;
- }
-
- return CI_OK;
-}
-
-/*
- * load an IV from an external source. We technically should check it with the
- * key we received.
- */
-int
-MACI_LoadIV(HSESSION session, CI_IV CI_FAR iv)
-{
- int ret;
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- PORT_Memcpy(swtoken->IV,&iv[SKIPJACK_LEAF_SIZE],SKIPJACK_BLOCK_SIZE);
- return CI_OK;
-}
-
-/* implement token lock (should call PR_Monitor here) */
-int
-MACI_Lock(HSESSION session, int flags)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- swtoken->lock = 1;
-
- return CI_OK;
-}
-
-/* open a token. For software there isn't much to do that hasn't already been
- * done by initialize. */
-int
-MACI_Open(HSESSION session, unsigned int flags, int socket)
-{
- if (socket != SOCKET_ID) return CI_NO_CARD;
- if (swtoken == NULL) return CI_NO_CARD;
- return CI_OK;
-}
-
-/*
- * Reset logs out the token...
- */
-int
-MACI_Reset(HSESSION session)
-{
- if (swtoken) fort_Logout(swtoken);
- return CI_OK;
-}
-
-/*
- * restore and encrypt/decrypt state. NOTE: there is no error checking in this
- * or the save function.
- */
-int
-MACI_Restore(HSESSION session, int type, CI_SAVE_DATA CI_FAR data)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- PORT_Memcpy(swtoken->IV,data, sizeof (swtoken->IV));
- return CI_OK;
-}
-
-/*
- * save and encrypt/decrypt state. NOTE: there is no error checking in this
- * or the restore function.
- */
-int
-MACI_Save(HSESSION session, int type,CI_SAVE_DATA CI_FAR data)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- PORT_Memcpy(data,swtoken->IV, sizeof (swtoken->IV));
- return CI_OK;
-}
-
-/*
- * picks a token to operate against. In our case there can be only one.
- */
-int
-MACI_Select(HSESSION session, int socket)
-{
- if (socket == SOCKET_ID) return CKR_OK;
- return CI_NO_CARD;
-}
-
-/*
- * set a register as the key to use for encrypt/decrypt operations.
- */
-int
-MACI_SetKey(HSESSION session, int index)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,index,PR_TRUE)) != CI_OK) return ret;
-
- swtoken->key = index;
- return CI_OK;
-}
-
-/*
- * only CBC64 is supported. Keep setmode for compatibility */
-int
-MACI_SetMode(HSESSION session, int type, int mode)
-{
- if (mode != CI_CBC64_MODE) return CI_INV_MODE;
- return CI_OK;
-}
-
-/* set the personality to use for sign/verify */
-int
-MACI_SetPersonality(HSESSION session, int cert)
-{
- int ret;
- fortSlotEntry *certEntry = NULL;
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
-
- certEntry = fort_GetCertEntry(swtoken->config_file,cert);
- if ((certEntry == NULL) ||
- ((certEntry->exchangeKeyInformation == NULL) &&
- (certEntry->signatureKeyInformation == NULL)) )
- return CI_INV_CERT_INDEX;
- swtoken->certIndex = cert;
- return CI_OK;
-}
-
-
-/* DSA sign some data */
-int
-MACI_Sign(HSESSION session, CI_HASHVALUE CI_FAR hash, CI_SIGNATURE CI_FAR sig)
-{
- SECKEYLowPrivateKey *key = NULL;
- fortSlotEntry * certEntry = NULL;
- int ret = CI_OK;
- SECStatus rv;
- SECItem signItem;
- SECItem hashItem;
- unsigned char random[DSA_SUBPRIME_LEN];
-
- /* standard checks */
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- /* make sure the personality is set */
- if (swtoken->certIndex == 0) return CI_INV_STATE;
-
- /* get the current personality */
- certEntry = fort_GetCertEntry(swtoken->config_file,swtoken->certIndex);
- if (certEntry == NULL) return CI_INV_CERT_INDEX;
-
- /* extract the private key from the personality */
- ret = CI_OK;
- key = fort_GetPrivKey(swtoken,dsaKey,certEntry);
- if (key == NULL) {
- ret = CI_NO_X;
- goto loser;
- }
-
- /* create a random value for the signature */
- ret = fort_GenerateRandom(random, sizeof(random));
- if (ret != CI_OK) goto loser;
-
- /* Sign with that private key */
- signItem.data = sig;
- signItem.len = DSA_SIGNATURE_LEN;
-
- hashItem.data = hash;
- hashItem.len = SHA1_LENGTH;
-
- rv = DSA_SignDigestWithSeed(&key->u.dsa, &signItem, &hashItem, random);
- if (rv != SECSuccess) {
- ret = CI_EXEC_FAIL;
- }
-
- /* clean up */
-loser:
- if (key != NULL) SECKEY_LowDestroyPrivateKey(key);
-
- return ret;
-}
-
-/*
- * clean up after ourselves.
- */
-int
-MACI_Terminate(HSESSION session)
-{
- if (swtoken == NULL) return CI_OUT_OF_MEMORY;
-
- /* clear all the keys */
- fort_Logout(swtoken);
-
- FORT_DestroySWFile(swtoken->config_file);
- PORT_Free(swtoken);
- swtoken = NULL;
- return CI_OK;
-}
-
-
-
-/* implement token unlock (should call PR_Monitor here) */
-int
-MACI_Unlock(HSESSION session)
-{
- int ret;
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- swtoken->lock = 0;
- return CI_OK;
-}
-
-/*
- * unwrap a key into our software token. NOTE: this function does not
- * verify that the wrapping key is Ks or a TEK. This is because our higher
- * level software doesn't try to wrap MEKs with MEKs. If this API was exposed
- * generically, then we would have to worry about things like this.
- */
-int
-MACI_UnwrapKey(HSESSION session, int wrapKey, int target,
- CI_KEY CI_FAR keyData)
-{
- int ret = CI_OK;
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,target,PR_FALSE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,wrapKey,PR_TRUE)) != CI_OK) return ret;
- ret = fort_skipjackUnwrap(swtoken->keyReg[wrapKey].data,
- sizeof(CI_KEY), keyData, swtoken->keyReg[target].data);
- if (ret != CI_OK) goto loser;
-
- swtoken->keyReg[target].present = PR_TRUE;
-
-loser:
- return ret;
-}
-
-/*
- * Wrap a key out of our software token. NOTE: this function does not
- * verify that the wrapping key is Ks or a TEK, or that the source key is
- * a MEK. This is because our higher level software doesn't try to wrap MEKs
- * with MEKs, or wrap out TEKS and Ks. If this API was exposed
- * generically, then we would have to worry about things like this.
- */
-int
-MACI_WrapKey(HSESSION session, int wrapKey, int source, CI_KEY CI_FAR keyData)
-{
- int ret;
-
- if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,source,PR_TRUE)) != CI_OK) return ret;
- if ((ret = fort_KeyOK(swtoken,wrapKey,PR_TRUE)) != CI_OK) return ret;
- ret = fort_skipjackWrap(swtoken->keyReg[wrapKey].data,
- sizeof(CI_KEY), swtoken->keyReg[source].data,keyData);
-
- return ret;
-}
-
diff --git a/security/nss/lib/fortcrypt/swfort/swfort.h b/security/nss/lib/fortcrypt/swfort/swfort.h
deleted file mode 100644
index d0cefb098..000000000
--- a/security/nss/lib/fortcrypt/swfort/swfort.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Software implementation of FORTEZZA skipjack primatives
- */
-#ifndef _SWFORT_H_
-#define _SWFORT_H_
-
-#include "seccomon.h"
-#include "swfortt.h"
-/*#include "genci.h"*/
-
-
-SEC_BEGIN_PROTOS
-
-FORTSignedSWFile *
-FORT_GetSWFile(SECItem *initBits);
-
-SECStatus
-FORT_CheckInitPhrase(FORTSignedSWFile *sw_init_file, char *initMemPhrase);
-
-SECStatus
-FORT_CheckUserPhrase(FORTSignedSWFile *sw_init_file, char *userMemPhrase);
-
-void
-FORT_DestroySWFile(FORTSWFile *file);
-
-void
-FORT_DestroySignedSWFile(FORTSignedSWFile *swfile);
-
-SECItem *
-FORT_GetDERCert(FORTSignedSWFile *swfile, int index);
-
-SECItem *
-FORT_PutSWFile(FORTSignedSWFile *sw_init_file);
-
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swforti.h b/security/nss/lib/fortcrypt/swfort/swforti.h
deleted file mode 100644
index c2156e2fc..000000000
--- a/security/nss/lib/fortcrypt/swfort/swforti.h
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Software implementation of FORTEZZA Skipjack primatives and helper functions.
- */
-#ifndef _SWFORTI_H_
-#define _SWFORTI_H_
-
-#ifndef RETURN_TYPE
-#define RETURN_TYPE int
-#endif
-
-#include "seccomon.h"
-#include "swfort.h"
-#include "swfortti.h"
-#include "maci.h"
-
-
-SEC_BEGIN_PROTOS
-/*
- * Check to see if the index is ok, and that key is appropriately present or
- * absent.
- */
-int fort_KeyOK(FORTSWToken *token, int index, PRBool isPresent);
-
-/*
- * clear out a key register
- */
-void fort_ClearKey(FORTKeySlot *key);
-
-/*
- * clear out an Ra register
- */
-void fort_ClearRaSlot(FORTRaRegisters *ra);
-
-/*
- * provide a helper function to do all the loggin out functions.
- * NOTE: Logging in only happens in MACI_CheckPIN
- */
-void fort_Logout(FORTSWToken *token);
-
-/*
- * update the new IV value based on the current cipherText (should be the last
- * block of the cipher text).
- */
-int fort_UpdateIV(unsigned char *cipherText, unsigned int size,unsigned char *IV);
-
-
-/*
- * verify that we have a card initialized, and if necessary, logged in.
- */
-int fort_CardExists(FORTSWToken *token,PRBool needLogin);
-
-/*
- * walk down the cert slot entries, counting them.
- * return that count.
- */
-int fort_GetCertCount(FORTSWFile *file);
-
-/*
- * copy an unsigned SECItem to a signed SecItem. (if the high bit is on,
- * pad with a leading 0.
- */
-SECStatus fort_CopyUnsigned(PRArenaPool *arena, SECItem *to, const SECItem *from);
-
-/*
- * NOTE: these keys do not have the public values, and cannot be used to
- * extract the public key from the private key. Since we never do this in
- * this code, and this function is private, we're reasonably safe (as long as
- * any of your callees do not try to extract the public value as well).
- * Also -- the token must be logged in before this function is called.
- */
-SECKEYLowPrivateKey * fort_GetPrivKey(FORTSWToken *token,KeyType keyType,fortSlotEntry *certEntry);
-
-/*
- * find a particulare certificate entry from the config
- * file.
- */
-fortSlotEntry * fort_GetCertEntry(FORTSWFile *file,int index);
-
-/*
- * use the token to termine it's CI_State.
- */
-CI_STATE fort_GetState(FORTSWToken *token);
-
-/*
- * find the private ra value for a given public Ra value.
- */
-fortRaPrivatePtr fort_LookupPrivR(FORTSWToken *token,CI_RA Ra);
-
-/*
- * go add more noise to the random number generator
- */
-void fort_AddNoise(void);
-
-/*
- * Get a random number
- */
-int fort_GenerateRandom(unsigned char *buf, int bytes);
-
-
-/*
- * We're deep in the bottom of MACI and PKCS #11... We need to
- * find our fortezza key file. This function lets us search manual paths to
- * find our key file.
- */
-char *fort_FindFileInPath(char *path, char *fn);
-
-
-char *fort_LookupFORTEZZAInitFile(void);
-
-
-FORTSkipjackKeyPtr fort_CalculateKMemPhrase(FORTSWFile *file,
- fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey);
-
-
-PRBool fort_CheckMemPhrase(FORTSWFile *file,
- fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey);
-
-
-/* These function actually implements skipjack CBC64 Decrypt */
-int fort_skipjackDecrypt(FORTSkipjackKeyPtr key, unsigned char *iv,
- unsigned long size, unsigned char *cipherIn,
- unsigned char *plainOut);
-
-/* These function actually implements skipjack CBC64 Encrypt */
-int fort_skipjackEncrypt(FORTSkipjackKeyPtr key, unsigned char *iv,
- unsigned long size, unsigned char *plainIn,
- unsigned char *cipherOut);
-
-/*
- * unwrap is used for key generation and mixing
- */
-int fort_skipjackUnwrap(FORTSkipjackKeyPtr key,unsigned long len,
- unsigned char *cipherIn, unsigned char *plainOut);
-
-/*
- * unwrap is used for key generation and mixing
- */
-int
-fort_skipjackWrap(FORTSkipjackKeyPtr key,unsigned long len,
- unsigned char *plainIn, unsigned char *cipherOut);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swfortt.h b/security/nss/lib/fortcrypt/swfort/swfortt.h
deleted file mode 100644
index a5ee7b2b5..000000000
--- a/security/nss/lib/fortcrypt/swfort/swfortt.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * All the data structures for Software fortezza are internal only.
- * The external API for Software fortezza is MACI (which is only used by
- * the PKCS #11 module.
- */
-
-#ifndef _SWFORTT_H_
-#define _SWFORTT_H_
-
-/* structure typedefs */
-typedef struct FORTKeySlotStr FORTKeySlot;
-typedef struct FORTRaRegistersStr FORTRaRegisters;
-typedef struct FORTSWTokenStr FORTSWToken;
-
-/* Der parsing typedefs */
-typedef struct fortKeyInformationStr fortKeyInformation;
-typedef struct fortProtectedDataStr fortProtectedData;
-typedef struct fortSlotEntryStr fortSlotEntry;
-typedef struct fortProtectedPhraseStr fortProtectedPhrase;
-typedef struct FORTSWFileStr FORTSWFile;
-typedef struct FORTSignedSWFileStr FORTSignedSWFile;
-
-
-#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swfortti.h b/security/nss/lib/fortcrypt/swfort/swfortti.h
deleted file mode 100644
index 2e6df4250..000000000
--- a/security/nss/lib/fortcrypt/swfort/swfortti.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * All the data structures for Software fortezza are internal only.
- * The external API for Software fortezza is MACI (which is only used by
- * the PKCS #11 module.
- */
-
-#ifndef _SWFORTTI_H_
-#define _SWFORTTI_H_
-
-#include "maci.h"
-#include "seccomon.h"
-#include "mcom_db.h" /* really should be included by certt.h */
-#include "certt.h"
-#include "keyt.h"
-#include "swfortt.h"
-
-/* the following parameters are tunable. The bigger the key registers are,
- * the less likely the PKCS #11 module will thrash. */
-#define KEY_REGISTERS 100
-#define MAX_RA_SLOTS 20
-
-/* SKIPJACK algorithm constants */
-#define SKIPJACK_KEY_SIZE 10
-#define SKIPJACK_BLOCK_SIZE 8
-#define SKIPJACK_LEAF_SIZE 16
-
-/* private typedefs */
-typedef unsigned char FORTSkipjackKey[SKIPJACK_KEY_SIZE];
-typedef unsigned char *FORTSkipjackKeyPtr;
-typedef unsigned char fortRaPrivate[20];
-typedef unsigned char *fortRaPrivatePtr;
-
-/* save a public/private key pair */
-struct FORTRaRegistersStr {
- CI_RA public;
- fortRaPrivate private;
-};
-
-/* FORTEZZA Key Register */
-struct FORTKeySlotStr {
- FORTSkipjackKey data;
- PRBool present;
-};
-
-/* structure to hole private key information */
-struct fortKeyInformationStr {
- SECItem keyFlags;
- SECItem privateKeyWrappedWithKs;
- SECItem derPublicKey;
- SECItem p;
- SECItem g;
- SECItem q;
-};
-
-/* struture to hole Ks wrapped data */
-struct fortProtectedDataStr {
- SECItem length;
- SECItem dataIV;
- SECItem dataEncryptedWithKs;
-};
-
-/* This structure represents a fortezza personality */
-struct fortSlotEntryStr {
- SECItem trusted;
- SECItem certificateIndex;
- int certIndex;
- fortProtectedData certificateLabel;
- fortProtectedData certificateData;
- fortKeyInformation *exchangeKeyInformation;
- fortKeyInformation *signatureKeyInformation;
-};
-
-/* this structure represents a K value wrapped by a protected pin */
-struct fortProtectedPhraseStr {
- SECItem kValueIV;
- SECItem wrappedKValue;
- SECItem memPhraseIV;
- SECItem hashedEncryptedMemPhrase;
-};
-
-
-/* This structure represents all the relevant data stored in a der encoded
- * fortezza slot file. */
-struct FORTSWFileStr {
- PRArenaPool *arena;
- SECItem version;
- SECItem derIssuer;
- SECItem serialID;
- fortProtectedPhrase initMemPhrase;
-#define fortezzaPhrase initMemPhrase
- fortProtectedPhrase ssoMemPhrase;
- fortProtectedPhrase userMemPhrase;
- fortProtectedPhrase ssoPinPhrase;
- fortProtectedPhrase userPinPhrase;
- SECItem wrappedRandomSeed;
- fortSlotEntry **slotEntries;
-};
-
-/* This data structed represents a signed data structure */
-struct FORTSignedSWFileStr {
- FORTSWFile file;
- CERTSignedData signatureWrap;
- FORTSkipjackKeyPtr Kinit;
- FORTSkipjackKeyPtr Ks;
-};
-
-
-/* collect all the data that makes up a token */
-struct FORTSWTokenStr {
- PRBool login; /* has this token been logged in? */
- int lock; /* the current lock state */
- int certIndex; /* index of the current personality */
- int key; /* currently selected key */
- int nextRa; /* where the next Ra/ra pair will go */
- FORTSWFile *config_file; /* parsed Fortezza Config file */
- unsigned char IV[SKIPJACK_BLOCK_SIZE];
- FORTKeySlot keyReg[KEY_REGISTERS]; /* sw fortezza key slots */
- FORTRaRegisters RaValues[MAX_RA_SLOTS]; /* Ra/ra values */
-};
-
-#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swfparse.c b/security/nss/lib/fortcrypt/swfort/swfparse.c
deleted file mode 100644
index e7ad6ffb6..000000000
--- a/security/nss/lib/fortcrypt/swfort/swfparse.c
+++ /dev/null
@@ -1,538 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * The following program decodes the FORTEZZA Init File, and stores the result
- * into the fortezza directory.
- */
-#include "secasn1.h"
-#include "swforti.h"
-#include "blapi.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secder.h"
-
-
-/*
- * templates for parsing the FORTEZZA Init File. These were taken from DER
- * definitions on SWF Initialization File Format Version 1.0 pp1-3.
- */
-
-/* Key info structure... There are up to two of these per slot entry */
-static const SEC_ASN1Template fortKeyInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(fortKeyInformation) },
- { SEC_ASN1_INTEGER,
- offsetof(fortKeyInformation,keyFlags) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortKeyInformation,privateKeyWrappedWithKs) },
- { SEC_ASN1_ANY ,
- offsetof(fortKeyInformation, derPublicKey) },
- { SEC_ASN1_OCTET_STRING, offsetof(fortKeyInformation,p) },
- { SEC_ASN1_OCTET_STRING, offsetof(fortKeyInformation,g) },
- { SEC_ASN1_OCTET_STRING, offsetof(fortKeyInformation,q) },
- { 0 }
-};
-
-/* This is data that has been wrapped by Ks */
-static const SEC_ASN1Template fortProtDataTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(fortProtectedData) },
- { SEC_ASN1_INTEGER,
- offsetof(fortProtectedData,length) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedData,dataIV) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedData,dataEncryptedWithKs) },
- { 0 }
-};
-
-/* DER to describe each Certificate Slot ... there are an arbitrary number */
-static const SEC_ASN1Template fortSlotEntryTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(fortSlotEntry) },
- { SEC_ASN1_BOOLEAN,
- offsetof(fortSlotEntry,trusted) },
- { SEC_ASN1_INTEGER,
- offsetof(fortSlotEntry,certificateIndex) },
- { SEC_ASN1_INLINE,
- offsetof(fortSlotEntry,certificateLabel), fortProtDataTemplate },
- { SEC_ASN1_INLINE,
- offsetof(fortSlotEntry,certificateData), fortProtDataTemplate },
- { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_CONSTRUCTED | 0,
- offsetof(fortSlotEntry, exchangeKeyInformation),
- fortKeyInfoTemplate },
- { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_CONSTRUCTED | 1,
- offsetof(fortSlotEntry, signatureKeyInformation),
- fortKeyInfoTemplate },
- { 0 }
-};
-
-/* This data is used to check MemPhrases, and to generate Ks
- * each file has two mem phrases, one for SSO, one for User */
-static const SEC_ASN1Template fortProtectedMemPhrase[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(fortProtectedPhrase) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,kValueIV) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,wrappedKValue) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,memPhraseIV) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,hashedEncryptedMemPhrase) },
- { 0 }
-};
-
-/* This data is used to check the Mem Init Phrases, and to generate Kinit
- * each file has one mem init phrase, which is used only in transport of
- * this file */
-static const SEC_ASN1Template fortMemInitPhrase[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(fortProtectedPhrase) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,wrappedKValue) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,memPhraseIV) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(fortProtectedPhrase,hashedEncryptedMemPhrase) },
- { 0 }
-};
-
-static const SEC_ASN1Template fortSlotEntriesTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, fortSlotEntryTemplate }
-};
-
-/* This is the complete file with all it's data, but has not been signed
- * yet. */
-static const SEC_ASN1Template fortSwFortezzaInitFileToSign[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(FORTSWFile) },
- { SEC_ASN1_INTEGER,
- offsetof(FORTSWFile,version) },
- { SEC_ASN1_ANY,
- offsetof(FORTSWFile,derIssuer) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(FORTSWFile,serialID) },
- { SEC_ASN1_INLINE,
- offsetof(FORTSWFile,initMemPhrase), fortMemInitPhrase },
- { SEC_ASN1_INLINE,
- offsetof(FORTSWFile,ssoMemPhrase), fortProtectedMemPhrase },
- { SEC_ASN1_INLINE,
- offsetof(FORTSWFile,userMemPhrase), fortProtectedMemPhrase },
- { SEC_ASN1_INLINE,
- offsetof(FORTSWFile,ssoPinPhrase), fortProtectedMemPhrase },
- { SEC_ASN1_INLINE,
- offsetof(FORTSWFile,userPinPhrase), fortProtectedMemPhrase },
- { SEC_ASN1_OCTET_STRING,
- offsetof(FORTSWFile,wrappedRandomSeed) },
- { SEC_ASN1_SEQUENCE_OF, offsetof(FORTSWFile,slotEntries),
- fortSlotEntryTemplate },
- /* optional extentions to ignore here... */
- { 0 }
-};
-
-/* The complete, signed init file */
-static const SEC_ASN1Template fortSwFortezzaInitFile[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(FORTSignedSWFile) },
- { SEC_ASN1_SAVE,
- offsetof(FORTSignedSWFile,signatureWrap.data) },
- { SEC_ASN1_INLINE,
- offsetof(FORTSignedSWFile,file),
- fortSwFortezzaInitFileToSign },
- { SEC_ASN1_INLINE,
- offsetof(FORTSignedSWFile,signatureWrap.signatureAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_BIT_STRING,
- offsetof(FORTSignedSWFile,signatureWrap.signature) },
- { 0 }
-};
-
-FORTSkipjackKeyPtr
-fort_CalculateKMemPhrase(FORTSWFile *file,
- fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey)
-{
- unsigned char *data = NULL;
- unsigned char hashout[SHA1_LENGTH];
- int data_len = prot_phrase->wrappedKValue.len;
- int ret;
- unsigned int len;
- unsigned int version;
- unsigned char enc_version[2];
- FORTSkipjackKeyPtr Kout = NULL;
- FORTSkipjackKey Kfek;
- SHA1Context *sha;
-
- data = (unsigned char *) PORT_ZAlloc(data_len);
- if (data == NULL) goto fail;
-
- PORT_Memcpy(data,prot_phrase->wrappedKValue.data,data_len);
-
- /* if it's a real protected mem phrase, it's been wrapped by kinit, which
- * was passed to us. */
- if (wrapKey) {
- fort_skipjackDecrypt(wrapKey,
- &prot_phrase->kValueIV.data[SKIPJACK_LEAF_SIZE],data_len,
- data,data);
- data_len = sizeof(CI_KEY);
- }
-
- /* now calculate the PBE key for fortezza */
- sha = SHA1_NewContext();
- if (sha == NULL) goto fail;
- SHA1_Begin(sha);
- version = DER_GetUInteger(&file->version);
- enc_version[0] = (version >> 8) & 0xff;
- enc_version[1] = version & 0xff;
- SHA1_Update(sha,enc_version,sizeof(enc_version));
- SHA1_Update(sha,file->derIssuer.data, file->derIssuer.len);
- SHA1_Update(sha,file->serialID.data, file->serialID.len);
- SHA1_Update(sha,(unsigned char *)phrase,strlen(phrase));
- SHA1_End(sha,hashout,&len,SHA1_LENGTH);
- SHA1_DestroyContext(sha, PR_TRUE);
- PORT_Memcpy(Kfek,hashout,sizeof(FORTSkipjackKey));
-
- /* now use that key to unwrap */
- Kout = (FORTSkipjackKeyPtr) PORT_Alloc(sizeof(FORTSkipjackKey));
- ret = fort_skipjackUnwrap(Kfek,data_len,data,Kout);
- if (ret != CI_OK) {
- PORT_Free(Kout);
- Kout = NULL;
- }
-
-fail:
- PORT_Memset(&Kfek, 0, sizeof(FORTSkipjackKey));
- if (data) PORT_ZFree(data,data_len);
- return Kout;
-}
-
-
-PRBool
-fort_CheckMemPhrase(FORTSWFile *file,
- fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey)
-{
- unsigned char *data = NULL;
- unsigned char hashout[SHA1_LENGTH];
- int data_len = prot_phrase->hashedEncryptedMemPhrase.len;
- unsigned int len;
- SHA1Context *sha;
- PRBool pinOK = PR_FALSE;
- unsigned char cw[4];
- int i;
-
-
- /* first, decrypt the hashed/Encrypted Memphrase */
- data = (unsigned char *) PORT_ZAlloc(data_len);
- if (data == NULL) goto failed;
-
- PORT_Memcpy(data,prot_phrase->hashedEncryptedMemPhrase.data,data_len);
- fort_skipjackDecrypt(wrapKey,
- &prot_phrase->memPhraseIV.data[SKIPJACK_LEAF_SIZE],data_len,
- data,data);
-
- /* now build the hash for comparisons */
- sha = SHA1_NewContext();
- if (sha == NULL) goto failed;
- SHA1_Begin(sha);
- SHA1_Update(sha,(unsigned char *)phrase,strlen(phrase));
- SHA1_End(sha,hashout,&len,SHA1_LENGTH);
- SHA1_DestroyContext(sha, PR_TRUE);
-
- /* hashes don't match... must not be the right pass mem */
- if (PORT_Memcmp(data,hashout,len) != 0) goto failed;
-
- /* now calcuate the checkword and compare it */
- cw[0] = cw[1] = cw[2] = cw[3] = 0;
- for (i=0; i <5 ; i++) {
- cw[0] = cw[0] ^ hashout[i*4];
- cw[1] = cw[1] ^ hashout[i*4+1];
- cw[2] = cw[2] ^ hashout[i*4+2];
- cw[3] = cw[3] ^ hashout[i*4+3];
- }
-
- /* checkword doesn't match, must not be the right pass mem */
- if (PORT_Memcmp(data+len,cw,4) != 0) goto failed;
-
- /* pased all our test, its OK */
- pinOK = PR_TRUE;
-
-failed:
- PORT_Free(data);
-
- return pinOK;
-}
-
-/*
- * walk through the list of memphrases. This function allows us to use a
- * for loop to walk down them.
- */
-fortProtectedPhrase *
-fort_getNextPhrase( FORTSWFile *file, fortProtectedPhrase *last)
-{
- if (last == &file->userMemPhrase) {
- return &file->userPinPhrase;
- }
- /* we can add more test here if we want to support SSO mode someday. */
-
- return NULL;
-}
-
-/*
- * decode the DER file data into our nice data structures, including turning
- * cert indexes into integers.
- */
-FORTSignedSWFile *
-FORT_GetSWFile(SECItem *initBits)
-{
- FORTSignedSWFile *sw_init_file;
- PRArenaPool *arena = NULL;
- SECStatus rv;
- int i, count;
-
- /* get the local arena... be sure to free this at the end */
-
- /* get the local arena... be sure to free this at the end */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto fail;
-
- sw_init_file = (FORTSignedSWFile *)
- PORT_ArenaZAlloc(arena,sizeof(FORTSignedSWFile));
- if (sw_init_file == NULL) goto fail;
-
- /* ANS1 decode the complete init file */
- rv = SEC_ASN1DecodeItem(arena,sw_init_file,fortSwFortezzaInitFile,initBits);
- if (rv != SECSuccess) {
- goto fail;
- }
-
- /* count the certs */
- count = 0;
- while (sw_init_file->file.slotEntries[count]) count++;
-
- for (i=0; i < count; i++) {
- /* update the cert Index Pointers */
- sw_init_file->file.slotEntries[i]->certIndex =
- DER_GetInteger(&sw_init_file->
- file.slotEntries[i]->certificateIndex );
- }
-
- /* now start checking the mem phrases and pins, as well as calculating the
- * file's 'K' values. First we start with K(init). */
- sw_init_file->file.arena = arena;
-
- return sw_init_file;
- /* OK now that we've read in the init file, and now have Kinit, Ks, and the
- * appropriate Pin Phrase, we need to build our database file. */
-
-fail:
- if (arena) PORT_FreeArena(arena,PR_TRUE);
- return NULL;
-}
-
-/*
- * Check the init memphrases and the user mem phrases. Remove all the init
- * memphrase wrappings. Save the Kinit and Ks values for use.
- */
-SECStatus
-FORT_CheckInitPhrase(FORTSignedSWFile *sw_init_file, char *initMemPhrase)
-{
- SECStatus rv = SECFailure;
-
- sw_init_file->Kinit = fort_CalculateKMemPhrase(&sw_init_file->file,
- &sw_init_file->file.initMemPhrase, initMemPhrase, NULL);
- if (sw_init_file->Kinit == NULL) goto fail;
-
- /* now check the init Mem phrase */
- if (!fort_CheckMemPhrase(&sw_init_file->file,
- &sw_init_file->file.initMemPhrase,
- initMemPhrase, sw_init_file->Kinit)) {
- goto fail;
- }
- rv = SECSuccess;
-
-fail:
- return rv;
-}
-
- /* now check user user mem phrase and calculate Ks */
-SECStatus
-FORT_CheckUserPhrase(FORTSignedSWFile *sw_init_file, char *userMemPhrase)
-{
- SECStatus rv = SECFailure;
- char tmp_data[13];
- char *padMemPhrase = NULL;
- fortProtectedPhrase *phrase_store;
-
- if (strlen(userMemPhrase) < 12) {
- PORT_Memset(tmp_data, ' ', sizeof(tmp_data));
- PORT_Memcpy(tmp_data,userMemPhrase,strlen(userMemPhrase));
- tmp_data[12] = 0;
- padMemPhrase = tmp_data;
- }
-
- for (phrase_store = &sw_init_file->file.userMemPhrase; phrase_store;
- phrase_store = fort_getNextPhrase(&sw_init_file->file,phrase_store)) {
- sw_init_file->Ks = fort_CalculateKMemPhrase(&sw_init_file->file,
- phrase_store, userMemPhrase, sw_init_file->Kinit);
-
- if ((sw_init_file->Ks == NULL) && (padMemPhrase != NULL)) {
- sw_init_file->Ks = fort_CalculateKMemPhrase(&sw_init_file->file,
- phrase_store, padMemPhrase, sw_init_file->Kinit);
- userMemPhrase = padMemPhrase;
- }
- if (sw_init_file->Ks == NULL) {
- continue;
- }
-
- /* now check the User Mem phrase */
- if (fort_CheckMemPhrase(&sw_init_file->file, phrase_store,
- userMemPhrase, sw_init_file->Ks)) {
- break;
- }
- PORT_Free(sw_init_file->Ks);
- sw_init_file->Ks = NULL;
- }
-
-
- if (phrase_store == NULL) goto fail;
-
- /* strip the Kinit wrapping */
- fort_skipjackDecrypt(sw_init_file->Kinit,
- &phrase_store->kValueIV.data[SKIPJACK_LEAF_SIZE],
- phrase_store->wrappedKValue.len, phrase_store->wrappedKValue.data,
- phrase_store->wrappedKValue.data);
- phrase_store->wrappedKValue.len = 12;
-
- PORT_Memset(phrase_store->kValueIV.data,0,phrase_store->kValueIV.len);
-
- sw_init_file->file.initMemPhrase = *phrase_store;
- sw_init_file->file.ssoMemPhrase = *phrase_store;
- sw_init_file->file.ssoPinPhrase = *phrase_store;
- sw_init_file->file.userMemPhrase = *phrase_store;
- sw_init_file->file.userPinPhrase = *phrase_store;
-
-
- rv = SECSuccess;
-
-fail:
- /* don't keep the pin around */
- PORT_Memset(tmp_data, 0, sizeof(tmp_data));
- return rv;
-}
-
-void
-FORT_DestroySWFile(FORTSWFile *file)
-{
- PORT_FreeArena(file->arena,PR_FALSE);
-}
-
-void
-FORT_DestroySignedSWFile(FORTSignedSWFile *swfile)
-{
- FORT_DestroySWFile(&swfile->file);
-}
-
-
-SECItem *
-FORT_GetDERCert(FORTSignedSWFile *swfile,int index)
-{
- SECItem *newItem = NULL;
- unsigned char *cert = NULL;
- int len,ret;
- fortSlotEntry *certEntry = NULL;
-
-
- newItem = PORT_ZNew(SECItem);
- if (newItem == NULL) return NULL;
-
- certEntry = fort_GetCertEntry(&swfile->file,index);
- if (certEntry == NULL) {
- PORT_Free(newItem);
- return NULL;
- }
-
- newItem->len = len = certEntry->certificateData.dataEncryptedWithKs.len;
- newItem->data = cert = PORT_ZAlloc(len);
- if (cert == NULL) {
- PORT_Free(newItem);
- return NULL;
- }
- newItem->len = DER_GetUInteger(&certEntry->certificateData.length);
-
-
- PORT_Memcpy(cert, certEntry->certificateData.dataEncryptedWithKs.data,len);
-
- /* Ks is always stored in keyReg[0] when we log in */
- ret = fort_skipjackDecrypt(swfile->Ks,
- &certEntry->certificateData.dataIV.data[SKIPJACK_LEAF_SIZE],
- len,cert,cert);
- if (ret != CI_OK) {
- SECITEM_FreeItem(newItem,PR_TRUE);
- return NULL;
- }
- return newItem;
-}
-
-/*
- * decode the DER file data into our nice data structures, including turning
- * cert indexes into integers.
- */
-SECItem *
-FORT_PutSWFile(FORTSignedSWFile *sw_init_file)
-{
- SECItem *outBits, *tmpBits;
- PRArenaPool *arena = NULL;
-
-
- /* get the local arena... be sure to free this at the end */
- /* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); */
- /* if (arena == NULL) goto fail; */
-
- /*outBits = (SECItem *) PORT_ArenaZAlloc(arena,sizeof(SECItem)); */
- outBits = PORT_ZNew(SECItem);
- if (outBits == NULL) goto fail;
-
- /* ANS1 encode the complete init file */
- tmpBits = SEC_ASN1EncodeItem(NULL,outBits,sw_init_file,fortSwFortezzaInitFile);
- if (tmpBits == NULL) {
- goto fail;
- }
-
- return outBits;
-
-fail:
- if (outBits) SECITEM_FreeItem(outBits,PR_TRUE);
- return NULL;
-}
diff --git a/security/nss/lib/fortcrypt/swfort/swfutl.c b/security/nss/lib/fortcrypt/swfort/swfutl.c
deleted file mode 100644
index 740444c3a..000000000
--- a/security/nss/lib/fortcrypt/swfort/swfutl.c
+++ /dev/null
@@ -1,728 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This File includes utility functions used by cilib. and swfparse.c
- */
-
-#include "prtypes.h"
-#include "prsystem.h"
-#include "prio.h"
-
-#include "swforti.h"
-#include "keyt.h"
-/* #include "dh.h" */
-#include "maci.h"
-#include "secport.h"
-#include "secrng.h"
-
-#ifdef XP_WIN
-#include <windows.h>
-#include <winsock.h>
-#include <direct.h>
-#endif
-
-/* no platform seem to agree on where this function is defined */
-static char *local_index(char *source, char target) {
- while ((*source != target) && (*source != 0)) {
- *source++;
- }
- return (*source != 0) ? source : NULL;
-}
-
-/*
- * Check to see if the index is ok, and that key is appropriately present or
- * absent.
- */
-int
-fort_KeyOK(FORTSWToken *token, int index, PRBool isPresent)
-{
- if (index < 0) return CI_INV_KEY_INDEX;
- if (index >= KEY_REGISTERS) return CI_INV_KEY_INDEX;
-
- return (token->keyReg[index].present == isPresent) ? CI_OK :
- (isPresent ? CI_NO_KEY : CI_REG_IN_USE);
-}
-
-/*
- * clear out a key register
- */
-void
-fort_ClearKey(FORTKeySlot *key)
-{
- key->present = PR_FALSE;
- PORT_Memset(key->data, 0, sizeof (key->data));
- return;
-}
-
-/*
- * clear out an Ra register
- */
-void
-fort_ClearRaSlot(FORTRaRegisters *ra)
-{
- PORT_Memset(ra->public, 0, sizeof(ra->public));
- PORT_Memset(ra->private, 0, sizeof(ra->private));
- return;
-}
-
-/*
- * provide a helper function to do all the loggin out functions.
- * NOTE: Logining in only happens in MACI_CheckPIN
- */
-void
-fort_Logout(FORTSWToken *token)
-{
- int i;
-
- /* ditch all the stored keys */
- for (i=0; i < KEY_REGISTERS; i++) {
- fort_ClearKey(&token->keyReg[i]);
- }
- for (i=0; i < MAX_RA_SLOTS; i++) {
- fort_ClearRaSlot(&token->RaValues[i]);
- }
-
- /* mark as logged out */
- token->login = PR_FALSE;
- token->certIndex = 0;
- token->key = 0;
- return;
-}
-
-/*
- * update the new IV value based on the current cipherText (should be the last
- * block of the cipher text).
- */
-int
-fort_UpdateIV(unsigned char *cipherText, unsigned int size,unsigned char *IV)
-{
- if (size == 0) return CI_INV_SIZE;
- if ((size & (SKIPJACK_BLOCK_SIZE-1)) != 0) return CI_INV_SIZE;
- size -= SKIPJACK_BLOCK_SIZE;
- PORT_Memcpy(IV,&cipherText[size],SKIPJACK_BLOCK_SIZE);
- return CI_OK;
-}
-
-
-/*
- * verify that we have a card initialized, and if necessary, logged in.
- */
-int
-fort_CardExists(FORTSWToken *token,PRBool needLogin)
-{
- if (token == NULL ) return CI_LIB_NOT_INIT;
- if (token->config_file == NULL) return CI_NO_CARD;
- if (needLogin && !token->login) return CI_INV_STATE;
- return CI_OK;
-}
-
-/*
- * walk down the cert slot entries, counting them.
- * return that count.
- */
-int
-fort_GetCertCount(FORTSWFile *file)
-{
- int i;
-
- if (file->slotEntries == NULL) return 0;
-
- for (i=0; file->slotEntries[i]; i++)
- /* no body */ ;
-
- return i;
-}
-
-/*
- * copy an unsigned SECItem to a signed SecItem. (if the high bit is on,
- * pad with a leading 0.
- */
-SECStatus
-fort_CopyUnsigned(PRArenaPool *arena, SECItem *to, const SECItem *from)
-{
- int offset = 0;
-
- if (from->data && from->len) {
- if (from->data[0] & 0x80) offset = 1;
- if ( arena ) {
- to->data = (unsigned char*) PORT_ArenaZAlloc(arena,
- from->len+offset);
- } else {
- to->data = (unsigned char*) PORT_ZAlloc(from->len+offset);
- }
-
- if (!to->data) {
- return SECFailure;
- }
- PORT_Memcpy(to->data+offset, from->data, from->len);
- to->len = from->len+offset;
- } else {
- to->data = 0;
- to->len = 0;
- }
- return SECSuccess;
-}
-
-/*
- * NOTE: these keys do not have the public values, and cannot be used to
- * extract the public key from the private key. Since we never do this in
- * this code, and this function is static, we're reasonably safe (as long as
- * any of your callees do not try to extract the public value as well).
- * Also -- the token must be logged in before this function is called.
- */
-SECKEYLowPrivateKey *
-fort_GetPrivKey(FORTSWToken *token,KeyType keyType,fortSlotEntry *certEntry)
-{
- SECKEYLowPrivateKey *returnKey = NULL;
- SECStatus rv = SECFailure;
- PRArenaPool *poolp;
- fortKeyInformation *keyInfo;
- unsigned char *keyData;
- int len, ret;
-
-
- /* select the right keyinfo */
- switch (keyType) {
- case dsaKey:
- keyInfo = certEntry->signatureKeyInformation;
- if (keyInfo == NULL) keyInfo = certEntry->exchangeKeyInformation;
- break;
- case dhKey:
- keyInfo = certEntry->exchangeKeyInformation;
- if (keyInfo == NULL) keyInfo = certEntry->signatureKeyInformation;
- break;
- }
-
- /* if we don't have any key information, blow out of here */
- if (keyInfo == NULL) return NULL;
-
- poolp = PORT_NewArena(2048);
- if(!poolp) {
- return NULL;
- }
-
- returnKey = (SECKEYLowPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(SECKEYLowPrivateKey));
- if(!returnKey) {
- rv = SECFailure;
- goto loser;
- }
-
- returnKey->keyType = keyType;
- returnKey->arena = poolp;
-
- /*
- * decrypt the private key
- */
- len = keyInfo->privateKeyWrappedWithKs.len;
- keyData = PORT_ArenaZAlloc(poolp,len);
- if (keyData == NULL) {
- rv = SECFailure;
- goto loser;
- }
- /* keys must be 160 bits (20 bytes) if that's not the case the Unwrap will
- * fail.. */
- ret = fort_skipjackUnwrap(token->keyReg[0].data, len,
- keyInfo->privateKeyWrappedWithKs.data, keyData);
- if (ret != CI_OK) {
- rv = SECFailure;
- goto loser;
- }
-
- switch(keyType) {
- case dsaKey:
- returnKey->u.dsa.privateValue.data = keyData;
- returnKey->u.dsa.privateValue.len = 20;
- returnKey->u.dsa.params.arena = poolp;
- rv = fort_CopyUnsigned(poolp, &(returnKey->u.dsa.params.prime),
- &(keyInfo->p));
- if(rv != SECSuccess) break;
- rv = fort_CopyUnsigned(poolp, &(returnKey->u.dsa.params.subPrime),
- &(keyInfo->q));
- if(rv != SECSuccess) break;
- rv = fort_CopyUnsigned(poolp, &(returnKey->u.dsa.params.base),
- &(keyInfo->g));
- if(rv != SECSuccess) break;
- break;
- case dhKey:
- returnKey->u.dh.arena = poolp;
- returnKey->u.dh.privateValue.data = keyData;
- returnKey->u.dh.privateValue.len = 20;
- rv = fort_CopyUnsigned(poolp, &(returnKey->u.dh.prime),
- &(keyInfo->p));
- if(rv != SECSuccess) break;
- rv = fort_CopyUnsigned(poolp, &(returnKey->u.dh.base),
- &(keyInfo->g));
- if(rv != SECSuccess) break;
- rv = SECSuccess;
- break;
- default:
- rv = SECFailure;
- }
-
-loser:
-
- if(rv != SECSuccess) {
- PORT_FreeArena(poolp, PR_TRUE);
- returnKey = NULL;
- }
-
- return returnKey;
-}
-
-
-
-/*
- * find a particulare certificate entry from the config
- * file.
- */
-fortSlotEntry *
-fort_GetCertEntry(FORTSWFile *file,int index)
-{
- /* search for the index */
- int i,count= fort_GetCertCount(file);
-
- /* make sure the given index exists & has key material */
- for (i=0; i < count ;i ++) {
- if (file->slotEntries[i]->certIndex == index) {
- return file->slotEntries[i];
- }
- }
- return NULL;
-}
-
-/*
- * use the token to determine it's CI_State.
- */
-CI_STATE
-fort_GetState(FORTSWToken *token)
-{
- /* no file? then the token has not been initialized */
- if (!token->config_file) {
- return CI_UNINITIALIZED;
- }
- /* we're initialized, are we logged in (CI_USER_INITIALIZED is not logged
- * in) */
- if (!token->login) {
- return CI_USER_INITIALIZED;
- }
- /* We're logged in, do we have a personality set */
- if (token->certIndex) {
- return CI_READY;
- }
- /* We're logged in, with no personality set */
- return CI_STANDBY;
-}
-
-/*
- * find the private ra value for a given public Ra value.
- */
-fortRaPrivatePtr
-fort_LookupPrivR(FORTSWToken *token,CI_RA Ra)
-{
- int i;
-
- /* probably a more efficient way of doing this would be to search first
- * several entries before nextRa (or search backwards from next Ra)
- */
- for (i=0; i < MAX_RA_SLOTS; i++) {
- if (PORT_Memcmp(token->RaValues[i].public,Ra,CI_RA_SIZE) == 0) {
- return token->RaValues[i].private;
- }
- }
- return NULL;
-}
-
-/*
- * go add more noise to the random number generator
- */
-void
-fort_AddNoise(void)
-{
- unsigned char seed[20];
-
- /* note: GetNoise doesn't always get 20 bytes, but adding more
- * random data from the stack doesn't subtract entropy from the
- * Random number generator, so just send it all.
- */
- RNG_GetNoise(seed,sizeof(seed));
- RNG_RandomUpdate(seed,sizeof(seed));
-}
-
-/*
- * Get a random number
- */
-int
-fort_GenerateRandom(unsigned char *buf, int bytes)
-{
- SECStatus rv;
-
- fort_AddNoise();
- rv = RNG_GenerateGlobalRandomBytes(buf,bytes);
- if (rv != SECSuccess) return CI_EXEC_FAIL;
- return CI_OK;
-}
-
-/*
- * NOTE: that MAC is missing below.
- */
-#ifdef XP_UNIX
-#define NS_PATH_SEP ':'
-#define NS_DIR_SEP '/'
-#define NS_DEFAULT_PATH ".:/bin/netscape:/etc/netscape/:/etc"
-PRInt32
-local_getFileInfo(const char *fn, PRFileInfo *info)
-{
- PRInt32 rv;
- struct stat sb;
-
- rv = stat(fn, &sb);
- if (rv < 0)
- return -1;
- else if (NULL != info)
- {
- if (S_IFREG & sb.st_mode)
- info->type = PR_FILE_FILE;
- else if (S_IFDIR & sb.st_mode)
- info->type = PR_FILE_DIRECTORY;
- else
- info->type = PR_FILE_OTHER;
-
-#if defined(OSF1)
- if (0x7fffffffLL < sb.st_size)
- {
- return -1;
- }
-#endif /* defined(OSF1) */
- info->size = sb.st_size;
-
- }
- return rv;
-}
-#endif
-#ifdef XP_WIN
-#define NS_PATH_SEP ';'
-#define NS_DIR_SEP '\\'
-#define NS_DEFAULT_PATH ".;c:\\program files\\netscape\\communicator\\program\\pkcs11\\netscape;c:\\netscape\\communicator\\program\\pkcs11\\netscape;c:\\windows\\system"
-
-
-/*
- * Since we're a pkcs #11 module, we may get
- * loaded into lots of different binaries, each with different or no versions
- * of NSPR running... so we copy the one function we need.
- */
-
-#define _PR_IS_SLASH(ch) ((ch) == '/' || (ch) == '\\')
-
-/*
- * IsRootDirectory --
- *
- * Return PR_TRUE if the pathname 'fn' is a valid root directory,
- * else return PR_FALSE. The char buffer pointed to by 'fn' must
- * be writable. During the execution of this function, the contents
- * of the buffer pointed to by 'fn' may be modified, but on return
- * the original contents will be restored. 'buflen' is the size of
- * the buffer pointed to by 'fn'.
- *
- * Root directories come in three formats:
- * 1. / or \, meaning the root directory of the current drive.
- * 2. C:/ or C:\, where C is a drive letter.
- * 3. \\<server name>\<share point name>\ or
- * \\<server name>\<share point name>, meaning the root directory
- * of a UNC (Universal Naming Convention) name.
- */
-
-static PRBool
-IsRootDirectory(char *fn, size_t buflen)
-{
- char *p;
- PRBool slashAdded = PR_FALSE;
- PRBool rv = PR_FALSE;
-
- if (_PR_IS_SLASH(fn[0]) && fn[1] == '\0') {
- return PR_TRUE;
- }
-
- if (isalpha(fn[0]) && fn[1] == ':' && _PR_IS_SLASH(fn[2])
- && fn[3] == '\0') {
- rv = GetDriveType(fn) > 1 ? PR_TRUE : PR_FALSE;
- return rv;
- }
-
- /* The UNC root directory */
-
- if (_PR_IS_SLASH(fn[0]) && _PR_IS_SLASH(fn[1])) {
- /* The 'server' part should have at least one character. */
- p = &fn[2];
- if (*p == '\0' || _PR_IS_SLASH(*p)) {
- return PR_FALSE;
- }
-
- /* look for the next slash */
- do {
- p++;
- } while (*p != '\0' && !_PR_IS_SLASH(*p));
- if (*p == '\0') {
- return PR_FALSE;
- }
-
- /* The 'share' part should have at least one character. */
- p++;
- if (*p == '\0' || _PR_IS_SLASH(*p)) {
- return PR_FALSE;
- }
-
- /* look for the final slash */
- do {
- p++;
- } while (*p != '\0' && !_PR_IS_SLASH(*p));
- if (_PR_IS_SLASH(*p) && p[1] != '\0') {
- return PR_FALSE;
- }
- if (*p == '\0') {
- /*
- * GetDriveType() doesn't work correctly if the
- * path is of the form \\server\share, so we add
- * a final slash temporarily.
- */
- if ((p + 1) < (fn + buflen)) {
- *p++ = '\\';
- *p = '\0';
- slashAdded = PR_TRUE;
- } else {
- return PR_FALSE; /* name too long */
- }
- }
- rv = GetDriveType(fn) > 1 ? PR_TRUE : PR_FALSE;
- /* restore the 'fn' buffer */
- if (slashAdded) {
- *--p = '\0';
- }
- }
- return rv;
-}
-
-PRInt32
-local_getFileInfo(const char *fn, PRFileInfo *info)
-{
- HANDLE hFindFile;
- WIN32_FIND_DATA findFileData;
- char pathbuf[MAX_PATH + 1];
-
- if (NULL == fn || '\0' == *fn) {
- return -1;
- }
-
- /*
- * FindFirstFile() expands wildcard characters. So
- * we make sure the pathname contains no wildcard.
- */
- if (NULL != strpbrk(fn, "?*")) {
- return -1;
- }
-
- hFindFile = FindFirstFile(fn, &findFileData);
- if (INVALID_HANDLE_VALUE == hFindFile) {
- DWORD len;
- char *filePart;
-
- /*
- * FindFirstFile() does not work correctly on root directories.
- * It also doesn't work correctly on a pathname that ends in a
- * slash. So we first check to see if the pathname specifies a
- * root directory. If not, and if the pathname ends in a slash,
- * we remove the final slash and try again.
- */
-
- /*
- * If the pathname does not contain ., \, and /, it cannot be
- * a root directory or a pathname that ends in a slash.
- */
- if (NULL == strpbrk(fn, ".\\/")) {
- return -1;
- }
- len = GetFullPathName(fn, sizeof(pathbuf), pathbuf,
- &filePart);
- if (len > sizeof(pathbuf)) {
- return -1;
- }
- if (IsRootDirectory(pathbuf, sizeof(pathbuf))) {
- info->type = PR_FILE_DIRECTORY;
- info->size = 0;
- /*
- * These timestamps don't make sense for root directories.
- */
- info->modifyTime = 0;
- info->creationTime = 0;
- return 0;
- }
- if (!((pathbuf[len - 1] == '/') || (pathbuf[len-1] == '\\'))) {
- return -1;
- } else {
- pathbuf[len - 1] = '\0';
- hFindFile = FindFirstFile(pathbuf, &findFileData);
- if (INVALID_HANDLE_VALUE == hFindFile) {
- return -1;
- }
- }
- }
-
- FindClose(hFindFile);
-
- if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
- info->type = PR_FILE_DIRECTORY;
- } else {
- info->type = PR_FILE_FILE;
- }
-
- info->size = findFileData.nFileSizeLow;
-
- return 0;
-}
-
-#endif
-#ifdef XP_MAC
-#error Need to write fort_FindFileInPath for Mac
-#define NS_PATH_SEP ','
-#define NS_DIR_SEP ':'
-#define NS_DEFAULT_PATH ",System Folder,System Folder:Netscape f:pkcs11:netscape"
-#endif
-
-#define NETSCAPE_INIT_FILE "nsswft.swf"
-
-/*
- * OK, We're deep in the bottom of MACI and PKCS #11... We need to
- * find our fortezza key file. We have no clue of where the our binary lives
- * or where our key file lives. This function lets us search manual paths
- * to find our key file.
- */
-char *fort_FindFileInPath(char *path, char *fn)
-{
- char *next;
- char *holdData;
- char *ret = NULL;
- int len = 0;
- int fn_len = PORT_Strlen(fn)+1; /* include the NULL */
- PRFileInfo info;
- char dirSep = NS_DIR_SEP;
-
- holdData = PORT_Alloc(strlen(path)+1+fn_len);
-
- while ((next = local_index(path,NS_PATH_SEP)) != NULL) {
- len = next - path;
-
- PORT_Memcpy(holdData,path,len);
- if ((len != 0) && (holdData[len-1] != dirSep)) {
- PORT_Memcpy(&holdData[len],&dirSep,1);
- len++;
- }
- PORT_Memcpy(&holdData[len],fn,fn_len);
-
- if ((local_getFileInfo(holdData,&info) == 0) &&
- (info.type == PR_FILE_FILE) && (info.size != 0)) {
- ret = PORT_Strdup(holdData);
- PORT_Free(holdData);
- return ret;
- }
- path = next+1;
- }
-
- len = strlen(path);
- PORT_Memcpy(holdData,path,len);
- if ((len != 0) && (holdData[len-1] != dirSep)) {
- PORT_Memcpy(&holdData[len],&dirSep,1);
- len++;
- }
- PORT_Memcpy(&holdData[len],fn,fn_len);
-
- if ((local_getFileInfo(holdData,&info) == 0) &&
- (info.type == PR_FILE_FILE) && (info.size != 0)) {
- ret = PORT_Strdup(holdData);
- }
- PORT_Free(holdData);
- return ret;
-}
-
-static char *path_table[] = {
- "PATH","LD_LIBRARY_PATH","LIBPATH"
-};
-
-static int path_table_size = sizeof(path_table)/sizeof(path_table[0]);
-
-char *fort_LookupFORTEZZAInitFile(void)
-{
- char *fname = NULL;
- char *home = NULL;
-#ifdef XP_UNIX
- char unix_home[512];
-#endif
- int i;
-
- /* first try to get it from the environment */
- fname = getenv("SW_FORTEZZA_FILE");
- if (fname != NULL) {
- return PORT_Strdup(fname);
- }
-
-#ifdef XP_UNIX
- home = getenv("HOME");
- if (home) {
- strncpy(unix_home,home, sizeof(unix_home)-sizeof("/.netscape"));
- strcat(unix_home,"/.netscape");
- fname = fort_FindFileInPath(unix_home,NETSCAPE_INIT_FILE);
- if (fname) return fname;
- }
-#endif
-#ifdef XP_WIN
- home = getenv("windir");
- if (home) {
- fname = fort_FindFileInPath(home,NETSCAPE_INIT_FILE);
- if (fname) return fname;
- }
-#endif
-
- fname = fort_FindFileInPath(NS_DEFAULT_PATH,NETSCAPE_INIT_FILE);
- if (fname) return fname;
-
- /* now search the system paths */
- for (i=0; i < path_table_size; i++) {
- char *path = getenv(path_table[i]);
-
- if (path != NULL) {
- fname = fort_FindFileInPath(path,NETSCAPE_INIT_FILE);
- if (fname) return fname;
- }
- }
-
-
- return NULL;
-}
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
deleted file mode 100644
index 712a0516a..000000000
--- a/security/nss/lib/freebl/Makefile
+++ /dev/null
@@ -1,87 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-export:: private_export
-
-ifdef MOZILLA_BSAFE_BUILD
-ifeq ($(OS_ARCH),WINNT)
-libbsafe=bsafe41.lib
-else
-libbsafe=libbsafe.a
-endif
-
-private_export::
- $(NSINSTALL) -m 777 $(libbsafe) $(DIST)/lib; \
-
-endif
diff --git a/security/nss/lib/freebl/alg2268.c b/security/nss/lib/freebl/alg2268.c
deleted file mode 100644
index c053bce08..000000000
--- a/security/nss/lib/freebl/alg2268.c
+++ /dev/null
@@ -1,491 +0,0 @@
-/*
- * alg2268.c - implementation of the algorithm in RFC 2268
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-
-#include "blapi.h"
-#include "secerr.h"
-#ifdef XP_UNIX_XXX
-#include <stddef.h> /* for ptrdiff_t */
-#endif
-
-/*
-** RC2 symmetric block cypher
-*/
-
-typedef SECStatus (rc2Func)(RC2Context *cx, unsigned char *output,
- unsigned char *input, unsigned int inputLen);
-
-/* forward declarations */
-static rc2Func rc2_EncryptECB;
-static rc2Func rc2_DecryptECB;
-static rc2Func rc2_EncryptCBC;
-static rc2Func rc2_DecryptCBC;
-
-typedef union {
- PRUint32 l[2];
- PRUint16 s[4];
- PRUint8 b[8];
-} RC2Block;
-
-struct RC2ContextStr {
- union {
- PRUint8 Kb[128];
- PRUint16 Kw[64];
- } u;
- RC2Block iv;
- rc2Func *enc;
- rc2Func *dec;
-};
-
-#define B u.Kb
-#define K u.Kw
-#define BYTESWAP(x) ((x) << 8 | (x) >> 8)
-#define SWAPK(i) cx->K[i] = (tmpS = cx->K[i], BYTESWAP(tmpS))
-#define RC2_BLOCK_SIZE 8
-
-#define LOAD_HARD(R) \
- R[0] = (PRUint16)input[1] << 8 | input[0]; \
- R[1] = (PRUint16)input[3] << 8 | input[2]; \
- R[2] = (PRUint16)input[5] << 8 | input[4]; \
- R[3] = (PRUint16)input[7] << 8 | input[6];
-#define LOAD_EASY(R) \
- R[0] = ((PRUint16 *)input)[0]; \
- R[1] = ((PRUint16 *)input)[1]; \
- R[2] = ((PRUint16 *)input)[2]; \
- R[3] = ((PRUint16 *)input)[3];
-#define STORE_HARD(R) \
- output[0] = (PRUint8)(R[0]); output[1] = (PRUint8)(R[0] >> 8); \
- output[2] = (PRUint8)(R[1]); output[3] = (PRUint8)(R[1] >> 8); \
- output[4] = (PRUint8)(R[2]); output[5] = (PRUint8)(R[2] >> 8); \
- output[6] = (PRUint8)(R[3]); output[7] = (PRUint8)(R[3] >> 8);
-#define STORE_EASY(R) \
- ((PRUint16 *)output)[0] = R[0]; \
- ((PRUint16 *)output)[1] = R[1]; \
- ((PRUint16 *)output)[2] = R[2]; \
- ((PRUint16 *)output)[3] = R[3];
-
-#if defined (_X86_)
-#define LOAD(R) LOAD_EASY(R)
-#define STORE(R) STORE_EASY(R)
-#elif !defined(IS_LITTLE_ENDIAN)
-#define LOAD(R) LOAD_HARD(R)
-#define STORE(R) STORE_HARD(R)
-#else
-#define LOAD(R) if ((ptrdiff_t)input & 1) { LOAD_HARD(R) } else { LOAD_EASY(R) }
-#define STORE(R) if ((ptrdiff_t)input & 1) { STORE_HARD(R) } else { STORE_EASY(R) }
-#endif
-
-static const PRUint8 S[256] = {
-0331,0170,0371,0304,0031,0335,0265,0355,0050,0351,0375,0171,0112,0240,0330,0235,
-0306,0176,0067,0203,0053,0166,0123,0216,0142,0114,0144,0210,0104,0213,0373,0242,
-0027,0232,0131,0365,0207,0263,0117,0023,0141,0105,0155,0215,0011,0201,0175,0062,
-0275,0217,0100,0353,0206,0267,0173,0013,0360,0225,0041,0042,0134,0153,0116,0202,
-0124,0326,0145,0223,0316,0140,0262,0034,0163,0126,0300,0024,0247,0214,0361,0334,
-0022,0165,0312,0037,0073,0276,0344,0321,0102,0075,0324,0060,0243,0074,0266,0046,
-0157,0277,0016,0332,0106,0151,0007,0127,0047,0362,0035,0233,0274,0224,0103,0003,
-0370,0021,0307,0366,0220,0357,0076,0347,0006,0303,0325,0057,0310,0146,0036,0327,
-0010,0350,0352,0336,0200,0122,0356,0367,0204,0252,0162,0254,0065,0115,0152,0052,
-0226,0032,0322,0161,0132,0025,0111,0164,0113,0237,0320,0136,0004,0030,0244,0354,
-0302,0340,0101,0156,0017,0121,0313,0314,0044,0221,0257,0120,0241,0364,0160,0071,
-0231,0174,0072,0205,0043,0270,0264,0172,0374,0002,0066,0133,0045,0125,0227,0061,
-0055,0135,0372,0230,0343,0212,0222,0256,0005,0337,0051,0020,0147,0154,0272,0311,
-0323,0000,0346,0317,0341,0236,0250,0054,0143,0026,0001,0077,0130,0342,0211,0251,
-0015,0070,0064,0033,0253,0063,0377,0260,0273,0110,0014,0137,0271,0261,0315,0056,
-0305,0363,0333,0107,0345,0245,0234,0167,0012,0246,0040,0150,0376,0177,0301,0255
-};
-
-/*
-** Create a new RC2 context suitable for RC2 encryption/decryption.
-** "key" raw key data
-** "len" the number of bytes of key data
-** "iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
-** "mode" one of NSS_RC2 or NSS_RC2_CBC
-** "effectiveKeyLen" in bytes, not bits.
-**
-** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
-** chaining" mode.
-*/
-RC2Context *
-RC2_CreateContext(unsigned char *key, unsigned int len,
- unsigned char *input, int mode, unsigned efLen8)
-{
- RC2Context *cx;
- PRUint8 *L,*L2;
- int i;
- PRUint16 tmpS;
- PRUint8 tmpB;
-
- if (!key || len == 0 || len > (sizeof cx->B) || efLen8 > (sizeof cx->B)) {
- return NULL;
- }
- if (mode == NSS_RC2) {
- /* groovy */
- } else if (mode == NSS_RC2_CBC) {
- if (!input) {
- return NULL; /* not groovy */
- }
- } else {
- return NULL;
- }
-
- cx = PORT_ZNew(RC2Context);
- if (!cx)
- return cx;
-
- if (mode == NSS_RC2_CBC) {
- cx->enc = & rc2_EncryptCBC;
- cx->dec = & rc2_DecryptCBC;
- LOAD(cx->iv.s);
- } else {
- cx->enc = & rc2_EncryptECB;
- cx->dec = & rc2_DecryptECB;
- }
-
- /* Step 0. Copy key into table. */
- memcpy(cx->B, key, len);
-
- /* Step 1. Compute all values to the right of the key. */
- L2 = cx->B;
- L = L2 + len;
- tmpB = L[-1];
- for (i = (sizeof cx->B) - len; i > 0; --i) {
- *L++ = tmpB = S[ (PRUint8)(tmpB + *L2++) ];
- }
-
- /* step 2. Adjust left most byte of effective key. */
- i = (sizeof cx->B) - efLen8;
- L = cx->B + i;
- *L = tmpB = S[*L]; /* mask is always 0xff */
-
- /* step 3. Recompute all values to the left of effective key. */
- L2 = --L + efLen8;
- while(L >= cx->B) {
- *L-- = tmpB = S[ tmpB ^ *L2-- ];
- }
-
-#if !defined(IS_LITTLE_ENDIAN)
- for (i = 63; i >= 0; --i) {
- SWAPK(i); /* candidate for unrolling */
- }
-#endif
- return cx;
-}
-
-/*
-** Destroy an RC2 encryption/decryption context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-void
-RC2_DestroyContext(RC2Context *cx, PRBool freeit)
-{
- if (cx) {
- memset(cx, 0, sizeof *cx);
- if (freeit) {
- PORT_Free(cx);
- }
- }
-}
-
-#define ROL(x,k) (x << k | x >> (16-k))
-#define MIX(j) \
- R0 = R0 + cx->K[ 4*j+0] + (R3 & R2) + (~R3 & R1); R0 = ROL(R0,1);\
- R1 = R1 + cx->K[ 4*j+1] + (R0 & R3) + (~R0 & R2); R1 = ROL(R1,2);\
- R2 = R2 + cx->K[ 4*j+2] + (R1 & R0) + (~R1 & R3); R2 = ROL(R2,3);\
- R3 = R3 + cx->K[ 4*j+3] + (R2 & R1) + (~R2 & R0); R3 = ROL(R3,5)
-#define MASH \
- R0 = R0 + cx->K[R3 & 63];\
- R1 = R1 + cx->K[R0 & 63];\
- R2 = R2 + cx->K[R1 & 63];\
- R3 = R3 + cx->K[R2 & 63]
-
-/* Encrypt one block */
-static void
-rc2_Encrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
-{
- register PRUint16 R0, R1, R2, R3;
-
- /* step 1. Initialize input. */
- R0 = input->s[0];
- R1 = input->s[1];
- R2 = input->s[2];
- R3 = input->s[3];
-
- /* step 2. Expand Key (already done, in context) */
- /* step 3. j = 0 */
- /* step 4. Perform 5 mixing rounds. */
-
- MIX(0);
- MIX(1);
- MIX(2);
- MIX(3);
- MIX(4);
-
- /* step 5. Perform 1 mashing round. */
- MASH;
-
- /* step 6. Perform 6 mixing rounds. */
-
- MIX(5);
- MIX(6);
- MIX(7);
- MIX(8);
- MIX(9);
- MIX(10);
-
- /* step 7. Perform 1 mashing round. */
- MASH;
-
- /* step 8. Perform 5 mixing rounds. */
-
- MIX(11);
- MIX(12);
- MIX(13);
- MIX(14);
- MIX(15);
-
- /* output results */
- output->s[0] = R0;
- output->s[1] = R1;
- output->s[2] = R2;
- output->s[3] = R3;
-}
-
-#define ROR(x,k) (x >> k | x << (16-k))
-#define R_MIX(j) \
- R3 = ROR(R3,5); R3 = R3 - cx->K[ 4*j+3] - (R2 & R1) - (~R2 & R0); \
- R2 = ROR(R2,3); R2 = R2 - cx->K[ 4*j+2] - (R1 & R0) - (~R1 & R3); \
- R1 = ROR(R1,2); R1 = R1 - cx->K[ 4*j+1] - (R0 & R3) - (~R0 & R2); \
- R0 = ROR(R0,1); R0 = R0 - cx->K[ 4*j+0] - (R3 & R2) - (~R3 & R1)
-#define R_MASH \
- R3 = R3 - cx->K[R2 & 63];\
- R2 = R2 - cx->K[R1 & 63];\
- R1 = R1 - cx->K[R0 & 63];\
- R0 = R0 - cx->K[R3 & 63]
-
-/* Encrypt one block */
-static void
-rc2_Decrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
-{
- register PRUint16 R0, R1, R2, R3;
-
- /* step 1. Initialize input. */
- R0 = input->s[0];
- R1 = input->s[1];
- R2 = input->s[2];
- R3 = input->s[3];
-
- /* step 2. Expand Key (already done, in context) */
- /* step 3. j = 63 */
- /* step 4. Perform 5 r_mixing rounds. */
- R_MIX(15);
- R_MIX(14);
- R_MIX(13);
- R_MIX(12);
- R_MIX(11);
-
- /* step 5. Perform 1 r_mashing round. */
- R_MASH;
-
- /* step 6. Perform 6 r_mixing rounds. */
- R_MIX(10);
- R_MIX(9);
- R_MIX(8);
- R_MIX(7);
- R_MIX(6);
- R_MIX(5);
-
- /* step 7. Perform 1 r_mashing round. */
- R_MASH;
-
- /* step 8. Perform 5 r_mixing rounds. */
- R_MIX(4);
- R_MIX(3);
- R_MIX(2);
- R_MIX(1);
- R_MIX(0);
-
- /* output results */
- output->s[0] = R0;
- output->s[1] = R1;
- output->s[2] = R2;
- output->s[3] = R3;
-}
-
-static SECStatus
-rc2_EncryptECB(RC2Context *cx, unsigned char *output,
- unsigned char *input, unsigned int inputLen)
-{
- RC2Block iBlock;
-
- while (inputLen > 0) {
- LOAD(iBlock.s)
- rc2_Encrypt1Block(cx, &iBlock, &iBlock);
- STORE(iBlock.s)
- output += RC2_BLOCK_SIZE;
- input += RC2_BLOCK_SIZE;
- inputLen -= RC2_BLOCK_SIZE;
- }
- return SECSuccess;
-}
-
-static SECStatus
-rc2_DecryptECB(RC2Context *cx, unsigned char *output,
- unsigned char *input, unsigned int inputLen)
-{
- RC2Block iBlock;
-
- while (inputLen > 0) {
- LOAD(iBlock.s)
- rc2_Decrypt1Block(cx, &iBlock, &iBlock);
- STORE(iBlock.s)
- output += RC2_BLOCK_SIZE;
- input += RC2_BLOCK_SIZE;
- inputLen -= RC2_BLOCK_SIZE;
- }
- return SECSuccess;
-}
-
-static SECStatus
-rc2_EncryptCBC(RC2Context *cx, unsigned char *output,
- unsigned char *input, unsigned int inputLen)
-{
- RC2Block iBlock;
-
- while (inputLen > 0) {
-
- LOAD(iBlock.s)
- iBlock.l[0] ^= cx->iv.l[0];
- iBlock.l[1] ^= cx->iv.l[1];
- rc2_Encrypt1Block(cx, &iBlock, &iBlock);
- cx->iv = iBlock;
- STORE(iBlock.s)
- output += RC2_BLOCK_SIZE;
- input += RC2_BLOCK_SIZE;
- inputLen -= RC2_BLOCK_SIZE;
- }
- return SECSuccess;
-}
-
-static SECStatus
-rc2_DecryptCBC(RC2Context *cx, unsigned char *output,
- unsigned char *input, unsigned int inputLen)
-{
- RC2Block iBlock;
- RC2Block oBlock;
-
- while (inputLen > 0) {
- LOAD(iBlock.s)
- rc2_Decrypt1Block(cx, &oBlock, &iBlock);
- oBlock.l[0] ^= cx->iv.l[0];
- oBlock.l[1] ^= cx->iv.l[1];
- cx->iv = iBlock;
- STORE(oBlock.s)
- output += RC2_BLOCK_SIZE;
- input += RC2_BLOCK_SIZE;
- inputLen -= RC2_BLOCK_SIZE;
- }
- return SECSuccess;
-}
-
-
-/*
-** Perform RC2 encryption.
-** "cx" the context
-** "output" the output buffer to store the encrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- SECStatus rv = SECSuccess;
- if (inputLen) {
- if (inputLen % RC2_BLOCK_SIZE) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
- rv = (*cx->enc)(cx, output, input, inputLen);
- }
- if (rv == SECSuccess) {
- *outputLen = inputLen;
- }
- return rv;
-}
-
-/*
-** Perform RC2 decryption.
-** "cx" the context
-** "output" the output buffer to store the decrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- SECStatus rv = SECSuccess;
- if (inputLen) {
- if (inputLen % RC2_BLOCK_SIZE) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
- rv = (*cx->dec)(cx, output, input, inputLen);
- }
- if (rv == SECSuccess) {
- *outputLen = inputLen;
- }
- return rv;
-}
-
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
deleted file mode 100644
index 83bec367c..000000000
--- a/security/nss/lib/freebl/blapi.h
+++ /dev/null
@@ -1,735 +0,0 @@
-/*
- * crypto.h - public data structures and prototypes for the crypto library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _BLAPI_H_
-#define _BLAPI_H_
-
-#include "blapit.h"
-
-
-SEC_BEGIN_PROTOS
-
-/*
-** RSA encryption/decryption. When encrypting/decrypting the output
-** buffer must be at least the size of the public key modulus.
-*/
-
-/*
-** Generate and return a new RSA public and private key.
-** Both keys are encoded in a single RSAPrivateKey structure.
-** "cx" is the random number generator context
-** "keySizeInBits" is the size of the key to be generated, in bits.
-** 512, 1024, etc.
-** "publicExponent" when not NULL is a pointer to some data that
-** represents the public exponent to use. The data is a byte
-** encoded integer, in "big endian" order.
-*/
-extern RSAPrivateKey *RSA_NewKey(int keySizeInBits,
- SECItem * publicExponent);
-
-/*
-** Perform a raw public-key operation
-** Length of input and output buffers are equal to key's modulus len.
-*/
-extern SECStatus RSA_PublicKeyOp(RSAPublicKey * key,
- unsigned char * output,
- unsigned char * input);
-
-/*
-** Perform a raw private-key operation
-** Length of input and output buffers are equal to key's modulus len.
-*/
-extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey * key,
- unsigned char * output,
- unsigned char * input);
-
-
-
-/********************************************************************
-** DSA signing algorithm
-*/
-
-/*
-** Generate and return a new DSA public and private key pair,
-** both of which are encoded into a single DSAPrivateKey struct.
-** "params" is a pointer to the PQG parameters for the domain
-** Uses a random seed.
-*/
-extern SECStatus DSA_NewKey(PQGParams * params,
- DSAPrivateKey ** privKey);
-
-/* signature is caller-supplied buffer of at least 20 bytes.
-** On input, signature->len == size of buffer to hold signature.
-** digest->len == size of digest.
-** On output, signature->len == size of signature in buffer.
-** Uses a random seed.
-*/
-extern SECStatus DSA_SignDigest(DSAPrivateKey * key,
- SECItem * signature,
- SECItem * digest);
-
-/* signature is caller-supplied buffer of at least 20 bytes.
-** On input, signature->len == size of buffer to hold signature.
-** digest->len == size of digest.
-*/
-extern SECStatus DSA_VerifyDigest(DSAPublicKey * key,
- SECItem * signature,
- SECItem * digest);
-
-/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
-extern SECStatus DSA_NewKeyFromSeed(PQGParams *params, unsigned char * seed,
- DSAPrivateKey **privKey);
-
-/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
-extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey * key,
- SECItem * signature,
- SECItem * digest,
- unsigned char * seed);
-
-/******************************************************
-** Diffie Helman key exchange algorithm
-*/
-
-/* Generates parameters for Diffie-Helman key generation.
-** primeLen is the length in bytes of prime P to be generated.
-*/
-extern SECStatus DH_GenParam(int primeLen, DHParams ** params);
-
-/* Generates a public and private key, both of which are encoded in a single
-** DHPrivateKey struct. Params is input, privKey are output.
-** This is Phase 1 of Diffie Hellman.
-*/
-extern SECStatus DH_NewKey(DHParams * params,
- DHPrivateKey ** privKey);
-
-/*
-** DH_Derive does the Diffie-Hellman phase 2 calculation, using the
-** other party's publicValue, and the prime and our privateValue.
-** maxOutBytes is the requested length of the generated secret in bytes.
-** A zero value means produce a value of any length up to the size of
-** the prime. If successful, derivedSecret->data is set
-** to the address of the newly allocated buffer containing the derived
-** secret, and derivedSecret->len is the size of the secret produced.
-** The size of the secret produced will never be larger than the length
-** of the prime, and it may be smaller than maxOutBytes.
-** It is the caller's responsibility to free the allocated buffer
-** containing the derived secret.
-*/
-extern SECStatus DH_Derive(SECItem * publicValue,
- SECItem * prime,
- SECItem * privateValue,
- SECItem * derivedSecret,
- unsigned int maxOutBytes);
-
-/*
-** KEA_CalcKey returns octet string with the private key for a dual
-** Diffie-Helman key generation as specified for government key exchange.
-*/
-extern SECStatus KEA_Derive(SECItem *prime,
- SECItem *public1,
- SECItem *public2,
- SECItem *private1,
- SECItem *private2,
- SECItem *derivedSecret);
-
-/*
- * verify that a KEA or DSA public key is a valid key for this prime and
- * subprime domain.
- */
-extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime);
-
-
-/******************************************/
-/*
-** RC4 symmetric stream cypher
-*/
-
-/*
-** Create a new RC4 context suitable for RC4 encryption/decryption.
-** "key" raw key data
-** "len" the number of bytes of key data
-*/
-extern RC4Context *RC4_CreateContext(unsigned char *key, int len);
-
-/*
-** Destroy an RC4 encryption/decryption context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit);
-
-/*
-** Perform RC4 encryption.
-** "cx" the context
-** "output" the output buffer to store the encrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform RC4 decryption.
-** "cx" the context
-** "output" the output buffer to store the decrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen);
-
-/******************************************/
-/*
-** RC2 symmetric block cypher
-*/
-
-/*
-** Create a new RC2 context suitable for RC2 encryption/decryption.
-** "key" raw key data
-** "len" the number of bytes of key data
-** "iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
-** "mode" one of NSS_RC2 or NSS_RC2_CBC
-** "effectiveKeyLen" is the effective key length (as specified in
-** RFC 2268) in bytes (not bits).
-**
-** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
-** chaining" mode.
-*/
-extern RC2Context *RC2_CreateContext(unsigned char *key, unsigned int len,
- unsigned char *iv, int mode, unsigned effectiveKeyLen);
-
-/*
-** Destroy an RC2 encryption/decryption context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit);
-
-/*
-** Perform RC2 encryption.
-** "cx" the context
-** "output" the output buffer to store the encrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform RC2 decryption.
-** "cx" the context
-** "output" the output buffer to store the decrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-/******************************************/
-/*
-** RC5 symmetric block cypher -- 64-bit block size
-*/
-
-/*
-** Create a new RC5 context suitable for RC5 encryption/decryption.
-** "key" raw key data
-** "len" the number of bytes of key data
-** "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
-** "mode" one of NSS_RC5 or NSS_RC5_CBC
-**
-** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
-** chaining" mode.
-*/
-extern RC5Context *RC5_CreateContext(SECItem *key, unsigned int rounds,
- unsigned int wordSize, unsigned char *iv, int mode);
-
-/*
-** Destroy an RC5 encryption/decryption context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit);
-
-/*
-** Perform RC5 encryption.
-** "cx" the context
-** "output" the output buffer to store the encrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform RC5 decryption.
-** "cx" the context
-** "output" the output buffer to store the decrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-*/
-
-extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-
-
-/******************************************/
-/*
-** DES symmetric block cypher
-*/
-
-/*
-** Create a new DES context suitable for DES encryption/decryption.
-** "key" raw key data
-** "len" the number of bytes of key data
-** "iv" is the CBC initialization vector (if mode is SEC_DES_CBC or
-** mode is DES_EDE3_CBC)
-** "mode" one of SEC_DES, SEC_DES_CBC, SEC_DES_EDE3 or SEC_DES_EDE3_CBC
-** "encrypt" is PR_TRUE if the context will be used for encryption
-**
-** When mode is set to SEC_DES_CBC or SEC_DES_EDE3_CBC then the DES
-** cipher is run in "cipher block chaining" mode.
-*/
-extern DESContext *DES_CreateContext(unsigned char *key, unsigned char *iv,
- int mode, PRBool encrypt);
-
-/*
-** Destroy an DES encryption/decryption context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void DES_DestroyContext(DESContext *cx, PRBool freeit);
-
-/*
-** Perform DES encryption.
-** "cx" the context
-** "output" the output buffer to store the encrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-**
-** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
-*/
-extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform DES decryption.
-** "cx" the context
-** "output" the output buffer to store the decrypted data.
-** "outputLen" how much data is stored in "output". Set by the routine
-** after some data is stored in output.
-** "maxOutputLen" the maximum amount of data that can ever be
-** stored in "output"
-** "input" the input data
-** "inputLen" the amount of input data
-**
-** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
-*/
-extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-
-
-
-/******************************************/
-/*
-** MD5 secure hash function
-*/
-
-/*
-** Hash a null terminated string "src" into "dest" using MD5
-*/
-extern SECStatus MD5_Hash(unsigned char *dest, const char *src);
-
-/*
-** Hash a non-null terminated string "src" into "dest" using MD5
-*/
-extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src,
- uint32 src_length);
-
-/*
-** Create a new MD5 context
-*/
-extern MD5Context *MD5_NewContext(void);
-
-
-/*
-** Destroy an MD5 secure hash context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit);
-
-/*
-** Reset an MD5 context, preparing it for a fresh round of hashing
-*/
-extern void MD5_Begin(MD5Context *cx);
-
-/*
-** Update the MD5 hash function with more data.
-** "cx" the context
-** "input" the data to hash
-** "inputLen" the amount of data to hash
-*/
-extern void MD5_Update(MD5Context *cx,
- const unsigned char *input, unsigned int inputLen);
-
-/*
-** Finish the MD5 hash function. Produce the digested results in "digest"
-** "cx" the context
-** "digest" where the 16 bytes of digest data are stored
-** "digestLen" where the digest length (16) is stored
-** "maxDigestLen" the maximum amount of data that can ever be
-** stored in "digest"
-*/
-extern void MD5_End(MD5Context *cx, unsigned char *digest,
- unsigned int *digestLen, unsigned int maxDigestLen);
-/*
- * Return the the size of a buffer needed to flatten the MD5 Context into
- * "cx" the context
- * returns size;
- */
-extern unsigned int MD5_FlattenSize(MD5Context *cx);
-
-/*
- * Flatten the MD5 Context into a buffer:
- * "cx" the context
- * "space" the buffer to flatten to
- * returns status;
- */
-extern SECStatus MD5_Flatten(MD5Context *cx,unsigned char *space);
-
-/*
- * Resurrect a flattened context into a MD5 Context
- * "space" the buffer of the flattend buffer
- * "arg" ptr to void used by cryptographic resurrect
- * returns resurected context;
- */
-extern MD5Context * MD5_Resurrect(unsigned char *space, void *arg);
-
-/*
-** trace the intermediate state info of the MD5 hash.
-*/
-extern void MD5_TraceState(MD5Context *cx);
-
-
-/******************************************/
-/*
-** MD2 secure hash function
-*/
-
-/*
-** Hash a null terminated string "src" into "dest" using MD2
-*/
-extern SECStatus MD2_Hash(unsigned char *dest, const char *src);
-
-/*
-** Create a new MD2 context
-*/
-extern MD2Context *MD2_NewContext(void);
-
-
-/*
-** Destroy an MD2 secure hash context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit);
-
-/*
-** Reset an MD2 context, preparing it for a fresh round of hashing
-*/
-extern void MD2_Begin(MD2Context *cx);
-
-/*
-** Update the MD2 hash function with more data.
-** "cx" the context
-** "input" the data to hash
-** "inputLen" the amount of data to hash
-*/
-extern void MD2_Update(MD2Context *cx,
- const unsigned char *input, unsigned int inputLen);
-
-/*
-** Finish the MD2 hash function. Produce the digested results in "digest"
-** "cx" the context
-** "digest" where the 16 bytes of digest data are stored
-** "digestLen" where the digest length (16) is stored
-** "maxDigestLen" the maximum amount of data that can ever be
-** stored in "digest"
-*/
-extern void MD2_End(MD2Context *cx, unsigned char *digest,
- unsigned int *digestLen, unsigned int maxDigestLen);
-
-/*
- * Return the the size of a buffer needed to flatten the MD2 Context into
- * "cx" the context
- * returns size;
- */
-extern unsigned int MD2_FlattenSize(MD2Context *cx);
-
-/*
- * Flatten the MD2 Context into a buffer:
- * "cx" the context
- * "space" the buffer to flatten to
- * returns status;
- */
-extern SECStatus MD2_Flatten(MD2Context *cx,unsigned char *space);
-
-/*
- * Resurrect a flattened context into a MD2 Context
- * "space" the buffer of the flattend buffer
- * "arg" ptr to void used by cryptographic resurrect
- * returns resurected context;
- */
-extern MD2Context * MD2_Resurrect(unsigned char *space, void *arg);
-
-/******************************************/
-/*
-** SHA-1 secure hash function
-*/
-
-/*
-** Hash a null terminated string "src" into "dest" using SHA-1
-*/
-extern SECStatus SHA1_Hash(unsigned char *dest, const char *src);
-
-/*
-** Hash a non-null terminated string "src" into "dest" using SHA-1
-*/
-extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src,
- uint32 src_length);
-
-/*
-** Create a new SHA-1 context
-*/
-extern SHA1Context *SHA1_NewContext(void);
-
-
-/*
-** Destroy a SHA-1 secure hash context.
-** "cx" the context
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit);
-
-/*
-** Reset a SHA-1 context, preparing it for a fresh round of hashing
-*/
-extern void SHA1_Begin(SHA1Context *cx);
-
-/*
-** Update the SHA-1 hash function with more data.
-** "cx" the context
-** "input" the data to hash
-** "inputLen" the amount of data to hash
-*/
-extern void SHA1_Update(SHA1Context *cx, const unsigned char *input,
- unsigned int inputLen);
-
-/*
-** Finish the SHA-1 hash function. Produce the digested results in "digest"
-** "cx" the context
-** "digest" where the 16 bytes of digest data are stored
-** "digestLen" where the digest length (20) is stored
-** "maxDigestLen" the maximum amount of data that can ever be
-** stored in "digest"
-*/
-extern void SHA1_End(SHA1Context *cx, unsigned char *digest,
- unsigned int *digestLen, unsigned int maxDigestLen);
-
-/*
-** trace the intermediate state info of the SHA1 hash.
-*/
-extern void SHA1_TraceState(MD5Context *cx);
-
-/*
- * Return the the size of a buffer needed to flatten the SHA-1 Context into
- * "cx" the context
- * returns size;
- */
-extern unsigned int SHA1_FlattenSize(SHA1Context *cx);
-
-/*
- * Flatten the SHA-1 Context into a buffer:
- * "cx" the context
- * "space" the buffer to flatten to
- * returns status;
- */
-extern SECStatus SHA1_Flatten(SHA1Context *cx,unsigned char *space);
-
-/*
- * Resurrect a flattened context into a SHA-1 Context
- * "space" the buffer of the flattend buffer
- * "arg" ptr to void used by cryptographic resurrect
- * returns resurected context;
- */
-extern SHA1Context * SHA1_Resurrect(unsigned char *space, void *arg);
-
-
-/******************************************/
-/*
-** Pseudo Random Number Generation. FIPS compliance desirable.
-*/
-
-/*
-** Reset the random number generator to its initial state. The seed data
-** is not reset. This causes the random number generator to output the
-** exact same sequence of random numbers as it originally output.
-** "cx" the context
-*/
-extern SECStatus RNG_RNGInit(void);
-
-/*
-** Update the global random number generator with more seeding
-** material
-*/
-extern SECStatus RNG_RandomUpdate(void *data, size_t bytes);
-
-/*
-** Generate some random bytes, using the global random number generator
-** object.
-*/
-extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len);
-
-
-extern void RNG_RNGShutdown(void);
-
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of seed and length of h both equal length of P.
- * All lengths are specified by "j", according to the table above.
- */
-extern SECStatus
-PQG_ParamGen(unsigned int j, /* input : determines length of P. */
- PQGParams **pParams, /* output: P Q and G returned here */
- PQGVerify **pVfy); /* output: counter and seed. */
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of P specified by j. Length of h will match length of P.
- * Length of SEED in bytes specified in seedBytes.
- * seedBbytes must be in the range [20..255] or an error will result.
- */
-extern SECStatus
-PQG_ParamGenSeedLen(
- unsigned int j, /* input : determines length of P. */
- unsigned int seedBytes, /* input : length of seed in bytes.*/
- PQGParams **pParams, /* output: P Q and G returned here */
- PQGVerify **pVfy); /* output: counter and seed. */
-
-
-/* Test PQGParams for validity as DSS PQG values.
- * If vfy is non-NULL, test PQGParams to make sure they were generated
- * using the specified seed, counter, and h values.
- *
- * Return value indicates whether Verification operation ran succesfully
- * to completion, but does not indicate if PQGParams are valid or not.
- * If return value is SECSuccess, then *pResult has these meanings:
- * SECSuccess: PQGParams are valid.
- * SECFailure: PQGParams are invalid.
- *
- * Verify the following 12 facts about PQG counter SEED g and h
- * 1. Q is 160 bits long.
- * 2. P is one of the 9 valid lengths.
- * 3. G < P
- * 4. P % Q == 1
- * 5. Q is prime
- * 6. P is prime
- * Steps 7-12 are done only if the optional PQGVerify is supplied.
- * 7. counter < 4096
- * 8. g >= 160 and g < 2048 (g is length of seed in bits)
- * 9. Q generated from SEED matches Q in PQGParams.
- * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
- * 11. 1 < h < P-1
- * 12. G generated from h matches G in PQGParams.
- */
-
-extern SECStatus PQG_VerifyParams(const PQGParams *params,
- const PQGVerify *vfy, SECStatus *result);
-
-
-/**************************************************************************
- * Free the PQGParams struct and the things it points to. *
- **************************************************************************/
-extern void PQG_DestroyParams(PQGParams *params);
-
-/**************************************************************************
- * Free the PQGVerify struct and the things it points to. *
- **************************************************************************/
-extern void PQG_DestroyVerify(PQGVerify *vfy);
-
-
-
-SEC_END_PROTOS
-
-#endif /* _BLAPI_H_ */
diff --git a/security/nss/lib/freebl/blapi_bsf.c b/security/nss/lib/freebl/blapi_bsf.c
deleted file mode 100644
index 9796acc33..000000000
--- a/security/nss/lib/freebl/blapi_bsf.c
+++ /dev/null
@@ -1,2086 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*****************************************************************************
-**
-** Implementation of BLAPI using RSA BSAFE Crypto-C 4.1
-**
-******************************************************************************/
-
-/*
-** Notes:
-**
-** 1. SHA1, MD2, and MD5 are not implemented here. This is because
-** BSAFE Crypto-C 4.1 does not provide a mechanism for saving and
-** restoring intermediate hash values. BLAPI uses the functions
-** <hash>_Flatten and <hash>_Resurrect to accomplish this, so the
-** hashes are implemented elsewhere.
-**
-** 2. The DSA and PQG functions which use seeds are not consistent across
-** implementations. In this BSAFE-dependent implementation of BLAPI,
-** the seed is understood to be an initial value sent to a random number
-** generator used during the key/param generation. In the implementation
-** used by Netscape-branded products, the seed is understood to be actual
-** bytes used for the creation of a key or parameters. This means that
-** while the BSAFE-dependent implementation may be self-consistent (using
-** the same seed will produce the same key/parameters), it is not
-** consistent with the Netscape-branded implementation.
-** Also, according to the BSAFE Crypto-C 4.0 Library Reference Manual, the
-** SHA1 Random Number Generator is implemented according to the X9.62
-** Draft Standard. Random number generation in the Netscape-branded
-** implementation of BLAPI is compliant with FIPS-186, thus random
-** numbers generated using the same seed will differ across
-** implementations.
-**
-** 3. PQG_VerifyParams is not implemented here. BSAFE Crypto-C 4.1
-** allows access to the seed and counter values used in generating
-** p and q, but does not provide a mechanism for verifying that
-** p, q, and g were generated from that seed and counter. At this
-** time, this implementation will set a PR_NOT_IMPLEMENTED_ERROR
-** in a call to PQG_VerifyParams.
-**
-*/
-
-#include "prerr.h"
-#include "secerr.h"
-
-/* BSAFE headers */
-#include "aglobal.h"
-#include "bsafe.h"
-
-/* BLAPI definition */
-#include "blapi.h"
-
-/* default block sizes for algorithms */
-#define DES_BLOCK_SIZE 8
-#define RC2_BLOCK_SIZE 8
-#define RC5_BLOCK_SIZE 8
-
-#define MAX_RC5_KEY_BYTES 255
-#define MAX_RC5_ROUNDS 255
-#define RC5_VERSION_NUMBER 0x10
-#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
-
-#define SECITEMFROMITEM(arena, to, from) \
- tmp.data = from.data; tmp.len = from.len; to.type = siBuffer; \
- if (SECITEM_CopyItem(arena, &to, &tmp) != SECSuccess) goto loser;
-
-#define ITEMFROMSECITEM(to, from) \
- to.data = from.data; to.len = from.len;
-
-static const B_ALGORITHM_METHOD *rand_chooser[] = {
- &AM_SHA_RANDOM,
- (B_ALGORITHM_METHOD *)NULL_PTR
-};
-
-static B_ALGORITHM_OBJ
-generateRandomAlgorithm(int numBytes, unsigned char *seedData)
-{
- SECItem seed = { siBuffer, 0, 0 };
- B_ALGORITHM_OBJ randomAlgorithm = NULL_PTR;
- int status;
-
- /* Allocate space for random seed. */
- if (seedData) {
- seed.len = numBytes;
- seed.data = seedData;
- } else {
- if (SECITEM_AllocItem(NULL, &seed, numBytes) == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- if ((status = RNG_GenerateGlobalRandomBytes(seed.data, seed.len))
- != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- }
-
- /* Generate the random seed. */
- if ((status = B_CreateAlgorithmObject(&randomAlgorithm)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(randomAlgorithm, AI_SHA1Random,
- NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_RandomInit(randomAlgorithm, rand_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_RandomUpdate(randomAlgorithm, seed.data, seed.len,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
-
- if (seedData == NULL)
- SECITEM_FreeItem(&seed, PR_FALSE);
-
- return randomAlgorithm;
-
-loser:
- if (randomAlgorithm != NULL_PTR)
- B_DestroyAlgorithmObject(&randomAlgorithm);
- if (seedData == NULL)
- SECITEM_FreeItem(&seed, PR_FALSE);
- return NULL_PTR;
-}
-
-/*****************************************************************************
-** BLAPI implementation of DES
-******************************************************************************/
-
-struct DESContextStr {
- B_ALGORITHM_OBJ algobj;
- B_ALGORITHM_METHOD *alg_chooser[3];
- B_KEY_OBJ keyobj;
-};
-
-DESContext *
-DES_CreateContext(unsigned char *key, unsigned char *iv,
- int mode, PRBool encrypt)
-{
- /* BLAPI */
- DESContext *cx;
- /* BSAFE */
- B_BLK_CIPHER_W_FEEDBACK_PARAMS fbParams;
- ITEM ivItem;
- unsigned int blockLength = DES_BLOCK_SIZE;
- int status;
-
- cx = (DESContext *)PORT_ZAlloc(sizeof(DESContext));
- if (cx == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return NULL;
- }
-
- /* Create an encryption object. */
- cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
- if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- /* Set the IV. */
- ivItem.data = iv;
- ivItem.len = DES_BLOCK_SIZE;
-
- /* Create the key. */
- cx->keyobj = (B_KEY_OBJ)NULL_PTR;
- if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- /* Set fields common to all DES modes. */
- fbParams.encryptionParams = NULL_PTR;
- fbParams.paddingMethodName = (unsigned char *)"nopad";
- fbParams.paddingParams = NULL_PTR;
-
- /* Set mode-specific fields. */
- switch (mode) {
- case NSS_DES:
- fbParams.encryptionMethodName = (unsigned char *)"des";
- fbParams.feedbackMethodName = (unsigned char *)"ecb";
- fbParams.feedbackParams = (POINTER)&blockLength;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_DES8Strong, (POINTER)key))
- != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
- if (encrypt) {
- cx->alg_chooser[0] = &AM_DES_ENCRYPT;
- cx->alg_chooser[1] = &AM_ECB_ENCRYPT;
- } else {
- cx->alg_chooser[0] = &AM_DES_DECRYPT;
- cx->alg_chooser[1] = &AM_ECB_DECRYPT;
- }
- cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
- break;
-
- case NSS_DES_CBC:
- fbParams.encryptionMethodName = (unsigned char *)"des";
- fbParams.feedbackMethodName = (unsigned char *)"cbc";
- fbParams.feedbackParams = (POINTER)&ivItem;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_DES8Strong, (POINTER)key))
- != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
- if (encrypt) {
- cx->alg_chooser[0] = &AM_DES_ENCRYPT;
- cx->alg_chooser[1] = &AM_CBC_ENCRYPT;
- } else {
- cx->alg_chooser[0] = &AM_DES_DECRYPT;
- cx->alg_chooser[1] = &AM_CBC_DECRYPT;
- }
- cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
- break;
-
- case NSS_DES_EDE3:
- fbParams.encryptionMethodName = (unsigned char *)"des_ede";
- fbParams.feedbackMethodName = (unsigned char *)"ecb";
- fbParams.feedbackParams = (POINTER)&blockLength;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_DES24Strong, (POINTER)key))
- != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
- if (encrypt) {
- cx->alg_chooser[0] = &AM_DES_EDE_ENCRYPT;
- cx->alg_chooser[1] = &AM_ECB_ENCRYPT;
- } else {
- cx->alg_chooser[0] = &AM_DES_EDE_DECRYPT;
- cx->alg_chooser[1] = &AM_ECB_DECRYPT;
- }
- cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
- break;
-
- case NSS_DES_EDE3_CBC:
- fbParams.encryptionMethodName = (unsigned char *)"des_ede";
- fbParams.feedbackMethodName = (unsigned char *)"cbc";
- fbParams.feedbackParams = (POINTER)&ivItem;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_DES24Strong, (POINTER)key))
- != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
- if (encrypt) {
- cx->alg_chooser[0] = &AM_DES_EDE_ENCRYPT;
- cx->alg_chooser[1] = &AM_CBC_ENCRYPT;
- } else {
- cx->alg_chooser[0] = &AM_DES_EDE_DECRYPT;
- cx->alg_chooser[1] = &AM_CBC_DECRYPT;
- }
- cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
- break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(cx->algobj, AI_FeedbackCipher,
- (POINTER)&fbParams)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- return cx;
-
-loser:
- DES_DestroyContext(cx, PR_TRUE);
- return NULL;
-}
-
-void
-DES_DestroyContext(DESContext *cx, PRBool freeit)
-{
- if (freeit) {
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return;
- }
- if (cx->keyobj != NULL_PTR)
- B_DestroyKeyObject(&cx->keyobj);
- if (cx->algobj != NULL_PTR)
- B_DestroyAlgorithmObject(&cx->algobj);
- PORT_ZFree(cx, sizeof(DESContext));
- }
-}
-
-SECStatus
-DES_Encrypt(DESContext *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- unsigned int outputLenUpdate, outputLenFinal;
- int status;
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert((inputLen & (DES_BLOCK_SIZE -1 )) == 0);
- if (inputLen & (DES_BLOCK_SIZE -1 )) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_EncryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_EncryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-SECStatus
-DES_Decrypt(DESContext *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- unsigned int outputLenUpdate, outputLenFinal;
- int status;
- ptrdiff_t inpptr;
- unsigned char *inp = NULL;
- PRBool cpybuffer = PR_FALSE;
-
- /* The BSAFE Crypto-C 4.1 library with which we tested on a Sun
- * UltraSparc crashed when the input to an DES CBC decryption operation
- * was not 4-byte aligned.
- * So, we work around this problem by aligning unaligned input in a
- * temporary buffer.
- */
- inpptr = (ptrdiff_t)input;
- if (inpptr & 0x03) {
- inp = PORT_ZAlloc(inputLen);
- if (inp == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
- }
- PORT_Memcpy(inp, input, inputLen);
- cpybuffer = PR_TRUE;
- } else {
- inp = input;
- }
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert((inputLen & (DES_BLOCK_SIZE - 1)) == 0);
- if (inputLen & (DES_BLOCK_SIZE - 1)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_DecryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_DecryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-/*****************************************************************************
-** BLAPI implementation of RC2
-******************************************************************************/
-
-struct RC2ContextStr
-{
- B_ALGORITHM_OBJ algobj;
- B_ALGORITHM_METHOD *alg_chooser[6];
- B_KEY_OBJ keyobj;
-};
-
-RC2Context *
-RC2_CreateContext(unsigned char *key, unsigned int len,
- unsigned char *iv, int mode, unsigned effectiveKeyLen)
-{
- /* BLAPI */
- RC2Context *cx;
- /* BSAFE */
- B_BLK_CIPHER_W_FEEDBACK_PARAMS fbParams;
- A_RC2_PARAMS rc2Params;
- ITEM ivItem;
- ITEM keyItem;
- unsigned int blockLength = RC2_BLOCK_SIZE;
- int status;
-
- if (mode == NSS_RC2_CBC && iv == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
-
- cx = (RC2Context *)PORT_ZAlloc(sizeof(RC2Context));
- if (cx == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return NULL;
- }
- cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
- if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- cx->keyobj = (B_KEY_OBJ)NULL_PTR;
- if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- rc2Params.effectiveKeyBits = effectiveKeyLen * BITS_PER_BYTE;
- ivItem.data = iv;
- ivItem.len = RC2_BLOCK_SIZE;
-
- fbParams.encryptionMethodName = (unsigned char *)"rc2";
- fbParams.encryptionParams = (POINTER)&rc2Params;
- fbParams.paddingMethodName = (unsigned char *)"nopad";
- fbParams.paddingParams = NULL_PTR;
- cx->alg_chooser[0] = &AM_RC2_ENCRYPT;
- cx->alg_chooser[1] = &AM_RC2_DECRYPT;
- cx->alg_chooser[4] = &AM_SHA_RANDOM;
- cx->alg_chooser[5] = (B_ALGORITHM_METHOD *)NULL;
-
- switch (mode) {
- case NSS_RC2:
- fbParams.feedbackMethodName = (unsigned char *)"ecb";
- fbParams.feedbackParams = (POINTER)&blockLength;
- cx->alg_chooser[2] = &AM_ECB_ENCRYPT;
- cx->alg_chooser[3] = &AM_ECB_DECRYPT;
- break;
- case NSS_RC2_CBC:
- fbParams.feedbackMethodName = (unsigned char *)"cbc";
- fbParams.feedbackParams = (POINTER)&ivItem;
- cx->alg_chooser[2] = &AM_CBC_ENCRYPT;
- cx->alg_chooser[3] = &AM_CBC_DECRYPT;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(cx->algobj, AI_FeedbackCipher,
- (POINTER)&fbParams)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- keyItem.len = len;
- keyItem.data = key;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_Item, (POINTER)&keyItem)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- return cx;
-
-loser:
- RC2_DestroyContext(cx, PR_TRUE);
- return NULL;
-}
-
-void
-RC2_DestroyContext(RC2Context *cx, PRBool freeit)
-{
- if (freeit) {
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return;
- }
- if (cx->keyobj != NULL_PTR)
- B_DestroyKeyObject(&cx->keyobj);
- if (cx->algobj != NULL_PTR)
- B_DestroyAlgorithmObject(&cx->algobj);
- PORT_ZFree(cx, sizeof(RC2Context));
- }
-}
-
-SECStatus
-RC2_Encrypt(RC2Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- int status;
- unsigned int outputLenUpdate, outputLenFinal;
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert((inputLen & (RC2_BLOCK_SIZE - 1)) == 0);
- if (inputLen & (RC2_BLOCK_SIZE - 1)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_EncryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_EncryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-SECStatus
-RC2_Decrypt(RC2Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- int status;
- unsigned int outputLenUpdate, outputLenFinal;
- ptrdiff_t inpptr;
- unsigned char *inp = NULL;
- PRBool cpybuffer = PR_FALSE;
-
- /* The BSAFE Crypto-C 4.1 library with which we tested on a Sun
- * UltraSparc crashed when the input to an RC2 CBC decryption operation
- * was not 4-byte aligned.
- * So, we work around this problem by aligning unaligned input in a
- * temporary buffer.
- */
- inpptr = (ptrdiff_t)input;
- if (inpptr & 0x03) {
- inp = PORT_ZAlloc(inputLen);
- if (inp == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
- }
- PORT_Memcpy(inp, input, inputLen);
- cpybuffer = PR_TRUE;
- } else {
- inp = input;
- }
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
- PORT_Assert((inputLen & (RC2_BLOCK_SIZE - 1)) == 0);
- if (inputLen & (RC2_BLOCK_SIZE - 1)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
- if ((status = B_DecryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- inp,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
- if ((status = B_DecryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
-
- if (cpybuffer)
- PORT_ZFree(inp, inputLen);
- return SECSuccess;
-
-loser:
- if (cpybuffer)
- PORT_ZFree(inp, inputLen);
- return SECFailure;
-}
-
-/*****************************************************************************
-** BLAPI implementation of RC4
-******************************************************************************/
-
-struct RC4ContextStr
-{
- B_ALGORITHM_OBJ algobj;
- B_ALGORITHM_METHOD *alg_chooser[3];
- B_KEY_OBJ keyobj;
-};
-
-RC4Context *
-RC4_CreateContext(unsigned char *key, int len)
-{
- /* BLAPI */
- RC4Context *cx;
- /* BSAFE */
- ITEM keyItem;
- int status;
-
- cx = (RC4Context *)PORT_ZAlloc(sizeof(RC4Context));
- if (cx == NULL) {
- /* set out of memory error */
- return NULL;
- }
-
- cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
- if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- cx->keyobj = (B_KEY_OBJ)NULL_PTR;
- if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(cx->algobj, AI_RC4, NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- cx->alg_chooser[0] = &AM_RC4_ENCRYPT;
- cx->alg_chooser[1] = &AM_RC4_DECRYPT;
- cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL;
-
- keyItem.len = len;
- keyItem.data = key;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_Item, (POINTER)&keyItem)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- return cx;
-
-loser:
- RC4_DestroyContext(cx, PR_TRUE);
- return NULL;
-}
-
-void
-RC4_DestroyContext(RC4Context *cx, PRBool freeit)
-{
- if (freeit) {
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return;
- }
- if (cx->keyobj != NULL_PTR)
- B_DestroyKeyObject(&cx->keyobj);
- if (cx->algobj != NULL_PTR)
- B_DestroyAlgorithmObject(&cx->algobj);
- PORT_ZFree(cx, sizeof(RC4Context));
- }
-}
-
-SECStatus
-RC4_Encrypt(RC4Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen)
-{
- int status;
- unsigned int outputLenUpdate, outputLenFinal;
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_EncryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_EncryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-SECStatus
-RC4_Decrypt(RC4Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- const unsigned char *input, unsigned int inputLen)
-{
- int status;
- unsigned int outputLenUpdate, outputLenFinal;
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_DecryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_DecryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-
-/*****************************************************************************
-** BLAPI implementation of RC5
-******************************************************************************/
-
-struct RC5ContextStr
-{
- B_ALGORITHM_OBJ algobj;
- B_ALGORITHM_METHOD *alg_chooser[6];
- B_KEY_OBJ keyobj;
- unsigned int blocksize;
-};
-
-RC5Context *
-RC5_CreateContext(SECItem *key, unsigned int rounds,
- unsigned int wordSize, unsigned char *iv, int mode)
-{
- /* BLAPI */
- RC5Context *cx;
- /* BSAFE */
- B_BLK_CIPHER_W_FEEDBACK_PARAMS fbParams;
- A_RC5_PARAMS rc5Params;
- ITEM keyItem;
- ITEM ivItem;
- unsigned int blocksize;
- int status;
-
- if (rounds > MAX_RC5_ROUNDS) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
- if (key->len > MAX_RC5_KEY_BYTES) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
- if (mode == NSS_RC5_CBC && (iv == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
-
- cx = (RC5Context *)PORT_ZAlloc(sizeof(RC5Context));
- if (cx == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return NULL;
- }
- cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
- if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- cx->keyobj = (B_KEY_OBJ)NULL_PTR;
- if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- rc5Params.version = RC5_VERSION_NUMBER;
- rc5Params.rounds = rounds;
- rc5Params.wordSizeInBits = wordSize * BITS_PER_BYTE;
- if (rc5Params.wordSizeInBits == 64) {
- fbParams.encryptionMethodName = (unsigned char *)"rc5_64";
- cx->alg_chooser[0] = &AM_RC5_64ENCRYPT;
- cx->alg_chooser[1] = &AM_RC5_64DECRYPT;
- } else {
- fbParams.encryptionMethodName = (unsigned char *)"rc5";
- cx->alg_chooser[0] = &AM_RC5_ENCRYPT;
- cx->alg_chooser[1] = &AM_RC5_DECRYPT;
- }
- fbParams.encryptionParams = (POINTER)&rc5Params;
- fbParams.paddingMethodName = (unsigned char *)"nopad";
- fbParams.paddingParams = NULL_PTR;
- cx->alg_chooser[4] = &AM_SHA_RANDOM;
- cx->alg_chooser[5] = (B_ALGORITHM_METHOD *)NULL;
- switch (mode) {
- case NSS_RC5:
- blocksize = 2 * wordSize;
- cx->blocksize = blocksize;
- fbParams.feedbackMethodName = (unsigned char *)"ecb";
- fbParams.feedbackParams = (POINTER)&blocksize;
- cx->alg_chooser[2] = &AM_ECB_ENCRYPT;
- cx->alg_chooser[3] = &AM_ECB_DECRYPT;
- break;
- case NSS_RC5_CBC:
- ivItem.len = 2 * wordSize;
- ivItem.data = iv;
- cx->blocksize = RC5_BLOCK_SIZE;
- fbParams.feedbackMethodName = (unsigned char *)"cbc";
- fbParams.feedbackParams = (POINTER)&ivItem;
- cx->alg_chooser[2] = &AM_CBC_ENCRYPT;
- cx->alg_chooser[3] = &AM_CBC_DECRYPT;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
- if ((status = B_SetAlgorithmInfo(cx->algobj, AI_FeedbackCipher,
- (POINTER)&fbParams)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- keyItem.len = key->len;
- keyItem.data = key->data;
- if ((status = B_SetKeyInfo(cx->keyobj, KI_Item, (POINTER)&keyItem)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- return cx;
-
-loser:
- RC5_DestroyContext(cx, PR_TRUE);
- return NULL;
-}
-
-void RC5_DestroyContext(RC5Context *cx, PRBool freeit)
-{
- if (freeit) {
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return;
- }
- if (cx->keyobj != NULL_PTR)
- B_DestroyKeyObject(&cx->keyobj);
- if (cx->algobj != NULL_PTR)
- B_DestroyAlgorithmObject(&cx->algobj);
- PORT_ZFree(cx, sizeof(RC5Context));
- }
-}
-
-SECStatus
-RC5_Encrypt(RC5Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- int status;
- unsigned int outputLenUpdate, outputLenFinal;
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert((inputLen & (RC5_BLOCK_SIZE - 1)) == 0);
- if (inputLen & (RC5_BLOCK_SIZE - 1)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_EncryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_EncryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-SECStatus
-RC5_Decrypt(RC5Context *cx, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen)
-{
- int status;
- unsigned int outputLenUpdate, outputLenFinal;
- ptrdiff_t inpptr;
- unsigned char *inp = NULL;
- PRBool cpybuffer = PR_FALSE;
-
- /* The BSAFE Crypto-C 4.1 library with which we tested on a Sun
- * UltraSparc crashed when the input to an RC5 CBC decryption operation
- * was not 4-byte aligned.
- * So, we work around this problem by aligning unaligned input in a
- * temporary buffer.
- */
- inpptr = (ptrdiff_t)input;
- if (inpptr & 0x03) {
- inp = PORT_ZAlloc(inputLen);
- if (inp == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
- }
- PORT_Memcpy(inp, input, inputLen);
- cpybuffer = PR_TRUE;
- } else {
- inp = input;
- }
-
- PORT_Assert(cx != NULL);
- if (cx == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert((inputLen & (cx->blocksize - 1)) == 0);
- if (inputLen & (cx->blocksize - 1)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
- if (maxOutputLen < inputLen) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if ((status = B_DecryptUpdate(cx->algobj,
- output,
- &outputLenUpdate,
- maxOutputLen,
- input,
- inputLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- if ((status = B_DecryptFinal(cx->algobj,
- output + outputLenUpdate,
- &outputLenFinal,
- maxOutputLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- *outputLen = outputLenUpdate + outputLenFinal;
- return SECSuccess;
-}
-
-/*****************************************************************************
-** BLAPI implementation of RSA
-******************************************************************************/
-
-static const SECItem defaultPublicExponent =
-{
- siBuffer,
- (unsigned char *)"\001\000\001",
- 3
-};
-
-static const B_ALGORITHM_METHOD *rsa_alg_chooser[] = {
- &AM_SHA_RANDOM,
- &AM_RSA_KEY_GEN,
- &AM_RSA_ENCRYPT,
- &AM_RSA_DECRYPT,
- &AM_RSA_CRT_ENCRYPT,
- &AM_RSA_CRT_DECRYPT,
- (B_ALGORITHM_METHOD *)NULL_PTR
-};
-
-static SECStatus
-rsaZFreePrivateKeyInfo(A_PKCS_RSA_PRIVATE_KEY *privateKeyInfo)
-{
- PORT_ZFree(privateKeyInfo->modulus.data, privateKeyInfo->modulus.len);
- PORT_ZFree(privateKeyInfo->publicExponent.data,
- privateKeyInfo->publicExponent.len);
- PORT_ZFree(privateKeyInfo->privateExponent.data,
- privateKeyInfo->privateExponent.len);
- PORT_ZFree(privateKeyInfo->prime[0].data, privateKeyInfo->prime[0].len);
- PORT_ZFree(privateKeyInfo->prime[1].data, privateKeyInfo->prime[1].len);
- PORT_ZFree(privateKeyInfo->primeExponent[0].data,
- privateKeyInfo->primeExponent[0].len);
- PORT_ZFree(privateKeyInfo->primeExponent[1].data,
- privateKeyInfo->primeExponent[1].len);
- PORT_ZFree(privateKeyInfo->coefficient.data,
- privateKeyInfo->coefficient.len);
- return SECSuccess;
-}
-
-static SECStatus
-rsaConvertKeyInfoToBLKey(A_PKCS_RSA_PRIVATE_KEY *keyInfo, RSAPrivateKey *key)
-{
- PRArenaPool *arena = key->arena;
- SECItem tmp;
-
- SECITEMFROMITEM(arena, key->modulus, keyInfo->modulus);
- SECITEMFROMITEM(arena, key->publicExponent, keyInfo->publicExponent);
- SECITEMFROMITEM(arena, key->privateExponent, keyInfo->privateExponent);
- SECITEMFROMITEM(arena, key->prime1, keyInfo->prime[0]);
- SECITEMFROMITEM(arena, key->prime2, keyInfo->prime[1]);
- SECITEMFROMITEM(arena, key->exponent1, keyInfo->primeExponent[0]);
- SECITEMFROMITEM(arena, key->exponent2, keyInfo->primeExponent[1]);
- SECITEMFROMITEM(arena, key->coefficient, keyInfo->coefficient);
- /* Version field is to be handled at a higher level. */
- key->version.data = NULL;
- key->version.len = 0;
- return SECSuccess;
-
-loser:
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
-}
-
-static SECStatus
-rsaConvertBLKeyToKeyInfo(RSAPrivateKey *key, A_PKCS_RSA_PRIVATE_KEY *keyInfo)
-{
- ITEMFROMSECITEM(keyInfo->modulus, key->modulus);
- ITEMFROMSECITEM(keyInfo->publicExponent, key->publicExponent);
- ITEMFROMSECITEM(keyInfo->privateExponent, key->privateExponent);
- ITEMFROMSECITEM(keyInfo->prime[0], key->prime1);
- ITEMFROMSECITEM(keyInfo->prime[1], key->prime2);
- ITEMFROMSECITEM(keyInfo->primeExponent[0], key->exponent1);
- ITEMFROMSECITEM(keyInfo->primeExponent[1], key->exponent2);
- ITEMFROMSECITEM(keyInfo->coefficient, key->coefficient);
- return SECSuccess;
-}
-
-RSAPrivateKey *
-RSA_NewKey(int keySizeInBits,
- SECItem * publicExponent)
-{
- /* BLAPI */
- RSAPrivateKey *privateKey;
- /* BSAFE */
- A_RSA_KEY_GEN_PARAMS keygenParams;
- A_PKCS_RSA_PRIVATE_KEY *privateKeyInfo = (A_PKCS_RSA_PRIVATE_KEY *)NULL_PTR;
- B_ALGORITHM_OBJ keypairGenerator = (B_ALGORITHM_OBJ)NULL_PTR;
- B_ALGORITHM_OBJ randomAlgorithm = NULL;
- B_KEY_OBJ publicKeyObj = (B_KEY_OBJ)NULL_PTR;
- B_KEY_OBJ privateKeyObj = (B_KEY_OBJ)NULL_PTR;
- PRArenaPool *arena;
- int status;
-
- /* Allocate space for key structure. */
- arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- privateKey = (RSAPrivateKey *)PORT_ArenaZAlloc(arena,
- sizeof(RSAPrivateKey));
- if (privateKey == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- privateKey->arena = arena;
-
- randomAlgorithm = generateRandomAlgorithm(keySizeInBits / BITS_PER_BYTE, 0);
- if (randomAlgorithm == NULL_PTR) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateAlgorithmObject(&keypairGenerator)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if (publicExponent == NULL) publicExponent = &defaultPublicExponent;
- keygenParams.modulusBits = keySizeInBits;
- keygenParams.publicExponent.data = publicExponent->data;
- keygenParams.publicExponent.len = publicExponent->len;
-
- if ((status = B_SetAlgorithmInfo(keypairGenerator, AI_RSAKeyGen,
- (POINTER)&keygenParams)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_GenerateInit(keypairGenerator, rsa_alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_GenerateKeypair(keypairGenerator, publicKeyObj,
- privateKeyObj, randomAlgorithm,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_GetKeyInfo((POINTER *)&privateKeyInfo, privateKeyObj,
- KI_PKCS_RSAPrivate)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- /* Convert the BSAFE key info to an RSAPrivateKey. */
- if ((status = rsaConvertKeyInfoToBLKey(privateKeyInfo, privateKey)) != 0) {
- goto loser;
- }
-
- B_DestroyAlgorithmObject(&publicKeyObj);
- B_DestroyKeyObject(&publicKeyObj);
- B_DestroyKeyObject(&privateKeyObj);
- rsaZFreePrivateKeyInfo(privateKeyInfo);
- B_DestroyAlgorithmObject(&randomAlgorithm);
- return privateKey;
-
-loser:
- if (keypairGenerator != NULL_PTR)
- B_DestroyAlgorithmObject(&keypairGenerator);
- if (publicKeyObj != NULL_PTR)
- B_DestroyKeyObject(&publicKeyObj);
- if (privateKeyObj != NULL_PTR)
- B_DestroyKeyObject(&privateKeyObj);
- if (privateKeyInfo != (A_PKCS_RSA_PRIVATE_KEY *)NULL_PTR)
- rsaZFreePrivateKeyInfo(privateKeyInfo);
- if (randomAlgorithm != NULL_PTR)
- B_DestroyAlgorithmObject(&randomAlgorithm);
- PORT_FreeArena(arena, PR_TRUE);
- return NULL;
-}
-
-static unsigned int
-rsa_modulusLen(SECItem *modulus)
-{
- unsigned char byteZero = modulus->data[0];
- unsigned int modLen = modulus->len - !byteZero;
- return modLen;
-}
-
-SECStatus
-RSA_PublicKeyOp(RSAPublicKey * key,
- unsigned char * output,
- unsigned char * input)
-{
- B_ALGORITHM_OBJ rsaPubKeyAlg = (B_ALGORITHM_OBJ)NULL_PTR;
- B_KEY_OBJ publicKeyObj = (B_KEY_OBJ)NULL_PTR;
- A_RSA_KEY pubKeyInfo;
- unsigned int outputLenUpdate;
- unsigned int modulusLen;
- int status;
-
- PORT_Assert(key != NULL);
- if (key == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((status = B_CreateAlgorithmObject(&rsaPubKeyAlg)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(rsaPubKeyAlg, AI_RSAPublic,
- NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- modulusLen = rsa_modulusLen(&key->modulus);
- pubKeyInfo.modulus.len = key->modulus.len;
- pubKeyInfo.modulus.data = key->modulus.data;
- pubKeyInfo.exponent.len = key->publicExponent.len;
- pubKeyInfo.exponent.data = key->publicExponent.data;
-
- if ((status = B_SetKeyInfo(publicKeyObj, KI_RSAPublic,
- (POINTER)&pubKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_EncryptInit(rsaPubKeyAlg, publicKeyObj, rsa_alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
- if ((status = B_EncryptUpdate(rsaPubKeyAlg,
- output,
- &outputLenUpdate,
- modulusLen,
- input,
- modulusLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
- if ((status = B_EncryptFinal(rsaPubKeyAlg,
- output + outputLenUpdate,
- &outputLenUpdate,
- modulusLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
-
- B_DestroyAlgorithmObject(&rsaPubKeyAlg);
- B_DestroyAlgorithmObject(&publicKeyObj);
- /* Don't delete pubKeyInfo data -- it was a shallow copy. */
- return SECSuccess;
-
-loser:
- if (rsaPubKeyAlg != NULL_PTR)
- B_DestroyAlgorithmObject(&rsaPubKeyAlg);
- if (publicKeyObj != NULL_PTR)
- B_DestroyAlgorithmObject(&publicKeyObj);
- return SECFailure;
-}
-
-SECStatus
-RSA_PrivateKeyOp(RSAPrivateKey * key,
- unsigned char * output,
- unsigned char * input)
-{
- A_PKCS_RSA_PRIVATE_KEY privKeyInfo;
- B_ALGORITHM_OBJ rsaPrivKeyAlg = (B_ALGORITHM_OBJ)NULL_PTR;
- B_KEY_OBJ privateKeyObj = (B_KEY_OBJ)NULL_PTR;
- unsigned int outputLenUpdate;
- unsigned int modulusLen;
- int status;
-
- if ((status = B_CreateAlgorithmObject(&rsaPrivKeyAlg)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(rsaPrivKeyAlg, AI_RSAPrivate,
- NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = rsaConvertBLKeyToKeyInfo(key, &privKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetKeyInfo(privateKeyObj, KI_PKCS_RSAPrivate,
- (POINTER)&privKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- modulusLen = rsa_modulusLen(&key->modulus);
-
- if ((status = B_DecryptInit(rsaPrivKeyAlg, privateKeyObj, rsa_alg_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
- if ((status = B_DecryptUpdate(rsaPrivKeyAlg,
- output,
- &outputLenUpdate,
- modulusLen,
- input,
- modulusLen,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
- if ((status = B_DecryptFinal(rsaPrivKeyAlg,
- output + outputLenUpdate,
- &outputLenUpdate,
- modulusLen - outputLenUpdate,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
-
- B_DestroyAlgorithmObject(&rsaPrivKeyAlg);
- B_DestroyAlgorithmObject(&privateKeyObj);
- /* Don't delete privKeyInfo data -- it was a shallow copy. */
- return SECSuccess;
-
-loser:
- if (rsaPrivKeyAlg != NULL_PTR)
- B_DestroyAlgorithmObject(&rsaPrivKeyAlg);
- if (privateKeyObj != NULL_PTR)
- B_DestroyAlgorithmObject(&privateKeyObj);
- return SECFailure;
-}
-
-/*****************************************************************************
-** BLAPI implementation of DSA
-******************************************************************************/
-
-static const B_ALGORITHM_METHOD *dsa_pk_gen_chooser[] = {
- &AM_SHA_RANDOM,
- &AM_DSA_PARAM_GEN,
- &AM_DSA_KEY_GEN,
- (B_ALGORITHM_METHOD *)NULL_PTR
-};
-
-static SECStatus
-dsaConvertKeyInfoToBLKey(A_DSA_PRIVATE_KEY *privateKeyInfo,
- A_DSA_PUBLIC_KEY *publicKeyInfo,
- DSAPrivateKey *privateKey)
-{
- PRArenaPool *arena;
- SECItem tmp;
-
- arena = privateKey->params.arena;
- SECITEMFROMITEM(arena, privateKey->params.prime,
- privateKeyInfo->params.prime);
- SECITEMFROMITEM(arena, privateKey->params.subPrime,
- privateKeyInfo->params.subPrime);
- SECITEMFROMITEM(arena, privateKey->params.base,
- privateKeyInfo->params.base);
- SECITEMFROMITEM(arena, privateKey->privateValue,
- privateKeyInfo->x);
- SECITEMFROMITEM(arena, privateKey->publicValue,
- publicKeyInfo->y);
-
- return SECSuccess;
-
-loser:
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
-}
-
-static SECStatus
-dsaConvertBLKeyToPrKeyInfo(DSAPrivateKey *privateKey,
- A_DSA_PRIVATE_KEY *privateKeyInfo)
-{
- ITEMFROMSECITEM(privateKeyInfo->params.prime, privateKey->params.prime)
- ITEMFROMSECITEM(privateKeyInfo->params.subPrime,
- privateKey->params.subPrime);
- ITEMFROMSECITEM(privateKeyInfo->params.base, privateKey->params.base);
- ITEMFROMSECITEM(privateKeyInfo->x, privateKey->privateValue);
- return SECSuccess;
-}
-
-static SECStatus
-dsaConvertBLKeyToPubKeyInfo(DSAPublicKey *publicKey,
- A_DSA_PUBLIC_KEY *publicKeyInfo)
-{
- ITEMFROMSECITEM(publicKeyInfo->params.prime, publicKey->params.prime)
- ITEMFROMSECITEM(publicKeyInfo->params.subPrime,
- publicKey->params.subPrime);
- ITEMFROMSECITEM(publicKeyInfo->params.base, publicKey->params.base);
- ITEMFROMSECITEM(publicKeyInfo->y, publicKey->publicValue);
- return SECSuccess;
-}
-
-static SECStatus
-dsaZFreeKeyInfoParams(A_DSA_PARAMS *params)
-{
- PORT_ZFree(params->prime.data,
- params->prime.len);
- PORT_ZFree(params->subPrime.data,
- params->subPrime.len);
- PORT_ZFree(params->base.data,
- params->base.len);
- return SECSuccess;
-}
-
-static SECStatus
-dsaZFreePrivateKeyInfo(A_DSA_PRIVATE_KEY *privateKeyInfo)
-{
- dsaZFreeKeyInfoParams(&privateKeyInfo->params);
- PORT_ZFree(privateKeyInfo->x.data,
- privateKeyInfo->x.len);
- return SECSuccess;
-}
-
-static SECStatus
-dsaZFreePublicKeyInfo(A_DSA_PUBLIC_KEY *publicKeyInfo)
-{
- dsaZFreeKeyInfoParams(&publicKeyInfo->params);
- PORT_ZFree(publicKeyInfo->y.data,
- publicKeyInfo->y.len);
- return SECSuccess;
-}
-
-SECStatus
-DSA_NewKey(PQGParams * params,
- DSAPrivateKey ** privKey)
-{
- return DSA_NewKeyFromSeed(params, NULL, privKey);
-}
-
-SECStatus
-DSA_SignDigest(DSAPrivateKey * key,
- SECItem * signature,
- SECItem * digest)
-{
- return DSA_SignDigestWithSeed(key, signature, digest, NULL);
-}
-
-SECStatus
-DSA_VerifyDigest(DSAPublicKey * key,
- SECItem * signature,
- SECItem * digest)
-{
- B_ALGORITHM_OBJ dsaVerifier = (B_ALGORITHM_OBJ)NULL_PTR;
- B_KEY_OBJ publicKeyObj = (B_KEY_OBJ)NULL_PTR;
- A_DSA_PUBLIC_KEY publicKeyInfo;
- const B_ALGORITHM_METHOD *dsa_verify_chooser[] = {
- &AM_DSA_VERIFY,
- (B_ALGORITHM_METHOD *)NULL_PTR
- };
- int status;
-
- if ((status = B_CreateAlgorithmObject(&dsaVerifier)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = dsaConvertBLKeyToPubKeyInfo(key, &publicKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetKeyInfo(publicKeyObj, KI_DSAPublic,
- (POINTER)&publicKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(dsaVerifier, AI_DSA, NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_VerifyInit(dsaVerifier, publicKeyObj, dsa_verify_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_VerifyUpdate(dsaVerifier, digest->data, digest->len,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
-
- if ((status = B_VerifyFinal(dsaVerifier, signature->data, signature->len,
- (B_ALGORITHM_OBJ)NULL_PTR,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- if (status == BE_SIGNATURE) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- goto loser;
- }
- }
-
- B_DestroyAlgorithmObject(&dsaVerifier);
- B_DestroyKeyObject(&publicKeyObj);
- /* publicKeyInfo data is shallow copy */
- return (status == BE_SIGNATURE) ? SECFailure : SECSuccess;
-
-loser:
- if (dsaVerifier != NULL_PTR)
- B_DestroyAlgorithmObject(&dsaVerifier);
- if (publicKeyObj != NULL_PTR)
- B_DestroyKeyObject(&publicKeyObj);
- return SECFailure;
-}
-
-SECStatus
-DSA_NewKeyFromSeed(PQGParams *params, unsigned char * seed,
- DSAPrivateKey **privKey)
-{
- PRArenaPool *arena;
- DSAPrivateKey *privateKey;
- /* BSAFE */
- B_ALGORITHM_OBJ dsaKeyGenObj = (B_ALGORITHM_OBJ)NULL_PTR;
- B_ALGORITHM_OBJ randomAlgorithm = NULL_PTR;
- A_DSA_PRIVATE_KEY *privateKeyInfo = (A_DSA_PRIVATE_KEY *)NULL_PTR;
- A_DSA_PUBLIC_KEY *publicKeyInfo = (A_DSA_PUBLIC_KEY *)NULL_PTR;
- A_DSA_PARAMS dsaParamInfo;
- B_KEY_OBJ publicKeyObj = (B_KEY_OBJ)NULL_PTR;
- B_KEY_OBJ privateKeyObj = (B_KEY_OBJ)NULL_PTR;
- int status;
-
- /* Allocate space for key structure. */
- arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- privateKey = (DSAPrivateKey *)
- PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
- if (privateKey == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- privateKey->params.arena = arena;
-
- if ((status = B_CreateAlgorithmObject(&dsaKeyGenObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- randomAlgorithm = generateRandomAlgorithm(DSA_SUBPRIME_LEN, seed);
- if (randomAlgorithm == NULL_PTR) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- ITEMFROMSECITEM(dsaParamInfo.prime, params->prime);
- ITEMFROMSECITEM(dsaParamInfo.subPrime, params->subPrime);
- ITEMFROMSECITEM(dsaParamInfo.base, params->base);
-
- if ((status = B_SetAlgorithmInfo(dsaKeyGenObj, AI_DSAKeyGen,
- (POINTER)&dsaParamInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_GenerateInit(dsaKeyGenObj, dsa_pk_gen_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_GenerateKeypair(dsaKeyGenObj, publicKeyObj, privateKeyObj,
- randomAlgorithm,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_GetKeyInfo((POINTER *)&privateKeyInfo, privateKeyObj,
- KI_DSAPrivate)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_GetKeyInfo((POINTER *)&publicKeyInfo, publicKeyObj,
- KI_DSAPublic)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = dsaConvertKeyInfoToBLKey(privateKeyInfo, publicKeyInfo,
- privateKey)) != 0) {
- goto loser;
- }
-
- B_DestroyAlgorithmObject(&dsaKeyGenObj);
- B_DestroyAlgorithmObject(&randomAlgorithm);
- B_DestroyKeyObject(&publicKeyObj);
- B_DestroyKeyObject(&privateKeyObj);
- dsaZFreePrivateKeyInfo(privateKeyInfo);
- dsaZFreePublicKeyInfo(publicKeyInfo);
- /* dsaParamInfo contains only public info, no need to ZFree */
-
- *privKey = privateKey;
- return SECSuccess;
-
-loser:
- if (dsaKeyGenObj != NULL_PTR)
- B_DestroyAlgorithmObject(&dsaKeyGenObj);
- if (randomAlgorithm != NULL_PTR)
- B_DestroyAlgorithmObject(&randomAlgorithm);
- if (privateKeyObj != NULL_PTR)
- B_DestroyKeyObject(&privateKeyObj);
- if (publicKeyObj != NULL_PTR)
- B_DestroyKeyObject(&publicKeyObj);
- if (privateKeyInfo != (A_DSA_PRIVATE_KEY *)NULL_PTR)
- dsaZFreePrivateKeyInfo(privateKeyInfo);
- if (publicKeyInfo != (A_DSA_PUBLIC_KEY *)NULL_PTR)
- dsaZFreePublicKeyInfo(publicKeyInfo);
- if (arena != NULL)
- PORT_FreeArena(arena, PR_TRUE);
- *privKey = NULL;
- return SECFailure;
-}
-
-SECStatus
-DSA_SignDigestWithSeed(DSAPrivateKey * key,
- SECItem * signature,
- SECItem * digest,
- unsigned char * seed)
-{
- B_ALGORITHM_OBJ dsaSigner = (B_ALGORITHM_OBJ)NULL_PTR;
- B_ALGORITHM_OBJ randomAlgorithm = NULL_PTR;
- B_KEY_OBJ privateKeyObj = (B_KEY_OBJ)NULL_PTR;
- A_DSA_PRIVATE_KEY privateKeyInfo;
- const B_ALGORITHM_METHOD *dsa_sign_chooser[] = {
- &AM_DSA_SIGN,
- (B_ALGORITHM_METHOD *)NULL_PTR
- };
- int status;
- unsigned int siglen;
-
- randomAlgorithm = generateRandomAlgorithm(DSA_SUBPRIME_LEN, seed);
-
- if ((status = B_CreateAlgorithmObject(&dsaSigner)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = dsaConvertBLKeyToPrKeyInfo(key, &privateKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetKeyInfo(privateKeyObj, KI_DSAPrivate,
- (POINTER)&privateKeyInfo)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SetAlgorithmInfo(dsaSigner, AI_DSA, NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SignInit(dsaSigner, privateKeyObj, dsa_sign_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SignUpdate(dsaSigner, digest->data, digest->len,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_SignFinal(dsaSigner, signature->data, &siglen,
- signature->len, randomAlgorithm,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- SECITEM_ReallocItem(NULL, signature, signature->len, siglen);
- signature->len = siglen; /* shouldn't realloc do this? */
-
- B_DestroyAlgorithmObject(&dsaSigner);
- B_DestroyKeyObject(&privateKeyObj);
- B_DestroyAlgorithmObject(&randomAlgorithm);
- /* privateKeyInfo is shallow copy */
- return SECSuccess;
-
-loser:
- if (dsaSigner != NULL_PTR)
- B_DestroyAlgorithmObject(&dsaSigner);
- if (privateKeyObj != NULL_PTR)
- B_DestroyKeyObject(&privateKeyObj);
- if (randomAlgorithm != NULL_PTR)
- B_DestroyAlgorithmObject(&randomAlgorithm);
- return SECFailure;
-}
-
-SECStatus
-PQG_ParamGen(unsigned int j, /* input : determines length of P. */
- PQGParams **pParams, /* output: P Q and G returned here */
- PQGVerify **pVfy) /* output: counter and seed. */
-{
- return PQG_ParamGenSeedLen(j, DSA_SUBPRIME_LEN, pParams, pVfy);
-}
-
-SECStatus
-PQG_ParamGenSeedLen(
- unsigned int j, /* input : determines length of P. */
- unsigned int seedBytes, /* input : length of seed in bytes.*/
- PQGParams **pParams, /* output: P Q and G returned here */
- PQGVerify **pVfy) /* output: counter and seed. */
-{
- B_DSA_PARAM_GEN_PARAMS dsaParams;
- B_ALGORITHM_OBJ dsaKeyGenObj = (B_ALGORITHM_OBJ)NULL_PTR;
- B_ALGORITHM_OBJ dsaParamGenerator = (B_ALGORITHM_OBJ)NULL_PTR;
- B_ALGORITHM_OBJ randomAlgorithm = NULL_PTR;
- A_DSA_PARAMS *dsaParamInfo;
- SECItem tmp;
- PQGParams *params;
- PRArenaPool *arena;
- int status;
-
- if (!pParams || j > 8) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /* Allocate space for key structure. */
- arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- params = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
- if (params == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
- params->arena = arena;
-
- if ((status = B_CreateAlgorithmObject(&dsaParamGenerator)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- if ((status = B_CreateAlgorithmObject(&dsaKeyGenObj)) != 0) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- goto loser;
- }
-
- randomAlgorithm = generateRandomAlgorithm(seedBytes, NULL);
-
- dsaParams.primeBits = 512 + (j * 64);
- if ((status = B_SetAlgorithmInfo(dsaParamGenerator, AI_DSAParamGen,
- (POINTER)&dsaParams)) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
-
- if ((status = B_GenerateInit(dsaParamGenerator, dsa_pk_gen_chooser,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_GenerateParameters(dsaParamGenerator, dsaKeyGenObj,
- randomAlgorithm,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- if ((status = B_GetAlgorithmInfo((POINTER *)&dsaParamInfo, dsaKeyGenObj,
- AI_DSAKeyGen)) != 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- SECITEMFROMITEM(arena, params->prime, dsaParamInfo->prime);
- SECITEMFROMITEM(arena, params->subPrime, dsaParamInfo->subPrime);
- SECITEMFROMITEM(arena, params->base, dsaParamInfo->base);
-
- B_DestroyAlgorithmObject(&dsaKeyGenObj);
- B_DestroyAlgorithmObject(&dsaParamGenerator);
- B_DestroyAlgorithmObject(&randomAlgorithm);
- dsaZFreeKeyInfoParams(dsaParamInfo);
-
- *pParams = params;
- return SECSuccess;
-
-loser:
- if (dsaParamGenerator != NULL_PTR)
- B_DestroyAlgorithmObject(&dsaParamGenerator);
- if (dsaKeyGenObj != NULL_PTR)
- B_DestroyAlgorithmObject(&dsaKeyGenObj);
- if (randomAlgorithm != NULL_PTR)
- B_DestroyAlgorithmObject(&randomAlgorithm);
- if (dsaParamInfo != NULL)
- dsaZFreeKeyInfoParams(dsaParamInfo);
- if (arena != NULL)
- PORT_FreeArena(arena, PR_TRUE);
- *pParams = NULL;
- return SECFailure;
-}
-
-SECStatus
-PQG_VerifyParams(const PQGParams *params,
- const PQGVerify *vfy, SECStatus *result)
-{
- /* BSAFE does not provide access to h.
- * Verification is thus skipped.
- */
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
-}
-
-/* Destroy functions are implemented in util/pqgutil.c */
-
-/*****************************************************************************
-** BLAPI implementation of RNG
-******************************************************************************/
-
-static SECItem globalseed;
-static B_ALGORITHM_OBJ globalrng = NULL_PTR;
-
-SECStatus
-RNG_RNGInit(void)
-{
- int status;
- PRInt32 nBytes;
- if (globalrng == NULL) {
- globalseed.len = 20;
- globalseed.data = (unsigned char *)PORT_Alloc(globalseed.len);
- } else {
- B_DestroyAlgorithmObject(&globalrng);
- }
- nBytes = RNG_GetNoise(globalseed.data, globalseed.len);
- globalrng = generateRandomAlgorithm(globalseed.len, globalseed.data);
- if (globalrng == NULL_PTR) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-SECStatus
-RNG_RandomUpdate(void *data, size_t bytes)
-{
- int status;
- if (data == NULL || bytes <= 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (globalrng == NULL_PTR) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
- if ((status = B_RandomUpdate(globalrng, data, bytes,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-SECStatus
-RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
-{
- int status;
- if (dest == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (globalrng == NULL_PTR) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
- if ((status = B_GenerateRandomBytes(globalrng, dest, len,
- (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-void
-RNG_RNGShutdown(void)
-{
- if (globalrng == NULL_PTR)
- /* no-op */
- return;
- B_DestroyAlgorithmObject(&globalrng);
- SECITEM_ZfreeItem(&globalseed, PR_FALSE);
- globalrng = NULL_PTR;
-}
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
deleted file mode 100644
index 3a496d2ad..000000000
--- a/security/nss/lib/freebl/blapit.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * blapit.h - public data structures for the crypto library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _BLAPIT_H_
-#define _BLAPIT_H_
-
-#include "seccomon.h"
-#include "plarena.h"
-
-/* RC2 operation modes */
-#define NSS_RC2 0
-#define NSS_RC2_CBC 1
-
-/* RC5 operation modes */
-#define NSS_RC5 0
-#define NSS_RC5_CBC 1
-
-/* DES operation modes */
-#define NSS_DES 0
-#define NSS_DES_CBC 1
-#define NSS_DES_EDE3 2
-#define NSS_DES_EDE3_CBC 3
-
-#define DES_KEY_LENGTH 8 /* Bytes */
-
-#define DSA_SIGNATURE_LEN 40 /* Bytes */
-#define DSA_SUBPRIME_LEN 20 /* Bytes */
-
-/*
- * Number of bytes each hash algorithm produces
- */
-#define MD2_LENGTH 16 /* Bytes */
-#define MD5_LENGTH 16 /* Bytes */
-#define SHA1_LENGTH 20 /* Bytes */
-
-/*
- * The FIPS 186 algorithm for generating primes P and Q allows only 9
- * distinct values for the length of P, and only one value for the
- * length of Q.
- * The algorithm uses a variable j to indicate which of the 9 lengths
- * of P is to be used.
- * The following table relates j to the lengths of P and Q in bits.
- *
- * j bits in P bits in Q
- * _ _________ _________
- * 0 512 160
- * 1 576 160
- * 2 640 160
- * 3 704 160
- * 4 768 160
- * 5 832 160
- * 6 896 160
- * 7 960 160
- * 8 1024 160
- *
- * The FIPS-186 compliant PQG generator takes j as an input parameter.
- */
-
-
-/*
- * function takes desired number of bits in P,
- * returns index (0..8) or -1 if number of bits is invalid.
- */
-#define PQG_PBITS_TO_INDEX(bits) ((((bits)-512) % 64) ? -1 : ((bits)-512)/64)
-
-/*
- * function takes index (0-8)
- * returns number of bits in P for that index, or -1 if index is invalid.
- */
-#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
-
-
-/***************************************************************************
-** Opaque objects
-*/
-
-struct DESContextStr ;
-struct RC2ContextStr ;
-struct RC4ContextStr ;
-struct RC5ContextStr ;
-struct MD2ContextStr ;
-struct MD5ContextStr ;
-struct SHA1ContextStr ;
-
-typedef struct DESContextStr DESContext;
-typedef struct RC2ContextStr RC2Context;
-typedef struct RC4ContextStr RC4Context;
-typedef struct RC5ContextStr RC5Context;
-typedef struct MD2ContextStr MD2Context;
-typedef struct MD5ContextStr MD5Context;
-typedef struct SHA1ContextStr SHA1Context;
-
-/***************************************************************************
-** RSA Public and Private Key structures
-*/
-
-/* member names from PKCS#1, section 7.1 */
-struct RSAPublicKeyStr {
- PRArenaPool * arena;
- SECItem modulus;
- SECItem publicExponent;
-};
-typedef struct RSAPublicKeyStr RSAPublicKey;
-
-/* member names from PKCS#1, section 7.2 */
-struct RSAPrivateKeyStr {
- PRArenaPool * arena;
- SECItem version;
- SECItem modulus;
- SECItem publicExponent;
- SECItem privateExponent;
- SECItem prime1;
- SECItem prime2;
- SECItem exponent1;
- SECItem exponent2;
- SECItem coefficient;
-};
-typedef struct RSAPrivateKeyStr RSAPrivateKey;
-
-
-/***************************************************************************
-** DSA Public and Private Key and related structures
-*/
-
-struct PQGParamsStr {
- PRArenaPool *arena;
- SECItem prime; /* p */
- SECItem subPrime; /* q */
- SECItem base; /* g */
- /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
-};
-typedef struct PQGParamsStr PQGParams;
-
-struct PQGVerifyStr {
- PRArenaPool * arena; /* includes this struct, seed, & h. */
- unsigned int counter;
- SECItem seed;
- SECItem h;
-};
-typedef struct PQGVerifyStr PQGVerify;
-
-struct DSAPublicKeyStr {
- PQGParams params;
- SECItem publicValue;
-};
-typedef struct DSAPublicKeyStr DSAPublicKey;
-
-struct DSAPrivateKeyStr {
- PQGParams params;
- SECItem publicValue;
- SECItem privateValue;
-};
-typedef struct DSAPrivateKeyStr DSAPrivateKey;
-
-/***************************************************************************
-** Diffie-Hellman Public and Private Key and related structures
-** Structure member names suggested by PKCS#3.
-*/
-
-struct DHParamsStr {
- PRArenaPool * arena;
- SECItem prime; /* p */
- SECItem base; /* g */
-};
-typedef struct DHParamsStr DHParams;
-
-struct DHPublicKeyStr {
- PRArenaPool * arena;
- SECItem prime;
- SECItem base;
- SECItem publicValue;
-};
-typedef struct DHPublicKeyStr DHPublicKey;
-
-struct DHPrivateKeyStr {
- PRArenaPool * arena;
- SECItem prime;
- SECItem base;
- SECItem publicValue;
- SECItem privateValue;
-};
-typedef struct DHPrivateKeyStr DHPrivateKey;
-
-
-#endif /* _BLAPIT_H_ */
diff --git a/security/nss/lib/freebl/config.mk b/security/nss/lib/freebl/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/freebl/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c
deleted file mode 100644
index f366363bf..000000000
--- a/security/nss/lib/freebl/dh.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "blapi.h"
-
-SECStatus
-DH_GenParam(int primeLen, DHParams ** params)
-{
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
-}
-
-SECStatus
-DH_NewKey(DHParams * params,
- DHPrivateKey ** privKey)
-{
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
-}
-
-SECStatus
-DH_Derive(SECItem * publicValue,
- SECItem * prime,
- SECItem * privateValue,
- SECItem * derivedSecret,
- unsigned int maxOutBytes)
-{
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
-}
-
-SECStatus
-KEA_Derive(SECItem *prime,
- SECItem *public1,
- SECItem *public2,
- SECItem *private1,
- SECItem *private2,
- SECItem *derivedSecret)
-{
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
-}
-
-PRBool
-KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
-{
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return PR_FALSE;
-}
diff --git a/security/nss/lib/freebl/fblstdlib.c b/security/nss/lib/freebl/fblstdlib.c
deleted file mode 100755
index 7aeb8efef..000000000
--- a/security/nss/lib/freebl/fblstdlib.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <plstr.h>
-#include "aglobal.h"
-#include "bsafe.h"
-#include "secport.h"
-
-void CALL_CONV T_memset (p, c, count)
-POINTER p;
-int c;
-unsigned int count;
-{
- if (count >= 0)
- memset(p, c, count);
-}
-
-void CALL_CONV T_memcpy (d, s, count)
-POINTER d, s;
-unsigned int count;
-{
- if (count >= 0)
- memcpy(d, s, count);
-}
-
-void CALL_CONV T_memmove (d, s, count)
-POINTER d, s;
-unsigned int count;
-{
- if (count >= 0)
- PORT_Memmove(d, s, count);
-}
-
-int CALL_CONV T_memcmp (s1, s2, count)
-POINTER s1, s2;
-unsigned int count;
-{
- if (count == 0)
- return (0);
- else
- return(memcmp(s1, s2, count));
-}
-
-POINTER CALL_CONV T_malloc (size)
-unsigned int size;
-{
- return((POINTER)PORT_Alloc(size == 0 ? 1 : size));
-}
-
-POINTER CALL_CONV T_realloc (p, size)
-POINTER p;
-unsigned int size;
-{
- POINTER result;
-
- if (p == NULL_PTR)
- return (T_malloc(size));
-
- if ((result = (POINTER)PORT_Realloc(p, size == 0 ? 1 : size)) == NULL_PTR)
- PORT_Free(p);
- return (result);
-}
-
-void CALL_CONV T_free (p)
-POINTER p;
-{
- if (p != NULL_PTR)
- PORT_Free(p);
-}
-
-unsigned int CALL_CONV T_strlen(p)
-char *p;
-{
- return PL_strlen(p);
-}
-
-void CALL_CONV T_strcpy(dest, src)
-char *dest;
-char *src;
-{
- PL_strcpy(dest, src);
-}
-
-int CALL_CONV T_strcmp (a, b)
-char *a, *b;
-{
- return (PL_strcmp (a, b));
-}
diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn
deleted file mode 100644
index 4b42913bf..000000000
--- a/security/nss/lib/freebl/manifest.mn
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-MODULE = security
-
-LIBRARY_NAME = freebl
-
-REQUIRES =
-
-EXPORTS = \
- blapi.h \
- blapit.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- $(NULL)
-
-ifdef MOZILLA_BSAFE_BUILD
-CSRCS = \
- fblstdlib.c \
- sha_fast.c \
- md2.c \
- md5.c \
- dh.c \
- blapi_bsf.c \
- $(NULL)
-else
-CSRCS = \
- sha_fast.c \
- md2.c \
- md5.c \
- alg2268.c \
- $(NULL)
-endif
-
diff --git a/security/nss/lib/freebl/md2.c b/security/nss/lib/freebl/md2.c
deleted file mode 100644
index 3f7427c14..000000000
--- a/security/nss/lib/freebl/md2.c
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-
-#include "blapi.h"
-
-#define MD2_DIGEST_LEN 16
-#define MD2_BUFSIZE 16
-#define MD2_X_SIZE 48 /* The X array, [CV | INPUT | TMP VARS] */
-#define MD2_CV 0 /* index into X for chaining variables */
-#define MD2_INPUT 16 /* index into X for input */
-#define MD2_TMPVARS 32 /* index into X for temporary variables */
-#define MD2_CHECKSUM_SIZE 16
-
-struct MD2ContextStr {
- unsigned char checksum[MD2_BUFSIZE];
- unsigned char X[MD2_X_SIZE];
- PRUint8 unusedBuffer;
-};
-
-static const PRUint8 MD2S[256] = {
- 0051, 0056, 0103, 0311, 0242, 0330, 0174, 0001,
- 0075, 0066, 0124, 0241, 0354, 0360, 0006, 0023,
- 0142, 0247, 0005, 0363, 0300, 0307, 0163, 0214,
- 0230, 0223, 0053, 0331, 0274, 0114, 0202, 0312,
- 0036, 0233, 0127, 0074, 0375, 0324, 0340, 0026,
- 0147, 0102, 0157, 0030, 0212, 0027, 0345, 0022,
- 0276, 0116, 0304, 0326, 0332, 0236, 0336, 0111,
- 0240, 0373, 0365, 0216, 0273, 0057, 0356, 0172,
- 0251, 0150, 0171, 0221, 0025, 0262, 0007, 0077,
- 0224, 0302, 0020, 0211, 0013, 0042, 0137, 0041,
- 0200, 0177, 0135, 0232, 0132, 0220, 0062, 0047,
- 0065, 0076, 0314, 0347, 0277, 0367, 0227, 0003,
- 0377, 0031, 0060, 0263, 0110, 0245, 0265, 0321,
- 0327, 0136, 0222, 0052, 0254, 0126, 0252, 0306,
- 0117, 0270, 0070, 0322, 0226, 0244, 0175, 0266,
- 0166, 0374, 0153, 0342, 0234, 0164, 0004, 0361,
- 0105, 0235, 0160, 0131, 0144, 0161, 0207, 0040,
- 0206, 0133, 0317, 0145, 0346, 0055, 0250, 0002,
- 0033, 0140, 0045, 0255, 0256, 0260, 0271, 0366,
- 0034, 0106, 0141, 0151, 0064, 0100, 0176, 0017,
- 0125, 0107, 0243, 0043, 0335, 0121, 0257, 0072,
- 0303, 0134, 0371, 0316, 0272, 0305, 0352, 0046,
- 0054, 0123, 0015, 0156, 0205, 0050, 0204, 0011,
- 0323, 0337, 0315, 0364, 0101, 0201, 0115, 0122,
- 0152, 0334, 0067, 0310, 0154, 0301, 0253, 0372,
- 0044, 0341, 0173, 0010, 0014, 0275, 0261, 0112,
- 0170, 0210, 0225, 0213, 0343, 0143, 0350, 0155,
- 0351, 0313, 0325, 0376, 0073, 0000, 0035, 0071,
- 0362, 0357, 0267, 0016, 0146, 0130, 0320, 0344,
- 0246, 0167, 0162, 0370, 0353, 0165, 0113, 0012,
- 0061, 0104, 0120, 0264, 0217, 0355, 0037, 0032,
- 0333, 0231, 0215, 0063, 0237, 0021, 0203, 0024
-};
-
-SECStatus
-MD2_Hash(unsigned char *dest, const char *src)
-{
- unsigned int len;
- MD2Context *cx = MD2_NewContext();
- if (!cx) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
- }
- MD2_Begin(cx);
- MD2_Update(cx, (unsigned char *)src, PL_strlen(src));
- MD2_End(cx, dest, &len, MD2_DIGEST_LEN);
- MD2_DestroyContext(cx, PR_TRUE);
- return SECSuccess;
-}
-
-MD2Context *
-MD2_NewContext(void)
-{
- MD2Context *cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context));
- if (cx == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return NULL;
- }
- return cx;
-}
-
-void
-MD2_DestroyContext(MD2Context *cx, PRBool freeit)
-{
- if (freeit)
- PORT_ZFree(cx, sizeof(*cx));
-}
-
-void
-MD2_Begin(MD2Context *cx)
-{
- memset(cx, 0, sizeof(*cx));
- cx->unusedBuffer = MD2_BUFSIZE;
-}
-
-static void
-md2_compress(MD2Context *cx)
-{
- int j;
- unsigned char P;
- P = cx->checksum[MD2_CHECKSUM_SIZE-1];
- /* Compute the running checksum, and set the tmp variables to be
- * CV[i] XOR input[i]
- */
-#define CKSUMFN(n) \
- P = cx->checksum[n] ^ MD2S[cx->X[MD2_INPUT+n] ^ P]; \
- cx->checksum[n] = P; \
- cx->X[MD2_TMPVARS+n] = cx->X[n] ^ cx->X[MD2_INPUT+n];
- CKSUMFN(0);
- CKSUMFN(1);
- CKSUMFN(2);
- CKSUMFN(3);
- CKSUMFN(4);
- CKSUMFN(5);
- CKSUMFN(6);
- CKSUMFN(7);
- CKSUMFN(8);
- CKSUMFN(9);
- CKSUMFN(10);
- CKSUMFN(11);
- CKSUMFN(12);
- CKSUMFN(13);
- CKSUMFN(14);
- CKSUMFN(15);
- /* The compression function. */
-#define COMPRESS(n) \
- P = cx->X[n] ^ MD2S[P]; \
- cx->X[n] = P;
- P = 0x00;
- for (j=0; j<18; j++) {
- COMPRESS(0);
- COMPRESS(1);
- COMPRESS(2);
- COMPRESS(3);
- COMPRESS(4);
- COMPRESS(5);
- COMPRESS(6);
- COMPRESS(7);
- COMPRESS(8);
- COMPRESS(9);
- COMPRESS(10);
- COMPRESS(11);
- COMPRESS(12);
- COMPRESS(13);
- COMPRESS(14);
- COMPRESS(15);
- COMPRESS(16);
- COMPRESS(17);
- COMPRESS(18);
- COMPRESS(19);
- COMPRESS(20);
- COMPRESS(21);
- COMPRESS(22);
- COMPRESS(23);
- COMPRESS(24);
- COMPRESS(25);
- COMPRESS(26);
- COMPRESS(27);
- COMPRESS(28);
- COMPRESS(29);
- COMPRESS(30);
- COMPRESS(31);
- COMPRESS(32);
- COMPRESS(33);
- COMPRESS(34);
- COMPRESS(35);
- COMPRESS(36);
- COMPRESS(37);
- COMPRESS(38);
- COMPRESS(39);
- COMPRESS(40);
- COMPRESS(41);
- COMPRESS(42);
- COMPRESS(43);
- COMPRESS(44);
- COMPRESS(45);
- COMPRESS(46);
- COMPRESS(47);
- P = (P + j) % 256;
- }
- cx->unusedBuffer = MD2_BUFSIZE;
-}
-
-void
-MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
-{
- PRUint32 bytesToConsume;
-
- /* Fill the remaining input buffer. */
- if (cx->unusedBuffer != MD2_BUFSIZE) {
- bytesToConsume = PR_MIN(inputLen, cx->unusedBuffer);
- memcpy(&cx->X[MD2_INPUT + (MD2_BUFSIZE - cx->unusedBuffer)],
- input, bytesToConsume);
- if (cx->unusedBuffer + bytesToConsume >= MD2_BUFSIZE)
- md2_compress(cx);
- inputLen -= bytesToConsume;
- input += bytesToConsume;
- }
-
- /* Iterate over 16-byte chunks of the input. */
- while (inputLen >= MD2_BUFSIZE) {
- memcpy(&cx->X[MD2_INPUT], input, MD2_BUFSIZE);
- md2_compress(cx);
- inputLen -= MD2_BUFSIZE;
- input += MD2_BUFSIZE;
- }
-
- /* Copy any input that remains into the buffer. */
- if (inputLen)
- memcpy(&cx->X[MD2_INPUT], input, inputLen);
- cx->unusedBuffer = MD2_BUFSIZE - inputLen;
-}
-
-void
-MD2_End(MD2Context *cx, unsigned char *digest,
- unsigned int *digestLen, unsigned int maxDigestLen)
-{
- PRUint8 padStart;
- if (maxDigestLen < MD2_BUFSIZE) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return;
- }
- padStart = MD2_BUFSIZE - cx->unusedBuffer;
- memset(&cx->X[MD2_INPUT + padStart], cx->unusedBuffer,
- cx->unusedBuffer);
- md2_compress(cx);
- memcpy(&cx->X[MD2_INPUT], cx->checksum, MD2_BUFSIZE);
- md2_compress(cx);
- *digestLen = MD2_DIGEST_LEN;
- memcpy(digest, &cx->X[MD2_CV], MD2_DIGEST_LEN);
-}
-
-unsigned int
-MD2_FlattenSize(MD2Context *cx)
-{
- return sizeof(*cx);
-}
-
-SECStatus
-MD2_Flatten(MD2Context *cx, unsigned char *space)
-{
- memcpy(space, cx, sizeof(*cx));
- return SECSuccess;
-}
-
-MD2Context *
-MD2_Resurrect(unsigned char *space, void *arg)
-{
- MD2Context *cx = MD2_NewContext();
- if (cx)
- memcpy(cx, space, sizeof(*cx));
- return cx;
-}
diff --git a/security/nss/lib/freebl/md5.c b/security/nss/lib/freebl/md5.c
deleted file mode 100644
index b0c0ed6a0..000000000
--- a/security/nss/lib/freebl/md5.c
+++ /dev/null
@@ -1,529 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "prlong.h"
-
-#include "blapi.h"
-
-#define MD5_HASH_LEN 16
-#define MD5_BUFFER_SIZE 64
-#define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8)
-
-#define CV0_1 0x67452301
-#define CV0_2 0xefcdab89
-#define CV0_3 0x98badcfe
-#define CV0_4 0x10325476
-
-#define T1_0 0xd76aa478
-#define T1_1 0xe8c7b756
-#define T1_2 0x242070db
-#define T1_3 0xc1bdceee
-#define T1_4 0xf57c0faf
-#define T1_5 0x4787c62a
-#define T1_6 0xa8304613
-#define T1_7 0xfd469501
-#define T1_8 0x698098d8
-#define T1_9 0x8b44f7af
-#define T1_10 0xffff5bb1
-#define T1_11 0x895cd7be
-#define T1_12 0x6b901122
-#define T1_13 0xfd987193
-#define T1_14 0xa679438e
-#define T1_15 0x49b40821
-
-#define T2_0 0xf61e2562
-#define T2_1 0xc040b340
-#define T2_2 0x265e5a51
-#define T2_3 0xe9b6c7aa
-#define T2_4 0xd62f105d
-#define T2_5 0x02441453
-#define T2_6 0xd8a1e681
-#define T2_7 0xe7d3fbc8
-#define T2_8 0x21e1cde6
-#define T2_9 0xc33707d6
-#define T2_10 0xf4d50d87
-#define T2_11 0x455a14ed
-#define T2_12 0xa9e3e905
-#define T2_13 0xfcefa3f8
-#define T2_14 0x676f02d9
-#define T2_15 0x8d2a4c8a
-
-#define T3_0 0xfffa3942
-#define T3_1 0x8771f681
-#define T3_2 0x6d9d6122
-#define T3_3 0xfde5380c
-#define T3_4 0xa4beea44
-#define T3_5 0x4bdecfa9
-#define T3_6 0xf6bb4b60
-#define T3_7 0xbebfbc70
-#define T3_8 0x289b7ec6
-#define T3_9 0xeaa127fa
-#define T3_10 0xd4ef3085
-#define T3_11 0x04881d05
-#define T3_12 0xd9d4d039
-#define T3_13 0xe6db99e5
-#define T3_14 0x1fa27cf8
-#define T3_15 0xc4ac5665
-
-#define T4_0 0xf4292244
-#define T4_1 0x432aff97
-#define T4_2 0xab9423a7
-#define T4_3 0xfc93a039
-#define T4_4 0x655b59c3
-#define T4_5 0x8f0ccc92
-#define T4_6 0xffeff47d
-#define T4_7 0x85845dd1
-#define T4_8 0x6fa87e4f
-#define T4_9 0xfe2ce6e0
-#define T4_10 0xa3014314
-#define T4_11 0x4e0811a1
-#define T4_12 0xf7537e82
-#define T4_13 0xbd3af235
-#define T4_14 0x2ad7d2bb
-#define T4_15 0xeb86d391
-
-#define R1B0 0
-#define R1B1 1
-#define R1B2 2
-#define R1B3 3
-#define R1B4 4
-#define R1B5 5
-#define R1B6 6
-#define R1B7 7
-#define R1B8 8
-#define R1B9 9
-#define R1B10 10
-#define R1B11 11
-#define R1B12 12
-#define R1B13 13
-#define R1B14 14
-#define R1B15 15
-
-#define R2B0 1
-#define R2B1 6
-#define R2B2 11
-#define R2B3 0
-#define R2B4 5
-#define R2B5 10
-#define R2B6 15
-#define R2B7 4
-#define R2B8 9
-#define R2B9 14
-#define R2B10 3
-#define R2B11 8
-#define R2B12 13
-#define R2B13 2
-#define R2B14 7
-#define R2B15 12
-
-#define R3B0 5
-#define R3B1 8
-#define R3B2 11
-#define R3B3 14
-#define R3B4 1
-#define R3B5 4
-#define R3B6 7
-#define R3B7 10
-#define R3B8 13
-#define R3B9 0
-#define R3B10 3
-#define R3B11 6
-#define R3B12 9
-#define R3B13 12
-#define R3B14 15
-#define R3B15 2
-
-#define R4B0 0
-#define R4B1 7
-#define R4B2 14
-#define R4B3 5
-#define R4B4 12
-#define R4B5 3
-#define R4B6 10
-#define R4B7 1
-#define R4B8 8
-#define R4B9 15
-#define R4B10 6
-#define R4B11 13
-#define R4B12 4
-#define R4B13 11
-#define R4B14 2
-#define R4B15 9
-
-#define S1_0 7
-#define S1_1 12
-#define S1_2 17
-#define S1_3 22
-
-#define S2_0 5
-#define S2_1 9
-#define S2_2 14
-#define S2_3 20
-
-#define S3_0 4
-#define S3_1 11
-#define S3_2 16
-#define S3_3 23
-
-#define S4_0 6
-#define S4_1 10
-#define S4_2 15
-#define S4_3 21
-
-struct MD5ContextStr {
- PRUint32 lsbInput;
- PRUint32 msbInput;
- PRUint32 cv[4];
- union {
- PRUint8 b[64];
- PRUint32 w[16];
- } u;
-};
-
-#define inBuf u.b
-
-SECStatus
-MD5_Hash(unsigned char *dest, const char *src)
-{
- return MD5_HashBuf(dest, (unsigned char *)src, PL_strlen(src));
-}
-
-SECStatus
-MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
- unsigned int len;
- MD5Context *cx = MD5_NewContext();
- if (cx == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return SECFailure;
- }
- MD5_Begin(cx);
- MD5_Update(cx, src, src_length);
- MD5_End(cx, dest, &len, MD5_HASH_LEN);
- MD5_DestroyContext(cx, PR_TRUE);
- return SECSuccess;
-}
-
-MD5Context *
-MD5_NewContext(void)
-{
- MD5Context *cx = (MD5Context *)PORT_ZAlloc(sizeof(MD5Context));
- if (cx == NULL) {
- PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
- return NULL;
- }
- return cx;
-}
-
-void
-MD5_DestroyContext(MD5Context *cx, PRBool freeit)
-{
- if (freeit) {
- PORT_ZFree(cx, sizeof(MD5Context));
- }
-}
-
-void
-MD5_Begin(MD5Context *cx)
-{
- cx->lsbInput = 0;
- cx->msbInput = 0;
- memset(cx->inBuf, 0, sizeof(cx->inBuf));
- cx->cv[0] = CV0_1;
- cx->cv[1] = CV0_2;
- cx->cv[2] = CV0_3;
- cx->cv[3] = CV0_4;
-}
-
-#define cls(i32, s) (tmp = i32, tmp << s | tmp >> (32 - s))
-
-#define MASK 0x00ff00ff
-#ifdef IS_LITTLE_ENDIAN
-#define lendian(i32) \
- (i32)
-#else
-#define lendian(i32) \
- (tmp = i32 >> 16 | i32 << 16, (tmp & MASK) << 8 | tmp >> 8 & MASK)
-#endif
-
-#if defined(SOLARIS) || defined(HPUX)
-#define addto64(sumhigh, sumlow, addend) \
- sumlow += addend; sumhigh += (sumlow < addend);
-#else
-#define addto64(sumhigh, sumlow, addend) \
- sumlow += addend; if (sumlow < addend) ++sumhigh;
-#endif
-
-#define F(X, Y, Z) \
- ((X & Y) | ((~X) & Z))
-
-#define G(X, Y, Z) \
- ((X & Z) | (Y & (~Z)))
-
-#define H(X, Y, Z) \
- (X ^ Y ^ Z)
-
-#define I(X, Y, Z) \
- (Y ^ (X | (~Z)))
-
-#define FF(a, b, c, d, bufint, s, ti) \
- a = b + cls(a + F(b, c, d) + bufint + ti, s)
-
-#define GG(a, b, c, d, bufint, s, ti) \
- a = b + cls(a + G(b, c, d) + bufint + ti, s)
-
-#define HH(a, b, c, d, bufint, s, ti) \
- a = b + cls(a + H(b, c, d) + bufint + ti, s)
-
-#define II(a, b, c, d, bufint, s, ti) \
- a = b + cls(a + I(b, c, d) + bufint + ti, s)
-
-static void
-md5_compress(MD5Context *cx)
-{
- PRUint32 a, b, c, d;
- PRUint32 tmp;
- a = cx->cv[0];
- b = cx->cv[1];
- c = cx->cv[2];
- d = cx->cv[3];
-#ifndef IS_LITTLE_ENDIAN
- cx->u.w[0] = lendian(cx->u.w[0]);
- cx->u.w[1] = lendian(cx->u.w[1]);
- cx->u.w[2] = lendian(cx->u.w[2]);
- cx->u.w[3] = lendian(cx->u.w[3]);
- cx->u.w[4] = lendian(cx->u.w[4]);
- cx->u.w[5] = lendian(cx->u.w[5]);
- cx->u.w[6] = lendian(cx->u.w[6]);
- cx->u.w[7] = lendian(cx->u.w[7]);
- cx->u.w[8] = lendian(cx->u.w[8]);
- cx->u.w[9] = lendian(cx->u.w[9]);
- cx->u.w[10] = lendian(cx->u.w[10]);
- cx->u.w[11] = lendian(cx->u.w[11]);
- cx->u.w[12] = lendian(cx->u.w[12]);
- cx->u.w[13] = lendian(cx->u.w[13]);
- cx->u.w[14] = lendian(cx->u.w[14]);
- cx->u.w[15] = lendian(cx->u.w[15]);
-#endif
- FF(a, b, c, d, cx->u.w[R1B0 ], S1_0, T1_0);
- FF(d, a, b, c, cx->u.w[R1B1 ], S1_1, T1_1);
- FF(c, d, a, b, cx->u.w[R1B2 ], S1_2, T1_2);
- FF(b, c, d, a, cx->u.w[R1B3 ], S1_3, T1_3);
- FF(a, b, c, d, cx->u.w[R1B4 ], S1_0, T1_4);
- FF(d, a, b, c, cx->u.w[R1B5 ], S1_1, T1_5);
- FF(c, d, a, b, cx->u.w[R1B6 ], S1_2, T1_6);
- FF(b, c, d, a, cx->u.w[R1B7 ], S1_3, T1_7);
- FF(a, b, c, d, cx->u.w[R1B8 ], S1_0, T1_8);
- FF(d, a, b, c, cx->u.w[R1B9 ], S1_1, T1_9);
- FF(c, d, a, b, cx->u.w[R1B10], S1_2, T1_10);
- FF(b, c, d, a, cx->u.w[R1B11], S1_3, T1_11);
- FF(a, b, c, d, cx->u.w[R1B12], S1_0, T1_12);
- FF(d, a, b, c, cx->u.w[R1B13], S1_1, T1_13);
- FF(c, d, a, b, cx->u.w[R1B14], S1_2, T1_14);
- FF(b, c, d, a, cx->u.w[R1B15], S1_3, T1_15);
- GG(a, b, c, d, cx->u.w[R2B0 ], S2_0, T2_0);
- GG(d, a, b, c, cx->u.w[R2B1 ], S2_1, T2_1);
- GG(c, d, a, b, cx->u.w[R2B2 ], S2_2, T2_2);
- GG(b, c, d, a, cx->u.w[R2B3 ], S2_3, T2_3);
- GG(a, b, c, d, cx->u.w[R2B4 ], S2_0, T2_4);
- GG(d, a, b, c, cx->u.w[R2B5 ], S2_1, T2_5);
- GG(c, d, a, b, cx->u.w[R2B6 ], S2_2, T2_6);
- GG(b, c, d, a, cx->u.w[R2B7 ], S2_3, T2_7);
- GG(a, b, c, d, cx->u.w[R2B8 ], S2_0, T2_8);
- GG(d, a, b, c, cx->u.w[R2B9 ], S2_1, T2_9);
- GG(c, d, a, b, cx->u.w[R2B10], S2_2, T2_10);
- GG(b, c, d, a, cx->u.w[R2B11], S2_3, T2_11);
- GG(a, b, c, d, cx->u.w[R2B12], S2_0, T2_12);
- GG(d, a, b, c, cx->u.w[R2B13], S2_1, T2_13);
- GG(c, d, a, b, cx->u.w[R2B14], S2_2, T2_14);
- GG(b, c, d, a, cx->u.w[R2B15], S2_3, T2_15);
- HH(a, b, c, d, cx->u.w[R3B0 ], S3_0, T3_0);
- HH(d, a, b, c, cx->u.w[R3B1 ], S3_1, T3_1);
- HH(c, d, a, b, cx->u.w[R3B2 ], S3_2, T3_2);
- HH(b, c, d, a, cx->u.w[R3B3 ], S3_3, T3_3);
- HH(a, b, c, d, cx->u.w[R3B4 ], S3_0, T3_4);
- HH(d, a, b, c, cx->u.w[R3B5 ], S3_1, T3_5);
- HH(c, d, a, b, cx->u.w[R3B6 ], S3_2, T3_6);
- HH(b, c, d, a, cx->u.w[R3B7 ], S3_3, T3_7);
- HH(a, b, c, d, cx->u.w[R3B8 ], S3_0, T3_8);
- HH(d, a, b, c, cx->u.w[R3B9 ], S3_1, T3_9);
- HH(c, d, a, b, cx->u.w[R3B10], S3_2, T3_10);
- HH(b, c, d, a, cx->u.w[R3B11], S3_3, T3_11);
- HH(a, b, c, d, cx->u.w[R3B12], S3_0, T3_12);
- HH(d, a, b, c, cx->u.w[R3B13], S3_1, T3_13);
- HH(c, d, a, b, cx->u.w[R3B14], S3_2, T3_14);
- HH(b, c, d, a, cx->u.w[R3B15], S3_3, T3_15);
- II(a, b, c, d, cx->u.w[R4B0 ], S4_0, T4_0);
- II(d, a, b, c, cx->u.w[R4B1 ], S4_1, T4_1);
- II(c, d, a, b, cx->u.w[R4B2 ], S4_2, T4_2);
- II(b, c, d, a, cx->u.w[R4B3 ], S4_3, T4_3);
- II(a, b, c, d, cx->u.w[R4B4 ], S4_0, T4_4);
- II(d, a, b, c, cx->u.w[R4B5 ], S4_1, T4_5);
- II(c, d, a, b, cx->u.w[R4B6 ], S4_2, T4_6);
- II(b, c, d, a, cx->u.w[R4B7 ], S4_3, T4_7);
- II(a, b, c, d, cx->u.w[R4B8 ], S4_0, T4_8);
- II(d, a, b, c, cx->u.w[R4B9 ], S4_1, T4_9);
- II(c, d, a, b, cx->u.w[R4B10], S4_2, T4_10);
- II(b, c, d, a, cx->u.w[R4B11], S4_3, T4_11);
- II(a, b, c, d, cx->u.w[R4B12], S4_0, T4_12);
- II(d, a, b, c, cx->u.w[R4B13], S4_1, T4_13);
- II(c, d, a, b, cx->u.w[R4B14], S4_2, T4_14);
- II(b, c, d, a, cx->u.w[R4B15], S4_3, T4_15);
- cx->cv[0] += a;
- cx->cv[1] += b;
- cx->cv[2] += c;
- cx->cv[3] += d;
-}
-
-void
-MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
-{
- PRUint32 bytesToConsume;
- PRUint32 inBufIndex = cx->lsbInput & 63;
-
- /* Add the number of input bytes to the 64-bit input counter. */
- addto64(cx->msbInput, cx->lsbInput, inputLen);
- if (inBufIndex) {
- /* There is already data in the buffer. Fill with input. */
- bytesToConsume = PR_MIN(inputLen, MD5_BUFFER_SIZE - inBufIndex);
- memcpy(&cx->inBuf[inBufIndex], input, bytesToConsume);
- if (inBufIndex + bytesToConsume >= MD5_BUFFER_SIZE)
- /* The buffer is filled. Run the compression function. */
- md5_compress(cx);
- /* Remaining input. */
- inputLen -= bytesToConsume;
- input += bytesToConsume;
- }
-
- /* Iterate over 64-byte chunks of the message. */
- while (inputLen >= MD5_BUFFER_SIZE) {
- memcpy(cx->inBuf, input, MD5_BUFFER_SIZE);
- md5_compress(cx);
- inputLen -= MD5_BUFFER_SIZE;
- input += MD5_BUFFER_SIZE;
- }
-
- /* Tail of message (message bytes mod 64). */
- if (inputLen)
- memcpy(cx->inBuf, input, inputLen);
-}
-
-static const unsigned char padbytes[] = {
- 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-void
-MD5_End(MD5Context *cx, unsigned char *digest,
- unsigned int *digestLen, unsigned int maxDigestLen)
-{
- PRUint32 tmp;
- PRUint32 lowInput, highInput;
- PRUint32 inBufIndex = cx->lsbInput & 63;
-
- if (maxDigestLen < MD5_HASH_LEN) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return;
- }
-
- /* Copy out the length of bits input before padding. */
- lowInput = cx->lsbInput;
- highInput = (cx->msbInput << 3) | (lowInput >> 29);
- lowInput <<= 3;
-
- if (inBufIndex < MD5_END_BUFFER) {
- MD5_Update(cx, padbytes, MD5_END_BUFFER - inBufIndex);
- } else {
- MD5_Update(cx, padbytes,
- MD5_END_BUFFER + MD5_BUFFER_SIZE - inBufIndex);
- }
-
- /* Store the number of bytes input (before padding) in final 64 bits. */
- cx->u.w[14] = lendian(lowInput);
- cx->u.w[15] = lendian(highInput);
-
- /* Final call to compress. */
- md5_compress(cx);
-
- /* Copy the resulting values out of the chain variables into return buf. */
- *digestLen = MD5_HASH_LEN;
-#ifndef IS_LITTLE_ENDIAN
- cx->cv[0] = lendian(cx->cv[0]);
- cx->cv[1] = lendian(cx->cv[1]);
- cx->cv[2] = lendian(cx->cv[2]);
- cx->cv[3] = lendian(cx->cv[3]);
-#endif
- memcpy(digest, cx->cv, MD5_HASH_LEN);
-}
-
-unsigned int
-MD5_FlattenSize(MD5Context *cx)
-{
- return sizeof(*cx);
-}
-
-SECStatus
-MD5_Flatten(MD5Context *cx, unsigned char *space)
-{
- memcpy(space, cx, sizeof(*cx));
- return SECSuccess;
-}
-
-MD5Context *
-MD5_Resurrect(unsigned char *space, void *arg)
-{
- MD5Context *cx = MD5_NewContext();
- if (cx)
- memcpy(cx, space, sizeof(*cx));
- return cx;
-}
-
-void
-MD5_TraceState(MD5Context *cx)
-{
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-}
diff --git a/security/nss/lib/freebl/sha.c b/security/nss/lib/freebl/sha.c
deleted file mode 100644
index c8480c72c..000000000
--- a/security/nss/lib/freebl/sha.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is SHA 180-1 Reference Implementation (Compact version)
- *
- * The Initial Developer of the Original Code is Paul Kocher of
- * Cryptography Research. Portions created by Paul Kocher are
- * Copyright (C) 1995-9 by Cryptography Research, Inc. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Paul Kocher
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "sha.h"
-
-static void shaHashBlock(SHA_CTX *ctx);
-
-void shaInit(SHA_CTX *ctx) {
- int i;
-
- ctx->lenW = 0;
- ctx->sizeHi = ctx->sizeLo = 0;
-
- /* Initialize H with the magic constants (see FIPS180 for constants)
- */
- ctx->H[0] = 0x67452301L;
- ctx->H[1] = 0xefcdab89L;
- ctx->H[2] = 0x98badcfeL;
- ctx->H[3] = 0x10325476L;
- ctx->H[4] = 0xc3d2e1f0L;
-
- for (i = 0; i < 80; i++)
- ctx->W[i] = 0;
-}
-
-
-void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len) {
- int i;
-
- /* Read the data into W and process blocks as they get full
- */
- for (i = 0; i < len; i++) {
- ctx->W[ctx->lenW / 4] <<= 8;
- ctx->W[ctx->lenW / 4] |= (unsigned long)dataIn[i];
- if ((++ctx->lenW) % 64 == 0) {
- shaHashBlock(ctx);
- ctx->lenW = 0;
- }
- ctx->sizeLo += 8;
- ctx->sizeHi += (ctx->sizeLo < 8);
- }
-}
-
-
-void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]) {
- unsigned char pad0x80 = 0x80;
- unsigned char pad0x00 = 0x00;
- unsigned char padlen[8];
- int i;
-
- /* Pad with a binary 1 (e.g. 0x80), then zeroes, then length
- */
- padlen[0] = (unsigned char)((ctx->sizeHi >> 24) & 255);
- padlen[1] = (unsigned char)((ctx->sizeHi >> 16) & 255);
- padlen[2] = (unsigned char)((ctx->sizeHi >> 8) & 255);
- padlen[3] = (unsigned char)((ctx->sizeHi >> 0) & 255);
- padlen[4] = (unsigned char)((ctx->sizeLo >> 24) & 255);
- padlen[5] = (unsigned char)((ctx->sizeLo >> 16) & 255);
- padlen[6] = (unsigned char)((ctx->sizeLo >> 8) & 255);
- padlen[7] = (unsigned char)((ctx->sizeLo >> 0) & 255);
- shaUpdate(ctx, &pad0x80, 1);
- while (ctx->lenW != 56)
- shaUpdate(ctx, &pad0x00, 1);
- shaUpdate(ctx, padlen, 8);
-
- /* Output hash
- */
- for (i = 0; i < 20; i++) {
- hashout[i] = (unsigned char)(ctx->H[i / 4] >> 24);
- ctx->H[i / 4] <<= 8;
- }
-
- /*
- * Re-initialize the context (also zeroizes contents)
- */
- shaInit(ctx);
-}
-
-
-void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]) {
- SHA_CTX ctx;
-
- shaInit(&ctx);
- shaUpdate(&ctx, dataIn, len);
- shaFinal(&ctx, hashout);
-}
-
-
-#define SHA_ROTL(X,n) (((X) << (n)) | ((X) >> (32-(n))))
-
-static void shaHashBlock(SHA_CTX *ctx) {
- int t;
- unsigned long A,B,C,D,E,TEMP;
-
- for (t = 16; t <= 79; t++)
- ctx->W[t] =
- SHA_ROTL(ctx->W[t-3] ^ ctx->W[t-8] ^ ctx->W[t-14] ^ ctx->W[t-16], 1);
-
- A = ctx->H[0];
- B = ctx->H[1];
- C = ctx->H[2];
- D = ctx->H[3];
- E = ctx->H[4];
-
- for (t = 0; t <= 19; t++) {
- TEMP = SHA_ROTL(A,5) + (((C^D)&B)^D) + E + ctx->W[t] + 0x5a827999L;
- E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
- }
- for (t = 20; t <= 39; t++) {
- TEMP = SHA_ROTL(A,5) + (B^C^D) + E + ctx->W[t] + 0x6ed9eba1L;
- E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
- }
- for (t = 40; t <= 59; t++) {
- TEMP = SHA_ROTL(A,5) + ((B&C)|(D&(B|C))) + E + ctx->W[t] + 0x8f1bbcdcL;
- E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
- }
- for (t = 60; t <= 79; t++) {
- TEMP = SHA_ROTL(A,5) + (B^C^D) + E + ctx->W[t] + 0xca62c1d6L;
- E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
- }
-
- ctx->H[0] += A;
- ctx->H[1] += B;
- ctx->H[2] += C;
- ctx->H[3] += D;
- ctx->H[4] += E;
-}
-
diff --git a/security/nss/lib/freebl/sha.h b/security/nss/lib/freebl/sha.h
deleted file mode 100644
index 0522a00b2..000000000
--- a/security/nss/lib/freebl/sha.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is SHA 180-1 Header File
- *
- * The Initial Developer of the Original Code is Paul Kocher of
- * Cryptography Research. Portions created by Paul Kocher are
- * Copyright (C) 1995-9 by Cryptography Research, Inc. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Paul Kocher
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-typedef struct {
- unsigned long H[5];
- unsigned long W[80];
- int lenW;
- unsigned long sizeHi,sizeLo;
-} SHA_CTX;
-
-
-void shaInit(SHA_CTX *ctx);
-void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len);
-void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]);
-void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]);
-
diff --git a/security/nss/lib/freebl/sha_fast.c b/security/nss/lib/freebl/sha_fast.c
deleted file mode 100644
index 58e32b4d8..000000000
--- a/security/nss/lib/freebl/sha_fast.c
+++ /dev/null
@@ -1,433 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is SHA 180-1 Reference Implementation (Optimized)
- *
- * The Initial Developer of the Original Code is Paul Kocher of
- * Cryptography Research. Portions created by Paul Kocher are
- * Copyright (C) 1995-9 by Cryptography Research, Inc. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Paul Kocher
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include <memory.h>
-#include "blapi.h"
-
-#ifdef TRACING_SSL
-#include "ssl.h"
-#include "ssltrace.h"
-#endif
-
-struct SHA1ContextStr {
- union {
- PRUint32 w[80]; /* input buffer, plus 64 words */
- PRUint8 b[320];
- } u;
- PRUint32 H[5]; /* 5 state variables */
- PRUint32 sizeHi,sizeLo; /* 64-bit count of hashed bytes. */
-};
-#define W u.w
-#define B u.b
-
-static void shaCompress(SHA1Context *ctx);
-
-#define SHA_MASK 0x00FF00FF
-#if defined(IS_LITTLE_ENDIAN)
-#define SHA_HTONL(x) (A = (x), A = A << 16 | A >> 16, \
- (A & SHA_MASK) << 8 | (A >> 8) & SHA_MASK)
-#else
-#define SHA_HTONL(x) (x)
-#endif
-#define SHA_BYTESWAP(x) x = SHA_HTONL(x)
-
-#define SHA_ROTL(X,n) (((X) << (n)) | ((X) >> (32-(n))))
-#define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
-#define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
-#define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
-#define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
-#define SHA_MIX(t) ctx->W[t] = \
- (A = ctx->W[t-3] ^ ctx->W[t-8] ^ ctx->W[t-14] ^ ctx->W[t-16], SHA_ROTL(A, 1))
-
-/*
- * SHA: Zeroize and initialize context
- */
-void
-SHA1_Begin(SHA1Context *ctx)
-{
- memset(ctx, 0, sizeof(SHA1Context));
-
- /*
- * Initialize H with constants from FIPS180-1.
- */
- ctx->H[0] = 0x67452301L;
- ctx->H[1] = 0xefcdab89L;
- ctx->H[2] = 0x98badcfeL;
- ctx->H[3] = 0x10325476L;
- ctx->H[4] = 0xc3d2e1f0L;
-
-}
-
-
-/*
- * SHA: Add data to context.
- */
-void
-SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
-{
- register unsigned int lenB = ctx->sizeLo & 63;
- register unsigned int togo;
-
- if (!len)
- return;
-
- /* accumulate the byte count. */
- ctx->sizeLo += len;
- ctx->sizeHi += (ctx->sizeLo < len);
-
- /*
- * Read the data into W and process blocks as they get full
- */
- if (lenB > 0) {
- togo = 64 - lenB;
- if (len < togo)
- togo = len;
- memcpy(ctx->B + lenB, dataIn, togo);
- len -= togo;
- dataIn += togo;
- lenB = (lenB + togo) & 63;
- if (!lenB) {
- shaCompress(ctx);
- }
- }
- while (len >= 64) {
- memcpy(ctx->B, dataIn, 64);
- dataIn += 64;
- len -= 64;
- shaCompress(ctx);
- }
- if (len) {
- memcpy(ctx->B, dataIn, len);
- }
-}
-
-
-/*
- * SHA: Generate hash value from context
- */
-void
-SHA1_End(SHA1Context *ctx, unsigned char *hashout,
- unsigned int *pDigestLen, unsigned int maxDigestLen)
-{
- register PRUint32 sizeHi, sizeLo, lenB;
- static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
- 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
- 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
-#define A lenB
-
- PORT_Assert (maxDigestLen >= SHA1_LENGTH);
-
- /*
- * Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
- */
- sizeHi = ctx->sizeHi;
- sizeLo = ctx->sizeLo;
- lenB = sizeLo & 63;
- SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
- PORT_Assert((ctx->sizeLo & 63) == 56);
-
- /* Convert size{Hi,Lo} from bytes to bits. */
- sizeHi = (sizeHi << 3) | (sizeLo >> 29);
- sizeLo <<= 3;
-
- ctx->W[14] = SHA_HTONL(sizeHi);
- ctx->W[15] = SHA_HTONL(sizeLo);
- shaCompress(ctx);
-
- /*
- * Output hash
- */
-#if defined(IS_LITTLE_ENDIAN)
- SHA_BYTESWAP(ctx->H[0]);
- SHA_BYTESWAP(ctx->H[1]);
- SHA_BYTESWAP(ctx->H[2]);
- SHA_BYTESWAP(ctx->H[3]);
- SHA_BYTESWAP(ctx->H[4]);
-#endif
- memcpy(hashout, ctx->H, SHA1_LENGTH);
- *pDigestLen = SHA1_LENGTH;
-
- /*
- * Re-initialize the context (also zeroizes contents)
- */
- SHA1_Begin(ctx);
-}
-
-#undef A
-#undef B
-/*
- * SHA: Compression function, unrolled.
- */
-static void
-shaCompress(SHA1Context *ctx)
-{
- register PRUint32 A, B, C, D, E;
-
-#if defined(IS_LITTLE_ENDIAN)
- SHA_BYTESWAP(ctx->W[0]);
- SHA_BYTESWAP(ctx->W[1]);
- SHA_BYTESWAP(ctx->W[2]);
- SHA_BYTESWAP(ctx->W[3]);
- SHA_BYTESWAP(ctx->W[4]);
- SHA_BYTESWAP(ctx->W[5]);
- SHA_BYTESWAP(ctx->W[6]);
- SHA_BYTESWAP(ctx->W[7]);
- SHA_BYTESWAP(ctx->W[8]);
- SHA_BYTESWAP(ctx->W[9]);
- SHA_BYTESWAP(ctx->W[10]);
- SHA_BYTESWAP(ctx->W[11]);
- SHA_BYTESWAP(ctx->W[12]);
- SHA_BYTESWAP(ctx->W[13]);
- SHA_BYTESWAP(ctx->W[14]);
- SHA_BYTESWAP(ctx->W[15]);
-#endif
-
- /*
- * This can be moved into the main code block below, but doing
- * so can cause some compilers to run out of registers and resort
- * to storing intermediates in RAM.
- */
-
- SHA_MIX(16); SHA_MIX(17); SHA_MIX(18); SHA_MIX(19);
- SHA_MIX(20); SHA_MIX(21); SHA_MIX(22); SHA_MIX(23); SHA_MIX(24);
- SHA_MIX(25); SHA_MIX(26); SHA_MIX(27); SHA_MIX(28); SHA_MIX(29);
- SHA_MIX(30); SHA_MIX(31); SHA_MIX(32); SHA_MIX(33); SHA_MIX(34);
- SHA_MIX(35); SHA_MIX(36); SHA_MIX(37); SHA_MIX(38); SHA_MIX(39);
- SHA_MIX(40); SHA_MIX(41); SHA_MIX(42); SHA_MIX(43); SHA_MIX(44);
- SHA_MIX(45); SHA_MIX(46); SHA_MIX(47); SHA_MIX(48); SHA_MIX(49);
- SHA_MIX(50); SHA_MIX(51); SHA_MIX(52); SHA_MIX(53); SHA_MIX(54);
- SHA_MIX(55); SHA_MIX(56); SHA_MIX(57); SHA_MIX(58); SHA_MIX(59);
- SHA_MIX(60); SHA_MIX(61); SHA_MIX(62); SHA_MIX(63); SHA_MIX(64);
- SHA_MIX(65); SHA_MIX(66); SHA_MIX(67); SHA_MIX(68); SHA_MIX(69);
- SHA_MIX(70); SHA_MIX(71); SHA_MIX(72); SHA_MIX(73); SHA_MIX(74);
- SHA_MIX(75); SHA_MIX(76); SHA_MIX(77); SHA_MIX(78); SHA_MIX(79);
-
- A = ctx->H[0];
- B = ctx->H[1];
- C = ctx->H[2];
- D = ctx->H[3];
- E = ctx->H[4];
-
- E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[ 0]+0x5a827999L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[ 1]+0x5a827999L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[ 2]+0x5a827999L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[ 3]+0x5a827999L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[ 4]+0x5a827999L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[ 5]+0x5a827999L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[ 6]+0x5a827999L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[ 7]+0x5a827999L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[ 8]+0x5a827999L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[ 9]+0x5a827999L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[10]+0x5a827999L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[11]+0x5a827999L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[12]+0x5a827999L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[13]+0x5a827999L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[14]+0x5a827999L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[15]+0x5a827999L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[16]+0x5a827999L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[17]+0x5a827999L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[18]+0x5a827999L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[19]+0x5a827999L; C=SHA_ROTL(C,30);
-
- E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[20]+0x6ed9eba1L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[21]+0x6ed9eba1L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[22]+0x6ed9eba1L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[23]+0x6ed9eba1L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[24]+0x6ed9eba1L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[25]+0x6ed9eba1L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[26]+0x6ed9eba1L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[27]+0x6ed9eba1L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[28]+0x6ed9eba1L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[29]+0x6ed9eba1L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[30]+0x6ed9eba1L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[31]+0x6ed9eba1L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[32]+0x6ed9eba1L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[33]+0x6ed9eba1L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[34]+0x6ed9eba1L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[35]+0x6ed9eba1L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[36]+0x6ed9eba1L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[37]+0x6ed9eba1L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[38]+0x6ed9eba1L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[39]+0x6ed9eba1L; C=SHA_ROTL(C,30);
-
- E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[40]+0x8f1bbcdcL; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[41]+0x8f1bbcdcL; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[42]+0x8f1bbcdcL; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[43]+0x8f1bbcdcL; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[44]+0x8f1bbcdcL; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[45]+0x8f1bbcdcL; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[46]+0x8f1bbcdcL; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[47]+0x8f1bbcdcL; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[48]+0x8f1bbcdcL; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[49]+0x8f1bbcdcL; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[50]+0x8f1bbcdcL; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[51]+0x8f1bbcdcL; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[52]+0x8f1bbcdcL; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[53]+0x8f1bbcdcL; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[54]+0x8f1bbcdcL; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[55]+0x8f1bbcdcL; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[56]+0x8f1bbcdcL; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[57]+0x8f1bbcdcL; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[58]+0x8f1bbcdcL; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[59]+0x8f1bbcdcL; C=SHA_ROTL(C,30);
-
- E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[60]+0xca62c1d6L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[61]+0xca62c1d6L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[62]+0xca62c1d6L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[63]+0xca62c1d6L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[64]+0xca62c1d6L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[65]+0xca62c1d6L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[66]+0xca62c1d6L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[67]+0xca62c1d6L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[68]+0xca62c1d6L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[69]+0xca62c1d6L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[70]+0xca62c1d6L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[71]+0xca62c1d6L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[72]+0xca62c1d6L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[73]+0xca62c1d6L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[74]+0xca62c1d6L; C=SHA_ROTL(C,30);
- E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[75]+0xca62c1d6L; B=SHA_ROTL(B,30);
- D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[76]+0xca62c1d6L; A=SHA_ROTL(A,30);
- C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[77]+0xca62c1d6L; E=SHA_ROTL(E,30);
- B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[78]+0xca62c1d6L; D=SHA_ROTL(D,30);
- A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[79]+0xca62c1d6L; C=SHA_ROTL(C,30);
-
- ctx->H[0] += A;
- ctx->H[1] += B;
- ctx->H[2] += C;
- ctx->H[3] += D;
- ctx->H[4] += E;
-}
-
-/*************************************************************************
-** Code below this line added to make SHA code support BLAPI interface
-*/
-
-SHA1Context *
-SHA1_NewContext(void)
-{
- SHA1Context *cx;
-
- cx = PORT_ZNew(SHA1Context);
- return cx;
-}
-
-void
-SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
-{
- if (freeit) {
- PORT_ZFree(cx, sizeof(SHA1Context));
- }
-}
-
-SECStatus
-SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
- SHA1Context ctx;
- unsigned int outLen;
-
- SHA1_Begin(&ctx);
- SHA1_Update(&ctx, src, src_length);
- SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
-
- return SECSuccess;
-}
-
-/* Hash a null-terminated character string. */
-SECStatus
-SHA1_Hash(unsigned char *dest, const char *src)
-{
- return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
-}
-
-/*
- * need to support save/restore state in pkcs11. Stores all the info necessary
- * for a structure into just a stream of bytes.
- */
-unsigned int
-SHA1_FlattenSize(SHA1Context *cx)
-{
- return sizeof(SHA1Context);
-}
-
-SECStatus
-SHA1_Flatten(SHA1Context *cx,unsigned char *space)
-{
- PORT_Memcpy(space,cx, sizeof(SHA1Context));
- return SECSuccess;
-}
-
-SHA1Context *
-SHA1_Resurrect(unsigned char *space,void *arg)
-{
- SHA1Context *cx = SHA1_NewContext();
- if (cx == NULL) return NULL;
-
- PORT_Memcpy(cx,space, sizeof(SHA1Context));
- return cx;
-}
-
-#ifdef TRACING_SSL
-void
-SHA1_TraceState(SHA1Context *ctx)
-{
- uint32 W;
- int i;
- int len;
- int fixWord = -1;
- int remainder; /* bytes in last word */
- unsigned char buf[64 * 4];
-
- SSL_TRC(99, ("%d: SSL: SHA1 state: %08x %08x %08x %08x %08x", SSL_GETPID(),
- ctx->H[0], ctx->H[1], ctx->H[2], ctx->H[3], ctx->H[4]));
-
- len = (int)(ctx->sizeLo & 63);
- remainder = len % 4;
- if (remainder)
- fixWord = len - remainder;
- for (i = 0; i < len; i++) {
- if (0 == (i % 4)) {
- W = ctx->W[i / 4];
- if (i == fixWord) {
- W <<= 8 * (4 - remainder);
- }
- }
- buf[i] = (unsigned char)(W >> 24);
- W <<= 8;
- }
-
- PRINT_BUF(99, (0, "SHA1_TraceState: buffered input", buf, len));
-
-}
-#endif
diff --git a/security/nss/lib/jar/Makefile b/security/nss/lib/jar/Makefile
deleted file mode 100644
index 063e5daf7..000000000
--- a/security/nss/lib/jar/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
diff --git a/security/nss/lib/jar/config.mk b/security/nss/lib/jar/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/jar/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/jar/jar-ds.c b/security/nss/lib/jar/jar-ds.c
deleted file mode 100644
index f5a40cad5..000000000
--- a/security/nss/lib/jar/jar-ds.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "jar.h"
-
-/* These are old DS_* routines renamed to ZZ_* */
-
-ZZList *ZZ_NewList()
- {
- ZZList *list;
-
- list = (ZZList *) PORT_ZAlloc (sizeof (ZZList));
-
- if (list)
- ZZ_InitList (list);
-
- return list;
- }
-
-ZZLink *ZZ_NewLink (JAR_Item *thing)
- {
- ZZLink *link;
-
- link = (ZZLink *) PORT_ZAlloc (sizeof (ZZLink));
-
- if (link)
- link->thing = thing;
-
- return link;
- }
-
-void ZZ_DestroyLink (ZZLink *link)
- {
- PORT_Free (link);
- }
-
-void ZZ_DestroyList (ZZList *list)
- {
- PORT_Free (list);
- }
diff --git a/security/nss/lib/jar/jar-ds.h b/security/nss/lib/jar/jar-ds.h
deleted file mode 100644
index 36716d97c..000000000
--- a/security/nss/lib/jar/jar-ds.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef __JAR_DS_h_
-#define __JAR_DS_h_
-
-/* Typedefs */
-typedef struct ZZLinkStr ZZLink;
-typedef struct ZZListStr ZZList;
-
-/*
-** Circular linked list. Each link contains a pointer to the object that
-** is actually in the list.
-*/
-struct ZZLinkStr
-{
- ZZLink *next;
- ZZLink *prev;
- JAR_Item *thing;
-};
-
-struct ZZListStr
-{
- ZZLink link;
-};
-
-#define ZZ_InitList(lst) \
-{ \
- (lst)->link.next = &(lst)->link; \
- (lst)->link.prev = &(lst)->link; \
- (lst)->link.thing = 0; \
-}
-
-#define ZZ_ListEmpty(lst) \
- ((lst)->link.next == &(lst)->link)
-
-#define ZZ_ListHead(lst) \
- ((lst)->link.next)
-
-#define ZZ_ListTail(lst) \
- ((lst)->link.prev)
-
-#define ZZ_ListIterDone(lst,lnk) \
- ((lnk) == &(lst)->link)
-
-#define ZZ_AppendLink(lst,lnk) \
-{ \
- (lnk)->next = &(lst)->link; \
- (lnk)->prev = (lst)->link.prev; \
- (lst)->link.prev->next = (lnk); \
- (lst)->link.prev = (lnk); \
-}
-
-#define ZZ_InsertLink(lst,lnk) \
-{ \
- (lnk)->next = (lst)->link.next; \
- (lnk)->prev = &(lst)->link; \
- (lst)->link.next->prev = (lnk); \
- (lst)->link.next = (lnk); \
-}
-
-#define ZZ_RemoveLink(lnk) \
-{ \
- (lnk)->next->prev = (lnk)->prev; \
- (lnk)->prev->next = (lnk)->next; \
- (lnk)->next = 0; \
- (lnk)->prev = 0; \
-}
-
-extern ZZLink *ZZ_NewLink (JAR_Item *thing);
-extern void ZZ_DestroyLink (ZZLink *link);
-extern ZZList *ZZ_NewList (void);
-extern void ZZ_DestroyList (ZZList *list);
-
-
-#endif /* __JAR_DS_h_ */
diff --git a/security/nss/lib/jar/jar.c b/security/nss/lib/jar/jar.c
deleted file mode 100644
index 99ba4ca0b..000000000
--- a/security/nss/lib/jar/jar.c
+++ /dev/null
@@ -1,833 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JAR.C
- *
- * Jarnature.
- * Routines common to signing and validating.
- *
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-static void jar_destroy_list (ZZList *list);
-
-static int jar_find_first_cert
- (JAR_Signer *signer, int type, JAR_Item **it);
-
-/*
- * J A R _ n e w
- *
- * Create a new instantiation of a manifest representation.
- * Use this as a token to any calls to this API.
- *
- */
-
-JAR *JAR_new (void)
- {
- JAR *jar;
-
- if ((jar = (JAR*)PORT_ZAlloc (sizeof (JAR))) == NULL)
- goto loser;
-
- if ((jar->manifest = ZZ_NewList()) == NULL)
- goto loser;
-
- if ((jar->hashes = ZZ_NewList()) == NULL)
- goto loser;
-
- if ((jar->phy = ZZ_NewList()) == NULL)
- goto loser;
-
- if ((jar->metainfo = ZZ_NewList()) == NULL)
- goto loser;
-
- if ((jar->signers = ZZ_NewList()) == NULL)
- goto loser;
-
- return jar;
-
-loser:
-
- if (jar)
- {
- if (jar->manifest)
- ZZ_DestroyList (jar->manifest);
-
- if (jar->hashes)
- ZZ_DestroyList (jar->hashes);
-
- if (jar->phy)
- ZZ_DestroyList (jar->phy);
-
- if (jar->metainfo)
- ZZ_DestroyList (jar->metainfo);
-
- if (jar->signers)
- ZZ_DestroyList (jar->signers);
-
- PORT_Free (jar);
- }
-
- return NULL;
- }
-
-/*
- * J A R _ d e s t r o y
- *
- * Godzilla.
- *
- */
-
-void PR_CALLBACK JAR_destroy (JAR *jar)
- {
- JAR *z;
-
- PORT_Assert( jar != NULL );
-
- if (jar == NULL)
- return;
-
- if (jar->fp) JAR_FCLOSE ((PRFileDesc*)jar->fp);
-
- if (jar->url) PORT_Free (jar->url);
- if (jar->filename) PORT_Free (jar->filename);
-
- /* Free the linked list elements */
-
- jar_destroy_list (jar->manifest);
- ZZ_DestroyList (jar->manifest);
-
- jar_destroy_list (jar->hashes);
- ZZ_DestroyList (jar->hashes);
-
- jar_destroy_list (jar->phy);
- ZZ_DestroyList (jar->phy);
-
- jar_destroy_list (jar->metainfo);
- ZZ_DestroyList (jar->metainfo);
-
- jar_destroy_list (jar->signers);
- ZZ_DestroyList (jar->signers);
-
- PORT_Free (jar);
- }
-
-static void jar_destroy_list (ZZList *list)
- {
- ZZLink *link, *oldlink;
-
- JAR_Item *it;
-
- JAR_Physical *phy;
- JAR_Digest *dig;
- JAR_Cert *fing;
- JAR_Metainfo *met;
- JAR_Signer *signer;
-
- if (list && !ZZ_ListEmpty (list))
- {
- link = ZZ_ListHead (list);
-
- while (!ZZ_ListIterDone (list, link))
- {
- it = link->thing;
- if (!it) goto next;
-
- if (it->pathname) PORT_Free (it->pathname);
-
- switch (it->type)
- {
- case jarTypeMeta:
-
- met = (JAR_Metainfo *) it->data;
- if (met)
- {
- if (met->header) PORT_Free (met->header);
- if (met->info) PORT_Free (met->info);
- PORT_Free (met);
- }
- break;
-
- case jarTypePhy:
-
- phy = (JAR_Physical *) it->data;
- if (phy)
- PORT_Free (phy);
- break;
-
- case jarTypeSign:
-
- fing = (JAR_Cert *) it->data;
- if (fing)
- {
- if (fing->cert)
- CERT_DestroyCertificate (fing->cert);
- if (fing->key)
- PORT_Free (fing->key);
- PORT_Free (fing);
- }
- break;
-
- case jarTypeSect:
- case jarTypeMF:
- case jarTypeSF:
-
- dig = (JAR_Digest *) it->data;
- if (dig)
- {
- PORT_Free (dig);
- }
- break;
-
- case jarTypeOwner:
-
- signer = (JAR_Signer *) it->data;
-
- if (signer)
- JAR_destroy_signer (signer);
-
- break;
-
- default:
-
- /* PORT_Assert( 1 != 2 ); */
- break;
- }
-
- PORT_Free (it);
-
- next:
-
- oldlink = link;
- link = link->next;
-
- ZZ_DestroyLink (oldlink);
- }
- }
- }
-
-/*
- * J A R _ g e t _ m e t a i n f o
- *
- * Retrieve meta information from the manifest file.
- * It doesn't matter whether it's from .MF or .SF, does it?
- *
- */
-
-int JAR_get_metainfo
- (JAR *jar, char *name, char *header, void **info, unsigned long *length)
- {
- JAR_Item *it;
-
- ZZLink *link;
- ZZList *list;
-
- JAR_Metainfo *met;
-
- PORT_Assert( jar != NULL && header != NULL );
-
- if (jar == NULL || header == NULL)
- return JAR_ERR_PNF;
-
- list = jar->metainfo;
-
- if (ZZ_ListEmpty (list))
- return JAR_ERR_PNF;
-
- for (link = ZZ_ListHead (list);
- !ZZ_ListIterDone (list, link);
- link = link->next)
- {
- it = link->thing;
- if (it->type == jarTypeMeta)
- {
- if ((name && !it->pathname) || (!name && it->pathname))
- continue;
-
- if (name && it->pathname && strcmp (it->pathname, name))
- continue;
-
- met = (JAR_Metainfo *) it->data;
-
- if (!PORT_Strcasecmp (met->header, header))
- {
- *info = PORT_Strdup (met->info);
- *length = PORT_Strlen (met->info);
- return 0;
- }
- }
- }
-
- return JAR_ERR_PNF;
- }
-
-/*
- * J A R _ f i n d
- *
- * Establish the search pattern for use
- * by JAR_find_next, to traverse the filenames
- * or certificates in the JAR structure.
- *
- * See jar.h for a description on how to use.
- *
- */
-
-JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type)
- {
- JAR_Context *ctx;
-
- PORT_Assert( jar != NULL );
-
- if (!jar)
- return NULL;
-
- ctx = (JAR_Context *) PORT_ZAlloc (sizeof (JAR_Context));
-
- if (ctx == NULL)
- return NULL;
-
- ctx->jar = jar;
-
- if (pattern)
- {
- if ((ctx->pattern = PORT_Strdup (pattern)) == NULL)
- {
- PORT_Free (ctx);
- return NULL;
- }
- }
-
- ctx->finding = type;
-
- switch (type)
- {
- case jarTypeMF: ctx->next = ZZ_ListHead (jar->hashes);
- break;
-
- case jarTypeSF:
- case jarTypeSign: ctx->next = NULL;
- ctx->nextsign = ZZ_ListHead (jar->signers);
- break;
-
- case jarTypeSect: ctx->next = ZZ_ListHead (jar->manifest);
- break;
-
- case jarTypePhy: ctx->next = ZZ_ListHead (jar->phy);
- break;
-
- case jarTypeOwner: if (jar->signers)
- ctx->next = ZZ_ListHead (jar->signers);
- else
- ctx->next = NULL;
- break;
-
- case jarTypeMeta: ctx->next = ZZ_ListHead (jar->metainfo);
- break;
-
- default: PORT_Assert( 1 != 2);
- break;
- }
-
- return ctx;
- }
-
-/*
- * J A R _ f i n d _ e n d
- *
- * Destroy the find iterator context.
- *
- */
-
-void JAR_find_end (JAR_Context *ctx)
- {
- PORT_Assert( ctx != NULL );
-
- if (ctx)
- {
- if (ctx->pattern)
- PORT_Free (ctx->pattern);
- PORT_Free (ctx);
- }
- }
-
-/*
- * J A R _ f i n d _ n e x t
- *
- * Return the next item of the given type
- * from one of the JAR linked lists.
- *
- */
-
-int JAR_find_next (JAR_Context *ctx, JAR_Item **it)
- {
- JAR *jar;
- ZZList *list;
-
- int finding;
-
- JAR_Signer *signer = NULL;
-
- PORT_Assert( ctx != NULL );
- PORT_Assert( ctx->jar != NULL );
-
- jar = ctx->jar;
-
- /* Internally, convert jarTypeSign to jarTypeSF, and return
- the actual attached certificate later */
-
- finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
-
- if (ctx->nextsign)
- {
- if (ZZ_ListIterDone (jar->signers, ctx->nextsign))
- {
- *it = NULL;
- return -1;
- }
- PORT_Assert (ctx->nextsign->thing != NULL);
- signer = (JAR_Signer*)ctx->nextsign->thing->data;
- }
-
-
- /* Find out which linked list to traverse. Then if
- necessary, advance to the next linked list. */
-
- while (1)
- {
- switch (finding)
- {
- case jarTypeSign: /* not any more */
- PORT_Assert( finding != jarTypeSign );
- list = signer->certs;
- break;
-
- case jarTypeSect: list = jar->manifest;
- break;
-
- case jarTypePhy: list = jar->phy;
- break;
-
- case jarTypeSF: /* signer, not jar */
- PORT_Assert( signer != NULL );
- list = signer->sf;
- break;
-
- case jarTypeMF: list = jar->hashes;
- break;
-
- case jarTypeOwner: list = jar->signers;
- break;
-
- case jarTypeMeta: list = jar->metainfo;
- break;
-
- default: PORT_Assert( 1 != 2 );
- break;
- }
-
- if (list == NULL)
- {
- *it = NULL;
- return -1;
- }
-
- /* When looping over lists of lists, advance
- to the next signer. This is done when multiple
- signers are possible. */
-
- if (ZZ_ListIterDone (list, ctx->next))
- {
- if (ctx->nextsign && jar->signers)
- {
- ctx->nextsign = ctx->nextsign->next;
- if (!ZZ_ListIterDone (jar->signers, ctx->nextsign))
- {
- PORT_Assert (ctx->nextsign->thing != NULL);
-
- signer = (JAR_Signer*)ctx->nextsign->thing->data;
- PORT_Assert( signer != NULL );
-
- ctx->next = NULL;
- continue;
- }
- }
- *it = NULL;
- return -1;
- }
-
- /* if the signer changed, still need to fill
- in the "next" link */
-
- if (ctx->nextsign && ctx->next == NULL)
- {
- switch (finding)
- {
- case jarTypeSF:
-
- ctx->next = ZZ_ListHead (signer->sf);
- break;
-
- case jarTypeSign:
-
- ctx->next = ZZ_ListHead (signer->certs);
- break;
- }
- }
-
- PORT_Assert( ctx->next != NULL );
-
-
- while (!ZZ_ListIterDone (list, ctx->next))
- {
- *it = ctx->next->thing;
- ctx->next = ctx->next->next;
-
- if (!it || !*it || (*it)->type != finding)
- continue;
-
- if (ctx->pattern && *ctx->pattern)
- {
- if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
- continue;
- }
-
- /* We have a valid match. If this is a jarTypeSign
- return the certificate instead.. */
-
- if (ctx->finding == jarTypeSign)
- {
- JAR_Item *itt;
-
- /* just the first one for now */
- if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0)
- {
- *it = itt;
- return 0;
- }
-
- continue;
- }
-
- return 0;
- }
-
- } /* end while */
- }
-
-static int jar_find_first_cert
- (JAR_Signer *signer, int type, JAR_Item **it)
- {
- ZZLink *link;
- ZZList *list;
-
- int status = JAR_ERR_PNF;
-
- list = signer->certs;
-
- *it = NULL;
-
- if (ZZ_ListEmpty (list))
- {
- /* empty list */
- return JAR_ERR_PNF;
- }
-
- for (link = ZZ_ListHead (list);
- !ZZ_ListIterDone (list, link);
- link = link->next)
- {
- if (link->thing->type == type)
- {
- *it = link->thing;
- status = 0;
- break;
- }
- }
-
- return status;
- }
-
-JAR_Signer *JAR_new_signer (void)
- {
- JAR_Signer *signer;
-
- signer = (JAR_Signer *) PORT_ZAlloc (sizeof (JAR_Signer));
-
- if (signer == NULL)
- goto loser;
-
-
- /* certs */
- signer->certs = ZZ_NewList();
-
- if (signer->certs == NULL)
- goto loser;
-
-
- /* sf */
- signer->sf = ZZ_NewList();
-
- if (signer->sf == NULL)
- goto loser;
-
-
- return signer;
-
-
-loser:
-
- if (signer)
- {
- if (signer->certs)
- ZZ_DestroyList (signer->certs);
-
- if (signer->sf)
- ZZ_DestroyList (signer->sf);
-
- PORT_Free (signer);
- }
-
- return NULL;
- }
-
-void JAR_destroy_signer (JAR_Signer *signer)
- {
- if (signer)
- {
- if (signer->owner) PORT_Free (signer->owner);
- if (signer->digest) PORT_Free (signer->digest);
-
- jar_destroy_list (signer->sf);
- ZZ_DestroyList (signer->sf);
-
- jar_destroy_list (signer->certs);
- ZZ_DestroyList (signer->certs);
-
- PORT_Free (signer);
- }
- }
-
-JAR_Signer *jar_get_signer (JAR *jar, char *basename)
- {
- JAR_Item *it;
- JAR_Context *ctx;
-
- JAR_Signer *candidate;
- JAR_Signer *signer = NULL;
-
- ctx = JAR_find (jar, NULL, jarTypeOwner);
-
- if (ctx == NULL)
- return NULL;
-
- while (JAR_find_next (ctx, &it) >= 0)
- {
- candidate = (JAR_Signer *) it->data;
- if (*basename == '*' || !PORT_Strcmp (candidate->owner, basename))
- {
- signer = candidate;
- break;
- }
- }
-
- JAR_find_end (ctx);
-
- return signer;
- }
-
-/*
- * J A R _ g e t _ f i l e n a m e
- *
- * Returns the filename associated with
- * a JAR structure.
- *
- */
-
-char *JAR_get_filename (JAR *jar)
- {
- return jar->filename;
- }
-
-/*
- * J A R _ g e t _ u r l
- *
- * Returns the URL associated with
- * a JAR structure. Nobody really uses this now.
- *
- */
-
-char *JAR_get_url (JAR *jar)
- {
- return jar->url;
- }
-
-/*
- * J A R _ s e t _ c a l l b a c k
- *
- * Register some manner of callback function for this jar.
- *
- */
-
-int JAR_set_callback (int type, JAR *jar,
- int (*fn) (int status, JAR *jar,
- const char *metafile, char *pathname, char *errortext))
- {
- if (type == JAR_CB_SIGNAL)
- {
- jar->signal = fn;
- return 0;
- }
- else
- return -1;
- }
-
-/*
- * Callbacks
- *
- */
-
-/* To return an error string */
-char *(*jar_fn_GetString) (int) = NULL;
-
-/* To return an MWContext for Java */
-void *(*jar_fn_FindSomeContext) (void) = NULL;
-
-/* To fabricate an MWContext for FE_GetPassword */
-void *(*jar_fn_GetInitContext) (void) = NULL;
-
-void
-JAR_init_callbacks
- (
- char *(*string_cb)(int),
- void *(*find_cx)(void),
- void *(*init_cx)(void)
- )
- {
- jar_fn_GetString = string_cb;
- jar_fn_FindSomeContext = find_cx;
- jar_fn_GetInitContext = init_cx;
- }
-
-/*
- * J A R _ g e t _ e r r o r
- *
- * This is provided to map internal JAR errors to strings for
- * the Java console. Also, a DLL may call this function if it does
- * not have access to the XP_GetString function.
- *
- * These strings aren't UI, since they are Java console only.
- *
- */
-
-char *JAR_get_error (int status)
- {
- char *errstring = NULL;
-
- switch (status)
- {
- case JAR_ERR_GENERAL:
- errstring = "General JAR file error";
- break;
-
- case JAR_ERR_FNF:
- errstring = "JAR file not found";
- break;
-
- case JAR_ERR_CORRUPT:
- errstring = "Corrupt JAR file";
- break;
-
- case JAR_ERR_MEMORY:
- errstring = "Out of memory";
- break;
-
- case JAR_ERR_DISK:
- errstring = "Disk error (perhaps out of space)";
- break;
-
- case JAR_ERR_ORDER:
- errstring = "Inconsistent files in META-INF directory";
- break;
-
- case JAR_ERR_SIG:
- errstring = "Invalid digital signature file";
- break;
-
- case JAR_ERR_METADATA:
- errstring = "JAR metadata failed verification";
- break;
-
- case JAR_ERR_ENTRY:
- errstring = "No Manifest entry for this JAR entry";
- break;
-
- case JAR_ERR_HASH:
- errstring = "Invalid Hash of this JAR entry";
- break;
-
- case JAR_ERR_PK7:
- errstring = "Strange PKCS7 or RSA failure";
- break;
-
- case JAR_ERR_PNF:
- errstring = "Path not found inside JAR file";
- break;
-
- default:
- if (jar_fn_GetString)
- {
- errstring = jar_fn_GetString (status);
- }
- else
- {
- /* this is not a normal situation, and would only be
- called in cases of improper initialization */
-
- char *err;
-
- err = (char*)PORT_Alloc (40);
- if (err)
- PR_snprintf (err, 39, "Error %d\n", status);
- else
- err = "Error! Bad! Out of memory!";
-
- return err;
- }
- break;
- }
-
- return errstring;
- }
diff --git a/security/nss/lib/jar/jar.h b/security/nss/lib/jar/jar.h
deleted file mode 100644
index 1b21e6292..000000000
--- a/security/nss/lib/jar/jar.h
+++ /dev/null
@@ -1,477 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef __JAR_h_
-#define __JAR_h_
-
-/*
- * In general, any functions that return pointers
- * have memory owned by the caller.
- *
- */
-
-/* security includes */
-#include "cert.h"
-
-/* nspr 2.0 includes */
-#include "prio.h"
-
-#ifndef ZHUGEP
-#ifdef XP_WIN16
-#define ZHUGEP __huge
-#else
-#define ZHUGEP
-#endif
-#endif
-
-#include "stdio.h"
-
-/* various types */
-
-typedef enum
- {
- jarTypeMF = 2,
- jarTypeSF = 3,
- jarTypeMeta = 6,
- jarTypePhy = 7,
- jarTypeSign = 10,
- jarTypeSect = 11,
- jarTypeOwner = 13
- }
-jarType;
-
-/* void data in ZZList's contain JAR_Item type */
-
-typedef struct JAR_Item_
- {
- char *pathname; /* relative. inside zip file */
- jarType type; /* various types */
- size_t size; /* size of data below */
- void *data; /* totally opaque */
- }
-JAR_Item;
-
-
-/* hashes */
-
-typedef enum
- {
- jarHashNone = 0,
- jarHashBad = 1,
- jarHashPresent = 2
- }
-jarHash;
-
-typedef struct JAR_Digest_
- {
- jarHash md5_status;
- unsigned char md5 [MD5_LENGTH];
- jarHash sha1_status;
- unsigned char sha1 [SHA1_LENGTH];
- }
-JAR_Digest;
-
-
-/* physical archive formats */
-
-typedef enum
- {
- jarArchGuess = 0,
- jarArchNone = 1,
- jarArchZip = 2,
- jarArchTar = 3
- }
-jarArch;
-
-
-#include "jar-ds.h"
-
-/* jar object */
-
-typedef struct JAR_
- {
- jarArch format; /* physical archive format */
- char *url; /* Where it came from */
- char *filename; /* Disk location */
- FILE *fp; /* For multiple extractions */ /* JAR_FILE */
-
- /* various linked lists */
-
- ZZList *manifest; /* Digests of MF sections */
- ZZList *hashes; /* Digests of actual signed files */
- ZZList *phy; /* Physical layout of JAR file */
- ZZList *metainfo; /* Global metainfo */
-
- JAR_Digest *globalmeta; /* digest of .MF global portion */
-
- /* Below will change to a linked list to support multiple sigs */
-
- int pkcs7; /* Enforced opaqueness */
- int valid; /* PKCS7 signature validated */
-
- ZZList *signers; /* the above, per signer */
-
- /* Window context, very necessary for PKCS11 now */
-
- void *mw; /* MWContext window context */
-
- /* Signal callback function */
-
- int (*signal) (int status, struct JAR_ *jar,
- const char *metafile, char *pathname, char *errorstring);
- }
-JAR;
-
-
-/*
- * Iterator
- *
- * Context for iterative operations. Certain operations
- * require iterating multiple linked lists because of
- * multiple signers. "nextsign" is used for this purpose.
- *
- */
-
-typedef struct JAR_Context_
- {
- JAR *jar; /* Jar we are searching */
- char *pattern; /* Regular expression */
- jarType finding; /* Type of item to find */
- ZZLink *next; /* Next item in find */
- ZZLink *nextsign; /* Next signer, sometimes */
- }
-JAR_Context;
-
-typedef struct JAR_Signer_
- {
- int pkcs7; /* Enforced opaqueness */
- int valid; /* PKCS7 signature validated */
- char *owner; /* name of .RSA file */
- JAR_Digest *digest; /* of .SF file */
- ZZList *sf; /* Linked list of .SF file contents */
- ZZList *certs; /* Signing information */
- }
-JAR_Signer;
-
-
-/* Meta informaton, or "policy", from the manifest file.
- Right now just one tuple per JAR_Item. */
-
-typedef struct JAR_Metainfo_
- {
- char *header;
- char *info;
- }
-JAR_Metainfo;
-
-/* This should not be global */
-
-typedef struct JAR_Physical_
- {
- unsigned char compression;
- unsigned long offset;
- unsigned long length;
- unsigned long uncompressed_length;
-#ifdef XP_UNIX
- uint16 mode;
-#endif
- }
-JAR_Physical;
-
-typedef struct JAR_Cert_
- {
- size_t length;
- void *key;
- CERTCertificate *cert;
- }
-JAR_Cert;
-
-
-/* certificate stuff */
-
-typedef enum
- {
- jarCertCompany = 1,
- jarCertCA = 2,
- jarCertSerial = 3,
- jarCertExpires = 4,
- jarCertNickname = 5,
- jarCertFinger = 6,
- jarCertJavaHack = 100
- }
-jarCert;
-
-/* callback types */
-
-#define JAR_CB_SIGNAL 1
-
-
-/*
- * This is the base for the JAR error codes. It will
- * change when these are incorporated into allxpstr.c,
- * but right now they won't let me put them there.
- *
- */
-
-#ifndef SEC_ERR_BASE
-#define SEC_ERR_BASE (-0x2000)
-#endif
-
-#define JAR_BASE SEC_ERR_BASE + 300
-
-/* Jar specific error definitions */
-
-#define JAR_ERR_GENERAL (JAR_BASE + 1)
-#define JAR_ERR_FNF (JAR_BASE + 2)
-#define JAR_ERR_CORRUPT (JAR_BASE + 3)
-#define JAR_ERR_MEMORY (JAR_BASE + 4)
-#define JAR_ERR_DISK (JAR_BASE + 5)
-#define JAR_ERR_ORDER (JAR_BASE + 6)
-#define JAR_ERR_SIG (JAR_BASE + 7)
-#define JAR_ERR_METADATA (JAR_BASE + 8)
-#define JAR_ERR_ENTRY (JAR_BASE + 9)
-#define JAR_ERR_HASH (JAR_BASE + 10)
-#define JAR_ERR_PK7 (JAR_BASE + 11)
-#define JAR_ERR_PNF (JAR_BASE + 12)
-
-
-/*
- * Birth and death
- *
- */
-
-extern JAR *JAR_new (void);
-
-extern void PR_CALLBACK JAR_destroy (JAR *jar);
-
-extern char *JAR_get_error (int status);
-
-extern int JAR_set_callback (int type, JAR *jar,
- int (*fn) (int status, JAR *jar,
- const char *metafile, char *pathname, char *errortext));
-
-extern void JAR_init_callbacks
- ( char *(*string_cb)(int), void *(*find_cx)(void), void *(*init_cx)(void) );
-
-/*
- * JAR_set_context
- *
- * PKCS11 may require a password to be entered by the user
- * before any crypto routines may be called. This will require
- * a window context if used from inside Mozilla.
- *
- * Call this routine with your context before calling
- * verifying or signing. If you have no context, call with NULL
- * and one will be chosen for you.
- *
- */
-
-int JAR_set_context (JAR *jar, void /*MWContext*/ *mw);
-
-/*
- * Iterative operations
- *
- * JAR_find sets up for repeated calls with JAR_find_next.
- * I never liked findfirst and findnext, this is nicer.
- *
- * Pattern contains a relative pathname to match inside the
- * archive. It is currently assumed to be "*".
- *
- * To use:
- *
- * JAR_Item *item;
- * JAR_find (jar, "*.class", jarTypeMF);
- * while (JAR_find_next (jar, &item) >= 0)
- * { do stuff }
- *
- */
-
-
-/* Replacement functions with an external context */
-
-extern JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type);
-
-extern int JAR_find_next (JAR_Context *ctx, JAR_Item **it);
-
-extern void JAR_find_end (JAR_Context *ctx);
-
-
-/*
- * Function to parse manifest file:
- *
- * Many signatures may be attached to a single filename located
- * inside the zip file. We only support one.
- *
- * Several manifests may be included in the zip file.
- *
- * You must pass the MANIFEST.MF file before any .SF files.
- *
- * Right now this returns a big ole list, privately in the jar structure.
- * If you need to traverse it, use JAR_find if possible.
- *
- * The path is needed to determine what type of binary signature is
- * being passed, though it is technically not needed for manifest files.
- *
- * When parsing an ASCII file, null terminate the ASCII raw_manifest
- * prior to sending it, and indicate a length of 0. For binary digital
- * signatures only, indicate the true length of the signature.
- * (This is legacy behavior.)
- *
- * You may free the manifest after parsing it.
- *
- */
-
-extern int JAR_parse_manifest
- (JAR *jar, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url);
-
-/*
- * Verify data (nonstreaming). The signature is actually
- * checked by JAR_parse_manifest or JAR_pass_archive.
- *
- */
-
-extern JAR_Digest * PR_CALLBACK JAR_calculate_digest
- (void ZHUGEP *data, long length);
-
-extern int PR_CALLBACK JAR_verify_digest
- (JAR *jar, const char *name, JAR_Digest *dig);
-
-extern int JAR_digest_file (char *filename, JAR_Digest *dig);
-
-/*
- * Get attribute from certificate:
- *
- * Returns any special signed attribute associated with this cert
- * or signature (passed in "data"). Attributes jarCert*. Most of the time
- * this will return a zero terminated string.
- *
- */
-
-extern int PR_CALLBACK JAR_cert_attribute
- (JAR *jar, jarCert attrib, long keylen, void *key,
- void **result, unsigned long *length);
-
-/*
- * Meta information
- *
- * Currently, since this call does not support passing of an owner
- * (certificate, or physical name of the .sf file), it is restricted to
- * returning information located in the manifest.mf file.
- *
- * Meta information is a name/value pair inside the archive file. Here,
- * the name is passed in *header and value returned in **info.
- *
- * Pass a NULL as the name to retrieve metainfo from the global section.
- *
- * Data is returned in **info, of size *length. The return value
- * will indicate if no data was found.
- *
- */
-
-extern int JAR_get_metainfo
- (JAR *jar, char *name, char *header, void **info, unsigned long *length);
-
-extern char *JAR_get_filename (JAR *jar);
-
-extern char *JAR_get_url (JAR *jar);
-
-/*
- * Return an HTML mockup of a certificate or signature.
- *
- * Returns a zero terminated ascii string
- * in raw HTML format.
- *
- */
-
-extern char *JAR_cert_html
- (JAR *jar, int style, long keylen, void *key, int *result);
-
-/* save the certificate with this fingerprint in persistent
- storage, somewhere, for retrieval in a future session when there
- is no corresponding JAR structure. */
-
-extern int PR_CALLBACK JAR_stash_cert
- (JAR *jar, long keylen, void *key);
-
-/* retrieve a certificate presumably stashed with the above
- function, but may be any certificate. Type is &CERTCertificate */
-
-void *JAR_fetch_cert (long length, void *key);
-
-/*
- * New functions to handle archives alone
- * (call JAR_new beforehand)
- *
- * JAR_pass_archive acts much like parse_manifest. Certificates
- * are returned in the JAR structure but as opaque data. When calling
- * JAR_verified_extract you still need to decide which of these
- * certificates to honor.
- *
- * Code to examine a JAR structure is in jarbert.c. You can obtain both
- * a list of filenames and certificates from traversing the linked list.
- *
- */
-
-extern int JAR_pass_archive
- (JAR *jar, jarArch format, char *filename, const char *url);
-
-/*
- * Same thing, but don't check signatures
- */
-extern int JAR_pass_archive_unverified
- (JAR *jar, jarArch format, char *filename, const char *url);
-
-/*
- * Extracts a relative pathname from the archive and places it
- * in the filename specified.
- *
- * Call JAR_set_nailed if you want to keep the file descriptors
- * open between multiple calls to JAR_verify_extract.
- *
- */
-
-extern int JAR_verified_extract
- (JAR *jar, char *path, char *outpath);
-
-/*
- * JAR_extract does no crypto checking. This can be used if you
- * need to extract a manifest file or signature, etc.
- *
- */
-
-extern int JAR_extract
- (JAR *jar, char *path, char *outpath);
-
-
-#endif /* __JAR_h_ */
diff --git a/security/nss/lib/jar/jarevil.c b/security/nss/lib/jar/jarevil.c
deleted file mode 100644
index feecd43b0..000000000
--- a/security/nss/lib/jar/jarevil.c
+++ /dev/null
@@ -1,571 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JAREVIL
- *
- * Wrappers to callback in the mozilla thread
- *
- * Certificate code is unsafe when called outside the
- * mozilla thread. These functions push an event on the
- * queue to cause the cert function to run in that thread.
- *
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-#include "jarevil.h"
-
-/* from libevent.h */
-#ifdef MOZILLA_CLIENT
-typedef void (*ETVoidPtrFunc) (void * data);
-extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
-
-extern void *mozilla_event_queue;
-#endif
-
-
-/* Special macros facilitate running on Win 16 */
-#if defined(XP_PC) && !defined(_WIN32) /* then we are win 16 */
-
- /*
- * Allocate the data passed to the callback functions from the heap...
- *
- * This inter-thread structure cannot reside on a thread stack since the
- * thread's stack is swapped away with the thread under Win16...
- */
-
- #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
- type * pointer_var_name = PORT_ZAlloc (sizeof(type)); \
- do { \
- if (!pointer_var_name) \
- return (out_of_memory_return_value); \
- } while (0) /* and now a semicolon can follow :-) */
-
- #define FREE_IF_ALLOC_IS_USED(pointer_var_name) PORT_Free(pointer_var_name)
-
-#else /* not win 16... so we can alloc via auto variables */
-
- #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
- type actual_structure_allocated_in_macro; \
- type * pointer_var_name = &actual_structure_allocated_in_macro; \
- PORT_Memset (pointer_var_name, 0, sizeof (*pointer_var_name)); \
- ((void) 0) /* and now a semicolon can follow */
-
- #define FREE_IF_ALLOC_IS_USED(pointer_var_name) ((void) 0)
-
-#endif /* not Win 16 */
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_encode
- *
- * Call SEC_PKCS7Encode inside
- * the mozilla thread
- *
- */
-
-struct EVIL_encode
- {
- int error;
- SECStatus status;
- SEC_PKCS7ContentInfo *cinfo;
- SEC_PKCS7EncoderOutputCallback outputfn;
- void *outputarg;
- PK11SymKey *bulkkey;
- SECKEYGetPasswordKey pwfn;
- void *pwfnarg;
- };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_encode_fn (void *data)
- {
- SECStatus status;
- struct EVIL_encode *encode_data = (struct EVIL_encode *)data;
-
- PORT_SetError (encode_data->error);
-
- status = SEC_PKCS7Encode (encode_data->cinfo, encode_data->outputfn,
- encode_data->outputarg, encode_data->bulkkey,
- encode_data->pwfn, encode_data->pwfnarg);
-
- encode_data->status = status;
- encode_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-SECStatus jar_moz_encode
- (
- SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7EncoderOutputCallback outputfn,
- void *outputarg,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg
- )
- {
- SECStatus ret;
- ALLOC_OR_DEFINE(struct EVIL_encode, encode_data, SECFailure);
-
- encode_data->error = PORT_GetError();
- encode_data->cinfo = cinfo;
- encode_data->outputfn = outputfn;
- encode_data->outputarg = outputarg;
- encode_data->bulkkey = bulkkey;
- encode_data->pwfn = pwfn;
- encode_data->pwfnarg = pwfnarg;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_encode_fn, encode_data);
- else
- jar_moz_encode_fn (encode_data);
-#else
- jar_moz_encode_fn (encode_data);
-#endif
-
- PORT_SetError (encode_data->error);
- ret = encode_data->status;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(encode_data);
- return ret;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_verify
- *
- * Call SEC_PKCS7VerifyDetachedSignature inside
- * the mozilla thread
- *
- */
-
-struct EVIL_verify
- {
- int error;
- SECStatus status;
- SEC_PKCS7ContentInfo *cinfo;
- SECCertUsage certusage;
- SECItem *detached_digest;
- HASH_HashType digest_type;
- PRBool keepcerts;
- };
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_verify_fn (void *data)
- {
- PRBool result;
- struct EVIL_verify *verify_data = (struct EVIL_verify *)data;
-
- PORT_SetError (verify_data->error);
-
- result = SEC_PKCS7VerifyDetachedSignature
- (verify_data->cinfo, verify_data->certusage, verify_data->detached_digest,
- verify_data->digest_type, verify_data->keepcerts);
-
-
- verify_data->status = result==PR_TRUE ? SECSuccess : SECFailure;
- verify_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-SECStatus jar_moz_verify
- (
- SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- SECItem *detached_digest,
- HASH_HashType digest_type,
- PRBool keepcerts
- )
- {
- SECStatus ret;
- ALLOC_OR_DEFINE(struct EVIL_verify, verify_data, SECFailure);
-
- verify_data->error = PORT_GetError();
- verify_data->cinfo = cinfo;
- verify_data->certusage = certusage;
- verify_data->detached_digest = detached_digest;
- verify_data->digest_type = digest_type;
- verify_data->keepcerts = keepcerts;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_verify_fn, verify_data);
- else
- jar_moz_verify_fn (verify_data);
-#else
- jar_moz_verify_fn (verify_data);
-#endif
-
- PORT_SetError (verify_data->error);
- ret = verify_data->status;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(verify_data);
- return ret;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_nickname
- *
- * Call CERT_FindCertByNickname inside
- * the mozilla thread
- *
- */
-
-struct EVIL_nickname
- {
- int error;
- CERTCertDBHandle *certdb;
- char *nickname;
- CERTCertificate *cert;
- };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_nickname_fn (void *data)
- {
- CERTCertificate *cert;
- struct EVIL_nickname *nickname_data = (struct EVIL_nickname *)data;
-
- PORT_SetError (nickname_data->error);
-
- cert = CERT_FindCertByNickname (nickname_data->certdb, nickname_data->nickname);
-
- nickname_data->cert = cert;
- nickname_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-CERTCertificate *jar_moz_nickname (CERTCertDBHandle *certdb, char *nickname)
- {
- CERTCertificate *cert;
- ALLOC_OR_DEFINE(struct EVIL_nickname, nickname_data, NULL );
-
- nickname_data->error = PORT_GetError();
- nickname_data->certdb = certdb;
- nickname_data->nickname = nickname;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_nickname_fn, nickname_data);
- else
- jar_moz_nickname_fn (nickname_data);
-#else
- jar_moz_nickname_fn (nickname_data);
-#endif
-
- PORT_SetError (nickname_data->error);
- cert = nickname_data->cert;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(nickname_data);
- return cert;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_perm
- *
- * Call CERT_AddTempCertToPerm inside
- * the mozilla thread
- *
- */
-
-struct EVIL_perm
- {
- int error;
- SECStatus status;
- CERTCertificate *cert;
- char *nickname;
- CERTCertTrust *trust;
- };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_perm_fn (void *data)
- {
- SECStatus status;
- struct EVIL_perm *perm_data = (struct EVIL_perm *)data;
-
- PORT_SetError (perm_data->error);
-
- status = CERT_AddTempCertToPerm (perm_data->cert, perm_data->nickname, perm_data->trust);
-
- perm_data->status = status;
- perm_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-SECStatus jar_moz_perm
- (CERTCertificate *cert, char *nickname, CERTCertTrust *trust)
- {
- SECStatus ret;
- ALLOC_OR_DEFINE(struct EVIL_perm, perm_data, SECFailure);
-
- perm_data->error = PORT_GetError();
- perm_data->cert = cert;
- perm_data->nickname = nickname;
- perm_data->trust = trust;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_perm_fn, perm_data);
- else
- jar_moz_perm_fn (perm_data);
-#else
- jar_moz_perm_fn (perm_data);
-#endif
-
- PORT_SetError (perm_data->error);
- ret = perm_data->status;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(perm_data);
- return ret;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_certkey
- *
- * Call CERT_FindCertByKey inside
- * the mozilla thread
- *
- */
-
-struct EVIL_certkey
- {
- int error;
- CERTCertificate *cert;
- CERTCertDBHandle *certdb;
- SECItem *seckey;
- };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_certkey_fn (void *data)
- {
- CERTCertificate *cert;
- struct EVIL_certkey *certkey_data = (struct EVIL_certkey *)data;
-
- PORT_SetError (certkey_data->error);
-
- cert = CERT_FindCertByKey (certkey_data->certdb, certkey_data->seckey);
-
- certkey_data->cert = cert;
- certkey_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-CERTCertificate *jar_moz_certkey (CERTCertDBHandle *certdb, SECItem *seckey)
- {
- CERTCertificate *cert;
- ALLOC_OR_DEFINE(struct EVIL_certkey, certkey_data, NULL);
-
- certkey_data->error = PORT_GetError();
- certkey_data->certdb = certdb;
- certkey_data->seckey = seckey;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_certkey_fn, certkey_data);
- else
- jar_moz_certkey_fn (certkey_data);
-#else
- jar_moz_certkey_fn (certkey_data);
-#endif
-
- PORT_SetError (certkey_data->error);
- cert = certkey_data->cert;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(certkey_data);
- return cert;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_issuer
- *
- * Call CERT_FindCertIssuer inside
- * the mozilla thread
- *
- */
-
-struct EVIL_issuer
- {
- int error;
- CERTCertificate *cert;
- CERTCertificate *issuer;
- };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_issuer_fn (void *data)
- {
- CERTCertificate *issuer;
- struct EVIL_issuer *issuer_data = (struct EVIL_issuer *)data;
-
- PORT_SetError (issuer_data->error);
-
- issuer = CERT_FindCertIssuer (issuer_data->cert, PR_Now(),
- certUsageObjectSigner);
-
- issuer_data->issuer = issuer;
- issuer_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-CERTCertificate *jar_moz_issuer (CERTCertificate *cert)
- {
- CERTCertificate *issuer_cert;
- ALLOC_OR_DEFINE(struct EVIL_issuer, issuer_data, NULL);
-
- issuer_data->error = PORT_GetError();
- issuer_data->cert = cert;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_issuer_fn, issuer_data);
- else
- jar_moz_issuer_fn (issuer_data);
-#else
- jar_moz_issuer_fn (issuer_data);
-#endif
-
- PORT_SetError (issuer_data->error);
- issuer_cert = issuer_data->issuer;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(issuer_data);
- return issuer_cert;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- * JAR_MOZ_dup
- *
- * Call CERT_DupCertificate inside
- * the mozilla thread
- *
- */
-
-struct EVIL_dup
- {
- int error;
- CERTCertificate *cert;
- CERTCertificate *return_cert;
- };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_dup_fn (void *data)
- {
- CERTCertificate *return_cert;
- struct EVIL_dup *dup_data = (struct EVIL_dup *)data;
-
- PORT_SetError (dup_data->error);
-
- return_cert = CERT_DupCertificate (dup_data->cert);
-
- dup_data->return_cert = return_cert;
- dup_data->error = PORT_GetError();
- }
-
-
-/* Wrapper for the ET_MOZ call */
-
-CERTCertificate *jar_moz_dup (CERTCertificate *cert)
- {
- CERTCertificate *dup_cert;
- ALLOC_OR_DEFINE(struct EVIL_dup, dup_data, NULL);
-
- dup_data->error = PORT_GetError();
- dup_data->cert = cert;
-
- /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT
- if (mozilla_event_queue)
- ET_moz_CallFunction (jar_moz_dup_fn, dup_data);
- else
- jar_moz_dup_fn (dup_data);
-#else
- jar_moz_dup_fn (dup_data);
-#endif
-
- PORT_SetError (dup_data->error);
- dup_cert = dup_data->return_cert;
-
- /* Free the data passed to the callback function... */
- FREE_IF_ALLOC_IS_USED(dup_data);
- return dup_cert;
- }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
diff --git a/security/nss/lib/jar/jarevil.h b/security/nss/lib/jar/jarevil.h
deleted file mode 100644
index a7c835e6c..000000000
--- a/security/nss/lib/jar/jarevil.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * jarevil.h
- *
- * dot H file for calls to mozilla thread
- * from within jarver.c
- *
- */
-
-#include "certt.h"
-#include "secpkcs7.h"
-
-extern SECStatus jar_moz_encode
- (
- SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7EncoderOutputCallback outputfn,
- void *outputarg,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg
- );
-
-extern SECStatus jar_moz_verify
- (
- SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- SECItem *detached_digest,
- HASH_HashType digest_type,
- PRBool keepcerts
- );
-
-extern CERTCertificate *jar_moz_nickname
- (CERTCertDBHandle *certdb, char *nickname);
-
-extern SECStatus jar_moz_perm
- (CERTCertificate *cert, char *nickname, CERTCertTrust *trust);
-
-extern CERTCertificate *jar_moz_certkey
- (CERTCertDBHandle *certdb, SECItem *seckey);
-
-extern CERTCertificate *jar_moz_issuer (CERTCertificate *cert);
-
-extern CERTCertificate *jar_moz_dup (CERTCertificate *cert);
-
diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c
deleted file mode 100644
index 5f5b0e67f..000000000
--- a/security/nss/lib/jar/jarfile.c
+++ /dev/null
@@ -1,1149 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JARFILE
- *
- * Parsing of a Jar file
- */
-
-#define JAR_SIZE 256
-
-#include "jar.h"
-
-#include "jarint.h"
-#include "jarfile.h"
-
-/* commercial compression */
-#include "jzlib.h"
-
-#ifdef XP_UNIX
-#include "sys/stat.h"
-#endif
-
-
-/* extracting */
-
-static int jar_guess_jar (char *filename, JAR_FILE fp);
-
-static int jar_inflate_memory
- (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data);
-
-static int jar_physical_extraction
- (JAR_FILE fp, char *outpath, long offset, long length);
-
-static int jar_physical_inflate
- (JAR_FILE fp, char *outpath, long offset,
- long length, unsigned int method);
-
-static int jar_verify_extract
- (JAR *jar, char *path, char *physical_path);
-
-static JAR_Physical *jar_get_physical (JAR *jar, char *pathname);
-
-static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp);
-
-static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext);
-
-
-/* indexing */
-
-static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp);
-
-static int jar_listtar (JAR *jar, JAR_FILE fp);
-
-static int jar_listzip (JAR *jar, JAR_FILE fp);
-
-
-/* conversions */
-
-static int dosdate (char *date, char *s);
-
-static int dostime (char *time, char *s);
-
-static unsigned int xtoint (unsigned char *ii);
-
-static unsigned long xtolong (unsigned char *ll);
-
-static long atoo (char *s);
-
-/*
- * J A R _ p a s s _ a r c h i v e
- *
- * For use by naive clients. Slam an entire archive file
- * into this function. We extract manifests, parse, index
- * the archive file, and do whatever nastiness.
- *
- */
-
-int JAR_pass_archive
- (JAR *jar, jarArch format, char *filename, const char *url)
- {
- JAR_FILE fp;
- int status = 0;
-
- if (filename == NULL)
- return JAR_ERR_GENERAL;
-
- if ((fp = JAR_FOPEN (filename, "rb")) != NULL)
- {
- if (format == jarArchGuess)
- format = (jarArch)jar_guess_jar (filename, fp);
-
- jar->format = format;
- jar->url = url ? PORT_Strdup (url) : NULL;
- jar->filename = PORT_Strdup (filename);
-
- status = jar_gen_index (jar, format, fp);
-
- if (status == 0)
- status = jar_extract_manifests (jar, format, fp);
-
- JAR_FCLOSE (fp);
-
- if (status < 0)
- return status;
-
- /* people were expecting it this way */
- return jar->valid;
- }
- else
- {
- /* file not found */
- return JAR_ERR_FNF;
- }
- }
-
-/*
- * J A R _ p a s s _ a r c h i v e _ u n v e r i f i e d
- *
- * Same as JAR_pass_archive, but doesn't parse signatures.
- *
- */
-int JAR_pass_archive_unverified
- (JAR *jar, jarArch format, char *filename, const char *url)
-{
- JAR_FILE fp;
- int status = 0;
-
- if (filename == NULL) {
- return JAR_ERR_GENERAL;
- }
-
- if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
- if (format == jarArchGuess) {
- format = (jarArch)jar_guess_jar (filename, fp);
- }
-
- jar->format = format;
- jar->url = url ? PORT_Strdup (url) : NULL;
- jar->filename = PORT_Strdup (filename);
-
- status = jar_gen_index (jar, format, fp);
-
- if (status == 0) {
- status = jar_extract_mf(jar, format, fp, "mf");
- }
-
- JAR_FCLOSE (fp);
-
- if (status < 0) {
- return status;
- }
-
- /* people were expecting it this way */
- return jar->valid;
- } else {
- /* file not found */
- return JAR_ERR_FNF;
- }
-}
-
-/*
- * J A R _ v e r i f i e d _ e x t r a c t
- *
- * Optimization: keep a file descriptor open
- * inside the JAR structure, so we don't have to
- * open the file 25 times to run java.
- *
- */
-
-int JAR_verified_extract
- (JAR *jar, char *path, char *outpath)
- {
- int status;
-
- status = JAR_extract (jar, path, outpath);
-
- if (status >= 0)
- return jar_verify_extract (jar, path, outpath);
- else
- return status;
- }
-
-int JAR_extract
- (JAR *jar, char *path, char *outpath)
- {
- int result;
-
- JAR_FILE fp;
- JAR_Physical *phy;
-
- if (jar->fp == NULL && jar->filename)
- {
- jar->fp = (FILE*)JAR_FOPEN (jar->filename, "rb");
- }
-
- if (jar->fp == NULL)
- {
- /* file not found */
- return JAR_ERR_FNF;
- }
-
- phy = jar_get_physical (jar, path);
-
- if (phy)
- {
- if (phy->compression != 0 && phy->compression != 8)
- {
- /* unsupported compression method */
- result = JAR_ERR_CORRUPT;
- }
-
- if (phy->compression == 0)
- {
- result = jar_physical_extraction
- ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length);
- }
- else
- {
- result = jar_physical_inflate
- ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length,
- (unsigned int) phy->compression);
- }
-
-#ifdef XP_UNIX
- if (phy->mode)
- chmod (outpath, 0400 | (mode_t) phy->mode);
-#endif
- }
- else
- {
- /* pathname not found in archive */
- result = JAR_ERR_PNF;
- }
-
- return result;
- }
-
-/*
- * p h y s i c a l _ e x t r a c t i o n
- *
- * This needs to be done in chunks of say 32k, instead of
- * in one bulk calloc. (Necessary under Win16 platform.)
- * This is done for uncompressed entries only.
- *
- */
-
-#define CHUNK 32768
-
-static int jar_physical_extraction
- (JAR_FILE fp, char *outpath, long offset, long length)
- {
- JAR_FILE out;
-
- char *buffer;
- long at, chunk;
-
- int status = 0;
-
- buffer = (char *) PORT_ZAlloc (CHUNK);
-
- if (buffer == NULL)
- return JAR_ERR_MEMORY;
-
- if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
- {
- at = 0;
-
- JAR_FSEEK (fp, offset, (PRSeekWhence)0);
-
- while (at < length)
- {
- chunk = (at + CHUNK <= length) ? CHUNK : length - at;
-
- if (JAR_FREAD (fp, buffer, chunk) != chunk)
- {
- status = JAR_ERR_DISK;
- break;
- }
-
- at += chunk;
-
- if (JAR_FWRITE (out, buffer, chunk) < chunk)
- {
- /* most likely a disk full error */
- status = JAR_ERR_DISK;
- break;
- }
- }
- JAR_FCLOSE (out);
- }
- else
- {
- /* error opening output file */
- status = JAR_ERR_DISK;
- }
-
- PORT_Free (buffer);
- return status;
- }
-
-/*
- * j a r _ p h y s i c a l _ i n f l a t e
- *
- * Inflate a range of bytes in a file, writing the inflated
- * result to "outpath". Chunk based.
- *
- */
-
-/* input and output chunks differ, assume 4x compression */
-
-#define ICHUNK 8192
-#define OCHUNK 32768
-
-static int jar_physical_inflate
- (JAR_FILE fp, char *outpath, long offset,
- long length, unsigned int method)
- {
- z_stream zs;
-
- JAR_FILE out;
-
- long at, chunk;
- char *inbuf, *outbuf;
-
- int status = 0;
-
- unsigned long prev_total, ochunk, tin;
-
- if ((inbuf = (char *) PORT_ZAlloc (ICHUNK)) == NULL)
- return JAR_ERR_MEMORY;
-
- if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
- {
- PORT_Free (inbuf);
- return JAR_ERR_MEMORY;
- }
-
- PORT_Memset (&zs, 0, sizeof (zs));
- status = inflateInit2 (&zs, -MAX_WBITS);
-
- if (status != Z_OK)
- return JAR_ERR_GENERAL;
-
- if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
- {
- at = 0;
-
- JAR_FSEEK (fp, offset, (PRSeekWhence)0);
-
- while (at < length)
- {
- chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
-
- if (JAR_FREAD (fp, inbuf, chunk) != chunk)
- {
- /* incomplete read */
- return JAR_ERR_CORRUPT;
- }
-
- at += chunk;
-
- zs.next_in = (Bytef *) inbuf;
- zs.avail_in = chunk;
- zs.avail_out = OCHUNK;
-
- tin = zs.total_in;
-
- while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
- {
- prev_total = zs.total_out;
-
- zs.next_out = (Bytef *) outbuf;
- zs.avail_out = OCHUNK;
-
- status = inflate (&zs, Z_NO_FLUSH);
-
- if (status != Z_OK && status != Z_STREAM_END)
- {
- /* error during decompression */
- return JAR_ERR_CORRUPT;
- }
-
- ochunk = zs.total_out - prev_total;
-
- if (JAR_FWRITE (out, outbuf, ochunk) < ochunk)
- {
- /* most likely a disk full error */
- status = JAR_ERR_DISK;
- break;
- }
-
- if (status == Z_STREAM_END)
- break;
- }
- }
-
- JAR_FCLOSE (out);
- status = inflateEnd (&zs);
- }
- else
- {
- /* error opening output file */
- status = JAR_ERR_DISK;
- }
-
- PORT_Free (inbuf);
- PORT_Free (outbuf);
-
- return status;
- }
-
-/*
- * j a r _ i n f l a t e _ m e m o r y
- *
- * Call zlib to inflate the given memory chunk. It is re-XP_ALLOC'd,
- * and thus appears to operate inplace to the caller.
- *
- */
-
-static int jar_inflate_memory
- (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data)
- {
- int status;
- z_stream zs;
-
- long insz, outsz;
-
- char *inbuf, *outbuf;
-
- inbuf = *data;
- insz = *length;
-
- outsz = expected_out_len;
- outbuf = (char*)PORT_ZAlloc (outsz);
-
- if (outbuf == NULL)
- return JAR_ERR_MEMORY;
-
- PORT_Memset (&zs, 0, sizeof (zs));
-
- status = inflateInit2 (&zs, -MAX_WBITS);
-
- if (status < 0)
- {
- /* error initializing zlib stream */
- return JAR_ERR_GENERAL;
- }
-
- zs.next_in = (Bytef *) inbuf;
- zs.next_out = (Bytef *) outbuf;
-
- zs.avail_in = insz;
- zs.avail_out = outsz;
-
- status = inflate (&zs, Z_FINISH);
-
- if (status != Z_OK && status != Z_STREAM_END)
- {
- /* error during deflation */
- return JAR_ERR_GENERAL;
- }
-
- status = inflateEnd (&zs);
-
- if (status != Z_OK)
- {
- /* error during deflation */
- return JAR_ERR_GENERAL;
- }
-
- PORT_Free (*data);
-
- *data = outbuf;
- *length = zs.total_out;
-
- return 0;
- }
-
-/*
- * v e r i f y _ e x t r a c t
- *
- * Validate signature on the freshly extracted file.
- *
- */
-
-static int jar_verify_extract (JAR *jar, char *path, char *physical_path)
- {
- int status;
- JAR_Digest dig;
-
- PORT_Memset (&dig, 0, sizeof (JAR_Digest));
- status = JAR_digest_file (physical_path, &dig);
-
- if (!status)
- status = JAR_verify_digest (jar, path, &dig);
-
- return status;
- }
-
-/*
- * g e t _ p h y s i c a l
- *
- * Let's get physical.
- * Obtains the offset and length of this file in the jar file.
- *
- */
-
-static JAR_Physical *jar_get_physical (JAR *jar, char *pathname)
- {
- JAR_Item *it;
-
- JAR_Physical *phy;
-
- ZZLink *link;
- ZZList *list;
-
- list = jar->phy;
-
- if (ZZ_ListEmpty (list))
- return NULL;
-
- for (link = ZZ_ListHead (list);
- !ZZ_ListIterDone (list, link);
- link = link->next)
- {
- it = link->thing;
- if (it->type == jarTypePhy
- && it->pathname && !PORT_Strcmp (it->pathname, pathname))
- {
- phy = (JAR_Physical *) it->data;
- return phy;
- }
- }
-
- return NULL;
- }
-
-/*
- * j a r _ e x t r a c t _ m a n i f e s t s
- *
- * Extract the manifest files and parse them,
- * from an open archive file whose contents are known.
- *
- */
-
-static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp)
- {
- int status;
-
- if (format != jarArchZip && format != jarArchTar)
- return JAR_ERR_CORRUPT;
-
- if ((status = jar_extract_mf (jar, format, fp, "mf")) < 0)
- return status;
-
- if ((status = jar_extract_mf (jar, format, fp, "sf")) < 0)
- return status;
-
- if ((status = jar_extract_mf (jar, format, fp, "rsa")) < 0)
- return status;
-
- if ((status = jar_extract_mf (jar, format, fp, "dsa")) < 0)
- return status;
-
- return 0;
- }
-
-/*
- * j a r _ e x t r a c t _ m f
- *
- * Extracts manifest files based on an extension, which
- * should be .MF, .SF, .RSA, etc. Order of the files is now no
- * longer important when zipping jar files.
- *
- */
-
-static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext)
- {
- JAR_Item *it;
-
- JAR_Physical *phy;
-
- ZZLink *link;
- ZZList *list;
-
- char *fn, *e;
- char ZHUGEP *manifest;
-
- long length;
- int status, ret = 0, num;
-
- list = jar->phy;
-
- if (ZZ_ListEmpty (list))
- return JAR_ERR_PNF;
-
- for (link = ZZ_ListHead (list);
- !ZZ_ListIterDone (list, link);
- link = link->next)
- {
- it = link->thing;
- if (it->type == jarTypePhy
- && !PORT_Strncmp (it->pathname, "META-INF", 8))
- {
- phy = (JAR_Physical *) it->data;
-
- if (PORT_Strlen (it->pathname) < 8)
- continue;
-
- fn = it->pathname + 8;
- if (*fn == '/' || *fn == '\\') fn++;
-
- if (*fn == 0)
- {
- /* just a directory entry */
- continue;
- }
-
- /* skip to extension */
- for (e = fn; *e && *e != '.'; e++)
- /* yip */ ;
-
- /* and skip dot */
- if (*e == '.') e++;
-
- if (PORT_Strcasecmp (ext, e))
- {
- /* not the right extension */
- continue;
- }
-
- if (phy->length == 0)
- {
- /* manifest files cannot be zero length! */
- return JAR_ERR_CORRUPT;
- }
-
- /* Read in the manifest and parse it */
- /* FIX? Does this break on win16 for very very large manifest files? */
-
-#ifdef XP_WIN16
- PORT_Assert( phy->length+1 < 0xFFFF );
-#endif
-
- manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
- if (manifest)
- {
- JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
- num = JAR_FREAD (fp, manifest, phy->length);
-
- if (num != phy->length)
- {
- /* corrupt archive file */
- return JAR_ERR_CORRUPT;
- }
-
- if (phy->compression == 8)
- {
- length = phy->length;
-
- status = jar_inflate_memory ((unsigned int) phy->compression, &length, phy->uncompressed_length, &manifest);
-
- if (status < 0)
- return status;
- }
- else if (phy->compression)
- {
- /* unsupported compression method */
- return JAR_ERR_CORRUPT;
- }
- else
- length = phy->length;
-
- status = JAR_parse_manifest
- (jar, manifest, length, it->pathname, "url");
-
- PORT_Free (manifest);
-
- if (status < 0 && ret == 0) ret = status;
- }
- else
- return JAR_ERR_MEMORY;
- }
- else if (it->type == jarTypePhy)
- {
- /* ordinary file */
- }
- }
-
- return ret;
- }
-
-/*
- * j a r _ g e n _ i n d e x
- *
- * Generate an index for the various types of
- * known archive files. Right now .ZIP and .TAR
- *
- */
-
-static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp)
- {
- int result = JAR_ERR_CORRUPT;
- JAR_FSEEK (fp, 0, (PRSeekWhence)0);
-
- switch (format)
- {
- case jarArchZip:
- result = jar_listzip (jar, fp);
- break;
-
- case jarArchTar:
- result = jar_listtar (jar, fp);
- break;
- }
-
- JAR_FSEEK (fp, 0, (PRSeekWhence)0);
- return result;
- }
-
-
-/*
- * j a r _ l i s t z i p
- *
- * List the physical contents of a Phil Katz
- * style .ZIP file into the JAR linked list.
- *
- */
-
-static int jar_listzip (JAR *jar, JAR_FILE fp)
- {
- int err = 0;
-
- long pos = 0L;
- char filename [JAR_SIZE];
-
- char date [9], time [9];
- char sig [4];
-
- unsigned int compression;
- unsigned int filename_len, extra_len;
-
- struct ZipLocal *Local;
- struct ZipCentral *Central;
- struct ZipEnd *End;
-
- /* phy things */
-
- ZZLink *ent;
- JAR_Item *it;
- JAR_Physical *phy;
-
- Local = (struct ZipLocal *) PORT_ZAlloc (30);
- Central = (struct ZipCentral *) PORT_ZAlloc (46);
- End = (struct ZipEnd *) PORT_ZAlloc (22);
-
- if (!Local || !Central || !End)
- {
- /* out of memory */
- err = JAR_ERR_MEMORY;
- goto loser;
- }
-
- while (1)
- {
- JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
- if (JAR_FREAD (fp, (char *) sig, 4) != 4)
- {
- /* zip file ends prematurely */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
-
- JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
- if (xtolong ((unsigned char *)sig) == LSIG)
- {
- JAR_FREAD (fp, (char *) Local, 30);
-
- filename_len = xtoint ((unsigned char *) Local->filename_len);
- extra_len = xtoint ((unsigned char *) Local->extrafield_len);
-
- if (filename_len >= JAR_SIZE)
- {
- /* corrupt zip file */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
-
- if (JAR_FREAD (fp, filename, filename_len) != filename_len)
- {
- /* truncated archive file */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
-
- filename [filename_len] = 0;
-
- /* Add this to our jar chain */
-
- phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
-
- if (phy == NULL)
- {
- err = JAR_ERR_MEMORY;
- goto loser;
- }
-
- /* We will index any file that comes our way, but when it comes
- to actually extraction, compression must be 0 or 8 */
-
- compression = xtoint ((unsigned char *) Local->method);
- phy->compression = compression >= 0 &&
- compression <= 255 ? compression : 222;
-
- phy->offset = pos + 30 + filename_len + extra_len;
- phy->length = xtolong ((unsigned char *) Local->size);
- phy->uncompressed_length = xtolong((unsigned char *) Local->orglen);
-
- dosdate (date, Local->date);
- dostime (time, Local->time);
-
- it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
- if (it == NULL)
- {
- err = JAR_ERR_MEMORY;
- goto loser;
- }
-
- it->pathname = PORT_Strdup (filename);
-
- it->type = jarTypePhy;
-
- it->data = (unsigned char *) phy;
- it->size = sizeof (JAR_Physical);
-
- ent = ZZ_NewLink (it);
-
- if (ent == NULL)
- {
- err = JAR_ERR_MEMORY;
- goto loser;
- }
-
- ZZ_AppendLink (jar->phy, ent);
-
- pos = phy->offset + phy->length;
- }
- else if (xtolong ( (unsigned char *)sig) == CSIG)
- {
- if (JAR_FREAD (fp, (char *) Central, 46) != 46)
- {
- /* apparently truncated archive */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
-
-#ifdef XP_UNIX
- /* with unix we need to locate any bits from
- the protection mask in the external attributes. */
- {
- unsigned int attr;
-
- /* determined empirically */
- attr = Central->external_attributes [2];
-
- if (attr)
- {
- /* we have to read the filename, again */
-
- filename_len = xtoint ((unsigned char *) Central->filename_len);
-
- if (filename_len >= JAR_SIZE)
- {
- /* corrupt in central directory */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
-
- if (JAR_FREAD (fp, filename, filename_len) != filename_len)
- {
- /* truncated in central directory */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
-
- filename [filename_len] = 0;
-
- /* look up this name again */
- phy = jar_get_physical (jar, filename);
-
- if (phy)
- {
- /* always allow access by self */
- phy->mode = 0400 | attr;
- }
- }
- }
-#endif
-
- pos += 46 + xtoint ( (unsigned char *)Central->filename_len)
- + xtoint ( (unsigned char *)Central->commentfield_len)
- + xtoint ( (unsigned char *)Central->extrafield_len);
- }
- else if (xtolong ( (unsigned char *)sig) == ESIG)
- {
- if (JAR_FREAD (fp, (char *) End, 22) != 22)
- {
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
- else
- break;
- }
- else
- {
- /* garbage in archive */
- err = JAR_ERR_CORRUPT;
- goto loser;
- }
- }
-
-loser:
-
- if (Local) PORT_Free (Local);
- if (Central) PORT_Free (Central);
- if (End) PORT_Free (End);
-
- return err;
- }
-
-/*
- * j a r _ l i s t t a r
- *
- * List the physical contents of a Unix
- * .tar file into the JAR linked list.
- *
- */
-
-static int jar_listtar (JAR *jar, JAR_FILE fp)
- {
- long pos = 0L;
-
- long sz, mode;
- time_t when;
- union TarEntry tarball;
-
- char *s;
-
- /* phy things */
-
- ZZLink *ent;
- JAR_Item *it;
- JAR_Physical *phy;
-
- while (1)
- {
- JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
- if (JAR_FREAD (fp, (char *) &tarball, 512) < 512)
- break;
-
- if (!*tarball.val.filename)
- break;
-
- when = atoo (tarball.val.time);
- sz = atoo (tarball.val.size);
- mode = atoo (tarball.val.mode);
-
-
- /* Tag the end of filename */
-
- s = tarball.val.filename;
- while (*s && *s != ' ') s++;
- *s = 0;
-
-
- /* Add to our linked list */
-
- phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
-
- if (phy == NULL)
- return JAR_ERR_MEMORY;
-
- phy->compression = 0;
- phy->offset = pos + 512;
- phy->length = sz;
-
- ADDITEM (jar->phy, jarTypePhy,
- tarball.val.filename, phy, sizeof (JAR_Physical));
-
-
- /* Advance to next file entry */
-
- sz += 511;
- sz = (sz / 512) * 512;
-
- pos += sz + 512;
- }
-
- return 0;
- }
-
-/*
- * d o s d a t e
- *
- * Not used right now, but keep it in here because
- * it will be needed.
- *
- */
-
-static int dosdate (char *date, char *s)
- {
- int num = xtoint ( (unsigned char *)s);
-
- PR_snprintf (date, 9, "%02d-%02d-%02d",
- ((num >> 5) & 0x0F), (num & 0x1F), ((num >> 9) + 80));
-
- return 0;
- }
-
-/*
- * d o s t i m e
- *
- * Not used right now, but keep it in here because
- * it will be needed.
- *
- */
-
-static int dostime (char *time, char *s)
- {
- int num = xtoint ( (unsigned char *)s);
-
- PR_snprintf (time, 6, "%02d:%02d",
- ((num >> 11) & 0x1F), ((num >> 5) & 0x3F));
-
- return 0;
- }
-
-/*
- * x t o i n t
- *
- * Converts a two byte ugly endianed integer
- * to our platform's integer.
- *
- */
-
-static unsigned int xtoint (unsigned char *ii)
- {
- return (int) (ii [0]) | ((int) ii [1] << 8);
- }
-
-/*
- * x t o l o n g
- *
- * Converts a four byte ugly endianed integer
- * to our platform's integer.
- *
- */
-
-static unsigned long xtolong (unsigned char *ll)
- {
- unsigned long ret;
-
- ret = (
- (((unsigned long) ll [0]) << 0) |
- (((unsigned long) ll [1]) << 8) |
- (((unsigned long) ll [2]) << 16) |
- (((unsigned long) ll [3]) << 24)
- );
-
- return ret;
- }
-
-/*
- * a t o o
- *
- * Ascii octal to decimal.
- * Used for integer encoding inside tar files.
- *
- */
-
-static long atoo (char *s)
- {
- long num = 0L;
-
- while (*s == ' ') s++;
-
- while (*s >= '0' && *s <= '7')
- {
- num <<= 3;
- num += *s++ - '0';
- }
-
- return num;
- }
-
-/*
- * g u e s s _ j a r
- *
- * Try to guess what kind of JAR file this is.
- * Maybe tar, maybe zip. Look in the file for magic
- * or at its filename.
- *
- */
-
-static int jar_guess_jar (char *filename, JAR_FILE fp)
- {
- char *ext;
-
- ext = filename + PORT_Strlen (filename) - 4;
-
- if (!PORT_Strcmp (ext, ".tar"))
- return jarArchTar;
-
- return jarArchZip;
- }
diff --git a/security/nss/lib/jar/jarfile.h b/security/nss/lib/jar/jarfile.h
deleted file mode 100644
index d28b090fa..000000000
--- a/security/nss/lib/jar/jarfile.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JARFILE.H
- *
- * Certain constants and structures for the archive format.
- *
- */
-
-/* ZIP */
-
-struct ZipLocal
- {
- char signature [4];
- char word [2];
- char bitflag [2];
- char method [2];
- char time [2];
- char date [2];
- char crc32 [4];
- char size [4];
- char orglen [4];
- char filename_len [2];
- char extrafield_len [2];
- };
-
-struct ZipCentral
- {
- char signature [4];
- char version_made_by [2];
- char version [2];
- char bitflag [2];
- char method [2];
- char time [2];
- char date [2];
- char crc32 [4];
- char size [4];
- char orglen [4];
- char filename_len [2];
- char extrafield_len [2];
- char commentfield_len [2];
- char diskstart_number [2];
- char internal_attributes [2];
- char external_attributes [4];
- char localhdr_offset [4];
- };
-
-struct ZipEnd
- {
- char signature [4];
- char disk_nr [2];
- char start_central_dir [2];
- char total_entries_disk [2];
- char total_entries_archive [2];
- char central_dir_size [4];
- char offset_central_dir [4];
- char commentfield_len [2];
- };
-
-#define LSIG 0x04034B50l
-#define CSIG 0x02014B50l
-#define ESIG 0x06054B50l
-
-/* TAR */
-
-union TarEntry
- {
- struct header
- {
- char filename [100];
- char mode [8];
- char uid [8];
- char gid [8];
- char size [12];
- char time [12];
- char checksum [8];
- char linkflag;
- char linkname [100];
- }
- val;
-
- char buffer [512];
- };
diff --git a/security/nss/lib/jar/jarint.c b/security/nss/lib/jar/jarint.c
deleted file mode 100644
index 4c8da5986..000000000
--- a/security/nss/lib/jar/jarint.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Internal libjar routines.
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-/*-----------------------------------------------------------------------
- * JAR_FOPEN_to_PR_Open
- * Translate JAR_FOPEN arguments to PR_Open arguments
- */
-PRFileDesc*
-JAR_FOPEN_to_PR_Open(const char* name, const char *mode)
-{
-
- PRIntn prflags=0, prmode=0;
-
- /* Get read/write flags */
- if(strchr(mode, 'r') && !strchr(mode, '+')) {
- prflags |= PR_RDONLY;
- } else if( (strchr(mode, 'w') || strchr(mode, 'a')) &&
- !strchr(mode,'+') ) {
- prflags |= PR_WRONLY;
- } else {
- prflags |= PR_RDWR;
- }
-
- /* Create a new file? */
- if(strchr(mode, 'w') || strchr(mode, 'a')) {
- prflags |= PR_CREATE_FILE;
- }
-
- /* Append? */
- if(strchr(mode, 'a')) {
- prflags |= PR_APPEND;
- }
-
- /* Truncate? */
- if(strchr(mode, 'w')) {
- prflags |= PR_TRUNCATE;
- }
-
- /* We can't do umask because it isn't XP. Choose some default
- mode for created files */
- prmode = 0755;
-
- return PR_Open(name, prflags, prmode);
-}
diff --git a/security/nss/lib/jar/jarint.h b/security/nss/lib/jar/jarint.h
deleted file mode 100644
index 7c437103c..000000000
--- a/security/nss/lib/jar/jarint.h
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/* JAR internal routines */
-
-#include "nspr.h"
-
-/* definitely required */
-#include "certdb.h"
-#include "key.h"
-#include "base64.h"
-
-extern CERTCertDBHandle *JAR_open_database (void);
-
-extern int JAR_close_database (CERTCertDBHandle *certdb);
-
-extern int jar_close_key_database (SECKEYKeyDBHandle *keydb);
-
-extern SECKEYKeyDBHandle *jar_open_key_database (void);
-
-extern JAR_Signer *JAR_new_signer (void);
-
-extern void JAR_destroy_signer (JAR_Signer *signer);
-
-extern JAR_Signer *jar_get_signer (JAR *jar, char *basename);
-
-extern int jar_append (ZZList *list, int type,
- char *pathname, void *data, size_t size);
-
-/* Translate fopen mode arg to PR_Open flags and mode */
-PRFileDesc*
-JAR_FOPEN_to_PR_Open(const char *name, const char *mode);
-
-
-#define ADDITEM(list,type,pathname,data,size) \
- { int err; err = jar_append (list, type, pathname, data, size); \
- if (err < 0) return err; }
-
-/* Here is some ugliness in the event it is necessary to link
- with NSPR 1.0 libraries, which do not include an FSEEK. It is
- difficult to fudge an FSEEK into 1.0 so we use stdio. */
-
-/* stdio */
-#if 0
-#define JAR_FILE FILE *
-#define JAR_FOPEN(fn,mode) fopen(fn,mode)
-#define JAR_FCLOSE fclose
-#define JAR_FSEEK fseek
-#define JAR_FREAD(fp,buf,siz) fread(buf,1,siz,fp)
-#define JAR_FWRITE(fp,buf,siz) fwrite(buf,1,siz,fp)
-#endif
-
-#if 0
-/* nspr 1.0 suite */
-#define JAR_FILE PRFileHandle
-#define JAR_FOPEN(fn,mode) PR_OpenFile(fn,0,mode)
-#define JAR_FCLOSE PR_CLOSE
-#define JAR_FSEEK (no-equivalent)
-#define JAR_FREAD PR_READ
-#define JAR_FWRITE PR_WRITE
-#endif
-
-/* nspr 2.0 suite */
-#define JAR_FILE PRFileDesc *
-/* #define JAR_FOPEN(fn,mode) PR_Open(fn,0,0) */
-#define JAR_FOPEN(fn,mode) JAR_FOPEN_to_PR_Open(fn,mode)
-#define JAR_FCLOSE PR_Close
-#define JAR_FSEEK PR_Seek
-#define JAR_FREAD PR_Read
-#define JAR_FWRITE PR_Write
-
-#if 0
-/* nav XP suite, note argument order */
-#define JAR_FILE XP_File
-#define JAR_FOPEN(fn,mode) XP_FileOpen(fn,xpURL,mode)
-#define JAR_FCLOSE XP_FileClose
-#define JAR_FSEEK XP_FileSeek
-#define JAR_FREAD(fp,buf,siz) XP_FileRead(buf,siz,fp)
-#define JAR_FWRITE(fp,buf,siz) XP_FileWrite(buf,siz,fp)
-#endif
-
-int jar_create_pk7
- (CERTCertDBHandle *certdb, SECKEYKeyDBHandle *keydb,
- CERTCertificate *cert, char *password, JAR_FILE infp,
- JAR_FILE outfp);
-
diff --git a/security/nss/lib/jar/jarjart.c b/security/nss/lib/jar/jarjart.c
deleted file mode 100644
index e188da89b..000000000
--- a/security/nss/lib/jar/jarjart.c
+++ /dev/null
@@ -1,354 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JARJART
- *
- * JAR functions used by Jartool
- */
-
-/* This allows manifest files above 64k to be
- processed on non-win16 platforms */
-
-#include "jar.h"
-#include "jarint.h"
-#include "jarjart.h"
-#include "blapi.h" /* JAR is supposed to be above the line!! */
-#include "pk11func.h" /* PK11 wrapper funcs are all above the line. */
-
-/* from certdb.h */
-#define CERTDB_USER (1<<6)
-
-#if 0
-/* from certdb.h */
-typedef SECStatus (* PermCertCallback)(CERTCertificate *cert, SECItem *k, void *pdata);
-/* from certdb.h */
-SECStatus SEC_TraversePermCerts
- (CERTCertDBHandle *handle, PermCertCallback certfunc, void *udata);
-#endif
-
-/*
- * S O B _ l i s t _ c e r t s
- *
- * Return a list of newline separated certificate nicknames
- * (this function used by the Jartool)
- *
- */
-
-static SECStatus jar_list_cert_callback
- (CERTCertificate *cert, SECItem *k, void *data)
- {
- char *name;
- char **ugly_list;
-
- int trusted;
-
- ugly_list = (char **) data;
-
- if (cert && cert->dbEntry)
- {
- /* name = cert->dbEntry->nickname; */
- name = cert->nickname;
-
- trusted = cert->trust->objectSigningFlags & CERTDB_USER;
-
- /* Add this name or email to list */
-
- if (name && trusted)
- {
- *ugly_list = (char*)PORT_Realloc
- (*ugly_list, PORT_Strlen (*ugly_list) + PORT_Strlen (name) + 2);
-
- if (*ugly_list)
- {
- if (**ugly_list)
- PORT_Strcat (*ugly_list, "\n");
-
- PORT_Strcat (*ugly_list, name);
- }
- }
- }
-
- return (SECSuccess);
- }
-
-/*
- * S O B _ J A R _ l i s t _ c e r t s
- *
- * Return a linfeed separated ascii list of certificate
- * nicknames for the Jartool.
- *
- */
-
-char *JAR_JAR_list_certs (void)
- {
- SECStatus status;
- CERTCertDBHandle *certdb;
-
- char *ugly_list;
-
- certdb = JAR_open_database();
-
- /* a little something */
- ugly_list = (char*)PORT_ZAlloc (16);
-
- if (ugly_list)
- {
- *ugly_list = 0;
-
- status = SEC_TraversePermCerts
- (certdb, jar_list_cert_callback, (void *) &ugly_list);
- }
-
- JAR_close_database (certdb);
-
- return status ? NULL : ugly_list;
- }
-
-int JAR_JAR_validate_archive (char *filename)
- {
- JAR *jar;
- int status = -1;
-
- jar = JAR_new();
-
- if (jar)
- {
- status = JAR_pass_archive (jar, jarArchGuess, filename, "");
-
- if (status == 0)
- status = jar->valid;
-
- JAR_destroy (jar);
- }
-
- return status;
- }
-
-char *JAR_JAR_get_error (int status)
- {
- return JAR_get_error (status);
- }
-
-/*
- * S O B _ J A R _ h a s h
- *
- * Hash algorithm interface for use by the Jartool. Since we really
- * don't know the private sizes of the context, and Java does need to
- * know this number, allocate 512 bytes for it.
- *
- * In april 1997 hashes in this file were changed to call PKCS11,
- * as FIPS requires that when a smartcard has failed validation,
- * hashes are not to be performed. But because of the difficulty of
- * preserving pointer context between calls to the JAR_JAR hashing
- * functions, the hash routines are called directly, though after
- * checking to see if hashing is allowed.
- *
- */
-
-void *JAR_JAR_new_hash (int alg)
- {
- void *context;
-
- MD5Context *md5;
- SHA1Context *sha1;
-
- /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
- if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
- return NULL;
-
- context = PORT_ZAlloc (512);
-
- if (context)
- {
- switch (alg)
- {
- case 1: /* MD5 */
- md5 = (MD5Context *) context;
- MD5_Begin (md5);
- break;
-
- case 2: /* SHA1 */
- sha1 = (SHA1Context *) context;
- SHA1_Begin (sha1);
- break;
- }
- }
-
- return context;
- }
-
-void *JAR_JAR_hash (int alg, void *cookie, int length, void *data)
- {
- MD5Context *md5;
- SHA1Context *sha1;
-
- /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
- if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
- return NULL;
-
- if (length > 0)
- {
- switch (alg)
- {
- case 1: /* MD5 */
- md5 = (MD5Context *) cookie;
- MD5_Update (md5, (unsigned char*)data, length);
- break;
-
- case 2: /* SHA1 */
- sha1 = (SHA1Context *) cookie;
- SHA1_Update (sha1, (unsigned char*)data, length);
- break;
- }
- }
-
- return cookie;
- }
-
-void *JAR_JAR_end_hash (int alg, void *cookie)
- {
- int length;
- unsigned char *data;
- char *ascii;
-
- MD5Context *md5;
- SHA1Context *sha1;
-
- unsigned int md5_length;
- unsigned char md5_digest [MD5_LENGTH];
-
- unsigned int sha1_length;
- unsigned char sha1_digest [SHA1_LENGTH];
-
- /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
- if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
- return NULL;
-
- switch (alg)
- {
- case 1: /* MD5 */
-
- md5 = (MD5Context *) cookie;
-
- MD5_End (md5, md5_digest, &md5_length, MD5_LENGTH);
- /* MD5_DestroyContext (md5, PR_TRUE); */
-
- data = md5_digest;
- length = md5_length;
-
- break;
-
- case 2: /* SHA1 */
-
- sha1 = (SHA1Context *) cookie;
-
- SHA1_End (sha1, sha1_digest, &sha1_length, SHA1_LENGTH);
- /* SHA1_DestroyContext (sha1, PR_TRUE); */
-
- data = sha1_digest;
- length = sha1_length;
-
- break;
-
- default: return NULL;
- }
-
- /* Instead of destroy context, since we created it */
- /* PORT_Free (cookie); */
-
- ascii = BTOA_DataToAscii(data, length);
-
- return ascii ? PORT_Strdup (ascii) : NULL;
- }
-
-/*
- * S O B _ J A R _ s i g n _ a r c h i v e
- *
- * A simple API to sign a JAR archive.
- *
- */
-
-int JAR_JAR_sign_archive
- (char *nickname, char *password, char *sf, char *outsig)
- {
- char *out_fn;
-
- int status = JAR_ERR_GENERAL;
- JAR_FILE sf_fp;
- JAR_FILE out_fp;
-
- CERTCertDBHandle *certdb;
- SECKEYKeyDBHandle *keydb;
-
- CERTCertificate *cert;
-
- /* open cert and key databases */
-
- certdb = JAR_open_database();
- if (certdb == NULL)
- return JAR_ERR_GENERAL;
-
- keydb = jar_open_key_database();
- if (keydb == NULL)
- return JAR_ERR_GENERAL;
-
- out_fn = PORT_Strdup (sf);
-
- if (out_fn == NULL || PORT_Strlen (sf) < 5)
- return JAR_ERR_GENERAL;
-
- sf_fp = JAR_FOPEN (sf, "rb");
- out_fp = JAR_FOPEN (outsig, "wb");
-
- cert = CERT_FindCertByNickname (certdb, nickname);
-
- if (cert && sf_fp && out_fp)
- {
- status = jar_create_pk7 (certdb, keydb, cert, password, sf_fp, out_fp);
- }
-
- /* remove password from prying eyes */
- PORT_Memset (password, 0, PORT_Strlen (password));
-
- JAR_FCLOSE (sf_fp);
- JAR_FCLOSE (out_fp);
-
- JAR_close_database (certdb);
- jar_close_key_database (keydb);
-
- return status;
- }
diff --git a/security/nss/lib/jar/jarjart.h b/security/nss/lib/jar/jarjart.h
deleted file mode 100644
index bb4596e90..000000000
--- a/security/nss/lib/jar/jarjart.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * jarjart.h
- *
- * Functions for the Jartool, which is written in Java and
- * requires wrappers located elsewhere in the client.
- *
- * Do not call these unless you are the Jartool, no matter
- * how convenient they may appear.
- *
- */
-
-#ifndef _JARJART_H_
-#define _JARJART_H_
-
-/* return a list of certificate nicknames, separated by \n's */
-extern char *JAR_JAR_list_certs (void);
-
-/* validate archive, simple api */
-extern int JAR_JAR_validate_archive (char *filename);
-
-/* begin hash */
-extern void *JAR_JAR_new_hash (int alg);
-
-/* hash a streaming pile */
-extern void *JAR_JAR_hash (int alg, void *cookie, int length, void *data);
-
-/* end hash */
-extern void *JAR_JAR_end_hash (int alg, void *cookie);
-
-/* sign the archive (given an .SF file) with the given cert.
- The password argument is a relic, PKCS11 now handles that. */
-
-extern int JAR_JAR_sign_archive
- (char *nickname, char *password, char *sf, char *outsig);
-
-/* convert status to text */
-extern char *JAR_JAR_get_error (int status);
-
-#endif
diff --git a/security/nss/lib/jar/jarnav.c b/security/nss/lib/jar/jarnav.c
deleted file mode 100644
index 2100948ab..000000000
--- a/security/nss/lib/jar/jarnav.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JARNAV.C
- *
- * JAR stuff needed for client only.
- *
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-/* from proto.h */
-#ifdef MOZILLA_CLIENT
-extern MWContext *XP_FindSomeContext(void);
-#endif
-
-/* sigh */
-extern MWContext *FE_GetInitContext(void);
-
-/* To return an MWContext for Java */
-static MWContext *(*jar_fn_FindSomeContext) (void) = NULL;
-
-/* To fabricate an MWContext for FE_GetPassword */
-static MWContext *(*jar_fn_GetInitContext) (void) = NULL;
-
-/*
- * J A R _ i n i t
- *
- * Initialize the JAR functions.
- *
- */
-
-void JAR_init (void)
- {
-#ifdef MOZILLA_CLIENT
- JAR_init_callbacks (XP_GetString, XP_FindSomeContext, FE_GetInitContext);
-#else
- JAR_init_callbacks (XP_GetString, NULL, NULL);
-#endif
- }
-
-/*
- * J A R _ s e t _ c o n t e x t
- *
- * Set the jar window context for use by PKCS11, since
- * it may be needed to prompt the user for a password.
- *
- */
-
-int JAR_set_context (JAR *jar, MWContext *mw)
- {
- if (mw)
- {
- jar->mw = mw;
- }
- else
- {
- /* jar->mw = XP_FindSomeContext(); */
- jar->mw = NULL;
-
- /*
- * We can't find a context because we're in startup state and none
- * exist yet. go get an FE_InitContext that only works at initialization
- * time.
- */
-
- /* Turn on the mac when we get the FE_ function */
- if (jar->mw == NULL)
- {
- jar->mw = jar_fn_GetInitContext();
- }
- }
-
- return 0;
- }
diff --git a/security/nss/lib/jar/jarsign.c b/security/nss/lib/jar/jarsign.c
deleted file mode 100644
index 3518bfa26..000000000
--- a/security/nss/lib/jar/jarsign.c
+++ /dev/null
@@ -1,376 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JARSIGN
- *
- * Routines used in signing archives.
- */
-
-#define USE_MOZ_THREAD
-
-#include "jar.h"
-#include "jarint.h"
-
-#ifdef USE_MOZ_THREAD
-#include "jarevil.h"
-#endif
-
-#include "pk11func.h"
-
-/* from libevent.h */
-typedef void (*ETVoidPtrFunc) (void * data);
-
-#ifdef MOZILLA_CLIENT
-
-extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
-
-/* from proto.h */
-/* extern MWContext *XP_FindSomeContext(void); */
-extern void *XP_FindSomeContext(void);
-
-#endif
-
-/* key database wrapper */
-
-/* static SECKEYKeyDBHandle *jar_open_key_database (void); */
-
-/* CHUNQ is our bite size */
-
-#define CHUNQ 64000
-#define FILECHUNQ 32768
-
-/*
- * J A R _ c a l c u l a t e _ d i g e s t
- *
- * Quick calculation of a digest for
- * the specified block of memory. Will calculate
- * for all supported algorithms, now MD5.
- *
- * This version supports huge pointers for WIN16.
- *
- */
-
-JAR_Digest * PR_CALLBACK JAR_calculate_digest (void ZHUGEP *data, long length)
- {
- long chunq;
- JAR_Digest *dig;
-
- unsigned int md5_length, sha1_length;
-
- PK11Context *md5 = 0;
- PK11Context *sha1 = 0;
-
- dig = (JAR_Digest *) PORT_ZAlloc (sizeof (JAR_Digest));
-
- if (dig == NULL)
- {
- /* out of memory allocating digest */
- return NULL;
- }
-
-#if defined(XP_WIN16)
- PORT_Assert ( !IsBadHugeReadPtr(data, length) );
-#endif
-
- md5 = PK11_CreateDigestContext (SEC_OID_MD5);
- sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
-
- if (length >= 0)
- {
- PK11_DigestBegin (md5);
- PK11_DigestBegin (sha1);
-
- do {
- chunq = length;
-
-#ifdef XP_WIN16
- if (length > CHUNQ) chunq = CHUNQ;
-
- /*
- * If the block of data crosses one or more segment
- * boundaries then only pass the chunk of data in the
- * first segment.
- *
- * This allows the data to be treated as FAR by the
- * PK11_DigestOp(...) routine.
- *
- */
-
- if (OFFSETOF(data) + chunq >= 0x10000)
- chunq = 0x10000 - OFFSETOF(data);
-#endif
-
- PK11_DigestOp (md5, (unsigned char*)data, chunq);
- PK11_DigestOp (sha1, (unsigned char*)data, chunq);
-
- length -= chunq;
- data = ((char ZHUGEP *) data + chunq);
- }
- while (length > 0);
-
- PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
- PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
-
- PK11_DestroyContext (md5, PR_TRUE);
- PK11_DestroyContext (sha1, PR_TRUE);
- }
-
- return dig;
- }
-
-/*
- * J A R _ d i g e s t _ f i l e
- *
- * Calculates the MD5 and SHA1 digests for a file
- * present on disk, and returns these in JAR_Digest struct.
- *
- */
-
-int JAR_digest_file (char *filename, JAR_Digest *dig)
- {
- JAR_FILE fp;
-
- int num;
- unsigned char *buf;
-
- PK11Context *md5 = 0;
- PK11Context *sha1 = 0;
-
- unsigned int md5_length, sha1_length;
-
- buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
- if (buf == NULL)
- {
- /* out of memory */
- return JAR_ERR_MEMORY;
- }
-
- if ((fp = JAR_FOPEN (filename, "rb")) == 0)
- {
- /* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
- PORT_Free (buf);
- return JAR_ERR_FNF;
- }
-
- md5 = PK11_CreateDigestContext (SEC_OID_MD5);
- sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
-
- if (md5 == NULL || sha1 == NULL)
- {
- /* can't generate digest contexts */
- PORT_Free (buf);
- JAR_FCLOSE (fp);
- return JAR_ERR_GENERAL;
- }
-
- PK11_DigestBegin (md5);
- PK11_DigestBegin (sha1);
-
- while (1)
- {
- if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
- break;
-
- PK11_DigestOp (md5, buf, num);
- PK11_DigestOp (sha1, buf, num);
- }
-
- PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
- PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
-
- PK11_DestroyContext (md5, PR_TRUE);
- PK11_DestroyContext (sha1, PR_TRUE);
-
- PORT_Free (buf);
- JAR_FCLOSE (fp);
-
- return 0;
- }
-
-/*
- * J A R _ o p e n _ k e y _ d a t a b a s e
- *
- */
-
-SECKEYKeyDBHandle *jar_open_key_database (void)
- {
- SECKEYKeyDBHandle *keydb;
-
- keydb = SECKEY_GetDefaultKeyDB();
-
- if (keydb == NULL)
- { /* open by file if this fails, if jartool is to call this */ ; }
-
- return keydb;
- }
-
-int jar_close_key_database (SECKEYKeyDBHandle *keydb)
- {
- /* We never do close it */
- return 0;
- }
-
-
-/*
- * j a r _ c r e a t e _ p k 7
- *
- */
-
-static void jar_pk7_out (void *arg, const char *buf, unsigned long len)
- {
- JAR_FWRITE ((JAR_FILE) arg, buf, len);
- }
-
-int jar_create_pk7
- (CERTCertDBHandle *certdb, SECKEYKeyDBHandle *keydb,
- CERTCertificate *cert, char *password, JAR_FILE infp, JAR_FILE outfp)
- {
- int nb;
- unsigned char buffer [4096], digestdata[32];
- SECHashObject *hashObj;
- void *hashcx;
- unsigned int len;
-
- int status = 0;
- char *errstring;
-
- SECItem digest;
- SEC_PKCS7ContentInfo *cinfo;
- SECStatus rv;
-
- void /*MWContext*/ *mw;
-
- if (outfp == NULL || infp == NULL || cert == NULL)
- return JAR_ERR_GENERAL;
-
- /* we sign with SHA */
- hashObj = &SECHashObjects [HASH_AlgSHA1];
-
- hashcx = (* hashObj->create)();
- if (hashcx == NULL)
- return JAR_ERR_GENERAL;
-
- (* hashObj->begin)(hashcx);
-
- while (1)
- {
- /* nspr2.0 doesn't support feof
- if (feof (infp)) break; */
-
- nb = JAR_FREAD (infp, buffer, sizeof (buffer));
- if (nb == 0)
- {
-#if 0
- if (ferror(infp))
- {
- /* PORT_SetError(SEC_ERROR_IO); */ /* FIX */
- (* hashObj->destroy) (hashcx, PR_TRUE);
- return JAR_ERR_GENERAL;
- }
-#endif
- /* eof */
- break;
- }
- (* hashObj->update) (hashcx, buffer, nb);
- }
-
- (* hashObj->end) (hashcx, digestdata, &len, 32);
- (* hashObj->destroy) (hashcx, PR_TRUE);
-
- digest.data = digestdata;
- digest.len = len;
-
- /* signtool must use any old context it can find since it's
- calling from inside javaland. */
-
-#ifdef MOZILLA_CLIENT
- mw = XP_FindSomeContext();
-#else
- mw = NULL;
-#endif
-
- PORT_SetError (0);
-
- cinfo = SEC_PKCS7CreateSignedData
- (cert, certUsageObjectSigner, NULL,
- SEC_OID_SHA1, &digest, NULL, (void *) mw);
-
- if (cinfo == NULL)
- return JAR_ERR_PK7;
-
- rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
- if (rv != SECSuccess)
- {
- status = PORT_GetError();
- SEC_PKCS7DestroyContentInfo (cinfo);
- return status;
- }
-
- /* Having this here forces signtool to always include
- signing time. */
-
- rv = SEC_PKCS7AddSigningTime (cinfo);
- if (rv != SECSuccess)
- {
- /* don't check error */
- }
-
- PORT_SetError (0);
-
-#ifdef USE_MOZ_THREAD
- /* if calling from mozilla */
- rv = jar_moz_encode
- (cinfo, jar_pk7_out, outfp,
- NULL, /* pwfn */ NULL, /* pwarg */ (void *) mw);
-#else
- /* if calling from mozilla thread*/
- rv = SEC_PKCS7Encode
- (cinfo, jar_pk7_out, outfp,
- NULL, /* pwfn */ NULL, /* pwarg */ (void *) mw):
-#endif
-
- if (rv != SECSuccess)
- status = PORT_GetError();
-
- SEC_PKCS7DestroyContentInfo (cinfo);
-
- if (rv != SECSuccess)
- {
- errstring = JAR_get_error (status);
- /*XP_TRACE (("Jar signing failed (reason %d = %s)", status, errstring));*/
- return status < 0 ? status : JAR_ERR_GENERAL;
- }
-
- return 0;
- }
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
deleted file mode 100644
index 2f4f589fe..000000000
--- a/security/nss/lib/jar/jarver.c
+++ /dev/null
@@ -1,2029 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * JARVER
- *
- * Jarnature Parsing & Verification
- */
-
-#define USE_MOZ_THREAD
-
-#include "jar.h"
-#include "jarint.h"
-
-#ifdef USE_MOZ_THREAD
-#include "jarevil.h"
-#endif
-#include "cdbhdl.h"
-
-/* to use huge pointers in win16 */
-
-#if !defined(XP_WIN16)
-#define xp_HUGE_MEMCPY PORT_Memcpy
-#define xp_HUGE_STRCPY PORT_Strcpy
-#define xp_HUGE_STRLEN PORT_Strlen
-#define xp_HUGE_STRNCASECMP PORT_Strncasecmp
-#else
-#define xp_HUGE_MEMCPY hmemcpy
-int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len);
-size_t xp_HUGE_STRLEN (char ZHUGEP *s);
-char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from);
-#endif
-
-/* from certdb.h */
-#define CERTDB_USER (1<<6)
-
-#if 0
-/* from certdb.h */
-extern PRBool SEC_CertNicknameConflict
- (char *nickname, CERTCertDBHandle *handle);
-/* from certdb.h */
-extern SECStatus SEC_AddTempNickname
- (CERTCertDBHandle *handle, char *nickname, SECItem *certKey);
-/* from certdb.h */
-typedef SECStatus (* PermCertCallback)(CERTCertificate *cert, SECItem *k, void *pdata);
-#endif
-
-/* from certdb.h */
-SECStatus SEC_TraversePermCerts
- (CERTCertDBHandle *handle, PermCertCallback certfunc, void *udata);
-
-
-#define SZ 512
-
-static int jar_validate_pkcs7
- (JAR *jar, JAR_Signer *signer, char *data, long length);
-
-static int jar_decode (JAR *jar, char *data, long length);
-
-static void jar_catch_bytes
- (void *arg, const char *buf, unsigned long len);
-
-static int jar_gather_signers
- (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
-
-static char ZHUGEP *jar_eat_line
- (int lines, int eating, char ZHUGEP *data, long *len);
-
-static JAR_Digest *jar_digest_section
- (char ZHUGEP *manifest, long length);
-
-static JAR_Digest *jar_get_mf_digest (JAR *jar, char *path);
-
-static int jar_parse_digital_signature
- (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar);
-
-static int jar_add_cert
- (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
-
-static CERTCertificate *jar_get_certificate
- (JAR *jar, long keylen, void *key, int *result);
-
-static char *jar_cert_element (char *name, char *tag, int occ);
-
-static char *jar_choose_nickname (CERTCertificate *cert);
-
-static char *jar_basename (const char *path);
-
-static int jar_signal
- (int status, JAR *jar, const char *metafile, char *pathname);
-
-static int jar_insanity_check (char ZHUGEP *data, long length);
-
-int jar_parse_mf
- (JAR *jar, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url);
-
-int jar_parse_sf
- (JAR *jar, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url);
-
-int jar_parse_sig
- (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length);
-
-int jar_parse_any
- (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url);
-
-static int jar_internal_digest
- (JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
-
-/*
- * J A R _ p a r s e _ m a n i f e s t
- *
- * Pass manifest files to this function. They are
- * decoded and placed into internal representations.
- *
- * Accepts both signature and manifest files. Use
- * the same "jar" for both.
- *
- */
-
-int JAR_parse_manifest
- (JAR *jar, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url)
- {
-
-#if defined(XP_WIN16)
- PORT_Assert( !IsBadHugeReadPtr(raw_manifest, length) );
-#endif
-
- /* fill in the path, if supplied. This is a the location
- of the jar file on disk, if known */
-
- if (jar->filename == NULL && path)
- {
- jar->filename = PORT_Strdup (path);
- if (jar->filename == NULL)
- return JAR_ERR_MEMORY;
- }
-
- /* fill in the URL, if supplied. This is the place
- from which the jar file was retrieved. */
-
- if (jar->url == NULL && url)
- {
- jar->url = PORT_Strdup (url);
- if (jar->url == NULL)
- return JAR_ERR_MEMORY;
- }
-
- /* Determine what kind of file this is from the META-INF
- directory. It could be MF, SF, or a binary RSA/DSA file */
-
- if (!xp_HUGE_STRNCASECMP (raw_manifest, "Manifest-Version:", 17))
- {
- return jar_parse_mf (jar, raw_manifest, length, path, url);
- }
- else if (!xp_HUGE_STRNCASECMP (raw_manifest, "Signature-Version:", 18))
- {
- return jar_parse_sf (jar, raw_manifest, length, path, url);
- }
- else
- {
- /* This is probably a binary signature */
- return jar_parse_sig (jar, path, raw_manifest, length);
- }
- }
-
-/*
- * j a r _ p a r s e _ s i g
- *
- * Pass some manner of RSA or DSA digital signature
- * on, after checking to see if it comes at an appropriate state.
- *
- */
-
-int jar_parse_sig
- (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length)
- {
- JAR_Signer *signer;
- int status = JAR_ERR_ORDER;
-
- if (length <= 128)
- {
- /* signature is way too small */
- return JAR_ERR_SIG;
- }
-
- /* make sure that MF and SF have already been processed */
-
- if (jar->globalmeta == NULL)
- return JAR_ERR_ORDER;
-
-#if 0
- /* XXX Turn this on to disable multiple signers */
- if (jar->digest == NULL)
- return JAR_ERR_ORDER;
-#endif
-
- /* Determine whether or not this RSA file has
- has an associated SF file */
-
- if (path)
- {
- char *owner;
- owner = jar_basename (path);
-
- if (owner == NULL)
- return JAR_ERR_MEMORY;
-
- signer = jar_get_signer (jar, owner);
-
- PORT_Free (owner);
- }
- else
- signer = jar_get_signer (jar, "*");
-
- if (signer == NULL)
- return JAR_ERR_ORDER;
-
-
- /* Do not pass a huge pointer to this function,
- since the underlying security code is unaware. We will
- never pass >64k through here. */
-
- if (length > 64000)
- {
- /* this digital signature is way too big */
- return JAR_ERR_SIG;
- }
-
-#ifdef XP_WIN16
- /*
- * For Win16, copy the portion of the raw_buffer containing the digital
- * signature into another buffer... This insures that the data will
- * NOT cross a segment boundary. Therefore,
- * jar_parse_digital_signature(...) does NOT need to deal with HUGE
- * pointers...
- */
-
- {
- unsigned char *manifest_copy;
-
- manifest_copy = (unsigned char *) PORT_ZAlloc (length);
- if (manifest_copy)
- {
- xp_HUGE_MEMCPY (manifest_copy, raw_manifest, length);
-
- status = jar_parse_digital_signature
- (manifest_copy, signer, length, jar);
-
- PORT_Free (manifest_copy);
- }
- else
- {
- /* out of memory */
- return JAR_ERR_MEMORY;
- }
- }
-#else
- /* don't expense unneeded calloc overhead on non-win16 */
- status = jar_parse_digital_signature
- (raw_manifest, signer, length, jar);
-#endif
-
- return status;
- }
-
-/*
- * j a r _ p a r s e _ m f
- *
- * Parse the META-INF/manifest.mf file, whose
- * information applies to all signers.
- *
- */
-
-int jar_parse_mf
- (JAR *jar, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url)
- {
- if (jar->globalmeta)
- {
- /* refuse a second manifest file, if passed for some reason */
- return JAR_ERR_ORDER;
- }
-
-
- /* remember a digest for the global section */
-
- jar->globalmeta = jar_digest_section (raw_manifest, length);
-
- if (jar->globalmeta == NULL)
- return JAR_ERR_MEMORY;
-
-
- return jar_parse_any
- (jar, jarTypeMF, NULL, raw_manifest, length, path, url);
- }
-
-/*
- * j a r _ p a r s e _ s f
- *
- * Parse META-INF/xxx.sf, a digitally signed file
- * pointing to a subset of MF sections.
- *
- */
-
-int jar_parse_sf
- (JAR *jar, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url)
- {
- JAR_Signer *signer = NULL;
- int status = JAR_ERR_MEMORY;
-
- if (jar->globalmeta == NULL)
- {
- /* It is a requirement that the MF file be passed before the SF file */
- return JAR_ERR_ORDER;
- }
-
- signer = JAR_new_signer();
-
- if (signer == NULL)
- goto loser;
-
- if (path)
- {
- signer->owner = jar_basename (path);
- if (signer->owner == NULL)
- goto loser;
- }
-
-
- /* check for priors. When someone doctors a jar file
- to contain identical path entries, prevent the second
- one from affecting JAR functions */
-
- if (jar_get_signer (jar, signer->owner))
- {
- /* someone is trying to spoof us */
- status = JAR_ERR_ORDER;
- goto loser;
- }
-
-
- /* remember its digest */
-
- signer->digest = JAR_calculate_digest (raw_manifest, length);
-
- if (signer->digest == NULL)
- goto loser;
-
- /* Add this signer to the jar */
-
- ADDITEM (jar->signers, jarTypeOwner,
- signer->owner, signer, sizeof (JAR_Signer));
-
-
- return jar_parse_any
- (jar, jarTypeSF, signer, raw_manifest, length, path, url);
-
-loser:
-
- if (signer)
- JAR_destroy_signer (signer);
-
- return status;
- }
-
-/*
- * j a r _ p a r s e _ a n y
- *
- * Parse a MF or SF manifest file.
- *
- */
-
-int jar_parse_any
- (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest,
- long length, const char *path, const char *url)
- {
- int status;
-
- long raw_len;
-
- JAR_Digest *dig, *mfdig = NULL;
-
- char line [SZ];
- char x_name [SZ], x_md5 [SZ], x_sha [SZ];
-
- char *x_info;
-
- char *sf_md5 = NULL, *sf_sha1 = NULL;
-
- *x_name = 0;
- *x_md5 = 0;
- *x_sha = 0;
-
- PORT_Assert( length > 0 );
- raw_len = length;
-
-#ifdef DEBUG
- if ((status = jar_insanity_check (raw_manifest, raw_len)) < 0)
- return status;
-#endif
-
-
- /* null terminate the first line */
- raw_manifest = jar_eat_line (0, PR_TRUE, raw_manifest, &raw_len);
-
-
- /* skip over the preliminary section */
- /* This is one section at the top of the file with global metainfo */
-
- while (raw_len)
- {
- JAR_Metainfo *met;
-
- raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
- if (!*raw_manifest) break;
-
- met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
- if (met == NULL)
- return JAR_ERR_MEMORY;
-
- /* Parse out the header & info */
-
- if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
- {
- /* almost certainly nonsense */
- continue;
- }
-
- xp_HUGE_STRCPY (line, raw_manifest);
- x_info = line;
-
- while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
- x_info++;
-
- if (*x_info) *x_info++ = 0;
-
- while (*x_info == ' ' || *x_info == '\t')
- x_info++;
-
- /* metainfo (name, value) pair is now (line, x_info) */
-
- met->header = PORT_Strdup (line);
- met->info = PORT_Strdup (x_info);
-
- if (type == jarTypeMF)
- {
- ADDITEM (jar->metainfo, jarTypeMeta,
- /* pathname */ NULL, met, sizeof (JAR_Metainfo));
- }
-
- /* For SF files, this metadata may be the digests
- of the MF file, still in the "met" structure. */
-
- if (type == jarTypeSF)
- {
- if (!PORT_Strcasecmp (line, "MD5-Digest"))
- sf_md5 = (char *) met->info;
-
- if (!PORT_Strcasecmp (line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
- sf_sha1 = (char *) met->info;
- }
- }
-
- if (type == jarTypeSF && jar->globalmeta)
- {
- /* this is a SF file which may contain a digest of the manifest.mf's
- global metainfo. */
-
- int match = 0;
- JAR_Digest *glob = jar->globalmeta;
-
- if (sf_md5)
- {
- unsigned int md5_length;
- unsigned char *md5_digest;
-
- md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
- PORT_Assert( md5_length == MD5_LENGTH );
-
- if (md5_length != MD5_LENGTH)
- return JAR_ERR_CORRUPT;
-
- match = PORT_Memcmp (md5_digest, glob->md5, MD5_LENGTH);
- }
-
- if (sf_sha1 && match == 0)
- {
- unsigned int sha1_length;
- unsigned char *sha1_digest;
-
- sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
- PORT_Assert( sha1_length == SHA1_LENGTH );
-
- if (sha1_length != SHA1_LENGTH)
- return JAR_ERR_CORRUPT;
-
- match = PORT_Memcmp (sha1_digest, glob->sha1, SHA1_LENGTH);
- }
-
- if (match != 0)
- {
- /* global digest doesn't match, SF file therefore invalid */
- jar->valid = JAR_ERR_METADATA;
- return JAR_ERR_METADATA;
- }
- }
-
- /* done with top section of global data */
-
-
- while (raw_len)
- {
- *x_md5 = 0;
- *x_sha = 0;
- *x_name = 0;
-
-
- /* If this is a manifest file, attempt to get a digest of the following section,
- without damaging it. This digest will be saved later. */
-
- if (type == jarTypeMF)
- {
- char ZHUGEP *sec;
- long sec_len = raw_len;
-
- if (!*raw_manifest || *raw_manifest == '\n')
- {
- /* skip the blank line */
- sec = jar_eat_line (1, PR_FALSE, raw_manifest, &sec_len);
- }
- else
- sec = raw_manifest;
-
- if (!xp_HUGE_STRNCASECMP (sec, "Name:", 5))
- {
- if (type == jarTypeMF)
- mfdig = jar_digest_section (sec, sec_len);
- else
- mfdig = NULL;
- }
- }
-
-
- while (raw_len)
- {
- raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
- if (!*raw_manifest) break; /* blank line, done with this entry */
-
- if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
- {
- /* almost certainly nonsense */
- continue;
- }
-
-
- /* Parse out the name/value pair */
-
- xp_HUGE_STRCPY (line, raw_manifest);
- x_info = line;
-
- while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
- x_info++;
-
- if (*x_info) *x_info++ = 0;
-
- while (*x_info == ' ' || *x_info == '\t')
- x_info++;
-
-
- if (!PORT_Strcasecmp (line, "Name"))
- PORT_Strcpy (x_name, x_info);
-
- else if (!PORT_Strcasecmp (line, "MD5-Digest"))
- PORT_Strcpy (x_md5, x_info);
-
- else if (!PORT_Strcasecmp (line, "SHA1-Digest")
- || !PORT_Strcasecmp (line, "SHA-Digest"))
- {
- PORT_Strcpy (x_sha, x_info);
- }
-
- /* Algorithm list is meta info we don't care about; keeping it out
- of metadata saves significant space for large jar files */
-
- else if (!PORT_Strcasecmp (line, "Digest-Algorithms")
- || !PORT_Strcasecmp (line, "Hash-Algorithms"))
- {
- continue;
- }
-
- /* Meta info is only collected for the manifest.mf file,
- since the JAR_get_metainfo call does not support identity */
-
- else if (type == jarTypeMF)
- {
- JAR_Metainfo *met;
-
- /* this is meta-data */
-
- met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
-
- if (met == NULL)
- return JAR_ERR_MEMORY;
-
- /* metainfo (name, value) pair is now (line, x_info) */
-
- if ((met->header = PORT_Strdup (line)) == NULL)
- return JAR_ERR_MEMORY;
-
- if ((met->info = PORT_Strdup (x_info)) == NULL)
- return JAR_ERR_MEMORY;
-
- ADDITEM (jar->metainfo, jarTypeMeta,
- x_name, met, sizeof (JAR_Metainfo));
- }
- }
-
- if(!x_name || !*x_name) {
- /* Whatever that was, it wasn't an entry, because we didn't get a name.
- * We don't really have anything, so don't record this. */
- continue;
- }
-
- dig = (JAR_Digest*)PORT_ZAlloc (sizeof (JAR_Digest));
- if (dig == NULL)
- return JAR_ERR_MEMORY;
-
- if (*x_md5 )
- {
- unsigned int binary_length;
- unsigned char *binary_digest;
-
- binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
- PORT_Assert( binary_length == MD5_LENGTH );
-
- if (binary_length != MD5_LENGTH)
- return JAR_ERR_CORRUPT;
-
- memcpy (dig->md5, binary_digest, MD5_LENGTH);
- dig->md5_status = jarHashPresent;
- }
-
- if (*x_sha )
- {
- unsigned int binary_length;
- unsigned char *binary_digest;
-
- binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
- PORT_Assert( binary_length == SHA1_LENGTH );
-
- if (binary_length != SHA1_LENGTH)
- return JAR_ERR_CORRUPT;
-
- memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
- dig->sha1_status = jarHashPresent;
- }
-
- PORT_Assert( type == jarTypeMF || type == jarTypeSF );
-
-
- if (type == jarTypeMF)
- {
- ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
- }
- else if (type == jarTypeSF)
- {
- ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
- }
- else
- return JAR_ERR_ORDER;
-
- /* we're placing these calculated digests of manifest.mf
- sections in a list where they can subsequently be forgotten */
-
- if (type == jarTypeMF && mfdig)
- {
- ADDITEM (jar->manifest, jarTypeSect,
- x_name, mfdig, sizeof (JAR_Digest));
-
- mfdig = NULL;
- }
-
-
- /* Retrieve our saved SHA1 digest from saved copy and check digests.
- This is just comparing the digest of the MF section as indicated in
- the SF file with the one we remembered from parsing the MF file */
-
- if (type == jarTypeSF)
- {
- if ((status = jar_internal_digest (jar, path, x_name, dig)) < 0)
- return status;
- }
- }
-
- return 0;
- }
-
-static int jar_internal_digest
- (JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
- {
- int cv;
- int status;
-
- JAR_Digest *savdig;
-
- savdig = jar_get_mf_digest (jar, x_name);
-
- if (savdig == NULL)
- {
- /* no .mf digest for this pathname */
- status = jar_signal (JAR_ERR_ENTRY, jar, path, x_name);
- if (status < 0)
- return 0; /* was continue; */
- else
- return status;
- }
-
- /* check for md5 consistency */
- if (dig->md5_status)
- {
- cv = PORT_Memcmp (savdig->md5, dig->md5, MD5_LENGTH);
- /* md5 hash of .mf file is not what expected */
- if (cv)
- {
- status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
-
- /* bad hash, man */
-
- dig->md5_status = jarHashBad;
- savdig->md5_status = jarHashBad;
-
- if (status < 0)
- return 0; /* was continue; */
- else
- return status;
- }
- }
-
- /* check for sha1 consistency */
- if (dig->sha1_status)
- {
- cv = PORT_Memcmp (savdig->sha1, dig->sha1, SHA1_LENGTH);
- /* sha1 hash of .mf file is not what expected */
- if (cv)
- {
- status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
-
- /* bad hash, man */
-
- dig->sha1_status = jarHashBad;
- savdig->sha1_status = jarHashBad;
-
- if (status < 0)
- return 0; /* was continue; */
- else
- return status;
- }
- }
- return 0;
- }
-
-#ifdef DEBUG
-/*
- * j a r _ i n s a n i t y _ c h e c k
- *
- * Check for illegal characters (or possibly so)
- * in the manifest files, to detect potential memory
- * corruption by our neighbors. Debug only, since
- * not I18N safe.
- *
- */
-
-static int jar_insanity_check (char ZHUGEP *data, long length)
- {
- int c;
- long off;
-
- for (off = 0; off < length; off++)
- {
- c = data [off];
-
- if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
- continue;
-
- return JAR_ERR_CORRUPT;
- }
-
- return 0;
- }
-#endif
-
-/*
- * j a r _ p a r s e _ d i g i t a l _ s i g n a t u r e
- *
- * Parse an RSA or DSA (or perhaps other) digital signature.
- * Right now everything is PKCS7.
- *
- */
-
-static int jar_parse_digital_signature
- (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar)
- {
-#if defined(XP_WIN16)
- PORT_Assert( LOWORD(raw_manifest) + length < 0xFFFF );
-#endif
- return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
- }
-
-/*
- * j a r _ a d d _ c e r t
- *
- * Add information for the given certificate
- * (or whatever) to the JAR linked list. A pointer
- * is passed for some relevant reference, say
- * for example the original certificate.
- *
- */
-
-static int jar_add_cert
- (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
- {
- JAR_Cert *fing;
-
- if (cert == NULL)
- return JAR_ERR_ORDER;
-
- fing = (JAR_Cert*)PORT_ZAlloc (sizeof (JAR_Cert));
-
- if (fing == NULL)
- goto loser;
-
-#ifdef USE_MOZ_THREAD
- fing->cert = jar_moz_dup (cert);
-#else
- fing->cert = CERT_DupCertificate (cert);
-#endif
-
- /* get the certkey */
-
- fing->length = cert->certKey.len;
-
- fing->key = (char *) PORT_ZAlloc (fing->length);
-
- if (fing->key == NULL)
- goto loser;
-
- PORT_Memcpy (fing->key, cert->certKey.data, fing->length);
-
- ADDITEM (signer->certs, type,
- /* pathname */ NULL, fing, sizeof (JAR_Cert));
-
- return 0;
-
-loser:
-
- if (fing)
- {
- if (fing->cert)
- CERT_DestroyCertificate (fing->cert);
-
- PORT_Free (fing);
- }
-
- return JAR_ERR_MEMORY;
- }
-
-/*
- * e a t _ l i n e
- *
- * Consume an ascii line from the top of a file kept
- * in memory. This destroys the file in place. This function
- * handles PC, Mac, and Unix style text files.
- *
- */
-
-static char ZHUGEP *jar_eat_line
- (int lines, int eating, char ZHUGEP *data, long *len)
- {
- char ZHUGEP *ret;
-
- ret = data;
- if (!*len) return ret;
-
- /* Eat the requisite number of lines, if any;
- prior to terminating the current line with a 0. */
-
- for (/* yip */ ; lines; lines--)
- {
- while (*data && *data != '\n')
- data++;
-
- /* After the CR, ok to eat one LF */
-
- if (*data == '\n')
- data++;
-
- /* If there are zeros, we put them there */
-
- while (*data == 0 && data - ret < *len)
- data++;
- }
-
- *len -= data - ret;
- ret = data;
-
- if (eating)
- {
- /* Terminate this line with a 0 */
-
- while (*data && *data != '\n' && *data != '\r')
- data++;
-
- /* In any case we are allowed to eat CR */
-
- if (*data == '\r')
- *data++ = 0;
-
- /* After the CR, ok to eat one LF */
-
- if (*data == '\n')
- *data++ = 0;
- }
-
- return ret;
- }
-
-/*
- * j a r _ d i g e s t _ s e c t i o n
- *
- * Return the digests of the next section of the manifest file.
- * Does not damage the manifest file, unlike parse_manifest.
- *
- */
-
-static JAR_Digest *jar_digest_section
- (char ZHUGEP *manifest, long length)
- {
- long global_len;
- char ZHUGEP *global_end;
-
- global_end = manifest;
- global_len = length;
-
- while (global_len)
- {
- global_end = jar_eat_line (1, PR_FALSE, global_end, &global_len);
- if (*global_end == 0 || *global_end == '\n')
- break;
- }
-
- return JAR_calculate_digest (manifest, global_end - manifest);
- }
-
-/*
- * J A R _ v e r i f y _ d i g e s t
- *
- * Verifies that a precalculated digest matches the
- * expected value in the manifest.
- *
- */
-
-int PR_CALLBACK JAR_verify_digest
- (JAR *jar, const char *name, JAR_Digest *dig)
- {
- JAR_Item *it;
-
- JAR_Digest *shindig;
-
- ZZLink *link;
- ZZList *list;
-
- int result1, result2;
-
- list = jar->hashes;
-
- result1 = result2 = 0;
-
- if (jar->valid < 0)
- {
- /* signature not valid */
- return JAR_ERR_SIG;
- }
-
- if (ZZ_ListEmpty (list))
- {
- /* empty list */
- return JAR_ERR_PNF;
- }
-
- for (link = ZZ_ListHead (list);
- !ZZ_ListIterDone (list, link);
- link = link->next)
- {
- it = link->thing;
- if (it->type == jarTypeMF
- && it->pathname && !PORT_Strcmp (it->pathname, name))
- {
- shindig = (JAR_Digest *) it->data;
-
- if (shindig->md5_status)
- {
- if (shindig->md5_status == jarHashBad)
- return JAR_ERR_HASH;
- else
- result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
- }
-
- if (shindig->sha1_status)
- {
- if (shindig->sha1_status == jarHashBad)
- return JAR_ERR_HASH;
- else
- result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
- }
-
- return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
- }
- }
-
- return JAR_ERR_PNF;
- }
-
-/*
- * J A R _ c e r t _ a t t r i b u t e
- *
- * Return the named certificate attribute from the
- * certificate specified by the given key.
- *
- */
-
-int PR_CALLBACK JAR_cert_attribute
- (JAR *jar, jarCert attrib, long keylen, void *key,
- void **result, unsigned long *length)
- {
- int status = 0;
- char *ret = NULL;
-
- CERTCertificate *cert;
-
- CERTCertDBHandle *certdb;
-
- JAR_Digest *dig;
- SECItem hexme;
-
- *length = 0;
-
- if (attrib == 0 || key == 0)
- return JAR_ERR_GENERAL;
-
- if (attrib == jarCertJavaHack)
- {
- cert = (CERTCertificate *) NULL;
- certdb = JAR_open_database();
-
- if (certdb)
- {
-#ifdef USE_MOZ_THREAD
- cert = jar_moz_nickname (certdb, (char*)key);
-#else
- cert = CERT_FindCertByNickname (certdb, key);
-#endif
-
- if (cert)
- {
- *length = cert->certKey.len;
-
- *result = (void *) PORT_ZAlloc (*length);
-
- if (*result)
- PORT_Memcpy (*result, cert->certKey.data, *length);
- else
- return JAR_ERR_MEMORY;
- }
- JAR_close_database (certdb);
- }
-
- return cert ? 0 : JAR_ERR_GENERAL;
- }
-
- if (jar && jar->pkcs7 == 0)
- return JAR_ERR_GENERAL;
-
- cert = jar_get_certificate (jar, keylen, key, &status);
-
- if (cert == NULL || status < 0)
- return JAR_ERR_GENERAL;
-
-#define SEP " <br> "
-#define SEPLEN (PORT_Strlen(SEP))
-
- switch (attrib)
- {
- case jarCertCompany:
-
- ret = cert->subjectName;
-
- /* This is pretty ugly looking but only used
- here for this one purpose. */
-
- if (ret)
- {
- int retlen = 0;
-
- char *cer_ou1, *cer_ou2, *cer_ou3;
- char *cer_cn, *cer_e, *cer_o, *cer_l;
-
- cer_cn = CERT_GetCommonName (&cert->subject);
- cer_e = CERT_GetCertEmailAddress (&cert->subject);
- cer_ou3 = jar_cert_element (ret, "OU=", 3);
- cer_ou2 = jar_cert_element (ret, "OU=", 2);
- cer_ou1 = jar_cert_element (ret, "OU=", 1);
- cer_o = CERT_GetOrgName (&cert->subject);
- cer_l = CERT_GetCountryName (&cert->subject);
-
- if (cer_cn) retlen += SEPLEN + PORT_Strlen (cer_cn);
- if (cer_e) retlen += SEPLEN + PORT_Strlen (cer_e);
- if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
- if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
- if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
- if (cer_o) retlen += SEPLEN + PORT_Strlen (cer_o);
- if (cer_l) retlen += SEPLEN + PORT_Strlen (cer_l);
-
- ret = (char *) PORT_ZAlloc (1 + retlen);
-
- if (cer_cn) { PORT_Strcpy (ret, cer_cn); PORT_Strcat (ret, SEP); }
- if (cer_e) { PORT_Strcat (ret, cer_e); PORT_Strcat (ret, SEP); }
- if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
- if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
- if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
- if (cer_o) { PORT_Strcat (ret, cer_o); PORT_Strcat (ret, SEP); }
- if (cer_l) PORT_Strcat (ret, cer_l);
-
- /* return here to avoid unsightly memory leak */
-
- *result = ret;
- *length = PORT_Strlen (ret);
-
- return 0;
- }
- break;
-
- case jarCertCA:
-
- ret = cert->issuerName;
-
- if (ret)
- {
- int retlen = 0;
-
- char *cer_ou1, *cer_ou2, *cer_ou3;
- char *cer_cn, *cer_e, *cer_o, *cer_l;
-
- /* This is pretty ugly looking but only used
- here for this one purpose. */
-
- cer_cn = CERT_GetCommonName (&cert->issuer);
- cer_e = CERT_GetCertEmailAddress (&cert->issuer);
- cer_ou3 = jar_cert_element (ret, "OU=", 3);
- cer_ou2 = jar_cert_element (ret, "OU=", 2);
- cer_ou1 = jar_cert_element (ret, "OU=", 1);
- cer_o = CERT_GetOrgName (&cert->issuer);
- cer_l = CERT_GetCountryName (&cert->issuer);
-
- if (cer_cn) retlen += SEPLEN + PORT_Strlen (cer_cn);
- if (cer_e) retlen += SEPLEN + PORT_Strlen (cer_e);
- if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
- if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
- if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
- if (cer_o) retlen += SEPLEN + PORT_Strlen (cer_o);
- if (cer_l) retlen += SEPLEN + PORT_Strlen (cer_l);
-
- ret = (char *) PORT_ZAlloc (1 + retlen);
-
- if (cer_cn) { PORT_Strcpy (ret, cer_cn); PORT_Strcat (ret, SEP); }
- if (cer_e) { PORT_Strcat (ret, cer_e); PORT_Strcat (ret, SEP); }
- if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
- if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
- if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
- if (cer_o) { PORT_Strcat (ret, cer_o); PORT_Strcat (ret, SEP); }
- if (cer_l) PORT_Strcat (ret, cer_l);
-
- /* return here to avoid unsightly memory leak */
-
- *result = ret;
- *length = PORT_Strlen (ret);
-
- return 0;
- }
-
- break;
-
- case jarCertSerial:
-
- ret = CERT_Hexify (&cert->serialNumber, 1);
- break;
-
- case jarCertExpires:
-
- ret = DER_UTCDayToAscii (&cert->validity.notAfter);
- break;
-
- case jarCertNickname:
-
- ret = jar_choose_nickname (cert);
- break;
-
- case jarCertFinger:
-
- dig = JAR_calculate_digest
- ((char *) cert->derCert.data, cert->derCert.len);
-
- if (dig)
- {
- hexme.len = sizeof (dig->md5);
- hexme.data = dig->md5;
- ret = CERT_Hexify (&hexme, 1);
- }
- break;
-
- default:
-
- return JAR_ERR_GENERAL;
- }
-
- *result = ret ? PORT_Strdup (ret) : NULL;
- *length = ret ? PORT_Strlen (ret) : 0;
-
- return 0;
- }
-
-/*
- * j a r _ c e r t _ e l e m e n t
- *
- * Retrieve an element from an x400ish ascii
- * designator, in a hackish sort of way. The right
- * thing would probably be to sort AVATags.
- *
- */
-
-static char *jar_cert_element (char *name, char *tag, int occ)
- {
- if (name && tag)
- {
- char *s;
- int found = 0;
-
- while (occ--)
- {
- if (PORT_Strstr (name, tag))
- {
- name = PORT_Strstr (name, tag) + PORT_Strlen (tag);
- found = 1;
- }
- else
- {
- name = PORT_Strstr (name, "=");
- if (name == NULL) return NULL;
- found = 0;
- }
- }
-
- if (!found) return NULL;
-
- /* must mangle only the copy */
- name = PORT_Strdup (name);
-
- /* advance to next equal */
- for (s = name; *s && *s != '='; s++)
- /* yip */ ;
-
- /* back up to previous comma */
- while (s > name && *s != ',') s--;
-
- /* zap the whitespace and return */
- *s = 0;
- }
-
- return name;
- }
-
-/*
- * j a r _ c h o o s e _ n i c k n a m e
- *
- * Attempt to determine a suitable nickname for
- * a certificate with a computer-generated "tmpcertxxx"
- * nickname. It needs to be something a user can
- * understand, so try a few things.
- *
- */
-
-static char *jar_choose_nickname (CERTCertificate *cert)
- {
- char *cert_cn;
- char *cert_o;
- char *cert_cn_o;
-
- int cn_o_length;
-
- /* is the existing name ok */
-
- if (cert->nickname && PORT_Strncmp (cert->nickname, "tmpcert", 7))
- return PORT_Strdup (cert->nickname);
-
- /* we have an ugly name here people */
-
- /* Try the CN */
- cert_cn = CERT_GetCommonName (&cert->subject);
-
- if (cert_cn)
- {
- /* check for duplicate nickname */
-
-#ifdef USE_MOZ_THREAD
- if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
-#else
- if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
-#endif
- return cert_cn;
-
- /* Try the CN plus O */
- cert_o = CERT_GetOrgName (&cert->subject);
-
- cn_o_length = PORT_Strlen (cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
- cert_cn_o = (char*)PORT_ZAlloc (cn_o_length);
-
- PR_snprintf (cert_cn_o, cn_o_length,
- "%s's %s Certificate", cert_cn, cert_o);
-
-#ifdef USE_MOZ_THREAD
- if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
-#else
- if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
-#endif
- return cert_cn;
- }
-
- /* If all that failed, use the ugly nickname */
- return cert->nickname ? PORT_Strdup (cert->nickname) : NULL;
- }
-
-/*
- * J A R _ c e r t _ h t m l
- *
- * Return an HTML representation of the certificate
- * designated by the given fingerprint, in specified style.
- *
- * JAR is optional, but supply it if you can in order
- * to optimize.
- *
- */
-
-char *JAR_cert_html
- (JAR *jar, int style, long keylen, void *key, int *result)
- {
- char *html;
- CERTCertificate *cert;
-
- *result = -1;
-
- if (style != 0)
- return NULL;
-
- cert = jar_get_certificate (jar, keylen, key, result);
-
- if (cert == NULL || *result < 0)
- return NULL;
-
- *result = 0;
-
- html = CERT_HTMLCertInfo (cert, /* show images */ PR_TRUE,
- /*show issuer*/PR_TRUE);
-
- if (html == NULL)
- *result = -1;
-
- return html;
- }
-
-/*
- * J A R _ s t a s h _ c e r t
- *
- * Stash the certificate pointed to by this
- * fingerprint, in persistent storage somewhere.
- *
- */
-
-extern int PR_CALLBACK JAR_stash_cert
- (JAR *jar, long keylen, void *key)
- {
- int result = 0;
-
- char *nickname;
- CERTCertTrust trust;
-
- CERTCertDBHandle *certdb;
- CERTCertificate *cert, *newcert;
-
- cert = jar_get_certificate (jar, keylen, key, &result);
-
- if (result < 0)
- return result;
-
- if (cert == NULL)
- return JAR_ERR_GENERAL;
-
- if ((certdb = JAR_open_database()) == NULL)
- return JAR_ERR_GENERAL;
-
- /* Attempt to give a name to the newish certificate */
- nickname = jar_choose_nickname (cert);
-
-#ifdef USE_MOZ_THREAD
- newcert = jar_moz_nickname (certdb, nickname);
-#else
- newcert = CERT_FindCertByNickname (certdb, nickname);
-#endif
-
- if (newcert && newcert->isperm)
- {
- /* already in permanant database */
- return 0;
- }
-
- if (newcert) cert = newcert;
-
- /* FIX, since FindCert returns a bogus dbhandle
- set it ourselves */
-
- cert->dbhandle = certdb;
-
-#if 0
- nickname = cert->subjectName;
- if (nickname)
- {
- /* Not checking for a conflict here. But this should
- be a new cert or it would have been found earlier. */
-
- nickname = jar_cert_element (nickname, "CN=", 1);
-
- if (SEC_CertNicknameConflict (nickname, cert->dbhandle))
- {
- /* conflict */
- nickname = PORT_Realloc (&nickname, PORT_Strlen (nickname) + 3);
-
- /* Beyond one copy, there are probably serious problems
- so we will stop at two rather than counting.. */
-
- PORT_Strcat (nickname, " #2");
- }
- }
-#endif
-
- if (nickname != NULL)
- {
- PORT_Memset ((void *) &trust, 0, sizeof(trust));
-
-#ifdef USE_MOZ_THREAD
- if (jar_moz_perm (cert, nickname, &trust) != SECSuccess)
-#else
- if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess)
-#endif
- {
- /* XXX might want to call PORT_GetError here */
- result = JAR_ERR_GENERAL;
- }
- }
-
- JAR_close_database (certdb);
-
- return result;
- }
-
-/*
- * J A R _ f e t c h _ c e r t
- *
- * Given an opaque identifier of a certificate,
- * return the full certificate.
- *
- * The new function, which retrieves by key.
- *
- */
-
-void *JAR_fetch_cert (long length, void *key)
- {
- SECItem seckey;
- CERTCertificate *cert = NULL;
-
- CERTCertDBHandle *certdb;
-
- certdb = JAR_open_database();
-
- if (certdb)
- {
- seckey.len = length;
- seckey.data = (unsigned char*)key;
-
-#ifdef USE_MOZ_THREAD
- cert = jar_moz_certkey (certdb, &seckey);
-#else
- cert = CERT_FindCertByKey (certdb, &seckey);
-#endif
-
- JAR_close_database (certdb);
- }
-
- return (void *) cert;
- }
-
-/*
- * j a r _ g e t _ m f _ d i g e s t
- *
- * Retrieve a corresponding saved digest over a section
- * of the main manifest file.
- *
- */
-
-static JAR_Digest *jar_get_mf_digest (JAR *jar, char *pathname)
- {
- JAR_Item *it;
-
- JAR_Digest *dig;
-
- ZZLink *link;
- ZZList *list;
-
- list = jar->manifest;
-
- if (ZZ_ListEmpty (list))
- return NULL;
-
- for (link = ZZ_ListHead (list);
- !ZZ_ListIterDone (list, link);
- link = link->next)
- {
- it = link->thing;
- if (it->type == jarTypeSect
- && it->pathname && !PORT_Strcmp (it->pathname, pathname))
- {
- dig = (JAR_Digest *) it->data;
- return dig;
- }
- }
-
- return NULL;
- }
-
-/*
- * j a r _ b a s e n a m e
- *
- * Return the basename -- leading components of path stripped off,
- * extension ripped off -- of a path.
- *
- */
-
-static char *jar_basename (const char *path)
- {
- char *pith, *e, *basename, *ext;
-
- if (path == NULL)
- return PORT_Strdup ("");
-
- pith = PORT_Strdup (path);
-
- basename = pith;
-
- while (1)
- {
- for (e = basename; *e && *e != '/' && *e != '\\'; e++)
- /* yip */ ;
- if (*e)
- basename = ++e;
- else
- break;
- }
-
- if ((ext = PORT_Strrchr (basename, '.')) != NULL)
- *ext = 0;
-
- /* We already have the space allocated */
- PORT_Strcpy (pith, basename);
-
- return pith;
- }
-
-/*
- * + + + + + + + + + + + + + + +
- *
- * CRYPTO ROUTINES FOR JAR
- *
- * The following functions are the cryptographic
- * interface to PKCS7 for Jarnatures.
- *
- * + + + + + + + + + + + + + + +
- *
- */
-
-/*
- * j a r _ c a t c h _ b y t e s
- *
- * In the event signatures contain enveloped data, it will show up here.
- * But note that the lib/pkcs7 routines aren't ready for it.
- *
- */
-
-static void jar_catch_bytes
- (void *arg, const char *buf, unsigned long len)
- {
- /* Actually this should never be called, since there is
- presumably no data in the signature itself. */
- }
-
-/*
- * j a r _ v a l i d a t e _ p k c s 7
- *
- * Validate (and decode, if necessary) a binary pkcs7
- * signature in DER format.
- *
- */
-
-static int jar_validate_pkcs7
- (JAR *jar, JAR_Signer *signer, char *data, long length)
- {
- SECItem detdig;
-
- SEC_PKCS7ContentInfo *cinfo;
- SEC_PKCS7DecoderContext *dcx;
-
- int status = 0;
- char *errstring = NULL;
-
- PORT_Assert( jar != NULL && signer != NULL );
-
- if (jar == NULL || signer == NULL)
- return JAR_ERR_ORDER;
-
- signer->valid = JAR_ERR_SIG;
-
- /* We need a context if we can get one */
-
-#ifdef MOZILLA_CLIENT
- if (jar->mw == NULL) {
- JAR_set_context (jar, NULL);
- }
-#endif
-
-
- dcx = SEC_PKCS7DecoderStart
- (jar_catch_bytes, NULL /*cb_arg*/, NULL /*getpassword*/, jar->mw,
- NULL, NULL, NULL);
-
- if (dcx != NULL)
- {
- SEC_PKCS7DecoderUpdate (dcx, data, length);
- cinfo = SEC_PKCS7DecoderFinish (dcx);
- }
-
- if (cinfo == NULL)
- {
- /* strange pkcs7 failure */
- return JAR_ERR_PK7;
- }
-
- if (SEC_PKCS7ContentIsEncrypted (cinfo))
- {
- /* content was encrypted, fail */
- return JAR_ERR_PK7;
- }
-
- if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE)
- {
- /* content was not signed, fail */
- return JAR_ERR_PK7;
- }
-
- PORT_SetError (0);
-
- /* use SHA1 only */
-
- detdig.len = SHA1_LENGTH;
- detdig.data = signer->digest->sha1;
-
-#ifdef USE_MOZ_THREAD
- if (jar_moz_verify
- (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
- SECSuccess)
-#else
- if (SEC_PKCS7VerifyDetachedSignature
- (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
- PR_TRUE)
-#endif
- {
- /* signature is valid */
- signer->valid = 0;
- jar_gather_signers (jar, signer, cinfo);
- }
- else
- {
- status = PORT_GetError();
-
- PORT_Assert( status < 0 );
- if (status >= 0) status = JAR_ERR_SIG;
-
- jar->valid = status;
- signer->valid = status;
-
- errstring = JAR_get_error (status);
- /*XP_TRACE(("JAR signature invalid (reason %d = %s)", status, errstring));*/
- }
-
- jar->pkcs7 = PR_TRUE;
- signer->pkcs7 = PR_TRUE;
-
- SEC_PKCS7DestroyContentInfo (cinfo);
-
- return status;
- }
-
-/*
- * j a r _ g a t h e r _ s i g n e r s
- *
- * Add the single signer of this signature to the
- * certificate linked list.
- *
- */
-
-static int jar_gather_signers
- (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
- {
- int result;
-
- CERTCertificate *cert;
- CERTCertDBHandle *certdb;
-
- SEC_PKCS7SignedData *sdp;
- SEC_PKCS7SignerInfo **pksigners, *pksigner;
-
- sdp = cinfo->content.signedData;
-
- if (sdp == NULL)
- return JAR_ERR_PK7;
-
- pksigners = sdp->signerInfos;
-
- /* permit exactly one signer */
-
- if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
- return JAR_ERR_PK7;
-
- pksigner = *pksigners;
- cert = pksigner->cert;
-
- if (cert == NULL)
- return JAR_ERR_PK7;
-
- certdb = JAR_open_database();
-
- if (certdb == NULL)
- return JAR_ERR_GENERAL;
-
- result = jar_add_cert (jar, signer, jarTypeSign, cert);
-
- JAR_close_database (certdb);
-
- return result;
- }
-
-/*
- * j a r _ o p e n _ d a t a b a s e
- *
- * Open the certificate database,
- * for use by JAR functions.
- *
- */
-
-CERTCertDBHandle *JAR_open_database (void)
- {
- int keepcerts = 0;
- CERTCertDBHandle *certdb;
-
- /* local_certdb will only be used if calling from a command line tool */
- static CERTCertDBHandle local_certdb;
-
- certdb = CERT_GetDefaultCertDB();
-
- if (certdb == NULL)
- {
- if (CERT_OpenCertDBFilename (&local_certdb, NULL, (PRBool)!keepcerts) !=
- SECSuccess)
- {
- return NULL;
- }
- certdb = &local_certdb;
- }
-
- return certdb;
- }
-
-/*
- * j a r _ c l o s e _ d a t a b a s e
- *
- * Close the certificate database.
- * For use by JAR functions.
- *
- */
-
-int JAR_close_database (CERTCertDBHandle *certdb)
- {
- CERTCertDBHandle *defaultdb;
-
- /* This really just retrieves the handle, nothing more */
- defaultdb = CERT_GetDefaultCertDB();
-
- /* If there is no default db, it means we opened
- the permanent database for some reason */
-
- if (defaultdb == NULL && certdb != NULL)
- CERT_ClosePermCertDB (certdb);
-
- return 0;
- }
-
-/*
- * j a r _ g e t _ c e r t i f i c a t e
- *
- * Return the certificate referenced
- * by a given fingerprint, or NULL if not found.
- * Error code is returned in result.
- *
- */
-
-static CERTCertificate *jar_get_certificate
- (JAR *jar, long keylen, void *key, int *result)
- {
- int found = 0;
-
- JAR_Item *it;
- JAR_Cert *fing;
-
- JAR_Context *ctx;
-
- if (jar == NULL)
- {
- void *cert;
- cert = JAR_fetch_cert (keylen, key);
- *result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
- return (CERTCertificate *) cert;
- }
-
- ctx = JAR_find (jar, NULL, jarTypeSign);
-
- while (JAR_find_next (ctx, &it) >= 0)
- {
- fing = (JAR_Cert *) it->data;
-
- if (keylen != fing->length)
- continue;
-
- PORT_Assert( keylen < 0xFFFF );
- if (!PORT_Memcmp (fing->key, key, keylen))
- {
- found = 1;
- break;
- }
- }
-
- JAR_find_end (ctx);
-
- if (found == 0)
- {
- *result = JAR_ERR_GENERAL;
- return NULL;
- }
-
- *result = 0;
- return fing->cert;
- }
-
-/*
- * j a r _ s i g n a l
- *
- * Nonfatal errors come here to callback Java.
- *
- */
-
-static int jar_signal
- (int status, JAR *jar, const char *metafile, char *pathname)
- {
- char *errstring;
-
- errstring = JAR_get_error (status);
-
- if (jar->signal)
- {
- (*jar->signal) (status, jar, metafile, pathname, errstring);
- return 0;
- }
-
- return status;
- }
-
-/*
- * j a r _ a p p e n d
- *
- * Tack on an element to one of a JAR's linked
- * lists, with rudimentary error handling.
- *
- */
-
-int jar_append (ZZList *list, int type,
- char *pathname, void *data, size_t size)
- {
- JAR_Item *it;
- ZZLink *entity;
-
- it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
-
- if (it == NULL)
- goto loser;
-
- if (pathname)
- {
- it->pathname = PORT_Strdup (pathname);
- if (it->pathname == NULL)
- goto loser;
- }
-
- it->type = (jarType)type;
- it->data = (unsigned char *) data;
- it->size = size;
-
- entity = ZZ_NewLink (it);
-
- if (entity)
- {
- ZZ_AppendLink (list, entity);
- return 0;
- }
-
-loser:
-
- if (it)
- {
- if (it->pathname) PORT_Free (it->pathname);
- PORT_Free (it);
- }
-
- return JAR_ERR_MEMORY;
- }
-
-/*
- * W I N 1 6 s t u f f
- *
- * These functions possibly belong in xp_mem.c, they operate
- * on huge string pointers for win16.
- *
- */
-
-#if defined(XP_WIN16)
-int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len)
- {
- while (len--)
- {
- char c1, c2;
-
- c1 = *buf++;
- c2 = *key++;
-
- if (c1 >= 'a' && c1 <= 'z') c1 -= ('a' - 'A');
- if (c2 >= 'a' && c2 <= 'z') c2 -= ('a' - 'A');
-
- if (c1 != c2)
- return (c1 < c2) ? -1 : 1;
- }
- return 0;
- }
-
-size_t xp_HUGE_STRLEN (char ZHUGEP *s)
- {
- size_t len = 0L;
- while (*s++) len++;
- return len;
- }
-
-char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from)
- {
- char *ret = to;
-
- while (*from)
- *to++ = *from++;
- *to = 0;
-
- return ret;
- }
-#endif
diff --git a/security/nss/lib/jar/jzconf.h b/security/nss/lib/jar/jzconf.h
deleted file mode 100644
index 278aaa5d5..000000000
--- a/security/nss/lib/jar/jzconf.h
+++ /dev/null
@@ -1,190 +0,0 @@
-/* zconf.h -- configuration of the zlib compression library
- * Copyright (C) 1995-1996 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-/* This file was modified since it was taken from the zlib distribution */
-/* $Id$ */
-
-#ifndef _ZCONF_H
-#define _ZCONF_H
-
-/*
- * If you *really* need a unique prefix for all types and library functions,
- * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
- */
-#ifdef Z_PREFIX
-# define deflateInit_ z_deflateInit_
-# define deflate z_deflate
-# define deflateEnd z_deflateEnd
-# define inflateInit_ z_inflateInit_
-# define inflate z_inflate
-# define inflateEnd z_inflateEnd
-# define deflateInit2_ z_deflateInit2_
-# define deflateSetDictionary z_deflateSetDictionary
-# define deflateCopy z_deflateCopy
-# define deflateReset z_deflateReset
-# define deflateParams z_deflateParams
-# define inflateInit2_ z_inflateInit2_
-# define inflateSetDictionary z_inflateSetDictionary
-# define inflateSync z_inflateSync
-# define inflateReset z_inflateReset
-# define compress z_compress
-# define uncompress z_uncompress
-# define adler32 z_adler32
-# define crc32 z_crc32
-# define get_crc_table z_get_crc_table
-
-# define Byte z_Byte
-# define uInt z_uInt
-# define uLong z_uLong
-# define Bytef z_Bytef
-# define charf z_charf
-# define intf z_intf
-# define uIntf z_uIntf
-# define uLongf z_uLongf
-# define voidpf z_voidpf
-# define voidp z_voidp
-#endif
-
-#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32)
-# define WIN32
-#endif
-#if defined(__GNUC__) || defined(WIN32) || defined(__386__) || defined(i386)
-# ifndef __32BIT__
-# define __32BIT__
-# endif
-#endif
-#if defined(__MSDOS__) && !defined(MSDOS)
-# define MSDOS
-#endif
-
-/*
- * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
- * than 64k bytes at a time (needed on systems with 16-bit int).
- */
-#if defined(MSDOS) && !defined(__32BIT__)
-# define MAXSEG_64K
-#endif
-#ifdef MSDOS
-# define UNALIGNED_OK
-#endif
-
-#if (defined(MSDOS) || defined(_WINDOWS) || defined(WIN32) || defined(XP_OS2)) && !defined(STDC)
-# define STDC
-#endif
-#if (defined(__STDC__) || defined(__cplusplus)) && !defined(STDC)
-# define STDC
-#endif
-
-#ifndef STDC
-# ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
-# define const
-# endif
-#endif
-
-/* Some Mac compilers merge all .h files incorrectly: */
-#if defined(__MWERKS__) || defined(applec) ||defined(THINK_C) ||defined(__SC__)
-# define NO_DUMMY_DECL
-#endif
-
-/* Maximum value for memLevel in deflateInit2 */
-#ifndef MAX_MEM_LEVEL
-# ifdef MAXSEG_64K
-# define MAX_MEM_LEVEL 8
-# else
-# define MAX_MEM_LEVEL 9
-# endif
-#endif
-
-/* Maximum value for windowBits in deflateInit2 and inflateInit2 */
-#ifndef MAX_WBITS
-# define MAX_WBITS 15 /* 32K LZ77 window */
-#endif
-
-/* The memory requirements for deflate are (in bytes):
- 1 << (windowBits+2) + 1 << (memLevel+9)
- that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values)
- plus a few kilobytes for small objects. For example, if you want to reduce
- the default memory requirements from 256K to 128K, compile with
- make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
- Of course this will generally degrade compression (there's no free lunch).
-
- The memory requirements for inflate are (in bytes) 1 << windowBits
- that is, 32K for windowBits=15 (default value) plus a few kilobytes
- for small objects.
-*/
-
- /* Type declarations */
-
-#ifndef OF /* function prototypes */
-# ifdef STDC
-# define OF(args) args
-# else
-# define OF(args) ()
-# endif
-#endif
-
-/* The following definitions for FAR are needed only for MSDOS mixed
- * model programming (small or medium model with some far allocations).
- * This was tested only with MSC; for other MSDOS compilers you may have
- * to define NO_MEMCPY in zutil.h. If you don't need the mixed model,
- * just define FAR to be empty.
- */
-#if (defined(M_I86SM) || defined(M_I86MM)) && !defined(__32BIT__)
- /* MSC small or medium model */
-# define SMALL_MEDIUM
-# ifdef _MSC_VER
-# define FAR __far
-# else
-# define FAR far
-# endif
-#endif
-#if defined(__BORLANDC__) && (defined(__SMALL__) || defined(__MEDIUM__))
-# ifndef __32BIT__
-# define SMALL_MEDIUM
-# define FAR __far
-# endif
-#endif
-#ifndef FAR
-# define FAR
-#endif
-
-typedef unsigned char Byte; /* 8 bits */
-typedef unsigned int uInt; /* 16 bits or more */
-typedef unsigned long uLong; /* 32 bits or more */
-
-#if defined(__BORLANDC__) && defined(SMALL_MEDIUM)
- /* Borland C/C++ ignores FAR inside typedef */
-# define Bytef Byte FAR
-#else
- typedef Byte FAR Bytef;
-#endif
-typedef char FAR charf;
-typedef int FAR intf;
-typedef uInt FAR uIntf;
-typedef uLong FAR uLongf;
-
-#ifdef STDC
- typedef void FAR *voidpf;
- typedef void *voidp;
-#else
- typedef Byte FAR *voidpf;
- typedef Byte *voidp;
-#endif
-
-#ifdef MOZILLA_CLIENT
-#include "prtypes.h"
-#else
-/* Compile with -DZLIB_DLL for Windows DLL support */
-#if (defined(_WINDOWS) || defined(WINDOWS)) && defined(ZLIB_DLL)
-# include <windows.h>
-# define EXPORT WINAPI
-#else
-# define EXPORT
-#endif
-
-#define PR_PUBLIC_API(type) type
-
-#endif /* MOZILLA_CLIENT */
-
-#endif /* _ZCONF_H */
diff --git a/security/nss/lib/jar/jzlib.h b/security/nss/lib/jar/jzlib.h
deleted file mode 100644
index dd5b4d8e9..000000000
--- a/security/nss/lib/jar/jzlib.h
+++ /dev/null
@@ -1,896 +0,0 @@
-/* zlib.h -- interface of the 'zlib' general purpose compression library
- version 1.0.4, Jul 24th, 1996.
-
- Copyright (C) 1995-1996 Jean-loup Gailly and Mark Adler
-
- This software is provided 'as-is', without any express or implied
- warranty. In no event will the authors be held liable for any damages
- arising from the use of this software.
-
- Permission is granted to anyone to use this software for any purpose,
- including commercial applications, and to alter it and redistribute it
- freely, subject to the following restrictions:
-
- 1. The origin of this software must not be misrepresented; you must not
- claim that you wrote the original software. If you use this software
- in a product, an acknowledgment in the product documentation would be
- appreciated but is not required.
- 2. Altered source versions must be plainly marked as such, and must not be
- misrepresented as being the original software.
- 3. This notice may not be removed or altered from any source distribution.
-
- Jean-loup Gailly Mark Adler
- gzip@prep.ai.mit.edu madler@alumni.caltech.edu
-
-
- The data format used by the zlib library is described by RFCs (Request for
- Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
- (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
-*/
-/* This file was modified since it was taken from the zlib distribution */
-
-#ifndef _ZLIB_H
-#define _ZLIB_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifdef MOZILLA_CLIENT
-#include "jzconf.h"
-#else
-#include "zconf.h"
-#endif
-
-#define ZLIB_VERSION "1.0.4"
-
-/*
- The 'zlib' compression library provides in-memory compression and
- decompression functions, including integrity checks of the uncompressed
- data. This version of the library supports only one compression method
- (deflation) but other algorithms may be added later and will have the same
- stream interface.
-
- For compression the application must provide the output buffer and
- may optionally provide the input buffer for optimization. For decompression,
- the application must provide the input buffer and may optionally provide
- the output buffer for optimization.
-
- Compression can be done in a single step if the buffers are large
- enough (for example if an input file is mmap'ed), or can be done by
- repeated calls of the compression function. In the latter case, the
- application must provide more input and/or consume the output
- (providing more output space) before each call.
-
- The library does not install any signal handler. It is recommended to
- add at least a handler for SIGSEGV when decompressing; the library checks
- the consistency of the input data whenever possible but may go nuts
- for some forms of corrupted input.
-*/
-
-typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
-typedef void (*free_func) OF((voidpf opaque, voidpf address));
-
-struct internal_state;
-
-typedef struct z_stream_s {
- Bytef *next_in; /* next input byte */
- uInt avail_in; /* number of bytes available at next_in */
- uLong total_in; /* total nb of input bytes read so far */
-
- Bytef *next_out; /* next output byte should be put there */
- uInt avail_out; /* remaining free space at next_out */
- uLong total_out; /* total nb of bytes output so far */
-
- char *msg; /* last error message, NULL if no error */
- struct internal_state FAR *state; /* not visible by applications */
-
- alloc_func zalloc; /* used to allocate the internal state */
- free_func zfree; /* used to free the internal state */
- voidpf opaque; /* private data object passed to zalloc and zfree */
-
- int data_type; /* best guess about the data type: ascii or binary */
- uLong adler; /* adler32 value of the uncompressed data */
- uLong reserved; /* reserved for future use */
-} z_stream;
-
-typedef z_stream FAR *z_streamp;
-
-/*
- The application must update next_in and avail_in when avail_in has
- dropped to zero. It must update next_out and avail_out when avail_out
- has dropped to zero. The application must initialize zalloc, zfree and
- opaque before calling the init function. All other fields are set by the
- compression library and must not be updated by the application.
-
- The opaque value provided by the application will be passed as the first
- parameter for calls of zalloc and zfree. This can be useful for custom
- memory management. The compression library attaches no meaning to the
- opaque value.
-
- zalloc must return Z_NULL if there is not enough memory for the object.
- On 16-bit systems, the functions zalloc and zfree must be able to allocate
- exactly 65536 bytes, but will not be required to allocate more than this
- if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
- pointers returned by zalloc for objects of exactly 65536 bytes *must*
- have their offset normalized to zero. The default allocation function
- provided by this library ensures this (see zutil.c). To reduce memory
- requirements and avoid any allocation of 64K objects, at the expense of
- compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
-
- The fields total_in and total_out can be used for statistics or
- progress reports. After compression, total_in holds the total size of
- the uncompressed data and may be saved for use in the decompressor
- (particularly if the decompressor wants to decompress everything in
- a single step).
-*/
-
- /* constants */
-
-#define Z_NO_FLUSH 0
-#define Z_PARTIAL_FLUSH 1
-#define Z_SYNC_FLUSH 2
-#define Z_FULL_FLUSH 3
-#define Z_FINISH 4
-/* Allowed flush values; see deflate() below for details */
-
-#define Z_OK 0
-#define Z_STREAM_END 1
-#define Z_NEED_DICT 2
-#define Z_ERRNO (-1)
-#define Z_STREAM_ERROR (-2)
-#define Z_DATA_ERROR (-3)
-#define Z_MEM_ERROR (-4)
-#define Z_BUF_ERROR (-5)
-#define Z_VERSION_ERROR (-6)
-/* Return codes for the compression/decompression functions. Negative
- * values are errors, positive values are used for special but normal events.
- */
-
-#define Z_NO_COMPRESSION 0
-#define Z_BEST_SPEED 1
-#define Z_BEST_COMPRESSION 9
-#define Z_DEFAULT_COMPRESSION (-1)
-/* compression levels */
-
-#define Z_FILTERED 1
-#define Z_HUFFMAN_ONLY 2
-#define Z_DEFAULT_STRATEGY 0
-/* compression strategy; see deflateInit2() below for details */
-
-#define Z_BINARY 0
-#define Z_ASCII 1
-#define Z_UNKNOWN 2
-/* Possible values of the data_type field */
-
-#define Z_DEFLATED 8
-/* The deflate compression method (the only one supported in this version) */
-
-#define Z_NULL 0 /* for initializing zalloc, zfree, opaque */
-
-#define zlib_version zlibVersion()
-/* for compatibility with versions < 1.0.2 */
-
- /* basic functions */
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern const char *) zlibVersion (void);
-#else
-extern const char * EXPORT zlibVersion OF((void));
-#endif
-/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
- If the first character differs, the library code actually used is
- not compatible with the zlib.h header file used by the application.
- This check is automatically made by deflateInit and inflateInit.
- */
-
-/*
-extern int EXPORT deflateInit OF((z_streamp strm, int level));
-
- Initializes the internal stream state for compression. The fields
- zalloc, zfree and opaque must be initialized before by the caller.
- If zalloc and zfree are set to Z_NULL, deflateInit updates them to
- use default allocation functions.
-
- The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
- 1 gives best speed, 9 gives best compression, 0 gives no compression at
- all (the input data is simply copied a block at a time).
- Z_DEFAULT_COMPRESSION requests a default compromise between speed and
- compression (currently equivalent to level 6).
-
- deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_STREAM_ERROR if level is not a valid compression level,
- Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
- with the version assumed by the caller (ZLIB_VERSION).
- msg is set to null if there is no error message. deflateInit does not
- perform any compression: this will be done by deflate().
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflate (z_streamp strm, int flush);
-#else
-extern int EXPORT deflate OF((z_streamp strm, int flush));
-#endif
-/*
- Performs one or both of the following actions:
-
- - Compress more input starting at next_in and update next_in and avail_in
- accordingly. If not all input can be processed (because there is not
- enough room in the output buffer), next_in and avail_in are updated and
- processing will resume at this point for the next call of deflate().
-
- - Provide more output starting at next_out and update next_out and avail_out
- accordingly. This action is forced if the parameter flush is non zero.
- Forcing flush frequently degrades the compression ratio, so this parameter
- should be set only when necessary (in interactive applications).
- Some output may be provided even if flush is not set.
-
- Before the call of deflate(), the application should ensure that at least
- one of the actions is possible, by providing more input and/or consuming
- more output, and updating avail_in or avail_out accordingly; avail_out
- should never be zero before the call. The application can consume the
- compressed output when it wants, for example when the output buffer is full
- (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
- and with zero avail_out, it must be called again after making room in the
- output buffer because there might be more output pending.
-
- If the parameter flush is set to Z_PARTIAL_FLUSH, the current compression
- block is terminated and flushed to the output buffer so that the
- decompressor can get all input data available so far. For method 9, a future
- variant on method 8, the current block will be flushed but not terminated.
- Z_SYNC_FLUSH has the same effect as partial flush except that the compressed
- output is byte aligned (the compressor can clear its internal bit buffer)
- and the current block is always terminated; this can be useful if the
- compressor has to be restarted from scratch after an interruption (in which
- case the internal state of the compressor may be lost).
- If flush is set to Z_FULL_FLUSH, the compression block is terminated, a
- special marker is output and the compression dictionary is discarded; this
- is useful to allow the decompressor to synchronize if one compressed block
- has been damaged (see inflateSync below). Flushing degrades compression and
- so should be used only when necessary. Using Z_FULL_FLUSH too often can
- seriously degrade the compression. If deflate returns with avail_out == 0,
- this function must be called again with the same value of the flush
- parameter and more output space (updated avail_out), until the flush is
- complete (deflate returns with non-zero avail_out).
-
- If the parameter flush is set to Z_FINISH, pending input is processed,
- pending output is flushed and deflate returns with Z_STREAM_END if there
- was enough output space; if deflate returns with Z_OK, this function must be
- called again with Z_FINISH and more output space (updated avail_out) but no
- more input data, until it returns with Z_STREAM_END or an error. After
- deflate has returned Z_STREAM_END, the only possible operations on the
- stream are deflateReset or deflateEnd.
-
- Z_FINISH can be used immediately after deflateInit if all the compression
- is to be done in a single step. In this case, avail_out must be at least
- 0.1% larger than avail_in plus 12 bytes. If deflate does not return
- Z_STREAM_END, then it must be called again as described above.
-
- deflate() may update data_type if it can make a good guess about
- the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered
- binary. This field is only for information purposes and does not affect
- the compression algorithm in any manner.
-
- deflate() returns Z_OK if some progress has been made (more input
- processed or more output produced), Z_STREAM_END if all input has been
- consumed and all output has been produced (only when flush is set to
- Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
- if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible.
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateEnd (z_streamp strm);
-#else
-extern int EXPORT deflateEnd OF((z_streamp strm));
-#endif
-/*
- All dynamically allocated data structures for this stream are freed.
- This function discards any unprocessed input and does not flush any
- pending output.
-
- deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
- stream state was inconsistent, Z_DATA_ERROR if the stream was freed
- prematurely (some input or output was discarded). In the error case,
- msg may be set but then points to a static string (which must not be
- deallocated).
-*/
-
-
-/*
-extern int EXPORT inflateInit OF((z_streamp strm));
-
- Initializes the internal stream state for decompression. The fields
- zalloc, zfree and opaque must be initialized before by the caller. If
- zalloc and zfree are set to Z_NULL, inflateInit updates them to use default
- allocation functions.
-
- inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_VERSION_ERROR if the zlib library version is incompatible
- with the version assumed by the caller. msg is set to null if there is no
- error message. inflateInit does not perform any decompression: this will be
- done by inflate().
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflate (z_streamp strm, int flush);
-#else
-extern int EXPORT inflate OF((z_streamp strm, int flush));
-#endif
-/*
- Performs one or both of the following actions:
-
- - Decompress more input starting at next_in and update next_in and avail_in
- accordingly. If not all input can be processed (because there is not
- enough room in the output buffer), next_in is updated and processing
- will resume at this point for the next call of inflate().
-
- - Provide more output starting at next_out and update next_out and avail_out
- accordingly. inflate() provides as much output as possible, until there
- is no more input data or no more space in the output buffer (see below
- about the flush parameter).
-
- Before the call of inflate(), the application should ensure that at least
- one of the actions is possible, by providing more input and/or consuming
- more output, and updating the next_* and avail_* values accordingly.
- The application can consume the uncompressed output when it wants, for
- example when the output buffer is full (avail_out == 0), or after each
- call of inflate(). If inflate returns Z_OK and with zero avail_out, it
- must be called again after making room in the output buffer because there
- might be more output pending.
-
- If the parameter flush is set to Z_PARTIAL_FLUSH, inflate flushes as much
- output as possible to the output buffer. The flushing behavior of inflate is
- not specified for values of the flush parameter other than Z_PARTIAL_FLUSH
- and Z_FINISH, but the current implementation actually flushes as much output
- as possible anyway.
-
- inflate() should normally be called until it returns Z_STREAM_END or an
- error. However if all decompression is to be performed in a single step
- (a single call of inflate), the parameter flush should be set to
- Z_FINISH. In this case all pending input is processed and all pending
- output is flushed; avail_out must be large enough to hold all the
- uncompressed data. (The size of the uncompressed data may have been saved
- by the compressor for this purpose.) The next operation on this stream must
- be inflateEnd to deallocate the decompression state. The use of Z_FINISH
- is never required, but can be used to inform inflate that a faster routine
- may be used for the single inflate() call.
-
- inflate() returns Z_OK if some progress has been made (more input
- processed or more output produced), Z_STREAM_END if the end of the
- compressed data has been reached and all uncompressed output has been
- produced, Z_NEED_DICT if a preset dictionary is needed at this point (see
- inflateSetDictionary below), Z_DATA_ERROR if the input data was corrupted,
- Z_STREAM_ERROR if the stream structure was inconsistent (for example if
- next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
- Z_BUF_ERROR if no progress is possible or if there was not enough room in
- the output buffer when Z_FINISH is used. In the Z_DATA_ERROR case, the
- application may then call inflateSync to look for a good compression block.
- In the Z_NEED_DICT case, strm->adler is set to the Adler32 value of the
- dictionary chosen by the compressor.
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateEnd (z_streamp strm);
-#else
-extern int EXPORT inflateEnd OF((z_streamp strm));
-#endif
-/*
- All dynamically allocated data structures for this stream are freed.
- This function discards any unprocessed input and does not flush any
- pending output.
-
- inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
- was inconsistent. In the error case, msg may be set but then points to a
- static string (which must not be deallocated).
-*/
-
- /* Advanced functions */
-
-/*
- The following functions are needed only in some special applications.
-*/
-
-/*
-extern int EXPORT deflateInit2 OF((z_streamp strm,
- int level,
- int method,
- int windowBits,
- int memLevel,
- int strategy));
-
- This is another version of deflateInit with more compression options. The
- fields next_in, zalloc, zfree and opaque must be initialized before by
- the caller.
-
- The method parameter is the compression method. It must be Z_DEFLATED in
- this version of the library. (Method 9 will allow a 64K history buffer and
- partial block flushes.)
-
- The windowBits parameter is the base two logarithm of the window size
- (the size of the history buffer). It should be in the range 8..15 for this
- version of the library (the value 16 will be allowed for method 9). Larger
- values of this parameter result in better compression at the expense of
- memory usage. The default value is 15 if deflateInit is used instead.
-
- The memLevel parameter specifies how much memory should be allocated
- for the internal compression state. memLevel=1 uses minimum memory but
- is slow and reduces compression ratio; memLevel=9 uses maximum memory
- for optimal speed. The default value is 8. See zconf.h for total memory
- usage as a function of windowBits and memLevel.
-
- The strategy parameter is used to tune the compression algorithm. Use the
- value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
- filter (or predictor), or Z_HUFFMAN_ONLY to force Huffman encoding only (no
- string match). Filtered data consists mostly of small values with a
- somewhat random distribution. In this case, the compression algorithm is
- tuned to compress them better. The effect of Z_FILTERED is to force more
- Huffman coding and less string matching; it is somewhat intermediate
- between Z_DEFAULT and Z_HUFFMAN_ONLY. The strategy parameter only affects
- the compression ratio but not the correctness of the compressed output even
- if it is not set appropriately.
-
- If next_in is not null, the library will use this buffer to hold also
- some history information; the buffer must either hold the entire input
- data, or have at least 1<<(windowBits+1) bytes and be writable. If next_in
- is null, the library will allocate its own history buffer (and leave next_in
- null). next_out need not be provided here but must be provided by the
- application for the next call of deflate().
-
- If the history buffer is provided by the application, next_in must
- must never be changed by the application since the compressor maintains
- information inside this buffer from call to call; the application
- must provide more input only by increasing avail_in. next_in is always
- reset by the library in this case.
-
- deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
- not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
- an invalid method). msg is set to null if there is no error message.
- deflateInit2 does not perform any compression: this will be done by
- deflate().
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateSetDictionary (z_streamp strm,
- const Bytef *dictionary,
- uInt dictLength);
-#else
-extern int EXPORT deflateSetDictionary OF((z_streamp strm,
- const Bytef *dictionary,
- uInt dictLength));
-#endif
-/*
- Initializes the compression dictionary (history buffer) from the given
- byte sequence without producing any compressed output. This function must
- be called immediately after deflateInit or deflateInit2, before any call
- of deflate. The compressor and decompressor must use exactly the same
- dictionary (see inflateSetDictionary).
- The dictionary should consist of strings (byte sequences) that are likely
- to be encountered later in the data to be compressed, with the most commonly
- used strings preferably put towards the end of the dictionary. Using a
- dictionary is most useful when the data to be compressed is short and
- can be predicted with good accuracy; the data can then be compressed better
- than with the default empty dictionary. In this version of the library,
- only the last 32K bytes of the dictionary are used.
- Upon return of this function, strm->adler is set to the Adler32 value
- of the dictionary; the decompressor may later use this value to determine
- which dictionary has been used by the compressor. (The Adler32 value
- applies to the whole dictionary even if only a subset of the dictionary is
- actually used by the compressor.)
-
- deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
- parameter is invalid (such as NULL dictionary) or the stream state
- is inconsistent (for example if deflate has already been called for this
- stream). deflateSetDictionary does not perform any compression: this will
- be done by deflate().
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateCopy (z_streamp dest, z_streamp source);
-#else
-extern int EXPORT deflateCopy OF((z_streamp dest, z_streamp source));
-#endif
-/*
- Sets the destination stream as a complete copy of the source stream. If
- the source stream is using an application-supplied history buffer, a new
- buffer is allocated for the destination stream. The compressed output
- buffer is always application-supplied. It's the responsibility of the
- application to provide the correct values of next_out and avail_out for the
- next call of deflate.
-
- This function can be useful when several compression strategies will be
- tried, for example when there are several ways of pre-processing the input
- data with a filter. The streams that will be discarded should then be freed
- by calling deflateEnd. Note that deflateCopy duplicates the internal
- compression state which can be quite large, so this strategy is slow and
- can consume lots of memory.
-
- deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
- (such as zalloc being NULL). msg is left unchanged in both source and
- destination.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateReset (z_streamp strm);
-#else
-extern int EXPORT deflateReset OF((z_streamp strm));
-#endif
-/*
- This function is equivalent to deflateEnd followed by deflateInit,
- but does not free and reallocate all the internal compression state.
- The stream will keep the same compression level and any other attributes
- that may have been set by deflateInit2.
-
- deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
- stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateParams (z_streamp strm, int level, int strategy);
-#else
-extern int EXPORT deflateParams OF((z_streamp strm, int level, int strategy));
-#endif
-/*
- Dynamically update the compression level and compression strategy.
- This can be used to switch between compression and straight copy of
- the input data, or to switch to a different kind of input data requiring
- a different strategy. If the compression level is changed, the input
- available so far is compressed with the old level (and may be flushed);
- the new level will take effect only at the next call of deflate().
-
- Before the call of deflateParams, the stream state must be set as for
- a call of deflate(), since the currently available input may have to
- be compressed and flushed. In particular, strm->avail_out must be non-zero.
-
- deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
- stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
- if strm->avail_out was zero.
-*/
-
-/*
-extern int EXPORT inflateInit2 OF((z_streamp strm,
- int windowBits));
-
- This is another version of inflateInit with more compression options. The
- fields next_out, zalloc, zfree and opaque must be initialized before by
- the caller.
-
- The windowBits parameter is the base two logarithm of the maximum window
- size (the size of the history buffer). It should be in the range 8..15 for
- this version of the library (the value 16 will be allowed soon). The
- default value is 15 if inflateInit is used instead. If a compressed stream
- with a larger window size is given as input, inflate() will return with
- the error code Z_DATA_ERROR instead of trying to allocate a larger window.
-
- If next_out is not null, the library will use this buffer for the history
- buffer; the buffer must either be large enough to hold the entire output
- data, or have at least 1<<windowBits bytes. If next_out is null, the
- library will allocate its own buffer (and leave next_out null). next_in
- need not be provided here but must be provided by the application for the
- next call of inflate().
-
- If the history buffer is provided by the application, next_out must
- never be changed by the application since the decompressor maintains
- history information inside this buffer from call to call; the application
- can only reset next_out to the beginning of the history buffer when
- avail_out is zero and all output has been consumed.
-
- inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
- not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
- windowBits < 8). msg is set to null if there is no error message.
- inflateInit2 does not perform any decompression: this will be done by
- inflate().
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateSetDictionary (z_streamp strm,
- const Bytef *dictionary,
- uInt dictLength);
-#else
-extern int EXPORT inflateSetDictionary OF((z_streamp strm,
- const Bytef *dictionary,
- uInt dictLength));
-#endif
-/*
- Initializes the decompression dictionary (history buffer) from the given
- uncompressed byte sequence. This function must be called immediately after
- a call of inflate if this call returned Z_NEED_DICT. The dictionary chosen
- by the compressor can be determined from the Adler32 value returned by this
- call of inflate. The compressor and decompressor must use exactly the same
- dictionary (see deflateSetDictionary).
-
- inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
- parameter is invalid (such as NULL dictionary) or the stream state is
- inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
- expected one (incorrect Adler32 value). inflateSetDictionary does not
- perform any decompression: this will be done by subsequent calls of
- inflate().
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateSync (z_streamp strm);
-#else
-extern int EXPORT inflateSync OF((z_streamp strm));
-#endif
-/*
- Skips invalid compressed data until the special marker (see deflate()
- above) can be found, or until all available input is skipped. No output
- is provided.
-
- inflateSync returns Z_OK if the special marker has been found, Z_BUF_ERROR
- if no more input was provided, Z_DATA_ERROR if no marker has been found,
- or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
- case, the application may save the current current value of total_in which
- indicates where valid compressed data was found. In the error case, the
- application may repeatedly call inflateSync, providing more input each time,
- until success or end of the input data.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateReset (z_streamp strm);
-#else
-extern int EXPORT inflateReset OF((z_streamp strm));
-#endif
-/*
- This function is equivalent to inflateEnd followed by inflateInit,
- but does not free and reallocate all the internal decompression state.
- The stream will keep attributes that may have been set by inflateInit2.
-
- inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
- stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-
- /* utility functions */
-
-/*
- The following utility functions are implemented on top of the
- basic stream-oriented functions. To simplify the interface, some
- default options are assumed (compression level, window size,
- standard memory allocation functions). The source code of these
- utility functions can easily be modified if you need special options.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) compress (Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen);
-#else
-extern int EXPORT compress OF((Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen));
-#endif
-/*
- Compresses the source buffer into the destination buffer. sourceLen is
- the byte length of the source buffer. Upon entry, destLen is the total
- size of the destination buffer, which must be at least 0.1% larger than
- sourceLen plus 12 bytes. Upon exit, destLen is the actual size of the
- compressed buffer.
- This function can be used to compress a whole file at once if the
- input file is mmap'ed.
- compress returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_BUF_ERROR if there was not enough room in the output
- buffer.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) uncompress (Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen);
-#else
-extern int EXPORT uncompress OF((Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen));
-#endif
-/*
- Decompresses the source buffer into the destination buffer. sourceLen is
- the byte length of the source buffer. Upon entry, destLen is the total
- size of the destination buffer, which must be large enough to hold the
- entire uncompressed data. (The size of the uncompressed data must have
- been saved previously by the compressor and transmitted to the decompressor
- by some mechanism outside the scope of this compression library.)
- Upon exit, destLen is the actual size of the compressed buffer.
- This function can be used to decompress a whole file at once if the
- input file is mmap'ed.
-
- uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_BUF_ERROR if there was not enough room in the output
- buffer, or Z_DATA_ERROR if the input data was corrupted.
-*/
-
-
-typedef voidp gzFile;
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern gzFile) gzopen (const char *path, const char *mode);
-#else
-extern gzFile EXPORT gzopen OF((const char *path, const char *mode));
-#endif
-/*
- Opens a gzip (.gz) file for reading or writing. The mode parameter
- is as in fopen ("rb" or "wb") but can also include a compression level
- ("wb9"). gzopen can be used to read a file which is not in gzip format;
- in this case gzread will directly read from the file without decompression.
- gzopen returns NULL if the file could not be opened or if there was
- insufficient memory to allocate the (de)compression state; errno
- can be checked to distinguish the two cases (if errno is zero, the
- zlib error is Z_MEM_ERROR).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern gzFile) gzdopen (int fd, const char *mode);
-#else
-extern gzFile EXPORT gzdopen OF((int fd, const char *mode));
-#endif
-/*
- gzdopen() associates a gzFile with the file descriptor fd. File
- descriptors are obtained from calls like open, dup, creat, pipe or
- fileno (in the file has been previously opened with fopen).
- The mode parameter is as in gzopen.
- The next call of gzclose on the returned gzFile will also close the
- file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
- descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
- gzdopen returns NULL if there was insufficient memory to allocate
- the (de)compression state.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) gzread (gzFile file, voidp buf, unsigned len);
-#else
-extern int EXPORT gzread OF((gzFile file, voidp buf, unsigned len));
-#endif
-/*
- Reads the given number of uncompressed bytes from the compressed file.
- If the input file was not in gzip format, gzread copies the given number
- of bytes into the buffer.
- gzread returns the number of uncompressed bytes actually read (0 for
- end of file, -1 for error). */
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) gzwrite (gzFile file, const voidp buf, unsigned len);
-#else
-extern int EXPORT gzwrite OF((gzFile file, const voidp buf, unsigned len));
-#endif
-/*
- Writes the given number of uncompressed bytes into the compressed file.
- gzwrite returns the number of uncompressed bytes actually written
- (0 in case of error).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) gzflush (gzFile file, int flush);
-#else
-extern int EXPORT gzflush OF((gzFile file, int flush));
-#endif
-/*
- Flushes all pending output into the compressed file. The parameter
- flush is as in the deflate() function. The return value is the zlib
- error number (see function gzerror below). gzflush returns Z_OK if
- the flush parameter is Z_FINISH and all output could be flushed.
- gzflush should be called only when strictly necessary because it can
- degrade compression.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) gzclose (gzFile file);
-#else
-extern int EXPORT gzclose OF((gzFile file));
-#endif
-/*
- Flushes all pending output if necessary, closes the compressed file
- and deallocates all the (de)compression state. The return value is the zlib
- error number (see function gzerror below).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern const char *) gzerror (gzFile file, int *errnum);
-#else
-extern const char * EXPORT gzerror OF((gzFile file, int *errnum));
-#endif
-/*
- Returns the error message for the last error which occurred on the
- given compressed file. errnum is set to zlib error number. If an
- error occurred in the file system and not in the compression library,
- errnum is set to Z_ERRNO and the application may consult errno
- to get the exact error code.
-*/
-
- /* checksum functions */
-
-/*
- These functions are not related to compression but are exported
- anyway because they might be useful in applications using the
- compression library.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern uLong) adler32 (uLong adler, const Bytef *buf, uInt len);
-#else
-extern uLong EXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
-#endif
-
-/*
- Update a running Adler-32 checksum with the bytes buf[0..len-1] and
- return the updated checksum. If buf is NULL, this function returns
- the required initial value for the checksum.
- An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
- much faster. Usage example:
-
- uLong adler = adler32(0L, Z_NULL, 0);
-
- while (read_buffer(buffer, length) != EOF) {
- adler = adler32(adler, buffer, length);
- }
- if (adler != original_adler) error();
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern uLong) crc32 (uLong crc, const Bytef *buf, uInt len);
-#else
-extern uLong EXPORT crc32 OF((uLong crc, const Bytef *buf, uInt len));
-#endif
-/*
- Update a running crc with the bytes buf[0..len-1] and return the updated
- crc. If buf is NULL, this function returns the required initial value
- for the crc. Pre- and post-conditioning (one's complement) is performed
- within this function so it shouldn't be done by the application.
- Usage example:
-
- uLong crc = crc32(0L, Z_NULL, 0);
-
- while (read_buffer(buffer, length) != EOF) {
- crc = crc32(crc, buffer, length);
- }
- if (crc != original_crc) error();
-*/
-
-
- /* various hacks, don't look :) */
-
-/* deflateInit and inflateInit are macros to allow checking the zlib version
- * and the compiler's view of z_stream:
- */
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateInit_ (z_streamp strm, int level, const char *version,
- int stream_size);
-PR_PUBLIC_API(extern int) inflateInit_ (z_streamp strm, const char *version,
- int stream_size);
-PR_PUBLIC_API(extern int) deflateInit2_ (z_streamp strm, int level, int method,
- int windowBits, int memLevel, int strategy,
- const char *version, int stream_size);
-PR_PUBLIC_API(extern int) inflateInit2_ (z_streamp strm, int windowBits,
- const char *version, int stream_size);
-#else
-extern int EXPORT deflateInit_ OF((z_streamp strm, int level, const char *version,
- int stream_size));
-extern int EXPORT inflateInit_ OF((z_streamp strm, const char *version,
- int stream_size));
-extern int EXPORT deflateInit2_ OF((z_streamp strm, int level, int method,
- int windowBits, int memLevel, int strategy,
- const char *version, int stream_size));
-extern int EXPORT inflateInit2_ OF((z_streamp strm, int windowBits,
- const char *version, int stream_size));
-#endif /* MOZILLA_CLIENT */
-
-
-#define deflateInit(strm, level) \
- deflateInit_((strm), (level), ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit(strm) \
- inflateInit_((strm), ZLIB_VERSION, sizeof(z_stream))
-#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
- deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
- (strategy), ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit2(strm, windowBits) \
- inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
-
-#if !defined(_Z_UTIL_H) && !defined(NO_DUMMY_DECL)
- struct internal_state {int dummy;}; /* hack for buggy compilers */
-#endif
-
-uLongf *get_crc_table OF((void)); /* can be used by asm versions of crc32() */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _ZLIB_H */
diff --git a/security/nss/lib/jar/manifest.mn b/security/nss/lib/jar/manifest.mn
deleted file mode 100644
index 9a47b1558..000000000
--- a/security/nss/lib/jar/manifest.mn
+++ /dev/null
@@ -1,53 +0,0 @@
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-
-MODULE = security
-
-LIBRARY_NAME = jar
-
-CORE_DEPTH = ../../..
-
-CSRCS = \
- jarver.c \
- jarsign.c \
- jar.c \
- jar-ds.c \
- jarfile.c \
- jarevil.c \
- jarjart.c \
- jarint.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-EXPORTS = jar.h jar-ds.h jarfile.h
-
-DEFINES = -DMOZILLA_CLIENT=1
diff --git a/security/nss/lib/macbuild/NSS/NSS/NSS.mcp b/security/nss/lib/macbuild/NSS/NSS/NSS.mcp
deleted file mode 100644
index 99a1dd3de..000000000
--- a/security/nss/lib/macbuild/NSS/NSS/NSS.mcp
+++ /dev/null
Binary files differ
diff --git a/security/nss/lib/macbuild/SecurityLib.mcp b/security/nss/lib/macbuild/SecurityLib.mcp
deleted file mode 100644
index 3efcf8c2d..000000000
--- a/security/nss/lib/macbuild/SecurityLib.mcp
+++ /dev/null
Binary files differ
diff --git a/security/nss/lib/manifest.mn b/security/nss/lib/manifest.mn
deleted file mode 100644
index 1c699b99c..000000000
--- a/security/nss/lib/manifest.mn
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../..
-DEPTH = ../..
-
-DIRS = pkcs7 ssl nss crmf jar \
- certhigh pk11wrap cryptohi \
- softoken certdb crypto \
- util freebl pkcs12 fortcrypt \
- smime
-#
-# these dirs are not built at the moment
-#
-#NOBUILD_DIRS = jar
diff --git a/security/nss/lib/nss/Makefile b/security/nss/lib/nss/Makefile
deleted file mode 100644
index 1a5c66ef4..000000000
--- a/security/nss/lib/nss/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/arch.mk
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-include config.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/nss/config.mk b/security/nss/lib/nss/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/nss/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/nss/manifest.mn b/security/nss/lib/nss/manifest.mn
deleted file mode 100644
index 344a64b23..000000000
--- a/security/nss/lib/nss/manifest.mn
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- nss.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- nssinit.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = nss
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
deleted file mode 100644
index 157f110e0..000000000
--- a/security/nss/lib/nss/nss.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * NSS utility functions
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef __nss_h_
-#define __nss_h_
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-/*
- * Open the Cert, Key, and Security Module databases.
- * Initialize the Random Number Generator.
- * Does not initialize the cipher policies or enables.
- * Default policy settings disallow all ciphers.
- */
-extern SECStatus NSS_Init(const char *configdir);
-
-/*
- * Close the Cert, Key databases.
- */
-extern void NSS_Shutdown(void);
-
-SEC_END_PROTOS
-
-#endif /* __nss_h_ */
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
deleted file mode 100644
index 92d009fc9..000000000
--- a/security/nss/lib/nss/nssinit.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * NSS utility functions
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- # $Id$
- */
-
-#include "seccomon.h"
-#include "prprf.h"
-#include "prmem.h"
-#include "cert.h"
-#include "key.h"
-#include "ssl.h"
-#include "sslproto.h"
-#include "secmod.h"
-#include "nss.h"
-#include "secrng.h"
-#include "cdbhdl.h" /* ??? */
-
-
-
-static char *
-nss_certdb_name_cb(void *arg, int dbVersion)
-{
- const char *configdir = (const char *)arg;
- const char *dbver;
-
- switch (dbVersion) {
- case 7:
- dbver = "7";
- break;
- case 6:
- dbver = "6";
- break;
- case 5:
- dbver = "5";
- break;
- case 4:
- default:
- dbver = "";
- break;
- }
-
- return PR_smprintf("%s/cert%s.db", configdir, dbver);
-}
-
-char *
-nss_keydb_name_cb(void *arg, int dbVersion)
-{
- const char *configdir = (const char *)arg;
- const char *dbver;
-
- switch (dbVersion) {
- case 3:
- dbver = "3";
- break;
- case 2:
- default:
- dbver = "";
- break;
- }
-
- return PR_smprintf("%s/key%s.db", configdir, dbver);
-}
-
-SECStatus
-nss_OpenCertDB(const char * configdir)
-{
- CERTCertDBHandle *certdb;
- SECStatus status;
-
- certdb = CERT_GetDefaultCertDB();
- if (certdb)
- return SECSuccess; /* idempotency */
-
- certdb = (CERTCertDBHandle*)PORT_ZAlloc(sizeof(CERTCertDBHandle));
- if (certdb == NULL)
- goto loser;
-
- status = CERT_OpenCertDB(certdb, PR_TRUE, nss_certdb_name_cb, (void *)configdir);
- if (status == SECSuccess)
- CERT_SetDefaultCertDB(certdb);
- else {
- PR_Free(certdb);
-loser:
- status = SECFailure;
- }
- return status;
-}
-
-SECStatus
-nss_OpenKeyDB(const char * configdir)
-{
- SECKEYKeyDBHandle *keydb;
-
- keydb = SECKEY_GetDefaultKeyDB();
- if (keydb)
- return SECSuccess;
- keydb = SECKEY_OpenKeyDB(PR_TRUE, nss_keydb_name_cb, (void *)configdir);
- if (keydb == NULL)
- return SECFailure;
- SECKEY_SetDefaultKeyDB(keydb);
- return SECSuccess;
-}
-
-SECStatus
-nss_OpenSecModDB(const char * configdir)
-{
- static char *secmodname;
-
- /* XXX
- * For idempotency, this should check to see if the secmodDB is alredy open
- * but no function exists to make that determination.
- */
- if (secmodname)
- return SECSuccess;
- secmodname = PR_smprintf("%s/secmod.db", configdir);
- if (secmodname == NULL)
- return SECFailure;
- SECMOD_init(secmodname);
- return SECSuccess;
-}
-
-SECStatus
-NSS_Init(const char *configdir)
-{
- SECStatus status;
- SECStatus rv = SECFailure;
-
- RNG_RNGInit(); /* initialize random number generator */
- RNG_SystemInfoForRNG();
-
- status = nss_OpenCertDB(configdir);
- if (status != SECSuccess)
- goto loser;
-
- status = nss_OpenKeyDB(configdir);
- if (status != SECSuccess)
- goto loser;
-
- status = nss_OpenSecModDB(configdir);
- if (status != SECSuccess)
- goto loser;
-
- rv = SECSuccess;
-
-loser:
- if (rv != SECSuccess)
- NSS_Shutdown();
- return rv;
-}
-
-void
-NSS_Shutdown(void)
-{
- CERTCertDBHandle *certHandle;
- SECKEYKeyDBHandle *keyHandle;
-
- certHandle = CERT_GetDefaultCertDB();
- if (certHandle)
- CERT_ClosePermCertDB(certHandle);
-
- keyHandle = SECKEY_GetDefaultKeyDB();
- if (keyHandle)
- SECKEY_CloseKeyDB(keyHandle);
-
- /* XXX
- * This should also close the secmod DB,
- * but there's no secmod function to close the DB.
- */
-}
diff --git a/security/nss/lib/pk11wrap/Makefile b/security/nss/lib/pk11wrap/Makefile
deleted file mode 100644
index 774e68762..000000000
--- a/security/nss/lib/pk11wrap/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-export:: private_export
-
-
diff --git a/security/nss/lib/pk11wrap/config.mk b/security/nss/lib/pk11wrap/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/pk11wrap/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn
deleted file mode 100644
index 0eddc6696..000000000
--- a/security/nss/lib/pk11wrap/manifest.mn
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- secmod.h \
- secmodt.h \
- pk11func.h \
- pk11sdr.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- secmodi.h \
- secmodti.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- pk11cert.c \
- pk11err.c \
- pk11load.c \
- pk11slot.c \
- pk11db.c \
- pk11list.c \
- pk11skey.c \
- pk11kea.c \
- pk11util.c \
- pk11sdr.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = pk11wrap
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
deleted file mode 100644
index 5304b1248..000000000
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ /dev/null
@@ -1,2413 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This file implements the Symkey wrapper and the PKCS context
- * Interfaces.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "prlock.h"
-#include "secmodi.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "secitem.h"
-#include "key.h"
-#include "hasht.h"
-#include "secoid.h"
-#include "pkcs7t.h"
-#include "cmsreclist.h"
-
-#include "certdb.h"
-#include "secerr.h"
-#include "sslerr.h"
-
-#define PK11_SEARCH_CHUNKSIZE 10
-
-CK_OBJECT_HANDLE
-pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx);
-
-/*
- * build a cert nickname based on the token name and the label of the
- * certificate If the label in NULL, build a label based on the ID.
- */
-static int toHex(int x) { return (x < 10) ? (x+'0') : (x+'a'-10); }
-#define MAX_CERT_ID 4
-#define DEFAULT_STRING "Cert ID "
-static char *
-pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label,
- CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id)
-{
- int prefixLen = PORT_Strlen(slot->token_name);
- int suffixLen = 0;
- char *suffix = NULL;
- char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2];
- char *next,*nickname;
-
- if (slot->isInternal) {
- return NULL;
- }
-
- if ((cert_label) && (cert_label->pValue)) {
- suffixLen = cert_label->ulValueLen;
- suffix = (char*)cert_label->pValue;
- } else if (key_label && (key_label->pValue)) {
- suffixLen = key_label->ulValueLen;
- suffix = (char*)key_label->pValue;
- } else if ((cert_id) && cert_id->pValue) {
- int i,first = cert_id->ulValueLen - MAX_CERT_ID;
- int offset = sizeof(DEFAULT_STRING);
- char *idValue = (char *)cert_id->pValue;
-
- PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1);
- next = buildNew + offset;
- if (first < 0) first = 0;
- for (i=first; i < (int) cert_id->ulValueLen; i++) {
- *next++ = toHex((idValue[i] >> 4) & 0xf);
- *next++ = toHex(idValue[i] & 0xf);
- }
- *next++ = 0;
- suffix = buildNew;
- suffixLen = PORT_Strlen(buildNew);
- } else {
- PORT_SetError( SEC_ERROR_LIBRARY_FAILURE );
- return NULL;
- }
-
- next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1);
- if (nickname == NULL) return NULL;
-
- PORT_Memcpy(next,slot->token_name,prefixLen);
- next += prefixLen;
- *next++ = ':';
- PORT_Memcpy(next,suffix,suffixLen);
- next += suffixLen;
- *next++ = 0;
- return nickname;
-}
-
-/*
- * return the object handle that matches the template
- */
-CK_OBJECT_HANDLE
-pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize)
-{
- CK_OBJECT_HANDLE object;
- CK_RV crv;
- CK_ULONG objectCount;
-
- /*
- * issue the find
- */
- PK11_EnterSlotMonitor(slot);
- crv=PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, theTemplate, tsize);
- if (crv != CKR_OK) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError( PK11_MapError(crv) );
- return CK_INVALID_KEY;
- }
-
- crv=PK11_GETTAB(slot)->C_FindObjects(slot->session,&object,1,&objectCount);
- PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
- PK11_ExitSlotMonitor(slot);
- if ((crv != CKR_OK) || (objectCount < 1)) {
- /* shouldn't use SSL_ERROR... here */
- PORT_SetError( crv != CKR_OK ? PK11_MapError(crv) :
- SSL_ERROR_NO_CERTIFICATE);
- return CK_INVALID_KEY;
- }
-
- /* blow up if the PKCS #11 module returns us and invalid object handle */
- PORT_Assert(object != CK_INVALID_KEY);
- return object;
-}
-
-/*
- * return all the object handles that matches the template
- */
-CK_OBJECT_HANDLE *
-pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
- CK_ATTRIBUTE *findTemplate,int findCount,int *object_count) {
- CK_OBJECT_HANDLE *objID = NULL;
- CK_ULONG returned_count = 0;
- CK_RV crv;
-
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, findTemplate,
- findCount);
- if (crv != CKR_OK) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError( PK11_MapError(crv) );
- *object_count = -1;
- return NULL;
- }
-
-
- /*
- * collect all the Matching Objects
- */
- do {
- CK_OBJECT_HANDLE *oldObjID = objID;
-
- if (objID == NULL) {
- objID = (CK_OBJECT_HANDLE *) PORT_Alloc(sizeof(CK_OBJECT_HANDLE)*
- (*object_count+ PK11_SEARCH_CHUNKSIZE));
- } else {
- objID = (CK_OBJECT_HANDLE *) PORT_Realloc(objID,
- sizeof(CK_OBJECT_HANDLE)*(*object_count+PK11_SEARCH_CHUNKSIZE));
- }
-
- if (objID == NULL) {
- if (oldObjID) PORT_Free(oldObjID);
- break;
- }
- crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
- &objID[*object_count],PK11_SEARCH_CHUNKSIZE,&returned_count);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- PORT_Free(objID);
- objID = NULL;
- break;
- }
- *object_count += returned_count;
- } while (returned_count == PK11_SEARCH_CHUNKSIZE);
-
- PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
- PK11_ExitSlotMonitor(slot);
-
- if (objID && (*object_count == 0)) {
- PORT_Free(objID);
- return NULL;
- }
- if (objID == NULL) *object_count = -1;
- return objID;
-}
-/*
- * given a PKCS #11 object, match it's peer based on the KeyID. searchID
- * is typically a privateKey or a certificate while the peer is the opposite
- */
-CK_OBJECT_HANDLE
-PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID,
- CK_OBJECT_CLASS matchclass)
-{
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_ID, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- CK_ATTRIBUTE *keyclass = &theTemplate[1];
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- /* if you change the array, change the variable below as well */
- CK_OBJECT_HANDLE peerID;
- CK_OBJECT_HANDLE parent;
- PRArenaPool *arena;
- CK_RV crv;
-
- /* now we need to create space for the public key */
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return CK_INVALID_KEY;
-
- crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize);
- if (crv != CKR_OK) {
- PORT_FreeArena(arena,PR_FALSE);
- PORT_SetError( PK11_MapError(crv) );
- return CK_INVALID_KEY;
- }
-
- /*
- * issue the find
- */
- parent = *(CK_OBJECT_CLASS *)(keyclass->pValue);
- *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass;
-
- peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
- PORT_FreeArena(arena,PR_FALSE);
-
- return peerID;
-}
-
-PRBool
-PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
- CK_OBJECT_HANDLE certID)
-{
- CK_OBJECT_CLASS theClass;
-
- if (slot == NULL) return PR_FALSE;
- if (cert == NULL) return PR_FALSE;
-
- theClass = CKO_PRIVATE_KEY;
- if (!PK11_IsLoggedIn(slot,NULL) && PK11_NeedLogin(slot)) {
- theClass = CKO_PUBLIC_KEY;
- }
- if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_KEY) {
- return PR_TRUE;
- }
-
- if (theClass == CKO_PUBLIC_KEY) {
- SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert);
- CK_ATTRIBUTE theTemplate;
-
- if (pubKey == NULL) {
- return PR_FALSE;
- }
-
- PK11_SETATTRS(&theTemplate,0,NULL,0);
- switch (pubKey->keyType) {
- case rsaKey:
- PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
- pubKey->u.rsa.modulus.len);
- break;
- case dsaKey:
- PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data,
- pubKey->u.dsa.publicValue.len);
- case dhKey:
- PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
- pubKey->u.dh.publicValue.len);
- break;
- }
-
- if (theTemplate.ulValueLen == 0) {
- SECKEY_DestroyPublicKey(pubKey);
- return PR_FALSE;
- }
- pk11_SignedToUnsigned(&theTemplate);
- if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_KEY) {
- SECKEY_DestroyPublicKey(pubKey);
- return PR_TRUE;
- }
- SECKEY_DestroyPublicKey(pubKey);
- }
- return PR_FALSE;
-}
-
-/*
- * Check out if a cert has ID of zero. This is a magic ID that tells
- * NSS that this cert may be an automagically trusted cert.
- * The Cert has to be self signed as well. That check is done elsewhere.
- *
- */
-PRBool
-pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID)
-{
- CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0};
- PRBool isZero = PR_FALSE;
- int i;
- CK_RV crv;
-
-
- crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1);
- if (crv != CKR_OK) {
- return isZero;
- }
-
- if (keyID.ulValueLen != 0) {
- char *value = (char *)keyID.pValue;
- isZero = PR_TRUE; /* ID exists, may be zero */
- for (i=0; i < (int) keyID.ulValueLen; i++) {
- if (value[i] != 0) {
- isZero = PR_FALSE; /* nope */
- break;
- }
- }
- }
- PORT_Free(keyID.pValue);
- return isZero;
-
-}
-
-CERTCertificate
-*pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID,
- CK_ATTRIBUTE *privateLabel, char **nickptr)
-{
- CK_ATTRIBUTE certTemp[] = {
- { CKA_ID, NULL, 0 },
- { CKA_VALUE, NULL, 0 },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ATTRIBUTE *id = &certTemp[0];
- CK_ATTRIBUTE *certDER = &certTemp[1];
- CK_ATTRIBUTE *label = &certTemp[2];
- SECItem derCert;
- int csize = sizeof(certTemp)/sizeof(certTemp[0]);
- PRArenaPool *arena;
- char *nickname;
- CERTCertificate *cert;
- CK_RV crv;
-
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return NULL;
- /*
- * grab the der encoding
- */
- crv = PK11_GetAttributes(arena,slot,certID,certTemp,csize);
- if (crv != CKR_OK) {
- PORT_FreeArena(arena,PR_FALSE);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
-
- /*
- * build a certificate out of it
- */
- derCert.data = (unsigned char*)certDER->pValue;
- derCert.len = certDER->ulValueLen;
-
- /* figure out the nickname.... */
- nickname = pk11_buildNickname(slot,label,privateLabel,id);
- cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert, nickname,
- PR_FALSE, PR_TRUE);
- if (nickptr) {
- *nickptr = nickname;
- } else {
- if (nickname) PORT_Free(nickname);
- }
- PORT_FreeArena(arena,PR_FALSE);
- return cert;
-}
-
-/*
- * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
- * Must be a CertObject. This code does not explicitly checks that.
- */
-CERTCertificate *
-PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
- CK_ATTRIBUTE *privateLabel)
-{
- char * nickname = NULL;
- CERTCertificate *cert = NULL;
- CERTCertTrust *trust;
- PRBool isFortezzaRootCA = PR_FALSE;
- PRBool swapNickname = PR_FALSE;
-
- cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
- if (cert == NULL) goto loser;
-
- if (nickname) {
- if (cert->nickname != NULL) {
- cert->dbnickname = cert->nickname;
- }
- cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
- PORT_Free(nickname);
- nickname = NULL;
- swapNickname = PR_TRUE;
- }
-
- /* remember where this cert came from.... If we have just looked
- * it up from the database and it already has a slot, don't add a new
- * one. */
- if (cert->slot == NULL) {
- cert->slot = PK11_ReferenceSlot(slot);
- cert->pkcs11ID = certID;
- cert->ownSlot = PR_TRUE;
- }
-
- if (cert->trust == NULL) {
- unsigned int type;
-
- trust =
- (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
- if (trust == NULL) goto loser;
-
- PORT_Memset(trust,0, sizeof(CERTCertTrust));
- cert->trust = trust;
- /* build some cert trust flags */
- if (CERT_IsCACert(cert, &type)) {
- unsigned int trustflags = CERTDB_VALID_CA;
-
- /* Allow PKCS #11 modules to give us trusted CA's. We only accept
- * valid CA's which are self-signed here. They must have an object
- * ID of '0'. */
- if (pk11_isID0(slot,certID) &&
- SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer)
- == SECEqual) {
- trustflags |= CERTDB_TRUSTED_CA;
- /* is the slot a fortezza card? allow the user or
- * admin to turn on objectSigning, but don't turn
- * full trust on explicitly */
- if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
- trust->objectSigningFlags |= CERTDB_VALID_CA;
- isFortezzaRootCA = PR_TRUE;
- }
- }
- if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
- trust->sslFlags |= trustflags;
- }
- if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
- trust->emailFlags |= trustflags;
- }
- if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA)
- == NS_CERT_TYPE_OBJECT_SIGNING_CA) {
- trust->objectSigningFlags |= trustflags;
- }
- }
- } else {
- trust = cert->trust;
- }
-
- if (PK11_IsUserCert(slot,cert,certID)) {
- trust->sslFlags |= CERTDB_USER;
- trust->emailFlags |= CERTDB_USER;
- /* trust->objectSigningFlags |= CERTDB_USER; */
- }
-
-
- /* if fortezza, write the root cert to the DB */
- if ((isFortezzaRootCA) && (!cert->isperm)) {
- char *name = NULL;
- if (swapNickname) {
- nickname = cert->nickname;
- cert->nickname = cert->dbnickname;
- }
- if (cert->nickname) {
- name = PORT_Strdup(cert->nickname);
- }
- if (name == NULL) name = CERT_MakeCANickname(cert);
- CERT_AddTempCertToPerm(cert,name,cert->trust);
- if (name) PORT_Free(name);
- if (swapNickname) {
- if (cert->nickname != NULL) {
- cert->dbnickname = cert->nickname;
- }
- cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
- }
-
- }
-
- return cert;
-
-loser:
- if (nickname) PORT_Free(nickname);
- if (cert) CERT_DestroyCertificate(cert);
- return NULL;
-}
-
-
-/*
- * Build get a certificate from a private key
- */
-CERTCertificate *
-PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey)
-{
- PK11SlotInfo *slot = privKey->pkcs11Slot;
- CK_OBJECT_HANDLE certID =
- PK11_MatchItem(slot,privKey->pkcs11ID,CKO_CERTIFICATE);
- SECStatus rv;
- CERTCertificate *cert;
-
- if (certID == CK_INVALID_KEY) {
- /* couldn't find it on the card, look in our data base */
- SECItem derSubject;
-
- rv = PK11_ReadAttribute(slot, privKey->pkcs11ID, CKA_SUBJECT, NULL,
- &derSubject);
- if (rv != SECSuccess) {
- PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
- return NULL;
- }
-
- cert = CERT_FindCertByName(CERT_GetDefaultCertDB(),&derSubject);
- PORT_Free(derSubject.data);
- return cert;
- }
- cert = PK11_MakeCertFromHandle(slot,certID,NULL);
- return (cert);
-
-}
-
-/*
- * destroy a private key if there are no matching certs.
- * this function also frees the privKey structure.
- */
-SECStatus
-PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey)
-{
- CERTCertificate *cert=PK11_GetCertFromPrivateKey(privKey);
-
- /* found a cert matching the private key?. */
- if (cert != NULL) {
- /* yes, don't delete the key */
- CERT_DestroyCertificate(cert);
- SECKEY_DestroyPrivateKey(privKey);
- return SECWouldBlock;
- }
- /* now, then it's safe for the key to go away */
- PK11_DestroyTokenObject(privKey->pkcs11Slot,privKey->pkcs11ID);
- SECKEY_DestroyPrivateKey(privKey);
- return SECSuccess;
-}
-
-
-/*
- * delete a cert and it's private key (if no other certs are pointing to the
- * private key.
- */
-SECStatus
-PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx)
-{
- SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx);
- CK_OBJECT_HANDLE pubKey;
- PK11SlotInfo *slot = NULL;
-
- pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx);
- if (privKey) {
- PK11_DestroyTokenObject(cert->slot,cert->pkcs11ID);
- PK11_DeleteTokenPrivateKey(privKey);
- }
- if ((pubKey != CK_INVALID_KEY) && (slot != NULL)) {
- PK11_DestroyTokenObject(slot,pubKey);
- PK11_FreeSlot(slot);
- }
- return SECSuccess;
-}
-
-/*
- * count the number of objects that match the template.
- */
-int
-PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
- int templateCount)
-{
- CK_OBJECT_HANDLE objID[PK11_SEARCH_CHUNKSIZE];
- int object_count = 0;
- CK_ULONG returned_count = 0;
- CK_RV crv;
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
- findTemplate, templateCount);
- if (crv != CKR_OK) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError( PK11_MapError(crv) );
- return 0;
- }
-
- /*
- * collect all the Matching Objects
- */
- do {
- crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
- objID,PK11_SEARCH_CHUNKSIZE,&returned_count);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- break;
- }
- object_count += returned_count;
- } while (returned_count == PK11_SEARCH_CHUNKSIZE);
-
- PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
- PK11_ExitSlotMonitor(slot);
- return object_count;
-}
-
-/*
- * cert callback structure
- */
-typedef struct pk11DoCertCallbackStr {
- SECStatus(* callback)(PK11SlotInfo *slot, CERTCertificate*, void *);
- SECStatus(* noslotcallback)(CERTCertificate*, void *);
- void *callbackArg;
-} pk11DoCertCallback;
-
-/*
- * callback to map object handles to certificate structures.
- */
-SECStatus
-pk11_DoCerts(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, void *arg)
-{
- CERTCertificate *cert;
- pk11DoCertCallback *certcb = (pk11DoCertCallback *) arg;
-
- cert = PK11_MakeCertFromHandle(slot, certID, NULL);
-
- if (cert == NULL) {
- return SECFailure;
- }
-
- if (certcb ) {
- if (certcb->callback) {
- (*certcb->callback)(slot, cert, certcb->callbackArg);
- }
- if (certcb->noslotcallback) {
- (*certcb->noslotcallback)(cert, certcb->callbackArg);
- }
- }
-
- CERT_DestroyCertificate(cert);
-
- return SECSuccess;
-}
-
-
-/*
- * key call back structure.
- */
-typedef struct pk11KeyCallbackStr {
- SECStatus (* callback)(SECKEYPrivateKey *,void *);
- void *callbackArg;
- void *wincx;
-} pk11KeyCallback;
-
-/*
- * callback to map Object Handles to Private Keys;
- */
-SECStatus
-pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg)
-{
- SECStatus rv = SECSuccess;
- SECKEYPrivateKey *privKey;
- pk11KeyCallback *keycb = (pk11KeyCallback *) arg;
-
- privKey = PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,keycb->wincx);
-
- if (privKey == NULL) {
- return SECFailure;
- }
-
- if (keycb && (keycb->callback)) {
- rv = (*keycb->callback)(privKey,keycb->callbackArg);
- }
-
- SECKEY_DestroyPrivateKey(privKey);
- return rv;
-}
-
-
-/* Traverse slots callback */
-typedef struct pk11TraverseSlotStr {
- SECStatus (*callback)(PK11SlotInfo *,CK_OBJECT_HANDLE, void *);
- void *callbackArg;
- CK_ATTRIBUTE *findTemplate;
- int templateCount;
-} pk11TraverseSlotCert;
-
-/*
- * Extract all the certs on a card from a slot.
- */
-SECStatus
-PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
-{
- int i;
- CK_OBJECT_HANDLE *objID = NULL;
- int object_count = 0;
- CK_ULONG returned_count = 0;
- pk11TraverseSlotCert *slotcb = (pk11TraverseSlotCert *) arg;
-
- objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate,
- slotcb->templateCount,&object_count);
-
- /*Actually this isn't a failure... there just were no objs to be found*/
- if (object_count == 0) {
- return SECSuccess;
- }
-
- if (objID == NULL) {
- return SECFailure;
- }
-
- for (i=0; i < object_count; i++) {
- (*slotcb->callback)(slot,objID[i],slotcb->callbackArg);
- }
- PORT_Free(objID);
- return SECSuccess;
-}
-
-typedef struct pk11CertCallbackStr {
- SECStatus(* callback)(CERTCertificate*,SECItem *,void *);
- void *callbackArg;
-} pk11CertCallback;
-
-static SECStatus
-pk11_SaveCert(PK11SlotInfo *slot, CERTCertificate *cert, void *arg)
-{
- pk11CertCallback *certcb = (pk11CertCallback *)arg;
- SECStatus rv = SECSuccess;
-
- if (slot->cert_count == slot->array_size) return CKR_OK;
-
- slot->cert_array[slot->cert_count] = CERT_DupCertificate(cert);
- if (slot->cert_array[slot->cert_count] == NULL) {
- return SECFailure;
- }
- /* now the slot has a hold of the cert, free the slot's element in the
- * cert.. */
- if (cert->ownSlot && (slot == cert->slot)) {
- PK11_FreeSlot(cert->slot);
- cert->ownSlot = PR_FALSE;
- }
- slot->cert_count++;
-
- if (certcb->callback) {
- rv = (*certcb->callback)(cert, NULL, certcb->callbackArg);
- }
- return rv;
-}
-
-
-/* free the slots */
-void
-PK11_FreeSlotCerts(PK11SlotInfo *slot)
-{
- int i;
-
- if (slot->cert_array) {
- for (i=0; i < slot->cert_count; i++) {
- /* if we point the cert on our array, the cert doesn't have a
- * reference to use (otherwise you would never be able to free
- * a slot :) */
- if ((slot->cert_array[i]->slot == slot) &&
- (!slot->cert_array[i]->ownSlot)) {
- slot->cert_array[i]->slot = NULL;
- }
- CERT_DestroyCertificate(slot->cert_array[i]);
- }
- PORT_Free(slot->cert_array);
- slot->cert_array = NULL;
- slot->cert_count = 0;
- }
- return;
-}
-
-/*
- * Update PQG parameters for all the certs on a slot.
- */
-static SECStatus
-pk11_UpdateSlotPQG(PK11SlotInfo *slot)
-{
- int i, tag;
- CERTCertificate * cert;
- SECOidData *oid;
- SECStatus rv1 = SECSuccess;
- SECStatus rv2 = SECSuccess;
-
- if (slot->cert_array) {
- for (i=0; i < slot->cert_count; i++) {
-
- cert = slot->cert_array[i];
-
- oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
-
- if (oid != NULL) {
- tag = oid->offset;
-
- /* Check if cert has a DSA or Fortezza public key */
- if ( (tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
- (tag == SEC_OID_MISSI_DSS_OLD) ||
- (tag == SEC_OID_MISSI_KEA_DSS) ||
- (tag == SEC_OID_MISSI_DSS) ||
- (tag == SEC_OID_ANSIX9_DSA_SIGNATURE) ||
- (tag == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) ||
- (tag == SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ) {
-
- /* update PQG parameters */
-
- rv1 = SECKEY_UpdateCertPQG(cert);
- if (rv1 == SECFailure) {
- rv2 = rv1;
- }
- }
- } /* end of if oid != NULL */
- } /* end of for loop */
- }
- return rv2;
-}
-
-
-/*
- * Extract all the certs on a card from a slot.
- */
-static SECStatus
-pk11_ExtractCertsFromSlot(PK11SlotInfo *slot, void *arg)
-{
- pk11TraverseSlotCert *slotcb = (pk11TraverseSlotCert *) arg;
- int object_count;
- SECStatus rv;
-
- rv = SECSuccess;
-
- PK11_FreeSlotCerts(slot);
-
- object_count = PK11_NumberObjectsFor(slot,slotcb->findTemplate,
- slotcb->templateCount);
-
- /*Actually this isn't a failure... there just were no certs to be found*/
- if (object_count == 0) {
- return SECSuccess;
- }
-
- slot->cert_array = (CERTCertificate **)
- PORT_Alloc(sizeof(CERTCertificate *)*object_count);
- if (slot->cert_array == NULL) {
- return SECFailure;
- }
- slot->cert_count = 0;
- slot->array_size = object_count;
- PK11_TraverseSlot(slot,arg);
-
- /* Update the PQG parameters for the extracted certs. */
- rv = pk11_UpdateSlotPQG(slot);
-
- return rv;
-}
-
-/*
- * read all the certs from a slot
- */
-SECStatus
-PK11_ReadSlotCerts(PK11SlotInfo *slot)
-{
-
- /* build slot list */
- pk11CertCallback caller;
- pk11DoCertCallback saver;
- pk11TraverseSlotCert creater;
- CK_ATTRIBUTE theTemplate;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-
- PK11_SETATTRS(&theTemplate, CKA_CLASS, &certClass, sizeof(certClass));
-
- caller.callback = NULL;
- caller.callbackArg = NULL;
- saver.callback = pk11_SaveCert;
- saver.noslotcallback = NULL;
- saver.callbackArg = (void *) & caller;
- creater.callback = pk11_DoCerts;
- creater.callbackArg = (void *) & saver;
- creater.findTemplate = &theTemplate;
- creater.templateCount = 1;
-
- return pk11_ExtractCertsFromSlot(slot, &creater);
-}
-
-/*
- * Extract all the certs on a card from a slot.
- */
-static SECStatus
-pk11_TraverseAllSlots(PRBool loadCerts,
- SECStatus (*callback)(PK11SlotInfo *,void *),void *arg,void *wincx) {
-
- PK11SlotList *list;
- PK11SlotListElement *le;
- SECStatus rv;
-
- /* get them all! */
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,loadCerts,wincx);
- if (list == NULL) return SECFailure;
-
- /* look at each slot and authenticate as necessary */
- for (le = list->head ; le; le = le->next) {
- /* don't nab internal slots */
- if ((!loadCerts) && le->slot->isInternal == PR_TRUE) {
- continue;
- }
- if (loadCerts || !PK11_IsFriendly(le->slot)) {
- rv = PK11_Authenticate(le->slot, loadCerts, wincx);
- if (rv != SECSuccess) continue;
- }
- (*callback)(le->slot,arg);
- }
-
- PK11_FreeSlotList(list);
-
- return SECSuccess;
-}
-
-/*
- * Extract all the certs on a card from a slot.
- */
-SECStatus
-PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
- void *arg, void *wincx) {
- pk11CertCallback caller;
- pk11DoCertCallback saver;
- pk11TraverseSlotCert creater;
- CK_ATTRIBUTE theTemplate;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-
- PK11_SETATTRS(&theTemplate, CKA_CLASS, &certClass, sizeof(certClass));
-
- caller.callback = callback;
- caller.callbackArg = arg;
- saver.callback = pk11_SaveCert;
- saver.noslotcallback = NULL;
- saver.callbackArg = (void *) & caller;
- creater.callback = pk11_DoCerts;
- creater.callbackArg = (void *) & saver;
- creater.findTemplate = &theTemplate;
- creater.templateCount = 1;
-
- return pk11_TraverseAllSlots(PR_FALSE, pk11_ExtractCertsFromSlot,
- &creater, wincx);
-}
-
-CK_OBJECT_HANDLE *
-PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
- CK_OBJECT_CLASS objclass, int *returnCount, void *wincx) {
- char *tokenName;
- char *delimit;
- PK11SlotInfo *slot;
- CK_OBJECT_HANDLE *objID;
- CK_ATTRIBUTE findTemplate[] = {
- { CKA_LABEL, NULL, 0},
- { CKA_CLASS, NULL, 0},
- };
- int findCount = sizeof(findTemplate)/sizeof(findTemplate[0]);
- SECStatus rv;
- PK11_SETATTRS(&findTemplate[1], CKA_CLASS, &objclass, sizeof(objclass));
-
- *slotptr = slot = NULL;
- *returnCount = 0;
- /* first find the slot associated with this nickname */
- if ((delimit = PORT_Strchr(nickname,':')) != NULL) {
- int len = delimit - nickname;
- tokenName = (char*)PORT_Alloc(len+1);
- PORT_Memcpy(tokenName,nickname,len);
- tokenName[len] = 0;
-
- slot = *slotptr = PK11_FindSlotByName(tokenName);
- PORT_Free(tokenName);
- /* if we couldn't find a slot, assume the nickname is an internal cert
- * with no proceding slot name */
- if (slot == NULL) {
- slot = *slotptr = PK11_GetInternalKeySlot();
- } else {
- nickname = delimit+1;
- }
- } else {
- *slotptr = slot = PK11_GetInternalKeySlot();
- }
- if (slot == NULL) {
- return CK_INVALID_KEY;
- }
-
- if (!PK11_IsFriendly(slot)) {
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) {
- PK11_FreeSlot(slot);
- *slotptr = NULL;
- return CK_INVALID_KEY;
- }
- }
-
- findTemplate[0].pValue = nickname;
- findTemplate[0].ulValueLen = PORT_Strlen(nickname);
- objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,returnCount);
- if (objID == NULL) {
- /* PKCS #11 isn't clear on whether or not the NULL is
- * stored in the template.... try the find again with the
- * full null terminated string. */
- findTemplate[0].ulValueLen += 1;
- objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,
- returnCount);
- if (objID == NULL) {
- /* Well that's the best we can do. It's just not here */
- /* what about faked nicknames? */
- PK11_FreeSlot(slot);
- *slotptr = NULL;
- *returnCount = 0;
- }
- }
-
- return objID;
-}
-
-
-CERTCertificate *
-PK11_FindCertFromNickname(char *nickname, void *wincx) {
- PK11SlotInfo *slot;
- int count=0;
- CK_OBJECT_HANDLE *certID = PK11_FindObjectsFromNickname(nickname,&slot,
- CKO_CERTIFICATE, &count, wincx);
- CERTCertificate *cert;
-
- if (certID == CK_INVALID_KEY) return NULL;
- cert = PK11_MakeCertFromHandle(slot,certID[0],NULL);
- PK11_FreeSlot(slot);
- PORT_Free(certID);
- return cert;
-}
-
-CERTCertList *
-PK11_FindCertsFromNickname(char *nickname, void *wincx) {
- PK11SlotInfo *slot;
- int i,count = 0;
- CK_OBJECT_HANDLE *certID = PK11_FindObjectsFromNickname(nickname,&slot,
- CKO_CERTIFICATE, &count, wincx);
- CERTCertList *certList = NULL;
-
- if (certID == NULL) return NULL;
-
- certList= CERT_NewCertList();
-
- for (i=0; i < count; i++) {
- CERTCertificate *cert = PK11_MakeCertFromHandle(slot,certID[i],NULL);
-
- if (cert) CERT_AddCertToListTail(certList,cert);
- }
-
- if (CERT_LIST_HEAD(certList) == NULL) {
- CERT_DestroyCertList(certList);
- certList = NULL;
- }
- PK11_FreeSlot(slot);
- PORT_Free(certID);
- return certList;
-}
-
-/*
- * extract a key ID for a certificate...
- * NOTE: We call this function from PKCS11.c If we ever use
- * pkcs11 to extract the public key (we currently do not), this will break.
- */
-SECItem *
-PK11_GetPubIndexKeyID(CERTCertificate *cert) {
- SECKEYPublicKey *pubk;
- SECItem *newItem = NULL;
-
- pubk = CERT_ExtractPublicKey(cert);
- if (pubk == NULL) return NULL;
-
- switch (pubk->keyType) {
- case rsaKey:
- newItem = SECITEM_DupItem(&pubk->u.rsa.modulus);
- break;
- case dsaKey:
- newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue);
- break;
- case dhKey:
- newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
- case fortezzaKey:
- default:
- newItem = NULL; /* Fortezza Fix later... */
- }
- SECKEY_DestroyPublicKey(pubk);
- /* make hash of it */
- return newItem;
-}
-
-/*
- * generate a CKA_ID from a certificate.
- */
-SECItem *
-pk11_mkcertKeyID(CERTCertificate *cert) {
- SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
- SECItem *certCKA_ID;
-
- if (pubKeyData == NULL) return NULL;
-
- certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData);
- SECITEM_FreeItem(pubKeyData,PR_TRUE);
- return certCKA_ID;
-}
-
-
-/*
- * Generate a CKA_ID from the relevant public key data. The CKA_ID is generated
- * from the pubKeyData by SHA1_Hashing it to produce a smaller CKA_ID (to make
- * smart cards happy.
- */
-SECItem *
-PK11_MakeIDFromPubKey(SECItem *pubKeyData) {
- PK11Context *context;
- SECItem *certCKA_ID;
- SECStatus rv;
-
- context = PK11_CreateDigestContext(SEC_OID_SHA1);
- if (context == NULL) {
- return NULL;
- }
-
- rv = PK11_DigestBegin(context);
- if (rv == SECSuccess) {
- rv = PK11_DigestOp(context,pubKeyData->data,pubKeyData->len);
- }
- if (rv != SECSuccess) {
- PK11_DestroyContext(context,PR_TRUE);
- return NULL;
- }
-
- certCKA_ID = (SECItem *)PORT_Alloc(sizeof(SECItem));
- if (certCKA_ID == NULL) {
- PK11_DestroyContext(context,PR_TRUE);
- return NULL;
- }
-
- certCKA_ID->len = SHA1_LENGTH;
- certCKA_ID->data = (unsigned char*)PORT_Alloc(certCKA_ID->len);
- if (certCKA_ID->data == NULL) {
- PORT_Free(certCKA_ID);
- PK11_DestroyContext(context,PR_TRUE);
- return NULL;
- }
-
- rv = PK11_DigestFinal(context,certCKA_ID->data,&certCKA_ID->len,
- SHA1_LENGTH);
- PK11_DestroyContext(context,PR_TRUE);
- if (rv != SECSuccess) {
- SECITEM_FreeItem(certCKA_ID,PR_TRUE);
- return NULL;
- }
-
- return certCKA_ID;
-}
-
-/*
- * Write the cert into the token.
- */
-SECStatus
-PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
- CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) {
- int len = 0;
- SECItem *keyID = pk11_mkcertKeyID(cert);
- CK_ATTRIBUTE keyAttrs[] = {
- { CKA_LABEL, NULL, 0},
- { CKA_SUBJECT, NULL, 0},
- };
- CK_OBJECT_CLASS certc = CKO_CERTIFICATE;
- CK_CERTIFICATE_TYPE certType = CKC_X_509;
- CK_OBJECT_HANDLE certID;
- CK_SESSION_HANDLE rwsession;
- CK_BBOOL cktrue = CK_TRUE;
- SECStatus rv = SECFailure;
- CK_ATTRIBUTE certAttrs[] = {
- { CKA_ID, NULL, 0 },
- { CKA_LABEL, NULL, 0},
- { CKA_CLASS, NULL, 0},
- { CKA_TOKEN, NULL, 0},
- { CKA_CERTIFICATE_TYPE, NULL, 0},
- { CKA_SUBJECT, NULL, 0},
- { CKA_ISSUER, NULL, 0},
- { CKA_SERIAL_NUMBER, NULL, 0},
- { CKA_VALUE, NULL, 0},
- { CKA_NETSCAPE_TRUST, NULL, 0},
- };
- int certCount = sizeof(certAttrs)/sizeof(certAttrs[0]), keyCount = 2;
- CK_ATTRIBUTE *attrs;
- CK_RV crv;
- SECCertUsage *certUsage = NULL;
-
- if (keyID == NULL) {
- PORT_SetError(SEC_ERROR_ADDING_CERT);
- return rv;
- }
-
- len = ((nickname) ? PORT_Strlen(nickname) : 0);
-
- attrs = certAttrs;
- PK11_SETATTRS(attrs,CKA_ID, keyID->data, keyID->len); attrs++;
- if(nickname) {
- PK11_SETATTRS(attrs,CKA_LABEL, nickname, len ); attrs++;
- }
- PK11_SETATTRS(attrs,CKA_CLASS, &certc, sizeof(certc) ); attrs++;
- PK11_SETATTRS(attrs,CKA_TOKEN, &cktrue, sizeof(cktrue) ); attrs++;
- PK11_SETATTRS(attrs,CKA_CERTIFICATE_TYPE, &certType,
- sizeof(certType)); attrs++;
- PK11_SETATTRS(attrs,CKA_SUBJECT, cert->derSubject.data,
- cert->derSubject.len ); attrs++;
- PK11_SETATTRS(attrs,CKA_ISSUER, cert->derIssuer.data,
- cert->derIssuer.len ); attrs++;
- PK11_SETATTRS(attrs,CKA_SERIAL_NUMBER, cert->serialNumber.data,
- cert->serialNumber.len); attrs++;
- PK11_SETATTRS(attrs,CKA_VALUE, cert->derCert.data, cert->derCert.len);
- if(includeTrust && PK11_IsInternal(slot)) {
- attrs++;
- certUsage = (SECCertUsage*)PORT_Alloc(sizeof(SECCertUsage));
- if(!certUsage) {
- SECITEM_FreeItem(keyID,PR_TRUE);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return rv;
- }
- *certUsage = certUsageUserCertImport;
- PK11_SETATTRS(attrs,CKA_NETSCAPE_TRUST, certUsage, sizeof(SECCertUsage));
- } else {
- certCount--;
- }
-
- attrs = keyAttrs;
- if(nickname) {
- PK11_SETATTRS(attrs,CKA_LABEL, nickname, len ); attrs++;
- }
- PK11_SETATTRS(attrs,CKA_SUBJECT, cert->derSubject.data,
- cert->derSubject.len );
-
- if(!nickname) {
- certCount--;
- keyCount--;
- }
-
- rwsession = PK11_GetRWSession(slot);
- crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession,key,keyAttrs,
- keyCount);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- goto done;
- }
-
- crv = PK11_GETTAB(slot)->
- C_CreateObject(rwsession,certAttrs,certCount,&certID);
- if (crv == CKR_OK) {
- rv = SECSuccess;
- } else {
- PORT_SetError( PK11_MapError(crv) );
- }
-
-done:
- SECITEM_FreeItem(keyID,PR_TRUE);
- PK11_RestoreROSession(slot,rwsession);
- if(certUsage) {
- PORT_Free(certUsage);
- }
- return rv;
-
-}
-
-/*
- * get a certificate handle, look at the cached handle first..
- */
-CK_OBJECT_HANDLE
-pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
- CK_ATTRIBUTE *theTemplate,int tsize)
-{
- CK_OBJECT_HANDLE certh;
-
- if (cert->slot == slot) {
- certh = cert->pkcs11ID;
- if (certh == CK_INVALID_KEY) {
- certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
- cert->pkcs11ID = certh;
- }
- } else {
- certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
- }
- return certh;
-}
-
-/*
- * return the private key From a given Cert
- */
-SECKEYPrivateKey *
-PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
- void *wincx) {
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_VALUE, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_OBJECT_HANDLE certh;
- CK_OBJECT_HANDLE keyh;
- CK_ATTRIBUTE *attrs = theTemplate;
- SECStatus rv;
-
- PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
- cert->derCert.len); attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
- /*
- * issue the find
- */
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) {
- return NULL;
- }
-
- certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
- if (certh == CK_INVALID_KEY) {
- return NULL;
- }
- keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
- if (keyh == CK_INVALID_KEY) { return NULL; }
- return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx);
-}
-
-
-/*
- * return the private key with the given ID
- */
-static CK_OBJECT_HANDLE
-pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID) {
- CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_ID, NULL, 0 },
- { CKA_CLASS, NULL, 0 },
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_ATTRIBUTE *attrs = theTemplate;
-
- PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len ); attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &privKey, sizeof(privKey));
-
- return pk11_FindObjectByTemplate(slot,theTemplate,tsize);
-}
-
-/*
- * import a cert for a private key we have already generated. Set the label
- * on both to be the nickname. This is for the Key Gen, orphaned key case.
- */
-PK11SlotInfo *
-PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr,
- void *wincx) {
- PK11SlotList *list;
- PK11SlotListElement *le;
- SECItem *keyID;
- CK_OBJECT_HANDLE key;
- PK11SlotInfo *slot = NULL;
- SECStatus rv;
-
- keyID = pk11_mkcertKeyID(cert);
- /* get them all! */
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
- if ((keyID == NULL) || (list == NULL)) {
- if (keyID) SECITEM_FreeItem(keyID,PR_TRUE);
- if (list) PK11_FreeSlotList(list);
- return NULL;
- }
-
- /* Look for the slot that holds the Key */
- for (le = list->head ; le; le = le->next) {
- rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
- if (rv != SECSuccess) continue;
-
- key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
- if (key != CK_INVALID_KEY) {
- slot = PK11_ReferenceSlot(le->slot);
- if (keyPtr) *keyPtr = key;
- break;
- }
- }
-
- SECITEM_FreeItem(keyID,PR_TRUE);
- PK11_FreeSlotList(list);
- return slot;
-
-}
-
-PK11SlotInfo *
-PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) {
- PK11SlotInfo *slot = NULL;
- CK_OBJECT_HANDLE key;
-
- slot = PK11_KeyForCertExists(cert,&key,wincx);
-
- if (slot) {
- if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) {
- PK11_FreeSlot(slot);
- slot = NULL;
- }
- } else {
- PORT_SetError(SEC_ERROR_ADDING_CERT);
- }
-
- return slot;
-}
-
-static CK_OBJECT_HANDLE
-pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr,
- CK_ATTRIBUTE *searchTemplate, int count, void *wincx) {
- PK11SlotList *list;
- PK11SlotListElement *le;
- CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
- PK11SlotInfo *slot = NULL;
- SECStatus rv;
-
- *slotPtr = NULL;
-
- /* get them all! */
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
- if (list == NULL) {
- if (list) PK11_FreeSlotList(list);
- return CK_INVALID_KEY;
- }
-
-
- /* Look for the slot that holds the Key */
- for (le = list->head ; le; le = le->next) {
- if (!PK11_IsFriendly(le->slot)) {
- rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
- if (rv != SECSuccess) continue;
- }
-
- certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count);
- if (certHandle != CK_INVALID_KEY) {
- slot = PK11_ReferenceSlot(le->slot);
- break;
- }
- }
-
- PK11_FreeSlotList(list);
-
- if (slot == NULL) {
- return CK_INVALID_KEY;
- }
- *slotPtr = slot;
- return certHandle;
-}
-
-
-/*
- * We're looking for a cert which we have the private key for that's on the
- * list of recipients. This searches one slot.
- * this is the new version for NSS SMIME code
- * this stuff should REALLY be in the SMIME code, but some things in here are not public
- * (they should be!)
- */
-static CK_OBJECT_HANDLE
-pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex)
-{
- CK_OBJECT_HANDLE certHandle;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_OBJECT_CLASS peerClass ;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_ISSUER, NULL, 0 },
- { CKA_SERIAL_NUMBER, NULL, 0}
- };
- int count = sizeof(searchTemplate)/sizeof(CK_ATTRIBUTE);
- NSSCMSRecipient *ri = NULL;
- CK_ATTRIBUTE *attrs;
- int i;
-
- peerClass = CKO_PRIVATE_KEY;
- if (!PK11_IsLoggedIn(slot,NULL) && PK11_NeedLogin(slot)) {
- peerClass = CKO_PUBLIC_KEY;
- }
-
- for (i=0; (ri = recipientlist[i]) != NULL; i++) {
- /* XXXXX fixme - not yet implemented! */
- if (ri->kind == RLSubjKeyID)
- continue;
-
- attrs = searchTemplate;
-
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass,sizeof(certClass)); attrs++;
- PK11_SETATTRS(attrs, CKA_ISSUER, ri->id.issuerAndSN->derIssuer.data,
- ri->id.issuerAndSN->derIssuer.len); attrs++;
- PK11_SETATTRS(attrs, CKA_SERIAL_NUMBER,
- ri->id.issuerAndSN->serialNumber.data,ri->id.issuerAndSN->serialNumber.len);
-
- certHandle = pk11_FindObjectByTemplate(slot,searchTemplate,count);
- if (certHandle != CK_INVALID_KEY) {
- CERTCertificate *cert = pk11_fastCert(slot,certHandle,NULL,NULL);
- if (PK11_IsUserCert(slot,cert,certHandle)) {
- /* we've found a cert handle, now let's see if there is a key
- * associated with it... */
- ri->slot = PK11_ReferenceSlot(slot);
- *rlIndex = i;
-
- CERT_DestroyCertificate(cert);
- return certHandle;
- }
- CERT_DestroyCertificate(cert);
- }
- }
- *rlIndex = -1;
- return CK_INVALID_KEY;
-}
-
-/*
- * This function is the same as above, but it searches all the slots.
- * this is the new version for NSS SMIME code
- * this stuff should REALLY be in the SMIME code, but some things in here are not public
- * (they should be!)
- */
-static CK_OBJECT_HANDLE
-pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *wincx, int *rlIndex)
-{
- PK11SlotList *list;
- PK11SlotListElement *le;
- CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
- PK11SlotInfo *slot = NULL;
- SECStatus rv;
-
- /* get them all! */
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
- if (list == NULL) {
- if (list) PK11_FreeSlotList(list);
- return CK_INVALID_KEY;
- }
-
- /* Look for the slot that holds the Key */
- for (le = list->head ; le; le = le->next) {
- if ( !PK11_IsFriendly(le->slot)) {
- rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
- if (rv != SECSuccess) continue;
- }
-
- certHandle = pk11_FindCertObjectByRecipientNew(le->slot, recipientlist, rlIndex);
- if (certHandle != CK_INVALID_KEY)
- break;
- }
-
- PK11_FreeSlotList(list);
-
- return (le == NULL) ? CK_INVALID_KEY : certHandle;
-}
-
-/*
- * We're looking for a cert which we have the private key for that's on the
- * list of recipients. This searches one slot.
- */
-static CK_OBJECT_HANDLE
-pk11_FindCertObjectByRecipient(PK11SlotInfo *slot,
- SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip)
-{
- CK_OBJECT_HANDLE certHandle;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_OBJECT_CLASS peerClass ;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_ISSUER, NULL, 0 },
- { CKA_SERIAL_NUMBER, NULL, 0}
- };
- int count = sizeof(searchTemplate)/sizeof(CK_ATTRIBUTE);
- SEC_PKCS7RecipientInfo *ri = NULL;
- CK_ATTRIBUTE *attrs;
- int i;
-
-
- peerClass = CKO_PRIVATE_KEY;
- if (!PK11_IsLoggedIn(slot,NULL) && PK11_NeedLogin(slot)) {
- peerClass = CKO_PUBLIC_KEY;
- }
-
- for (i=0; (ri = recipientArray[i]) != NULL; i++) {
- attrs = searchTemplate;
-
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass,sizeof(certClass)); attrs++;
- PK11_SETATTRS(attrs, CKA_ISSUER, ri->issuerAndSN->derIssuer.data,
- ri->issuerAndSN->derIssuer.len); attrs++;
- PK11_SETATTRS(attrs, CKA_SERIAL_NUMBER,
- ri->issuerAndSN->serialNumber.data,ri->issuerAndSN->serialNumber.len);
-
- certHandle = pk11_FindObjectByTemplate(slot,searchTemplate,count);
- if (certHandle != CK_INVALID_KEY) {
- CERTCertificate *cert = pk11_fastCert(slot,certHandle,NULL,NULL);
- if (PK11_IsUserCert(slot,cert,certHandle)) {
- /* we've found a cert handle, now let's see if there is a key
- * associated with it... */
- *rip = ri;
-
- CERT_DestroyCertificate(cert);
- return certHandle;
- }
- CERT_DestroyCertificate(cert);
- }
- }
- *rip = NULL;
- return CK_INVALID_KEY;
-}
-
-/*
- * This function is the same as above, but it searches all the slots.
- */
-static CK_OBJECT_HANDLE
-pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr,
- SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip,
- void *wincx) {
- PK11SlotList *list;
- PK11SlotListElement *le;
- CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
- PK11SlotInfo *slot = NULL;
- SECStatus rv;
-
- *slotPtr = NULL;
-
- /* get them all! */
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
- if (list == NULL) {
- if (list) PK11_FreeSlotList(list);
- return CK_INVALID_KEY;
- }
-
- *rip = NULL;
-
- /* Look for the slot that holds the Key */
- for (le = list->head ; le; le = le->next) {
- if ( !PK11_IsFriendly(le->slot)) {
- rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
- if (rv != SECSuccess) continue;
- }
-
- certHandle = pk11_FindCertObjectByRecipient(le->slot,
- recipientArray,rip);
- if (certHandle != CK_INVALID_KEY) {
- slot = PK11_ReferenceSlot(le->slot);
- break;
- }
- }
-
- PK11_FreeSlotList(list);
-
- if (slot == NULL) {
- return CK_INVALID_KEY;
- }
- *slotPtr = slot;
- return certHandle;
-}
-
-/*
- * We need to invert the search logic for PKCS 7 because if we search for
- * each cert on the list over all the slots, we wind up with lots of spurious
- * password prompts. This way we get only one password prompt per slot, at
- * the max, and most of the time we can find the cert, and only prompt for
- * the key...
- */
-CERTCertificate *
-PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr,
- SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
- SECKEYPrivateKey**privKey, void *wincx)
-{
- CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
- CK_OBJECT_HANDLE keyHandle = CK_INVALID_KEY;
- PK11SlotInfo *slot = NULL;
- CERTCertificate *cert = NULL;
- SECStatus rv;
-
- *privKey = NULL;
- certHandle = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx);
- if (certHandle == CK_INVALID_KEY) {
- return NULL;
- }
-
- rv = PK11_Authenticate(*slotPtr,PR_TRUE,wincx);
- if (rv != SECSuccess) {
- PK11_FreeSlot(*slotPtr);
- *slotPtr = NULL;
- return NULL;
- }
-
- keyHandle = PK11_MatchItem(*slotPtr,certHandle,CKO_PRIVATE_KEY);
- if (keyHandle == CK_INVALID_KEY) {
- PK11_FreeSlot(*slotPtr);
- *slotPtr = NULL;
- return NULL;
- }
-
- *privKey = PK11_MakePrivKey(*slotPtr, nullKey, PR_TRUE, keyHandle, wincx);
- if (*privKey == NULL) {
- PK11_FreeSlot(*slotPtr);
- *slotPtr = NULL;
- return NULL;
- }
- cert = PK11_MakeCertFromHandle(*slotPtr,certHandle,NULL);
- if (cert == NULL) {
- PK11_FreeSlot(*slotPtr);
- SECKEY_DestroyPrivateKey(*privKey);
- *slotPtr = NULL;
- *privKey = NULL;
- return NULL;
- }
- return cert;
-}
-
-/*
- * This is the new version of the above function for NSS SMIME code
- * this stuff should REALLY be in the SMIME code, but some things in here are not public
- * (they should be!)
- */
-int
-PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *wincx)
-{
- CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
- CK_OBJECT_HANDLE keyHandle = CK_INVALID_KEY;
- SECStatus rv;
- NSSCMSRecipient *rl;
- int rlIndex;
-
- certHandle = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex);
- if (certHandle == CK_INVALID_KEY) {
- return NULL;
- }
-
- rl = recipientlist[rlIndex];
-
- /* at this point, rl->slot is set */
-
- /* authenticate to the token */
- if (PK11_Authenticate(rl->slot, PR_TRUE, wincx) != SECSuccess) {
- PK11_FreeSlot(rl->slot);
- rl->slot = NULL;
- return -1;
- }
-
- /* try to get a private key handle for the cert we found */
- keyHandle = PK11_MatchItem(rl->slot, certHandle, CKO_PRIVATE_KEY);
- if (keyHandle == CK_INVALID_KEY) {
- PK11_FreeSlot(rl->slot);
- rl->slot = NULL;
- return -1;
- }
-
- /* make a private key out of the handle */
- rl->privkey = PK11_MakePrivKey(rl->slot, nullKey, PR_TRUE, keyHandle, wincx);
- if (rl->privkey == NULL) {
- PK11_FreeSlot(rl->slot);
- rl->slot = NULL;
- return -1;
- }
- /* make a cert from the cert handle */
- rl->cert = PK11_MakeCertFromHandle(rl->slot, certHandle, NULL);
- if (rl->cert == NULL) {
- PK11_FreeSlot(rl->slot);
- SECKEY_DestroyPrivateKey(rl->privkey);
- rl->slot = NULL;
- rl->privkey = NULL;
- return NULL;
- }
- return rlIndex;
-}
-
-CERTCertificate *
-PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN,
- void *wincx)
-{
- CK_OBJECT_HANDLE certHandle;
- CERTCertificate *cert = NULL;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_ISSUER, NULL, 0 },
- { CKA_SERIAL_NUMBER, NULL, 0}
- };
- int count = sizeof(searchTemplate)/sizeof(CK_ATTRIBUTE);
- CK_ATTRIBUTE *attrs = searchTemplate;
-
- PK11_SETATTRS(attrs, CKA_ISSUER, issuerSN->derIssuer.data,
- issuerSN->derIssuer.len); attrs++;
- PK11_SETATTRS(attrs, CKA_SERIAL_NUMBER, issuerSN->serialNumber.data,
- issuerSN->serialNumber.len);
-
- certHandle = pk11_FindCertObjectByTemplate
- (slotPtr,searchTemplate,count,wincx);
- if (certHandle == CK_INVALID_KEY) {
- return NULL;
- }
- cert = PK11_MakeCertFromHandle(*slotPtr,certHandle,NULL);
- if (cert == NULL) {
- PK11_FreeSlot(*slotPtr);
- return NULL;
- }
- return cert;
-}
-
-CK_OBJECT_HANDLE
-PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
-{
- CK_OBJECT_HANDLE certHandle;
- CK_ATTRIBUTE searchTemplate = { CKA_VALUE, NULL, 0 };
-
- PK11_SETATTRS(&searchTemplate, CKA_VALUE, cert->derCert.data,
- cert->derCert.len);
-
- if (cert->slot) {
- certHandle = pk11_getcerthandle(cert->slot,cert,&searchTemplate,1);
- if (certHandle != CK_INVALID_KEY) {
- *pSlot = PK11_ReferenceSlot(cert->slot);
- return certHandle;
- }
- }
-
- certHandle = pk11_FindCertObjectByTemplate(pSlot,&searchTemplate,1,wincx);
- if (certHandle != CK_INVALID_KEY) {
- if (cert->slot == NULL) {
- cert->slot = PK11_ReferenceSlot(*pSlot);
- cert->pkcs11ID = certHandle;
- cert->ownSlot = PR_FALSE;
- }
- }
-
- return(certHandle);
-}
-
-SECKEYPrivateKey *
-PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
-{
- CK_OBJECT_HANDLE certHandle;
- CK_OBJECT_HANDLE keyHandle;
- PK11SlotInfo *slot = NULL;
- SECKEYPrivateKey *privKey;
- SECStatus rv;
-
- certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
- if (certHandle == CK_INVALID_KEY) {
- return NULL;
- }
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) {
- PK11_FreeSlot(slot);
- return NULL;
- }
- keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
- if (keyHandle == CK_INVALID_KEY) {
- PK11_FreeSlot(slot);
- return NULL;
- }
- privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
- PK11_FreeSlot(slot);
- return privKey;
-}
-
-CK_OBJECT_HANDLE
-pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx)
-{
- CK_OBJECT_HANDLE certHandle;
- CK_OBJECT_HANDLE keyHandle;
-
- certHandle = PK11_FindObjectForCert(cert, wincx, slot);
- if (certHandle == CK_INVALID_KEY) {
- return CK_INVALID_KEY;
- }
- keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY);
- if (keyHandle == CK_INVALID_KEY) {
- PK11_FreeSlot(*slot);
- return CK_INVALID_KEY;
- }
- return keyHandle;
-}
-
-SECKEYPrivateKey *
-PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx)
-{
- CK_OBJECT_HANDLE keyHandle;
- SECKEYPrivateKey *privKey;
-
- keyHandle = pk11_FindPrivateKeyFromCertID(slot, keyID);
- if (keyHandle == CK_INVALID_KEY) {
- return NULL;
- }
- privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
- return privKey;
-}
-
-/*
- * find the number of certs in the slot with the same subject name
- */
-int
-PK11_NumberCertsForCertSubject(CERTCertificate *cert)
-{
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_SUBJECT, NULL, 0 },
- };
- CK_ATTRIBUTE *attr = theTemplate;
- int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-
- PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
- PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
-
- if ((cert->slot == NULL) || (cert->slot->isInternal)) {
- return 0;
- }
-
- return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize);
-}
-
-/*
- * Walk all the certs with the same subject
- */
-SECStatus
-PK11_TraverseCertsForSubject(CERTCertificate *cert,
- SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
- if(!cert) {
- return SECFailure;
- }
-
- return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg);
-}
-
-SECStatus
-PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
- SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
- pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_SUBJECT, NULL, 0 },
- };
- CK_ATTRIBUTE *attr = theTemplate;
- int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-
- PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
- PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
-
- if ((slot == NULL) || (slot->isInternal)) {
- return SECSuccess;
- }
- caller.noslotcallback = callback;
- caller.callback = NULL;
- caller.callbackArg = arg;
- callarg.callback = pk11_DoCerts;
- callarg.callbackArg = (void *) & caller;
- callarg.findTemplate = theTemplate;
- callarg.templateCount = templateSize;
-
- return PK11_TraverseSlot(slot, &callarg);
-}
-
-SECStatus
-PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
- SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
- pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_LABEL, NULL, 0 },
- };
- CK_ATTRIBUTE *attr = theTemplate;
- int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-
- if(!nickname) {
- return SECSuccess;
- }
-
- PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
- PK11_SETATTRS(attr,CKA_LABEL,nickname->data,nickname->len);
-
- if ((slot == NULL) || (slot->isInternal)) {
- return SECSuccess;
- }
-
- caller.noslotcallback = callback;
- caller.callback = NULL;
- caller.callbackArg = arg;
- callarg.callback = pk11_DoCerts;
- callarg.callbackArg = (void *) & caller;
- callarg.findTemplate = theTemplate;
- callarg.templateCount = templateSize;
-
- return PK11_TraverseSlot(slot, &callarg);
-}
-
-SECStatus
-PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
- SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
- pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- };
- CK_ATTRIBUTE *attr = theTemplate;
- int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-
- PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
-
- if (slot == NULL) {
- return SECSuccess;
- }
-
- caller.noslotcallback = callback;
- caller.callback = NULL;
- caller.callbackArg = arg;
- callarg.callback = pk11_DoCerts;
- callarg.callbackArg = (void *) & caller;
- callarg.findTemplate = theTemplate;
- callarg.templateCount = templateSize;
-
- return PK11_TraverseSlot(slot, &callarg);
-}
-
-/*
- * return the certificate associated with a derCert
- */
-CERTCertificate *
-PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
- void *wincx)
-{
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_VALUE, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_OBJECT_HANDLE certh;
- CK_ATTRIBUTE *attrs = theTemplate;
- SECStatus rv;
-
- PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
- cert->derCert.len); attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
- /*
- * issue the find
- */
- if ( !PK11_IsFriendly(slot)) {
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) return NULL;
- }
-
- certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
- if (certh == CK_INVALID_KEY) {
- return NULL;
- }
- return PK11_MakeCertFromHandle(slot, certh, NULL);
-}
-
-/*
- * return the certificate associated with a derCert
- */
-CERTCertificate *
-PK11_FindCertFromDERSubjectAndNickname(PK11SlotInfo *slot,
- CERTCertificate *cert,
- char *nickname, void *wincx)
-{
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_SUBJECT, NULL, 0 },
- { CKA_LABEL, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_OBJECT_HANDLE certh;
- CK_ATTRIBUTE *attrs = theTemplate;
- SECStatus rv;
-
- PK11_SETATTRS(attrs, CKA_SUBJECT, cert->derSubject.data,
- cert->derSubject.len); attrs++;
- PK11_SETATTRS(attrs, CKA_LABEL, nickname, PORT_Strlen(nickname));
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
- /*
- * issue the find
- */
- if ( !PK11_IsFriendly(slot)) {
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) return NULL;
- }
-
- certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
- if (certh == CK_INVALID_KEY) {
- return NULL;
- }
-
- return PK11_MakeCertFromHandle(slot, certh, NULL);
-}
-
-/*
- * import a cert for a private key we have already generated. Set the label
- * on both to be the nickname.
- */
-static CK_OBJECT_HANDLE
-pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
- void *wincx)
-{
- SECItem *keyID;
- CK_OBJECT_HANDLE key;
- SECStatus rv;
-
- if((slot == NULL) || (cert == NULL)) {
- return CK_INVALID_KEY;
- }
-
- keyID = pk11_mkcertKeyID(cert);
- if(keyID == NULL) {
- return CK_INVALID_KEY;
- }
-
- key = CK_INVALID_KEY;
-
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) goto loser;
-
- key = pk11_FindPrivateKeyFromCertID(slot, keyID);
-
-loser:
- SECITEM_ZfreeItem(keyID, PR_TRUE);
- return key;
-}
-
-SECKEYPrivateKey *
-PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
- void *wincx)
-{
- CK_OBJECT_HANDLE keyHandle;
-
- if((slot == NULL) || (cert == NULL)) {
- return NULL;
- }
-
- keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
- if (keyHandle == CK_INVALID_KEY) {
- return NULL;
- }
-
- return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx);
-}
-
-SECStatus
-PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
- char *nickname,
- PRBool addCertUsage,void *wincx)
-{
- CK_OBJECT_HANDLE keyHandle;
-
- if((slot == NULL) || (cert == NULL) || (nickname == NULL)) {
- return SECFailure;
- }
-
- keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
- if (keyHandle == CK_INVALID_KEY) {
- return SECFailure;
- }
-
- return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage);
-}
-
-
-/* remove when the real version comes out */
-#define SEC_OID_MISSI_KEA 300 /* until we have v3 stuff merged */
-PRBool
-KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
-
- if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) {
- return PR_TRUE;
- } else {
- return PR_FALSE;
- }
-}
-
-PRBool
-PK11_FortezzaHasKEA(CERTCertificate *cert) {
- /* look at the subject and see if it is a KEA for MISSI key */
- SECOidData *oid;
-
- if ((cert->trust == NULL) ||
- ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
- return PR_FALSE;
- }
-
- oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
-
-
- return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) ||
- (oid->offset == SEC_OID_MISSI_KEA_DSS) ||
- (oid->offset == SEC_OID_MISSI_KEA)) ;
-}
-
-/*
- * Find a kea cert on this slot that matches the domain of it's peer
- */
-static CERTCertificate
-*pk11_GetKEAMate(PK11SlotInfo *slot,CERTCertificate *peer)
-{
- int i;
- CERTCertificate *returnedCert = NULL;
-
- for (i=0; i < slot->cert_count; i++) {
- CERTCertificate *cert = slot->cert_array[i];
-
- if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) {
- returnedCert = CERT_DupCertificate(cert);
- break;
- }
- }
- return returnedCert;
-}
-
-/*
- * The following is a FORTEZZA only Certificate request. We call this when we
- * are doing a non-client auth SSL connection. We are only interested in the
- * fortezza slots, and we are only interested in certs that share the same root
- * key as the server.
- */
-CERTCertificate *
-PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
-{
- PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
- PR_FALSE,PR_TRUE,wincx);
- PK11SlotListElement *le;
- CERTCertificate *returnedCert = NULL;
- SECStatus rv;
-
- /* loop through all the fortezza tokens */
- for (le = keaList->head; le; le = le->next) {
- rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
- if (rv != SECSuccess) continue;
- if (le->slot->session == CK_INVALID_SESSION) {
- continue;
- }
- returnedCert = pk11_GetKEAMate(le->slot,server);
- if (returnedCert) break;
- }
- PK11_FreeSlotList(keaList);
-
- return returnedCert;
-}
-
-/*
- * find a matched pair of kea certs to key exchange parameters from one
- * fortezza card to another as necessary.
- */
-SECStatus
-PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
- CERTCertificate **cert1, CERTCertificate **cert2)
-{
- PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
- PR_FALSE,PR_TRUE,NULL);
- CERTCertificate *returnedCert = NULL;
- int i;
-
- for (i=0; i < slot1->cert_count; i++) {
- CERTCertificate *cert = slot1->cert_array[i];
-
- if (PK11_FortezzaHasKEA(cert)) {
- returnedCert = pk11_GetKEAMate(slot2,cert);
- if (returnedCert != NULL) {
- *cert2 = returnedCert;
- *cert1 = CERT_DupCertificate(cert);
- return SECSuccess;
- }
- }
- }
- return SECFailure;
-}
-
-SECOidTag
-PK11_FortezzaMapSig(SECOidTag algTag)
-{
- switch (algTag) {
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS:
- case SEC_OID_MISSI_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
- return SEC_OID_ANSIX9_DSA_SIGNATURE;
- default:
- break;
- }
- return algTag;
-}
-
-/*
- * return the private key From a given Cert
- */
-CK_OBJECT_HANDLE
-PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
-{
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_VALUE, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_ATTRIBUTE *attrs = theTemplate;
- SECStatus rv;
-
- PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
- cert->derCert.len); attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
- /*
- * issue the find
- */
- rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) {
- return CK_INVALID_KEY;
- }
-
- return pk11_getcerthandle(slot,cert,theTemplate,tsize);
-}
-
-SECItem *
-PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx)
-{
- CK_OBJECT_HANDLE handle;
- PK11SlotInfo *slot = NULL;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_ID, NULL, 0 },
- };
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- SECItem *item = NULL;
- CK_RV crv;
-
- handle = PK11_FindObjectForCert(cert,wincx,&slot);
- if (handle == CK_INVALID_KEY) {
- goto loser;
- }
-
-
- crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- goto loser;
- }
-
- item = PORT_ZNew(SECItem);
- if (item) {
- item->data = theTemplate[0].pValue;
- item->len = theTemplate[0].ulValueLen;
- }
-
-
-loser:
- PK11_FreeSlot(slot);
- return item;
-}
-
-SECItem *
-PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx)
-{
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_ID, NULL, 0 },
- };
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- SECItem *item = NULL;
- CK_RV crv;
-
- crv = PK11_GetAttributes(NULL,key->pkcs11Slot,key->pkcs11ID,
- theTemplate,tsize);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- goto loser;
- }
-
- item = PORT_ZNew(SECItem);
- if (item) {
- item->data = theTemplate[0].pValue;
- item->len = theTemplate[0].ulValueLen;
- }
-
-
-loser:
- return item;
-}
diff --git a/security/nss/lib/pk11wrap/pk11db.c b/security/nss/lib/pk11wrap/pk11db.c
deleted file mode 100644
index 1e073075e..000000000
--- a/security/nss/lib/pk11wrap/pk11db.c
+++ /dev/null
@@ -1,645 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * The following code handles the storage of PKCS 11 modules used by the
- * NSS. This file is written to abstract away how the modules are
- * stored so we can deside that later.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "prlock.h"
-#include "pkcs11.h"
-#include "secmodi.h"
-#include "pk11func.h"
-#include "mcom_db.h"
-
-/* create a new module */
-SECMODModule *SECMOD_NewModule(void) {
- SECMODModule *newMod;
- PRArenaPool *arena;
-
-
- /* create an arena in which dllName and commonName can be
- * allocated.
- */
- arena = PORT_NewArena(512);
- if (arena == NULL) {
- return NULL;
- }
-
- newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
- if (newMod == NULL) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
-
- /*
- * initialize of the fields of the module
- */
- newMod->arena = arena;
- newMod->internal = PR_FALSE;
- newMod->loaded = PR_FALSE;
- newMod->isFIPS = PR_FALSE;
- newMod->dllName = NULL;
- newMod->commonName = NULL;
- newMod->library = NULL;
- newMod->functionList = NULL;
- newMod->slotCount = 0;
- newMod->slots = NULL;
- newMod->slotInfo = NULL;
- newMod->slotInfoCount = 0;
- newMod->refCount = 1;
- newMod->ssl[0] = 0;
- newMod->ssl[1] = 0;
-#ifdef PKCS11_USE_THREADS
- newMod->refLock = (void *)PR_NewLock();
- if (newMod->refLock == NULL) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
-#else
- newMod->refLock = NULL;
-#endif
- return newMod;
-
-}
-
-/* create a new ModuleListElement */
-SECMODModuleList *SECMOD_NewModuleListElement(void) {
- SECMODModuleList *newModList;
-
- newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList));
- if (newModList) {
- newModList->next = NULL;
- newModList->module = NULL;
- }
- return newModList;
-}
-
-static unsigned long internalFlags = SECMOD_RSA_FLAG|SECMOD_DSA_FLAG|
- SECMOD_RC2_FLAG| SECMOD_RC4_FLAG|SECMOD_DES_FLAG|SECMOD_RANDOM_FLAG|
- SECMOD_SHA1_FLAG|SECMOD_MD5_FLAG|SECMOD_MD2_FLAG|SECMOD_SSL_FLAG|
- SECMOD_TLS_FLAG;
-
-/* create a Internal module */
-SECMODModule *SECMOD_NewInternal(void) {
- SECMODModule *intern;
- static PK11PreSlotInfo internSlotInfo =
- { 1, SECMOD_RSA_FLAG|SECMOD_DSA_FLAG|SECMOD_RC2_FLAG|
- SECMOD_RC4_FLAG|SECMOD_DES_FLAG|SECMOD_RANDOM_FLAG|
- SECMOD_SHA1_FLAG|SECMOD_MD5_FLAG|SECMOD_MD2_FLAG|
- SECMOD_SSL_FLAG|SECMOD_TLS_FLAG, -1, 30 };
-
- intern = SECMOD_NewModule();
- if (intern == NULL) {
- return NULL;
- }
-
- /*
- * make this module an internal module
- */
- intern->commonName = "Netscape Internal PKCS #11 Module";
- intern->internal = PR_TRUE;
- intern->slotInfoCount = 1;
- intern->slotInfo = &internSlotInfo;
-
- return (intern);
-}
-
-/* create a FIPS Internal module */
-SECMODModule *SECMOD_GetFIPSInternal(void) {
- SECMODModule *intern;
-
- intern = SECMOD_NewInternal();
- if (intern == NULL) {
- return NULL;
- }
-
- /*
- * make this module a FIPS internal module
- */
- intern->slotInfo[0].slotID = 3; /* FIPS slot */
- intern->commonName = "Netscape Internal FIPS PKCS #11 Module";
- intern->isFIPS = PR_TRUE;
-
- return (intern);
-}
-
-SECMODModule *SECMOD_DupModule(SECMODModule *old) {
- SECMODModule *newMod;
-
- newMod = SECMOD_NewModule();
- if (newMod == NULL) {
- return NULL;
- }
-
- /*
- * initialize of the fields of the module
- */
- newMod->dllName = PORT_ArenaStrdup(newMod->arena,old->dllName);
- newMod->commonName = PORT_ArenaStrdup(newMod->arena,old->commonName);;
-
- return newMod;
-
-}
-
-/*
- * make a new reference to a module so It doesn't go away on us
- */
-SECMODModule *
-SECMOD_ReferenceModule(SECMODModule *module) {
- PK11_USE_THREADS(PR_Lock((PRLock *)module->refLock);)
- PORT_Assert(module->refCount > 0);
-
- module->refCount++;
- PK11_USE_THREADS(PR_Unlock((PRLock*)module->refLock);)
- return module;
-}
-
-
-/* destroy an existing module */
-void
-SECMOD_DestroyModule(SECMODModule *module) {
- PRBool willfree = PR_FALSE;
- int slotCount;
- int i;
-
- PK11_USE_THREADS(PR_Lock((PRLock *)module->refLock);)
- if (module->refCount-- == 1) {
- willfree = PR_TRUE;
- }
- PORT_Assert(willfree || (module->refCount > 0));
- PK11_USE_THREADS(PR_Unlock((PRLock *)module->refLock);)
-
- if (!willfree) {
- return;
- }
-
- /* slots can't really disappear until our module starts freeing them,
- * so this check is safe */
- slotCount = module->slotCount;
- if (slotCount == 0) {
- SECMOD_SlotDestroyModule(module,PR_FALSE);
- return;
- }
-
- /* now free all out slots, when they are done, they will cause the
- * module to disappear altogether */
- for (i=0 ; i < slotCount; i++) {
- if (!module->slots[i]->disabled) {
- PK11_ClearSlotList(module->slots[i]);
- }
- PK11_FreeSlot(module->slots[i]);
- }
- /* WARNING: once the last slot has been freed is it possible (even likely)
- * that module is no more... touching it now is a good way to go south */
-}
-
-
-/* we can only get here if we've destroyed the module, or some one has
- * erroneously freed a slot that wasn't referenced. */
-void
-SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) {
- PRBool willfree = PR_FALSE;
- if (fromSlot) {
- PORT_Assert(module->refCount == 0);
- PK11_USE_THREADS(PR_Lock((PRLock *)module->refLock);)
- if (module->slotCount-- == 1) {
- willfree = PR_TRUE;
- }
- PORT_Assert(willfree || (module->slotCount > 0));
- PK11_USE_THREADS(PR_Unlock((PRLock *)module->refLock);)
- if (!willfree) return;
- }
- if (module->loaded) {
- SECMOD_UnloadModule(module);
- }
- PK11_USE_THREADS(PR_DestroyLock((PRLock *)module->refLock);)
- PORT_FreeArena(module->arena,PR_FALSE);
-}
-
-/* destroy a list element
- * this destroys a single element, and returns the next element
- * on the chain. It makes it easy to implement for loops to delete
- * the chain. It also make deleting a single element easy */
-SECMODModuleList *
-SECMOD_DestroyModuleListElement(SECMODModuleList *element) {
- SECMODModuleList *next = element->next;
-
- if (element->module) {
- SECMOD_DestroyModule(element->module);
- element->module = NULL;
- }
- PORT_Free(element);
- return next;
-}
-
-
-/*
- * Destroy an entire module list
- */
-void
-SECMOD_DestroyModuleList(SECMODModuleList *list) {
- SECMODModuleList *lp;
-
- for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
-}
-
-
-/* Construct a database key for a given module */
-static SECStatus secmod_MakeKey(DBT *key, SECMODModule * module) {
- int len = 0;
-
- len = PORT_Strlen(module->commonName);
- key->data = module->commonName;
- key->size = len;
- return SECSuccess;
-}
-
-/* free out constructed database key */
-static void secmod_FreeKey(DBT *key) {
- key->data = NULL;
- key->size = 0;
-}
-
-typedef struct secmodDataStr secmodData;
-typedef struct secmodSlotDataStr secmodSlotData;
-struct secmodDataStr {
- unsigned char major;
- unsigned char minor;
- unsigned char nameStart[2];
- unsigned char slotOffset[2];
- unsigned char internal;
- unsigned char fips;
- unsigned char ssl[8];
- unsigned char names[4]; /* enough space for the length fields */
-};
-
-struct secmodSlotDataStr {
- unsigned char slotID[4];
- unsigned char defaultFlags[4];
- unsigned char timeout[4];
- unsigned char askpw;
- unsigned char reserved[19]; /* this makes it a round 32 bytes */
-};
-
-#define SECMOD_DB_VERSION_MAJOR 0
-#define SECMOD_DB_VERSION_MINOR 4
-#define SECMOD_DB_NOUI_VERSION_MAJOR 0
-#define SECMOD_DB_NOUI_VERSION_MINOR 3
-
-#define SECMOD_PUTSHORT(dest,src) \
- (dest)[1] = (unsigned char) ((src)&0xff); \
- (dest)[0] = (unsigned char) (((src) >> 8) & 0xff);
-#define SECMOD_PUTLONG(dest,src) \
- (dest)[3] = (unsigned char) ((src)&0xff); \
- (dest)[2] = (unsigned char) (((src) >> 8) & 0xff); \
- (dest)[1] = (unsigned char) (((src) >> 16) & 0xff); \
- (dest)[0] = (unsigned char) (((src) >> 24) & 0xff);
-#define SECMOD_GETSHORT(src) \
- ((unsigned short) (((src)[0] << 8) | (src)[1]))
-#define SECMOD_GETLONG(src) \
- ((unsigned long) (( (unsigned long) (src)[0] << 24) | \
- ( (unsigned long) (src)[1] << 16) | \
- ( (unsigned long) (src)[2] << 8) | \
- (unsigned long) (src)[3]))
-/*
- * build a data base entry from a module
- */
-static SECStatus secmod_EncodeData(DBT *data, SECMODModule * module) {
- secmodData *encoded;
- secmodSlotData *slot;
- unsigned char *dataPtr;
- unsigned short len, len2 = 0,count = 0;
- unsigned short offset;
- int dataLen, i, si;
-
- len = PORT_Strlen(module->commonName);
- if (module->dllName) {
- len2 = PORT_Strlen(module->dllName);
- }
- if (module->slotCount != 0) {
- for (i=0; i < module->slotCount; i++) {
- if (module->slots[i]->defaultFlags != 0) {
- count++;
- }
- }
- } else {
- count = module->slotInfoCount;
- }
- dataLen = sizeof(secmodData) + len + len2 + 2 +
- count*sizeof(secmodSlotData);
-
- data->data = (unsigned char *)
- PORT_Alloc(dataLen);
- encoded = (secmodData *)data->data;
- dataPtr = (unsigned char *) data->data;
- data->size = dataLen;
-
- if (encoded == NULL) return SECFailure;
-
- encoded->major = SECMOD_DB_VERSION_MAJOR;
- encoded->minor = SECMOD_DB_VERSION_MINOR;
- encoded->internal = (unsigned char) (module->internal ? 1 : 0);
- encoded->fips = (unsigned char) (module->isFIPS ? 1 : 0);
- SECMOD_PUTLONG(encoded->ssl,module->ssl[0]);
- SECMOD_PUTLONG(&encoded->ssl[4],module->ssl[1]);
-
- offset = (unsigned long) &(((secmodData *)0)->names[0]);
- SECMOD_PUTSHORT(encoded->nameStart,offset);
- offset = offset +len + len2 + 4;
- SECMOD_PUTSHORT(encoded->slotOffset,offset);
-
-
- SECMOD_PUTSHORT(&dataPtr[offset],count);
- slot = (secmodSlotData *)(dataPtr+offset+2);
-
- SECMOD_PUTSHORT(encoded->names,len);
- PORT_Memcpy(&encoded->names[2],module->commonName,len);
-
-
- SECMOD_PUTSHORT(&encoded->names[len+2],len2);
- if (len2) PORT_Memcpy(&encoded->names[len+4],module->dllName,len2);
-
- if (module->slotCount) {
- for (i=0,si=0; i < module->slotCount; i++) {
- if (module->slots[i]->defaultFlags) {
- SECMOD_PUTLONG(slot[si].slotID, module->slots[i]->slotID);
- SECMOD_PUTLONG(slot[si].defaultFlags,
- module->slots[i]->defaultFlags);
- SECMOD_PUTLONG(slot[si].timeout,module->slots[i]->timeout);
- slot[si].askpw = module->slots[i]->askpw;
- PORT_Memset(slot[si].reserved, 0, sizeof(slot[si].reserved));
- si++;
- }
- }
- } else {
- for (i=0; i < module->slotInfoCount; i++) {
- SECMOD_PUTLONG(slot[i].slotID, module->slotInfo[i].slotID);
- SECMOD_PUTLONG(slot[i].defaultFlags,
- module->slotInfo[i].defaultFlags);
- SECMOD_PUTLONG(slot[i].timeout,module->slotInfo[i].timeout);
- slot[i].askpw = module->slotInfo[i].askpw;
- PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved));
- }
- }
-
- return SECSuccess;
-
-}
-
-static void secmod_FreeData(DBT *data) {
- if (data->data) {
- PORT_Free(data->data);
- }
-}
-
-
-/*
- * build a module from the data base entry.
- */
-static SECMODModule *secmod_DecodeData(DBT *data) {
- SECMODModule * module;
- secmodData *encoded;
- secmodSlotData *slots;
- unsigned char *names;
- unsigned short len,len1;
- unsigned long slotCount;
- unsigned short offset;
- PRBool isOldVersion = PR_FALSE;
- int i;
-
- encoded = (secmodData *)data->data;
- names = (unsigned char *)data->data;
- offset = SECMOD_GETSHORT(encoded->slotOffset);
- slots = (secmodSlotData *) (names + offset + 2);
- slotCount = SECMOD_GETSHORT(names + offset);
- names += SECMOD_GETSHORT(encoded->nameStart);
-
- module = SECMOD_NewModule();
- if (module == NULL) return NULL;
-
- module->internal = (encoded->internal != 0) ? PR_TRUE: PR_FALSE;
- module->isFIPS = (encoded->fips != 0) ? PR_TRUE: PR_FALSE;
- len = SECMOD_GETSHORT(names);
-
- if (module->internal && (encoded->major == SECMOD_DB_NOUI_VERSION_MAJOR) &&
- (encoded->minor <= SECMOD_DB_NOUI_VERSION_MINOR)) {
- isOldVersion = PR_TRUE;
- }
-
- /* decode the common name */
- module->commonName = (char*)PORT_ArenaAlloc(module->arena,len+1);
- if (module->commonName == NULL) {
- SECMOD_DestroyModule(module);
- return NULL;
- }
- PORT_Memcpy(module->commonName,&names[2],len);
- module->commonName[len] = 0;
-
- /* decode the DLL name */
- len1 = (names[len+2] << 8) | names[len+3];
- if (len1) {
- module->dllName = (char*)PORT_ArenaAlloc(module->arena,len1 + 1);
- if (module->dllName == NULL) {
- SECMOD_DestroyModule(module);
- return NULL;
- }
- PORT_Memcpy(module->dllName,&names[len+4],len1);
- module->dllName[len1] = 0;
- }
-
- module->slotInfoCount = slotCount;
- module->slotInfo = (PK11PreSlotInfo *) PORT_ArenaAlloc(module->arena,
- slotCount * sizeof(PK11PreSlotInfo));
- for (i=0; i < (int) slotCount; i++) {
- module->slotInfo[i].slotID = SECMOD_GETLONG(slots[i].slotID);
- module->slotInfo[i].defaultFlags =
- SECMOD_GETLONG(slots[i].defaultFlags);
- if (isOldVersion && module->internal &&
- (module->slotInfo[i].slotID != 2)) {
- module->slotInfo[i].defaultFlags |= internalFlags;
- }
- module->slotInfo[i].timeout = SECMOD_GETLONG(slots[i].timeout);
- module->slotInfo[i].askpw = slots[i].askpw;
- if (module->slotInfo[i].askpw == 0xff) {
- module->slotInfo[i].askpw = -1;
- }
- }
-
- /* decode SSL cipher enable flags */
- module->ssl[0] = SECMOD_GETLONG(encoded->ssl);
- module->ssl[1] = SECMOD_GETLONG(&encoded->ssl[4]);
-
- return (module);
-}
-
-/*
- * open the PKCS #11 data base.
- */
-static char *pkcs11dbName = NULL;
-void SECMOD_InitDB(char *dbname) {
- pkcs11dbName = PORT_Strdup(dbname);
-}
-
-
-static DB *secmod_OpenDB(PRBool readOnly) {
- DB *pkcs11db = NULL;
- char *dbname;
-
- if (pkcs11dbName == NULL) return NULL;
- dbname = pkcs11dbName;
-
- /* I'm sure we should do more checks here sometime... */
- pkcs11db = dbopen(dbname, readOnly ? O_RDONLY : O_RDWR, 0600, DB_HASH, 0);
-
- /* didn't exist? create it */
- if (pkcs11db == NULL) {
- if (readOnly) return NULL;
-
- pkcs11db = dbopen( dbname,
- O_RDWR | O_CREAT | O_TRUNC, 0600, DB_HASH, 0 );
- if (pkcs11db) (* pkcs11db->sync)(pkcs11db, 0);
- }
- return pkcs11db;
-}
-
-static void secmod_CloseDB(DB *pkcs11db) {
- (*pkcs11db->close)(pkcs11db);
-}
-
-/*
- * Read all the existing modules in
- */
-SECMODModuleList *
-SECMOD_ReadPermDB(void) {
- DBT key,data;
- int ret;
- DB *pkcs11db = NULL;
- SECMODModuleList *newmod = NULL,*mod = NULL;
-
- pkcs11db = secmod_OpenDB(PR_TRUE);
- if (pkcs11db == NULL) {
- return NULL;
- }
-
- /* read and parse the file or data base */
- ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST);
- if (ret) goto done;
-
- do {
- /* allocate space for modules */
- newmod = SECMOD_NewModuleListElement();
- if (newmod == NULL) break;
- newmod->module = secmod_DecodeData(&data);
- if (newmod->module == NULL) {
- SECMOD_DestroyModuleListElement(newmod);
- break;
- }
- newmod->next = mod;
- mod = newmod;
- } while ( (*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0);
-
-done:
- secmod_CloseDB(pkcs11db);
- return mod;
-}
-
-/*
- * Delete a module from the Data Base
- */
-SECStatus
-SECMOD_DeletePermDB(SECMODModule * module) {
- DBT key;
- SECStatus rv = SECFailure;
- DB *pkcs11db = NULL;
- int ret;
-
- /* make sure we have a db handle */
- pkcs11db = secmod_OpenDB(PR_FALSE);
- if (pkcs11db == NULL) {
- return SECFailure;
- }
-
- rv = secmod_MakeKey(&key,module);
- if (rv != SECSuccess) goto done;
- rv = SECFailure;
- ret = (*pkcs11db->del)(pkcs11db, &key, 0);
- secmod_FreeKey(&key);
- if (ret != 0) goto done;
-
-
- ret = (*pkcs11db->sync)(pkcs11db, 0);
- if (ret == 0) rv = SECSuccess;
-
-done:
- secmod_CloseDB(pkcs11db);
- return rv;
-}
-
-/*
- * Add a module to the Data base
- */
-SECStatus
-SECMOD_AddPermDB(SECMODModule *module) {
- DBT key,data;
- SECStatus rv = SECFailure;
- DB *pkcs11db = NULL;
- int ret;
-
- /* make sure we have a db handle */
- pkcs11db = secmod_OpenDB(PR_FALSE);
- if (pkcs11db == NULL) {
- return SECFailure;
- }
-
- rv = secmod_MakeKey(&key,module);
- if (rv != SECSuccess) goto done;
- rv = secmod_EncodeData(&data,module);
- if (rv != SECSuccess) {
- secmod_FreeKey(&key);
- goto done;
- }
- rv = SECFailure;
- ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0);
- secmod_FreeKey(&key);
- secmod_FreeData(&data);
- if (ret != 0) goto done;
-
- ret = (*pkcs11db->sync)(pkcs11db, 0);
- if (ret == 0) rv = SECSuccess;
-
-done:
- secmod_CloseDB(pkcs11db);
- return rv;
-}
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c
deleted file mode 100644
index b6846af84..000000000
--- a/security/nss/lib/pk11wrap/pk11err.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * this file maps PKCS11 Errors into SECErrors
- * This is an information reducing process, since most errors are reflected
- * back to the user (the user doesn't care about invalid flags, or active
- * operations). If any of these errors need more detail in the upper layers
- * which call PK11 library functions, we can add more SEC_ERROR_XXX functions
- * and change there mappings here.
- */
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-#ifdef PK11_ERROR_USE_ARRAY
-
-/*
- * build a static array of entries...
- */
-static struct {
- CK_RV pk11_error;
- int sec_error;
-} pk11_error_map = {
-#define MAPERROR(x,y) {x, y},
-
-#else
-
-/* the default is to use a big switch statement */
-int
-PK11_MapError(CK_RV rv) {
-
- switch (rv) {
-#define MAPERROR(x,y) case x: return y;
-
-#endif
-
-/* the guts mapping */
- MAPERROR(CKR_OK, 0)
- MAPERROR(CKR_CANCEL, SEC_ERROR_IO)
- MAPERROR(CKR_HOST_MEMORY, SEC_ERROR_NO_MEMORY)
- MAPERROR(CKR_SLOT_ID_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_ATTRIBUTE_READ_ONLY, SEC_ERROR_READ_ONLY)
- MAPERROR(CKR_ATTRIBUTE_SENSITIVE, SEC_ERROR_IO) /* XX SENSITIVE */
- MAPERROR(CKR_ATTRIBUTE_TYPE_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_ATTRIBUTE_VALUE_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_DATA_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_DEVICE_ERROR, SEC_ERROR_IO)
- MAPERROR(CKR_DEVICE_MEMORY, SEC_ERROR_NO_MEMORY)
- MAPERROR(CKR_DEVICE_REMOVED, SEC_ERROR_NO_TOKEN)
- MAPERROR(CKR_ENCRYPTED_DATA_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_ENCRYPTED_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_FUNCTION_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_FUNCTION_NOT_PARALLEL, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_MECHANISM_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_MECHANISM_PARAM_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_OBJECT_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_OPERATION_ACTIVE, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_OPERATION_NOT_INITIALIZED,SEC_ERROR_LIBRARY_FAILURE )
- MAPERROR(CKR_PIN_INCORRECT, SEC_ERROR_BAD_PASSWORD)
- MAPERROR(CKR_PIN_INVALID, SEC_ERROR_BAD_PASSWORD)
- MAPERROR(CKR_PIN_LEN_RANGE, SEC_ERROR_BAD_PASSWORD)
- MAPERROR(CKR_SESSION_CLOSED, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_SESSION_COUNT, SEC_ERROR_NO_MEMORY) /* XXXX? */
- MAPERROR(CKR_SESSION_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_SESSION_PARALLEL_NOT_SUPPORTED, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_SESSION_READ_ONLY, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_SIGNATURE_INVALID, SEC_ERROR_BAD_SIGNATURE)
- MAPERROR(CKR_SIGNATURE_LEN_RANGE, SEC_ERROR_BAD_SIGNATURE)
- MAPERROR(CKR_TEMPLATE_INCOMPLETE, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_TEMPLATE_INCONSISTENT, SEC_ERROR_BAD_DATA)
- MAPERROR(CKR_TOKEN_NOT_PRESENT, SEC_ERROR_NO_TOKEN)
- MAPERROR(CKR_TOKEN_NOT_RECOGNIZED, SEC_ERROR_IO)
- MAPERROR(CKR_TOKEN_WRITE_PROTECTED, SEC_ERROR_READ_ONLY)
- MAPERROR(CKR_UNWRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0)
- MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_LIBRARY_FAILURE) /* XXXX */
- MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN)
- MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE)
- MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_WRAPPED_KEY_LEN_RANGE, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_WRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_WRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
- MAPERROR(CKR_VENDOR_DEFINED, SEC_ERROR_LIBRARY_FAILURE)
-
-
-#ifdef PK11_ERROR_USE_ARRAY
-
-int
-PK11_MapError(CK_RV rv) {
- int size = sizeof(pk11_error_map)/sizeof(pk11_error_map[0]);
-
- for (i=0; i < size; i++) {
- if (pk11_error_map[i].pk11_error == rv) {
- return pk11_error_map[i].sec_error;
- }
- }
- return SEC_ERROR_IO;
- }
-
-
-#else
-
- default:
- break;
- }
- return SEC_ERROR_IO;
-}
-
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
deleted file mode 100644
index 47d06d0f5..000000000
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ /dev/null
@@ -1,449 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * PKCS #11 Wrapper functions which handles authenticating to the card's
- * choosing the best cards, etc.
- */
-#ifndef _PK11FUNC_H_
-#define _PK11FUNC_H_
-#include "plarena.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "keyt.h"
-#include "certt.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-#include "seccomon.h"
-#include "pkcs7t.h"
-#include "cmsreclist.h"
-
-SEC_BEGIN_PROTOS
-
-/************************************************************
- * Generic Slot Lists Management
- ************************************************************/
-PK11SlotList * PK11_NewSlotList(void);
-void PK11_FreeSlotList(PK11SlotList *list);
-SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
-SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
-PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
-PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list,
- PK11SlotListElement *le, PRBool restart);
-PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
- PK11SlotInfo *slot);
-
-/************************************************************
- * Generic Slot Management
- ************************************************************/
-PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
-PK11SlotInfo *PK11_FindSlotByID(SECMODModuleID modID,CK_SLOT_ID slotID);
-void PK11_FreeSlot(PK11SlotInfo *slot);
-SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
-SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
-CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
-SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
- CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result);
-CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
- CK_ATTRIBUTE_TYPE type);
-PK11SlotInfo *PK11_GetInternalKeySlot(void);
-PK11SlotInfo *PK11_GetInternalSlot(void);
-char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
- int stringLen);
-int PK11_MapError(CK_RV error);
-CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
-void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
-PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
- CK_SESSION_HANDLE session_handle);
-PK11SlotInfo *PK11_NewSlotInfo(void);
-SECStatus PK11_Logout(PK11SlotInfo *slot);
-void PK11_LogoutAll(void);
-void PK11_EnterSlotMonitor(PK11SlotInfo *);
-void PK11_ExitSlotMonitor(PK11SlotInfo *);
-void PK11_CleanKeyList(PK11SlotInfo *slot);
-
-
-
-/************************************************************
- * Slot Password Management
- ************************************************************/
-void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
-void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
-SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
-SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw);
-SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
-PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
-SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
-SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd);
-SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw);
-void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
-void PK11_SetPasswordFunc(PK11PasswordFunc func);
-void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
-void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
-int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
-SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
-
-/************************************************************
- * Manage the built-In Slot Lists
- ************************************************************/
-SECStatus PK11_InitSlotLists(void);
-PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
-void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
-void PK11_ClearSlotList(PK11SlotInfo *slot);
-
-
-/******************************************************************
- * Slot initialization
- ******************************************************************/
-PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
- CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
-PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
-SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
-SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
-SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
-void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
-
-
-/******************************************************************
- * Slot info functions
- ******************************************************************/
-PK11SlotInfo *PK11_FindSlotByName(char *name);
-PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
-PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
-PRBool PK11_IsInternal(PK11SlotInfo *slot);
-char * PK11_GetTokenName(PK11SlotInfo *slot);
-char * PK11_GetSlotName(PK11SlotInfo *slot);
-PRBool PK11_NeedLogin(PK11SlotInfo *slot);
-PRBool PK11_IsFriendly(PK11SlotInfo *slot);
-PRBool PK11_IsHW(PK11SlotInfo *slot);
-PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
-int PK11_GetSlotSeries(PK11SlotInfo *slot);
-int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
-unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
-CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
-SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
-SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
-SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
-PRBool PK11_IsDisabled(PK11SlotInfo *slot);
-PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
-/* Prevents the slot from being used, and set disable reason to user-disable */
-/* NOTE: Mechanisms that were ON continue to stay ON */
-/* Therefore, when the slot is enabled, it will remember */
-/* what mechanisms needs to be turned on */
-PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
-/* Allow all mechanisms that are ON before UserDisableSlot() */
-/* was called to be available again */
-PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
-
-PRBool PK11_NeedPWInit(void);
-PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
-PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
-SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
-PRBool PK11_IsFIPS(void);
-SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
-
-/*********************************************************************
- * Slot mapping utility functions.
- *********************************************************************/
-PRBool PK11_IsPresent(PK11SlotInfo *slot);
-PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
-PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
- PRBool loadCerts, void *wincx);
-PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
- PRBool needRW,void *wincx);
-PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
- void *wincx);
-PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
-CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
-int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
-
-/*********************************************************************
- * Mechanism Mapping functions
- *********************************************************************/
-void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
- CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
-CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
-CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
-int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
-int PK11_GetIVLength(CK_MECHANISM_TYPE type);
-SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
-unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
-SECItem * PK11_BlockData(SECItem *data,unsigned long size);
-
-/* PKCS #11 to DER mapping functions */
-SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
-SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
-CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
-SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
-SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
-SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
- PRArenaPool *arena, SECAlgorithmID *algid);
-SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
-SECStatus PK11_RandomUpdate(void *data, size_t bytes);
-SECStatus PK11_GenerateRandom(unsigned char *data,int len);
-CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
- CK_MECHANISM_PTR pCryptoMechanism,
- SECItem *pbe_pwd, PRBool bad3DES);
-CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
-
-/**********************************************************************
- * Symetric, Public, and Private Keys
- **********************************************************************/
-PK11SymKey *PK11_CreateSymKey(PK11SlotInfo *slot,
- CK_MECHANISM_TYPE type, void *wincx);
-void PK11_FreeSymKey(PK11SymKey *key);
-PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
-PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
- PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx);
-PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
- PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
- PRBool owner, void *wincx);
-PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
- CK_MECHANISM_TYPE type,int series, void *wincx);
-void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
-CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
-CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
- SECKEYPublicKey *pubKey, PRBool isToken);
-PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
- SECItem *param, int keySize,void *wincx);
-
-/* Key Generation specialized for SDR (fixed DES3 key) */
-PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
-
-SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
- PK11SymKey *symKey, SECItem *wrappedKey);
-SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
- PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
-PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
- SECItem *param, CK_MECHANISM_TYPE target,
- CK_ATTRIBUTE_TYPE operation, int keySize);
-PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey,
- CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
- CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
-PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey,
- SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
- CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
- CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
-PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key,
- CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
-PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey,
- CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
- CK_FLAGS flags);
-PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
-PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
- SECItem *keyID, void *wincx);
-SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey);
-SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
-
-/* size to hold key in bytes */
-unsigned int PK11_GetKeyLength(PK11SymKey *key);
-/* size of actual secret parts of key in bits */
-/* algid is because RC4 strength is determined by the effective bits as well
- * as the key bits */
-unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
-SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
-SECItem * PK11_GetKeyData(PK11SymKey *symKey);
-PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
-void *PK11_GetWindow(PK11SymKey *symKey);
-SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
- CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
- PRBool isPerm, PRBool isSensitive, void *wincx);
-SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
- PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx);
-SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
- CERTCertificate *cert, void *wincx);
-SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
-SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
- void *wincx);
-CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
- void *wincx, PK11SlotInfo **pSlot);
-int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
-SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
- unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
-/* The encrypt version of the above function */
-SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
- unsigned char *data, unsigned dataLen, void *wincx);
-SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
- SECKEYPrivateKeyInfo *pki, SECItem *nickname,
- SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
- unsigned int usage, void *wincx);
-SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
- SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
- SECItem *nickname, SECItem *publicValue, PRBool isPerm,
- PRBool isPrivate, KeyType type,
- unsigned int usage, void *wincx);
-SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
- CERTCertificate *cert, void *wincx);
-SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
- PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
- CERTCertificate *cert, int iteration, void *wincx);
-SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot,
- CERTCertificate *cert, void *wincx);
-SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
-SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
-PRBool PK11_VerifyKeyOK(PK11SymKey *key);
-SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot,
- PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
- SECItem *param, SECItem *wrappedKey, SECItem *label,
- SECItem *publicValue, PRBool token, PRBool sensitive,
- CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
- void *wincx);
-SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
- SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
- SECItem *param, SECItem *wrappedKey, void *wincx);
-PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
-SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx);
-SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx);
-
-/**********************************************************************
- * Certs
- **********************************************************************/
-SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
-CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
-SECStatus PK11_TraverseSlotCerts(
- SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
- void *arg, void *wincx);
-CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
-CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
-SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
-PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
- void *wincx);
-CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
- PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
- void *wincx);
-PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
- CK_OBJECT_HANDLE *keyPtr, void *wincx);
-CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
- CK_OBJECT_CLASS o_class);
-CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
- CERTIssuerAndSN *sn, void *wincx);
-CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
- SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
- SECKEYPrivateKey**privKey, void *wincx);
-int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
- void *wincx);
-CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
- CK_OBJECT_HANDLE id,
- CK_ATTRIBUTE_TYPE type );
-CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
- CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
-int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
-SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
- SECStatus(*callback)(CERTCertificate *, void *), void *arg);
-SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
- PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
- void *arg);
-CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot,
- CERTCertificate *cert, void *wincx);
-CERTCertificate *PK11_FindCertFromDERSubjectAndNickname(
- PK11SlotInfo *slot,
- CERTCertificate *cert, char *nickname,
- void *wincx);
-SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
- char *nickname, PRBool addUsage,
- void *wincx);
-CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
-SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
- PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
-PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
-CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
- void *wincx);
-SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
- PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
- void *arg);
-SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
- SECStatus(* callback)(CERTCertificate*, void *), void *arg);
-
-
-/**********************************************************************
- * Sign/Verify
- **********************************************************************/
-int PK11_SignatureLen(SECKEYPrivateKey *key);
-PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
-SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
-SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
- SECItem *dsig, void * wincx);
-SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig,
- SECItem *hash, void *wincx);
-
-
-
-/**********************************************************************
- * Crypto Contexts
- **********************************************************************/
-void PK11_DestroyContext(PK11Context *context, PRBool freeit);
-PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot,
- CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
- SECItem *key, SECItem *param, void *wincx);
-PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
-PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
-PK11Context *PK11_CloneContext(PK11Context *old);
-SECStatus PK11_DigestBegin(PK11Context *cx);
-SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
- int32 len);
-SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in,
- unsigned len);
-SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
- int maxout, unsigned char *in, int inlen);
-SECStatus PK11_Finalize(PK11Context *context);
-SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data,
- unsigned int *outLen, unsigned int length);
-PRBool PK11_HashOK(SECOidTag hashAlg);
-SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
- int *len, int saveLength);
-SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
-SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
-SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
-void PK11_FreeSlotCerts(PK11SlotInfo *slot);
-void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
-
-
-/**********************************************************************
- * PBE functions
- **********************************************************************/
-SECAlgorithmID *
-PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
-PK11SymKey *
-PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
- PRBool faulty3DES, void *wincx);
-SECItem *
-PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
deleted file mode 100644
index ef9fe2aef..000000000
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This file implements the Symkey wrapper and the PKCS context
- * Interfaces.
- */
-
-#include "seccomon.h"
-#include "secmod.h"
-#include "prlock.h"
-#include "secmodi.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "key.h"
-#include "secasn1.h"
-#include "sechash.h"
-#include "cert.h"
-#include "secerr.h"
-
-/*
- * find an RSA public key on a card
- */
-static CK_OBJECT_HANDLE
-pk11_FindRSAPubKey(PK11SlotInfo *slot)
-{
- CK_KEY_TYPE key_type = CKK_RSA;
- CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
- CK_ATTRIBUTE theTemplate[2];
- int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_ATTRIBUTE *attrs = theTemplate;
-
- PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++;
- PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++;
- template_count = attrs - theTemplate;
- PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
-
- return pk11_FindObjectByTemplate(slot,theTemplate,template_count);
-}
-
-SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
- CK_OBJECT_HANDLE id);
-
-PK11SymKey *
-pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
-{
- PK11SymKey *newSymKey = NULL;
- SECStatus rv;
- /* performance improvement can go here --- use a generated key to as a
- * per startup wrapping key. If it exists, use it, otherwise do a full
- * key exchange. */
-
- /* find a common Key Exchange algorithm */
- /* RSA */
- if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) &&
- PK11_DoesMechanism(slot,CKM_RSA_PKCS)) {
- CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_KEY;
- CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_KEY;
- SECKEYPublicKey *pubKey = NULL;
- SECKEYPrivateKey *privKey = NULL;
- SECItem wrapData;
-
- wrapData.data = NULL;
-
- /* find RSA Public Key on target */
- pubKeyHandle = pk11_FindRSAPubKey(slot);
- if (pubKeyHandle != CK_INVALID_KEY) {
- privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY);
- }
-
- /* if no key exits, generate a key pair */
- if (privKeyHandle == CK_INVALID_KEY) {
- unsigned int keyLength = PK11_GetKeyLength(symKey);
- PK11RSAGenParams rsaParams;
-
- rsaParams.keySizeInBits =
- ((keyLength == 0) || (keyLength > 16)) ? 512 : 256;
- rsaParams.pe = 0x10001;
- privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,
- &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
- } else {
- /* if key's exist, build SECKEY data structures for them */
- privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle,
- symKey->cx);
- if (privKey != NULL) {
- pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
- if (pubKey && pubKey->pkcs11Slot) {
- PK11_FreeSlot(pubKey->pkcs11Slot);
- pubKey->pkcs11Slot = NULL;
- pubKey->pkcs11ID = CK_INVALID_KEY;
- }
- }
- }
- if (privKey == NULL) goto rsa_failed;
- if (pubKey == NULL) goto rsa_failed;
-
- wrapData.len = SECKEY_PublicKeyStrength(pubKey);
- if (!wrapData.len) goto rsa_failed;
- wrapData.data = PORT_Alloc(wrapData.len);
- if (wrapData.data == NULL) goto rsa_failed;
-
- /* now wrap the keys in and out */
- rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
- if (rv == SECSuccess) {
- newSymKey = PK11_PubUnwrapSymKey(privKey,&wrapData,type,operation,
- symKey->size);
- }
-rsa_failed:
- if (wrapData.data != NULL) PORT_Free(wrapData.data);
- if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey);
- if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey);
-
- return newSymKey;
- }
- /* KEA */
- if (PK11_DoesMechanism(symKey->slot, CKM_KEA_KEY_DERIVE) &&
- PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
- CERTCertificate *certSource = NULL;
- CERTCertificate *certTarget = NULL;
- SECKEYPublicKey *pubKeySource = NULL;
- SECKEYPublicKey *pubKeyTarget = NULL;
- SECKEYPrivateKey *privKeySource = NULL;
- SECKEYPrivateKey *privKeyTarget = NULL;
- PK11SymKey *tekSource = NULL;
- PK11SymKey *tekTarget = NULL;
- SECItem Ra,wrap;
-
- /* can only exchange skipjack keys */
- if (type != CKM_SKIPJACK_CBC64) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- goto kea_failed;
- }
-
- /* find a pair of certs we can use */
- rv = PK11_GetKEAMatchedCerts(symKey->slot,slot,&certSource,&certTarget);
- if (rv != SECSuccess) goto kea_failed;
-
- /* get all the key pairs */
- pubKeyTarget = CERT_ExtractPublicKey(certSource);
- pubKeySource = CERT_ExtractPublicKey(certTarget);
- privKeySource =
- PK11_FindKeyByDERCert(symKey->slot,certSource,symKey->cx);
- privKeyTarget =
- PK11_FindKeyByDERCert(slot,certTarget,symKey->cx);
-
- if ((pubKeySource == NULL) || (pubKeyTarget == NULL) ||
- (privKeySource == NULL) || (privKeyTarget == NULL)) goto kea_failed;
-
- /* generate the wrapping TEK's */
- Ra.data = (unsigned char*)PORT_Alloc(128 /* FORTEZZA RA MAGIC */);
- Ra.len = 128;
- if (Ra.data == NULL) goto kea_failed;
-
- tekSource = PK11_PubDerive(privKeySource,pubKeyTarget,PR_TRUE,&Ra,NULL,
- CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
- tekTarget = PK11_PubDerive(privKeyTarget,pubKeySource,PR_FALSE,&Ra,NULL,
- CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
- PORT_Free(Ra.data);
-
- if ((tekSource == NULL) || (tekTarget == NULL)) { goto kea_failed; }
-
- /* wrap the key out of Source into target */
- wrap.data = (unsigned char*)PORT_Alloc(12); /* MAGIC SKIPJACK LEN */
- wrap.len = 12;
-
- /* paranoia to prevent infinite recursion on bugs */
- PORT_Assert(tekSource->slot == symKey->slot);
- if (tekSource->slot != symKey->slot) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- goto kea_failed;
- }
-
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP,NULL,tekSource,symKey,&wrap);
- if (rv == SECSuccess) {
- newSymKey = PK11_UnwrapSymKey(tekTarget, CKM_SKIPJACK_WRAP, NULL,
- &wrap, type, operation, symKey->size);
- }
- PORT_Free(wrap.data);
-kea_failed:
- if (certSource == NULL) CERT_DestroyCertificate(certSource);
- if (certTarget == NULL) CERT_DestroyCertificate(certTarget);
- if (pubKeySource == NULL) SECKEY_DestroyPublicKey(pubKeySource);
- if (pubKeyTarget == NULL) SECKEY_DestroyPublicKey(pubKeyTarget);
- if (privKeySource == NULL) SECKEY_DestroyPrivateKey(privKeySource);
- if (privKeyTarget == NULL) SECKEY_DestroyPrivateKey(privKeyTarget);
- if (tekSource == NULL) PK11_FreeSymKey(tekSource);
- if (tekTarget == NULL) PK11_FreeSymKey(tekTarget);
- return newSymKey;
- }
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11list.c b/security/nss/lib/pk11wrap/pk11list.c
deleted file mode 100644
index 35a68d8a2..000000000
--- a/security/nss/lib/pk11wrap/pk11list.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Locking and queue management primatives
- *
- */
-
-#include "seccomon.h"
-#include "prlock.h"
-#include "prmon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "prlong.h"
-
-#define ISREADING 1
-#define ISWRITING 2
-#define WANTWRITE 4
-#define ISLOCKED 3
-
-/*
- * create a new lock for a Module List
- */
-SECMODListLock *SECMOD_NewListLock() {
- SECMODListLock *modLock;
-
- modLock = (SECMODListLock*)PORT_Alloc(sizeof(SECMODListLock));
-#ifdef PKCS11_USE_THREADS
- modLock->mutex = NULL;
- modLock->monitor = PR_NewMonitor();
-#else
- modLock->mutex = NULL;
- modLock->monitor = NULL;
-#endif
- modLock->state = 0;
- modLock->count = 0;
- return modLock;
-}
-
-/*
- * destroy the lock
- */
-void SECMOD_DestroyListLock(SECMODListLock *lock) {
- PK11_USE_THREADS(PR_DestroyMonitor(lock->monitor);)
- PORT_Free(lock);
-}
-
-
-/*
- * Lock the List for Read: NOTE: this assumes the reading isn't so common
- * the writing will be starved.
- */
-void SECMOD_GetReadLock(SECMODListLock *modLock) {
-#ifdef PKCS11_USE_THREADS
- PR_EnterMonitor(modLock->monitor);
- while (modLock->state & ISWRITING) {
- PR_Wait(modLock->monitor,PR_INTERVAL_NO_TIMEOUT); /* wait until woken up */
- }
- modLock->state |= ISREADING;
- modLock->count++;
- PR_ExitMonitor(modLock->monitor);
-#endif
-}
-
-/*
- * Release the Read lock
- */
-void SECMOD_ReleaseReadLock(SECMODListLock *modLock) {
-#ifdef PKCS11_USE_THREADS
- PR_EnterMonitor(modLock->monitor);
- modLock->count--;
- if (modLock->count == 0) {
- modLock->state &= ~ISREADING;
- if (modLock->state & WANTWRITE) {
- PR_Notify(modLock->monitor); /* only one writer at a time */
- }
- }
- PR_ExitMonitor(modLock->monitor);
-#endif
-}
-
-
-/*
- * lock the list for Write
- */
-void SECMOD_GetWriteLock(SECMODListLock *modLock) {
-#ifdef PKCS11_USE_THREADS
- PR_EnterMonitor(modLock->monitor);
- while (modLock->state & ISLOCKED) {
- modLock->state |= WANTWRITE;
- PR_Wait(modLock->monitor,PR_INTERVAL_NO_TIMEOUT); /* wait until woken up */
- }
- modLock->state = ISWRITING;
- PR_ExitMonitor(modLock->monitor);
-#endif
-}
-
-
-/*
- * Release the Write Lock: NOTE, this code is pretty inefficient if you have
- * lots of write collisions.
- */
-void SECMOD_ReleaseWriteLock(SECMODListLock *modLock) {
-#ifdef PKCS11_USE_THREADS
- PR_EnterMonitor(modLock->monitor);
- modLock->state = 0;
- PR_NotifyAll(modLock->monitor); /* enable all the readers */
- PR_ExitMonitor(modLock->monitor);
-#endif
-}
-
-
-/*
- * must Hold the Write lock
- */
-void
-SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) {
- *parent = child->next;
- child->next = NULL;
-}
-
-/*
- * if lock is not specified, it must already be held
- */
-void
-SECMOD_AddList(SECMODModuleList *parent, SECMODModuleList *child,
- SECMODListLock *lock) {
- if (lock) { SECMOD_GetWriteLock(lock); }
-
- child->next = parent->next;
- parent->next = child;
-
- if (lock) { SECMOD_ReleaseWriteLock(lock); }
-}
-
-
diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c
deleted file mode 100644
index 65d898e6e..000000000
--- a/security/nss/lib/pk11wrap/pk11load.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * The following handles the loading, unloading and management of
- * various PCKS #11 modules
- */
-#include "seccomon.h"
-#include "pkcs11.h"
-#include "secmod.h"
-#include "prlink.h"
-#include "pk11func.h"
-#include "secmodi.h"
-#include "prlock.h"
-
-extern void FC_GetFunctionList(void);
-extern void NSC_GetFunctionList(void);
-
-
-/* build the PKCS #11 2.01 lock files */
-CK_RV PR_CALLBACK secmodCreateMutext(CK_VOID_PTR_PTR pmutex) {
- *pmutex = (CK_VOID_PTR) PR_NewLock();
- if ( *pmutex ) return CKR_OK;
- return CKR_HOST_MEMORY;
-}
-
-CK_RV PR_CALLBACK secmodDestroyMutext(CK_VOID_PTR mutext) {
- PR_DestroyLock((PRLock *)mutext);
- return CKR_OK;
-}
-
-CK_RV PR_CALLBACK secmodLockMutext(CK_VOID_PTR mutext) {
- PR_Lock((PRLock *)mutext);
- return CKR_OK;
-}
-
-CK_RV PR_CALLBACK secmodUnlockMutext(CK_VOID_PTR mutext) {
- PR_Unlock((PRLock *)mutext);
- return CKR_OK;
-}
-
-static SECMODModuleID nextModuleID = 1;
-static CK_C_INITIALIZE_ARGS secmodLockFunctions = {
- secmodCreateMutext, secmodDestroyMutext, secmodLockMutext,
- secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS|
- CKF_OS_LOCKING_OK
- ,NULL
-};
-
-/*
- * load a new module into our address space and initialize it.
- */
-SECStatus
-SECMOD_LoadModule(SECMODModule *mod) {
- PRLibrary *library = NULL;
- CK_C_GetFunctionList entry;
- char * full_name;
- CK_INFO info;
- CK_ULONG slotCount = 0;
-
-
- if (mod->loaded) return SECSuccess;
-
- /* intenal modules get loaded from their internal list */
- if (mod->internal) {
- /* internal, statically get the C_GetFunctionList function */
- if (mod->isFIPS) {
- entry = (CK_C_GetFunctionList) FC_GetFunctionList;
- } else {
- entry = (CK_C_GetFunctionList) NSC_GetFunctionList;
- }
- } else {
- /* Not internal, load the DLL and look up C_GetFunctionList */
- if (mod->dllName == NULL) {
- return SECFailure;
- }
-
-#ifdef notdef
- /* look up the library name */
- full_name = PR_GetLibraryName(PR_GetLibraryPath(),mod->dllName);
- if (full_name == NULL) {
- return SECFailure;
- }
-#else
- full_name = PORT_Strdup(mod->dllName);
-#endif
-
- /* load the library. If this succeeds, then we have to remember to
- * unload the library if anything goes wrong from here on out...
- */
- library = PR_LoadLibrary(full_name);
- mod->library = (void *)library;
- PORT_Free(full_name);
- if (library == NULL) {
- return SECFailure;
- }
-
- /*
- * now we need to get the entry point to find the function pointers
- */
- entry = (CK_C_GetFunctionList)
- PR_FindSymbol(library, "C_GetFunctionList");
- if (entry == NULL) {
- PR_UnloadLibrary(library);
- return SECFailure;
- }
- }
-
- /*
- * We need to get the function list
- */
- if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK)
- goto fail;
-
- mod->isThreadSafe = PR_TRUE;
- /* Now we initialize the module */
- if (PK11_GETTAB(mod)->C_Initialize(&secmodLockFunctions) != CKR_OK) {
- mod->isThreadSafe = PR_FALSE;
- if (PK11_GETTAB(mod)->C_Initialize(NULL) != CKR_OK) goto fail;
- }
-
- /* check the version number */
- if (PK11_GETTAB(mod)->C_GetInfo(&info) != CKR_OK) goto fail2;
- if (info.cryptokiVersion.major != 2) goto fail2;
- /* all 2.0 are a priori *not* thread safe */
- if (info.cryptokiVersion.minor < 1) mod->isThreadSafe = PR_FALSE;
-
-
- /* If we don't have a common name, get it from the PKCS 11 module */
- if ((mod->commonName == NULL) || (mod->commonName[0] == 0)) {
- mod->commonName = PK11_MakeString(mod->arena,NULL,
- (char *)info.libraryDescription, sizeof(info.libraryDescription));
- if (mod->commonName == NULL) goto fail2;
- }
-
-
- /* initialize the Slots */
- if (PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, NULL, &slotCount) == CKR_OK) {
- CK_SLOT_ID *slotIDs;
- int i;
- CK_RV rv;
-
- mod->slots = (PK11SlotInfo **)PORT_ArenaAlloc(mod->arena,
- sizeof(PK11SlotInfo *) * slotCount);
- if (mod->slots == NULL) goto fail2;
-
- slotIDs = (CK_SLOT_ID *) PORT_Alloc(sizeof(CK_SLOT_ID)*slotCount);
- if (slotIDs == NULL) {
- goto fail2;
- }
- rv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount);
- if (rv != CKR_OK) {
- PORT_Free(slotIDs);
- goto fail2;
- }
-
- /* Initialize each slot */
- for (i=0; i < (int)slotCount; i++) {
- mod->slots[i] = PK11_NewSlotInfo();
- PK11_InitSlot(mod,slotIDs[i],mod->slots[i]);
- /* look down the slot info table */
- PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
- }
- mod->slotCount = slotCount;
- mod->slotInfoCount = 0;
- PORT_Free(slotIDs);
- }
-
-
-
-
- mod->loaded = PR_TRUE;
- mod->moduleID = nextModuleID++;
- return SECSuccess;
-fail2:
- PK11_GETTAB(mod)->C_Finalize(NULL);
-fail:
- mod->functionList = NULL;
- if (library) PR_UnloadLibrary(library);
- return SECFailure;
-}
-
-SECStatus
-SECMOD_UnloadModule(SECMODModule *mod) {
- PRLibrary *library;
-
- if (!mod->loaded) {
- return SECFailure;
- }
-
- PK11_GETTAB(mod)->C_Finalize(NULL);
- mod->moduleID = 0;
- mod->loaded = PR_FALSE;
-
- /* do we want the semantics to allow unloading the internal library?
- * if not, we should change this to SECFailure and move it above the
- * mod->loaded = PR_FALSE; */
- if (mod->internal) {
- return SECSuccess;
- }
-
- library = (PRLibrary *)mod->library;
- /* paranoia */
- if (library == NULL) {
- return SECFailure;
- }
-
- PR_UnloadLibrary(library);
- return SECSuccess;
-}
diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c
deleted file mode 100644
index c72914543..000000000
--- a/security/nss/lib/pk11wrap/pk11sdr.c
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- * thayes@netscape.com
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * PKCS #11 Wrapper functions which handles authenticating to the card's
- * choosing the best cards, etc.
- */
-
-#include "seccomon.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "pk11sdr.h"
-
-/*
- * Data structure and template for encoding the result of an SDR operation
- * This is temporary. It should include the algorithm ID of the encryption mechanism
- */
-struct SDRResult
-{
- SECItem keyid;
- SECAlgorithmID alg;
- SECItem data;
-};
-typedef struct SDRResult SDRResult;
-
-static SEC_ASN1Template template[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) },
- { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) },
- { SEC_ASN1_INLINE, offsetof(SDRResult, alg), SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) },
- { 0 }
-};
-
-static unsigned char keyID[] = {
- 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
-};
-
-static SECItem keyIDItem = {
- 0,
- keyID,
- sizeof keyID
-};
-
-/* local utility function for padding an incoming data block
- * to the mechanism block size.
- */
-static SECStatus
-padBlock(SECItem *data, int blockSize, SECItem *result)
-{
- SECStatus rv = SECSuccess;
- int padLength;
- unsigned int i;
-
- result->data = 0;
- result->len = 0;
-
- /* This algorithm always adds to the block (to indicate the number
- * of pad bytes). So allocate a block large enough.
- */
- padLength = blockSize - (data->len % blockSize);
- result->len = data->len + padLength;
- result->data = (unsigned char *)PORT_Alloc(result->len);
-
- /* Copy the data */
- PORT_Memcpy(result->data, data->data, data->len);
-
- /* Add the pad values */
- for(i = data->len; i < result->len; i++)
- result->data[i] = (unsigned char)padLength;
-
- return rv;
-}
-
-static SECStatus
-unpadBlock(SECItem *data, int blockSize, SECItem *result)
-{
- SECStatus rv = SECSuccess;
- int padLength;
-
- result->data = 0;
- result->len = 0;
-
- /* Remove the padding from the end if the input data */
- if (data->len == 0 || data->len % blockSize != 0) { rv = SECFailure; goto loser; }
-
- padLength = data->data[data->len-1];
- if (padLength > blockSize) { rv = SECFailure; goto loser; }
-
- result->len = data->len - padLength;
- result->data = (unsigned char *)PORT_Alloc(result->len);
- if (!result->data) { rv = SECFailure; goto loser; }
-
- PORT_Memcpy(result->data, data->data, result->len);
-
-loser:
- return rv;
-}
-
-/*
- * PK11SDR_Encrypt
- * Encrypt a block of data using the symmetric key identified. The result
- * is an ASN.1 (DER) encoded block of keyid, params and data.
- */
-SECStatus
-PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx)
-{
- SECStatus rv = SECSuccess;
- PK11SlotInfo *slot = 0;
- PK11SymKey *key = 0;
- SECItem *params = 0;
- PK11Context *ctx = 0;
- CK_MECHANISM_TYPE type;
- SDRResult sdrResult;
- SECItem paddedData;
- SECItem *pKeyID;
- PLArenaPool *arena = 0;
-
- /* Initialize */
- paddedData.len = 0;
- paddedData.data = 0;
-
- arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (!arena) { rv = SECFailure; goto loser; }
-
- /* 1. Locate the requested keyid, or the default key (which has a keyid)
- * 2. Create an encryption context
- * 3. Encrypt
- * 4. Encode the results (using ASN.1)
- */
-
- slot = PK11_GetInternalKeySlot();
- if (!slot) { rv = SECFailure; goto loser; }
-
- /* Use triple-DES */
- type = CKM_DES3_CBC;
-
- /* Find the key to use */
- pKeyID = keyid;
- if (pKeyID->len == 0) {
- pKeyID = &keyIDItem; /* Use default value */
-
- /* Try to find the key */
- key = PK11_FindFixedKey(slot, type, pKeyID, cx);
-
- /* If the default key doesn't exist yet, try to create it */
- if (!key) key = PK11_GenDES3TokenKey(slot, pKeyID, cx);
- } else {
- key = PK11_FindFixedKey(slot, type, pKeyID, cx);
- }
-
- if (!key) { rv = SECFailure; goto loser; }
-
- params = PK11_GenerateNewParam(type, key);
- if (!params) { rv = SECFailure; goto loser; }
-
- ctx = PK11_CreateContextBySymKey(type, CKA_ENCRYPT, key, params);
- if (!ctx) { rv = SECFailure; goto loser; }
-
- rv = padBlock(data, PK11_GetBlockSize(type, 0), &paddedData);
- if (rv != SECSuccess) goto loser;
-
- sdrResult.data.len = paddedData.len;
- sdrResult.data.data = (unsigned char *)PORT_ArenaAlloc(arena, sdrResult.data.len);
-
- rv = PK11_CipherOp(ctx, sdrResult.data.data, &sdrResult.data.len, sdrResult.data.len,
- paddedData.data, paddedData.len);
- if (rv != SECSuccess) goto loser;
-
- PK11_Finalize(ctx);
-
- sdrResult.keyid = *pKeyID;
-
- rv = PK11_ParamToAlgid(SEC_OID_DES_EDE3_CBC, params, arena, &sdrResult.alg);
- if (rv != SECSuccess) goto loser;
-
- if (!SEC_ASN1EncodeItem(0, result, &sdrResult, template)) { rv = SECFailure; goto loser; }
-
-loser:
- SECITEM_ZfreeItem(&paddedData, PR_FALSE);
- if (arena) PORT_FreeArena(arena, PR_TRUE);
- if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
- if (params) SECITEM_ZfreeItem(params, PR_TRUE);
- if (key) PK11_FreeSymKey(key);
- if (slot) PK11_FreeSlot(slot);
-
- return rv;
-}
-
-/*
- * PK11SDR_Decrypt
- * Decrypt a block of data produced by PK11SDR_Encrypt. The key used is identified
- * by the keyid field within the input.
- */
-SECStatus
-PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx)
-{
- SECStatus rv = SECSuccess;
- PK11SlotInfo *slot = 0;
- PK11SymKey *key = 0;
- PK11Context *ctx = 0;
- CK_MECHANISM_TYPE type;
- SDRResult sdrResult;
- SECItem *params = 0;
- SECItem paddedResult;
- PLArenaPool *arena = 0;
-
- paddedResult.len = 0;
- paddedResult.data = 0;
-
- arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (!arena) { rv = SECFailure; goto loser; }
-
- /* Decode the incoming data */
- memset(&sdrResult, 0, sizeof sdrResult);
- rv = SEC_ASN1DecodeItem(arena, &sdrResult, template, data);
- if (rv != SECSuccess) goto loser; /* Invalid format */
-
- /* Find the slot and key for the given keyid */
- slot = PK11_GetInternalKeySlot();
- if (!slot) { rv = SECFailure; goto loser; }
-
- /* Use triple-DES (Should look up the algorithm) */
- type = CKM_DES3_CBC;
- key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx);
- if (!key) { rv = SECFailure; goto loser; }
-
- /* Get the parameter values from the data */
- params = PK11_ParamFromAlgid(&sdrResult.alg);
- if (!params) { rv = SECFailure; goto loser; }
-
- ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params);
- if (!ctx) { rv = SECFailure; goto loser; }
-
- paddedResult.len = sdrResult.data.len;
- paddedResult.data = PORT_ArenaAlloc(arena, result->len);
-
- rv = PK11_CipherOp(ctx, paddedResult.data, &paddedResult.len, paddedResult.len,
- sdrResult.data.data, sdrResult.data.len);
- if (rv != SECSuccess) goto loser;
-
- PK11_Finalize(ctx);
-
- /* Remove the padding */
- rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result);
- if (rv) goto loser;
-
-loser:
- /* SECITEM_ZfreeItem(&paddedResult, PR_FALSE); */
- if (arena) PORT_FreeArena(arena, PR_TRUE);
- if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
- if (key) PK11_FreeSymKey(key);
- if (params) SECITEM_ZfreeItem(params, PR_TRUE);
- if (slot) PK11_FreeSlot(slot);
-
- return rv;
-}
diff --git a/security/nss/lib/pk11wrap/pk11sdr.h b/security/nss/lib/pk11wrap/pk11sdr.h
deleted file mode 100644
index 652098cad..000000000
--- a/security/nss/lib/pk11wrap/pk11sdr.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * PKCS #11 Wrapper functions which handles authenticating to the card's
- * choosing the best cards, etc.
- */
-
-#ifndef _PK11SDR_H_
-#define _PK11SDR_H_
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * PK11SDR_Encrypt - encrypt data using the specified key id or SDR default
- *
- */
-SECStatus
-PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx);
-
-/*
- * PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt
- */
-SECStatus
-PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
deleted file mode 100644
index 4d65b15a8..000000000
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ /dev/null
@@ -1,4854 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This file implements the Symkey wrapper and the PKCS context
- * Interfaces.
- */
-
-#include "seccomon.h"
-#include "secmod.h"
-#include "prlock.h"
-#include "secmodi.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "key.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "sechash.h"
-#include "cert.h"
-#include "secerr.h"
-
-#define PAIRWISE_SECITEM_TYPE siBuffer
-#define PAIRWISE_DIGEST_LENGTH SHA1_LENGTH /* 160-bits */
-#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
-
-/* forward static declarations. */
-static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey,
- CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
- CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr,
- unsigned int numAttrs);
-
-
-/*
- * strip leading zero's from key material
- */
-void
-pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) {
- char *ptr = (char *)attrib->pValue;
- unsigned long len = attrib->ulValueLen;
-
- while (len && (*ptr == 0)) {
- len--;
- ptr++;
- }
- attrib->pValue = ptr;
- attrib->ulValueLen = len;
-}
-
-/*
- * get a new session on a slot. If we run out of session, use the slot's
- * 'exclusive' session. In this case owner becomes false.
- */
-static CK_SESSION_HANDLE
-pk11_GetNewSession(PK11SlotInfo *slot,PRBool *owner)
-{
- CK_SESSION_HANDLE session;
- *owner = PR_TRUE;
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- if ( PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
- slot,pk11_notify,&session) != CKR_OK) {
- *owner = PR_FALSE;
- session = slot->session;
- }
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-
- return session;
-}
-
-static void
-pk11_CloseSession(PK11SlotInfo *slot,CK_SESSION_HANDLE session,PRBool owner)
-{
- if (!owner) return;
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- (void) PK11_GETTAB(slot)->C_CloseSession(session);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-}
-
-
-SECStatus
-PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
- CK_ATTRIBUTE *theTemplate, int count,
- PRBool token, CK_OBJECT_HANDLE *objectID)
-{
- CK_SESSION_HANDLE rwsession;
- CK_RV crv;
- SECStatus rv = SECSuccess;
-
- rwsession = session;
- if (rwsession == CK_INVALID_SESSION) {
- if (token) {
- rwsession = PK11_GetRWSession(slot);
- } else {
- rwsession = slot->session;
- PK11_EnterSlotMonitor(slot);
- }
- }
- crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate,
- count,objectID);
- if(crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- rv = SECFailure;
- }
-
- if (session == CK_INVALID_SESSION) {
- if (token) {
- PK11_RestoreROSession(slot, rwsession);
- } else {
- PK11_ExitSlotMonitor(slot);
- }
- }
-
- return rv;
-}
-
-static void
-pk11_EnterKeyMonitor(PK11SymKey *symKey) {
- if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe))
- PK11_EnterSlotMonitor(symKey->slot);
-}
-
-static void
-pk11_ExitKeyMonitor(PK11SymKey *symKey) {
- if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe))
- PK11_ExitSlotMonitor(symKey->slot);
-}
-
-
-static PK11SymKey *pk11SymKeyHead = NULL;
-static PK11SymKey *
-pk11_getKeyFromList(PK11SlotInfo *slot) {
- PK11SymKey *symKey;
-
-
- PK11_USE_THREADS(PR_Lock(slot->freeListLock);)
- if (slot->freeSymKeysHead) {
- symKey = slot->freeSymKeysHead;
- slot->freeSymKeysHead = symKey->next;
- slot->keyCount--;
- }
- PK11_USE_THREADS(PR_Unlock(slot->freeListLock);)
- if (symKey) {
- symKey->next = NULL;
- return symKey;
- }
-
- symKey = (PK11SymKey *)PORT_ZAlloc(sizeof(PK11SymKey));
- if (symKey == NULL) {
- return NULL;
- }
- symKey->refLock = PR_NewLock();
- if (symKey->refLock == NULL) {
- PORT_Free(symKey);
- return NULL;
- }
- symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
- symKey->next = NULL;
- return symKey;
-}
-
-void
-PK11_CleanKeyList(PK11SlotInfo *slot)
-{
- PK11SymKey *symKey = NULL;
-
- while (slot->freeSymKeysHead) {
- symKey = slot->freeSymKeysHead;
- slot->freeSymKeysHead = symKey->next;
- pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner);
- PK11_USE_THREADS(PR_DestroyLock(symKey->refLock);)
- PORT_Free(symKey);
- };
- return;
-}
-
-/*
- * create a symetric key:
- * Slot is the slot to create the key in.
- * type is the mechainism type
- */
-PK11SymKey *
-PK11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, void *wincx)
-{
-
- PK11SymKey *symKey = pk11_getKeyFromList(slot);
-
-
- if (symKey == NULL) {
- return NULL;
- }
-
- symKey->type = type;
- symKey->data.data = NULL;
- symKey->data.len = 0;
- symKey->owner = PR_TRUE;
- symKey->objectID = CK_INVALID_KEY;
- symKey->slot = slot;
- symKey->series = slot->series;
- symKey->cx = wincx;
- symKey->size = 0;
- symKey->refCount = 1;
- symKey->origin = PK11_OriginNULL;
- symKey->origin = PK11_OriginNULL;
- PK11_ReferenceSlot(slot);
- return symKey;
-}
-
-/*
- * destroy a symetric key
- */
-void
-PK11_FreeSymKey(PK11SymKey *symKey)
-{
- PRBool destroy = PR_FALSE;
- PK11SlotInfo *slot;
- PRBool freeit = PR_TRUE;
-
- PK11_USE_THREADS(PR_Lock(symKey->refLock);)
- if (symKey->refCount-- == 1) {
- destroy= PR_TRUE;
- }
- PK11_USE_THREADS(PR_Unlock(symKey->refLock);)
- if (destroy) {
- if ((symKey->owner) && symKey->objectID != CK_INVALID_KEY) {
- pk11_EnterKeyMonitor(symKey);
- (void) PK11_GETTAB(symKey->slot)->
- C_DestroyObject(symKey->session, symKey->objectID);
- pk11_ExitKeyMonitor(symKey);
- }
- if (symKey->data.data) {
- PORT_Memset(symKey->data.data, 0, symKey->data.len);
- PORT_Free(symKey->data.data);
- }
- slot = symKey->slot;
- PK11_USE_THREADS(PR_Lock(slot->freeListLock);)
- if (slot->keyCount < slot->maxKeyCount) {
- symKey->next = slot->freeSymKeysHead;
- slot->freeSymKeysHead = symKey;
- slot->keyCount++;
- symKey->slot = NULL;
- freeit = PR_FALSE;
- }
- PK11_USE_THREADS(PR_Unlock(slot->freeListLock);)
- if (freeit) {
- pk11_CloseSession(symKey->slot, symKey->session,
- symKey->sessionOwner);
- PK11_USE_THREADS(PR_DestroyLock(symKey->refLock);)
- PORT_Free(symKey);
- }
- PK11_FreeSlot(slot);
- }
-}
-
-PK11SymKey *
-PK11_ReferenceSymKey(PK11SymKey *symKey)
-{
- PK11_USE_THREADS(PR_Lock(symKey->refLock);)
- symKey->refCount++;
- PK11_USE_THREADS(PR_Unlock(symKey->refLock);)
- return symKey;
-}
-
-/*
- * turn key handle into an appropriate key object
- */
-PK11SymKey *
-PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
- CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx)
-{
- PK11SymKey *symKey;
-
- if (keyID == CK_INVALID_KEY) {
- return NULL;
- }
-
- symKey = PK11_CreateSymKey(slot,type,wincx);
- if (symKey == NULL) {
- return NULL;
- }
-
- symKey->objectID = keyID;
- symKey->origin = origin;
- symKey->owner = owner;
-
- /* adopt the parent's session */
- /* This is only used by SSL. What we really want here is a session
- * structure with a ref count so the session goes away only after all the
- * keys do. */
- if (owner && parent) {
- pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner);
- symKey->sessionOwner = parent->sessionOwner;
- symKey->session = parent->session;
- parent->sessionOwner = PR_FALSE;
- }
-
- return symKey;
-}
-
-/*
- * turn key handle into an appropriate key object
- */
-PK11SymKey *
-PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,
- int series, void *wincx)
-{
- PK11SymKey *symKey = NULL;
-
- if (slot->series != series) return NULL;
- if (slot->refKeys[wrap] == CK_INVALID_KEY) return NULL;
- if (type == CKM_INVALID_MECHANISM) type = slot->wrapMechanism;
-
- symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
- slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx);
- return symKey;
-}
-
-void
-PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
-{
- /* save the handle and mechanism for the wrapping key */
- /* mark the key and session as not owned by us to they don't get freed
- * when the key goes way... that lets us reuse the key later */
- slot->refKeys[wrap] = wrapKey->objectID;
- wrapKey->owner = PR_FALSE;
- wrapKey->sessionOwner = PR_FALSE;
- slot->wrapMechanism = wrapKey->type;
-}
-
-CK_MECHANISM_TYPE
-PK11_GetMechanism(PK11SymKey *symKey)
-{
- return symKey->type;
-}
-
-/*
- * figure out if a key is still valid or if it is stale.
- */
-PRBool
-PK11_VerifyKeyOK(PK11SymKey *key) {
- if (!PK11_IsPresent(key->slot)) {
- return PR_FALSE;
- }
- return (PRBool)(key->series == key->slot->series);
-}
-
-static PK11SymKey *
-pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
- PK11Origin origin, CK_ATTRIBUTE *keyTemplate,
- unsigned int templateCount, SECItem *key, void *wincx)
-{
- PK11SymKey * symKey;
- CK_RV crv;
-
- symKey = PK11_CreateSymKey(slot,type,wincx);
- if (symKey == NULL) {
- return NULL;
- }
-
- symKey->size = key->len;
-
- if (SECITEM_CopyItem(NULL,&symKey->data,key) != SECSuccess) {
- PK11_FreeSymKey(symKey);
- return NULL;
- }
-
- symKey->origin = origin;
-
- /* import the keys */
- crv = PK11_CreateNewObject(slot, symKey->session, keyTemplate,
- templateCount, PR_FALSE, &symKey->objectID);
- if ( crv != CKR_OK) {
- PK11_FreeSymKey(symKey);
- PORT_SetError( PK11_MapError(crv));
- return NULL;
- }
-
- return symKey;
-}
-
-/*
- * turn key bits into an appropriate key object
- */
-PK11SymKey *
-PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
- PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx)
-{
- PK11SymKey * symKey;
- unsigned int templateCount = 0;
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_BBOOL cktrue = CK_TRUE; /* sigh */
- CK_ATTRIBUTE keyTemplate[5];
- CK_ATTRIBUTE * attrs = keyTemplate;
-
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
- PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE, key->data, key->len); attrs++;
- templateCount = attrs - keyTemplate;
- PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
- keyType = PK11_GetKeyType(type,key->len);
- symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, keyTemplate,
- templateCount, key, wincx);
- return symKey;
-}
-
-/*
- * import a public key into the desired slot
- */
-CK_OBJECT_HANDLE
-PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
- PRBool isToken)
-{
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_OBJECT_HANDLE objectID;
- CK_ATTRIBUTE theTemplate[10];
- CK_ATTRIBUTE *signedattr = NULL;
- CK_ATTRIBUTE *attrs = theTemplate;
- int signedcount = 0;
- int templateCount = 0;
- CK_RV crv;
-
- /* if we already have an object in the desired slot, use it */
- if (!isToken && pubKey->pkcs11Slot == slot) {
- return pubKey->pkcs11ID;
- }
-
- /* free the existing key */
- if (pubKey->pkcs11Slot != NULL) {
- PK11SlotInfo *oSlot = pubKey->pkcs11Slot;
- PK11_EnterSlotMonitor(oSlot);
- (void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session,
- pubKey->pkcs11ID);
- PK11_ExitSlotMonitor(oSlot);
- PK11_FreeSlot(oSlot);
- pubKey->pkcs11Slot = NULL;
- }
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
- PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL) ); attrs++;
-
- /* now import the key */
- {
- switch (pubKey->keyType) {
- case rsaKey:
- keyType = CKK_RSA;
- PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue,
- sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++;
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data,
- pubKey->u.rsa.modulus.len); attrs++;
- PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
- pubKey->u.rsa.publicExponent.data,
- pubKey->u.rsa.publicExponent.len); attrs++;
- break;
- case dsaKey:
- keyType = CKK_DSA;
- PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dsa.params.prime.data,
- pubKey->u.dsa.params.prime.len); attrs++;
- PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data,
- pubKey->u.dsa.params.subPrime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dsa.params.base.data,
- pubKey->u.dsa.params.base.len); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data,
- pubKey->u.dsa.publicValue.len); attrs++;
- break;
- case fortezzaKey:
- keyType = CKK_DSA;
- PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data,
- pubKey->u.fortezza.params.prime.len); attrs++;
- PK11_SETATTRS(attrs,CKA_SUBPRIME,
- pubKey->u.fortezza.params.subPrime.data,
- pubKey->u.fortezza.params.subPrime.len);attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data,
- pubKey->u.fortezza.params.base.len); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data,
- pubKey->u.fortezza.DSSKey.len); attrs++;
- break;
- case dhKey:
- keyType = CKK_DH;
- PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dh.prime.data,
- pubKey->u.dh.prime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dh.base.data,
- pubKey->u.dh.base.len); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dh.publicValue.data,
- pubKey->u.dh.publicValue.len); attrs++;
- break;
- /* what about fortezza??? */
- default:
- PORT_SetError( SEC_ERROR_BAD_KEY );
- return CK_INVALID_KEY;
- }
-
- templateCount = attrs - theTemplate;
- signedcount = attrs - signedattr;
- PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)));
- for (attrs=signedattr; signedcount; attrs++, signedcount--) {
- pk11_SignedToUnsigned(attrs);
- }
- crv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
- templateCount, isToken, &objectID);
- if ( crv != CKR_OK) {
- PORT_SetError (PK11_MapError(crv));
- return CK_INVALID_KEY;
- }
- }
-
- pubKey->pkcs11ID = objectID;
- pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
-
- return objectID;
-}
-
-
-/*
- * return the slot associated with a symetric key
- */
-PK11SlotInfo *
-PK11_GetSlotFromKey(PK11SymKey *symKey)
-{
- return PK11_ReferenceSlot(symKey->slot);
-}
-
-PK11SymKey *
-PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID,
- void *wincx)
-{
- CK_ATTRIBUTE findTemp[4];
- CK_ATTRIBUTE *attrs;
- CK_BBOOL ckTrue = CK_TRUE;
- CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
- int tsize = 0;
- CK_OBJECT_HANDLE key_id;
-
- attrs = findTemp;
- PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
- PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
- if (keyID) {
- PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;
- }
- tsize = attrs - findTemp;
- PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
-
- key_id = pk11_FindObjectByTemplate(slot,findTemp,tsize);
- if (key_id == CK_INVALID_KEY) {
- return NULL;
- }
- return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
- PR_FALSE, wincx);
-}
-
-void *
-PK11_GetWindow(PK11SymKey *key)
-{
- return key->cx;
-}
-
-
-/*
- * extract a symetric key value. NOTE: if the key is sensitive, we will
- * not be able to do this operation. This function is used to move
- * keys from one token to another */
-SECStatus
-PK11_ExtractKeyValue(PK11SymKey *symKey)
-{
-
- if (symKey->data.data != NULL) return SECSuccess;
-
- if (symKey->slot == NULL) {
- PORT_SetError( SEC_ERROR_INVALID_KEY );
- return SECFailure;
- }
-
- return PK11_ReadAttribute(symKey->slot,symKey->objectID,CKA_VALUE,NULL,
- &symKey->data);
-}
-
-SECItem *
-PK11_GetKeyData(PK11SymKey *symKey)
-{
- return &symKey->data;
-}
-
-/*
- * take an attribute and copy it into a secitem, converting unsigned to signed.
- */
-static CK_RV
-pk11_Attr2SecItem(PRArenaPool *arena, CK_ATTRIBUTE *attr, SECItem *item) {
- unsigned char *dataPtr;
-
- item->len = attr->ulValueLen;
- dataPtr = (unsigned char*) PORT_ArenaAlloc(arena, item->len+1);
- if ( dataPtr == NULL) {
- return CKR_HOST_MEMORY;
- }
- *dataPtr = 0;
- item->data = dataPtr+1;
- PORT_Memcpy(item->data,attr->pValue,item->len);
- if (item->data[0] & 0x80) {
- item->data = item->data-1;
- item->len++;
- }
- return CKR_OK;
-}
-/*
- * extract a public key from a slot and id
- */
-SECKEYPublicKey *
-PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id)
-{
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- PRArenaPool *arena;
- PRArenaPool *tmp_arena;
- SECKEYPublicKey *pubKey;
- int templateCount = 0;
- CK_KEY_TYPE pk11KeyType;
- CK_RV crv;
- CK_ATTRIBUTE template[8];
- CK_ATTRIBUTE *attrs= template;
- CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value;
-
- /* if we didn't know the key type, get it */
- if (keyType== nullKey) {
-
- pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE);
- if (pk11KeyType == CK_UNAVAILABLE_INFORMATION) {
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
- switch (pk11KeyType) {
- case CKK_RSA:
- keyType = rsaKey;
- break;
- case CKK_DSA:
- keyType = dsaKey;
- break;
- case CKK_DH:
- keyType = dhKey;
- break;
- default:
- PORT_SetError( SEC_ERROR_BAD_KEY );
- return NULL;
- }
- }
-
-
- /* now we need to create space for the public key */
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return NULL;
- tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
- if (tmp_arena == NULL) {
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
- }
-
-
- pubKey = (SECKEYPublicKey *)
- PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
- if (pubKey == NULL) {
- PORT_FreeArena (arena, PR_FALSE);
- PORT_FreeArena (tmp_arena, PR_FALSE);
- return NULL;
- }
-
- pubKey->arena = arena;
- pubKey->keyType = keyType;
- pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
- pubKey->pkcs11ID = id;
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass,
- sizeof(keyClass)); attrs++;
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType,
- sizeof(pk11KeyType) ); attrs++;
- switch (pubKey->keyType) {
- case rsaKey:
- modulus = attrs;
- PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++;
- exponent = attrs;
- PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++;
-
- templateCount = attrs - template;
- PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
- crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
- if (crv != CKR_OK) break;
-
- if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) {
- crv = CKR_OBJECT_HANDLE_INVALID;
- break;
- }
- crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus);
- if (crv != CKR_OK) break;
- crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent);
- if (crv != CKR_OK) break;
- break;
- case dsaKey:
- prime = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++;
- subprime = attrs;
- PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++;
- base = attrs;
- PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++;
- value = attrs;
- PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++;
- templateCount = attrs - template;
- PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
- crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
- if (crv != CKR_OK) break;
-
- if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
- crv = CKR_OBJECT_HANDLE_INVALID;
- break;
- }
- crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime);
- if (crv != CKR_OK) break;
- crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime);
- if (crv != CKR_OK) break;
- crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base);
- if (crv != CKR_OK) break;
- crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue);
- if (crv != CKR_OK) break;
- break;
- case dhKey:
- prime = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++;
- base = attrs;
- PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++;
- value =attrs;
- PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++;
- templateCount = attrs - template;
- PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
- crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
- if (crv != CKR_OK) break;
-
- if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
- crv = CKR_OBJECT_HANDLE_INVALID;
- break;
- }
- crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime);
- if (crv != CKR_OK) break;
- crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base);
- if (crv != CKR_OK) break;
- crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue);
- if (crv != CKR_OK) break;
- break;
- case fortezzaKey:
- case nullKey:
- default:
- crv = CKR_OBJECT_HANDLE_INVALID;
- break;
- }
-
- PORT_FreeArena(tmp_arena,PR_FALSE);
-
- if (crv != CKR_OK) {
- PORT_FreeArena(arena,PR_FALSE);
- PK11_FreeSlot(slot);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
-
- return pubKey;
-}
-
-/*
- * Build a Private Key structure from raw PKCS #11 information.
- */
-SECKEYPrivateKey *
-PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
- PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx)
-{
- PRArenaPool *arena;
- SECKEYPrivateKey *privKey;
-
- /* don't know? look it up */
- if (keyType == nullKey) {
- CK_KEY_TYPE pk11Type = CKK_RSA;
-
- pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
- isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
- switch (pk11Type) {
- case CKK_RSA: keyType = rsaKey; break;
- case CKK_DSA: keyType = dsaKey; break;
- case CKK_DH: keyType = dhKey; break;
- case CKK_KEA: keyType = fortezzaKey; break;
- default:
- break;
- }
- }
-
- /* now we need to create space for the private key */
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return NULL;
-
- privKey = (SECKEYPrivateKey *)
- PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey));
- if (privKey == NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
- }
-
- privKey->arena = arena;
- privKey->keyType = keyType;
- privKey->pkcs11Slot = PK11_ReferenceSlot(slot);
- privKey->pkcs11ID = privID;
- privKey->pkcs11IsTemp = isTemp;
- privKey->wincx = wincx;
-
- return privKey;
-}
-
-/* return the keylength if possible. '0' if not */
-unsigned int
-PK11_GetKeyLength(PK11SymKey *key)
-{
- if (key->size != 0) return key->size ;
- if (key->data.data == NULL) {
- PK11_ExtractKeyValue(key);
- }
- /* key is probably secret. Look up it's type and length */
- /* this is new PKCS #11 version 2.0 functionality. */
- if (key->size == 0) {
- CK_ULONG keyLength;
-
- keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN);
- /* doesn't have a length field, check the known PKCS #11 key types,
- * which don't have this field */
- if (keyLength == CK_UNAVAILABLE_INFORMATION) {
- CK_KEY_TYPE keyType;
- keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
- switch (keyType) {
- case CKK_DES: key->size = 8; break;
- case CKK_DES2: key->size = 16; break;
- case CKK_DES3: key->size = 24; break;
- case CKK_SKIPJACK: key->size = 10; break;
- case CKK_BATON: key->size = 20; break;
- case CKK_JUNIPER: key->size = 20; break;
- case CKK_GENERIC_SECRET:
- if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN) {
- key->size=48;
- }
- break;
- default: break;
- }
- } else {
- key->size = (unsigned int)keyLength;
- }
- }
-
- return key->size;
-}
-
-/* return the strength of a key. This is different from length in that
- * 1) it returns the size in bits, and 2) it returns only the secret portions
- * of the key minus any checksums or parity.
- */
-unsigned int
-PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid)
-{
- int size=0;
- CK_MECHANISM_TYPE mechanism= CKM_INVALID_MECHANISM; /* RC2 only */
- SECItem *param = NULL; /* RC2 only */
- CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */
- unsigned int effectiveBits = 0; /* RC2 ONLY */
-
- switch (PK11_GetKeyType(key->type,0)) {
- case CKK_CDMF:
- return 40;
- case CKK_DES:
- return 56;
- case CKK_DES3:
- case CKK_DES2:
- size = PK11_GetKeyLength(key);
- if (size == 16) {
- /* double des */
- return 112; /* 16*7 */
- }
- return 168;
- /*
- * RC2 has is different than other ciphers in that it allows the user
- * to deprecating keysize while still requiring all the bits for the
- * original key. The info
- * on what the effective key strength is in the parameter for the key.
- * In S/MIME this parameter is stored in the DER encoded algid. In Our
- * other uses of RC2, effectiveBits == keyBits, so this code functions
- * correctly without an algid.
- */
- case CKK_RC2:
- /* if no algid was provided, fall through to default */
- if (!algid) {
- break;
- }
- /* verify that the algid is for RC2 */
- mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid));
- if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) {
- break;
- }
-
- /* now get effective bits from the algorithm ID. */
- param = PK11_ParamFromAlgid(algid);
- /* if we couldn't get memory just use key length */
- if (param == NULL) {
- break;
- }
-
- rc2_params = (CK_RC2_CBC_PARAMS *) param->data;
- /* paranoia... shouldn't happen */
- PORT_Assert(param->data != NULL);
- if (param->data == NULL) {
- SECITEM_FreeItem(param,PR_TRUE);
- break;
- }
- effectiveBits = (unsigned int)rc2_params->ulEffectiveBits;
- SECITEM_FreeItem(param,PR_TRUE);
- param = NULL; rc2_params=NULL; /* paranoia */
-
- /* we have effective bits, is and allocated memory is free, now
- * we need to return the smaller of effective bits and keysize */
- size = PK11_GetKeyLength(key);
- if ((unsigned int)size*8 > effectiveBits) {
- return effectiveBits;
- }
-
- return size*8; /* the actual key is smaller, the strength can't be
- * greater than the actual key size */
-
- default:
- break;
- }
- return PK11_GetKeyLength(key) * 8;
-}
-
-/* Make a Key type to an appropriate signing/verification mechanism */
-static CK_MECHANISM_TYPE
-pk11_mapSignKeyType(KeyType keyType)
-{
- switch (keyType) {
- case rsaKey:
- return CKM_RSA_PKCS;
- case fortezzaKey:
- case dsaKey:
- return CKM_DSA;
- case dhKey:
- default:
- break;
- }
- return CKM_INVALID_MECHANISM;
-}
-
-static CK_MECHANISM_TYPE
-pk11_mapWrapKeyType(KeyType keyType)
-{
- switch (keyType) {
- case rsaKey:
- return CKM_RSA_PKCS;
- /* Add fortezza?? */
- default:
- break;
- }
- return CKM_INVALID_MECHANISM;
-}
-
-/*
- * Some non-compliant PKCS #11 vendors do not give us the modulus, so actually
- * set up a signature to get the signaure length.
- */
-static int
-pk11_backupGetSignLength(SECKEYPrivateKey *key)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- CK_MECHANISM mech = {0, NULL, 0 };
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_ULONG len;
- CK_RV crv;
- unsigned char h_data[20] = { 0 };
- unsigned char buf[20]; /* obviously to small */
- CK_ULONG smallLen = sizeof(buf);
-
- mech.mechanism = pk11_mapSignKeyType(key->keyType);
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return -1;
- }
- len = 0;
- crv = PK11_GETTAB(slot)->C_Sign(session,h_data,sizeof(h_data),
- NULL, &len);
- /* now call C_Sign with too small a buffer to clear the session state */
- (void) PK11_GETTAB(slot)->
- C_Sign(session,h_data,sizeof(h_data),buf,&smallLen);
-
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return -1;
- }
- return len;
-}
-/*
- * get the length of a signature object based on the key
- */
-int
-PK11_SignatureLen(SECKEYPrivateKey *key)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- int val;
-
- switch (key->keyType) {
- case rsaKey:
- val = PK11_GetPrivateModulusLen(key);
- if (val == -1) {
- break; /* failed */
- }
- return (unsigned long) val;
-
- case fortezzaKey:
- case dsaKey:
- return 40;
-
- default:
- break;
- }
- PORT_SetError( SEC_ERROR_INVALID_KEY );
- return 0;
-}
-
-PK11SlotInfo *
-PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- slot = PK11_ReferenceSlot(slot);
- return slot;
-}
-
-/*
- * Get the modulus length for raw parsing
- */
-int
-PK11_GetPrivateModulusLen(SECKEYPrivateKey *key)
-{
- CK_ATTRIBUTE theTemplate = { CKA_MODULUS, NULL, 0 };
- PK11SlotInfo *slot = key->pkcs11Slot;
- CK_RV crv;
- int length;
-
- switch (key->keyType) {
- case rsaKey:
- crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return -1;
- }
- length = theTemplate.ulValueLen;
- if ( *(unsigned char *)theTemplate.pValue == 0) {
- length--;
- }
- if (theTemplate.pValue != NULL)
- PORT_Free(theTemplate.pValue);
- return (int) length;
-
- case fortezzaKey:
- case dsaKey:
- case dhKey:
- default:
- break;
- }
- if (theTemplate.pValue != NULL)
- PORT_Free(theTemplate.pValue);
- PORT_SetError( SEC_ERROR_INVALID_KEY );
- return -1;
-}
-
-/*
- * copy a key (or any other object) on a token
- */
-CK_OBJECT_HANDLE
-PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject)
-{
- CK_OBJECT_HANDLE destObject;
- CK_RV crv;
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_CopyObject(slot->session,srcObject,NULL,0,
- &destObject);
- PK11_ExitSlotMonitor(slot);
- if (crv == CKR_OK) return destObject;
- PORT_SetError( PK11_MapError(crv) );
- return CK_INVALID_KEY;
-}
-
-
-PK11SymKey *
-pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
-
-/*
- * The next two utilities are to deal with the fact that a given operation
- * may be a multi-slot affair. This creates a new key object that is copied
- * into the new slot.
- */
-PK11SymKey *
-pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
-{
- SECStatus rv;
- PK11SymKey *newKey = NULL;
-
- /* Extract the raw key data if possible */
- if (symKey->data.data == NULL) {
- rv = PK11_ExtractKeyValue(symKey);
- /* KEY is sensitive, we're try key exchanging it. */
- if (rv != SECSuccess) {
- return pk11_KeyExchange(slot, type, operation, symKey);
- }
- }
- newKey = PK11_ImportSymKey(slot, type, symKey->origin, operation,
- &symKey->data, symKey->cx);
- if (newKey == NULL) newKey = pk11_KeyExchange(slot,type,operation,symKey);
- return newKey;
-}
-
-/*
- * Make sure the slot we are in the correct slot for the operation
- */
-static PK11SymKey *
-pk11_ForceSlot(PK11SymKey *symKey,CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation)
-{
- PK11SlotInfo *slot = symKey->slot;
- PK11SymKey *newKey = NULL;
-
- if ((slot== NULL) || !PK11_DoesMechanism(slot,type)) {
- slot = PK11_GetBestSlot(type,symKey->cx);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
- }
- newKey = pk11_CopyToSlot(slot, type, operation, symKey);
- PK11_FreeSlot(slot);
- }
- return newKey;
-}
-
-/*
- * Use the token to Generate a key. keySize must be 'zero' for fixed key
- * length algorithms. NOTE: this means we can never generate a DES2 key
- * from this interface!
- */
-PK11SymKey *
-PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
- int keySize, SECItem *keyid, PRBool isToken, void *wincx)
-{
- PK11SymKey *symKey;
- CK_ATTRIBUTE genTemplate[4];
- CK_ATTRIBUTE *attrs = genTemplate;
- int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
- CK_SESSION_HANDLE session;
- CK_MECHANISM mechanism;
- CK_RV crv;
- PRBool weird = PR_FALSE; /* hack for fortezza */
- CK_BBOOL ckfalse = CK_FALSE;
- CK_BBOOL cktrue = CK_TRUE;
-
- if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
- weird = PR_TRUE;
- keySize = 0;
- }
-
- /* TNH: Isn't this redundant, since "handleKey" will set defaults? */
- PK11_SETATTRS(attrs, (!weird)
- ? CKA_ENCRYPT : CKA_DECRYPT, &cktrue, sizeof(CK_BBOOL)); attrs++;
-
- if (keySize != 0) {
- CK_ULONG key_size = keySize; /* Convert to PK11 type */
-
- PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
- attrs++;
- }
-
- /* Include key id value if provided */
- if (keyid) {
- PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++;
- }
-
- if (isToken) {
- PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++;
- }
-
- count = attrs - genTemplate;
- PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
-
- /* find a slot to generate the key into */
- /* Only do slot management if this is not a token key */
- if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) {
- PK11SlotInfo *bestSlot;
-
- bestSlot = PK11_GetBestSlot(type,wincx); /* TNH: references the slot? */
- if (bestSlot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
- }
-
- symKey = PK11_CreateSymKey(bestSlot,type,wincx);
-
- PK11_FreeSlot(bestSlot);
- } else {
- symKey = PK11_CreateSymKey(slot, type, wincx);
- }
- if (symKey == NULL) return NULL;
-
- symKey->size = keySize;
- symKey->origin = (!weird) ? PK11_OriginGenerated : PK11_OriginFortezzaHack;
-
- /* Initialize the Key Gen Mechanism */
- mechanism.mechanism = PK11_GetKeyGen(type);
- if (mechanism.mechanism == CKM_FAKE_RANDOM) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
- }
-
- /* Set the parameters for the key gen if provided */
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
- if (param) {
- mechanism.pParameter = param->data;
- mechanism.ulParameterLen = param->len;
- }
-
- /* Get session and perform locking */
- if (isToken) {
- session = PK11_GetRWSession(symKey->slot); /* Should always be original slot */
- } else {
- session = symKey->session;
- pk11_EnterKeyMonitor(symKey);
- }
-
- crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session,
- &mechanism, genTemplate, count, &symKey->objectID);
-
- /* Release lock and session */
- if (isToken) {
- PK11_RestoreROSession(symKey->slot, session);
- } else {
- pk11_ExitKeyMonitor(symKey);
- }
-
- if (crv != CKR_OK) {
- PK11_FreeSymKey(symKey);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
-
- return symKey;
-}
-
-PK11SymKey *
-PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
- int keySize, void *wincx)
-{
- return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx);
-}
-
-/* --- */
-PK11SymKey *
-PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx)
-{
- return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx);
-}
-
-/*
- * PKCS #11 pairwise consistency check utilized to validate key pair.
- */
-static SECStatus
-pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey,
- SECKEYPrivateKey *privKey, CK_MECHANISM *mech, void* wincx )
-{
- /* Variables used for Encrypt/Decrypt functions. */
- unsigned char *known_message = (unsigned char *)"Known Crypto Message";
- CK_BBOOL isEncryptable = CK_FALSE;
- CK_BBOOL canSignVerify = CK_FALSE;
- CK_BBOOL isDerivable = CK_FALSE;
- unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
- CK_ULONG bytes_decrypted;
- PK11SlotInfo *slot;
- CK_OBJECT_HANDLE id;
- unsigned char *ciphertext;
- unsigned char *text_compared;
- CK_ULONG max_bytes_encrypted;
- CK_ULONG bytes_encrypted;
- CK_ULONG bytes_compared;
- CK_RV crv;
-
- /* Variables used for Signature/Verification functions. */
- unsigned char *known_digest = (unsigned char *)"Mozilla Rules World!";
- SECItem signature;
- SECItem digest; /* always uses SHA-1 digest */
- int signature_length;
- SECStatus rv;
-
- /**************************************************/
- /* Pairwise Consistency Check of Encrypt/Decrypt. */
- /**************************************************/
-
- isEncryptable = PK11_HasAttributeSet( privKey->pkcs11Slot,
- privKey->pkcs11ID, CKA_DECRYPT );
-
- /* If the encryption attribute is set; attempt to encrypt */
- /* with the public key and decrypt with the private key. */
- if( isEncryptable ) {
- /* Find a module to encrypt against */
- slot = PK11_GetBestSlot(pk11_mapWrapKeyType(privKey->keyType),wincx);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return SECFailure;
- }
-
- id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
- if (id == CK_INVALID_KEY) {
- PK11_FreeSlot(slot);
- return SECFailure;
- }
-
- /* Compute max bytes encrypted from modulus length of private key. */
- max_bytes_encrypted = PK11_GetPrivateModulusLen( privKey );
-
-
- /* Prepare for encryption using the public key. */
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB( slot )->C_EncryptInit( slot->session,
- mech, id );
- if( crv != CKR_OK ) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError( PK11_MapError( crv ) );
- PK11_FreeSlot(slot);
- return SECFailure;
- }
-
- /* Allocate space for ciphertext. */
- ciphertext = (unsigned char *) PORT_Alloc( max_bytes_encrypted );
- if( ciphertext == NULL ) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError( SEC_ERROR_NO_MEMORY );
- PK11_FreeSlot(slot);
- return SECFailure;
- }
-
- /* Initialize bytes encrypted to max bytes encrypted. */
- bytes_encrypted = max_bytes_encrypted;
-
- /* Encrypt using the public key. */
- crv = PK11_GETTAB( slot )->C_Encrypt( slot->session,
- known_message,
- PAIRWISE_MESSAGE_LENGTH,
- ciphertext,
- &bytes_encrypted );
- PK11_ExitSlotMonitor(slot);
- PK11_FreeSlot(slot);
- if( crv != CKR_OK ) {
- PORT_SetError( PK11_MapError( crv ) );
- PORT_Free( ciphertext );
- return SECFailure;
- }
-
- /* Always use the smaller of these two values . . . */
- bytes_compared = ( bytes_encrypted > PAIRWISE_MESSAGE_LENGTH )
- ? PAIRWISE_MESSAGE_LENGTH
- : bytes_encrypted;
-
- /* If there was a failure, the plaintext */
- /* goes at the end, therefore . . . */
- text_compared = ( bytes_encrypted > PAIRWISE_MESSAGE_LENGTH )
- ? (ciphertext + bytes_encrypted -
- PAIRWISE_MESSAGE_LENGTH )
- : ciphertext;
-
- /* Check to ensure that ciphertext does */
- /* NOT EQUAL known input message text */
- /* per FIPS PUB 140-1 directive. */
- if( ( bytes_encrypted != max_bytes_encrypted ) ||
- ( PORT_Memcmp( text_compared, known_message,
- bytes_compared ) == 0 ) ) {
- /* Set error to Invalid PRIVATE Key. */
- PORT_SetError( SEC_ERROR_INVALID_KEY );
- PORT_Free( ciphertext );
- return SECFailure;
- }
-
- slot = privKey->pkcs11Slot;
- /* Prepare for decryption using the private key. */
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB( slot )->C_DecryptInit( slot->session,
- mech,
- privKey->pkcs11ID );
- if( crv != CKR_OK ) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError( PK11_MapError(crv) );
- PORT_Free( ciphertext );
- PK11_FreeSlot(slot);
- return SECFailure;
- }
-
- /* Initialize bytes decrypted to be the */
- /* expected PAIRWISE_MESSAGE_LENGTH. */
- bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
-
- /* Decrypt using the private key. */
- /* NOTE: No need to reset the */
- /* value of bytes_encrypted. */
- crv = PK11_GETTAB( slot )->C_Decrypt( slot->session,
- ciphertext,
- bytes_encrypted,
- plaintext,
- &bytes_decrypted );
- PK11_ExitSlotMonitor(slot);
-
- /* Finished with ciphertext; free it. */
- PORT_Free( ciphertext );
-
- if( crv != CKR_OK ) {
- PORT_SetError( PK11_MapError(crv) );
- PK11_FreeSlot(slot);
- return SECFailure;
- }
-
- /* Check to ensure that the output plaintext */
- /* does EQUAL known input message text. */
- if( ( bytes_decrypted != PAIRWISE_MESSAGE_LENGTH ) ||
- ( PORT_Memcmp( plaintext, known_message,
- PAIRWISE_MESSAGE_LENGTH ) != 0 ) ) {
- /* Set error to Bad PUBLIC Key. */
- PORT_SetError( SEC_ERROR_BAD_KEY );
- PK11_FreeSlot(slot);
- return SECFailure;
- }
- }
-
- /**********************************************/
- /* Pairwise Consistency Check of Sign/Verify. */
- /**********************************************/
-
- canSignVerify = PK11_HasAttributeSet ( privKey->pkcs11Slot,
- privKey->pkcs11ID, CKA_VERIFY);
-
- if (canSignVerify)
- {
- /* Initialize signature and digest data. */
- signature.data = NULL;
- digest.data = NULL;
-
- /* Determine length of signature. */
- signature_length = PK11_SignatureLen( privKey );
- if( signature_length == 0 )
- goto failure;
-
- /* Allocate space for signature data. */
- signature.data = (unsigned char *) PORT_Alloc( signature_length );
- if( signature.data == NULL ) {
- PORT_SetError( SEC_ERROR_NO_MEMORY );
- goto failure;
- }
-
- /* Allocate space for known digest data. */
- digest.data = (unsigned char *) PORT_Alloc( PAIRWISE_DIGEST_LENGTH );
- if( digest.data == NULL ) {
- PORT_SetError( SEC_ERROR_NO_MEMORY );
- goto failure;
- }
-
- /* "Fill" signature type and length. */
- signature.type = PAIRWISE_SECITEM_TYPE;
- signature.len = signature_length;
-
- /* "Fill" digest with known SHA-1 digest parameters. */
- digest.type = PAIRWISE_SECITEM_TYPE;
- PORT_Memcpy( digest.data, known_digest, PAIRWISE_DIGEST_LENGTH );
- digest.len = PAIRWISE_DIGEST_LENGTH;
-
- /* Sign the known hash using the private key. */
- rv = PK11_Sign( privKey, &signature, &digest );
- if( rv != SECSuccess )
- goto failure;
-
- /* Verify the known hash using the public key. */
- rv = PK11_Verify( pubKey, &signature, &digest, wincx );
- if( rv != SECSuccess )
- goto failure;
-
- /* Free signature and digest data. */
- PORT_Free( signature.data );
- PORT_Free( digest.data );
- }
-
-
-
- /**********************************************/
- /* Pairwise Consistency Check for Derivation */
- /**********************************************/
-
- isDerivable = PK11_HasAttributeSet ( privKey->pkcs11Slot,
- privKey->pkcs11ID, CKA_DERIVE);
-
- if (isDerivable)
- {
- /*
- * We are not doing consistency check for Diffie-Hellman Key -
- * otherwise it would be here
- */
-
- }
-
- return SECSuccess;
-
-failure:
- if( signature.data != NULL )
- PORT_Free( signature.data );
- if( digest.data != NULL )
- PORT_Free( digest.data );
-
- return SECFailure;
-}
-
-
-
-/*
- * take a private key in one pkcs11 module and load it into another:
- * NOTE: the source private key is a rare animal... it can't be sensitive.
- * This is used to do a key gen using one pkcs11 module and storing the
- * result into another.
- */
-SECKEYPrivateKey *
-pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey,
- SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive)
-{
- CK_ATTRIBUTE privTemplate[] = {
- /* class must be first */
- { CKA_CLASS, NULL, 0 },
- { CKA_KEY_TYPE, NULL, 0 },
- /* these three must be next */
- { CKA_TOKEN, NULL, 0 },
- { CKA_PRIVATE, NULL, 0 },
- { CKA_SENSITIVE, NULL, 0 },
- { CKA_ID, NULL, 0 },
-#ifdef notdef
- { CKA_LABEL, NULL, 0 },
- { CKA_SUBJECT, NULL, 0 },
-#endif
- /* RSA */
- { CKA_MODULUS, NULL, 0 },
- { CKA_PRIVATE_EXPONENT, NULL, 0 },
- { CKA_PUBLIC_EXPONENT, NULL, 0 },
- { CKA_PRIME_1, NULL, 0 },
- { CKA_PRIME_2, NULL, 0 },
- { CKA_EXPONENT_1, NULL, 0 },
- { CKA_EXPONENT_2, NULL, 0 },
- { CKA_COEFFICIENT, NULL, 0 },
- };
- CK_ATTRIBUTE *attrs = NULL, *ap;
- int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]);
- PRArenaPool *arena;
- CK_OBJECT_HANDLE objectID;
- int i, count = 0;
- int extra_count = 0;
- CK_RV crv;
- SECStatus rv;
-
- for (i=0; i < templateSize; i++) {
- if (privTemplate[i].type == CKA_MODULUS) {
- attrs= &privTemplate[i];
- count = i;
- break;
- }
- }
- PORT_Assert(attrs != NULL);
- if (attrs == NULL) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
-
- ap = attrs;
-
- switch (privKey->keyType) {
- case rsaKey:
- count = templateSize;
- extra_count = templateSize - (attrs - privTemplate);
- break;
- case dsaKey:
- ap->type = CKA_PRIME; ap++; count++; extra_count++;
- ap->type = CKA_SUBPRIME; ap++; count++; extra_count++;
- ap->type = CKA_BASE; ap++; count++; extra_count++;
- ap->type = CKA_VALUE; ap++; count++; extra_count++;
- break;
- case dhKey:
- ap->type = CKA_PRIME; ap++; count++; extra_count++;
- ap->type = CKA_BASE; ap++; count++; extra_count++;
- ap->type = CKA_VALUE; ap++; count++; extra_count++;
- break;
- default:
- count = 0;
- extra_count = 0;
- break;
- }
-
- if (count == 0) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
-
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return NULL;
- /*
- * read out the old attributes.
- */
- crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID,
- privTemplate,count);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- PORT_FreeArena(arena, PR_TRUE);
- return NULL;
- }
-
- /* Reset sensitive, token, and private */
- *(CK_BBOOL *)(privTemplate[2].pValue) = token ? CK_TRUE : CK_FALSE;
- *(CK_BBOOL *)(privTemplate[3].pValue) = token ? CK_TRUE : CK_FALSE;
- *(CK_BBOOL *)(privTemplate[4].pValue) = sensitive ? CK_TRUE : CK_FALSE;
-
- /* Not everyone can handle zero padded key values, give
- * them the raw data as unsigned */
- for (ap=attrs; extra_count; ap++, extra_count--) {
- pk11_SignedToUnsigned(ap);
- }
-
- /* now Store the puppies */
- rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate,
- count, token, &objectID);
- PORT_FreeArena(arena, PR_TRUE);
- if (rv != SECSuccess) {
- return NULL;
- }
-
- /* try loading the public key as a token object */
- if (pubKey) {
- PK11_ImportPublicKey(slot, pubKey, PR_TRUE);
- if (pubKey->pkcs11Slot) {
- PK11_FreeSlot(pubKey->pkcs11Slot);
- pubKey->pkcs11Slot = NULL;
- pubKey->pkcs11ID = CK_INVALID_KEY;
- }
- }
-
- /* build new key structure */
- return PK11_MakePrivKey(slot, privKey->keyType, (PRBool)!token,
- objectID, privKey->wincx);
-}
-
-
-/*
- * Use the token to Generate a key. keySize must be 'zero' for fixed key
- * length algorithms. NOTE: this means we can never generate a DES2 key
- * from this interface!
- */
-SECKEYPrivateKey *
-PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
- void *param, SECKEYPublicKey **pubKey, PRBool token,
- PRBool sensitive, void *wincx)
-{
- /* we have to use these native types because when we call PKCS 11 modules
- * we have to make sure that we are using the correct sizes for all the
- * parameters. */
- CK_BBOOL ckfalse = CK_FALSE;
- CK_BBOOL cktrue = CK_TRUE;
- CK_ULONG modulusBits;
- CK_BYTE publicExponent[4];
- CK_ATTRIBUTE privTemplate[] = {
- { CKA_SENSITIVE, NULL, 0},
- { CKA_TOKEN, NULL, 0},
- { CKA_PRIVATE, NULL, 0},
- { CKA_DERIVE, NULL, 0},
- { CKA_UNWRAP, NULL, 0},
- { CKA_SIGN, NULL, 0},
- { CKA_DECRYPT, NULL, 0},
- };
- CK_ATTRIBUTE rsaPubTemplate[] = {
- { CKA_MODULUS_BITS, NULL, 0},
- { CKA_PUBLIC_EXPONENT, NULL, 0},
- { CKA_TOKEN, NULL, 0},
- { CKA_DERIVE, NULL, 0},
- { CKA_WRAP, NULL, 0},
- { CKA_VERIFY, NULL, 0},
- { CKA_VERIFY_RECOVER, NULL, 0},
- { CKA_ENCRYPT, NULL, 0},
- };
- CK_ATTRIBUTE dsaPubTemplate[] = {
- { CKA_PRIME, NULL, 0 },
- { CKA_SUBPRIME, NULL, 0 },
- { CKA_BASE, NULL, 0 },
- { CKA_TOKEN, NULL, 0},
- { CKA_DERIVE, NULL, 0},
- { CKA_WRAP, NULL, 0},
- { CKA_VERIFY, NULL, 0},
- { CKA_VERIFY_RECOVER, NULL, 0},
- { CKA_ENCRYPT, NULL, 0},
- };
- CK_ATTRIBUTE dhPubTemplate[] = {
- { CKA_PRIME, NULL, 0 },
- { CKA_BASE, NULL, 0 },
- { CKA_TOKEN, NULL, 0},
- { CKA_DERIVE, NULL, 0},
- { CKA_WRAP, NULL, 0},
- { CKA_VERIFY, NULL, 0},
- { CKA_VERIFY_RECOVER, NULL, 0},
- { CKA_ENCRYPT, NULL, 0},
- };
-
- int dsaPubCount = sizeof(dsaPubTemplate)/sizeof(dsaPubTemplate[0]);
- /*CK_ULONG key_size = 0;*/
- CK_ATTRIBUTE *pubTemplate;
- int privCount = sizeof(privTemplate)/sizeof(privTemplate[0]);
- int rsaPubCount = sizeof(rsaPubTemplate)/sizeof(rsaPubTemplate[0]);
- int dhPubCount = sizeof(dhPubTemplate)/sizeof(dhPubTemplate[0]);
- int pubCount = 0;
- PK11RSAGenParams *rsaParams;
- PQGParams *dsaParams;
- DHParams * dhParams;
- CK_MECHANISM mechanism;
- CK_MECHANISM test_mech;
- CK_SESSION_HANDLE session_handle;
- CK_RV crv;
- CK_OBJECT_HANDLE privID,pubID;
- SECKEYPrivateKey *privKey;
- KeyType keyType;
- PRBool restore;
- int peCount,i;
- CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *privattrs;
- SECItem *pubKeyIndex;
- CK_ATTRIBUTE setTemplate;
- SECStatus rv;
- CK_MECHANISM_INFO mechanism_info;
- CK_OBJECT_CLASS keyClass;
- SECItem *cka_id;
- PRBool haslock = PR_FALSE;
- PRBool pubIsToken = PR_FALSE;
-
- PORT_Assert(slot != NULL);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE);
- return NULL;
- }
-
- /* if our slot really doesn't do this mechanism, Generate the key
- * in our internal token and write it out */
- if (!PK11_DoesMechanism(slot,type)) {
- PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
- /* don't loop forever looking for a slot */
- if (slot == int_slot) {
- PK11_FreeSlot(int_slot);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
-
- /* if there isn't a suitable slot, then we can't do the keygen */
- if (int_slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
- }
-
- /* generate the temporary key to load */
- privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE,
- PR_FALSE, wincx);
- PK11_FreeSlot(int_slot);
-
- /* if successful, load the temp key into the new token */
- if (privKey != NULL) {
- SECKEYPrivateKey *newPrivKey = pk11_loadPrivKey(slot,privKey,
- *pubKey,token,sensitive);
- SECKEY_DestroyPrivateKey(privKey);
- if (newPrivKey == NULL) {
- SECKEY_DestroyPublicKey(*pubKey);
- *pubKey = NULL;
- }
- return newPrivKey;
- }
- return NULL;
- }
-
-
- mechanism.mechanism = type;
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
- test_mech.pParameter = NULL;
- test_mech.ulParameterLen = 0;
-
- /* set up the private key template */
- privattrs = privTemplate;
- PK11_SETATTRS(privattrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
- PK11_SETATTRS(privattrs, CKA_TOKEN, token ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
- PK11_SETATTRS(privattrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
-
- /* set up the mechanism specific info */
- switch (type) {
- case CKM_RSA_PKCS_KEY_PAIR_GEN:
- rsaParams = (PK11RSAGenParams *)param;
- modulusBits = rsaParams->keySizeInBits;
- peCount = 0;
-
- /* convert pe to a PKCS #11 string */
- for (i=0; i < 4; i++) {
- if (peCount || (rsaParams->pe &
- ((unsigned long)0xff000000L >> (i*8)))) {
- publicExponent[peCount] =
- (CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff);
- peCount++;
- }
- }
- PORT_Assert(peCount != 0);
- attrs = rsaPubTemplate;
- PK11_SETATTRS(attrs, CKA_MODULUS_BITS,
- &modulusBits, sizeof(modulusBits)); attrs++;
- PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
- publicExponent, peCount);attrs++;
- pubTemplate = rsaPubTemplate;
- pubCount = rsaPubCount;
- keyType = rsaKey;
- test_mech.mechanism = CKM_RSA_PKCS;
- break;
- case CKM_DSA_KEY_PAIR_GEN:
- dsaParams = (PQGParams *)param;
- attrs = dsaPubTemplate;
- PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
- dsaParams->prime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data,
- dsaParams->subPrime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data,
- dsaParams->base.len); attrs++;
- pubTemplate = dsaPubTemplate;
- pubCount = dsaPubCount;
- keyType = dsaKey;
- test_mech.mechanism = CKM_DSA;
- break;
- case CKM_DH_PKCS_KEY_PAIR_GEN:
- dhParams = (DHParams *)param;
- attrs = dhPubTemplate;
- PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
- dhParams->prime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data,
- dhParams->base.len); attrs++;
- pubTemplate = dhPubTemplate;
- pubCount = dhPubCount;
- keyType = dhKey;
- test_mech.mechanism = CKM_DH_PKCS_DERIVE;
- break;
- default:
- PORT_SetError( SEC_ERROR_BAD_KEY );
- return NULL;
- }
-
- /* now query the slot to find out how "good" a key we can generate */
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
- test_mech.mechanism,&mechanism_info);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if ((crv != CKR_OK) || (mechanism_info.flags == 0)) {
- /* must be old module... guess what it should be... */
- switch (test_mech.mechanism) {
- case CKM_RSA_PKCS:
- mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT |
- CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP);;
- break;
- case CKM_DSA:
- mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
- break;
- case CKM_DH_PKCS_DERIVE:
- mechanism_info.flags = CKF_DERIVE;
- break;
- default:
- break;
- }
- }
- /* set the public key objects */
- PK11_SETATTRS(attrs, CKA_TOKEN, token ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(attrs, CKA_DERIVE,
- mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(attrs, CKA_WRAP,
- mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(attrs, CKA_VERIFY,
- mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER,
- mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(attrs, CKA_ENCRYPT,
- mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(privattrs, CKA_DERIVE,
- mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
- PK11_SETATTRS(privattrs, CKA_UNWRAP,
- mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
- PK11_SETATTRS(privattrs, CKA_SIGN,
- mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
- PK11_SETATTRS(privattrs, CKA_DECRYPT,
- mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL)); privattrs++;
-
- if (token) {
- session_handle = PK11_GetRWSession(slot);
- haslock = PK11_RWSessionHasLock(slot,session_handle);
- restore = PR_TRUE;
- } else {
- PK11_EnterSlotMonitor(slot); /* gross!! */
- session_handle = slot->session;
- restore = PR_FALSE;
- haslock = PR_TRUE;
- }
-
- crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism,
- pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID);
-
-
- if (crv != CKR_OK) {
- if (restore) {
- PK11_RestoreROSession(slot,session_handle);
- } else PK11_ExitSlotMonitor(slot);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
- /* This locking code is dangerous and needs to be more thought
- * out... the real problem is that we're holding the mutex open this long
- */
- if (haslock) { PK11_ExitSlotMonitor(slot); }
-
- /* swap around the ID's for older PKCS #11 modules */
- keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS);
- if (keyClass != CKO_PUBLIC_KEY) {
- CK_OBJECT_HANDLE tmp = pubID;
- pubID = privID;
- privID = tmp;
- }
-
- *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID);
- if (*pubKey == NULL) {
- if (restore) {
- /* we may have to restore the mutex so it get's exited properly
- * in RestoreROSession */
- if (haslock) PK11_EnterSlotMonitor(slot);
- PK11_RestoreROSession(slot,session_handle);
- }
- PK11_DestroyObject(slot,pubID);
- PK11_DestroyObject(slot,privID);
- return NULL;
- }
-
- /* set the ID to the public key so we can find it again */
- pubKeyIndex = NULL;
- switch (type) {
- case CKM_RSA_PKCS_KEY_PAIR_GEN:
- pubKeyIndex = &(*pubKey)->u.rsa.modulus;
- break;
- case CKM_DSA_KEY_PAIR_GEN:
- pubKeyIndex = &(*pubKey)->u.dsa.publicValue;
- break;
- case CKM_DH_PKCS_KEY_PAIR_GEN:
- pubKeyIndex = &(*pubKey)->u.dh.publicValue;
- break;
- }
- PORT_Assert(pubKeyIndex != NULL);
-
- cka_id = PK11_MakeIDFromPubKey(pubKeyIndex);
- pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
-
- PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
-
- if (haslock) { PK11_EnterSlotMonitor(slot); }
- crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
- &setTemplate, 1);
-
- if (crv == CKR_OK && pubIsToken) {
- crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID,
- &setTemplate, 1);
- }
-
-
- if (restore) {
- PK11_RestoreROSession(slot,session_handle);
- } else {
- PK11_ExitSlotMonitor(slot);
- }
- SECITEM_FreeItem(cka_id,PR_TRUE);
-
-
- if (crv != CKR_OK) {
- PK11_DestroyObject(slot,pubID);
- PK11_DestroyObject(slot,privID);
- PORT_SetError( PK11_MapError(crv) );
- *pubKey = NULL;
- return NULL;
- }
-
- privKey = PK11_MakePrivKey(slot,keyType,(PRBool)!token,privID,wincx);
- if (privKey == NULL) {
- SECKEY_DestroyPublicKey(*pubKey);
- PK11_DestroyObject(slot,privID);
- *pubKey = NULL;
- return NULL; /* due to pairwise consistency check */
- }
-
- /* Perform PKCS #11 pairwise consistency check. */
- rv = pk11_PairwiseConsistencyCheck( *pubKey, privKey, &test_mech, wincx );
- if( rv != SECSuccess ) {
- SECKEY_DestroyPublicKey( *pubKey );
- SECKEY_DestroyPrivateKey( privKey );
- *pubKey = NULL;
- privKey = NULL;
- return NULL;
- }
-
- return privKey;
-}
-
-/*
- * This function does a straight public key wrap (which only RSA can do).
- * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
- * Diffie-Hellman Ciphers. */
-SECStatus
-PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
- PK11SymKey *symKey, SECItem *wrappedKey)
-{
- PK11SlotInfo *slot;
- CK_ULONG len = wrappedKey->len;
- PK11SymKey *newKey = NULL;
- CK_OBJECT_HANDLE id;
- CK_MECHANISM mechanism;
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_RV crv;
-
- /* if this slot doesn't support the mechanism, go to a slot that does */
- newKey = pk11_ForceSlot(symKey,type,CKA_ENCRYPT);
- if (newKey != NULL) {
- symKey = newKey;
- }
-
- if ((symKey == NULL) || (symKey->slot == NULL)) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return SECFailure;
- }
-
- slot = symKey->slot;
- mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
-
- id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_WrapKey(session,&mechanism,
- id,symKey->objectID,wrappedKey->data,&len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- if (newKey) {
- PK11_FreeSymKey(newKey);
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- wrappedKey->len = len;
- return SECSuccess;
-}
-
-/*
- * this little function uses the Encrypt function to wrap a key, just in
- * case we have problems with the wrap implementation for a token.
- */
-static SECStatus
-pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type,
- SECItem *inKey, SECItem *outKey)
-{
- PK11SlotInfo *slot;
- CK_ULONG len;
- SECItem *data;
- CK_MECHANISM mech;
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_RV crv;
-
- slot = wrappingKey->slot;
- /* use NULL IV's for wrapping */
- mech.mechanism = type;
- if (param) {
- mech.pParameter = param->data;
- mech.ulParameterLen = param->len;
- } else {
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
- }
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,
- wrappingKey->objectID);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
-
- /* keys are almost always aligned, but if we get this far,
- * we've gone above and beyond anyway... */
- data = PK11_BlockData(inKey,PK11_GetBlockSize(type,param));
- if (data == NULL) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- len = outKey->len;
- crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len,
- outKey->data, &len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- SECITEM_FreeItem(data,PR_TRUE);
- outKey->len = len;
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * This function does a symetric based wrap.
- */
-SECStatus
-PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param,
- PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey)
-{
- PK11SlotInfo *slot;
- CK_ULONG len = wrappedKey->len;
- PK11SymKey *newKey = NULL;
- SECItem *param_save = NULL;
- CK_MECHANISM mechanism;
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_RV crv;
- SECStatus rv;
-
- /* if this slot doesn't support the mechanism, go to a slot that does */
- /* Force symKey and wrappingKey into the same slot */
- if ((wrappingKey->slot == NULL) || (symKey->slot != wrappingKey->slot)) {
- /* first try copying the wrapping Key to the symKey slot */
- if (symKey->slot && PK11_DoesMechanism(symKey->slot,type)) {
- newKey = pk11_CopyToSlot(symKey->slot,type,CKA_WRAP,wrappingKey);
- }
- /* Nope, try it the other way */
- if (newKey == NULL) {
- if (wrappingKey->slot) {
- newKey = pk11_CopyToSlot(wrappingKey->slot,
- symKey->type, CKA_ENCRYPT, symKey);
- }
- /* just not playing... one last thing, can we get symKey's data?
- * If it's possible, we it should already be in the
- * symKey->data.data pointer because pk11_CopyToSlot would have
- * tried to put it there. */
- if (newKey == NULL) {
- /* Can't get symKey's data: Game Over */
- if (symKey->data.data == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return SECFailure;
- }
- if (param == NULL) {
- param_save = param = PK11_ParamFromIV(type,NULL);
- }
- rv = pk11_HandWrap(wrappingKey, param, type,
- &symKey->data,wrappedKey);
- if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
- return rv;
- }
- /* we successfully moved the sym Key */
- symKey = newKey;
- } else {
- /* we successfully moved the wrapping Key */
- wrappingKey = newKey;
- }
- }
-
- /* at this point both keys are in the same token */
- slot = wrappingKey->slot;
- mechanism.mechanism = type;
- /* use NULL IV's for wrapping */
- if (param == NULL) {
- param_save = param = PK11_ParamFromIV(type,NULL);
- }
- if (param) {
- mechanism.pParameter = param->data;
- mechanism.ulParameterLen = param->len;
- } else {
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
- }
-
- len = wrappedKey->len;
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
- wrappingKey->objectID, symKey->objectID,
- wrappedKey->data, &len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- rv = SECSuccess;
- if (crv != CKR_OK) {
- /* can't wrap it? try hand wrapping it... */
- do {
- if (symKey->data.data == NULL) {
- rv = PK11_ExtractKeyValue(symKey);
- if (rv != SECSuccess) break;
- }
- rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data,
- wrappedKey);
- } while (PR_FALSE);
- } else {
- wrappedKey->len = len;
- }
- if (newKey) PK11_FreeSymKey(newKey);
- if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
- return rv;
-}
-
-/*
- * This Generates a new key based on a symetricKey
- */
-PK11SymKey *
-PK11_Derive( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
- int keySize)
-{
- return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation,
- keySize, NULL, 0);
-}
-
-#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
-
-/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
-#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
-
-static unsigned int
-pk11_FlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue)
-{
-
- const static CK_ATTRIBUTE_TYPE attrTypes[12] = {
- CKA_ENCRYPT, CKA_DECRYPT, 0 /* DIGEST */, CKA_SIGN,
- CKA_SIGN_RECOVER, CKA_VERIFY, CKA_VERIFY_RECOVER, 0 /* GEN */,
- 0 /* GEN PAIR */, CKA_WRAP, CKA_UNWRAP, CKA_DERIVE
- };
-
- const CK_ATTRIBUTE_TYPE *pType = attrTypes;
- CK_ATTRIBUTE *attr = attrs;
- CK_FLAGS test = CKF_ENCRYPT;
-
-
- PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS));
- flags &= CKF_KEY_OPERATION_FLAGS;
-
- for (; flags && test <= CKF_DERIVE; test <<= 1, ++pType) {
- if (test & flags) {
- flags ^= test;
- PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue);
- ++attr;
- }
- }
- return (attr - attrs);
-}
-
-PK11SymKey *
-PK11_DeriveWithFlags( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
- SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
- int keySize, CK_FLAGS flags)
-{
- CK_BBOOL ckTrue = CK_TRUE;
- CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
- unsigned int templateCount;
-
- templateCount = pk11_FlagsToAttributes(flags, keyTemplate, &ckTrue);
- return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation,
- keySize, keyTemplate, templateCount);
-}
-
-static PRBool
-pk11_FindAttrInTemplate(CK_ATTRIBUTE * attr,
- unsigned int numAttrs,
- CK_ATTRIBUTE_TYPE target)
-{
- for (; numAttrs > 0; ++attr, --numAttrs) {
- if (attr->type == target)
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-static PK11SymKey *
-pk11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
- SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
- int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs)
-{
- PK11SlotInfo * slot = baseKey->slot;
- PK11SymKey * symKey;
- PK11SymKey * newBaseKey = NULL;
- CK_BBOOL cktrue = CK_TRUE;
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_ULONG valueLen = 0;
- CK_MECHANISM mechanism;
- CK_RV crv;
- CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
- CK_ATTRIBUTE * attrs = keyTemplate;
- unsigned int templateCount;
-
- if (numAttrs > MAX_TEMPL_ATTRS) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
- /* first copy caller attributes in. */
- for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
- *attrs++ = *userAttr++;
- }
-
- /* We only add the following attributes to the template if the caller
- ** didn't already supply them.
- */
- if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass);
- attrs++;
- }
- if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
- keyType = PK11_GetKeyType(target, keySize);
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType );
- attrs++;
- }
- if (keySize > 0 &&
- !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
- valueLen = (CK_ULONG)keySize;
- PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen);
- attrs++;
- }
- if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
- PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); attrs++;
- }
-
- templateCount = attrs - keyTemplate;
- PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
-
- /* move the key to a slot that can do the function */
- if (!PK11_DoesMechanism(slot,derive)) {
- /* get a new base key & slot */
- PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
-
- if (newSlot == NULL) return NULL;
-
- newBaseKey = pk11_CopyToSlot (newSlot, derive, CKA_DERIVE,
- baseKey);
- PK11_FreeSlot(newSlot);
- if (newBaseKey == NULL) return NULL;
- baseKey = newBaseKey;
- slot = baseKey->slot;
- }
-
-
- /* get our key Structure */
- symKey = PK11_CreateSymKey(slot,target,baseKey->cx);
- if (symKey == NULL) {
- return NULL;
- }
-
- symKey->size = keySize;
-
- mechanism.mechanism = derive;
- if (param) {
- mechanism.pParameter = param->data;
- mechanism.ulParameterLen = param->len;
- } else {
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
- }
- symKey->origin=PK11_OriginDerive;
-
- pk11_EnterKeyMonitor(symKey);
- crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
- baseKey->objectID, keyTemplate, templateCount, &symKey->objectID);
- pk11_ExitKeyMonitor(symKey);
-
- if (newBaseKey) PK11_FreeSymKey(newBaseKey);
- if (crv != CKR_OK) {
- PK11_FreeSymKey(symKey);
- return NULL;
- }
- return symKey;
-}
-
-/* build a public KEA key from the public value */
-SECKEYPublicKey *
-PK11_MakeKEAPubKey(unsigned char *keyData,int length)
-{
- SECKEYPublicKey *pubk;
- SECItem pkData;
- SECStatus rv;
- PRArenaPool *arena;
-
- pkData.data = keyData;
- pkData.len = length;
-
- arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- return NULL;
-
- pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
- if (pubk == NULL) {
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
- }
-
- pubk->arena = arena;
- pubk->pkcs11Slot = 0;
- pubk->pkcs11ID = CK_INVALID_KEY;
- pubk->keyType = fortezzaKey;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
- if (rv != SECSuccess) {
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
- }
- return pubk;
-}
-
-
-/*
- * This Generates a wrapping key based on a privateKey, publicKey, and two
- * random numbers. For Mail usage RandomB should be NULL. In the Sender's
- * case RandomA is generate, outherwize it is passed.
- */
-static unsigned char *rb_email = NULL;
-
-PK11SymKey *
-PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
- PRBool isSender, SECItem *randomA, SECItem *randomB,
- CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
- CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx)
-{
- PK11SlotInfo *slot = privKey->pkcs11Slot;
- CK_MECHANISM mechanism;
- PK11SymKey *symKey;
- CK_RV crv;
-
-
- if (rb_email == NULL) {
- rb_email = PORT_ZAlloc(128);
- if (rb_email == NULL) {
- return NULL;
- }
- rb_email[127] = 1;
- }
-
- /* get our key Structure */
- symKey = PK11_CreateSymKey(slot,target,wincx);
- if (symKey == NULL) {
- return NULL;
- }
-
- symKey->origin = PK11_OriginDerive;
-
- switch (privKey->keyType) {
- case rsaKey:
- case nullKey:
- PORT_SetError(SEC_ERROR_BAD_KEY);
- break;
- /* case keaKey: */
- case dsaKey:
- case fortezzaKey:
- {
- CK_KEA_DERIVE_PARAMS param;
- param.isSender = (CK_BBOOL) isSender;
- param.ulRandomLen = randomA->len;
- param.pRandomA = randomA->data;
- param.pRandomB = rb_email;
- if (randomB)
- param.pRandomB = randomB->data;
- if (pubKey->keyType == fortezzaKey) {
- param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
- param.pPublicData = pubKey->u.fortezza.KEAKey.data;
- } else {
- /* assert type == keaKey */
- /* XXX change to match key key types */
- param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
- param.pPublicData = pubKey->u.fortezza.KEAKey.data;
- }
-
- mechanism.mechanism = derive;
- mechanism.pParameter = &param;
- mechanism.ulParameterLen = sizeof(param);
-
- /* get a new symKey structure */
- pk11_EnterKeyMonitor(symKey);
- crv=PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
- privKey->pkcs11ID, NULL, 0, &symKey->objectID);
- pk11_ExitKeyMonitor(symKey);
- if (crv == CKR_OK) return symKey;
- PORT_SetError( PK11_MapError(crv) );
- }
- break;
- case dhKey:
- {
- CK_BBOOL cktrue = CK_TRUE;
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_ULONG key_size = 0;
- CK_ATTRIBUTE keyTemplate[4];
- int templateCount;
- CK_ATTRIBUTE *attrs = keyTemplate;
-
- if (pubKey->keyType != dhKey) {
- PORT_SetError(SEC_ERROR_BAD_KEY);
- break;
- }
-
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
- attrs++;
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
- attrs++;
- PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
- attrs++;
- templateCount = attrs - keyTemplate;
- PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
- keyType = PK11_GetKeyType(target,keySize);
- key_size = keySize;
- symKey->size = keySize;
- if (key_size == 0) templateCount--;
-
- mechanism.mechanism = derive;
-
- /* we can undefine these when we define diffie-helman keys */
- mechanism.pParameter = pubKey->u.dh.publicValue.data;
- mechanism.ulParameterLen = pubKey->u.dh.publicValue.len;
-
- pk11_EnterKeyMonitor(symKey);
- crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
- privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
- pk11_ExitKeyMonitor(symKey);
- if (crv == CKR_OK) return symKey;
- PORT_SetError( PK11_MapError(crv) );
- }
- break;
- }
-
- PK11_FreeSymKey(symKey);
- return NULL;
-}
-
-/*
- * this little function uses the Decrypt function to unwrap a key, just in
- * case we are having problem with unwrap. NOTE: The key size may
- * not be preserved properly for some algorithms!
- */
-static PK11SymKey *
-pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
- CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target,
- CK_ATTRIBUTE *keyTemplate, unsigned int templateCount,
- int key_size, void * wincx)
-{
- CK_ULONG len;
- SECItem outKey;
- PK11SymKey *symKey;
- CK_RV crv;
- PRBool owner = PR_TRUE;
- PRBool bool = PR_TRUE;
- CK_SESSION_HANDLE session;
-
- /* keys are almost always aligned, but if we get this far,
- * we've gone above and beyond anyway... */
- outKey.data = (unsigned char*)PORT_Alloc(inKey->len);
- if (outKey.data == NULL) {
- PORT_SetError( SEC_ERROR_NO_MEMORY );
- return NULL;
- }
- len = inKey->len;
-
- /* use NULL IV's for wrapping */
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_DecryptInit(session,mech,wrappingKey);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_Free(outKey.data);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
- crv = PK11_GETTAB(slot)->C_Decrypt(session,inKey->data,inKey->len,
- outKey.data, &len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- if (crv != CKR_OK) {
- PORT_Free(outKey.data);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
-
- outKey.len = (key_size == 0) ? len : key_size;
-
- if (PK11_DoesMechanism(slot,target)) {
- symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap,
- keyTemplate, templateCount,
- &outKey, wincx);
- } else {
- slot = PK11_GetBestSlot(target,wincx);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- PORT_Free(outKey.data);
- return NULL;
- }
- symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap,
- keyTemplate, templateCount,
- &outKey, wincx);
- PK11_FreeSlot(slot);
- }
- PORT_Free(outKey.data);
- return symKey;
-}
-
-/*
- * The wrap/unwrap function is pretty much the same for private and
- * public keys. It's just getting the Object ID and slot right. This is
- * the combined unwrap function.
- */
-static PK11SymKey *
-pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
- CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
- void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs)
-{
- PK11SymKey * symKey;
- SECItem * param_free = NULL;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_BBOOL cktrue = CK_TRUE;
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_ULONG valueLen = 0;
- CK_MECHANISM mechanism;
- CK_RV crv;
- CK_MECHANISM_INFO mechanism_info;
- CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
- CK_ATTRIBUTE * attrs = keyTemplate;
- unsigned int templateCount;
-
- if (numAttrs > MAX_TEMPL_ATTRS) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
- /* first copy caller attributes in. */
- for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
- *attrs++ = *userAttr++;
- }
-
- /* We only add the following attributes to the template if the caller
- ** didn't already supply them.
- */
- if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass);
- attrs++;
- }
- if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
- keyType = PK11_GetKeyType(target, keySize);
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType );
- attrs++;
- }
- if (keySize > 0 &&
- !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
- valueLen = (CK_ULONG)keySize;
- PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen);
- attrs++;
- }
- if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
- PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
- }
-
- templateCount = attrs - keyTemplate;
- PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-
- /* find out if we can do wrap directly. Because the RSA case if *very*
- * common, cache the results for it. */
- if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
- mechanism_info.flags = slot->RSAInfoFlags;
- } else {
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,wrapType,
- &mechanism_info);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- mechanism_info.flags = 0;
- }
- if (wrapType == CKM_RSA_PKCS) {
- slot->RSAInfoFlags = mechanism_info.flags;
- slot->hasRSAInfo = PR_TRUE;
- }
- }
-
- /* initialize the mechanism structure */
- mechanism.mechanism = wrapType;
- /* use NULL IV's for wrapping */
- if (param == NULL) param = param_free = PK11_ParamFromIV(wrapType,NULL);
- if (param) {
- mechanism.pParameter = param->data;
- mechanism.ulParameterLen = param->len;
- } else {
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
- }
-
- if ((mechanism_info.flags & CKF_DECRYPT)
- && !PK11_DoesMechanism(slot,target)) {
- symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey,
- target, keyTemplate, templateCount, keySize,
- wincx);
- if (symKey) {
- if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
- return symKey;
- }
- /* fall through, maybe they incorrectly set CKF_DECRYPT */
- }
-
- /* get our key Structure */
- symKey = PK11_CreateSymKey(slot,target,wincx);
- if (symKey == NULL) {
- if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
- return NULL;
- }
-
- symKey->size = keySize;
- symKey->origin = PK11_OriginUnwrap;
-
- pk11_EnterKeyMonitor(symKey);
- crv = PK11_GETTAB(slot)->C_UnwrapKey(symKey->session,&mechanism,wrappingKey,
- wrappedKey->data, wrappedKey->len, keyTemplate, templateCount,
- &symKey->objectID);
- pk11_ExitKeyMonitor(symKey);
- if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
- if (crv != CKR_OK) {
- /* try hand Unwrapping */
- PK11_FreeSymKey(symKey);
- symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey,
- target, keyTemplate, templateCount, keySize,
- wincx);
- }
-
- return symKey;
-}
-
-/* use a symetric key to unwrap another symetric key */
-PK11SymKey *
-PK11_UnwrapSymKey( PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
- SECItem *param, SECItem *wrappedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
- int keySize)
-{
- return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
- wrapType, param, wrappedKey, target, operation, keySize,
- wrappingKey->cx, NULL, 0);
-}
-
-/* use a symetric key to unwrap another symetric key */
-PK11SymKey *
-PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
- SECItem *param, SECItem *wrappedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
- int keySize, CK_FLAGS flags)
-{
- CK_BBOOL ckTrue = CK_TRUE;
- CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
- unsigned int templateCount;
-
- templateCount = pk11_FlagsToAttributes(flags, keyTemplate, &ckTrue);
- return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
- wrapType, param, wrappedKey, target, operation, keySize,
- wrappingKey->cx, keyTemplate, templateCount);
-}
-
-
-/* unwrap a symetric key with a private key. */
-PK11SymKey *
-PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
- CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
-{
- CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
-
- PK11_HandlePasswordCheck(wrappingKey->pkcs11Slot,wrappingKey->wincx);
-
- return pk11_AnyUnwrapKey(wrappingKey->pkcs11Slot, wrappingKey->pkcs11ID,
- wrapType, NULL, wrappedKey, target, operation, keySize,
- wrappingKey->wincx, NULL, 0);
-}
-
-/*
- * Recover the Signed data. We need this because our old verify can't
- * figure out which hash algorithm to use until we decryptted this.
- */
-SECStatus
-PK11_VerifyRecover(SECKEYPublicKey *key,
- SECItem *sig, SECItem *dsig, void *wincx)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- CK_OBJECT_HANDLE id = key->pkcs11ID;
- CK_MECHANISM mech = {0, NULL, 0 };
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_ULONG len;
- CK_RV crv;
-
- mech.mechanism = pk11_mapSignKeyType(key->keyType);
-
- if (slot == NULL) {
- slot = PK11_GetBestSlot(mech.mechanism,wincx);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return SECFailure;
- }
- id = PK11_ImportPublicKey(slot,key,PR_FALSE);
- }
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- len = dsig->len;
- crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data,
- sig->len, dsig->data, &len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- dsig->len = len;
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * verify a signature from its hash.
- */
-SECStatus
-PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- PK11SlotInfo *tmpslot = key->pkcs11Slot;
- CK_OBJECT_HANDLE id = key->pkcs11ID;
- CK_MECHANISM mech = {0, NULL, 0 };
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_RV crv;
-
- mech.mechanism = pk11_mapSignKeyType(key->keyType);
-
- if (slot == NULL) {
- if (mech.mechanism == CKM_DSA) {
- slot = PK11_GetInternalSlot(); /* use internal slot for
- DSA verify */
- } else {
- slot = PK11_GetBestSlot(mech.mechanism,wincx);
- };
-
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return SECFailure;
- }
- id = PK11_ImportPublicKey(slot,key,PR_FALSE);
-
- }
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- crv = PK11_GETTAB(slot)->C_Verify(session,hash->data,
- hash->len, sig->data, sig->len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * sign a hash. The algorithm is determined by the key.
- */
-SECStatus
-PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- CK_MECHANISM mech = {0, NULL, 0 };
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_ULONG len;
- CK_RV crv;
-
- mech.mechanism = pk11_mapSignKeyType(key->keyType);
-
- PK11_HandlePasswordCheck(slot, key->wincx);
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- len = sig->len;
- crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
- hash->len, sig->data, &len);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- sig->len = len;
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
- * RSA keys, or they'll fail. We do the checks up front. If anyone comes
- * up with a meaning for rawdecrypt for any other public key operation,
- * then we need to move this check into some of PK11_PubDecrypt callers,
- * (namely SSL 2.0).
- */
-SECStatus
-PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
- unsigned *outLen, unsigned int maxLen, unsigned char *enc,
- unsigned encLen)
-{
- PK11SlotInfo *slot = key->pkcs11Slot;
- CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
- CK_ULONG out = maxLen;
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_RV crv;
-
- if (key->keyType != rsaKey) {
- PORT_SetError( SEC_ERROR_INVALID_KEY );
- return SECFailure;
- }
-
- /* Why do we do a PK11_handle check here? for simple
- * decryption? .. because the user may have asked for 'ask always'
- * and this is a private key operation. In practice, thought, it's mute
- * since only servers wind up using this function */
- PK11_HandlePasswordCheck(slot, key->wincx);
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_DecryptInit(session,&mech,key->pkcs11ID);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen,
- data, &out);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- *outLen = out;
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/* The encrypt version of the above function */
-SECStatus
-PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
- unsigned char *data, unsigned dataLen, void *wincx)
-{
- PK11SlotInfo *slot;
- CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
- CK_OBJECT_HANDLE id;
- CK_ULONG out = dataLen;
- PRBool owner = PR_TRUE;
- CK_SESSION_HANDLE session;
- CK_RV crv;
-
- if (key->keyType != rsaKey) {
- PORT_SetError( SEC_ERROR_BAD_KEY );
- return SECFailure;
- }
-
- slot = PK11_GetBestSlot(mech.mechanism, wincx);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return SECFailure;
- }
-
- id = PK11_ImportPublicKey(slot,key,PR_FALSE);
-
- session = pk11_GetNewSession(slot,&owner);
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,id);
- if (crv != CKR_OK) {
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
- pk11_CloseSession(slot,session,owner);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-
-/**********************************************************************
- *
- * Now Deal with Crypto Contexts
- *
- **********************************************************************/
-
-/*
- * the monitors...
- */
-void
-PK11_EnterContextMonitor(PK11Context *cx) {
- /* if we own the session and our slot is ThreadSafe, only monitor
- * the Context */
- if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
- /* Should this use monitors instead? */
- PR_Lock(cx->sessionLock);
- } else {
- PK11_EnterSlotMonitor(cx->slot);
- }
-}
-
-void
-PK11_ExitContextMonitor(PK11Context *cx) {
- /* if we own the session and our slot is ThreadSafe, only monitor
- * the Context */
- if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
- /* Should this use monitors instead? */
- PR_Unlock(cx->sessionLock);
- } else {
- PK11_ExitSlotMonitor(cx->slot);
- }
-}
-
-/*
- * Free up a Cipher Context
- */
-void
-PK11_DestroyContext(PK11Context *context, PRBool freeit)
-{
- pk11_CloseSession(context->slot,context->session,context->ownSession);
- /* initialize the critical fields of the context */
- if (context->savedData != NULL ) PORT_Free(context->savedData);
- if (context->key) PK11_FreeSymKey(context->key);
- if (context->param) SECITEM_FreeItem(context->param, PR_TRUE);
- if (context->sessionLock) PR_DestroyLock(context->sessionLock);
- PK11_FreeSlot(context->slot);
- if (freeit) PORT_Free(context);
-}
-
-/*
- * save the current context. Allocate Space if necessary.
- */
-static void *
-pk11_saveContextHelper(PK11Context *context, void *space,
- unsigned long *savedLength, PRBool staticBuffer, PRBool recurse)
-{
- CK_ULONG length;
- CK_RV crv;
-
- if (staticBuffer) PORT_Assert(space != NULL);
-
- if (space == NULL) {
- crv =PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
- NULL,&length);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
- space = PORT_Alloc(length);
- if (space == NULL) return NULL;
- *savedLength = length;
- }
- crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
- (CK_BYTE_PTR)space,savedLength);
- if (!staticBuffer && !recurse && (crv == CKR_BUFFER_TOO_SMALL)) {
- if (!staticBuffer) PORT_Free(space);
- return pk11_saveContextHelper(context, NULL,
- savedLength, PR_FALSE, PR_TRUE);
- }
- if (crv != CKR_OK) {
- if (!staticBuffer) PORT_Free(space);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
- return space;
-}
-
-void *
-pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength)
-{
- return pk11_saveContextHelper(context, space,
- savedLength, PR_FALSE, PR_FALSE);
-}
-
-/*
- * restore the current context
- */
-SECStatus
-pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength)
-{
- CK_RV crv;
- CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID:
- CK_INVALID_KEY;
-
- PORT_Assert(space != NULL);
- if (space == NULL) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
- crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session,
- (CK_BYTE_PTR)space, savedLength, objectID, 0);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv));
- return SECFailure;
- }
- return SECSuccess;
-}
-
-SECStatus pk11_Finalize(PK11Context *context);
-
-/*
- * Context initialization. Used by all flavors of CreateContext
- */
-static SECStatus
-pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info)
-{
- CK_RV crv;
- PK11SymKey *symKey = context->key;
- SECStatus rv = SECSuccess;
-
- switch (context->operation) {
- case CKA_ENCRYPT:
- crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
- mech_info, symKey->objectID);
- break;
- case CKA_DECRYPT:
- if (context->fortezzaHack) {
- CK_ULONG count = 0;;
- /* generate the IV for fortezza */
- crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
- mech_info, symKey->objectID);
- if (crv != CKR_OK) break;
- PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
- NULL, &count);
- }
- crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session,
- mech_info, symKey->objectID);
- break;
- case CKA_SIGN:
- crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
- mech_info, symKey->objectID);
- break;
- case CKA_VERIFY:
- crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
- mech_info, symKey->objectID);
- break;
- case CKA_DIGEST:
- crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session,
- mech_info);
- break;
- default:
- crv = CKR_OPERATION_NOT_INITIALIZED;
- break;
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
-
- /*
- * handle session starvation case.. use our last session to multiplex
- */
- if (!context->ownSession) {
- context->savedData = pk11_saveContext(context,context->savedData,
- &context->savedLength);
- if (context->savedData == NULL) rv = SECFailure;
- /* clear out out session for others to use */
- pk11_Finalize(context);
- }
- return rv;
-}
-
-
-/*
- * Common Helper Function do come up with a new context.
- */
-static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type,
- PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey,
- SECItem *param)
-{
- CK_MECHANISM mech_info;
- PK11Context *context;
- SECStatus rv;
-
- context = (PK11Context *) PORT_Alloc(sizeof(PK11Context));
- if (context == NULL) {
- return NULL;
- }
-
- /* now deal with the fortezza hack... the fortezza hack is an attempt
- * to get around the issue of the card not allowing you to do a FORTEZZA
- * LoadIV/Encrypt, which was added because such a combination could be
- * use to circumvent the key escrow system. Unfortunately SSL needs to
- * do this kind of operation, so in SSL we do a loadIV (to verify it),
- * Then GenerateIV, and through away the first 8 bytes on either side
- * of the connection.*/
- context->fortezzaHack = PR_FALSE;
- if (type == CKM_SKIPJACK_CBC64) {
- if (symKey->origin == PK11_OriginFortezzaHack) {
- context->fortezzaHack = PR_TRUE;
- }
- }
-
- /* initialize the critical fields of the context */
- context->operation = operation;
- context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL;
- context->slot = PK11_ReferenceSlot(slot);
- context->session = pk11_GetNewSession(slot,&context->ownSession);
- context->cx = symKey ? symKey->cx : NULL;
- /* get our session */
- context->savedData = NULL;
-
- /* save the parameters so that some digesting stuff can do multiple
- * begins on a single context */
- context->type = type;
- context->param = SECITEM_DupItem(param);
- context->init = PR_FALSE;
- context->sessionLock = PR_NewLock();
- if ((context->param == NULL) || (context->sessionLock == NULL)) {
- PK11_DestroyContext(context,PR_TRUE);
- return NULL;
- }
-
- mech_info.mechanism = type;
- mech_info.pParameter = param->data;
- mech_info.ulParameterLen = param->len;
- PK11_EnterContextMonitor(context);
- rv = pk11_context_init(context,&mech_info);
- PK11_ExitContextMonitor(context);
-
- if (rv != SECSuccess) {
- PK11_DestroyContext(context,PR_TRUE);
- return NULL;
- }
- context->init = PR_TRUE;
- return context;
-}
-
-
-/*
- * put together the various PK11_Create_Context calls used by different
- * parts of libsec.
- */
-PK11Context *
-PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
- PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
- SECItem *param, void *wincx)
-{
- PK11SymKey *symKey;
- PK11Context *context;
-
- /* first get a slot */
- if (slot == NULL) {
- slot = PK11_GetBestSlot(type,wincx);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
- }
- } else {
- PK11_ReferenceSlot(slot);
- }
-
- /* now import the key */
- symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx);
- if (symKey == NULL) return NULL;
-
- context = PK11_CreateContextBySymKey(type, operation, symKey, param);
-
- PK11_FreeSymKey(symKey);
- PK11_FreeSlot(slot);
-
- return context;
-}
-
-
-/*
- * Create a context from a key. We really should make sure we aren't using
- * the same key in multiple session!
- */
-PK11Context *
-PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation,
- PK11SymKey *symKey, SECItem *param)
-{
- PK11SymKey *newKey;
- PK11Context *context;
-
- /* if this slot doesn't support the mechanism, go to a slot that does */
- newKey = pk11_ForceSlot(symKey,type,operation);
- if (newKey == NULL) {
- PK11_ReferenceSymKey(symKey);
- } else {
- symKey = newKey;
- }
-
-
- /* Context Adopts the symKey.... */
- context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey,
- param);
- PK11_FreeSymKey(symKey);
- return context;
-}
-
-/*
- * Digest contexts don't need keys, but the do need to find a slot.
- * Macing should use PK11_CreateContextBySymKey.
- */
-PK11Context *
-PK11_CreateDigestContext(SECOidTag hashAlg)
-{
- /* digesting has to work without authentication to the slot */
- CK_MECHANISM_TYPE type;
- PK11SlotInfo *slot;
- PK11Context *context;
- SECItem param;
-
- type = PK11_AlgtagToMechanism(hashAlg);
- slot = PK11_GetBestSlot(type, NULL);
- if (slot == NULL) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
- }
-
- /* maybe should really be PK11_GenerateNewParam?? */
- param.data = NULL;
- param.len = 0;
-
- context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, &param);
- PK11_FreeSlot(slot);
- return context;
-}
-
-/*
- * create a new context which is the clone of the state of old context.
- */
-PK11Context * PK11_CloneContext(PK11Context *old)
-{
- PK11Context *newcx;
- PRBool needFree = PR_FALSE;
- SECStatus rv = SECSuccess;
- void *data;
- unsigned long len;
-
- newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation,
- old->key, old->param);
- if (newcx == NULL) return NULL;
-
- /* now clone the save state. First we need to find the save state
- * of the old session. If the old context owns it's session,
- * the state needs to be saved, otherwise the state is in saveData. */
- if (old->ownSession) {
- PK11_EnterContextMonitor(old);
- data=pk11_saveContext(old,NULL,&len);
- PK11_ExitContextMonitor(old);
- needFree = PR_TRUE;
- } else {
- data = old->savedData;
- len = old->savedLength;
- }
-
- if (data == NULL) {
- PK11_DestroyContext(newcx,PR_TRUE);
- return NULL;
- }
-
- /* now copy that state into our new context. Again we have different
- * work if the new context owns it's own session. If it does, we
- * restore the state gathered above. If it doesn't, we copy the
- * saveData pointer... */
- if (newcx->ownSession) {
- PK11_EnterContextMonitor(newcx);
- rv = pk11_restoreContext(newcx,data,len);
- PK11_ExitContextMonitor(newcx);
- } else {
- PORT_Assert(newcx->savedData != NULL);
- if ((newcx->savedData == NULL) || (newcx->savedLength < len)) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- rv = SECFailure;
- } else {
- PORT_Memcpy(newcx->savedData,data,len);
- newcx->savedLength = len;
- }
- }
-
- if (needFree) PORT_Free(data);
-
- if (rv != SECSuccess) {
- PK11_DestroyContext(newcx,PR_TRUE);
- return NULL;
- }
- return newcx;
-}
-
-/*
- * save the current context state into a variable. Required to make FORTEZZA
- * work.
- */
-SECStatus
-PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength)
-{
- unsigned char * data = NULL;
- CK_ULONG length = saveLength;
-
- if (cx->ownSession) {
- PK11_EnterContextMonitor(cx);
- data = (unsigned char*)pk11_saveContextHelper(cx,save,&length,
- PR_FALSE,PR_FALSE);
- PK11_ExitContextMonitor(cx);
- if (data) *len = length;
- } else if (saveLength >= cx->savedLength) {
- data = (unsigned char*)cx->savedData;
- if (cx->savedData) {
- PORT_Memcpy(save,cx->savedData,cx->savedLength);
- }
- *len = cx->savedLength;
- }
- return (data != NULL) ? SECSuccess : SECFailure;
-}
-
-/*
- * restore the context state into a new running context. Also required for
- * FORTEZZA .
- */
-SECStatus
-PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len)
-{
- SECStatus rv = SECSuccess;
- if (cx->ownSession) {
- PK11_EnterContextMonitor(cx);
- pk11_Finalize(cx);
- rv = pk11_restoreContext(cx,save,len);
- PK11_ExitContextMonitor(cx);
- } else {
- PORT_Assert(cx->savedData != NULL);
- if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- rv = SECFailure;
- } else {
- PORT_Memcpy(cx->savedData,save,len);
- cx->savedLength = len;
- }
- }
- return rv;
-}
-
-/*
- * This is to get FIPS compliance until we can convert
- * libjar to use PK11_ hashing functions. It returns PR_FALSE
- * if we can't get a PK11 Context.
- */
-PRBool
-PK11_HashOK(SECOidTag algID) {
- PK11Context *cx;
-
- cx = PK11_CreateDigestContext(algID);
- if (cx == NULL) return PR_FALSE;
- PK11_DestroyContext(cx, PR_TRUE);
- return PR_TRUE;
-}
-
-
-
-/*
- * start a new digesting or Mac'ing operation on this context
- */
-SECStatus PK11_DigestBegin(PK11Context *cx)
-{
- CK_MECHANISM mech_info;
- SECStatus rv;
-
- if (cx->init == PR_TRUE) {
- return SECSuccess;
- }
-
- /*
- * make sure the old context is clear first
- */
- PK11_EnterContextMonitor(cx);
- pk11_Finalize(cx);
-
- mech_info.mechanism = cx->type;
- mech_info.pParameter = cx->param->data;
- mech_info.ulParameterLen = cx->param->len;
- rv = pk11_context_init(cx,&mech_info);
- PK11_ExitContextMonitor(cx);
-
- if (rv != SECSuccess) {
- return SECFailure;
- }
- cx->init = PR_TRUE;
- return SECSuccess;
-}
-
-SECStatus
-PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
- int32 len) {
- PK11Context *context;
- unsigned int max_length;
- unsigned int out_length;
- SECStatus rv;
-
- context = PK11_CreateDigestContext(hashAlg);
- if (context == NULL) return SECFailure;
-
- rv = PK11_DigestBegin(context);
- if (rv != SECSuccess) {
- PK11_DestroyContext(context, PR_TRUE);
- return rv;
- }
-
- rv = PK11_DigestOp(context, in, len);
- if (rv != SECSuccess) {
- PK11_DestroyContext(context, PR_TRUE);
- return rv;
- }
-
- /* we need the output length ... maybe this should be table driven...*/
- switch (hashAlg) {
- case SEC_OID_SHA1: max_length = SHA1_LENGTH; break;
- case SEC_OID_MD2: max_length = MD2_LENGTH; break;
- case SEC_OID_MD5: max_length = MD5_LENGTH; break;
- default: max_length = 16; break;
- }
-
- rv = PK11_DigestFinal(context,out,&out_length,max_length);
- PK11_DestroyContext(context, PR_TRUE);
- return rv;
-}
-
-
-/*
- * execute a bulk encryption operation
- */
-SECStatus
-PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
- int maxout, unsigned char *in, int inlen)
-{
- CK_RV crv = CKR_OK;
- CK_ULONG length = maxout;
- CK_ULONG offset =0;
- PK11SymKey *symKey = context->key;
- SECStatus rv = SECSuccess;
- unsigned char *saveOut = out;
- unsigned char *allocOut = NULL;
-
- /* if we ran out of session, we need to restore our previously stored
- * state.
- */
- PK11_EnterContextMonitor(context);
- if (!context->ownSession) {
- rv = pk11_restoreContext(context,context->savedData,
- context->savedLength);
- if (rv != SECSuccess) {
- PK11_ExitContextMonitor(context);
- return rv;
- }
- }
-
- /*
- * The fortezza hack is to send 8 extra bytes on the first encrypted and
- * loose them on the first decrypt.
- */
- if (context->fortezzaHack) {
- unsigned char random[8];
- if (context->operation == CKA_ENCRYPT) {
- PK11_ExitContextMonitor(context);
- rv = PK11_GenerateRandom(random,sizeof(random));
- PK11_EnterContextMonitor(context);
-
- /* since we are offseting the output, we can't encrypt back into
- * the same buffer... allocate a temporary buffer just for this
- * call. */
- allocOut = out = (unsigned char*)PORT_Alloc(maxout);
- if (out == NULL) {
- PK11_ExitContextMonitor(context);
- return SECFailure;
- }
- crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
- random,sizeof(random),out,&length);
-
- out += length;
- maxout -= length;
- offset = length;
- } else if (context->operation == CKA_DECRYPT) {
- length = sizeof(random);
- crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
- in,sizeof(random),random,&length);
- inlen -= length;
- in += length;
- context->fortezzaHack = PR_FALSE;
- }
- }
-
- switch (context->operation) {
- case CKA_ENCRYPT:
- length = maxout;
- crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
- in, inlen, out, &length);
- length += offset;
- break;
- case CKA_DECRYPT:
- length = maxout;
- crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
- in, inlen, out, &length);
- break;
- default:
- crv = CKR_OPERATION_NOT_INITIALIZED;
- break;
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- *outlen = 0;
- rv = SECFailure;
- } else {
- *outlen = length;
- }
-
- if (context->fortezzaHack) {
- if (context->operation == CKA_ENCRYPT) {
- PORT_Assert(allocOut);
- PORT_Memcpy(saveOut, allocOut, length);
- PORT_Free(allocOut);
- }
- context->fortezzaHack = PR_FALSE;
- }
-
- /*
- * handle session starvation case.. use our last session to multiplex
- */
- if (!context->ownSession) {
- context->savedData = pk11_saveContext(context,context->savedData,
- &context->savedLength);
- if (context->savedData == NULL) rv = SECFailure;
-
- /* clear out out session for others to use */
- pk11_Finalize(context);
- }
- PK11_ExitContextMonitor(context);
- return rv;
-}
-
-/*
- * execute a digest/signature operation
- */
-SECStatus
-PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen)
-{
- CK_RV crv = CKR_OK;
- SECStatus rv = SECSuccess;
-
- /* if we ran out of session, we need to restore our previously stored
- * state.
- */
- context->init = PR_FALSE;
- PK11_EnterContextMonitor(context);
- if (!context->ownSession) {
- rv = pk11_restoreContext(context,context->savedData,
- context->savedLength);
- if (rv != SECSuccess) {
- PK11_ExitContextMonitor(context);
- return rv;
- }
- }
-
- switch (context->operation) {
- /* also for MAC'ing */
- case CKA_SIGN:
- crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session,
- (unsigned char *)in,
- inLen);
- break;
- case CKA_VERIFY:
- crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session,
- (unsigned char *)in,
- inLen);
- break;
- case CKA_DIGEST:
- crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
- (unsigned char *)in,
- inLen);
- break;
- default:
- crv = CKR_OPERATION_NOT_INITIALIZED;
- break;
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- rv = SECFailure;
- }
-
- /*
- * handle session starvation case.. use our last session to multiplex
- */
- if (!context->ownSession) {
- context->savedData = pk11_saveContext(context,context->savedData,
- &context->savedLength);
- if (context->savedData == NULL) rv = SECFailure;
-
- /* clear out out session for others to use */
- pk11_Finalize(context);
- }
- PK11_ExitContextMonitor(context);
- return rv;
-}
-
-/*
- * Digest a key if possible./
- */
-SECStatus
-PK11_DigestKey(PK11Context *context, PK11SymKey *key)
-{
- CK_RV crv = CKR_OK;
- SECStatus rv = SECSuccess;
- PK11SymKey *newKey = NULL;
-
- /* if we ran out of session, we need to restore our previously stored
- * state.
- */
- if (context->slot != key->slot) {
- newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key);
- } else {
- newKey = PK11_ReferenceSymKey(key);
- }
-
- context->init = PR_FALSE;
- PK11_EnterContextMonitor(context);
- if (!context->ownSession) {
- rv = pk11_restoreContext(context,context->savedData,
- context->savedLength);
- if (rv != SECSuccess) {
- PK11_ExitContextMonitor(context);
- PK11_FreeSymKey(newKey);
- return rv;
- }
- }
-
-
- if (newKey == NULL) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- if (key->data.data) {
- crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
- key->data.data,key->data.len);
- }
- } else {
- crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session,
- newKey->objectID);
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- rv = SECFailure;
- }
-
- /*
- * handle session starvation case.. use our last session to multiplex
- */
- if (!context->ownSession) {
- context->savedData = pk11_saveContext(context,context->savedData,
- &context->savedLength);
- if (context->savedData == NULL) rv = SECFailure;
-
- /* clear out out session for others to use */
- pk11_Finalize(context);
- }
- PK11_ExitContextMonitor(context);
- if (newKey) PK11_FreeSymKey(newKey);
- return rv;
-}
-
-/*
- * externally callable version of the lowercase pk11_finalize().
- */
-SECStatus
-PK11_Finalize(PK11Context *context) {
- SECStatus rv;
-
- PK11_EnterContextMonitor(context);
- rv = pk11_Finalize(context);
- PK11_ExitContextMonitor(context);
- return rv;
-}
-
-/*
- * clean up a cipher operation, so the session can be used by
- * someone new.
- */
-SECStatus
-pk11_Finalize(PK11Context *context)
-{
- CK_ULONG count = 0;
- CK_RV crv;
-
- if (!context->ownSession) {
- return SECSuccess;
- }
-
- switch (context->operation) {
- case CKA_ENCRYPT:
- crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
- NULL,&count);
- break;
- case CKA_DECRYPT:
- crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
- NULL,&count);
- break;
- case CKA_SIGN:
- crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
- NULL,&count);
- break;
- case CKA_VERIFY:
- crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
- NULL,count);
- break;
- case CKA_DIGEST:
- crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
- NULL,&count);
- break;
- default:
- crv = CKR_OPERATION_NOT_INITIALIZED;
- break;
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * Return the final digested or signed data...
- * this routine can either take pre initialized data, or allocate data
- * either out of an arena or out of the standard heap.
- */
-SECStatus
-PK11_DigestFinal(PK11Context *context,unsigned char *data,
- unsigned int *outLen, unsigned int length)
-{
- CK_ULONG len;
- CK_RV crv;
- SECStatus rv;
-
-
- /* if we ran out of session, we need to restore our previously stored
- * state.
- */
- PK11_EnterContextMonitor(context);
- if (!context->ownSession) {
- rv = pk11_restoreContext(context,context->savedData,
- context->savedLength);
- if (rv != SECSuccess) {
- PK11_ExitContextMonitor(context);
- return rv;
- }
- }
-
- len = length;
- switch (context->operation) {
- case CKA_SIGN:
- crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
- data,&len);
- break;
- case CKA_VERIFY:
- crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
- data,len);
- break;
- case CKA_DIGEST:
- crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
- data,&len);
- break;
- case CKA_ENCRYPT:
- crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
- data, &len);
- break;
- case CKA_DECRYPT:
- crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
- data, &len);
- break;
- default:
- crv = CKR_OPERATION_NOT_INITIALIZED;
- break;
- }
- PK11_ExitContextMonitor(context);
-
- *outLen = (unsigned int) len;
- context->init = PR_FALSE; /* allow Begin to start up again */
-
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/****************************************************************************
- *
- * Now Do The PBE Functions Here...
- *
- ****************************************************************************/
-
-SECAlgorithmID *
-PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
-{
- SECAlgorithmID *algid;
-
- algid = SEC_PKCS5CreateAlgorithmID(algorithm, salt, iteration);
- return algid;
-}
-
-PK11SymKey *
-PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
- PRBool faulty3DES, void *wincx)
-{
- /* pbe stuff */
- CK_PBE_PARAMS *pbe_params;
- CK_MECHANISM_TYPE type;
- SECItem *mech;
- PK11SymKey *symKey;
-
- mech = PK11_ParamFromAlgid(algid);
- type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
- if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
- type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
- }
- if(mech == NULL) {
- return NULL;
- }
-
- pbe_params = (CK_PBE_PARAMS *)mech->data;
- pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwitem->len);
- if(pbe_params->pPassword != NULL) {
- PORT_Memcpy(pbe_params->pPassword, pwitem->data, pwitem->len);
- pbe_params->ulPasswordLen = pwitem->len;
- } else {
- SECITEM_ZfreeItem(mech, PR_TRUE);
- return NULL;
- }
-
- symKey = PK11_KeyGen(slot, type, mech, 0, wincx);
-
- PORT_ZFree(pbe_params->pPassword, pwitem->len);
- SECITEM_ZfreeItem(mech, PR_TRUE);
- return symKey;
-}
-
-
-SECStatus
-PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
- SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
- SECItem *nickname, SECItem *publicValue, PRBool isPerm,
- PRBool isPrivate, KeyType keyType, unsigned int keyUsage,
- void *wincx)
-{
- CK_MECHANISM_TYPE mechanism;
- SECItem *pbe_param, crypto_param;
- PK11SymKey *key = NULL;
- SECStatus rv = SECSuccess;
- CK_MECHANISM cryptoMech, pbeMech;
- CK_RV crv;
- SECKEYPrivateKey *privKey = NULL;
- PRBool faulty3DES = PR_FALSE;
- int usageCount;
- CK_KEY_TYPE key_type;
- CK_ATTRIBUTE_TYPE *usage;
- CK_ATTRIBUTE_TYPE rsaUsage[] = {
- CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
- CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
- CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
-
- if((epki == NULL) || (pwitem == NULL))
- return SECFailure;
-
- crypto_param.data = NULL;
-
- mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
- &epki->algorithm.algorithm));
-
- switch (keyType) {
- default:
- case rsaKey:
- key_type = CKK_RSA;
- switch (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
- case KU_KEY_ENCIPHERMENT:
- usage = rsaUsage;
- usageCount = 2;
- break;
- case KU_DIGITAL_SIGNATURE:
- usage = &rsaUsage[2];
- usageCount = 2;
- break;
- case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
- case 0: /* default to everything */
- usage = rsaUsage;
- usageCount = 4;
- break;
- }
- break;
- case dhKey:
- key_type = CKK_DH;
- usage = dhUsage;
- usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
- break;
- case dsaKey:
- key_type = CKK_DSA;
- usage = dsaUsage;
- usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
- break;
- }
-
-try_faulty_3des:
- pbe_param = PK11_ParamFromAlgid(&epki->algorithm);
-
- key = PK11_PBEKeyGen(slot, &epki->algorithm, pwitem, faulty3DES, wincx);
- if((key == NULL) || (pbe_param == NULL)) {
- rv = SECFailure;
- goto done;
- }
-
- pbeMech.mechanism = mechanism;
- pbeMech.pParameter = pbe_param->data;
- pbeMech.ulParameterLen = pbe_param->len;
-
- crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech,
- pwitem, faulty3DES);
- if(crv != CKR_OK) {
- rv = SECFailure;
- goto done;
- }
-
- cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
- crypto_param.data = (unsigned char*)cryptoMech.pParameter;
- crypto_param.len = cryptoMech.ulParameterLen;
-
- privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism,
- &crypto_param, &epki->encryptedData,
- nickname, publicValue, isPerm, isPrivate,
- key_type, usage, usageCount, wincx);
- if(privKey) {
- SECKEY_DestroyPrivateKey(privKey);
- privKey = NULL;
- rv = SECSuccess;
- goto done;
- }
-
- /* if we are unable to import the key and the mechanism is
- * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
- * the encrypted blob was created with a buggy key generation method
- * which is described in the PKCS 12 implementation notes. So we
- * need to try importing via that method.
- */
- if((mechanism == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
- /* clean up after ourselves before redoing the key generation. */
-
- PK11_FreeSymKey(key);
- key = NULL;
-
- if(pbe_param) {
- SECITEM_ZfreeItem(pbe_param, PR_TRUE);
- pbe_param = NULL;
- }
-
- if(crypto_param.data) {
- SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
- crypto_param.data = NULL;
- cryptoMech.pParameter = NULL;
- crypto_param.len = cryptoMech.ulParameterLen = 0;
- }
-
- faulty3DES = PR_TRUE;
- goto try_faulty_3des;
- }
-
- /* key import really did fail */
- rv = SECFailure;
-
-done:
- if(pbe_param != NULL) {
- SECITEM_ZfreeItem(pbe_param, PR_TRUE);
- pbe_param = NULL;
- }
-
- if(crypto_param.data != NULL) {
- SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
- }
-
- if(key != NULL) {
- PK11_FreeSymKey(key);
- }
-
- return rv;
-}
-
-/*
- * import a private key info into the desired slot
- */
-SECStatus
-PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
- SECItem *nickname, SECItem *publicValue, PRBool isPerm,
- PRBool isPrivate, unsigned int keyUsage, void *wincx)
-{
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_OBJECT_HANDLE objectID;
- CK_ATTRIBUTE theTemplate[20];
- int templateCount = 0;
- SECStatus rv = SECFailure;
- SECKEYLowPrivateKey *lpk = NULL;
- const SEC_ASN1Template *keyTemplate, *paramTemplate;
- void *paramDest = NULL;
- PRArenaPool *arena;
- CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *signedattr = NULL;
- int signedcount = 0;
- CK_ATTRIBUTE *ap;
- SECItem *ck_id = NULL;
-
- arena = PORT_NewArena(2048);
- if(!arena) {
- return SECFailure;
- }
-
- /* need to change this to use RSA/DSA keys */
- lpk = (SECKEYLowPrivateKey *)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYLowPrivateKey));
- if(lpk == NULL) {
- goto loser;
- }
- lpk->arena = arena;
-
- attrs = theTemplate;
- switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- keyTemplate = SECKEY_RSAPrivateKeyTemplate;
- paramTemplate = NULL;
- paramDest = NULL;
- lpk->keyType = rsaKey;
- keyType = CKK_RSA;
- break;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- if(!publicValue) {
- goto loser;
- }
- keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
- paramTemplate = SECKEY_PQGParamsTemplate;
- paramDest = &(lpk->u.dsa.params);
- lpk->keyType = dsaKey;
- keyType = CKK_DSA;
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- if(!publicValue) {
- goto loser;
- }
- keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
- paramTemplate = NULL;
- paramDest = NULL;
- lpk->keyType = dhKey;
- keyType = CKK_DH;
- break;
-
- default:
- keyTemplate = NULL;
- paramTemplate = NULL;
- paramDest = NULL;
- break;
- }
-
- if(!keyTemplate) {
- goto loser;
- }
-
- /* decode the private key and any algorithm parameters */
- rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
- if(rv != SECSuccess) {
- goto loser;
- }
- if(paramDest && paramTemplate) {
- rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
- &(pki->algorithm.parameters));
- if(rv != SECSuccess) {
- goto loser;
- }
- }
-
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
- PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
- sizeof(CK_BBOOL) ); attrs++;
-
- switch (lpk->keyType) {
- case rsaKey:
- PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
- &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
- &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ?
- &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
- PK11_SETATTRS(attrs, CKA_SIGN_RECOVER,
- (keyUsage & KU_DIGITAL_SIGNATURE) ?
- &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
- ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
- if (ck_id == NULL) {
- goto loser;
- }
- PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
- if (nickname) {
- PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++;
- }
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
- lpk->u.rsa.modulus.len); attrs++;
- PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
- lpk->u.rsa.publicExponent.data,
- lpk->u.rsa.publicExponent.len); attrs++;
- PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT,
- lpk->u.rsa.privateExponent.data,
- lpk->u.rsa.privateExponent.len); attrs++;
- PK11_SETATTRS(attrs, CKA_PRIME_1,
- lpk->u.rsa.prime1.data,
- lpk->u.rsa.prime1.len); attrs++;
- PK11_SETATTRS(attrs, CKA_PRIME_2,
- lpk->u.rsa.prime2.data,
- lpk->u.rsa.prime2.len); attrs++;
- PK11_SETATTRS(attrs, CKA_EXPONENT_1,
- lpk->u.rsa.exponent1.data,
- lpk->u.rsa.exponent1.len); attrs++;
- PK11_SETATTRS(attrs, CKA_EXPONENT_2,
- lpk->u.rsa.exponent2.data,
- lpk->u.rsa.exponent2.len); attrs++;
- PK11_SETATTRS(attrs, CKA_COEFFICIENT,
- lpk->u.rsa.coefficient.data,
- lpk->u.rsa.coefficient.len); attrs++;
- break;
- case dsaKey:
- /* To make our intenal PKCS #11 module work correctly with
- * our database, we need to pass in the public key value for
- * this dsa key. We have a netscape only CKA_ value to do this.
- * Only send it to internal slots */
- if (PK11_IsInternal(slot)) {
- PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
- publicValue->data, publicValue->len); attrs++;
- }
- PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
- PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
- if(nickname) {
- PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
- attrs++;
- }
- ck_id = PK11_MakeIDFromPubKey(publicValue);
- if (ck_id == NULL) {
- goto loser;
- }
- PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dsa.params.prime.data,
- lpk->u.dsa.params.prime.len); attrs++;
- PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
- lpk->u.dsa.params.subPrime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dsa.params.base.data,
- lpk->u.dsa.params.base.len); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dsa.privateValue.data,
- lpk->u.dsa.privateValue.len); attrs++;
- break;
- case dhKey:
- /* To make our intenal PKCS #11 module work correctly with
- * our database, we need to pass in the public key value for
- * this dh key. We have a netscape only CKA_ value to do this.
- * Only send it to internal slots */
- if (PK11_IsInternal(slot)) {
- PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
- publicValue->data, publicValue->len); attrs++;
- }
- PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
- if(nickname) {
- PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
- attrs++;
- }
- ck_id = PK11_MakeIDFromPubKey(publicValue);
- if (ck_id == NULL) {
- goto loser;
- }
- PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
- signedattr = attrs;
- PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dh.prime.data,
- lpk->u.dh.prime.len); attrs++;
- PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data,
- lpk->u.dh.base.len); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data,
- lpk->u.dh.privateValue.len); attrs++;
- break;
- /* what about fortezza??? */
- default:
- PORT_SetError(SEC_ERROR_BAD_KEY);
- goto loser;
- }
- templateCount = attrs - theTemplate;
- PR_ASSERT(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
- signedcount = attrs - signedattr;
-
- for (ap=signedattr; signedcount; ap++, signedcount--) {
- pk11_SignedToUnsigned(ap);
- }
-
- rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
- theTemplate, templateCount, isPerm, &objectID);
-
- if (ck_id) {
- SECITEM_ZfreeItem(ck_id, PR_TRUE);
- }
-
-loser:
- if (lpk!= NULL) {
- SECKEY_LowDestroyPrivateKey(lpk);
- }
-
- return rv;
-}
-
-SECKEYPrivateKeyInfo *
-PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
-{
- return NULL;
-}
-
-static int
-pk11_private_key_encrypt_buffer_length(SECKEYPrivateKey *key)
-
-{
- CK_ATTRIBUTE rsaTemplate = { CKA_MODULUS, NULL, 0 };
- CK_ATTRIBUTE dsaTemplate = { CKA_PRIME, NULL, 0 };
- CK_ATTRIBUTE_PTR pTemplate;
- CK_RV crv;
- int length;
-
- if(!key) {
- return -1;
- }
-
- switch (key->keyType) {
- case rsaKey:
- pTemplate = &rsaTemplate;
- break;
- case dsaKey:
- case dhKey:
- pTemplate = &dsaTemplate;
- break;
- case fortezzaKey:
- default:
- pTemplate = NULL;
- }
-
- if(!pTemplate) {
- return -1;
- }
-
- crv = PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID,
- pTemplate, 1);
- if(crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return -1;
- }
-
- length = pTemplate->ulValueLen;
- length *= 10;
-
- if(pTemplate->pValue != NULL) {
- PORT_Free(pTemplate->pValue);
- }
-
- return length;
-}
-
-SECKEYEncryptedPrivateKeyInfo *
-PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
- SECItem *pwitem, CERTCertificate *cert, int iteration, void *wincx)
-{
- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- SECKEYPrivateKey *pk;
- PRArenaPool *arena = NULL;
- SECAlgorithmID *algid;
- CK_MECHANISM_TYPE mechanism;
- SECItem *pbe_param = NULL, crypto_param;
- PK11SymKey *key = NULL;
- SECStatus rv = SECSuccess;
- CK_MECHANISM pbeMech, cryptoMech;
- CK_RV crv;
- SECItem encryptedKey = {siBuffer,NULL,0};
- int encryptBufLen;
-
- if(!pwitem)
- return NULL;
-
- crypto_param.data = NULL;
-
- arena = PORT_NewArena(2048);
- epki = (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYEncryptedPrivateKeyInfo));
- if(epki == NULL) {
- rv = SECFailure;
- goto loser;
- }
- epki->arena = arena;
- algid = SEC_PKCS5CreateAlgorithmID(algTag, NULL, iteration);
- if(algid == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
- pbe_param = PK11_ParamFromAlgid(algid);
- pbeMech.mechanism = mechanism;
- pbeMech.pParameter = pbe_param->data;
- pbeMech.ulParameterLen = pbe_param->len;
- key = PK11_PBEKeyGen(slot, algid, pwitem, PR_FALSE, wincx);
-
- if((key == NULL) || (pbe_param == NULL)) {
- rv = SECFailure;
- goto loser;
- }
-
- crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech,
- pwitem, PR_FALSE);
- if(crv != CKR_OK) {
- rv = SECFailure;
- goto loser;
- }
- cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
- crypto_param.data = (unsigned char *)cryptoMech.pParameter;
- crypto_param.len = cryptoMech.ulParameterLen;
-
- pk = PK11_FindKeyByAnyCert(cert, wincx);
- if(pk == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- encryptBufLen = pk11_private_key_encrypt_buffer_length(pk);
- if(encryptBufLen == -1) {
- rv = SECFailure;
- goto loser;
- }
- encryptedKey.len = (unsigned int)encryptBufLen;
- encryptedKey.data = (unsigned char *)PORT_ZAlloc(encryptedKey.len);
- if(!encryptedKey.data) {
- rv = SECFailure;
- goto loser;
- }
-
- /* we are extracting an encrypted privateKey structure.
- * which needs to be freed along with the buffer into which it is
- * returned. eventually, we should retrieve an encrypted key using
- * pkcs8/pkcs5.
- */
- PK11_EnterSlotMonitor(pk->pkcs11Slot);
- crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session,
- &cryptoMech, key->objectID, pk->pkcs11ID, encryptedKey.data,
- (CK_ULONG_PTR)(&encryptedKey.len));
- PK11_ExitSlotMonitor(pk->pkcs11Slot);
- if(crv != CKR_OK) {
- rv = SECFailure;
- goto loser;
- }
-
- if(!encryptedKey.len) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = SECITEM_CopyItem(arena, &epki->encryptedData, &encryptedKey);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid);
-
-loser:
- if(pbe_param != NULL) {
- SECITEM_ZfreeItem(pbe_param, PR_TRUE);
- pbe_param = NULL;
- }
-
- if(crypto_param.data != NULL) {
- SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
- crypto_param.data = NULL;
- }
-
- if(key != NULL) {
- PK11_FreeSymKey(key);
- }
-
- if(rv == SECFailure) {
- if(arena != NULL) {
- PORT_FreeArena(arena, PR_TRUE);
- }
- epki = NULL;
- }
-
- return epki;
-}
-
-
-/*
- * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4
- * working. This function simply gets a valid IV for the keys.
- */
-SECStatus
-PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len)
-{
- CK_MECHANISM mech_info;
- CK_ULONG count = 0;
- CK_RV crv;
- SECStatus rv = SECFailure;
-
- mech_info.mechanism = CKM_SKIPJACK_CBC64;
- mech_info.pParameter = iv;
- mech_info.ulParameterLen = len;
-
- /* generate the IV for fortezza */
- PK11_EnterSlotMonitor(symKey->slot);
- crv=PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session,
- &mech_info, symKey->objectID);
- if (crv == CKR_OK) {
- PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session,
- NULL, &count);
- rv = SECSuccess;
- }
- PK11_ExitSlotMonitor(symKey->slot);
- return rv;
-}
-
-SECKEYPrivateKey *
-PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
- CK_MECHANISM_TYPE wrapType, SECItem *param,
- SECItem *wrappedKey, SECItem *label,
- SECItem *idValue, PRBool perm, PRBool sensitive,
- CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
- void *wincx)
-{
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE keyTemplate[15] ;
- int templateCount = 0;
- CK_OBJECT_HANDLE privKeyID;
- CK_MECHANISM mechanism;
- CK_ATTRIBUTE *attrs = keyTemplate;
- SECItem *param_free = NULL, *ck_id;
- CK_RV crv;
- CK_SESSION_HANDLE rwsession;
- PK11SymKey *newKey = NULL;
- int i;
-
- if(!slot || !wrappedKey || !idValue) {
- /* SET AN ERROR!!! */
- return NULL;
- }
-
- ck_id = PK11_MakeIDFromPubKey(idValue);
- if(!ck_id) {
- return NULL;
- }
-
- PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse,
- sizeof(cktrue)); attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++;
- PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
- PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
- sizeof(cktrue)); attrs++;
- PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
- sizeof(cktrue)); attrs++;
- PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++;
- PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++;
- for (i=0; i < usageCount; i++) {
- PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++;
- }
-
- if (PK11_IsInternal(slot)) {
- PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data,
- idValue->len); attrs++;
- }
-
- templateCount = attrs - keyTemplate;
- PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) );
-
- mechanism.mechanism = wrapType;
- if(!param) param = param_free= PK11_ParamFromIV(wrapType, NULL);
- if(param) {
- mechanism.pParameter = param->data;
- mechanism.ulParameterLen = param->len;
- } else {
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
- }
-
- if (wrappingKey->slot != slot) {
- newKey = pk11_CopyToSlot(slot,wrapType,CKA_WRAP,wrappingKey);
- } else {
- newKey = PK11_ReferenceSymKey(wrappingKey);
- }
-
- if (newKey) {
- if (perm) {
- rwsession = PK11_GetRWSession(slot);
- } else {
- rwsession = slot->session;
- }
- crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism,
- newKey->objectID,
- wrappedKey->data,
- wrappedKey->len, keyTemplate,
- templateCount, &privKeyID);
-
- if (perm) PK11_RestoreROSession(slot, rwsession);
- PK11_FreeSymKey(newKey);
- } else {
- crv = CKR_FUNCTION_NOT_SUPPORTED;
- }
-
- if(ck_id) {
- SECITEM_FreeItem(ck_id, PR_TRUE);
- ck_id = NULL;
- }
-
- if (crv != CKR_OK) {
- /* we couldn't unwrap the key, use the internal module to do the
- * unwrap, then load the new key into the token */
- PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
- if (int_slot && (slot != int_slot)) {
- SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot,
- wrappingKey, wrapType, param, wrappedKey, label,
- idValue, PR_FALSE, PR_FALSE,
- keyType, usage, usageCount, wincx);
- if (privKey) {
- SECKEYPrivateKey *newPrivKey = pk11_loadPrivKey(slot,privKey,
- NULL,perm,sensitive);
- SECKEY_DestroyPrivateKey(privKey);
- PK11_FreeSlot(int_slot);
- return newPrivKey;
- }
- }
- if (int_slot) PK11_FreeSlot(int_slot);
- PORT_SetError( PK11_MapError(crv) );
- return NULL;
- }
- return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);
-}
-
-#define ALLOC_BLOCK 10
-
-/*
- * Now we're going to wrap a SECKEYPrivateKey with a PK11SymKey
- * The strategy is to get both keys to reside in the same slot,
- * one that can perform the desired crypto mechanism and then
- * call C_WrapKey after all the setup has taken place.
- */
-SECStatus
-PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
- SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
- SECItem *param, SECItem *wrappedKey, void *wincx)
-{
- PK11SlotInfo *privSlot = privKey->pkcs11Slot; /* The slot where
- * the private key
- * we are going to
- * wrap lives.
- */
- PK11SymKey *newSymKey = NULL;
- SECKEYPrivateKey *newPrivKey = NULL;
- SECItem *param_free = NULL;
- CK_ULONG len = wrappedKey->len;
- CK_MECHANISM mech;
- CK_RV crv;
-
- if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) {
- /* Figure out a slot that does the mechanism and try to import
- * the private key onto that slot.
- */
- PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
- privSlot = int_slot; /* The private key has a new home */
- newPrivKey = pk11_loadPrivKey(privSlot,privKey,NULL,PR_FALSE,PR_FALSE);
- if (newPrivKey == NULL) {
- PK11_FreeSlot (int_slot);
- return SECFailure;
- }
- privKey = newPrivKey;
- }
-
- if (privSlot != wrappingKey->slot) {
- newSymKey = pk11_CopyToSlot (privSlot, wrapType, CKA_WRAP,
- wrappingKey);
- wrappingKey = newSymKey;
- }
-
- if (wrappingKey == NULL) {
- if (newPrivKey) {
- SECKEY_DestroyPrivateKey(newPrivKey);
- }
- return SECFailure;
- }
- mech.mechanism = wrapType;
- if (!param) {
- param = param_free = PK11_ParamFromIV(wrapType, NULL);
- }
- if (param) {
- mech.pParameter = param->data;
- mech.ulParameterLen = param->len;
- } else {
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
- }
-
- PK11_EnterSlotMonitor(privSlot);
- crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech,
- wrappingKey->objectID,
- privKey->pkcs11ID,
- wrappedKey->data, &len);
- PK11_ExitSlotMonitor(privSlot);
-
- if (newSymKey) {
- PK11_FreeSymKey(newSymKey);
- }
- if (newPrivKey) {
- SECKEY_DestroyPrivateKey(newPrivKey);
- }
-
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- return SECFailure;
- }
-
- wrappedKey->len = len;
- return SECSuccess;
-}
-
-void
-PK11_SetFortezzaHack(PK11SymKey *symKey) {
- symKey->origin = PK11_OriginFortezzaHack;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
deleted file mode 100644
index 6c7cb4296..000000000
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ /dev/null
@@ -1,4312 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Deal with PKCS #11 Slots.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "prlock.h"
-#include "secmodi.h"
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "key.h"
-#include "secitem.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "prtime.h"
-#include "prlong.h"
-#include "secerr.h"
-
-/*************************************************************
- * local static and global data
- *************************************************************/
-
-/*
- * This array helps parsing between names, mechanisms, and flags.
- * to make the config files understand more entries, add them
- * to this table. (NOTE: we need function to export this table and it's size)
- */
-PK11DefaultArrayEntry PK11_DefaultArray[] = {
- { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
- { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
- { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
- { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
- { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
- { "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
- { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
- { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
- { "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
- { "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
- { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
- { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
- { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
- { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
- { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
-};
-int num_pk11_default_mechanisms = sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
-
-/*
- * These slotlists are lists of modules which provide default support for
- * a given algorithm or mechanism.
- */
-static PK11SlotList pk11_desSlotList,
- pk11_rc4SlotList,
- pk11_rc2SlotList,
- pk11_rc5SlotList,
- pk11_sha1SlotList,
- pk11_md5SlotList,
- pk11_md2SlotList,
- pk11_rsaSlotList,
- pk11_dsaSlotList,
- pk11_dhSlotList,
- pk11_ideaSlotList,
- pk11_sslSlotList,
- pk11_tlsSlotList,
- pk11_randomSlotList;
-
-/*
- * Tables used for Extended mechanism mapping (currently not used)
- */
-typedef struct {
- CK_MECHANISM_TYPE keyGen;
- CK_KEY_TYPE keyType;
- CK_MECHANISM_TYPE type;
- int blockSize;
- int iv;
-} pk11MechanismData;
-
-static pk11MechanismData pk11_default =
- { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, CKM_FAKE_RANDOM, 8, 8 };
-static pk11MechanismData *pk11_MechanismTable = NULL;
-static int pk11_MechTableSize = 0;
-static int pk11_MechEntrySize = 0;
-
-/*
- * list of mechanisms we're willing to wrap secret keys with.
- * This list is ordered by preference.
- */
-CK_MECHANISM_TYPE wrapMechanismList[] = {
- CKM_DES3_ECB,
- CKM_CAST5_ECB,
- CKM_DES_ECB,
- CKM_KEY_WRAP_LYNKS,
- CKM_IDEA_ECB,
- CKM_CAST3_ECB,
- CKM_CAST_ECB,
- CKM_RC5_ECB,
- CKM_RC2_ECB,
- CKM_CDMF_ECB,
- CKM_SKIPJACK_WRAP,
-};
-
-int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]);
-
-/*
- * This structure keeps track of status that spans all the Slots.
- * NOTE: This is a global data structure. It semantics expect thread crosstalk
- * be very careful when you see it used.
- * It's major purpose in life is to allow the user to log in one PER
- * Tranaction, even if a transaction spans threads. The problem is the user
- * may have to enter a password one just to be able to look at the
- * personalities/certificates (s)he can use. Then if Auth every is one, they
- * may have to enter the password again to use the card. See PK11_StartTransac
- * and PK11_EndTransaction.
- */
-static struct PK11GlobalStruct {
- int transaction;
- PRBool inTransaction;
- char *(*getPass)(PK11SlotInfo *,PRBool,void *);
- PRBool (*verifyPass)(PK11SlotInfo *,void *);
- PRBool (*isLoggedIn)(PK11SlotInfo *,void *);
-} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
-
-/************************************************************
- * Generic Slot List and Slot List element manipulations
- ************************************************************/
-
-/*
- * allocate a new list
- */
-PK11SlotList *
-PK11_NewSlotList(void)
-{
- PK11SlotList *list;
-
- list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList));
- if (list == NULL) return NULL;
- list->head = NULL;
- list->tail = NULL;
-#ifdef PKCS11_USE_THREADS
- list->lock = PR_NewLock();
- if (list->lock == NULL) {
- PORT_Free(list);
- return NULL;
- }
-#else
- list->lock = NULL;
-#endif
-
- return list;
-}
-
-/*
- * free a list element when all the references go away.
- */
-static void
-pk11_FreeListElement(PK11SlotList *list, PK11SlotListElement *le)
-{
- PRBool freeit = PR_FALSE;
-
- PK11_USE_THREADS(PR_Lock((PRLock *)(list->lock));)
- if (le->refCount-- == 1) {
- freeit = PR_TRUE;
- }
- PK11_USE_THREADS(PR_Unlock((PRLock *)(list->lock));)
- if (freeit) {
- PK11_FreeSlot(le->slot);
- PORT_Free(le);
- }
-}
-
-/*
- * if we are freeing the list, we must be the only ones with a pointer
- * to the list.
- */
-void
-PK11_FreeSlotList(PK11SlotList *list)
-{
- PK11SlotListElement *le, *next ;
- if (list == NULL) return;
-
- for (le = list->head ; le; le = next) {
- next = le->next;
- pk11_FreeListElement(list,le);
- }
- PK11_USE_THREADS(PR_DestroyLock((PRLock *)(list->lock));)
- PORT_Free(list);
-}
-
-/*
- * add a slot to a list
- */
-SECStatus
-PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot)
-{
- PK11SlotListElement *le;
-
- le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
- if (le == NULL) return SECFailure;
-
- le->slot = PK11_ReferenceSlot(slot);
- le->prev = NULL;
- le->refCount = 1;
- PK11_USE_THREADS(PR_Lock((PRLock *)(list->lock));)
- if (list->head) list->head->prev = le; else list->tail = le;
- le->next = list->head;
- list->head = le;
- PK11_USE_THREADS(PR_Unlock((PRLock *)(list->lock));)
-
- return SECSuccess;
-}
-
-/*
- * remove a slot entry from the list
- */
-SECStatus
-PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le)
-{
- PK11_USE_THREADS(PR_Lock((PRLock *)(list->lock));)
- if (le->prev) le->prev->next = le->next; else list->head = le->next;
- if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
- le->next = le->prev = NULL;
- PK11_USE_THREADS(PR_Unlock((PRLock *)(list->lock));)
- pk11_FreeListElement(list,le);
- return SECSuccess;
-}
-
-/*
- * Move a list to the end of the target list. NOTE: There is no locking
- * here... This assumes BOTH lists are private copy lists.
- */
-SECStatus
-PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
-{
- if (src->head == NULL) return SECSuccess;
-
- if (target->tail == NULL) {
- target->head = src->head;
- } else {
- target->tail->next = src->head;
- }
- src->head->prev = target->tail;
- target->tail = src->tail;
- src->head = src->tail = NULL;
- return SECSuccess;
-}
-
-/*
- * get an element from the list with a reference. You must own the list.
- */
-PK11SlotListElement *
-PK11_GetFirstRef(PK11SlotList *list)
-{
- PK11SlotListElement *le;
-
- le = list->head;
- if (le != NULL) (le)->refCount++;
- return le;
-}
-
-/*
- * get the next element from the list with a reference. You must own the list.
- */
-PK11SlotListElement *
-PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
-{
- PK11SlotListElement *new_le;
- new_le = le->next;
- if (new_le) new_le->refCount++;
- pk11_FreeListElement(list,le);
- return new_le;
-}
-
-/*
- * get an element safely from the list. This just makes sure that if
- * this element is not deleted while we deal with it.
- */
-PK11SlotListElement *
-PK11_GetFirstSafe(PK11SlotList *list)
-{
- PK11SlotListElement *le;
-
- PK11_USE_THREADS(PR_Lock((PRLock *)(list->lock));)
- le = list->head;
- if (le != NULL) (le)->refCount++;
- PK11_USE_THREADS(PR_Unlock((PRLock *)(list->lock));)
- return le;
-}
-
-/*
- * NOTE: if this element gets deleted, we can no longer safely traverse using
- * it's pointers. We can either terminate the loop, or restart from the
- * beginning. This is controlled by the restart option.
- */
-PK11SlotListElement *
-PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
-{
- PK11SlotListElement *new_le;
- PK11_USE_THREADS(PR_Lock((PRLock *)(list->lock));)
- new_le = le->next;
- if (le->next == NULL) {
- /* if the prev and next fields are NULL then either this element
- * has been removed and we need to walk the list again (if restart
- * is true) or this was the only element on the list */
- if ((le->prev == NULL) && restart && (list->head != le)) {
- new_le = list->head;
- }
- }
- if (new_le) new_le->refCount++;
- PK11_USE_THREADS(PR_Unlock((PRLock *)(list->lock));)
- pk11_FreeListElement(list,le);
- return new_le;
-}
-
-
-/*
- * Find the element that holds this slot
- */
-PK11SlotListElement *
-PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot)
-{
- PK11SlotListElement *le;
-
- for (le = PK11_GetFirstSafe(list); le;
- le = PK11_GetNextSafe(list,le,PR_TRUE)) {
- if (le->slot == slot) return le;
- }
- return NULL;
-}
-
-/************************************************************
- * Generic Slot Utilities
- ************************************************************/
-/*
- * Create a new slot structure
- */
-PK11SlotInfo *
-PK11_NewSlotInfo(void)
-{
- PK11SlotInfo *slot;
-
- slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
- if (slot == NULL) return slot;
-
-#ifdef PKCS11_USE_THREADS
- slot->refLock = PR_NewLock();
- if (slot->refLock == NULL) {
- PORT_Free(slot);
- return slot;
- }
- slot->sessionLock = PR_NewLock();
- if (slot->sessionLock == NULL) {
- PR_DestroyLock(slot->refLock);
- PORT_Free(slot);
- return slot;
- }
- slot->freeListLock = PR_NewLock();
- if (slot->freeListLock == NULL) {
- PR_DestroyLock(slot->sessionLock);
- PR_DestroyLock(slot->refLock);
- PORT_Free(slot);
- return slot;
- }
-#else
- slot->sessionLock = NULL;
- slot->refLock = NULL;
- slot->freeListLock = NULL;
-#endif
- slot->freeSymKeysHead = NULL;
- slot->keyCount = 0;
- slot->maxKeyCount = 0;
- slot->functionList = NULL;
- slot->needTest = PR_TRUE;
- slot->isPerm = PR_FALSE;
- slot->isHW = PR_FALSE;
- slot->isInternal = PR_FALSE;
- slot->isThreadSafe = PR_FALSE;
- slot->disabled = PR_FALSE;
- slot->series = 0;
- slot->wrapKey = 0;
- slot->wrapMechanism = CKM_INVALID_MECHANISM;
- slot->refKeys[0] = CK_INVALID_KEY;
- slot->reason = PK11_DIS_NONE;
- slot->readOnly = PR_TRUE;
- slot->needLogin = PR_FALSE;
- slot->hasRandom = PR_FALSE;
- slot->defRWSession = PR_FALSE;
- slot->flags = 0;
- slot->session = CK_INVALID_SESSION;
- slot->slotID = 0;
- slot->defaultFlags = 0;
- slot->refCount = 1;
- slot->askpw = 0;
- slot->timeout = 0;
- slot->mechanismList = NULL;
- slot->mechanismCount = 0;
- slot->cert_array = NULL;
- slot->cert_count = 0;
- slot->slot_name[0] = 0;
- slot->token_name[0] = 0;
- PORT_Memset(slot->serial,' ',sizeof(slot->serial));
- slot->module = NULL;
- slot->authTransact = 0;
- slot->authTime = LL_ZERO;
- slot->minPassword = 0;
- slot->maxPassword = 0;
- return slot;
-}
-
-/* create a new reference to a slot so it doesn't go away */
-PK11SlotInfo *
-PK11_ReferenceSlot(PK11SlotInfo *slot)
-{
- PK11_USE_THREADS(PR_Lock(slot->refLock);)
- slot->refCount++;
- PK11_USE_THREADS(PR_Unlock(slot->refLock);)
- return slot;
-}
-
-/* Destroy all info on a slot we have built up */
-void
-PK11_DestroySlot(PK11SlotInfo *slot)
-{
- /* first free up all the sessions on this slot */
- if (slot->functionList) {
- PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
- }
-
- /* now free up all the certificates we grabbed on this slot */
- PK11_FreeSlotCerts(slot);
-
- /* free up the cached keys and sessions */
- PK11_CleanKeyList(slot);
-
- /* finally Tell our parent module that we've gone away so it can unload */
- if (slot->module) {
- SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
- }
-#ifdef PKCS11_USE_THREADS
- if (slot->refLock) {
- PR_DestroyLock(slot->refLock);
- slot->refLock = NULL;
- }
- if (slot->sessionLock) {
- PR_DestroyLock(slot->sessionLock);
- slot->sessionLock = NULL;
- }
- if (slot->freeListLock) {
- PR_DestroyLock(slot->freeListLock);
- slot->freeListLock = NULL;
- }
-#endif
-
- /* ok, well not quit finally... now we free the memory */
- PORT_Free(slot);
-}
-
-
-/* We're all done with the slot, free it */
-void
-PK11_FreeSlot(PK11SlotInfo *slot)
-{
- PRBool freeit = PR_FALSE;
-
- PK11_USE_THREADS(PR_Lock(slot->refLock);)
- if (slot->refCount-- == 1) freeit = PR_TRUE;
- PK11_USE_THREADS(PR_Unlock(slot->refLock);)
-
- if (freeit) PK11_DestroySlot(slot);
-}
-
-void
-PK11_EnterSlotMonitor(PK11SlotInfo *slot) {
- PR_Lock(slot->sessionLock);
-}
-
-void
-PK11_ExitSlotMonitor(PK11SlotInfo *slot) {
- PR_Unlock(slot->sessionLock);
-}
-
-/***********************************************************
- * Functions to find specific slots.
- ***********************************************************/
-PK11SlotInfo *
-PK11_FindSlotByName(char *name)
-{
- SECMODModuleList *mlp;
- SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
- SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
- int i;
- PK11SlotInfo *slot = NULL;
-
- if ((name == NULL) || (*name == 0)) {
- return PK11_GetInternalKeySlot();
- }
-
- /* work through all the slots */
- SECMOD_GetReadLock(moduleLock);
- for(mlp = modules; mlp != NULL; mlp = mlp->next) {
- for (i=0; i < mlp->module->slotCount; i++) {
- PK11SlotInfo *tmpSlot = mlp->module->slots[i];
- if (PK11_IsPresent(tmpSlot)) {
- if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
- slot = PK11_ReferenceSlot(tmpSlot);
- break;
- }
- }
- }
- if (slot != NULL) break;
- }
- SECMOD_ReleaseReadLock(moduleLock);
-
- if (slot == NULL) {
- PORT_SetError(SEC_ERROR_NO_TOKEN);
- }
-
- return slot;
-}
-
-
-PK11SlotInfo *
-PK11_FindSlotBySerial(char *serial)
-{
- SECMODModuleList *mlp;
- SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
- SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
- int i;
- PK11SlotInfo *slot = NULL;
-
- /* work through all the slots */
- SECMOD_GetReadLock(moduleLock);
- for(mlp = modules; mlp != NULL; mlp = mlp->next) {
- for (i=0; i < mlp->module->slotCount; i++) {
- PK11SlotInfo *tmpSlot = mlp->module->slots[i];
- if (PK11_IsPresent(tmpSlot)) {
- if (PORT_Memcmp(tmpSlot->serial,serial,
- sizeof(tmpSlot->serial)) == 0) {
- slot = PK11_ReferenceSlot(tmpSlot);
- break;
- }
- }
- }
- if (slot != NULL) break;
- }
- SECMOD_ReleaseReadLock(moduleLock);
-
- if (slot == NULL) {
- PORT_SetError(SEC_ERROR_NO_TOKEN);
- }
-
- return slot;
-}
-
-
-
-
-/***********************************************************
- * Password Utilities
- ***********************************************************/
-/*
- * Check the user's password. Log into the card if it's correct.
- * succeed if the user is already logged in.
- */
-SECStatus
-pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
-{
- int len = PORT_Strlen(pw);
- CK_RV crv;
- SECStatus rv;
- int64 currtime = PR_Now();
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
- (unsigned char *)pw,len);
- PK11_ExitSlotMonitor(slot);
- switch (crv) {
- /* if we're already logged in, we're good to go */
- case CKR_OK:
- slot->authTransact = PK11_Global.transaction;
- case CKR_USER_ALREADY_LOGGED_IN:
- slot->authTime = currtime;
- rv = SECSuccess;
- break;
- case CKR_PIN_INCORRECT:
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
- break;
- default:
- PORT_SetError(PK11_MapError(crv));
- rv = SECFailure; /* some failure we can't fix by retrying */
- }
- return rv;
-}
-
-/*
- * Check the user's password. Logout before hand to make sure that
- * we are really checking the password.
- */
-SECStatus
-PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw)
-{
- int len = PORT_Strlen(pw);
- CK_RV crv;
- SECStatus rv;
- int64 currtime = PR_Now();
-
- /* force a logout */
- PK11_EnterSlotMonitor(slot);
- PK11_GETTAB(slot)->C_Logout(slot->session);
-
- crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
- (unsigned char *)pw,len);
- PK11_ExitSlotMonitor(slot);
- switch (crv) {
- /* if we're already logged in, we're good to go */
- case CKR_OK:
- slot->authTransact = PK11_Global.transaction;
- slot->authTime = currtime;
- rv = SECSuccess;
- break;
- case CKR_PIN_INCORRECT:
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
- break;
- default:
- PORT_SetError(PK11_MapError(crv));
- rv = SECFailure; /* some failure we can't fix by retrying */
- }
- return rv;
-}
-
-SECStatus
-PK11_Logout(PK11SlotInfo *slot)
-{
- CK_RV crv;
-
- /* force a logout */
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_Logout(slot->session);
- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * transaction stuff is for when we test for the need to do every
- * time auth to see if we already did it for this slot/transaction
- */
-void PK11_StartAuthTransaction(void)
-{
-PK11_Global.transaction++;
-PK11_Global.inTransaction = PR_TRUE;
-}
-
-void PK11_EndAuthTransaction(void)
-{
-PK11_Global.transaction++;
-PK11_Global.inTransaction = PR_FALSE;
-}
-
-/*
- * before we do a private key op, we check to see if we
- * need to reauthenticate.
- */
-void
-PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
-{
- int askpw = slot->askpw;
- PRBool NeedAuth = PR_FALSE;
-
- if (!slot->needLogin) return;
-
- if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
- PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
-
- if (def_slot) {
- askpw = def_slot->askpw;
- PK11_FreeSlot(def_slot);
- }
- }
-
- /* timeouts are handled by isLoggedIn */
- if (!PK11_IsLoggedIn(slot,wincx)) {
- NeedAuth = PR_TRUE;
- } else if (slot->askpw == -1) {
- if (!PK11_Global.inTransaction ||
- (PK11_Global.transaction != slot->authTransact)) {
- PK11_EnterSlotMonitor(slot);
- PK11_GETTAB(slot)->C_Logout(slot->session);
- PK11_ExitSlotMonitor(slot);
- NeedAuth = PR_TRUE;
- }
- }
- if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
-}
-
-void
-PK11_SlotDBUpdate(PK11SlotInfo *slot)
-{
- SECMOD_AddPermDB(slot->module);
-}
-
-/*
- * set new askpw and timeout values
- */
-void
-PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
-{
- slot->askpw = askpw;
- slot->timeout = timeout;
- slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
- PK11_SlotDBUpdate(slot);
-}
-
-/*
- * Get the askpw and timeout values for this slot
- */
-void
-PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
-{
- *askpw = slot->askpw;
- *timeout = slot->timeout;
-
- if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
- PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
-
- if (def_slot) {
- *askpw = def_slot->askpw;
- *timeout = def_slot->timeout;
- PK11_FreeSlot(def_slot);
- }
- }
-}
-
-/*
- * make sure a slot is authenticated...
- */
-SECStatus
-PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
- if (slot->needLogin && !PK11_IsLoggedIn(slot,wincx)) {
- return PK11_DoPassword(slot,loadCerts,wincx);
- }
- return SECSuccess;
-}
-
-/*
- * notification stub. If we ever get interested in any events that
- * the pkcs11 functions may pass back to use, we can catch them here...
- * currently pdata is a slotinfo structure.
- */
-CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
- CK_VOID_PTR pdata)
-{
- return CKR_OK;
-}
-
-
-/*
- * grab a new RW session
- * !!! has a side effect of grabbing the Monitor if either the slot's default
- * session is RW or the slot is not thread safe. Monitor is release in function
- * below
- */
-CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot)
-{
- CK_SESSION_HANDLE rwsession;
- CK_RV crv;
-
- if (!slot->isThreadSafe || slot->defRWSession) PK11_EnterSlotMonitor(slot);
- if (slot->defRWSession) return slot->session;
-
- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
- CKF_RW_SESSION|CKF_SERIAL_SESSION,
- slot, pk11_notify,&rwsession);
- if (crv == CKR_SESSION_COUNT) {
- PK11_GETTAB(slot)->C_CloseSession(slot->session);
- slot->session = CK_INVALID_SESSION;
- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
- CKF_RW_SESSION|CKF_SERIAL_SESSION,
- slot,pk11_notify,&rwsession);
- }
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- if (slot->session == CK_INVALID_SESSION) {
- PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
- slot,pk11_notify,&slot->session);
- }
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- return CK_INVALID_SESSION;
- }
-
- return rwsession;
-}
-
-PRBool
-PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) {
- return (PRBool)(!slot->isThreadSafe || slot->defRWSession);
-}
-
-/*
- * close the rwsession and restore our readonly session
- * !!! has a side effect of releasing the Monitor if either the slot's default
- * session is RW or the slot is not thread safe.
- */
-void
-PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
-{
- if (slot->defRWSession) {
- PK11_ExitSlotMonitor(slot);
- return;
- }
- PK11_GETTAB(slot)->C_CloseSession(rwsession);
- if (slot->session == CK_INVALID_SESSION) {
- PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
- slot,pk11_notify,&slot->session);
- }
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-}
-
-/*
- * NOTE: this assumes that we are logged out of the card before hand
- */
-SECStatus
-PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
-{
- CK_SESSION_HANDLE rwsession;
- CK_RV crv;
- SECStatus rv = SECFailure;
- int len = PORT_Strlen(ssopw);
-
- /* get a rwsession */
- rwsession = PK11_GetRWSession(slot);
- if (rwsession == CK_INVALID_SESSION) return rv;
-
- /* check the password */
- crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
- (unsigned char *)ssopw,len);
- switch (crv) {
- /* if we're already logged in, we're good to go */
- case CKR_OK:
- rv = SECSuccess;
- break;
- case CKR_PIN_INCORRECT:
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
- break;
- default:
- PORT_SetError(PK11_MapError(crv));
- rv = SECFailure; /* some failure we can't fix by retrying */
- }
- PK11_GETTAB(slot)->C_Logout(rwsession);
- /* release rwsession */
- PK11_RestoreROSession(slot,rwsession);
- return rv;
-}
-
-/*
- * make sure the password conforms to your token's requirements.
- */
-SECStatus
-PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
-{
- int len = PORT_Strlen(pw);
-
- if ((slot->minPassword > len) || (slot->maxPassword < len)) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * initialize a user PIN Value
- */
-SECStatus
-PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *userpw)
-{
- CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
- CK_RV crv;
- SECStatus rv = SECFailure;
- int len;
- int ssolen;
-
- if (userpw == NULL) userpw = "";
- if (ssopw == NULL) ssopw = "";
-
- len = PORT_Strlen(userpw);
- ssolen = PORT_Strlen(ssopw);
-
- /* get a rwsession */
- rwsession = PK11_GetRWSession(slot);
- if (rwsession == CK_INVALID_SESSION) goto done;
-
- /* check the password */
- crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
- (unsigned char *)ssopw,ssolen);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- goto done;
- }
-
- crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- } else {
- rv = SECSuccess;
- }
-
-done:
- PK11_GETTAB(slot)->C_Logout(rwsession);
- PK11_RestoreROSession(slot,rwsession);
- if (rv == SECSuccess) {
- /* update our view of the world */
- PK11_InitToken(slot,PR_TRUE);
- PK11_EnterSlotMonitor(slot);
- PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
- (unsigned char *)userpw,len);
- PK11_ExitSlotMonitor(slot);
- }
- return rv;
-}
-
-/*
- * Change an existing user password
- */
-SECStatus
-PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw)
-{
- CK_RV crv;
- SECStatus rv = SECFailure;
- int newLen;
- int oldLen;
- CK_SESSION_HANDLE rwsession;
-
- if (newpw == NULL) newpw = "";
- if (oldpw == NULL) oldpw = "";
- newLen = PORT_Strlen(newpw);
- oldLen = PORT_Strlen(oldpw);
-
- /* get a rwsession */
- rwsession = PK11_GetRWSession(slot);
-
- crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
- (unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
- if (crv == CKR_OK) {
- rv = SECSuccess;
- } else {
- PORT_SetError(PK11_MapError(crv));
- }
-
- PK11_RestoreROSession(slot,rwsession);
-
- /* update our view of the world */
- PK11_InitToken(slot,PR_TRUE);
- return rv;
-}
-
-static char *
-pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
-{
- if (PK11_Global.getPass == NULL) return NULL;
- return (*PK11_Global.getPass)(slot, retry, wincx);
-}
-
-void
-PK11_SetPasswordFunc(PK11PasswordFunc func)
-{
- PK11_Global.getPass = func;
-}
-
-void
-PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
-{
- PK11_Global.verifyPass = func;
-}
-
-void
-PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
-{
- PK11_Global.isLoggedIn = func;
-}
-
-
-/*
- * authenticate to a slot. This loops until we can't recover, the user
- * gives up, or we succeed. If we're already logged in and this function
- * is called we will still prompt for a password, but we will probably
- * succeed no matter what the password was (depending on the implementation
- * of the PKCS 11 module.
- */
-SECStatus
-PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
-{
- SECStatus rv = SECFailure;
- char * password;
- PRBool attempt = PR_FALSE;
-
- if (PK11_NeedUserInit(slot)) {
- PORT_SetError(SEC_ERROR_IO);
- return SECFailure;
- }
-
-
- /*
- * Central server type applications which control access to multiple
- * slave applications to single crypto devices need to virtuallize the
- * login state. This is done by a callback out of PK11_IsLoggedIn and
- * here. If we are actually logged in, then we got here because the
- * higher level code told us that the particular client application may
- * still need to be logged in. If that is the case, we simply tell the
- * server code that it should now verify the clients password and tell us
- * the results.
- */
- if (PK11_IsLoggedIn(slot,NULL) &&
- (PK11_Global.verifyPass != NULL)) {
- if (!PK11_Global.verifyPass(slot,wincx)) {
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- return SECFailure;
- }
- return SECSuccess;
- }
-
- /* get the password. This can drop out of the while loop
- * for the following reasons:
- * (1) the user refused to enter a password.
- * (return error to caller)
- * (2) the token user password is disabled [usually due to
- * too many failed authentication attempts].
- * (return error to caller)
- * (3) the password was successful.
- */
- while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
- attempt = PR_TRUE;
- rv = pk11_CheckPassword(slot,password);
- PORT_Memset(password, 0, PORT_Strlen(password));
- PORT_Free(password);
- if (rv != SECWouldBlock) break;
- }
- if (rv == SECSuccess) {
- if ((loadCerts) && (!slot->isInternal) && (slot->cert_count == 0)) {
- PK11_ReadSlotCerts(slot);
- }
- rv = pk11_CheckVerifyTest(slot);
- } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- return rv;
-}
-
-void PK11_LogoutAll(void)
-{
- SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
- SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
- SECMODModuleList *mlp = NULL;
- int i;
-
- SECMOD_GetReadLock(lock);
- /* find the number of entries */
- for (mlp = modList; mlp != NULL; mlp = mlp->next) {
- for (i=0; i < mlp->module->slotCount; i++) {
- PK11_Logout(mlp->module->slots[i]);
- }
- }
-
- SECMOD_ReleaseReadLock(lock);
-}
-
-int
-PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
-{
- return ((int)slot->minPassword);
-}
-
-/************************************************************
- * Manage the built-In Slot Lists
- ************************************************************/
-
-/* Init the static built int slot list (should actually integrate
- * with PK11_NewSlotList */
-static void
-pk11_initSlotList(PK11SlotList *list)
-{
-#ifdef PKCS11_USE_THREADS
- list->lock = PR_NewLock();
-#else
- list->lock = NULL;
-#endif
- list->head = NULL;
-}
-
-/* initialize the system slotlists */
-SECStatus
-PK11_InitSlotLists(void)
-{
- pk11_initSlotList(&pk11_desSlotList);
- pk11_initSlotList(&pk11_rc4SlotList);
- pk11_initSlotList(&pk11_rc2SlotList);
- pk11_initSlotList(&pk11_rc5SlotList);
- pk11_initSlotList(&pk11_md5SlotList);
- pk11_initSlotList(&pk11_md2SlotList);
- pk11_initSlotList(&pk11_sha1SlotList);
- pk11_initSlotList(&pk11_rsaSlotList);
- pk11_initSlotList(&pk11_dsaSlotList);
- pk11_initSlotList(&pk11_dhSlotList);
- pk11_initSlotList(&pk11_ideaSlotList);
- pk11_initSlotList(&pk11_sslSlotList);
- pk11_initSlotList(&pk11_tlsSlotList);
- pk11_initSlotList(&pk11_randomSlotList);
- return SECSuccess;
-}
-
-/* return a system slot list based on mechanism */
-PK11SlotList *
-PK11_GetSlotList(CK_MECHANISM_TYPE type)
-{
- switch (type) {
- case CKM_DES_CBC:
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_DES3_CBC:
- return &pk11_desSlotList;
- case CKM_RC4:
- return &pk11_rc4SlotList;
- case CKM_RC5_CBC:
- return &pk11_rc5SlotList;
- case CKM_SHA_1:
- return &pk11_sha1SlotList;
- case CKM_MD5:
- return &pk11_md5SlotList;
- case CKM_MD2:
- return &pk11_md2SlotList;
- case CKM_RC2_ECB:
- case CKM_RC2_CBC:
- return &pk11_rc2SlotList;
- case CKM_RSA_PKCS:
- case CKM_RSA_PKCS_KEY_PAIR_GEN:
- case CKM_RSA_X_509:
- return &pk11_rsaSlotList;
- case CKM_DSA:
- return &pk11_dsaSlotList;
- case CKM_DH_PKCS_KEY_PAIR_GEN:
- case CKM_DH_PKCS_DERIVE:
- return &pk11_dhSlotList;
- case CKM_SSL3_PRE_MASTER_KEY_GEN:
- case CKM_SSL3_MASTER_KEY_DERIVE:
- case CKM_SSL3_SHA1_MAC:
- case CKM_SSL3_MD5_MAC:
- return &pk11_sslSlotList;
- case CKM_TLS_MASTER_KEY_DERIVE:
- case CKM_TLS_KEY_AND_MAC_DERIVE:
- return &pk11_tlsSlotList;
- case CKM_IDEA_CBC:
- case CKM_IDEA_ECB:
- return &pk11_ideaSlotList;
- case CKM_FAKE_RANDOM:
- return &pk11_randomSlotList;
- }
- return NULL;
-}
-
-/*
- * load the static SlotInfo structures used to select a PKCS11 slot.
- * preSlotInfo has a list of all the default flags for the slots on this
- * module.
- */
-void
-PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
-{
- int i;
-
- for (i=0; i < count; i++) {
- if (psi[i].slotID == slot->slotID)
- break;
- }
-
- if (i == count) return;
-
- slot->defaultFlags = psi[i].defaultFlags;
- slot->askpw = psi[i].askpw;
- slot->timeout = psi[i].timeout;
-
- /* if the slot is already disabled, don't load them into the
- * default slot lists. We get here so we can save the default
- * list value. */
- if (slot->disabled) return;
-
- /* if the user has disabled us, don't load us in */
- if (slot->defaultFlags & PK11_DISABLE_FLAG) {
- slot->disabled = PR_TRUE;
- slot->reason = PK11_DIS_USER_SELECTED;
- /* free up sessions and things?? */
- return;
- }
-
- for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
- i++) {
- if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
- CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
- PK11SlotList *slotList = PK11_GetSlotList(mechanism);
-
- if (slotList) PK11_AddSlotToList(slotList,slot);
- }
- }
-
- return;
-}
-
-
-/*
- * update a slot to its new attribute according to the slot list
- * returns: SECSuccess if nothing to do or add/delete is successful
- */
-SECStatus
-PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
- PRBool add)
- /* add: PR_TRUE if want to turn on */
-{
- SECStatus result = SECSuccess;
- PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
-
- if (add) { /* trying to turn on a mechanism */
-
- /* turn on the default flag in the slot */
- slot->defaultFlags |= entry->flag;
-
- /* add this slot to the list */
- if (slotList!=NULL)
- result = PK11_AddSlotToList(slotList, slot);
-
- } else { /* trying to turn off */
-
- /* turn OFF the flag in the slot */
- slot->defaultFlags &= ~entry->flag;
-
- if (slotList) {
- /* find the element in the list & delete it */
- PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
-
- /* remove the slot from the list */
- if (le)
- result = PK11_DeleteSlotFromList(slotList, le);
- }
- }
- return result;
-}
-
-/*
- * clear a slot off of all of it's default list
- */
-void
-PK11_ClearSlotList(PK11SlotInfo *slot)
-{
- int i;
-
- if (slot->disabled) return;
- if (slot->defaultFlags == 0) return;
-
- for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
- i++) {
- if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
- CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
- PK11SlotList *slotList = PK11_GetSlotList(mechanism);
- PK11SlotListElement *le = NULL;
-
- if (slotList) le = PK11_FindSlotElement(slotList,slot);
-
- if (le) {
- PK11_DeleteSlotFromList(slotList,le);
- pk11_FreeListElement(slotList,le);
- }
- }
- }
-}
-
-
-/******************************************************************
- * Slot initialization
- ******************************************************************/
-/*
- * turn a PKCS11 Static Label into a string
- */
-char *
-PK11_MakeString(PRArenaPool *arena,char *space,
- char *staticString,int stringLen)
-{
- int i;
- char *newString;
- for(i=(stringLen-1); i >= 0; i--) {
- if (staticString[i] != ' ') break;
- }
- /* move i to point to the last space */
- i++;
- if (arena) {
- newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */);
- } else if (space) {
- newString = space;
- } else {
- newString = (char*)PORT_Alloc(i+1 /* space for NULL */);
- }
- if (newString == NULL) return NULL;
-
- if (i) PORT_Memcpy(newString,staticString, i);
- newString[i] = 0;
-
- return newString;
-}
-
-/*
- * verify that slot implements Mechanism mech properly by checking against
- * our internal implementation
- */
-PRBool
-PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
- CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv)
-{
- PK11Context *test = NULL, *reference = NULL;
- PK11SymKey *symKey = NULL, *testKey = NULL;
- SECItem *param = NULL;
- unsigned char encTest[8];
- unsigned char encRef[8];
- int outLenTest,outLenRef;
- int key_size = 0;
- SECStatus rv;
-
- if ((mech == CKM_RC2_CBC) || (mech == CKM_RC2_ECB) || (mech == CKM_RC4)) {
- key_size = 16;
- }
-
- /* initialize the mechanism parameter */
- param = PK11_ParamFromIV(mech,iv);
- if (param == NULL) goto loser;
-
- /* load the keys and contexts */
- symKey = PK11_KeyGen(intern,mech,NULL, key_size, NULL);
- if (symKey == NULL) goto loser;
-
- reference = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symKey, param);
- if (reference == NULL) goto loser;
-
- testKey = pk11_CopyToSlot(slot, mech, CKA_ENCRYPT, symKey);
- if (testKey == NULL) goto loser;
-
- test = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, testKey, param);
- if (test == NULL) goto loser;
- SECITEM_FreeItem(param,PR_TRUE); param = NULL;
-
- /* encrypt the test data */
- rv = PK11_CipherOp(test,encTest,&outLenTest,sizeof(encTest),
- data->data,data->len);
- if (rv != SECSuccess) goto loser;
- rv = PK11_CipherOp(reference,encRef,&outLenRef,sizeof(encRef),
- data->data,data->len);
- if (rv != SECSuccess) goto loser;
-
- PK11_DestroyContext(reference,PR_TRUE); reference = NULL;
- PK11_DestroyContext(test,PR_TRUE); test = NULL;
-
- if (outLenTest != outLenRef) goto loser;
- if (PORT_Memcmp(encTest, encRef, outLenTest) != 0) goto loser;
-
- return PR_TRUE;
-
-loser:
- if (test) PK11_DestroyContext(test,PR_TRUE);
- if (symKey) PK11_FreeSymKey(symKey);
- if (testKey) PK11_FreeSymKey(testKey);
- if (reference) PK11_DestroyContext(reference,PR_TRUE);
- if (param) SECITEM_FreeItem(param,PR_TRUE);
-
- return PR_FALSE;
-}
-
-/*
- * this code verifies that the advertised mechanisms are what they
- * seem to be.
- */
-#define MAX_MECH_LIST_SIZE 30 /* we only know of about 30 odd mechanisms */
-PRBool
-PK11_VerifySlotMechanisms(PK11SlotInfo *slot)
-{
- CK_MECHANISM_TYPE mechListArray[MAX_MECH_LIST_SIZE];
- CK_MECHANISM_TYPE *mechList = mechListArray;
- static SECItem data;
- static SECItem iv;
- static SECItem key;
- static unsigned char dataV[8];
- static unsigned char ivV[8];
- static unsigned char keyV[8];
- static PRBool generated = PR_FALSE;
- CK_ULONG count;
- int i;
- CK_RV crv;
-
- PRBool alloced = PR_FALSE;
- PK11SlotInfo *intern = PK11_GetInternalSlot();
-
- /* if we couldn't initialize an internal module,
- * we can't check external ones */
- if (intern == NULL) return PR_FALSE;
-
- /* first get the count of mechanisms */
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PK11_FreeSlot(intern);
- return PR_FALSE;
- }
-
-
- /* don't blow up just because the card supports more mechanisms than
- * we know about, just alloc space for them */
- if (count > MAX_MECH_LIST_SIZE) {
- mechList = (CK_MECHANISM_TYPE *)
- PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
- alloced = PR_TRUE;
- if (mechList == NULL) return PR_FALSE;
- }
- /* get the list */
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv =PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, mechList, &count);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- if (alloced) PORT_Free(mechList);
- PK11_FreeSlot(intern);
- return PR_FALSE;
- }
-
- if (!generated) {
- data.data = dataV;
- data.len = sizeof(dataV);
- iv.data = ivV;
- iv.len = sizeof(ivV);
- /* ok, this is a cheat, we know our internal random number generater
- * is thread safe */
- PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
- data.data, data.len);
- PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
- iv.data, iv.len);
- }
- for (i=0; i < (int) count; i++) {
- switch (mechList[i]) {
- case CKM_DES_CBC:
- case CKM_DES_ECB:
- case CKM_RC4:
- case CKM_RC2_CBC:
- case CKM_RC2_ECB:
- if (!PK11_VerifyMechanism(slot,intern,mechList[i],&data,&iv)){
- if (alloced) PORT_Free(mechList);
- PK11_FreeSlot(intern);
- return PR_FALSE;
- }
- }
- }
- if (alloced) PORT_Free(mechList);
- PK11_FreeSlot(intern);
- return PR_TRUE;
-}
-
-/*
- * See if we need to run the verify test, do so if necessary. If we fail,
- * disable the slot.
- */
-SECStatus
-pk11_CheckVerifyTest(PK11SlotInfo *slot)
-{
- PK11_EnterSlotMonitor(slot);
- if (slot->needTest) {
- slot->needTest = PR_FALSE;
- PK11_ExitSlotMonitor(slot);
- if (!PK11_VerifySlotMechanisms(slot)) {
- (void)PK11_GETTAB(slot)->C_CloseSession(slot->session);
- slot->session = CK_INVALID_SESSION;
- PK11_ClearSlotList(slot);
- slot->disabled = PR_TRUE;
- slot->reason = PK11_DIS_TOKEN_VERIFY_FAILED;
- slot->needTest = PR_TRUE;
- PORT_SetError(SEC_ERROR_IO);
- return SECFailure;
- }
- } else {
- PK11_ExitSlotMonitor(slot);
- }
- return SECSuccess;
-}
-
-/*
- * Reads in the slots mechanism list for later use
- */
-SECStatus
-PK11_ReadMechanismList(PK11SlotInfo *slot)
-{
- CK_ULONG count;
- CK_RV crv;
-
- if (slot->mechanismList) {
- PORT_Free(slot->mechanismList);
- slot->mechanismList = NULL;
- }
- slot->mechanismCount = 0;
-
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
- if (crv != CKR_OK) {
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
-
- slot->mechanismList = (CK_MECHANISM_TYPE *)
- PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
- if (slot->mechanismList == NULL) {
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- return SECFailure;
- }
- crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
- slot->mechanismList, &count);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_Free(slot->mechanismList);
- slot->mechanismList = NULL;
- PORT_SetError(PK11_MapError(crv));
- return SECSuccess;
- }
- slot->mechanismCount = count;
- return SECSuccess;
-}
-
-/*
- * initialize a new token
- * unlike initialize slot, this can be called multiple times in the lifetime
- * of NSS. It reads the information associated with a card or token,
- * that is not going to change unless the card or token changes.
- */
-SECStatus
-PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
-{
- CK_TOKEN_INFO tokenInfo;
- CK_RV crv;
- char *tmp;
- SECStatus rv;
-
- /* set the slot flags to the current token values */
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
-
- /* set the slot flags to the current token values */
- slot->series++; /* allow other objects to detect that the
- * slot is different */
- slot->flags = tokenInfo.flags;
- slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ?
- PR_TRUE : PR_FALSE);
- slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ?
- PR_TRUE : PR_FALSE);
- slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
- tmp = PK11_MakeString(NULL,slot->token_name,
- (char *)tokenInfo.label, sizeof(tokenInfo.label));
- slot->minPassword = tokenInfo.ulMinPinLen;
- slot->maxPassword = tokenInfo.ulMaxPinLen;
- PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
-
- slot->defRWSession = (PRBool)((!slot->readOnly) &&
- (tokenInfo.ulMaxSessionCount == 1));
- rv = PK11_ReadMechanismList(slot);
- if (rv != SECSuccess) return rv;
-
- slot->hasRSAInfo = PR_FALSE;
- slot->RSAInfoFlags = 0;
-
- /* initialize the maxKeyCount value */
- if (tokenInfo.ulMaxSessionCount == 0) {
- slot->maxKeyCount = 300; /* should be #define or a config param */
- } else if (tokenInfo.ulMaxSessionCount < 20) {
- /* don't have enough sessions to keep that many keys around */
- slot->maxKeyCount = 0;
- } else {
- slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
- }
-
- /* Make sure our session handle is valid */
- if (slot->session == CK_INVALID_SESSION) {
- /* we know we don't have a valid session, go get one */
- CK_SESSION_HANDLE session;
-
- /* session should be Readonly, serial */
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
- (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
- slot,pk11_notify,&session);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
- slot->session = session;
- } else {
- /* The session we have may be defunct (the token associated with it)
- * has been removed */
- CK_SESSION_INFO sessionInfo;
-
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
- if (crv == CKR_DEVICE_ERROR) {
- PK11_GETTAB(slot)->C_CloseSession(slot->session);
- crv = CKR_SESSION_CLOSED;
- }
- if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
- crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
- (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
- slot,pk11_notify,&slot->session);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- slot->session = CK_INVALID_SESSION;
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- return SECFailure;
- }
- }
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- }
-
- /*if we have cached slotcerts, free them they are almost certainly stale*/
- PK11_FreeSlotCerts(slot);
-
- if (loadCerts && (!slot->isInternal) &&
- ((!slot->needLogin) || (slot->defaultFlags & SECMOD_FRIENDLY_FLAG))) {
- PK11_ReadSlotCerts(slot);
- }
-
- if (!(slot->needLogin)) {
- return pk11_CheckVerifyTest(slot);
- }
-
-
- if (!(slot->isInternal) && (slot->hasRandom)) {
- /* if this slot has a random number generater, use it to add entropy
- * to the internal slot. */
- PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
- if (int_slot) {
- unsigned char random_bytes[32];
-
- /* if this slot can issue random numbers, get some entropy from
- * that random number generater and give it to our internal token.
- */
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GenerateRandom
- (slot->session,random_bytes, sizeof(random_bytes));
- PK11_ExitSlotMonitor(slot);
- if (crv == CKR_OK) {
- PK11_EnterSlotMonitor(int_slot);
- PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
- random_bytes, sizeof(random_bytes));
- PK11_ExitSlotMonitor(int_slot);
- }
-
- /* Now return the favor and send entropy to the token's random
- * number generater */
- PK11_EnterSlotMonitor(int_slot);
- crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
- random_bytes, sizeof(random_bytes));
- PK11_ExitSlotMonitor(int_slot);
- if (crv == CKR_OK) {
- PK11_EnterSlotMonitor(slot);
- PK11_GETTAB(slot)->C_SeedRandom(slot->session,
- random_bytes, sizeof(random_bytes));
- PK11_ExitSlotMonitor(slot);
- }
- }
- }
-
- return SECSuccess;
-}
-
-/*
- * Initialize the slot :
- * This initialization code is called on each slot a module supports when
- * it is loaded. It does the bringup initialization. The difference between
- * this and InitToken is Init slot does those one time initialization stuff,
- * usually associated with the reader, while InitToken may get called multiple
- * times as tokens are removed and re-inserted.
- */
-void
-PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
-{
- SECStatus rv;
- char *tmp;
- CK_SLOT_INFO slotInfo;
-
- slot->functionList = mod->functionList;
- slot->isInternal = mod->internal;
- slot->slotID = slotID;
- slot->isThreadSafe = mod->isThreadSafe;
- slot->hasRSAInfo = PR_FALSE;
-
- if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) {
- slot->disabled = PR_TRUE;
- slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
- return;
- }
-
- /* test to make sure claimed mechanism work */
- slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
- slot->module = mod; /* NOTE: we don't make a reference here because
- * modules have references to their slots. This
- * works because modules keep implicit references
- * from their slots, and won't unload and disappear
- * until all their slots have been freed */
- tmp = PK11_MakeString(NULL,slot->slot_name,
- (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
- slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
- if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
- slot->isPerm = PR_TRUE;
- /* permanment slots must have the token present always */
- if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
- slot->disabled = PR_TRUE;
- slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
- return; /* nothing else to do */
- }
- }
- /* if the token is present, initialize it */
- if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
- rv = PK11_InitToken(slot,PR_TRUE);
- /* the only hard failures are on permanent devices, or function
- * verify failures... function verify failures are already handled
- * by tokenInit */
- if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
- slot->disabled = PR_TRUE;
- slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
- }
- }
-}
-
-
-
-/*********************************************************************
- * Slot mapping utility functions.
- *********************************************************************/
-
-/*
- * determine if the token is present. If the token is present, make sure
- * we have a valid session handle. Also set the value of needLogin
- * appropriately.
- */
-static PRBool
-pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
-{
- CK_SLOT_INFO slotInfo;
- CK_SESSION_INFO sessionInfo;
- CK_RV crv;
-
- /* disabled slots are never present */
- if (slot->disabled) {
- return PR_FALSE;
- }
-
- /* permanent slots are always present */
- if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) {
- return PR_TRUE;
- }
-
- /* removable slots have a flag that says they are present */
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) {
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- return PR_FALSE;
- }
- if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
- /* if the slot is no longer present, close the session */
- if (slot->session != CK_INVALID_SESSION) {
- PK11_GETTAB(slot)->C_CloseSession(slot->session);
- slot->session = CK_INVALID_SESSION;
- /* force certs to be freed */
- PK11_FreeSlotCerts(slot);
- }
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- return PR_FALSE;
- }
-
- /* use the session Info to determine if the card has been removed and then
- * re-inserted */
- if (slot->session != CK_INVALID_SESSION) {
- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
- if (crv != CKR_OK) {
- PK11_GETTAB(slot)->C_CloseSession(slot->session);
- slot->session = CK_INVALID_SESSION;
- PK11_FreeSlotCerts(slot);
- }
- }
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-
- /* card has not been removed, current token info is correct */
- if (slot->session != CK_INVALID_SESSION) return PR_TRUE;
-
- /* initialize the token info state */
- if (PK11_InitToken(slot,loadCerts) != SECSuccess) {
- return PR_FALSE;
- }
-
- return PR_TRUE;
-}
-
-/*
- * old version of the routine
- */
-PRBool
-PK11_IsPresent(PK11SlotInfo *slot) {
- return pk11_IsPresentCertLoad(slot,PR_TRUE);
-}
-
-/* is the slot disabled? */
-PRBool
-PK11_IsDisabled(PK11SlotInfo *slot)
-{
- return slot->disabled;
-}
-
-/* and why? */
-PK11DisableReasons
-PK11_GetDisabledReason(PK11SlotInfo *slot)
-{
- return slot->reason;
-}
-
-/* returns PR_TRUE if successfully disable the slot */
-/* returns PR_FALSE otherwise */
-PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) {
-
- slot->defaultFlags |= PK11_DISABLE_FLAG;
- slot->disabled = PR_TRUE;
- slot->reason = PK11_DIS_USER_SELECTED;
-
- return PR_TRUE;
-}
-
-PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) {
-
- slot->defaultFlags &= ~PK11_DISABLE_FLAG;
- slot->disabled = PR_FALSE;
- slot->reason = PK11_DIS_NONE;
- return PR_TRUE;
-}
-
-/* Get the module this slot is attatched to */
-SECMODModule *
-PK11_GetModule(PK11SlotInfo *slot)
-{
- return slot->module;
-}
-
-/* returnt the default flags of a slot */
-unsigned long
-PK11_GetDefaultFlags(PK11SlotInfo *slot)
-{
- return slot->defaultFlags;
-}
-
-/*
- * we can initialize the password if 1) The toke is not inited
- * (need login == true and see need UserInit) or 2) the token has
- * a NULL password. (slot->needLogin = false & need user Init = false).
- */
-PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
-{
- if (slot->needLogin && PK11_NeedUserInit(slot)) {
- return PR_TRUE;
- }
- if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-PRBool PK11_NeedPWInit()
-{
- PK11SlotInfo *slot = PK11_GetInternalKeySlot();
- PRBool ret = PK11_NeedPWInitForSlot(slot);
-
- PK11_FreeSlot(slot);
- return ret;
-}
-
-/*
- * The following wrapper functions allow us to export an opaque slot
- * function to the rest of libsec and the world... */
-PRBool
-PK11_IsReadOnly(PK11SlotInfo *slot)
-{
- return slot->readOnly;
-}
-
-PRBool
-PK11_IsHW(PK11SlotInfo *slot)
-{
- return slot->isHW;
-}
-
-PRBool
-PK11_IsInternal(PK11SlotInfo *slot)
-{
- return slot->isInternal;
-}
-
-PRBool
-PK11_NeedLogin(PK11SlotInfo *slot)
-{
- return slot->needLogin;
-}
-
-PRBool
-PK11_IsFriendly(PK11SlotInfo *slot)
-{
- /* internal slot always has public readable certs */
- return (PRBool)(slot->isInternal ||
- ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) ==
- SECMOD_FRIENDLY_FLAG));
-}
-
-char *
-PK11_GetTokenName(PK11SlotInfo *slot)
-{
- return slot->token_name;
-}
-
-char *
-PK11_GetSlotName(PK11SlotInfo *slot)
-{
- return slot->slot_name;
-}
-
-int
-PK11_GetSlotSeries(PK11SlotInfo *slot)
-{
- return slot->series;
-}
-
-int
-PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
-{
- return slot->wrapKey;
-}
-
-CK_SLOT_ID
-PK11_GetSlotID(PK11SlotInfo *slot)
-{
- return slot->slotID;
-}
-
-SECMODModuleID
-PK11_GetModuleID(PK11SlotInfo *slot)
-{
- return slot->module->moduleID;
-}
-
-
-/* return the slot info structure */
-SECStatus
-PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
-{
- CK_RV crv;
-
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/* return the token info structure */
-SECStatus
-PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
-{
- CK_RV crv;
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/* Find out if we need to initialize the user's pin */
-PRBool
-PK11_NeedUserInit(PK11SlotInfo *slot)
-{
- return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
-}
-
-/* get the internal key slot. FIPS has only one slot for both key slots and
- * default slots */
-PK11SlotInfo *
-PK11_GetInternalKeySlot(void)
-{
- SECMODModule *mod = SECMOD_GetInternalModule();
- return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
-}
-
-/* get the internal default slot */
-PK11SlotInfo *
-PK11_GetInternalSlot(void)
-{
- return PK11_ReferenceSlot(SECMOD_GetInternalModule()->slots[0]);
-}
-
-/*
- * Determine if the token is logged in. We have to actually query the token,
- * because it's state can change without intervention from us.
- */
-PRBool
-PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
-{
- CK_SESSION_INFO sessionInfo;
- int askpw = slot->askpw;
- int timeout = slot->timeout;
- CK_RV crv;
-
- /* If we don't have our own password default values, use the system
- * ones */
- if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
- PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
-
- if (def_slot) {
- askpw = def_slot->askpw;
- timeout = def_slot->timeout;
- PK11_FreeSlot(def_slot);
- }
- }
-
- if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
- (*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
-
-
- /* forget the password if we've been inactive too long */
- if (askpw == 1) {
- int64 currtime = PR_Now();
- int64 result;
- int64 mult;
-
- LL_I2L(result, timeout);
- LL_I2L(mult, 60*1000*1000);
- LL_MUL(result,result,mult);
- LL_ADD(result, result, slot->authTime);
- if (LL_CMP(result, <, currtime) ) {
- PK11_EnterSlotMonitor(slot);
- PK11_GETTAB(slot)->C_Logout(slot->session);
- PK11_ExitSlotMonitor(slot);
- } else {
- slot->authTime = currtime;
- }
- }
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
- PK11_ExitSlotMonitor(slot);
- /* if we can't get session info, something is really wrong */
- if (crv != CKR_OK) {
- slot->session = CK_INVALID_SESSION;
- return PR_FALSE;
- }
-
- switch (sessionInfo.state) {
- case CKS_RW_PUBLIC_SESSION:
- case CKS_RO_PUBLIC_SESSION:
- default:
- break; /* fail */
- case CKS_RW_USER_FUNCTIONS:
- case CKS_RW_SO_FUNCTIONS:
- case CKS_RO_USER_FUNCTIONS:
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-
-/*
- * check if a given slot supports the requested mechanism
- */
-PRBool
-PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
-{
- int i;
-
- /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
- * tell us we're looking form someone that has implemented get
- * random bits */
- if (type == CKM_FAKE_RANDOM) {
- return slot->hasRandom;
- }
-
- for (i=0; i < (int) slot->mechanismCount; i++) {
- if (slot->mechanismList[i] == type) return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-/*
- * Return true if a token that can do the desired mechanism exists.
- * This allows us to have hardware tokens that can do function XYZ magically
- * allow SSL Ciphers to appear if they are plugged in.
- */
-PRBool
-PK11_TokenExists(CK_MECHANISM_TYPE type)
-{
- SECMODModuleList *mlp;
- SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
- SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
- PK11SlotInfo *slot;
- PRBool found = PR_FALSE;
- int i;
-
- /* we only need to know if there is a token that does this mechanism.
- * check the internal module first because it's fast, and supports
- * almost everything. */
- slot = PK11_GetInternalSlot();
- if (slot) {
- found = PK11_DoesMechanism(slot,type);
- PK11_FreeSlot(slot);
- }
- if (found) return PR_TRUE; /* bypass getting module locks */
-
- SECMOD_GetReadLock(moduleLock);
- for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
- for (i=0; i < mlp->module->slotCount; i++) {
- slot = mlp->module->slots[i];
- if (PK11_IsPresent(slot)) {
- if (PK11_DoesMechanism(slot,type)) {
- found = PR_TRUE;
- break;
- }
- }
- }
- }
- SECMOD_ReleaseReadLock(moduleLock);
- return found;
-}
-
-/*
- * get all the currently available tokens in a list.
- * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
- * get all the tokens. Make sure tokens that need authentication are put at
- * the end of this list.
- */
-PK11SlotList *
-PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts,
- void *wincx)
-{
- PK11SlotList * list = PK11_NewSlotList();
- PK11SlotList * loginList = PK11_NewSlotList();
- PK11SlotList * friendlyList = PK11_NewSlotList();
- SECMODModuleList * mlp;
- SECMODModuleList * modules = SECMOD_GetDefaultModuleList();
- SECMODListLock * moduleLock = SECMOD_GetDefaultModuleListLock();
- int i;
-#if defined( XP_WIN32 )
- int j = 0;
- PRInt32 waste[16];
-#endif
-
- if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) {
- if (list) PK11_FreeSlotList(list);
- if (loginList) PK11_FreeSlotList(loginList);
- if (friendlyList) PK11_FreeSlotList(friendlyList);
- return NULL;
- }
-
- SECMOD_GetReadLock(moduleLock);
- for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-
-#if defined( XP_WIN32 )
- /* This is works around some horrible cache/page thrashing problems
- ** on Win32. Without this, this loop can take up to 6 seconds at
- ** 100% CPU on a Pentium-Pro 200. The thing this changes is to
- ** increase the size of the stack frame and modify it.
- ** Moving the loop code itself seems to have no effect.
- ** Dunno why this combination makes a difference, but it does.
- */
- waste[ j & 0xf] = j++;
-#endif
-
- for (i = 0; i < mlp->module->slotCount; i++) {
- PK11SlotInfo *slot = mlp->module->slots[i];
-
- if (pk11_IsPresentCertLoad(slot, loadCerts)) {
- if (needRW && slot->readOnly) continue;
- if ((type == CKM_INVALID_MECHANISM)
- || PK11_DoesMechanism(slot, type)) {
- if (slot->needLogin && !PK11_IsLoggedIn(slot, wincx)) {
- if (PK11_IsFriendly(slot)) {
- PK11_AddSlotToList(friendlyList, slot);
- } else {
- PK11_AddSlotToList(loginList, slot);
- }
- } else {
- PK11_AddSlotToList(list, slot);
- }
- }
- }
- }
- }
- SECMOD_ReleaseReadLock(moduleLock);
-
- PK11_MoveListToList(list,friendlyList);
- PK11_FreeSlotList(friendlyList);
- PK11_MoveListToList(list,loginList);
- PK11_FreeSlotList(loginList);
-
- return list;
-}
-
-/*
- * NOTE: This routine is working from a private List generated by
- * PK11_GetAllTokens. That is why it does not need to lock.
- */
-PK11SlotList *
-PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx)
-{
- PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx);
- PK11SlotListElement *le, *next ;
- SECStatus rv;
-
- if (list == NULL) return list;
-
- for (le = list->head ; le; le = next) {
- next = le->next; /* save the pointer here in case we have to
- * free the element later */
- rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
- if (rv != SECSuccess) {
- PK11_DeleteSlotFromList(list,le);
- continue;
- }
- }
- return list;
-}
-
-
-/*
- * find the best slot which supports the given
- * Mechanism. In normal cases this should grab the first slot on the list
- * with no fuss.
- */
-PK11SlotInfo *
-PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
-{
- PK11SlotList *list = NULL;
- PK11SlotListElement *le ;
- PK11SlotInfo *slot = NULL;
- PRBool freeit = PR_FALSE;
- PRBool listNeedLogin = PR_FALSE;
- int i;
- SECStatus rv;
-
- list = PK11_GetSlotList(type[0]);
-
- if ((list == NULL) || (list->head == NULL)) {
- /* We need to look up all the tokens for the mechanism */
- list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
- freeit = PR_TRUE;
- }
-
- /* no one can do it! */
- if (list == NULL) {
- PORT_SetError(SEC_ERROR_NO_TOKEN);
- return NULL;
- }
-
- PORT_SetError(0);
-
-
- listNeedLogin = PR_FALSE;
- for (i=0; i < mech_count; i++) {
- if ((type[i] != CKM_FAKE_RANDOM) && (type[i] != CKM_SHA_1) &&
- (type[i] != CKM_MD5) && (type[i] != CKM_MD2)) {
- listNeedLogin = PR_TRUE;
- break;
- }
- }
-
- for (le = PK11_GetFirstSafe(list); le;
- le = PK11_GetNextSafe(list,le,PR_TRUE)) {
- if (PK11_IsPresent(le->slot)) {
- PRBool doExit = PR_FALSE;
- for (i=0; i < mech_count; i++) {
- if (!PK11_DoesMechanism(le->slot,type[i])) {
- doExit = PR_TRUE;
- break;
- }
- }
- if (doExit) continue;
-
- if (listNeedLogin && le->slot->needLogin) {
- rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
- if (rv != SECSuccess) continue;
- }
- slot = le->slot;
- PK11_ReferenceSlot(slot);
- pk11_FreeListElement(list,le);
- if (freeit) { PK11_FreeSlotList(list); }
- return slot;
- }
- }
- if (freeit) { PK11_FreeSlotList(list); }
- if (PORT_GetError() == 0) {
- PORT_SetError(SEC_ERROR_NO_TOKEN);
- }
- return NULL;
-}
-
-/* original get best slot now calls the multiple version with only one type */
-PK11SlotInfo *
-PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
-{
- return PK11_GetBestSlotMultiple(&type, 1, wincx);
-}
-
-/*
- * find the best key wrap mechanism for this slot.
- */
-CK_MECHANISM_TYPE
-PK11_GetBestWrapMechanism(PK11SlotInfo *slot)
-{
- int i;
- for (i=0; i < wrapMechanismCount; i++) {
- if (PK11_DoesMechanism(slot,wrapMechanismList[i])) {
- return wrapMechanismList[i];
- }
- }
- return CKM_INVALID_MECHANISM;
-}
-
-int
-PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
-{
- CK_MECHANISM_INFO mechanism_info;
- CK_RV crv;
-
- if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
- mechanism,&mechanism_info);
- if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) return 0;
-
- if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize)
- return 0;
- return mechanism_info.ulMaxKeySize;
-}
-
-
-/*********************************************************************
- * Mechanism Mapping functions
- *********************************************************************/
-
-/*
- * lookup an entry in the mechanism table. If none found, return the
- * default structure.
- */
-static pk11MechanismData *
-pk11_lookup(CK_MECHANISM_TYPE type)
-{
- int i;
- for (i=0; i < pk11_MechEntrySize; i++) {
- if (pk11_MechanismTable[i].type == type) {
- return (&pk11_MechanismTable[i]);
- }
- }
- return &pk11_default;
-}
-
-/*
- * NOTE: This is not thread safe. Called at init time, and when loading
- * a new Entry. It is reasonably safe as long as it is not re-entered
- * (readers will always see a consistant table)
- *
- * This routine is called to add entries to the mechanism table, once there,
- * they can not be removed.
- */
-void
-PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
- CK_MECHANISM_TYPE keyGen, int ivLen, int blockSize)
-{
- int tableSize = pk11_MechTableSize;
- int size = pk11_MechEntrySize;
- int entry = size++;
- pk11MechanismData *old = pk11_MechanismTable;
- pk11MechanismData *newt = pk11_MechanismTable;
-
-
- if (size > tableSize) {
- int oldTableSize = tableSize;
- tableSize += 10;
- newt = (pk11MechanismData *)
- PORT_Alloc(tableSize*sizeof(pk11MechanismData));
- if (newt == NULL) return;
-
- if (old) PORT_Memcpy(newt,old,oldTableSize*sizeof(pk11MechanismData));
- } else old = NULL;
-
- newt[entry].type = type;
- newt[entry].keyType = key;
- newt[entry].keyGen = keyGen;
- newt[entry].iv = ivLen;
- newt[entry].blockSize = blockSize;
-
- pk11_MechanismTable = newt;
- pk11_MechTableSize = tableSize;
- pk11_MechEntrySize = size;
- if (old) PORT_Free(old);
-}
-
-/*
- * Get the key type needed for the given mechanism
- */
-CK_MECHANISM_TYPE
-PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
-{
- switch (type) {
- case CKM_DES_ECB:
- case CKM_DES_CBC:
- case CKM_DES_MAC:
- case CKM_DES_MAC_GENERAL:
- case CKM_DES_CBC_PAD:
- case CKM_DES_KEY_GEN:
- case CKM_KEY_WRAP_LYNKS:
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- return CKK_DES;
- case CKM_DES3_ECB:
- case CKM_DES3_CBC:
- case CKM_DES3_MAC:
- case CKM_DES3_MAC_GENERAL:
- case CKM_DES3_CBC_PAD:
- return (len == 128) ? CKK_DES2 : CKK_DES3;
- case CKM_DES2_KEY_GEN:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- return CKK_DES2;
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_DES3_KEY_GEN:
- return CKK_DES3;
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
- case CKM_CDMF_MAC:
- case CKM_CDMF_MAC_GENERAL:
- case CKM_CDMF_CBC_PAD:
- case CKM_CDMF_KEY_GEN:
- return CKK_CDMF;
- case CKM_RC2_ECB:
- case CKM_RC2_CBC:
- case CKM_RC2_MAC:
- case CKM_RC2_MAC_GENERAL:
- case CKM_RC2_CBC_PAD:
- case CKM_RC2_KEY_GEN:
- case CKM_PBE_SHA1_RC2_128_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- return CKK_RC2;
- case CKM_RC4:
- case CKM_RC4_KEY_GEN:
- return CKK_RC4;
- case CKM_RC5_ECB:
- case CKM_RC5_CBC:
- case CKM_RC5_MAC:
- case CKM_RC5_MAC_GENERAL:
- case CKM_RC5_CBC_PAD:
- case CKM_RC5_KEY_GEN:
- return CKK_RC5;
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_SKIPJACK_KEY_GEN:
- case CKM_SKIPJACK_WRAP:
- case CKM_SKIPJACK_PRIVATE_WRAP:
- return CKK_SKIPJACK;
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_BATON_WRAP:
- case CKM_BATON_KEY_GEN:
- return CKK_BATON;
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- case CKM_JUNIPER_WRAP:
- case CKM_JUNIPER_KEY_GEN:
- return CKK_JUNIPER;
- case CKM_IDEA_CBC:
- case CKM_IDEA_ECB:
- case CKM_IDEA_MAC:
- case CKM_IDEA_MAC_GENERAL:
- case CKM_IDEA_CBC_PAD:
- case CKM_IDEA_KEY_GEN:
- return CKK_IDEA;
- case CKM_CAST_ECB:
- case CKM_CAST_CBC:
- case CKM_CAST_MAC:
- case CKM_CAST_MAC_GENERAL:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST_KEY_GEN:
- case CKM_PBE_MD5_CAST_CBC:
- return CKK_CAST;
- case CKM_CAST3_ECB:
- case CKM_CAST3_CBC:
- case CKM_CAST3_MAC:
- case CKM_CAST3_MAC_GENERAL:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST3_KEY_GEN:
- case CKM_PBE_MD5_CAST3_CBC:
- return CKK_CAST3;
- case CKM_CAST5_ECB:
- case CKM_CAST5_CBC:
- case CKM_CAST5_MAC:
- case CKM_CAST5_MAC_GENERAL:
- case CKM_CAST5_CBC_PAD:
- case CKM_CAST5_KEY_GEN:
- case CKM_PBE_MD5_CAST5_CBC:
- return CKK_CAST5;
- case CKM_RSA_PKCS:
- case CKM_RSA_9796:
- case CKM_RSA_X_509:
- case CKM_MD2_RSA_PKCS:
- case CKM_MD5_RSA_PKCS:
- case CKM_SHA1_RSA_PKCS:
- case CKM_KEY_WRAP_SET_OAEP:
- case CKM_RSA_PKCS_KEY_PAIR_GEN:
- return CKK_RSA;
- case CKM_DSA:
- case CKM_DSA_SHA1:
- case CKM_DSA_KEY_PAIR_GEN:
- return CKK_DSA;
- case CKM_DH_PKCS_DERIVE:
- case CKM_DH_PKCS_KEY_PAIR_GEN:
- return CKK_DH;
- case CKM_KEA_KEY_DERIVE:
- case CKM_KEA_KEY_PAIR_GEN:
- return CKK_KEA;
- case CKM_ECDSA_KEY_PAIR_GEN:
- case CKM_ECDSA:
- case CKM_ECDSA_SHA1:
- return CKK_ECDSA;
- case CKM_SSL3_PRE_MASTER_KEY_GEN:
- case CKM_GENERIC_SECRET_KEY_GEN:
- case CKM_SSL3_MASTER_KEY_DERIVE:
- case CKM_SSL3_KEY_AND_MAC_DERIVE:
- case CKM_SSL3_SHA1_MAC:
- case CKM_SSL3_MD5_MAC:
- case CKM_TLS_MASTER_KEY_DERIVE:
- case CKM_TLS_KEY_AND_MAC_DERIVE:
- case CKM_SHA_1_HMAC:
- case CKM_SHA_1_HMAC_GENERAL:
- case CKM_MD2_HMAC:
- case CKM_MD2_HMAC_GENERAL:
- case CKM_MD5_HMAC:
- case CKM_MD5_HMAC_GENERAL:
- case CKM_TLS_PRF_GENERAL:
- return CKK_GENERIC_SECRET;
- default:
- return pk11_lookup(type)->keyType;
- }
-}
-
-/*
- * Get the Key Gen Mechanism needed for the given
- * crypto mechanism
- */
-CK_MECHANISM_TYPE
-PK11_GetKeyGen(CK_MECHANISM_TYPE type)
-{
- switch (type) {
- case CKM_DES_ECB:
- case CKM_DES_CBC:
- case CKM_DES_MAC:
- case CKM_DES_MAC_GENERAL:
- case CKM_KEY_WRAP_LYNKS:
- case CKM_DES_CBC_PAD:
- return CKM_DES_KEY_GEN;
- case CKM_DES3_ECB:
- case CKM_DES3_CBC:
- case CKM_DES3_MAC:
- case CKM_DES3_MAC_GENERAL:
- case CKM_DES3_CBC_PAD:
- return CKM_DES3_KEY_GEN;
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
- case CKM_CDMF_MAC:
- case CKM_CDMF_MAC_GENERAL:
- case CKM_CDMF_CBC_PAD:
- return CKM_CDMF_KEY_GEN;
- case CKM_RC2_ECB:
- case CKM_RC2_CBC:
- case CKM_RC2_MAC:
- case CKM_RC2_MAC_GENERAL:
- case CKM_RC2_CBC_PAD:
- return CKM_RC2_KEY_GEN;
- case CKM_RC4:
- return CKM_RC4_KEY_GEN;
- case CKM_RC5_ECB:
- case CKM_RC5_CBC:
- case CKM_RC5_MAC:
- case CKM_RC5_MAC_GENERAL:
- case CKM_RC5_CBC_PAD:
- return CKM_RC5_KEY_GEN;
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_SKIPJACK_WRAP:
- return CKM_SKIPJACK_KEY_GEN;
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_BATON_WRAP:
- return CKM_BATON_KEY_GEN;
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- case CKM_JUNIPER_WRAP:
- return CKM_JUNIPER_KEY_GEN;
- case CKM_IDEA_CBC:
- case CKM_IDEA_ECB:
- case CKM_IDEA_MAC:
- case CKM_IDEA_MAC_GENERAL:
- case CKM_IDEA_CBC_PAD:
- return CKM_IDEA_KEY_GEN;
- case CKM_CAST_ECB:
- case CKM_CAST_CBC:
- case CKM_CAST_MAC:
- case CKM_CAST_MAC_GENERAL:
- case CKM_CAST_CBC_PAD:
- return CKM_CAST_KEY_GEN;
- case CKM_CAST3_ECB:
- case CKM_CAST3_CBC:
- case CKM_CAST3_MAC:
- case CKM_CAST3_MAC_GENERAL:
- case CKM_CAST3_CBC_PAD:
- return CKM_CAST3_KEY_GEN;
- case CKM_CAST5_ECB:
- case CKM_CAST5_CBC:
- case CKM_CAST5_MAC:
- case CKM_CAST5_MAC_GENERAL:
- case CKM_CAST5_CBC_PAD:
- return CKM_CAST5_KEY_GEN;
- case CKM_RSA_PKCS:
- case CKM_RSA_9796:
- case CKM_RSA_X_509:
- case CKM_MD2_RSA_PKCS:
- case CKM_MD5_RSA_PKCS:
- case CKM_SHA1_RSA_PKCS:
- case CKM_KEY_WRAP_SET_OAEP:
- return CKM_RSA_PKCS_KEY_PAIR_GEN;
- case CKM_DSA:
- case CKM_DSA_SHA1:
- return CKM_DSA_KEY_PAIR_GEN;
- case CKM_DH_PKCS_DERIVE:
- return CKM_DH_PKCS_KEY_PAIR_GEN;
- case CKM_KEA_KEY_DERIVE:
- return CKM_KEA_KEY_PAIR_GEN;
- case CKM_ECDSA:
- return CKM_ECDSA_KEY_PAIR_GEN;
- case CKM_SSL3_PRE_MASTER_KEY_GEN:
- case CKM_SSL3_MASTER_KEY_DERIVE:
- case CKM_SSL3_KEY_AND_MAC_DERIVE:
- case CKM_SSL3_SHA1_MAC:
- case CKM_SSL3_MD5_MAC:
- case CKM_TLS_MASTER_KEY_DERIVE:
- case CKM_TLS_KEY_AND_MAC_DERIVE:
- return CKM_SSL3_PRE_MASTER_KEY_GEN;
- case CKM_SHA_1_HMAC:
- case CKM_SHA_1_HMAC_GENERAL:
- case CKM_MD2_HMAC:
- case CKM_MD2_HMAC_GENERAL:
- case CKM_MD5_HMAC:
- case CKM_MD5_HMAC_GENERAL:
- case CKM_TLS_PRF_GENERAL:
- return CKM_GENERIC_SECRET_KEY_GEN;
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- case CKM_PBE_SHA1_RC2_128_CBC:
- case CKM_PBE_SHA1_RC4_40:
- case CKM_PBE_SHA1_RC4_128:
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- return type;
- default:
- return pk11_lookup(type)->keyGen;
- }
-}
-
-/*
- * get the mechanism block size
- */
-int
-PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params)
-{
- CK_RC5_PARAMS *rc5_params;
- CK_RC5_CBC_PARAMS *rc5_cbc_params;
- switch (type) {
- case CKM_RC5_ECB:
- if ((params) && (params->data)) {
- rc5_params = (CK_RC5_PARAMS *) params->data;
- return (rc5_params->ulWordsize)*2;
- }
- return 8;
- case CKM_RC5_CBC:
- case CKM_RC5_CBC_PAD:
- if ((params) && (params->data)) {
- rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data;
- return (rc5_cbc_params->ulWordsize)*2;
- }
- return 8;
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_RC2_ECB:
- case CKM_IDEA_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- case CKM_RC2_CBC:
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_RC2_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- case CKM_PBE_SHA1_RC2_128_CBC:
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- return 8;
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- return 4;
- case CKM_BATON_ECB128:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- return 16;
- case CKM_BATON_ECB96:
- return 12;
- case CKM_RC4:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- case CKM_PBE_SHA1_RC4_40:
- case CKM_PBE_SHA1_RC4_128:
- return 0;
- case CKM_RSA_PKCS:
- case CKM_RSA_9796:
- case CKM_RSA_X_509:
- /*actually it's the modulus length of the key!*/
- return -1; /* failure */
- default:
- return pk11_lookup(type)->blockSize;
- }
-}
-
-/*
- * get the iv length
- */
-int
-PK11_GetIVLength(CK_MECHANISM_TYPE type)
-{
- switch (type) {
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_RC2_ECB:
- case CKM_IDEA_ECB:
- case CKM_SKIPJACK_WRAP:
- case CKM_BATON_WRAP:
- case CKM_RC5_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- return 0;
- case CKM_RC2_CBC:
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- case CKM_PBE_SHA1_RC2_128_CBC:
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- case CKM_RC5_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_RC2_CBC_PAD:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_RC5_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- return 8;
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- return 24;
- case CKM_RC4:
- case CKM_RSA_PKCS:
- case CKM_RSA_9796:
- case CKM_RSA_X_509:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- case CKM_PBE_SHA1_RC4_40:
- case CKM_PBE_SHA1_RC4_128:
- return 0;
- default:
- return pk11_lookup(type)->iv;
- }
-}
-
-
-/* These next two utilities are here to help facilitate future
- * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions
- * like SSL and S-MIME to automatically add them.
- */
-SECItem *
-PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv)
-{
- CK_RC2_CBC_PARAMS *rc2_params = NULL;
- CK_RC2_PARAMS *rc2_ecb_params = NULL;
- CK_RC5_PARAMS *rc5_params = NULL;
- CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL;
- SECItem *param;
-
- param = (SECItem *)PORT_Alloc(sizeof(SECItem));
- if (param == NULL) return NULL;
- param->data = NULL;
- param->len = 0;
- switch (type) {
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- case CKM_RSA_9796:
- case CKM_IDEA_ECB:
- case CKM_CDMF_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- case CKM_RC4:
- break;
- case CKM_RC2_ECB:
- rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
- if (rc2_ecb_params == NULL) break;
- /* Maybe we should pass the key size in too to get this value? */
- *rc2_ecb_params = 128;
- param->data = (unsigned char *) rc2_ecb_params;
- param->len = sizeof(CK_RC2_PARAMS);
- break;
- case CKM_RC2_CBC:
- case CKM_RC2_CBC_PAD:
- rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
- if (rc2_params == NULL) break;
- /* Maybe we should pass the key size in too to get this value? */
- rc2_params->ulEffectiveBits = 128;
- if (iv && iv->data)
- PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv));
- param->data = (unsigned char *) rc2_params;
- param->len = sizeof(CK_RC2_CBC_PARAMS);
- break;
- case CKM_RC5_CBC:
- case CKM_RC5_CBC_PAD:
- rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
- PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0));
- if (rc5_cbc_params == NULL) break;
- if (iv && iv->data) {
- rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params)
- + sizeof(CK_RC5_CBC_PARAMS);
- PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len);
- rc5_cbc_params->ulIvLen = iv->len;
- rc5_cbc_params->ulWordsize = iv->len/2;
- } else {
- rc5_cbc_params->ulWordsize = 4;
- rc5_cbc_params->pIv = NULL;
- rc5_cbc_params->ulIvLen = iv->len;
- }
- rc5_cbc_params->ulRounds = 16;
- param->data = (unsigned char *) rc5_cbc_params;
- param->len = sizeof(CK_RC5_CBC_PARAMS);
- break;
- case CKM_RC5_ECB:
- rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
- if (rc5_params == NULL) break;
- if (iv && iv->data && iv->len) {
- rc5_params->ulWordsize = iv->len/2;
- } else {
- rc5_params->ulWordsize = 4;
- }
- rc5_params->ulRounds = 16;
- param->data = (unsigned char *) rc5_params;
- param->len = sizeof(CK_RC5_PARAMS);
- break;
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_CDMF_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_CDMF_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- if ((iv == NULL) || (iv->data == NULL)) break;
- param->data = (unsigned char*)PORT_Alloc(iv->len);
- if (param->data != NULL) {
- PORT_Memcpy(param->data,iv->data,iv->len);
- param->len = iv->len;
- }
- break;
- /* unknown mechanism, pass IV in if it's there */
- default:
- if (pk11_lookup(type)->iv == 0) {
- break;
- }
- if ((iv == NULL) || (iv->data == NULL)) {
- break;
- }
- param->data = (unsigned char*)PORT_Alloc(iv->len);
- if (param->data != NULL) {
- PORT_Memcpy(param->data,iv->data,iv->len);
- param->len = iv->len;
- }
- break;
- }
- return param;
-}
-
-unsigned char *
-PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len)
-{
- CK_RC2_CBC_PARAMS *rc2_params;
- CK_RC5_CBC_PARAMS *rc5_cbc_params;
-
- *len = 0;
- switch (type) {
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- case CKM_RSA_9796:
- case CKM_IDEA_ECB:
- case CKM_CDMF_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- case CKM_RC4:
- return NULL;
- case CKM_RC2_ECB:
- return NULL;
- case CKM_RC2_CBC:
- case CKM_RC2_CBC_PAD:
- rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
- *len = sizeof(rc2_params->iv);
- return &rc2_params->iv[0];
- case CKM_RC5_CBC:
- case CKM_RC5_CBC_PAD:
- rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data;
- *len = rc5_cbc_params->ulIvLen;
- return rc5_cbc_params->pIv;
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_CDMF_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_CDMF_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- break;
- /* unknown mechanism, pass IV in if it's there */
- default:
- break;
- }
- if (param->data) {
- *len = param->len;
- }
- return param->data;
-}
-
-typedef struct sec_rc5cbcParameterStr {
- SECItem version;
- SECItem rounds;
- SECItem blockSizeInBits;
- SECItem iv;
-} sec_rc5cbcParameter;
-
-static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(sec_rc5cbcParameter) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc5cbcParameter,version) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc5cbcParameter,rounds) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc5cbcParameter,blockSizeInBits) },
- { 0 }
-};
-
-static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(sec_rc5cbcParameter) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc5cbcParameter,version) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc5cbcParameter,rounds) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc5cbcParameter,blockSizeInBits) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(sec_rc5cbcParameter,iv) },
- { 0 }
-};
-
-typedef struct sec_rc2cbcParameterStr {
- SECItem rc2ParameterVersion;
- SECItem iv;
-} sec_rc2cbcParameter;
-
-static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(sec_rc2cbcParameter) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(sec_rc2cbcParameter,iv) },
- { 0 }
-};
-
-static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(sec_rc2cbcParameter) },
- { SEC_ASN1_INTEGER,
- offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
- { 0 }
-};
-
-/* S/MIME picked id values to represent differnt keysizes */
-/* I do have a formula, but it ain't pretty, and it only works because you
- * can always match three points to a parabola:) */
-static unsigned char rc2_map(SECItem *version)
-{
- long x;
-
- x = DER_GetInteger(version);
-
- switch (x) {
- case 58: return 128;
- case 120: return 64;
- case 160: return 40;
- }
- return 128;
-}
-
-static unsigned long rc2_unmap(unsigned long x)
-{
- switch (x) {
- case 128: return 58;
- case 64: return 120;
- case 40: return 160;
- }
- return 58;
-}
-
-
-/*
- * Helper function to decode a PKCS5 DER encode paramter block into a PKCS #11
- * PBE_Parameter structure.
- */
-SECStatus
-pk11_pbe_decode(SECAlgorithmID *algid, SECItem *mech)
-{
- CK_PBE_PARAMS *pbe_params = NULL;
- SEC_PKCS5PBEParameter *p5_param;
- SECItem *p5_misc = NULL;
- int paramSize = 0;
-
- p5_param = SEC_PKCS5GetPBEParameter(algid);
- if(p5_param == NULL) {
- return SECFailure;
- }
-
-
- p5_misc = &p5_param->salt;
- paramSize = sizeof(CK_PBE_PARAMS);
-
- pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(paramSize);
- if (pbe_params == NULL) {
- SEC_PKCS5DestroyPBEParameter(p5_param);
- return SECFailure;
- }
-
- /* get salt */
- pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(p5_misc->len);
- if (pbe_params->pSalt == CK_NULL_PTR) {
- goto loser;
- }
- PORT_Memcpy(pbe_params->pSalt, p5_misc->data, p5_misc->len);
- pbe_params->ulSaltLen = (CK_ULONG) p5_misc->len;
-
- /* get iteration count */
- p5_misc = &p5_param->iteration;
- pbe_params->ulIteration = (CK_ULONG) DER_GetInteger(p5_misc);
-
- /* copy into the mechanism sec item */
- mech->data = (unsigned char *)pbe_params;
- mech->len = paramSize;
- SEC_PKCS5DestroyPBEParameter(p5_param);
- return SECSuccess;
-
-loser:
- if (pbe_params->pSalt != CK_NULL_PTR) {
- PORT_Free(pbe_params->pSalt);
- }
- PORT_Free(pbe_params);
- SEC_PKCS5DestroyPBEParameter(p5_param);
- return SECFailure;
-}
-
-/* Generate a mechaism param from a type, and iv. */
-SECItem *
-PK11_ParamFromAlgid(SECAlgorithmID *algid) {
- CK_RC2_CBC_PARAMS *rc2_params = NULL;
- CK_RC2_PARAMS *rc2_ecb_params = NULL;
- CK_RC5_CBC_PARAMS *rc5_params_cbc;
- CK_RC5_PARAMS *rc5_params_ecb;
- SECItem iv;
- sec_rc2cbcParameter rc2;
- sec_rc5cbcParameter rc5;
- SECItem *mech;
- CK_MECHANISM_TYPE type;
- SECOidTag algtag;
- SECStatus rv;
-
- algtag = SECOID_GetAlgorithmTag(algid);
- type = PK11_AlgtagToMechanism(algtag);
-
- mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
- if (mech == NULL) return NULL;
-
-
- /* handle the complicated cases */
- switch (type) {
- case CKM_RC2_ECB:
- rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2ecb_parameter_template,
- &(algid->parameters));
- if (rv != SECSuccess) {
- PORT_Free(mech);
- return NULL;
- }
- rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
- if (rc2_ecb_params == NULL) {
- PORT_Free(rc2.rc2ParameterVersion.data);
- PORT_Free(mech);
- return NULL;
- }
- *rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion);
- PORT_Free(rc2.rc2ParameterVersion.data);
- mech->data = (unsigned char *) rc2_ecb_params;
- mech->len = sizeof(CK_RC2_PARAMS);
- return mech;
- case CKM_RC2_CBC:
- case CKM_RC2_CBC_PAD:
- rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2cbc_parameter_template,
- &(algid->parameters));
- if (rv != SECSuccess) {
- PORT_Free(mech);
- return NULL;
- }
- rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
- if (rc2_params == NULL) {
- PORT_Free(rc2.iv.data);
- PORT_Free(rc2.rc2ParameterVersion.data);
- PORT_Free(mech);
- return NULL;
- }
- rc2_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion);
- PORT_Free(rc2.rc2ParameterVersion.data);
- PORT_Memcpy(rc2_params->iv,rc2.iv.data,sizeof(rc2_params->iv));
- PORT_Free(rc2.iv.data);
- mech->data = (unsigned char *) rc2_params;
- mech->len = sizeof(CK_RC2_CBC_PARAMS);
- return mech;
- case CKM_RC5_ECB:
- rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5ecb_parameter_template,
- &(algid->parameters));
- if (rv != SECSuccess) {
- PORT_Free(mech);
- return NULL;
- }
- rc5_params_ecb=(CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
- PORT_Free(rc5.version.data);
- if (rc5_params_ecb == NULL) {
- PORT_Free(rc5.rounds.data);
- PORT_Free(rc5.blockSizeInBits.data);
- PORT_Free(mech);
- return NULL;
- }
- rc5_params_ecb->ulRounds = DER_GetInteger(&rc5.rounds);
- rc5_params_ecb->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
- PORT_Free(rc5.rounds.data);
- PORT_Free(rc5.blockSizeInBits.data);
- mech->data = (unsigned char *) rc5_params_ecb;
- mech->len = sizeof(CK_RC5_PARAMS);
- return mech;
- case CKM_RC5_CBC:
- case CKM_RC5_CBC_PAD:
- rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5cbc_parameter_template,
- &(algid->parameters));
- if (rv != SECSuccess) {
- PORT_Free(mech);
- return NULL;
- }
- rc5_params_cbc = (CK_RC5_CBC_PARAMS *)
- PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len);
- PORT_Free(rc5.version.data);
- if (rc2_params == NULL) {
- PORT_Free(rc5.iv.data);
- PORT_Free(rc5.rounds.data);
- PORT_Free(rc5.blockSizeInBits.data);
- PORT_Free(mech);
- return NULL;
- }
- rc5_params_cbc->ulRounds = DER_GetInteger(&rc5.rounds);
- rc5_params_cbc->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
- PORT_Free(rc5.rounds.data);
- PORT_Free(rc5.blockSizeInBits.data);
- rc5_params_cbc->pIv = ((CK_BYTE_PTR)rc5_params_cbc)
- + sizeof(CK_RC5_CBC_PARAMS);
- PORT_Memcpy(rc5_params_cbc->pIv,rc5.iv.data,rc5.iv.len);
- rc5_params_cbc->ulIvLen = rc5.iv.len;
- PORT_Free(rc5.iv.data);
- mech->data = (unsigned char *) rc5_params_cbc;
- mech->len = sizeof(CK_RC5_CBC_PARAMS);
- return mech;
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- case CKM_PBE_SHA1_RC2_128_CBC:
- case CKM_PBE_SHA1_RC4_40:
- case CKM_PBE_SHA1_RC4_128:
- rv = pk11_pbe_decode(algid,mech);
- if (rv != SECSuccess) {
- PORT_Free(mech);
- return NULL;
- }
- return mech;
- default:
- /* must be a simple case */
- break;
- }
-
- /* simple cases are simpley Octect encoded IV's */
- rv = SEC_ASN1DecodeItem(NULL, &iv, SEC_OctetStringTemplate,
- &(algid->parameters));
- if (rv != SECSuccess) {
- iv.data = NULL;
- iv.len = 0;
- }
-
- rv = SECSuccess;
- switch (type) {
- case CKM_RC4:
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_IDEA_ECB:
- case CKM_CDMF_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- mech->data = NULL;
- mech->len = 0;
- break;
- default:
- if (pk11_lookup(type)->iv == 0) {
- mech->data = NULL;
- mech->len = 0;
- break;
- }
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_CDMF_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_CDMF_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- if (iv.data == NULL) {
- rv = SECFailure;
- break;
- }
- mech->data = (unsigned char*)PORT_Alloc(iv.len);
- if (mech->data == NULL) {
- rv = SECFailure;
- break;
- }
- PORT_Memcpy(mech->data,iv.data,iv.len);
- mech->len = iv.len;
- break;
- }
- if (iv.data) PORT_Free(iv.data);
- if (rv != SECSuccess) {
- SECITEM_FreeItem(mech,PR_TRUE);
- return NULL;
- }
- return mech;
-}
-
-SECStatus
-PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
- CK_RV crv;
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,data, (CK_ULONG)len);
- PK11_ExitSlotMonitor(slot);
- return (crv != CKR_OK) ? SECFailure : SECSuccess;
-}
-
-/* Attempts to update the Best Slot for "FAKE RANDOM" generation.
-** If that's not the internal slot, then it also attempts to update the
-** internal slot.
-** The return value indicates if the INTERNAL slot was updated OK.
-*/
-SECStatus
-PK11_RandomUpdate(void *data, size_t bytes)
-{
- PK11SlotInfo *slot;
- PRBool bestIsInternal;
- SECStatus status;
-
- slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
- if (slot == NULL) {
- slot = PK11_GetInternalSlot();
- if (!slot)
- return SECFailure;
- }
-
- bestIsInternal = PK11_IsInternal(slot);
- status = PK11_SeedRandom(slot, data, bytes);
- PK11_FreeSlot(slot);
-
- if (!bestIsInternal) {
- /* do internal slot, too. */
- slot = PK11_GetInternalSlot(); /* can't fail */
- status = PK11_SeedRandom(slot, data, bytes);
- PK11_FreeSlot(slot);
- }
- return status;
-}
-
-
-SECStatus
-PK11_GenerateRandom(unsigned char *data,int len) {
- PK11SlotInfo *slot;
- CK_RV crv;
-
- slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL);
- if (slot == NULL) return SECFailure;
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data,
- (CK_ULONG)len);
- PK11_ExitSlotMonitor(slot);
- PK11_FreeSlot(slot);
- return (crv != CKR_OK) ? SECFailure : SECSuccess;
-}
-
-/*
- * Generate an IV for the given mechanism
- */
-static SECStatus
-pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) {
- int iv_size = PK11_GetIVLength(type);
- SECStatus rv;
-
- iv->len = iv_size;
- if (iv_size == 0) {
- iv->data = NULL;
- return SECSuccess;
- }
-
- iv->data = (unsigned char *) PORT_Alloc(iv_size);
- if (iv->data == NULL) {
- iv->len = 0;
- return SECFailure;
- }
-
- rv = PK11_GenerateRandom(iv->data,iv->len);
- if (rv != SECSuccess) {
- PORT_Free(iv->data);
- iv->data = NULL; iv->len = 0;
- return SECFailure;
- }
- return SECSuccess;
-}
-
-
-/*
- * create a new paramter block from the passed in MECHANISM and the
- * key. Use Netscape's S/MIME Rules for the New param block.
- */
-SECItem *
-PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) {
- CK_RC2_CBC_PARAMS *rc2_params;
- CK_RC2_PARAMS *rc2_ecb_params;
- SECItem *mech;
- SECItem iv;
- SECStatus rv;
-
-
- mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
- if (mech == NULL) return NULL;
-
- rv = SECSuccess;
- switch (type) {
- case CKM_RC4:
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_IDEA_ECB:
- case CKM_CDMF_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- mech->data = NULL;
- mech->len = 0;
- break;
- case CKM_RC2_ECB:
- rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
- if (rc2_ecb_params == NULL) {
- rv = SECFailure;
- break;
- }
- /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
- * or RC4 key. Of course that wouldn't happen here doing RC2:).*/
- *rc2_ecb_params = PK11_GetKeyLength(key)*8;
- mech->data = (unsigned char *) rc2_ecb_params;
- mech->len = sizeof(CK_RC2_PARAMS);
- break;
- case CKM_RC2_CBC:
- case CKM_RC2_CBC_PAD:
- rv = pk11_GenIV(type,&iv);
- if (rv != SECSuccess) {
- break;
- }
- rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
- if (rc2_params == NULL) {
- PORT_Free(iv.data);
- rv = SECFailure;
- break;
- }
- /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
- * or RC4 key. Of course that wouldn't happen here doing RC2:).*/
- rc2_params->ulEffectiveBits = PK11_GetKeyLength(key)*8;
- if (iv.data)
- PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv));
- mech->data = (unsigned char *) rc2_params;
- mech->len = sizeof(CK_RC2_CBC_PARAMS);
- PORT_Free(iv.data);
- break;
- case CKM_RC5_ECB:
- PORT_Free(mech);
- return PK11_ParamFromIV(type,NULL);
- case CKM_RC5_CBC:
- case CKM_RC5_CBC_PAD:
- rv = pk11_GenIV(type,&iv);
- if (rv != SECSuccess) {
- break;
- }
- PORT_Free(mech);
- return PK11_ParamFromIV(type,&iv);
- default:
- if (pk11_lookup(type)->iv == 0) {
- mech->data = NULL;
- mech->len = 0;
- break;
- }
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_CDMF_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_CDMF_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- rv = pk11_GenIV(type,&iv);
- if (rv != SECSuccess) {
- break;
- }
- mech->data = (unsigned char*)PORT_Alloc(iv.len);
- if (mech->data == NULL) {
- PORT_Free(iv.data);
- rv = SECFailure;
- break;
- }
- PORT_Memcpy(mech->data,iv.data,iv.len);
- mech->len = iv.len;
- PORT_Free(iv.data);
- break;
- }
- if (rv != SECSuccess) {
- SECITEM_FreeItem(mech,PR_TRUE);
- return NULL;
- }
- return mech;
-
-}
-
-#define RC5_V10 0x10
-
-/* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */
-SECStatus
-PK11_ParamToAlgid(SECOidTag algTag, SECItem *param,
- PRArenaPool *arena, SECAlgorithmID *algid) {
- CK_RC2_CBC_PARAMS *rc2_params;
- sec_rc2cbcParameter rc2;
- CK_RC5_CBC_PARAMS *rc5_params;
- sec_rc5cbcParameter rc5;
- CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(algTag);
- SECItem *newParams = NULL;
- SECStatus rv = SECFailure;
- unsigned long rc2version;
-
- rv = SECSuccess;
- switch (type) {
- case CKM_RC4:
- case CKM_DES_ECB:
- case CKM_DES3_ECB:
- case CKM_IDEA_ECB:
- case CKM_CDMF_ECB:
- case CKM_CAST_ECB:
- case CKM_CAST3_ECB:
- case CKM_CAST5_ECB:
- newParams = NULL;
- rv = SECSuccess;
- break;
- case CKM_RC2_ECB:
- break;
- case CKM_RC2_CBC:
- case CKM_RC2_CBC_PAD:
- rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
- rc2version = rc2_unmap(rc2_params->ulEffectiveBits);
- if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion),
- rc2version) == NULL)
- break;
- rc2.iv.data = rc2_params->iv;
- rc2.iv.len = sizeof(rc2_params->iv);
- newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2,
- sec_rc2cbc_parameter_template);
- PORT_Free(rc2.rc2ParameterVersion.data);
- if (newParams == NULL)
- break;
- rv = SECSuccess;
- break;
-
- case CKM_RC5_ECB: /* well not really... */
- break;
- case CKM_RC5_CBC:
- case CKM_RC5_CBC_PAD:
- rc5_params = (CK_RC5_CBC_PARAMS *)param->data;
- if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL)
- break;
- if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits,
- rc5_params->ulWordsize*8) == NULL) {
- PORT_Free(rc5.version.data);
- break;
- }
- if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds,
- rc5_params->ulWordsize*8) == NULL) {
- PORT_Free(rc5.blockSizeInBits.data);
- PORT_Free(rc5.version.data);
- break;
- }
- rc5.iv.data = rc5_params->pIv;
- rc5.iv.len = rc5_params->ulIvLen;
- newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5,
- sec_rc5cbc_parameter_template);
- PORT_Free(rc5.version.data);
- PORT_Free(rc5.blockSizeInBits.data);
- PORT_Free(rc5.rounds.data);
- if (newParams == NULL)
- break;
- rv = SECSuccess;
- break;
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- case CKM_PBE_SHA1_RC2_128_CBC:
- case CKM_PBE_SHA1_RC4_40:
- case CKM_PBE_SHA1_RC4_128:
- return PBE_PK11ParamToAlgid(algTag, param, arena, algid);
- default:
- if (pk11_lookup(type)->iv == 0) {
- rv = SECSuccess;
- newParams = NULL;
- break;
- }
- case CKM_DES_CBC:
- case CKM_DES3_CBC:
- case CKM_IDEA_CBC:
- case CKM_CDMF_CBC:
- case CKM_CAST_CBC:
- case CKM_CAST3_CBC:
- case CKM_CAST5_CBC:
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_IDEA_CBC_PAD:
- case CKM_CDMF_CBC_PAD:
- case CKM_CAST_CBC_PAD:
- case CKM_CAST3_CBC_PAD:
- case CKM_CAST5_CBC_PAD:
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- case CKM_BATON_ECB128:
- case CKM_BATON_ECB96:
- case CKM_BATON_CBC128:
- case CKM_BATON_COUNTER:
- case CKM_BATON_SHUFFLE:
- case CKM_JUNIPER_ECB128:
- case CKM_JUNIPER_CBC128:
- case CKM_JUNIPER_COUNTER:
- case CKM_JUNIPER_SHUFFLE:
- newParams = SEC_ASN1EncodeItem(NULL,NULL,param,
- SEC_OctetStringTemplate);
- rv = SECSuccess;
- break;
- }
-
- if (rv != SECSuccess) {
- if (newParams) SECITEM_FreeItem(newParams,PR_TRUE);
- return rv;
- }
-
- rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams);
- SECITEM_FreeItem(newParams,PR_TRUE);
- return rv;
-}
-
-/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to
- * map OID's directly into the PKCS #11 mechanism we want to call. We find
- * this mapping in our standard OID table */
-CK_MECHANISM_TYPE
-PK11_AlgtagToMechanism(SECOidTag algTag) {
- SECOidData *oid = SECOID_FindOIDByTag(algTag);
-
- if (oid) return (CK_MECHANISM_TYPE) oid->mechanism;
- return CKM_INVALID_MECHANISM;
-}
-
-/* turn a mechanism into an oid. */
-SECOidTag
-PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) {
- SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type);
-
- if (oid) return oid->offset;
- return SEC_OID_UNKNOWN;
-}
-
-/* Determine appropriate blocking mechanism, used when wrapping private keys
- * which require PKCS padding. If the mechanism does not map to a padding
- * mechanism, we simply return the mechanism.
- */
-CK_MECHANISM_TYPE
-PK11_GetPadMechanism(CK_MECHANISM_TYPE type) {
- switch(type) {
- case CKM_DES_CBC:
- return CKM_DES_CBC_PAD;
- case CKM_DES3_CBC:
- return CKM_DES3_CBC_PAD;
- case CKM_RC2_CBC:
- return CKM_RC2_CBC_PAD;
- case CKM_CDMF_CBC:
- return CKM_CDMF_CBC_PAD;
- case CKM_CAST_CBC:
- return CKM_CAST_CBC_PAD;
- case CKM_CAST3_CBC:
- return CKM_CAST3_CBC_PAD;
- case CKM_CAST5_CBC:
- return CKM_CAST5_CBC_PAD;
- case CKM_RC5_CBC:
- return CKM_RC5_CBC_PAD;
- case CKM_IDEA_CBC:
- return CKM_IDEA_CBC_PAD;
- default:
- break;
- }
-
- return type;
-}
-
-/*
- * Build a block big enough to hold the data
- */
-SECItem *
-PK11_BlockData(SECItem *data,unsigned long size) {
- SECItem *newData;
-
- newData = (SECItem *)PORT_Alloc(sizeof(SECItem));
- if (newData == NULL) return NULL;
-
- newData->len = (data->len + (size-1))/size;
- newData->len *= size;
-
- newData->data = (unsigned char *) PORT_ZAlloc(newData->len);
- if (newData->data == NULL) {
- PORT_Free(newData);
- return NULL;
- }
- PORT_Memset(newData->data,newData->len-data->len,newData->len);
- PORT_Memcpy(newData->data,data->data,data->len);
- return newData;
-}
-
-
-SECStatus
-PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
- CK_RV crv;
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object);
- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- return SECFailure;
- }
- return SECSuccess;
-}
-
-SECStatus
-PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
- CK_RV crv;
- SECStatus rv = SECSuccess;
- CK_SESSION_HANDLE rwsession;
-
-
- rwsession = PK11_GetRWSession(slot);
-
- crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object);
- if (crv != CKR_OK) {
- rv = SECFailure;
- PORT_SetError(PK11_MapError(crv));
- }
- PK11_RestoreROSession(slot,rwsession);
- return rv;
-}
-
-/*
- * Read in a single attribute into a SECItem. Allocate space for it with
- * PORT_Alloc unless an arena is supplied. In the latter case use the arena
- * to allocate the space.
- */
-SECStatus
-PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
- CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result) {
- CK_ATTRIBUTE attr = { 0, NULL, 0 };
- CK_RV crv;
-
- attr.type = type;
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
- if (crv != CKR_OK) {
- PK11_ExitSlotMonitor(slot);
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
- if (arena) {
- attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen);
- } else {
- attr.pValue = PORT_Alloc(attr.ulValueLen);
- }
- if (attr.pValue == NULL) return SECFailure;
- crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- if (!arena) PORT_Free(attr.pValue);
- return SECFailure;
- }
-
- result->data = (unsigned char*)attr.pValue;
- result->len = attr.ulValueLen;
-
- return SECSuccess;
-}
-
-/*
- * Read in a single attribute into As a Ulong.
- */
-CK_ULONG
-PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
- CK_ATTRIBUTE_TYPE type) {
- CK_ATTRIBUTE attr;
- CK_ULONG value = CK_UNAVAILABLE_INFORMATION;
- CK_RV crv;
-
- PK11_SETATTRS(&attr,type,&value,sizeof(value));
-
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- }
- return value;
-}
-
-/*
- * check to see if a bool has been set.
- */
-CK_BBOOL
-PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
- CK_ATTRIBUTE_TYPE type )
-{
- CK_BBOOL ckvalue = CK_FALSE;
- CK_ATTRIBUTE theTemplate;
- CK_RV crv;
-
- /* Prepare to retrieve the attribute. */
- PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
-
- /* Retrieve attribute value. */
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
- &theTemplate, 1 );
- PK11_ExitSlotMonitor(slot);
- if( crv != CKR_OK ) {
- PORT_SetError( PK11_MapError( crv ) );
- return CK_FALSE;
- }
-
- return ckvalue;
-}
-
-/*
- * returns a full list of attributes. Allocate space for them. If an arena is
- * provided, allocate space out of the arena.
- */
-CK_RV
-PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
- CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count)
-{
- int i;
- /* make pedantic happy... note that it's only used arena != NULL */
- void *mark = NULL;
- CK_RV crv;
-
- /*
- * first get all the lengths of the parameters.
- */
- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
- if (crv != CKR_OK) {
- PK11_ExitSlotMonitor(slot);
- return crv;
- }
-
- if (arena) {
- mark = PORT_ArenaMark(arena);
- if (mark == NULL) return CKR_HOST_MEMORY;
- }
-
- /*
- * now allocate space to store the results.
- */
- for (i=0; i < count; i++) {
- if (arena) {
- attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen);
- if (attr[i].pValue == NULL) {
- /* arena failures, just release the mark */
- PORT_ArenaRelease(arena,mark);
- PK11_ExitSlotMonitor(slot);
- return CKR_HOST_MEMORY;
- }
- } else {
- attr[i].pValue = PORT_Alloc(attr[i].ulValueLen);
- if (attr[i].pValue == NULL) {
- /* Separate malloc failures, loop to release what we have
- * so far */
- int j;
- for (j= 0; j < i; j++) {
- PORT_Free(attr[j].pValue);
- /* don't give the caller pointers to freed memory */
- attr[j].pValue = NULL;
- }
- PK11_ExitSlotMonitor(slot);
- return CKR_HOST_MEMORY;
- }
- }
- }
-
- /*
- * finally get the results.
- */
- crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- if (arena) {
- PORT_ArenaRelease(arena,mark);
- } else {
- for (i= 0; i < count; i++) {
- PORT_Free(attr[i].pValue);
- /* don't give the caller pointers to freed memory */
- attr[i].pValue = NULL;
- }
- }
- } else if (arena && mark) {
- PORT_ArenaUnmark(arena,mark);
- }
- return crv;
-}
-
-/*
- * Reset the token to it's initial state. For the internal module, this will
- * Purge your keydb, and reset your cert db certs to USER_INIT.
- */
-SECStatus
-PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
-{
- unsigned char tokenName[32];
- int tokenNameLen;
- CK_RV crv;
-
- /* reconstruct the token name */
- tokenNameLen = PORT_Strlen(slot->token_name);
- if (tokenNameLen > sizeof(tokenName)) {
- tokenNameLen = sizeof(tokenName);
- }
-
- PORT_Memcpy(tokenName,slot->token_name,tokenNameLen);
- if (tokenNameLen < sizeof(tokenName)) {
- PORT_Memset(&tokenName[tokenNameLen],' ',
- sizeof(tokenName)-tokenNameLen);
- }
-
- /* initialize the token */
- PK11_EnterSlotMonitor(slot);
-
- /* first shutdown the token. Existing sessions will get closed here */
- PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
- slot->session = CK_INVALID_SESSION;
- PK11_FreeSlotCerts(slot);
-
- /* now re-init the token */
- crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
- (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName);
-
- /* finally bring the token back up */
- PK11_InitToken(slot,PR_TRUE);
- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
- return SECSuccess;
-}
-
-
-
-
-static SECOidTag
-pk11_MapPBEMechanismTypeToAlgtag(CK_MECHANISM_TYPE mech)
-{
- switch(mech) {
- case CKM_PBE_MD2_DES_CBC:
- return SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC;
- case CKM_PBE_MD5_DES_CBC:
- return SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC;
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- return SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- return SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- return SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4;
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- return SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4;
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- return SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- return SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
- case CKM_PBE_SHA1_RC2_128_CBC:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
- case CKM_PBE_SHA1_RC2_40_CBC:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- case CKM_PBE_SHA1_RC4_40:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4;
- case CKM_PBE_SHA1_RC4_128:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4;
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC;
- default:
- break;
- }
- return SEC_OID_UNKNOWN;
-}
-
-CK_RV
-PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
- CK_MECHANISM_PTR pCryptoMechanism,
- SECItem *pbe_pwd, PRBool faulty3DES)
-{
- int iv_len = 0;
- CK_PBE_PARAMS_PTR pPBEparams;
- CK_RC2_CBC_PARAMS_PTR rc2_params;
- CK_ULONG rc2_key_len;
- SECStatus rv = SECFailure;
- SECAlgorithmID temp_algid;
- SECItem param, *iv;
-
- if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) {
- return CKR_HOST_MEMORY;
- }
-
- pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter;
- iv_len = PK11_GetIVLength(pPBEMechanism->mechanism);
-
- if(pPBEparams->pInitVector == CK_NULL_PTR) {
- pPBEparams->pInitVector = (CK_CHAR_PTR)PORT_ZAlloc(iv_len);
- if(pPBEparams->pInitVector == NULL) {
- return CKR_HOST_MEMORY;
- }
- param.data = (unsigned char*)pPBEMechanism->pParameter;
- param.len = pPBEMechanism->ulParameterLen;
- rv = PK11_ParamToAlgid(pk11_MapPBEMechanismTypeToAlgtag(
- pPBEMechanism->mechanism),
- &param, NULL, &temp_algid);
- if(rv != SECSuccess) {
- SECOID_DestroyAlgorithmID(&temp_algid, PR_FALSE);
- return CKR_HOST_MEMORY;
- } else {
- iv = SEC_PKCS5GetIV(&temp_algid, pbe_pwd, faulty3DES);
- if((iv == NULL) && (iv_len != 0)) {
- SECOID_DestroyAlgorithmID(&temp_algid, PR_FALSE);
- return CKR_HOST_MEMORY;
- }
- SECOID_DestroyAlgorithmID(&temp_algid, PR_FALSE);
- if(iv != NULL) {
- PORT_Memcpy((char *)pPBEparams->pInitVector,
- (char *)iv->data,
- iv->len);
- SECITEM_ZfreeItem(iv, PR_TRUE);
- }
- }
- }
-
- switch(pPBEMechanism->mechanism) {
- case CKM_PBE_MD2_DES_CBC:
- case CKM_PBE_MD5_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- pCryptoMechanism->mechanism = CKM_DES_CBC;
- goto have_crypto_mechanism;
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- pCryptoMechanism->mechanism = CKM_DES3_CBC;
-have_crypto_mechanism:
- pCryptoMechanism->pParameter = PORT_Alloc(iv_len);
- pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len;
- if(pCryptoMechanism->pParameter == NULL) {
- return CKR_HOST_MEMORY;
- }
- PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter),
- (unsigned char *)(pPBEparams->pInitVector),
- iv_len);
- break;
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- case CKM_PBE_SHA1_RC4_40:
- case CKM_PBE_SHA1_RC4_128:
- pCryptoMechanism->mechanism = CKM_RC4;
- pCryptoMechanism->ulParameterLen = 0;
- pCryptoMechanism->pParameter = CK_NULL_PTR;
- break;
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_PBE_SHA1_RC2_40_CBC:
- rc2_key_len = 40;
- goto have_key_len;
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- rc2_key_len = 128;
-have_key_len:
- pCryptoMechanism->mechanism = CKM_RC2_CBC;
- pCryptoMechanism->ulParameterLen = (CK_ULONG)sizeof(CK_RC2_CBC_PARAMS);
- pCryptoMechanism->pParameter =
- (CK_RC2_CBC_PARAMS_PTR)PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS));
- if(pCryptoMechanism->pParameter == NULL) {
- return CKR_HOST_MEMORY;
- }
- rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter;
- PORT_Memcpy((unsigned char *)rc2_params->iv,
- (unsigned char *)pPBEparams->pInitVector,
- iv_len);
- rc2_params->ulEffectiveBits = rc2_key_len;
- break;
- default:
- return CKR_MECHANISM_INVALID;
- }
-
- return CKR_OK;
-}
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
deleted file mode 100644
index 709bf32c8..000000000
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Initialize the PCKS 11 subsystem
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "prlock.h"
-#include "secmodi.h"
-#include "pk11func.h"
-
-/* these are for displaying error messages */
-
-static SECMODModuleList *modules = NULL;
-static SECMODModule *internalModule = NULL;
-static SECMODListLock *moduleLock = NULL;
-
-extern SECStatus
-PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
- PRBool add);
-
-
-extern int XP_SEC_MODULE_NO_LIB;
-
-extern PK11DefaultArrayEntry PK11_DefaultArray[];
-extern int num_pk11_default_mechanisms;
-
-void SECMOD_init(char *dbname) {
- SECMODModuleList *thisModule;
- int found=0;
- SECStatus rv = SECFailure;
-
-
- /* don't initialize twice */
- if (modules) return;
-
- PK11_InitSlotLists();
-
- SECMOD_InitDB(dbname);
-
- /*
- * read in the current modules from the database
- */
- modules = SECMOD_ReadPermDB();
-
- /* make sure that the internal module is loaded */
- for (thisModule = modules; thisModule ; thisModule = thisModule->next) {
- if (thisModule->module->internal) {
- found++;
- internalModule = SECMOD_ReferenceModule(thisModule->module);
- break;
- }
- }
-
- if (!found) {
- thisModule = modules;
- modules = SECMOD_NewModuleListElement();
- modules->module = SECMOD_NewInternal();
- PORT_Assert(modules->module != NULL);
- modules->next = thisModule;
- SECMOD_AddPermDB(modules->module);
- internalModule = SECMOD_ReferenceModule(modules->module);
- }
-
- /* load it first... we need it to verify the external modules
- * which we are loading.... */
- rv = SECMOD_LoadModule(internalModule);
- if( rv != SECSuccess )
- internalModule = NULL;
-
- /* Load each new module */
- for (thisModule = modules; thisModule ; thisModule = thisModule->next) {
- if( !( thisModule->module->internal ) )
- SECMOD_LoadModule(thisModule->module);
- }
-
- moduleLock = SECMOD_NewListLock();
-}
-
-/*
- * retrieve the internal module
- */
-SECMODModule *
-SECMOD_GetInternalModule(void) {
- return internalModule;
-}
-
-/* called from security/cmd/swfort/instinit, which doesn't need a full
- * security LIBRARY (it used the swfortezza code, but it does have to verify
- * cert chains against it's own list of certs. We need to initialize the
- * security code without any database.
- */
-void
-secmod_GetInternalModule( SECMODModule *mod) {
- internalModule = SECMOD_ReferenceModule(mod);
-}
-
-/*
- * get the list of PKCS11 modules that are available.
- */
-SECMODModuleList *SECMOD_GetDefaultModuleList() { return modules; }
-SECMODListLock *SECMOD_GetDefaultModuleListLock() { return moduleLock; }
-
-
-
-/*
- * find a module by name, and add a reference to it.
- * return that module.
- */
-SECMODModule *SECMOD_FindModule(char *name) {
- SECMODModuleList *mlp;
- SECMODModule *module = NULL;
-
- SECMOD_GetReadLock(moduleLock);
- for(mlp = modules; mlp != NULL; mlp = mlp->next) {
- if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
- module = mlp->module;
- SECMOD_ReferenceModule(module);
- break;
- }
- }
- SECMOD_ReleaseReadLock(moduleLock);
-
- return module;
-}
-
-/*
- * find a module by ID, and add a reference to it.
- * return that module.
- */
-SECMODModule *SECMOD_FindModuleByID(SECMODModuleID id) {
- SECMODModuleList *mlp;
- SECMODModule *module = NULL;
-
- SECMOD_GetReadLock(moduleLock);
- for(mlp = modules; mlp != NULL; mlp = mlp->next) {
- if (id == mlp->module->moduleID) {
- module = mlp->module;
- SECMOD_ReferenceModule(module);
- break;
- }
- }
- SECMOD_ReleaseReadLock(moduleLock);
-
- return module;
-}
-
-/*
- * lookup the Slot module based on it's module ID and slot ID.
- */
-PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID moduleID,CK_SLOT_ID slotID) {
- int i;
- SECMODModule *module;
-
- module = SECMOD_FindModuleByID(moduleID);
- if (module == NULL) return NULL;
-
- for (i=0; i < module->slotCount; i++) {
- PK11SlotInfo *slot = module->slots[i];
-
- if (slot->slotID == slotID) {
- SECMOD_DestroyModule(module);
- return PK11_ReferenceSlot(slot);
- }
- }
- SECMOD_DestroyModule(module);
- return NULL;
-}
-
-
-/*
- * find a module by name and delete it of the module list
- */
-SECStatus
-SECMOD_DeleteModule(char *name, int *type) {
- SECMODModuleList *mlp;
- SECMODModuleList **mlpp;
- SECStatus rv = SECFailure;
-
-
- *type = SECMOD_EXTERNAL;
-
- SECMOD_GetWriteLock(moduleLock);
- for(mlpp = &modules,mlp = modules;
- mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
- if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
- /* don't delete the internal module */
- if (!mlp->module->internal) {
- SECMOD_RemoveList(mlpp,mlp);
- /* delete it after we release the lock */
- rv = SECSuccess;
- } else if (mlp->module->isFIPS) {
- *type = SECMOD_FIPS;
- } else {
- *type = SECMOD_INTERNAL;
- }
- break;
- }
- }
- SECMOD_ReleaseWriteLock(moduleLock);
-
-
- if (rv == SECSuccess) {
- SECMOD_DeletePermDB(mlp->module);
- SECMOD_DestroyModuleListElement(mlp);
- }
- return rv;
-}
-
-/*
- * find a module by name and delete it of the module list
- */
-SECStatus
-SECMOD_DeleteInternalModule(char *name) {
- SECMODModuleList *mlp;
- SECMODModuleList **mlpp;
- SECStatus rv = SECFailure;
-
- SECMOD_GetWriteLock(moduleLock);
- for(mlpp = &modules,mlp = modules;
- mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
- if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
- /* don't delete the internal module */
- if (mlp->module->internal) {
- rv = SECSuccess;
- SECMOD_RemoveList(mlpp,mlp);
- }
- break;
- }
- }
- SECMOD_ReleaseWriteLock(moduleLock);
-
- if (rv == SECSuccess) {
- SECMODModule *newModule,*oldModule;
-
- if (mlp->module->isFIPS) {
- newModule = SECMOD_NewInternal();
- } else {
- newModule = SECMOD_GetFIPSInternal();
- }
- if (newModule == NULL) {
- SECMODModuleList *last,*mlp2;
- /* we're in pretty deep trouble if this happens...Security
- * not going to work well... try to put the old module back on
- * the list */
- SECMOD_GetWriteLock(moduleLock);
- for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) {
- last = mlp2;
- }
-
- if (last == NULL) {
- modules = mlp;
- } else {
- SECMOD_AddList(last,mlp,NULL);
- }
- SECMOD_ReleaseWriteLock(moduleLock);
- return SECFailure;
- }
- oldModule = internalModule;
- internalModule = SECMOD_ReferenceModule(newModule);
- SECMOD_AddModule(internalModule);
- SECMOD_DestroyModule(oldModule);
- SECMOD_DeletePermDB(mlp->module);
- SECMOD_DestroyModuleListElement(mlp);
- }
- return rv;
-}
-
-SECStatus
-SECMOD_AddModule(SECMODModule *newModule) {
- SECStatus rv;
- SECMODModuleList *mlp, *newListElement, *last = NULL;
-
- /* Test if a module w/ the same name already exists */
- /* and return SECWouldBlock if so. */
- /* We should probably add a new return value such as */
- /* SECDublicateModule, but to minimize ripples, I'll */
- /* give SECWouldBlock a new meaning */
- if (SECMOD_FindModule(newModule->commonName)) {
- return SECWouldBlock;
- /* module already exists. */
- }
-
- rv = SECMOD_LoadModule(newModule);
- if (rv != SECSuccess) {
- return rv;
- }
-
- newListElement = SECMOD_NewModuleListElement();
- if (newListElement == NULL) {
- return SECFailure;
- }
-
- SECMOD_AddPermDB(newModule);
-
- newListElement->module = newModule;
-
- SECMOD_GetWriteLock(moduleLock);
- /* Added it to the end (This is very inefficient, but Adding a module
- * on the fly should happen maybe 2-3 times through the life this program
- * on a given computer, and this list should be *SHORT*. */
- for(mlp = modules; mlp != NULL; mlp = mlp->next) {
- last = mlp;
- }
-
- if (last == NULL) {
- modules = newListElement;
- } else {
- SECMOD_AddList(last,newListElement,NULL);
- }
- SECMOD_ReleaseWriteLock(moduleLock);
- return SECSuccess;
-}
-
-PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,char *name) {
- int i;
- char *string;
-
- for (i=0; i < module->slotCount; i++) {
- PK11SlotInfo *slot = module->slots[i];
-
- if (PK11_IsPresent(slot)) {
- string = PK11_GetTokenName(slot);
- } else {
- string = PK11_GetSlotName(slot);
- }
- if (PORT_Strcmp(name,string) == 0) {
- return PK11_ReferenceSlot(slot);
- }
- }
- return NULL;
-}
-
-SECStatus
-PK11_GetModInfo(SECMODModule *mod,CK_INFO *info) {
- CK_RV crv;
-
- if (mod->functionList == NULL) return SECFailure;
- crv = PK11_GETTAB(mod)->C_GetInfo(info);
- return (crv == CKR_OK) ? SECSuccess : SECFailure;
-}
-
-/* Determine if we have the FIP's module loaded as the default
- * module to trigger other bogus FIPS requirements in PKCS #12 and
- * SSL
- */
-PRBool
-PK11_IsFIPS(void)
-{
- SECMODModule *mod = SECMOD_GetInternalModule();
-
- if (mod && mod->internal) {
- return mod->isFIPS;
- }
-
- return PR_FALSE;
-}
-
-/* combines NewModule() & AddModule */
-/* give a string for the module name & the full-path for the dll, */
-/* installs the PKCS11 module & update registry */
-SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
- unsigned long defaultMechanismFlags,
- unsigned long cipherEnableFlags) {
- SECMODModule *module;
- SECStatus result;
- int s,i;
- PK11SlotInfo* slot;
-
- module = SECMOD_NewModule();
-
- if (moduleName) {
- module->commonName=PORT_ArenaStrdup(module->arena,moduleName);
- } else {
- module->commonName=NULL;
- }
-
- if (dllPath) {
- module->dllName=PORT_ArenaStrdup(module->arena,dllPath);
- } else {
- module->dllName=NULL;
- }
-
- if (module->dllName != NULL) {
- if (module->dllName[0] != 0) {
- SECStatus rv = SECMOD_AddModule(module);
- if (rv != SECSuccess) {
- /* SECFailure: failed to add module, corrupt or missing module etc. */
- /* SECBlock: a module with the same name already exists */
- return rv;
- } else { /* successfully added module */
- /* turn on SSL cipher enable flags */
- module->ssl[0] = cipherEnableFlags;
-
- /* check each slot to turn on appropriate mechanisms */
- for (s = 0; s < module->slotCount; s++) {
- slot = (module->slots)[s];
- /* for each possible mechanism */
- for (i=0; i < num_pk11_default_mechanisms; i++) {
- /* we are told to turn it on by default ? */
- if (PK11_DefaultArray[i].flag & defaultMechanismFlags) {
- /* it ignores if slot attribute update failes */
- result = PK11_UpdateSlotAttribute(slot, &(PK11_DefaultArray[i]), PR_TRUE);
- } else { /* turn this mechanism of the slot off by default */
- result = PK11_UpdateSlotAttribute(slot, &(PK11_DefaultArray[i]), PR_FALSE);
- }
- } /* for each mechanism */
- /* disable each slot if the defaultFlags say so */
- if (defaultMechanismFlags & PK11_DISABLE_FLAG) {
- PK11_UserDisableSlot(slot);
- }
- } /* for each slot of this module */
-
- /* delete and re-add module in order to save changes to the module */
- result = SECMOD_DeletePermDB(module);
-
- if (result == SECSuccess) {
- result = SECMOD_AddPermDB(module);
- if (result == SECSuccess) {
- return SECSuccess;
- }
- }
-
- }
- }
- }
- SECMOD_DestroyModule(module);
- return SECFailure;
-}
-
-/* Public & Internal(Security Library) representation of
- * encryption mechanism flags conversion */
-
-/* Currently, the only difference is that internal representation
- * puts RANDOM_FLAG at bit 31 (Most-significant bit), but
- * public representation puts this bit at bit 28
- */
-unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags) {
- unsigned long internalFlags = publicFlags;
-
- if (publicFlags & PUBLIC_MECH_RANDOM_FLAG) {
- internalFlags &= ~PUBLIC_MECH_RANDOM_FLAG;
- internalFlags |= SECMOD_RANDOM_FLAG;
- }
- return internalFlags;
-}
-
-unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) {
- unsigned long publicFlags = internalFlags;
-
- if (internalFlags & SECMOD_RANDOM_FLAG) {
- publicFlags &= ~SECMOD_RANDOM_FLAG;
- publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
- }
- return publicFlags;
-}
-
-
-/* Public & Internal(Security Library) representation of */
-/* cipher flags conversion */
-/* Note: currently they are just stubs */
-unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags) {
- return publicFlags;
-}
-
-unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags) {
- return internalFlags;
-}
-
-/* Funtion reports true if module of modType is installed/configured */
-PRBool
-SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
-{
- PRBool result = PR_FALSE;
- SECMODModuleList *mods = SECMOD_GetDefaultModuleList();
- SECMODListLock *modsLock = SECMOD_GetDefaultModuleListLock();
- SECMOD_GetReadLock(moduleLock);
-
-
- for ( ; mods != NULL; mods = mods->next) {
- if (mods->module->ssl[0] & SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) {
- result = PR_TRUE;
- }
- }
-
- SECMOD_ReleaseReadLock(moduleLock);
- return result;
-}
diff --git a/security/nss/lib/pk11wrap/secmod.h b/security/nss/lib/pk11wrap/secmod.h
deleted file mode 100644
index f93279536..000000000
--- a/security/nss/lib/pk11wrap/secmod.h
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * Definition of Security Module Data Structure. There is a separate data
- * structure for each loaded PKCS #11 module.
- */
-#ifndef _SECMOD_H_
-#define _SEDMOD_H_
-#include "seccomon.h"
-#include "secmodt.h"
-
-#define PKCS11_USE_THREADS
-
-/* These mechanisms flags are visible to all other libraries. */
-/* They must be converted to internal SECMOD_*_FLAG */
-/* if used inside the functions of the security library */
-#define PUBLIC_MECH_RSA_FLAG 0x00000001ul
-#define PUBLIC_MECH_DSA_FLAG 0x00000002ul
-#define PUBLIC_MECH_RC2_FLAG 0x00000004ul
-#define PUBLIC_MECH_RC4_FLAG 0x00000008ul
-#define PUBLIC_MECH_DES_FLAG 0x00000010ul
-#define PUBLIC_MECH_DH_FLAG 0x00000020ul
-#define PUBLIC_MECH_FORTEZZA_FLAG 0x00000040ul
-#define PUBLIC_MECH_RC5_FLAG 0x00000080ul
-#define PUBLIC_MECH_SHA1_FLAG 0x00000100ul
-#define PUBLIC_MECH_MD5_FLAG 0x00000200ul
-#define PUBLIC_MECH_MD2_FLAG 0x00000400ul
-#define PUBLIC_MECH_SSL_FLAG 0x00000800ul
-#define PUBLIC_MECH_TLS_FLAG 0x00001000ul
-
-#define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
-#define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
-#define PUBLIC_OWN_PW_DEFAULTS 0X20000000ul
-#define PUBLIC_DISABLE_FLAG 0x40000000ul
-
-/* warning: reserved means reserved */
-#define PUBLIC_MECH_RESERVED_FLAGS 0x87FFE000ul
-
-/* These cipher flags are visible to all other libraries, */
-/* But they must be converted before used in functions */
-/* withing the security module */
-#define PUBLIC_CIPHER_FORTEZZA_FLAG 0x00000001ul
-
-/* warning: reserved means reserved */
-#define PUBLIC_CIPHER_RESERVED_FLAGS 0xFFFFFFFEul
-
-SEC_BEGIN_PROTOS
-
-/* protoypes */
-extern void SECMOD_init(char *dbname);
-extern SECMODModuleList *SECMOD_GetDefaultModuleList(void);
-extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
-
-/* lock management */
-extern SECMODListLock *SECMOD_NewListLock(void);
-extern void SECMOD_DestroyListLock(SECMODListLock *);
-extern void SECMOD_GetReadLock(SECMODListLock *);
-extern void SECMOD_ReleaseReadLock(SECMODListLock *);
-extern void SECMOD_GetWriteLock(SECMODListLock *);
-extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
-
-/* list managment */
-extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
-extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
-
-/* Operate on modules by name */
-extern SECMODModule *SECMOD_FindModule(char *name);
-extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
-extern SECStatus SECMOD_DeleteModule(char *name, int *type);
-extern SECStatus SECMOD_DeleteInternalModule(char *name);
-extern SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
- unsigned long defaultMechanismFlags,
- unsigned long cipherEnableFlags);
-/* database/memory management */
-extern SECMODModule *SECMOD_NewModule(void);
-extern SECMODModuleList *SECMOD_NewModuleListElement(void);
-extern SECMODModule *SECMOD_GetInternalModule(void);
-extern SECMODModule *SECMOD_GetFIPSInternal(void);
-extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module);
-extern void SECMOD_DestroyModule(SECMODModule *module);
-extern SECMODModuleList *SECMOD_DestroyModuleListElement(SECMODModuleList *);
-extern void SECMOD_DestroyModuleList(SECMODModuleList *);
-extern SECMODModule *SECMOD_DupModule(SECMODModule *old);
-extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
-extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,char *name);
-extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module,
- unsigned long slotID);
-SECStatus SECMOD_DeletePermDB(SECMODModule *);
-SECStatus SECMOD_AddPermDB(SECMODModule *);
-
-/* Funtion reports true if at least one of the modules */
-/* of modType has been installed */
-PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
-
-/* Functions used to convert between internal & public representation
- * of Mechanism Flags and Cipher Enable Flags */
-extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
-extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
-
-extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
-extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
deleted file mode 100644
index e2ea081d2..000000000
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Internal header file included only by files in pkcs11 dir, or in
- * pkcs11 specific client and server files.
- */
-#ifndef _SECMODI_H_
-#define _SECMODI_H_ 1
-#include "pkcs11.h"
-#include "prlock.h"
-#include "mcom_db.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "certt.h"
-#include "secmodti.h"
-
-#ifdef PKCS11_USE_THREADS
-#define PK11_USE_THREADS(x) x
-#else
-#define PK11_USE_THREADS(x)
-#endif
-
-SEC_BEGIN_PROTOS
-
-/* proto-types */
-SECMODModule * SECMOD_NewModule(void); /* create a new module */
-SECMODModule * SECMOD_NewInternal(void); /* create an internal module */
-
-/* Data base functions */
-void SECMOD_InitDB(char *);
-SECMODModuleList * SECMOD_ReadPermDB(void);
-
-/*void SECMOD_ReferenceModule(SECMODModule *); */
-
-/* Library functions */
-SECStatus SECMOD_LoadModule(SECMODModule *);
-SECStatus SECMOD_UnloadModule(SECMODModule *);
-
-void SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot);
-CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
- CK_VOID_PTR pdata);
-void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib);
-CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot,
- CK_ATTRIBUTE *inTemplate,int tsize);
-SEC_END_PROTOS
-
-#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
- (x)->pValue=(v); (x)->ulValueLen = (l);
-#endif
-
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
deleted file mode 100644
index fde43bbb0..000000000
--- a/security/nss/lib/pk11wrap/secmodt.h
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * Definition of Security Module Data Structure. There is a separate data
- * structure for each loaded PKCS #11 module.
- */
-#ifndef _SECMODT_H_
-#define _SECMODT_H_ 1
-
-/* PKCS11 needs to be included */
-typedef struct SECMODModuleStr SECMODModule;
-typedef struct SECMODModuleListStr SECMODModuleList;
-typedef struct SECMODListLockStr SECMODListLock; /* defined in secmodi.h */
-typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
-typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
-typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
-typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
-typedef struct PK11SlotListStr PK11SlotList;
-typedef struct PK11SlotListElementStr PK11SlotListElement;
-typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
-typedef unsigned long SECMODModuleID;
-typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
-
-struct SECMODModuleStr {
- PRArenaPool *arena;
- PRBool internal; /* true of internally linked modules, false
- * for the loaded modules */
- PRBool loaded; /* Set to true if module has been loaded */
- PRBool isFIPS; /* Set to true if module is finst internal */
- char *dllName; /* name of the shared library which implements
- * this module */
- char *commonName; /* name of the module to display to the user */
- void *library; /* pointer to the library. opaque. used only by
- * pk11load.c */
- void *functionList; /* The PKCS #11 function table */
- void *refLock; /* only used pk11db.c */
- int refCount; /* Module reference count */
- PK11SlotInfo **slots; /* array of slot points attatched to this mod*/
- int slotCount; /* count of slot in above array */
- PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
- int slotInfoCount; /* count */
- SECMODModuleID moduleID; /* ID so we can find this module again */
- PRBool isThreadSafe;
- unsigned long ssl[2]; /* SSL cipher enable flags */
-};
-
-struct SECMODModuleListStr {
- SECMODModuleList *next;
- SECMODModule *module;
-};
-
-struct PK11SlotListStr {
- PK11SlotListElement *head;
- PK11SlotListElement *tail;
- void *lock;
-};
-
-struct PK11SlotListElementStr {
- PK11SlotListElement *next;
- PK11SlotListElement *prev;
- PK11SlotInfo *slot;
- int refCount;
-};
-
-struct PK11RSAGenParamsStr {
- int keySizeInBits;
- unsigned long pe;
-};
-
-/*
- * Entry into the Array which lists all the legal bits for the default flags
- * in the slot, their definition, and the PKCS #11 mechanism the represent
- * Always Statically allocated.
- */
-struct PK11DefaultArrayEntryStr {
- char *name;
- unsigned long flag;
- unsigned long mechanism; /* this is a long so we don't include the
- * whole pkcs 11 world to use this header */
-};
-
-
-#define SECMOD_RSA_FLAG 0x00000001L
-#define SECMOD_DSA_FLAG 0x00000002L
-#define SECMOD_RC2_FLAG 0x00000004L
-#define SECMOD_RC4_FLAG 0x00000008L
-#define SECMOD_DES_FLAG 0x00000010L
-#define SECMOD_DH_FLAG 0x00000020L
-#define SECMOD_FORTEZZA_FLAG 0x00000040L
-#define SECMOD_RC5_FLAG 0x00000080L
-#define SECMOD_SHA1_FLAG 0x00000100L
-#define SECMOD_MD5_FLAG 0x00000200L
-#define SECMOD_MD2_FLAG 0x00000400L
-#define SECMOD_SSL_FLAG 0x00000800L
-#define SECMOD_TLS_FLAG 0x00001000L
-/* reserved bit for future, do not use */
-#define SECMOD_RESERVED_FLAG 0X08000000L
-#define SECMOD_FRIENDLY_FLAG 0x10000000L
-#define SECMOD_RANDOM_FLAG 0x80000000L
-
-/* need to make SECMOD and PK11 prefixes consistant. */
-#define PK11_OWN_PW_DEFAULTS 0x20000000L
-#define PK11_DISABLE_FLAG 0x40000000L
-
-/* FAKE PKCS #11 defines */
-#define CKM_FAKE_RANDOM 0x80000efeL
-#define CKM_INVALID_MECHANISM 0xffffffffL
-#define CKA_DIGEST 0x81000000L
-#define CK_INVALID_KEY 0
-#define CK_INVALID_SESSION 0
-
-/* Cryptographic module types */
-#define SECMOD_EXTERNAL 0 /* external module */
-#define SECMOD_INTERNAL 1 /* internal default module */
-#define SECMOD_FIPS 2 /* internal fips module */
-
-/*
- * What is the origin of a given Key. Normally this doesn't matter, but
- * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
- * hack.
- */
-typedef enum {
- PK11_OriginNULL, /* There is not key, it's a null SymKey */
- PK11_OriginDerive, /* Key was derived from some other key */
- PK11_OriginGenerated, /* Key was generated (also PBE keys) */
- PK11_OriginFortezzaHack,/* Key was marked for fortezza hack */
- PK11_OriginUnwrap /* Key was unwrapped or decrypted */
-} PK11Origin;
-
-/* PKCS #11 disable reasons */
-typedef enum {
- PK11_DIS_NONE = 0,
- PK11_DIS_USER_SELECTED,
- PK11_DIS_COULD_NOT_INIT_TOKEN,
- PK11_DIS_TOKEN_VERIFY_FAILED,
- PK11_DIS_TOKEN_NOT_PRESENT
-} PK11DisableReasons;
-
-/* function pointer type for password callback function.
- * This type is passed in to PK11_SetPasswordFunc()
- */
-typedef char *(*PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
-typedef PRBool (*PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
-typedef PRBool (*PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
-
-#endif /*_SECMODT_H_ */
diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h
deleted file mode 100644
index d97059a9b..000000000
--- a/security/nss/lib/pk11wrap/secmodti.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Internal header file included only by files in pkcs11 dir, or in
- * pkcs11 specific client and server files.
- */
-
-#include "prmon.h"
-#include "prtypes.h"
-
-/* internal data structures */
-
-/* structure to allow us to implement the read/write locks for our
- * module lists */
-struct SECMODListLockStr {
- PRLock *mutex; /*general mutex to protect this data structure*/
- PRMonitor *monitor; /* monitor to allow us to signal */
- int state; /* read/write/waiting state */
- int count; /* how many waiters on this lock */
-};
-
-/* represent a pkcs#11 slot reference counted. */
-struct PK11SlotInfoStr {
- /* the PKCS11 function list for this slot */
- void *functionList;
- SECMODModule *module; /* our parent module */
- /* Boolean to indicate the current state of this slot */
- PRBool needTest; /* Has this slot been tested for Export complience */
- PRBool isPerm; /* is this slot a permanment device */
- PRBool isHW; /* is this slot a hardware device */
- PRBool isInternal; /* is this slot one of our internal PKCS #11 devices */
- PRBool disabled; /* is this slot disabled... */
- PK11DisableReasons reason; /* Why this slot is disabled */
- PRBool readOnly; /* is the token in this slot read-only */
- PRBool needLogin; /* does the token of the type that needs
- * authentication (still true even if token is logged
- * in) */
- PRBool hasRandom; /* can this token generated random numbers */
- PRBool defRWSession; /* is the default session RW (we open our default
- * session rw if the token can only handle one session
- * at a time. */
- PRBool isThreadSafe; /* copied from the module */
- /* The actual flags (many of which are distilled into the above PRBools) */
- CK_FLAGS flags; /* flags from PKCS #11 token Info */
- /* a default session handle to do quick and dirty functions */
- CK_SESSION_HANDLE session;
- PRLock *sessionLock; /* lock for this session */
- /* our ID */
- CK_SLOT_ID slotID;
- /* persistant flags saved from startup to startup */
- unsigned long defaultFlags;
- /* keep track of who is using us so we don't accidently get freed while
- * still in use */
- int refCount;
- PRLock *refLock;
- PRLock *freeListLock;
- PK11SymKey *freeSymKeysHead;
- int keyCount;
- int maxKeyCount;
- /* Password control functions for this slot. many of these are only
- * active if the appropriate flag is on in defaultFlags */
- int askpw; /* what our password options are */
- int timeout; /* If we're ask_timeout, what is our timeout time is
- * seconds */
- int authTransact; /* allow multiple authentications off one password if
- * they are all part of the same transaction */
- int64 authTime; /* when were we last authenticated */
- int minPassword; /* smallest legal password */
- int maxPassword; /* largest legal password */
- uint16 series; /* break up the slot info into various groups of
- * inserted tokens so that keys and certs can be
- * invalidated */
- uint16 wrapKey; /* current wrapping key for SSL master secrets */
- CK_MECHANISM_TYPE wrapMechanism;
- /* current wrapping mechanism for current wrapKey */
- CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */
- CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this
- * token */
- int mechanismCount;
- /* cache the certificates stored on the token of this slot */
- CERTCertificate **cert_array;
- int array_size;
- int cert_count;
- char serial[16];
- /* since these are odd sizes, keep them last. They are odd sizes to
- * allow them to become null terminated strings */
- char slot_name[65];
- char token_name[33];
- PRBool hasRSAInfo;
- CK_FLAGS RSAInfoFlags;
-};
-
-/* hold slot default flags until we initialize a slot. This structure is only
- * useful between the time we define a module (either by hand or from the
- * database) and the time the module is loaded. Not reference counted */
-struct PK11PreSlotInfoStr {
- CK_SLOT_ID slotID; /* slot these flags are for */
- unsigned long defaultFlags; /* bit mask of default implementation this slot
- * provides */
- int askpw; /* slot specific password bits */
- long timeout; /* slot specific timeout value */
-};
-
-/* Symetric Key structure. Reference Counted */
-struct PK11SymKeyStr {
- CK_MECHANISM_TYPE type; /* type of operation this key was created for*/
- CK_OBJECT_HANDLE objectID; /* object id of this key in the slot */
- PK11SlotInfo *slot; /* Slot this key is loaded into */
- void *cx; /* window context in case we need to loggin */
- PK11SymKey *next;
- PRBool owner;
- SECItem data; /* raw key data if available */
- CK_SESSION_HANDLE session;
- PRBool sessionOwner;
- int refCount; /* number of references to this key */
- PRLock *refLock;
- int size; /* key size in bytes */
- PK11Origin origin; /* where this key came from
- (see def in secmodt.h) */
- uint16 series; /* break up the slot info into various groups of
- * inserted tokens so that keys and certs can be
- * invalidated */
-};
-
-
-/*
- * hold a hash, encryption or signing context for multi-part operations.
- * hold enough information so that multiple contexts can be interleaved
- * if necessary. ... Not RefCounted.
- */
-struct PK11ContextStr {
- CK_ATTRIBUTE_TYPE operation; /* type of operation this context is doing
- * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc. */
- PK11SymKey *key; /* symetric key used in this context */
- PK11SlotInfo *slot; /* slot this context is operationing on */
- CK_SESSION_HANDLE session; /* session this context is using */
- PRLock *sessionLock; /* lock before accessing a PKCS #11
- * session */
- PRBool ownSession;/* do we own the session? */
- void *cx; /* window context in case we need to loggin*/
- void *savedData;/* save data when we are multiplexing on a
- * single context */
- unsigned long savedLength; /* length of the saved context */
- SECItem *param; /* mechanism parameters used to build this
- context */
- PRBool init; /* has this contexted been initialized */
- CK_MECHANISM_TYPE type; /* what is the PKCS #11 this context is
- * representing (usually what algorithm is
- * being used (CKM_RSA_PKCS, CKM_DES,
- * CKM_SHA, etc.*/
- PRBool fortezzaHack; /*Fortezza SSL has some special
- * non-standard semantics*/
-};
-
diff --git a/security/nss/lib/pkcs12/Makefile b/security/nss/lib/pkcs12/Makefile
deleted file mode 100644
index 5742208b5..000000000
--- a/security/nss/lib/pkcs12/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/pkcs12/config.mk b/security/nss/lib/pkcs12/config.mk
deleted file mode 100644
index 1684cf3fa..000000000
--- a/security/nss/lib/pkcs12/config.mk
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/pkcs12/manifest.mn b/security/nss/lib/pkcs12/manifest.mn
deleted file mode 100644
index c8b4981d3..000000000
--- a/security/nss/lib/pkcs12/manifest.mn
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- pkcs12t.h \
- pkcs12.h \
- p12plcy.h \
- p12.h \
- p12t.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- p12local.c \
- p12creat.c \
- p12dec.c \
- p12plcy.c \
- p12tmpl.c \
- p12e.c \
- p12d.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = pkcs12
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
deleted file mode 100644
index eac067c93..000000000
--- a/security/nss/lib/pkcs12/p12.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#ifndef _P12_H_
-#define _P12_H_
-
-#include "secoid.h"
-#include "key.h"
-#include "secpkcs7.h"
-#include "p12t.h"
-
-typedef int (* PKCS12OpenFunction)(void *arg);
-typedef int (* PKCS12ReadFunction)(void *arg, unsigned char *buffer,
- unsigned int *lenRead, unsigned int maxLen);
-typedef int (* PKCS12WriteFunction)(void *arg, unsigned char *buffer,
- unsigned int *bufLen, unsigned int *lenWritten);
-typedef int (* PKCS12CloseFunction)(void *arg);
-typedef SECStatus (* PKCS12UnicodeConvertFunction)(PRArenaPool *arena,
- SECItem *dest, SECItem *src,
- PRBool toUnicode,
- PRBool swapBytes);
-typedef void (* SEC_PKCS12EncoderOutputCallback)(void *arg, const char *buf,
- unsigned long len);
-typedef void (* SEC_PKCS12DecoderOutputCallback)(void *arg, const char *buf,
- unsigned long len);
-typedef SECItem * (* SEC_PKCS12NicknameCollisionCallback)(SECItem *old_nickname,
- PRBool *cancel,
- void *arg);
-
-
-
-
-typedef SECStatus (*digestOpenFn)(void *arg, PRBool readData);
-typedef SECStatus (*digestCloseFn)(void *arg, PRBool removeFile);
-typedef int (*digestIOFn)(void *arg, unsigned char *buf,
- unsigned long len);
-
-typedef struct SEC_PKCS12ExportContextStr SEC_PKCS12ExportContext;
-typedef struct SEC_PKCS12SafeInfoStr SEC_PKCS12SafeInfo;
-typedef struct SEC_PKCS12DecoderContextStr SEC_PKCS12DecoderContext;
-
-struct sec_PKCS12PasswordModeInfo {
- SECItem *password;
- SECOidTag algorithm;
-};
-
-struct sec_PKCS12PublicKeyModeInfo {
- CERTCertificate *cert;
- CERTCertDBHandle *certDb;
- SECOidTag algorithm;
- int keySize;
-};
-
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
- CERTCertDBHandle *certDb,
- CERTCertificate *signer,
- CERTCertificate **recipients,
- SECOidTag algorithm, int keysize);
-
-extern SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt,
- SECItem *pwitem, SECOidTag privAlg);
-
-extern SEC_PKCS12SafeInfo *
-SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt);
-
-extern SECStatus
-SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
- SECItem *pwitem, SECOidTag integAlg);
-extern SECStatus
-SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
- CERTCertificate *cert, CERTCertDBHandle *certDb,
- SECOidTag algorithm, int keySize);
-
-extern SEC_PKCS12ExportContext *
-SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,
- PK11SlotInfo *slot, void *wincx);
-
-extern SECStatus
-SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt,
- SEC_PKCS12SafeInfo *safe, void *nestedDest,
- CERTCertificate *cert, CERTCertDBHandle *certDb,
- SECItem *keyId, PRBool includeCertChain);
-
-extern SECStatus
-SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt,
- SEC_PKCS12SafeInfo *safe,
- void *nestedDest, CERTCertificate *cert,
- PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
- SECItem *keyId, SECItem *nickName);
-
-extern SECStatus
-SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt,
- void *certSafe, void *certNestedDest,
- CERTCertificate *cert, CERTCertDBHandle *certDb,
- void *keySafe, void *keyNestedDest,
- PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm);
-
-extern SECStatus
-SEC_PKCS12AddDERCertAndEncryptedKey(SEC_PKCS12ExportContext *p12ctxt,
- void *certSafe, void *certNestedDest, SECItem *derCert,
- void *keySafe, void *keyNestedDest,
- SECKEYEncryptedPrivateKeyInfo *epki, char *nickname);
-
-extern void *
-SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
- void *baseSafe, void *nestedDest);
-
-extern SECStatus
-SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp,
- SEC_PKCS12EncoderOutputCallback output, void *outputarg);
-
-extern void
-SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12exp);
-
-extern SEC_PKCS12DecoderContext *
-SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
- digestOpenFn dOpen, digestCloseFn dClose,
- digestIOFn dRead, digestIOFn dWrite, void *dArg);
-
-extern SECStatus
-SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx, unsigned char *data,
- unsigned long len);
-
-extern void
-SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx);
-
-extern SECStatus
-SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx);
-
-extern SECStatus
-SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
- SEC_PKCS12NicknameCollisionCallback nicknameCb);
-
-extern SECStatus
-SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx);
-
-CERTCertList *
-SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx);
-
-#endif
diff --git a/security/nss/lib/pkcs12/p12creat.c b/security/nss/lib/pkcs12/p12creat.c
deleted file mode 100644
index 65678b299..000000000
--- a/security/nss/lib/pkcs12/p12creat.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "pkcs12.h"
-#include "secitem.h"
-#include "secport.h"
-#include "secder.h"
-#include "secoid.h"
-#include "p12local.h"
-#include "secerr.h"
-
-
-/* allocate space for a PFX structure and set up initial
- * arena pool. pfx structure is cleared and a pointer to
- * the new structure is returned.
- */
-SEC_PKCS12PFXItem *
-sec_pkcs12_new_pfx(void)
-{
- SEC_PKCS12PFXItem *pfx = NULL;
- PRArenaPool *poolp = NULL;
-
- poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); /* XXX Different size? */
- if(poolp == NULL)
- goto loser;
-
- pfx = (SEC_PKCS12PFXItem *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12PFXItem));
- if(pfx == NULL)
- goto loser;
- pfx->poolp = poolp;
-
- return pfx;
-
-loser:
- PORT_FreeArena(poolp, PR_TRUE);
- return NULL;
-}
-
-/* allocate space for a PFX structure and set up initial
- * arena pool. pfx structure is cleared and a pointer to
- * the new structure is returned.
- */
-SEC_PKCS12AuthenticatedSafe *
-sec_pkcs12_new_asafe(PRArenaPool *poolp)
-{
- SEC_PKCS12AuthenticatedSafe *asafe = NULL;
- void *mark;
-
- mark = PORT_ArenaMark(poolp);
- asafe = (SEC_PKCS12AuthenticatedSafe *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12AuthenticatedSafe));
- if(asafe == NULL)
- goto loser;
- asafe->poolp = poolp;
- PORT_Memset(&asafe->old_baggage, 0, sizeof(SEC_PKCS7ContentInfo));
-
- PORT_ArenaUnmark(poolp, mark);
- return asafe;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/* create a safe contents structure with a list of
- * length 0 with the first element being NULL
- */
-SEC_PKCS12SafeContents *
-sec_pkcs12_create_safe_contents(PRArenaPool *poolp)
-{
- SEC_PKCS12SafeContents *safe;
- void *mark;
-
- if(poolp == NULL)
- return NULL;
-
- /* allocate structure */
- mark = PORT_ArenaMark(poolp);
- safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12SafeContents));
- if(safe == NULL)
- {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
- }
-
- /* init list */
- safe->contents = (SEC_PKCS12SafeBag**)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12SafeBag *));
- if(safe->contents == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
- }
- safe->contents[0] = NULL;
- safe->poolp = poolp;
- safe->safe_size = 0;
- PORT_ArenaUnmark(poolp, mark);
- return safe;
-}
-
-/* create a new external bag which is appended onto the list
- * of bags in baggage. the bag is created in the same arena
- * as baggage
- */
-SEC_PKCS12BaggageItem *
-sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage)
-{
- void *dummy, *mark;
- SEC_PKCS12BaggageItem *bag;
-
- if(luggage == NULL) {
- return NULL;
- }
-
- mark = PORT_ArenaMark(luggage->poolp);
-
- /* allocate space for null terminated bag list */
- if(luggage->bags == NULL) {
- luggage->bags=(SEC_PKCS12BaggageItem**)PORT_ArenaZAlloc(luggage->poolp,
- sizeof(SEC_PKCS12BaggageItem *));
- if(luggage->bags == NULL) {
- goto loser;
- }
- luggage->luggage_size = 0;
- }
-
- /* grow the list */
- dummy = PORT_ArenaGrow(luggage->poolp, luggage->bags,
- sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 1),
- sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 2));
- if(dummy == NULL) {
- goto loser;
- }
- luggage->bags = (SEC_PKCS12BaggageItem**)dummy;
-
- luggage->bags[luggage->luggage_size] =
- (SEC_PKCS12BaggageItem *)PORT_ArenaZAlloc(luggage->poolp,
- sizeof(SEC_PKCS12BaggageItem));
- if(luggage->bags[luggage->luggage_size] == NULL) {
- goto loser;
- }
-
- /* create new bag and append it to the end */
- bag = luggage->bags[luggage->luggage_size];
- bag->espvks = (SEC_PKCS12ESPVKItem **)PORT_ArenaZAlloc(
- luggage->poolp,
- sizeof(SEC_PKCS12ESPVKItem *));
- bag->unencSecrets = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(
- luggage->poolp,
- sizeof(SEC_PKCS12SafeBag *));
- if((bag->espvks == NULL) || (bag->unencSecrets == NULL)) {
- goto loser;
- }
-
- bag->poolp = luggage->poolp;
- luggage->luggage_size++;
- luggage->bags[luggage->luggage_size] = NULL;
- bag->espvks[0] = NULL;
- bag->unencSecrets[0] = NULL;
- bag->nEspvks = bag->nSecrets = 0;
-
- PORT_ArenaUnmark(luggage->poolp, mark);
- return bag;
-
-loser:
- PORT_ArenaRelease(luggage->poolp, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
-}
-
-/* creates a baggage witha NULL terminated 0 length list */
-SEC_PKCS12Baggage *
-sec_pkcs12_create_baggage(PRArenaPool *poolp)
-{
- SEC_PKCS12Baggage *luggage;
- void *mark;
-
- if(poolp == NULL)
- return NULL;
-
- mark = PORT_ArenaMark(poolp);
-
- /* allocate bag */
- luggage = (SEC_PKCS12Baggage *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12Baggage));
- if(luggage == NULL)
- {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
- }
-
- /* init list */
- luggage->bags = (SEC_PKCS12BaggageItem **)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12BaggageItem *));
- if(luggage->bags == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
- }
-
- luggage->bags[0] = NULL;
- luggage->luggage_size = 0;
- luggage->poolp = poolp;
-
- PORT_ArenaUnmark(poolp, mark);
- return luggage;
-}
-
-/* free pfx structure and associated items in the arena */
-void
-SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx)
-{
- if (pfx != NULL && pfx->poolp != NULL)
- {
- PORT_FreeArena(pfx->poolp, PR_TRUE);
- }
-}
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
deleted file mode 100644
index aea26a9e9..000000000
--- a/security/nss/lib/pkcs12/p12d.c
+++ /dev/null
@@ -1,3224 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "p12t.h"
-#include "p12.h"
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "p12plcy.h"
-#include "p12local.h"
-#include "alghmac.h"
-#include "secder.h"
-#include "secport.h"
-
-#include "certdb.h"
-
-#include "prcpucfg.h"
-
-typedef struct sec_PKCS12SafeContentsContextStr sec_PKCS12SafeContentsContext;
-
-/* Opaque structure for decoding SafeContents. These are used
- * for each authenticated safe as well as any nested safe contents.
- */
-struct sec_PKCS12SafeContentsContextStr {
- /* the parent decoder context */
- SEC_PKCS12DecoderContext *p12dcx;
-
- /* memory arena to allocate space from */
- PRArenaPool *arena;
-
- /* decoder context and destination for decoding safe contents */
- SEC_ASN1DecoderContext *safeContentsDcx;
- sec_PKCS12SafeContents safeContents;
-
- /* information for decoding safe bags within the safe contents.
- * these variables are updated for each safe bag decoded.
- */
- SEC_ASN1DecoderContext *currentSafeBagDcx;
- sec_PKCS12SafeBag *currentSafeBag;
- PRBool skipCurrentSafeBag;
-
- /* if the safe contents is nested, the parent is pointed to here. */
- sec_PKCS12SafeContentsContext *nestedCtx;
-};
-
-/* opaque decoder context structure. information for decoding a pkcs 12
- * PDU are stored here as well as decoding pointers for intermediary
- * structures which are part of the PKCS 12 PDU. Upon a successful
- * decode, the safe bags containing certificates and keys encountered.
- */
-struct SEC_PKCS12DecoderContextStr {
- PRArenaPool *arena;
- PK11SlotInfo *slot;
- void *wincx;
- PRBool error;
- int errorValue;
-
- /* password */
- SECItem *pwitem;
-
- /* used for decoding the PFX structure */
- SEC_ASN1DecoderContext *pfxDcx;
- sec_PKCS12PFXItem pfx;
-
- /* safe bags found during decoding */
- sec_PKCS12SafeBag **safeBags;
- unsigned int safeBagCount;
-
- /* state variables for decoding authenticated safes. */
- SEC_PKCS7DecoderContext *currentASafeP7Dcx;
- SEC_PKCS5KeyAndPassword *currentASafeKeyPwd;
- SEC_ASN1DecoderContext *aSafeDcx;
- SEC_PKCS7DecoderContext *aSafeP7Dcx;
- sec_PKCS12AuthenticatedSafe authSafe;
- SEC_PKCS7ContentInfo *aSafeCinfo;
- sec_PKCS12SafeContents safeContents;
-
- /* safe contents info */
- unsigned int safeContentsCnt;
- sec_PKCS12SafeContentsContext **safeContentsList;
-
- /* HMAC info */
- sec_PKCS12MacData macData;
- SEC_ASN1DecoderContext *hmacDcx;
-
- /* routines for reading back the data to be hmac'd */
- digestOpenFn dOpen;
- digestCloseFn dClose;
- digestIOFn dRead, dWrite;
- void *dArg;
-
- /* helper functions */
- SECKEYGetPasswordKey pwfn;
- void *pwfnarg;
- PRBool swapUnicodeBytes;
-
- /* import information */
- PRBool bagsVerified;
-};
-
-
-/* make sure that the PFX version being decoded is a version
- * which we support.
- */
-static PRBool
-sec_pkcs12_proper_version(sec_PKCS12PFXItem *pfx)
-{
- /* if no version, assume it is not supported */
- if(pfx->version.len == 0) {
- return PR_FALSE;
- }
-
- if(DER_GetInteger(&pfx->version) > SEC_PKCS12_VERSION) {
- return PR_FALSE;
- }
-
- return PR_TRUE;
-}
-
-/* retrieve the key for decrypting the safe contents */
-static PK11SymKey *
-sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid)
-{
- SEC_PKCS5KeyAndPassword *keyPwd =
- (SEC_PKCS5KeyAndPassword *)arg;
-
- if(!keyPwd) {
- return NULL;
- }
-
- /* if no slot specified, use the internal key slot */
- if(!keyPwd->slot) {
- keyPwd->slot = PK11_GetInternalKeySlot();
- }
-
- /* retrieve the key */
- if(!keyPwd->key) {
- keyPwd->key = PK11_PBEKeyGen(keyPwd->slot, algid,
- keyPwd->pwitem, PR_FALSE, keyPwd->wincx);
- }
-
- return (PK11SymKey *)keyPwd;
-}
-
-/* XXX this needs to be modified to handle enveloped data. most
- * likely, it should mirror the routines for SMIME in that regard.
- */
-static PRBool
-sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid,
- PK11SymKey *bulkkey)
-{
- PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid);
-
- if(!decryptionAllowed) {
- return PR_FALSE;
- }
-
- return PR_TRUE;
-}
-
-/* when we encounter a new safe bag during the decoding, we need
- * to allocate space for the bag to be decoded to and set the
- * state variables appropriately. all of the safe bags are allocated
- * in a buffer in the outer SEC_PKCS12DecoderContext, however,
- * a pointer to the safeBag is also used in the sec_PKCS12SafeContentsContext
- * for the current bag.
- */
-static SECStatus
-sec_pkcs12_decoder_init_new_safe_bag(sec_PKCS12SafeContentsContext
- *safeContentsCtx)
-{
- void *mark = NULL;
- SEC_PKCS12DecoderContext *p12dcx;
-
- /* make sure that the structures are defined, and there has
- * not been an error in the decoding
- */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx
- || safeContentsCtx->p12dcx->error) {
- return SECFailure;
- }
-
- p12dcx = safeContentsCtx->p12dcx;
- mark = PORT_ArenaMark(p12dcx->arena);
-
- /* allocate a new safe bag, if bags already exist, grow the
- * list of bags, otherwise allocate a new list. the list is
- * NULL terminated.
- */
- if(p12dcx->safeBagCount) {
- p12dcx->safeBags =
- (sec_PKCS12SafeBag**)PORT_ArenaGrow(p12dcx->arena,p12dcx->safeBags,
- (p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
- (p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
- } else {
- p12dcx->safeBags = (sec_PKCS12SafeBag**)PORT_ArenaZAlloc(p12dcx->arena,
- 2 * sizeof(sec_PKCS12SafeBag *));
- }
- if(!p12dcx->safeBags) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* append the bag to the end of the list and update the reference
- * in the safeContentsCtx.
- */
- p12dcx->safeBags[p12dcx->safeBagCount] =
- (sec_PKCS12SafeBag*)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(sec_PKCS12SafeBag));
- safeContentsCtx->currentSafeBag = p12dcx->safeBags[p12dcx->safeBagCount];
- p12dcx->safeBags[++p12dcx->safeBagCount] = NULL;
- if(!safeContentsCtx->currentSafeBag) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- safeContentsCtx->currentSafeBag->slot = safeContentsCtx->p12dcx->slot;
- safeContentsCtx->currentSafeBag->pwitem = safeContentsCtx->p12dcx->pwitem;
- safeContentsCtx->currentSafeBag->swapUnicodeBytes =
- safeContentsCtx->p12dcx->swapUnicodeBytes;
- safeContentsCtx->currentSafeBag->arena = safeContentsCtx->p12dcx->arena;
-
- PORT_ArenaUnmark(p12dcx->arena, mark);
- return SECSuccess;
-
-loser:
-
- /* if an error occurred, release the memory and set the error flag
- * the only possible errors triggered by this function are memory
- * related.
- */
- if(mark) {
- PORT_ArenaRelease(p12dcx->arena, mark);
- }
-
- p12dcx->error = PR_TRUE;
- return SECFailure;
-}
-
-/* A wrapper for updating the ASN1 context in which a safeBag is
- * being decoded. This function is called as a callback from
- * secasn1d when decoding SafeContents structures.
- */
-static void
-sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind)
-{
- sec_PKCS12SafeContentsContext *safeContentsCtx =
- (sec_PKCS12SafeContentsContext *)arg;
- SEC_PKCS12DecoderContext *p12dcx;
- SECStatus rv;
-
- /* make sure that we are not skipping the current safeBag,
- * and that there are no errors. If so, just return rather
- * than continuing to process.
- */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx
- || safeContentsCtx->p12dcx->error
- || safeContentsCtx->skipCurrentSafeBag) {
- return;
- }
- p12dcx = safeContentsCtx->p12dcx;
-
- rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagDcx, data, len);
- if(rv != SECSuccess) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- return;
-
-loser:
- /* set the error, and finish the decoder context. because there
- * is not a way of returning an error message, it may be worth
- * while to do a check higher up and finish any decoding contexts
- * that are still open.
- */
- p12dcx->error = PR_TRUE;
- SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
- safeContentsCtx->currentSafeBagDcx = NULL;
- return;
-}
-
-/* forward declarations of functions that are used when decoding
- * safeContents bags which are nested and when decoding the
- * authenticatedSafes.
- */
-static SECStatus
-sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext
- *safeContentsCtx);
-static SECStatus
-sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
- *safeContentsCtx);
-static void
-sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind);
-
-/* notify function for decoding safeBags. This function is
- * used to filter safeBag types which are not supported,
- * initiate the decoding of nested safe contents, and decode
- * safeBags in general. this function is set when the decoder
- * context for the safeBag is first created.
- */
-static void
-sec_pkcs12_decoder_safe_bag_notify(void *arg, PRBool before,
- void *dest, int real_depth)
-{
- sec_PKCS12SafeContentsContext *safeContentsCtx =
- (sec_PKCS12SafeContentsContext *)arg;
- SEC_PKCS12DecoderContext *p12dcx;
- sec_PKCS12SafeBag *bag;
- PRBool after;
-
- /* if an error is encountered, return */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx ||
- safeContentsCtx->p12dcx->error) {
- return;
- }
- p12dcx = safeContentsCtx->p12dcx;
-
- /* to make things more readable */
- if(before)
- after = PR_FALSE;
- else
- after = PR_TRUE;
-
- /* have we determined the safeBagType yet? */
- bag = safeContentsCtx->currentSafeBag;
- if(bag->bagTypeTag == NULL) {
- if(after && (dest == &(bag->safeBagType))) {
- bag->bagTypeTag = SECOID_FindOID(&(bag->safeBagType));
- if(bag->bagTypeTag == NULL) {
- p12dcx->error = PR_TRUE;
- p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
- }
- }
- return;
- }
-
- /* process the safeBag depending on it's type. those
- * which we do not support, are ignored. we start a decoding
- * context for a nested safeContents.
- */
- switch(bag->bagTypeTag->offset) {
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- case SEC_OID_PKCS12_V1_CERT_BAG_ID:
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- break;
- case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
- /* if we are just starting to decode the safeContents, initialize
- * a new safeContentsCtx to process it.
- */
- if(before && (dest == &(bag->safeBagContent))) {
- sec_pkcs12_decoder_begin_nested_safe_contents(safeContentsCtx);
- } else if(after && (dest == &(bag->safeBagContent))) {
- /* clean up the nested decoding */
- sec_pkcs12_decoder_finish_nested_safe_contents(safeContentsCtx);
- }
- break;
- case SEC_OID_PKCS12_V1_CRL_BAG_ID:
- case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
- default:
- /* skip any safe bag types we don't understand or handle */
- safeContentsCtx->skipCurrentSafeBag = PR_TRUE;
- break;
- }
-
- return;
-}
-
-/* notify function for decoding safe contents. each entry in the
- * safe contents is a safeBag which needs to be allocated and
- * the decoding context initialized at the beginning and then
- * the context needs to be closed and finished at the end.
- *
- * this function is set when the safeContents decode context is
- * initialized.
- */
-static void
-sec_pkcs12_decoder_safe_contents_notify(void *arg, PRBool before,
- void *dest, int real_depth)
-{
- sec_PKCS12SafeContentsContext *safeContentsCtx =
- (sec_PKCS12SafeContentsContext*)arg;
- SEC_PKCS12DecoderContext *p12dcx;
- SECStatus rv;
-
- /* if there is an error we don't want to continue processing,
- * just return and keep going.
- */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx
- || safeContentsCtx->p12dcx->error) {
- return;
- }
- p12dcx = safeContentsCtx->p12dcx;
-
- /* if we are done with the current safeBag, then we need to
- * finish the context and set the state variables appropriately.
- */
- if(!before) {
- SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
- SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
- safeContentsCtx->currentSafeBagDcx = NULL;
- safeContentsCtx->skipCurrentSafeBag = PR_FALSE;
- } else {
- /* we are starting a new safe bag. we need to allocate space
- * for the bag and initialize the decoding context.
- */
- rv = sec_pkcs12_decoder_init_new_safe_bag(safeContentsCtx);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- /* set up the decoder context */
- safeContentsCtx->currentSafeBagDcx = SEC_ASN1DecoderStart(p12dcx->arena,
- safeContentsCtx->currentSafeBag,
- sec_PKCS12SafeBagTemplate);
- if(!safeContentsCtx->currentSafeBagDcx) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* set the notify and filter procs so that the safe bag
- * data gets sent to the proper location when decoding.
- */
- SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->currentSafeBagDcx,
- sec_pkcs12_decoder_safe_bag_notify,
- safeContentsCtx);
- SEC_ASN1DecoderSetFilterProc(safeContentsCtx->safeContentsDcx,
- sec_pkcs12_decoder_safe_bag_update,
- safeContentsCtx, PR_TRUE);
- }
-
- return;
-
-loser:
- /* in the event of an error, we want to close the decoding
- * context and clear the filter and notify procedures.
- */
- p12dcx->error = PR_TRUE;
-
- if(safeContentsCtx->currentSafeBagDcx) {
- SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
- safeContentsCtx->currentSafeBagDcx = NULL;
- }
-
- SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->safeContentsDcx);
- SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
-
- return;
-}
-
-/* initialize the safeContents for decoding. this routine
- * is used for authenticatedSafes as well as nested safeContents.
- */
-static sec_PKCS12SafeContentsContext *
-sec_pkcs12_decoder_safe_contents_init_decode(SEC_PKCS12DecoderContext *p12dcx,
- PRBool nestedSafe)
-{
- sec_PKCS12SafeContentsContext *safeContentsCtx = NULL;
- const SEC_ASN1Template *theTemplate;
-
- if(!p12dcx || p12dcx->error) {
- return NULL;
- }
-
- /* allocate a new safeContents list or grow the existing list and
- * append the new safeContents onto the end.
- */
- if(!p12dcx->safeContentsCnt) {
- p12dcx->safeContentsList =
- (sec_PKCS12SafeContentsContext**)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(sec_PKCS12SafeContentsContext *));
- } else {
- p12dcx->safeContentsList =
- (sec_PKCS12SafeContentsContext **) PORT_ArenaGrow(p12dcx->arena,
- p12dcx->safeContentsList,
- (p12dcx->safeContentsCnt *
- sizeof(sec_PKCS12SafeContentsContext *)),
- (1 + p12dcx->safeContentsCnt *
- sizeof(sec_PKCS12SafeContentsContext *)));
- }
- if(!p12dcx->safeContentsList) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- p12dcx->safeContentsList[p12dcx->safeContentsCnt] =
- (sec_PKCS12SafeContentsContext*)PORT_ArenaZAlloc(
- p12dcx->arena,
- sizeof(sec_PKCS12SafeContentsContext));
- p12dcx->safeContentsList[p12dcx->safeContentsCnt+1] = NULL;
- if(!p12dcx->safeContentsList[p12dcx->safeContentsCnt]) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* set up the state variables */
- safeContentsCtx = p12dcx->safeContentsList[p12dcx->safeContentsCnt];
- p12dcx->safeContentsCnt++;
- safeContentsCtx->p12dcx = p12dcx;
- safeContentsCtx->arena = p12dcx->arena;
-
- /* begin the decoding -- the template is based on whether we are
- * decoding a nested safeContents or not.
- */
- if(nestedSafe == PR_TRUE) {
- theTemplate = sec_PKCS12NestedSafeContentsDecodeTemplate;
- } else {
- theTemplate = sec_PKCS12SafeContentsDecodeTemplate;
- }
-
- /* start the decoder context */
- safeContentsCtx->safeContentsDcx = SEC_ASN1DecoderStart(p12dcx->arena,
- &safeContentsCtx->safeContents,
- theTemplate);
-
- if(!safeContentsCtx->safeContentsDcx) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* set the safeContents notify procedure to look for
- * and start the decode of safeBags.
- */
- SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->safeContentsDcx,
- sec_pkcs12_decoder_safe_contents_notify,
- safeContentsCtx);
-
- return safeContentsCtx;
-
-loser:
- /* in the case of an error, we want to finish the decoder
- * context and set the error flag.
- */
- if(safeContentsCtx && safeContentsCtx->safeContentsDcx) {
- SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
- safeContentsCtx->safeContentsDcx = NULL;
- }
-
- p12dcx->error = PR_TRUE;
-
- return NULL;
-}
-
-/* wrapper for updating safeContents. this is set as the filter of
- * safeBag when there is a nested safeContents.
- */
-static void
-sec_pkcs12_decoder_nested_safe_contents_update(void *arg, const char *buf,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind)
-{
- sec_PKCS12SafeContentsContext *safeContentsCtx =
- (sec_PKCS12SafeContentsContext *)arg;
- SEC_PKCS12DecoderContext *p12dcx;
- SECStatus rv;
-
- /* check for an error */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx
- || safeContentsCtx->p12dcx->error) {
- return;
- }
-
- /* no need to update if no data sent in */
- if(!len || !buf) {
- return;
- }
-
- /* update the decoding context */
- p12dcx = safeContentsCtx->p12dcx;
- rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
- if(rv != SECSuccess) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- return;
-
-loser:
- /* handle any errors. If a decoding context is open, close it. */
- p12dcx->error = PR_TRUE;
- if(safeContentsCtx->safeContentsDcx) {
- SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
- safeContentsCtx->safeContentsDcx = NULL;
- }
-}
-
-/* whenever a new safeContentsSafeBag is encountered, we need
- * to init a safeContentsContext.
- */
-static SECStatus
-sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext
- *safeContentsCtx)
-{
- /* check for an error */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx ||
- safeContentsCtx->p12dcx->error) {
- return SECFailure;
- }
-
- safeContentsCtx->nestedCtx = sec_pkcs12_decoder_safe_contents_init_decode(
- safeContentsCtx->p12dcx,
- PR_TRUE);
- if(!safeContentsCtx->nestedCtx) {
- return SECFailure;
- }
-
- /* set up new filter proc */
- SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx,
- sec_pkcs12_decoder_safe_contents_notify,
- safeContentsCtx->nestedCtx);
- SEC_ASN1DecoderSetFilterProc(safeContentsCtx->currentSafeBagDcx,
- sec_pkcs12_decoder_nested_safe_contents_update,
- safeContentsCtx->nestedCtx, PR_TRUE);
-
- return SECSuccess;
-}
-
-/* when the safeContents is done decoding, we need to reset the
- * proper filter and notify procs and close the decoding context
- */
-static SECStatus
-sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
- *safeContentsCtx)
-{
- /* check for error */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx ||
- safeContentsCtx->p12dcx->error) {
- return SECFailure;
- }
-
- /* clean up */
- SEC_ASN1DecoderClearFilterProc(safeContentsCtx->currentSafeBagDcx);
- SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx);
- SEC_ASN1DecoderFinish(safeContentsCtx->nestedCtx->safeContentsDcx);
- safeContentsCtx->nestedCtx->safeContentsDcx = NULL;
- safeContentsCtx->nestedCtx = NULL;
-
- return SECSuccess;
-}
-
-/* wrapper for updating safeContents. This is used when decoding
- * the nested safeContents and any authenticatedSafes.
- */
-static void
-sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf,
- unsigned long len)
-{
- SECStatus rv;
- sec_PKCS12SafeContentsContext *safeContentsCtx =
- (sec_PKCS12SafeContentsContext *)arg;
- SEC_PKCS12DecoderContext *p12dcx;
-
- /* check for error */
- if(!safeContentsCtx || !safeContentsCtx->p12dcx
- || safeContentsCtx->p12dcx->error) {
- return;
- }
- p12dcx = safeContentsCtx->p12dcx;
-
- /* update the decoder */
- rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
- if(rv != SECSuccess) {
- p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
- goto loser;
- }
-
- return;
-
-loser:
- /* set the error and finish the context */
- p12dcx->error = PR_TRUE;
- if(safeContentsCtx->safeContentsDcx) {
- SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
- safeContentsCtx->safeContentsDcx = NULL;
- }
-
- return;
-}
-
-/* this is a wrapper for the ASN1 decoder to call SEC_PKCS7DecoderUpdate
- */
-static void
-sec_pkcs12_decoder_wrap_p7_update(void *arg, const char *data,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind)
-{
- SEC_PKCS7DecoderContext *p7dcx = (SEC_PKCS7DecoderContext *)arg;
-
- SEC_PKCS7DecoderUpdate(p7dcx, data, len);
-}
-
-/* notify function for decoding aSafes. at the beginning,
- * of an authenticatedSafe, we start a decode of a safeContents.
- * at the end, we clean up the safeContents decoder context and
- * reset state variables
- */
-static void
-sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest,
- int real_depth)
-{
- SEC_PKCS12DecoderContext *p12dcx;
- sec_PKCS12SafeContentsContext *safeContentsCtx;
-
- /* make sure no error occurred. */
- p12dcx = (SEC_PKCS12DecoderContext *)arg;
- if(!p12dcx || p12dcx->error) {
- return;
- }
-
- if(before) {
-
- /* init a new safeContentsContext */
- safeContentsCtx = sec_pkcs12_decoder_safe_contents_init_decode(p12dcx,
- PR_FALSE);
- if(!safeContentsCtx) {
- goto loser;
- }
-
- /* set up password and encryption key information */
- p12dcx->currentASafeKeyPwd =
- (SEC_PKCS5KeyAndPassword*)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(SEC_PKCS5KeyAndPassword));
- if(!p12dcx->currentASafeKeyPwd) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
- p12dcx->currentASafeKeyPwd->pwitem = p12dcx->pwitem;
- p12dcx->currentASafeKeyPwd->slot = p12dcx->slot;
- p12dcx->currentASafeKeyPwd->wincx = p12dcx->wincx;
-
- /* initiate the PKCS7ContentInfo decode */
- p12dcx->currentASafeP7Dcx = SEC_PKCS7DecoderStart(
- sec_pkcs12_decoder_safe_contents_callback,
- safeContentsCtx,
- p12dcx->pwfn, p12dcx->pwfnarg,
- sec_pkcs12_decoder_get_decrypt_key,
- p12dcx->currentASafeKeyPwd,
- sec_pkcs12_decoder_decryption_allowed);
- if(!p12dcx->currentASafeP7Dcx) {
- p12dcx->errorValue = PORT_GetError();
- goto loser;
- }
- SEC_ASN1DecoderSetFilterProc(p12dcx->aSafeDcx,
- sec_pkcs12_decoder_wrap_p7_update,
- p12dcx->currentASafeP7Dcx, PR_TRUE);
- }
-
- if(!before) {
- /* if one is being decoded, finish the decode */
- if(p12dcx->currentASafeP7Dcx != NULL) {
- if(!SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx)) {
- p12dcx->currentASafeP7Dcx = NULL;
- p12dcx->errorValue = PORT_GetError();
- goto loser;
- }
- p12dcx->currentASafeP7Dcx = NULL;
- }
- p12dcx->currentASafeP7Dcx = NULL;
- if(p12dcx->currentASafeKeyPwd->key != NULL) {
- p12dcx->currentASafeKeyPwd->key = NULL;
- }
- }
-
-
- return;
-
-loser:
- /* set the error flag */
- p12dcx->error = PR_TRUE;
- return;
-}
-
-/* wrapper for updating asafes decoding context. this function
- * writes data being decoded to disk, so that a mac can be computed
- * later.
- */
-static void
-sec_pkcs12_decoder_asafes_callback(void *arg, const char *buf,
- unsigned long len)
-{
- SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
- SECStatus rv;
-
- if(!p12dcx || p12dcx->error) {
- return;
- }
-
- /* update the context */
- rv = SEC_ASN1DecoderUpdate(p12dcx->aSafeDcx, buf, len);
- if(rv != SECSuccess) {
- p12dcx->error = (PRBool)SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* if we are writing to a file, write out the new information */
- if(p12dcx->dWrite) {
- unsigned long writeLen = (*p12dcx->dWrite)(p12dcx->dArg,
- (unsigned char *)buf, len);
- if(writeLen != len) {
- p12dcx->errorValue = PORT_GetError();
- goto loser;
- }
- }
-
- return;
-
-loser:
- /* set the error flag */
- p12dcx->error = PR_TRUE;
- SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
- p12dcx->aSafeDcx = NULL;
-
- return;
-}
-
-/* start the decode of an authenticatedSafe contentInfo.
- */
-static SECStatus
-sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx)
-{
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- /* start the decode context */
- p12dcx->aSafeDcx = SEC_ASN1DecoderStart(p12dcx->arena,
- &p12dcx->authSafe,
- sec_PKCS12AuthenticatedSafeTemplate);
- if(!p12dcx->aSafeDcx) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* set the notify function */
- SEC_ASN1DecoderSetNotifyProc(p12dcx->aSafeDcx,
- sec_pkcs12_decoder_asafes_notify, p12dcx);
-
- /* begin the authSafe decoder context */
- p12dcx->aSafeP7Dcx = SEC_PKCS7DecoderStart(
- sec_pkcs12_decoder_asafes_callback, p12dcx,
- p12dcx->pwfn, p12dcx->pwfnarg, NULL, NULL, NULL);
- if(!p12dcx->aSafeP7Dcx) {
- p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* open the temp file for writing, if the filter functions were set */
- if(p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE)
- != SECSuccess) {
- p12dcx->errorValue = PORT_GetError();
- goto loser;
- }
-
- return SECSuccess;
-
-loser:
- p12dcx->error = PR_TRUE;
-
- if(p12dcx->aSafeDcx) {
- SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
- p12dcx->aSafeDcx = NULL;
- }
-
- if(p12dcx->aSafeP7Dcx) {
- SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
- p12dcx->aSafeP7Dcx = NULL;
- }
-
- return SECFailure;
-}
-
-/* wrapper for updating the safeContents. this function is used as
- * a filter for the pfx when decoding the authenticated safes
- */
-static void
-sec_pkcs12_decode_asafes_cinfo_update(void *arg, const char *buf,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind)
-{
- SEC_PKCS12DecoderContext *p12dcx;
- SECStatus rv;
-
- p12dcx = (SEC_PKCS12DecoderContext*)arg;
- if(!p12dcx || p12dcx->error) {
- return;
- }
-
- /* update the safeContents decoder */
- rv = SEC_PKCS7DecoderUpdate(p12dcx->aSafeP7Dcx, buf, len);
- if(rv != SECSuccess) {
- p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
- goto loser;
- }
-
- return;
-
-loser:
-
- /* did we find an error? if so, close the context and set the
- * error flag.
- */
- SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
- p12dcx->aSafeP7Dcx = NULL;
- p12dcx->error = PR_TRUE;
-}
-
-/* notify procedure used while decoding the pfx. When we encounter
- * the authSafes, we want to trigger the decoding of authSafes as well
- * as when we encounter the macData, trigger the decoding of it. we do
- * this because we we are streaming the decoder and not decoding in place.
- * the pfx which is the destination, only has the version decoded into it.
- */
-static void
-sec_pkcs12_decoder_pfx_notify_proc(void *arg, PRBool before, void *dest,
- int real_depth)
-{
- SECStatus rv;
- SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext*)arg;
-
- /* if an error occurrs, clear the notifyProc and the filterProc
- * and continue.
- */
- if(p12dcx->error) {
- SEC_ASN1DecoderClearNotifyProc(p12dcx->pfxDcx);
- SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
- return;
- }
-
- if(before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
-
- /* we want to make sure this is a version we support */
- if(!sec_pkcs12_proper_version(&p12dcx->pfx)) {
- p12dcx->errorValue = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
- goto loser;
- }
-
- /* start the decode of the aSafes cinfo... */
- rv = sec_pkcs12_decode_start_asafes_cinfo(p12dcx);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- /* set the filter proc to update the authenticated safes. */
- SEC_ASN1DecoderSetFilterProc(p12dcx->pfxDcx,
- sec_pkcs12_decode_asafes_cinfo_update,
- p12dcx, PR_TRUE);
- }
-
- if(!before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
-
- /* we are done decoding the authenticatedSafes, so we need to
- * finish the decoderContext and clear the filter proc
- * and close the hmac callback, if present
- */
- p12dcx->aSafeCinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
- p12dcx->aSafeP7Dcx = NULL;
- if(!p12dcx->aSafeCinfo) {
- p12dcx->errorValue = PORT_GetError();
- goto loser;
- }
- SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
- if(p12dcx->dClose && ((*p12dcx->dClose)(p12dcx->dArg, PR_FALSE)
- != SECSuccess)) {
- p12dcx->errorValue = PORT_GetError();
- goto loser;
- }
-
- }
-
- return;
-
-loser:
- p12dcx->error = PR_TRUE;
-}
-
-/* SEC_PKCS12DecoderStart
- * Creates a decoder context for decoding a PKCS 12 PDU objct.
- * This function sets up the initial decoding context for the
- * PFX and sets the needed state variables.
- *
- * pwitem - the password for the hMac and any encoded safes.
- * this should be changed to take a callback which retrieves
- * the password. it may be possible for different safes to
- * have different passwords. also, the password is already
- * in unicode. it should probably be converted down below via
- * a unicode conversion callback.
- * slot - the slot to import the dataa into should multiple slots
- * be supported based on key type and cert type?
- * dOpen, dClose, dRead, dWrite - digest routines for writing data
- * to a file so it could be read back and the hmack recomputed
- * and verified. doesn't seem to be away for both encoding
- * and decoding to be single pass, thus the need for these
- * routines.
- * dArg - the argument for dOpen, etc.
- *
- * This function returns the decoder context, if it was successful.
- * Otherwise, null is returned.
- */
-SEC_PKCS12DecoderContext *
-SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
- digestOpenFn dOpen, digestCloseFn dClose,
- digestIOFn dRead, digestIOFn dWrite, void *dArg)
-{
- SEC_PKCS12DecoderContext *p12dcx;
- PRArenaPool *arena;
-
- arena = PORT_NewArena(2048); /* different size? */
- if(!arena) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- /* allocate the decoder context and set the state variables */
- p12dcx = (SEC_PKCS12DecoderContext*)PORT_ArenaZAlloc(arena, sizeof(SEC_PKCS12DecoderContext));
- if(!p12dcx) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- p12dcx->arena = arena;
- p12dcx->pwitem = pwitem;
- p12dcx->slot = (slot ? slot : PK11_GetInternalKeySlot());
- p12dcx->wincx = wincx;
-#ifdef IS_LITTLE_ENDIAN
- p12dcx->swapUnicodeBytes = PR_TRUE;
-#else
- p12dcx->swapUnicodeBytes = PR_FALSE;
-#endif
- p12dcx->errorValue = 0;
- p12dcx->error = PR_FALSE;
-
- /* a slot is *required */
- if(!slot) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* start the decoding of the PFX and set the notify proc
- * for the PFX item.
- */
- p12dcx->pfxDcx = SEC_ASN1DecoderStart(p12dcx->arena, &p12dcx->pfx,
- sec_PKCS12PFXItemTemplate);
- if(!p12dcx->pfxDcx) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- SEC_ASN1DecoderSetNotifyProc(p12dcx->pfxDcx,
- sec_pkcs12_decoder_pfx_notify_proc,
- p12dcx);
-
- /* set up digest functions */
- p12dcx->dOpen = dOpen;
- p12dcx->dWrite = dWrite;
- p12dcx->dClose = dClose;
- p12dcx->dRead = dRead;
- p12dcx->dArg = dArg;
-
- return p12dcx;
-
-loser:
- PORT_FreeArena(arena, PR_TRUE);
- return NULL;
-}
-
-/* SEC_PKCS12DecoderUpdate
- * Streaming update sending more data to the decoder. If
- * an error occurs, SECFailure is returned.
- *
- * p12dcx - the decoder context
- * data, len - the data buffer and length of data to send to
- * the update functions.
- */
-SECStatus
-SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx,
- unsigned char *data, unsigned long len)
-{
- SECStatus rv;
-
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- /* update the PFX decoder context */
- rv = SEC_ASN1DecoderUpdate(p12dcx->pfxDcx, (const char *)data, len);
- if(rv != SECSuccess) {
- p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
- goto loser;
- }
-
- return SECSuccess;
-
-loser:
-
- p12dcx->error = PR_TRUE;
- return SECFailure;
-}
-
-/* IN_BUF_LEN should be larger than SHA1_LENGTH */
-#define IN_BUF_LEN 80
-
-/* verify the hmac by reading the data from the temporary file
- * using the routines specified when the decodingContext was
- * created and return SECSuccess if the hmac matches.
- */
-static SECStatus
-sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
-{
- SECStatus rv = SECFailure;
- PBEBitGenContext *pbeCtxt = NULL;
- SECItem *hmacKey = NULL, hmacRes;
- unsigned char buf[IN_BUF_LEN];
- void *hmacCx;
- unsigned int bufLen;
- int iteration;
-
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- /* generate hmac key */
- if(p12dcx->macData.iter.data) {
- iteration = (int)DER_GetInteger(&p12dcx->macData.iter);
- } else {
- iteration = 1;
- }
- pbeCtxt = PBE_CreateContext(SECOID_GetAlgorithmTag(
- &p12dcx->macData.safeMac.digestAlgorithm),
- pbeBitGenIntegrityKey, p12dcx->pwitem,
- &p12dcx->macData.macSalt, 160, iteration);
- if(!pbeCtxt) {
- return SECFailure;
- }
- hmacKey = PBE_GenerateBits(pbeCtxt);
- PBE_DestroyContext(pbeCtxt);
- pbeCtxt = NULL;
- if(!hmacKey) {
- return SECFailure;
- }
-
- /* init hmac */
- hmacCx = HMAC_Create(SECOID_GetAlgorithmTag(
- &p12dcx->macData.safeMac.digestAlgorithm),
- hmacKey->data, hmacKey->len);
- SECITEM_ZfreeItem(hmacKey, PR_TRUE);
- hmacKey = NULL;
- if(!hmacCx) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- HMAC_Begin((HMACContext*)hmacCx);
-
- /* try to open the data for readback */
- if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE)
- != SECSuccess)) {
- goto loser;
- }
-
- /* read the data back IN_BUF_LEN bytes at a time and recompute
- * the hmac. if fewer bytes are read than are requested, it is
- * assumed that the end of file has been reached. if bytesRead
- * is returned as -1, then an error occured reading from the
- * file.
- */
- while(1) {
- int bytesRead = (*p12dcx->dRead)(p12dcx->dArg, buf, IN_BUF_LEN);
- if(bytesRead == -1) {
- goto loser;
- }
-
- HMAC_Update((HMACContext*)hmacCx, buf, bytesRead);
- if(bytesRead < IN_BUF_LEN) {
- break;
- }
- }
-
- /* finish the hmac context */
- HMAC_Finish((HMACContext*)hmacCx, buf, &bufLen, IN_BUF_LEN);
- HMAC_Destroy((HMACContext*)hmacCx);
- hmacCx = NULL;
-
- hmacRes.data = buf;
- hmacRes.len = bufLen;
-
- /* is the hmac computed the same as the hmac which was decoded? */
- rv = SECSuccess;
- if(SECITEM_CompareItem(&hmacRes, &p12dcx->macData.safeMac.digest)
- != SECEqual) {
- PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
- rv = SECFailure;
- }
-
-loser:
- /* close the file and remove it */
- if(p12dcx->dClose) {
- (*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
- }
-
- if(hmacCx) {
- HMAC_Destroy((HMACContext*)hmacCx);
- }
-
- if(hmacKey) {
- SECITEM_ZfreeItem(hmacKey, PR_TRUE);
- }
-
- return rv;
-}
-
-/* SEC_PKCS12DecoderVerify
- * Verify the macData or the signature of the decoded PKCS 12 PDU.
- * If the signature or the macData do not match, SECFailure is
- * returned.
- *
- * p12dcx - the decoder context
- */
-SECStatus
-SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx)
-{
- SECStatus rv = SECSuccess;
-
- /* make sure that no errors have occured... */
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- /* check the signature or the mac depending on the type of
- * integrity used.
- */
- if(p12dcx->pfx.encodedMacData.len) {
- rv = SEC_ASN1DecodeItem(p12dcx->arena, &p12dcx->macData,
- sec_PKCS12MacDataTemplate,
- &p12dcx->pfx.encodedMacData);
- if(rv == SECSuccess) {
- return sec_pkcs12_decoder_verify_mac(p12dcx);
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- } else {
- if(SEC_PKCS7VerifySignature(p12dcx->aSafeCinfo, certUsageEmailSigner,
- PR_FALSE)) {
- return SECSuccess;
- } else {
- PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
- }
- }
-
- return SECFailure;
-}
-
-/* SEC_PKCS12DecoderFinish
- * Free any open ASN1 or PKCS7 decoder contexts and then
- * free the arena pool which everything should be allocated
- * from. This function should be called upon completion of
- * decoding and installing of a pfx pdu. This should be
- * called even if an error occurs.
- *
- * p12dcx - the decoder context
- */
-void
-SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx)
-{
- void *freedCtxt = NULL;
-
- if(!p12dcx) {
- return;
- }
-
- if(p12dcx->pfxDcx) {
- SEC_ASN1DecoderFinish(p12dcx->pfxDcx);
- p12dcx->pfxDcx = NULL;
- }
-
- if(p12dcx->aSafeDcx) {
- SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
- p12dcx->aSafeDcx = NULL;
- }
-
- if(p12dcx->currentASafeP7Dcx) {
- SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
- p12dcx->currentASafeP7Dcx = NULL;
- }
-
- if(p12dcx->aSafeP7Dcx) {
- SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
- }
-
- if(p12dcx->hmacDcx) {
- SEC_ASN1DecoderFinish(p12dcx->hmacDcx);
- p12dcx->hmacDcx = NULL;
- }
-
- if(p12dcx->arena) {
- PORT_FreeArena(p12dcx->arena, PR_TRUE);
- }
-}
-
-static SECStatus
-sec_pkcs12_decoder_set_attribute_value(sec_PKCS12SafeBag *bag,
- SECOidTag attributeType,
- SECItem *attrValue)
-{
- int i = 0;
- SECOidData *oid;
-
- if(!bag || !attrValue) {
- return SECFailure;
- }
-
- oid = SECOID_FindOIDByTag(attributeType);
- if(!oid) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- if(!bag->attribs) {
- bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena,
- sizeof(sec_PKCS12Attribute *) * 2);
- } else {
- while(bag->attribs[i]) i++;
- bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena,
- bag->attribs,
- (i + 1) * sizeof(sec_PKCS12Attribute *),
- (i + 2) * sizeof(sec_PKCS12Attribute *));
- }
-
- if(!bag->attribs) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- bag->attribs[i] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena,
- sizeof(sec_PKCS12Attribute));
- if(!bag->attribs) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- bag->attribs[i]->attrValue = (SECItem**)PORT_ArenaZAlloc(bag->arena,
- sizeof(SECItem *) * 2);
- if(!bag->attribs[i]->attrValue) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- bag->attribs[i+1] = NULL;
- bag->attribs[i]->attrValue[0] = attrValue;
- bag->attribs[i]->attrValue[1] = NULL;
-
- if(SECITEM_CopyItem(bag->arena, &bag->attribs[i]->attrType, &oid->oid)
- != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-static SECItem *
-sec_pkcs12_get_attribute_value(sec_PKCS12SafeBag *bag,
- SECOidTag attributeType)
-{
- int i = 0;
-
- if(!bag->attribs) {
- return NULL;
- }
-
- while(bag->attribs[i] != NULL) {
- if(SECOID_FindOIDTag(&bag->attribs[i]->attrType)
- == attributeType) {
- return bag->attribs[i]->attrValue[0];
- }
- i++;
- }
-
- return NULL;
-}
-
-/* For now, this function will merely remove any ":"
- * in the nickname which the PK11 functions may have
- * placed there. This will keep dual certs from appearing
- * twice under "Your" certificates when imported onto smart
- * cards. Once with the name "Slot:Cert" and another with
- * the nickname "Slot:Slot:Cert"
- */
-static void
-sec_pkcs12_sanitize_nickname(PK11SlotInfo *slot, SECItem *nick)
-{
- char *nickname;
- char *delimit;
- int delimitlen;
-
- nickname = (char*)nick->data; /*Mac breaks without this type cast*/
- if ((delimit = PORT_Strchr(nickname, ':')) != NULL) {
- char *slotName;
- int slotNameLen;
-
- slotNameLen = delimit-nickname;
- slotName = PORT_NewArray(char, (slotNameLen+1));
- PORT_Assert(slotName);
- if (slotName == NULL) {
- /* What else can we do?*/
- return;
- }
- PORT_Memcpy(slotName, nickname, slotNameLen);
- slotName[slotNameLen] = '\0';
- if (PORT_Strcmp(PK11_GetTokenName(slot), slotName) == 0) {
- delimitlen = PORT_Strlen(delimit+1);
- PORT_Memmove(nickname, delimit+1, delimitlen+1);
- nick->len = delimitlen;
- }
- PORT_Free(slotName);
- }
-
-}
-
-static SECItem *
-sec_pkcs12_get_nickname(sec_PKCS12SafeBag *bag)
-{
- SECItem *src, *dest;
-
- if(!bag) {
- bag->problem = PR_TRUE;
- bag->error = SEC_ERROR_NO_MEMORY;
- return NULL;
- }
-
- src = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
- if(!src) {
- return NULL;
- }
-
- dest = (SECItem*)PORT_ZAlloc(sizeof(SECItem));
- if(!dest) {
- goto loser;
- }
- if(!sec_pkcs12_convert_item_to_unicode(NULL, dest, src, PR_FALSE,
- PR_FALSE, PR_FALSE)) {
- goto loser;
- }
-
- sec_pkcs12_sanitize_nickname(bag->slot, dest);
-
- return dest;
-
-loser:
- if(dest) {
- SECITEM_ZfreeItem(dest, PR_TRUE);
- }
-
- bag->problem = PR_TRUE;
- bag->error = PORT_GetError();
- return NULL;
-}
-
-static SECStatus
-sec_pkcs12_set_nickname(sec_PKCS12SafeBag *bag, SECItem *name)
-{
- int i = 0;
- sec_PKCS12Attribute *attr = NULL;
- SECOidData *oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_FRIENDLY_NAME);
-
- if(!bag || !bag->arena || !name) {
- return SECFailure;
- }
-
- if(!bag->attribs) {
- if(!oid) {
- goto loser;
- }
-
- bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena,
- sizeof(sec_PKCS12Attribute *)*2);
- if(!bag->attribs) {
- goto loser;
- }
- bag->attribs[0] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena,
- sizeof(sec_PKCS12Attribute));
- if(!bag->attribs[0]) {
- goto loser;
- }
- bag->attribs[1] = NULL;
-
- attr = bag->attribs[0];
- if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid)
- != SECSuccess) {
- goto loser;
- }
- } else {
- while(bag->attribs[i]) {
- if(SECOID_FindOIDTag(&bag->attribs[i]->attrType)
- == SEC_OID_PKCS9_FRIENDLY_NAME) {
- attr = bag->attribs[i];
- goto have_attrib;
-
- }
- i++;
- }
- if(!attr) {
- bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena,
- bag->attribs,
- (i+1) * sizeof(sec_PKCS12Attribute *),
- (i+2) * sizeof(sec_PKCS12Attribute *));
- if(!bag->attribs) {
- goto loser;
- }
- bag->attribs[i] =
- (sec_PKCS12Attribute *)PORT_ArenaZAlloc(bag->arena,
- sizeof(sec_PKCS12Attribute));
- if(!bag->attribs[i]) {
- goto loser;
- }
- bag->attribs[i+1] = NULL;
- attr = bag->attribs[i];
- if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid)
- != SECSuccess) {
- goto loser;
- }
- }
- }
-have_attrib:
- PORT_Assert(attr);
- if(!attr->attrValue) {
- attr->attrValue = (SECItem **)PORT_ArenaZAlloc(bag->arena,
- sizeof(SECItem *) * 2);
- if(!attr->attrValue) {
- goto loser;
- }
- attr->attrValue[0] = (SECItem*)PORT_ArenaZAlloc(bag->arena,
- sizeof(SECItem));
- if(!attr->attrValue[0]) {
- goto loser;
- }
- attr->attrValue[1] = NULL;
- }
-
- name->len = PORT_Strlen((char *)name->data);
- if(!sec_pkcs12_convert_item_to_unicode(bag->arena, attr->attrValue[0],
- name, PR_FALSE, PR_FALSE, PR_TRUE)) {
- goto loser;
- }
-
- return SECSuccess;
-
-loser:
- bag->problem = PR_TRUE;
- bag->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
-}
-
-static SECStatus
-sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key)
-{
- int i = 0;
- SECKEYPrivateKeyInfo *pki = NULL;
-
- if(!key) {
- return SECFailure;
- }
-
- /* if the bag does *not* contain an unencrypted PrivateKeyInfo
- * then we cannot convert the attributes. We are propagating
- * attributes within the PrivateKeyInfo to the SafeBag level.
- */
- if(SECOID_FindOIDTag(&(key->safeBagType)) !=
- SEC_OID_PKCS12_V1_KEY_BAG_ID) {
- return SECSuccess;
- }
-
- pki = key->safeBagContent.pkcs8KeyBag;
-
- if(!pki || !pki->attributes) {
- return SECSuccess;
- }
-
- while(pki->attributes[i]) {
- SECItem *attrValue = NULL;
-
- if(SECOID_FindOIDTag(&pki->attributes[i]->attrType) ==
- SEC_OID_PKCS9_LOCAL_KEY_ID) {
- attrValue = sec_pkcs12_get_attribute_value(key,
- SEC_OID_PKCS9_LOCAL_KEY_ID);
- if(!attrValue) {
- if(sec_pkcs12_decoder_set_attribute_value(key,
- SEC_OID_PKCS9_LOCAL_KEY_ID,
- pki->attributes[i]->attrValue[0])
- != SECSuccess) {
- key->problem = PR_TRUE;
- key->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
- }
- }
-
- if(SECOID_FindOIDTag(&pki->attributes[i]->attrType) ==
- SEC_OID_PKCS9_FRIENDLY_NAME) {
- attrValue = sec_pkcs12_get_attribute_value(key,
- SEC_OID_PKCS9_FRIENDLY_NAME);
- if(!attrValue) {
- if(sec_pkcs12_decoder_set_attribute_value(key,
- SEC_OID_PKCS9_FRIENDLY_NAME,
- pki->attributes[i]->attrValue[0])
- != SECSuccess) {
- key->problem = PR_TRUE;
- key->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
- }
- }
-
- i++;
- }
-
- return SECSuccess;
-}
-
-/* retrieve the nickname for the certificate bag. first look
- * in the cert bag, otherwise get it from the key.
- */
-static SECItem *
-sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
- sec_PKCS12SafeBag *key,
- void *wincx)
-{
- SECItem *nickname;
-
- if(!cert) {
- return NULL;
- }
-
- nickname = sec_pkcs12_get_nickname(cert);
- if(nickname) {
- return nickname;
- }
-
- if(key) {
- nickname = sec_pkcs12_get_nickname(key);
-
- if(nickname && sec_pkcs12_set_nickname(cert, nickname)
- != SECSuccess) {
- cert->error = SEC_ERROR_NO_MEMORY;
- cert->problem = PR_TRUE;
- if(nickname) {
- SECITEM_ZfreeItem(nickname, PR_TRUE);
- }
- return NULL;
- }
- }
-
- return nickname;
-}
-
-/* set the nickname for the certificate */
-static SECStatus
-sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert,
- sec_PKCS12SafeBag *key,
- SECItem *nickname,
- void *wincx)
-{
- if(!nickname || !cert) {
- return SECFailure;
- }
-
- if(sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) {
- cert->error = SEC_ERROR_NO_MEMORY;
- cert->problem = PR_TRUE;
- return SECFailure;
- }
-
- if(key) {
- if(sec_pkcs12_set_nickname(key, nickname) != SECSuccess) {
- cert->error = SEC_ERROR_NO_MEMORY;
- cert->problem = PR_TRUE;
- return SECFailure;
- }
- }
-
- return SECSuccess;
-}
-
-/* retrieve the DER cert from the cert bag */
-static SECItem *
-sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert)
-{
- if(!cert) {
- return NULL;
- }
-
- if(SECOID_FindOIDTag(&cert->safeBagType) != SEC_OID_PKCS12_V1_CERT_BAG_ID) {
- return NULL;
- }
-
- /* only support X509 certs not SDSI */
- if(SECOID_FindOIDTag(&cert->safeBagContent.certBag->bagID)
- != SEC_OID_PKCS9_X509_CERT) {
- return NULL;
- }
-
- return SECITEM_DupItem(&(cert->safeBagContent.certBag->value.x509Cert));
-}
-
-struct certNickInfo {
- PRArenaPool *arena;
- unsigned int nNicks;
- SECItem **nickList;
- unsigned int error;
-};
-
-/* callback for traversing certificates to gather the nicknames
- * used in a particular traversal. for instance, when using
- * CERT_TraversePermCertsForSubject, gather the nicknames and
- * store them in the certNickInfo for a particular DN.
- *
- * this handles the case where multiple nicknames are allowed
- * for the same dn, which is not currently allowed, but may be
- * in the future.
- */
-static SECStatus
-gatherNicknames(CERTCertificate *cert, void *arg)
-{
- struct certNickInfo *nickArg = (struct certNickInfo *)arg;
- SECItem tempNick;
- unsigned int i;
-
- if(!cert || !nickArg || nickArg->error) {
- return SECFailure;
- }
-
- if(!cert->nickname) {
- return SECSuccess;
- }
-
- tempNick.data = (unsigned char *)cert->nickname;
- tempNick.len = PORT_Strlen(cert->nickname) + 1;
-
- /* do we already have the nickname in the list? */
- if(nickArg->nNicks > 0) {
-
- /* nicknames have been encountered, but there is no list -- bad */
- if(!nickArg->nickList) {
- nickArg->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
-
- for(i = 0; i < nickArg->nNicks; i++) {
- if(SECITEM_CompareItem(nickArg->nickList[i], &tempNick)
- == SECEqual) {
- return SECSuccess;
- }
- }
- }
-
- /* add the nickname to the list */
- if(nickArg->nNicks == 0) {
- nickArg->nickList = (SECItem **)PORT_ArenaZAlloc(nickArg->arena,
- 2 * sizeof(SECItem *));
- } else {
- nickArg->nickList = (SECItem **)PORT_ArenaGrow(nickArg->arena,
- nickArg->nickList,
- (nickArg->nNicks + 1) * sizeof(SECItem *),
- (nickArg->nNicks + 2) * sizeof(SECItem *));
- }
- if(!nickArg->nickList) {
- nickArg->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
-
- nickArg->nickList[nickArg->nNicks] =
- (SECItem *)PORT_ArenaZAlloc(nickArg->arena, sizeof(SECItem));
- if(!nickArg->nickList[nickArg->nNicks]) {
- nickArg->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
-
-
- if(SECITEM_CopyItem(nickArg->arena, nickArg->nickList[nickArg->nNicks],
- &tempNick) != SECSuccess) {
- nickArg->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
-
- nickArg->nNicks++;
-
- return SECSuccess;
-}
-
-/* traverses the certs in the data base or in the token for the
- * DN to see if any certs currently have a nickname set.
- * If so, return it.
- */
-static SECItem *
-sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert, void *wincx)
-{
- struct certNickInfo *nickArg = NULL;
- SECItem *derCert, *returnDn = NULL;
- PRArenaPool *arena = NULL;
- CERTCertificate *tempCert;
-
- if(!cert) {
- return NULL;
- }
-
- derCert = sec_pkcs12_get_der_cert(cert);
- if(!derCert) {
- return NULL;
- }
-
- tempCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), derCert, NULL,
- PR_FALSE, PR_TRUE);
- if(!tempCert) {
- returnDn = NULL;
- goto loser;
- }
-
- arena = PORT_NewArena(1024);
- if(!arena) {
- returnDn = NULL;
- goto loser;
- }
- nickArg = (struct certNickInfo *)PORT_ArenaZAlloc(arena,
- sizeof(struct certNickInfo));
- if(!nickArg) {
- returnDn = NULL;
- goto loser;
- }
- nickArg->error = 0;
- nickArg->nNicks = 0;
- nickArg->nickList = NULL;
- nickArg->arena = arena;
-
- /* if the token is local, first traverse the cert database
- * then traverse the token.
- */
- if(PK11_IsInternal(cert->slot)) {
- if(CERT_TraversePermCertsForSubject(CERT_GetDefaultCertDB(),
- &tempCert->derSubject, gatherNicknames,
- nickArg) != SECSuccess) {
- returnDn = NULL;
- goto loser;
- }
- }
-
- if(PK11_TraverseCertsForSubjectInSlot(tempCert, cert->slot, gatherNicknames,
- (void *)nickArg) != SECSuccess) {
- returnDn = NULL;
- goto loser;
- }
-
- if(nickArg->error) {
- /* XXX do we want to set the error? */
- returnDn = NULL;
- goto loser;
- }
-
- if(nickArg->nNicks == 0) {
- returnDn = NULL;
- goto loser;
- }
-
- /* set it to the first name, for now. handle multiple names? */
- returnDn = SECITEM_DupItem(nickArg->nickList[0]);
-
-loser:
- if(arena) {
- PORT_FreeArena(arena, PR_TRUE);
- }
-
- if(tempCert) {
- CERT_DestroyCertificate(tempCert);
- }
-
- if(derCert) {
- SECITEM_FreeItem(derCert, PR_TRUE);
- }
-
- return (returnDn);
-}
-
-/* counts certificates found for a given traversal function */
-static SECStatus
-countCertificate(CERTCertificate *cert, void *arg)
-{
- unsigned int *nCerts = (unsigned int *)arg;
-
- if(!cert || !arg) {
- return SECFailure;
- }
-
- (*nCerts)++;
- return SECSuccess;
-}
-
-static PRBool
-sec_pkcs12_certs_for_nickname_exist(SECItem *nickname, PK11SlotInfo *slot)
-{
- unsigned int nCerts = 0;
-
- if(!nickname || !slot) {
- return PR_TRUE;
- }
-
- /* we want to check the local database first if we are importing to it */
- if(PK11_IsInternal(slot)) {
- CERT_TraversePermCertsForNickname(CERT_GetDefaultCertDB(),
- (char *)nickname->data,
- countCertificate, (void *)&nCerts);
- }
-
- PK11_TraverseCertsForNicknameInSlot(nickname, slot, countCertificate,
- (void *)&nCerts);
- if(nCerts) return PR_TRUE;
-
- return PR_FALSE;
-}
-
-/* validate cert nickname such that there is a one-to-one relation
- * between nicknames and dn's. we want to enforce the case that the
- * nickname is non-NULL and that there is only one nickname per DN.
- *
- * if there is a problem with a nickname or the nickname is not present,
- * the user will be prompted for it.
- */
-static void
-sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
- sec_PKCS12SafeBag *key,
- SEC_PKCS12NicknameCollisionCallback nicknameCb,
- void *wincx)
-{
- SECItem *certNickname, *existingDNNick;
- PRBool setNickname = PR_FALSE, cancel = PR_FALSE;
- SECItem *newNickname = NULL;
-
- if(!cert || !cert->hasKey) {
- return;
- }
-
- if(!nicknameCb) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- return;
- }
-
- if(cert->hasKey && !key) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- return;
- }
-
- certNickname = sec_pkcs12_get_nickname_for_cert(cert, key, wincx);
- existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert, wincx);
-
- /* nickname is already used w/ this dn, so it is safe to return */
- if(certNickname && existingDNNick &&
- SECITEM_CompareItem(certNickname, existingDNNick) == SECEqual) {
- goto loser;
- }
-
- /* nickname not set in pkcs 12 bags, but a nick is already used for
- * this dn. set the nicks in the p12 bags and finish.
- */
- if(existingDNNick) {
- if(sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick, wincx)
- != SECSuccess) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- }
- goto loser;
- }
-
- /* at this point, we have a certificate for which the DN is not located
- * on the token. the nickname specified may or may not be NULL. if it
- * is not null, we need to make sure that there are no other certificates
- * with this nickname in the token for it to be valid. this imposes a
- * one to one relationship between DN and nickname.
- *
- * if the nickname is null, we need the user to enter a nickname for
- * the certificate.
- *
- * once we have a nickname, we make sure that the nickname is unique
- * for the DN. if it is not, the user is reprompted to enter a new
- * nickname.
- *
- * in order to exit this loop, the nickname entered is either unique
- * or the user hits cancel and the certificate is not imported.
- */
- setNickname = PR_FALSE;
- while(1) {
- if(certNickname && certNickname->data) {
- /* we will use the nickname so long as no other certs have the
- * same nickname. and the nickname is not NULL.
- */
- if(!sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) {
- if(setNickname) {
- if(sec_pkcs12_set_nickname_for_cert(cert, key, certNickname,
- wincx) != SECSuccess) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- }
- }
- goto loser;
- }
- }
-
- setNickname = PR_FALSE;
- newNickname = (*nicknameCb)(certNickname, &cancel, wincx);
- if(cancel) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_USER_CANCELLED;
- goto loser;
- }
-
- if(!newNickname) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- /* at this point we have a new nickname, if we have an existing
- * certNickname, we need to free it and assign the new nickname
- * to it to avoid a memory leak. happy?
- */
- if(certNickname) {
- SECITEM_ZfreeItem(certNickname, PR_TRUE);
- certNickname = NULL;
- }
-
- certNickname = newNickname;
- setNickname = PR_TRUE;
- /* go back and recheck the new nickname */
- }
-
-loser:
- if(certNickname) {
- SECITEM_ZfreeItem(certNickname, PR_TRUE);
- }
-
- if(existingDNNick) {
- SECITEM_ZfreeItem(existingDNNick, PR_TRUE);
- }
-}
-
-static void
-sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
- sec_PKCS12SafeBag *key,
- SEC_PKCS12NicknameCollisionCallback nicknameCb,
- void *wincx)
-{
- CERTCertificate *leafCert, *testCert;
-
- if(!cert) {
- return;
- }
-
- cert->validated = PR_TRUE;
-
- if(!nicknameCb) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- cert->noInstall = PR_TRUE;
- return;
- }
-
- if(!cert->safeBagContent.certBag) {
- cert->noInstall = PR_TRUE;
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
- return;
- }
-
- cert->noInstall = PR_FALSE;
- cert->removeExisting = PR_FALSE;
- cert->problem = PR_FALSE;
- cert->error = 0;
-
- leafCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- &cert->safeBagContent.certBag->value.x509Cert,
- NULL, PR_FALSE, PR_TRUE);
- if(!leafCert) {
- cert->noInstall = PR_TRUE;
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- return;
- }
-
- testCert = PK11_FindCertFromDERCert(cert->slot, leafCert, wincx);
- CERT_DestroyCertificate(leafCert);
- /* if we can't find the certificate through the PKCS11 interface,
- * we should check the cert database directly, if we are
- * importing to an internal slot.
- */
- if(!testCert && PK11_IsInternal(cert->slot)) {
- testCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
- &cert->safeBagContent.certBag->value.x509Cert);
- }
-
- if(testCert) {
- if(!testCert->nickname) {
- cert->removeExisting = PR_TRUE;
- } else {
- cert->noInstall = PR_TRUE;
- }
- CERT_DestroyCertificate(testCert);
- if(cert->noInstall && !cert->removeExisting) {
- return;
- }
- }
-
- sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, wincx);
-}
-
-static void
-sec_pkcs12_validate_key_by_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key,
- void *wincx)
-{
- CERTCertificate *leafCert;
- SECKEYPrivateKey *privk;
-
- if(!key) {
- return;
- }
-
- key->validated = PR_TRUE;
-
- if(!cert) {
- key->problem = PR_TRUE;
- key->noInstall = PR_TRUE;
- key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
- return;
- }
-
- leafCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- &(cert->safeBagContent.certBag->value.x509Cert),
- NULL, PR_FALSE, PR_TRUE);
- if(!leafCert) {
- key->problem = PR_TRUE;
- key->noInstall = PR_TRUE;
- key->error = SEC_ERROR_NO_MEMORY;
- return;
- }
-
- privk = PK11_FindPrivateKeyFromCert(key->slot, leafCert, wincx);
- if(!privk) {
- privk = PK11_FindKeyByDERCert(key->slot, leafCert, wincx);
- }
-
- if(privk) {
- SECKEY_DestroyPrivateKey(privk);
- key->noInstall = PR_TRUE;
- }
-
- CERT_DestroyCertificate(leafCert);
-}
-
-static SECStatus
-sec_pkcs12_remove_existing_cert(sec_PKCS12SafeBag *cert,
- void *wincx)
-{
- SECItem *derCert = NULL;
- CERTCertificate *tempCert = NULL;
- CK_OBJECT_HANDLE certObj;
- PK11SlotInfo *slot = NULL;
- PRBool removed = PR_FALSE;
-
- if(!cert) {
- return SECFailure;
- }
-
- PORT_Assert(cert->removeExisting);
-
- cert->removeExisting = PR_FALSE;
- derCert = &cert->safeBagContent.certBag->value.x509Cert;
- tempCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), derCert,
- NULL, PR_FALSE, PR_TRUE);
- if(!tempCert) {
- return SECFailure;
- }
-
- certObj = PK11_FindCertInSlot(cert->slot, tempCert, wincx);
- CERT_DestroyCertificate(tempCert);
- tempCert = NULL;
-
- if(certObj != CK_INVALID_KEY) {
- PK11_DestroyObject(cert->slot, certObj);
- removed = PR_TRUE;
- } else if(PK11_IsInternal(cert->slot)) {
- tempCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), derCert);
- if(tempCert) {
- if(SEC_DeletePermCertificate(tempCert) == SECSuccess) {
- removed = PR_TRUE;
- }
- CERT_DestroyCertificate(tempCert);
- tempCert = NULL;
- }
- }
-
- if(!removed) {
- cert->problem = PR_TRUE;
- cert->error = SEC_ERROR_NO_MEMORY;
- cert->noInstall = PR_TRUE;
- }
-
- if(tempCert) {
- CERT_DestroyCertificate(tempCert);
- }
-
- return ((removed) ? SECSuccess : SECFailure);
-}
-
-static SECStatus
-sec_pkcs12_add_cert(sec_PKCS12SafeBag *cert, PRBool keyExists, void *wincx)
-{
- SECItem *derCert, *nickName;
- char *nickData = NULL;
- SECStatus rv;
-
- if(!cert) {
- return SECFailure;
- }
-
- if(cert->problem || cert->noInstall || cert->installed) {
- return SECSuccess;
- }
-
- derCert = &cert->safeBagContent.certBag->value.x509Cert;
- if(cert->removeExisting) {
- if(sec_pkcs12_remove_existing_cert(cert, wincx)
- != SECSuccess) {
- return SECFailure;
- }
- cert->removeExisting = PR_FALSE;
- }
-
- PORT_Assert(!cert->problem && !cert->removeExisting && !cert->noInstall);
-
- nickName = sec_pkcs12_get_nickname(cert);
- if(nickName) {
- nickData = (char *)nickName->data;
- }
-
- if(keyExists) {
- CERTCertificate *newCert;
-
- newCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- derCert, NULL, PR_FALSE, PR_TRUE);
- if(!newCert) {
- if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
- cert->error = SEC_ERROR_NO_MEMORY;
- cert->problem = PR_TRUE;
- return SECFailure;
- }
-
- rv = PK11_ImportCertForKeyToSlot(cert->slot, newCert, nickData,
- PR_TRUE, wincx);
- CERT_DestroyCertificate(newCert);
- } else {
- SECItem *certList[2];
- certList[0] = derCert;
- certList[1] = NULL;
- rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport,
- 1, certList, NULL, PR_TRUE, PR_FALSE, nickData);
- }
-
- cert->installed = PR_TRUE;
- if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
- return rv;
-}
-
-static SECStatus
-sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECItem *publicValue,
- KeyType keyType, unsigned int keyUsage, void *wincx)
-{
- SECStatus rv;
- SECItem *nickName;
-
- if(!key) {
- return SECFailure;
- }
-
- if(key->removeExisting) {
- key->problem = PR_TRUE;
- key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
- return SECFailure;
- }
-
- if(key->problem || key->noInstall) {
- return SECSuccess;
- }
-
- nickName = sec_pkcs12_get_nickname(key);
-
- switch(SECOID_FindOIDTag(&key->safeBagType))
- {
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- rv = PK11_ImportPrivateKeyInfo(key->slot,
- key->safeBagContent.pkcs8KeyBag,
- nickName, publicValue, PR_TRUE, PR_TRUE,
- keyUsage, wincx);
- break;
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
- key->safeBagContent.pkcs8ShroudedKeyBag,
- key->pwitem, nickName, publicValue,
- PR_TRUE, PR_TRUE, keyType, keyUsage,
- wincx);
- break;
- default:
- key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
- key->problem = PR_TRUE;
- if(nickName) {
- SECITEM_ZfreeItem(nickName, PR_TRUE);
- }
- return SECFailure;
- }
-
- key->installed = PR_TRUE;
-
- if(nickName) {
- SECITEM_ZfreeItem(nickName, PR_TRUE);
- }
-
- if(rv != SECSuccess) {
- key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
- key->problem = PR_TRUE;
- } else {
- key->installed = PR_TRUE;
- }
-
- return rv;
-}
-
-static SECStatus
-sec_pkcs12_add_item_to_bag_list(sec_PKCS12SafeBag ***bagList,
- sec_PKCS12SafeBag *bag)
-{
- int i = 0;
-
- if(!bagList || !bag) {
- return SECFailure;
- }
-
- if(!(*bagList)) {
- (*bagList) = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(bag->arena,
- sizeof(sec_PKCS12SafeBag *) * 2);
- } else {
- while((*bagList)[i]) i++;
- (*bagList) = (sec_PKCS12SafeBag **)PORT_ArenaGrow(bag->arena, *bagList,
- sizeof(sec_PKCS12SafeBag *) * (i + 1),
- sizeof(sec_PKCS12SafeBag *) * (i + 2));
- }
-
- if(!(*bagList)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- (*bagList)[i] = bag;
- (*bagList)[i+1] = NULL;
-
- return SECSuccess;
-}
-
-static sec_PKCS12SafeBag **
-sec_pkcs12_find_certs_for_key(sec_PKCS12SafeBag **safeBags, sec_PKCS12SafeBag *key )
-{
- sec_PKCS12SafeBag **certList = NULL;
- SECItem *keyId;
- int i;
-
- if(!safeBags || !safeBags[0]) {
- return NULL;
- }
-
- keyId = sec_pkcs12_get_attribute_value(key, SEC_OID_PKCS9_LOCAL_KEY_ID);
- if(!keyId) {
- return NULL;
- }
-
- i = 0;
- certList = NULL;
- while(safeBags[i]) {
- if(SECOID_FindOIDTag(&(safeBags[i]->safeBagType))
- == SEC_OID_PKCS12_V1_CERT_BAG_ID) {
- SECItem *certKeyId = sec_pkcs12_get_attribute_value(safeBags[i],
- SEC_OID_PKCS9_LOCAL_KEY_ID);
-
- if(certKeyId && (SECITEM_CompareItem(certKeyId, keyId)
- == SECEqual)) {
- if(sec_pkcs12_add_item_to_bag_list(&certList, safeBags[i])
- != SECSuccess) {
- return NULL;
- }
- }
- }
- i++;
- }
-
- return certList;
-}
-
-CERTCertList *
-SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx)
-{
- CERTCertList *certList = NULL;
- sec_PKCS12SafeBag **safeBags = p12dcx->safeBags;
- int i;
-
- if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) {
- return NULL;
- }
-
- safeBags = p12dcx->safeBags;
- i = 0;
- certList = CERT_NewCertList();
-
- if (certList == NULL) {
- return NULL;
- }
-
- while(safeBags[i]) {
- if (SECOID_FindOIDTag(&(safeBags[i]->safeBagType))
- == SEC_OID_PKCS12_V1_CERT_BAG_ID) {
- SECItem *derCert = sec_pkcs12_get_der_cert(safeBags[i]) ;
- CERTCertificate *tempCert = NULL;
-
- if (derCert == NULL) continue;
- tempCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- derCert, NULL, PR_FALSE, PR_TRUE);
-
- if (tempCert) {
- CERT_AddCertToListTail(certList,tempCert);
- }
- SECITEM_FreeItem(derCert,PR_TRUE);
- }
- i++;
- }
-
- return certList;
-}
-static sec_PKCS12SafeBag **
-sec_pkcs12_get_key_bags(sec_PKCS12SafeBag **safeBags)
-{
- int i;
- sec_PKCS12SafeBag **keyList = NULL;
- SECOidTag bagType;
-
- if(!safeBags || !safeBags[0]) {
- return NULL;
- }
-
- i = 0;
- while(safeBags[i]) {
- bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
- switch(bagType) {
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- if(sec_pkcs12_add_item_to_bag_list(&keyList, safeBags[i])
- != SECSuccess) {
- return NULL;
- }
- break;
- default:
- break;
- }
- i++;
- }
-
- return keyList;
-}
-
-static SECStatus
-sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags,
- SEC_PKCS12NicknameCollisionCallback nicknameCb,
- void *wincx)
-{
- sec_PKCS12SafeBag **keyList;
- int i;
-
- if(!safeBags || !nicknameCb) {
- return SECFailure;
- }
-
- if(!safeBags[0]) {
- return SECSuccess;
- }
-
- keyList = sec_pkcs12_get_key_bags(safeBags);
- if(keyList) {
- i = 0;
-
- while(keyList[i]) {
- sec_PKCS12SafeBag **certList = sec_pkcs12_find_certs_for_key(
- safeBags, keyList[i]);
- if(certList) {
- int j = 0;
-
- if(SECOID_FindOIDTag(&(keyList[i]->safeBagType)) ==
- SEC_OID_PKCS12_V1_KEY_BAG_ID) {
- /* if it is an unencrypted private key then make sure
- * the attributes are propageted to the appropriate
- * level
- */
- if(sec_pkcs12_get_key_info(keyList[i]) != SECSuccess) {
- keyList[i]->problem = PR_TRUE;
- keyList[i]->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
- }
-
- sec_pkcs12_validate_key_by_cert(certList[0], keyList[i], wincx);
- while(certList[j]) {
- certList[j]->hasKey = PR_TRUE;
- if(keyList[i]->problem) {
- certList[j]->problem = PR_TRUE;
- certList[j]->error = keyList[i]->error;
- } else {
- sec_pkcs12_validate_cert(certList[j], keyList[i],
- nicknameCb, wincx);
- if(certList[j]->problem) {
- keyList[i]->problem = certList[j]->problem;
- keyList[i]->error = certList[j]->error;
- }
- }
- j++;
- }
- }
-
- i++;
- }
- }
-
- i = 0;
- while(safeBags[i]) {
- if(!safeBags[i]->validated) {
- SECOidTag bagType = SECOID_FindOIDTag(&safeBags[i]->safeBagType);
-
- switch(bagType) {
- case SEC_OID_PKCS12_V1_CERT_BAG_ID:
- sec_pkcs12_validate_cert(safeBags[i], NULL, nicknameCb,
- wincx);
- break;
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- safeBags[i]->noInstall = PR_TRUE;
- safeBags[i]->problem = PR_TRUE;
- safeBags[i]->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
- break;
- default:
- safeBags[i]->noInstall = PR_TRUE;
- }
- }
- i++;
- }
-
- return SECSuccess;
-}
-
-SECStatus
-SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
- SEC_PKCS12NicknameCollisionCallback nicknameCb)
-{
- SECStatus rv;
- int i, noInstallCnt, probCnt, bagCnt, errorVal = 0;
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- rv = sec_pkcs12_validate_bags(p12dcx->safeBags, nicknameCb, p12dcx->wincx);
- if(rv == SECSuccess) {
- p12dcx->bagsVerified = PR_TRUE;
- }
-
- noInstallCnt = probCnt = bagCnt = 0;
- i = 0;
- while(p12dcx->safeBags[i]) {
- bagCnt++;
- if(p12dcx->safeBags[i]->noInstall) noInstallCnt++;
- if(p12dcx->safeBags[i]->problem) {
- probCnt++;
- errorVal = p12dcx->safeBags[i]->error;
- }
- i++;
- }
-
- if(bagCnt == noInstallCnt) {
- PORT_SetError(SEC_ERROR_PKCS12_DUPLICATE_DATA);
- return SECFailure;
- }
-
- if(probCnt) {
- PORT_SetError(errorVal);
- return SECFailure;
- }
-
- return rv;
-}
-
-static SECItem *
-sec_pkcs12_get_public_value_and_type(sec_PKCS12SafeBag *certBag,
- KeyType *type, unsigned int *usage)
-{
- SECKEYPublicKey *pubKey = NULL;
- CERTCertificate *cert = NULL;
- SECItem *pubValue;
-
- *type = nullKey;
- *usage = 0;
-
- if(!certBag) {
- return NULL;
- }
-
- cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- &certBag->safeBagContent.certBag->value.x509Cert,
- NULL, PR_FALSE, PR_FALSE);
- if(!cert) {
- return NULL;
- }
-
- *usage = cert->keyUsage;
- pubKey = CERT_ExtractPublicKey(cert);
- CERT_DestroyCertificate(cert);
- if(!pubKey) {
- return NULL;
- }
-
- *type = pubKey->keyType;
- switch(pubKey->keyType) {
- case dsaKey:
- pubValue = SECITEM_DupItem(&pubKey->u.dsa.publicValue);
- break;
- case dhKey:
- pubValue = SECITEM_DupItem(&pubKey->u.dh.publicValue);
- break;
- case rsaKey:
- pubValue = SECITEM_DupItem(&pubKey->u.rsa.modulus);
- break;
- default:
- pubValue = NULL;
- }
-
- SECKEY_DestroyPublicKey(pubKey);
-
- return pubValue;
-}
-
-static SECStatus
-sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags,
- void *wincx)
-{
- sec_PKCS12SafeBag **keyList, **certList;
- int i;
-
- if(!safeBags) {
- return SECFailure;
- }
-
- if(!safeBags[0]) {
- return SECSuccess;
- }
-
- keyList = sec_pkcs12_get_key_bags(safeBags);
- if(keyList) {
- i = 0;
-
- while(keyList[i]) {
- SECStatus rv;
- SECItem *publicValue = NULL;
- KeyType keyType;
- unsigned int keyUsage;
-
- if(keyList[i]->problem) {
- goto next_key_bag;
- }
-
- certList = sec_pkcs12_find_certs_for_key(safeBags,
- keyList[i]);
- if(certList) {
- publicValue = sec_pkcs12_get_public_value_and_type(certList[0],
- &keyType, &keyUsage);
- }
- rv = sec_pkcs12_add_key(keyList[i], publicValue, keyType, keyUsage,
- wincx);
- if(publicValue) {
- SECITEM_FreeItem(publicValue, PR_TRUE);
- }
- if(rv != SECSuccess) {
- PORT_SetError(keyList[i]->error);
- return SECFailure;
- }
-
- if(certList) {
- int j = 0;
-
- while(certList[j]) {
- SECStatus certRv;
-
- if(rv != SECSuccess) {
- certList[j]->problem = keyList[i]->problem;
- certList[j]->error = keyList[i]->error;
- certList[j]->noInstall = PR_TRUE;
- goto next_cert_bag;
- }
-
- certRv = sec_pkcs12_add_cert(certList[j],
- certList[j]->hasKey, wincx);
- if(certRv != SECSuccess) {
- keyList[i]->problem = certList[j]->problem;
- keyList[i]->error = certList[j]->error;
- PORT_SetError(certList[j]->error);
- return SECFailure;
- }
-next_cert_bag:
- j++;
- }
- }
-
-next_key_bag:
- i++;
- }
- }
-
- i = 0;
- while(safeBags[i]) {
- if(!safeBags[i]->installed) {
- SECStatus rv;
- SECOidTag bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
-
- switch(bagType) {
- case SEC_OID_PKCS12_V1_CERT_BAG_ID:
- rv = sec_pkcs12_add_cert(safeBags[i], safeBags[i]->hasKey,
- wincx);
- if(rv != SECSuccess) {
- PORT_SetError(safeBags[i]->error);
- return SECFailure;
- }
- break;
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- default:
- break;
- }
- }
- i++;
- }
-
- return SECSuccess;
-}
-
-SECStatus
-SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
-{
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- if(!p12dcx->bagsVerified) {
- return SECFailure;
- }
-
- return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
-}
-
-static SECStatus
-sec_pkcs12_decoder_append_bag_to_context(SEC_PKCS12DecoderContext *p12dcx,
- sec_PKCS12SafeBag *bag)
-{
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- if(!p12dcx->safeBagCount) {
- p12dcx->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(sec_PKCS12SafeBag *) * 2);
- } else {
- p12dcx->safeBags =
- (sec_PKCS12SafeBag **)PORT_ArenaGrow(p12dcx->arena, p12dcx->safeBags,
- (p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
- (p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
- }
-
- if(!p12dcx->safeBags) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- p12dcx->safeBags[p12dcx->safeBagCount] = bag;
- p12dcx->safeBags[p12dcx->safeBagCount+1] = NULL;
- p12dcx->safeBagCount++;
-
- return SECSuccess;
-}
-
-static sec_PKCS12SafeBag *
-sec_pkcs12_decoder_convert_old_key(SEC_PKCS12DecoderContext *p12dcx,
- void *key, PRBool isEspvk)
-{
- sec_PKCS12SafeBag *keyBag;
- SECOidData *oid;
- SECOidTag keyTag;
- SECItem *keyID, *nickName, *newNickName;
-
- if(!p12dcx || p12dcx->error || !key) {
- return NULL;
- }
-
- newNickName =(SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
- keyBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(sec_PKCS12SafeBag));
- if(!keyBag || !newNickName) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- keyBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
- keyBag->slot = p12dcx->slot;
- keyBag->arena = p12dcx->arena;
- keyBag->pwitem = p12dcx->pwitem;
- keyBag->oldBagType = PR_TRUE;
-
- keyTag = (isEspvk) ? SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID :
- SEC_OID_PKCS12_V1_KEY_BAG_ID;
- oid = SECOID_FindOIDByTag(keyTag);
- if(!oid) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- if(SECITEM_CopyItem(p12dcx->arena, &keyBag->safeBagType, &oid->oid)
- != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- if(isEspvk) {
- SEC_PKCS12ESPVKItem *espvk = (SEC_PKCS12ESPVKItem *)key;
- keyBag->safeBagContent.pkcs8ShroudedKeyBag =
- espvk->espvkCipherText.pkcs8KeyShroud;
- nickName = &(espvk->espvkData.uniNickName);
- if(!espvk->espvkData.assocCerts || !espvk->espvkData.assocCerts[0]) {
- PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
- return NULL;
- }
- keyID = &espvk->espvkData.assocCerts[0]->digest;
- } else {
- SEC_PKCS12PrivateKey *pk = (SEC_PKCS12PrivateKey *)key;
- keyBag->safeBagContent.pkcs8KeyBag = &pk->pkcs8data;
- nickName= &(pk->pvkData.uniNickName);
- if(!pk->pvkData.assocCerts || !pk->pvkData.assocCerts[0]) {
- PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
- return NULL;
- }
- keyID = &pk->pvkData.assocCerts[0]->digest;
- }
-
- if(nickName->len) {
- if(nickName->len >= 2) {
- if(nickName->data[0] && nickName->data[1]) {
- if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName,
- nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
- nickName = newNickName;
- } else if(nickName->data[0] && !nickName->data[1]) {
- unsigned int j = 0;
- unsigned char t;
- for(j = 0; j < nickName->len; j+=2) {
- t = nickName->data[j+1];
- nickName->data[j+1] = nickName->data[j];
- nickName->data[j] = t;
- }
- }
- } else {
- if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName,
- nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
- nickName = newNickName;
- }
- }
-
- if(sec_pkcs12_decoder_set_attribute_value(keyBag,
- SEC_OID_PKCS9_FRIENDLY_NAME,
- nickName) != SECSuccess) {
- return NULL;
- }
-
- if(sec_pkcs12_decoder_set_attribute_value(keyBag,SEC_OID_PKCS9_LOCAL_KEY_ID,
- keyID) != SECSuccess) {
- return NULL;
- }
-
- return keyBag;
-}
-
-static sec_PKCS12SafeBag *
-sec_pkcs12_decoder_create_cert(SEC_PKCS12DecoderContext *p12dcx,
- SECItem *derCert)
-{
- sec_PKCS12SafeBag *certBag;
- SECOidData *oid;
- SGNDigestInfo *digest;
- SECItem *keyId;
- SECStatus rv;
-
- if(!p12dcx || p12dcx->error || !derCert) {
- return NULL;
- }
-
- keyId = (SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
- if(!keyId) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- digest = sec_pkcs12_compute_thumbprint(derCert);
- if(!digest) {
- return NULL;
- }
-
- rv = SECITEM_CopyItem(p12dcx->arena, keyId, &digest->digest);
- SGN_DestroyDigestInfo(digest);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- oid = SECOID_FindOIDByTag(SEC_OID_PKCS12_V1_CERT_BAG_ID);
- certBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(sec_PKCS12SafeBag));
- if(!certBag || !oid || (SECITEM_CopyItem(p12dcx->arena,
- &certBag->safeBagType, &oid->oid) != SECSuccess)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- certBag->slot = p12dcx->slot;
- certBag->pwitem = p12dcx->pwitem;
- certBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
- certBag->arena = p12dcx->arena;
-
- oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_X509_CERT);
- certBag->safeBagContent.certBag =
- (sec_PKCS12CertBag *)PORT_ArenaZAlloc(p12dcx->arena,
- sizeof(sec_PKCS12CertBag));
- if(!certBag->safeBagContent.certBag || !oid ||
- (SECITEM_CopyItem(p12dcx->arena,
- &certBag->safeBagContent.certBag->bagID,
- &oid->oid) != SECSuccess)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- if(SECITEM_CopyItem(p12dcx->arena,
- &(certBag->safeBagContent.certBag->value.x509Cert),
- derCert) != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- if(sec_pkcs12_decoder_set_attribute_value(certBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
- keyId) != SECSuccess) {
- return NULL;
- }
-
- return certBag;
-}
-
-static sec_PKCS12SafeBag **
-sec_pkcs12_decoder_convert_old_cert(SEC_PKCS12DecoderContext *p12dcx,
- SEC_PKCS12CertAndCRL *oldCert)
-{
- sec_PKCS12SafeBag **certList;
- SECItem **derCertList;
- int i, j;
-
- if(!p12dcx || p12dcx->error || !oldCert) {
- return NULL;
- }
-
- derCertList = SEC_PKCS7GetCertificateList(&oldCert->value.x509->certOrCRL);
- if(!derCertList) {
- return NULL;
- }
-
- i = 0;
- while(derCertList[i]) i++;
-
- certList = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena,
- (i + 1) * sizeof(sec_PKCS12SafeBag *));
- if(!certList) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- for(j = 0; j < i; j++) {
- certList[j] = sec_pkcs12_decoder_create_cert(p12dcx, derCertList[j]);
- if(!certList[j]) {
- return NULL;
- }
- }
-
- return certList;
-}
-
-static SECStatus
-sec_pkcs12_decoder_convert_old_key_and_certs(SEC_PKCS12DecoderContext *p12dcx,
- void *oldKey, PRBool isEspvk,
- SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage)
-{
- sec_PKCS12SafeBag *key, **certList;
- SEC_PKCS12CertAndCRL *oldCert;
- SEC_PKCS12PVKSupportingData *pvkData;
- int i;
- SECItem *keyName;
-
- if(!p12dcx || !oldKey) {
- return SECFailure;
- }
-
- if(isEspvk) {
- pvkData = &((SEC_PKCS12ESPVKItem *)(oldKey))->espvkData;
- } else {
- pvkData = &((SEC_PKCS12PrivateKey *)(oldKey))->pvkData;
- }
-
- if(!pvkData->assocCerts || !pvkData->assocCerts[0]) {
- PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
- return SECFailure;
- }
-
- oldCert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
- SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, NULL,
- pvkData->assocCerts[0]);
- if(!oldCert) {
- PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
- return SECFailure;
- }
-
- key = sec_pkcs12_decoder_convert_old_key(p12dcx,oldKey, isEspvk);
- certList = sec_pkcs12_decoder_convert_old_cert(p12dcx, oldCert);
- if(!key || !certList) {
- return SECFailure;
- }
-
- if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, key) != SECSuccess) {
- return SECFailure;
- }
-
- keyName = sec_pkcs12_get_nickname(key);
- if(!keyName) {
- return SECFailure;
- }
-
- i = 0;
- while(certList[i]) {
- if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, certList[i])
- != SECSuccess) {
- return SECFailure;
- }
- i++;
- }
-
- certList = sec_pkcs12_find_certs_for_key(p12dcx->safeBags, key);
- if(!certList) {
- return SECFailure;
- }
-
- i = 0;
- while(certList[i] != 0) {
- if(sec_pkcs12_set_nickname(certList[i], keyName) != SECSuccess) {
- return SECFailure;
- }
- i++;
- }
-
- return SECSuccess;
-}
-
-static SECStatus
-sec_pkcs12_decoder_convert_old_safe_to_bags(SEC_PKCS12DecoderContext *p12dcx,
- SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage)
-{
- SECStatus rv;
-
- if(!p12dcx || p12dcx->error) {
- return SECFailure;
- }
-
- if(safe && safe->contents) {
- int i = 0;
- while(safe->contents[i] != NULL) {
- if(SECOID_FindOIDTag(&safe->contents[i]->safeBagType)
- == SEC_OID_PKCS12_KEY_BAG_ID) {
- int j = 0;
- SEC_PKCS12PrivateKeyBag *privBag =
- safe->contents[i]->safeContent.keyBag;
-
- while(privBag->privateKeys[j] != NULL) {
- SEC_PKCS12PrivateKey *pk = privBag->privateKeys[j];
- rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx,pk,
- PR_FALSE, safe, baggage);
- if(rv != SECSuccess) {
- goto loser;
- }
- j++;
- }
- }
- i++;
- }
- }
-
- if(baggage && baggage->bags) {
- int i = 0;
- while(baggage->bags[i] != NULL) {
- SEC_PKCS12BaggageItem *bag = baggage->bags[i];
- int j = 0;
-
- if(!bag->espvks) {
- i++;
- continue;
- }
-
- while(bag->espvks[j] != NULL) {
- SEC_PKCS12ESPVKItem *espvk = bag->espvks[j];
- rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, espvk,
- PR_TRUE, safe, baggage);
- if(rv != SECSuccess) {
- goto loser;
- }
- j++;
- }
- i++;
- }
- }
-
- return SECSuccess;
-
-loser:
- return SECFailure;
-}
-
-SEC_PKCS12DecoderContext *
-sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot,
- PRBool swapUnicode, SECItem *pwitem,
- void *wincx, SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage)
-{
- SEC_PKCS12DecoderContext *p12dcx;
-
- if(!arena || !slot || !pwitem) {
- return NULL;
- }
-
- if(!safe && !baggage) {
- return NULL;
- }
-
- p12dcx = (SEC_PKCS12DecoderContext *)PORT_ArenaZAlloc(arena,
- sizeof(SEC_PKCS12DecoderContext));
- if(!p12dcx) {
- return NULL;
- }
-
- p12dcx->arena = arena;
- p12dcx->slot = slot;
- p12dcx->wincx = wincx;
- p12dcx->error = PR_FALSE;
- p12dcx->swapUnicodeBytes = swapUnicode;
- p12dcx->pwitem = pwitem;
-
- if(sec_pkcs12_decoder_convert_old_safe_to_bags(p12dcx, safe, baggage)
- != SECSuccess) {
- p12dcx->error = PR_TRUE;
- return NULL;
- }
-
- return p12dcx;
-}
diff --git a/security/nss/lib/pkcs12/p12dec.c b/security/nss/lib/pkcs12/p12dec.c
deleted file mode 100644
index 024a61dae..000000000
--- a/security/nss/lib/pkcs12/p12dec.c
+++ /dev/null
@@ -1,692 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "pkcs12.h"
-#include "plarena.h"
-#include "secpkcs7.h"
-#include "p12local.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secport.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "secerr.h"
-#include "cert.h"
-#include "certdb.h"
-#include "p12plcy.h"
-#include "p12.h"
-
-/* PFX extraction and validation routines */
-
-/* decode the DER encoded PFX item. if unable to decode, check to see if it
- * is an older PFX item. If that fails, assume the file was not a valid
- * pfx file.
- * the returned pfx structure should be destroyed using SEC_PKCS12DestroyPFX
- */
-static SEC_PKCS12PFXItem *
-sec_pkcs12_decode_pfx(SECItem *der_pfx)
-{
- SEC_PKCS12PFXItem *pfx;
- SECStatus rv;
-
- if(der_pfx == NULL) {
- return NULL;
- }
-
- /* allocate the space for a new PFX item */
- pfx = sec_pkcs12_new_pfx();
- if(pfx == NULL) {
- return NULL;
- }
-
- rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate,
- der_pfx);
-
- /* if a failure occurred, check for older version...
- * we also get rid of the old pfx structure, because we don't
- * know where it failed and what data in may contain
- */
- if(rv != SECSuccess) {
- SEC_PKCS12DestroyPFX(pfx);
- pfx = sec_pkcs12_new_pfx();
- if(pfx == NULL) {
- return NULL;
- }
- rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate_OLD,
- der_pfx);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_PKCS12_DECODING_PFX);
- PORT_FreeArena(pfx->poolp, PR_TRUE);
- return NULL;
- }
- pfx->old = PR_TRUE;
- SGN_CopyDigestInfo(pfx->poolp, &pfx->macData.safeMac, &pfx->old_safeMac);
- SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, &pfx->old_macSalt);
- } else {
- pfx->old = PR_FALSE;
- }
-
- /* convert bit string from bits to bytes */
- pfx->macData.macSalt.len /= 8;
-
- return pfx;
-}
-
-/* validate the integrity MAC used in the PFX. The MAC is generated
- * per the PKCS 12 document. If the MAC is incorrect, it is most likely
- * due to an invalid password.
- * pwitem is the integrity password
- * pfx is the decoded pfx item
- */
-static PRBool
-sec_pkcs12_check_pfx_mac(SEC_PKCS12PFXItem *pfx,
- SECItem *pwitem)
-{
- SECItem *key = NULL, *mac = NULL, *data = NULL;
- SECItem *vpwd = NULL;
- SECOidTag algorithm;
- PRBool ret = PR_FALSE;
-
- if(pfx == NULL) {
- return PR_FALSE;
- }
-
- algorithm = SECOID_GetAlgorithmTag(&pfx->macData.safeMac.digestAlgorithm);
- switch(algorithm) {
- /* only SHA1 hashing supported as a MACing algorithm */
- case SEC_OID_SHA1:
- if(pfx->old == PR_FALSE) {
- pfx->swapUnicode = PR_FALSE;
- }
-
-recheckUnicodePassword:
- vpwd = sec_pkcs12_create_virtual_password(pwitem,
- &pfx->macData.macSalt,
- pfx->swapUnicode);
- if(vpwd == NULL) {
- return PR_FALSE;
- }
-
- key = sec_pkcs12_generate_key_from_password(algorithm,
- &pfx->macData.macSalt,
- (pfx->old ? pwitem : vpwd));
- /* free vpwd only for newer PFX */
- if(vpwd) {
- SECITEM_ZfreeItem(vpwd, PR_TRUE);
- }
- if(key == NULL) {
- return PR_FALSE;
- }
-
- data = SEC_PKCS7GetContent(&pfx->authSafe);
- if(data == NULL) {
- break;
- }
-
- /* check MAC */
- mac = sec_pkcs12_generate_mac(key, data, pfx->old);
- ret = PR_TRUE;
- if(mac) {
- SECItem *safeMac = &pfx->macData.safeMac.digest;
- if(SECITEM_CompareItem(mac, safeMac) != SECEqual) {
-
- /* if we encounter an invalid mac, lets invert the
- * password in case of unicode changes
- */
- if(((!pfx->old) && pfx->swapUnicode) || (pfx->old)){
- PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
- ret = PR_FALSE;
- } else {
- SECITEM_ZfreeItem(mac, PR_TRUE);
- pfx->swapUnicode = PR_TRUE;
- goto recheckUnicodePassword;
- }
- }
- SECITEM_ZfreeItem(mac, PR_TRUE);
- } else {
- ret = PR_FALSE;
- }
- break;
- default:
- PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM);
- ret = PR_FALSE;
- break;
- }
-
- /* let success fall through */
- if(key != NULL)
- SECITEM_ZfreeItem(key, PR_TRUE);
-
- return ret;
-}
-
-/* check the validity of the pfx structure. we currently only support
- * password integrity mode, so we check the MAC.
- */
-static PRBool
-sec_pkcs12_validate_pfx(SEC_PKCS12PFXItem *pfx,
- SECItem *pwitem)
-{
- SECOidTag contentType;
-
- contentType = SEC_PKCS7ContentType(&pfx->authSafe);
- switch(contentType)
- {
- case SEC_OID_PKCS7_DATA:
- return sec_pkcs12_check_pfx_mac(pfx, pwitem);
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- default:
- PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
- break;
- }
-
- return PR_FALSE;
-}
-
-/* decode and return the valid PFX. if the PFX item is not valid,
- * NULL is returned.
- */
-static SEC_PKCS12PFXItem *
-sec_pkcs12_get_pfx(SECItem *pfx_data,
- SECItem *pwitem)
-{
- SEC_PKCS12PFXItem *pfx;
- PRBool valid_pfx;
-
- if((pfx_data == NULL) || (pwitem == NULL)) {
- return NULL;
- }
-
- pfx = sec_pkcs12_decode_pfx(pfx_data);
- if(pfx == NULL) {
- return NULL;
- }
-
- valid_pfx = sec_pkcs12_validate_pfx(pfx, pwitem);
- if(valid_pfx != PR_TRUE) {
- SEC_PKCS12DestroyPFX(pfx);
- pfx = NULL;
- }
-
- return pfx;
-}
-
-/* authenticated safe decoding, validation, and access routines
- */
-
-/* convert dogbert beta 3 authenticated safe structure to a post
- * beta three structure, so that we don't have to change more routines.
- */
-static SECStatus
-sec_pkcs12_convert_old_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
-{
- SEC_PKCS12Baggage *baggage;
- SEC_PKCS12BaggageItem *bag;
- SECStatus rv = SECSuccess;
-
- if(asafe->old_baggage.espvks == NULL) {
- /* XXX should the ASN1 engine produce a single NULL element list
- * rather than setting the pointer to NULL?
- * There is no need to return an error -- assume that the list
- * was empty.
- */
- return SECSuccess;
- }
-
- baggage = sec_pkcs12_create_baggage(asafe->poolp);
- if(!baggage) {
- return SECFailure;
- }
- bag = sec_pkcs12_create_external_bag(baggage);
- if(!bag) {
- return SECFailure;
- }
-
- PORT_Memcpy(&asafe->baggage, baggage, sizeof(SEC_PKCS12Baggage));
-
- /* if there are shrouded keys, append them to the bag */
- rv = SECSuccess;
- if(asafe->old_baggage.espvks[0] != NULL) {
- int nEspvk = 0;
- rv = SECSuccess;
- while((asafe->old_baggage.espvks[nEspvk] != NULL) &&
- (rv == SECSuccess)) {
- rv = sec_pkcs12_append_shrouded_key(bag,
- asafe->old_baggage.espvks[nEspvk]);
- nEspvk++;
- }
- }
-
- return rv;
-}
-
-/* decodes the authenticated safe item. a return of NULL indicates
- * an error. however, the error will have occured either in memory
- * allocation or in decoding the authenticated safe.
- *
- * if an old PFX item has been found, we want to convert the
- * old authenticated safe to the new one.
- */
-static SEC_PKCS12AuthenticatedSafe *
-sec_pkcs12_decode_authenticated_safe(SEC_PKCS12PFXItem *pfx)
-{
- SECItem *der_asafe = NULL;
- SEC_PKCS12AuthenticatedSafe *asafe = NULL;
- SECStatus rv;
-
- if(pfx == NULL) {
- return NULL;
- }
-
- der_asafe = SEC_PKCS7GetContent(&pfx->authSafe);
- if(der_asafe == NULL) {
- /* XXX set error ? */
- goto loser;
- }
-
- asafe = sec_pkcs12_new_asafe(pfx->poolp);
- if(asafe == NULL) {
- goto loser;
- }
-
- if(pfx->old == PR_FALSE) {
- rv = SEC_ASN1DecodeItem(pfx->poolp, asafe,
- SEC_PKCS12AuthenticatedSafeTemplate,
- der_asafe);
- asafe->old = PR_FALSE;
- asafe->swapUnicode = pfx->swapUnicode;
- } else {
- /* handle beta exported files */
- rv = SEC_ASN1DecodeItem(pfx->poolp, asafe,
- SEC_PKCS12AuthenticatedSafeTemplate_OLD,
- der_asafe);
- asafe->safe = &(asafe->old_safe);
- rv = sec_pkcs12_convert_old_auth_safe(asafe);
- asafe->old = PR_TRUE;
- }
-
- if(rv != SECSuccess) {
- goto loser;
- }
-
- asafe->poolp = pfx->poolp;
-
- return asafe;
-
-loser:
- return NULL;
-}
-
-/* validates the safe within the authenticated safe item.
- * in order to be valid:
- * 1. the privacy salt must be present
- * 2. the encryption algorithm must be supported (including
- * export policy)
- * PR_FALSE indicates an error, PR_TRUE indicates a valid safe
- */
-static PRBool
-sec_pkcs12_validate_encrypted_safe(SEC_PKCS12AuthenticatedSafe *asafe)
-{
- PRBool valid = PR_FALSE;
- SECAlgorithmID *algid;
-
- if(asafe == NULL) {
- return PR_FALSE;
- }
-
- /* if mode is password privacy, then privacySalt is assumed
- * to be non-zero.
- */
- if(asafe->privacySalt.len != 0) {
- valid = PR_TRUE;
- asafe->privacySalt.len /= 8;
- } else {
- PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
- return PR_FALSE;
- }
-
- /* until spec changes, content will have between 2 and 8 bytes depending
- * upon the algorithm used if certs are unencrypted...
- * also want to support case where content is empty -- which we produce
- */
- if(SEC_PKCS7IsContentEmpty(asafe->safe, 8) == PR_TRUE) {
- asafe->emptySafe = PR_TRUE;
- return PR_TRUE;
- }
-
- asafe->emptySafe = PR_FALSE;
-
- /* make sure that a pbe algorithm is being used */
- algid = SEC_PKCS7GetEncryptionAlgorithm(asafe->safe);
- if(algid != NULL) {
- if(SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
- valid = SEC_PKCS12DecryptionAllowed(algid);
-
- if(valid == PR_FALSE) {
- PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
- }
- } else {
- PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
- valid = PR_FALSE;
- }
- } else {
- valid = PR_FALSE;
- PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
- }
-
- return valid;
-}
-
-/* validates authenticates safe:
- * 1. checks that the version is supported
- * 2. checks that only password privacy mode is used (currently)
- * 3. further, makes sure safe has appropriate policies per above function
- * PR_FALSE indicates failure.
- */
-static PRBool
-sec_pkcs12_validate_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
-{
- PRBool valid = PR_TRUE;
- SECOidTag safe_type;
- int version;
-
- if(asafe == NULL) {
- return PR_FALSE;
- }
-
- /* check version, since it is default it may not be present.
- * therefore, assume ok
- */
- if((asafe->version.len > 0) && (asafe->old == PR_FALSE)) {
- version = DER_GetInteger(&asafe->version);
- if(version > SEC_PKCS12_PFX_VERSION) {
- PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION);
- return PR_FALSE;
- }
- }
-
- /* validate password mode is being used */
- safe_type = SEC_PKCS7ContentType(asafe->safe);
- switch(safe_type)
- {
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- valid = sec_pkcs12_validate_encrypted_safe(asafe);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- default:
- PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
- valid = PR_FALSE;
- break;
- }
-
- return valid;
-}
-
-/* retrieves the authenticated safe item from the PFX item
- * before returning the authenticated safe, the validity of the
- * authenticated safe is checked and if valid, returned.
- * a return of NULL indicates that an error occured.
- */
-static SEC_PKCS12AuthenticatedSafe *
-sec_pkcs12_get_auth_safe(SEC_PKCS12PFXItem *pfx)
-{
- SEC_PKCS12AuthenticatedSafe *asafe;
- PRBool valid_safe;
-
- if(pfx == NULL) {
- return NULL;
- }
-
- asafe = sec_pkcs12_decode_authenticated_safe(pfx);
- if(asafe == NULL) {
- return NULL;
- }
-
- valid_safe = sec_pkcs12_validate_auth_safe(asafe);
- if(valid_safe != PR_TRUE) {
- asafe = NULL;
- } else if(asafe) {
- asafe->baggage.poolp = asafe->poolp;
- }
-
- return asafe;
-}
-
-/* decrypts the authenticated safe.
- * a return of anything but SECSuccess indicates an error. the
- * password is not known to be valid until the call to the
- * function sec_pkcs12_get_safe_contents. If decoding the safe
- * fails, it is assumed the password was incorrect and the error
- * is set then. any failure here is assumed to be due to
- * internal problems in SEC_PKCS7DecryptContents or below.
- */
-static SECStatus
-sec_pkcs12_decrypt_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe,
- SECItem *pwitem,
- void *wincx)
-{
- SECStatus rv = SECFailure;
- SECItem *vpwd = NULL;
-
- if((asafe == NULL) || (pwitem == NULL)) {
- return SECFailure;
- }
-
- if(asafe->old == PR_FALSE) {
- vpwd = sec_pkcs12_create_virtual_password(pwitem, &asafe->privacySalt,
- asafe->swapUnicode);
- if(vpwd == NULL) {
- return SECFailure;
- }
- }
-
- rv = SEC_PKCS7DecryptContents(asafe->poolp, asafe->safe,
- (asafe->old ? pwitem : vpwd), wincx);
-
- if(asafe->old == PR_FALSE) {
- SECITEM_ZfreeItem(vpwd, PR_TRUE);
- }
-
- return rv;
-}
-
-/* extract the safe from the authenticated safe.
- * if we are unable to decode the safe, then it is likely that the
- * safe has not been decrypted or the password used to decrypt
- * the safe was invalid. we assume that the password was invalid and
- * set an error accordingly.
- * a return of NULL indicates that an error occurred.
- */
-static SEC_PKCS12SafeContents *
-sec_pkcs12_get_safe_contents(SEC_PKCS12AuthenticatedSafe *asafe)
-{
- SECItem *src = NULL;
- SEC_PKCS12SafeContents *safe = NULL;
- SECStatus rv = SECFailure;
-
- if(asafe == NULL) {
- return NULL;
- }
-
- safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(asafe->poolp,
- sizeof(SEC_PKCS12SafeContents));
- if(safe == NULL) {
- return NULL;
- }
- safe->poolp = asafe->poolp;
- safe->old = asafe->old;
- safe->swapUnicode = asafe->swapUnicode;
-
- src = SEC_PKCS7GetContent(asafe->safe);
- if(src != NULL) {
- const SEC_ASN1Template *theTemplate;
- if(asafe->old != PR_TRUE) {
- theTemplate = SEC_PKCS12SafeContentsTemplate;
- } else {
- theTemplate = SEC_PKCS12SafeContentsTemplate_OLD;
- }
-
- rv = SEC_ASN1DecodeItem(asafe->poolp, safe, theTemplate, src);
-
- /* if we could not decode the item, password was probably invalid */
- if(rv != SECSuccess) {
- safe = NULL;
- PORT_SetError(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT);
- }
- } else {
- PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
- rv = SECFailure;
- }
-
- return safe;
-}
-
-/* import PFX item
- * der_pfx is the der encoded pfx structure
- * pbef and pbearg are the integrity/encryption password call back
- * ncCall is the nickname collision calllback
- * slot is the destination token
- * wincx window handler
- *
- * on error, error code set and SECFailure returned
- */
-SECStatus
-SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
- SEC_PKCS12NicknameCollisionCallback ncCall,
- PK11SlotInfo *slot,
- void *wincx)
-{
- SEC_PKCS12PFXItem *pfx;
- SEC_PKCS12AuthenticatedSafe *asafe;
- SEC_PKCS12SafeContents *safe_contents = NULL;
- SECStatus rv;
-
- if(!der_pfx || !pwitem || !slot) {
- return SECFailure;
- }
-
- /* decode and validate each section */
- rv = SECFailure;
-
- pfx = sec_pkcs12_get_pfx(der_pfx, pwitem);
- if(pfx != NULL) {
- asafe = sec_pkcs12_get_auth_safe(pfx);
- if(asafe != NULL) {
-
- /* decrypt safe -- only if not empty */
- if(asafe->emptySafe != PR_TRUE) {
- rv = sec_pkcs12_decrypt_auth_safe(asafe, pwitem, wincx);
- if(rv == SECSuccess) {
- safe_contents = sec_pkcs12_get_safe_contents(asafe);
- if(safe_contents == NULL) {
- rv = SECFailure;
- }
- }
- } else {
- safe_contents = sec_pkcs12_create_safe_contents(asafe->poolp);
- safe_contents->swapUnicode = pfx->swapUnicode;
- if(safe_contents == NULL) {
- rv = SECFailure;
- } else {
- rv = SECSuccess;
- }
- }
-
- /* get safe contents and begin import */
- if(rv == SECSuccess) {
- SEC_PKCS12DecoderContext *p12dcx;
-
- p12dcx = sec_PKCS12ConvertOldSafeToNew(pfx->poolp, slot,
- pfx->swapUnicode,
- pwitem, wincx, safe_contents,
- &asafe->baggage);
- if(!p12dcx) {
- rv = SECFailure;
- goto loser;
- }
-
- if(SEC_PKCS12DecoderValidateBags(p12dcx, ncCall)
- != SECSuccess) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = SEC_PKCS12DecoderImportBags(p12dcx);
- }
-
- }
- }
-
-loser:
-
- if(pfx) {
- SEC_PKCS12DestroyPFX(pfx);
- }
-
- return rv;
-}
-
-PRBool
-SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength)
-{
- int lengthLength;
-
- PRBool valid = PR_FALSE;
-
- if(buf == NULL) {
- return PR_FALSE;
- }
-
- /* check for constructed sequence identifier tag */
- if(*buf == (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) {
- totalLength--; /* header byte taken care of */
- buf++;
-
- lengthLength = (long int)SEC_ASN1LengthLength(totalLength - 1);
- if(totalLength > 0x7f) {
- lengthLength--;
- *buf &= 0x7f; /* remove bit 8 indicator */
- if((*buf - (char)lengthLength) == 0) {
- valid = PR_TRUE;
- }
- } else {
- lengthLength--;
- if((*buf - (char)lengthLength) == 0) {
- valid = PR_TRUE;
- }
- }
- }
-
- return valid;
-}
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
deleted file mode 100644
index 8cc683667..000000000
--- a/security/nss/lib/pkcs12/p12e.c
+++ /dev/null
@@ -1,2254 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "p12t.h"
-#include "p12.h"
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "p12plcy.h"
-#include "p12local.h"
-#include "alghmac.h"
-#include "prcpucfg.h"
-
-/*********************************
- * Structures used in exporting the PKCS 12 blob
- *********************************/
-
-/* A SafeInfo is used for each ContentInfo which makes up the
- * sequence of safes in the AuthenticatedSafe portion of the
- * PFX structure.
- */
-struct SEC_PKCS12SafeInfoStr {
- PRArenaPool *arena;
-
- /* information for setting up password encryption */
- SECItem pwitem;
- SECOidTag algorithm;
- PK11SymKey *encryptionKey;
-
- /* how many items have been stored in this safe,
- * we will skip any safe which does not contain any
- * items
- */
- unsigned int itemCount;
-
- /* the content info for the safe */
- SEC_PKCS7ContentInfo *cinfo;
-
- sec_PKCS12SafeContents *safe;
-};
-
-/* An opaque structure which contains information needed for exporting
- * certificates and keys through PKCS 12.
- */
-struct SEC_PKCS12ExportContextStr {
- PRArenaPool *arena;
- PK11SlotInfo *slot;
- void *wincx;
-
- /* integrity information */
- PRBool integrityEnabled;
- PRBool pwdIntegrity;
- union {
- struct sec_PKCS12PasswordModeInfo pwdInfo;
- struct sec_PKCS12PublicKeyModeInfo pubkeyInfo;
- } integrityInfo;
-
- /* helper functions */
- /* retrieve the password call back */
- SECKEYGetPasswordKey pwfn;
- void *pwfnarg;
-
- /* safe contents bags */
- SEC_PKCS12SafeInfo **safeInfos;
- unsigned int safeInfoCount;
-
- /* the sequence of safes */
- sec_PKCS12AuthenticatedSafe authSafe;
-
- /* information needing deletion */
- CERTCertificate **certList;
-};
-
-/* structures for passing information to encoder callbacks when processing
- * data through the ASN1 engine.
- */
-struct sec_pkcs12_encoder_output {
- SEC_PKCS12EncoderOutputCallback outputfn;
- void *outputarg;
-};
-
-struct sec_pkcs12_hmac_and_output_info {
- void *arg;
- struct sec_pkcs12_encoder_output output;
-};
-
-/* An encoder context which is used for the actual encoding
- * portion of PKCS 12.
- */
-typedef struct sec_PKCS12EncoderContextStr {
- PRArenaPool *arena;
- SEC_PKCS12ExportContext *p12exp;
- PK11SymKey *encryptionKey;
-
- /* encoder information - this is set up based on whether
- * password based or public key pased privacy is being used
- */
- SEC_ASN1EncoderContext *ecx;
- union {
- struct sec_pkcs12_hmac_and_output_info hmacAndOutputInfo;
- struct sec_pkcs12_encoder_output encOutput;
- } output;
-
- /* structures for encoding of PFX and MAC */
- sec_PKCS12PFXItem pfx;
- sec_PKCS12MacData mac;
-
- /* authenticated safe encoding tracking information */
- SEC_PKCS7ContentInfo *aSafeCinfo;
- SEC_PKCS7EncoderContext *aSafeP7Ecx;
- SEC_ASN1EncoderContext *aSafeEcx;
- unsigned int currentSafe;
-
- /* hmac context */
- void *hmacCx;
-} sec_PKCS12EncoderContext;
-
-
-/*********************************
- * Export setup routines
- *********************************/
-
-/* SEC_PKCS12CreateExportContext
- * Creates an export context and sets the unicode and password retrieval
- * callbacks. This is the first call which must be made when exporting
- * a PKCS 12 blob.
- *
- * pwfn, pwfnarg - password retrieval callback and argument. these are
- * required for password-authentication mode.
- */
-SEC_PKCS12ExportContext *
-SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,
- PK11SlotInfo *slot, void *wincx)
-{
- PRArenaPool *arena = NULL;
- SEC_PKCS12ExportContext *p12ctxt = NULL;
-
- /* allocate the arena and create the context */
- arena = PORT_NewArena(4096);
- if(!arena) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- p12ctxt = (SEC_PKCS12ExportContext *)PORT_ArenaZAlloc(arena,
- sizeof(SEC_PKCS12ExportContext));
- if(!p12ctxt) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* password callback for key retrieval */
- p12ctxt->pwfn = pwfn;
- p12ctxt->pwfnarg = pwfnarg;
-
- p12ctxt->integrityEnabled = PR_FALSE;
- p12ctxt->arena = arena;
- p12ctxt->wincx = wincx;
- p12ctxt->slot = (slot) ? slot : PK11_GetInternalSlot();
-
- return p12ctxt;
-
-loser:
- if(arena) {
- PORT_FreeArena(arena, PR_TRUE);
- }
-
- return NULL;
-}
-
-/*
- * Adding integrity mode
- */
-
-/* SEC_PKCS12AddPasswordIntegrity
- * Add password integrity to the exported data. If an integrity method
- * has already been set, then return an error.
- *
- * p12ctxt - the export context
- * pwitem - the password for integrity mode
- * integAlg - the integrity algorithm to use for authentication.
- */
-SECStatus
-SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
- SECItem *pwitem, SECOidTag integAlg)
-{
- if(!p12ctxt || p12ctxt->integrityEnabled) {
- return SECFailure;
- }
-
- /* set up integrity information */
- p12ctxt->pwdIntegrity = PR_TRUE;
- p12ctxt->integrityInfo.pwdInfo.password =
- (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
- if(!p12ctxt->integrityInfo.pwdInfo.password) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- if(SECITEM_CopyItem(p12ctxt->arena,
- p12ctxt->integrityInfo.pwdInfo.password, pwitem)
- != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- p12ctxt->integrityInfo.pwdInfo.algorithm = integAlg;
- p12ctxt->integrityEnabled = PR_TRUE;
-
- return SECSuccess;
-}
-
-/* SEC_PKCS12AddPublicKeyIntegrity
- * Add public key integrity to the exported data. If an integrity method
- * has already been set, then return an error. The certificate must be
- * allowed to be used as a signing cert.
- *
- * p12ctxt - the export context
- * cert - signer certificate
- * certDb - the certificate database
- * algorithm - signing algorithm
- * keySize - size of the signing key (?)
- */
-SECStatus
-SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
- CERTCertificate *cert, CERTCertDBHandle *certDb,
- SECOidTag algorithm, int keySize)
-{
- if(!p12ctxt) {
- return SECFailure;
- }
-
- p12ctxt->integrityInfo.pubkeyInfo.cert = cert;
- p12ctxt->integrityInfo.pubkeyInfo.certDb = certDb;
- p12ctxt->integrityInfo.pubkeyInfo.algorithm = algorithm;
- p12ctxt->integrityInfo.pubkeyInfo.keySize = keySize;
- p12ctxt->integrityEnabled = PR_TRUE;
-
- return SECSuccess;
-}
-
-
-/*
- * Adding safes - encrypted (password/public key) or unencrypted
- * Each of the safe creation routines return an opaque pointer which
- * are later passed into the routines for exporting certificates and
- * keys.
- */
-
-/* append the newly created safeInfo to list of safeInfos in the export
- * context.
- */
-static SECStatus
-sec_pkcs12_append_safe_info(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *info)
-{
- void *mark = NULL, *dummy1 = NULL, *dummy2 = NULL;
-
- if(!p12ctxt || !info) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- /* if no safeInfos have been set, create the list, otherwise expand it. */
- if(!p12ctxt->safeInfoCount) {
- p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)PORT_ArenaZAlloc(p12ctxt->arena,
- 2 * sizeof(SEC_PKCS12SafeInfo *));
- dummy1 = p12ctxt->safeInfos;
- p12ctxt->authSafe.encodedSafes = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena,
- 2 * sizeof(SECItem *));
- dummy2 = p12ctxt->authSafe.encodedSafes;
- } else {
- dummy1 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->safeInfos,
- (p12ctxt->safeInfoCount + 1) * sizeof(SEC_PKCS12SafeInfo *),
- (p12ctxt->safeInfoCount + 2) * sizeof(SEC_PKCS12SafeInfo *));
- p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)dummy1;
- dummy2 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->authSafe.encodedSafes,
- (p12ctxt->authSafe.safeCount + 1) * sizeof(SECItem *),
- (p12ctxt->authSafe.safeCount + 2) * sizeof(SECItem *));
- p12ctxt->authSafe.encodedSafes = (SECItem**)dummy2;
- }
- if(!dummy1 || !dummy2) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* append the new safeInfo and null terminate the list */
- p12ctxt->safeInfos[p12ctxt->safeInfoCount] = info;
- p12ctxt->safeInfos[++p12ctxt->safeInfoCount] = NULL;
- p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount] =
- (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
- if(!p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount]) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- p12ctxt->authSafe.encodedSafes[++p12ctxt->authSafe.safeCount] = NULL;
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return SECFailure;
-}
-
-/* SEC_PKCS12CreatePasswordPrivSafe
- * Create a password privacy safe to store exported information in.
- *
- * p12ctxt - export context
- * pwitem - password for encryption
- * privAlg - pbe algorithm through which encryption is done.
- */
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt,
- SECItem *pwitem, SECOidTag privAlg)
-{
- SEC_PKCS12SafeInfo *safeInfo = NULL;
- void *mark = NULL;
- PK11SlotInfo *slot;
- SECAlgorithmID *algId;
- SECItem uniPwitem = {siBuffer, NULL, 0};
-
- if(!p12ctxt) {
- return NULL;
- }
-
- /* allocate the safe info */
- mark = PORT_ArenaMark(p12ctxt->arena);
- safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(SEC_PKCS12SafeInfo));
- if(!safeInfo) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return NULL;
- }
-
- safeInfo->itemCount = 0;
-
- /* create the encrypted safe */
- safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn,
- p12ctxt->pwfnarg);
- if(!safeInfo->cinfo) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- safeInfo->arena = p12ctxt->arena;
-
- /* convert the password to unicode */
- if(!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
- PR_TRUE, PR_TRUE, PR_TRUE)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- if(SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* generate the encryption key */
- slot = p12ctxt->slot;
- if(!slot) {
- slot = PK11_GetInternalKeySlot();
- if(!slot) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- }
-
- algId = SEC_PKCS7GetEncryptionAlgorithm(safeInfo->cinfo);
- safeInfo->encryptionKey = PK11_PBEKeyGen(slot, algId, &uniPwitem,
- PR_FALSE, p12ctxt->wincx);
- if(!safeInfo->encryptionKey) {
- goto loser;
- }
-
- safeInfo->arena = p12ctxt->arena;
- safeInfo->safe = NULL;
- if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
- goto loser;
- }
-
- if(uniPwitem.data) {
- SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
- }
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return safeInfo;
-
-loser:
- if(safeInfo->cinfo) {
- SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
- }
-
- if(uniPwitem.data) {
- SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
- }
-
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return NULL;
-}
-
-/* SEC_PKCS12CreateUnencryptedSafe
- * Creates an unencrypted safe within the export context.
- *
- * p12ctxt - the export context
- */
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt)
-{
- SEC_PKCS12SafeInfo *safeInfo = NULL;
- void *mark = NULL;
-
- if(!p12ctxt) {
- return NULL;
- }
-
- /* create the safe info */
- mark = PORT_ArenaMark(p12ctxt->arena);
- safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(SEC_PKCS12SafeInfo));
- if(!safeInfo) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- safeInfo->itemCount = 0;
-
- /* create the safe content */
- safeInfo->cinfo = SEC_PKCS7CreateData();
- if(!safeInfo->cinfo) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
- goto loser;
- }
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return safeInfo;
-
-loser:
- if(safeInfo->cinfo) {
- SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
- }
-
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return NULL;
-}
-
-/* SEC_PKCS12CreatePubKeyEncryptedSafe
- * Creates a safe which is protected by public key encryption.
- *
- * p12ctxt - the export context
- * certDb - the certificate database
- * signer - the signer's certificate
- * recipients - the list of recipient certificates.
- * algorithm - the encryption algorithm to use
- * keysize - the algorithms key size (?)
- */
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
- CERTCertDBHandle *certDb,
- CERTCertificate *signer,
- CERTCertificate **recipients,
- SECOidTag algorithm, int keysize)
-{
- SEC_PKCS12SafeInfo *safeInfo = NULL;
- void *mark = NULL;
-
- if(!p12ctxt || !signer || !recipients || !(*recipients)) {
- return NULL;
- }
-
- /* allocate the safeInfo */
- mark = PORT_ArenaMark(p12ctxt->arena);
- safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(SEC_PKCS12SafeInfo));
- if(!safeInfo) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- safeInfo->itemCount = 0;
- safeInfo->arena = p12ctxt->arena;
-
- /* create the enveloped content info using certUsageEmailSigner currently.
- * XXX We need to eventually use something other than certUsageEmailSigner
- */
- safeInfo->cinfo = SEC_PKCS7CreateEnvelopedData(signer, certUsageEmailSigner,
- certDb, algorithm, keysize,
- p12ctxt->pwfn, p12ctxt->pwfnarg);
- if(!safeInfo->cinfo) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* add recipients */
- if(recipients) {
- unsigned int i = 0;
- while(recipients[i] != NULL) {
- SECStatus rv = SEC_PKCS7AddRecipient(safeInfo->cinfo, recipients[i],
- certUsageEmailRecipient, certDb);
- if(rv != SECSuccess) {
- goto loser;
- }
- i++;
- }
- }
-
- if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
- goto loser;
- }
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return safeInfo;
-
-loser:
- if(safeInfo->cinfo) {
- SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
- safeInfo->cinfo = NULL;
- }
-
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return NULL;
-}
-
-/*********************************
- * Routines to handle the exporting of the keys and certificates
- *********************************/
-
-/* creates a safe contents which safeBags will be appended to */
-sec_PKCS12SafeContents *
-sec_PKCS12CreateSafeContents(PRArenaPool *arena)
-{
- sec_PKCS12SafeContents *safeContents;
-
- if(arena == NULL) {
- return NULL;
- }
-
- /* create the safe contents */
- safeContents = (sec_PKCS12SafeContents *)PORT_ArenaZAlloc(arena,
- sizeof(sec_PKCS12SafeContents));
- if(!safeContents) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* set up the internal contents info */
- safeContents->safeBags = NULL;
- safeContents->arena = arena;
- safeContents->bagCount = 0;
-
- return safeContents;
-
-loser:
- return NULL;
-}
-
-/* appends a safe bag to a safeContents using the specified arena.
- */
-SECStatus
-sec_pkcs12_append_bag_to_safe_contents(PRArenaPool *arena,
- sec_PKCS12SafeContents *safeContents,
- sec_PKCS12SafeBag *safeBag)
-{
- void *mark = NULL, *dummy = NULL;
-
- if(!arena || !safeBag || !safeContents) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(arena);
- if(!mark) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- /* allocate space for the list, or reallocate to increase space */
- if(!safeContents->safeBags) {
- safeContents->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(arena,
- (2 * sizeof(sec_PKCS12SafeBag *)));
- dummy = safeContents->safeBags;
- safeContents->bagCount = 0;
- } else {
- dummy = PORT_ArenaGrow(arena, safeContents->safeBags,
- (safeContents->bagCount + 1) * sizeof(sec_PKCS12SafeBag *),
- (safeContents->bagCount + 2) * sizeof(sec_PKCS12SafeBag *));
- safeContents->safeBags = (sec_PKCS12SafeBag **)dummy;
- }
-
- if(!dummy) {
- PORT_ArenaRelease(arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- /* append the bag at the end and null terminate the list */
- safeContents->safeBags[safeContents->bagCount++] = safeBag;
- safeContents->safeBags[safeContents->bagCount] = NULL;
-
- PORT_ArenaUnmark(arena, mark);
-
- return SECSuccess;
-}
-
-/* appends a safeBag to a specific safeInfo.
- */
-SECStatus
-sec_pkcs12_append_bag(SEC_PKCS12ExportContext *p12ctxt,
- SEC_PKCS12SafeInfo *safeInfo, sec_PKCS12SafeBag *safeBag)
-{
- sec_PKCS12SafeContents *dest;
- SECStatus rv = SECFailure;
-
- if(!p12ctxt || !safeBag || !safeInfo) {
- return SECFailure;
- }
-
- if(!safeInfo->safe) {
- safeInfo->safe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
- if(!safeInfo->safe) {
- return SECFailure;
- }
- }
-
- dest = safeInfo->safe;
- rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, dest, safeBag);
- if(rv == SECSuccess) {
- safeInfo->itemCount++;
- }
-
- return rv;
-}
-
-/* Creates a safeBag of the specified type, and if bagData is specified,
- * the contents are set. The contents could be set later by the calling
- * routine.
- */
-sec_PKCS12SafeBag *
-sec_PKCS12CreateSafeBag(SEC_PKCS12ExportContext *p12ctxt, SECOidTag bagType,
- void *bagData)
-{
- sec_PKCS12SafeBag *safeBag;
- PRBool setName = PR_TRUE;
- void *mark = NULL;
- SECStatus rv = SECSuccess;
- SECOidData *oidData = NULL;
-
- if(!p12ctxt) {
- return NULL;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
- if(!mark) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- safeBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(sec_PKCS12SafeBag));
- if(!safeBag) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- /* set the bags content based upon bag type */
- switch(bagType) {
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- safeBag->safeBagContent.pkcs8KeyBag =
- (SECKEYPrivateKeyInfo *)bagData;
- break;
- case SEC_OID_PKCS12_V1_CERT_BAG_ID:
- safeBag->safeBagContent.certBag = (sec_PKCS12CertBag *)bagData;
- break;
- case SEC_OID_PKCS12_V1_CRL_BAG_ID:
- safeBag->safeBagContent.crlBag = (sec_PKCS12CRLBag *)bagData;
- break;
- case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
- safeBag->safeBagContent.secretBag = (sec_PKCS12SecretBag *)bagData;
- break;
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- safeBag->safeBagContent.pkcs8ShroudedKeyBag =
- (SECKEYEncryptedPrivateKeyInfo *)bagData;
- break;
- case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
- safeBag->safeBagContent.safeContents =
- (sec_PKCS12SafeContents *)bagData;
- setName = PR_FALSE;
- break;
- default:
- goto loser;
- }
-
- oidData = SECOID_FindOIDByTag(bagType);
- if(oidData) {
- rv = SECITEM_CopyItem(p12ctxt->arena, &safeBag->safeBagType, &oidData->oid);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- } else {
- goto loser;
- }
-
- safeBag->arena = p12ctxt->arena;
- PORT_ArenaUnmark(p12ctxt->arena, mark);
-
- return safeBag;
-
-loser:
- if(mark) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- }
-
- return NULL;
-}
-
-/* Creates a new certificate bag and returns a pointer to it. If an error
- * occurs NULL is returned.
- */
-sec_PKCS12CertBag *
-sec_PKCS12NewCertBag(PRArenaPool *arena, SECOidTag certType)
-{
- sec_PKCS12CertBag *certBag = NULL;
- SECOidData *bagType = NULL;
- SECStatus rv;
- void *mark = NULL;
-
- if(!arena) {
- return NULL;
- }
-
- mark = PORT_ArenaMark(arena);
- certBag = (sec_PKCS12CertBag *)PORT_ArenaZAlloc(arena,
- sizeof(sec_PKCS12CertBag));
- if(!certBag) {
- PORT_ArenaRelease(arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- bagType = SECOID_FindOIDByTag(certType);
- if(!bagType) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- rv = SECITEM_CopyItem(arena, &certBag->bagID, &bagType->oid);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- PORT_ArenaUnmark(arena, mark);
- return certBag;
-
-loser:
- PORT_ArenaRelease(arena, mark);
- return NULL;
-}
-
-/* Creates a new CRL bag and returns a pointer to it. If an error
- * occurs NULL is returned.
- */
-sec_PKCS12CRLBag *
-sec_PKCS12NewCRLBag(PRArenaPool *arena, SECOidTag crlType)
-{
- sec_PKCS12CRLBag *crlBag = NULL;
- SECOidData *bagType = NULL;
- SECStatus rv;
- void *mark = NULL;
-
- if(!arena) {
- return NULL;
- }
-
- mark = PORT_ArenaMark(arena);
- crlBag = (sec_PKCS12CRLBag *)PORT_ArenaZAlloc(arena,
- sizeof(sec_PKCS12CRLBag));
- if(!crlBag) {
- PORT_ArenaRelease(arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- bagType = SECOID_FindOIDByTag(crlType);
- if(!bagType) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- rv = SECITEM_CopyItem(arena, &crlBag->bagID, &bagType->oid);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- PORT_ArenaUnmark(arena, mark);
- return crlBag;
-
-loser:
- PORT_ArenaRelease(arena, mark);
- return NULL;
-}
-
-/* sec_PKCS12AddAttributeToBag
- * adds an attribute to a safeBag. currently, the only attributes supported
- * are those which are specified within PKCS 12.
- *
- * p12ctxt - the export context
- * safeBag - the safeBag to which attributes are appended
- * attrType - the attribute type
- * attrData - the attribute data
- */
-SECStatus
-sec_PKCS12AddAttributeToBag(SEC_PKCS12ExportContext *p12ctxt,
- sec_PKCS12SafeBag *safeBag, SECOidTag attrType,
- SECItem *attrData)
-{
- sec_PKCS12Attribute *attribute;
- void *mark = NULL, *dummy = NULL;
- SECOidData *oiddata = NULL;
- SECItem unicodeName = { siBuffer, NULL, 0};
- void *src = NULL;
- unsigned int nItems = 0;
- SECStatus rv;
-
- if(!safeBag || !p12ctxt) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(safeBag->arena);
-
- /* allocate the attribute */
- attribute = (sec_PKCS12Attribute *)PORT_ArenaZAlloc(safeBag->arena,
- sizeof(sec_PKCS12Attribute));
- if(!attribute) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* set up the attribute */
- oiddata = SECOID_FindOIDByTag(attrType);
- if(!oiddata) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- if(SECITEM_CopyItem(p12ctxt->arena, &attribute->attrType, &oiddata->oid) !=
- SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- nItems = 1;
- switch(attrType) {
- case SEC_OID_PKCS9_LOCAL_KEY_ID:
- {
- src = attrData;
- break;
- }
- case SEC_OID_PKCS9_FRIENDLY_NAME:
- {
- if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena,
- &unicodeName, attrData, PR_FALSE,
- PR_FALSE, PR_TRUE)) {
- goto loser;
- }
- src = &unicodeName;
- break;
- }
- default:
- goto loser;
- }
-
- /* append the attribute to the attribute value list */
- attribute->attrValue = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena,
- ((nItems + 1) * sizeof(SECItem *)));
- if(!attribute->attrValue) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* XXX this will need to be changed if attributes requiring more than
- * one element are ever used.
- */
- attribute->attrValue[0] = (SECItem *)PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(SECItem));
- if(!attribute->attrValue[0]) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- attribute->attrValue[1] = NULL;
-
- rv = SECITEM_CopyItem(p12ctxt->arena, attribute->attrValue[0],
- (SECItem*)src);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* append the attribute to the safeBag attributes */
- if(safeBag->nAttribs) {
- dummy = PORT_ArenaGrow(p12ctxt->arena, safeBag->attribs,
- ((safeBag->nAttribs + 1) * sizeof(sec_PKCS12Attribute *)),
- ((safeBag->nAttribs + 2) * sizeof(sec_PKCS12Attribute *)));
- safeBag->attribs = (sec_PKCS12Attribute **)dummy;
- } else {
- safeBag->attribs = (sec_PKCS12Attribute **)PORT_ArenaZAlloc(p12ctxt->arena,
- 2 * sizeof(sec_PKCS12Attribute *));
- dummy = safeBag->attribs;
- }
- if(!dummy) {
- goto loser;
- }
-
- safeBag->attribs[safeBag->nAttribs] = attribute;
- safeBag->attribs[++safeBag->nAttribs] = NULL;
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return SECSuccess;
-
-loser:
- if(mark) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- }
-
- return SECFailure;
-}
-
-/* SEC_PKCS12AddCert
- * Adds a certificate to the data being exported.
- *
- * p12ctxt - the export context
- * safe - the safeInfo to which the certificate is placed
- * nestedDest - if the cert is to be placed within a nested safeContents then,
- * this value is to be specified with the destination
- * cert - the cert to export
- * certDb - the certificate database handle
- * keyId - a unique identifier to associate a certificate/key pair
- * includeCertChain - PR_TRUE if the certificate chain is to be included.
- */
-SECStatus
-SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe,
- void *nestedDest, CERTCertificate *cert,
- CERTCertDBHandle *certDb, SECItem *keyId,
- PRBool includeCertChain)
-{
- sec_PKCS12CertBag *certBag;
- sec_PKCS12SafeBag *safeBag;
- void *mark;
- SECStatus rv;
- SECItem nick = {siBuffer, NULL,0};
-
- if(!p12ctxt || !cert) {
- return SECFailure;
- }
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- /* allocate the cert bag */
- certBag = sec_PKCS12NewCertBag(p12ctxt->arena,
- SEC_OID_PKCS9_X509_CERT);
- if(!certBag) {
- goto loser;
- }
-
- if(SECITEM_CopyItem(p12ctxt->arena, &certBag->value.x509Cert,
- &cert->derCert) != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* if the cert chain is to be included, we should only be exporting
- * the cert from our internal database.
- */
- if(includeCertChain) {
- CERTCertificateList *certList = CERT_CertChainFromCert(cert,
- certUsageSSLClient,
- PR_TRUE);
- unsigned int count = 0;
- if(!certList) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* add cert chain */
- for(count = 0; count < (unsigned int)certList->len; count++) {
- if(SECITEM_CompareItem(&certList->certs[count], &cert->derCert)
- != SECEqual) {
- CERTCertificate *tempCert;
-
- /* decode the certificate */
- tempCert = CERT_NewTempCertificate(certDb,
- &certList->certs[count], NULL,
- PR_FALSE, PR_TRUE);
- if(!tempCert) {
- CERT_DestroyCertificateList(certList);
- goto loser;
- }
-
- /* add the certificate */
- if(SEC_PKCS12AddCert(p12ctxt, safe, nestedDest, tempCert, certDb,
- NULL, PR_FALSE) != SECSuccess) {
- CERT_DestroyCertificate(tempCert);
- CERT_DestroyCertificateList(certList);
- goto loser;
- }
- CERT_DestroyCertificate(tempCert);
- }
- }
- CERT_DestroyCertificateList(certList);
- }
-
- /* if the certificate has a nickname, we will set the friendly name
- * to that.
- */
- if(cert->nickname) {
- if (cert->slot && !PK11_IsInternal(cert->slot)) {
- /*
- * The cert is coming off of an external token,
- * let's strip the token name from the nickname
- * and only add what comes after the colon as the
- * nickname. -javi
- */
- char *delimit;
-
- delimit = PORT_Strchr(cert->nickname,':');
- if (delimit == NULL) {
- nick.data = (unsigned char *)cert->nickname;
- nick.len = PORT_Strlen(cert->nickname);
- } else {
- delimit++;
- nick.data = (unsigned char *)PORT_ArenaStrdup(p12ctxt->arena,
- delimit);
- nick.len = PORT_Strlen(delimit);
- }
- } else {
- nick.data = (unsigned char *)cert->nickname;
- nick.len = PORT_Strlen(cert->nickname);
- }
- }
-
- safeBag = sec_PKCS12CreateSafeBag(p12ctxt, SEC_OID_PKCS12_V1_CERT_BAG_ID,
- certBag);
- if(!safeBag) {
- goto loser;
- }
-
- /* add the friendly name and keyId attributes, if necessary */
- if(nick.data) {
- if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag,
- SEC_OID_PKCS9_FRIENDLY_NAME, &nick)
- != SECSuccess) {
- goto loser;
- }
- }
-
- if(keyId) {
- if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
- keyId) != SECSuccess) {
- goto loser;
- }
- }
-
- /* append the cert safeBag */
- if(nestedDest) {
- rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
- (sec_PKCS12SafeContents*)nestedDest,
- safeBag);
- } else {
- rv = sec_pkcs12_append_bag(p12ctxt, safe, safeBag);
- }
-
- if(rv != SECSuccess) {
- goto loser;
- }
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return SECSuccess;
-
-loser:
- if(mark) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- }
-
- return SECFailure;
-}
-
-/* SEC_PKCS12AddEncryptedKey
- * Extracts the key associated with a particular certificate and exports
- * it.
- *
- * p12ctxt - the export context
- * safe - the safeInfo to place the key in
- * nestedDest - the nested safeContents to place a key
- * cert - the certificate which the key belongs to
- * shroudKey - encrypt the private key for export. This value should
- * always be true. lower level code will not allow the export
- * of unencrypted private keys.
- * algorithm - the algorithm with which to encrypt the private key
- * pwitem - the password to encrypted the private key with
- * keyId - the keyID attribute
- * nickName - the nickname attribute
- */
-static SECStatus
-SEC_PKCS12AddEncryptedKey(SEC_PKCS12ExportContext *p12ctxt,
- SECKEYEncryptedPrivateKeyInfo *epki, SEC_PKCS12SafeInfo *safe,
- void *nestedDest, SECItem *keyId, SECItem *nickName)
-{
- void *mark;
- void *keyItem;
- SECOidTag keyType;
- SECStatus rv = SECFailure;
- sec_PKCS12SafeBag *returnBag;
-
- if(!p12ctxt || !safe || !epki) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- keyItem = PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(SECKEYEncryptedPrivateKeyInfo));
- if(!keyItem) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena,
- (SECKEYEncryptedPrivateKeyInfo *)keyItem,
- epki);
- keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
-
- if(rv != SECSuccess) {
- goto loser;
- }
-
- /* create the safe bag and set any attributes */
- returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
- if(!returnBag) {
- rv = SECFailure;
- goto loser;
- }
-
- if(nickName) {
- if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag,
- SEC_OID_PKCS9_FRIENDLY_NAME, nickName)
- != SECSuccess) {
- goto loser;
- }
- }
-
- if(keyId) {
- if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
- keyId) != SECSuccess) {
- goto loser;
- }
- }
-
- if(nestedDest) {
- rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
- (sec_PKCS12SafeContents*)nestedDest,
- returnBag);
- } else {
- rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
- }
-
-loser:
-
- if (rv != SECSuccess) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- } else {
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- }
-
- return rv;
-}
-
-/* SEC_PKCS12AddKeyForCert
- * Extracts the key associated with a particular certificate and exports
- * it.
- *
- * p12ctxt - the export context
- * safe - the safeInfo to place the key in
- * nestedDest - the nested safeContents to place a key
- * cert - the certificate which the key belongs to
- * shroudKey - encrypt the private key for export. This value should
- * always be true. lower level code will not allow the export
- * of unencrypted private keys.
- * algorithm - the algorithm with which to encrypt the private key
- * pwitem - the password to encrypt the private key with
- * keyId - the keyID attribute
- * nickName - the nickname attribute
- */
-SECStatus
-SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe,
- void *nestedDest, CERTCertificate *cert,
- PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
- SECItem *keyId, SECItem *nickName)
-{
- void *mark;
- void *keyItem;
- SECOidTag keyType;
- SECStatus rv = SECFailure;
- SECItem nickname = {siBuffer,NULL,0}, uniPwitem = {siBuffer, NULL, 0};
- sec_PKCS12SafeBag *returnBag;
-
- if(!p12ctxt || !cert || !safe) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- /* retrieve the key based upon the type that it is and
- * specify the type of safeBag to store the key in
- */
- if(!shroudKey) {
-
- /* extract the key unencrypted. this will most likely go away */
- SECKEYPrivateKeyInfo *pki = PK11_ExportPrivateKeyInfo(cert,
- p12ctxt->wincx);
- if(!pki) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
- return SECFailure;
- }
- keyItem = PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECKEYPrivateKeyInfo));
- if(!keyItem) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- rv = SECKEY_CopyPrivateKeyInfo(p12ctxt->arena,
- (SECKEYPrivateKeyInfo *)keyItem, pki);
- keyType = SEC_OID_PKCS12_V1_KEY_BAG_ID;
- SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
- } else {
-
- /* extract the key encrypted */
- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- PK11SlotInfo *slot = p12ctxt->slot;
-
- if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
- pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* we want to make sure to take the key out of the key slot */
- if(PK11_IsInternal(p12ctxt->slot)) {
- slot = PK11_GetInternalKeySlot();
- }
-
- epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm,
- &uniPwitem, cert, 1,
- p12ctxt->wincx);
- if(PK11_IsInternal(p12ctxt->slot)) {
- PK11_FreeSlot(slot);
- }
-
- keyItem = PORT_ArenaZAlloc(p12ctxt->arena,
- sizeof(SECKEYEncryptedPrivateKeyInfo));
- if(!keyItem) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- if(!epki) {
- PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
- return SECFailure;
- }
- rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena,
- (SECKEYEncryptedPrivateKeyInfo *)keyItem,
- epki);
- keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
- SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
- }
-
- if(rv != SECSuccess) {
- goto loser;
- }
-
- /* if no nickname specified, let's see if the certificate has a
- * nickname.
- */
- if(!nickName) {
- if(cert->nickname) {
- nickname.data = (unsigned char *)cert->nickname;
- nickname.len = PORT_Strlen(cert->nickname);
- nickName = &nickname;
- }
- }
-
- /* create the safe bag and set any attributes */
- returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
- if(!returnBag) {
- rv = SECFailure;
- goto loser;
- }
-
- if(nickName) {
- if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag,
- SEC_OID_PKCS9_FRIENDLY_NAME, nickName)
- != SECSuccess) {
- goto loser;
- }
- }
-
- if(keyId) {
- if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
- keyId) != SECSuccess) {
- goto loser;
- }
- }
-
- if(nestedDest) {
- rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
- (sec_PKCS12SafeContents*)nestedDest,
- returnBag);
- } else {
- rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
- }
-
-loser:
-
- if (rv != SECSuccess) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- } else {
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- }
-
- return rv;
-}
-
-/* SEC_PKCS12AddCertAndEncryptedKey
- * Add a certificate and key pair to be exported.
- *
- * p12ctxt - the export context
- * certSafe - the safeInfo where the cert is stored
- * certNestedDest - the nested safeContents to store the cert
- * keySafe - the safeInfo where the key is stored
- * keyNestedDest - the nested safeContents to store the key
- * shroudKey - extract the private key encrypted?
- * pwitem - the password with which the key is encrypted
- * algorithm - the algorithm with which the key is encrypted
- */
-SECStatus
-SEC_PKCS12AddDERCertAndEncryptedKey(SEC_PKCS12ExportContext *p12ctxt,
- void *certSafe, void *certNestedDest,
- SECItem *derCert, void *keySafe,
- void *keyNestedDest, SECKEYEncryptedPrivateKeyInfo *epki,
- char *nickname)
-{
- SECStatus rv = SECFailure;
- SGNDigestInfo *digest = NULL;
- void *mark = NULL;
- CERTCertificate *cert;
- SECItem nick = {siBuffer, NULL,0}, *nickPtr = NULL;
-
- if(!p12ctxt || !certSafe || !keySafe || !derCert) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), derCert,
- NULL, PR_FALSE, PR_TRUE);
- if(!cert) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- cert->nickname = nickname;
-
- /* generate the thumbprint of the cert to use as a keyId */
- digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
- if(!digest) {
- CERT_DestroyCertificate(cert);
- return SECFailure;
- }
-
- /* add the certificate */
- rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe,
- certNestedDest, cert, NULL,
- &digest->digest, PR_FALSE);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- if(nickname) {
- nick.data = (unsigned char *)nickname;
- nick.len = PORT_Strlen(nickname);
- nickPtr = &nick;
- } else {
- nickPtr = NULL;
- }
-
- /* add the key */
- rv = SEC_PKCS12AddEncryptedKey(p12ctxt, epki, (SEC_PKCS12SafeInfo*)keySafe,
- keyNestedDest, &digest->digest, nickPtr );
- if(rv != SECSuccess) {
- goto loser;
- }
-
- SGN_DestroyDigestInfo(digest);
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return SECSuccess;
-
-loser:
- SGN_DestroyDigestInfo(digest);
- CERT_DestroyCertificate(cert);
- PORT_ArenaRelease(p12ctxt->arena, mark);
-
- return SECFailure;
-}
-
-/* SEC_PKCS12AddCertAndKey
- * Add a certificate and key pair to be exported.
- *
- * p12ctxt - the export context
- * certSafe - the safeInfo where the cert is stored
- * certNestedDest - the nested safeContents to store the cert
- * keySafe - the safeInfo where the key is stored
- * keyNestedDest - the nested safeContents to store the key
- * shroudKey - extract the private key encrypted?
- * pwitem - the password with which the key is encrypted
- * algorithm - the algorithm with which the key is encrypted
- */
-SECStatus
-SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt,
- void *certSafe, void *certNestedDest,
- CERTCertificate *cert, CERTCertDBHandle *certDb,
- void *keySafe, void *keyNestedDest,
- PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm)
-{
- SECStatus rv = SECFailure;
- SGNDigestInfo *digest = NULL;
- void *mark = NULL;
-
- if(!p12ctxt || !certSafe || !keySafe || !cert) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- /* generate the thumbprint of the cert to use as a keyId */
- digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
- if(!digest) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return SECFailure;
- }
-
- /* add the certificate */
- rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe,
- (SEC_PKCS12SafeInfo*)certNestedDest, cert, certDb,
- &digest->digest, PR_TRUE);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- /* add the key */
- rv = SEC_PKCS12AddKeyForCert(p12ctxt, (SEC_PKCS12SafeInfo*)keySafe,
- keyNestedDest, cert,
- shroudKey, algorithm, pwitem,
- &digest->digest, NULL );
- if(rv != SECSuccess) {
- goto loser;
- }
-
- SGN_DestroyDigestInfo(digest);
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return SECSuccess;
-
-loser:
- SGN_DestroyDigestInfo(digest);
- PORT_ArenaRelease(p12ctxt->arena, mark);
-
- return SECFailure;
-}
-
-/* SEC_PKCS12CreateNestedSafeContents
- * Allows nesting of safe contents to be implemented. No limit imposed on
- * depth.
- *
- * p12ctxt - the export context
- * baseSafe - the base safeInfo
- * nestedDest - a parent safeContents (?)
- */
-void *
-SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
- void *baseSafe, void *nestedDest)
-{
- sec_PKCS12SafeContents *newSafe;
- sec_PKCS12SafeBag *safeContentsBag;
- void *mark;
- SECStatus rv;
-
- if(!p12ctxt || !baseSafe) {
- return NULL;
- }
-
- mark = PORT_ArenaMark(p12ctxt->arena);
-
- newSafe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
- if(!newSafe) {
- PORT_ArenaRelease(p12ctxt->arena, mark);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- /* create the safeContents safeBag */
- safeContentsBag = sec_PKCS12CreateSafeBag(p12ctxt,
- SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
- newSafe);
- if(!safeContentsBag) {
- goto loser;
- }
-
- /* append the safeContents to the appropriate area */
- if(nestedDest) {
- rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
- (sec_PKCS12SafeContents*)nestedDest,
- safeContentsBag);
- } else {
- rv = sec_pkcs12_append_bag(p12ctxt, (SEC_PKCS12SafeInfo*)baseSafe,
- safeContentsBag);
- }
- if(rv != SECSuccess) {
- goto loser;
- }
-
- PORT_ArenaUnmark(p12ctxt->arena, mark);
- return newSafe;
-
-loser:
- PORT_ArenaRelease(p12ctxt->arena, mark);
- return NULL;
-}
-
-/*********************************
- * Encoding routines
- *********************************/
-
-/* set up the encoder context based on information in the export context
- * and return the newly allocated enocoder context. A return of NULL
- * indicates an error occurred.
- */
-sec_PKCS12EncoderContext *
-sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
-{
- sec_PKCS12EncoderContext *p12enc = NULL;
- unsigned int i, nonEmptyCnt;
-
- if(!p12exp || !p12exp->safeInfos) {
- return NULL;
- }
-
- /* check for any empty safes and skip them */
- i = nonEmptyCnt = 0;
- while(p12exp->safeInfos[i]) {
- if(p12exp->safeInfos[i]->itemCount) {
- nonEmptyCnt++;
- }
- i++;
- }
- if(nonEmptyCnt == 0) {
- return NULL;
- }
- p12exp->authSafe.encodedSafes[nonEmptyCnt] = NULL;
-
- /* allocate the encoder context */
- p12enc = (sec_PKCS12EncoderContext*)PORT_ArenaZAlloc(p12exp->arena,
- sizeof(sec_PKCS12EncoderContext));
- if(!p12enc) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- p12enc->arena = p12exp->arena;
- p12enc->p12exp = p12exp;
-
- /* set up the PFX version and information */
- PORT_Memset(&p12enc->pfx, 0, sizeof(sec_PKCS12PFXItem));
- if(!SEC_ASN1EncodeInteger(p12exp->arena, &(p12enc->pfx.version),
- SEC_PKCS12_VERSION) ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* set up the authenticated safe content info based on the
- * type of integrity being used. this should be changed to
- * enforce integrity mode, but will not be implemented until
- * it is confirmed that integrity must be in place
- */
- if(p12exp->integrityEnabled && !p12exp->pwdIntegrity) {
- SECStatus rv;
-
- /* create public key integrity mode */
- p12enc->aSafeCinfo = SEC_PKCS7CreateSignedData(
- p12exp->integrityInfo.pubkeyInfo.cert,
- certUsageEmailSigner,
- p12exp->integrityInfo.pubkeyInfo.certDb,
- p12exp->integrityInfo.pubkeyInfo.algorithm,
- NULL,
- p12exp->pwfn,
- p12exp->pwfnarg);
- if(!p12enc->aSafeCinfo) {
- goto loser;
- }
- if(SEC_PKCS7IncludeCertChain(p12enc->aSafeCinfo,NULL) != SECSuccess) {
- SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
- goto loser;
- }
- rv = SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo);
- PORT_Assert(rv == SECSuccess);
- } else {
- p12enc->aSafeCinfo = SEC_PKCS7CreateData();
-
- /* init password pased integrity mode */
- if(p12exp->integrityEnabled) {
- SECItem pwd = {siBuffer,NULL, 0}, *key;
- SECItem *salt = sec_pkcs12_generate_salt();
- PBEBitGenContext *pbeCtxt = NULL;
-
- /* zero out macData and set values */
- PORT_Memset(&p12enc->mac, 0, sizeof(sec_PKCS12MacData));
-
- if(!salt) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- if(SECITEM_CopyItem(p12exp->arena, &(p12enc->mac.macSalt), salt)
- != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- SECITEM_ZfreeItem(salt, PR_TRUE);
-
- /* generate HMAC key */
- if(!sec_pkcs12_convert_item_to_unicode(p12exp->arena, &pwd,
- p12exp->integrityInfo.pwdInfo.password, PR_TRUE,
- PR_TRUE, PR_TRUE)) {
- goto loser;
- }
- pbeCtxt = PBE_CreateContext(p12exp->integrityInfo.pwdInfo.algorithm,
- pbeBitGenIntegrityKey, &pwd,
- &(p12enc->mac.macSalt), 160, 1);
- if(!pbeCtxt) {
- goto loser;
- }
- key = PBE_GenerateBits(pbeCtxt);
- PBE_DestroyContext(pbeCtxt);
- if(!key) {
- goto loser;
- }
-
- /* initialize hmac */
- p12enc->hmacCx = HMAC_Create(
- p12exp->integrityInfo.pwdInfo.algorithm,
- key->data, key->len);
- SECITEM_ZfreeItem(key, PR_TRUE);
- if(!p12enc->hmacCx) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- HMAC_Begin((HMACContext*)p12enc->hmacCx);
- }
- }
-
- if(!p12enc->aSafeCinfo) {
- goto loser;
- }
-
- return p12enc;
-
-loser:
- if(p12enc) {
- if(p12enc->aSafeCinfo) {
- SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
- }
-
- PORT_Free(p12enc);
- }
-
- return NULL;
-}
-
-/* callback wrapper to allow the ASN1 engine to call the PKCS 12
- * output routines.
- */
-static void
-sec_pkcs12_encoder_out(void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- struct sec_pkcs12_encoder_output *output;
-
- output = (struct sec_pkcs12_encoder_output*)arg;
- (* output->outputfn)(output->outputarg, buf, len);
-}
-
-/* callback wrapper to wrap SEC_PKCS7EncoderUpdate for ASN1 encoder
- */
-static void
-sec_pkcs12_wrap_pkcs7_encoder_update(void *arg, const char *buf,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind)
-{
- SEC_PKCS7EncoderContext *ecx;
- if(!buf || !len) {
- return;
- }
-
- ecx = (SEC_PKCS7EncoderContext*)arg;
- SEC_PKCS7EncoderUpdate(ecx, buf, len);
-}
-
-/* callback wrapper to wrap SEC_ASN1EncoderUpdate for PKCS 7 encoding
- */
-static void
-sec_pkcs12_wrap_asn1_update_for_p7_update(void *arg, const char *buf,
- unsigned long len)
-{
- if(!buf && !len) return;
-
- SEC_ASN1EncoderUpdate((SEC_ASN1EncoderContext*)arg, buf, len);
-}
-
-/* callback wrapper which updates the HMAC and passes on bytes to the
- * appropriate output function.
- */
-static void
-sec_pkcs12_asafe_update_hmac_and_encode_bits(void *arg, const char *buf,
- unsigned long len, int depth,
- SEC_ASN1EncodingPart data_kind)
-{
- sec_PKCS12EncoderContext *p12ecx;
-
- p12ecx = (sec_PKCS12EncoderContext*)arg;
- HMAC_Update((HMACContext*)p12ecx->hmacCx, (unsigned char *)buf, len);
- sec_pkcs12_wrap_pkcs7_encoder_update(p12ecx->aSafeP7Ecx, buf, len,
- depth, data_kind);
-}
-
-/* this function encodes content infos which are part of the
- * sequence of content infos labeled AuthenticatedSafes
- */
-static SECStatus
-sec_pkcs12_encoder_asafe_process(sec_PKCS12EncoderContext *p12ecx)
-{
- SECStatus rv = SECSuccess;
- SEC_PKCS5KeyAndPassword keyPwd;
- SEC_PKCS7EncoderContext *p7ecx;
- SEC_PKCS7ContentInfo *cinfo;
- SEC_ASN1EncoderContext *ecx = NULL;
-
- void *arg = NULL;
-
- if(p12ecx->currentSafe < p12ecx->p12exp->authSafe.safeCount) {
- SEC_PKCS12SafeInfo *safeInfo;
- SECOidTag cinfoType;
-
- safeInfo = p12ecx->p12exp->safeInfos[p12ecx->currentSafe];
-
- /* skip empty safes */
- if(safeInfo->itemCount == 0) {
- return SECSuccess;
- }
-
- cinfo = safeInfo->cinfo;
- cinfoType = SEC_PKCS7ContentType(cinfo);
-
- /* determine the safe type and set the appropriate argument */
- switch(cinfoType) {
- case SEC_OID_PKCS7_DATA:
- arg = NULL;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- keyPwd.pwitem = &safeInfo->pwitem;
- keyPwd.key = safeInfo->encryptionKey;
- arg = &keyPwd;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- arg = NULL;
- break;
- default:
- return SECFailure;
-
- }
-
- /* start the PKCS7 encoder */
- p7ecx = SEC_PKCS7EncoderStart(cinfo,
- sec_pkcs12_wrap_asn1_update_for_p7_update,
- p12ecx->aSafeEcx, (PK11SymKey *)arg);
- if(!p7ecx) {
- goto loser;
- }
-
- /* encode safe contents */
- ecx = SEC_ASN1EncoderStart(safeInfo->safe, sec_PKCS12SafeContentsTemplate,
- sec_pkcs12_wrap_pkcs7_encoder_update, p7ecx);
- if(!ecx) {
- goto loser;
- }
- rv = SEC_ASN1EncoderUpdate(ecx, NULL, 0);
- SEC_ASN1EncoderFinish(ecx);
- ecx = NULL;
- if(rv != SECSuccess) {
- goto loser;
- }
-
-
- /* finish up safe content info */
- rv = SEC_PKCS7EncoderFinish(p7ecx, p12ecx->p12exp->pwfn,
- p12ecx->p12exp->pwfnarg);
- }
-
- return SECSuccess;
-
-loser:
- if(p7ecx) {
- SEC_PKCS7EncoderFinish(p7ecx, p12ecx->p12exp->pwfn,
- p12ecx->p12exp->pwfnarg);
- }
-
- if(ecx) {
- SEC_ASN1EncoderFinish(ecx);
- }
-
- return SECFailure;
-}
-
-/* finish the HMAC and encode the macData so that it can be
- * encoded.
- */
-static SECStatus
-sec_pkcs12_update_mac(sec_PKCS12EncoderContext *p12ecx)
-{
- SECItem hmac = { siBuffer, NULL, 0 };
- SECStatus rv;
- SGNDigestInfo *di = NULL;
- void *dummy;
-
- if(!p12ecx) {
- return SECFailure;
- }
-
- /* make sure we are using password integrity mode */
- if(!p12ecx->p12exp->integrityEnabled) {
- return SECSuccess;
- }
-
- if(!p12ecx->p12exp->pwdIntegrity) {
- return SECSuccess;
- }
-
- /* finish the hmac */
- hmac.data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
- if(!hmac.data) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- rv = HMAC_Finish((HMACContext*)p12ecx->hmacCx,
- hmac.data, &hmac.len, SHA1_LENGTH);
-
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* create the digest info */
- di = SGN_CreateDigestInfo(p12ecx->p12exp->integrityInfo.pwdInfo.algorithm,
- hmac.data, hmac.len);
- if(!di) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto loser;
- }
-
- rv = SGN_CopyDigestInfo(p12ecx->arena, &p12ecx->mac.safeMac, di);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* encode the mac data */
- dummy = SEC_ASN1EncodeItem(p12ecx->arena, &p12ecx->pfx.encodedMacData,
- &p12ecx->mac, sec_PKCS12MacDataTemplate);
- if(!dummy) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- }
-
-loser:
- if(di) {
- SGN_DestroyDigestInfo(di);
- }
- if(hmac.data) {
- SECITEM_ZfreeItem(&hmac, PR_FALSE);
- }
- HMAC_Destroy((HMACContext*)p12ecx->hmacCx);
- p12ecx->hmacCx = NULL;
-
- return rv;
-}
-
-/* wraps the ASN1 encoder update for PKCS 7 encoder */
-static void
-sec_pkcs12_wrap_asn1_encoder_update(void *arg, const char *buf,
- unsigned long len)
-{
- SEC_ASN1EncoderContext *cx;
-
- cx = (SEC_ASN1EncoderContext*)arg;
- SEC_ASN1EncoderUpdate(cx, buf, len);
-}
-
-/* pfx notify function for ASN1 encoder. we want to stop encoding, once we reach
- * the authenticated safe. at that point, the encoder will be updated via streaming
- * as the authenticated safe is encoded.
- */
-static void
-sec_pkcs12_encoder_pfx_notify(void *arg, PRBool before, void *dest, int real_depth)
-{
- sec_PKCS12EncoderContext *p12ecx;
-
- if(!before) {
- return;
- }
-
- /* look for authenticated safe */
- p12ecx = (sec_PKCS12EncoderContext*)arg;
- if(dest != &p12ecx->pfx.encodedAuthSafe) {
- return;
- }
-
- SEC_ASN1EncoderSetTakeFromBuf(p12ecx->ecx);
- SEC_ASN1EncoderSetStreaming(p12ecx->ecx);
- SEC_ASN1EncoderClearNotifyProc(p12ecx->ecx);
-}
-
-/* SEC_PKCS12Encode
- * Encodes the PFX item and returns it to the output function, via
- * callback. the output function must be capable of multiple updates.
- *
- * p12exp - the export context
- * output - the output function callback, will be called more than once,
- * must be able to accept streaming data.
- * outputarg - argument for the output callback.
- */
-SECStatus
-SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp,
- SEC_PKCS12EncoderOutputCallback output, void *outputarg)
-{
- sec_PKCS12EncoderContext *p12enc;
- struct sec_pkcs12_encoder_output outInfo;
- SECStatus rv;
-
- if(!p12exp || !output) {
- return SECFailure;
- }
-
- /* get the encoder context */
- p12enc = sec_pkcs12_encoder_start_context(p12exp);
- if(!p12enc) {
- return SECFailure;
- }
-
- outInfo.outputfn = output;
- outInfo.outputarg = outputarg;
-
- /* set up PFX encoder. Set it for streaming */
- p12enc->ecx = SEC_ASN1EncoderStart(&p12enc->pfx, sec_PKCS12PFXItemTemplate,
- sec_pkcs12_encoder_out,
- &outInfo);
- if(!p12enc->ecx) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto loser;
- }
- SEC_ASN1EncoderSetStreaming(p12enc->ecx);
- SEC_ASN1EncoderSetNotifyProc(p12enc->ecx, sec_pkcs12_encoder_pfx_notify, p12enc);
- rv = SEC_ASN1EncoderUpdate(p12enc->ecx, NULL, 0);
- if(rv != SECSuccess) {
- rv = SECFailure;
- goto loser;
- }
-
- /* set up asafe cinfo - the output of the encoder feeds the PFX encoder */
- p12enc->aSafeP7Ecx = SEC_PKCS7EncoderStart(p12enc->aSafeCinfo,
- sec_pkcs12_wrap_asn1_encoder_update,
- p12enc->ecx, NULL);
- if(!p12enc->aSafeP7Ecx) {
- rv = SECFailure;
- goto loser;
- }
-
- /* encode asafe */
- if(p12enc->p12exp->integrityEnabled && p12enc->p12exp->pwdIntegrity) {
- p12enc->aSafeEcx = SEC_ASN1EncoderStart(&p12enc->p12exp->authSafe,
- sec_PKCS12AuthenticatedSafeTemplate,
- sec_pkcs12_asafe_update_hmac_and_encode_bits,
- p12enc);
- } else {
- p12enc->aSafeEcx = SEC_ASN1EncoderStart(&p12enc->p12exp->authSafe,
- sec_PKCS12AuthenticatedSafeTemplate,
- sec_pkcs12_wrap_pkcs7_encoder_update,
- p12enc->aSafeP7Ecx);
- }
- if(!p12enc->aSafeEcx) {
- rv = SECFailure;
- goto loser;
- }
- SEC_ASN1EncoderSetStreaming(p12enc->aSafeEcx);
- SEC_ASN1EncoderSetTakeFromBuf(p12enc->aSafeEcx);
-
- /* encode each of the safes */
- while(p12enc->currentSafe != p12enc->p12exp->safeInfoCount) {
- sec_pkcs12_encoder_asafe_process(p12enc);
- p12enc->currentSafe++;
- }
- SEC_ASN1EncoderClearTakeFromBuf(p12enc->aSafeEcx);
- SEC_ASN1EncoderClearStreaming(p12enc->aSafeEcx);
- SEC_ASN1EncoderUpdate(p12enc->aSafeEcx, NULL, 0);
- SEC_ASN1EncoderFinish(p12enc->aSafeEcx);
-
- /* finish the encoding of the authenticated safes */
- rv = SEC_PKCS7EncoderFinish(p12enc->aSafeP7Ecx, p12exp->pwfn,
- p12exp->pwfnarg);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- SEC_ASN1EncoderClearTakeFromBuf(p12enc->ecx);
- SEC_ASN1EncoderClearStreaming(p12enc->ecx);
-
- /* update the mac, if necessary */
- rv = sec_pkcs12_update_mac(p12enc);
- if(rv != SECSuccess) {
- goto loser;
- }
-
- /* finish encoding the pfx */
- rv = SEC_ASN1EncoderUpdate(p12enc->ecx, NULL, 0);
-
- SEC_ASN1EncoderFinish(p12enc->ecx);
-
-loser:
- return rv;
-}
-
-void
-SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12ecx)
-{
- int i = 0;
-
- if(!p12ecx) {
- return;
- }
-
- if(p12ecx->safeInfos) {
- i = 0;
- while(p12ecx->safeInfos[i] != NULL) {
- if(p12ecx->safeInfos[i]->encryptionKey) {
- PK11_FreeSymKey(p12ecx->safeInfos[i]->encryptionKey);
- }
- if(p12ecx->safeInfos[i]->cinfo) {
- SEC_PKCS7DestroyContentInfo(p12ecx->safeInfos[i]->cinfo);
- }
- i++;
- }
- }
-
- PORT_FreeArena(p12ecx->arena, PR_TRUE);
-}
-
-
-/*********************************
- * All-in-one routines for exporting certificates
- *********************************/
-struct inPlaceEncodeInfo {
- PRBool error;
- SECItem outItem;
-};
-
-static void
-sec_pkcs12_in_place_encoder_output(void *arg, const char *buf, unsigned long len)
-{
- struct inPlaceEncodeInfo *outInfo = (struct inPlaceEncodeInfo*)arg;
-
- if(!outInfo || !len || outInfo->error) {
- return;
- }
-
- if(!outInfo->outItem.data) {
- outInfo->outItem.data = (unsigned char*)PORT_ZAlloc(len);
- outInfo->outItem.len = 0;
- } else {
- if(!PORT_Realloc(&(outInfo->outItem.data), (outInfo->outItem.len + len))) {
- SECITEM_ZfreeItem(&(outInfo->outItem), PR_FALSE);
- outInfo->outItem.data = NULL;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- outInfo->error = PR_TRUE;
- return;
- }
- }
-
- PORT_Memcpy(&(outInfo->outItem.data[outInfo->outItem.len]), buf, len);
- outInfo->outItem.len += len;
-
- return;
-}
-
-/*
- * SEC_PKCS12ExportCertifcateAndKeyUsingPassword
- * Exports a certificate/key pair using password-based encryption and
- * authentication.
- *
- * pwfn, pwfnarg - password function and argument for the key database
- * cert - the certificate to export
- * certDb - certificate database
- * pwitem - the password to use
- * shroudKey - encrypt the key externally,
- * keyShroudAlg - encryption algorithm for key
- * encryptionAlg - the algorithm with which data is encrypted
- * integrityAlg - the algorithm for integrity
- */
-SECItem *
-SEC_PKCS12ExportCertificateAndKeyUsingPassword(
- SECKEYGetPasswordKey pwfn, void *pwfnarg,
- CERTCertificate *cert, PK11SlotInfo *slot,
- CERTCertDBHandle *certDb, SECItem *pwitem,
- PRBool shroudKey, SECOidTag shroudAlg,
- PRBool encryptCert, SECOidTag certEncAlg,
- SECOidTag integrityAlg, void *wincx)
-{
- struct inPlaceEncodeInfo outInfo;
- SEC_PKCS12ExportContext *p12ecx = NULL;
- SEC_PKCS12SafeInfo *keySafe, *certSafe;
- SECItem *returnItem = NULL;
-
- if(!cert || !pwitem || !slot) {
- return NULL;
- }
-
- outInfo.error = PR_FALSE;
- outInfo.outItem.data = NULL;
- outInfo.outItem.len = 0;
-
- p12ecx = SEC_PKCS12CreateExportContext(pwfn, pwfnarg, slot, wincx);
- if(!p12ecx) {
- return NULL;
- }
-
- /* set up cert safe */
- if(encryptCert) {
- certSafe = SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certEncAlg);
- } else {
- certSafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
- }
- if(!certSafe) {
- goto loser;
- }
-
- /* set up key safe */
- if(shroudKey) {
- keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
- } else {
- keySafe = certSafe;
- }
- if(!keySafe) {
- goto loser;
- }
-
- /* add integrity mode */
- if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, integrityAlg)
- != SECSuccess) {
- goto loser;
- }
-
- /* add cert and key pair */
- if(SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert, certDb,
- keySafe, NULL, shroudKey, pwitem, shroudAlg)
- != SECSuccess) {
- goto loser;
- }
-
- /* encode the puppy */
- if(SEC_PKCS12Encode(p12ecx, sec_pkcs12_in_place_encoder_output, &outInfo)
- != SECSuccess) {
- goto loser;
- }
- if(outInfo.error) {
- goto loser;
- }
-
- SEC_PKCS12DestroyExportContext(p12ecx);
-
- returnItem = SECITEM_DupItem(&outInfo.outItem);
- SECITEM_ZfreeItem(&outInfo.outItem, PR_FALSE);
-
- return returnItem;
-
-loser:
- if(outInfo.outItem.data) {
- SECITEM_ZfreeItem(&(outInfo.outItem), PR_TRUE);
- }
-
- if(p12ecx) {
- SEC_PKCS12DestroyExportContext(p12ecx);
- }
-
- return NULL;
-}
-
-
diff --git a/security/nss/lib/pkcs12/p12exp.c b/security/nss/lib/pkcs12/p12exp.c
deleted file mode 100644
index 242d98288..000000000
--- a/security/nss/lib/pkcs12/p12exp.c
+++ /dev/null
@@ -1,1407 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "pkcs12.h"
-#include "p12local.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "p12plcy.h"
-
-/* release the memory taken up by the list of nicknames */
-static void
-sec_pkcs12_destroy_nickname_list(SECItem **nicknames)
-{
- int i = 0;
-
- if(nicknames == NULL) {
- return;
- }
-
- while(nicknames[i] != NULL) {
- SECITEM_FreeItem(nicknames[i], PR_FALSE);
- i++;
- }
-
- PORT_Free(nicknames);
-}
-
-/* release the memory taken up by the list of certificates */
-static void
-sec_pkcs12_destroy_certificate_list(CERTCertificate **ref_certs)
-{
- int i = 0;
-
- if(ref_certs == NULL) {
- return;
- }
-
- while(ref_certs[i] != NULL) {
- CERT_DestroyCertificate(ref_certs[i]);
- i++;
- }
-}
-
-static void
-sec_pkcs12_destroy_cinfos_for_cert_bags(SEC_PKCS12CertAndCRLBag *certBag)
-{
- int j = 0;
- j = 0;
- while(certBag->certAndCRLs[j] != NULL) {
- SECOidTag certType = SECOID_FindOIDTag(&certBag->certAndCRLs[j]->BagID);
- if(certType == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
- SEC_PKCS12X509CertCRL *x509;
- x509 = certBag->certAndCRLs[j]->value.x509;
- SEC_PKCS7DestroyContentInfo(&x509->certOrCRL);
- }
- j++;
- }
-}
-
-/* destroy all content infos since they were not allocated in common
- * pool
- */
-static void
-sec_pkcs12_destroy_cert_content_infos(SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage)
-{
- int i, j;
-
- if((safe != NULL) && (safe->contents != NULL)) {
- i = 0;
- while(safe->contents[i] != NULL) {
- SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
- if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
- SEC_PKCS12CertAndCRLBag *certBag;
- certBag = safe->contents[i]->safeContent.certAndCRLBag;
- sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
- }
- i++;
- }
- }
-
- if((baggage != NULL) && (baggage->bags != NULL)) {
- i = 0;
- while(baggage->bags[i] != NULL) {
- if(baggage->bags[i]->unencSecrets != NULL) {
- j = 0;
- while(baggage->bags[i]->unencSecrets[j] != NULL) {
- SECOidTag bagType;
- bagType = SECOID_FindOIDTag(&baggage->bags[i]->unencSecrets[j]->safeBagType);
- if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
- SEC_PKCS12CertAndCRLBag *certBag;
- certBag = baggage->bags[i]->unencSecrets[j]->safeContent.certAndCRLBag;
- sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
- }
- j++;
- }
- }
- i++;
- }
- }
-}
-
-/* convert the nickname list from a NULL termincated Char list
- * to a NULL terminated SECItem list
- */
-static SECItem **
-sec_pkcs12_convert_nickname_list(char **nicknames)
-{
- SECItem **nicks;
- int i, j;
- PRBool error = PR_FALSE;
-
- if(nicknames == NULL) {
- return NULL;
- }
-
- i = j = 0;
- while(nicknames[i] != NULL) {
- i++;
- }
-
- /* allocate the space and copy the data */
- nicks = (SECItem **)PORT_ZAlloc(sizeof(SECItem *) * (i + 1));
- if(nicks != NULL) {
- for(j = 0; ((j < i) && (error == PR_FALSE)); j++) {
- nicks[j] = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(nicks[j] != NULL) {
- nicks[j]->data =
- (unsigned char *)PORT_ZAlloc(PORT_Strlen(nicknames[j])+1);
- if(nicks[j]->data != NULL) {
- nicks[j]->len = PORT_Strlen(nicknames[j]);
- PORT_Memcpy(nicks[j]->data, nicknames[j], nicks[j]->len);
- nicks[j]->data[nicks[j]->len] = 0;
- } else {
- error = PR_TRUE;
- }
- } else {
- error = PR_TRUE;
- }
- }
- }
-
- if(error == PR_TRUE) {
- for(i = 0; i < j; i++) {
- SECITEM_FreeItem(nicks[i], PR_TRUE);
- }
- PORT_Free(nicks);
- nicks = NULL;
- }
-
- return nicks;
-}
-
-/* package the certificate add_cert into PKCS12 structures,
- * retrieve the certificate chain for the cert and return
- * the packaged contents.
- * poolp -- common memory pool;
- * add_cert -- certificate to package up
- * nickname for the certificate
- * a return of NULL indicates an error
- */
-static SEC_PKCS12CertAndCRL *
-sec_pkcs12_get_cert(PRArenaPool *poolp,
- CERTCertificate *add_cert,
- SECItem *nickname)
-{
- SEC_PKCS12CertAndCRL *cert;
- SEC_PKCS7ContentInfo *cinfo;
- SGNDigestInfo *t_di;
- void *mark;
- SECStatus rv;
-
- if((poolp == NULL) || (add_cert == NULL) || (nickname == NULL)) {
- return NULL;
- }
- mark = PORT_ArenaMark(poolp);
-
- cert = sec_pkcs12_new_cert_crl(poolp, SEC_OID_PKCS12_X509_CERT_CRL_BAG);
- if(cert != NULL) {
-
- /* copy the nickname */
- rv = SECITEM_CopyItem(poolp, &cert->nickname, nickname);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- cert = NULL;
- } else {
-
- /* package the certificate and cert chain into a NULL signer
- * PKCS 7 SignedData content Info and prepare it for encoding
- * since we cannot use DER_ANY_TEMPLATE
- */
- cinfo = SEC_PKCS7CreateCertsOnly(add_cert, PR_TRUE, NULL);
- rv = SEC_PKCS7PrepareForEncode(cinfo, NULL, NULL, NULL);
-
- /* thumbprint the certificate */
- if((cinfo != NULL) && (rv == SECSuccess))
- {
- PORT_Memcpy(&cert->value.x509->certOrCRL, cinfo, sizeof(*cinfo));
- t_di = sec_pkcs12_compute_thumbprint(&add_cert->derCert);
- if(t_di != NULL)
- {
- /* test */
- rv = SGN_CopyDigestInfo(poolp, &cert->value.x509->thumbprint,
- t_di);
- if(rv != SECSuccess) {
- cert = NULL;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- SGN_DestroyDigestInfo(t_di);
- }
- else
- cert = NULL;
- }
- }
- }
-
- if (cert == NULL) {
- PORT_ArenaRelease(poolp, mark);
- } else {
- PORT_ArenaUnmark(poolp, mark);
- }
-
- return cert;
-}
-
-/* package the private key associated with the certificate and
- * return the appropriate PKCS 12 structure
- * poolp common memory pool
- * nickname key nickname
- * cert -- cert to look up
- * wincx -- window handle
- * an error is indicated by a return of NULL
- */
-static SEC_PKCS12PrivateKey *
-sec_pkcs12_get_private_key(PRArenaPool *poolp,
- SECItem *nickname,
- CERTCertificate *cert,
- void *wincx)
-{
- SECKEYPrivateKeyInfo *pki;
- SEC_PKCS12PrivateKey *pk;
- SECStatus rv;
- void *mark;
-
- if((poolp == NULL) || (nickname == NULL)) {
- return NULL;
- }
-
- mark = PORT_ArenaMark(poolp);
-
- /* retrieve key from the data base */
- pki = PK11_ExportPrivateKeyInfo(nickname, cert, wincx);
- if(pki == NULL) {
- PORT_ArenaRelease(poolp, mark);
- PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
- return NULL;
- }
-
- pk = (SEC_PKCS12PrivateKey *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS12PrivateKey));
- if(pk != NULL) {
- rv = sec_pkcs12_init_pvk_data(poolp, &pk->pvkData);
-
- if(rv == SECSuccess) {
- /* copy the key into poolp memory space */
- rv = SECKEY_CopyPrivateKeyInfo(poolp, &pk->pkcs8data, pki);
- if(rv == SECSuccess) {
- rv = SECITEM_CopyItem(poolp, &pk->pvkData.nickname, nickname);
- }
- }
-
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- pk = NULL;
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
-
- /* destroy private key, zeroing out data */
- SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
- if (pk == NULL) {
- PORT_ArenaRelease(poolp, mark);
- } else {
- PORT_ArenaUnmark(poolp, mark);
- }
-
- return pk;
-}
-
-/* get a shrouded key item associated with a certificate
- * return the appropriate PKCS 12 structure
- * poolp common memory pool
- * nickname key nickname
- * cert -- cert to look up
- * wincx -- window handle
- * an error is indicated by a return of NULL
- */
-static SEC_PKCS12ESPVKItem *
-sec_pkcs12_get_shrouded_key(PRArenaPool *poolp,
- SECItem *nickname,
- CERTCertificate *cert,
- SECOidTag algorithm,
- SECItem *pwitem,
- PKCS12UnicodeConvertFunction unicodeFn,
- void *wincx)
-{
- SECKEYEncryptedPrivateKeyInfo *epki;
- SEC_PKCS12ESPVKItem *pk;
- void *mark;
- SECStatus rv;
- PK11SlotInfo *slot = NULL;
- PRBool swapUnicodeBytes = PR_FALSE;
-
-#ifdef IS_LITTLE_ENDIAN
- swapUnicodeBytes = PR_TRUE;
-#endif
-
- if((poolp == NULL) || (nickname == NULL))
- return NULL;
-
- mark = PORT_ArenaMark(poolp);
-
- /* use internal key slot */
- slot = PK11_GetInternalKeySlot();
-
- /* retrieve encrypted prviate key */
- epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, pwitem,
- nickname, cert, 1, 0, NULL);
- PK11_FreeSlot(slot);
- if(epki == NULL) {
- PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
- }
-
- /* create a private key and store the data into the poolp memory space */
- pk = sec_pkcs12_create_espvk(poolp, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING);
- if(pk != NULL) {
- rv = sec_pkcs12_init_pvk_data(poolp, &pk->espvkData);
- rv = SECITEM_CopyItem(poolp, &pk->espvkData.nickname, nickname);
- pk->espvkCipherText.pkcs8KeyShroud =
- (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp,
- sizeof(SECKEYEncryptedPrivateKeyInfo));
- if((pk->espvkCipherText.pkcs8KeyShroud != NULL) && (rv == SECSuccess)) {
- rv = SECKEY_CopyEncryptedPrivateKeyInfo(poolp,
- pk->espvkCipherText.pkcs8KeyShroud, epki);
- if(rv == SECSuccess) {
- rv = (*unicodeFn)(poolp, &pk->espvkData.uniNickName, nickname,
- PR_TRUE, swapUnicodeBytes);
- }
- }
-
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- pk = NULL;
- }
- }
-
- SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
- if(pk == NULL) {
- PORT_ArenaRelease(poolp, mark);
- } else {
- PORT_ArenaUnmark(poolp, mark);
- }
-
- return pk;
-}
-
-/* add a thumbprint to a private key associated certs list
- * pvk is the area where the list is stored
- * thumb is the thumbprint to copy
- * a return of SECFailure indicates an error
- */
-static SECStatus
-sec_pkcs12_add_thumbprint(SEC_PKCS12PVKSupportingData *pvk,
- SGNDigestInfo *thumb)
-{
- SGNDigestInfo **thumb_list = NULL;
- int nthumbs, size;
- void *mark, *dummy;
- SECStatus rv = SECFailure;
-
- if((pvk == NULL) || (thumb == NULL)) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(pvk->poolp);
-
- thumb_list = pvk->assocCerts;
- nthumbs = pvk->nThumbs;
-
- /* allocate list space needed -- either growing or allocating
- * list must be NULL terminated
- */
- size = sizeof(SGNDigestInfo *);
- dummy = PORT_ArenaGrow(pvk->poolp, thumb_list, (size * (nthumbs + 1)),
- (size * (nthumbs + 2)));
- thumb_list = dummy;
- if(dummy != NULL) {
- thumb_list[nthumbs] = (SGNDigestInfo *)PORT_ArenaZAlloc(pvk->poolp,
- sizeof(SGNDigestInfo));
- if(thumb_list[nthumbs] != NULL) {
- SGN_CopyDigestInfo(pvk->poolp, thumb_list[nthumbs], thumb);
- nthumbs += 1;
- thumb_list[nthumbs] = 0;
- } else {
- dummy = NULL;
- }
- }
-
- if(dummy == NULL) {
- PORT_ArenaRelease(pvk->poolp, mark);
- return SECFailure;
- }
-
- pvk->assocCerts = thumb_list;
- pvk->nThumbs = nthumbs;
-
- PORT_ArenaUnmark(pvk->poolp, mark);
- return SECSuccess;
-}
-
-/* search the list of shrouded keys in the baggage for the desired
- * name. return a pointer to the item. a return of NULL indicates
- * that no match was present or that an error occurred.
- */
-static SEC_PKCS12ESPVKItem *
-sec_pkcs12_get_espvk_by_name(SEC_PKCS12Baggage *luggage,
- SECItem *name)
-{
- PRBool found = PR_FALSE;
- SEC_PKCS12ESPVKItem *espvk = NULL;
- int i, j;
- SECComparison rv = SECEqual;
- SECItem *t_name;
- SEC_PKCS12BaggageItem *bag;
-
- if((luggage == NULL) || (name == NULL)) {
- return NULL;
- }
-
- i = 0;
- while((found == PR_FALSE) && (i < luggage->luggage_size)) {
- j = 0;
- bag = luggage->bags[i];
- while((found == PR_FALSE) && (j < bag->nEspvks)) {
- espvk = bag->espvks[j];
- if(espvk->poolp == NULL) {
- espvk->poolp = luggage->poolp;
- }
- t_name = SECITEM_DupItem(&espvk->espvkData.nickname);
- if(t_name != NULL) {
- rv = SECITEM_CompareItem(name, t_name);
- if(rv == SECEqual) {
- found = PR_TRUE;
- }
- SECITEM_FreeItem(t_name, PR_TRUE);
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
- j++;
- }
- i++;
- }
-
- if(found != PR_TRUE) {
- PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
- return NULL;
- }
-
- return espvk;
-}
-
-/* locates a certificate and copies the thumbprint to the
- * appropriate private key
- */
-static SECStatus
-sec_pkcs12_propagate_thumbprints(SECItem **nicknames,
- CERTCertificate **ref_certs,
- SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage)
-{
- SEC_PKCS12CertAndCRL *cert;
- SEC_PKCS12PrivateKey *key;
- SEC_PKCS12ESPVKItem *espvk;
- int i;
- PRBool error = PR_FALSE;
- SECStatus rv = SECFailure;
-
- if((nicknames == NULL) || (safe == NULL)) {
- return SECFailure;
- }
-
- i = 0;
- while((nicknames[i] != NULL) && (error == PR_FALSE)) {
- /* process all certs */
- cert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
- SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
- nicknames[i], NULL);
- if(cert != NULL) {
- /* locate key and copy thumbprint */
- key = (SEC_PKCS12PrivateKey *)sec_pkcs12_find_object(safe, baggage,
- SEC_OID_PKCS12_KEY_BAG_ID,
- nicknames[i], NULL);
- if(key != NULL) {
- key->pvkData.poolp = key->poolp;
- rv = sec_pkcs12_add_thumbprint(&key->pvkData,
- &cert->value.x509->thumbprint);
- if(rv == SECFailure)
- error = PR_TRUE; /* XXX Set error? */
- }
-
- /* look in the baggage as well...*/
- if((baggage != NULL) && (error == PR_FALSE)) {
- espvk = sec_pkcs12_get_espvk_by_name(baggage, nicknames[i]);
- if(espvk != NULL) {
- espvk->espvkData.poolp = espvk->poolp;
- rv = sec_pkcs12_add_thumbprint(&espvk->espvkData,
- &cert->value.x509->thumbprint);
- if(rv == SECFailure)
- error = PR_TRUE; /* XXX Set error? */
- }
- }
- }
- i++;
- }
-
- if(error == PR_TRUE) {
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-/* append a safe bag to the end of the safe contents list */
-SECStatus
-sec_pkcs12_append_safe_bag(SEC_PKCS12SafeContents *safe,
- SEC_PKCS12SafeBag *bag)
-{
- int size;
- void *mark = NULL, *dummy = NULL;
-
- if((bag == NULL) || (safe == NULL))
- return SECFailure;
-
- mark = PORT_ArenaMark(safe->poolp);
-
- size = (safe->safe_size * sizeof(SEC_PKCS12SafeBag *));
-
- if(safe->safe_size > 0) {
- dummy = (SEC_PKCS12SafeBag **)PORT_ArenaGrow(safe->poolp,
- safe->contents,
- size,
- (size + sizeof(SEC_PKCS12SafeBag *)));
- safe->contents = dummy;
- } else {
- safe->contents = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(safe->poolp,
- (2 * sizeof(SEC_PKCS12SafeBag *)));
- dummy = safe->contents;
- }
-
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- safe->contents[safe->safe_size] = bag;
- safe->safe_size++;
- safe->contents[safe->safe_size] = NULL;
-
- PORT_ArenaUnmark(safe->poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(safe->poolp, mark);
- return SECFailure;
-}
-
-/* append a certificate onto the end of a cert bag */
-static SECStatus
-sec_pkcs12_append_cert_to_bag(PRArenaPool *arena,
- SEC_PKCS12SafeBag *safebag,
- CERTCertificate *cert,
- SECItem *nickname)
-{
- int size;
- void *dummy = NULL, *mark = NULL;
- SEC_PKCS12CertAndCRL *p12cert;
- SEC_PKCS12CertAndCRLBag *bag;
-
- if((arena == NULL) || (safebag == NULL) ||
- (cert == NULL) || (nickname == NULL)) {
- return SECFailure;
- }
-
- bag = safebag->safeContent.certAndCRLBag;
- if(bag == NULL) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(arena);
-
- p12cert = sec_pkcs12_get_cert(arena, cert, nickname);
- if(p12cert == NULL) {
- PORT_ArenaRelease(bag->poolp, mark);
- return SECFailure;
- }
-
- size = bag->bag_size * sizeof(SEC_PKCS12CertAndCRL *);
- if(bag->bag_size > 0) {
- dummy = (SEC_PKCS12CertAndCRL **)PORT_ArenaGrow(bag->poolp,
- bag->certAndCRLs, size, size + sizeof(SEC_PKCS12CertAndCRL *));
- bag->certAndCRLs = dummy;
- } else {
- bag->certAndCRLs = (SEC_PKCS12CertAndCRL **)PORT_ArenaZAlloc(bag->poolp,
- (2 * sizeof(SEC_PKCS12CertAndCRL *)));
- dummy = bag->certAndCRLs;
- }
-
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- bag->certAndCRLs[bag->bag_size] = p12cert;
- bag->bag_size++;
- bag->certAndCRLs[bag->bag_size] = NULL;
-
- PORT_ArenaUnmark(bag->poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(bag->poolp, mark);
- return SECFailure;
-}
-
-/* append a key onto the end of a list of keys in a key bag */
-SECStatus
-sec_pkcs12_append_key_to_bag(SEC_PKCS12SafeBag *safebag,
- SEC_PKCS12PrivateKey *pk)
-{
- void *mark, *dummy;
- SEC_PKCS12PrivateKeyBag *bag;
- int size;
-
- if((safebag == NULL) || (pk == NULL))
- return SECFailure;
-
- bag = safebag->safeContent.keyBag;
- if(bag == NULL) {
- return SECFailure;
- }
-
- mark = PORT_ArenaMark(bag->poolp);
-
- size = (bag->bag_size * sizeof(SEC_PKCS12PrivateKey *));
-
- if(bag->bag_size > 0) {
- dummy = (SEC_PKCS12PrivateKey **)PORT_ArenaGrow(bag->poolp,
- bag->privateKeys,
- size,
- size + sizeof(SEC_PKCS12PrivateKey *));
- bag->privateKeys = dummy;
- } else {
- bag->privateKeys = (SEC_PKCS12PrivateKey **)PORT_ArenaZAlloc(bag->poolp,
- (2 * sizeof(SEC_PKCS12PrivateKey *)));
- dummy = bag->privateKeys;
- }
-
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- bag->privateKeys[bag->bag_size] = pk;
- bag->bag_size++;
- bag->privateKeys[bag->bag_size] = NULL;
-
- PORT_ArenaUnmark(bag->poolp, mark);
- return SECSuccess;
-
-loser:
- /* XXX Free memory? */
- PORT_ArenaRelease(bag->poolp, mark);
- return SECFailure;
-}
-
-/* append a safe bag to the baggage area */
-static SECStatus
-sec_pkcs12_append_unshrouded_bag(SEC_PKCS12BaggageItem *bag,
- SEC_PKCS12SafeBag *u_bag)
-{
- int size;
- void *mark = NULL, *dummy = NULL;
-
- if((bag == NULL) || (u_bag == NULL))
- return SECFailure;
-
- mark = PORT_ArenaMark(bag->poolp);
-
- /* dump things into the first bag */
- size = (bag->nSecrets + 1) * sizeof(SEC_PKCS12SafeBag *);
- dummy = PORT_ArenaGrow(bag->poolp,
- bag->unencSecrets, size,
- size + sizeof(SEC_PKCS12SafeBag *));
- bag->unencSecrets = dummy;
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- bag->unencSecrets[bag->nSecrets] = u_bag;
- bag->nSecrets++;
- bag->unencSecrets[bag->nSecrets] = NULL;
-
- PORT_ArenaUnmark(bag->poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(bag->poolp, mark);
- return SECFailure;
-}
-
-/* gather up all certificates and keys and package them up
- * in the safe, baggage, or both.
- * nicknames is the list of nicknames and corresponding certs in ref_certs
- * ref_certs a null terminated list of certificates
- * rSafe, rBaggage -- return areas for safe and baggage
- * shroud_keys -- store keys externally
- * pwitem -- password for computing integrity mac and encrypting contents
- * wincx -- window handle
- *
- * if a failure occurs, an error is set and SECFailure returned.
- */
-static SECStatus
-sec_pkcs12_package_certs_and_keys(SECItem **nicknames,
- CERTCertificate **ref_certs,
- PRBool unencryptedCerts,
- SEC_PKCS12SafeContents **rSafe,
- SEC_PKCS12Baggage **rBaggage,
- PRBool shroud_keys,
- SECOidTag shroud_alg,
- SECItem *pwitem,
- PKCS12UnicodeConvertFunction unicodeFn,
- void *wincx)
-{
- PRArenaPool *permArena;
- SEC_PKCS12SafeContents *safe = NULL;
- SEC_PKCS12Baggage *baggage = NULL;
-
- SECStatus rv = SECFailure;
- PRBool problem = PR_FALSE;
-
- SEC_PKCS12ESPVKItem *espvk = NULL;
- SEC_PKCS12PrivateKey *pk = NULL;
- CERTCertificate *add_cert = NULL;
- SEC_PKCS12SafeBag *certbag = NULL, *keybag = NULL;
- SEC_PKCS12BaggageItem *external_bag = NULL;
- int ncerts = 0, nkeys = 0;
- int i;
-
- if((nicknames == NULL) || (rSafe == NULL) || (rBaggage == NULL)) {
- return SECFailure;
- }
-
- *rBaggage = baggage;
- *rSafe = safe;
-
- permArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(permArena == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- /* allocate structures */
- safe = sec_pkcs12_create_safe_contents(permArena);
- if(safe == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto loser;
- }
-
- certbag = sec_pkcs12_create_safe_bag(permArena,
- SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID);
- if(certbag == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- if(shroud_keys != PR_TRUE) {
- keybag = sec_pkcs12_create_safe_bag(permArena,
- SEC_OID_PKCS12_KEY_BAG_ID);
- if(keybag == NULL) {
- rv = SECFailure;
- goto loser;
- }
- }
-
- if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
- baggage = sec_pkcs12_create_baggage(permArena);
- if(baggage == NULL) {
- rv = SECFailure;
- goto loser;
- }
- external_bag = sec_pkcs12_create_external_bag(baggage);
- }
-
- /* package keys and certs */
- i = 0;
- while((nicknames[i] != NULL) && (problem == PR_FALSE)) {
- if(ref_certs[i] != NULL) {
- /* append cert to bag o certs */
- rv = sec_pkcs12_append_cert_to_bag(permArena, certbag,
- ref_certs[i],
- nicknames[i]);
- if(rv == SECFailure) {
- problem = PR_FALSE;
- } else {
- ncerts++;
- }
-
- if(rv == SECSuccess) {
- /* package up them keys */
- if(shroud_keys == PR_TRUE) {
- espvk = sec_pkcs12_get_shrouded_key(permArena,
- nicknames[i],
- ref_certs[i],
- shroud_alg,
- pwitem, unicodeFn,
- wincx);
- if(espvk != NULL) {
- rv = sec_pkcs12_append_shrouded_key(external_bag, espvk);
- SECITEM_CopyItem(permArena, &espvk->derCert,
- &ref_certs[i]->derCert);
- } else {
- rv = SECFailure;
- }
- } else {
- pk = sec_pkcs12_get_private_key(permArena, nicknames[i],
- ref_certs[i], wincx);
- if(pk != NULL) {
- rv = sec_pkcs12_append_key_to_bag(keybag, pk);
- SECITEM_CopyItem(permArena, &espvk->derCert,
- &ref_certs[i]->derCert);
- } else {
- rv = SECFailure;
- }
- }
-
- if(rv == SECFailure) {
- problem = PR_TRUE;
- } else {
- nkeys++;
- }
- }
- } else {
- /* handle only keys here ? */
- problem = PR_TRUE;
- }
- i++;
- }
-
- /* let success fall through */
-loser:
- if(problem == PR_FALSE) {
- /* if we have certs, we want to append the cert bag to the
- * appropriate area
- */
- if(ncerts > 0) {
- if(unencryptedCerts != PR_TRUE) {
- rv = sec_pkcs12_append_safe_bag(safe, certbag);
- } else {
- rv = sec_pkcs12_append_unshrouded_bag(external_bag, certbag);
- }
- } else {
- rv = SECSuccess;
- }
-
- /* append key bag, if they are stored in safe contents */
- if((rv == SECSuccess) && (shroud_keys == PR_FALSE) && (nkeys > 0)) {
- rv = sec_pkcs12_append_safe_bag(safe, keybag);
- }
- } else {
- rv = SECFailure;
- }
-
- /* if baggage not used, NULLify it */
- if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
- if(((unencryptedCerts == PR_TRUE) && (ncerts == 0)) &&
- ((shroud_keys == PR_TRUE) && (nkeys == 0)))
- baggage = NULL;
- } else {
- baggage = NULL;
- }
-
- if((problem == PR_TRUE) || (rv == SECFailure)) {
- PORT_FreeArena(permArena, PR_TRUE);
- rv = SECFailure;
- baggage = NULL;
- safe = NULL;
- }
-
- *rBaggage = baggage;
- *rSafe = safe;
-
- return rv;
-}
-
-/* DER encode the safe contents and return a SECItem. if an error
- * occurs, NULL is returned.
- */
-static SECItem *
-sec_pkcs12_encode_safe_contents(SEC_PKCS12SafeContents *safe)
-{
- SECItem *dsafe = NULL, *tsafe;
- void *dummy = NULL;
- PRArenaPool *arena;
-
- if(safe == NULL) {
- return NULL;
- }
-
-/* rv = sec_pkcs12_prepare_for_der_code_safe(safe, PR_TRUE);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }*/
-
- arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(arena == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- tsafe = (SECItem *)PORT_ArenaZAlloc(arena, sizeof(SECItem));
- if(tsafe != NULL) {
- dummy = SEC_ASN1EncodeItem(arena, tsafe, safe,
- SEC_PKCS12SafeContentsTemplate);
- if(dummy != NULL) {
- dsafe = SECITEM_DupItem(tsafe);
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
-
- PORT_FreeArena(arena, PR_TRUE);
-
- return dsafe;
-}
-
-/* prepare the authenicated safe for encoding and encode it.
- * baggage is copied to the appropriate area, safe is encoded and
- * encrypted. the version and transport mode are set on the asafe.
- * the whole ball of wax is then der encoded and packaged up into
- * data content info
- * safe -- container of certs and keys, is encrypted.
- * baggage -- container of certs and keys, keys assumed to be encrypted by
- * another method, certs are in the clear
- * algorithm -- algorithm by which to encrypt safe
- * pwitem -- password for encryption
- * wincx - window handle
- *
- * return of NULL is an error condition.
- */
-static SEC_PKCS7ContentInfo *
-sec_pkcs12_get_auth_safe(SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage,
- SECOidTag algorithm,
- SECItem *pwitem,
- PKCS12UnicodeConvertFunction unicodeFn,
- void *wincx)
-{
- SECItem *src = NULL, *dest = NULL, *psalt = NULL;
- PRArenaPool *poolp;
- SEC_PKCS12AuthenticatedSafe *asafe;
- SEC_PKCS7ContentInfo *safe_cinfo = NULL;
- SEC_PKCS7ContentInfo *asafe_cinfo = NULL;
- void *dummy;
- SECStatus rv = SECSuccess;
- PRBool swapUnicodeBytes = PR_FALSE;
-
-#ifdef IS_LITTLE_ENDIAN
- swapUnicodeBytes = PR_TRUE;
-#endif
-
- if(((safe != NULL) && (pwitem == NULL)) && (baggage == NULL))
- return NULL;
-
- poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(poolp == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- /* prepare authenticated safe for encode */
- asafe = sec_pkcs12_new_asafe(poolp);
- if(asafe != NULL) {
-
- /* set version */
- dummy = SEC_ASN1EncodeInteger(asafe->poolp, &asafe->version,
- SEC_PKCS12_PFX_VERSION);
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto loser;
- }
-
- /* generate the privacy salt used to create virtual pwd */
- psalt = sec_pkcs12_generate_salt();
- if(psalt != NULL) {
- rv = SECITEM_CopyItem(asafe->poolp, &asafe->privacySalt,
- psalt);
- if(rv == SECSuccess) {
- asafe->privacySalt.len *= 8;
- }
- else {
- SECITEM_ZfreeItem(psalt, PR_TRUE);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- }
-
- if((psalt == NULL) || (rv == SECFailure)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto loser;
- }
-
- /* package up safe contents */
- if(safe != NULL)
- {
- safe_cinfo = SEC_PKCS7CreateEncryptedData(algorithm, NULL, wincx);
- if((safe_cinfo != NULL) && (safe->safe_size > 0)) {
- /* encode the safe and encrypt the contents of the
- * content info
- */
- src = sec_pkcs12_encode_safe_contents(safe);
-
- if(src != NULL) {
- rv = SEC_PKCS7SetContent(safe_cinfo, (char *)src->data, src->len);
- SECITEM_ZfreeItem(src, PR_TRUE);
- if(rv == SECSuccess) {
- SECItem *vpwd;
- vpwd = sec_pkcs12_create_virtual_password(pwitem, psalt,
- unicodeFn, swapUnicodeBytes);
- if(vpwd != NULL) {
- rv = SEC_PKCS7EncryptContents(NULL, safe_cinfo,
- vpwd, wincx);
- SECITEM_ZfreeItem(vpwd, PR_TRUE);
- } else {
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- } else {
- rv = SECFailure;
- }
- } else if(safe->safe_size > 0) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- } else {
- /* case where there is NULL content in the safe contents */
- rv = SEC_PKCS7SetContent(safe_cinfo, NULL, 0);
- if(rv != SECFailure) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- }
-
- if(rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo(safe_cinfo);
- safe_cinfo = NULL;
- goto loser;
- }
-
- asafe->safe = safe_cinfo;
- /*
- PORT_Memcpy(&asafe->safe, safe_cinfo, sizeof(*safe_cinfo));
- */
- }
-
- /* copy the baggage to the authenticated safe baggage if present */
- if(baggage != NULL) {
- PORT_Memcpy(&asafe->baggage, baggage, sizeof(*baggage));
- }
-
- /* encode authenticated safe and store it in a Data content info */
- dest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem));
- if(dest != NULL) {
- dummy = SEC_ASN1EncodeItem(poolp, dest, asafe,
- SEC_PKCS12AuthenticatedSafeTemplate);
- if(dummy != NULL) {
- asafe_cinfo = SEC_PKCS7CreateData();
- if(asafe_cinfo != NULL) {
- rv = SEC_PKCS7SetContent(asafe_cinfo,
- (char *)dest->data,
- dest->len);
- if(rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- SEC_PKCS7DestroyContentInfo(asafe_cinfo);
- asafe_cinfo = NULL;
- }
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- }
- }
- }
-
-loser:
- PORT_FreeArena(poolp, PR_TRUE);
- if(safe_cinfo != NULL) {
- SEC_PKCS7DestroyContentInfo(safe_cinfo);
- }
- if(psalt != NULL) {
- SECITEM_ZfreeItem(psalt, PR_TRUE);
- }
-
- if(rv == SECFailure) {
- return NULL;
- }
-
- return asafe_cinfo;
-}
-
-/* generates the PFX and computes the mac on the authenticated safe
- * NULL implies an error
- */
-static SEC_PKCS12PFXItem *
-sec_pkcs12_get_pfx(SEC_PKCS7ContentInfo *cinfo,
- PRBool do_mac,
- SECItem *pwitem, PKCS12UnicodeConvertFunction unicodeFn)
-{
- SECItem *dest = NULL, *mac = NULL, *salt = NULL, *key = NULL;
- SEC_PKCS12PFXItem *pfx;
- SECStatus rv = SECFailure;
- SGNDigestInfo *di;
- SECItem *vpwd;
- PRBool swapUnicodeBytes = PR_FALSE;
-
-#ifdef IS_LITTLE_ENDIAN
- swapUnicodeBytes = PR_TRUE;
-#endif
-
- if((cinfo == NULL) || ((do_mac == PR_TRUE) && (pwitem == NULL))) {
- return NULL;
- }
-
- /* allocate new pfx structure */
- pfx = sec_pkcs12_new_pfx();
- if(pfx == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- PORT_Memcpy(&pfx->authSafe, cinfo, sizeof(*cinfo));
- if(do_mac == PR_TRUE) {
-
- /* salt for computing mac */
- salt = sec_pkcs12_generate_salt();
- if(salt != NULL) {
- rv = SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, salt);
- pfx->macData.macSalt.len *= 8;
-
- vpwd = sec_pkcs12_create_virtual_password(pwitem, salt,
- unicodeFn, swapUnicodeBytes);
- if(vpwd == NULL) {
- rv = SECFailure;
- key = NULL;
- } else {
- key = sec_pkcs12_generate_key_from_password(SEC_OID_SHA1,
- salt, vpwd);
- SECITEM_ZfreeItem(vpwd, PR_TRUE);
- }
-
- if((key != NULL) && (rv == SECSuccess)) {
- dest = SEC_PKCS7GetContent(cinfo);
- if(dest != NULL) {
-
- /* compute mac on data -- for password integrity mode */
- mac = sec_pkcs12_generate_mac(key, dest, PR_FALSE);
- if(mac != NULL) {
- di = SGN_CreateDigestInfo(SEC_OID_SHA1,
- mac->data, mac->len);
- if(di != NULL) {
- rv = SGN_CopyDigestInfo(pfx->poolp,
- &pfx->macData.safeMac, di);
- SGN_DestroyDigestInfo(di);
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- SECITEM_ZfreeItem(mac, PR_TRUE);
- }
- } else {
- rv = SECFailure;
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- }
-
- if(key != NULL) {
- SECITEM_ZfreeItem(key, PR_TRUE);
- }
- SECITEM_ZfreeItem(salt, PR_TRUE);
- }
- }
-
- if(rv == SECFailure) {
- SEC_PKCS12DestroyPFX(pfx);
- pfx = NULL;
- }
-
- return pfx;
-}
-
-/* der encode the pfx */
-static SECItem *
-sec_pkcs12_encode_pfx(SEC_PKCS12PFXItem *pfx)
-{
- SECItem *dest;
- void *dummy;
-
- if(pfx == NULL) {
- return NULL;
- }
-
- dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(dest == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- dummy = SEC_ASN1EncodeItem(NULL, dest, pfx, SEC_PKCS12PFXItemTemplate);
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- SECITEM_ZfreeItem(dest, PR_TRUE);
- dest = NULL;
- }
-
- return dest;
-}
-
-SECItem *
-SEC_PKCS12GetPFX(char **nicknames,
- CERTCertificate **ref_certs,
- PRBool shroud_keys,
- SEC_PKCS5GetPBEPassword pbef,
- void *pbearg,
- PKCS12UnicodeConvertFunction unicodeFn,
- void *wincx)
-{
- SECItem **nicks = NULL;
- SEC_PKCS12PFXItem *pfx = NULL;
- SEC_PKCS12Baggage *baggage = NULL;
- SEC_PKCS12SafeContents *safe = NULL;
- SEC_PKCS7ContentInfo *cinfo = NULL;
- SECStatus rv = SECFailure;
- SECItem *dest = NULL, *pwitem = NULL;
- PRBool problem = PR_FALSE;
- PRBool unencryptedCerts;
- SECOidTag shroud_alg, safe_alg;
-
- /* how should we encrypt certs ? */
- unencryptedCerts = !SEC_PKCS12IsEncryptionAllowed();
- if(!unencryptedCerts) {
- safe_alg = SEC_PKCS12GetPreferredEncryptionAlgorithm();
- if(safe_alg == SEC_OID_UNKNOWN) {
- safe_alg = SEC_PKCS12GetStrongestAllowedAlgorithm();
- }
- if(safe_alg == SEC_OID_UNKNOWN) {
- unencryptedCerts = PR_TRUE;
- /* for export where no encryption is allowed, we still need
- * to encrypt the NULL contents per the spec. encrypted info
- * is known plaintext, so it shouldn't be a problem.
- */
- safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- }
- } else {
- /* for export where no encryption is allowed, we still need
- * to encrypt the NULL contents per the spec. encrypted info
- * is known plaintext, so it shouldn't be a problem.
- */
- safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- }
-
- /* keys are always stored with triple DES */
- shroud_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
-
- /* check for FIPS, if so, do not encrypt certs */
- if(PK11_IsFIPS() && !unencryptedCerts) {
- unencryptedCerts = PR_TRUE;
- }
-
- if((nicknames == NULL) || (pbef == NULL) || (ref_certs == NULL)) {
- problem = PR_TRUE;
- goto loser;
- }
-
-
- /* get password */
- pwitem = (*pbef)(pbearg);
- if(pwitem == NULL) {
- problem = PR_TRUE;
- goto loser;
- }
- nicks = sec_pkcs12_convert_nickname_list(nicknames);
-
- /* get safe and baggage */
- rv = sec_pkcs12_package_certs_and_keys(nicks, ref_certs, unencryptedCerts,
- &safe, &baggage, shroud_keys,
- shroud_alg, pwitem, unicodeFn, wincx);
- if(rv == SECFailure) {
- problem = PR_TRUE;
- }
-
- if((safe != NULL) && (problem == PR_FALSE)) {
- /* copy thumbprints */
- rv = sec_pkcs12_propagate_thumbprints(nicks, ref_certs, safe, baggage);
-
- /* package everything up into AuthenticatedSafe */
- cinfo = sec_pkcs12_get_auth_safe(safe, baggage,
- safe_alg, pwitem, unicodeFn, wincx);
-
- sec_pkcs12_destroy_cert_content_infos(safe, baggage);
-
- /* get the pfx and mac it */
- if(cinfo != NULL) {
- pfx = sec_pkcs12_get_pfx(cinfo, PR_TRUE, pwitem, unicodeFn);
- if(pfx != NULL) {
- dest = sec_pkcs12_encode_pfx(pfx);
- SEC_PKCS12DestroyPFX(pfx);
- }
- SEC_PKCS7DestroyContentInfo(cinfo);
- }
-
- if(safe != NULL) {
- PORT_FreeArena(safe->poolp, PR_TRUE);
- }
- } else {
- if(safe != NULL) {
- PORT_FreeArena(safe->poolp, PR_TRUE);
- }
- }
-
-loser:
- if(nicks != NULL) {
- sec_pkcs12_destroy_nickname_list(nicks);
- }
-
- if(ref_certs != NULL) {
- sec_pkcs12_destroy_certificate_list(ref_certs);
- }
-
- if(pwitem != NULL) {
- SECITEM_ZfreeItem(pwitem, PR_TRUE);
- }
-
- if(problem == PR_TRUE) {
- dest = NULL;
- }
-
- return dest;
-}
diff --git a/security/nss/lib/pkcs12/p12local.c b/security/nss/lib/pkcs12/p12local.c
deleted file mode 100644
index d6e02ad02..000000000
--- a/security/nss/lib/pkcs12/p12local.c
+++ /dev/null
@@ -1,1325 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "pkcs12.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "seccomon.h"
-#include "secoid.h"
-#include "sechash.h"
-#include "secitem.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "p12local.h"
-#include "alghmac.h"
-#include "p12.h"
-
-#define SALT_LENGTH 16
-
-/* helper functions */
-/* returns proper bag type template based upon object type tag */
-const SEC_ASN1Template *
-sec_pkcs12_choose_bag_type_old(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS12SafeBag *safebag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- safebag = (SEC_PKCS12SafeBag*)src_or_dest;
-
- oiddata = safebag->safeBagTypeTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&safebag->safeBagType);
- safebag->safeBagTypeTag = oiddata;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_PointerToAnyTemplate;
- break;
- case SEC_OID_PKCS12_KEY_BAG_ID:
- theTemplate = SEC_PointerToPKCS12KeyBagTemplate;
- break;
- case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
- theTemplate = SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD;
- break;
- case SEC_OID_PKCS12_SECRET_BAG_ID:
- theTemplate = SEC_PointerToPKCS12SecretBagTemplate;
- break;
- }
- return theTemplate;
-}
-
-const SEC_ASN1Template *
-sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS12SafeBag *safebag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- safebag = (SEC_PKCS12SafeBag*)src_or_dest;
-
- oiddata = safebag->safeBagTypeTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&safebag->safeBagType);
- safebag->safeBagTypeTag = oiddata;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_AnyTemplate;
- break;
- case SEC_OID_PKCS12_KEY_BAG_ID:
- theTemplate = SEC_PKCS12PrivateKeyBagTemplate;
- break;
- case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
- theTemplate = SEC_PKCS12CertAndCRLBagTemplate;
- break;
- case SEC_OID_PKCS12_SECRET_BAG_ID:
- theTemplate = SEC_PKCS12SecretBagTemplate;
- break;
- }
- return theTemplate;
-}
-
-/* returns proper cert crl template based upon type tag */
-const SEC_ASN1Template *
-sec_pkcs12_choose_cert_crl_type_old(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS12CertAndCRL *certbag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
- oiddata = certbag->BagTypeTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&certbag->BagID);
- certbag->BagTypeTag = oiddata;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_PointerToAnyTemplate;
- break;
- case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
- theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate_OLD;
- break;
- case SEC_OID_PKCS12_SDSI_CERT_BAG:
- theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
- break;
- }
- return theTemplate;
-}
-
-const SEC_ASN1Template *
-sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS12CertAndCRL *certbag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
- oiddata = certbag->BagTypeTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&certbag->BagID);
- certbag->BagTypeTag = oiddata;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_PointerToAnyTemplate;
- break;
- case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
- theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate;
- break;
- case SEC_OID_PKCS12_SDSI_CERT_BAG:
- theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
- break;
- }
- return theTemplate;
-}
-
-/* returns appropriate shroud template based on object type tag */
-const SEC_ASN1Template *
-sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS12ESPVKItem *espvk;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- espvk = (SEC_PKCS12ESPVKItem*)src_or_dest;
- oiddata = espvk->espvkTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&espvk->espvkOID);
- espvk->espvkTag = oiddata;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_PointerToAnyTemplate;
- break;
- case SEC_OID_PKCS12_PKCS8_KEY_SHROUDING:
- theTemplate =
- SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
- break;
- }
- return theTemplate;
-}
-
-/* generate SALT placing it into the character array passed in.
- * it is assumed that salt_dest is an array of appropriate size
- * XXX We might want to generate our own random context
- */
-SECItem *
-sec_pkcs12_generate_salt(void)
-{
- SECItem *salt;
-
- salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(salt == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
- salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
- SALT_LENGTH);
- salt->len = SALT_LENGTH;
- if(salt->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- SECITEM_ZfreeItem(salt, PR_TRUE);
- return NULL;
- }
-
- PK11_GenerateRandom(salt->data, salt->len);
-
- return salt;
-}
-
-/* generate KEYS -- as per PKCS12 section 7.
- * only used for MAC
- */
-SECItem *
-sec_pkcs12_generate_key_from_password(SECOidTag algorithm,
- SECItem *salt,
- SECItem *password)
-{
- unsigned char *pre_hash=NULL;
- unsigned char *hash_dest=NULL;
- SECStatus res;
- PRArenaPool *poolp;
- SECItem *key = NULL;
- int key_len = 0;
-
- if((salt == NULL) || (password == NULL)) {
- return NULL;
- }
-
- poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if(poolp == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- pre_hash = (unsigned char *)PORT_ArenaZAlloc(poolp, sizeof(char) *
- (salt->len+password->len));
- if(pre_hash == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- hash_dest = (unsigned char *)PORT_ArenaZAlloc(poolp,
- sizeof(unsigned char) * SHA1_LENGTH);
- if(hash_dest == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- PORT_Memcpy(pre_hash, salt->data, salt->len);
- /* handle password of 0 length case */
- if(password->len > 0) {
- PORT_Memcpy(&(pre_hash[salt->len]), password->data, password->len);
- }
-
- res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, pre_hash,
- (salt->len+password->len));
- if(res == SECFailure) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- switch(algorithm) {
- case SEC_OID_SHA1:
- if(key_len == 0)
- key_len = 16;
- key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(key == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
- * key_len);
- if(key->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- key->len = key_len;
- PORT_Memcpy(key->data, &hash_dest[SHA1_LENGTH-key->len], key->len);
- break;
- default:
- goto loser;
- break;
- }
-
- PORT_FreeArena(poolp, PR_TRUE);
- return key;
-
-loser:
- PORT_FreeArena(poolp, PR_TRUE);
- if(key != NULL) {
- SECITEM_ZfreeItem(key, PR_TRUE);
- }
- return NULL;
-}
-
-/* MAC is generated per PKCS 12 section 6. It is expected that key, msg
- * and mac_dest are pre allocated, non-NULL arrays. msg_len is passed in
- * because it is not known how long the message actually is. String
- * manipulation routines will not necessarily work because msg may have
- * imbedded NULLs
- */
-static SECItem *
-sec_pkcs12_generate_old_mac(SECItem *key,
- SECItem *msg)
-{
- SECStatus res;
- PRArenaPool *temparena = NULL;
- unsigned char *hash_dest=NULL, *hash_src1=NULL, *hash_src2 = NULL;
- int i;
- SECItem *mac = NULL;
-
- if((key == NULL) || (msg == NULL))
- goto loser;
-
- /* allocate return item */
- mac = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(mac == NULL)
- return NULL;
- mac->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
- * SHA1_LENGTH);
- mac->len = SHA1_LENGTH;
- if(mac->data == NULL)
- goto loser;
-
- /* allocate temporary items */
- temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if(temparena == NULL)
- goto loser;
-
- hash_src1 = (unsigned char *)PORT_ArenaZAlloc(temparena,
- sizeof(unsigned char) * (16+msg->len));
- if(hash_src1 == NULL)
- goto loser;
-
- hash_src2 = (unsigned char *)PORT_ArenaZAlloc(temparena,
- sizeof(unsigned char) * (SHA1_LENGTH+16));
- if(hash_src2 == NULL)
- goto loser;
-
- hash_dest = (unsigned char *)PORT_ArenaZAlloc(temparena,
- sizeof(unsigned char) * SHA1_LENGTH);
- if(hash_dest == NULL)
- goto loser;
-
- /* perform mac'ing as per PKCS 12 */
-
- /* first round of hashing */
- for(i = 0; i < 16; i++)
- hash_src1[i] = key->data[i] ^ 0x36;
- PORT_Memcpy(&(hash_src1[16]), msg->data, msg->len);
- res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, hash_src1, (16+msg->len));
- if(res == SECFailure)
- goto loser;
-
- /* second round of hashing */
- for(i = 0; i < 16; i++)
- hash_src2[i] = key->data[i] ^ 0x5c;
- PORT_Memcpy(&(hash_src2[16]), hash_dest, SHA1_LENGTH);
- res = PK11_HashBuf(SEC_OID_SHA1, mac->data, hash_src2, SHA1_LENGTH+16);
- if(res == SECFailure)
- goto loser;
-
- PORT_FreeArena(temparena, PR_TRUE);
- return mac;
-
-loser:
- if(temparena != NULL)
- PORT_FreeArena(temparena, PR_TRUE);
- if(mac != NULL)
- SECITEM_ZfreeItem(mac, PR_TRUE);
- return NULL;
-}
-
-/* MAC is generated per PKCS 12 section 6. It is expected that key, msg
- * and mac_dest are pre allocated, non-NULL arrays. msg_len is passed in
- * because it is not known how long the message actually is. String
- * manipulation routines will not necessarily work because msg may have
- * imbedded NULLs
- */
-SECItem *
-sec_pkcs12_generate_mac(SECItem *key,
- SECItem *msg,
- PRBool old_method)
-{
- SECStatus res = SECFailure;
- SECItem *mac = NULL;
- HMACContext *cx;
-
- if((key == NULL) || (msg == NULL)) {
- return NULL;
- }
-
- if(old_method == PR_TRUE) {
- return sec_pkcs12_generate_old_mac(key, msg);
- }
-
- /* allocate return item */
- mac = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(mac == NULL) {
- return NULL;
- }
- mac->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
- * SHA1_LENGTH);
- mac->len = SHA1_LENGTH;
- if(mac->data == NULL) {
- PORT_Free(mac);
- return NULL;
- }
-
- /* compute MAC using HMAC */
- cx = HMAC_Create(SEC_OID_SHA1, key->data, key->len);
- if(cx != NULL) {
- HMAC_Begin(cx);
- HMAC_Update(cx, msg->data, msg->len);
- res = HMAC_Finish(cx, mac->data, &mac->len, SHA1_LENGTH);
- HMAC_Destroy(cx);
- }
-
-
- if(res != SECSuccess) {
- SECITEM_ZfreeItem(mac, PR_TRUE);
- mac = NULL;
- }
-
- return mac;
-}
-
-/* compute the thumbprint of the DER cert and create a digest info
- * to store it in and return the digest info.
- * a return of NULL indicates an error.
- */
-SGNDigestInfo *
-sec_pkcs12_compute_thumbprint(SECItem *der_cert)
-{
- SGNDigestInfo *thumb = NULL;
- SECItem digest;
- PRArenaPool *temparena = NULL;
- SECStatus rv = SECFailure;
-
- if(der_cert == NULL)
- return NULL;
-
- temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(temparena == NULL) {
- return NULL;
- }
-
- digest.data = (unsigned char *)PORT_ArenaZAlloc(temparena,
- sizeof(unsigned char) *
- SHA1_LENGTH);
- /* digest data and create digest info */
- if(digest.data != NULL) {
- digest.len = SHA1_LENGTH;
- rv = PK11_HashBuf(SEC_OID_SHA1, digest.data, der_cert->data,
- der_cert->len);
- if(rv == SECSuccess) {
- thumb = SGN_CreateDigestInfo(SEC_OID_SHA1,
- digest.data,
- digest.len);
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- } else {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
-
- PORT_FreeArena(temparena, PR_TRUE);
-
- return thumb;
-}
-
-/* create a virtual password per PKCS 12, the password is converted
- * to unicode, the salt is prepended to it, and then the whole thing
- * is returned */
-SECItem *
-sec_pkcs12_create_virtual_password(SECItem *password, SECItem *salt,
- PRBool swap)
-{
- SECItem uniPwd = {siBuffer, NULL,0}, *retPwd = NULL;
-
- if((password == NULL) || (salt == NULL)) {
- return NULL;
- }
-
- if(password->len == 0) {
- uniPwd.data = (unsigned char*)PORT_ZAlloc(2);
- uniPwd.len = 2;
- if(!uniPwd.data) {
- return NULL;
- }
- } else {
- uniPwd.data = (unsigned char*)PORT_ZAlloc(password->len * 3);
- uniPwd.len = password->len * 3;
- if(!PORT_UCS2_ASCIIConversion(PR_TRUE, password->data, password->len,
- uniPwd.data, uniPwd.len, &uniPwd.len, swap)) {
- SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
- return NULL;
- }
- }
-
- retPwd = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(retPwd == NULL) {
- goto loser;
- }
-
- /* allocate space and copy proper data */
- retPwd->len = uniPwd.len + salt->len;
- retPwd->data = (unsigned char *)PORT_Alloc(retPwd->len);
- if(retPwd->data == NULL) {
- PORT_Free(retPwd);
- goto loser;
- }
-
- PORT_Memcpy(retPwd->data, salt->data, salt->len);
- PORT_Memcpy((retPwd->data + salt->len), uniPwd.data, uniPwd.len);
-
- SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
-
- return retPwd;
-
-loser:
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
- return NULL;
-}
-
-/* appends a shrouded key to a key bag. this is used for exporting
- * to store externally wrapped keys. it is used when importing to convert
- * old items to new
- */
-SECStatus
-sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
- SEC_PKCS12ESPVKItem *espvk)
-{
- int size;
- void *mark = NULL, *dummy = NULL;
-
- if((bag == NULL) || (espvk == NULL))
- return SECFailure;
-
- mark = PORT_ArenaMark(bag->poolp);
-
- /* grow the list */
- size = (bag->nEspvks + 1) * sizeof(SEC_PKCS12ESPVKItem *);
- dummy = (SEC_PKCS12ESPVKItem **)PORT_ArenaGrow(bag->poolp,
- bag->espvks, size,
- size + sizeof(SEC_PKCS12ESPVKItem *));
- bag->espvks = (SEC_PKCS12ESPVKItem**)dummy;
- if(dummy == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- bag->espvks[bag->nEspvks] = espvk;
- bag->nEspvks++;
- bag->espvks[bag->nEspvks] = NULL;
-
- PORT_ArenaUnmark(bag->poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(bag->poolp, mark);
- return SECFailure;
-}
-
-/* search a certificate list for a nickname, a thumbprint, or both
- * within a certificate bag. if the certificate could not be
- * found or an error occurs, NULL is returned;
- */
-static SEC_PKCS12CertAndCRL *
-sec_pkcs12_find_cert_in_certbag(SEC_PKCS12CertAndCRLBag *certbag,
- SECItem *nickname, SGNDigestInfo *thumbprint)
-{
- PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
- int i, j;
-
- if((certbag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
- return NULL;
- }
-
- if(thumbprint && nickname) {
- search_both = PR_TRUE;
- }
-
- if(nickname) {
- search_nickname = PR_TRUE;
- }
-
-search_again:
- i = 0;
- while(certbag->certAndCRLs[i] != NULL) {
- SEC_PKCS12CertAndCRL *cert = certbag->certAndCRLs[i];
-
- if(SECOID_FindOIDTag(&cert->BagID) == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
-
- /* check nicknames */
- if(search_nickname) {
- if(SECITEM_CompareItem(nickname, &cert->nickname) == SECEqual) {
- return cert;
- }
- } else {
- /* check thumbprints */
- SECItem **derCertList;
-
- /* get pointer to certificate list, does not need to
- * be freed since it is within the arena which will
- * be freed later.
- */
- derCertList = SEC_PKCS7GetCertificateList(&cert->value.x509->certOrCRL);
- j = 0;
- if(derCertList != NULL) {
- while(derCertList[j] != NULL) {
- SECComparison eq;
- SGNDigestInfo *di;
- di = sec_pkcs12_compute_thumbprint(derCertList[j]);
- if(di) {
- eq = SGN_CompareDigestInfo(thumbprint, di);
- SGN_DestroyDigestInfo(di);
- if(eq == SECEqual) {
- /* copy the derCert for later reference */
- cert->value.x509->derLeafCert = derCertList[j];
- return cert;
- }
- } else {
- /* an error occurred */
- return NULL;
- }
- j++;
- }
- }
- }
- }
-
- i++;
- }
-
- if(search_both) {
- search_both = PR_FALSE;
- search_nickname = PR_FALSE;
- goto search_again;
- }
-
- return NULL;
-}
-
-/* search a key list for a nickname, a thumbprint, or both
- * within a key bag. if the key could not be
- * found or an error occurs, NULL is returned;
- */
-static SEC_PKCS12PrivateKey *
-sec_pkcs12_find_key_in_keybag(SEC_PKCS12PrivateKeyBag *keybag,
- SECItem *nickname, SGNDigestInfo *thumbprint)
-{
- PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
- int i, j;
-
- if((keybag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
- return NULL;
- }
-
- if(keybag->privateKeys == NULL) {
- return NULL;
- }
-
- if(thumbprint && nickname) {
- search_both = PR_TRUE;
- }
-
- if(nickname) {
- search_nickname = PR_TRUE;
- }
-
-search_again:
- i = 0;
- while(keybag->privateKeys[i] != NULL) {
- SEC_PKCS12PrivateKey *key = keybag->privateKeys[i];
-
- /* check nicknames */
- if(search_nickname) {
- if(SECITEM_CompareItem(nickname, &key->pvkData.nickname) == SECEqual) {
- return key;
- }
- } else {
- /* check digests */
- SGNDigestInfo **assocCerts = key->pvkData.assocCerts;
- if((assocCerts == NULL) || (assocCerts[0] == NULL)) {
- return NULL;
- }
-
- j = 0;
- while(assocCerts[j] != NULL) {
- SECComparison eq;
- eq = SGN_CompareDigestInfo(thumbprint, assocCerts[j]);
- if(eq == SECEqual) {
- return key;
- }
- j++;
- }
- }
- i++;
- }
-
- if(search_both) {
- search_both = PR_FALSE;
- search_nickname = PR_FALSE;
- goto search_again;
- }
-
- return NULL;
-}
-
-/* seach the safe first then try the baggage bag
- * safe and bag contain certs and keys to search
- * objType is the object type to look for
- * bagType is the type of bag that was found by sec_pkcs12_find_object
- * index is the entity in safe->safeContents or bag->unencSecrets which
- * is being searched
- * nickname and thumbprint are the search criteria
- *
- * a return of null indicates no match
- */
-static void *
-sec_pkcs12_try_find(SEC_PKCS12SafeContents *safe,
- SEC_PKCS12BaggageItem *bag,
- SECOidTag objType, SECOidTag bagType, int index,
- SECItem *nickname, SGNDigestInfo *thumbprint)
-{
- PRBool searchSafe;
- int i = index;
-
- if((safe == NULL) && (bag == NULL)) {
- return NULL;
- }
-
- searchSafe = (safe == NULL ? PR_FALSE : PR_TRUE);
- switch(objType) {
- case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
- if(objType == bagType) {
- SEC_PKCS12CertAndCRLBag *certBag;
-
- if(searchSafe) {
- certBag = safe->contents[i]->safeContent.certAndCRLBag;
- } else {
- certBag = bag->unencSecrets[i]->safeContent.certAndCRLBag;
- }
- return sec_pkcs12_find_cert_in_certbag(certBag, nickname,
- thumbprint);
- }
- break;
- case SEC_OID_PKCS12_KEY_BAG_ID:
- if(objType == bagType) {
- SEC_PKCS12PrivateKeyBag *keyBag;
-
- if(searchSafe) {
- keyBag = safe->contents[i]->safeContent.keyBag;
- } else {
- keyBag = bag->unencSecrets[i]->safeContent.keyBag;
- }
- return sec_pkcs12_find_key_in_keybag(keyBag, nickname,
- thumbprint);
- }
- break;
- default:
- break;
- }
-
- return NULL;
-}
-
-/* searches both the baggage and the safe areas looking for
- * object of specified type matching either the nickname or the
- * thumbprint specified.
- *
- * safe and baggage store certs and keys
- * objType is the OID for the bag type to be searched:
- * SEC_OID_PKCS12_KEY_BAG_ID, or
- * SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
- * nickname and thumbprint are the search criteria
- *
- * if no match found, NULL returned and error set
- */
-void *
-sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage,
- SECOidTag objType,
- SECItem *nickname,
- SGNDigestInfo *thumbprint)
-{
- int i, j;
- void *retItem;
-
- if(((safe == NULL) && (thumbprint == NULL)) ||
- ((nickname == NULL) && (thumbprint == NULL))) {
- return NULL;
- }
-
- i = 0;
- if((safe != NULL) && (safe->contents != NULL)) {
- while(safe->contents[i] != NULL) {
- SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
- retItem = sec_pkcs12_try_find(safe, NULL, objType, bagType, i,
- nickname, thumbprint);
- if(retItem != NULL) {
- return retItem;
- }
- i++;
- }
- }
-
- if((baggage != NULL) && (baggage->bags != NULL)) {
- i = 0;
- while(baggage->bags[i] != NULL) {
- SEC_PKCS12BaggageItem *xbag = baggage->bags[i];
- j = 0;
- if(xbag->unencSecrets != NULL) {
- while(xbag->unencSecrets[j] != NULL) {
- SECOidTag bagType;
- bagType = SECOID_FindOIDTag(&xbag->unencSecrets[j]->safeBagType);
- retItem = sec_pkcs12_try_find(NULL, xbag, objType, bagType,
- j, nickname, thumbprint);
- if(retItem != NULL) {
- return retItem;
- }
- j++;
- }
- }
- i++;
- }
- }
-
- PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
- return NULL;
-}
-
-/* this function converts a password to unicode and encures that the
- * required double 0 byte be placed at the end of the string
- */
-PRBool
-sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
- SECItem *src, PRBool zeroTerm,
- PRBool asciiConvert, PRBool toUnicode)
-{
- PRBool success = PR_FALSE;
- if(!src || !dest) {
- return PR_FALSE;
- }
-
- dest->len = src->len * 3 + 2;
- if(arena) {
- dest->data = (unsigned char*)PORT_ArenaZAlloc(arena, dest->len);
- } else {
- dest->data = (unsigned char*)PORT_ZAlloc(dest->len);
- }
-
- if(!dest->data) {
- dest->len = 0;
- return PR_FALSE;
- }
-
- if(!asciiConvert) {
- success = PORT_UCS2_UTF8Conversion(toUnicode, src->data, src->len, dest->data,
- dest->len, &dest->len);
- } else {
-#ifndef IS_LITTLE_ENDIAN
- PRBool swapUnicode = PR_FALSE;
-#else
- PRBool swapUnicode = PR_TRUE;
-#endif
- success = PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len, dest->data,
- dest->len, &dest->len, swapUnicode);
- }
-
- if(!success) {
- if(!arena) {
- PORT_Free(dest->data);
- dest->data = NULL;
- dest->len = 0;
- }
- return PR_FALSE;
- }
-
- if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
- if(dest->len + 2 > 3 * src->len) {
- if(arena) {
- dest->data = (unsigned char*)PORT_ArenaGrow(arena,
- dest->data, dest->len,
- dest->len + 2);
- } else {
- dest->data = (unsigned char*)PORT_Realloc(dest->data,
- dest->len + 2);
- }
-
- if(!dest->data) {
- return PR_FALSE;
- }
- }
- dest->len += 2;
- dest->data[dest->len-1] = dest->data[dest->len-2] = 0;
- }
-
- return PR_TRUE;
-}
-
-/* pkcs 12 templates */
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_shroud_chooser =
- sec_pkcs12_choose_shroud_type;
-
-const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
- { SEC_ASN1_ANY, offsetof(SEC_PKCS12SafeBag, derSafeContent) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
- { SEC_ASN1_ANY, offsetof(SEC_PKCS12CertAndCRL, derValue) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[] =
-{
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
- SEC_PKCS12CodedCertBagTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
- SEC_PKCS12PVKSupportingDataTemplate_OLD },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
- &sec_pkcs12_shroud_chooser },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
- SEC_PKCS12PVKSupportingDataTemplate },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
- &sec_pkcs12_shroud_chooser },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PVKAdditionalDataTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKAdditionalData) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalType) },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalContent) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
- sgn_DigestInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,
- offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
- { SEC_ASN1_PRINTABLE_STRING,
- offsetof(SEC_PKCS12PVKSupportingData, nickname) },
- { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
- offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
- sgn_DigestInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,
- offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
- { SEC_ASN1_BMP_STRING,
- offsetof(SEC_PKCS12PVKSupportingData, uniNickName) },
- { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
- offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12BaggageItemTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12BaggageItem) },
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, espvks),
- SEC_PKCS12ESPVKItemTemplate },
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
- SEC_PKCS12SafeBagTemplate },
- /*{ SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
- SEC_PKCS12CodedSafeBagTemplate }, */
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12BaggageTemplate[] =
-{
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage, bags),
- SEC_PKCS12BaggageItemTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[] =
-{
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage_OLD, espvks),
- SEC_PKCS12ESPVKItemTemplate_OLD },
-};
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_bag_chooser =
- sec_pkcs12_choose_bag_type;
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_bag_chooser_old =
- sec_pkcs12_choose_bag_type_old;
-
-const SEC_ASN1Template SEC_PKCS12SafeBagTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12SafeBag, safeContent),
- &sec_pkcs12_bag_chooser_old },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER,
- offsetof(SEC_PKCS12SafeBag, safeContent),
- &sec_pkcs12_bag_chooser },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BMP_STRING,
- offsetof(SEC_PKCS12SafeBag, uniSafeBagName) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[] =
-{
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS12SafeContents, contents),
- SEC_PKCS12SafeBagTemplate_OLD }
-};
-
-const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[] =
-{
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS12SafeContents, contents),
- SEC_PKCS12SafeBagTemplate } /* here */
-};
-
-const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKey) },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pvkData),
- SEC_PKCS12PVKSupportingDataTemplate },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pkcs8data),
- SECKEY_PrivateKeyInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKeyBag) },
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PrivateKeyBag, privateKeys),
- SEC_PKCS12PrivateKeyTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
- sec_PKCS7ContentInfoTemplate },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, thumbprint),
- sgn_DigestInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
- sec_PKCS7ContentInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
- { SEC_ASN1_IA5_STRING, offsetof(SEC_PKCS12SDSICert, value) },
- { 0 }
-};
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_cert_crl_chooser_old =
- sec_pkcs12_choose_cert_crl_type_old;
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_cert_crl_chooser =
- sec_pkcs12_choose_cert_crl_type;
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT |
- SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | 0,
- offsetof(SEC_PKCS12CertAndCRL, value),
- &sec_pkcs12_cert_crl_chooser_old },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
- { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12CertAndCRL, value),
- &sec_pkcs12_cert_crl_chooser },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[] =
-{
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
- SEC_PKCS12CertAndCRLTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRLBag) },
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
- SEC_PKCS12CertAndCRLTemplate_OLD },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SecretAdditional) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SEC_PKCS12SecretAdditional, secretAdditionalType) },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT,
- offsetof(SEC_PKCS12SecretAdditional, secretAdditionalContent) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
- { SEC_ASN1_BMP_STRING, offsetof(SEC_PKCS12Secret, uniSecretName) },
- { SEC_ASN1_ANY, offsetof(SEC_PKCS12Secret, value) },
- { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
- offsetof(SEC_PKCS12Secret, secretAdditional),
- SEC_PKCS12SecretAdditionalTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
- { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12SecretItem, secret), SEC_PKCS12SecretTemplate },
- { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS12SecretItem, subFolder), SEC_PKCS12SafeBagTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[] =
-{
- { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12SecretBag, secrets),
- SEC_PKCS12SecretItemTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12MacDataTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
- { SEC_ASN1_INLINE, offsetof(SEC_PKCS12MacData, safeMac),
- sgn_DigestInfoTemplate },
- { SEC_ASN1_BIT_STRING, offsetof(SEC_PKCS12MacData, macSalt) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
- { SEC_ASN1_OPTIONAL |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12PFXItem, macData), SEC_PKCS12MacDataTemplate },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS12PFXItem, authSafe),
- sec_PKCS7ContentInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
- { SEC_ASN1_OPTIONAL |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12PFXItem, old_safeMac), sgn_DigestInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING,
- offsetof(SEC_PKCS12PFXItem, old_macSalt) },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS12PFXItem, authSafe),
- sec_PKCS7ContentInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS12AuthenticatedSafe, version) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_OBJECT_ID,
- offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
- { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL,
- offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS12AuthenticatedSafe, baggage.bags),
- SEC_PKCS12BaggageItemTemplate },
- { SEC_ASN1_POINTER,
- offsetof(SEC_PKCS12AuthenticatedSafe, safe),
- sec_PKCS7ContentInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS12AuthenticatedSafe, version) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
- { SEC_ASN1_BIT_STRING,
- offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS12AuthenticatedSafe, old_baggage),
- SEC_PKCS12BaggageTemplate_OLD },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS12AuthenticatedSafe, old_safe),
- sec_PKCS7ContentInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12PrivateKeyBagTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate_OLD }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12SecretBagTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate_OLD }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[] =
-{
- { SEC_ASN1_POINTER, 0, SEC_PKCS12SDSICertTemplate }
-};
-
-
diff --git a/security/nss/lib/pkcs12/p12local.h b/security/nss/lib/pkcs12/p12local.h
deleted file mode 100644
index af56d9ceb..000000000
--- a/security/nss/lib/pkcs12/p12local.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#ifndef _P12LOCAL_H_
-#define _P12LOCAL_H_
-
-#include "plarena.h"
-#include "secoidt.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "certt.h"
-#include "secpkcs7.h"
-#include "pkcs12.h"
-#include "p12.h"
-
-/* helper functions */
-extern const SEC_ASN1Template *
-sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding);
-extern const SEC_ASN1Template *
-sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding);
-extern const SEC_ASN1Template *
-sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding);
-extern SECItem *sec_pkcs12_generate_salt(void);
-extern SECItem *sec_pkcs12_generate_key_from_password(SECOidTag algorithm,
- SECItem *salt, SECItem *password);
-extern SECItem *sec_pkcs12_generate_mac(SECItem *key, SECItem *msg,
- PRBool old_method);
-extern SGNDigestInfo *sec_pkcs12_compute_thumbprint(SECItem *der_cert);
-extern SECItem *sec_pkcs12_create_virtual_password(SECItem *password,
- SECItem *salt, PRBool swapUnicodeBytes);
-extern SECStatus sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
- SEC_PKCS12ESPVKItem *espvk);
-extern void *sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage, SECOidTag objType,
- SECItem *nickname, SGNDigestInfo *thumbprint);
-extern PRBool sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
- SECItem *src, PRBool zeroTerm,
- PRBool asciiConvert, PRBool toUnicode);
-
-/* create functions */
-extern SEC_PKCS12PFXItem *sec_pkcs12_new_pfx(void);
-extern SEC_PKCS12SafeContents *sec_pkcs12_create_safe_contents(
- PRArenaPool *poolp);
-extern SEC_PKCS12Baggage *sec_pkcs12_create_baggage(PRArenaPool *poolp);
-extern SEC_PKCS12BaggageItem *sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage);
-extern void SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx);
-extern SEC_PKCS12AuthenticatedSafe *sec_pkcs12_new_asafe(PRArenaPool *poolp);
-
-/* conversion from old to new */
-extern SEC_PKCS12DecoderContext *
-sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot,
- PRBool swapUnicode, SECItem *pwitem,
- void *wincx, SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage);
-
-#endif
diff --git a/security/nss/lib/pkcs12/p12plcy.c b/security/nss/lib/pkcs12/p12plcy.c
deleted file mode 100644
index e9616ade0..000000000
--- a/security/nss/lib/pkcs12/p12plcy.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#include "p12plcy.h"
-#include "secoid.h"
-#include "secport.h"
-#include "secpkcs5.h" /* LOTS of PKCS5 calls below. XXX EVIL. */
-
-#define PKCS12_NULL 0x0000
-
-typedef struct pkcs12SuiteMapStr {
- SECOidTag algTag;
- unsigned int keyLengthBits; /* in bits */
- unsigned long suite;
- PRBool allowed;
- PRBool preferred;
-} pkcs12SuiteMap;
-
-static pkcs12SuiteMap pkcs12SuiteMaps[] = {
- { SEC_OID_RC4, 40, PKCS12_RC4_40, PR_FALSE, PR_FALSE},
- { SEC_OID_RC4, 128, PKCS12_RC4_128, PR_FALSE, PR_FALSE},
- { SEC_OID_RC2_CBC, 40, PKCS12_RC2_CBC_40, PR_FALSE, PR_TRUE},
- { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE},
- { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE},
- { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE},
- { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE},
- { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE}
-};
-
-/* determine if algid is an algorithm which is allowed */
-PRBool
-SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid)
-{
- unsigned int keyLengthBits;
- SECOidTag algId;
- int i;
-
- algId = SEC_PKCS5GetCryptoAlgorithm(algid);
- if(algId == SEC_OID_UNKNOWN) {
- return PR_FALSE;
- }
-
- keyLengthBits = (unsigned int)(SEC_PKCS5GetKeyLength(algid) * 8);
-
- i = 0;
- while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
- if((pkcs12SuiteMaps[i].algTag == algId) &&
- (pkcs12SuiteMaps[i].keyLengthBits == keyLengthBits)) {
-
- return pkcs12SuiteMaps[i].allowed;
- }
- i++;
- }
-
- return PR_FALSE;
-}
-
-/* is any encryption allowed? */
-PRBool
-SEC_PKCS12IsEncryptionAllowed(void)
-{
- int i;
-
- i = 0;
- while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
- if(pkcs12SuiteMaps[i].allowed == PR_TRUE) {
- return PR_TRUE;
- }
- i++;
- }
-
- return PR_FALSE;
-}
-
-/* get the preferred algorithm.
- */
-SECOidTag
-SEC_PKCS12GetPreferredEncryptionAlgorithm(void)
-{
- int i;
-
- i = 0;
- while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
- if((pkcs12SuiteMaps[i].preferred == PR_TRUE) &&
- (pkcs12SuiteMaps[i].allowed == PR_TRUE)) {
- return SEC_PKCS5GetPBEAlgorithm(pkcs12SuiteMaps[i].algTag,
- pkcs12SuiteMaps[i].keyLengthBits);
- }
- i++;
- }
-
- return SEC_OID_UNKNOWN;
-}
-
-/* return the strongest algorithm allowed */
-SECOidTag
-SEC_PKCS12GetStrongestAllowedAlgorithm(void)
-{
- int i, keyLengthBits = 0;
- SECOidTag algorithm = SEC_OID_UNKNOWN;
-
- i = 0;
- while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
- if((pkcs12SuiteMaps[i].allowed == PR_TRUE) &&
- (pkcs12SuiteMaps[i].keyLengthBits > (unsigned int)keyLengthBits) &&
- (pkcs12SuiteMaps[i].algTag != SEC_OID_RC4)) {
- algorithm = pkcs12SuiteMaps[i].algTag;
- keyLengthBits = pkcs12SuiteMaps[i].keyLengthBits;
- }
- i++;
- }
-
- if(algorithm == SEC_OID_UNKNOWN) {
- return SEC_OID_UNKNOWN;
- }
-
- return SEC_PKCS5GetPBEAlgorithm(algorithm, keyLengthBits);
-}
-
-SECStatus
-SEC_PKCS12EnableCipher(long which, int on)
-{
- int i;
-
- i = 0;
- while(pkcs12SuiteMaps[i].suite != 0L) {
- if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
- if(on) {
- pkcs12SuiteMaps[i].allowed = PR_TRUE;
- } else {
- pkcs12SuiteMaps[i].allowed = PR_FALSE;
- }
- return SECSuccess;
- }
- i++;
- }
-
- return SECFailure;
-}
-
-SECStatus
-SEC_PKCS12SetPreferredCipher(long which, int on)
-{
- int i;
- PRBool turnedOff = PR_FALSE;
- PRBool turnedOn = PR_FALSE;
-
- i = 0;
- while(pkcs12SuiteMaps[i].suite != 0L) {
- if(pkcs12SuiteMaps[i].preferred == PR_TRUE) {
- pkcs12SuiteMaps[i].preferred = PR_FALSE;
- turnedOff = PR_TRUE;
- }
- if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
- pkcs12SuiteMaps[i].preferred = PR_TRUE;
- turnedOn = PR_TRUE;
- }
- i++;
- }
-
- if((turnedOn) && (turnedOff)) {
- return SECSuccess;
- }
-
- return SECFailure;
-}
-
diff --git a/security/nss/lib/pkcs12/p12plcy.h b/security/nss/lib/pkcs12/p12plcy.h
deleted file mode 100644
index 1a3a9ee2f..000000000
--- a/security/nss/lib/pkcs12/p12plcy.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _P12PLCY_H_
-#define _P12PLCY_H_
-
-#include "secoid.h"
-#include "ciferfam.h"
-
-/* for the algid specified, can we decrypt it ? */
-extern PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid);
-
-/* is encryption allowed? */
-extern PRBool SEC_PKCS12IsEncryptionAllowed(void);
-
-/* get the preferred encryption algorithm */
-extern SECOidTag SEC_PKCS12GetPreferredEncryptionAlgorithm(void);
-
-/* get the stronget crypto allowed (based on order in the table */
-extern SECOidTag SEC_PKCS12GetStrongestAllowedAlgorithm(void);
-
-/* enable a cipher for encryption/decryption */
-extern SECStatus SEC_PKCS12EnableCipher(long which, int on);
-
-/* return the preferred cipher for encryption */
-extern SECStatus SEC_PKCS12SetPreferredCipher(long which, int on);
-
-#endif
diff --git a/security/nss/lib/pkcs12/p12t.h b/security/nss/lib/pkcs12/p12t.h
deleted file mode 100644
index 6b9d3da1b..000000000
--- a/security/nss/lib/pkcs12/p12t.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _P12T_H_
-#define _P12T_H_
-
-#include "secoid.h"
-#include "key.h"
-#include "pkcs11.h"
-#include "secpkcs7.h"
-#include "secdig.h" /* for SGNDigestInfo */
-
-#define SEC_PKCS12_VERSION 3
-
-/* structure declarations */
-typedef struct sec_PKCS12PFXItemStr sec_PKCS12PFXItem;
-typedef struct sec_PKCS12MacDataStr sec_PKCS12MacData;
-typedef struct sec_PKCS12AuthenticatedSafeStr sec_PKCS12AuthenticatedSafe;
-typedef struct sec_PKCS12SafeContentsStr sec_PKCS12SafeContents;
-typedef struct sec_PKCS12SafeBagStr sec_PKCS12SafeBag;
-typedef struct sec_PKCS12PKCS8ShroudedKeyBagStr sec_PKCS12PKCS8ShroudedKeyBag;
-typedef struct sec_PKCS12CertBagStr sec_PKCS12CertBag;
-typedef struct sec_PKCS12CRLBagStr sec_PKCS12CRLBag;
-typedef struct sec_PKCS12SecretBag sec_PKCS12SecretBag;
-typedef struct sec_PKCS12AttributeStr sec_PKCS12Attribute;
-
-struct sec_PKCS12CertBagStr {
- /* what type of cert is stored? */
- SECItem bagID;
-
- /* certificate information */
- union {
- SECItem x509Cert;
- SECItem SDSICert;
- } value;
-};
-
-struct sec_PKCS12CRLBagStr {
- /* what type of cert is stored? */
- SECItem bagID;
-
- /* certificate information */
- union {
- SECItem x509CRL;
- } value;
-};
-
-struct sec_PKCS12SecretBag {
- /* what type of secret? */
- SECItem secretType;
-
- /* secret information. ssshhhh be vewy vewy quiet. */
- SECItem secretContent;
-};
-
-struct sec_PKCS12AttributeStr {
- SECItem attrType;
- SECItem **attrValue;
-};
-
-struct sec_PKCS12SafeBagStr {
-
- /* What type of bag are we using? */
- SECItem safeBagType;
-
- /* Dependent upon the type of bag being used. */
- union {
- SECKEYPrivateKeyInfo *pkcs8KeyBag;
- SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
- sec_PKCS12CertBag *certBag;
- sec_PKCS12CRLBag *crlBag;
- sec_PKCS12SecretBag *secretBag;
- sec_PKCS12SafeContents *safeContents;
- } safeBagContent;
-
- sec_PKCS12Attribute **attribs;
-
- /* used locally */
- SECOidData *bagTypeTag;
- PRArenaPool *arena;
- unsigned int nAttribs;
-
- /* used for validation/importing */
- PRBool problem, noInstall, validated, hasKey, removeExisting, installed;
- int error;
-
- PRBool swapUnicodeBytes;
- PK11SlotInfo *slot;
- SECItem *pwitem;
- PRBool oldBagType;
-};
-
-struct sec_PKCS12SafeContentsStr {
- sec_PKCS12SafeBag **safeBags;
- SECItem **encodedSafeBags;
-
- /* used locally */
- PRArenaPool *arena;
- unsigned int bagCount;
-};
-
-struct sec_PKCS12MacDataStr {
- SGNDigestInfo safeMac;
- SECItem macSalt;
- SECItem iter;
-};
-
-struct sec_PKCS12PFXItemStr {
-
- SECItem version;
-
- /* Content type will either be Data (password integrity mode)
- * or signedData (public-key integrity mode)
- */
- SEC_PKCS7ContentInfo *authSafe;
- SECItem encodedAuthSafe;
-
- /* Only present in password integrity mode */
- sec_PKCS12MacData macData;
- SECItem encodedMacData;
-};
-
-struct sec_PKCS12AuthenticatedSafeStr {
- /* Content type will either be encryptedData (password privacy mode)
- * or envelopedData (public-key privacy mode)
- */
- SEC_PKCS7ContentInfo **safes;
- SECItem **encodedSafes;
-
- /* used locally */
- unsigned int safeCount;
- SECItem dummySafe;
-};
-
-extern const SEC_ASN1Template sec_PKCS12PFXItemTemplate[];
-extern const SEC_ASN1Template sec_PKCS12MacDataTemplate[];
-extern const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12CertBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12CRLBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SecretBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[];
-extern const SEC_ASN1Template sec_PKCS12AttributeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SafeBagTemplate[];
-
-#endif
diff --git a/security/nss/lib/pkcs12/p12tmpl.c b/security/nss/lib/pkcs12/p12tmpl.c
deleted file mode 100644
index ebaed1183..000000000
--- a/security/nss/lib/pkcs12/p12tmpl.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "p12t.h"
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- sec_PKCS12SafeBag *safeBag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- safeBag = (sec_PKCS12SafeBag*)src_or_dest;
-
- oiddata = SECOID_FindOID(&safeBag->safeBagType);
- if(oiddata == NULL) {
- return SEC_AnyTemplate;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_AnyTemplate;
- break;
- case SEC_OID_PKCS12_V1_KEY_BAG_ID:
- theTemplate = SECKEY_PointerToPrivateKeyInfoTemplate;
- break;
- case SEC_OID_PKCS12_V1_CERT_BAG_ID:
- theTemplate = sec_PKCS12PointerToCertBagTemplate;
- break;
- case SEC_OID_PKCS12_V1_CRL_BAG_ID:
- theTemplate = sec_PKCS12PointerToCRLBagTemplate;
- break;
- case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
- theTemplate = sec_PKCS12PointerToSecretBagTemplate;
- break;
- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
- theTemplate = SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
- break;
- case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
- if(encoding) {
- theTemplate = sec_PKCS12PointerToSafeContentsTemplate;
- } else {
- theTemplate = SEC_PointerToAnyTemplate;
- }
- break;
- }
- return theTemplate;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_crl_bag_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- sec_PKCS12CRLBag *crlbag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- crlbag = (sec_PKCS12CRLBag*)src_or_dest;
-
- oiddata = SECOID_FindOID(&crlbag->bagID);
- if(oiddata == NULL) {
- return SEC_AnyTemplate;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_AnyTemplate;
- break;
- case SEC_OID_PKCS9_X509_CRL:
- theTemplate = SEC_OctetStringTemplate;
- break;
- }
- return theTemplate;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_cert_bag_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- sec_PKCS12CertBag *certbag;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- certbag = (sec_PKCS12CertBag*)src_or_dest;
-
- oiddata = SECOID_FindOID(&certbag->bagID);
- if(oiddata == NULL) {
- return SEC_AnyTemplate;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_AnyTemplate;
- break;
- case SEC_OID_PKCS9_X509_CERT:
- theTemplate = SEC_OctetStringTemplate;
- break;
- case SEC_OID_PKCS9_SDSI_CERT:
- theTemplate = SEC_IA5StringTemplate;
- break;
- }
- return theTemplate;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_attr_type(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- sec_PKCS12Attribute *attr;
- SECOidData *oiddata;
-
- if (src_or_dest == NULL) {
- return NULL;
- }
-
- attr = (sec_PKCS12Attribute*)src_or_dest;
-
- oiddata = SECOID_FindOID(&attr->attrType);
- if(oiddata == NULL) {
- return SEC_AnyTemplate;
- }
-
- switch (oiddata->offset) {
- default:
- theTemplate = SEC_AnyTemplate;
- break;
- case SEC_OID_PKCS9_FRIENDLY_NAME:
- theTemplate = SEC_BMPStringTemplate;
- break;
- case SEC_OID_PKCS9_LOCAL_KEY_ID:
- theTemplate = SEC_OctetStringTemplate;
- break;
- case SEC_OID_PKCS12_KEY_USAGE:
- theTemplate = SEC_BitStringTemplate;
- break;
- }
-
- return theTemplate;
-}
-
-
-const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, sec_PKCS7ContentInfoTemplate }
-};
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_crl_bag_chooser =
- sec_pkcs12_choose_crl_bag_type;
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_cert_bag_chooser =
- sec_pkcs12_choose_cert_bag_type;
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_safe_bag_chooser =
- sec_pkcs12_choose_safe_bag_type;
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_attr_chooser =
- sec_pkcs12_choose_attr_type;
-
-const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[] = {
- { SEC_ASN1_POINTER, 0, sec_PKCS12CertBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[] = {
- { SEC_ASN1_POINTER, 0, sec_PKCS12CRLBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[] = {
- { SEC_ASN1_POINTER, 0, sec_PKCS12SecretBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[] = {
- { SEC_ASN1_POINTER, 0, sec_PKCS12SafeContentsTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PFXItemTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL,
- sizeof(sec_PKCS12PFXItem) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
- offsetof(sec_PKCS12PFXItem, version) },
- { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM,
- offsetof(sec_PKCS12PFXItem, encodedAuthSafe) },
- { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM,
- offsetof(sec_PKCS12PFXItem, encodedMacData) },
- { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12MacDataTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12MacData) },
- { SEC_ASN1_INLINE, offsetof(sec_PKCS12MacData, safeMac),
- sgn_DigestInfoTemplate },
- { SEC_ASN1_OCTET_STRING, offsetof(sec_PKCS12MacData, macSalt) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, offsetof(sec_PKCS12MacData, iter) },
- { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM,
- offsetof(sec_PKCS12AuthenticatedSafe, encodedSafes), SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12SafeBagTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL,
- sizeof(sec_PKCS12SafeBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SafeBag, safeBagType) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(sec_PKCS12SafeBag, safeBagContent),
- &sec_pkcs12_safe_bag_chooser },
- { SEC_ASN1_SET_OF | SEC_ASN1_OPTIONAL, offsetof(sec_PKCS12SafeBag, attribs),
- sec_PKCS12AttributeTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM,
- offsetof(sec_PKCS12SafeContents, safeBags),
- sec_PKCS12SafeBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12SequenceOfAnyTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 0,
- SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[] = {
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
- offsetof(sec_PKCS12SafeContents, encodedSafeBags),
- sec_PKCS12SequenceOfAnyTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM,
- offsetof(sec_PKCS12SafeContents, encodedSafeBags),
- SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12CRLBagTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CRLBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CRLBag, bagID) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER,
- offsetof(sec_PKCS12CRLBag, value), &sec_pkcs12_crl_bag_chooser },
- { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12CertBagTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CertBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CertBag, bagID) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(sec_PKCS12CertBag, value), &sec_pkcs12_cert_bag_chooser },
- { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12SecretBagTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12SecretBag) },
- { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SecretBag, secretType) },
- { SEC_ASN1_ANY, offsetof(sec_PKCS12SecretBag, secretContent) },
- { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12AttributeTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12Attribute) },
- { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12Attribute, attrType) },
- { SEC_ASN1_SET_OF | SEC_ASN1_DYNAMIC,
- offsetof(sec_PKCS12Attribute, attrValue),
- &sec_pkcs12_attr_chooser },
- { 0 }
-};
diff --git a/security/nss/lib/pkcs12/pkcs12.h b/security/nss/lib/pkcs12/pkcs12.h
deleted file mode 100644
index dd9d99594..000000000
--- a/security/nss/lib/pkcs12/pkcs12.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-
-#ifndef _PKCS12_H_
-#define _PKCS12_H_
-
-#include "pkcs12t.h"
-#include "p12.h"
-
-typedef SECItem * (* SEC_PKCS12GetPassword)(void *arg);
-
-/* Decode functions */
-/* Import a PFX item.
- * der_pfx is the der-encoded pfx item to import.
- * pbef, and pbefarg are used to retrieve passwords for the HMAC,
- * and any passwords needed for passing to PKCS5 encryption
- * routines.
- * algorithm is the algorithm by which private keys are stored in
- * the key database. this could be a specific algorithm or could
- * be based on a global setting.
- * slot is the slot to where the certificates will be placed. if NULL,
- * the internal key slot is used.
- * If the process is successful, a SECSuccess is returned, otherwise
- * a failure occurred.
- */
-SECStatus
-SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
- SEC_PKCS12NicknameCollisionCallback ncCall,
- PK11SlotInfo *slot, void *wincx);
-
-/* check the first two bytes of a file to make sure that it matches
- * the desired header for a PKCS 12 file
- */
-PRBool SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength);
-
-#endif
diff --git a/security/nss/lib/pkcs12/pkcs12t.h b/security/nss/lib/pkcs12/pkcs12t.h
deleted file mode 100644
index 53c36c3f7..000000000
--- a/security/nss/lib/pkcs12/pkcs12t.h
+++ /dev/null
@@ -1,386 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _PKCS12T_H_
-#define _PKCS12T_H_
-
-#include "seccomon.h"
-#include "secoid.h"
-#include "cert.h"
-#include "key.h"
-#include "plarena.h"
-#include "secpkcs7.h"
-#include "secdig.h" /* for SGNDigestInfo */
-
-/* PKCS12 Structures */
-typedef struct SEC_PKCS12PFXItemStr SEC_PKCS12PFXItem;
-typedef struct SEC_PKCS12MacDataStr SEC_PKCS12MacData;
-typedef struct SEC_PKCS12AuthenticatedSafeStr SEC_PKCS12AuthenticatedSafe;
-typedef struct SEC_PKCS12BaggageItemStr SEC_PKCS12BaggageItem;
-typedef struct SEC_PKCS12BaggageStr SEC_PKCS12Baggage;
-typedef struct SEC_PKCS12Baggage_OLDStr SEC_PKCS12Baggage_OLD;
-typedef struct SEC_PKCS12ESPVKItemStr SEC_PKCS12ESPVKItem;
-typedef struct SEC_PKCS12PVKSupportingDataStr SEC_PKCS12PVKSupportingData;
-typedef struct SEC_PKCS12PVKAdditionalDataStr SEC_PKCS12PVKAdditionalData;
-typedef struct SEC_PKCS12SafeContentsStr SEC_PKCS12SafeContents;
-typedef struct SEC_PKCS12SafeBagStr SEC_PKCS12SafeBag;
-typedef struct SEC_PKCS12PrivateKeyStr SEC_PKCS12PrivateKey;
-typedef struct SEC_PKCS12PrivateKeyBagStr SEC_PKCS12PrivateKeyBag;
-typedef struct SEC_PKCS12CertAndCRLBagStr SEC_PKCS12CertAndCRLBag;
-typedef struct SEC_PKCS12CertAndCRLStr SEC_PKCS12CertAndCRL;
-typedef struct SEC_PKCS12X509CertCRLStr SEC_PKCS12X509CertCRL;
-typedef struct SEC_PKCS12SDSICertStr SEC_PKCS12SDSICert;
-typedef struct SEC_PKCS12SecretStr SEC_PKCS12Secret;
-typedef struct SEC_PKCS12SecretAdditionalStr SEC_PKCS12SecretAdditional;
-typedef struct SEC_PKCS12SecretItemStr SEC_PKCS12SecretItem;
-typedef struct SEC_PKCS12SecretBagStr SEC_PKCS12SecretBag;
-
-typedef SECItem *(* SEC_PKCS12PasswordFunc)(SECItem *args);
-
-/* PKCS12 types */
-
-/* stores shrouded keys */
-struct SEC_PKCS12BaggageStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12BaggageItem **bags;
-
- int luggage_size; /* used locally */
-};
-
-/* additional data to be associated with keys. currently there
- * is nothing defined to be stored here. allows future expansion.
- */
-struct SEC_PKCS12PVKAdditionalDataStr
-{
- PRArenaPool *poolp;
- SECOidData *pvkAdditionalTypeTag; /* used locally */
- SECItem pvkAdditionalType;
- SECItem pvkAdditionalContent;
-};
-
-/* cert and other supporting data for private keys. used
- * for both shrouded and non-shrouded keys.
- */
-struct SEC_PKCS12PVKSupportingDataStr
-{
- PRArenaPool *poolp;
- SGNDigestInfo **assocCerts;
- SECItem regenerable;
- SECItem nickname;
- SEC_PKCS12PVKAdditionalData pvkAdditional;
- SECItem pvkAdditionalDER;
-
- SECItem uniNickName;
- /* used locally */
- int nThumbs;
-};
-
-/* shrouded key structure. supports only pkcs8 shrouding
- * currently.
- */
-struct SEC_PKCS12ESPVKItemStr
-{
- PRArenaPool *poolp; /* used locally */
- SECOidData *espvkTag; /* used locally */
- SECItem espvkOID;
- SEC_PKCS12PVKSupportingData espvkData;
- union
- {
- SECKEYEncryptedPrivateKeyInfo *pkcs8KeyShroud;
- } espvkCipherText;
-
- PRBool duplicate; /* used locally */
- PRBool problem_cert; /* used locally */
- PRBool single_cert; /* used locally */
- int nCerts; /* used locally */
- SECItem derCert; /* used locally */
-};
-
-/* generic bag store for the safe. safeBagType identifies
- * the type of bag stored.
- */
-struct SEC_PKCS12SafeBagStr
-{
- PRArenaPool *poolp;
- SECOidData *safeBagTypeTag; /* used locally */
- SECItem safeBagType;
- union
- {
- SEC_PKCS12PrivateKeyBag *keyBag;
- SEC_PKCS12CertAndCRLBag *certAndCRLBag;
- SEC_PKCS12SecretBag *secretBag;
- } safeContent;
-
- SECItem derSafeContent;
- SECItem safeBagName;
-
- SECItem uniSafeBagName;
-};
-
-/* stores private keys and certificates in a list. each safebag
- * has an ID identifying the type of content stored.
- */
-struct SEC_PKCS12SafeContentsStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12SafeBag **contents;
-
- /* used for tracking purposes */
- int safe_size;
- PRBool old;
- PRBool swapUnicode;
- PRBool possibleSwapUnicode;
-};
-
-/* private key structure which holds encrypted private key and
- * supporting data including nickname and certificate thumbprint.
- */
-struct SEC_PKCS12PrivateKeyStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12PVKSupportingData pvkData;
- SECKEYPrivateKeyInfo pkcs8data; /* borrowed from PKCS 8 */
-
- PRBool duplicate; /* used locally */
- PRBool problem_cert;/* used locally */
- PRBool single_cert; /* used locally */
- int nCerts; /* used locally */
- SECItem derCert; /* used locally */
-};
-
-/* private key bag, holds a (null terminated) list of private key
- * structures.
- */
-struct SEC_PKCS12PrivateKeyBagStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12PrivateKey **privateKeys;
-
- int bag_size; /* used locally */
-};
-
-/* container to hold certificates. currently supports x509
- * and sdsi certificates
- */
-struct SEC_PKCS12CertAndCRLStr
-{
- PRArenaPool *poolp;
- SECOidData *BagTypeTag; /* used locally */
- SECItem BagID;
- union
- {
- SEC_PKCS12X509CertCRL *x509;
- SEC_PKCS12SDSICert *sdsi;
- } value;
-
- SECItem derValue;
- SECItem nickname; /* used locally */
- PRBool duplicate; /* used locally */
-};
-
-/* x509 certificate structure. typically holds the der encoding
- * of the x509 certificate. thumbprint contains a digest of the
- * certificate
- */
-struct SEC_PKCS12X509CertCRLStr
-{
- PRArenaPool *poolp;
- SEC_PKCS7ContentInfo certOrCRL;
- SGNDigestInfo thumbprint;
-
- SECItem *derLeafCert; /* used locally */
-};
-
-/* sdsi certificate structure. typically holds the der encoding
- * of the sdsi certificate. thumbprint contains a digest of the
- * certificate
- */
-struct SEC_PKCS12SDSICertStr
-{
- PRArenaPool *poolp;
- SECItem value;
- SGNDigestInfo thumbprint;
-};
-
-/* contains a null terminated list of certs and crls */
-struct SEC_PKCS12CertAndCRLBagStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12CertAndCRL **certAndCRLs;
-
- int bag_size; /* used locally */
-};
-
-/* additional secret information. currently no information
- * stored in this structure.
- */
-struct SEC_PKCS12SecretAdditionalStr
-{
- PRArenaPool *poolp;
- SECOidData *secretTypeTag; /* used locally */
- SECItem secretAdditionalType;
- SECItem secretAdditionalContent;
-};
-
-/* secrets container. this will be used to contain currently
- * unspecified secrets. (it's a secret)
- */
-struct SEC_PKCS12SecretStr
-{
- PRArenaPool *poolp;
- SECItem secretName;
- SECItem value;
- SEC_PKCS12SecretAdditional secretAdditional;
-
- SECItem uniSecretName;
-};
-
-struct SEC_PKCS12SecretItemStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12Secret secret;
- SEC_PKCS12SafeBag subFolder;
-};
-
-/* a bag of secrets. holds a null terminated list of secrets.
- */
-struct SEC_PKCS12SecretBagStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12SecretItem **secrets;
-
- int bag_size; /* used locally */
-};
-
-struct SEC_PKCS12MacDataStr
-{
- SGNDigestInfo safeMac;
- SECItem macSalt;
-};
-
-/* outer transfer unit */
-struct SEC_PKCS12PFXItemStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12MacData macData;
- SEC_PKCS7ContentInfo authSafe;
-
- /* for compatibility with beta */
- PRBool old;
- SGNDigestInfo old_safeMac;
- SECItem old_macSalt;
-
- /* compatibility between platforms for unicode swapping */
- PRBool swapUnicode;
-};
-
-struct SEC_PKCS12BaggageItemStr {
- PRArenaPool *poolp;
- SEC_PKCS12ESPVKItem **espvks;
- SEC_PKCS12SafeBag **unencSecrets;
-
- int nEspvks;
- int nSecrets;
-};
-
-/* stores shrouded keys */
-struct SEC_PKCS12Baggage_OLDStr
-{
- PRArenaPool *poolp;
- SEC_PKCS12ESPVKItem **espvks;
-
- int luggage_size; /* used locally */
-};
-
-/* authenticated safe, stores certs, keys, and shrouded keys */
-struct SEC_PKCS12AuthenticatedSafeStr
-{
- PRArenaPool *poolp;
- SECItem version;
- SECOidData *transportTypeTag; /* local not part of encoding*/
- SECItem transportMode;
- SECItem privacySalt;
- SEC_PKCS12Baggage baggage;
- SEC_PKCS7ContentInfo *safe;
-
- /* used for beta compatibility */
- PRBool old;
- PRBool emptySafe;
- SEC_PKCS12Baggage_OLD old_baggage;
- SEC_PKCS7ContentInfo old_safe;
- PRBool swapUnicode;
-};
-#define SEC_PKCS12_PFX_VERSION 1 /* what we create */
-
-
-
-/* PKCS 12 Templates */
-extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12MacDataTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PVKAdditionalTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[];
-extern const SEC_ASN1Template SGN_DigestInfoTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[];
-#endif
diff --git a/security/nss/lib/pkcs7/Makefile b/security/nss/lib/pkcs7/Makefile
deleted file mode 100644
index cb85677bc..000000000
--- a/security/nss/lib/pkcs7/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/pkcs7/config.mk b/security/nss/lib/pkcs7/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/pkcs7/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/pkcs7/manifest.mn b/security/nss/lib/pkcs7/manifest.mn
deleted file mode 100644
index b2b0e45d9..000000000
--- a/security/nss/lib/pkcs7/manifest.mn
+++ /dev/null
@@ -1,59 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- secmime.h \
- secpkcs7.h \
- pkcs7t.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- p7local.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- p7common.c \
- p7create.c \
- p7decode.c \
- p7encode.c \
- p7local.c \
- secmime.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = pkcs7
diff --git a/security/nss/lib/pkcs7/p7common.c b/security/nss/lib/pkcs7/p7common.c
deleted file mode 100644
index e11a7f586..000000000
--- a/security/nss/lib/pkcs7/p7common.c
+++ /dev/null
@@ -1,738 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * PKCS7 implementation -- the exported parts that are used whether
- * creating or decoding.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secpkcs5.h"
-#include "pk11func.h"
-
-/*
- * Find out (saving pointer to lookup result for future reference)
- * and return the inner content type.
- */
-SECOidTag
-SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo)
-{
- if (cinfo->contentTypeTag == NULL)
- cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-
- if (cinfo->contentTypeTag == NULL)
- return SEC_OID_UNKNOWN;
-
- return cinfo->contentTypeTag->offset;
-}
-
-
-/*
- * Destroy a PKCS7 contentInfo and all of its sub-pieces.
- */
-void
-SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *cinfo)
-{
- SECOidTag kind;
- CERTCertificate **certs;
- CERTCertificateList **certlists;
- SEC_PKCS7SignerInfo **signerinfos;
- SEC_PKCS7RecipientInfo **recipientinfos;
-
- PORT_Assert (cinfo->refCount > 0);
- if (cinfo->refCount <= 0)
- return;
-
- cinfo->refCount--;
- if (cinfo->refCount > 0)
- return;
-
- certs = NULL;
- certlists = NULL;
- recipientinfos = NULL;
- signerinfos = NULL;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- {
- SEC_PKCS7EnvelopedData *edp;
-
- edp = cinfo->content.envelopedData;
- if (edp != NULL) {
- recipientinfos = edp->recipientInfos;
- }
- }
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- if (sdp != NULL) {
- certs = sdp->certs;
- certlists = sdp->certLists;
- signerinfos = sdp->signerInfos;
- }
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- if (saedp != NULL) {
- certs = saedp->certs;
- certlists = saedp->certLists;
- recipientinfos = saedp->recipientInfos;
- signerinfos = saedp->signerInfos;
- if (saedp->sigKey != NULL)
- PK11_FreeSymKey (saedp->sigKey);
- }
- }
- break;
- default:
- /* XXX Anything else that needs to be "manually" freed/destroyed? */
- break;
- }
-
- if (certs != NULL) {
- CERTCertificate *cert;
-
- while ((cert = *certs++) != NULL) {
- CERT_DestroyCertificate (cert);
- }
- }
-
- if (certlists != NULL) {
- CERTCertificateList *certlist;
-
- while ((certlist = *certlists++) != NULL) {
- CERT_DestroyCertificateList (certlist);
- }
- }
-
- if (recipientinfos != NULL) {
- SEC_PKCS7RecipientInfo *ri;
-
- while ((ri = *recipientinfos++) != NULL) {
- if (ri->cert != NULL)
- CERT_DestroyCertificate (ri->cert);
- }
- }
-
- if (signerinfos != NULL) {
- SEC_PKCS7SignerInfo *si;
-
- while ((si = *signerinfos++) != NULL) {
- if (si->cert != NULL)
- CERT_DestroyCertificate (si->cert);
- if (si->certList != NULL)
- CERT_DestroyCertificateList (si->certList);
- }
- }
-
- if (cinfo->poolp != NULL) {
- PORT_FreeArena (cinfo->poolp, PR_FALSE); /* XXX clear it? */
- }
-}
-
-
-/*
- * Return a copy of the given contentInfo. The copy may be virtual
- * or may be real -- either way, the result needs to be passed to
- * SEC_PKCS7DestroyContentInfo later (as does the original).
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *cinfo)
-{
- if (cinfo == NULL)
- return NULL;
-
- PORT_Assert (cinfo->refCount > 0);
-
- if (cinfo->created) {
- /*
- * Want to do a real copy of these; otherwise subsequent
- * changes made to either copy are likely to be a surprise.
- * XXX I suspect that this will not actually be called for yet,
- * which is why the assert, so to notice if it is...
- */
- PORT_Assert (0);
- /*
- * XXX Create a new pool here, and copy everything from
- * within. For cert stuff, need to call the appropriate
- * copy functions, etc.
- */
- }
-
- cinfo->refCount++;
- return cinfo;
-}
-
-
-/*
- * Return a pointer to the actual content. In the case of those types
- * which are encrypted, this returns the *plain* content.
- * XXX Needs revisiting if/when we handle nested encrypted types.
- */
-SECItem *
-SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo)
-{
- SECOidTag kind;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_DATA:
- return cinfo->content.data;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- {
- SEC_PKCS7DigestedData *digd;
-
- digd = cinfo->content.digestedData;
- if (digd == NULL)
- break;
- return SEC_PKCS7GetContent (&(digd->contentInfo));
- }
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- {
- SEC_PKCS7EncryptedData *encd;
-
- encd = cinfo->content.encryptedData;
- if (encd == NULL)
- break;
- return &(encd->encContentInfo.plainContent);
- }
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- {
- SEC_PKCS7EnvelopedData *envd;
-
- envd = cinfo->content.envelopedData;
- if (envd == NULL)
- break;
- return &(envd->encContentInfo.plainContent);
- }
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sigd;
-
- sigd = cinfo->content.signedData;
- if (sigd == NULL)
- break;
- return SEC_PKCS7GetContent (&(sigd->contentInfo));
- }
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saed;
-
- saed = cinfo->content.signedAndEnvelopedData;
- if (saed == NULL)
- break;
- return &(saed->encContentInfo.plainContent);
- }
- default:
- PORT_Assert(0);
- break;
- }
-
- return NULL;
-}
-
-
-/*
- * XXX Fix the placement and formatting of the
- * following routines (i.e. make them consistent with the rest of
- * the pkcs7 code -- I think some/many belong in other files and
- * they all need a formatting/style rehaul)
- */
-
-/* retrieve the algorithm identifier for encrypted data.
- * the identifier returned is a copy of the algorithm identifier
- * in the content info and needs to be freed after being used.
- *
- * cinfo is the content info for which to retrieve the
- * encryption algorithm.
- *
- * if the content info is not encrypted data or an error
- * occurs NULL is returned.
- */
-SECAlgorithmID *
-SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo)
-{
- SECAlgorithmID *alg = 0;
- switch (SEC_PKCS7ContentType(cinfo))
- {
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- alg = &cinfo->content.encryptedData->encContentInfo.contentEncAlg;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- alg = &cinfo->content.envelopedData->encContentInfo.contentEncAlg;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- alg = &cinfo->content.signedAndEnvelopedData
- ->encContentInfo.contentEncAlg;
- break;
- default:
- alg = 0;
- break;
- }
-
- return alg;
-}
-
-/* set the content of the content info. For data content infos,
- * the data is set. For encrytped content infos, the plainContent
- * is set, and is expected to be encrypted later.
- *
- * cinfo is the content info where the data will be set
- *
- * buf is a buffer of the data to set
- *
- * len is the length of the data being set.
- *
- * in the event of an error, SECFailure is returned. SECSuccess
- * indicates the content was successfully set.
- */
-SECStatus
-SEC_PKCS7SetContent(SEC_PKCS7ContentInfo *cinfo,
- const char *buf,
- unsigned long len)
-{
- SECOidTag cinfo_type;
- SECStatus rv;
- SECItem content;
- SECOidData *contentTypeTag = NULL;
-
- content.data = (unsigned char *)buf;
- content.len = len;
-
- cinfo_type = SEC_PKCS7ContentType(cinfo);
-
- /* set inner content */
- switch(cinfo_type)
- {
- case SEC_OID_PKCS7_SIGNED_DATA:
- if(content.len > 0) {
- /* we "leak" the old content here, but as it's all in the pool */
- /* it does not really matter */
-
- /* create content item if necessary */
- if (cinfo->content.signedData->contentInfo.content.data == NULL)
- cinfo->content.signedData->contentInfo.content.data = SECITEM_AllocItem(cinfo->poolp, NULL, 0);
- rv = SECITEM_CopyItem(cinfo->poolp,
- cinfo->content.signedData->contentInfo.content.data,
- &content);
- } else {
- cinfo->content.signedData->contentInfo.content.data->data = NULL;
- cinfo->content.signedData->contentInfo.content.data->len = 0;
- rv = SECSuccess;
- }
- if(rv == SECFailure)
- goto loser;
-
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- /* XXX this forces the inner content type to be "data" */
- /* do we really want to override without asking or reason? */
- contentTypeTag = SECOID_FindOIDByTag(SEC_OID_PKCS7_DATA);
- if(contentTypeTag == NULL)
- goto loser;
- rv = SECITEM_CopyItem(cinfo->poolp,
- &(cinfo->content.encryptedData->encContentInfo.contentType),
- &(contentTypeTag->oid));
- if(rv == SECFailure)
- goto loser;
- if(content.len > 0) {
- rv = SECITEM_CopyItem(cinfo->poolp,
- &(cinfo->content.encryptedData->encContentInfo.plainContent),
- &content);
- } else {
- cinfo->content.encryptedData->encContentInfo.plainContent.data = NULL;
- cinfo->content.encryptedData->encContentInfo.encContent.data = NULL;
- cinfo->content.encryptedData->encContentInfo.plainContent.len = 0;
- cinfo->content.encryptedData->encContentInfo.encContent.len = 0;
- rv = SECSuccess;
- }
- if(rv == SECFailure)
- goto loser;
- break;
- case SEC_OID_PKCS7_DATA:
- cinfo->content.data = (SECItem *)PORT_ArenaZAlloc(cinfo->poolp,
- sizeof(SECItem));
- if(cinfo->content.data == NULL)
- goto loser;
- if(content.len > 0) {
- rv = SECITEM_CopyItem(cinfo->poolp,
- cinfo->content.data, &content);
- } else {
- /* handle case with NULL content */
- rv = SECSuccess;
- }
- if(rv == SECFailure)
- goto loser;
- break;
- default:
- goto loser;
- }
-
- return SECSuccess;
-
-loser:
-
- return SECFailure;
-}
-
-/* the content of an encrypted data content info is encrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "plainContent" field of the content info.
- *
- * cinfo is the content info to encrypt
- *
- * key is the key with which to perform the encryption. if the
- * algorithm is a password based encryption algorithm, the
- * key is actually a password which will be processed per
- * PKCS #5.
- *
- * in the event of an error, SECFailure is returned. SECSuccess
- * indicates a success.
- */
-SECStatus
-SEC_PKCS7EncryptContents(PRArenaPool *poolp,
- SEC_PKCS7ContentInfo *cinfo,
- SECItem *key,
- void *wincx)
-{
- SECAlgorithmID *algid = NULL;
- SECItem * result = NULL;
- SECItem * src;
- SECItem * dest;
- SECItem * blocked_data = NULL;
- void * mark;
- void * cx;
- PK11SymKey * eKey = NULL;
- PK11SlotInfo * slot = NULL;
-
- CK_MECHANISM pbeMech;
- CK_MECHANISM cryptoMech;
- int bs;
- SECOidTag algtag;
- SECStatus rv = SECFailure;
- SECItem c_param;
-
- if((cinfo == NULL) || (key == NULL))
- return SECFailure;
-
- if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
- return SECFailure;
-
- algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);
- if(algid == NULL)
- return SECFailure;
-
- if(poolp == NULL)
- poolp = cinfo->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- src = &cinfo->content.encryptedData->encContentInfo.plainContent;
- dest = &cinfo->content.encryptedData->encContentInfo.encContent;
- algtag = SECOID_GetAlgorithmTag(algid);
- c_param.data = NULL;
- dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
- dest->len = (src->len + 64);
- if(dest->data == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- slot = PK11_GetInternalKeySlot();
- if(slot == NULL) {
- rv = SECFailure;
- goto loser;
- }
- eKey = PK11_PBEKeyGen(slot, algid, key, PR_FALSE, wincx);
- if(eKey == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
- result = PK11_ParamFromAlgid(algid);
- pbeMech.pParameter = result->data;
- pbeMech.ulParameterLen = result->len;
- if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key,
- PR_FALSE) != CKR_OK) {
- rv = SECFailure;
- goto loser;
- }
- c_param.data = (unsigned char *)cryptoMech.pParameter;
- c_param.len = cryptoMech.ulParameterLen;
-
- /* block according to PKCS 8 */
- bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param);
- rv = SECSuccess;
- if(bs) {
- char pad_char;
- pad_char = (char)(bs - (src->len % bs));
- if(src->len % bs) {
- rv = SECSuccess;
- blocked_data = PK11_BlockData(src, bs);
- if(blocked_data) {
- PORT_Memset((blocked_data->data + blocked_data->len - (int)pad_char),
- pad_char, (int)pad_char);
- } else {
- rv = SECFailure;
- goto loser;
- }
- } else {
- blocked_data = SECITEM_DupItem(src);
- if(blocked_data) {
- blocked_data->data = (unsigned char*)PORT_Realloc(
- blocked_data->data,
- blocked_data->len + bs);
- if(blocked_data->data) {
- blocked_data->len += bs;
- PORT_Memset((blocked_data->data + src->len), (char)bs, bs);
- } else {
- rv = SECFailure;
- goto loser;
- }
- } else {
- rv = SECFailure;
- goto loser;
- }
- }
- } else {
- blocked_data = SECITEM_DupItem(src);
- if(!blocked_data) {
- rv = SECFailure;
- goto loser;
- }
- }
-
- cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_ENCRYPT,
- eKey, &c_param);
- if(cx == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len),
- (int)(src->len + 64), blocked_data->data,
- (int)blocked_data->len);
- PK11_DestroyContext((PK11Context*)cx, PR_TRUE);
-
-loser:
- /* let success fall through */
- if(blocked_data != NULL)
- SECITEM_ZfreeItem(blocked_data, PR_TRUE);
-
- if(result != NULL)
- SECITEM_ZfreeItem(result, PR_TRUE);
-
- if(rv == SECFailure)
- PORT_ArenaRelease(poolp, mark);
- else
- PORT_ArenaUnmark(poolp, mark);
-
- if(eKey != NULL)
- PK11_FreeSymKey(eKey);
-
- if(slot != NULL)
- PK11_FreeSlot(slot);
-
- if(c_param.data != NULL)
- SECITEM_ZfreeItem(&c_param, PR_FALSE);
-
- return rv;
-}
-
-/* the content of an encrypted data content info is decrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "encContent" field of the content info.
- *
- * cinfo is the content info to decrypt
- *
- * key is the key with which to perform the decryption. if the
- * algorithm is a password based encryption algorithm, the
- * key is actually a password which will be processed per
- * PKCS #5.
- *
- * in the event of an error, SECFailure is returned. SECSuccess
- * indicates a success.
- */
-SECStatus
-SEC_PKCS7DecryptContents(PRArenaPool *poolp,
- SEC_PKCS7ContentInfo *cinfo,
- SECItem *key,
- void *wincx)
-{
- SECAlgorithmID *algid = NULL;
- SECOidTag algtag;
- SECStatus rv = SECFailure;
- SECItem *result = NULL, *dest, *src;
- void *mark;
-
- PK11SymKey *eKey = NULL;
- PK11SlotInfo *slot = NULL;
- CK_MECHANISM pbeMech, cryptoMech;
- void *cx;
- SECItem c_param;
- int bs;
-
- if((cinfo == NULL) || (key == NULL))
- return SECFailure;
-
- if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
- return SECFailure;
-
- algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);
- if(algid == NULL)
- return SECFailure;
-
- if(poolp == NULL)
- poolp = cinfo->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- src = &cinfo->content.encryptedData->encContentInfo.encContent;
- dest = &cinfo->content.encryptedData->encContentInfo.plainContent;
- algtag = SECOID_GetAlgorithmTag(algid);
- c_param.data = NULL;
- dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
- dest->len = (src->len + 64);
- if(dest->data == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- slot = PK11_GetInternalKeySlot();
- if(slot == NULL) {
- rv = SECFailure;
- goto loser;
- }
- eKey = PK11_PBEKeyGen(slot, algid, key, PR_FALSE, wincx);
- if(eKey == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
- result = PK11_ParamFromAlgid(algid);
- pbeMech.pParameter = result->data;
- pbeMech.ulParameterLen = result->len;
- if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key,
- PR_FALSE) != CKR_OK) {
- rv = SECFailure;
- goto loser;
- }
- c_param.data = (unsigned char *)cryptoMech.pParameter;
- c_param.len = cryptoMech.ulParameterLen;
-
- cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_DECRYPT,
- eKey, &c_param);
- if(cx == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len),
- (int)(src->len + 64), src->data, (int)src->len);
- PK11_DestroyContext((PK11Context *)cx, PR_TRUE);
-
- bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param);
- if(bs) {
- /* check for proper badding in block algorithms. this assumes
- * RC2 cbc or a DES cbc variant. and the padding is thus defined
- */
- if(((int)dest->data[dest->len-1] <= bs) &&
- ((int)dest->data[dest->len-1] > 0)) {
- dest->len -= (int)dest->data[dest->len-1];
- } else {
- rv = SECFailure;
- /* set an error ? */
- }
- }
-
-loser:
- /* let success fall through */
- if(result != NULL)
- SECITEM_ZfreeItem(result, PR_TRUE);
-
- if(rv == SECFailure)
- PORT_ArenaRelease(poolp, mark);
- else
- PORT_ArenaUnmark(poolp, mark);
-
- if(eKey != NULL)
- PK11_FreeSymKey(eKey);
-
- if(slot != NULL)
- PK11_FreeSlot(slot);
-
- if(c_param.data != NULL)
- SECITEM_ZfreeItem(&c_param, PR_FALSE);
-
- return rv;
-}
-
-SECItem **
-SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo)
-{
- switch(SEC_PKCS7ContentType(cinfo))
- {
- case SEC_OID_PKCS7_SIGNED_DATA:
- return cinfo->content.signedData->rawCerts;
- break;
- default:
- return NULL;
- break;
- }
-}
-
-
-int
-SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo)
-{
- if (cinfo->contentTypeTag->offset == SEC_OID_PKCS7_ENVELOPED_DATA)
- return cinfo->content.envelopedData->encContentInfo.keysize;
- else
- return 0;
-}
-
diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c
deleted file mode 100644
index 665d8495c..000000000
--- a/security/nss/lib/pkcs7/p7create.c
+++ /dev/null
@@ -1,1320 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * PKCS7 creation.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cert.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secpkcs5.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-static SECStatus
-sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PRArenaPool *poolp,
- SECOidTag kind, PRBool detached)
-{
- void *thing;
- int version;
- SECItem *versionp;
- SECStatus rv;
-
- PORT_Assert (cinfo != NULL && poolp != NULL);
- if (cinfo == NULL || poolp == NULL)
- return SECFailure;
-
- cinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
- PORT_Assert (cinfo->contentTypeTag
- && cinfo->contentTypeTag->offset == kind);
-
- rv = SECITEM_CopyItem (poolp, &(cinfo->contentType),
- &(cinfo->contentTypeTag->oid));
- if (rv != SECSuccess)
- return rv;
-
- if (detached)
- return SECSuccess;
-
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- thing = PORT_ArenaZAlloc (poolp, sizeof(SECItem));
- cinfo->content.data = (SECItem*)thing;
- versionp = NULL;
- version = -1;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7DigestedData));
- cinfo->content.digestedData = (SEC_PKCS7DigestedData*)thing;
- versionp = &(cinfo->content.digestedData->version);
- version = SEC_PKCS7_DIGESTED_DATA_VERSION;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EncryptedData));
- cinfo->content.encryptedData = (SEC_PKCS7EncryptedData*)thing;
- versionp = &(cinfo->content.encryptedData->version);
- version = SEC_PKCS7_ENCRYPTED_DATA_VERSION;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EnvelopedData));
- cinfo->content.envelopedData =
- (SEC_PKCS7EnvelopedData*)thing;
- versionp = &(cinfo->content.envelopedData->version);
- version = SEC_PKCS7_ENVELOPED_DATA_VERSION;
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7SignedData));
- cinfo->content.signedData =
- (SEC_PKCS7SignedData*)thing;
- versionp = &(cinfo->content.signedData->version);
- version = SEC_PKCS7_SIGNED_DATA_VERSION;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- thing = PORT_ArenaZAlloc(poolp,sizeof(SEC_PKCS7SignedAndEnvelopedData));
- cinfo->content.signedAndEnvelopedData =
- (SEC_PKCS7SignedAndEnvelopedData*)thing;
- versionp = &(cinfo->content.signedAndEnvelopedData->version);
- version = SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION;
- break;
- }
-
- if (thing == NULL)
- return SECFailure;
-
- if (versionp != NULL) {
- SECItem *dummy;
-
- PORT_Assert (version >= 0);
- dummy = SEC_ASN1EncodeInteger (poolp, versionp, version);
- if (dummy == NULL)
- return SECFailure;
- PORT_Assert (dummy == versionp);
- }
-
- return SECSuccess;
-}
-
-
-static SEC_PKCS7ContentInfo *
-sec_pkcs7_create_content_info (SECOidTag kind, PRBool detached,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- PRArenaPool *poolp;
- SECStatus rv;
-
- poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (poolp == NULL)
- return NULL;
-
- cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
- if (cinfo == NULL) {
- PORT_FreeArena (poolp, PR_FALSE);
- return NULL;
- }
-
- cinfo->poolp = poolp;
- cinfo->pwfn = pwfn;
- cinfo->pwfn_arg = pwfn_arg;
- cinfo->created = PR_TRUE;
- cinfo->refCount = 1;
-
- rv = sec_pkcs7_init_content_info (cinfo, poolp, kind, detached);
- if (rv != SECSuccess) {
- PORT_FreeArena (poolp, PR_FALSE);
- return NULL;
- }
-
- return cinfo;
-}
-
-
-/*
- * Add a signer to a PKCS7 thing, verifying the signature cert first.
- * Any error returns SECFailure.
- *
- * XXX Right now this only adds the *first* signer. It fails if you try
- * to add a second one -- this needs to be fixed.
- */
-static SECStatus
-sec_pkcs7_add_signer (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate * cert,
- SECCertUsage certusage,
- CERTCertDBHandle * certdb,
- SECOidTag digestalgtag,
- SECItem * digestdata)
-{
- SEC_PKCS7SignerInfo *signerinfo, **signerinfos, ***signerinfosp;
- SECAlgorithmID *digestalg, **digestalgs, ***digestalgsp;
- SECItem *digest, **digests, ***digestsp;
- SECItem * dummy;
- void * mark;
- SECStatus rv;
- SECOidTag kind;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- digestalgsp = &(sdp->digestAlgorithms);
- digestsp = &(sdp->digests);
- signerinfosp = &(sdp->signerInfos);
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- digestalgsp = &(saedp->digestAlgorithms);
- digestsp = &(saedp->digests);
- signerinfosp = &(saedp->signerInfos);
- }
- break;
- default:
- return SECFailure; /* XXX set an error? */
- }
-
- /*
- * XXX I think that CERT_VerifyCert should do this if *it* is passed
- * a NULL database.
- */
- if (certdb == NULL) {
- certdb = CERT_GetDefaultCertDB();
- if (certdb == NULL)
- return SECFailure; /* XXX set an error? */
- }
-
- if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
- cinfo->pwfn_arg, NULL) != SECSuccess)
- {
- /* XXX Did CERT_VerifyCert set an error? */
- return SECFailure;
- }
-
- /*
- * XXX This is the check that we do not already have a signer.
- * This is not what we really want -- we want to allow this
- * and *add* the new signer.
- */
- PORT_Assert (*signerinfosp == NULL
- && *digestalgsp == NULL && *digestsp == NULL);
- if (*signerinfosp != NULL || *digestalgsp != NULL || *digestsp != NULL)
- return SECFailure;
-
- mark = PORT_ArenaMark (cinfo->poolp);
-
- signerinfo = (SEC_PKCS7SignerInfo*)PORT_ArenaZAlloc (cinfo->poolp,
- sizeof(SEC_PKCS7SignerInfo));
- if (signerinfo == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &signerinfo->version,
- SEC_PKCS7_SIGNER_INFO_VERSION);
- if (dummy == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- PORT_Assert (dummy == &signerinfo->version);
-
- signerinfo->cert = CERT_DupCertificate (cert);
- if (signerinfo->cert == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- signerinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
- if (signerinfo->issuerAndSN == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- rv = SECOID_SetAlgorithmID (cinfo->poolp, &signerinfo->digestAlg,
- digestalgtag, NULL);
- if (rv != SECSuccess) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- /*
- * Okay, now signerinfo is all set. We just need to put it and its
- * companions (another copy of the digest algorithm, and the digest
- * itself if given) into the main structure.
- *
- * XXX If we are handling more than one signer, the following code
- * needs to look through the digest algorithms already specified
- * and see if the same one is there already. If it is, it does not
- * need to be added again. Also, if it is there *and* the digest
- * is not null, then the digest given should match the digest already
- * specified -- if not, that is an error. Finally, the new signerinfo
- * should be *added* to the set already found.
- */
-
- signerinfos = (SEC_PKCS7SignerInfo**)PORT_ArenaAlloc (cinfo->poolp,
- 2 * sizeof(SEC_PKCS7SignerInfo *));
- if (signerinfos == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- signerinfos[0] = signerinfo;
- signerinfos[1] = NULL;
-
- digestalg = PORT_ArenaZAlloc (cinfo->poolp, sizeof(SECAlgorithmID));
- digestalgs = PORT_ArenaAlloc (cinfo->poolp, 2 * sizeof(SECAlgorithmID *));
- if (digestalg == NULL || digestalgs == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- rv = SECOID_SetAlgorithmID (cinfo->poolp, digestalg, digestalgtag, NULL);
- if (rv != SECSuccess) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- digestalgs[0] = digestalg;
- digestalgs[1] = NULL;
-
- if (digestdata != NULL) {
- digest = (SECItem*)PORT_ArenaAlloc (cinfo->poolp, sizeof(SECItem));
- digests = (SECItem**)PORT_ArenaAlloc (cinfo->poolp,
- 2 * sizeof(SECItem *));
- if (digest == NULL || digests == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- rv = SECITEM_CopyItem (cinfo->poolp, digest, digestdata);
- if (rv != SECSuccess) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- digests[0] = digest;
- digests[1] = NULL;
- } else {
- digests = NULL;
- }
-
- *signerinfosp = signerinfos;
- *digestalgsp = digestalgs;
- *digestsp = digests;
-
- PORT_ArenaUnmark(cinfo->poolp, mark);
- return SECSuccess;
-}
-
-
-/*
- * Helper function for creating an empty signedData.
- */
-static SEC_PKCS7ContentInfo *
-sec_pkcs7_create_signed_data (SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- SEC_PKCS7SignedData *sigd;
- SECStatus rv;
-
- cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_SIGNED_DATA, PR_FALSE,
- pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- sigd = cinfo->content.signedData;
- PORT_Assert (sigd != NULL);
-
- /*
- * XXX Might we want to allow content types other than data?
- * If so, via what interface?
- */
- rv = sec_pkcs7_init_content_info (&(sigd->contentInfo), cinfo->poolp,
- SEC_OID_PKCS7_DATA, PR_TRUE);
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- return cinfo;
-}
-
-
-/*
- * Start a PKCS7 signing context.
- *
- * "cert" is the cert that will be used to sign the data. It will be
- * checked for validity.
- *
- * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "signing" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- *
- * "digest" is the actual digest of the data. It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * The return value can be passed to functions which add things to
- * it like attributes, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateSignedData (CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb,
- SECOidTag digestalg,
- SECItem *digest,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- SECStatus rv;
-
- cinfo = sec_pkcs7_create_signed_data (pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- rv = sec_pkcs7_add_signer (cinfo, cert, certusage, certdb,
- digestalg, digest);
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- return cinfo;
-}
-
-
-static SEC_PKCS7Attribute *
-sec_pkcs7_create_attribute (PRArenaPool *poolp, SECOidTag oidtag,
- SECItem *value, PRBool encoded)
-{
- SEC_PKCS7Attribute *attr;
- SECItem **values;
- void *mark;
-
- PORT_Assert (poolp != NULL);
- mark = PORT_ArenaMark (poolp);
-
- attr = (SEC_PKCS7Attribute*)PORT_ArenaAlloc (poolp,
- sizeof(SEC_PKCS7Attribute));
- if (attr == NULL)
- goto loser;
-
- attr->typeTag = SECOID_FindOIDByTag (oidtag);
- if (attr->typeTag == NULL)
- goto loser;
-
- if (SECITEM_CopyItem (poolp, &(attr->type),
- &(attr->typeTag->oid)) != SECSuccess)
- goto loser;
-
- values = (SECItem**)PORT_ArenaAlloc (poolp, 2 * sizeof(SECItem *));
- if (values == NULL)
- goto loser;
-
- if (value != NULL) {
- SECItem *copy;
-
- copy = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
- if (copy == NULL)
- goto loser;
-
- if (SECITEM_CopyItem (poolp, copy, value) != SECSuccess)
- goto loser;
-
- value = copy;
- }
-
- values[0] = value;
- values[1] = NULL;
- attr->values = values;
- attr->encoded = encoded;
-
- PORT_ArenaUnmark (poolp, mark);
- return attr;
-
-loser:
- PORT_Assert (mark != NULL);
- PORT_ArenaRelease (poolp, mark);
- return NULL;
-}
-
-
-static SECStatus
-sec_pkcs7_add_attribute (SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7Attribute ***attrsp,
- SEC_PKCS7Attribute *attr)
-{
- SEC_PKCS7Attribute **attrs;
- SECItem *ct_value;
- void *mark;
-
- PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
- if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
- return SECFailure;
-
- attrs = *attrsp;
- if (attrs != NULL) {
- int count;
-
- /*
- * We already have some attributes, and just need to add this
- * new one.
- */
-
- /*
- * We should already have the *required* attributes, which were
- * created/added at the same time the first attribute was added.
- */
- PORT_Assert (sec_PKCS7FindAttribute (attrs,
- SEC_OID_PKCS9_CONTENT_TYPE,
- PR_FALSE) != NULL);
- PORT_Assert (sec_PKCS7FindAttribute (attrs,
- SEC_OID_PKCS9_MESSAGE_DIGEST,
- PR_FALSE) != NULL);
-
- for (count = 0; attrs[count] != NULL; count++)
- ;
- attrs = (SEC_PKCS7Attribute**)PORT_ArenaGrow (cinfo->poolp, attrs,
- (count + 1) * sizeof(SEC_PKCS7Attribute *),
- (count + 2) * sizeof(SEC_PKCS7Attribute *));
- if (attrs == NULL)
- return SECFailure;
-
- attrs[count] = attr;
- attrs[count+1] = NULL;
- *attrsp = attrs;
-
- return SECSuccess;
- }
-
- /*
- * This is the first time an attribute is going in.
- * We need to create and add the required attributes, and then
- * we will also add in the one our caller gave us.
- */
-
- /*
- * There are 2 required attributes, plus the one our caller wants
- * to add, plus we always end with a NULL one. Thus, four slots.
- */
- attrs = (SEC_PKCS7Attribute**)PORT_ArenaAlloc (cinfo->poolp,
- 4 * sizeof(SEC_PKCS7Attribute *));
- if (attrs == NULL)
- return SECFailure;
-
- mark = PORT_ArenaMark (cinfo->poolp);
-
- /*
- * First required attribute is the content type of the data
- * being signed.
- */
- ct_value = &(cinfo->content.signedData->contentInfo.contentType);
- attrs[0] = sec_pkcs7_create_attribute (cinfo->poolp,
- SEC_OID_PKCS9_CONTENT_TYPE,
- ct_value, PR_FALSE);
- /*
- * Second required attribute is the message digest of the data
- * being signed; we leave the value NULL for now (just create
- * the place for it to go), and the encoder will fill it in later.
- */
- attrs[1] = sec_pkcs7_create_attribute (cinfo->poolp,
- SEC_OID_PKCS9_MESSAGE_DIGEST,
- NULL, PR_FALSE);
- if (attrs[0] == NULL || attrs[1] == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- attrs[2] = attr;
- attrs[3] = NULL;
- *attrsp = attrs;
-
- PORT_ArenaUnmark (cinfo->poolp, mark);
- return SECSuccess;
-}
-
-
-/*
- * Add the signing time to the authenticated (i.e. signed) attributes
- * of "cinfo". This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will either do
- * nothing or replace an old signing time with a newer one.
- *
- * XXX This will probably just shove the current time into "cinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding. Is this (expected to be small) delay okay?
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-SECStatus
-SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo)
-{
- SEC_PKCS7SignerInfo **signerinfos;
- SEC_PKCS7Attribute *attr;
- SECItem stime;
- SECStatus rv;
- int si;
-
- PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
- if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
- return SECFailure;
-
- signerinfos = cinfo->content.signedData->signerInfos;
-
- /* There has to be a signer, or it makes no sense. */
- if (signerinfos == NULL || signerinfos[0] == NULL)
- return SECFailure;
-
- rv = DER_TimeToUTCTime (&stime, PR_Now());
- if (rv != SECSuccess)
- return rv;
-
- attr = sec_pkcs7_create_attribute (cinfo->poolp,
- SEC_OID_PKCS9_SIGNING_TIME,
- &stime, PR_FALSE);
- SECITEM_FreeItem (&stime, PR_FALSE);
-
- if (attr == NULL)
- return SECFailure;
-
- rv = SECSuccess;
- for (si = 0; signerinfos[si] != NULL; si++) {
- SEC_PKCS7Attribute *oattr;
-
- oattr = sec_PKCS7FindAttribute (signerinfos[si]->authAttr,
- SEC_OID_PKCS9_SIGNING_TIME, PR_FALSE);
- PORT_Assert (oattr == NULL);
- if (oattr != NULL)
- continue; /* XXX or would it be better to replace it? */
-
- rv = sec_pkcs7_add_attribute (cinfo, &(signerinfos[si]->authAttr),
- attr);
- if (rv != SECSuccess)
- break; /* could try to continue, but may as well give up now */
- }
-
- return rv;
-}
-
-
-/*
- * Add the specified attribute to the authenticated (i.e. signed) attributes
- * of "cinfo" -- "oidtag" describes the attribute and "value" is the
- * value to be associated with it. NOTE! "value" must already be encoded;
- * no interpretation of "oidtag" is done. Also, it is assumed that this
- * signedData has only one signer -- if we ever need to add attributes
- * when there is more than one signature, we need a way to specify *which*
- * signature should get the attribute.
- *
- * XXX Technically, a signed attribute can have multiple values; if/when
- * we ever need to support an attribute which takes multiple values, we
- * either need to change this interface or create an AddSignedAttributeValue
- * which can be called subsequently, and would then append a value.
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-SECStatus
-SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
- SECOidTag oidtag,
- SECItem *value)
-{
- SEC_PKCS7SignerInfo **signerinfos;
- SEC_PKCS7Attribute *attr;
-
- PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
- if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
- return SECFailure;
-
- signerinfos = cinfo->content.signedData->signerInfos;
-
- /*
- * No signature or more than one means no deal.
- */
- if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
- return SECFailure;
-
- attr = sec_pkcs7_create_attribute (cinfo->poolp, oidtag, value, PR_TRUE);
- if (attr == NULL)
- return SECFailure;
-
- return sec_pkcs7_add_attribute (cinfo, &(signerinfos[0]->authAttr), attr);
-}
-
-
-/*
- * Mark that the signer certificates and their issuing chain should
- * be included in the encoded data. This is expected to be used
- * in outgoing signed messages for email (S/MIME).
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-SECStatus
-SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
- CERTCertDBHandle *certdb)
-{
- SECOidTag kind;
- SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- signerinfos = cinfo->content.signedData->signerInfos;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
- break;
- default:
- return SECFailure; /* XXX set an error? */
- }
-
- if (signerinfos == NULL) /* no signer, no certs? */
- return SECFailure; /* XXX set an error? */
-
- if (certdb == NULL) {
- certdb = CERT_GetDefaultCertDB();
- if (certdb == NULL) {
- PORT_SetError (SEC_ERROR_BAD_DATABASE);
- return SECFailure;
- }
- }
-
- /* XXX Should it be an error if we find no signerinfo or no certs? */
- while ((signerinfo = *signerinfos++) != NULL) {
- if (signerinfo->cert != NULL)
- /* get the cert chain. don't send the root to avoid contamination
- * of old clients with a new root that they don't trust
- */
- signerinfo->certList = CERT_CertChainFromCert (signerinfo->cert,
- certUsageEmailSigner,
- PR_FALSE);
- }
-
- return SECSuccess;
-}
-
-
-/*
- * Helper function to add a certificate chain for inclusion in the
- * bag of certificates in a signedData.
- */
-static SECStatus
-sec_pkcs7_add_cert_chain (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert,
- CERTCertDBHandle *certdb)
-{
- SECOidTag kind;
- CERTCertificateList *certlist, **certlists, ***certlistsp;
- int count;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- certlistsp = &(sdp->certLists);
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- certlistsp = &(saedp->certLists);
- }
- break;
- default:
- return SECFailure; /* XXX set an error? */
- }
-
- if (certdb == NULL) {
- certdb = CERT_GetDefaultCertDB();
- if (certdb == NULL) {
- PORT_SetError (SEC_ERROR_BAD_DATABASE);
- return SECFailure;
- }
- }
-
- certlist = CERT_CertChainFromCert (cert, certUsageEmailSigner, PR_FALSE);
- if (certlist == NULL)
- return SECFailure;
-
- certlists = *certlistsp;
- if (certlists == NULL) {
- count = 0;
- certlists = (CERTCertificateList**)PORT_ArenaAlloc (cinfo->poolp,
- 2 * sizeof(CERTCertificateList *));
- } else {
- for (count = 0; certlists[count] != NULL; count++)
- ;
- PORT_Assert (count); /* should be at least one already */
- certlists = (CERTCertificateList**)PORT_ArenaGrow (cinfo->poolp,
- certlists,
- (count + 1) * sizeof(CERTCertificateList *),
- (count + 2) * sizeof(CERTCertificateList *));
- }
-
- if (certlists == NULL) {
- CERT_DestroyCertificateList (certlist);
- return SECFailure;
- }
-
- certlists[count] = certlist;
- certlists[count + 1] = NULL;
-
- *certlistsp = certlists;
-
- return SECSuccess;
-}
-
-
-/*
- * Helper function to add a certificate for inclusion in the bag of
- * certificates in a signedData.
- */
-static SECStatus
-sec_pkcs7_add_certificate (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert)
-{
- SECOidTag kind;
- CERTCertificate **certs, ***certsp;
- int count;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- certsp = &(sdp->certs);
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- certsp = &(saedp->certs);
- }
- break;
- default:
- return SECFailure; /* XXX set an error? */
- }
-
- cert = CERT_DupCertificate (cert);
- if (cert == NULL)
- return SECFailure;
-
- certs = *certsp;
- if (certs == NULL) {
- count = 0;
- certs = (CERTCertificate**)PORT_ArenaAlloc (cinfo->poolp,
- 2 * sizeof(CERTCertificate *));
- } else {
- for (count = 0; certs[count] != NULL; count++)
- ;
- PORT_Assert (count); /* should be at least one already */
- certs = (CERTCertificate**)PORT_ArenaGrow (cinfo->poolp, certs,
- (count + 1) * sizeof(CERTCertificate *),
- (count + 2) * sizeof(CERTCertificate *));
- }
-
- if (certs == NULL) {
- CERT_DestroyCertificate (cert);
- return SECFailure;
- }
-
- certs[count] = cert;
- certs[count + 1] = NULL;
-
- *certsp = certs;
-
- return SECSuccess;
-}
-
-
-/*
- * Create a PKCS7 certs-only container.
- *
- * "cert" is the (first) cert that will be included.
- *
- * "include_chain" specifies whether the entire chain for "cert" should
- * be included.
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL in when "include_chain" is false, or when meaning
- * use the default database.
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
- PRBool include_chain,
- CERTCertDBHandle *certdb)
-{
- SEC_PKCS7ContentInfo *cinfo;
- SECStatus rv;
-
- cinfo = sec_pkcs7_create_signed_data (NULL, NULL);
- if (cinfo == NULL)
- return NULL;
-
- if (include_chain)
- rv = sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
- else
- rv = sec_pkcs7_add_certificate (cinfo, cert);
-
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- return cinfo;
-}
-
-
-/*
- * Add "cert" and its entire chain to the set of certs included in "cinfo".
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-SECStatus
-SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert,
- CERTCertDBHandle *certdb)
-{
- SECOidTag kind;
-
- kind = SEC_PKCS7ContentType (cinfo);
- if (kind != SEC_OID_PKCS7_SIGNED_DATA
- && kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
- return SECFailure; /* XXX set an error? */
-
- return sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
-}
-
-
-/*
- * Add "cert" to the set of certs included in "cinfo".
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-SECStatus
-SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo, CERTCertificate *cert)
-{
- SECOidTag kind;
-
- kind = SEC_PKCS7ContentType (cinfo);
- if (kind != SEC_OID_PKCS7_SIGNED_DATA
- && kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
- return SECFailure; /* XXX set an error? */
-
- return sec_pkcs7_add_certificate (cinfo, cert);
-}
-
-
-static SECStatus
-sec_pkcs7_init_encrypted_content_info (SEC_PKCS7EncryptedContentInfo *enccinfo,
- PRArenaPool *poolp,
- SECOidTag kind, PRBool detached,
- SECOidTag encalg, int keysize)
-{
- SECStatus rv;
-
- PORT_Assert (enccinfo != NULL && poolp != NULL);
- if (enccinfo == NULL || poolp == NULL)
- return SECFailure;
-
- /*
- * XXX Some day we may want to allow for other kinds. That needs
- * more work and modifications to the creation interface, etc.
- * For now, allow but notice callers who pass in other kinds.
- * They are responsible for creating the inner type and encoding,
- * if it is other than DATA.
- */
- PORT_Assert (kind == SEC_OID_PKCS7_DATA);
-
- enccinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
- PORT_Assert (enccinfo->contentTypeTag
- && enccinfo->contentTypeTag->offset == kind);
-
- rv = SECITEM_CopyItem (poolp, &(enccinfo->contentType),
- &(enccinfo->contentTypeTag->oid));
- if (rv != SECSuccess)
- return rv;
-
- /* Save keysize and algorithm for later. */
- enccinfo->keysize = keysize;
- enccinfo->encalg = encalg;
-
- return SECSuccess;
-}
-
-
-/*
- * Add a recipient to a PKCS7 thing, verifying their cert first.
- * Any error returns SECFailure.
- */
-static SECStatus
-sec_pkcs7_add_recipient (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb)
-{
- SECOidTag kind;
- SEC_PKCS7RecipientInfo *recipientinfo, **recipientinfos, ***recipientinfosp;
- SECItem *dummy;
- void *mark;
- int count;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- {
- SEC_PKCS7EnvelopedData *edp;
-
- edp = cinfo->content.envelopedData;
- recipientinfosp = &(edp->recipientInfos);
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- recipientinfosp = &(saedp->recipientInfos);
- }
- break;
- default:
- return SECFailure; /* XXX set an error? */
- }
-
- /*
- * XXX I think that CERT_VerifyCert should do this if *it* is passed
- * a NULL database.
- */
- if (certdb == NULL) {
- certdb = CERT_GetDefaultCertDB();
- if (certdb == NULL)
- return SECFailure; /* XXX set an error? */
- }
-
- if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
- cinfo->pwfn_arg, NULL) != SECSuccess)
- {
- /* XXX Did CERT_VerifyCert set an error? */
- return SECFailure;
- }
-
- mark = PORT_ArenaMark (cinfo->poolp);
-
- recipientinfo = (SEC_PKCS7RecipientInfo*)PORT_ArenaZAlloc (cinfo->poolp,
- sizeof(SEC_PKCS7RecipientInfo));
- if (recipientinfo == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &recipientinfo->version,
- SEC_PKCS7_RECIPIENT_INFO_VERSION);
- if (dummy == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
- PORT_Assert (dummy == &recipientinfo->version);
-
- recipientinfo->cert = CERT_DupCertificate (cert);
- if (recipientinfo->cert == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- recipientinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
- if (recipientinfo->issuerAndSN == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- /*
- * Okay, now recipientinfo is all set. We just need to put it into
- * the main structure.
- *
- * If this is the first recipient, allocate a new recipientinfos array;
- * otherwise, reallocate the array, making room for the new entry.
- */
- recipientinfos = *recipientinfosp;
- if (recipientinfos == NULL) {
- count = 0;
- recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaAlloc (
- cinfo->poolp,
- 2 * sizeof(SEC_PKCS7RecipientInfo *));
- } else {
- for (count = 0; recipientinfos[count] != NULL; count++)
- ;
- PORT_Assert (count); /* should be at least one already */
- recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaGrow (
- cinfo->poolp, recipientinfos,
- (count + 1) * sizeof(SEC_PKCS7RecipientInfo *),
- (count + 2) * sizeof(SEC_PKCS7RecipientInfo *));
- }
-
- if (recipientinfos == NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- return SECFailure;
- }
-
- recipientinfos[count] = recipientinfo;
- recipientinfos[count + 1] = NULL;
-
- *recipientinfosp = recipientinfos;
-
- PORT_ArenaUnmark (cinfo->poolp, mark);
- return SECSuccess;
-}
-
-
-/*
- * Start a PKCS7 enveloping context.
- *
- * "cert" is the cert for the recipient. It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
- *
- * "keysize" specifies the bulk encryption key size, in bits.
- *
- * The return value can be passed to functions which add things to
- * it like more recipients, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb,
- SECOidTag encalg,
- int keysize,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- SEC_PKCS7EnvelopedData *envd;
- SECStatus rv;
-
- cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENVELOPED_DATA,
- PR_FALSE, pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- rv = sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- envd = cinfo->content.envelopedData;
- PORT_Assert (envd != NULL);
-
- /*
- * XXX Might we want to allow content types other than data?
- * If so, via what interface?
- */
- rv = sec_pkcs7_init_encrypted_content_info (&(envd->encContentInfo),
- cinfo->poolp,
- SEC_OID_PKCS7_DATA, PR_FALSE,
- encalg, keysize);
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- /* XXX Anything more to do here? */
-
- return cinfo;
-}
-
-
-/*
- * Add another recipient to an encrypted message.
- *
- * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- *
- * "cert" is the cert for the recipient. It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- */
-SECStatus
-SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb)
-{
- return sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
-}
-
-
-/*
- * Create an empty PKCS7 data content info.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateData (void)
-{
- return sec_pkcs7_create_content_info (SEC_OID_PKCS7_DATA, PR_FALSE,
- NULL, NULL);
-}
-
-
-/*
- * Create an empty PKCS7 encrypted content info.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- SECAlgorithmID *algid;
- SEC_PKCS7EncryptedData *enc_data;
- SECStatus rv;
-
- cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENCRYPTED_DATA,
- PR_FALSE, pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- enc_data = cinfo->content.encryptedData;
- algid = &(enc_data->encContentInfo.contentEncAlg);
-
- switch (algorithm) {
- case SEC_OID_RC2_CBC:
- case SEC_OID_DES_EDE3_CBC:
- case SEC_OID_DES_CBC:
- rv = SECOID_SetAlgorithmID (cinfo->poolp, algid, algorithm, NULL);
- break;
- default:
- {
- /*
- * Assume password-based-encryption. At least, try that.
- */
- SECAlgorithmID *pbe_algid;
- pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL);
- if (pbe_algid == NULL) {
- rv = SECFailure;
- } else {
- rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid);
- SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
- }
- }
- break;
- }
-
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- rv = sec_pkcs7_init_encrypted_content_info (&(enc_data->encContentInfo),
- cinfo->poolp,
- SEC_OID_PKCS7_DATA, PR_FALSE,
- algorithm, keysize);
- if (rv != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- return cinfo;
-}
-
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
deleted file mode 100644
index 0eee743c2..000000000
--- a/security/nss/lib/pkcs7/p7decode.c
+++ /dev/null
@@ -1,2087 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * PKCS7 decoding, verification.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cert.h"
- /* XXX do not want to have to include */
-#include "certdb.h" /* certdb.h -- the trust stuff needed by */
- /* the add certificate code needs to get */
- /* rewritten/abstracted and then this */
- /* include should be removed! */
-#include "cdbhdl.h"
-#include "cryptohi.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-
-struct sec_pkcs7_decoder_worker {
- int depth;
- int digcnt;
- void **digcxs;
- SECHashObject **digobjs;
- sec_PKCS7CipherObject *decryptobj;
- PRBool saw_contents;
-};
-
-struct SEC_PKCS7DecoderContextStr {
- SEC_ASN1DecoderContext *dcx;
- SEC_PKCS7ContentInfo *cinfo;
- SEC_PKCS7DecoderContentCallback cb;
- void *cb_arg;
- SECKEYGetPasswordKey pwfn;
- void *pwfn_arg;
- struct sec_pkcs7_decoder_worker worker;
- PRArenaPool *tmp_poolp;
- int error;
- SEC_PKCS7GetDecryptKeyCallback dkcb;
- void *dkcb_arg;
- SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb;
-};
-
-/*
- * Handle one worker, decrypting and digesting the data as necessary.
- *
- * XXX If/when we support nested contents, this probably needs to be
- * revised somewhat to get passed the content-info (which unfortunately
- * can be two different types depending on whether it is encrypted or not)
- * corresponding to the given worker.
- */
-static void
-sec_pkcs7_decoder_work_data (SEC_PKCS7DecoderContext *p7dcx,
- struct sec_pkcs7_decoder_worker *worker,
- const unsigned char *data, unsigned long len,
- PRBool final)
-{
- unsigned char *buf = NULL;
- SECStatus rv;
- int i;
-
- /*
- * We should really have data to process, or we should be trying
- * to finish/flush the last block. (This is an overly paranoid
- * check since all callers are in this file and simple inspection
- * proves they do it right. But it could find a bug in future
- * modifications/development, that is why it is here.)
- */
- PORT_Assert ((data != NULL && len) || final);
-
- /*
- * Decrypt this chunk.
- *
- * XXX If we get an error, we do not want to do the digest or callback,
- * but we want to keep decoding. Or maybe we want to stop decoding
- * altogether if there is a callback, because obviously we are not
- * sending the data back and they want to know that.
- */
- if (worker->decryptobj != NULL) {
- /* XXX the following lengths should all be longs? */
- unsigned int inlen; /* length of data being decrypted */
- unsigned int outlen; /* length of decrypted data */
- unsigned int buflen; /* length available for decrypted data */
- SECItem *plain;
-
- inlen = len;
- buflen = sec_PKCS7DecryptLength (worker->decryptobj, inlen, final);
- if (buflen == 0) {
- if (inlen == 0) /* no input and no output */
- return;
- /*
- * No output is expected, but the input data may be buffered
- * so we still have to call Decrypt.
- */
- rv = sec_PKCS7Decrypt (worker->decryptobj, NULL, NULL, 0,
- data, inlen, final);
- if (rv != SECSuccess) {
- p7dcx->error = PORT_GetError();
- return; /* XXX indicate error? */
- }
- return;
- }
-
- if (p7dcx->cb != NULL) {
- buf = (unsigned char *) PORT_Alloc (buflen);
- plain = NULL;
- } else {
- unsigned long oldlen;
-
- /*
- * XXX This assumes one level of content only.
- * See comment above about nested content types.
- * XXX Also, it should work for signedAndEnvelopedData, too!
- */
- plain = &(p7dcx->cinfo->
- content.envelopedData->encContentInfo.plainContent);
-
- oldlen = plain->len;
- if (oldlen == 0) {
- buf = (unsigned char*)PORT_ArenaAlloc (p7dcx->cinfo->poolp,
- buflen);
- } else {
- buf = (unsigned char*)PORT_ArenaGrow (p7dcx->cinfo->poolp,
- plain->data,
- oldlen, oldlen + buflen);
- if (buf != NULL)
- buf += oldlen;
- }
- plain->data = buf;
- }
- if (buf == NULL) {
- p7dcx->error = SEC_ERROR_NO_MEMORY;
- return; /* XXX indicate error? */
- }
- rv = sec_PKCS7Decrypt (worker->decryptobj, buf, &outlen, buflen,
- data, inlen, final);
- if (rv != SECSuccess) {
- p7dcx->error = PORT_GetError();
- return; /* XXX indicate error? */
- }
- if (plain != NULL) {
- PORT_Assert (final || outlen == buflen);
- plain->len += outlen;
- }
- data = buf;
- len = outlen;
- }
-
- /*
- * Update the running digests.
- */
- if (len) {
- for (i = 0; i < worker->digcnt; i++) {
- (* worker->digobjs[i]->update) (worker->digcxs[i], data, len);
- }
- }
-
- /*
- * Pass back the contents bytes, and free the temporary buffer.
- */
- if (p7dcx->cb != NULL) {
- if (len)
- (* p7dcx->cb) (p7dcx->cb_arg, (const char *)data, len);
- if (worker->decryptobj != NULL) {
- PORT_Assert (buf != NULL);
- PORT_Free (buf);
- }
- }
-}
-
-static void
-sec_pkcs7_decoder_filter (void *arg, const char *data, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- SEC_PKCS7DecoderContext *p7dcx;
- struct sec_pkcs7_decoder_worker *worker;
-
- /*
- * Since we do not handle any nested contents, the only bytes we
- * are really interested in are the actual contents bytes (not
- * the identifier, length, or end-of-contents bytes). If we were
- * handling nested types we would probably need to do something
- * smarter based on depth and data_kind.
- */
- if (data_kind != SEC_ASN1_Contents)
- return;
-
- /*
- * The ASN.1 decoder should not even call us with a length of 0.
- * Just being paranoid.
- */
- PORT_Assert (len);
- if (len == 0)
- return;
-
- p7dcx = (SEC_PKCS7DecoderContext*)arg;
-
- /*
- * Handling nested contents would mean that there is a chain
- * of workers -- one per each level of content. The following
- * would start with the first worker and loop over them.
- */
- worker = &(p7dcx->worker);
-
- worker->saw_contents = PR_TRUE;
-
- sec_pkcs7_decoder_work_data (p7dcx, worker,
- (const unsigned char *) data, len, PR_FALSE);
-}
-
-
-/*
- * Create digest contexts for each algorithm in "digestalgs".
- * No algorithms is not an error, we just do not do anything.
- * An error (like trouble allocating memory), marks the error
- * in "p7dcx" and returns SECFailure, which means that our caller
- * should just give up altogether.
- */
-static SECStatus
-sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
- SECAlgorithmID **digestalgs)
-{
- SECAlgorithmID *algid;
- SECOidData *oiddata;
- SECHashObject *digobj;
- void *digcx;
- int i, digcnt;
-
- if (digestalgs == NULL)
- return SECSuccess;
-
- /*
- * Count the algorithms.
- */
- digcnt = 0;
- while (digestalgs[digcnt] != NULL)
- digcnt++;
-
- /*
- * No algorithms means no work to do.
- * This is not expected, so cause an assert.
- * But if it does happen, just act as if there were
- * no algorithms specified.
- */
- PORT_Assert (digcnt != 0);
- if (digcnt == 0)
- return SECSuccess;
-
- p7dcx->worker.digcxs = (void**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
- digcnt * sizeof (void *));
- p7dcx->worker.digobjs = (SECHashObject**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
- digcnt * sizeof (SECHashObject *));
- if (p7dcx->worker.digcxs == NULL || p7dcx->worker.digobjs == NULL) {
- p7dcx->error = SEC_ERROR_NO_MEMORY;
- return SECFailure;
- }
-
- p7dcx->worker.depth = depth;
- p7dcx->worker.digcnt = 0;
-
- /*
- * Create a digest context for each algorithm.
- */
- for (i = 0; i < digcnt; i++) {
- algid = digestalgs[i];
- oiddata = SECOID_FindOID(&(algid->algorithm));
- if (oiddata == NULL) {
- digobj = NULL;
- } else {
- switch (oiddata->offset) {
- case SEC_OID_MD2:
- digobj = &SECHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_MD5:
- digobj = &SECHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_SHA1:
- digobj = &SECHashObjects[HASH_AlgSHA1];
- break;
- default:
- digobj = NULL;
- break;
- }
- }
-
- /*
- * Skip any algorithm we do not even recognize; obviously,
- * this could be a problem, but if it is critical then the
- * result will just be that the signature does not verify.
- * We do not necessarily want to error out here, because
- * the particular algorithm may not actually be important,
- * but we cannot know that until later.
- */
- if (digobj == NULL) {
- p7dcx->worker.digcnt--;
- continue;
- }
-
- digcx = (* digobj->create)();
- if (digcx != NULL) {
- (* digobj->begin) (digcx);
- p7dcx->worker.digobjs[p7dcx->worker.digcnt] = digobj;
- p7dcx->worker.digcxs[p7dcx->worker.digcnt] = digcx;
- p7dcx->worker.digcnt++;
- }
- }
-
- if (p7dcx->worker.digcnt != 0)
- SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
- sec_pkcs7_decoder_filter,
- p7dcx,
- (PRBool)(p7dcx->cb != NULL));
- return SECSuccess;
-}
-
-
-/*
- * Close out all of the digest contexts, storing the results in "digestsp".
- */
-static SECStatus
-sec_pkcs7_decoder_finish_digests (SEC_PKCS7DecoderContext *p7dcx,
- PRArenaPool *poolp,
- SECItem ***digestsp)
-{
- struct sec_pkcs7_decoder_worker *worker;
- SECHashObject *digobj;
- void *digcx;
- SECItem **digests, *digest;
- int i;
- void *mark;
-
- /*
- * XXX Handling nested contents would mean that there is a chain
- * of workers -- one per each level of content. The following
- * would want to find the last worker in the chain.
- */
- worker = &(p7dcx->worker);
-
- /*
- * If no digests, then we have nothing to do.
- */
- if (worker->digcnt == 0)
- return SECSuccess;
-
- /*
- * No matter what happens after this, we want to stop filtering.
- * XXX If we handle nested contents, we only want to stop filtering
- * if we are finishing off the *last* worker.
- */
- SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
-
- /*
- * If we ended up with no contents, just destroy each
- * digest context -- they are meaningless and potentially
- * confusing, because their presence would imply some content
- * was digested.
- */
- if (! worker->saw_contents) {
- for (i = 0; i < worker->digcnt; i++) {
- digcx = worker->digcxs[i];
- digobj = worker->digobjs[i];
- (* digobj->destroy) (digcx, PR_TRUE);
- }
- return SECSuccess;
- }
-
- mark = PORT_ArenaMark (poolp);
-
- /*
- * Close out each digest context, saving digest away.
- */
- digests =
- (SECItem**)PORT_ArenaAlloc (poolp,(worker->digcnt+1)*sizeof(SECItem *));
- digest = (SECItem*)PORT_ArenaAlloc (poolp, worker->digcnt*sizeof(SECItem));
- if (digests == NULL || digest == NULL) {
- p7dcx->error = PORT_GetError();
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
- }
-
- for (i = 0; i < worker->digcnt; i++, digest++) {
- digcx = worker->digcxs[i];
- digobj = worker->digobjs[i];
-
- digest->data = (unsigned char*)PORT_ArenaAlloc (poolp, digobj->length);
- if (digest->data == NULL) {
- p7dcx->error = PORT_GetError();
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
- }
-
- digest->len = digobj->length;
- (* digobj->end) (digcx, digest->data, &(digest->len), digest->len);
- (* digobj->destroy) (digcx, PR_TRUE);
-
- digests[i] = digest;
- }
- digests[i] = NULL;
- *digestsp = digests;
-
- PORT_ArenaUnmark (poolp, mark);
- return SECSuccess;
-}
-
-/*
- * XXX Need comment explaining following helper function (which is used
- * by sec_pkcs7_decoder_start_decrypt).
- */
-extern const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[];
-
-static PK11SymKey *
-sec_pkcs7_decoder_get_recipient_key (SEC_PKCS7DecoderContext *p7dcx,
- SEC_PKCS7RecipientInfo **recipientinfos,
- SEC_PKCS7EncryptedContentInfo *enccinfo)
-{
- SEC_PKCS7RecipientInfo *ri;
- CERTCertificate *cert = NULL;
- SECKEYPrivateKey *privkey = NULL;
- PK11SymKey *bulkkey;
- SECOidTag keyalgtag, bulkalgtag, encalgtag;
- PK11SlotInfo *slot;
- int i, bulkLength = 0;
-
- if (recipientinfos == NULL || recipientinfos[0] == NULL) {
- p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
- goto no_key_found;
- }
-
- cert = PK11_FindCertAndKeyByRecipientList(&slot,recipientinfos,&ri,
- &privkey, p7dcx->pwfn_arg);
- if (cert == NULL) {
- p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
- goto no_key_found;
- }
-
- ri->cert = cert; /* so we can find it later */
- PORT_Assert(privkey != NULL);
-
- keyalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
- encalgtag = SECOID_GetAlgorithmTag (&(ri->keyEncAlg));
- if ((encalgtag != SEC_OID_NETSCAPE_SMIME_KEA) && (keyalgtag != encalgtag)) {
- p7dcx->error = SEC_ERROR_PKCS7_KEYALG_MISMATCH;
- goto no_key_found;
- }
- bulkalgtag = SECOID_GetAlgorithmTag (&(enccinfo->contentEncAlg));
-
- switch (encalgtag) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- bulkkey = PK11_PubUnwrapSymKey (privkey, &ri->encKey,
- PK11_AlgtagToMechanism (bulkalgtag),
- CKA_DECRYPT, 0);
- if (bulkkey == NULL) {
- p7dcx->error = PORT_GetError();
- PORT_SetError(0);
- goto no_key_found;
- }
- break;
- /* ### mwelch -- KEA */
- case SEC_OID_NETSCAPE_SMIME_KEA:
- {
- SECStatus err;
- CK_MECHANISM_TYPE bulkType;
- PK11SymKey *tek;
- SECKEYPublicKey *senderPubKey;
- SEC_PKCS7SMIMEKEAParameters keaParams;
-
- (void) memset(&keaParams, 0, sizeof(keaParams));
-
- /* Decode the KEA algorithm parameters. */
- err = SEC_ASN1DecodeItem(NULL,
- &keaParams,
- SEC_SMIMEKEAParamTemplateAllParams,
- &(ri->keyEncAlg.parameters));
- if (err != SECSuccess)
- {
- p7dcx->error = err;
- PORT_SetError(0);
- goto no_key_found;
- }
-
-
- /* We just got key data, no key structure. So, we
- create one. */
- senderPubKey =
- PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
- keaParams.originatorKEAKey.len);
- if (senderPubKey == NULL)
- {
- p7dcx->error = PORT_GetError();
- PORT_SetError(0);
- goto no_key_found;
- }
-
- /* Generate the TEK (token exchange key) which we use
- to unwrap the bulk encryption key. */
- tek = PK11_PubDerive(privkey, senderPubKey,
- PR_FALSE,
- &keaParams.originatorRA,
- NULL,
- CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
- CKA_WRAP, 0, p7dcx->pwfn_arg);
- SECKEY_DestroyPublicKey(senderPubKey);
-
- if (tek == NULL)
- {
- p7dcx->error = PORT_GetError();
- PORT_SetError(0);
- goto no_key_found;
- }
-
- /* Now that we have the TEK, unwrap the bulk key
- with which to decrypt the message. We have to
- do one of two different things depending on
- whether Skipjack was used for bulk encryption
- of the message. */
- bulkType = PK11_AlgtagToMechanism (bulkalgtag);
- switch(bulkType)
- {
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- /* Skipjack is being used as the bulk encryption algorithm.*/
- /* Unwrap the bulk key. */
- bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP,
- NULL, &ri->encKey,
- CKM_SKIPJACK_CBC64,
- CKA_DECRYPT, 0);
- break;
- default:
- /* Skipjack was not used for bulk encryption of this
- message. Use Skipjack CBC64, with the nonSkipjackIV
- part of the KEA key parameters, to decrypt
- the bulk key. If we got a parameter indicating that the
- bulk key size is different than the encrypted key size,
- pass in the real key size. */
-
- /* Check for specified bulk key length (unspecified implies
- that the bulk key length is the same as encrypted length) */
- if (keaParams.bulkKeySize.len > 0)
- {
- p7dcx->error = SEC_ASN1DecodeItem(NULL, &bulkLength,
- SEC_IntegerTemplate,
- &keaParams.bulkKeySize);
- }
-
- if (p7dcx->error != SECSuccess)
- goto no_key_found;
-
- bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64,
- &keaParams.nonSkipjackIV,
- &ri->encKey,
- bulkType,
- CKA_DECRYPT, bulkLength);
- }
-
-
- if (bulkkey == NULL)
- {
- p7dcx->error = PORT_GetError();
- PORT_SetError(0);
- goto no_key_found;
- }
- break;
- }
- default:
- p7dcx->error = SEC_ERROR_UNSUPPORTED_KEYALG;
- goto no_key_found;
- }
-
- return bulkkey;
-
-no_key_found:
- if (privkey != NULL)
- SECKEY_DestroyPrivateKey (privkey);
-
- return NULL;
-}
-
-/*
- * XXX The following comment is old -- the function used to only handle
- * EnvelopedData or SignedAndEnvelopedData but now handles EncryptedData
- * as well (and it had all of the code of the helper function above
- * built into it), though the comment was left as is. Fix it...
- *
- * We are just about to decode the content of an EnvelopedData.
- * Set up a decryption context so we can decrypt as we go.
- * Presumably we are one of the recipients listed in "recipientinfos".
- * (XXX And if we are not, or if we have trouble, what should we do?
- * It would be nice to let the decoding still work. Maybe it should
- * be an error if there is a content callback, but not an error otherwise?)
- * The encryption key and related information can be found in "enccinfo".
- */
-static SECStatus
-sec_pkcs7_decoder_start_decrypt (SEC_PKCS7DecoderContext *p7dcx, int depth,
- SEC_PKCS7RecipientInfo **recipientinfos,
- SEC_PKCS7EncryptedContentInfo *enccinfo,
- PK11SymKey **copy_key_for_signature)
-{
- PK11SymKey *bulkkey = NULL;
- sec_PKCS7CipherObject *decryptobj;
-
- /*
- * If a callback is supplied to retrieve the encryption key,
- * for instance, for Encrypted Content infos, then retrieve
- * the bulkkey from the callback. Otherwise, assume that
- * we are processing Enveloped or SignedAndEnveloped data
- * content infos.
- *
- * XXX Put an assert here?
- */
- if (SEC_PKCS7ContentType(p7dcx->cinfo) == SEC_OID_PKCS7_ENCRYPTED_DATA) {
- if (p7dcx->dkcb != NULL) {
- bulkkey = (*p7dcx->dkcb)(p7dcx->dkcb_arg,
- &(enccinfo->contentEncAlg));
- }
- enccinfo->keysize = 0;
- } else {
- bulkkey = sec_pkcs7_decoder_get_recipient_key (p7dcx, recipientinfos,
- enccinfo);
- if (bulkkey == NULL) goto no_decryption;
- enccinfo->keysize = PK11_GetKeyStrength(bulkkey,
- &(enccinfo->contentEncAlg));
-
- }
-
- /*
- * XXX I think following should set error in p7dcx and clear set error
- * (as used to be done here, or as is done in get_receipient_key above.
- */
- if(bulkkey == NULL) {
- goto no_decryption;
- }
-
- /*
- * We want to make sure decryption is allowed. This is done via
- * a callback specified in SEC_PKCS7DecoderStart().
- */
- if (p7dcx->decrypt_allowed_cb) {
- if ((*p7dcx->decrypt_allowed_cb) (&(enccinfo->contentEncAlg),
- bulkkey) == PR_FALSE) {
- p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
- goto no_decryption;
- }
- } else {
- p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
- goto no_decryption;
- }
-
- /*
- * When decrypting a signedAndEnvelopedData, the signature also has
- * to be decrypted with the bulk encryption key; to avoid having to
- * get it all over again later (and do another potentially expensive
- * RSA operation), copy it for later signature verification to use.
- */
- if (copy_key_for_signature != NULL)
- *copy_key_for_signature = PK11_ReferenceSymKey (bulkkey);
-
- /*
- * Now we have the bulk encryption key (in bulkkey) and the
- * the algorithm (in enccinfo->contentEncAlg). Using those,
- * create a decryption context.
- */
- decryptobj = sec_PKCS7CreateDecryptObject (bulkkey,
- &(enccinfo->contentEncAlg));
-
- /*
- * For PKCS5 Encryption Algorithms, the bulkkey is actually a different
- * structure. Therefore, we need to set the bulkkey to the actual key
- * prior to freeing it.
- */
- if ( SEC_PKCS5IsAlgorithmPBEAlg(&(enccinfo->contentEncAlg)) && bulkkey ) {
- SEC_PKCS5KeyAndPassword *keyPwd = (SEC_PKCS5KeyAndPassword *)bulkkey;
- bulkkey = keyPwd->key;
- }
-
- /*
- * We are done with (this) bulkkey now.
- */
- PK11_FreeSymKey (bulkkey);
-
- if (decryptobj == NULL) {
- p7dcx->error = PORT_GetError();
- PORT_SetError(0);
- goto no_decryption;
- }
-
- SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
- sec_pkcs7_decoder_filter,
- p7dcx,
- (PRBool)(p7dcx->cb != NULL));
-
- p7dcx->worker.depth = depth;
- p7dcx->worker.decryptobj = decryptobj;
-
- return SECSuccess;
-
-no_decryption:
- /*
- * For some reason (error set already, if appropriate), we cannot
- * decrypt the content. I am not sure what exactly is the right
- * thing to do here; in some cases we want to just stop, and in
- * others we want to let the decoding finish even though we cannot
- * decrypt the content. My current thinking is that if the caller
- * set up a content callback, then they are really interested in
- * getting (decrypted) content, and if they cannot they will want
- * to know about it. However, if no callback was specified, then
- * maybe it is not important that the decryption failed.
- */
- if (p7dcx->cb != NULL)
- return SECFailure;
- else
- return SECSuccess; /* Let the decoding continue. */
-}
-
-
-static SECStatus
-sec_pkcs7_decoder_finish_decrypt (SEC_PKCS7DecoderContext *p7dcx,
- PRArenaPool *poolp,
- SEC_PKCS7EncryptedContentInfo *enccinfo)
-{
- struct sec_pkcs7_decoder_worker *worker;
-
- /*
- * XXX Handling nested contents would mean that there is a chain
- * of workers -- one per each level of content. The following
- * would want to find the last worker in the chain.
- */
- worker = &(p7dcx->worker);
-
- /*
- * If no decryption context, then we have nothing to do.
- */
- if (worker->decryptobj == NULL)
- return SECSuccess;
-
- /*
- * No matter what happens after this, we want to stop filtering.
- * XXX If we handle nested contents, we only want to stop filtering
- * if we are finishing off the *last* worker.
- */
- SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
-
- /*
- * Handle the last block.
- */
- sec_pkcs7_decoder_work_data (p7dcx, worker, NULL, 0, PR_TRUE);
-
- /*
- * All done, destroy it.
- */
- sec_PKCS7DestroyDecryptObject (worker->decryptobj);
-
- return SECSuccess;
-}
-
-
-static void
-sec_pkcs7_decoder_notify (void *arg, PRBool before, void *dest, int depth)
-{
- SEC_PKCS7DecoderContext *p7dcx;
- SEC_PKCS7ContentInfo *cinfo;
- SEC_PKCS7SignedData *sigd;
- SEC_PKCS7EnvelopedData *envd;
- SEC_PKCS7SignedAndEnvelopedData *saed;
- SEC_PKCS7EncryptedData *encd;
- SEC_PKCS7DigestedData *digd;
- PRBool after;
- SECStatus rv;
-
- /*
- * Just to make the code easier to read, create an "after" variable
- * that is equivalent to "not before".
- * (This used to be just the statement "after = !before", but that
- * causes a warning on the mac; to avoid that, we do it the long way.)
- */
- if (before)
- after = PR_FALSE;
- else
- after = PR_TRUE;
-
- p7dcx = (SEC_PKCS7DecoderContext*)arg;
- cinfo = p7dcx->cinfo;
-
- if (cinfo->contentTypeTag == NULL) {
- if (after && dest == &(cinfo->contentType))
- cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
- return;
- }
-
- switch (cinfo->contentTypeTag->offset) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- sigd = cinfo->content.signedData;
- if (sigd == NULL)
- break;
-
- if (sigd->contentInfo.contentTypeTag == NULL) {
- if (after && dest == &(sigd->contentInfo.contentType))
- sigd->contentInfo.contentTypeTag =
- SECOID_FindOID(&(sigd->contentInfo.contentType));
- break;
- }
-
- /*
- * We only set up a filtering digest if the content is
- * plain DATA; anything else needs more work because a
- * second pass is required to produce a DER encoding from
- * an input that can be BER encoded. (This is a requirement
- * of PKCS7 that is unfortunate, but there you have it.)
- *
- * XXX Also, since we stop here if this is not DATA, the
- * inner content is not getting processed at all. Someday
- * we may want to fix that.
- */
- if (sigd->contentInfo.contentTypeTag->offset != SEC_OID_PKCS7_DATA) {
- /* XXX Set an error in p7dcx->error */
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- break;
- }
-
- /*
- * Just before the content, we want to set up a digest context
- * for each digest algorithm listed, and start a filter which
- * will run all of the contents bytes through that digest.
- */
- if (before && dest == &(sigd->contentInfo.content)) {
- rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
- sigd->digestAlgorithms);
- if (rv != SECSuccess)
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
- break;
- }
-
- /*
- * XXX To handle nested types, here is where we would want
- * to check for inner boundaries that need handling.
- */
-
- /*
- * Are we done?
- */
- if (after && dest == &(sigd->contentInfo.content)) {
- /*
- * Close out the digest contexts. We ignore any error
- * because we are stopping anyway; the error status left
- * behind in p7dcx will be seen by outer functions.
- */
- (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
- &(sigd->digests));
-
- /*
- * XXX To handle nested contents, we would need to remove
- * the worker from the chain (and free it).
- */
-
- /*
- * Stop notify.
- */
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- }
- break;
-
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- envd = cinfo->content.envelopedData;
- if (envd == NULL)
- break;
-
- if (envd->encContentInfo.contentTypeTag == NULL) {
- if (after && dest == &(envd->encContentInfo.contentType))
- envd->encContentInfo.contentTypeTag =
- SECOID_FindOID(&(envd->encContentInfo.contentType));
- break;
- }
-
- /*
- * Just before the content, we want to set up a decryption
- * context, and start a filter which will run all of the
- * contents bytes through it to determine the plain content.
- */
- if (before && dest == &(envd->encContentInfo.encContent)) {
- rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
- envd->recipientInfos,
- &(envd->encContentInfo),
- NULL);
- if (rv != SECSuccess)
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
- break;
- }
-
- /*
- * Are we done?
- */
- if (after && dest == &(envd->encContentInfo.encContent)) {
- /*
- * Close out the decryption context. We ignore any error
- * because we are stopping anyway; the error status left
- * behind in p7dcx will be seen by outer functions.
- */
- (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
- &(envd->encContentInfo));
-
- /*
- * XXX To handle nested contents, we would need to remove
- * the worker from the chain (and free it).
- */
-
- /*
- * Stop notify.
- */
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- }
- break;
-
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- saed = cinfo->content.signedAndEnvelopedData;
- if (saed == NULL)
- break;
-
- if (saed->encContentInfo.contentTypeTag == NULL) {
- if (after && dest == &(saed->encContentInfo.contentType))
- saed->encContentInfo.contentTypeTag =
- SECOID_FindOID(&(saed->encContentInfo.contentType));
- break;
- }
-
- /*
- * Just before the content, we want to set up a decryption
- * context *and* digest contexts, and start a filter which
- * will run all of the contents bytes through both.
- */
- if (before && dest == &(saed->encContentInfo.encContent)) {
- rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
- saed->recipientInfos,
- &(saed->encContentInfo),
- &(saed->sigKey));
- if (rv == SECSuccess)
- rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
- saed->digestAlgorithms);
- if (rv != SECSuccess)
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
- break;
- }
-
- /*
- * Are we done?
- */
- if (after && dest == &(saed->encContentInfo.encContent)) {
- /*
- * Close out the decryption and digests contexts.
- * We ignore any errors because we are stopping anyway;
- * the error status left behind in p7dcx will be seen by
- * outer functions.
- *
- * Note that the decrypt stuff must be called first;
- * it may have a last buffer to do which in turn has
- * to be added to the digest.
- */
- (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
- &(saed->encContentInfo));
- (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
- &(saed->digests));
-
- /*
- * XXX To handle nested contents, we would need to remove
- * the worker from the chain (and free it).
- */
-
- /*
- * Stop notify.
- */
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- }
- break;
-
- case SEC_OID_PKCS7_DIGESTED_DATA:
- digd = cinfo->content.digestedData;
-
- /*
- * XXX Want to do the digest or not? Maybe future enhancement...
- */
- if (before && dest == &(digd->contentInfo.content.data)) {
- SEC_ASN1DecoderSetFilterProc (p7dcx->dcx, sec_pkcs7_decoder_filter,
- p7dcx,
- (PRBool)(p7dcx->cb != NULL));
- break;
- }
-
- /*
- * Are we done?
- */
- if (after && dest == &(digd->contentInfo.content.data)) {
- SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
- }
- break;
-
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- encd = cinfo->content.encryptedData;
-
- /*
- * XXX If the decryption key callback is set, we want to start
- * the decryption. If the callback is not set, we will treat the
- * content as plain data, since we do not have the key.
- *
- * Is this the proper thing to do?
- */
- if (before && dest == &(encd->encContentInfo.encContent)) {
- /*
- * Start the encryption process if the decryption key callback
- * is present. Otherwise, treat the content like plain data.
- */
- rv = SECSuccess;
- if (p7dcx->dkcb != NULL) {
- rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth, NULL,
- &(encd->encContentInfo),
- NULL);
- }
-
- if (rv != SECSuccess)
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
- break;
- }
-
- /*
- * Are we done?
- */
- if (after && dest == &(encd->encContentInfo.encContent)) {
- /*
- * Close out the decryption context. We ignore any error
- * because we are stopping anyway; the error status left
- * behind in p7dcx will be seen by outer functions.
- */
- (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
- &(encd->encContentInfo));
-
- /*
- * Stop notify.
- */
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- }
- break;
-
- case SEC_OID_PKCS7_DATA:
- /*
- * If a output callback has been specified, we want to set the filter
- * to call the callback. This is taken care of in
- * sec_pkcs7_decoder_start_decrypt() or
- * sec_pkcs7_decoder_start_digests() for the other content types.
- */
-
- if (before && dest == &(cinfo->content.data)) {
-
- /*
- * Set the filter proc up.
- */
- SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
- sec_pkcs7_decoder_filter,
- p7dcx,
- (PRBool)(p7dcx->cb != NULL));
- break;
- }
-
- if (after && dest == &(cinfo->content.data)) {
- /*
- * Time to clean up after ourself, stop the Notify and Filter
- * procedures.
- */
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
- }
- break;
-
- default:
- SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
- break;
- }
-}
-
-
-SEC_PKCS7DecoderContext *
-SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg,
- SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
- void *decrypt_key_cb_arg,
- SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
-{
- SEC_PKCS7DecoderContext *p7dcx;
- SEC_ASN1DecoderContext *dcx;
- SEC_PKCS7ContentInfo *cinfo;
- PRArenaPool *poolp;
-
- poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (poolp == NULL)
- return NULL;
-
- cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
- if (cinfo == NULL) {
- PORT_FreeArena (poolp, PR_FALSE);
- return NULL;
- }
-
- cinfo->poolp = poolp;
- cinfo->pwfn = pwfn;
- cinfo->pwfn_arg = pwfn_arg;
- cinfo->created = PR_FALSE;
- cinfo->refCount = 1;
-
- p7dcx =
- (SEC_PKCS7DecoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7DecoderContext));
- if (p7dcx == NULL) {
- PORT_FreeArena (poolp, PR_FALSE);
- return NULL;
- }
-
- p7dcx->tmp_poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (p7dcx->tmp_poolp == NULL) {
- PORT_Free (p7dcx);
- PORT_FreeArena (poolp, PR_FALSE);
- return NULL;
- }
-
- dcx = SEC_ASN1DecoderStart (poolp, cinfo, sec_PKCS7ContentInfoTemplate);
- if (dcx == NULL) {
- PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
- PORT_Free (p7dcx);
- PORT_FreeArena (poolp, PR_FALSE);
- return NULL;
- }
-
- SEC_ASN1DecoderSetNotifyProc (dcx, sec_pkcs7_decoder_notify, p7dcx);
-
- p7dcx->dcx = dcx;
- p7dcx->cinfo = cinfo;
- p7dcx->cb = cb;
- p7dcx->cb_arg = cb_arg;
- p7dcx->pwfn = pwfn;
- p7dcx->pwfn_arg = pwfn_arg;
- p7dcx->dkcb = decrypt_key_cb;
- p7dcx->dkcb_arg = decrypt_key_cb_arg;
- p7dcx->decrypt_allowed_cb = decrypt_allowed_cb;
-
- return p7dcx;
-}
-
-
-/*
- * Do the next chunk of PKCS7 decoding. If there is a problem, set
- * an error and return a failure status. Note that in the case of
- * an error, this routine is still prepared to be called again and
- * again in case that is the easiest route for our caller to take.
- * We simply detect it and do not do anything except keep setting
- * that error in case our caller has not noticed it yet...
- */
-SECStatus
-SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
- const char *buf, unsigned long len)
-{
- if (p7dcx->cinfo != NULL && p7dcx->dcx != NULL) {
- PORT_Assert (p7dcx->error == 0);
- if (p7dcx->error == 0) {
- if (SEC_ASN1DecoderUpdate (p7dcx->dcx, buf, len) != SECSuccess) {
- p7dcx->error = PORT_GetError();
- PORT_Assert (p7dcx->error);
- if (p7dcx->error == 0)
- p7dcx->error = -1;
- }
- }
- }
-
- if (p7dcx->error) {
- if (p7dcx->dcx != NULL) {
- (void) SEC_ASN1DecoderFinish (p7dcx->dcx);
- p7dcx->dcx = NULL;
- }
- if (p7dcx->cinfo != NULL) {
- SEC_PKCS7DestroyContentInfo (p7dcx->cinfo);
- p7dcx->cinfo = NULL;
- }
- PORT_SetError (p7dcx->error);
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-
-SEC_PKCS7ContentInfo *
-SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx)
-{
- SEC_PKCS7ContentInfo *cinfo;
-
- cinfo = p7dcx->cinfo;
- if (p7dcx->dcx != NULL) {
- if (SEC_ASN1DecoderFinish (p7dcx->dcx) != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- cinfo = NULL;
- }
- }
- PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
- PORT_Free (p7dcx);
- return cinfo;
-}
-
-
-SEC_PKCS7ContentInfo *
-SEC_PKCS7DecodeItem(SECItem *p7item,
- SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg,
- SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
- void *decrypt_key_cb_arg,
- SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
-{
- SEC_PKCS7DecoderContext *p7dcx;
-
- p7dcx = SEC_PKCS7DecoderStart(cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb,
- decrypt_key_cb_arg, decrypt_allowed_cb);
- (void) SEC_PKCS7DecoderUpdate(p7dcx, (char *) p7item->data, p7item->len);
- return SEC_PKCS7DecoderFinish(p7dcx);
-}
-
-
-/*
- * If the thing contains any certs or crls return true; false otherwise.
- */
-PRBool
-SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo)
-{
- SECOidTag kind;
- SECItem **certs;
- CERTSignedCrl **crls;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- return PR_FALSE;
- case SEC_OID_PKCS7_SIGNED_DATA:
- certs = cinfo->content.signedData->rawCerts;
- crls = cinfo->content.signedData->crls;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- certs = cinfo->content.signedAndEnvelopedData->rawCerts;
- crls = cinfo->content.signedAndEnvelopedData->crls;
- break;
- }
-
- /*
- * I know this could be collapsed, but I was in a mood to be explicit.
- */
- if (certs != NULL && certs[0] != NULL)
- return PR_TRUE;
- else if (crls != NULL && crls[0] != NULL)
- return PR_TRUE;
- else
- return PR_FALSE;
-}
-
-/* return the content length...could use GetContent, however we
- * need the encrypted content length
- */
-PRBool
-SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen)
-{
- SECItem *item = NULL;
-
- if(cinfo == NULL) {
- return PR_TRUE;
- }
-
- switch(SEC_PKCS7ContentType(cinfo))
- {
- case SEC_OID_PKCS7_DATA:
- item = cinfo->content.data;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- item = &cinfo->content.encryptedData->encContentInfo.encContent;
- break;
- default:
- /* add other types */
- return PR_FALSE;
- }
-
- if(!item) {
- return PR_TRUE;
- } else if(item->len <= minLen) {
- return PR_TRUE;
- }
-
- return PR_FALSE;
-}
-
-
-PRBool
-SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo)
-{
- SECOidTag kind;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_SIGNED_DATA:
- return PR_FALSE;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- return PR_TRUE;
- }
-}
-
-
-/*
- * If the PKCS7 content has a signature (not just *could* have a signature)
- * return true; false otherwise. This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-PRBool
-SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo)
-{
- SECOidTag kind;
- SEC_PKCS7SignerInfo **signerinfos;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- return PR_FALSE;
- case SEC_OID_PKCS7_SIGNED_DATA:
- signerinfos = cinfo->content.signedData->signerInfos;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
- break;
- }
-
- /*
- * I know this could be collapsed; but I kind of think it will get
- * more complicated before I am finished, so...
- */
- if (signerinfos != NULL && signerinfos[0] != NULL)
- return PR_TRUE;
- else
- return PR_FALSE;
-}
-
-
-/*
- * SEC_PKCS7ContentVerifySignature
- * Look at a PKCS7 contentInfo and check if the signature is good.
- * The digest was either calculated earlier (and is stored in the
- * contentInfo itself) or is passed in via "detached_digest".
- *
- * The verification checks that the signing cert is valid and trusted
- * for the purpose specified by "certusage".
- *
- * In addition, if "keepcerts" is true, add any new certificates found
- * into our local database.
- *
- * XXX Each place which returns PR_FALSE should be sure to have a good
- * error set for inspection by the caller. Alternatively, we could create
- * an enumeration of success and each type of failure and return that
- * instead of a boolean. For now, the default in a bad situation is to
- * set the error to SEC_ERROR_PKCS7_BAD_SIGNATURE. But this should be
- * reviewed; better (more specific) errors should be possible (to distinguish
- * a signature failure from a badly-formed pkcs7 signedData, for example).
- * Some of the errors should probably just be SEC_ERROR_BAD_SIGNATURE,
- * but that has a less helpful error string associated with it right now;
- * if/when that changes, review and change these as needed.
- *
- * XXX This is broken wrt signedAndEnvelopedData. In that case, the
- * message digest is doubly encrypted -- first encrypted with the signer
- * private key but then again encrypted with the bulk encryption key used
- * to encrypt the content. So before we can pass the digest to VerifyDigest,
- * we need to decrypt it with the bulk encryption key. Also, in this case,
- * there should be NO authenticatedAttributes (signerinfo->authAttr should
- * be NULL).
- */
-static PRBool
-sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- SECItem *detached_digest,
- HASH_HashType digest_type,
- PRBool keepcerts)
-{
- SECAlgorithmID **digestalgs, *bulkid;
- SECItem *digest;
- SECItem **digests;
- SECItem **rawcerts;
- CERTSignedCrl **crls;
- SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
- CERTCertificate *cert, **certs;
- PRBool goodsig;
- CERTCertDBHandle local_certdb, *certdb, *defaultdb;
- SECOidData *algiddata;
- int i, certcount;
- SECKEYPublicKey *publickey;
- SECItem *content_type;
- PK11SymKey *sigkey;
- SECItem *utc_stime;
- int64 stime;
- SECStatus rv;
-
- /*
- * Everything needed in order to "goto done" safely.
- */
- goodsig = PR_FALSE;
- certcount = 0;
- cert = NULL;
- certs = NULL;
- certdb = NULL;
- defaultdb = CERT_GetDefaultCertDB();
- publickey = NULL;
-
- if (! SEC_PKCS7ContentIsSigned(cinfo)) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- PORT_Assert (cinfo->contentTypeTag != NULL);
-
- switch (cinfo->contentTypeTag->offset) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- /* Could only get here if SEC_PKCS7ContentIsSigned is broken. */
- PORT_Assert (0);
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- digestalgs = sdp->digestAlgorithms;
- digests = sdp->digests;
- rawcerts = sdp->rawCerts;
- crls = sdp->crls;
- signerinfos = sdp->signerInfos;
- content_type = &(sdp->contentInfo.contentType);
- sigkey = NULL;
- bulkid = NULL;
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- digestalgs = saedp->digestAlgorithms;
- digests = saedp->digests;
- rawcerts = saedp->rawCerts;
- crls = saedp->crls;
- signerinfos = saedp->signerInfos;
- content_type = &(saedp->encContentInfo.contentType);
- sigkey = saedp->sigKey;
- bulkid = &(saedp->encContentInfo.contentEncAlg);
- }
- break;
- }
-
- if ((signerinfos == NULL) || (signerinfos[0] == NULL)) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- /*
- * XXX Need to handle multiple signatures; checking them is easy,
- * but what should be the semantics here (like, return value)?
- */
- if (signerinfos[1] != NULL) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- signerinfo = signerinfos[0];
-
- /*
- * XXX I would like to just pass the issuerAndSN, along with the rawcerts
- * and crls, to some function that did all of this certificate stuff
- * (open/close the database if necessary, verifying the certs, etc.)
- * and gave me back a cert pointer if all was good.
- */
- certdb = defaultdb;
- if (certdb == NULL) {
- if (CERT_OpenCertDBFilename (&local_certdb, NULL,
- (PRBool)!keepcerts) != SECSuccess)
- goto done;
- certdb = &local_certdb;
- }
-
- certcount = 0;
- if (rawcerts != NULL) {
- for (; rawcerts[certcount] != NULL; certcount++) {
- /* just counting */
- }
- }
-
- /*
- * Note that the result of this is that each cert in "certs"
- * needs to be destroyed.
- */
- rv = CERT_ImportCerts(certdb, certusage, certcount, rawcerts, &certs,
- keepcerts, PR_FALSE, NULL);
- if ( rv != SECSuccess ) {
- goto done;
- }
-
- /*
- * This cert will also need to be freed, but since we save it
- * in signerinfo for later, we do not want to destroy it when
- * we leave this function -- we let the clean-up of the entire
- * cinfo structure later do the destroy of this cert.
- */
- cert = CERT_FindCertByIssuerAndSN(certdb, signerinfo->issuerAndSN);
- if (cert == NULL) {
- goto done;
- }
-
- signerinfo->cert = cert;
-
- /*
- * Get and convert the signing time; if available, it will be used
- * both on the cert verification and for importing the sender
- * email profile.
- */
- utc_stime = SEC_PKCS7GetSigningTime (cinfo);
- if (utc_stime != NULL) {
- if (DER_UTCTimeToTime (&stime, utc_stime) != SECSuccess)
- utc_stime = NULL; /* conversion failed, so pretend none */
- }
-
- /*
- * XXX This uses the signing time, if available. Additionally, we
- * might want to, if there is no signing time, get the message time
- * from the mail header itself, and use that. That would require
- * a change to our interface though, and for S/MIME callers to pass
- * in a time (and for non-S/MIME callers to pass in nothing, or
- * maybe make them pass in the current time, always?).
- */
- if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
- utc_stime != NULL ? stime : PR_Now(),
- cinfo->pwfn_arg, NULL) != SECSuccess)
- {
- /*
- * XXX Give the user an option to check the signature anyway?
- * If we want to do this, need to give a way to leave and display
- * some dialog and get the answer and come back through (or do
- * the rest of what we do below elsewhere, maybe by putting it
- * in a function that we call below and could call from a dialog
- * finish handler).
- */
- goto savecert;
- }
-
- publickey = CERT_ExtractPublicKey (cert);
- if (publickey == NULL)
- goto done;
-
- /*
- * XXX No! If digests is empty, see if we can create it now by
- * digesting the contents. This is necessary if we want to allow
- * somebody to do a simple decode (without filtering, etc.) and
- * then later call us here to do the verification.
- * OR, we can just specify that the interface to this routine
- * *requires* that the digest(s) be done before calling and either
- * stashed in the struct itself or passed in explicitly (as would
- * be done for detached contents).
- */
- if ((digests == NULL || digests[0] == NULL)
- && (detached_digest == NULL || detached_digest->data == NULL))
- goto done;
-
- /*
- * Find and confirm digest algorithm.
- */
- algiddata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
-
- if (detached_digest != NULL) {
- switch (digest_type) {
- default:
- case HASH_AlgNULL:
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- case HASH_AlgMD2:
- PORT_Assert (detached_digest->len == MD2_LENGTH);
- if (algiddata->offset != SEC_OID_MD2) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
- break;
- case HASH_AlgMD5:
- PORT_Assert (detached_digest->len == MD5_LENGTH);
- if (algiddata->offset != SEC_OID_MD5) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
- break;
- case HASH_AlgSHA1:
- PORT_Assert (detached_digest->len == SHA1_LENGTH);
- if (algiddata->offset != SEC_OID_SHA1) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
- break;
- }
- digest = detached_digest;
- } else {
- PORT_Assert (digestalgs != NULL && digestalgs[0] != NULL);
- if (digestalgs == NULL || digestalgs[0] == NULL) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- /*
- * pick digest matching signerinfo->digestAlg from digests
- */
- if (algiddata == NULL) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
- for (i = 0; digestalgs[i] != NULL; i++) {
- if (SECOID_FindOID (&(digestalgs[i]->algorithm)) == algiddata)
- break;
- }
- if (digestalgs[i] == NULL) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- digest = digests[i];
- }
-
- /*
- * XXX This may not be the right set of algorithms to check.
- * I'd prefer to trust that just calling VFY_Verify{Data,Digest}
- * would do the right thing (and set an error if it could not);
- * then additional algorithms could be handled by that code
- * and we would Just Work. So this check should just be removed,
- * but not until the VFY code is better at setting errors.
- */
- algiddata = SECOID_FindOID (&(signerinfo->digestEncAlg.algorithm));
- if (algiddata == NULL ||
- ((algiddata->offset != SEC_OID_PKCS1_RSA_ENCRYPTION) &&
- (algiddata->offset != SEC_OID_ANSIX9_DSA_SIGNATURE))) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- if (signerinfo->authAttr != NULL) {
- SEC_PKCS7Attribute *attr;
- SECItem *value;
- SECItem encoded_attrs;
-
- /*
- * We have a sigkey only for signedAndEnvelopedData, which is
- * not supposed to have any authenticated attributes.
- */
- if (sigkey != NULL) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- /*
- * PKCS #7 says that if there are any authenticated attributes,
- * then there must be one for content type which matches the
- * content type of the content being signed, and there must
- * be one for message digest which matches our message digest.
- * So check these things first.
- * XXX Might be nice to have a compare-attribute-value function
- * which could collapse the following nicely.
- */
- attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
- SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE);
- value = sec_PKCS7AttributeValue (attr);
- if (value == NULL || value->len != content_type->len) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
- if (PORT_Memcmp (value->data, content_type->data, value->len) != 0) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
- SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE);
- value = sec_PKCS7AttributeValue (attr);
- if (value == NULL || value->len != digest->len) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
- if (PORT_Memcmp (value->data, digest->data, value->len) != 0) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- /*
- * Okay, we met the constraints of the basic attributes.
- * Now check the signature, which is based on a digest of
- * the DER-encoded authenticated attributes. So, first we
- * encode and then we digest/verify.
- */
- encoded_attrs.data = NULL;
- encoded_attrs.len = 0;
- if (sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
- &(signerinfo->authAttr)) == NULL)
- goto done;
-
- if (encoded_attrs.data == NULL || encoded_attrs.len == 0) {
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- goodsig = (PRBool)(VFY_VerifyData (encoded_attrs.data,
- encoded_attrs.len,
- publickey, &(signerinfo->encDigest),
- SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
- cinfo->pwfn_arg) == SECSuccess);
- PORT_Free (encoded_attrs.data);
- } else {
- SECItem *sig;
- SECItem holder;
- SECStatus rv;
-
- /*
- * No authenticated attributes.
- * The signature is based on the plain message digest.
- */
-
- sig = &(signerinfo->encDigest);
- if (sig->len == 0) { /* bad signature */
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- goto done;
- }
-
- if (sigkey != NULL) {
- sec_PKCS7CipherObject *decryptobj;
- unsigned int buflen;
-
- /*
- * For signedAndEnvelopedData, we first must decrypt the encrypted
- * digest with the bulk encryption key. The result is the normal
- * encrypted digest (aka the signature).
- */
- decryptobj = sec_PKCS7CreateDecryptObject (sigkey, bulkid);
- if (decryptobj == NULL)
- goto done;
-
- buflen = sec_PKCS7DecryptLength (decryptobj, sig->len, PR_TRUE);
- PORT_Assert (buflen);
- if (buflen == 0) { /* something is wrong */
- sec_PKCS7DestroyDecryptObject (decryptobj);
- goto done;
- }
-
- holder.data = (unsigned char*)PORT_Alloc (buflen);
- if (holder.data == NULL) {
- sec_PKCS7DestroyDecryptObject (decryptobj);
- goto done;
- }
-
- rv = sec_PKCS7Decrypt (decryptobj, holder.data, &holder.len, buflen,
- sig->data, sig->len, PR_TRUE);
- if (rv != SECSuccess) {
- sec_PKCS7DestroyDecryptObject (decryptobj);
- goto done;
- }
-
- sig = &holder;
- }
-
- goodsig = (PRBool)(VFY_VerifyDigest (digest, publickey, sig,
- SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
- cinfo->pwfn_arg)
- == SECSuccess);
-
- if (sigkey != NULL) {
- PORT_Assert (sig == &holder);
- PORT_ZFree (holder.data, holder.len);
- }
- }
-
- if (! goodsig) {
- /*
- * XXX Change the generic error into our specific one, because
- * in that case we get a better explanation out of the Security
- * Advisor. This is really a bug in our error strings (the
- * "generic" error has a lousy/wrong message associated with it
- * which assumes the signature verification was done for the
- * purposes of checking the issuer signature on a certificate)
- * but this is at least an easy workaround and/or in the
- * Security Advisor, which specifically checks for the error
- * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
- * in that case but does not similarly check for
- * SEC_ERROR_BAD_SIGNATURE. It probably should, but then would
- * probably say the wrong thing in the case that it *was* the
- * certificate signature check that failed during the cert
- * verification done above. Our error handling is really a mess.
- */
- if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- }
-
-savecert:
- /*
- * Only save the smime profile if we are checking an email message and
- * the cert has an email address in it.
- */
- if ( ( cert->emailAddr != NULL ) &&
- ( ( certusage == certUsageEmailSigner ) ||
- ( certusage == certUsageEmailRecipient ) ) ) {
- SECItem *profile = NULL;
- int save_error;
-
- /*
- * Remember the current error set because we do not care about
- * anything set by the functions we are about to call.
- */
- save_error = PORT_GetError();
-
- if (goodsig && (signerinfo->authAttr != NULL)) {
- /*
- * If the signature is good, then we can save the S/MIME profile,
- * if we have one.
- */
- SEC_PKCS7Attribute *attr;
-
- attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
- SEC_OID_PKCS9_SMIME_CAPABILITIES,
- PR_TRUE);
- profile = sec_PKCS7AttributeValue (attr);
- }
-
- rv = CERT_SaveSMimeProfile (cert, profile, utc_stime);
-
- /*
- * Restore the saved error in case the calls above set a new
- * one that we do not actually care about.
- */
- PORT_SetError (save_error);
-
- /*
- * XXX Failure is not indicated anywhere -- the signature
- * verification itself is unaffected by whether or not the
- * profile was successfully saved.
- */
- }
-
-
-done:
-
- /*
- * See comment above about why we do not want to destroy cert
- * itself here.
- */
-
- if (certs != NULL)
- CERT_DestroyCertArray (certs, certcount);
-
- if (defaultdb == NULL && certdb != NULL)
- CERT_ClosePermCertDB (certdb);
-
- if (publickey != NULL)
- SECKEY_DestroyPublicKey (publickey);
-
- return goodsig;
-}
-
-/*
- * SEC_PKCS7VerifySignature
- * Look at a PKCS7 contentInfo and check if the signature is good.
- * The verification checks that the signing cert is valid and trusted
- * for the purpose specified by "certusage".
- *
- * In addition, if "keepcerts" is true, add any new certificates found
- * into our local database.
- */
-PRBool
-SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- PRBool keepcerts)
-{
- return sec_pkcs7_verify_signature (cinfo, certusage,
- NULL, HASH_AlgNULL, keepcerts);
-}
-
-/*
- * SEC_PKCS7VerifyDetachedSignature
- * Look at a PKCS7 contentInfo and check if the signature matches
- * a passed-in digest (calculated, supposedly, from detached contents).
- * The verification checks that the signing cert is valid and trusted
- * for the purpose specified by "certusage".
- *
- * In addition, if "keepcerts" is true, add any new certificates found
- * into our local database.
- */
-PRBool
-SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- SECItem *detached_digest,
- HASH_HashType digest_type,
- PRBool keepcerts)
-{
- return sec_pkcs7_verify_signature (cinfo, certusage,
- detached_digest, digest_type,
- keepcerts);
-}
-
-
-/*
- * Return the asked-for portion of the name of the signer of a PKCS7
- * signed object.
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A NULL return value is an error.
- */
-
-#define sec_common_name 1
-#define sec_email_address 2
-
-static char *
-sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
-{
- SECOidTag kind;
- SEC_PKCS7SignerInfo **signerinfos;
- CERTCertificate *signercert;
- char *container;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- PORT_Assert (0);
- return NULL;
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- signerinfos = sdp->signerInfos;
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- signerinfos = saedp->signerInfos;
- }
- break;
- }
-
- if (signerinfos == NULL || signerinfos[0] == NULL)
- return NULL;
-
- signercert = signerinfos[0]->cert;
-
- /*
- * No cert there; see if we can find one by calling verify ourselves.
- */
- if (signercert == NULL) {
- /*
- * The cert usage does not matter in this case, because we do not
- * actually care about the verification itself, but we have to pick
- * some valid usage to pass in.
- */
- (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
- NULL, HASH_AlgNULL, PR_FALSE);
- signercert = signerinfos[0]->cert;
- if (signercert == NULL)
- return NULL;
- }
-
- switch (selector) {
- case sec_common_name:
- container = CERT_GetCommonName (&signercert->subject);
- break;
- case sec_email_address:
- if(signercert->emailAddr) {
- container = PORT_Strdup(signercert->emailAddr);
- } else {
- container = NULL;
- }
- break;
- default:
- PORT_Assert (0);
- container = NULL;
- break;
- }
-
- return container;
-}
-
-char *
-SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo)
-{
- return sec_pkcs7_get_signer_cert_info(cinfo, sec_common_name);
-}
-
-char *
-SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo)
-{
- return sec_pkcs7_get_signer_cert_info(cinfo, sec_email_address);
-}
-
-
-/*
- * Return the signing time, in UTCTime format, of a PKCS7 contentInfo.
- */
-SECItem *
-SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo)
-{
- SEC_PKCS7SignerInfo **signerinfos;
- SEC_PKCS7Attribute *attr;
-
- if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
- return NULL;
-
- signerinfos = cinfo->content.signedData->signerInfos;
-
- /*
- * No signature, or more than one, means no deal.
- */
- if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
- return NULL;
-
- attr = sec_PKCS7FindAttribute (signerinfos[0]->authAttr,
- SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
- return sec_PKCS7AttributeValue (attr);
-}
diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c
deleted file mode 100644
index b45d2d916..000000000
--- a/security/nss/lib/pkcs7/p7encode.c
+++ /dev/null
@@ -1,1329 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * PKCS7 encoding.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cert.h"
-#include "cryptohi.h"
-#include "keyhi.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-struct sec_pkcs7_encoder_output {
- SEC_PKCS7EncoderOutputCallback outputfn;
- void *outputarg;
-};
-
-struct SEC_PKCS7EncoderContextStr {
- SEC_ASN1EncoderContext *ecx;
- SEC_PKCS7ContentInfo *cinfo;
- struct sec_pkcs7_encoder_output output;
- sec_PKCS7CipherObject *encryptobj;
- SECHashObject *digestobj;
- void *digestcx;
-};
-
-
-/*
- * The little output function that the ASN.1 encoder calls to hand
- * us bytes which we in turn hand back to our caller (via the callback
- * they gave us).
- */
-static void
-sec_pkcs7_encoder_out(void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- struct sec_pkcs7_encoder_output *output;
-
- output = (struct sec_pkcs7_encoder_output*)arg;
- output->outputfn (output->outputarg, buf, len);
-}
-
-static sec_PKCS7CipherObject *
-sec_pkcs7_encoder_start_encrypt (SEC_PKCS7ContentInfo *cinfo,
- PK11SymKey *orig_bulkkey)
-{
- SECOidTag kind;
- sec_PKCS7CipherObject *encryptobj;
- SEC_PKCS7RecipientInfo **recipientinfos, *ri;
- SEC_PKCS7EncryptedContentInfo *enccinfo;
- SEC_PKCS7SMIMEKEAParameters keaParams;
- SECKEYPublicKey *publickey = NULL;
- SECKEYPrivateKey *ourPrivKey = NULL;
- PK11SymKey *bulkkey;
- void *mark, *wincx;
- int i;
- PRArenaPool *arena = NULL;
- unsigned char zero = 0;
-
- /* Get the context in case we need it below. */
- wincx = cinfo->pwfn_arg;
-
- /* Clear keaParams, since cleanup code checks the lengths */
- (void) memset(&keaParams, 0, sizeof(keaParams));
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_SIGNED_DATA:
- recipientinfos = NULL;
- enccinfo = NULL;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- {
- SEC_PKCS7EncryptedData *encdp;
-
- /* To do EncryptedData we *must* be given a bulk key. */
- PORT_Assert (orig_bulkkey != NULL);
- if (orig_bulkkey == NULL) {
- /* XXX error? */
- return NULL;
- }
-
- encdp = cinfo->content.encryptedData;
- recipientinfos = NULL;
- enccinfo = &(encdp->encContentInfo);
- }
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- {
- SEC_PKCS7EnvelopedData *envdp;
-
- envdp = cinfo->content.envelopedData;
- recipientinfos = envdp->recipientInfos;
- enccinfo = &(envdp->encContentInfo);
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- recipientinfos = saedp->recipientInfos;
- enccinfo = &(saedp->encContentInfo);
- }
- break;
- }
-
- if (enccinfo == NULL)
- return NULL;
-
- bulkkey = orig_bulkkey;
- if (bulkkey == NULL) {
- CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(enccinfo->encalg);
- PK11SlotInfo *slot;
-
-
- slot = PK11_GetBestSlot(type,cinfo->pwfn_arg);
- if (slot == NULL) {
- return NULL;
- }
- bulkkey = PK11_KeyGen(slot,type,NULL, enccinfo->keysize/8,
- cinfo->pwfn_arg);
- PK11_FreeSlot(slot);
- if (bulkkey == NULL) {
- return NULL;
- }
- }
-
- encryptobj = NULL;
- mark = PORT_ArenaMark (cinfo->poolp);
-
- /*
- * Encrypt the bulk key with the public key of each recipient.
- */
- for (i = 0; recipientinfos && (ri = recipientinfos[i]) != NULL; i++) {
- CERTCertificate *cert;
- SECOidTag certalgtag, encalgtag;
- SECStatus rv;
- int data_len;
- SECItem *params = NULL;
-
- cert = ri->cert;
- PORT_Assert (cert != NULL);
- if (cert == NULL)
- continue;
-
- /*
- * XXX Want an interface that takes a cert and some data and
- * fills in an algorithmID and encrypts the data with the public
- * key from the cert. Or, give me two interfaces -- one which
- * gets the algorithm tag from a cert (I should not have to go
- * down into the subjectPublicKeyInfo myself) and another which
- * takes a public key and algorithm tag and data and encrypts
- * the data. Or something like that. The point is that all
- * of the following hardwired RSA and KEA stuff should be done
- * elsewhere.
- */
-
- certalgtag=SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-
- switch (certalgtag) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- encalgtag = certalgtag;
- publickey = CERT_ExtractPublicKey (cert);
- if (publickey == NULL) goto loser;
-
- data_len = SECKEY_PublicKeyStrength(publickey);
- ri->encKey.data =
- (unsigned char*)PORT_ArenaAlloc(cinfo->poolp ,data_len);
- ri->encKey.len = data_len;
- if (ri->encKey.data == NULL) goto loser;
-
- rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(certalgtag),publickey,
- bulkkey,&ri->encKey);
-
- SECKEY_DestroyPublicKey(publickey);
- publickey = NULL;
- if (rv != SECSuccess) goto loser;
- params = NULL; /* paranoia */
- break;
- /* ### mwelch -- KEA */
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_KEA:
- {
-#define SMIME_FORTEZZA_RA_LENGTH 128
-#define SMIME_FORTEZZA_IV_LENGTH 24
-#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
- SECStatus err;
- PK11SymKey *tek;
- CERTCertificate *ourCert;
- SECKEYPublicKey *ourPubKey;
- SECKEATemplateSelector whichKEA;
-
- /* We really want to show our KEA tag as the
- key exchange algorithm tag. */
- encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
-
- /* Get the public key of the recipient. */
- publickey = CERT_ExtractPublicKey(cert);
- if (publickey == NULL) goto loser;
-
- /* Find our own cert, and extract its keys. */
- ourCert = PK11_FindBestKEAMatch(cert,wincx);
- if (ourCert == NULL) goto loser;
-
- arena = PORT_NewArena(1024);
- if (arena == NULL) goto loser;
-
- ourPubKey = CERT_ExtractPublicKey(ourCert);
- if (ourPubKey == NULL)
- {
- CERT_DestroyCertificate(ourCert);
- goto loser;
- }
-
- /* While we're here, copy the public key into the outgoing
- * KEA parameters. */
- SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey),
- &(ourPubKey->u.fortezza.KEAKey));
- SECKEY_DestroyPublicKey(ourPubKey);
- ourPubKey = NULL;
-
- /* Extract our private key in order to derive the
- * KEA key. */
- ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
- CERT_DestroyCertificate(ourCert); /* we're done with this */
- if (!ourPrivKey) goto loser;
-
- /* Prepare raItem with 128 bytes (filled with zeros). */
- keaParams.originatorRA.data =
- (unsigned char*)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
- keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
-
-
- /* Generate the TEK (token exchange key) which we use
- * to wrap the bulk encryption key. (raItem) will be
- * filled with a random seed which we need to send to
- * the recipient. */
- tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
- &keaParams.originatorRA, NULL,
- CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
- CKA_WRAP, 0, wincx);
-
- SECKEY_DestroyPublicKey(publickey);
- SECKEY_DestroyPrivateKey(ourPrivKey);
- publickey = NULL;
- ourPrivKey = NULL;
-
- if (!tek)
- goto loser;
-
- ri->encKey.data = (unsigned char*)PORT_ArenaAlloc(cinfo->poolp,
- SMIME_FORTEZZA_MAX_KEY_SIZE);
- ri->encKey.len = SMIME_FORTEZZA_MAX_KEY_SIZE;
-
- if (ri->encKey.data == NULL)
- {
- PK11_FreeSymKey(tek);
- goto loser;
- }
-
- /* Wrap the bulk key. What we do with the resulting data
- depends on whether we're using Skipjack to wrap the key. */
- switch(PK11_AlgtagToMechanism(enccinfo->encalg))
- {
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- /* do SKIPJACK, we use the wrap mechanism */
- err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL,
- tek, bulkkey, &ri->encKey);
- whichKEA = SECKEAUsesSkipjack;
- break;
- default:
- /* Not SKIPJACK, we encrypt the raw key data */
- keaParams.nonSkipjackIV .data =
- (unsigned char*)PORT_ArenaAlloc(arena,
- SMIME_FORTEZZA_IV_LENGTH);
- keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
- err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64,
- &keaParams.nonSkipjackIV,
- tek, bulkkey, &ri->encKey);
- if (err != SECSuccess)
- goto loser;
-
- if (ri->encKey.len != PK11_GetKeyLength(bulkkey))
- {
- /* The size of the encrypted key is not the same as
- that of the original bulk key, presumably due to
- padding. Encode and store the real size of the
- bulk key. */
- if (SEC_ASN1EncodeInteger(arena,
- &keaParams.bulkKeySize,
- PK11_GetKeyLength(bulkkey))
- == NULL)
- err = (SECStatus)PORT_GetError();
- else
- /* use full template for encoding */
- whichKEA = SECKEAUsesNonSkipjackWithPaddedEncKey;
- }
- else
- /* enc key length == bulk key length */
- whichKEA = SECKEAUsesNonSkipjack;
- break;
- }
-
- PK11_FreeSymKey(tek);
- if (err != SECSuccess)
- goto loser;
-
- /* Encode the KEA parameters into the recipient info. */
- params = SEC_ASN1EncodeItem(arena,NULL, &keaParams,
- sec_pkcs7_get_kea_template(whichKEA));
- if (params == NULL) goto loser;
- break;
- }
- default:
- PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(cinfo->poolp, &ri->keyEncAlg, encalgtag,
- params);
- if (rv != SECSuccess)
- goto loser;
- if (arena) PORT_FreeArena(arena,PR_FALSE);
- arena = NULL;
- }
-
- encryptobj = sec_PKCS7CreateEncryptObject (cinfo->poolp, bulkkey,
- enccinfo->encalg,
- &(enccinfo->contentEncAlg));
- if (encryptobj != NULL) {
- PORT_ArenaUnmark (cinfo->poolp, mark);
- mark = NULL; /* good one; do not want to release */
- }
- /* fallthru */
-
-loser:
- if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if (publickey) {
- SECKEY_DestroyPublicKey(publickey);
- }
- if (ourPrivKey) {
- SECKEY_DestroyPrivateKey(ourPrivKey);
- }
- if (mark != NULL) {
- PORT_ArenaRelease (cinfo->poolp, mark);
- }
- if (orig_bulkkey == NULL) {
- if (bulkkey) PK11_FreeSymKey(bulkkey);
- }
-
- return encryptobj;
-}
-
-
-static void
-sec_pkcs7_encoder_notify (void *arg, PRBool before, void *dest, int depth)
-{
- SEC_PKCS7EncoderContext *p7ecx;
- SEC_PKCS7ContentInfo *cinfo;
- SECOidTag kind;
- PRBool before_content;
-
- /*
- * We want to notice just before the content field. After fields are
- * not interesting to us.
- */
- if (!before)
- return;
-
- p7ecx = (SEC_PKCS7EncoderContext*)arg;
- cinfo = p7ecx->cinfo;
-
- before_content = PR_FALSE;
-
- /*
- * Watch for the content field, at which point we want to instruct
- * the ASN.1 encoder to start taking bytes from the buffer.
- *
- * XXX The following assumes the inner content type is data;
- * if/when we want to handle fully nested types, this will have
- * to recurse until reaching the innermost data content.
- */
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- if (dest == &(cinfo->content.data))
- before_content = PR_TRUE;
- break;
-
- case SEC_OID_PKCS7_DIGESTED_DATA:
- {
- SEC_PKCS7DigestedData *digd;
-
- digd = cinfo->content.digestedData;
- if (digd == NULL)
- break;
-
- if (dest == &(digd->contentInfo.content))
- before_content = PR_TRUE;
- }
- break;
-
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- {
- SEC_PKCS7EncryptedData *encd;
-
- encd = cinfo->content.encryptedData;
- if (encd == NULL)
- break;
-
- if (dest == &(encd->encContentInfo.encContent))
- before_content = PR_TRUE;
- }
- break;
-
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- {
- SEC_PKCS7EnvelopedData *envd;
-
- envd = cinfo->content.envelopedData;
- if (envd == NULL)
- break;
-
- if (dest == &(envd->encContentInfo.encContent))
- before_content = PR_TRUE;
- }
- break;
-
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sigd;
-
- sigd = cinfo->content.signedData;
- if (sigd == NULL)
- break;
-
- if (dest == &(sigd->contentInfo.content))
- before_content = PR_TRUE;
- }
- break;
-
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saed;
-
- saed = cinfo->content.signedAndEnvelopedData;
- if (saed == NULL)
- break;
-
- if (dest == &(saed->encContentInfo.encContent))
- before_content = PR_TRUE;
- }
- break;
- }
-
- if (before_content) {
- /*
- * This will cause the next SEC_ASN1EncoderUpdate to take the
- * contents bytes from the passed-in buffer.
- */
- SEC_ASN1EncoderSetTakeFromBuf (p7ecx->ecx);
- /*
- * And that is all we needed this notify function for.
- */
- SEC_ASN1EncoderClearNotifyProc (p7ecx->ecx);
- }
-}
-
-
-static SEC_PKCS7EncoderContext *
-sec_pkcs7_encoder_start_contexts (SEC_PKCS7ContentInfo *cinfo,
- PK11SymKey *bulkkey)
-{
- SEC_PKCS7EncoderContext *p7ecx;
- SECOidTag kind;
- PRBool encrypt;
- SECItem **digests;
- SECAlgorithmID *digestalg, **digestalgs;
-
- p7ecx =
- (SEC_PKCS7EncoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7EncoderContext));
- if (p7ecx == NULL)
- return NULL;
-
- digests = NULL;
- digestalg = NULL;
- digestalgs = NULL;
- encrypt = PR_FALSE;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- digestalg = &(cinfo->content.digestedData->digestAlg);
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- digests = cinfo->content.signedData->digests;
- digestalgs = cinfo->content.signedData->digestAlgorithms;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- encrypt = PR_TRUE;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- digests = cinfo->content.signedAndEnvelopedData->digests;
- digestalgs = cinfo->content.signedAndEnvelopedData->digestAlgorithms;
- encrypt = PR_TRUE;
- break;
- }
-
- if (encrypt) {
- p7ecx->encryptobj = sec_pkcs7_encoder_start_encrypt (cinfo, bulkkey);
- if (p7ecx->encryptobj == NULL) {
- PORT_Free (p7ecx);
- return NULL;
- }
- }
-
- if (digestalgs != NULL) {
- if (digests != NULL) {
- /* digests already created (probably for detached data) */
- digestalg = NULL;
- } else {
- /*
- * XXX Some day we should handle multiple digests; for now,
- * assume only one will be done.
- */
- PORT_Assert (digestalgs[0] != NULL && digestalgs[1] == NULL);
- digestalg = digestalgs[0];
- }
- }
-
- if (digestalg != NULL) {
- SECOidData *oiddata;
-
- oiddata = SECOID_FindOID (&(digestalg->algorithm));
- if (oiddata != NULL) {
- switch (oiddata->offset) {
- case SEC_OID_MD2:
- p7ecx->digestobj = &SECHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_MD5:
- p7ecx->digestobj = &SECHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_SHA1:
- p7ecx->digestobj = &SECHashObjects[HASH_AlgSHA1];
- break;
- default:
- /* XXX right error? */
- PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
- break;
- }
- }
- if (p7ecx->digestobj != NULL) {
- p7ecx->digestcx = (* p7ecx->digestobj->create) ();
- if (p7ecx->digestcx == NULL)
- p7ecx->digestobj = NULL;
- else
- (* p7ecx->digestobj->begin) (p7ecx->digestcx);
- }
- if (p7ecx->digestobj == NULL) {
- if (p7ecx->encryptobj != NULL)
- sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
- PORT_Free (p7ecx);
- return NULL;
- }
- }
-
- p7ecx->cinfo = cinfo;
- return p7ecx;
-}
-
-
-SEC_PKCS7EncoderContext *
-SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7EncoderOutputCallback outputfn,
- void *outputarg,
- PK11SymKey *bulkkey)
-{
- SEC_PKCS7EncoderContext *p7ecx;
- SECStatus rv;
-
- p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
- if (p7ecx == NULL)
- return NULL;
-
- p7ecx->output.outputfn = outputfn;
- p7ecx->output.outputarg = outputarg;
-
- /*
- * Initialize the BER encoder.
- */
- p7ecx->ecx = SEC_ASN1EncoderStart (cinfo, sec_PKCS7ContentInfoTemplate,
- sec_pkcs7_encoder_out, &(p7ecx->output));
- if (p7ecx->ecx == NULL) {
- PORT_Free (p7ecx);
- return NULL;
- }
-
- /*
- * Indicate that we are streaming. We will be streaming until we
- * get past the contents bytes.
- */
- SEC_ASN1EncoderSetStreaming (p7ecx->ecx);
-
- /*
- * The notify function will watch for the contents field.
- */
- SEC_ASN1EncoderSetNotifyProc (p7ecx->ecx, sec_pkcs7_encoder_notify, p7ecx);
-
- /*
- * This will encode everything up to the content bytes. (The notify
- * function will then cause the encoding to stop there.) Then our
- * caller can start passing contents bytes to our Update, which we
- * will pass along.
- */
- rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
- if (rv != SECSuccess) {
- PORT_Free (p7ecx);
- return NULL;
- }
-
- return p7ecx;
-}
-
-
-/*
- * XXX If/when we support nested contents, this needs to be revised.
- */
-static SECStatus
-sec_pkcs7_encoder_work_data (SEC_PKCS7EncoderContext *p7ecx, SECItem *dest,
- const unsigned char *data, unsigned long len,
- PRBool final)
-{
- unsigned char *buf = NULL;
- SECStatus rv;
-
-
- rv = SECSuccess; /* may as well be optimistic */
-
- /*
- * We should really have data to process, or we should be trying
- * to finish/flush the last block. (This is an overly paranoid
- * check since all callers are in this file and simple inspection
- * proves they do it right. But it could find a bug in future
- * modifications/development, that is why it is here.)
- */
- PORT_Assert ((data != NULL && len) || final);
-
- /*
- * Update the running digest.
- * XXX This needs modification if/when we handle multiple digests.
- */
- if (len && p7ecx->digestobj != NULL) {
- (* p7ecx->digestobj->update) (p7ecx->digestcx, data, len);
- }
-
- /*
- * Encrypt this chunk.
- */
- if (p7ecx->encryptobj != NULL) {
- /* XXX the following lengths should all be longs? */
- unsigned int inlen; /* length of data being encrypted */
- unsigned int outlen; /* length of encrypted data */
- unsigned int buflen; /* length available for encrypted data */
-
- inlen = len;
- buflen = sec_PKCS7EncryptLength (p7ecx->encryptobj, inlen, final);
- if (buflen == 0) {
- /*
- * No output is expected, but the input data may be buffered
- * so we still have to call Encrypt.
- */
- rv = sec_PKCS7Encrypt (p7ecx->encryptobj, NULL, NULL, 0,
- data, inlen, final);
- if (final) {
- len = 0;
- goto done;
- }
- return rv;
- }
-
- if (dest != NULL)
- buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cinfo->poolp, buflen);
- else
- buf = (unsigned char*)PORT_Alloc (buflen);
-
- if (buf == NULL) {
- rv = SECFailure;
- } else {
- rv = sec_PKCS7Encrypt (p7ecx->encryptobj, buf, &outlen, buflen,
- data, inlen, final);
- data = buf;
- len = outlen;
- }
- if (rv != SECSuccess) {
- if (final)
- goto done;
- return rv;
- }
- }
-
- if (p7ecx->ecx != NULL) {
- /*
- * Encode the contents bytes.
- */
- if(len) {
- rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, (const char *)data, len);
- }
- }
-
-done:
- if (p7ecx->encryptobj != NULL) {
- if (final)
- sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
- if (dest != NULL) {
- dest->data = buf;
- dest->len = len;
- } else if (buf != NULL) {
- PORT_Free (buf);
- }
- }
-
- if (final && p7ecx->digestobj != NULL) {
- SECItem *digest, **digests, ***digestsp;
- unsigned char *digdata;
- SECOidTag kind;
-
- kind = SEC_PKCS7ContentType (p7ecx->cinfo);
- switch (kind) {
- default:
- PORT_Assert (0);
- return SECFailure;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- digest = &(p7ecx->cinfo->content.digestedData->digest);
- digestsp = NULL;
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- digest = NULL;
- digestsp = &(p7ecx->cinfo->content.signedData->digests);
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- digest = NULL;
- digestsp = &(p7ecx->cinfo->content.signedAndEnvelopedData->digests);
- break;
- }
-
- digdata = (unsigned char*)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
- p7ecx->digestobj->length);
- if (digdata == NULL)
- return SECFailure;
-
- if (digestsp != NULL) {
- PORT_Assert (digest == NULL);
-
- digest = (SECItem*)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
- sizeof(SECItem));
- digests = (SECItem**)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
- 2 * sizeof(SECItem *));
- if (digests == NULL || digest == NULL)
- return SECFailure;
-
- digests[0] = digest;
- digests[1] = NULL;
-
- *digestsp = digests;
- }
-
- PORT_Assert (digest != NULL);
-
- digest->data = digdata;
- digest->len = p7ecx->digestobj->length;
-
- (* p7ecx->digestobj->end) (p7ecx->digestcx, digest->data,
- &(digest->len), digest->len);
- (* p7ecx->digestobj->destroy) (p7ecx->digestcx, PR_TRUE);
- }
-
- return rv;
-}
-
-
-SECStatus
-SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
- const char *data, unsigned long len)
-{
- /* XXX Error handling needs help. Return what? Do "Finish" on failure? */
- return sec_pkcs7_encoder_work_data (p7ecx, NULL,
- (const unsigned char *)data, len,
- PR_FALSE);
-}
-
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-static SECOidTag
-sec_pkcs7_pick_sign_alg (SECOidTag hashalg, SECOidTag encalg)
-{
- switch (encalg) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- switch (hashalg) {
- case SEC_OID_MD2:
- return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
- case SEC_OID_MD5:
- return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
- case SEC_OID_SHA1:
- return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
- default:
- return SEC_OID_UNKNOWN;
- }
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS:
- switch (hashalg) {
- case SEC_OID_SHA1:
- return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
- default:
- return SEC_OID_UNKNOWN;
- }
- default:
- break;
- }
-
- return encalg; /* maybe it is already the right algid */
-}
-
-
-static SECStatus
-sec_pkcs7_encoder_sig_and_certs (SEC_PKCS7ContentInfo *cinfo,
- SECKEYGetPasswordKey pwfn, void *pwfnarg)
-{
- SECOidTag kind;
- CERTCertificate **certs;
- CERTCertificateList **certlists;
- SECAlgorithmID **digestalgs;
- SECItem **digests;
- SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
- SECItem **rawcerts, ***rawcertsp;
- PRArenaPool *poolp;
- int certcount;
- int ci, cli, rci, si;
-
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- certs = NULL;
- certlists = NULL;
- digestalgs = NULL;
- digests = NULL;
- signerinfos = NULL;
- rawcertsp = NULL;
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- {
- SEC_PKCS7SignedData *sdp;
-
- sdp = cinfo->content.signedData;
- certs = sdp->certs;
- certlists = sdp->certLists;
- digestalgs = sdp->digestAlgorithms;
- digests = sdp->digests;
- signerinfos = sdp->signerInfos;
- rawcertsp = &(sdp->rawCerts);
- }
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- {
- SEC_PKCS7SignedAndEnvelopedData *saedp;
-
- saedp = cinfo->content.signedAndEnvelopedData;
- certs = saedp->certs;
- certlists = saedp->certLists;
- digestalgs = saedp->digestAlgorithms;
- digests = saedp->digests;
- signerinfos = saedp->signerInfos;
- rawcertsp = &(saedp->rawCerts);
- }
- break;
- }
-
- if (certs == NULL && certlists == NULL && signerinfos == NULL)
- return SECSuccess; /* nothing for us to do! */
-
- poolp = cinfo->poolp;
- certcount = 0;
-
- if (signerinfos != NULL) {
- SECOidTag digestalgtag;
- int di;
- SECStatus rv;
- CERTCertificate *cert;
- SECKEYPrivateKey *privkey;
- SECItem signature;
- SECOidTag signalgtag;
-
- PORT_Assert (digestalgs != NULL && digests != NULL);
-
- /*
- * If one fails, we bail right then. If we want to continue and
- * try to do subsequent signatures, this loop, and the departures
- * from it, will need to be reworked.
- */
- for (si = 0; signerinfos[si] != NULL; si++) {
-
- signerinfo = signerinfos[si];
-
- /* find right digest */
- digestalgtag = SECOID_GetAlgorithmTag (&(signerinfo->digestAlg));
- for (di = 0; digestalgs[di] != NULL; di++) {
- /* XXX Should I be comparing more than the tag? */
- if (digestalgtag == SECOID_GetAlgorithmTag (digestalgs[di]))
- break;
- }
- if (digestalgs[di] == NULL) {
- /* XXX oops; do what? set an error? */
- return SECFailure;
- }
- PORT_Assert (digests[di] != NULL);
-
- cert = signerinfo->cert;
- privkey = PK11_FindKeyByAnyCert (cert, pwfnarg);
- if (privkey == NULL)
- return SECFailure;
-
- /*
- * XXX I think there should be a cert-level interface for this,
- * so that I do not have to know about subjectPublicKeyInfo...
- */
- signalgtag = SECOID_GetAlgorithmTag (&(cert->subjectPublicKeyInfo.algorithm));
-
- /* Fortezza MISSI have weird signature formats. Map them
- * to standard DSA formats */
- signalgtag = PK11_FortezzaMapSig(signalgtag);
-
- if (signerinfo->authAttr != NULL) {
- SEC_PKCS7Attribute *attr;
- SECItem encoded_attrs;
- SECItem *dummy;
-
- /*
- * First, find and fill in the message digest attribute.
- */
- attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
- SEC_OID_PKCS9_MESSAGE_DIGEST,
- PR_TRUE);
- PORT_Assert (attr != NULL);
- if (attr == NULL) {
- SECKEY_DestroyPrivateKey (privkey);
- return SECFailure;
- }
-
- /*
- * XXX The second half of the following assertion prevents
- * the encoder from being called twice on the same content.
- * Either just remove the second half the assertion, or
- * change the code to check if the value already there is
- * the same as digests[di], whichever seems more right.
- */
- PORT_Assert (attr->values != NULL && attr->values[0] == NULL);
- attr->values[0] = digests[di];
-
- /*
- * Before encoding, reorder the attributes so that when they
- * are encoded, they will be conforming DER, which is required
- * to have a specific order and that is what must be used for
- * the hash/signature. We do this here, rather than building
- * it into EncodeAttributes, because we do not want to do
- * such reordering on incoming messages (which also uses
- * EncodeAttributes) or our old signatures (and other "broken"
- * implementations) will not verify. So, we want to guarantee
- * that we send out good DER encodings of attributes, but not
- * to expect to receive them.
- */
- rv = sec_PKCS7ReorderAttributes (signerinfo->authAttr);
- if (rv != SECSuccess) {
- SECKEY_DestroyPrivateKey (privkey);
- return SECFailure;
- }
-
- encoded_attrs.data = NULL;
- encoded_attrs.len = 0;
- dummy = sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
- &(signerinfo->authAttr));
- if (dummy == NULL) {
- SECKEY_DestroyPrivateKey (privkey);
- return SECFailure;
- }
-
- rv = SEC_SignData (&signature,
- encoded_attrs.data, encoded_attrs.len,
- privkey,
- sec_pkcs7_pick_sign_alg (digestalgtag,
- signalgtag));
- SECITEM_FreeItem (&encoded_attrs, PR_FALSE);
- } else {
- rv = SGN_Digest (privkey, digestalgtag, &signature,
- digests[di]);
- }
-
- SECKEY_DestroyPrivateKey (privkey);
-
- if (rv != SECSuccess)
- return rv;
-
- rv = SECITEM_CopyItem (poolp, &(signerinfo->encDigest), &signature);
- if (rv != SECSuccess)
- return rv;
-
- SECITEM_FreeItem (&signature, PR_FALSE);
-
- rv = SECOID_SetAlgorithmID (poolp, &(signerinfo->digestEncAlg),
- signalgtag, NULL);
- if (rv != SECSuccess)
- return SECFailure;
-
- /*
- * Count the cert chain for this signer.
- */
- if (signerinfo->certList != NULL)
- certcount += signerinfo->certList->len;
- }
- }
-
- if (certs != NULL) {
- for (ci = 0; certs[ci] != NULL; ci++)
- certcount++;
- }
-
- if (certlists != NULL) {
- for (cli = 0; certlists[cli] != NULL; cli++)
- certcount += certlists[cli]->len;
- }
-
- if (certcount == 0)
- return SECSuccess; /* signing done; no certs */
-
- /*
- * Combine all of the certs and cert chains into rawcerts.
- * Note: certcount is an upper bound; we may not need that many slots
- * but we will allocate anyway to avoid having to do another pass.
- * (The temporary space saving is not worth it.)
- */
- rawcerts = (SECItem**)PORT_ArenaAlloc (poolp,
- (certcount + 1) * sizeof(SECItem *));
- if (rawcerts == NULL)
- return SECFailure;
-
- /*
- * XXX Want to check for duplicates and not add *any* cert that is
- * already in the set. This will be more important when we start
- * dealing with larger sets of certs, dual-key certs (signing and
- * encryption), etc. For the time being we can slide by...
- */
- rci = 0;
- if (signerinfos != NULL) {
- for (si = 0; signerinfos[si] != NULL; si++) {
- signerinfo = signerinfos[si];
- for (ci = 0; ci < signerinfo->certList->len; ci++)
- rawcerts[rci++] = &(signerinfo->certList->certs[ci]);
- }
-
- }
-
- if (certs != NULL) {
- for (ci = 0; certs[ci] != NULL; ci++)
- rawcerts[rci++] = &(certs[ci]->derCert);
- }
-
- if (certlists != NULL) {
- for (cli = 0; certlists[cli] != NULL; cli++) {
- for (ci = 0; ci < certlists[cli]->len; ci++)
- rawcerts[rci++] = &(certlists[cli]->certs[ci]);
- }
- }
-
- rawcerts[rci] = NULL;
- *rawcertsp = rawcerts;
-
- return SECSuccess;
-}
-
-
-SECStatus
-SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
- SECKEYGetPasswordKey pwfn, void *pwfnarg)
-{
- SECStatus rv;
-
- /*
- * Flush out any remaining data.
- */
- rv = sec_pkcs7_encoder_work_data (p7ecx, NULL, NULL, 0, PR_TRUE);
-
- /*
- * Turn off streaming stuff.
- */
- SEC_ASN1EncoderClearTakeFromBuf (p7ecx->ecx);
- SEC_ASN1EncoderClearStreaming (p7ecx->ecx);
-
- if (rv != SECSuccess)
- goto loser;
-
- rv = sec_pkcs7_encoder_sig_and_certs (p7ecx->cinfo, pwfn, pwfnarg);
- if (rv != SECSuccess)
- goto loser;
-
- rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
-
-loser:
- SEC_ASN1EncoderFinish (p7ecx->ecx);
- PORT_Free (p7ecx);
- return rv;
-}
-
-
-/*
- * After this routine is called, the entire PKCS7 contentInfo is ready
- * to be encoded. This is used internally, but can also be called from
- * elsewhere for those who want to be able to just have pointers to
- * the ASN1 template for pkcs7 contentInfo built into their own encodings.
- */
-SECStatus
-SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg)
-{
- SEC_PKCS7EncoderContext *p7ecx;
- SECItem *content, *enc_content;
- SECStatus rv;
-
- p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
- if (p7ecx == NULL)
- return SECFailure;
-
- content = SEC_PKCS7GetContent (cinfo);
-
- if (p7ecx->encryptobj != NULL) {
- SECOidTag kind;
- SEC_PKCS7EncryptedContentInfo *enccinfo;
-
- kind = SEC_PKCS7ContentType (p7ecx->cinfo);
- switch (kind) {
- default:
- PORT_Assert (0);
- rv = SECFailure;
- goto loser;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- enccinfo = &(p7ecx->cinfo->content.encryptedData->encContentInfo);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- enccinfo = &(p7ecx->cinfo->content.envelopedData->encContentInfo);
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- enccinfo = &(p7ecx->cinfo->content.signedAndEnvelopedData->encContentInfo);
- break;
- }
- enc_content = &(enccinfo->encContent);
- } else {
- enc_content = NULL;
- }
-
- if (content != NULL && content->data != NULL && content->len) {
- rv = sec_pkcs7_encoder_work_data (p7ecx, enc_content,
- content->data, content->len, PR_TRUE);
- if (rv != SECSuccess)
- goto loser;
- }
-
- rv = sec_pkcs7_encoder_sig_and_certs (cinfo, pwfn, pwfnarg);
-
-loser:
- PORT_Free (p7ecx);
- return rv;
-}
-
-
-/*
- * Encode a PKCS7 object, in one shot. All necessary components
- * of the object must already be specified. Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only).
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "outputfn" is where the encoded bytes will be passed.
- *
- * "outputarg" is an opaque argument to the above callback.
- *
- * "bulkkey" specifies the bulk encryption key to use. This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer. This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-SECStatus
-SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7EncoderOutputCallback outputfn,
- void *outputarg,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg)
-{
- SECStatus rv;
-
- rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
- if (rv == SECSuccess) {
- struct sec_pkcs7_encoder_output outputcx;
-
- outputcx.outputfn = outputfn;
- outputcx.outputarg = outputarg;
-
- rv = SEC_ASN1Encode (cinfo, sec_PKCS7ContentInfoTemplate,
- sec_pkcs7_encoder_out, &outputcx);
- }
-
- return rv;
-}
-
-
-/*
- * Encode a PKCS7 object, in one shot. All necessary components
- * of the object must already be specified. Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only). The output, rather than
- * being passed to an output function as is done above, is all put
- * into a SECItem.
- *
- * "pool" specifies a pool from which to allocate the result.
- * It can be NULL, in which case memory is allocated generically.
- *
- * "dest" specifies a SECItem in which to put the result data.
- * It can be NULL, in which case the entire item is allocated, too.
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "bulkkey" specifies the bulk encryption key to use. This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer. This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-SECItem *
-SEC_PKCS7EncodeItem (PRArenaPool *pool,
- SECItem *dest,
- SEC_PKCS7ContentInfo *cinfo,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg)
-{
- SECStatus rv;
-
- rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
- if (rv != SECSuccess)
- return NULL;
-
- return SEC_ASN1EncodeItem (pool, dest, cinfo, sec_PKCS7ContentInfoTemplate);
-}
-
diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c
deleted file mode 100644
index d3e58be50..000000000
--- a/security/nss/lib/pkcs7/p7local.c
+++ /dev/null
@@ -1,1431 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support routines for PKCS7 implementation, none of which are exported.
- * This file should only contain things that are needed by both the
- * encoding/creation side *and* the decoding/decryption side. Anything
- * else should be static routines in the appropriate file.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cryptohi.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secpkcs5.h"
-#include "secerr.h"
-
-/*
- * -------------------------------------------------------------------
- * Cipher stuff.
- */
-
-typedef SECStatus (*sec_pkcs7_cipher_function) (void *,
- unsigned char *,
- unsigned *,
- unsigned int,
- const unsigned char *,
- unsigned int);
-typedef SECStatus (*sec_pkcs7_cipher_destroy) (void *, PRBool);
-
-#define BLOCK_SIZE 4096
-
-struct sec_pkcs7_cipher_object {
- void *cx;
- sec_pkcs7_cipher_function doit;
- sec_pkcs7_cipher_destroy destroy;
- PRBool encrypt;
- int block_size;
- int pad_size;
- int pending_count;
- unsigned char pending_buf[BLOCK_SIZE];
-};
-
-/*
- * Create a cipher object to do decryption, based on the given bulk
- * encryption key and algorithm identifier (which may include an iv).
- *
- * XXX This interface, or one similar, would be really nice available
- * in general... I tried to keep the pkcs7-specific stuff (mostly
- * having to do with padding) out of here.
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function below (for starting up encryption) into one routine, and just
- * have two simple cover functions which call it.
- */
-sec_PKCS7CipherObject *
-sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid)
-{
- sec_PKCS7CipherObject *result;
- SECOidTag algtag;
- void *ciphercx;
- CK_MECHANISM_TYPE mechanism;
- SECItem *param;
- PK11SlotInfo *slot;
-
- result = (struct sec_pkcs7_cipher_object*)
- PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
- if (result == NULL)
- return NULL;
-
- ciphercx = NULL;
- algtag = SECOID_GetAlgorithmTag (algid);
-
- if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
- CK_MECHANISM pbeMech, cryptoMech;
- SECItem *pbeParams, *pwitem;
- SEC_PKCS5KeyAndPassword *keyPwd;
-
- keyPwd = (SEC_PKCS5KeyAndPassword *)key;
- key = keyPwd->key;
- pwitem = keyPwd->pwitem;
-
- pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
- pbeParams = PK11_ParamFromAlgid(algid);
- if (!pbeParams) {
- PORT_Free(result);
- return NULL;
- }
-
- pbeMech.pParameter = pbeParams->data;
- pbeMech.ulParameterLen = pbeParams->len;
- if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem,
- PR_FALSE) != CKR_OK) {
- PORT_Free(result);
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
- return NULL;
- }
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
- param = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(!param) {
- PORT_Free(result);
- return NULL;
- }
- param->data = (unsigned char *)cryptoMech.pParameter;
- param->len = cryptoMech.ulParameterLen;
- mechanism = cryptoMech.mechanism;
- } else {
- mechanism = PK11_AlgtagToMechanism(algtag);
- param = PK11_ParamFromAlgid(algid);
- if (param == NULL) {
- PORT_Free(result);
- return NULL;
- }
- }
-
- result->pad_size = PK11_GetBlockSize(mechanism,param);
- slot = PK11_GetSlotFromKey(key);
- result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
- PK11_FreeSlot(slot);
- ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param);
- SECITEM_FreeItem(param,PR_TRUE);
- if (ciphercx == NULL) {
- PORT_Free (result);
- return NULL;
- }
-
- result->cx = ciphercx;
- result->doit = (sec_pkcs7_cipher_function) PK11_CipherOp;
- result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
- result->encrypt = PR_FALSE;
- result->pending_count = 0;
-
- return result;
-}
-
-/*
- * Create a cipher object to do encryption, based on the given bulk
- * encryption key and algorithm tag. Fill in the algorithm identifier
- * (which may include an iv) appropriately.
- *
- * XXX This interface, or one similar, would be really nice available
- * in general... I tried to keep the pkcs7-specific stuff (mostly
- * having to do with padding) out of here.
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function above (for starting up decryption) into one routine, and just
- * have two simple cover functions which call it.
- */
-sec_PKCS7CipherObject *
-sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
- SECOidTag algtag, SECAlgorithmID *algid)
-{
- sec_PKCS7CipherObject *result;
- void *ciphercx;
- SECItem *param;
- SECStatus rv;
- CK_MECHANISM_TYPE mechanism;
- PRBool needToEncodeAlgid = PR_FALSE;
- PK11SlotInfo *slot;
-
- result = (struct sec_pkcs7_cipher_object*)
- PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
- if (result == NULL)
- return NULL;
-
- ciphercx = NULL;
- if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
- CK_MECHANISM pbeMech, cryptoMech;
- SECItem *pbeParams;
- SEC_PKCS5KeyAndPassword *keyPwd;
-
- PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
- PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
-
- pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
- pbeParams = PK11_ParamFromAlgid(algid);
- if(!pbeParams) {
- PORT_Free(result);
- return NULL;
- }
- keyPwd = (SEC_PKCS5KeyAndPassword *)key;
- key = keyPwd->key;
-
- pbeMech.pParameter = pbeParams->data;
- pbeMech.ulParameterLen = pbeParams->len;
- if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech,
- keyPwd->pwitem, PR_FALSE) != CKR_OK) {
- PORT_Free(result);
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
- return NULL;
- }
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
- param = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(!param) {
- PORT_Free(result);
- return NULL;
- }
- param->data = (unsigned char *)cryptoMech.pParameter;
- param->len = cryptoMech.ulParameterLen;
- mechanism = cryptoMech.mechanism;
- } else {
- mechanism = PK11_AlgtagToMechanism(algtag);
- param = PK11_GenerateNewParam(mechanism,key);
- if (param == NULL) {
- PORT_Free(result);
- return NULL;
- }
- needToEncodeAlgid = PR_TRUE;
- }
-
- result->pad_size = PK11_GetBlockSize(mechanism,param);
- slot = PK11_GetSlotFromKey(key);
- result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
- PK11_FreeSlot(slot);
- ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
- key, param);
- if (ciphercx == NULL) {
- PORT_Free (result);
- SECITEM_FreeItem(param,PR_TRUE);
- return NULL;
- }
-
- /*
- * These are placed after the CreateContextBySymKey() because some
- * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
- * Don't move it from here.
- */
- if (needToEncodeAlgid) {
- rv = PK11_ParamToAlgid(algtag,param,poolp,algid);
- if(rv != SECSuccess) {
- return NULL;
- }
- }
- SECITEM_FreeItem(param,PR_TRUE);
-
- result->cx = ciphercx;
- result->doit = (sec_pkcs7_cipher_function) PK11_CipherOp;
- result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
- result->encrypt = PR_TRUE;
- result->pending_count = 0;
-
- return result;
-}
-
-
-/*
- * Destroy the cipher object.
- */
-static void
-sec_pkcs7_destroy_cipher (sec_PKCS7CipherObject *obj)
-{
- (* obj->destroy) (obj->cx, PR_TRUE);
- PORT_Free (obj);
-}
-
-void
-sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj)
-{
- PORT_Assert (obj != NULL);
- if (obj == NULL)
- return;
- PORT_Assert (! obj->encrypt);
- sec_pkcs7_destroy_cipher (obj);
-}
-
-void
-sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj)
-{
- PORT_Assert (obj != NULL);
- if (obj == NULL)
- return;
- PORT_Assert (obj->encrypt);
- sec_pkcs7_destroy_cipher (obj);
-}
-
-
-/*
- * XXX I think all of the following lengths should be longs instead
- * of ints, but our current crypto interface uses ints, so I did too.
- */
-
-
-/*
- * What will be the output length of the next call to decrypt?
- * Result can be used to perform memory allocations. Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and bsize).
- *
- * Note that this can return zero, which does not mean that the decrypt
- * operation can be skipped! (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.) However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent decrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
- PRBool final)
-{
- int blocks, block_size;
-
- PORT_Assert (! obj->encrypt);
-
- block_size = obj->block_size;
-
- /*
- * If this is not a block cipher, then we always have the same
- * number of output bytes as we had input bytes.
- */
- if (block_size == 0)
- return input_len;
-
- /*
- * On the final call, we will always use up all of the pending
- * bytes plus all of the input bytes, *but*, there will be padding
- * at the end and we cannot predict how many bytes of padding we
- * will end up removing. The amount given here is actually known
- * to be at least 1 byte too long (because we know we will have
- * at least 1 byte of padding), but seemed clearer/better to me.
- */
- if (final)
- return obj->pending_count + input_len;
-
- /*
- * Okay, this amount is exactly what we will output on the
- * next cipher operation. We will always hang onto the last
- * 1 - block_size bytes for non-final operations. That is,
- * we will do as many complete blocks as we can *except* the
- * last block (complete or partial). (This is because until
- * we know we are at the end, we cannot know when to interpret
- * and removing the padding byte(s), which are guaranteed to
- * be there.)
- */
- blocks = (obj->pending_count + input_len - 1) / block_size;
- return blocks * block_size;
-}
-
-/*
- * What will be the output length of the next call to encrypt?
- * Result can be used to perform memory allocations.
- *
- * Note that this can return zero, which does not mean that the encrypt
- * operation can be skipped! (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.) However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent encrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
- PRBool final)
-{
- int blocks, block_size;
- int pad_size;
-
- PORT_Assert (obj->encrypt);
-
- block_size = obj->block_size;
- pad_size = obj->pad_size;
-
- /*
- * If this is not a block cipher, then we always have the same
- * number of output bytes as we had input bytes.
- */
- if (block_size == 0)
- return input_len;
-
- /*
- * On the final call, we only send out what we need for
- * remaining bytes plus the padding. (There is always padding,
- * so even if we have an exact number of blocks as input, we
- * will add another full block that is just padding.)
- */
- if (final) {
- if (pad_size == 0) {
- return obj->pending_count + input_len;
- } else {
- blocks = (obj->pending_count + input_len) / pad_size;
- blocks++;
- return blocks*pad_size;
- }
- }
-
- /*
- * Now, count the number of complete blocks of data we have.
- */
- blocks = (obj->pending_count + input_len) / block_size;
-
-
- return blocks * block_size;
-}
-
-
-/*
- * Decrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateDecryptObject.
- * When "final" is true, this is the last of the data to be decrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the decryption function will only
- * operate on whole blocks. But our caller is operating stream-wise,
- * and can pass in any number of bytes. So we need to keep track
- * of block boundaries. We save excess bytes between calls in "obj".
- * We also need to determine which bytes are padding, and remove
- * them from the output. We can only do this step when we know we
- * have the final block of data. PKCS #7 specifies that the padding
- * used for a block cipher is a string of bytes, each of whose value is
- * the same as the length of the padding, and that all data is padded.
- * (Even data that starts out with an exact multiple of blocks gets
- * added to it another block, all of which is padding.)
- */
-SECStatus
-sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
- unsigned int *output_len_p, unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len,
- PRBool final)
-{
- int blocks, bsize, pcount, padsize;
- unsigned int max_needed, ifraglen, ofraglen, output_len;
- unsigned char *pbuf;
- SECStatus rv;
-
- PORT_Assert (! obj->encrypt);
-
- /*
- * Check that we have enough room for the output. Our caller should
- * already handle this; failure is really an internal error (i.e. bug).
- */
- max_needed = sec_PKCS7DecryptLength (obj, input_len, final);
- PORT_Assert (max_output_len >= max_needed);
- if (max_output_len < max_needed) {
- /* PORT_SetError (XXX); */
- return SECFailure;
- }
-
- /*
- * hardware encryption does not like small decryption sizes here, so we
- * allow both blocking and padding.
- */
- bsize = obj->block_size;
- padsize = obj->pad_size;
-
- /*
- * When no blocking or padding work to do, we can simply call the
- * cipher function and we are done.
- */
- if (bsize == 0) {
- return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
- input, input_len);
- }
-
- pcount = obj->pending_count;
- pbuf = obj->pending_buf;
-
- output_len = 0;
-
- if (pcount) {
- /*
- * Try to fill in an entire block, starting with the bytes
- * we already have saved away.
- */
- while (input_len && pcount < bsize) {
- pbuf[pcount++] = *input++;
- input_len--;
- }
- /*
- * If we have at most a whole block and this is not our last call,
- * then we are done for now. (We do not try to decrypt a lone
- * single block because we cannot interpret the padding bytes
- * until we know we are handling the very last block of all input.)
- */
- if (input_len == 0 && !final) {
- obj->pending_count = pcount;
- if (output_len_p)
- *output_len_p = 0;
- return SECSuccess;
- }
- /*
- * Given the logic above, we expect to have a full block by now.
- * If we do not, there is something wrong, either with our own
- * logic or with (length of) the data given to us.
- */
- PORT_Assert ((padsize == 0) || (pcount % padsize) == 0);
- if ((padsize != 0) && (pcount % padsize) != 0) {
- PORT_Assert (final);
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- /*
- * Decrypt the block.
- */
- rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
- pbuf, pcount);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7DecryptLength needs to be made smarter!
- */
- PORT_Assert (ofraglen == pcount);
-
- /*
- * Account for the bytes now in output.
- */
- max_output_len -= ofraglen;
- output_len += ofraglen;
- output += ofraglen;
- }
-
- /*
- * If this is our last call, we expect to have an exact number of
- * blocks left to be decrypted; we will decrypt them all.
- *
- * If not our last call, we always save between 1 and bsize bytes
- * until next time. (We must do this because we cannot be sure
- * that none of the decrypted bytes are padding bytes until we
- * have at least another whole block of data. You cannot tell by
- * looking -- the data could be anything -- you can only tell by
- * context, knowing you are looking at the last block.) We could
- * decrypt a whole block now but it is easier if we just treat it
- * the same way we treat partial block bytes.
- */
- if (final) {
- if (padsize) {
- blocks = input_len / padsize;
- ifraglen = blocks * padsize;
- } else ifraglen = input_len;
- PORT_Assert (ifraglen == input_len);
-
- if (ifraglen != input_len) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- } else {
- blocks = (input_len - 1) / bsize;
- ifraglen = blocks * bsize;
- PORT_Assert (ifraglen < input_len);
-
- pcount = input_len - ifraglen;
- PORT_Memcpy (pbuf, input + ifraglen, pcount);
- obj->pending_count = pcount;
- }
-
- if (ifraglen) {
- rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
- input, ifraglen);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7DecryptLength needs to be made smarter!
- */
- PORT_Assert (ifraglen == ofraglen);
- if (ifraglen != ofraglen) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
-
- output_len += ofraglen;
- } else {
- ofraglen = 0;
- }
-
- /*
- * If we just did our very last block, "remove" the padding by
- * adjusting the output length.
- */
- if (final && (padsize != 0)) {
- unsigned int padlen = *(output + ofraglen - 1);
- PORT_Assert (padlen > 0 && padlen <= padsize);
- if (padlen == 0 || padlen > padsize) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- output_len -= padlen;
- }
-
- PORT_Assert (output_len_p != NULL || output_len == 0);
- if (output_len_p != NULL)
- *output_len_p = output_len;
-
- return SECSuccess;
-}
-
-/*
- * Encrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateEncryptObject.
- * When "final" is true, this is the last of the data to be encrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the encryption function will only
- * operate on whole blocks. But our caller is operating stream-wise,
- * and can pass in any number of bytes. So we need to keep track
- * of block boundaries. We save excess bytes between calls in "obj".
- * We also need to add padding bytes at the end. PKCS #7 specifies
- * that the padding used for a block cipher is a string of bytes,
- * each of whose value is the same as the length of the padding,
- * and that all data is padded. (Even data that starts out with
- * an exact multiple of blocks gets added to it another block,
- * all of which is padding.)
- *
- * XXX I would kind of like to combine this with the function above
- * which does decryption, since they have a lot in common. But the
- * tricky parts about padding and filling blocks would be much
- * harder to read that way, so I left them separate. At least for
- * now until it is clear that they are right.
- */
-SECStatus
-sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
- unsigned int *output_len_p, unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len,
- PRBool final)
-{
- int blocks, bsize, padlen, pcount, padsize;
- unsigned int max_needed, ifraglen, ofraglen, output_len;
- unsigned char *pbuf;
- SECStatus rv;
-
- PORT_Assert (obj->encrypt);
-
- /*
- * Check that we have enough room for the output. Our caller should
- * already handle this; failure is really an internal error (i.e. bug).
- */
- max_needed = sec_PKCS7EncryptLength (obj, input_len, final);
- PORT_Assert (max_output_len >= max_needed);
- if (max_output_len < max_needed) {
- /* PORT_SetError (XXX); */
- return SECFailure;
- }
-
- bsize = obj->block_size;
- padsize = obj->pad_size;
-
- /*
- * When no blocking and padding work to do, we can simply call the
- * cipher function and we are done.
- */
- if (bsize == 0) {
- return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
- input, input_len);
- }
-
- pcount = obj->pending_count;
- pbuf = obj->pending_buf;
-
- output_len = 0;
-
- if (pcount) {
- /*
- * Try to fill in an entire block, starting with the bytes
- * we already have saved away.
- */
- while (input_len && pcount < bsize) {
- pbuf[pcount++] = *input++;
- input_len--;
- }
- /*
- * If we do not have a full block and we know we will be
- * called again, then we are done for now.
- */
- if (pcount < bsize && !final) {
- obj->pending_count = pcount;
- if (output_len_p != NULL)
- *output_len_p = 0;
- return SECSuccess;
- }
- /*
- * If we have a whole block available, encrypt it.
- */
- if ((padsize == 0) || (pcount % padsize) == 0) {
- rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
- pbuf, pcount);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7EncryptLength needs to be made smarter!
- */
- PORT_Assert (ofraglen == pcount);
-
- /*
- * Account for the bytes now in output.
- */
- max_output_len -= ofraglen;
- output_len += ofraglen;
- output += ofraglen;
-
- pcount = 0;
- }
- }
-
- if (input_len) {
- PORT_Assert (pcount == 0);
-
- blocks = input_len / bsize;
- ifraglen = blocks * bsize;
-
- if (ifraglen) {
- rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
- input, ifraglen);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7EncryptLength needs to be made smarter!
- */
- PORT_Assert (ifraglen == ofraglen);
-
- max_output_len -= ofraglen;
- output_len += ofraglen;
- output += ofraglen;
- }
-
- pcount = input_len - ifraglen;
- PORT_Assert (pcount < bsize);
- if (pcount)
- PORT_Memcpy (pbuf, input + ifraglen, pcount);
- }
-
- if (final) {
- padlen = padsize - (pcount % padsize);
- PORT_Memset (pbuf + pcount, padlen, padlen);
- rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
- pbuf, pcount+padlen);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7EncryptLength needs to be made smarter!
- */
- PORT_Assert (ofraglen == (pcount+padlen));
- output_len += ofraglen;
- } else {
- obj->pending_count = pcount;
- }
-
- PORT_Assert (output_len_p != NULL || output_len == 0);
- if (output_len_p != NULL)
- *output_len_p = output_len;
-
- return SECSuccess;
-}
-
-/*
- * End of cipher stuff.
- * -------------------------------------------------------------------
- */
-
-
-/*
- * -------------------------------------------------------------------
- * XXX The following Attribute stuff really belongs elsewhere.
- * The Attribute type is *not* part of pkcs7 but rather X.501.
- * But for now, since PKCS7 is the only customer of attributes,
- * we define them here. Once there is a use outside of PKCS7,
- * then change the attribute types and functions from internal
- * to external naming convention, and move them elsewhere!
- */
-
-/*
- * Look through a set of attributes and find one that matches the
- * specified object ID. If "only" is true, then make sure that
- * there is not more than one attribute of the same type. Otherwise,
- * just return the first one found. (XXX Does anybody really want
- * that first-found behavior? It was like that when I found it...)
- */
-SEC_PKCS7Attribute *
-sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs, SECOidTag oidtag,
- PRBool only)
-{
- SECOidData *oid;
- SEC_PKCS7Attribute *attr1, *attr2;
-
- if (attrs == NULL)
- return NULL;
-
- oid = SECOID_FindOIDByTag(oidtag);
- if (oid == NULL)
- return NULL;
-
- while ((attr1 = *attrs++) != NULL) {
- if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
- oid->oid.data,
- oid->oid.len) == 0)
- break;
- }
-
- if (attr1 == NULL)
- return NULL;
-
- if (!only)
- return attr1;
-
- while ((attr2 = *attrs++) != NULL) {
- if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
- oid->oid.data,
- oid->oid.len) == 0)
- break;
- }
-
- if (attr2 != NULL)
- return NULL;
-
- return attr1;
-}
-
-
-/*
- * Return the single attribute value, doing some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-SECItem *
-sec_PKCS7AttributeValue(SEC_PKCS7Attribute *attr)
-{
- SECItem *value;
-
- if (attr == NULL)
- return NULL;
-
- value = attr->values[0];
-
- if (value == NULL || value->data == NULL || value->len == 0)
- return NULL;
-
- if (attr->values[1] != NULL)
- return NULL;
-
- return value;
-}
-
-static const SEC_ASN1Template *
-sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS7Attribute *attribute;
- SECOidData *oiddata;
- PRBool encoded;
-
- PORT_Assert (src_or_dest != NULL);
- if (src_or_dest == NULL)
- return NULL;
-
- attribute = (SEC_PKCS7Attribute*)src_or_dest;
-
- if (encoding && attribute->encoded)
- return SEC_AnyTemplate;
-
- oiddata = attribute->typeTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&attribute->type);
- attribute->typeTag = oiddata;
- }
-
- if (oiddata == NULL) {
- encoded = PR_TRUE;
- theTemplate = SEC_AnyTemplate;
- } else {
- switch (oiddata->offset) {
- default:
- encoded = PR_TRUE;
- theTemplate = SEC_AnyTemplate;
- break;
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- case SEC_OID_RFC1274_MAIL:
- case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
- encoded = PR_FALSE;
- theTemplate = SEC_IA5StringTemplate;
- break;
- case SEC_OID_PKCS9_CONTENT_TYPE:
- encoded = PR_FALSE;
- theTemplate = SEC_ObjectIDTemplate;
- break;
- case SEC_OID_PKCS9_MESSAGE_DIGEST:
- encoded = PR_FALSE;
- theTemplate = SEC_OctetStringTemplate;
- break;
- case SEC_OID_PKCS9_SIGNING_TIME:
- encoded = PR_FALSE;
- theTemplate = SEC_UTCTimeTemplate;
- break;
- /* XXX Want other types here, too */
- }
- }
-
- if (encoding) {
- /*
- * If we are encoding and we think we have an already-encoded value,
- * then the code which initialized this attribute should have set
- * the "encoded" property to true (and we would have returned early,
- * up above). No devastating error, but that code should be fixed.
- * (It could indicate that the resulting encoded bytes are wrong.)
- */
- PORT_Assert (!encoded);
- } else {
- /*
- * We are decoding; record whether the resulting value is
- * still encoded or not.
- */
- attribute->encoded = encoded;
- }
- return theTemplate;
-}
-
-static SEC_ChooseASN1TemplateFunc sec_attr_chooser
- = sec_attr_choose_attr_value_template;
-
-static const SEC_ASN1Template sec_pkcs7_attribute_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS7Attribute) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SEC_PKCS7Attribute,type) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7Attribute,values),
- &sec_attr_chooser },
- { 0 }
-};
-
-static const SEC_ASN1Template sec_pkcs7_set_of_attribute_template[] = {
- { SEC_ASN1_SET_OF, 0, sec_pkcs7_attribute_template },
-};
-
-/*
- * If you are wondering why this routine does not reorder the attributes
- * first, and might be tempted to make it do so, see the comment by the
- * call to ReorderAttributes in p7encode.c. (Or, see who else calls this
- * and think long and hard about the implications of making it always
- * do the reordering.)
- */
-SECItem *
-sec_PKCS7EncodeAttributes (PRArenaPool *poolp, SECItem *dest, void *src)
-{
- return SEC_ASN1EncodeItem (poolp, dest, src,
- sec_pkcs7_set_of_attribute_template);
-}
-
-/*
- * Make sure that the order of the attributes guarantees valid DER
- * (which must be in lexigraphically ascending order for a SET OF);
- * if reordering is necessary it will be done in place (in attrs).
- */
-SECStatus
-sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs)
-{
- PRArenaPool *poolp;
- int num_attrs, i, j, pass, besti;
- SECItem **enc_attrs;
- SEC_PKCS7Attribute **new_attrs;
-
- /*
- * I think we should not be called with NULL. But if we are,
- * call it a success anyway, because the order *is* okay.
- */
- PORT_Assert (attrs != NULL);
- if (attrs == NULL)
- return SECSuccess;
-
- /*
- * Count how many attributes we are dealing with here.
- */
- num_attrs = 0;
- while (attrs[num_attrs] != NULL)
- num_attrs++;
-
- /*
- * Again, I think we should have some attributes here.
- * But if we do not, or if there is only one, then call it
- * a success because it also already has a fine order.
- */
- PORT_Assert (num_attrs);
- if (num_attrs == 0 || num_attrs == 1)
- return SECSuccess;
-
- /*
- * Allocate an arena for us to work with, so it is easy to
- * clean up all of the memory (fairly small pieces, really).
- */
- poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (poolp == NULL)
- return SECFailure; /* no memory; nothing we can do... */
-
- /*
- * Allocate arrays to hold the individual encodings which we will use
- * for comparisons and the reordered attributes as they are sorted.
- */
- enc_attrs=(SECItem**)PORT_ArenaZAlloc(poolp, num_attrs*sizeof(SECItem *));
- new_attrs = (SEC_PKCS7Attribute**)PORT_ArenaZAlloc (poolp,
- num_attrs * sizeof(SEC_PKCS7Attribute *));
- if (enc_attrs == NULL || new_attrs == NULL) {
- PORT_FreeArena (poolp, PR_FALSE);
- return SECFailure;
- }
-
- /*
- * DER encode each individual attribute.
- */
- for (i = 0; i < num_attrs; i++) {
- enc_attrs[i] = SEC_ASN1EncodeItem (poolp, NULL, attrs[i],
- sec_pkcs7_attribute_template);
- if (enc_attrs[i] == NULL) {
- PORT_FreeArena (poolp, PR_FALSE);
- return SECFailure;
- }
- }
-
- /*
- * Now compare and sort them; this is not the most efficient sorting
- * method, but it is just fine for the problem at hand, because the
- * number of attributes is (always) going to be small.
- */
- for (pass = 0; pass < num_attrs; pass++) {
- /*
- * Find the first not-yet-accepted attribute. (Once one is
- * sorted into the other array, it is cleared from enc_attrs.)
- */
- for (i = 0; i < num_attrs; i++) {
- if (enc_attrs[i] != NULL)
- break;
- }
- PORT_Assert (i < num_attrs);
- besti = i;
-
- /*
- * Find the lowest (lexigraphically) encoding. One that is
- * shorter than all the rest is known to be "less" because each
- * attribute is of the same type (a SEQUENCE) and so thus the
- * first octet of each is the same, and the second octet is
- * the length (or the length of the length with the high bit
- * set, followed by the length, which also works out to always
- * order the shorter first). Two (or more) that have the
- * same length need to be compared byte by byte until a mismatch
- * is found.
- */
- for (i = besti + 1; i < num_attrs; i++) {
- if (enc_attrs[i] == NULL) /* slot already handled */
- continue;
-
- if (enc_attrs[i]->len != enc_attrs[besti]->len) {
- if (enc_attrs[i]->len < enc_attrs[besti]->len)
- besti = i;
- continue;
- }
-
- for (j = 0; j < enc_attrs[i]->len; j++) {
- if (enc_attrs[i]->data[j] < enc_attrs[besti]->data[j]) {
- besti = i;
- break;
- }
- }
-
- /*
- * For this not to be true, we would have to have encountered
- * two *identical* attributes, which I think we should not see.
- * So assert if it happens, but even if it does, let it go
- * through; the ordering of the two does not matter.
- */
- PORT_Assert (j < enc_attrs[i]->len);
- }
-
- /*
- * Now we have found the next-lowest one; copy it over and
- * remove it from enc_attrs.
- */
- new_attrs[pass] = attrs[besti];
- enc_attrs[besti] = NULL;
- }
-
- /*
- * Now new_attrs has the attributes in the order we want;
- * copy them back into the attrs array we started with.
- */
- for (i = 0; i < num_attrs; i++)
- attrs[i] = new_attrs[i];
-
- PORT_FreeArena (poolp, PR_FALSE);
- return SECSuccess;
-}
-
-/*
- * End of attribute stuff.
- * -------------------------------------------------------------------
- */
-
-
-/*
- * Templates and stuff. Keep these at the end of the file.
- */
-
-/* forward declaration */
-static const SEC_ASN1Template *
-sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding);
-
-static SEC_ChooseASN1TemplateFunc sec_pkcs7_chooser
- = sec_pkcs7_choose_content_template;
-
-const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7ContentInfo) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SEC_PKCS7ContentInfo,contentType) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
- | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS7ContentInfo,content),
- &sec_pkcs7_chooser },
- { 0 }
-};
-
-/* XXX These names should change from external to internal convention. */
-
-static const SEC_ASN1Template SEC_PKCS7SignerInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS7SignerInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7SignerInfo,version) },
- { SEC_ASN1_POINTER,
- offsetof(SEC_PKCS7SignerInfo,issuerAndSN),
- CERT_IssuerAndSNTemplate },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7SignerInfo,digestAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS7SignerInfo,authAttr),
- sec_pkcs7_set_of_attribute_template },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7SignerInfo,digestEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS7SignerInfo,encDigest) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS7SignerInfo,unAuthAttr),
- sec_pkcs7_set_of_attribute_template },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PKCS7SignedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7SignedData) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7SignedData,version) },
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7SignedData,digestAlgorithms),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7SignedData,contentInfo),
- sec_PKCS7ContentInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS7SignedData,rawCerts),
- SEC_SetOfAnyTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS7SignedData,crls),
- CERT_SetOfSignedCrlTemplate },
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7SignedData,signerInfos),
- SEC_PKCS7SignerInfoTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7SignedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7RecipientInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS7RecipientInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7RecipientInfo,version) },
- { SEC_ASN1_POINTER,
- offsetof(SEC_PKCS7RecipientInfo,issuerAndSN),
- CERT_IssuerAndSNTemplate },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7RecipientInfo,keyEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS7RecipientInfo,encKey) },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PKCS7EncryptedContentInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7EncryptedContentInfo) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SEC_PKCS7EncryptedContentInfo,contentType) },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7EncryptedContentInfo,contentEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS7EncryptedContentInfo,encContent),
- SEC_OctetStringTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PKCS7EnvelopedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7EnvelopedData) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7EnvelopedData,version) },
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7EnvelopedData,recipientInfos),
- SEC_PKCS7RecipientInfoTemplate },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7EnvelopedData,encContentInfo),
- SEC_PKCS7EncryptedContentInfoTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7EnvelopedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_PKCS7EnvelopedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7SignedAndEnvelopedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7SignedAndEnvelopedData) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,version) },
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,recipientInfos),
- SEC_PKCS7RecipientInfoTemplate },
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,digestAlgorithms),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,encContentInfo),
- SEC_PKCS7EncryptedContentInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,rawCerts),
- SEC_SetOfAnyTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,crls),
- CERT_SetOfSignedCrlTemplate },
- { SEC_ASN1_SET_OF,
- offsetof(SEC_PKCS7SignedAndEnvelopedData,signerInfos),
- SEC_PKCS7SignerInfoTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template
-SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedAndEnvelopedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7DigestedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7DigestedData) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7DigestedData,version) },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7DigestedData,digestAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7DigestedData,contentInfo),
- sec_PKCS7ContentInfoTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS7DigestedData,digest) },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7DigestedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_PKCS7DigestedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7EncryptedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(SEC_PKCS7EncryptedData) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS7EncryptedData,version) },
- { SEC_ASN1_INLINE,
- offsetof(SEC_PKCS7EncryptedData,encContentInfo),
- SEC_PKCS7EncryptedContentInfoTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7EncryptedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_PKCS7EncryptedDataTemplate }
-};
-
-const SEC_ASN1Template SEC_SMIMEKEAParamTemplateSkipjack[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
- { SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
- offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_SMIMEKEAParamTemplateNoSkipjack[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
- { SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
- offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_OPTIONAL ,
- offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
- { SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
- offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_OPTIONAL ,
- offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_OPTIONAL ,
- offsetof(SEC_PKCS7SMIMEKEAParameters,bulkKeySize) },
- { 0 }
-};
-
-const SEC_ASN1Template*
-sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate)
-{
- const SEC_ASN1Template *returnVal = NULL;
-
- switch(whichTemplate)
- {
- case SECKEAUsesNonSkipjack:
- returnVal = SEC_SMIMEKEAParamTemplateNoSkipjack;
- break;
- case SECKEAUsesSkipjack:
- returnVal = SEC_SMIMEKEAParamTemplateSkipjack;
- break;
- case SECKEAUsesNonSkipjackWithPaddedEncKey:
- default:
- returnVal = SEC_SMIMEKEAParamTemplateAllParams;
- break;
- }
- return returnVal;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- SEC_PKCS7ContentInfo *cinfo;
- SECOidTag kind;
-
- PORT_Assert (src_or_dest != NULL);
- if (src_or_dest == NULL)
- return NULL;
-
- cinfo = (SEC_PKCS7ContentInfo*)src_or_dest;
- kind = SEC_PKCS7ContentType (cinfo);
- switch (kind) {
- default:
- theTemplate = SEC_PointerToAnyTemplate;
- break;
- case SEC_OID_PKCS7_DATA:
- theTemplate = SEC_PointerToOctetStringTemplate;
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- theTemplate = SEC_PointerToPKCS7SignedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- theTemplate = SEC_PointerToPKCS7EnvelopedDataTemplate;
- break;
- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
- theTemplate = SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- theTemplate = SEC_PointerToPKCS7DigestedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- theTemplate = SEC_PointerToPKCS7EncryptedDataTemplate;
- break;
- }
- return theTemplate;
-}
-
-/*
- * End of templates. Do not add stuff after this; put new code
- * up above the start of the template definitions.
- */
diff --git a/security/nss/lib/pkcs7/p7local.h b/security/nss/lib/pkcs7/p7local.h
deleted file mode 100644
index 80640c930..000000000
--- a/security/nss/lib/pkcs7/p7local.h
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support routines for PKCS7 implementation, none of which are exported.
- * This file should only contain things that are needed by both the
- * encoding/creation side *and* the decoding/decryption side. Anything
- * else should just be static routines in the appropriate file.
- *
- * Do not export this file! If something in here is really needed outside
- * of pkcs7 code, first try to add a PKCS7 interface which will do it for
- * you. If that has a problem, then just move out what you need, changing
- * its name as appropriate!
- *
- * $Id$
- */
-
-#ifndef _P7LOCAL_H_
-#define _P7LOCAL_H_
-
-#include "secpkcs7.h"
-#include "secasn1t.h"
-
-extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
-
-/* opaque objects */
-typedef struct sec_pkcs7_cipher_object sec_PKCS7CipherObject;
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * Look through a set of attributes and find one that matches the
- * specified object ID. If "only" is true, then make sure that
- * there is not more than one attribute of the same type. Otherwise,
- * just return the first one found. (XXX Does anybody really want
- * that first-found behavior? It was like that when I found it...)
- */
-extern SEC_PKCS7Attribute *sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs,
- SECOidTag oidtag,
- PRBool only);
-/*
- * Return the single attribute value, doing some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-extern SECItem *sec_PKCS7AttributeValue (SEC_PKCS7Attribute *attr);
-
-/*
- * Encode a set of attributes (found in "src").
- */
-extern SECItem *sec_PKCS7EncodeAttributes (PRArenaPool *poolp,
- SECItem *dest, void *src);
-
-/*
- * Make sure that the order of the attributes guarantees valid DER
- * (which must be in lexigraphically ascending order for a SET OF);
- * if reordering is necessary it will be done in place (in attrs).
- */
-extern SECStatus sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs);
-
-
-/*
- * Create a context for decrypting, based on the given key and algorithm.
- */
-extern sec_PKCS7CipherObject *
-sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid);
-
-/*
- * Create a context for encrypting, based on the given key and algorithm,
- * and fill in the algorithm id.
- */
-extern sec_PKCS7CipherObject *
-sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
- SECOidTag algtag, SECAlgorithmID *algid);
-
-/*
- * Destroy the given decryption or encryption object.
- */
-extern void sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj);
-extern void sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj);
-
-/*
- * What will be the output length of the next call to encrypt/decrypt?
- * Result can be used to perform memory allocations. Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and the cipher block size).
- *
- * Note that this can return zero, which does not mean that the cipher
- * operation can be skipped! (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.) However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent cipher operation, as no output bytes
- * will be stored.
- */
-extern unsigned int sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj,
- unsigned int input_len,
- PRBool final);
-extern unsigned int sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj,
- unsigned int input_len,
- PRBool final);
-
-/*
- * Decrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateDecryptObject.
- * When "final" is true, this is the last of the data to be decrypted.
- */
-extern SECStatus sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj,
- unsigned char *output,
- unsigned int *output_len_p,
- unsigned int max_output_len,
- const unsigned char *input,
- unsigned int input_len,
- PRBool final);
-
-/*
- * Encrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateEncryptObject.
- * When "final" is true, this is the last of the data to be encrypted.
- */
-extern SECStatus sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj,
- unsigned char *output,
- unsigned int *output_len_p,
- unsigned int max_output_len,
- const unsigned char *input,
- unsigned int input_len,
- PRBool final);
-
-/* return the correct kea template based on the template selector. skipjack
- * does not have the extra IV.
- */
-const SEC_ASN1Template *
-sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _P7LOCAL_H_ */
diff --git a/security/nss/lib/pkcs7/pkcs7t.h b/security/nss/lib/pkcs7/pkcs7t.h
deleted file mode 100644
index 73b23014d..000000000
--- a/security/nss/lib/pkcs7/pkcs7t.h
+++ /dev/null
@@ -1,292 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Header for pkcs7 types.
- *
- * $Id$
- */
-
-#ifndef _PKCS7T_H_
-#define _PKCS7T_H_
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "certt.h"
-#include "secmodt.h"
-
-/* Opaque objects */
-typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
-typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
-
-/* Non-opaque objects. NOTE, though: I want them to be treated as
- * opaque as much as possible. If I could hide them completely,
- * I would. (I tried, but ran into trouble that was taking me too
- * much time to get out of.) I still intend to try to do so.
- * In fact, the only type that "outsiders" should even *name* is
- * SEC_PKCS7ContentInfo, and they should not reference its fields.
- */
-/* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
- * This is because when we search the recipient list for the cert and key we
- * want, we need to invert the order of the loops we used to have. The old
- * loops were:
- *
- * For each recipient {
- * find_cert = PK11_Find_AllCert(recipient->issuerSN);
- * [which unrolls to... ]
- * For each slot {
- * Log into slot;
- * search slot for cert;
- * }
- * }
- *
- * the new loop searchs all the recipients at once on a slot. this allows
- * PKCS #11 to order slots in such a way that logout slots don't get checked
- * if we can find the cert on a logged in slot. This eliminates lots of
- * spurious password prompts when smart cards are installed... so why this
- * comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
- * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
- * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
- * function.
- */
-typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
-typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
-typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
-typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
-typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
- SEC_PKCS7SignedAndEnvelopedData;
-typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
-typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
-typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
-typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
-typedef struct SEC_PKCS7SMIMEKEAParametersStr SEC_PKCS7SMIMEKEAParameters;
-/*
- * The following is not actually a PKCS7 type, but for now it is only
- * used by PKCS7, so we have adopted it. If someone else *ever* needs
- * it, its name should be changed and it should be moved out of here.
- * Do not dare to use it without doing so!
- */
-typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
-
-
-struct SEC_PKCS7ContentInfoStr {
- PRArenaPool *poolp; /* local; not part of encoding */
- PRBool created; /* local; not part of encoding */
- int refCount; /* local; not part of encoding */
- SECOidData *contentTypeTag; /* local; not part of encoding */
- SECKEYGetPasswordKey pwfn; /* local; not part of encoding */
- void *pwfn_arg; /* local; not part of encoding */
- SECItem contentType;
- union {
- SECItem *data;
- SEC_PKCS7DigestedData *digestedData;
- SEC_PKCS7EncryptedData *encryptedData;
- SEC_PKCS7EnvelopedData *envelopedData;
- SEC_PKCS7SignedData *signedData;
- SEC_PKCS7SignedAndEnvelopedData *signedAndEnvelopedData;
- } content;
-};
-
-struct SEC_PKCS7SignedDataStr {
- SECItem version;
- SECAlgorithmID **digestAlgorithms;
- SEC_PKCS7ContentInfo contentInfo;
- SECItem **rawCerts;
- CERTSignedCrl **crls;
- SEC_PKCS7SignerInfo **signerInfos;
- SECItem **digests; /* local; not part of encoding */
- CERTCertificate **certs; /* local; not part of encoding */
- CERTCertificateList **certLists; /* local; not part of encoding */
-};
-#define SEC_PKCS7_SIGNED_DATA_VERSION 1 /* what we *create* */
-
-struct SEC_PKCS7EncryptedContentInfoStr {
- SECOidData *contentTypeTag; /* local; not part of encoding */
- SECItem contentType;
- SECAlgorithmID contentEncAlg;
- SECItem encContent;
- SECItem plainContent; /* local; not part of encoding */
- /* bytes not encrypted, but encoded */
- int keysize; /* local; not part of encoding */
- /* size of bulk encryption key
- * (only used by creation code) */
- SECOidTag encalg; /* local; not part of encoding */
- /* oid tag of encryption algorithm
- * (only used by creation code) */
-};
-
-struct SEC_PKCS7EnvelopedDataStr {
- SECItem version;
- SEC_PKCS7RecipientInfo **recipientInfos;
- SEC_PKCS7EncryptedContentInfo encContentInfo;
-};
-#define SEC_PKCS7_ENVELOPED_DATA_VERSION 0 /* what we *create* */
-
-struct SEC_PKCS7SignedAndEnvelopedDataStr {
- SECItem version;
- SEC_PKCS7RecipientInfo **recipientInfos;
- SECAlgorithmID **digestAlgorithms;
- SEC_PKCS7EncryptedContentInfo encContentInfo;
- SECItem **rawCerts;
- CERTSignedCrl **crls;
- SEC_PKCS7SignerInfo **signerInfos;
- SECItem **digests; /* local; not part of encoding */
- CERTCertificate **certs; /* local; not part of encoding */
- CERTCertificateList **certLists; /* local; not part of encoding */
- PK11SymKey *sigKey; /* local; not part of encoding */
-};
-#define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1 /* what we *create* */
-
-struct SEC_PKCS7SignerInfoStr {
- SECItem version;
- CERTIssuerAndSN *issuerAndSN;
- SECAlgorithmID digestAlg;
- SEC_PKCS7Attribute **authAttr;
- SECAlgorithmID digestEncAlg;
- SECItem encDigest;
- SEC_PKCS7Attribute **unAuthAttr;
- CERTCertificate *cert; /* local; not part of encoding */
- CERTCertificateList *certList; /* local; not part of encoding */
-};
-#define SEC_PKCS7_SIGNER_INFO_VERSION 1 /* what we *create* */
-
-struct SEC_PKCS7RecipientInfoStr {
- SECItem version;
- CERTIssuerAndSN *issuerAndSN;
- SECAlgorithmID keyEncAlg;
- SECItem encKey;
- CERTCertificate *cert; /* local; not part of encoding */
-};
-#define SEC_PKCS7_RECIPIENT_INFO_VERSION 0 /* what we *create* */
-
-struct SEC_PKCS7DigestedDataStr {
- SECItem version;
- SECAlgorithmID digestAlg;
- SEC_PKCS7ContentInfo contentInfo;
- SECItem digest;
-};
-#define SEC_PKCS7_DIGESTED_DATA_VERSION 0 /* what we *create* */
-
-struct SEC_PKCS7EncryptedDataStr {
- SECItem version;
- SEC_PKCS7EncryptedContentInfo encContentInfo;
-};
-#define SEC_PKCS7_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
-
-/*
- * See comment above about this type not really belonging to PKCS7.
- */
-struct SEC_PKCS7AttributeStr {
- /* The following fields make up an encoded Attribute: */
- SECItem type;
- SECItem **values; /* data may or may not be encoded */
- /* The following fields are not part of an encoded Attribute: */
- SECOidData *typeTag;
- PRBool encoded; /* when true, values are encoded */
-};
-
-/* An enumerated type used to select templates based on the encryption
- scenario and data specifics. */
-typedef enum
-{
- SECKEAUsesSkipjack,
- SECKEAUsesNonSkipjack,
- SECKEAUsesNonSkipjackWithPaddedEncKey
-} SECKEATemplateSelector;
-
-/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
- but I cannot think of a more appropriate place at this time. */
-struct SEC_PKCS7SMIMEKEAParametersStr {
- SECItem originatorKEAKey; /* sender KEA key (encrypted?) */
- SECItem originatorRA; /* random number generated by sender */
- SECItem nonSkipjackIV; /* init'n vector for SkipjackCBC64
- decryption of KEA key if Skipjack
- is not the bulk algorithm used on
- the message */
- SECItem bulkKeySize; /* if Skipjack is not the bulk
- algorithm used on the message,
- and the size of the bulk encryption
- key is not the same as that of
- originatorKEAKey (due to padding
- perhaps), this field will contain
- the real size of the bulk encryption
- key. */
-};
-
-/*
- * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
- * If specified, this is where the content bytes (only) will be "sent"
- * as they are recovered during the decoding.
- *
- * XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
- * and use a simpler, common name.
- */
-typedef void (* SEC_PKCS7DecoderContentCallback)(void *arg,
- const char *buf,
- unsigned long len);
-
-/*
- * Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
- * This is where the encoded bytes will be "sent".
- *
- * XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
- * and use a simpler, common name.
- */
-typedef void (* SEC_PKCS7EncoderOutputCallback)(void *arg,
- const char *buf,
- unsigned long len);
-
-
-/*
- * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
- * to retrieve the decryption key. This function is inteded to be
- * used for EncryptedData content info's which do not have a key available
- * in a certificate, etc.
- */
-typedef PK11SymKey * (* SEC_PKCS7GetDecryptKeyCallback)(void *arg,
- SECAlgorithmID *algid);
-
-/*
- * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
- * This function in intended to be used to verify that decrypting a
- * particular crypto algorithm is allowed. Content types which do not
- * require decryption will not need the callback. If the callback
- * is not specified for content types which require decryption, the
- * decryption will be disallowed.
- */
-typedef PRBool (* SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,
- PK11SymKey *bulkkey);
-
-#endif /* _PKCS7T_H_ */
diff --git a/security/nss/lib/pkcs7/secmime.c b/security/nss/lib/pkcs7/secmime.c
deleted file mode 100644
index 017896bd7..000000000
--- a/security/nss/lib/pkcs7/secmime.c
+++ /dev/null
@@ -1,901 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Stuff specific to S/MIME policy and interoperability.
- * Depends on PKCS7, but there should be no dependency the other way around.
- *
- * $Id$
- */
-
-#include "secmime.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "ciferfam.h" /* for CIPHER_FAMILY symbols */
-#include "secasn1.h"
-#include "secitem.h"
-#include "cert.h"
-#include "key.h"
-#include "secerr.h"
-
-typedef struct smime_cipher_map_struct {
- unsigned long cipher;
- SECOidTag algtag;
- SECItem *parms;
-} smime_cipher_map;
-
-/*
- * These are macros because I think some subsequent parameters,
- * like those for RC5, will want to use them, too, separately.
- */
-#define SMIME_DER_INTVAL_16 SEC_ASN1_INTEGER, 0x01, 0x10
-#define SMIME_DER_INTVAL_40 SEC_ASN1_INTEGER, 0x01, 0x28
-#define SMIME_DER_INTVAL_64 SEC_ASN1_INTEGER, 0x01, 0x40
-#define SMIME_DER_INTVAL_128 SEC_ASN1_INTEGER, 0x02, 0x00, 0x80
-
-#ifdef SMIME_DOES_RC5 /* will be needed; quiet unused warning for now */
-static unsigned char smime_int16[] = { SMIME_DER_INTVAL_16 };
-#endif
-static unsigned char smime_int40[] = { SMIME_DER_INTVAL_40 };
-static unsigned char smime_int64[] = { SMIME_DER_INTVAL_64 };
-static unsigned char smime_int128[] = { SMIME_DER_INTVAL_128 };
-
-static SECItem smime_rc2p40 = { siBuffer, smime_int40, sizeof(smime_int40) };
-static SECItem smime_rc2p64 = { siBuffer, smime_int64, sizeof(smime_int64) };
-static SECItem smime_rc2p128 = { siBuffer, smime_int128, sizeof(smime_int128) };
-
-static smime_cipher_map smime_cipher_maps[] = {
- { SMIME_RC2_CBC_40, SEC_OID_RC2_CBC, &smime_rc2p40 },
- { SMIME_RC2_CBC_64, SEC_OID_RC2_CBC, &smime_rc2p64 },
- { SMIME_RC2_CBC_128, SEC_OID_RC2_CBC, &smime_rc2p128 },
-#ifdef SMIME_DOES_RC5
- { SMIME_RC5PAD_64_16_40, SEC_OID_RC5_CBC_PAD, &smime_rc5p40 },
- { SMIME_RC5PAD_64_16_64, SEC_OID_RC5_CBC_PAD, &smime_rc5p64 },
- { SMIME_RC5PAD_64_16_128, SEC_OID_RC5_CBC_PAD, &smime_rc5p128 },
-#endif
- { SMIME_DES_CBC_56, SEC_OID_DES_CBC, NULL },
- { SMIME_DES_EDE3_168, SEC_OID_DES_EDE3_CBC, NULL },
- { SMIME_FORTEZZA, SEC_OID_FORTEZZA_SKIPJACK, NULL}
-};
-
-/*
- * Note, the following value really just needs to be an upper bound
- * on the ciphers.
- */
-static const int smime_symmetric_count = sizeof(smime_cipher_maps)
- / sizeof(smime_cipher_map);
-
-static unsigned long *smime_prefs, *smime_newprefs;
-static int smime_current_pref_index = 0;
-static PRBool smime_prefs_complete = PR_FALSE;
-static PRBool smime_prefs_changed = PR_TRUE;
-
-static unsigned long smime_policy_bits = 0;
-
-
-static int
-smime_mapi_by_cipher (unsigned long cipher)
-{
- int i;
-
- for (i = 0; i < smime_symmetric_count; i++) {
- if (smime_cipher_maps[i].cipher == cipher)
- break;
- }
-
- if (i == smime_symmetric_count)
- return -1;
-
- return i;
-}
-
-
-/*
- * this function locally records the user's preference
- */
-SECStatus
-SECMIME_EnableCipher(long which, int on)
-{
- unsigned long mask;
-
- if (smime_newprefs == NULL || smime_prefs_complete) {
- /*
- * This is either the very first time, or we are starting over.
- */
- smime_newprefs = (unsigned long*)PORT_ZAlloc (smime_symmetric_count
- * sizeof(*smime_newprefs));
- if (smime_newprefs == NULL)
- return SECFailure;
- smime_current_pref_index = 0;
- smime_prefs_complete = PR_FALSE;
- }
-
- mask = which & CIPHER_FAMILYID_MASK;
- if (mask == CIPHER_FAMILYID_MASK) {
- /*
- * This call signifies that all preferences have been set.
- * Move "newprefs" over, after checking first whether or
- * not the new ones are different from the old ones.
- */
- if (smime_prefs != NULL) {
- if (PORT_Memcmp (smime_prefs, smime_newprefs,
- smime_symmetric_count * sizeof(*smime_prefs)) == 0)
- smime_prefs_changed = PR_FALSE;
- else
- smime_prefs_changed = PR_TRUE;
- PORT_Free (smime_prefs);
- }
-
- smime_prefs = smime_newprefs;
- smime_prefs_complete = PR_TRUE;
- return SECSuccess;
- }
-
- PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
- if (mask != CIPHER_FAMILYID_SMIME) {
- /* XXX set an error! */
- return SECFailure;
- }
-
- if (on) {
- PORT_Assert (smime_current_pref_index < smime_symmetric_count);
- if (smime_current_pref_index >= smime_symmetric_count) {
- /* XXX set an error! */
- return SECFailure;
- }
-
- smime_newprefs[smime_current_pref_index++] = which;
- }
-
- return SECSuccess;
-}
-
-
-/*
- * this function locally records the export policy
- */
-SECStatus
-SECMIME_SetPolicy(long which, int on)
-{
- unsigned long mask;
-
- PORT_Assert ((which & CIPHER_FAMILYID_MASK) == CIPHER_FAMILYID_SMIME);
- if ((which & CIPHER_FAMILYID_MASK) != CIPHER_FAMILYID_SMIME) {
- /* XXX set an error! */
- return SECFailure;
- }
-
- which &= ~CIPHER_FAMILYID_MASK;
-
- PORT_Assert (which < 32); /* bits in the long */
- if (which >= 32) {
- /* XXX set an error! */
- return SECFailure;
- }
-
- mask = 1UL << which;
-
- if (on) {
- smime_policy_bits |= mask;
- } else {
- smime_policy_bits &= ~mask;
- }
-
- return SECSuccess;
-}
-
-
-/*
- * Based on the given algorithm (including its parameters, in some cases!)
- * and the given key (may or may not be inspected, depending on the
- * algorithm), find the appropriate policy algorithm specification
- * and return it. If no match can be made, -1 is returned.
- */
-static long
-smime_policy_algorithm (SECAlgorithmID *algid, PK11SymKey *key)
-{
- SECOidTag algtag;
-
- algtag = SECOID_GetAlgorithmTag (algid);
- switch (algtag) {
- case SEC_OID_RC2_CBC:
- {
- unsigned int keylen_bits;
-
- keylen_bits = PK11_GetKeyStrength (key, algid);
- switch (keylen_bits) {
- case 40:
- return SMIME_RC2_CBC_40;
- case 64:
- return SMIME_RC2_CBC_64;
- case 128:
- return SMIME_RC2_CBC_128;
- default:
- break;
- }
- }
- break;
- case SEC_OID_DES_CBC:
- return SMIME_DES_CBC_56;
- case SEC_OID_DES_EDE3_CBC:
- return SMIME_DES_EDE3_168;
- case SEC_OID_FORTEZZA_SKIPJACK:
- return SMIME_FORTEZZA;
-#ifdef SMIME_DOES_RC5
- case SEC_OID_RC5_CBC_PAD:
- PORT_Assert (0); /* XXX need to pull out parameters and match */
- break;
-#endif
- default:
- break;
- }
-
- return -1;
-}
-
-
-static PRBool
-smime_cipher_allowed (unsigned long which)
-{
- unsigned long mask;
-
- which &= ~CIPHER_FAMILYID_MASK;
- PORT_Assert (which < 32); /* bits per long (min) */
- if (which >= 32)
- return PR_FALSE;
-
- mask = 1UL << which;
- if ((mask & smime_policy_bits) == 0)
- return PR_FALSE;
-
- return PR_TRUE;
-}
-
-
-PRBool
-SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
-{
- long which;
-
- which = smime_policy_algorithm (algid, key);
- if (which < 0)
- return PR_FALSE;
-
- return smime_cipher_allowed ((unsigned long)which);
-}
-
-
-/*
- * Does the current policy allow *any* S/MIME encryption (or decryption)?
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy. Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments. The return value is a simple boolean:
- * PR_TRUE means encryption (or decryption) is *possible*
- * (but may still fail due to other reasons, like because we cannot
- * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- * PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-PRBool
-SECMIME_EncryptionPossible (void)
-{
- if (smime_policy_bits != 0)
- return PR_TRUE;
-
- return PR_FALSE;
-}
-
-
-/*
- * XXX Would like the "parameters" field to be a SECItem *, but the
- * encoder is having trouble with optional pointers to an ANY. Maybe
- * once that is fixed, can change this back...
- */
-typedef struct smime_capability_struct {
- unsigned long cipher; /* local; not part of encoding */
- SECOidTag capIDTag; /* local; not part of encoding */
- SECItem capabilityID;
- SECItem parameters;
-} smime_capability;
-
-static const SEC_ASN1Template smime_capability_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(smime_capability) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(smime_capability,capabilityID), },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(smime_capability,parameters), },
- { 0, }
-};
-
-static const SEC_ASN1Template smime_capabilities_template[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, smime_capability_template }
-};
-
-
-
-static void
-smime_fill_capability (smime_capability *cap)
-{
- unsigned long cipher;
- SECOidTag algtag;
- int i;
-
- algtag = SECOID_FindOIDTag (&(cap->capabilityID));
-
- for (i = 0; i < smime_symmetric_count; i++) {
- if (smime_cipher_maps[i].algtag != algtag)
- continue;
- /*
- * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
- * 2 NULLs as equal and NULL and non-NULL as not equal), we could
- * use that here instead of all of the following comparison code.
- */
- if (cap->parameters.data != NULL) {
- if (smime_cipher_maps[i].parms == NULL)
- continue;
- if (cap->parameters.len != smime_cipher_maps[i].parms->len)
- continue;
- if (PORT_Memcmp (cap->parameters.data,
- smime_cipher_maps[i].parms->data,
- cap->parameters.len) == 0)
- break;
- } else if (smime_cipher_maps[i].parms == NULL) {
- break;
- }
- }
-
- if (i == smime_symmetric_count)
- cipher = 0;
- else
- cipher = smime_cipher_maps[i].cipher;
-
- cap->cipher = cipher;
- cap->capIDTag = algtag;
-}
-
-
-static long
-smime_choose_cipher (CERTCertificate *scert, CERTCertificate **rcerts)
-{
- PRArenaPool *poolp;
- long chosen_cipher;
- int *cipher_abilities;
- int *cipher_votes;
- int strong_mapi;
- int rcount, mapi, max, i;
- PRBool isFortezza = PK11_FortezzaHasKEA(scert);
-
- if (smime_policy_bits == 0) {
- PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
- return -1;
- }
-
- chosen_cipher = SMIME_RC2_CBC_40; /* the default, LCD */
-
- poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (poolp == NULL)
- goto done;
-
- cipher_abilities = (int*)PORT_ArenaZAlloc (poolp,
- smime_symmetric_count * sizeof(int));
- if (cipher_abilities == NULL)
- goto done;
-
- cipher_votes = (int*)PORT_ArenaZAlloc (poolp,
- smime_symmetric_count * sizeof(int));
- if (cipher_votes == NULL)
- goto done;
-
- /*
- * XXX Should have a #define somewhere which specifies default
- * strong cipher. (Or better, a way to configure, which would
- * take Fortezza into account as well.)
- */
-
- /* If the user has the Fortezza preference turned on, make
- * that the strong cipher. Otherwise, use triple-DES. */
- strong_mapi = -1;
- if (isFortezza) {
- for(i=0;i < smime_current_pref_index && strong_mapi < 0;i++)
- {
- if (smime_prefs[i] == SMIME_FORTEZZA)
- strong_mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
- }
- }
-
- if (strong_mapi == -1)
- strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
-
- PORT_Assert (strong_mapi >= 0);
-
- for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
- SECItem *profile;
- smime_capability **caps;
- int capi, pref;
- SECStatus dstat;
-
- pref = smime_symmetric_count;
- profile = CERT_FindSMimeProfile (rcerts[rcount]);
- if (profile != NULL && profile->data != NULL && profile->len > 0) {
- caps = NULL;
- dstat = SEC_ASN1DecodeItem (poolp, &caps,
- smime_capabilities_template,
- profile);
- if (dstat == SECSuccess && caps != NULL) {
- for (capi = 0; caps[capi] != NULL; capi++) {
- smime_fill_capability (caps[capi]);
- mapi = smime_mapi_by_cipher (caps[capi]->cipher);
- if (mapi >= 0) {
- cipher_abilities[mapi]++;
- cipher_votes[mapi] += pref;
- --pref;
- }
- }
- }
- } else {
- SECKEYPublicKey *key;
- unsigned int pklen_bits;
-
- /*
- * XXX This is probably only good for RSA keys. What I would
- * really like is a function to just say; Is the public key in
- * this cert an export-length key? Then I would not have to
- * know things like the value 512, or the kind of key, or what
- * a subjectPublicKeyInfo is, etc.
- */
- key = CERT_ExtractPublicKey (rcerts[rcount]);
- if (key != NULL) {
- pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
- SECKEY_DestroyPublicKey (key);
-
- if (pklen_bits > 512) {
- cipher_abilities[strong_mapi]++;
- cipher_votes[strong_mapi] += pref;
- }
- }
- }
- if (profile != NULL)
- SECITEM_FreeItem (profile, PR_TRUE);
- }
-
- max = 0;
- for (mapi = 0; mapi < smime_symmetric_count; mapi++) {
- if (cipher_abilities[mapi] != rcount)
- continue;
- if (! smime_cipher_allowed (smime_cipher_maps[mapi].cipher))
- continue;
- if (!isFortezza && (smime_cipher_maps[mapi].cipher == SMIME_FORTEZZA))
- continue;
- if (cipher_votes[mapi] > max) {
- chosen_cipher = smime_cipher_maps[mapi].cipher;
- max = cipher_votes[mapi];
- } /* XXX else if a tie, let scert break it? */
- }
-
-done:
- if (poolp != NULL)
- PORT_FreeArena (poolp, PR_FALSE);
-
- return chosen_cipher;
-}
-
-
-/*
- * XXX This is a hack for now to satisfy our current interface.
- * Eventually, with more parameters needing to be specified, just
- * looking up the keysize is not going to be sufficient.
- */
-static int
-smime_keysize_by_cipher (unsigned long which)
-{
- int keysize;
-
- switch (which) {
- case SMIME_RC2_CBC_40:
- keysize = 40;
- break;
- case SMIME_RC2_CBC_64:
- keysize = 64;
- break;
- case SMIME_RC2_CBC_128:
- keysize = 128;
- break;
-#ifdef SMIME_DOES_RC5
- case SMIME_RC5PAD_64_16_40:
- case SMIME_RC5PAD_64_16_64:
- case SMIME_RC5PAD_64_16_128:
- /* XXX See comment above; keysize is not enough... */
- PORT_Assert (0);
- PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
- keysize = -1;
- break;
-#endif
- case SMIME_DES_CBC_56:
- case SMIME_DES_EDE3_168:
- case SMIME_FORTEZZA:
- /*
- * These are special; since the key size is fixed, we actually
- * want to *avoid* specifying a key size.
- */
- keysize = 0;
- break;
- default:
- keysize = -1;
- break;
- }
-
- return keysize;
-}
-
-
-/*
- * Start an S/MIME encrypting context.
- *
- * "scert" is the cert for the sender. It will be checked for validity.
- * "rcerts" are the certs for the recipients. They will also be checked.
- *
- * "certdb" is the cert database to use for verifying the certs.
- * It can be NULL if a default database is available (like in the client).
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SECMIME_CreateEncrypted(CERTCertificate *scert,
- CERTCertificate **rcerts,
- CERTCertDBHandle *certdb,
- SECKEYGetPasswordKey pwfn,
- void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- long cipher;
- SECOidTag encalg;
- int keysize;
- int mapi, rci;
-
- cipher = smime_choose_cipher (scert, rcerts);
- if (cipher < 0)
- return NULL;
-
- mapi = smime_mapi_by_cipher (cipher);
- if (mapi < 0)
- return NULL;
-
- /*
- * XXX This is stretching it -- CreateEnvelopedData should probably
- * take a cipher itself of some sort, because we cannot know what the
- * future will bring in terms of parameters for each type of algorithm.
- * For example, just an algorithm and keysize is *not* sufficient to
- * fully specify the usage of RC5 (which also needs to know rounds and
- * block size). Work this out into a better API!
- */
- encalg = smime_cipher_maps[mapi].algtag;
- keysize = smime_keysize_by_cipher (cipher);
- if (keysize < 0)
- return NULL;
-
- cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
- certdb, encalg, keysize,
- pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- for (rci = 0; rcerts[rci] != NULL; rci++) {
- if (rcerts[rci] == scert)
- continue;
- if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
- NULL) != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
- }
-
- return cinfo;
-}
-
-
-static smime_capability **smime_capabilities;
-static SECItem *smime_encoded_caps;
-static PRBool lastUsedFortezza;
-
-
-static SECStatus
-smime_init_caps (PRBool isFortezza)
-{
- smime_capability *cap;
- smime_cipher_map *map;
- SECOidData *oiddata;
- SECStatus rv;
- int i, capIndex;
-
- if (smime_encoded_caps != NULL
- && (! smime_prefs_changed)
- && lastUsedFortezza == isFortezza)
- return SECSuccess;
-
- if (smime_encoded_caps != NULL) {
- SECITEM_FreeItem (smime_encoded_caps, PR_TRUE);
- smime_encoded_caps = NULL;
- }
-
- if (smime_capabilities == NULL) {
- smime_capabilities = (smime_capability**)PORT_ZAlloc (
- (smime_symmetric_count + 1)
- * sizeof(smime_capability *));
- if (smime_capabilities == NULL)
- return SECFailure;
- }
-
- rv = SECFailure;
-
- /*
- The process of creating the encoded PKCS7 cipher capability list
- involves two basic steps:
-
- (a) Convert our internal representation of cipher preferences
- (smime_prefs) into an array containing cipher OIDs and
- parameter data (smime_capabilities). This step is
- performed here.
-
- (b) Encode, using ASN.1, the cipher information in
- smime_capabilities, leaving the encoded result in
- smime_encoded_caps.
-
- (In the process of performing (a), Lisa put in some optimizations
- which allow us to avoid needlessly re-populating elements in
- smime_capabilities as we walk through smime_prefs.)
-
- We want to use separate loop variables for smime_prefs and
- smime_capabilities because in the case where the Skipjack cipher
- is turned on in the prefs, but where we don't want to include
- Skipjack in the encoded capabilities (presumably due to using a
- non-fortezza cert when sending a message), we want to avoid creating
- an empty element in smime_capabilities. This would otherwise cause
- the encoding step to produce an empty set, since Skipjack happens
- to be the first cipher in smime_prefs, if it is turned on.
- */
- for (i = 0, capIndex = 0; i < smime_current_pref_index; i++, capIndex++) {
- int mapi;
-
- /* Get the next cipher preference in smime_prefs. */
- mapi = smime_mapi_by_cipher (smime_prefs[i]);
- if (mapi < 0)
- break;
-
- /* Find the corresponding entry in the cipher map. */
- PORT_Assert (mapi < smime_symmetric_count);
- map = &(smime_cipher_maps[mapi]);
-
- /* If we're using a non-Fortezza cert, only advertise non-Fortezza
- capabilities. (We advertise all capabilities if we have a
- Fortezza cert.) */
- if ((!isFortezza) && (map->cipher == SMIME_FORTEZZA))
- {
- capIndex--; /* we want to visit the same caps index entry next time */
- continue;
- }
-
- /*
- * Convert the next preference found in smime_prefs into an
- * smime_capability.
- */
-
- cap = smime_capabilities[capIndex];
- if (cap == NULL) {
- cap = (smime_capability*)PORT_ZAlloc (sizeof(smime_capability));
- if (cap == NULL)
- break;
- smime_capabilities[capIndex] = cap;
- } else if (cap->cipher == smime_prefs[i]) {
- continue; /* no change to this one */
- }
-
- cap->capIDTag = map->algtag;
- oiddata = SECOID_FindOIDByTag (map->algtag);
- if (oiddata == NULL)
- break;
-
- if (cap->capabilityID.data != NULL) {
- SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
- cap->capabilityID.data = NULL;
- cap->capabilityID.len = 0;
- }
-
- rv = SECITEM_CopyItem (NULL, &(cap->capabilityID), &(oiddata->oid));
- if (rv != SECSuccess)
- break;
-
- if (map->parms == NULL) {
- cap->parameters.data = NULL;
- cap->parameters.len = 0;
- } else {
- cap->parameters.data = map->parms->data;
- cap->parameters.len = map->parms->len;
- }
-
- cap->cipher = smime_prefs[i];
- }
-
- if (i != smime_current_pref_index)
- return rv;
-
- while (capIndex < smime_symmetric_count) {
- cap = smime_capabilities[capIndex];
- if (cap != NULL) {
- SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
- PORT_Free (cap);
- }
- smime_capabilities[capIndex] = NULL;
- capIndex++;
- }
- smime_capabilities[capIndex] = NULL;
-
- smime_encoded_caps = SEC_ASN1EncodeItem (NULL, NULL, &smime_capabilities,
- smime_capabilities_template);
- if (smime_encoded_caps == NULL)
- return SECFailure;
-
- lastUsedFortezza = isFortezza;
-
- return SECSuccess;
-}
-
-
-static SECStatus
-smime_add_profile (CERTCertificate *cert, SEC_PKCS7ContentInfo *cinfo)
-{
- PRBool isFortezza = PR_FALSE;
-
- PORT_Assert (smime_prefs_complete);
- if (! smime_prefs_complete)
- return SECFailure;
-
- /* See if the sender's cert specifies Fortezza key exchange. */
- if (cert != NULL)
- isFortezza = PK11_FortezzaHasKEA(cert);
-
- /* For that matter, if capabilities haven't been initialized yet,
- do so now. */
- if (isFortezza != lastUsedFortezza || smime_encoded_caps == NULL || smime_prefs_changed) {
- SECStatus rv;
-
- rv = smime_init_caps(isFortezza);
- if (rv != SECSuccess)
- return rv;
-
- PORT_Assert (smime_encoded_caps != NULL);
- }
-
- return SEC_PKCS7AddSignedAttribute (cinfo, SEC_OID_PKCS9_SMIME_CAPABILITIES,
- smime_encoded_caps);
-}
-
-
-/*
- * Start an S/MIME signing context.
- *
- * "scert" is the cert that will be used to sign the data. It will be
- * checked for validity.
- *
- * "ecert" is the signer's encryption cert. If it is different from
- * scert, then it will be included in the signed message so that the
- * recipient can save it for future encryptions.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- * XXX There should be SECMIME functions for hashing, or the hashing should
- * be built into this interface, which we would like because we would
- * support more smartcards that way, and then this argument should go away.)
- *
- * "digest" is the actual digest of the data. It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-
-SEC_PKCS7ContentInfo *
-SECMIME_CreateSigned (CERTCertificate *scert,
- CERTCertificate *ecert,
- CERTCertDBHandle *certdb,
- SECOidTag digestalg,
- SECItem *digest,
- SECKEYGetPasswordKey pwfn,
- void *pwfn_arg)
-{
- SEC_PKCS7ContentInfo *cinfo;
- SECStatus rv;
-
- /* See note in header comment above about digestalg. */
- PORT_Assert (digestalg == SEC_OID_SHA1);
-
- cinfo = SEC_PKCS7CreateSignedData (scert, certUsageEmailSigner,
- certdb, digestalg, digest,
- pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- if (SEC_PKCS7IncludeCertChain (cinfo, NULL) != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
-
- /* if the encryption cert and the signing cert differ, then include
- * the encryption cert too.
- */
- /* it is ok to compare the pointers since we ref count, and the same
- * cert will always have the same pointer
- */
- if ( ( ecert != NULL ) && ( ecert != scert ) ) {
- rv = SEC_PKCS7AddCertificate(cinfo, ecert);
- if ( rv != SECSuccess ) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
- }
- /*
- * Add the signing time. But if it fails for some reason,
- * may as well not give up altogether -- just assert.
- */
- rv = SEC_PKCS7AddSigningTime (cinfo);
- PORT_Assert (rv == SECSuccess);
-
- /*
- * Add the email profile. Again, if it fails for some reason,
- * may as well not give up altogether -- just assert.
- */
- rv = smime_add_profile (ecert, cinfo);
- PORT_Assert (rv == SECSuccess);
-
- return cinfo;
-}
diff --git a/security/nss/lib/pkcs7/secmime.h b/security/nss/lib/pkcs7/secmime.h
deleted file mode 100644
index 6950e416f..000000000
--- a/security/nss/lib/pkcs7/secmime.h
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Header file for routines specific to S/MIME. Keep things that are pure
- * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
- *
- * $Id$
- */
-
-#ifndef _SECMIME_H_
-#define _SECMIME_H_ 1
-
-#include "secpkcs7.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * Initialize the local recording of the user S/MIME cipher preferences.
- * This function is called once for each cipher, the order being
- * important (first call records greatest preference, and so on).
- * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
- * If the function is called again after that, it is assumed that
- * the preferences are being reset, and the old preferences are
- * discarded.
- *
- * XXX This is for a particular user, and right now the storage is
- * XXX local, static. The preference should be stored elsewhere to allow
- * XXX for multiple uses of one library? How does SSL handle this;
- * XXX it has something similar?
- *
- * - The "which" values are defined in ciferfam.h (the SMIME_* values,
- * for example SMIME_DES_CBC_56).
- * - If "on" is non-zero then the named cipher is enabled, otherwise
- * it is disabled. (It is not necessary to call the function for
- * ciphers that are disabled, however, as that is the default.)
- *
- * If the cipher preference is successfully recorded, SECSuccess
- * is returned. Otherwise SECFailure is returned. The only errors
- * are due to failure allocating memory or bad parameters/calls:
- * SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
- * SEC_ERROR_XXX (function is being called more times than there
- * are known/expected ciphers)
- */
-extern SECStatus SECMIME_EnableCipher(long which, int on);
-
-/*
- * Initialize the local recording of the S/MIME policy.
- * This function is called to enable/disable a particular cipher.
- * (S/MIME encryption or decryption using a particular cipher is only
- * allowed if that cipher is currently enabled.) At startup, all S/MIME
- * ciphers are disabled. From that point, this function can be called
- * to enable a cipher -- it is not necessary to call this to disable
- * a cipher unless that cipher was previously, explicitly enabled via
- * this function.
- *
- * XXX This is for a the current module, I think, so local, static storage
- * XXX is okay. Is that correct, or could multiple uses of the same
- * XXX library expect to operate under different policies?
- *
- * - The "which" values are defined in ciferfam.h (the SMIME_* values,
- * for example SMIME_DES_CBC_56).
- * - If "on" is non-zero then the named cipher is enabled, otherwise
- * it is disabled.
- *
- * If the cipher is successfully enabled/disabled, SECSuccess is
- * returned. Otherwise SECFailure is returned. The only errors
- * are due to bad parameters:
- * SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
- * SEC_ERROR_XXX ("which" exceeds expected maximum cipher; this is
- * really an internal error)
- */
-extern SECStatus SECMIME_SetPolicy(long which, int on);
-
-/*
- * Does the current policy allow S/MIME decryption of this particular
- * algorithm and keysize?
- */
-extern PRBool SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
-
-/*
- * Does the current policy allow *any* S/MIME encryption (or decryption)?
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy. Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments. The return value is a simple boolean:
- * PR_TRUE means encryption (or decryption) is *possible*
- * (but may still fail due to other reasons, like because we cannot
- * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- * PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-extern PRBool SECMIME_EncryptionPossible(void);
-
-/*
- * Start an S/MIME encrypting context.
- *
- * "scert" is the cert for the sender. It will be checked for validity.
- * "rcerts" are the certs for the recipients. They will also be checked.
- *
- * "certdb" is the cert database to use for verifying the certs.
- * It can be NULL if a default database is available (like in the client).
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *SECMIME_CreateEncrypted(CERTCertificate *scert,
- CERTCertificate **rcerts,
- CERTCertDBHandle *certdb,
- SECKEYGetPasswordKey pwfn,
- void *pwfn_arg);
-
-/*
- * Start an S/MIME signing context.
- *
- * "scert" is the cert that will be used to sign the data. It will be
- * checked for validity.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "digestalg" names the digest algorithm. (It should be SEC_OID_SHA1;
- * XXX There should be SECMIME functions for hashing, or the hashing should
- * be built into this interface, which we would like because we would
- * support more smartcards that way, and then this argument should go away.)
- *
- * "digest" is the actual digest of the data. It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *SECMIME_CreateSigned(CERTCertificate *scert,
- CERTCertificate *ecert,
- CERTCertDBHandle *certdb,
- SECOidTag digestalg,
- SECItem *digest,
- SECKEYGetPasswordKey pwfn,
- void *pwfn_arg);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
deleted file mode 100644
index 7a2b71b24..000000000
--- a/security/nss/lib/pkcs7/secpkcs7.h
+++ /dev/null
@@ -1,618 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Interface to the PKCS7 implementation.
- *
- * $Id$
- */
-
-#ifndef _SECPKCS7_H_
-#define _SECPKCS7_H_
-
-#include "seccomon.h"
-#include "mcom_db.h" /* needed by certt.h */
-
-#include "secoidt.h"
-#include "secder.h" /* needed by certt.h; XXX go away when possible */
-#include "certt.h"
-#include "keyt.h"
-#include "hasht.h"
-#include "pkcs7t.h"
-
-extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/************************************************************************
- * Miscellaneous
- ************************************************************************/
-
-/*
- * Returns the content type of the given contentInfo.
- */
-extern SECOidTag SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Destroy a PKCS7 contentInfo and all of its sub-pieces.
- */
-extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
-
-/*
- * Copy a PKCS7 contentInfo. A Destroy is needed on *each* copy.
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
-
-/*
- * Return a pointer to the actual content. In the case of those types
- * which are encrypted, this returns the *plain* content.
- */
-extern SECItem *SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo);
-
-/************************************************************************
- * PKCS7 Decoding, Verification, etc..
- ************************************************************************/
-
-extern SEC_PKCS7DecoderContext *
-SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback,
- void *callback_arg,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg,
- SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
- void *decrypt_key_cb_arg,
- SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
-
-extern SECStatus
-SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
- const char *buf, unsigned long len);
-
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
-
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7DecodeItem(SECItem *p7item,
- SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg,
- SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
- void *decrypt_key_cb_arg,
- SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
-
-extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo);
-
-/* checks to see if the contents of the content info is
- * empty. it so, PR_TRUE is returned. PR_FALSE, otherwise.
- *
- * minLen is used to specify a minimum size. if content size <= minLen,
- * content is assumed empty.
- */
-extern PRBool
-SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen);
-
-extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * If the PKCS7 content has a signature (not just *could* have a signature)
- * return true; false otherwise. This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * SEC_PKCS7VerifySignature
- * Look at a PKCS7 contentInfo and check if the signature is good.
- * The verification checks that the signing cert is valid and trusted
- * for the purpose specified by "certusage".
- *
- * In addition, if "keepcerts" is true, add any new certificates found
- * into our local database.
- */
-extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- PRBool keepcerts);
-
-/*
- * SEC_PKCS7VerifyDetachedSignature
- * Look at a PKCS7 contentInfo and check if the signature matches
- * a passed-in digest (calculated, supposedly, from detached contents).
- * The verification checks that the signing cert is valid and trusted
- * for the purpose specified by "certusage".
- *
- * In addition, if "keepcerts" is true, add any new certificates found
- * into our local database.
- */
-extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- SECCertUsage certusage,
- SECItem *detached_digest,
- HASH_HashType digest_type,
- PRBool keepcerts);
-
-/*
- * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
- * The passed-in contentInfo is espected to be Signed, and these
- * functions return the specified portion of the full signer name.
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A NULL return value is an error.
- */
-extern char *SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo);
-extern char *SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Return the the signing time, in UTCTime format, of a PKCS7 contentInfo.
- */
-extern SECItem *SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo);
-
-
-/************************************************************************
- * PKCS7 Creation and Encoding.
- ************************************************************************/
-
-/*
- * Start a PKCS7 signing context.
- *
- * "cert" is the cert that will be used to sign the data. It will be
- * checked for validity.
- *
- * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "signing" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- *
- * "digest" is the actual digest of the data. It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * The return value can be passed to functions which add things to
- * it like attributes, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateSignedData (CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb,
- SECOidTag digestalg,
- SECItem *digest,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
-/*
- * Create a PKCS7 certs-only container.
- *
- * "cert" is the (first) cert that will be included.
- *
- * "include_chain" specifies whether the entire chain for "cert" should
- * be included.
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL in when "include_chain" is false, or when meaning
- * use the default database.
- *
- * More certs and chains can be added via AddCertficate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
- PRBool include_chain,
- CERTCertDBHandle *certdb);
-
-/*
- * Start a PKCS7 enveloping context.
- *
- * "cert" is the cert for the recipient. It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
- *
- * "keysize" specifies the bulk encryption key size, in bits.
- *
- * The return value can be passed to functions which add things to
- * it like more recipients, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb,
- SECOidTag encalg,
- int keysize,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
-/*
- * XXX There will be a similar routine for creating signedAndEnvelopedData.
- * But its parameters will be different and I have no plans to implement
- * it any time soon because we have no current need for it.
- */
-
-/*
- * Create an empty PKCS7 data content info.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *SEC_PKCS7CreateData (void);
-
-/*
- * Create an empty PKCS7 encrypted content info.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
- SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
-/*
- * All of the following things return SECStatus to signal success or failure.
- * Failure should have a more specific error status available via
- * PORT_GetError()/XP_GetError().
- */
-
-/*
- * Add the specified attribute to the authenticated (i.e. signed) attributes
- * of "cinfo" -- "oidtag" describes the attribute and "value" is the
- * value to be associated with it. NOTE! "value" must already be encoded;
- * no interpretation of "oidtag" is done. Also, it is assumed that this
- * signedData has only one signer -- if we ever need to add attributes
- * when there is more than one signature, we need a way to specify *which*
- * signature should get the attribute.
- *
- * XXX Technically, a signed attribute can have multiple values; if/when
- * we ever need to support an attribute which takes multiple values, we
- * either need to change this interface or create an AddSignedAttributeValue
- * which can be called subsequently, and would then append a value.
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-extern SECStatus SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
- SECOidTag oidtag,
- SECItem *value);
-
-/*
- * Add "cert" and its entire chain to the set of certs included in "cinfo".
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert,
- CERTCertDBHandle *certdb);
-
-/*
- * Add "cert" to the set of certs included in "cinfo".
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert);
-
-/*
- * Add another recipient to an encrypted message.
- *
- * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- *
- * "cert" is the cert for the recipient. It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- */
-extern SECStatus SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
- CERTCertificate *cert,
- SECCertUsage certusage,
- CERTCertDBHandle *certdb);
-
-/*
- * Add the signing time to the authenticated (i.e. signed) attributes
- * of "cinfo". This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will either do
- * nothing or replace an old signing time with a newer one.
- *
- * XXX This will probably just shove the current time into "cinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding. Is this (expected to be small) delay okay?
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-extern SECStatus SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Add the signer's symmetric capabilities to the authenticated
- * (i.e. signed) attributes of "cinfo". This is expected to be
- * included in outgoing signed messages for email (S/MIME).
- *
- * This can only be added once; a second call will return SECFailure.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Mark that the signer's certificate and its issuing chain should
- * be included in the encoded data. This is expected to be used
- * in outgoing signed messages for email (S/MIME).
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
- CERTCertDBHandle *certdb);
-
-
-/*
- * Set the content; it will be included and also hashed and/or encrypted
- * as appropriate. This is for in-memory content (expected to be "small")
- * that will be included in the PKCS7 object. All others should stream the
- * content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}).
- *
- * "buf" points to data of length "len"; it will be copied.
- */
-extern SECStatus SEC_PKCS7SetContent (SEC_PKCS7ContentInfo *cinfo,
- const char *buf, unsigned long len);
-
-/*
- * Encode a PKCS7 object, in one shot. All necessary components
- * of the object must already be specified. Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only).
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "outputfn" is where the encoded bytes will be passed.
- *
- * "outputarg" is an opaque argument to the above callback.
- *
- * "bulkkey" specifies the bulk encryption key to use. This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer. This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-extern SECStatus SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7EncoderOutputCallback outputfn,
- void *outputarg,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg);
-
-/*
- * Encode a PKCS7 object, in one shot. All necessary components
- * of the object must already be specified. Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only). The output, rather than
- * being passed to an output function as is done above, is all put
- * into a SECItem.
- *
- * "pool" specifies a pool from which to allocate the result.
- * It can be NULL, in which case memory is allocated generically.
- *
- * "dest" specifies a SECItem in which to put the result data.
- * It can be NULL, in which case the entire item is allocated, too.
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "bulkkey" specifies the bulk encryption key to use. This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer. This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-extern SECItem *SEC_PKCS7EncodeItem (PRArenaPool *pool,
- SECItem *dest,
- SEC_PKCS7ContentInfo *cinfo,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg);
-
-/*
- * For those who want to simply point to the pkcs7 contentInfo ASN.1
- * template, and *not* call the encoding functions directly, the
- * following function can be used -- after it is called, the entire
- * PKCS7 contentInfo is ready to be encoded.
- */
-extern SECStatus SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
- PK11SymKey *bulkkey,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg);
-
-/*
- * Start the process of encoding a PKCS7 object. The first part of
- * the encoded object will be passed to the output function right away;
- * after that it is expected that SEC_PKCS7EncoderUpdate will be called,
- * streaming in the actual content that is getting included as well as
- * signed or encrypted (or both).
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "outputfn" is where the encoded bytes will be passed.
- *
- * "outputarg" is an opaque argument to the above callback.
- *
- * "bulkkey" specifies the bulk encryption key to use. This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * Returns an object to be passed to EncoderUpdate and EncoderFinish.
- */
-extern SEC_PKCS7EncoderContext *
-SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
- SEC_PKCS7EncoderOutputCallback outputfn,
- void *outputarg,
- PK11SymKey *bulkkey);
-
-/*
- * Encode more contents, hashing and/or encrypting along the way.
- */
-extern SECStatus SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
- const char *buf,
- unsigned long len);
-
-/*
- * No more contents; finish the signature creation, if appropriate,
- * and then the encoding.
- *
- * "pwfn" is a callback for getting the password which protects the
- * signer's private key. This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
- SECKEYGetPasswordKey pwfn,
- void *pwfnarg);
-
-/* retrieve the algorithm ID used to encrypt the content info
- * for encrypted and enveloped data. The SECAlgorithmID pointer
- * returned needs to be freed as it is a copy of the algorithm
- * id in the content info.
- */
-extern SECAlgorithmID *
-SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo);
-
-/* the content of an encrypted data content info is encrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "plainContent" field of the content info.
- *
- * cinfo is the content info to encrypt
- *
- * key is the key with which to perform the encryption. if the
- * algorithm is a password based encryption algorithm, the
- * key is actually a password which will be processed per
- * PKCS #5.
- *
- * in the event of an error, SECFailure is returned. SECSuccess
- * indicates a success.
- */
-extern SECStatus
-SEC_PKCS7EncryptContents(PRArenaPool *poolp,
- SEC_PKCS7ContentInfo *cinfo,
- SECItem *key,
- void *wincx);
-
-/* the content of an encrypted data content info is decrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "encContent" field of the content info.
- *
- * cinfo is the content info to decrypt
- *
- * key is the key with which to perform the decryption. if the
- * algorithm is a password based encryption algorithm, the
- * key is actually a password which will be processed per
- * PKCS #5.
- *
- * in the event of an error, SECFailure is returned. SECSuccess
- * indicates a success.
- */
-extern SECStatus
-SEC_PKCS7DecryptContents(PRArenaPool *poolp,
- SEC_PKCS7ContentInfo *cinfo,
- SECItem *key,
- void *wincx);
-
-/* retrieve the certificate list from the content info. the list
- * is a pointer to the list in the content info. this should not
- * be deleted or freed in any way short of calling
- * SEC_PKCS7DestroyContentInfo
- */
-extern SECItem **
-SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo);
-
-/* Returns the key length (in bits) of the algorithm used to encrypt
- this object. Returns 0 if it's not encrypted, or the key length is
- irrelevant. */
-extern int
-SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo);
-
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _SECPKCS7_H_ */
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
deleted file mode 100644
index c8da14050..000000000
--- a/security/nss/lib/pki/nsspki.h
+++ /dev/null
@@ -1,3161 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSPKI_H
-#define NSSPKI_H
-
-#ifdef DEBUG
-static const char NSSPKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nsspki.h
- *
- * This file prototypes the methods of the top-level PKI objects.
- */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A note about interfaces
- *
- * Although these APIs are specified in C, a language which does
- * not have fancy support for abstract interfaces, this library
- * was designed from an object-oriented perspective. It may be
- * useful to consider the standard interfaces which went into
- * the writing of these APIs.
- *
- * Basic operations on all objects:
- * Destroy -- free a pointer to an object
- * DeleteStoredObject -- delete an object permanently
- *
- * Public Key cryptographic operations:
- * Encrypt
- * Verify
- * VerifyRecover
- * Wrap
- * Derive
- *
- * Private Key cryptographic operations:
- * IsStillPresent
- * Decrypt
- * Sign
- * SignRecover
- * Unwrap
- * Derive
- *
- * Symmetric Key cryptographic operations:
- * IsStillPresent
- * Encrypt
- * Decrypt
- * Sign
- * SignRecover
- * Verify
- * VerifyRecover
- * Wrap
- * Unwrap
- * Derive
- *
- */
-
-/*
- * NSSCertificate
- *
- * These things can do crypto ops like public keys, except that the trust,
- * usage, and other constraints are checked. These objects are "high-level,"
- * so trust, usages, etc. are in the form we throw around (client auth,
- * email signing, etc.). Remember that theoretically another implementation
- * (think PGP) could be beneath this object.
- */
-
-/*
- * NSSCertificate_Destroy
- *
- * Free a pointer to a certificate object.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_Destroy
-(
- NSSCertificate *c
-);
-
-/*
- * NSSCertificate_DeleteStoredObject
- *
- * Permanently remove this certificate from storage. If this is the
- * only (remaining) certificate corresponding to a private key,
- * public key, and/or other object; then that object (those objects)
- * are deleted too.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_DeleteStoredObject
-(
- NSSCertificate *c,
- NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_Validate
- *
- * Verify that this certificate is trusted, for the specified usage(s),
- * at the specified time, {word word} the specified policies.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_Validate
-(
- NSSCertificate *c,
- NSSTime *timeOpt, /* NULL for "now" */
- NSSUsage *usage,
- NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/*
- * NSSCertificate_ValidateCompletely
- *
- * Verify that this certificate is trusted. The difference between
- * this and the previous call is that NSSCertificate_Validate merely
- * returns success or failure with an appropriate error stack.
- * However, there may be (and often are) multiple problems with a
- * certificate. This routine returns an array of errors, specifying
- * every problem.
- */
-
-/*
- * Return value must be an array of objects, each of which has
- * an NSSError, and any corresponding certificate (in the chain)
- * and/or policy.
- */
-
-NSS_EXTERN void ** /* void *[] */
-NSSCertificate_ValidateCompletely
-(
- NSSCertificate *c,
- NSSTime *timeOpt, /* NULL for "now" */
- NSSUsage *usage,
- NSSPolicies *policiesOpt, /* NULL for none */
- void **rvOpt, /* NULL for allocate */
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt /* NULL for heap */
-);
-
-/*
- * NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
- *
- * Returns PR_SUCCESS if the certificate is valid for at least something.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
-(
- NSSCertificate *c,
- NSSTime **notBeforeOutOpt,
- NSSTime **notAfterOutOpt,
- void *allowedUsages,
- void *disallowedUsages,
- void *allowedPolicies,
- void *disallowedPolicies,
- /* more args.. work on this fgmr */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_Encode
- *
- */
-
-NSS_EXTERN NSSDER *
-NSSCertificate_Encode
-(
- NSSCertificate *c,
- NSSDER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_BuildChain
- *
- * This routine returns NSSCertificate *'s for each certificate
- * in the "chain" starting from the specified one up to and
- * including the root. The zeroth element in the array is the
- * specified ("leaf") certificate.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCertificate_BuildChain
-(
- NSSCertificate *c,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_GetTrustDomain
- *
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSCertificate_GetTrustDomain
-(
- NSSCertificate *c
-);
-
-/*
- * NSSCertificate_GetToken
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSToken *
-NSSCertificate_GetToken
-(
- NSSCertificate *c,
- PRStatus *statusOpt
-);
-
-/*
- * NSSCertificate_GetSlot
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSSlot *
-NSSCertificate_GetSlot
-(
- NSSCertificate *c,
- PRStatus *statusOpt
-);
-
-/*
- * NSSCertificate_GetModule
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSModule *
-NSSCertificate_GetModule
-(
- NSSCertificate *c,
- PRStatus *statusOpt
-);
-
-/*
- * NSSCertificate_Encrypt
- *
- * Encrypt a single chunk of data with the public key corresponding to
- * this certificate.
- */
-
-NSS_EXTERN NSSItem *
-NSSCertificate_Encrypt
-(
- NSSCertificate *c,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_Verify
-(
- NSSCertificate *c,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSItem *signature,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCertificate_VerifyRecover
-(
- NSSCertificate *c,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *signature,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_WrapSymmetricKey
- *
- * This method tries very hard to to succeed, even in situations
- * involving sensitive keys and multiple modules.
- * { relyea: want to add verbiage? }
- */
-
-NSS_EXTERN NSSItem *
-NSSCertificate_WrapSymmetricKey
-(
- NSSCertificate *c,
- NSSAlgorithmAndParameters *apOpt,
- NSSSymmetricKey *keyToWrap,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_CreateCryptoContext
- *
- * Create a crypto context, in this certificate's trust domain, with this
- * as the distinguished certificate.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSCertificate_CreateCryptoContext
-(
- NSSCertificate *c,
- NSSAlgorithmAndParameters *apOpt,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_GetPublicKey
- *
- * Returns the public key corresponding to this certificate.
- */
-
-NSS_EXTERN NSSPublicKey *
-NSSCertificate_GetPublicKey
-(
- NSSCertificate *c
-);
-
-/*
- * NSSCertificate_FindPrivateKey
- *
- * Finds and returns the private key corresponding to this certificate,
- * if it is available.
- *
- * { Should this hang off of NSSUserCertificate? }
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSCertificate_FindPrivateKey
-(
- NSSCertificate *c,
- NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_IsPrivateKeyAvailable
- *
- * Returns success if the private key corresponding to this certificate
- * is available to be used.
- *
- * { Should *this* hang off of NSSUserCertificate?? }
- */
-
-NSS_EXTERN PRBool
-NSSCertificate_IsPrivateKeyAvailable
-(
- NSSCertificate *c,
- NSSCallback *uhh,
- PRStatus *statusOpt
-);
-
-/*
- * If we make NSSUserCertificate not a typedef of NSSCertificate,
- * then we'll need implementations of the following:
- *
- * NSSUserCertificate_Destroy
- * NSSUserCertificate_DeleteStoredObject
- * NSSUserCertificate_Validate
- * NSSUserCertificate_ValidateCompletely
- * NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies
- * NSSUserCertificate_Encode
- * NSSUserCertificate_BuildChain
- * NSSUserCertificate_GetTrustDomain
- * NSSUserCertificate_GetToken
- * NSSUserCertificate_GetSlot
- * NSSUserCertificate_GetModule
- * NSSUserCertificate_GetCryptoContext
- * NSSUserCertificate_GetPublicKey
- */
-
-/*
- * NSSUserCertificate_IsStillPresent
- *
- * Verify that if this certificate lives on a token, that the token
- * is still present and the certificate still exists. This is a
- * lightweight call which should be used whenever it should be
- * verified that the user hasn't perhaps popped out his or her
- * token and strolled away.
- */
-
-NSS_EXTERN PRBool
-NSSUserCertificate_IsStillPresent
-(
- NSSUserCertificate *uc,
- PRStatus *statusOpt
-);
-
-/*
- * NSSUserCertificate_Decrypt
- *
- * Decrypt a single chunk of data with the private key corresponding
- * to this certificate.
- */
-
-NSS_EXTERN NSSItem *
-NSSUserCertificate_Decrypt
-(
- NSSUserCertificate *uc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSUserCertificate_Sign
-(
- NSSUserCertificate *uc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSUserCertificate_SignRecover
-(
- NSSUserCertificate *uc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSUserCertificate_UnwrapSymmetricKey
-(
- NSSUserCertificate *uc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *wrappedKey,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSUserCertificate_DeriveSymmetricKey
-(
- NSSUserCertificate *uc, /* provides private key */
- NSSCertificate *c, /* provides public key */
- NSSAlgorithmAndParameters *apOpt,
- NSSOID *target,
- PRUint32 keySizeOpt, /* zero for best allowed */
- NSSOperations operations,
- NSSCallback *uhh
-);
-
-/* filter-certs function(s) */
-
-/**
- ** fgmr -- trust objects
- **/
-
-/*
- * NSSPrivateKey
- *
- */
-
-/*
- * NSSPrivateKey_Destroy
- *
- * Free a pointer to a private key object.
- */
-
-NSS_EXTERN PRStatus
-NSSPrivateKey_Destroy
-(
- NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_DeleteStoredObject
- *
- * Permanently remove this object, and any related objects (such as the
- * certificates corresponding to this key).
- */
-
-NSS_EXTERN PRStatus
-NSSPrivateKey_DeleteStoredObject
-(
- NSSPrivateKey *vk,
- NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_GetSignatureLength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSPrivateKey_GetSignatureLength
-(
- NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_GetPrivateModulusLength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSPrivateKey_GetPrivateModulusLength
-(
- NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_IsStillPresent
- *
- */
-
-NSS_EXTERN PRBool
-NSSPrivateKey_IsStillPresent
-(
- NSSPrivateKey *vk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPrivateKey_Encode
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_Encode
-(
- NSSPrivateKey *vk,
- NSSAlgorithmAndParameters *ap,
- NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_GetTrustDomain
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSPrivateKey_GetTrustDomain
-(
- NSSPrivateKey *vk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPrivateKey_GetToken
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSPrivateKey_GetToken
-(
- NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_GetSlot
- *
- */
-
-NSS_EXTERN NSSSlot *
-NSSPrivateKey_GetSlot
-(
- NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_GetModule
- *
- */
-
-NSS_EXTERN NSSModule *
-NSSPrivateKey_GetModule
-(
- NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_Decrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_Decrypt
-(
- NSSPrivateKey *vk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *encryptedData,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_Sign
-(
- NSSPrivateKey *vk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_SignRecover
-(
- NSSPrivateKey *vk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSPrivateKey_UnwrapSymmetricKey
-(
- NSSPrivateKey *vk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *wrappedKey,
- NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSPrivateKey_DeriveSymmetricKey
-(
- NSSPrivateKey *vk,
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *apOpt,
- NSSOID *target,
- PRUint32 keySizeOpt, /* zero for best allowed */
- NSSOperations operations,
- NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_FindPublicKey
- *
- */
-
-NSS_EXTERN NSSPublicKey *
-NSSPrivateKey_FindPublicKey
-(
- NSSPrivateKey *vk
- /* { don't need the callback here, right? } */
-);
-
-/*
- * NSSPrivateKey_CreateCryptoContext
- *
- * Create a crypto context, in this key's trust domain,
- * with this as the distinguished private key.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSPrivateKey_CreateCryptoContext
-(
- NSSPrivateKey *vk
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_FindCertificates
- *
- * Note that there may be more than one certificate for this
- * private key. { FilterCertificates function to further
- * reduce the list. }
- */
-
-NSS_EXTERN NSSCertificate **
-NSSPrivateKey_FindCertificates
-(
- NSSPrivateKey *vk,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_FindBestCertificate
- *
- * The parameters for this function will depend on what the users
- * need. This is just a starting point.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSPrivateKey_FindBestCertificate
-(
- NSSPrivateKey *vk,
- NSSTime *timeOpt,
- NSSUsage *usageOpt,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSPublicKey
- *
- * Once you generate, find, or derive one of these, you can use it
- * to perform (simple) cryptographic operations. Though there may
- * be certificates associated with these public keys, they are not
- * verified.
- */
-
-/*
- * NSSPublicKey_Destroy
- *
- * Free a pointer to a public key object.
- */
-
-NSS_EXTERN PRStatus
-NSSPublicKey_Destroy
-(
- NSSPublicKey *bk
-);
-
-/*
- * NSSPublicKey_DeleteStoredObject
- *
- * Permanently remove this object, and any related objects (such as the
- * corresponding private keys and certificates).
- */
-
-NSS_EXTERN PRStatus
-NSSPublicKey_DeleteStoredObject
-(
- NSSPublicKey *bk,
- NSSCallback *uhh
-);
-
-/*
- * NSSPublicKey_Encode
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_Encode
-(
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *ap,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_GetTrustDomain
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSPublicKey_GetTrustDomain
-(
- NSSPublicKey *bk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_GetToken
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSToken *
-NSSPublicKey_GetToken
-(
- NSSPublicKey *bk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_GetSlot
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSSlot *
-NSSPublicKey_GetSlot
-(
- NSSPublicKey *bk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_GetModule
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSModule *
-NSSPublicKey_GetModule
-(
- NSSPublicKey *bk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_Encrypt
- *
- * Encrypt a single chunk of data with the public key corresponding to
- * this certificate.
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_Encrypt
-(
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSPublicKey_Verify
-(
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSItem *signature,
- NSSCallback *uhh
-);
-
-/*
- * NSSPublicKey_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_VerifyRecover
-(
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *signature,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_WrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_WrapSymmetricKey
-(
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *apOpt,
- NSSSymmetricKey *keyToWrap,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_CreateCryptoContext
- *
- * Create a crypto context, in this key's trust domain, with this
- * as the distinguished public key.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSPublicKey_CreateCryptoContext
-(
- NSSPublicKey *bk
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhh
-);
-
-/*
- * NSSPublicKey_FindCertificates
- *
- * Note that there may be more than one certificate for this
- * public key. The current implementation may not find every
- * last certificate available for this public key: that would
- * involve trolling e.g. huge ldap databases, which will be
- * grossly inefficient and not generally useful.
- * { FilterCertificates function to further reduce the list }
- */
-
-NSS_EXTERN NSSCertificate **
-NSSPublicKey_FindCertificates
-(
- NSSPublicKey *bk,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_FindBestCertificate
- *
- * The parameters for this function will depend on what the users
- * need. This is just a starting point.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSPublicKey_FindBestCertificate
-(
- NSSPublicKey *bk,
- NSSTime *timeOpt,
- NSSUsage *usageOpt,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSPublicKey_FindPrivateKey
- *
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSPublicKey_FindPrivateKey
-(
- NSSPublicKey *bk,
- NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey
- *
- */
-
-/*
- * NSSSymmetricKey_Destroy
- *
- * Free a pointer to a symmetric key object.
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_Destroy
-(
- NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_DeleteStoredObject
- *
- * Permanently remove this object.
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_DeleteStoredObject
-(
- NSSSymmetricKey *mk,
- NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_GetKeyLength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSSymmetricKey_GetKeyLength
-(
- NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_GetKeyStrength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSSymmetricKey_GetKeyStrength
-(
- NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_IsStillPresent
- *
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_IsStillPresent
-(
- NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_GetTrustDomain
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSSymmetricKey_GetTrustDomain
-(
- NSSSymmetricKey *mk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_GetToken
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSToken *
-NSSSymmetricKey_GetToken
-(
- NSSSymmetricKey *mk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_GetSlot
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSSlot *
-NSSSymmetricKey_GetSlot
-(
- NSSSymmetricKey *mk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_GetModule
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSModule *
-NSSSymmetricKey_GetModule
-(
- NSSSymmetricKey *mk,
- PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_Encrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_Encrypt
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_Decrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_Decrypt
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *encryptedData,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_Sign
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_SignRecover
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_Verify
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSItem *signature,
- NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_VerifyRecover
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *signature,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_WrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_WrapSymmetricKey
-(
- NSSSymmetricKey *wrappingKey,
- NSSAlgorithmAndParameters *apOpt,
- NSSSymmetricKey *keyToWrap,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_WrapPrivateKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_WrapPrivateKey
-(
- NSSSymmetricKey *wrappingKey,
- NSSAlgorithmAndParameters *apOpt,
- NSSPrivateKey *keyToWrap,
- NSSCallback *uhh,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSSymmetricKey_UnwrapSymmetricKey
-(
- NSSSymmetricKey *wrappingKey,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *wrappedKey,
- NSSOID *target,
- PRUint32 keySizeOpt,
- NSSOperations operations,
- NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_UnwrapPrivateKey
- *
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSSymmetricKey_UnwrapPrivateKey
-(
- NSSSymmetricKey *wrappingKey,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *wrappedKey,
- NSSUTF8 *labelOpt,
- NSSItem *keyIDOpt,
- PRBool persistant,
- PRBool sensitive,
- NSSToken *destinationOpt,
- NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSSymmetricKey_DeriveSymmetricKey
-(
- NSSSymmetricKey *originalKey,
- NSSAlgorithmAndParameters *apOpt,
- NSSOID *target,
- PRUint32 keySizeOpt,
- NSSOperations operations,
- NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_CreateCryptoContext
- *
- * Create a crypto context, in this key's trust domain,
- * with this as the distinguished symmetric key.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSSymmetricKey_CreateCryptoContext
-(
- NSSSymmetricKey *mk,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhh
-);
-
-/*
- * NSSTrustDomain
- *
- */
-
-/*
- * NSSTrustDomain_Create
- *
- * This creates a trust domain, optionally with an initial cryptoki
- * module. If the module name is not null, the module is loaded if
- * needed (using the uriOpt argument), and initialized with the
- * opaqueOpt argument. If mumble mumble priority settings, then
- * module-specification objects in the module can cause the loading
- * and initialization of further modules.
- *
- * The uriOpt is defined to take a URI. At present, we only
- * support file: URLs pointing to platform-native shared libraries.
- * However, by specifying this as a URI, this keeps open the
- * possibility of supporting other, possibly remote, resources.
- *
- * The "reserved" arguments is held for when we figure out the
- * module priority stuff.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSTrustDomain_Create
-(
- NSSUTF8 *moduleOpt,
- NSSUTF8 *uriOpt,
- NSSUTF8 *opaqueOpt,
- void *reserved
-);
-
-/*
- * NSSTrustDomain_Destroy
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_Destroy
-(
- NSSTrustDomain *td
-);
-
-/*
- * NSSTrustDomain_SetDefaultCallback
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_SetDefaultCallback
-(
- NSSTrustDomain *td,
- NSSCallback *newCallback,
- NSSCallback **oldCallbackOpt
-);
-
-/*
- * NSSTrustDomain_GetDefaultCallback
- *
- */
-
-NSS_EXTERN NSSCallback *
-NSSTrustDomain_GetDefaultCallback
-(
- NSSTrustDomain *td,
- PRStatus *statusOpt
-);
-
-/*
- * Default policies?
- * Default usage?
- * Default time, for completeness?
- */
-
-/*
- * NSSTrustDomain_LoadModule
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_LoadModule
-(
- NSSUTF8 *moduleOpt,
- NSSUTF8 *uriOpt,
- NSSUTF8 *opaqueOpt,
- void *reserved
-);
-
-/*
- * NSSTrustDomain_AddModule
- * NSSTrustDomain_AddSlot
- * NSSTrustDomain_UnloadModule
- * Managing modules, slots, tokens; priorities;
- * Traversing all of the above
- * this needs more work
- */
-
-/*
- * NSSTrustDomain_DisableToken
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_DisableToken
-(
- NSSTrustDomain *td,
- NSSToken *token,
- NSSError why
-);
-
-/*
- * NSSTrustDomain_EnableToken
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_EnableToken
-(
- NSSTrustDomain *td,
- NSSToken *token
-);
-
-/*
- * NSSTrustDomain_IsTokenEnabled
- *
- * If disabled, "why" is always on the error stack.
- * The optional argument is just for convenience.
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_IsTokenEnabled
-(
- NSSTrustDomain *td,
- NSSToken *token,
- NSSError *whyOpt
-);
-
-/*
- * NSSTrustDomain_FindSlotByName
- *
- */
-
-NSS_EXTERN NSSSlot *
-NSSTrustDomain_FindSlotByName
-(
- NSSTrustDomain *td,
- NSSUTF8 *slotName
-);
-
-/*
- * NSSTrustDomain_FindTokenByName
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindTokenByName
-(
- NSSTrustDomain *td,
- NSSUTF8 *tokenName
-);
-
-/*
- * NSSTrustDomain_FindTokenBySlotName
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindTokenBySlotName
-(
- NSSTrustDomain *td,
- NSSUTF8 *slotName
-);
-
-/*
- * NSSTrustDomain_FindBestTokenForAlgorithm
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindTokenForAlgorithm
-(
- NSSTrustDomain *td,
- NSSOID *algorithm
-);
-
-/*
- * NSSTrustDomain_FindBestTokenForAlgorithms
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindBestTokenForAlgorithms
-(
- NSSTrustDomain *td,
- NSSOID *algorithms[], /* may be null-terminated */
- PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
-);
-
-/*
- * NSSTrustDomain_Login
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_Login
-(
- NSSTrustDomain *td,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_Logout
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_Logout
-(
- NSSTrustDomain *td
-);
-
-/* Importing things */
-
-/*
- * NSSTrustDomain_ImportCertificate
- *
- * The implementation will pull some data out of the certificate
- * (e.g. e-mail address) for use in pkcs#11 object attributes.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_ImportCertificate
-(
- NSSTrustDomain *td,
- NSSCertificate *c
-);
-
-/*
- * NSSTrustDomain_ImportPKIXCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_ImportPKIXCertificate
-(
- NSSTrustDomain *td,
- /* declared as a struct until these "data types" are defined */
- struct NSSPKIXCertificateStr *pc
-);
-
-/*
- * NSSTrustDomain_ImportEncodedCertificate
- *
- * Imports any type of certificate we support.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_ImportEncodedCertificate
-(
- NSSTrustDomain *td,
- NSSBER *ber
-);
-
-/*
- * NSSTrustDomain_ImportEncodedCertificateChain
- *
- * If you just want the leaf, pass in a maximum of one.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_ImportEncodedCertificateChain
-(
- NSSTrustDomain *td,
- NSSBER *ber,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_ImportEncodedPrivateKey
- *
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSTrustDomain_ImportEncodedPrivateKey
-(
- NSSTrustDomain *td,
- NSSBER *ber,
- NSSItem *passwordOpt, /* NULL will cause a callback */
- NSSCallback *uhhOpt,
- NSSToken *destination
-);
-
-/*
- * NSSTrustDomain_ImportEncodedPublicKey
- *
- */
-
-NSS_EXTERN NSSPublicKey *
-NSSTrustDomain_ImportEncodedPublicKey
-(
- NSSTrustDomain *td,
- NSSBER *ber
-);
-
-/* Other importations: S/MIME capabilities */
-
-/*
- * NSSTrustDomain_FindBestCertificateByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestCertificateByNickname
-(
- NSSTrustDomain *td,
- NSSUTF8 *name,
- NSSTime *timeOpt, /* NULL for "now" */
- NSSUsage *usage,
- NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesByNickname
-(
- NSSTrustDomain *td,
- NSSUTF8 *name,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
-(
- NSSTrustDomain *td,
- NSSDER *issuer,
- NSSDER *serialNumber
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber
- *
- * Theoretically, this should never happen. However, some companies
- * we know have issued duplicate certificates with the same issuer
- * and serial number. Do we just ignore them? I'm thinking yes.
- */
-
-/*
- * NSSTrustDomain_FindBestCertificateBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestCertificateBySubject
-(
- NSSTrustDomain *td,
- NSSUTF8 *subject,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificatesBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesBySubject
-(
- NSSTrustDomain *td,
- NSSUTF8 *subject,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindBestCertificateByNameComponents
- *
- * This call does try several tricks, including a pseudo pkcs#11
- * attribute for the ldap module to try as a query. Eventually
- * this call falls back to a traversal if that's what's required.
- * It will search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestCertificateByNameComponents
-(
- NSSTrustDomain *td,
- NSSUTF8 *nameComponents,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByNameComponents
- *
- * This call, too, tries several tricks. It will stop on the first
- * attempt that generates results, so it won't e.g. traverse the
- * entire ldap database.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesByNameComponents
-(
- NSSTrustDomain *td,
- NSSUTF8 *nameComponents,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificateByEncodedCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByEncodedCertificate
-(
- NSSTrustDomain *td,
- NSSBER *encodedCertificate
-);
-
-/*
- * NSSTrustDomain_FindBestCertificateByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByEmail
-(
- NSSTrustDomain *td,
- NSSASCII7 *email,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificateByEmail
-(
- NSSTrustDomain *td,
- NSSASCII7 *email,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificateByOCSPHash
- *
- * There can be only one.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByOCSPHash
-(
- NSSTrustDomain *td,
- NSSItem *hash
-);
-
-/*
- * NSSTrustDomain_TraverseCertificates
- *
- * This function descends from one in older versions of NSS which
- * traverses the certs in the permanent database. That function
- * was used to implement selection routines, but was directly
- * available too. Trust domains are going to contain a lot more
- * certs now (e.g., an ldap server), so we'd really like to
- * discourage traversal. Thus for now, this is commented out.
- * If it's needed, let's look at the situation more closely to
- * find out what the actual requirements are.
- *
- *
- * NSS_EXTERN PRStatus *
- * NSSTrustDomain_TraverseCertificates
- * (
- * NSSTrustDomain *td,
- * PRStatus (*callback)(NSSCertificate *c, void *arg),
- * void *arg
- * );
- */
-
-/*
- * NSSTrustDomain_FindBestUserCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestUserCertificate
-(
- NSSTrustDomain *td,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindUserCertificates
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindUserCertificates
-(
- NSSTrustDomain *td,
- NSSTime *timeOpt,
- NSSUsage *usageOpt,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
-(
- NSSTrustDomain *td,
- NSSUTF8 *sslHostOpt,
- NSSDER *rootCAsOpt[], /* null pointer for none */
- PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindUserCertificatesForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindUserCertificatesForSSLClientAuth
-(
- NSSTrustDomain *td,
- NSSUTF8 *sslHostOpt,
- NSSDER *rootCAsOpt[], /* null pointer for none */
- PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindBestUserCertificateForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestUserCertificateForEmailSigning
-(
- NSSTrustDomain *td,
- NSSASCII7 *signerOpt,
- NSSASCII7 *recipientOpt,
- /* anything more here? */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindUserCertificatesForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindUserCertificatesForEmailSigning
-(
- NSSTrustDomain *td,
- NSSASCII7 *signerOpt,
- NSSASCII7 *recipientOpt,
- /* anything more here? */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/*
- * Here is where we'd add more Find[Best]UserCertificate[s]For<usage>
- * routines.
- */
-
-/* Private Keys */
-
-/*
- * NSSTrustDomain_GenerateKeyPair
- *
- * Creates persistant objects. If you want session objects, use
- * NSSCryptoContext_GenerateKeyPair. The destination token is where
- * the keys are stored. If that token can do the required math, then
- * that's where the keys are generated too. Otherwise, the keys are
- * generated elsewhere and moved to that token.
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_GenerateKeyPair
-(
- NSSTrustDomain *td,
- NSSAlgorithmAndParameters *ap,
- NSSPrivateKey **pvkOpt,
- NSSPublicKey **pbkOpt,
- PRBool privateKeyIsSensitive,
- NSSToken *destination,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_TraversePrivateKeys
- *
- *
- * NSS_EXTERN PRStatus *
- * NSSTrustDomain_TraversePrivateKeys
- * (
- * NSSTrustDomain *td,
- * PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
- * void *arg
- * );
- */
-
-/* Symmetric Keys */
-
-/*
- * NSSTrustDomain_GenerateSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSTrustDomain_GenerateSymmetricKey
-(
- NSSTrustDomain *td,
- NSSAlgorithmAndParameters *ap,
- PRUint32 keysize,
- NSSToken *destination,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_GenerateSymmetricKeyFromPassword
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSTrustDomain_GenerateSymmetricKeyFromPassword
-(
- NSSTrustDomain *td,
- NSSAlgorithmAndParameters *ap,
- NSSUTF8 *passwordOpt, /* if null, prompt */
- NSSToken *destinationOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_FindSymmetricKeyByAlgorithm
- *
- * Is this still needed?
- *
- * NSS_EXTERN NSSSymmetricKey *
- * NSSTrustDomain_FindSymmetricKeyByAlgorithm
- * (
- * NSSTrustDomain *td,
- * NSSOID *algorithm,
- * NSSCallback *uhhOpt
- * );
- */
-
-/*
- * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
-(
- NSSTrustDomain *td,
- NSSOID *algorithm,
- NSSItem *keyID,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_TraverseSymmetricKeys
- *
- *
- * NSS_EXTERN PRStatus *
- * NSSTrustDomain_TraverseSymmetricKeys
- * (
- * NSSTrustDomain *td,
- * PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
- * void *arg
- * );
- */
-
-/*
- * NSSTrustDomain_CreateCryptoContext
- *
- * If a callback object is specified, it becomes the for the crypto
- * context; otherwise, this trust domain's default (if any) is
- * inherited.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContext
-(
- NSSTrustDomain *td,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_CreateCryptoContextForAlgorithm
- *
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContextForAlgorithm
-(
- NSSTrustDomain *td,
- NSSOID *algorithm
-);
-
-/*
- * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
- *
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
-(
- NSSTrustDomain *td,
- NSSAlgorithmAndParameters *ap
-);
-
-/* find/traverse other objects, e.g. s/mime profiles */
-
-/*
- * NSSCryptoContext
- *
- * A crypto context is sort of a short-term snapshot of a trust domain,
- * used for the life of "one crypto operation." You can also think of
- * it as a "temporary database."
- *
- * Just about all of the things you can do with a trust domain -- importing
- * or creating certs, keys, etc. -- can be done with a crypto context.
- * The difference is that the objects will be temporary ("session") objects.
- *
- * Also, if the context was created for a key, cert, and/or algorithm; or
- * if such objects have been "associated" with the context, then the context
- * can do everything the keys can, like crypto operations.
- *
- * And finally, because it keeps the state of the crypto operations, it
- * can do streaming crypto ops.
- */
-
-/*
- * NSSTrustDomain_Destroy
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_Destroy
-(
- NSSCryptoContext *td
-);
-
-/* establishing a default callback */
-
-/*
- * NSSCryptoContext_SetDefaultCallback
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_SetDefaultCallback
-(
- NSSCryptoContext *td,
- NSSCallback *newCallback,
- NSSCallback **oldCallbackOpt
-);
-
-/*
- * NSSCryptoContext_GetDefaultCallback
- *
- */
-
-NSS_EXTERN NSSCallback *
-NSSCryptoContext_GetDefaultCallback
-(
- NSSCryptoContext *td,
- PRStatus *statusOpt
-);
-
-/*
- * NSSCryptoContext_GetTrustDomain
- *
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSCryptoContext_GetTrustDomain
-(
- NSSCryptoContext *td
-);
-
-/* AddModule, etc: should we allow "temporary" changes here? */
-/* DisableToken, etc: ditto */
-/* Ordering of tokens? */
-/* Finding slots+token etc. */
-/* login+logout */
-
-/* Importing things */
-
-/*
- * NSSCryptoContext_ImportCertificate
- *
- * If there's not a "distinguished certificate" for this context, this
- * sets the specified one to be it.
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ImportCertificate
-(
- NSSCryptoContext *cc,
- NSSCertificate *c
-);
-
-/*
- * NSSCryptoContext_ImportPKIXCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_ImportPKIXCertificate
-(
- NSSCryptoContext *cc,
- struct NSSPKIXCertificateStr *pc
-);
-
-/*
- * NSSCryptoContext_ImportEncodedCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_ImportEncodedCertificate
-(
- NSSCryptoContext *cc,
- NSSBER *ber
-);
-
-/*
- * NSSCryptoContext_ImportEncodedPKIXCertificateChain
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ImportEncodedPKIXCertificateChain
-(
- NSSCryptoContext *cc,
- NSSBER *ber
-);
-
-/* Other importations: S/MIME capabilities
- */
-
-/*
- * NSSCryptoContext_FindBestCertificateByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateByNickname
-(
- NSSCryptoContext *cc,
- NSSUTF8 *name,
- NSSTime *timeOpt, /* NULL for "now" */
- NSSUsage *usage,
- NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/*
- * NSSCryptoContext_FindCertificatesByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesByNickname
-(
- NSSCryptoContext *cc,
- NSSUTF8 *name,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
-(
- NSSCryptoContext *cc,
- NSSDER *issuer,
- NSSDER *serialNumber
-);
-
-/*
- * NSSCryptoContext_FindBestCertificateBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateBySubject
-(
- NSSCryptoContext *cc,
- NSSUTF8 *subject,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificatesBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesBySubject
-(
- NSSCryptoContext *cc,
- NSSUTF8 *subject,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindBestCertificateByNameComponents
- *
- * This call does try several tricks, including a pseudo pkcs#11
- * attribute for the ldap module to try as a query. Eventually
- * this call falls back to a traversal if that's what's required.
- * It will search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateByNameComponents
-(
- NSSCryptoContext *cc,
- NSSUTF8 *nameComponents,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificatesByNameComponents
- *
- * This call, too, tries several tricks. It will stop on the first
- * attempt that generates results, so it won't e.g. traverse the
- * entire ldap database.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesByNameComponents
-(
- NSSCryptoContext *cc,
- NSSUTF8 *nameComponents,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificateByEncodedCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificateByEncodedCertificate
-(
- NSSCryptoContext *cc,
- NSSBER *encodedCertificate
-);
-
-/*
- * NSSCryptoContext_FindBestCertificateByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateByEmail
-(
- NSSCryptoContext *cc,
- NSSASCII7 *email
-);
-
-/*
- * NSSCryptoContext_FindCertificatesByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificatesByEmail
-(
- NSSCryptoContext *cc,
- NSSASCII7 *email,
- NSSCertificate *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificateByOCSPHash
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificateByOCSPHash
-(
- NSSCryptoContext *cc,
- NSSITem *hash
-);
-
-/*
- * NSSCryptoContext_TraverseCertificates
- *
- *
- * NSS_EXTERN PRStatus *
- * NSSCryptoContext_TraverseCertificates
- * (
- * NSSCryptoContext *cc,
- * PRStatus (*callback)(NSSCertificate *c, void *arg),
- * void *arg
- * );
- */
-
-/*
- * NSSCryptoContext_FindBestUserCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestUserCertificate
-(
- NSSCryptoContext *cc,
- NSSTime *timeOpt,
- NSSUsage *usage,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindUserCertificates
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindUserCertificates
-(
- NSSCryptoContext *cc,
- NSSTime *timeOpt,
- NSSUsage *usageOpt,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
-(
- NSSCryptoContext *cc,
- NSSUTF8 *sslHostOpt,
- NSSDER *rootCAsOpt[], /* null pointer for none */
- PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindUserCertificatesForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindUserCertificatesForSSLClientAuth
-(
- NSSCryptoContext *cc,
- NSSUTF8 *sslHostOpt,
- NSSDER *rootCAsOpt[], /* null pointer for none */
- PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindBestUserCertificateForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestUserCertificateForEmailSigning
-(
- NSSCryptoContext *cc,
- NSSASCII7 *signerOpt,
- NSSASCII7 *recipientOpt,
- /* anything more here? */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindUserCertificatesForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindUserCertificatesForEmailSigning
-(
- NSSCryptoContext *cc,
- NSSASCII7 *signerOpt, /* fgmr or a more general name? */
- NSSASCII7 *recipientOpt,
- /* anything more here? */
- NSSAlgorithmAndParameters *apOpt,
- NSSPolicies *policiesOpt,
- NSSCertificate **rvOpt,
- PRUint32 rvLimit, /* zero for no limit */
- NSSArena *arenaOpt
-);
-
-/* Private Keys */
-
-/*
- * NSSCryptoContext_GenerateKeyPair
- *
- * Creates session objects. If you want persistant objects, use
- * NSSTrustDomain_GenerateKeyPair. The destination token is where
- * the keys are stored. If that token can do the required math, then
- * that's where the keys are generated too. Otherwise, the keys are
- * generated elsewhere and moved to that token.
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_GenerateKeyPair
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *ap,
- NSSPrivateKey **pvkOpt,
- NSSPublicKey **pbkOpt,
- PRBool privateKeyIsSensitive,
- NSSToken *destination,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_TraversePrivateKeys
- *
- *
- * NSS_EXTERN PRStatus *
- * NSSCryptoContext_TraversePrivateKeys
- * (
- * NSSCryptoContext *cc,
- * PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
- * void *arg
- * );
- */
-
-/* Symmetric Keys */
-
-/*
- * NSSCryptoContext_GenerateSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_GenerateSymmetricKey
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *ap,
- PRUint32 keysize,
- NSSToken *destination,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_GenerateSymmetricKeyFromPassword
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_GenerateSymmetricKeyFromPassword
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *ap,
- NSSUTF8 *passwordOpt, /* if null, prompt */
- NSSToken *destinationOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_FindSymmetricKeyByAlgorithm
- *
- *
- * NSS_EXTERN NSSSymmetricKey *
- * NSSCryptoContext_FindSymmetricKeyByType
- * (
- * NSSCryptoContext *cc,
- * NSSOID *type,
- * NSSCallback *uhhOpt
- * );
- */
-
-/*
- * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
-(
- NSSCryptoContext *cc,
- NSSOID *algorithm,
- NSSItem *keyID,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_TraverseSymmetricKeys
- *
- *
- * NSS_EXTERN PRStatus *
- * NSSCryptoContext_TraverseSymmetricKeys
- * (
- * NSSCryptoContext *cc,
- * PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
- * void *arg
- * );
- */
-
-/* Crypto ops on distinguished keys */
-
-/*
- * NSSCryptoContext_Decrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Decrypt
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *encryptedData,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginDecrypt
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginDecrypt
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueDecrypt
- *
- */
-
-/*
- * NSSItem semantics:
- *
- * If rvOpt is NULL, a new NSSItem and buffer are allocated.
- * If rvOpt is not null, but the buffer pointer is null,
- * then rvOpt is returned but a new buffer is allocated.
- * In this case, if the length value is not zero, then
- * no more than that much space will be allocated.
- * If rvOpt is not null and the buffer pointer is not null,
- * then that buffer is re-used. No more than the buffer
- * length value will be used; if it's not enough, an
- * error is returned. If less is used, the number is
- * adjusted downwards.
- *
- * Note that although this is short of some ideal "Item"
- * definition, we can usually tell how big these buffers
- * have to be.
- *
- * Feedback is requested; and earlier is better than later.
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueDecrypt
-(
- NSSCryptoContext *cc,
- NSSItem *data,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishDecrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishDecrypt
-(
- NSSCryptoContext *cc,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Sign
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginSign
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginSign
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueSign
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginSign
-(
- NSSCryptoContext *cc,
- NSSItem *data
-);
-
-/*
- * NSSCryptoContext_FinishSign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishSign
-(
- NSSCryptoContext *cc,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_SignRecover
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginSignRecover
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginSignRecover
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueSignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueSignRecover
-(
- NSSCryptoContext *cc,
- NSSItem *data,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishSignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishSignRecover
-(
- NSSCryptoContext *cc,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_UnwrapSymmetricKey
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *wrappedKey,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_DeriveSymmetricKey
-(
- NSSCryptoContext *cc,
- NSSPublicKey *bk,
- NSSAlgorithmAndParameters *apOpt,
- NSSOID *target,
- PRUint32 keySizeOpt, /* zero for best allowed */
- NSSOperations operations,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_Encrypt
- *
- * Encrypt a single chunk of data with the distinguished public key
- * of this crypto context.
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Encrypt
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginEncrypt
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginEncrypt
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueEncrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueEncrypt
-(
- NSSCryptoContext *cc,
- NSSItem *data,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishEncrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishEncrypt
-(
- NSSCryptoContext *cc,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_Verify
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSItem *signature,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_BeginVerify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginVerify
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *signature,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueVerify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ContinueVerify
-(
- NSSCryptoContext *cc,
- NSSItem *data
-);
-
-/*
- * NSSCryptoContext_FinishVerify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_FinishVerify
-(
- NSSCryptoContext *cc
-);
-
-/*
- * NSSCryptoContext_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_VerifyRecover
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *signature,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginVerifyRecover
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginVerifyRecover
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueVerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueVerifyRecover
-(
- NSSCryptoContext *cc,
- NSSItem *data,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishVerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishVerifyRecover
-(
- NSSCryptoContext *cc,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_WrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_WrapSymmetricKey
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSSymmetricKey *keyToWrap,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_Digest
- *
- * Digest a single chunk of data with the distinguished digest key
- * of this crypto context.
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Digest
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *data,
- NSSCallback *uhhOpt,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginDigest
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginDigest
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueDigest
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ContinueDigest
-(
- NSSCryptoContext *cc,
- NSSAlgorithmAndParameters *apOpt,
- NSSItem *item
-);
-
-/*
- * NSSCryptoContext_FinishDigest
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishDigest
-(
- NSSCryptoContext *cc,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * tbd: Combination ops
- */
-
-/*
- * NSSCryptoContext_Clone
- *
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSCryptoContext_Clone
-(
- NSSCryptoContext *cc
-);
-
-/*
- * NSSCryptoContext_Save
- * NSSCryptoContext_Restore
- *
- * We need to be able to save and restore the state of contexts.
- * Perhaps a mark-and-release mechanism would be better?
- */
-
-/*
- * ..._SignTBSCertificate
- *
- * This requires feedback from the cert server team.
- */
-
-/*
- * PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c);
- * PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted);
- *
- * These will be helper functions which get the trust object for a cert,
- * and then call the corresponding function(s) on it.
- *
- * PKIX trust objects will have methods to manipulate the low-level trust
- * bits (which are based on key usage and extended key usage), and also the
- * conceptual high-level usages (e.g. ssl client auth, email encryption, etc.)
- *
- * Other types of trust objects (if any) might have different low-level
- * representations, but hopefully high-level concepts would map.
- *
- * Only these high-level general routines would be promoted to the
- * general certificate level here. Hence the {xxx} above would be things
- * like "EmailSigning."
- *
- *
- * NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c);
- * PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t);
- *
- * I want to hold off on any general trust object until we've investigated
- * other models more thoroughly.
- */
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKI_H */
diff --git a/security/nss/lib/pki/nsspkit.h b/security/nss/lib/pki/nsspkit.h
deleted file mode 100644
index e1b5888fa..000000000
--- a/security/nss/lib/pki/nsspkit.h
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSPKIT_H
-#define NSSPKIT_H
-
-#ifdef DEBUG
-static const char NSSPKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nsspkit.h
- *
- * This file defines the types of the top-level PKI objects.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSCertificate
- *
- * This is the public representation of a Certificate. The certificate
- * may be one found on a smartcard or other token, one decoded from data
- * received as part of a protocol, one constructed from constituent
- * parts, etc. Usually it is associated with ("in") a trust domain; as
- * it can be verified only within a trust domain. The underlying type
- * of certificate may be of any supported standard, e.g. PKIX, PGP, etc.
- *
- * People speak of "verifying (with) the server's, or correspondant's,
- * certificate"; for simple operations we support that simplification
- * by implementing public-key crypto operations as methods on this type.
- */
-
-struct NSSCertificateStr;
-typedef struct NSSCertificateStr NSSCertificate;
-
-/*
- * NSSUserCertificate
- *
- * A ``User'' certificate is one for which the private key is available.
- * People speak of "using my certificate to sign my email" and "using
- * my certificate to authenticate to (or login to) the server"; for
- * simple operations, we support that simplification by implementing
- * private-key crypto operations as methods on this type.
- *
- * The current design only weakly distinguishes between certificates
- * and user certificates: as far as the compiler goes they're
- * interchangable; debug libraries only have one common pointer-tracker;
- * etc. However, attempts to do private-key operations on a certificate
- * for which the private key is not available will fail.
- *
- * Open design question: should these types be more firmly separated?
- */
-
-typedef NSSCertificate NSSUserCertificate;
-
-/*
- * NSSPrivateKey
- *
- * This is the public representation of a Private Key. In general,
- * the actual value of the key is not available, but operations may
- * be performed with it.
- */
-
-struct NSSPrivateKeyStr;
-typedef struct NSSPrivateKeyStr NSSPrivateKey;
-
-/*
- * NSSPublicKey
- *
- */
-
-struct NSSPublicKeyStr;
-typedef struct NSSPublicKeyStr NSSPublicKey;
-
-/*
- * NSSSymmetricKey
- *
- */
-
-struct NSSSymmetricKeyStr;
-typedef struct NSSSymmetricKeyStr NSSSymmetricKey;
-
-/*
- * NSSTrustDomain
- *
- * A Trust Domain is the field in which certificates may be validated.
- * A trust domain will generally have one or more cryptographic modules
- * open; these modules perform the cryptographic operations, and
- * provide the basic "root" trust information from which the trust in
- * a specific certificate or key depends.
- *
- * A client program, or a simple server, would typically have one
- * trust domain. A server supporting multiple "virtual servers" might
- * have a separate trust domain for each virtual server. The separate
- * trust domains might share some modules (e.g., a hardware crypto
- * accelerator) but not others (e.g., the tokens storing the different
- * servers' private keys, or the databases with each server's trusted
- * root certificates).
- *
- * This object descends from the "permananet database" in the old code.
- */
-
-struct NSSTrustDomainStr;
-typedef struct NSSTrustDomainStr NSSTrustDomain;
-
-/*
- * NSSCryptoContext
- *
- * A Crypto Context is a short-term, "helper" object which is used
- * for the lifetime of one ongoing "crypto operation." Such an
- * operation may be the creation of a signed message, the use of an
- * TLS socket connection, etc. Each crypto context is "in" a
- * specific trust domain, and it may have associated with it a
- * distinguished certificate, public key, private key, and/or
- * symmetric key. It can also temporarily hold and use temporary
- * data (e.g. intermediate certificates) which is not stored
- * permanently in the trust domain.
- *
- * In OO terms, this interface inherits interfaces from the trust
- * domain, the certificates, and the keys. It also provides
- * streaming crypto operations.
- *
- * This object descends from the "temporary database" concept in the
- * old code, but it has changed a lot as a result of what we've
- * learned.
- */
-
-struct NSSCryptoContextStr;
-typedef struct NSSCryptoContextStr NSSCryptoContext;
-
-/*
- * fgmr others
- */
-
-/*
- * NSSTime
- *
- * Unfortunately, we need an "exceptional" value to indicate
- * an error upon return, or "no value" on input. Note that zero
- * is a perfectly valid value for both time_t and PRTime.
- *
- * If we were to create a "range" object, with two times for
- * Not Before and Not After, we would have an obvious place for
- * the somewhat arbitrary logic involved in comparing them.
- *
- * Failing that, let's have an NSSTime_CompareRanges function.
- */
-
-struct NSSTimeStr;
-typedef struct NSSTimeStr NSSTime;
-
-/*
- * NSSUsage
- *
- * This is trickier than originally planned; I'll write up a
- * doc on it.
- *
- * We'd still like nsspki.h to have a list of common usages,
- * e.g.:
- *
- * extern const NSSUsage *NSSUsage_ClientAuth;
- * extern const NSSUsage *NSSUsage_ServerAuth;
- * extern const NSSUsage *NSSUsage_SignEmail;
- * extern const NSSUsage *NSSUsage_EncryptEmail;
- * etc.
- */
-
-struct NSSUsageStr;
-typedef struct NSSUsageStr NSSUsage;
-
-/*
- * NSSPolicies
- *
- * Placeholder, for now.
- */
-
-struct NSSPoliciesStr;
-typedef struct NSSPoliciesStr NSSPolicies;
-
-/*
- * NSSAlgorithmAndParameters
- *
- * Algorithm is an OID
- * Parameters depend on the algorithm
- */
-
-struct NSSAlgorithmAndParametersStr;
-typedef struct NSSAlgorithmAndParametersStr NSSAlgorithmAndParameters;
-
-/*
- * NSSCallback
- *
- * At minimum, a "challenge" method and a closure argument.
- * Usually the challenge will just be prompting for a password.
- * How OO do we want to make it?
- */
-
-struct NSSCallbackStr;
-typedef struct NSSCallbackStr NSSCallback;
-
-/*
- * NSSModule and NSSSlot -- placeholders for the PKCS#11 types
- */
-
-struct NSSModuleStr;
-typedef struct NSSModuleStr NSSModule;
-
-struct NSSSlotStr;
-typedef struct NSSSlotStr NSSSlot;
-
-typedef PRUint32 NSSOperations;
-/* 1) Do we want these to be preprocessor definitions or constants? */
-/* 2) What is the correct and complete list? */
-
-#define NSSOperations_ENCRYPT 0x0001
-#define NSSOperations_DECRYPT 0x0002
-#define NSSOperations_WRAP 0x0004
-#define NSSOperations_UNWRAP 0x0008
-#define NSSOperations_SIGN 0x0010
-#define NSSOperations_SIGN_RECOVER 0x0020
-#define NSSOperations_VERIFY 0x0040
-#define NSSOperations_VERIFY_RECOVER 0x0080
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKIT_H */
diff --git a/security/nss/lib/pki1/.cvsignore b/security/nss/lib/pki1/.cvsignore
deleted file mode 100644
index 12bfbfc7c..000000000
--- a/security/nss/lib/pki1/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-oiddata.c
-oiddata.h
-
diff --git a/security/nss/lib/pki1/Makefile b/security/nss/lib/pki1/Makefile
deleted file mode 100644
index 03e1fb4c6..000000000
--- a/security/nss/lib/pki1/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/pki1/atav.c b/security/nss/lib/pki1/atav.c
deleted file mode 100644
index 299ddfc0d..000000000
--- a/security/nss/lib/pki1/atav.c
+++ /dev/null
@@ -1,1803 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * atav.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * AttributeTypeAndValue.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * AttributeTypeAndValue
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- * AttributeTypeAndValue ::= SEQUENCE {
- * type ATTRIBUTE.&id ({SupportedAttributes}),
- * value ATTRIBUTE.&Type ({SupportedAttributes}{@type})}
- *
- * -- ATTRIBUTE information object class specification
- * -- Note: This has been greatly simplified for PKIX !!
- *
- * ATTRIBUTE ::= CLASS {
- * &Type,
- * &id OBJECT IDENTIFIER UNIQUE }
- * WITH SYNTAX {
- * WITH SYNTAX &Type ID &id }
- *
- * What this means is that the "type" of the value is determined by
- * the value of the oid. If we hide the structure, our accessors
- * can (at least in debug builds) assert value semantics beyond what
- * the compiler can provide. Since these things are only used in
- * RelativeDistinguishedNames, and since RDNs always contain a SET
- * of these things, we don't lose anything by hiding the structure
- * (and its size).
- */
-
-struct NSSATAVStr {
- NSSBER ber;
- const NSSOID *oid;
- NSSUTF8 *value;
- nssStringType stringForm;
-};
-
-/*
- * NSSATAV
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSATAV_CreateFromBER -- constructor
- * NSSATAV_CreateFromUTF8 -- constructor
- * NSSATAV_Create -- constructor
- *
- * NSSATAV_Destroy
- * NSSATAV_GetDEREncoding
- * NSSATAV_GetUTF8Encoding
- * NSSATAV_GetType
- * NSSATAV_GetValue
- * NSSATAV_Compare
- * NSSATAV_Duplicate
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssATAV_CreateFromBER -- constructor
- * nssATAV_CreateFromUTF8 -- constructor
- * nssATAV_Create -- constructor
- *
- * nssATAV_Destroy
- * nssATAV_GetDEREncoding
- * nssATAV_GetUTF8Encoding
- * nssATAV_GetType
- * nssATAV_GetValue
- * nssATAV_Compare
- * nssATAV_Duplicate
- *
- * In debug builds, the following non-public call is also available:
- *
- * nssATAV_verifyPointer
- */
-
-/*
- * NSSATAV_CreateFromBER
- *
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV. If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berATAV
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-
- /*
- * NSSBERs can be created by the user,
- * so no pointer-tracking can be checked.
- */
-
- if( (NSSBER *)NULL == berATAV ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSATAV *)NULL;
- }
-
- if( (void *)NULL == berATAV->data ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSATAV *)NULL;
- }
-#endif /* DEBUG */
-
- return nssATAV_CreateFromBER(arenaOpt, berATAV);
-}
-
-/*
- * NSSATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US." If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringATAV
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-
- /*
- * NSSUTF8s can be created by the user,
- * so no pointer-tracking can be checked.
- */
-
- if( (NSSUTF8 *)NULL == stringATAV ) {
- nss_SetError(NSS_ERROR_INVALID_UTF8);
- return (NSSATAV *)NULL;
- }
-#endif /* DEBUG */
-
- return nssATAV_CreateFromUTF8(arenaOpt, stringATAV);
-}
-
-/*
- * NSSATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero,
- * the data is assumed to be terminated by first zero byte; this allows
- * UTF8 strings to be easily specified. This routine may return NULL
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_Create
-(
- NSSArena *arenaOpt,
- const NSSOID *oid,
- const void *data,
- PRUint32 length
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSATAV *)NULL;
- }
-
- if( (const void *)NULL == data ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSATAV *)NULL;
- }
-#endif /* DEBUG */
-
- return nssATAV_Create(arenaOpt, oid, data, length);
-}
-
-/*
- * NSSATAV_Destroy
- *
- * This routine will destroy an ATAV object. It should eventually be
- * called on all ATAVs created without an arena. While it is not
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-NSSATAV_Destroy
-(
- NSSATAV *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssATAV_Destroy(atav);
-}
-
-/*
- * NSSATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSATAV
- */
-
-NSS_IMPLEMENT NSSDER *
-NSSATAV_GetDEREncoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSDER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssATAV_GetDEREncoding(atav, arenaOpt);
-}
-
-/*
- * NSSATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the "equals" encoding of the
- * ATAV
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSATAV_GetUTF8Encoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssATAV_GetUTF8Encoding(atav, arenaOpt);
-}
-
-/*
- * NSSATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV. This routine may return NSS_OID_UNKNOWN
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An element of enum NSSOIDenum upon success
- */
-
-NSS_IMPLEMENT const NSSOID *
-NSSATAV_GetType
-(
- NSSATAV *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSOID *)NULL;
- }
-#endif /* DEBUG */
-
- return nssATAV_GetType(atav);
-}
-
-/*
- * NSSATAV_GetValue
- *
- * This routine returns a string containing the attribute value
- * in the specified ATAV. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSATAV_GetValue
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssATAV_GetValue(atav, arenaOpt);
-}
-
-/*
- * NSSATAV_Compare
- *
- * This routine compares two ATAVs for equality. For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute
- * values must have equal length and contents. The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool. This routine may
- * return PR_FAILURE upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_IMPLEMENT PRStatus
-NSSATAV_Compare
-(
- NSSATAV *atav1,
- NSSATAV *atav2,
- PRBool *equalp
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
- return PR_FAILURE;
- }
-
- if( (PRBool *)NULL == equalp ) {
- nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssATAV_Compare(atav1, atav2, equalp);
-}
-
-/*
- * NSSATAV_Duplicate
- *
- * This routine duplicates the specified ATAV. If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL on error
- * A pointer to a new ATAV
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_Duplicate
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSATAV *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssATAV_Duplicate(atav, arenaOpt);
-}
-
-/*
- * The pointer-tracking code
- */
-
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker atav_pointer_tracker;
-
-static PRStatus
-atav_add_pointer
-(
- const NSSATAV *atav
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&atav_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&atav_pointer_tracker, atav);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-static PRStatus
-atav_remove_pointer
-(
- const NSSATAV *atav
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&atav_pointer_tracker, atav);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-
-/*
- * nssATAV_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSATAV object,
- * this routine will return PR_SUCCESS. Otherwise, it will put an
- * error on the error stack and return PR_FAILRUE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssATAV_verifyPointer
-(
- NSSATAV *atav
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&atav_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&atav_pointer_tracker, atav);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_ATAV);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-typedef struct {
- NSSBER oid;
- NSSBER value;
-} atav_holder;
-
-static const nssASN1Template nss_atav_template[] = {
- { nssASN1_SEQUENCE, 0, NULL, sizeof(atav_holder) },
- { nssASN1_OBJECT_ID, nsslibc_offsetof(atav_holder, oid), NULL, 0 },
- { nssASN1_ANY, nsslibc_offsetof(atav_holder, value), NULL, 0 },
- { 0, 0, NULL, 0 }
-};
-
-/*
- * There are several common attributes, with well-known type aliases
- * and value semantics. This table lists the ones we recognize.
- */
-
-struct nss_attribute_data_str {
- const NSSOID **oid;
- nssStringType stringType;
- PRUint32 minStringLength;
- PRUint32 maxStringLength; /* zero for no limit */
-};
-
-static const struct nss_attribute_data_str nss_attribute_data[] = {
- { &NSS_OID_X520_NAME,
- nssStringType_DirectoryString, 1, 32768 },
- { &NSS_OID_X520_COMMON_NAME,
- nssStringType_DirectoryString, 1, 64 },
- { &NSS_OID_X520_SURNAME,
- nssStringType_DirectoryString, 1, 40 },
- { &NSS_OID_X520_GIVEN_NAME,
- nssStringType_DirectoryString, 1, 16 },
- { &NSS_OID_X520_INITIALS,
- nssStringType_DirectoryString, 1, 5 },
- { &NSS_OID_X520_GENERATION_QUALIFIER,
- nssStringType_DirectoryString, 1, 3 },
- { &NSS_OID_X520_DN_QUALIFIER,
- nssStringType_PrintableString, 1, 0 },
- { &NSS_OID_X520_COUNTRY_NAME,
- nssStringType_PrintableString, 2, 2 },
- { &NSS_OID_X520_LOCALITY_NAME,
- nssStringType_DirectoryString, 1, 128 },
- { &NSS_OID_X520_STATE_OR_PROVINCE_NAME,
- nssStringType_DirectoryString, 1, 128 },
- { &NSS_OID_X520_ORGANIZATION_NAME,
- nssStringType_DirectoryString, 1, 64 },
- { &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
- nssStringType_DirectoryString, 1,
- /*
- * Note, draft #11 defines both "32" and "64" for this maximum,
- * in two separate places. Until it's settled, "conservative
- * in what you send." We're always liberal in what we accept.
- */
- 32 },
- { &NSS_OID_X520_TITLE,
- nssStringType_DirectoryString, 1, 64 },
- { &NSS_OID_RFC1274_EMAIL,
- nssStringType_PHGString, 1, 128 }
-};
-
-PRUint32 nss_attribute_data_quantity =
- (sizeof(nss_attribute_data)/sizeof(nss_attribute_data[0]));
-
-static nssStringType
-nss_attr_underlying_string_form
-(
- nssStringType type,
- void *data
-)
-{
- if( nssStringType_DirectoryString == type ) {
- PRUint8 tag = *(PRUint8 *)data;
- switch( tag & nssASN1_TAGNUM_MASK ) {
- case 20:
- /*
- * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
- * below) but is T61 a suitable value for "Latin-1"?
- */
- return nssStringType_TeletexString;
- case 19:
- return nssStringType_PrintableString;
- case 28:
- return nssStringType_UniversalString;
- case 30:
- return nssStringType_BMPString;
- case 12:
- return nssStringType_UTF8String;
- default:
- return nssStringType_Unknown;
- }
- }
-
- return type;
-}
-
-
-/*
- * This routine decodes the attribute value, in a type-specific way.
- *
- */
-
-static NSSUTF8 *
-nss_attr_to_utf8
-(
- NSSArena *arenaOpt,
- const NSSOID *oid,
- NSSItem *item,
- nssStringType *stringForm
-)
-{
- NSSUTF8 *rv = (NSSUTF8 *)NULL;
- PRUint32 i;
- const struct nss_attribute_data_str *which =
- (struct nss_attribute_data_str *)NULL;
- PRUint32 len = 0;
-
- for( i = 0; i < nss_attribute_data_quantity; i++ ) {
- if( *(nss_attribute_data[ i ].oid) == oid ) {
- which = &nss_attribute_data[i];
- break;
- }
- }
-
- if( (struct nss_attribute_data_str *)NULL == which ) {
- /* Unknown OID. Encode it as hex. */
- PRUint8 *c;
- PRUint8 *d = (PRUint8 *)item->data;
- PRUint32 amt = item->size;
-
- if( item->size >= 0x7FFFFFFF ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSUTF8 *)NULL;
- }
-
- len = 1 + (item->size * 2) + 1; /* '#' + hex + '\0' */
- rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
- if( (NSSUTF8 *)NULL == rv ) {
- return (NSSUTF8 *)NULL;
- }
-
- c = (PRUint8 *)rv;
- *c++ = '#'; /* XXX fgmr check this */
- while( amt > 0 ) {
- static char hex[16] = "0123456789ABCDEF";
- *c++ = hex[ ((*d) & 0xf0) >> 4 ];
- *c++ = hex[ ((*d) & 0x0f) ];
- }
-
- /* *c = '\0'; nss_ZAlloc, remember */
-
- *stringForm = nssStringType_Unknown; /* force exact comparison */
- } else {
- rv = nssUTF8_CreateFromBER(arenaOpt, which->stringType,
- (NSSBER *)item);
-
- if( (NSSUTF8 *)NULL == rv ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( PR_SUCCESS != nssUTF8_Length(rv, &len) ) {
- nss_ZFreeIf(rv);
- return (NSSUTF8 *)NULL;
- }
-
- *stringForm = nss_attr_underlying_string_form(which->stringType,
- item->data);
- }
-
- return rv;
-}
-
-/*
- * nssATAV_CreateFromBER
- *
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV. If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_CreateFromBER
-(
- NSSArena *arenaOpt,
- const NSSBER *berATAV
-)
-{
- atav_holder holder;
- PRStatus status;
- NSSATAV *rv;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-
- /*
- * NSSBERs can be created by the user,
- * so no pointer-tracking can be checked.
- */
-
- if( (NSSBER *)NULL == berATAV ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSATAV *)NULL;
- }
-
- if( (void *)NULL == berATAV->data ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSATAV *)NULL;
- }
-#endif /* NSSDEBUG */
-
- status = nssASN1_DecodeBER(arenaOpt, &holder,
- nss_atav_template, berATAV);
- if( PR_SUCCESS != status ) {
- return (NSSATAV *)NULL;
- }
-
- rv = nss_ZNEW(arenaOpt, NSSATAV);
- if( (NSSATAV *)NULL == rv ) {
- nss_ZFreeIf(holder.oid.data);
- nss_ZFreeIf(holder.value.data);
- return (NSSATAV *)NULL;
- }
-
- rv->oid = nssOID_CreateFromBER(&holder.oid);
- if( (NSSOID *)NULL == rv->oid ) {
- nss_ZFreeIf(rv);
- nss_ZFreeIf(holder.oid.data);
- nss_ZFreeIf(holder.value.data);
- return (NSSATAV *)NULL;
- }
-
- nss_ZFreeIf(holder.oid.data);
-
- rv->ber.data = nss_ZAlloc(arenaOpt, berATAV->size);
- if( (void *)NULL == rv->ber.data ) {
- nss_ZFreeIf(rv);
- nss_ZFreeIf(holder.value.data);
- return (NSSATAV *)NULL;
- }
-
- rv->ber.size = berATAV->size;
- (void)nsslibc_memcpy(rv->ber.data, berATAV->data, berATAV->size);
-
- rv->value = nss_attr_to_utf8(arenaOpt, rv->oid, &holder.value,
- &rv->stringForm);
- if( (NSSUTF8 *)NULL == rv->value ) {
- nss_ZFreeIf(rv->ber.data);
- nss_ZFreeIf(rv);
- nss_ZFreeIf(holder.value.data);
- return (NSSATAV *)NULL;
- }
-
- nss_ZFreeIf(holder.value.data);
-
-#ifdef DEBUG
- if( PR_SUCCESS != atav_add_pointer(rv) ) {
- nss_ZFreeIf(rv->ber.data);
- nss_ZFreeIf(rv->value);
- nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-#endif /* DEBUG */
-
- return rv;
-}
-
-static PRBool
-nss_atav_utf8_string_is_hex
-(
- const NSSUTF8 *s
-)
-{
- /* All hex digits are ASCII, so this works */
- PRUint8 *p = (PRUint8 *)s;
-
- for( ; (PRUint8)0 != *p; p++ ) {
- if( (('0' <= *p) && (*p <= '9')) ||
- (('A' <= *p) && (*p <= 'F')) ||
- (('a' <= *p) && (*p <= 'f')) ) {
- continue;
- } else {
- return PR_FALSE;
- }
- }
-
- return PR_TRUE;
-}
-
-static PRUint8
-nss_atav_fromhex
-(
- PRUint8 *d
-)
-{
- PRUint8 rv;
-
- if( d[0] <= '9' ) {
- rv = (d[0] - '0') * 16;
- } else if( d[0] >= 'a' ) {
- rv = (d[0] - 'a' + 10) * 16;
- } else {
- rv = (d[0] - 'A' + 10);
- }
-
- if( d[1] <= '9' ) {
- rv += (d[1] - '0');
- } else if( d[1] >= 'a' ) {
- rv += (d[1] - 'a' + 10);
- } else {
- rv += (d[1] - 'A' + 10);
- }
-
- return rv;
-}
-
-/*
- * nssATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US." If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- const NSSUTF8 *stringATAV
-)
-{
- char *c;
- NSSUTF8 *type;
- NSSUTF8 *value;
- PRUint32 i;
- const NSSOID *oid = (NSSOID *)NULL;
- NSSATAV *rv;
- NSSItem xitem;
-
- xitem.data = (void *)NULL;
-
- for( c = (char *)stringATAV; '\0' != *c; c++ ) {
- if( '=' == *c ) {
-#ifdef PEDANTIC
- /*
- * Theoretically, one could have an '=' in an
- * attribute string alias. We don't, yet, though.
- */
- if( (char *)stringATAV == c ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSATAV *)NULL;
- } else {
- if( '\\' == c[-1] ) {
- continue;
- }
- }
-#endif /* PEDANTIC */
- break;
- }
- }
-
- if( '\0' == *c ) {
- nss_SetError(NSS_ERROR_INVALID_UTF8);
- return (NSSATAV *)NULL;
- } else {
- c++;
- value = (NSSUTF8 *)c;
- }
-
- i = ((NSSUTF8 *)c - stringATAV);
- type = (NSSUTF8 *)nss_ZAlloc((NSSArena *)NULL, i);
- if( (NSSUTF8 *)NULL == type ) {
- return (NSSATAV *)NULL;
- }
-
- (void)nsslibc_memcpy(type, stringATAV, i-1);
-
- c = (char *)stringATAV;
- if( (('0' <= *c) && (*c <= '9')) || ('#' == *c) ) {
- oid = nssOID_CreateFromUTF8(type);
- if( (NSSOID *)NULL == oid ) {
- nss_ZFreeIf(type);
- return (NSSATAV *)NULL;
- }
- } else {
- for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
- const nssAttributeTypeAliasTable *e = &nss_attribute_type_aliases[i];
- PRBool match = PR_FALSE;
- if( PR_SUCCESS != nssUTF8_CaseIgnoreMatch(type, e->alias,
- &match) ) {
- nss_ZFreeIf(type);
- return (NSSATAV *)NULL;
- }
- if( PR_TRUE == match ) {
- oid = *(e->oid);
- break;
- }
- }
-
- if( (NSSOID *)NULL == oid ) {
- nss_ZFreeIf(type);
- nss_SetError(NSS_ERROR_UNKNOWN_ATTRIBUTE);
- return (NSSATAV *)NULL;
- }
- }
-
- nss_ZFreeIf(type);
- type = (NSSUTF8 *)NULL;
-
- rv = nss_ZNEW(arenaOpt, NSSATAV);
- if( (NSSATAV *)NULL == rv ) {
- return (NSSATAV *)NULL;
- }
-
- rv->oid = oid;
-
- if( '#' == *value ) { /* XXX fgmr.. was it '#'? or backslash? */
- PRUint32 size;
- PRUint32 len;
- PRUint8 *c;
- PRUint8 *d;
- /* It's in hex */
-
- value++;
- if( PR_TRUE != nss_atav_utf8_string_is_hex(value) ) {
- (void)nss_ZFreeIf(rv);
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSATAV *)NULL;
- }
-
- if( PR_SUCCESS != nssUTF8_Size(value, &size) ) {
- /*
- * Only returns an error on bad pointer (nope) or string
- * too long. The defined limits for known attributes are
- * small enough to fit in PRUint32, and when undefined we
- * get to apply our own practical limits. Ergo, I say the
- * string is invalid.
- */
- (void)nss_ZFreeIf(rv);
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSATAV *)NULL;
- }
-
- if( ((size-1) & 1) ) {
- /* odd length */
- (void)nss_ZFreeIf(rv);
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSATAV *)NULL;
- }
-
- len = (size-1)/2;
-
- rv->value = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
- if( (NSSUTF8 *)NULL == rv->value ) {
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- xitem.size = len;
- xitem.data = (void *)rv->value;
-
- for( c = rv->value, d = value; len--; c++, d += 2 ) {
- *c = nss_atav_fromhex(d);
- }
-
- *c = 0;
- } else {
- PRUint32 i, len;
- PRUint8 *s;
-
- /*
- * XXX fgmr-- okay, this is a little wasteful, and should
- * probably be abstracted out a bit. Later.
- */
-
- rv->value = nssUTF8_Duplicate(value, arenaOpt);
- if( (NSSUTF8 *)NULL == rv->value ) {
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- if( PR_SUCCESS != nssUTF8_Size(rv->value, &len) ) {
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- s = (PRUint8 *)rv->value;
- for( i = 0; i < len; i++ ) {
- if( '\\' == s[i] ) {
- (void)nsslibc_memcpy(&s[i], &s[i+1], len-i-1);
- }
- }
- }
-
- /* Now just BER-encode the baby and we're through.. */
- {
- const struct nss_attribute_data_str *which =
- (struct nss_attribute_data_str *)NULL;
- PRUint32 i;
- NSSArena *a;
- NSSDER *oidder;
- NSSItem *vitem;
- atav_holder ah;
- NSSDER *status;
-
- for( i = 0; i < nss_attribute_data_quantity; i++ ) {
- if( *(nss_attribute_data[ i ].oid) == rv->oid ) {
- which = &nss_attribute_data[i];
- break;
- }
- }
-
- a = NSSArena_Create();
- if( (NSSArena *)NULL == a ) {
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- oidder = nssOID_GetDEREncoding(rv->oid, a);
- if( (NSSDER *)NULL == oidder ) {
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- if( (struct nss_attribute_data_str *)NULL == which ) {
- /*
- * We'll just have to take the user data as an octet stream.
- */
- if( (void *)NULL == xitem.data ) {
- /*
- * This means that an ATTR entry has been added to oids.txt,
- * but no corresponding entry has been added to the array
- * ns_attribute_data[] above.
- */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- vitem = nssASN1_EncodeDER(a, (NSSDER *)NULL, &xitem,
- nssASN1Template_OctetString);
- if( (NSSItem *)NULL == vitem ) {
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- rv->stringForm = nssStringType_Unknown;
- } else {
- PRUint32 length = 0;
-
- if( PR_SUCCESS != nssUTF8_Length(rv->value, &length) ) {
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- if( ((0 != which->minStringLength) &&
- (length < which->minStringLength)) ||
- ((0 != which->maxStringLength) &&
- (length > which->maxStringLength)) ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- vitem = nssUTF8_GetDEREncoding(a, which->stringType, rv->value);
- if( (NSSItem *)NULL == vitem ) {
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- if( nssStringType_DirectoryString == which->stringType ) {
- rv->stringForm = nssStringType_UTF8String;
- } else {
- rv->stringForm = which->stringType;
- }
- }
-
- ah.oid = *oidder;
- ah.value = *vitem;
-
- status = nssASN1_EncodeDER(arenaOpt, &rv->ber, &ah,
- nss_atav_template);
-
- if( (NSSDER *)NULL == status ) {
- (void)NSSArena_Destroy(a);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- (void)NSSArena_Destroy(a);
- }
-
- return rv;
-}
-
-/*
- * nssATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero,
- * the data is assumed to be terminated by first zero byte; this allows
- * UTF8 strings to be easily specified. This routine may return NULL
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_Create
-(
- NSSArena *arenaOpt,
- const NSSOID *oid,
- const void *data,
- PRUint32 length
-)
-{
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSATAV *)NULL;
- }
-
- if( (const void *)NULL == data ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return (NSSATAV *)NULL;
- }
-#endif /* NSSDEBUG */
-
- /* XXX fgmr-- oops, forgot this one */
- return (NSSATAV *)NULL;
-}
-
-/*
- * nssATAV_Destroy
- *
- * This routine will destroy an ATAV object. It should eventually be
- * called on all ATAVs created without an arena. While it is not
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssATAV_Destroy
-(
- NSSATAV *atav
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- (void)nss_ZFreeIf(atav->ber.data);
- (void)nss_ZFreeIf(atav->value);
-
-#ifdef DEBUG
- if( PR_SUCCESS != atav_remove_pointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return PR_SUCCESS;
-}
-
-/*
- * nssATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSATAV
- */
-
-NSS_IMPLEMENT NSSDER *
-nssATAV_GetDEREncoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- NSSDER *rv;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSDER *)NULL;
- }
-#endif /* NSSDEBUG */
-
- rv = nss_ZNEW(arenaOpt, NSSDER);
- if( (NSSDER *)NULL == rv ) {
- return (NSSDER *)NULL;
- }
-
- rv->data = nss_ZAlloc(arenaOpt, atav->ber.size);
- if( (void *)NULL == rv->data ) {
- (void)nss_ZFreeIf(rv);
- return (NSSDER *)NULL;
- }
-
- rv->size = atav->ber.size;
- if( PR_SUCCESS != nsslibc_memcpy(rv->data, atav->ber.data,
- rv->size) ) {
- (void)nss_ZFreeIf(rv->data);
- (void)nss_ZFreeIf(rv);
- return (NSSDER *)NULL;
- }
-
- return rv;
-}
-
-/*
- * nssATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the "equals" encoding of the
- * ATAV
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssATAV_GetUTF8Encoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- NSSUTF8 *rv;
- PRUint32 i;
- const NSSUTF8 *alias = (NSSUTF8 *)NULL;
- NSSUTF8 *oid;
- NSSUTF8 *value;
- PRUint32 oidlen;
- PRUint32 valuelen;
- PRUint32 totallen;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
- if( *(nss_attribute_type_aliases[i].oid) == atav->oid ) {
- alias = nss_attribute_type_aliases[i].alias;
- break;
- }
- }
-
- if( (NSSUTF8 *)NULL == alias ) {
- oid = nssOID_GetUTF8Encoding(atav->oid, (NSSArena *)NULL);
- if( (NSSUTF8 *)NULL == oid ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( PR_SUCCESS != nssUTF8_Size(oid, &oidlen) ) {
- (void)nss_ZFreeIf(oid);
- return (NSSUTF8 *)NULL;
- }
- } else {
- if( PR_SUCCESS != nssUTF8_Size(alias, &oidlen) ) {
- return (NSSUTF8 *)NULL;
- }
- oid = (NSSUTF8 *)NULL;
- }
-
- value = nssATAV_GetValue(atav, (NSSArena *)NULL);
- if( (NSSUTF8 *)NULL == value ) {
- (void)nss_ZFreeIf(oid);
- return (NSSUTF8 *)NULL;
- }
-
- if( PR_SUCCESS != nssUTF8_Size(value, &valuelen) ) {
- (void)nss_ZFreeIf(value);
- (void)nss_ZFreeIf(oid);
- return (NSSUTF8 *)NULL;
- }
-
- totallen = oidlen + valuelen - 1 + 1;
- rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, totallen);
- if( (NSSUTF8 *)NULL == rv ) {
- (void)nss_ZFreeIf(value);
- (void)nss_ZFreeIf(oid);
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSUTF8 *)NULL == alias ) {
- if( (void *)NULL == nsslibc_memcpy(rv, oid, oidlen-1) ) {
- (void)nss_ZFreeIf(rv);
- (void)nss_ZFreeIf(value);
- (void)nss_ZFreeIf(oid);
- return (NSSUTF8 *)NULL;
- }
- } else {
- if( (void *)NULL == nsslibc_memcpy(rv, alias, oidlen-1) ) {
- (void)nss_ZFreeIf(rv);
- (void)nss_ZFreeIf(value);
- return (NSSUTF8 *)NULL;
- }
- }
-
- rv[ oidlen-1 ] = '=';
-
- if( (void *)NULL == nsslibc_memcpy(&rv[oidlen], value, valuelen) ) {
- (void)nss_ZFreeIf(rv);
- (void)nss_ZFreeIf(value);
- (void)nss_ZFreeIf(oid);
- return (NSSUTF8 *)NULL;
- }
-
- return rv;
-}
-
-/*
- * nssATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV. This routine may return NSS_OID_UNKNOWN
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * A valid NSSOID pointer upon success
- */
-
-NSS_IMPLEMENT const NSSOID *
-nssATAV_GetType
-(
- NSSATAV *atav
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSOID *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return atav->oid;
-}
-
-/*
- * nssATAV_GetValue
- *
- * This routine returns a NSSUTF8 string containing the attribute value
- * in the specified ATAV. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error upon the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssATAV_GetValue
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return nssUTF8_Duplicate(atav->value, arenaOpt);
-}
-
-/*
- * nssATAV_Compare
- *
- * This routine compares two ATAVs for equality. For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute
- * values must have equal length and contents. The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool. This routine may
- * return PR_FAILURE upon error, in which case it will have set an
- * error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_IMPLEMENT PRStatus
-nssATAV_Compare
-(
- NSSATAV *atav1,
- NSSATAV *atav2,
- PRBool *equalp
-)
-{
- nssStringType comparison;
- PRUint32 len1;
- PRUint32 len2;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
- return PR_FAILURE;
- }
-
- if( (PRBool *)NULL == equalp ) {
- nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- if( atav1->oid != atav2->oid ) {
- *equalp = PR_FALSE;
- return PR_SUCCESS;
- }
-
- if( atav1->stringForm != atav2->stringForm ) {
- if( (nssStringType_PrintableString == atav1->stringForm) ||
- (nssStringType_PrintableString == atav2->stringForm) ) {
- comparison = nssStringType_PrintableString;
- } else if( (nssStringType_PHGString == atav1->stringForm) ||
- (nssStringType_PHGString == atav2->stringForm) ) {
- comparison = nssStringType_PHGString;
- } else {
- comparison = atav1->stringForm;
- }
- } else {
- comparison = atav1->stringForm;
- }
-
- switch( comparison ) {
- case nssStringType_DirectoryString:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- case nssStringType_TeletexString:
- break;
- case nssStringType_PrintableString:
- return nssUTF8_PrintableMatch(atav1->value, atav2->value,
- equalp);
- /* Case-insensitive, with whitespace reduction */
- break;
- case nssStringType_UniversalString:
- break;
- case nssStringType_BMPString:
- break;
- case nssStringType_UTF8String:
- break;
- case nssStringType_PHGString:
- /* Case-insensitive (XXX fgmr, actually see draft-11 pg. 21) */
- return nssUTF8_CaseIgnoreMatch(atav1->value, atav2->value,
- equalp);
- case nssStringType_Unknown:
- break;
- }
-
- if( PR_SUCCESS != nssUTF8_Size(atav1->value, &len1) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssUTF8_Size(atav2->value, &len2) ) {
- return PR_FAILURE;
- }
-
- if( len1 != len2 ) {
- *equalp = PR_FALSE;
- return PR_SUCCESS;
- }
-
- return nsslibc_compare(atav1->value, atav2->value, len1, equalp);
-}
-
-
-/*
- * nssATAV_Duplicate
- *
- * This routine duplicates the specified ATAV. If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL on error
- * A pointer to a new ATAV
- */
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_Duplicate
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-)
-{
- NSSATAV *rv;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
- return (NSSATAV *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSATAV *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- rv = nss_ZNEW(arenaOpt, NSSATAV);
- if( (NSSATAV *)NULL == rv ) {
- return (NSSATAV *)NULL;
- }
-
- rv->oid = atav->oid;
- rv->stringForm = atav->stringForm;
- rv->value = nssUTF8_Duplicate(atav->value, arenaOpt);
- if( (NSSUTF8 *)NULL == rv->value ) {
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- rv->ber.data = nss_ZAlloc(arenaOpt, atav->ber.size);
- if( (void *)NULL == rv->ber.data ) {
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- rv->ber.size = atav->ber.size;
- if( PR_SUCCESS != nsslibc_memcpy(rv->ber.data, atav->ber.data,
- atav->ber.size) ) {
- (void)nss_ZFreeIf(rv->ber.data);
- (void)nss_ZFreeIf(rv->value);
- (void)nss_ZFreeIf(rv);
- return (NSSATAV *)NULL;
- }
-
- return rv;
-}
diff --git a/security/nss/lib/pki1/config.mk b/security/nss/lib/pki1/config.mk
deleted file mode 100644
index 80b3135f4..000000000
--- a/security/nss/lib/pki1/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/pki1/genname.c b/security/nss/lib/pki1/genname.c
deleted file mode 100644
index e7b12806a..000000000
--- a/security/nss/lib/pki1/genname.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * genname.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * GeneralName.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * GeneralName
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- * GeneralName ::= CHOICE {
- * otherName [0] INSTANCE OF OTHER-NAME,
- * rfc822Name [1] IA5String,
- * dNSName [2] IA5String,
- * x400Address [3] ORAddress,
- * directoryName [4] Name,
- * ediPartyName [5] EDIPartyName,
- * uniformResourceIdentifier [6] IA5String,
- * iPAddress [7] OCTET STRING,
- * registeredID [8] OBJECT IDENTIFIER }
- *
- * OTHER-NAME ::= TYPE-IDENTIFIER
- *
- * EDIPartyName ::= SEQUENCE {
- * nameAssigner [0] DirectoryString {ub-name} OPTIONAL,
- * partyName [1] DirectoryString {ub-name} }
- *
- */
-
-struct nssGeneralNameStr {
- NSSGeneralNameChoice choice;
- union {
- /* OTHER-NAME otherName */
- NSSUTF8 *rfc822Name;
- NSSUTF8 *dNSName;
- /* ORAddress x400Address */
- NSSName *directoryName;
- /* EDIPartyName ediPartyName */
- NSSUTF8 *uniformResourceIdentifier;
- NSSItem *iPAddress;
- NSSOID *registeredID;
- } u;
-};
diff --git a/security/nss/lib/pki1/gnseq.c b/security/nss/lib/pki1/gnseq.c
deleted file mode 100644
index e56ec93b9..000000000
--- a/security/nss/lib/pki1/gnseq.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * gnseq.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * GeneralNames (note the ending 's').
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * GeneralNames (or, as we call it, GeneralNameSeq)
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * A GeneralNames is simply an (ordered) sequence of General Names.
- * The seqSize variable is "helper" kept for simplicity.
- */
-
-struct nssGeneralNameSeqStr {
- PRUint32 seqSize;
- NSSGeneralName **generalNames;
-};
diff --git a/security/nss/lib/pki1/manifest.mn b/security/nss/lib/pki1/manifest.mn
deleted file mode 100644
index 8e032d974..000000000
--- a/security/nss/lib/pki1/manifest.mn
+++ /dev/null
@@ -1,63 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
- pki1.h \
- pki1t.h \
- $(NULL)
-
-EXPORTS = \
- oiddata.h \
- nsspki1.h \
- nsspki1t.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- atav.c \
- genname.c \
- gnseq.c \
- name.c \
- oid.c \
- oiddata.c \
- rdn.c \
- rdnseq.c \
- $(NULL)
-
-REQUIRES = security nspr
-
-LIBRARY_NAME = pki1
diff --git a/security/nss/lib/pki1/name.c b/security/nss/lib/pki1/name.c
deleted file mode 100644
index 558e1142f..000000000
--- a/security/nss/lib/pki1/name.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * name.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * Name.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * Name
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- * -- naming data types --
- *
- * Name ::= CHOICE { -- only one possibility for now --
- * rdnSequence RDNSequence }
- *
- * A name is basically a union of the possible names. At the moment,
- * there is only one type of name: an RDNSequence.
- */
-
-struct nssNameStr {
- PRUint32 tagPlaceHolder;
- union {
- NSSRDNSeq *rdnSequence;
- } n;
-};
-
diff --git a/security/nss/lib/pki1/nsspki1.h b/security/nss/lib/pki1/nsspki1.h
deleted file mode 100644
index 3498ab520..000000000
--- a/security/nss/lib/pki1/nsspki1.h
+++ /dev/null
@@ -1,2869 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSPKI1_H
-#define NSSPKI1_H
-
-#ifdef DEBUG
-static const char NSSPKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nsspki1.h
- *
- * This file contains the prototypes of the public NSS routines
- * dealing with the PKIX part-1 definitions.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-#ifndef OIDDATA_H
-#include "oiddata.h"
-#endif /* OIDDATA_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSOID
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSOID_CreateFromBER -- constructor
- * NSSOID_CreateFromUTF8 -- constructor
- * (there is no explicit destructor)
- *
- * NSSOID_GetDEREncoding
- * NSSOID_GetUTF8Encoding
- */
-
-extern const NSSOID *NSS_OID_UNKNOWN;
-
-/*
- * NSSOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID. It may return NSS_OID_UNKNOWN upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromBER
-(
- NSSBER *berOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_BER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string
- * representation of an OID in dotted-number format. The string may
- * optionally begin with an octothorpe. It may return NSS_OID_UNKNOWN
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromUTF8
-(
- NSSUTF8 *stringOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_STRING;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return return null upon error, in
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-NSSOID_GetDEREncoding
-(
- const NSSOID *oid,
- NSSDER *rvOpt,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number
- * encoding of the specified NSSOID. If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return null upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the dotted-digit encoding of
- * this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSOID_GetUTF8Encoding
-(
- const NSSOID *oid,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSATAV_CreateFromBER -- constructor
- * NSSATAV_CreateFromUTF8 -- constructor
- * NSSATAV_Create -- constructor
- *
- * NSSATAV_Destroy
- * NSSATAV_GetDEREncoding
- * NSSATAV_GetUTF8Encoding
- * NSSATAV_GetType
- * NSSATAV_GetValue
- * NSSATAV_Compare
- * NSSATAV_Duplicate
- */
-
-/*
- * NSSATAV_CreateFromBER
- *
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV. If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *derATAV
-);
-
-extern const NSSError NSS_ERROR_INVALID_BER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US." If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringATAV
-);
-
-extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
-extern const NSSError NSS_ERROR_INVALID_STRING;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero,
- * the data is assumed to be terminated by first zero byte; this allows
- * UTF8 strings to be easily specified. This routine may return NULL
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_Create
-(
- NSSArena *arenaOpt,
- const NSSOID *oid,
- const void *data,
- PRUint32 length
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_Destroy
- *
- * This routine will destroy an ATAV object. It should eventually be
- * called on all ATAVs created without an arena. While it is not
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSATAV_Destroy
-(
- NSSATAV *atav
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-
-/*
- * NSSATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSATAV
- */
-
-NSS_EXTERN NSSDER *
-NSSATAV_GetDEREncoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the "equals" encoding of the
- * ATAV
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSATAV_GetUTF8Encoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV. This routine may return NSS_OID_UNKNOWN
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An element of enum NSSOIDenum upon success
- */
-
-NSS_EXTERN const NSSOID *
-NSSATAV_GetType
-(
- NSSATAV *atav
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-
-/*
- * NSSATAV_GetValue
- *
- * This routine returns an NSSItem containing the attribute value
- * in the specified ATAV. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSATAV_GetValue
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_Compare
- *
- * This routine compares two ATAVs for equality. For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute
- * values must have equal length and contents. The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool. This routine may
- * return PR_FAILURE upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSATAV_Compare
-(
- NSSATAV *atav1,
- NSSATAV *atav2,
- PRBool *equalp
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
-
-/*
- * NSSATAV_Duplicate
- *
- * This routine duplicates the specified ATAV. If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL on error
- * A pointer to a new ATAV
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_Duplicate
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSRDN
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSRDN_CreateFromBER -- constructor
- * NSSRDN_CreateFromUTF8 -- constructor
- * NSSRDN_Create -- constructor
- * NSSRDN_CreateSimple -- constructor
- *
- * NSSRDN_Destroy
- * NSSRDN_GetDEREncoding
- * NSSRDN_GetUTF8Encoding
- * NSSRDN_AddATAV
- * NSSRDN_GetATAVCount
- * NSSRDN_GetATAV
- * NSSRDN_GetSimpleATAV
- * NSSRDN_Compare
- * NSSRDN_Duplicate
- */
-
-/*
- * NSSRDN_CreateFromBER
- *
- * This routine creates an NSSRDN by decoding a BER- or DER-encoded
- * RDN. If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berRDN
-);
-
-/*
- * NSSRDN_CreateFromUTF8
- *
- * This routine creates an NSSRDN by decoding an UTF8 string
- * consisting of either a single ATAV in the "equals" format, e.g.,
- * "uid=smith," or one or more such ATAVs in parentheses, e.g.,
- * "(sn=Smith,ou=Sales)." If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringRDN
-);
-
-/*
- * NSSRDN_Create
- *
- * This routine creates an NSSRDN from one or more NSSATAVs. The
- * final argument to this routine must be NULL. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_Create
-(
- NSSArena *arenaOpt,
- NSSATAV *atav1,
- ...
-);
-
-/*
- * NSSRDN_CreateSimple
- *
- * This routine creates a simple NSSRDN from a single NSSATAV. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_CreateSimple
-(
- NSSArena *arenaOpt,
- NSSATAV *atav
-);
-
-/*
- * NSSRDN_Destroy
- *
- * This routine will destroy an RDN object. It should eventually be
- * called on all RDNs created without an arena. While it is not
- * necessary to call it on RDNs created within an arena, it is not an
- * error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- *
- * Return value:
- * PR_FAILURE upon failure
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSRDN_Destroy
-(
- NSSRDN *rdn
-);
-
-/*
- * NSSRDN_GetDEREncoding
- *
- * This routine will DER-encode an RDN object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSRDN
- */
-
-NSS_EXTERN NSSDER *
-NSSRDN_GetDEREncoding
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDN_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the RDN. A simple (one-ATAV) RDN will be simply
- * the string representation of that ATAV; a non-simple RDN will be in
- * parenthesised form. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * null upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSRDN_GetUTF8Encoding
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDN_AddATAV
- *
- * This routine adds an ATAV to the set of ATAVs in the specified RDN.
- * Remember that RDNs consist of an unordered set of ATAVs. If the
- * RDN was created with a non-null arena argument, that same arena
- * will be used for any additional required memory. If the RDN was
- * created with a NULL arena argument, any additional memory will
- * be obtained from the heap. This routine returns a PRStatus value;
- * it will return PR_SUCCESS upon success, and upon failure it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSRDN_AddATAV
-(
- NSSRDN *rdn,
- NSSATAV *atav
-);
-
-/*
- * NSSRDN_GetATAVCount
- *
- * This routine returns the cardinality of the set of ATAVs within
- * the specified RDN. This routine may return 0 upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- *
- * Return value:
- * 0 upon error
- * A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-NSSRDN_GetATAVCount
-(
- NSSRDN *rdn
-);
-
-/*
- * NSSRDN_GetATAV
- *
- * This routine returns a pointer to an ATAV that is a member of
- * the set of ATAVs within the specified RDN. While the set of
- * ATAVs within an RDN is unordered, this routine will return
- * distinct values for distinct values of 'i' as long as the RDN
- * is not changed in any way. The RDN may be changed by calling
- * NSSRDN_AddATAV. The value of the variable 'i' is on the range
- * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
- * The caller owns the ATAV the pointer to which is returned. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-NSSRDN_GetATAV
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt,
- PRUint32 i
-);
-
-/*
- * NSSRDN_GetSimpleATAV
- *
- * Most RDNs are actually very simple, with a single ATAV. This
- * routine will return the single ATAV from such an RDN. The caller
- * owns the ATAV the pointer to which is returned. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, including the case where
- * the set of ATAVs in the RDN is nonsingular. Upon error, this
- * routine will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_RDN_NOT_SIMPLE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-NSSRDN_GetSimpleATAV
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDN_Compare
- *
- * This routine compares two RDNs for equality. For two RDNs to be
- * equal, they must have the same number of ATAVs, and every ATAV in
- * one must be equal to an ATAV in the other. (Note that the sets
- * of ATAVs are unordered.) The result of the comparison will be
- * stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool. This routine may return PR_FAILURE
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSRDN_Compare
-(
- NSSRDN *rdn1,
- NSSRDN *rdn2,
- PRBool *equalp
-);
-
-/*
- * NSSRDN_Duplicate
- *
- * This routine duplicates the specified RDN. If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL on error
- * A pointer to a new RDN
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_Duplicate
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSRDNSeq_CreateFromBER -- constructor
- * NSSRDNSeq_CreateFromUTF8 -- constructor
- * NSSRDNSeq_Create -- constructor
- *
- * NSSRDNSeq_Destroy
- * NSSRDNSeq_GetDEREncoding
- * NSSRDNSeq_GetUTF8Encoding
- * NSSRDNSeq_AppendRDN
- * NSSRDNSeq_GetRDNCount
- * NSSRDNSeq_GetRDN
- * NSSRDNSeq_Compare
- * NSSRDNSeq_Duplicate
- */
-
-/*
- * NSSRDNSeq_CreateFromBER
- *
- * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded
- * sequence of RDNs. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berRDNSeq
-);
-
-/*
- * NSSRDNSeq_CreateFromUTF8
- *
- * This routine creates an NSSRDNSeq by decoding a UTF8 string
- * consisting of a comma-separated sequence of RDNs, such as
- * "(sn=Smith,ou=Sales),o=Acme,c=US." If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringRDNSeq
-);
-
-/*
- * NSSRDNSeq_Create
- *
- * This routine creates an NSSRDNSeq from one or more NSSRDNs. The
- * final argument to this routine must be NULL. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_RDN
- *
- * Return value:
- * NULL upon error
- * A pointero to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_Create
-(
- NSSArena *arenaOpt,
- NSSRDN *rdn1,
- ...
-);
-
-/*
- * NSSRDNSeq_Destroy
- *
- * This routine will destroy an RDNSeq object. It should eventually
- * be called on all RDNSeqs created without an arena. While it is not
- * necessary to call it on RDNSeqs created within an arena, it is not
- * an error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSRDNSeq_Destroy
-(
- NSSRDNSeq *rdnseq
-);
-
-/*
- * NSSRDNSeq_GetDEREncoding
- *
- * This routine will DER-encode an RDNSeq object. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSRDNSeq
- */
-
-NSS_EXTERN NSSDER *
-NSSRDNSeq_GetDEREncoding
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the RDNSeq as a comma-separated sequence of RDNs.
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSRDNSeq_GetUTF8Encoding
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq_AppendRDN
- *
- * This routine appends an RDN to the end of the existing RDN
- * sequence. If the RDNSeq was created with a non-null arena
- * argument, that same arena will be used for any additional required
- * memory. If the RDNSeq was created with a NULL arena argument, any
- * additional memory will be obtained from the heap. This routine
- * returns a PRStatus value; it will return PR_SUCCESS upon success,
- * and upon failure it will create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSRDNSeq_AppendRDN
-(
- NSSRDNSeq *rdnseq,
- NSSRDN *rdn
-);
-
-/*
- * NSSRDNSeq_GetRDNCount
- *
- * This routine returns the cardinality of the sequence of RDNs within
- * the specified RDNSeq. This routine may return 0 upon error, in
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- * 0 upon error
- * A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-NSSRDNSeq_GetRDNCount
-(
- NSSRDNSeq *rdnseq
-);
-
-/*
- * NSSRDNSeq_GetRDN
- *
- * This routine returns a pointer to the i'th RDN in the sequence of
- * RDNs that make up the specified RDNSeq. The sequence begins with
- * the top-level (e.g., "c=US") RDN. The value of the variable 'i'
- * is on the range [0,c) where c is the cardinality returned from
- * NSSRDNSeq_GetRDNCount. The caller owns the RDN the pointer to which
- * is returned. If the optional arena argument is non-null, the memory
- * used will be obtained from that areana; otherwise, the memory will
- * be obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack. Note that the
- * usual string representation of RDN Sequences is from last to first.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRDN
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDNSeq_GetRDN
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt,
- PRUint32 i
-);
-
-/*
- * NSSRDNSeq_Compare
- *
- * This routine compares two RDNSeqs for equality. For two RDNSeqs to
- * be equal, they must have the same number of RDNs, and each RDN in
- * one sequence must be equal to the corresponding RDN in the other
- * sequence. The result of the comparison will be stored at the
- * location pointed to by the "equalp" variable, which must point to a
- * valid PRBool. This routine may return PR_FAILURE upon error, in
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSRDNSeq_Compare
-(
- NSSRDNSeq *rdnseq1,
- NSSRDNSeq *rdnseq2,
- PRBool *equalp
-);
-
-/*
- * NSSRDNSeq_Duplicate
- *
- * This routine duplicates the specified RDNSeq. If the optional arena
- * argument is non-null, the memory required will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new RDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_Duplicate
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSName_CreateFromBER -- constructor
- * NSSName_CreateFromUTF8 -- constructor
- * NSSName_Create -- constructor
- *
- * NSSName_Destroy
- * NSSName_GetDEREncoding
- * NSSName_GetUTF8Encoding
- * NSSName_GetChoice
- * NSSName_GetRDNSequence
- * NSSName_GetSpecifiedChoice
- * NSSName_Compare
- * NSSName_Duplicate
- *
- * NSSName_GetUID
- * NSSName_GetEmail
- * NSSName_GetCommonName
- * NSSName_GetOrganization
- * NSSName_GetOrganizationalUnits
- * NSSName_GetStateOrProvince
- * NSSName_GetLocality
- * NSSName_GetCountry
- * NSSName_GetAttribute
- */
-
-/*
- * NSSName_CreateFromBER
- *
- * This routine creates an NSSName by decoding a BER- or DER-encoded
- * (directory) Name. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may
- * return NULL upon error, in which case it will have created an error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-NSSName_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berName
-);
-
-/*
- * NSSName_CreateFromUTF8
- *
- * This routine creates an NSSName by decoding a UTF8 string
- * consisting of the string representation of one of the choices of
- * (directory) names. Currently the only choice is an RDNSeq. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. The routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-NSSName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringName
-);
-
-/*
- * NSSName_Create
- *
- * This routine creates an NSSName with the specified choice of
- * underlying name types. The value of the choice variable must be
- * one of the values of the NSSNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- * Choice Type
- * ======================== ===========
- * NSSNameChoiceRdnSequence NSSRDNSeq *
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-NSSName_Create
-(
- NSSArena *arenaOpt,
- NSSNameChoice choice,
- void *arg
-);
-
-/*
- * NSSName_Destroy
- *
- * This routine will destroy a Name object. It should eventually be
- * called on all Names created without an arena. While it is not
- * necessary to call it on Names created within an arena, it is not
- * an error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSName_Destroy
-(
- NSSName *name
-);
-
-/*
- * NSSName_GetDEREncoding
- *
- * This routine will DER-encode a name object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSName
- */
-
-NSS_EXTERN NSSDER *
-NSSName_GetDEREncoding
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the Name in the format specified by the
- * underlying name choice. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSName_GetUTF8Encoding
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetChoice
- *
- * This routine returns the type of the choice underlying the specified
- * name. The return value will be a member of the NSSNameChoice
- * enumeration. This routine may return NSSNameChoiceInvalid upon
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- *
- * Return value:
- * NSSNameChoiceInvalid upon error
- * An other member of the NSSNameChoice enumeration upon success
- */
-
-NSS_EXTERN NSSNameChoice
-NSSName_GetChoice
-(
- NSSName *name
-);
-
-/*
- * NSSName_GetRDNSequence
- *
- * If the choice underlying the specified NSSName is that of an
- * RDNSequence, this routine will return a pointer to that RDN
- * sequence. Otherwise, this routine will place an error on the
- * error stack, and return NULL. If the optional arena argument is
- * non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. The
- * caller owns the returned pointer. This routine may return NULL
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSName_GetRDNSequence
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSName matches the specified
- * choice, a caller-owned pointer to that underlying object will be
- * returned. Otherwise, an error will be placed on the error stack and
- * NULL will be returned. If the optional arena argument is non-null,
- * the memory required will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-NSSName_GetSpecifiedChoice
-(
- NSSName *name,
- NSSNameChoice choice,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_Compare
- *
- * This routine compares two Names for equality. For two Names to be
- * equal, they must have the same choice of underlying types, and the
- * underlying values must be equal. The result of the comparison will
- * be stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool. This routine may return PR_FAILURE
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSName_Compare
-(
- NSSName *name1,
- NSSName *name2,
- PRBool *equalp
-);
-
-/*
- * NSSName_Duplicate
- *
- * This routine duplicates the specified nssname. If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new NSSName
- */
-
-NSS_EXTERN NSSName *
-NSSName_Duplicate
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished
- * Names containing a UID attribute, the UID will be the value of
- * that attribute. Note that no UID attribute is defined in either
- * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which
- * defines the type as a caseIgnoreString. We'll return a Directory
- * String. If the optional arena argument is non-null, the memory
- * used will be obtained from that arena; otherwise, the memory will
- * be obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_UID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetUID
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished
- * Names containing either a PKIX email address or a PKCS#9 email
- * address, the result will be the value of that attribute. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_EMAIL
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
-NSSName_GetEmail
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a PKIX Common Name, the result will be that name. If
- * the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetCommonName
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified name, if the choices and content of the name permit.
- * If Name consists of a Sequence of Relative Distinguished names
- * containing a PKIX Organization, the result will be the value of
- * that attribute. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. This routine may return NULL upon
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_ORGANIZATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetOrganization
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational
- * unit names from the specified name, if the choices and content of
- * the name permit. If the Name consists of a Sequence of Relative
- * Distinguished Names containing one or more organisational units,
- * the result will be the values of those attributes. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-NSSName_GetOrganizationalUnits
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from
- * the specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a state or province, the result will be the value of
- * that attribute. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. This routine may return NULL upon
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_STATE_OR_PROVINCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetStateOrProvince
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetLocality
- *
- * This routine will attempt to derive a locality name from the
- * specified name, if the choices and content of the name permit. If
- * the Name consists of a Sequence of Relative Distinguished names
- * containing a Locality, the result will be the value of that
- * attribute. If the optional arena argument is non-null, the memory
- * used will be obtained from that arena; otherwise, the memory will
- * be obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_LOCALITY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetLocality
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetCountry
- *
- * This routine will attempt to derive a country name from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished
- * Names containing a Country, the result will be the value of
- * that attribute.. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may
- * return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_COUNTRY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-NSSName_GetCountry
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetAttribute
- *
- * If the specified name consists of a Sequence of Relative
- * Distinguished Names containing an attribute with the specified
- * type, and the actual value of that attribute may be expressed
- * with a Directory String, then the value of that attribute will
- * be returned as a Directory String. If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_ATTRIBUTE
- * NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetAttribute
-(
- NSSName *name,
- NSSOID *attribute,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSGeneralName_CreateFromBER -- constructor
- * NSSGeneralName_CreateFromUTF8 -- constructor
- * NSSGeneralName_Create -- constructor
- *
- * NSSGeneralName_Destroy
- * NSSGeneralName_GetDEREncoding
- * NSSGeneralName_GetUTF8Encoding
- * NSSGeneralName_GetChoice
- * NSSGeneralName_GetOtherName
- * NSSGeneralName_GetRfc822Name
- * NSSGeneralName_GetDNSName
- * NSSGeneralName_GetX400Address
- * NSSGeneralName_GetDirectoryName
- * NSSGeneralName_GetEdiPartyName
- * NSSGeneralName_GetUniformResourceIdentifier
- * NSSGeneralName_GetIPAddress
- * NSSGeneralName_GetRegisteredID
- * NSSGeneralName_GetSpecifiedChoice
- * NSSGeneralName_Compare
- * NSSGeneralName_Duplicate
- *
- * NSSGeneralName_GetUID
- * NSSGeneralName_GetEmail
- * NSSGeneralName_GetCommonName
- * NSSGeneralName_GetOrganization
- * NSSGeneralName_GetOrganizationalUnits
- * NSSGeneralName_GetStateOrProvince
- * NSSGeneralName_GetLocality
- * NSSGeneralName_GetCountry
- * NSSGeneralName_GetAttribute
- */
-
-/*
- * NSSGeneralName_CreateFromBER
- *
- * This routine creates an NSSGeneralName by decoding a BER- or DER-
- * encoded general name. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berGeneralName
-);
-
-/*
- * NSSGeneralName_CreateFromUTF8
- *
- * This routine creates an NSSGeneralName by decoding a UTF8 string
- * consisting of the string representation of one of the choices of
- * general names. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The routine may return NULL upon
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringGeneralName
-);
-
-/*
- * NSSGeneralName_Create
- *
- * This routine creates an NSSGeneralName with the specified choice of
- * underlying name types. The value of the choice variable must be one
- * of the values of the NSSGeneralNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- * Choice Type
- * ============================================ =========
- * NSSGeneralNameChoiceOtherName
- * NSSGeneralNameChoiceRfc822Name
- * NSSGeneralNameChoiceDNSName
- * NSSGeneralNameChoiceX400Address
- * NSSGeneralNameChoiceDirectoryName NSSName *
- * NSSGeneralNameChoiceEdiPartyName
- * NSSGeneralNameChoiceUniformResourceIdentifier
- * NSSGeneralNameChoiceIPAddress
- * NSSGeneralNameChoiceRegisteredID
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one fo the following values:
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_Create
-(
- NSSGeneralNameChoice choice,
- void *arg
-);
-
-/*
- * NSSGeneralName_Destroy
- *
- * This routine will destroy a General Name object. It should
- * eventually be called on all General Names created without an arena.
- * While it is not necessary to call it on General Names created within
- * an arena, it is not an error to do so. This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If
- * usuccessful, it will create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- * PR_FAILURE upon failure
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralName_Destroy
-(
- NSSGeneralName *generalName
-);
-
-/*
- * NSSGeneralName_GetDEREncoding
- *
- * This routine will DER-encode a name object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSGeneralName
- */
-
-NSS_EXTERN NSSDER *
-NSSGeneralName_GetDEREncoding
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the General Name in the format specified by the
- * underlying name choice. If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSGeneralName_GetUTF8Encoding
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetChoice
- *
- * This routine returns the type of choice underlying the specified
- * general name. The return value will be a member of the
- * NSSGeneralNameChoice enumeration. This routine may return
- * NSSGeneralNameChoiceInvalid upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- * NSSGeneralNameChoiceInvalid upon error
- * An other member of the NSSGeneralNameChoice enumeration
- */
-
-NSS_EXTERN NSSGeneralNameChoice
-NSSGeneralName_GetChoice
-(
- NSSGeneralName *generalName
-);
-
-/*
- * NSSGeneralName_GetOtherName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * Other Name, this routine will return a pointer to that Other name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSOtherName
- */
-
-NSS_EXTERN NSSOtherName *
-NSSGeneralName_GetOtherName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetRfc822Name
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * RFC 822 Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRFC822Name
- */
-
-NSS_EXTERN NSSRFC822Name *
-NSSGeneralName_GetRfc822Name
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetDNSName
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * DNS Name, this routine will return a pointer to that DNS name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSDNSName
- */
-
-NSS_EXTERN NSSDNSName *
-NSSGeneralName_GetDNSName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetX400Address
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * X.400 Address, this routine will return a pointer to that Address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSX400Address
- */
-
-NSS_EXTERN NSSX400Address *
-NSSGeneralName_GetX400Address
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetDirectoryName
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * (directory) Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSName
- */
-
-NSS_EXTERN NSSName *
-NSSGeneralName_GetName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetEdiPartyName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * EDI Party Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSEdiPartyName
- */
-
-NSS_EXTERN NSSEdiPartyName *
-NSSGeneralName_GetEdiPartyName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetUniformResourceIdentifier
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * URI, this routine will return a pointer to that URI.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSURI
- */
-
-NSS_EXTERN NSSURI *
-NSSGeneralName_GetUniformResourceIdentifier
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetIPAddress
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * IP Address , this routine will return a pointer to that address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSIPAddress
- */
-
-NSS_EXTERN NSSIPAddress *
-NSSGeneralName_GetIPAddress
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetRegisteredID
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * Registered ID, this routine will return a pointer to that ID.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRegisteredID
- */
-
-NSS_EXTERN NSSRegisteredID *
-NSSGeneralName_GetRegisteredID
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSGeneralName matches the
- * specified choice, a caller-owned pointer to that underlying object
- * will be returned. Otherwise, an error will be placed on the error
- * stack and NULL will be returned. If the optional arena argument
- * is non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. The caller
- * owns the returned pointer. This routine may return NULL upon
- * error, in which caes it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-NSSGeneralName_GetSpecifiedChoice
-(
- NSSGeneralName *generalName,
- NSSGeneralNameChoice choice,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_Compare
- *
- * This routine compares two General Names for equality. For two
- * General Names to be equal, they must have the same choice of
- * underlying types, and the underlying values must be equal. The
- * result of the comparison will be stored at the location pointed
- * to by the "equalp" variable, which must point to a valid PRBool.
- * This routine may return PR_FAILURE upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following value:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralName_Compare
-(
- NSSGeneralName *generalName1,
- NSSGeneralName *generalName2,
- PRBool *equalp
-);
-
-/*
- * NSSGeneralName_Duplicate
- *
- * This routine duplicates the specified General Name. If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap. This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new NSSGeneralName
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_Duplicate
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished Names containing a UID
- * attribute, the UID will be the value of that attribute. Note
- * that no UID attribute is defined in either PKIX or PKCS#9;
- * rather, this seems to derive from RFC 1274, which defines the
- * type as a caseIgnoreString. We'll return a Directory String.
- * If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_UID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetUID
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing either
- * a PKIX email address or a PKCS#9 email address, the result will
- * be the value of that attribute. If the General Name is an RFC 822
- * Name, the result will be the string form of that name. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_EMAIL
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
-NSSGeneralName_GetEmail
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a PKIX
- * Common Name, the result will be that name. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetCommonName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing an
- * Organization, the result will be the value of that attribute.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_ORGANIZATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetOrganization
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational
- * unit names from the specified general name, if the choices and
- * content of the name permit. If the General Name is a (directory)
- * Name consisting of a Sequence of Relative Distinguished names
- * containing one or more organisational units, the result will
- * consist of those units. If the optional arena argument is non-
- * null, the memory used will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-NSSGeneralName_GetOrganizationalUnits
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from
- * the specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a state or
- * province, the result will be the value of that attribute. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_STATE_OR_PROVINCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetStateOrProvince
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetLocality
- *
- * This routine will attempt to derive a locality name from
- * the specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a Locality,
- * the result will be the value of that attribute. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_LOCALITY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetLocality
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetCountry
- *
- * This routine will attempt to derive a country name from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting of a
- * Sequence of Relative Distinguished names containing a Country, the
- * result will be the value of that attribute. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_COUNTRY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-NSSGeneralName_GetCountry
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetAttribute
- *
- * If the specified general name is a (directory) name consisting
- * of a Sequence of Relative Distinguished Names containing an
- * attribute with the specified type, and the actual value of that
- * attribute may be expressed with a Directory String, then the
- * value of that attribute will be returned as a Directory String.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_ATTRIBUTE
- * NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetAttribute
-(
- NSSGeneralName *generalName,
- NSSOID *attribute,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralNameSeq
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSGeneralNameSeq_CreateFromBER -- constructor
- * NSSGeneralNameSeq_Create -- constructor
- *
- * NSSGeneralNameSeq_Destroy
- * NSSGeneralNameSeq_GetDEREncoding
- * NSSGeneralNameSeq_AppendGeneralName
- * NSSGeneralNameSeq_GetGeneralNameCount
- * NSSGeneralNameSeq_GetGeneralName
- * NSSGeneralNameSeq_Compare
- * NSSGeneralnameSeq_Duplicate
- */
-
-/*
- * NSSGeneralNameSeq_CreateFromBER
- *
- * This routine creates a general name sequence by decoding a BER-
- * or DER-encoded GeneralNames. If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-NSSGeneralNameSeq_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berGeneralNameSeq
-);
-
-/*
- * NSSGeneralNameSeq_Create
- *
- * This routine creates an NSSGeneralNameSeq from one or more General
- * Names. The final argument to this routine must be NULL. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-NSSGeneralNameSeq_Create
-(
- NSSArena *arenaOpt,
- NSSGeneralName *generalName1,
- ...
-);
-
-/*
- * NSSGeneralNameSeq_Destroy
- *
- * This routine will destroy an NSSGeneralNameSeq object. It should
- * eventually be called on all NSSGeneralNameSeqs created without an
- * arena. While it is not necessary to call it on NSSGeneralNameSeq's
- * created within an arena, it is not an error to do so. This routine
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralNameSeq_Destroy
-(
- NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * NSSGeneralNameSeq_GetDEREncoding
- *
- * This routine will DER-encode an NSSGeneralNameSeq object. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSGeneralNameSeq
- */
-
-NSS_EXTERN NSSDER *
-NSSGeneralNameSeq_GetDEREncoding
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralNameSeq_AppendGeneralName
- *
- * This routine appends a General Name to the end of the existing
- * General Name Sequence. If the sequence was created with a non-null
- * arena argument, that same arena will be used for any additional
- * required memory. If the sequence was created with a NULL arena
- * argument, any additional memory will be obtained from the heap.
- * This routine returns a PRStatus value; it will return PR_SUCCESS
- * upon success, and upon failure it will create an error stack and
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure.
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralNameSeq_AppendGeneralName
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSGeneralName *generalName
-);
-
-/*
- * NSSGeneralNameSeq_GetGeneralNameCount
- *
- * This routine returns the cardinality of the specified General name
- * Sequence. This routine may return 0 upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value;
- * 0 upon error
- * A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-NSSGeneralNameSeq_GetGeneralNameCount
-(
- NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * NSSGeneralNameSeq_GetGeneralName
- *
- * This routine returns a pointer to the i'th General Name in the
- * specified General Name Sequence. The value of the variable 'i' is
- * on the range [0,c) where c is the cardinality returned from
- * NSSGeneralNameSeq_GetGeneralNameCount. The caller owns the General
- * Name the pointer to which is returned. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to a General Name.
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralNameSeq_GetGeneralName
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSArena *arenaOpt,
- PRUint32 i
-);
-
-/*
- * NSSGeneralNameSeq_Compare
- *
- * This routine compares two General Name Sequences for equality. For
- * two General Name Sequences to be equal, they must have the same
- * cardinality, and each General Name in one sequence must be equal to
- * the corresponding General Name in the other. The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool. This routine may
- * return PR_FAILURE upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralNameSeq_Compare
-(
- NSSGeneralNameSeq *generalNameSeq1,
- NSSGeneralNameSeq *generalNameSeq2,
- PRBool *equalp
-);
-
-/*
- * NSSGeneralNameSeq_Duplicate
- *
- * This routine duplicates the specified sequence of general names. If
- * the optional arena argument is non-null, the memory required will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new General Name Sequence.
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-NSSGeneralNameSeq_Duplicate
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSArena *arenaOpt
-);
-
-PR_END_EXTERN_C
-
-#endif /* NSSPT1M_H */
diff --git a/security/nss/lib/pki1/nsspki1t.h b/security/nss/lib/pki1/nsspki1t.h
deleted file mode 100644
index 8765a3ad3..000000000
--- a/security/nss/lib/pki1/nsspki1t.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSPKI1T_H
-#define NSSPKI1T_H
-
-#ifdef DEBUG
-static const char NSSPKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nsspki1t.h
- *
- * This file contains the public type definitions for the PKIX part-1
- * objects.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * OBJECT IDENTIFIER
- *
- * This is the basic OID that crops up everywhere.
- */
-
-struct NSSOIDStr;
-typedef struct NSSOIDStr NSSOID;
-
-/*
- * AttributeTypeAndValue
- *
- * This structure contains an attribute type (indicated by an OID),
- * and the type-specific value. RelativeDistinguishedNamess consist
- * of a set of these. These are distinct from Attributes (which have
- * SET of values), from AttributeDescriptions (which have qualifiers
- * on the types), and from AttributeValueAssertions (which assert a
- * a value comparison under some matching rule).
- */
-
-struct NSSATAVStr;
-typedef struct NSSATAVStr NSSATAV;
-
-/*
- * RelativeDistinguishedName
- *
- * This structure contains an unordered set of AttributeTypeAndValue
- * objects. RDNs are used to distinguish a set of objects underneath
- * a common object.
- *
- * Often, a single ATAV is sufficient to make a unique distinction.
- * For example, if a company assigns its people unique uid values,
- * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
- * ATAV by itself forms an RDN. However, sometimes a set of ATAVs is
- * needed. For example, if a company needed to distinguish between
- * two Smiths by specifying their corporate divisions, then in the
- * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
- * set of ATAVs forms the RDN.
- */
-
-struct NSSRDNStr;
-typedef struct NSSRDNStr NSSRDN;
-
-/*
- * RDNSequence
- *
- * This structure contains a sequence of RelativeDistinguishedName
- * objects.
- */
-
-struct NSSRDNSeqStr;
-typedef struct NSSRDNSeqStr NSSRDNSeq;
-
-/*
- * Name
- *
- * This structure contains a union of the possible name formats,
- * which at the moment is limited to an RDNSequence.
- */
-
-struct NSSNameStr;
-typedef struct NSSNameStr NSSName;
-
-/*
- * NameChoice
- *
- * This enumeration is used to specify choice within a name.
- */
-
-enum NSSNameChoiceEnum {
- NSSNameChoiceInvalid = -1,
- NSSNameChoiceRdnSequence
-};
-typedef enum NSSNameChoiceEnum NSSNameChoice;
-
-/*
- * GeneralName
- *
- * This structure contains a union of the possible general names,
- * of which there are several.
- */
-
-struct NSSGeneralNameStr;
-typedef struct NSSGeneralNameStr NSSGeneralName;
-
-/*
- * GeneralNameChoice
- *
- * This enumerates the possible general name types.
- */
-
-enum NSSGeneralNameChoiceEnum {
- NSSGeneralNameChoiceInvalid = -1,
- NSSGeneralNameChoiceOtherName = 0,
- NSSGeneralNameChoiceRfc822Name = 1,
- NSSGeneralNameChoiceDNSName = 2,
- NSSGeneralNameChoiceX400Address = 3,
- NSSGeneralNameChoiceDirectoryName = 4,
- NSSGeneralNameChoiceEdiPartyName = 5,
- NSSGeneralNameChoiceUniformResourceIdentifier = 6,
- NSSGeneralNameChoiceIPAddress = 7,
- NSSGeneralNameChoiceRegisteredID = 8
-};
-typedef enum NSSGeneralNameChoiceEnum NSSGeneralNameChoice;
-
-/*
- * The "other" types of general names.
- */
-
-struct NSSOtherNameStr;
-typedef struct NSSOtherNameStr NSSOtherName;
-
-struct NSSRFC822NameStr;
-typedef struct NSSRFC822NameStr NSSRFC822Name;
-
-struct NSSDNSNameStr;
-typedef struct NSSDNSNameStr NSSDNSName;
-
-struct NSSX400AddressStr;
-typedef struct NSSX400AddressStr NSSX400Address;
-
-struct NSSEdiPartyNameStr;
-typedef struct NSSEdiPartyNameStr NSSEdiPartyName;
-
-struct NSSURIStr;
-typedef struct NSSURIStr NSSURI;
-
-struct NSSIPAddressStr;
-typedef struct NSSIPAddressStr NSSIPAddress;
-
-struct NSSRegisteredIDStr;
-typedef struct NSSRegisteredIDStr NSSRegisteredID;
-
-/*
- * GeneralNameSeq
- *
- * This structure contains a sequence of GeneralName objects.
- * Note that the PKIX documents refer to this as "GeneralNames,"
- * which differs from "GeneralName" by only one letter. To
- * try to reduce confusion, we expand the name slightly to
- * "GeneralNameSeq."
- */
-
-struct NSSGeneralNameSeqStr;
-typedef struct NSSGeneralNameSeqStr NSSGeneralNameSeq;
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKI1T_H */
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
deleted file mode 100644
index c4028a803..000000000
--- a/security/nss/lib/pki1/oid.c
+++ /dev/null
@@ -1,1615 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * oid.c
- *
- * This file contains the implementation of the basic OID routines.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-#include "plhash.h"
-#include "plstr.h"
-
-/*
- * NSSOID
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSOID_CreateFromBER -- constructor
- * NSSOID_CreateFromUTF8 -- constructor
- * (there is no explicit destructor)
- *
- * NSSOID_GetDEREncoding
- * NSSOID_GetUTF8Encoding
-
- * The non-public "methods" regarding this "object" are:
- *
- * nssOID_CreateFromBER -- constructor
- * nssOID_CreateFromUTF8 -- constructor
- * (there is no explicit destructor)
- *
- * nssOID_GetDEREncoding
- * nssOID_GetUTF8Encoding
- *
- * In debug builds, the following non-public calls are also available:
- *
- * nssOID_verifyPointer
- * nssOID_getExplanation
- * nssOID_getTaggedUTF8
- */
-
-const NSSOID *NSS_OID_UNKNOWN = (NSSOID *)NULL;
-
-/*
- * First, the public "wrappers"
- */
-
-/*
- * NSSOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID. It may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromBER
-(
- NSSBER *berOid
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- /*
- * NSSBERs can be created by the user,
- * so no pointer-tracking can be checked.
- */
-
- if( (NSSBER *)NULL == berOid ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSOID *)NULL;
- }
-
- if( (void *)NULL == berOid->data ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSOID *)NULL;
- }
-#endif /* DEBUG */
-
- return nssOID_CreateFromBER(berOid);
-}
-
-/*
- * NSSOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string
- * representation of an OID in dotted-number format. The string may
- * optionally begin with an octothorpe. It may return NULL
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromUTF8
-(
- NSSUTF8 *stringOid
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- /*
- * NSSUTF8s can be created by the user,
- * so no pointer-tracking can be checked.
- */
-
- if( (NSSUTF8 *)NULL == stringOid ) {
- nss_SetError(NSS_ERROR_INVALID_UTF8);
- return (NSSOID *)NULL;
- }
-#endif /* DEBUG */
-
- return nssOID_CreateFromUTF8(stringOid);
-}
-
-/*
- * NSSOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return return null upon error, in
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-NSSOID_GetDEREncoding
-(
- const NSSOID *oid,
- NSSDER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSDER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssOID_GetDEREncoding(oid, rvOpt, arenaOpt);
-}
-
-/*
- * NSSOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number
- * encoding of the specified NSSOID. If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return null upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the dotted-digit encoding of
- * this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSOID_GetUTF8Encoding
-(
- const NSSOID *oid,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssOID_GetUTF8Encoding(oid, arenaOpt);
-}
-
-/*
- * Next, some internal bookkeeping; including the OID "tag" table
- * and the debug-version pointer tracker.
- */
-
-/*
- * For implementation reasons (so NSSOIDs can be compared with ==),
- * we hash all NSSOIDs. This is the hash table.
- */
-
-static PLHashTable *oid_hash_table;
-
-/*
- * And this is its lock.
- */
-
-static PRLock *oid_hash_lock;
-
-/*
- * This is the hash function. We simply XOR the encoded form with
- * itself in sizeof(PLHashNumber)-byte chunks. Improving this
- * routine is left as an excercise for the more mathematically
- * inclined student.
- */
-
-static PR_CALLBACK PLHashNumber
-oid_hash
-(
- const void *key
-)
-{
- const NSSItem *item = (const NSSItem *)key;
- PLHashNumber rv = 0;
-
- PRUint8 *data = (PRUint8 *)item->data;
- PRUint32 i;
- PRUint8 *rvc = (PRUint8 *)&rv;
-
- for( i = 0; i < item->size; i++ ) {
- rvc[ i % sizeof(rv) ] ^= *data;
- data++;
- }
-
- return rv;
-}
-
-/*
- * This is the key-compare function. It simply does a lexical
- * comparison on the encoded OID form. This does not result in
- * quite the same ordering as the "sequence of numbers" order,
- * but heck it's only used internally by the hash table anyway.
- */
-
-static PR_CALLBACK PRIntn
-oid_hash_compare
-(
- const void *k1,
- const void *k2
-)
-{
- PRIntn rv;
-
- const NSSItem *i1 = (const NSSItem *)k1;
- const NSSItem *i2 = (const NSSItem *)k2;
-
- PRUint32 size = (i1->size < i2->size) ? i1->size : i2->size;
-
- rv = (PRIntn)nsslibc_memcmp(i1->data, i2->data, size, (PRStatus *)NULL);
- if( 0 == rv ) {
- rv = i1->size - i2->size;
- }
-
- return !rv;
-}
-
-/*
- * The pointer-tracking code
- */
-
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker oid_pointer_tracker;
-
-static PRStatus
-oid_add_pointer
-(
- const NSSOID *oid
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&oid_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&oid_pointer_tracker, oid);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-#if defined(CAN_DELETE_OIDS)
-/*
- * We actually don't define NSSOID deletion, since we keep OIDs
- * in a hash table for easy comparison. Were we to, this is
- * what the pointer-removal function would look like.
- */
-
-static PRStatus
-oid_remove_pointer
-(
- const NSSOID *oid
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&oid_pointer_tracker, oid);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-#endif /* CAN_DELETE_OIDS */
-
-#endif /* DEBUG */
-
-/*
- * All dynamically-added OIDs get their memory from one statically-
- * declared arena here, merely so that any cleanup code will have
- * an easier time of it.
- */
-
-static NSSArena *oid_arena;
-
-/*
- * This is the call-once function which initializes the hashtable.
- * It creates it, then prepopulates it with all of the builtin OIDs.
- * It also creates the aforementioned NSSArena.
- */
-
-static PR_CALLBACK PRStatus
-oid_once_func
-(
- void
-)
-{
- PRUint32 i;
-
- /* Initialize the arena */
- oid_arena = nssArena_Create();
- if( (NSSArena *)NULL == oid_arena ) {
- goto loser;
- }
-
- /* Create the hash table lock */
- oid_hash_lock = PR_NewLock();
- if( (PRLock *)NULL == oid_hash_lock ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* Create the hash table */
- oid_hash_table = PL_NewHashTable(0, oid_hash, oid_hash_compare,
- PL_CompareValues,
- (PLHashAllocOps *)0,
- (void *)0);
- if( (PLHashTable *)NULL == oid_hash_table ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /* And populate it with all the builtins */
- for( i = 0; i < nss_builtin_oid_count; i++ ) {
- NSSOID *oid = (NSSOID *)&nss_builtin_oids[i];
- PLHashEntry *e = PL_HashTableAdd(oid_hash_table, &oid->data, oid);
- if( (PLHashEntry *)NULL == e ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- goto loser;
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != oid_add_pointer(oid) ) {
- goto loser;
- }
-#endif /* DEBUG */
- }
-
- return PR_SUCCESS;
-
- loser:
- if( (PLHashTable *)NULL != oid_hash_table ) {
- PL_HashTableDestroy(oid_hash_table);
- oid_hash_table = (PLHashTable *)NULL;
- }
-
- if( (PRLock *)NULL != oid_hash_lock ) {
- PR_DestroyLock(oid_hash_lock);
- oid_hash_lock = (PRLock *)NULL;
- }
-
- if( (NSSArena *)NULL != oid_arena ) {
- (void)nssArena_Destroy(oid_arena);
- oid_arena = (NSSArena *)NULL;
- }
-
- return PR_FAILURE;
-}
-
-/*
- * This is NSPR's once-block.
- */
-
-static PRCallOnceType oid_call_once;
-
-/*
- * And this is our multiply-callable internal init routine, which
- * will call-once our call-once function.
- */
-
-static PRStatus
-oid_init
-(
- void
-)
-{
- return PR_CallOnce(&oid_call_once, oid_once_func);
-}
-
-#ifdef DEBUG
-
-/*
- * nssOID_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSOID object,
- * this routine will return PR_SUCCESS. Otherwise, it will put an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssOID_verifyPointer
-(
- const NSSOID *oid
-)
-{
- PRStatus rv;
-
- rv = oid_init();
- if( PR_SUCCESS != rv ) {
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_initialize(&oid_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&oid_pointer_tracker, oid);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_NSSOID);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-/*
- * oid_sanity_check_ber
- *
- * This routine merely applies some sanity-checking to the BER-encoded
- * OID.
- */
-
-static PRStatus
-oid_sanity_check_ber
-(
- NSSBER *berOid
-)
-{
- PRUint32 i;
- PRUint8 *data = (PRUint8 *)berOid->data;
-
- /*
- * The size must be longer than zero bytes.
- */
-
- if( berOid->size <= 0 ) {
- return PR_FAILURE;
- }
-
- /*
- * In general, we can't preclude any number from showing up
- * someday. We could probably guess that top-level numbers
- * won't get very big (beyond the current ccitt(0), iso(1),
- * or joint-ccitt-iso(2)). However, keep in mind that the
- * encoding rules wrap the first two numbers together, as
- *
- * (first * 40) + second
- *
- * Also, it is noted in the specs that this implies that the
- * second number won't go above forty.
- *
- * 128 encodes 3.8, which seems pretty safe for now. Let's
- * check that the first byte is less than that.
- *
- * XXX This is a "soft check" -- we may want to exclude it.
- */
-
- if( data[0] >= 0x80 ) {
- return PR_FAILURE;
- }
-
- /*
- * In a normalised format, leading 0x80s will never show up.
- * This means that no 0x80 will be preceeded by the final
- * byte of a sequence, which would naturaly be less than 0x80.
- * Our internal encoding for the single-digit OIDs uses 0x80,
- * but the only places we use them (loading the builtin table,
- * and adding a UTF8-encoded OID) bypass this check.
- */
-
- for( i = 1; i < berOid->size; i++ ) {
- if( (0x80 == data[i]) && (data[i-1] < 0x80) ) {
- return PR_FAILURE;
- }
- }
-
- /*
- * The high bit of each octet indicates that following octets
- * are included in the current number. Thus the last byte can't
- * have the high bit set.
- */
-
- if( data[ berOid->size-1 ] >= 0x80 ) {
- return PR_FAILURE;
- }
-
- /*
- * Other than that, any byte sequence is legit.
- */
- return PR_SUCCESS;
-}
-
-/*
- * nssOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID. It may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromBER
-(
- NSSBER *berOid
-)
-{
- NSSOID *rv;
- PLHashEntry *e;
-
- if( PR_SUCCESS != oid_init() ) {
- return (NSSOID *)NULL;
- }
-
- if( PR_SUCCESS != oid_sanity_check_ber(berOid) ) {
- nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSOID *)NULL;
- }
-
- /*
- * Does it exist?
- */
- PR_Lock(oid_hash_lock);
- rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, berOid);
- (void)PR_Unlock(oid_hash_lock);
- if( (NSSOID *)NULL != rv ) {
- /* Found it! */
- return rv;
- }
-
- /*
- * Doesn't exist-- create it.
- */
- rv = nss_ZNEW(oid_arena, NSSOID);
- if( (NSSOID *)NULL == rv ) {
- return (NSSOID *)NULL;
- }
-
- rv->data.data = nss_ZAlloc(oid_arena, berOid->size);
- if( (void *)NULL == rv->data.data ) {
- return (NSSOID *)NULL;
- }
-
- rv->data.size = berOid->size;
- nsslibc_memcpy(rv->data.data, berOid->data, berOid->size);
-
-#ifdef DEBUG
- rv->tag = "<runtime>";
- rv->expl = "(OID registered at runtime)";
-#endif /* DEBUG */
-
- PR_Lock(oid_hash_lock);
- e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
- (void)PR_Unlock(oid_hash_lock);
- if( (PLHashEntry *)NULL == e ) {
- nss_ZFreeIf(rv->data.data);
- nss_ZFreeIf(rv);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSOID *)NULL;
- }
-
-#ifdef DEBUG
- {
- PRStatus st;
- st = oid_add_pointer(rv);
- if( PR_SUCCESS != st ) {
- PR_Lock(oid_hash_lock);
- (void)PL_HashTableRemove(oid_hash_table, &rv->data);
- (void)PR_Unlock(oid_hash_lock);
- (void)nss_ZFreeIf(rv->data.data);
- (void)nss_ZFreeIf(rv);
- return (NSSOID *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return rv;
-}
-
-/*
- * oid_sanity_check_utf8
- *
- * This routine merely applies some sanity-checking to the
- * UTF8-encoded OID.
- */
-
-static PRStatus
-oid_sanity_check_utf8
-(
- NSSUTF8 *s
-)
-{
- /*
- * It may begin with an octothorpe, which we skip.
- */
-
- if( '#' == *s ) {
- s++;
- }
-
- /*
- * It begins with a number
- */
-
- if( (*s < '0') || (*s > '9') ) {
- return PR_FAILURE;
- }
-
- /*
- * First number is only one digit long
- *
- * XXX This is a "soft check" -- we may want to exclude it
- */
-
- if( (s[1] != '.') && (s[1] != '\0') ) {
- return PR_FAILURE;
- }
-
- /*
- * Every character is either a digit or a period
- */
-
- for( ; '\0' != *s; s++ ) {
- if( ('.' != *s) && ((*s < '0') || (*s > '9')) ) {
- return PR_FAILURE;
- }
-
- /* No two consecutive periods */
- if( ('.' == *s) && ('.' == s[1]) ) {
- return PR_FAILURE;
- }
- }
-
- /*
- * The last character isn't a period
- */
-
- if( '.' == *--s ) {
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-static PRUint32
-oid_encode_number
-(
- PRUint32 n,
- PRUint8 *dp,
- PRUint32 nb
-)
-{
- PRUint32 a[5];
- PRUint32 i;
- PRUint32 rv;
-
- a[0] = (n >> 28) & 0x7f;
- a[1] = (n >> 21) & 0x7f;
- a[2] = (n >> 14) & 0x7f;
- a[3] = (n >> 7) & 0x7f;
- a[4] = n & 0x7f;
-
- for( i = 0; i < 5; i++ ) {
- if( 0 != a[i] ) {
- break;
- }
- }
-
- if( 5 == i ) {
- i--;
- }
-
- rv = 5-i;
- if( rv > nb ) {
- return rv;
- }
-
- for( ; i < 4; i++ ) {
- *dp = 0x80 | a[i];
- dp++;
- }
-
- *dp = a[4];
-
- return rv;
-}
-
-/*
- * oid_encode_huge
- *
- * This routine will convert a huge decimal number into the DER
- * encoding for oid numbers. It is not limited to numbers that will
- * fit into some wordsize, like oid_encode_number. But it's not
- * necessarily very fast, either. This is here in case some joker
- * throws us an ASCII oid like 1.2.3.99999999999999999999999999.
- */
-
-static PRUint32
-oid_encode_huge
-(
- NSSUTF8 *s,
- NSSUTF8 *e,
- PRUint8 *dp,
- PRUint32 nb
-)
-{
- PRUint32 slen = (e-s);
- PRUint32 blen = (slen+1)/2;
- PRUint8 *st = (PRUint8 *)NULL;
- PRUint8 *bd = (PRUint8 *)NULL;
- PRUint32 i;
- PRUint32 bitno;
- PRUint8 *last;
- PRUint8 *first;
- PRUint32 byteno;
- PRUint8 mask;
-
- /* We'll be munging the data, so duplicate it */
- st = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, slen);
- if( (PRUint8 *)NULL == st ) {
- return 0;
- }
-
- /* Don't know ahead of time exactly how long we'll need */
- bd = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, blen);
- if( (PRUint8 *)NULL == bd ) {
- (void)nss_ZFreeIf(st);
- return 0;
- }
-
- /* Copy the original, and convert ASCII to numbers */
- for( i = 0; i < slen; i++ ) {
- st[i] = (PRUint8)(s[i] - '0');
- }
-
- last = &st[slen-1];
- first = &st[0];
-
- /*
- * The way we create the binary version is by looking at it
- * bit by bit. Start with the least significant bit. If the
- * number is odd, set that bit. Halve the number (with integer
- * division), and go to the next least significant bit. Keep
- * going until the number goes to zero.
- */
- for( bitno = 0; ; bitno++ ) {
- PRUint8 *d;
-
- byteno = bitno/7;
- mask = (PRUint8)(1 << (bitno%7));
-
- /* Skip leading zeroes */
- for( ; first < last; first ++ ) {
- if( 0 != *first ) {
- break;
- }
- }
-
- /* Down to one number and it's a zero? Done. */
- if( (first == last) && (0 == *last) ) {
- break;
- }
-
- /* Last digit is odd? Set the bit */
- if( *last & 1 ) {
- bd[ byteno ] |= mask;
- }
-
-
- /*
- * Divide the number in half. This is just a matter
- * of going from the least significant digit upwards,
- * halving each one. If any digit is odd (other than
- * the last, which has already been handled), add five
- * to the digit to its right.
- */
- *last /= 2;
-
- for( d = &last[-1]; d >= first; d-- ) {
- if( *d & 1 ) {
- d[1] += 5;
- }
-
- *d /= 2;
- }
- }
-
- /* Is there room to write the encoded data? */
- if( (byteno+1) > nb ) {
- return (byteno+1);
- }
-
- /* Trim any leading zero that crept in there */
- for( ; byteno > 0; byteno-- ) {
- if( 0 != bd[ byteno ] ) {
- break;
- }
- }
-
- /* Copy all but the last, marking the "continue" bit */
- for( i = 0; i < byteno; i++ ) {
- dp[i] = bd[ byteno-i ] | 0x80;
- }
- /* And the last with the "continue" bit clear */
- dp[byteno] = bd[0];
-
- (void)nss_ZFreeIf(bd);
- (void)nss_ZFreeIf(st);
- return (byteno+1);
-}
-
-/*
- * oid_encode_string
- *
- * This routine converts a dotted-number OID into a DER-encoded
- * one. It assumes we've already sanity-checked the string.
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static NSSOID *
-oid_encode_string
-(
- NSSUTF8 *s
-)
-{
- PRUint32 nn = 0; /* number of numbers */
- PRUint32 nb = 0; /* number of bytes (estimated) */
- NSSUTF8 *t;
- PRUint32 nd = 0; /* number of digits */
- NSSOID *rv;
- PRUint8 *dp;
- PRUint32 a, b;
- PRUint32 inc;
-
- /* Dump any octothorpe */
- if( '#' == *s ) {
- s++;
- }
-
- /* Count up the bytes needed */
- for( t = s; '\0' != *t; t++ ) {
- if( '.' == *t ) {
- nb += (nd+1)/2; /* errs on the big side */
- nd = 0;
- nn++;
- } else {
- nd++;
- }
- }
- nb += (nd+1)/2;
- nn++;
-
- if( 1 == nn ) {
- /*
- * We have our own "denormalised" encoding for these,
- * which is only used internally.
- */
- nb++;
- }
-
- /*
- * Allocate. Note that we don't use the oid_arena here.. this is
- * because there really isn't a "free()" for stuff allocated out of
- * arenas (at least with the current implementation), so this would
- * keep using up memory each time a UTF8-encoded OID were added.
- * If need be (if this is the first time this oid has been seen),
- * we'll copy it.
- */
- rv = nss_ZNEW((NSSArena *)NULL, NSSOID);
- if( (NSSOID *)NULL == rv ) {
- return (NSSOID *)NULL;
- }
-
- rv->data.data = nss_ZAlloc((NSSArena *)NULL, nb);
- if( (void *)NULL == rv->data.data ) {
- (void)nss_ZFreeIf(rv);
- return (NSSOID *)NULL;
- }
-
- dp = (PRUint8 *)rv->data.data;
-
- a = atoi(s);
-
- if( 1 == nn ) {
- dp[0] = '\x80';
- inc = oid_encode_number(a, &dp[1], nb-1);
- if( inc >= nb ) {
- goto loser;
- }
- } else {
- for( t = s; '.' != *t; t++ ) {
- ;
- }
-
- t++;
- b = atoi(t);
- inc = oid_encode_number(a*40+b, dp, nb);
- if( inc > nb ) {
- goto loser;
- }
- dp += inc;
- nb -= inc;
- nn -= 2;
-
- while( nn-- > 0 ) {
- NSSUTF8 *u;
-
- for( ; '.' != *t; t++ ) {
- ;
- }
-
- t++;
-
- for( u = t; ('\0' != *u) && ('.' != *u); u++ ) {
- ;
- }
-
- if( (u-t > 9) ) {
- /* In the billions. Rats. */
- inc = oid_encode_huge(t, u, dp, nb);
- } else {
- b = atoi(t);
- inc = oid_encode_number(b, dp, nb);
- }
-
- if( inc > nb ) {
- goto loser;
- }
- dp += inc;
- nb -= inc;
- }
- }
-
- return rv;
-
- loser:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return (NSSOID *)NULL;
-}
-
-/*
- * nssOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string
- * representation of an OID in dotted-number format. The string may
- * optionally begin with an octothorpe. It may return NULL
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromUTF8
-(
- NSSUTF8 *stringOid
-)
-{
- NSSOID *rv = (NSSOID *)NULL;
- NSSOID *candidate = (NSSOID *)NULL;
- PLHashEntry *e;
-
- if( PR_SUCCESS != oid_init() ) {
- return (NSSOID *)NULL;
- }
-
- if( PR_SUCCESS != oid_sanity_check_utf8(stringOid) ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSOID *)NULL;
- }
-
- candidate = oid_encode_string(stringOid);
- if( (NSSOID *)NULL == candidate ) {
- /* Internal error only */
- return rv;
- }
-
- /*
- * Does it exist?
- */
- PR_Lock(oid_hash_lock);
- rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, &candidate->data);
- (void)PR_Unlock(oid_hash_lock);
- if( (NSSOID *)NULL != rv ) {
- /* Already exists. Delete my copy and return the original. */
- (void)nss_ZFreeIf(candidate->data.data);
- (void)nss_ZFreeIf(candidate);
- return rv;
- }
-
- /*
- * Nope. Add it. Remember to allocate it out of the oid arena.
- */
-
- rv = nss_ZNEW(oid_arena, NSSOID);
- if( (NSSOID *)NULL == rv ) {
- goto loser;
- }
-
- rv->data.data = nss_ZAlloc(oid_arena, candidate->data.size);
- if( (void *)NULL == rv->data.data ) {
- goto loser;
- }
-
- rv->data.size = candidate->data.size;
- nsslibc_memcpy(rv->data.data, candidate->data.data, rv->data.size);
-
- (void)nss_ZFreeIf(candidate->data.data);
- (void)nss_ZFreeIf(candidate);
-
-#ifdef DEBUG
- rv->tag = "<runtime>";
- rv->expl = "(OID registered at runtime)";
-#endif /* DEBUG */
-
- PR_Lock(oid_hash_lock);
- e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
- (void)PR_Unlock(oid_hash_lock);
- if( (PLHashEntry *)NULL == e ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- goto loser;
- }
-
-#ifdef DEBUG
- {
- PRStatus st;
- st = oid_add_pointer(rv);
- if( PR_SUCCESS != st ) {
- PR_Lock(oid_hash_lock);
- (void)PL_HashTableRemove(oid_hash_table, &rv->data);
- (void)PR_Unlock(oid_hash_lock);
- goto loser;
- }
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (NSSOID *)NULL != candidate ) {
- (void)nss_ZFreeIf(candidate->data.data);
- }
- (void)nss_ZFreeIf(candidate);
-
- if( (NSSOID *)NULL != rv ) {
- (void)nss_ZFreeIf(rv->data.data);
- }
- (void)nss_ZFreeIf(rv);
-
- return (NSSOID *)NULL;
-}
-
-/*
- * nssOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return return null upon error, in
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-nssOID_GetDEREncoding
-(
- const NSSOID *oid,
- NSSDER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- const NSSItem *it;
- NSSDER *rv;
-
- if( PR_SUCCESS != oid_init() ) {
- return (NSSDER *)NULL;
- }
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSDER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- it = &oid->data;
-
- if( (NSSDER *)NULL == rvOpt ) {
- rv = nss_ZNEW(arenaOpt, NSSDER);
- if( (NSSDER *)NULL == rv ) {
- return (NSSDER *)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- rv->data = nss_ZAlloc(arenaOpt, it->size);
- if( (void *)NULL == rv->data ) {
- if( rv != rvOpt ) {
- (void)nss_ZFreeIf(rv);
- }
- return (NSSDER *)NULL;
- }
-
- rv->size = it->size;
- nsslibc_memcpy(rv->data, it->data, it->size);
-
- return rv;
-}
-
-/*
- * nssOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number
- * encoding of the specified NSSOID. If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return null upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the dotted-digit encoding of
- * this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-nssOID_GetUTF8Encoding
-(
- const NSSOID *oid,
- NSSArena *arenaOpt
-)
-{
- NSSUTF8 *rv;
- PRUint8 *end;
- PRUint8 *d;
- PRUint8 *e;
- char *a;
- char *b;
- PRUint32 len;
-
- if( PR_SUCCESS != oid_init() ) {
- return (NSSUTF8 *)NULL;
- }
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- a = (char *)NULL;
-
- /* d will point to the next sequence of bytes to decode */
- d = (PRUint8 *)oid->data.data;
- /* end points to one past the legitimate data */
- end = &d[ oid->data.size ];
-
-#ifdef NSSDEBUG
- /*
- * Guarantee that the for(e=d;e<end;e++) loop below will
- * terminate. Our BER sanity-checking code above will prevent
- * such a BER from being registered, so the only other way one
- * might show up is if our dotted-decimal encoder above screws
- * up or our generated list is wrong. So I'll wrap it with
- * #ifdef NSSDEBUG and #endif.
- */
- if( end[-1] & 0x80 ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- /*
- * Check for our pseudo-encoded single-digit OIDs
- */
- if( (*d == 0x80) && (2 == oid->data.size) ) {
- /* Funky encoding. The second byte is the number */
- a = PR_smprintf("%lu", (PRUint32)d[1]);
- if( (char *)NULL == a ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
- goto done;
- }
-
- for( ; d < end; d = &e[1] ) {
-
- for( e = d; e < end; e++ ) {
- if( 0 == (*e & 0x80) ) {
- break;
- }
- }
-
- if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
- /* More than a 32-bit number */
- } else {
- PRUint32 n = 0;
-
- switch( e-d ) {
- case 4:
- n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
- case 3:
- n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
- case 2:
- n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
- case 1:
- n |= ((PRUint32)(e[-1] & 0x7f)) << 7;
- case 0:
- n |= ((PRUint32)(e[-0] & 0x7f)) ;
- }
-
- if( (char *)NULL == a ) {
- /* This is the first number.. decompose it */
- PRUint32 one = (n/40), two = (n%40);
-
- a = PR_smprintf("%lu.%lu", one, two);
- if( (char *)NULL == a ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
- } else {
- b = PR_smprintf("%s.%lu", a, n);
- if( (char *)NULL == b ) {
- PR_smprintf_free(a);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
-
- PR_smprintf_free(a);
- a = b;
- }
- }
- }
-
- done:
- /*
- * Even if arenaOpt is NULL, we have to copy the data so that
- * it'll be freed with the right version of free: ours, not
- * PR_smprintf_free's.
- */
- len = PL_strlen(a);
- rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
- if( (NSSUTF8 *)NULL == rv ) {
- PR_smprintf_free(a);
- return (NSSUTF8 *)NULL;
- }
-
- nsslibc_memcpy(rv, a, len);
- PR_smprintf_free(a);
-
- return rv;
-}
-
-/*
- * nssOID_getExplanation
- *
- * This method is only present in debug builds.
- *
- * This routine will return a static pointer to a UTF8-encoded string
- * describing (in English) the specified OID. The memory pointed to
- * by the return value is not owned by the caller, and should not be
- * freed or modified. Note that explanations are only provided for
- * the OIDs built into the NSS library; there is no way to specify an
- * explanation for dynamically created OIDs. This routine is intended
- * only for use in debugging tools such as "derdump." This routine
- * may return null upon error, in which case it will have placed an
- * error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- *
- * Return value:
- * NULL upon error
- * A static pointer to a readonly, non-caller-owned UTF8-encoded
- * string explaining the specified OID.
- */
-
-#ifdef DEBUG
-NSS_EXTERN const NSSUTF8 *
-nssOID_getExplanation
-(
- NSSOID *oid
-)
-{
- if( PR_SUCCESS != oid_init() ) {
- return (const NSSUTF8 *)NULL;
- }
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSUTF8 *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return oid->expl;
-}
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-#endif /* DEBUG */
-
-/*
- * nssOID_getTaggedUTF8
- *
- * This method is only present in debug builds.
- *
- * This routine will return a pointer to a caller-owned UTF8-encoded
- * string containing a tagged encoding of the specified OID. Note
- * that OID (component) tags are only provided for the OIDs built
- * into the NSS library; there is no way to specify tags for
- * dynamically created OIDs. This routine is intended for use in
- * debugging tools such as "derdump." If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the tagged encoding of
- * this NSSOID
- */
-
-#ifdef DEBUG
-NSS_EXTERN NSSUTF8 *
-nssOID_getTaggedUTF8
-(
- NSSOID *oid,
- NSSArena *arenaOpt
-)
-{
- NSSUTF8 *rv;
- char *raw;
- char *c;
- char *a = (char *)NULL;
- char *b;
- PRBool done = PR_FALSE;
- PRUint32 len;
-
- if( PR_SUCCESS != oid_init() ) {
- return (NSSUTF8 *)NULL;
- }
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- a = PR_smprintf("{");
- if( (char *)NULL == a ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
-
- /*
- * What I'm doing here is getting the text version of the OID,
- * e.g. 1.2.12.92, then looking up each set of leading numbers
- * as oids.. e.g. "1," then "1.2," then "1.2.12," etc. Each of
- * those will have the leaf tag, and I just build up the string.
- * I never said this was the most efficient way of doing it,
- * but hey it's a debug-build thing, and I'm getting really tired
- * of writing this stupid low-level PKI code.
- */
-
- /* I know it's all ASCII, so I can use char */
- raw = (char *)nssOID_GetUTF8Encoding(oid, (NSSArena *)NULL);
- if( (char *)NULL == raw ) {
- return (NSSUTF8 *)NULL;
- }
-
- for( c = raw; !done; c++ ) {
- NSSOID *lead;
- char *lastdot;
-
- for( ; '.' != *c; c++ ) {
- if( '\0' == *c ) {
- done = PR_TRUE;
- break;
- }
- }
-
- *c = '\0';
- lead = nssOID_CreateFromUTF8((NSSUTF8 *)raw);
- if( (NSSOID *)NULL == lead ) {
- PR_smprintf_free(a);
- nss_ZFreeIf(raw);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
-
- lastdot = PL_strrchr(raw, '.');
- if( (char *)NULL == lastdot ) {
- lastdot = raw;
- }
-
- b = PR_smprintf("%s %s(%s) ", a, lead->tag, &lastdot[1]);
- if( (char *)NULL == b ) {
- PR_smprintf_free(a);
- nss_ZFreeIf(raw);
- /* drop the OID reference on the floor */
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
-
- PR_smprintf_free(a);
- a = b;
-
- if( !done ) {
- *c = '.';
- }
- }
-
- nss_ZFreeIf(raw);
-
- b = PR_smprintf("%s }", a);
- if( (char *)NULL == b ) {
- PR_smprintf_free(a);
- nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSUTF8 *)NULL;
- }
-
- len = PL_strlen(b);
-
- rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
- if( (NSSUTF8 *)NULL == rv ) {
- PR_smprintf_free(b);
- return (NSSUTF8 *)NULL;
- }
-
- nsslibc_memcpy(rv, b, len);
- PR_smprintf_free(b);
-
- return rv;
-}
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-#endif /* DEBUG */
diff --git a/security/nss/lib/pki1/oidgen.perl b/security/nss/lib/pki1/oidgen.perl
deleted file mode 100755
index 959e3cbaf..000000000
--- a/security/nss/lib/pki1/oidgen.perl
+++ /dev/null
@@ -1,311 +0,0 @@
-#!perl
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
-
-$count = -1;
-while(<>) {
- s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
- next if (/^\s*$/);
-
- /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
- $name = $1;
- $value = $2;
- # This is certainly not the best way to dequote the data.
- $value =~ s/"//g;
-
- if( $name =~ "OID" ) {
- $count++;
- $x[$count]{$name} = $value;
- $enc = encodeoid($value);
- $x[$count]{" encoding"} = escapeoid($enc);
- $x[$count]{" encoding length"} = length($enc);
- } else {
- if( $count < 0 ) {
- $g{$name} = $value;
- } else {
- $x[$count]{$name} = $value;
- }
- }
-}
-
-# dodump();
-doprint();
-
-sub dodump {
-for( $i = 0; $i <= $count; $i++ ) {
- print "number $i:\n";
- %y = %{$x[$i]};
- while(($n,$v) = each(%y)) {
- print "\t$n ==> $v\n";
- }
-}
-}
-
-sub doprint {
-open(CFILE, ">oiddata.c") || die "Can't open oiddata.c: $!";
-open(HFILE, ">oiddata.h") || die "Can't open oiddata.h: $!";
-
-print CFILE <<EOD
-/* THIS IS A GENERATED FILE */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifdef DEBUG
-static const char CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-#ifndef PKI1T_H
-#include "pki1t.h"
-#endif /* PKI1T_H */
-
-const NSSOID nss_builtin_oids[] = {
-EOD
- ;
-
-for( $i = 0; $i <= $count; $i++ ) {
- %y = %{$x[$i]};
- print CFILE " {\n";
- print CFILE "#ifdef DEBUG\n";
- print CFILE " \"$y{TAG}\",\n";
- print CFILE " \"$y{EXPL}\",\n";
- print CFILE "#endif /* DEBUG */\n";
- print CFILE " { \"", $y{" encoding"};
- print CFILE "\", ", $y{" encoding length"}, " }\n";
-
- if( $i == $count ) {
- print CFILE " }\n";
- } else {
- print CFILE " },\n";
- }
-}
-
-print CFILE "};\n\n";
-
-print CFILE "const PRUint32 nss_builtin_oid_count = ", ($count+1), ";\n\n";
-
-for( $i = 0; $i <= $count; $i++ ) {
- %y = %{$x[$i]};
- if( defined($y{NAME}) ) {
- print CFILE "const NSSOID *$y{NAME} = (NSSOID *)&nss_builtin_oids[$i];\n";
- }
-}
-
-print CFILE "\n";
-
-$attrcount = -1;
-for( $i = 0; $i <= $count; $i++ ) {
- %y = %{$x[$i]};
- if( defined($y{ATTR}) ) {
- if( defined($y{NAME}) ) {
- $attrcount++;
- $attr[$attrcount]{ATTR} = $y{ATTR};
- $attr[$attrcount]{NAME} = $y{NAME};
- } else {
- warn "Attribute $y{ATTR} has no name, and will be omitted!";
- }
- }
-}
-
-print CFILE "const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {\n";
-
-for( $i = 0; $i <= $attrcount; $i++ ) {
- %y = %{$attr[$i]};
- print CFILE " {\n";
- print CFILE " \"$y{ATTR}\",\n";
- print CFILE " &$y{NAME}\n";
-
- if( $i == $attrcount ) {
- print CFILE " }\n";
- } else {
- print CFILE " },\n";
- }
-}
-
-print CFILE "};\n\n";
-
-print CFILE "const PRUint32 nss_attribute_type_alias_count = ", ($attrcount+1), ";\n\n";
-
-print HFILE <<EOD
-/* THIS IS A GENERATED FILE */
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef OIDDATA_H
-#define OIDDATA_H
-
-#ifdef DEBUG
-static const char OIDDATA_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-extern const NSSOID nss_builtin_oids[];
-extern const PRUint32 nss_builtin_oid_count;
-
-/*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
-/*extern const PRUint32 nss_attribute_type_alias_count;*/
-
-EOD
- ;
-
-for( $i = 0; $i <= $count; $i++ ) {
- %y = %{$x[$i]};
- if( defined($y{NAME}) ) {
- print HFILE "extern const NSSOID *$y{NAME};\n";
- }
-}
-
-print HFILE <<EOD
-
-#endif /* OIDDATA_H */
-EOD
- ;
-
-close CFILE;
-close HFILE;
-}
-
-sub encodenum {
- my $v = $_[0];
- my @d;
- my $i;
- my $rv = "";
-
- while( $v > 128 ) {
- push @d, ($v % 128);
- $v /= 128;
- };
- push @d, ($v%128);
-
- for( $i = @d-1; $i > 0; $i-- ) {
- $rv = $rv . chr(128 + $d[$i]);
- }
-
- $rv = $rv . chr($d[0]);
-
- return $rv;
-}
-
-sub encodeoid {
- my @o = split(/\./, $_[0]);
- my $rv = "";
- my $i;
-
- if( @o < 2 ) {
- # NSS's special "illegal" encoding
- return chr(128) . encodenum($o[0]);
- }
-
- $rv = encodenum($o[0] * 40 + $o[1]);
- shift @o; shift @o;
-
- foreach $i (@o) {
- $rv = $rv . encodenum($i);
- }
-
- return $rv;
-}
-
-sub escapeoid {
- my @v = unpack("C*", $_[0]);
- my $a;
- my $rv = "";
-
- foreach $a (@v) {
- $rv = $rv . sprintf("\\x%02x", $a);
- }
-
- return $rv;
-}
diff --git a/security/nss/lib/pki1/oids.txt b/security/nss/lib/pki1/oids.txt
deleted file mode 100644
index df7b3ab28..000000000
--- a/security/nss/lib/pki1/oids.txt
+++ /dev/null
@@ -1,2115 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
-
-# Fields
-# OID -- the OID data itself, in dotted-number format
-# TAG -- the unofficial but common name. e.g., when written like
-# { joint-iso-ccitt(2) country(16) US(840) company(1) netscape(113730) }
-# those words ("joint-iso-ccitt," "country," etc.) are the tags.
-# EXPL -- a textual explanation, that should stand by itself
-# NAME -- the name we use in our code. If no NAME is given, it won't be included
-#
-# Additionally, some sets of OIDs map to some other spaces..
-# additional fields capture that data:
-#
-# CKM -- the corresponding Cryptoki Mechanism, if any
-# CKK -- the corresponding Cryptoki Key type, if any
-# ATTR -- the UTF-8 attribute type encoding, if applicable
-# it should be in the standard presentation style (e.g., lowercase),
-# already-escaped a la RFC 2253 if necessary (which would only
-# be necessary if some idiot defined an attribute with, say,
-# an equals sign in it)
-# CERT_EXTENSION -- SUPPORTED or UNSUPPORTED certificate extension, if applicable
-
-# Top of the OID tree -- see http://www.alvestrand.no/objectid/top.html
-#
-OID 0
-TAG ccitt # ITU-T used to be called CCITT
-EXPL "ITU-T"
-
-# See X.208 Annex C for an explanation of the OIDs below ccitt/itu-t
-
-OID 0.0
-TAG recommendation
-EXPL "ITU-T Recommendation"
-
-OID 0.1
-TAG question
-EXPL "ITU-T Question"
-
-OID 0.2
-TAG administration
-EXPL "ITU-T Administration"
-
-OID 0.3
-TAG network-operator
-EXPL "ITU-T Network Operator"
-
-OID 0.4
-TAG identified-organization
-EXPL "ITU-T Identified Organization"
-
-OID 0.9 # used in some RFCs (unofficial!)
-TAG data
-EXPL "RFC Data"
-
-OID 0.9.2342
-TAG pss
-EXPL "PSS British Telecom X.25 Network"
-
-OID 0.9.2342.19200300
-TAG ucl
-EXPL "RFC 1274 UCL Data networks"
-
-OID 0.9.2342.19200300.100
-TAG pilot
-EXPL "RFC 1274 pilot"
-
-OID 0.9.2342.19200300.100.1
-TAG attributeType
-EXPL "RFC 1274 Attribute Type"
-
-OID 0.9.2342.19200300.100.1.1
-TAG uid
-EXPL "RFC 1274 User Id"
-NAME NSS_OID_RFC1274_UID
-ATTR "uid"
-
-OID 0.9.2342.19200300.100.1.3
-TAG mail
-EXPL "RFC 1274 E-mail Addres"
-NAME NSS_OID_RFC1274_EMAIL
-ATTR "mail" # XXX fgmr
-
-OID 0.9.2342.19200300.100.1.25
-TAG dc
-EXPL "RFC 2247 Domain Component"
-NAME NSS_OID_RFC2247_DC
-ATTR "dc"
-
-OID 0.9.2342.19200300.100.3
-TAG attributeSyntax
-EXPL "RFC 1274 Attribute Syntax"
-
-OID 0.9.2342.19200300.100.3.4
-TAG iA5StringSyntax
-EXPL "RFC 1274 IA5 String Attribute Syntax"
-
-OID 0.9.2342.19200300.100.3.5
-TAG caseIgnoreIA5StringSyntax
-EXPL "RFC 1274 Case-Ignore IA5 String Attribute Syntax"
-
-OID 0.9.2342.19200300.100.4
-TAG objectClass
-EXPL "RFC 1274 Object Class"
-
-OID 0.9.2342.19200300.100.10
-TAG groups
-EXPL "RFC 1274 Groups"
-
-OID 0.9.2342.234219200300
-TAG ucl
-EXPL "RFC 1327 ucl"
-
-OID 1
-TAG iso
-EXPL "ISO"
-
-# See X.208 Annex B for an explanation of the OIDs below iso
-
-OID 1.0
-TAG standard
-EXPL "ISO Standard"
-
-OID 1.1
-TAG registration-authority
-EXPL "ISO Registration Authority"
-
-OID 1.2
-TAG member-body
-EXPL "ISO Member Body"
-
-OID 1.2.36
-TAG australia
-EXPL "Australia (ISO)"
-
-OID 1.2.158
-TAG taiwan
-EXPL "Taiwan (ISO)"
-
-OID 1.2.372
-TAG ireland
-EXPL "Ireland (ISO)"
-
-OID 1.2.578
-TAG norway
-EXPL "Norway (ISO)"
-
-OID 1.2.752
-TAG sweden
-EXPL "Sweden (ISO)"
-
-OID 1.2.826
-TAG great-britain
-EXPL "Great Britain (ISO)"
-
-OID 1.2.840
-TAG us
-EXPL "United States (ISO)"
-
-OID 1.2.840.1
-TAG organization
-EXPL "US (ISO) organization"
-
-OID 1.2.840.10003
-TAG ansi-z30-50
-EXPL "ANSI Z39.50"
-
-OID 1.2.840.10008
-TAG dicom
-EXPL "DICOM"
-
-OID 1.2.840.10017
-TAG ieee-1224
-EXPL "IEEE 1224"
-
-OID 1.2.840.10022
-TAG ieee-802-10
-EXPL "IEEE 802.10"
-
-OID 1.2.840.10036
-TAG ieee-802-11
-EXPL "IEEE 802.11"
-
-OID 1.2.840.10040
-TAG x9-57
-EXPL "ANSI X9.57"
-
-# RFC 2459:
-#
-# holdInstruction OBJECT IDENTIFIER ::=
-# {iso(1) member-body(2) us(840) x9cm(10040) 2}
-#
-# Note that the appendices of RFC 2459 define the (wrong) value
-# of 2.2.840.10040.2 for this oid.
-OID 1.2.840.10040.2
-TAG holdInstruction
-EXPL "ANSI X9.57 Hold Instruction"
-
-# RFC 2459:
-#
-# id-holdinstruction-none OBJECT IDENTIFIER ::=
-# {holdInstruction 1} -- deprecated
-OID 1.2.840.10040.2.1
-TAG id-holdinstruction-none
-EXPL "ANSI X9.57 Hold Instruction: None"
-
-# RFC 2459:
-#
-# id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
-# {holdInstruction 2}
-OID 1.2.840.10040.2.2
-TAG id-holdinstruction-callissuer
-EXPL "ANSI X9.57 Hold Instruction: Call Issuer"
-
-# RFC 2459:
-#
-# id-holdinstruction-reject OBJECT IDENTIFIER ::=
-# {holdInstruction 3}
-OID 1.2.840.10040.2.3
-TAG id-holdinstruction-reject
-EXPL "ANSI X9.57 Hold Instruction: Reject"
-
-OID 1.2.840.10040.4
-TAG x9algorithm
-EXPL "ANSI X9.57 Algorithm"
-
-# RFC 2459:
-#
-# id-dsa OBJECT IDENTIFIER ::= {
-# iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
-OID 1.2.840.10040.4.1
-TAG id-dsa
-EXPL "ANSI X9.57 DSA Signature"
-NAME NSS_OID_ANSIX9_DSA_SIGNATURE
-CKM CKM_DSA
-CKK CKK_DSA
-
-# RFC 2459:
-#
-# id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
-# iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
-OID 1.2.840.10040.4.3
-TAG id-dsa-with-sha1
-EXPL "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest"
-NAME NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST
-CKM CKM_DSA_SHA1
-
-OID 1.2.840.10046
-TAG x942
-EXPL "ANSI X9.42"
-
-OID 1.2.840.10046.2
-TAG algorithm
-EXPL "ANSI X9.42 Algorithm"
-
-# RFC 2459:
-#
-# dhpublicnumber OBJECT IDENTIFIER ::= {
-# iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
-OID 1.2.840.10046.2.1
-TAG dhpublicnumber
-EXPL "Diffie-Hellman Public Key Algorithm"
-NAME NSS_OID_X942_DIFFIE_HELMAN_KEY
-CKM CKM_DH_PKCS_DERIVE
-CKK CKK_DH
-
-OID 1.2.840.113533
-TAG entrust
-EXPL "Entrust Technologies"
-
-OID 1.2.840.113549
-TAG rsadsi
-EXPL "RSA Data Security Inc."
-
-OID 1.2.840.113549.1
-# http://www.rsa.com/rsalabs/pubs/PKCS/
-TAG pkcs
-EXPL "PKCS"
-
-# RFC 2459:
-#
-# pkcs-1 OBJECT IDENTIFIER ::= {
-# iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
-OID 1.2.840.113549.1.1
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
-TAG pkcs-1
-EXPL "PKCS #1"
-
-# RFC 2459:
-#
-# rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
-OID 1.2.840.113549.1.1.1
-TAG rsaEncryption
-EXPL "PKCS #1 RSA Encryption"
-NAME NSS_OID_PKCS1_RSA_ENCRYPTION
-CKM CKM_RSA_PKCS
-CKK CKK_RSA
-
-# RFC 2459:
-#
-# md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
-OID 1.2.840.113549.1.1.2
-TAG md2WithRSAEncryption
-EXPL "PKCS #1 MD2 With RSA Encryption"
-NAME NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION
-CKM CKM_MD2_RSA_PKCS
-
-OID 1.2.840.113549.1.1.3
-TAG md4WithRSAEncryption
-EXPL "PKCS #1 MD4 With RSA Encryption"
-NAME NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION
-# No CKM!
-
-# RFC 2459:
-#
-# md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
-OID 1.2.840.113549.1.1.4
-TAG md5WithRSAEncryption
-EXPL "PKCS #1 MD5 With RSA Encryption"
-NAME NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
-CKM CKM_MD5_RSA_PKCS
-
-# RFC 2459:
-#
-# sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
-OID 1.2.840.113549.1.1.5
-TAG sha1WithRSAEncryption
-EXPL "PKCS #1 SHA-1 With RSA Encryption"
-NAME NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION
-CKM CKM_SHA1_RSA_PKCS
-
-OID 1.2.840.113549.1.5
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc
-TAG pkcs-5
-EXPL "PKCS #5"
-
-OID 1.2.840.113549.1.5.1
-TAG pbeWithMD2AndDES-CBC
-EXPL "PKCS #5 Password Based Encryption With MD2 and DES-CBC"
-NAME NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC
-CKM CKM_PBE_MD2_DES_CBC
-
-OID 1.2.840.113549.1.5.3
-TAG pbeWithMD5AndDES-CBC
-EXPL "PKCS #5 Password Based Encryption With MD5 and DES-CBC"
-NAME NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC
-CKM CKM_PBE_MD5_DES_CBC
-
-OID 1.2.840.113549.1.5.10
-TAG pbeWithSha1AndDES-CBC
-EXPL "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC"
-NAME NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_DES_CBC
-
-OID 1.2.840.113549.1.7
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-7.asc
-TAG pkcs-7
-EXPL "PKCS #7"
-NAME NSS_OID_PKCS7
-
-OID 1.2.840.113549.1.7.1
-TAG data
-EXPL "PKCS #7 Data"
-NAME NSS_OID_PKCS7_DATA
-
-OID 1.2.840.113549.1.7.2
-TAG signedData
-EXPL "PKCS #7 Signed Data"
-NAME NSS_OID_PKCS7_SIGNED_DATA
-
-OID 1.2.840.113549.1.7.3
-TAG envelopedData
-EXPL "PKCS #7 Enveloped Data"
-NAME NSS_OID_PKCS7_ENVELOPED_DATA
-
-OID 1.2.840.113549.1.7.4
-TAG signedAndEnvelopedData
-EXPL "PKCS #7 Signed and Enveloped Data"
-NAME NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA
-
-OID 1.2.840.113549.1.7.5
-TAG digestedData
-EXPL "PKCS #7 Digested Data"
-NAME NSS_OID_PKCS7_DIGESTED_DATA
-
-OID 1.2.840.113549.1.7.6
-TAG encryptedData
-EXPL "PKCS #7 Encrypted Data"
-NAME NSS_OID_PKCS7_ENCRYPTED_DATA
-
-# RFC 2459:
-#
-# pkcs-9 OBJECT IDENTIFIER ::=
-# { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
-OID 1.2.840.113549.1.9
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-9.asc
-TAG pkcs-9
-EXPL "PKCS #9"
-
-# RFC 2459:
-#
-# emailAddress AttributeType ::= { pkcs-9 1 }
-OID 1.2.840.113549.1.9.1
-TAG emailAddress
-EXPL "PKCS #9 Email Address"
-NAME NSS_OID_PKCS9_EMAIL_ADDRESS
-
-OID 1.2.840.113549.1.9.2
-TAG unstructuredName
-EXPL "PKCS #9 Unstructured Name"
-NAME NSS_OID_PKCS9_UNSTRUCTURED_NAME
-
-OID 1.2.840.113549.1.9.3
-TAG contentType
-EXPL "PKCS #9 Content Type"
-NAME NSS_OID_PKCS9_CONTENT_TYPE
-
-OID 1.2.840.113549.1.9.4
-TAG messageDigest
-EXPL "PKCS #9 Message Digest"
-NAME NSS_OID_PKCS9_MESSAGE_DIGEST
-
-OID 1.2.840.113549.1.9.5
-TAG signingTime
-EXPL "PKCS #9 Signing Time"
-NAME NSS_OID_PKCS9_SIGNING_TIME
-
-OID 1.2.840.113549.1.9.6
-TAG counterSignature
-EXPL "PKCS #9 Counter Signature"
-NAME NSS_OID_PKCS9_COUNTER_SIGNATURE
-
-OID 1.2.840.113549.1.9.7
-TAG challengePassword
-EXPL "PKCS #9 Challenge Password"
-NAME NSS_OID_PKCS9_CHALLENGE_PASSWORD
-
-OID 1.2.840.113549.1.9.8
-TAG unstructuredAddress
-EXPL "PKCS #9 Unstructured Address"
-NAME NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS
-
-OID 1.2.840.113549.1.9.9
-TAG extendedCertificateAttributes
-EXPL "PKCS #9 Extended Certificate Attributes"
-NAME NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES
-
-OID 1.2.840.113549.1.9.15
-TAG sMIMECapabilities
-EXPL "PKCS #9 S/MIME Capabilities"
-NAME NSS_OID_PKCS9_SMIME_CAPABILITIES
-
-OID 1.2.840.113549.1.9.20
-TAG friendlyName
-EXPL "PKCS #9 Friendly Name"
-NAME NSS_OID_PKCS9_FRIENDLY_NAME
-
-OID 1.2.840.113549.1.9.21
-TAG localKeyID
-EXPL "PKCS #9 Local Key ID"
-NAME NSS_OID_PKCS9_LOCAL_KEY_ID
-
-OID 1.2.840.113549.1.9.22
-TAG certTypes
-EXPL "PKCS #9 Certificate Types"
-
-OID 1.2.840.113549.1.9.22.1
-TAG x509Certificate
-EXPL "PKCS #9 Certificate Type = X.509"
-NAME NSS_OID_PKCS9_X509_CERT
-
-OID 1.2.840.113549.1.9.22.2
-TAG sdsiCertificate
-EXPL "PKCS #9 Certificate Type = SDSI"
-NAME NSS_OID_PKCS9_SDSI_CERT
-
-OID 1.2.840.113549.1.9.23
-TAG crlTypes
-EXPL "PKCS #9 Certificate Revocation List Types"
-
-OID 1.2.840.113549.1.9.23.1
-TAG x509Crl
-EXPL "PKCS #9 CRL Type = X.509"
-NAME NSS_OID_PKCS9_X509_CRL
-
-OID 1.2.840.113549.1.12
-# http://www.rsa.com/rsalabs/pubs/PKCS/html/pkcs-12.html
-# NOTE -- PKCS #12 multiple contradictory
-# documents exist. Somebody go figure out the canonical
-# OID list, keeping in mind backwards-compatability..
-TAG pkcs-12
-EXPL "PKCS #12"
-NAME NSS_OID_PKCS12
-
-OID 1.2.840.113549.1.12.1
-TAG pkcs-12PbeIds
-EXPL "PKCS #12 Password Based Encryption IDs"
-NAME NSS_OID_PKCS12_PBE_IDS
-# We called it SEC_OID_PKCS12_MODE_IDS
-
-OID 1.2.840.113549.1.12.1.1
-TAG pbeWithSHA1And128BitRC4
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4
-
-OID 1.2.840.113549.1.12.1.2
-TAG pbeWithSHA1And40BitRC4
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4
-
-OID 1.2.840.113549.1.12.1.3
-TAG pbeWithSHA1And3-KeyTripleDES-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
-
-OID 1.2.840.113549.1.12.1.4
-TAG pbeWithSHA1And2-KeyTripleDES-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC
-CKM CKM_PBE_SHA1_DES2_EDE_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC
-
-OID 1.2.840.113549.1.12.1.5
-TAG pbeWithSHA1And128BitRC2-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.1.6
-TAG pbeWithSHA1And40BitRC2-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.2
-TAG pkcs-12EspvkIds
-EXPL "PKCS #12 ESPVK IDs"
-# We called it SEC_OID_PKCS12_ESPVK_IDS
-
-OID 1.2.840.113549.1.12.2.1
-TAG pkcs8-key-shrouding
-EXPL "PKCS #12 Key Shrouding"
-# We called it SEC_OID_PKCS12_PKCS8_KEY_SHROUDING
-
-OID 1.2.840.113549.1.12.3
-TAG draft1Pkcs-12Bag-ids
-EXPL "Draft 1.0 PKCS #12 Bag IDs"
-# We called it SEC_OID_PKCS12_BAG_IDS
-
-OID 1.2.840.113549.1.12.3.1
-TAG keyBag
-EXPL "Draft 1.0 PKCS #12 Key Bag"
-# We called it SEC_OID_PKCS12_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.3.2
-TAG certAndCRLBagId
-EXPL "Draft 1.0 PKCS #12 Cert and CRL Bag ID"
-# We called it SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
-
-OID 1.2.840.113549.1.12.3.3
-TAG secretBagId
-EXPL "Draft 1.0 PKCS #12 Secret Bag ID"
-# We called it SEC_OID_PKCS12_SECRET_BAG_ID
-
-OID 1.2.840.113549.1.12.3.4
-TAG safeContentsId
-EXPL "Draft 1.0 PKCS #12 Safe Contents Bag ID"
-# We called it SEC_OID_PKCS12_SAFE_CONTENTS_ID
-
-OID 1.2.840.113549.1.12.3.5
-TAG pkcs-8ShroudedKeyBagId
-EXPL "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID"
-# We called it SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.4
-TAG pkcs-12CertBagIds
-EXPL "PKCS #12 Certificate Bag IDs"
-# We called it SEC_OID_PKCS12_CERT_BAG_IDS
-
-OID 1.2.840.113549.1.12.4.1
-TAG x509CertCRLBagId
-EXPL "PKCS #12 X.509 Certificate and CRL Bag"
-# We called it SEC_OID_PKCS12_X509_CERT_CRL_BAG
-
-OID 1.2.840.113549.1.12.4.2
-TAG SDSICertBagID
-EXPL "PKCS #12 SDSI Certificate Bag"
-# We called it SEC_OID_PKCS12_SDSI_CERT_BAG
-
-OID 1.2.840.113549.1.12.5
-TAG pkcs-12Oids
-EXPL "PKCS #12 OIDs (XXX)"
-# We called it SEC_OID_PKCS12_OIDS
-
-OID 1.2.840.113549.1.12.5.1
-TAG pkcs-12PbeIds
-EXPL "PKCS #12 OIDs PBE IDs (XXX)"
-# We called it SEC_OID_PKCS12_PBE_IDS
-
-OID 1.2.840.113549.1.12.5.1.1
-TAG pbeWithSha1And128BitRC4
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.1.2
-TAG pbeWithSha1And40BitRC4
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.1.3
-TAG pbeWithSha1AndTripleDES-CBC
-EXPL "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC
-
-OID 1.2.840.113549.1.12.5.1.4
-TAG pbeWithSha1And128BitRC2-CBC
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.5.1.5
-TAG pbeWithSha1And40BitRC2-CBC
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.5.2
-TAG pkcs-12EnvelopingIds
-EXPL "PKCS #12 OIDs Enveloping IDs (XXX)"
-# We called it SEC_OID_PKCS12_ENVELOPING_IDS
-
-OID 1.2.840.113549.1.12.5.2.1
-TAG rsaEncryptionWith128BitRC4
-EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4"
-# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.2.2
-TAG rsaEncryptionWith40BitRC4
-EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4"
-# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.2.3
-TAG rsaEncryptionWithTripleDES
-EXPL "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES"
-# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES
-
-OID 1.2.840.113549.1.12.5.3
-TAG pkcs-12SignatureIds
-EXPL "PKCS #12 OIDs Signature IDs (XXX)"
-# We called it SEC_OID_PKCS12_SIGNATURE_IDS
-
-OID 1.2.840.113549.1.12.5.3.1
-TAG rsaSignatureWithSHA1Digest
-EXPL "PKCS #12 OIDs RSA Signature with SHA-1 Digest"
-# We called it SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST
-
-OID 1.2.840.113549.1.12.10
-TAG pkcs-12Version1
-EXPL "PKCS #12 Version 1"
-
-OID 1.2.840.113549.1.12.10.1
-TAG pkcs-12BagIds
-EXPL "PKCS #12 Bag IDs"
-
-OID 1.2.840.113549.1.12.10.1.1
-TAG keyBag
-EXPL "PKCS #12 Key Bag"
-NAME NSS_OID_PKCS12_KEY_BAG
-# We called it SEC_OID_PKCS12_V1_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.2
-TAG pkcs-8ShroudedKeyBag
-EXPL "PKCS #12 PKCS #8-shrouded Key Bag"
-NAME NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG
-# We called it SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.3
-TAG certBag
-EXPL "PKCS #12 Certificate Bag"
-NAME NSS_OID_PKCS12_CERT_BAG
-# We called it SEC_OID_PKCS12_V1_CERT_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.4
-TAG crlBag
-EXPL "PKCS #12 CRL Bag"
-NAME NSS_OID_PKCS12_CRL_BAG
-# We called it SEC_OID_PKCS12_V1_CRL_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.5
-TAG secretBag
-EXPL "PKCS #12 Secret Bag"
-NAME NSS_OID_PKCS12_SECRET_BAG
-# We called it SEC_OID_PKCS12_V1_SECRET_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.6
-TAG safeContentsBag
-EXPL "PKCS #12 Safe Contents Bag"
-NAME NSS_OID_PKCS12_SAFE_CONTENTS_BAG
-# We called it SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID
-
-OID 1.2.840.113549.2
-TAG digest
-EXPL "RSA digest algorithm"
-
-OID 1.2.840.113549.2.2
-TAG md2
-EXPL "MD2"
-NAME NSS_OID_MD2
-CKM CKM_MD2
-
-OID 1.2.840.113549.2.4
-TAG md4
-EXPL "MD4"
-NAME NSS_OID_MD4
-# No CKM
-
-OID 1.2.840.113549.2.5
-TAG md5
-EXPL "MD5"
-NAME NSS_OID_MD5
-CKM CKM_MD5
-
-OID 1.2.840.113549.3
-TAG cipher
-EXPL "RSA cipher algorithm"
-
-OID 1.2.840.113549.3.2
-TAG rc2cbc
-EXPL "RC2-CBC"
-NAME NSS_OID_RC2_CBC
-CKM_RC2_CBC
-
-OID 1.2.840.113549.3.4
-TAG rc4
-EXPL "RC4"
-NAME NSS_OID_RC4
-CKM CKM_RC4
-
-OID 1.2.840.113549.3.7
-TAG desede3cbc
-EXPL "DES-EDE3-CBC"
-NAME NSS_OID_DES_EDE3_CBC
-CKM CKM_DES3_CBC
-
-OID 1.2.840.113549.3.9
-TAG rc5cbcpad
-EXPL "RC5-CBCPad"
-NAME NSS_OID_RC5_CBC_PAD
-CKM CKM_RC5_CBC
-
-OID 1.2.840.113556
-TAG microsoft
-EXPL "Microsoft"
-
-OID 1.2.840.113560
-TAG columbia-university
-EXPL "Columbia University"
-
-OID 1.2.840.113572
-TAG unisys
-EXPL "Unisys"
-
-OID 1.2.840.113658
-TAG xapia
-EXPL "XAPIA"
-
-OID 1.2.840.113699
-TAG wordperfect
-EXPL "WordPerfect"
-
-OID 1.3
-TAG identified-organization
-EXPL "ISO identified organizations"
-
-OID 1.3.6
-TAG us-dod
-EXPL "United States Department of Defense"
-
-OID 1.3.6.1
-TAG internet # See RFC 1065
-EXPL "The Internet"
-
-OID 1.3.6.1.1
-TAG directory
-EXPL "Internet: Directory"
-
-OID 1.3.6.1.2
-TAG management
-EXPL "Internet: Management"
-
-OID 1.3.6.1.3
-TAG experimental
-EXPL "Internet: Experimental"
-
-OID 1.3.6.1.4
-TAG private
-EXPL "Internet: Private"
-
-OID 1.3.6.1.5
-TAG security
-EXPL "Internet: Security"
-
-OID 1.3.6.1.5.5
-
-# RFC 2459:
-#
-# id-pkix OBJECT IDENTIFIER ::=
-# { iso(1) identified-organization(3) dod(6) internet(1)
-# security(5) mechanisms(5) pkix(7) }
-OID 1.3.6.1.5.5.7
-TAG id-pkix
-EXPL "Public Key Infrastructure"
-
-# RFC 2459:
-#
-# PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1)
-# security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
-OID 1.3.6.1.5.5.7.0.1
-TAG PKIX1Explicit88
-EXPL "RFC 2459 Explicitly Tagged Module, 1988 Syntax"
-
-# RFC 2459:
-#
-# PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1)
-# security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)}
-OID 1.3.6.1.5.5.7.0.2
-TAG PKIXImplicit88
-EXPL "RFC 2459 Implicitly Tagged Module, 1988 Syntax"
-
-# RFC 2459:
-#
-# PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1)
-# security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)}
-OID 1.3.6.1.5.5.7.0.3
-TAG PKIXExplicit93
-EXPL "RFC 2459 Explicitly Tagged Module, 1993 Syntax"
-
-# RFC 2459:
-#
-# id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
-# -- arc for private certificate extensions
-OID 1.3.6.1.5.5.7.1
-TAG id-pe
-EXPL "PKIX Private Certificate Extensions"
-
-# RFC 2459:
-#
-# id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
-OID 1.3.6.1.5.5.7.1.1
-TAG id-pe-authorityInfoAccess
-EXPL "Certificate Authority Information Access"
-NAME NSS_OID_X509_AUTH_INFO_ACCESS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
-# -- arc for policy qualifier types
-OID 1.3.6.1.5.5.7.2
-TAG id-qt
-EXPL "PKIX Policy Qualifier Types"
-
-# RFC 2459:
-#
-# id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
-# -- OID for CPS qualifier
-OID 1.3.6.1.5.5.7.2.1
-TAG id-qt-cps
-EXPL "PKIX CPS Pointer Qualifier"
-NAME NSS_OID_PKIX_CPS_POINTER_QUALIFIER
-
-# RFC 2459:
-#
-# id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
-# -- OID for user notice qualifier
-OID 1.3.6.1.5.5.7.2.2
-TAG id-qt-unotice
-EXPL "PKIX User Notice Qualifier"
-NAME NSS_OID_PKIX_USER_NOTICE_QUALIFIER
-
-# RFC 2459:
-#
-# id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
-# -- arc for extended key purpose OIDS
-OID 1.3.6.1.5.5.7.3
-TAG id-kp
-EXPL "PKIX Key Purpose"
-
-# RFC 2459:
-#
-# id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
-OID 1.3.6.1.5.5.7.3.1
-TAG id-kp-serverAuth
-EXPL "TLS Web Server Authentication Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_SERVER_AUTH
-
-# RFC 2459:
-#
-# id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
-OID 1.3.6.1.5.5.7.3.2
-TAG id-kp-clientAuth
-EXPL "TLS Web Client Authentication Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH
-
-# RFC 2459:
-#
-# id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
-OID 1.3.6.1.5.5.7.3.3
-TAG id-kp-codeSigning
-EXPL "Code Signing Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_CODE_SIGN
-
-# RFC 2459:
-#
-# id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
-OID 1.3.6.1.5.5.7.3.4
-TAG id-kp-emailProtection
-EXPL "E-Mail Protection Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION
-
-# RFC 2459:
-#
-# id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
-OID 1.3.6.1.5.5.7.3.5
-TAG id-kp-ipsecEndSystem
-EXPL "IPSEC End System Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM
-
-# RFC 2459:
-#
-# id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
-OID 1.3.6.1.5.5.7.3.6
-TAG id-kp-ipsecTunnel
-EXPL "IPSEC Tunnel Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL
-
-# RFC 2459:
-#
-# id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
-OID 1.3.6.1.5.5.7.3.7
-TAG id-kp-ipsecUser
-EXPL "IPSEC User Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_IPSEC_USER
-
-# RFC 2459:
-#
-# id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
-OID 1.3.6.1.5.5.7.3.8
-TAG id-kp-timeStamping
-EXPL "Time Stamping Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_TIME_STAMP
-
-OID 1.3.6.1.5.5.7.3.9
-TAG ocsp-responder
-EXPL "OCSP Responder Certificate"
-NAME NSS_OID_OCSP_RESPONDER
-
-OID 1.3.6.1.5.5.7.7
-TAG pkix-id-pkix
-
-OID 1.3.6.1.5.5.7.7.5
-TAG pkix-id-pkip
-
-OID 1.3.6.1.5.5.7.7.5.1
-TAG pkix-id-regctrl
-EXPL "CRMF Registration Control"
-
-OID 1.3.6.1.5.5.7.7.5.1.1
-TAG regtoken
-EXPL "CRMF Registration Control, Registration Token"
-NAME NSS_OID_PKIX_REGCTRL_REGTOKEN
-
-OID 1.3.6.1.5.5.7.7.5.1.2
-TAG authenticator
-EXPL "CRMF Registration Control, Registration Authenticator"
-NAME NSS_OID_PKIX_REGCTRL_AUTHENTICATOR
-
-OID 1.3.6.1.5.5.7.7.5.1.3
-TAG pkipubinfo
-EXPL "CRMF Registration Control, PKI Publication Info"
-NAME NSS_OID_PKIX_REGCTRL_PKIPUBINFO
-
-OID 1.3.6.1.5.5.7.7.5.1.4
-TAG pki-arch-options
-EXPL "CRMF Registration Control, PKI Archive Options"
-NAME NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS
-
-OID 1.3.6.1.5.5.7.7.5.1.5
-TAG old-cert-id
-EXPL "CRMF Registration Control, Old Certificate ID"
-NAME NSS_OID_PKIX_REGCTRL_OLD_CERT_ID
-
-OID 1.3.6.1.5.5.7.7.5.1.6
-TAG protocol-encryption-key
-EXPL "CRMF Registration Control, Protocol Encryption Key"
-NAME NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY
-
-OID 1.3.6.1.5.5.7.7.5.2
-TAG pkix-id-reginfo
-EXPL "CRMF Registration Info"
-
-OID 1.3.6.1.5.5.7.7.5.2.1
-TAG utf8-pairs
-EXPL "CRMF Registration Info, UTF8 Pairs"
-NAME NSS_OID_PKIX_REGINFO_UTF8_PAIRS
-
-OID 1.3.6.1.5.5.7.7.5.2.2
-TAG cert-request
-EXPL "CRMF Registration Info, Certificate Request"
-NAME NSS_OID_PKIX_REGINFO_CERT_REQUEST
-
-# RFC 2549:
-#
-# id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
-# -- arc for access descriptors
-OID 1.3.6.1.5.5.7.48
-TAG id-ad
-EXPL "PKIX Access Descriptors"
-
-# RFC 2549:
-#
-# id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
-OID 1.3.6.1.5.5.7.48.1
-TAG id-ad-ocsp
-EXPL "PKIX Online Certificate Status Protocol"
-NAME NSS_OID_OID_PKIX_OCSP
-
-OID 1.3.6.1.5.5.7.48.1.1
-TAG basic-response
-EXPL "OCSP Basic Response"
-NAME NSS_OID_PKIX_OCSP_BASIC_RESPONSE
-
-OID 1.3.6.1.5.5.7.48.1.2
-TAG nonce-extension
-EXPL "OCSP Nonce Extension"
-NAME NSS_OID_PKIX_OCSP_NONCE
-
-OID 1.3.6.1.5.5.7.48.1.3
-TAG response
-EXPL "OCSP Response Types Extension"
-NAME NSS_OID_PKIX_OCSP_RESPONSE
-
-OID 1.3.6.1.5.5.7.48.1.4
-TAG crl
-EXPL "OCSP CRL Reference Extension"
-NAME NSS_OID_PKIX_OCSP_CRL
-
-OID 1.3.6.1.5.5.7.48.1.5
-TAG no-check
-EXPL "OCSP No Check Extension"
-NAME NSS_OID_X509_OCSP_NO_CHECK # X509_... ?
-
-OID 1.3.6.1.5.5.7.48.1.6
-TAG archive-cutoff
-EXPL "OCSP Archive Cutoff Extension"
-NAME NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF
-
-OID 1.3.6.1.5.5.7.48.1.7
-TAG service-locator
-EXPL "OCSP Service Locator Extension"
-NAME NSS_OID_PKIX_OCSP_SERVICE_LOCATOR
-
-# RFC 2549:
-#
-# id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
-OID 1.3.6.1.5.5.7.48.2
-TAG id-ad-caIssuers
-EXPL "Certificate Authority Issuers"
-
-OID 1.3.6.1.6
-TAG snmpv2
-EXPL "Internet: SNMPv2"
-
-OID 1.3.6.1.7
-TAG mail
-EXPL "Internet: mail"
-
-OID 1.3.6.1.7.1
-TAG mime-mhs
-EXPL "Internet: mail MIME mhs"
-
-OID 1.3.12
-TAG ecma
-EXPL "European Computers Manufacturing Association"
-
-OID 1.3.14
-TAG oiw
-EXPL "Open Systems Implementors Workshop"
-
-OID 1.3.14.3 secsig
-TAG secsig
-EXPL "Open Systems Implementors Workshop Security Special Interest Group"
-
-OID 1.3.14.3.1
-TAG oIWSECSIGAlgorithmObjectIdentifiers
-EXPL "OIW SECSIG Algorithm OIDs"
-
-OID 1.3.14.3.2
-TAG algorithm
-EXPL "OIW SECSIG Algorithm"
-
-OID 1.3.14.3.2.6
-TAG desecb
-EXPL "DES-ECB"
-NAME NSS_OID_DES_ECB
-CKM CKM_DES_ECB
-
-OID 1.3.14.3.2.7
-TAG descbc
-EXPL "DES-CBC"
-NAME NSS_OID_DES_CBC
-CKM CKM_DES_CBC
-
-OID 1.3.14.3.2.8
-TAG desofb
-EXPL "DES-OFB"
-NAME NSS_OID_DES_OFB
-# No CKM..
-
-OID 1.3.14.3.2.9
-TAG descfb
-EXPL "DES-CFB"
-NAME NSS_OID_DES_CFB
-# No CKM..
-
-OID 1.3.14.3.2.10
-TAG desmac
-EXPL "DES-MAC"
-NAME NSS_OID_DES_MAC
-CKM CKM_DES_MAC
-
-OID 1.3.14.3.2.15
-TAG isoSHAWithRSASignature
-EXPL "ISO SHA with RSA Signature"
-NAME NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE
-# No CKM..
-
-OID 1.3.14.3.2.17
-TAG desede
-EXPL "DES-EDE"
-NAME NSS_OID_DES_EDE
-# No CKM..
-
-OID 1.3.14.3.2.26
-TAG sha1
-EXPL "SHA-1"
-NAME NSS_OID_SHA1
-CKM CKM_SHA_1
-
-OID 1.3.14.3.2.27
-TAG bogusDSASignatureWithSHA1Digest
-EXPL "Forgezza DSA Signature with SHA-1 Digest"
-NAME NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST
-CKM CKM_DSA_SHA1
-
-OID 1.3.14.3.3
-TAG authentication-mechanism
-EXPL "OIW SECSIG Authentication Mechanisms"
-
-OID 1.3.14.3.4
-TAG security-attribute
-EXPL "OIW SECSIG Security Attributes"
-
-OID 1.3.14.3.5
-TAG document-definition
-EXPL "OIW SECSIG Document Definitions used in security"
-
-OID 1.3.14.7
-TAG directory-services-sig
-EXPL "OIW directory services sig"
-
-OID 1.3.16
-TAG ewos
-EXPL "European Workshop on Open Systems"
-
-OID 1.3.22
-TAG osf
-EXPL "Open Software Foundation"
-
-OID 1.3.23
-TAG nordunet
-EXPL "Nordunet"
-
-OID 1.3.26
-TAG nato-id-org
-EXPL "NATO identified organisation"
-
-OID 1.3.36
-TAG teletrust
-EXPL "Teletrust"
-
-OID 1.3.52
-TAG smpte
-EXPL "Society of Motion Picture and Television Engineers"
-
-OID 1.3.69
-TAG sita
-EXPL "Societe Internationale de Telecommunications Aeronautiques"
-
-OID 1.3.90
-TAG iana
-EXPL "Internet Assigned Numbers Authority"
-
-OID 1.3.101
-TAG thawte
-EXPL "Thawte"
-
-OID 2
-TAG joint-iso-ccitt
-EXPL "Joint ISO/ITU-T assignment"
-
-OID 2.0
-TAG presentation
-EXPL "Joint ISO/ITU-T Presentation"
-
-OID 2.1
-TAG asn-1
-EXPL "Abstract Syntax Notation One"
-
-OID 2.2
-TAG acse
-EXPL "Association Control"
-
-OID 2.3
-TAG rtse
-EXPL "Reliable Transfer"
-
-OID 2.4
-TAG rose
-EXPL "Remote Operations"
-
-OID 2.5
-TAG x500
-EXPL "Directory"
-
-OID 2.5.1
-TAG modules
-EXPL "X.500 modules"
-
-OID 2.5.2
-TAG service-environment
-EXPL "X.500 service environment"
-
-OID 2.5.3
-TAG application-context
-EXPL "X.500 application context"
-
-# RFC 2459:
-#
-# id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
-OID 2.5.4
-TAG id-at
-EXPL "X.520 attribute types"
-
-# RFC 2459:
-#
-# id-at-commonName AttributeType ::= {id-at 3}
-OID 2.5.4.3
-TAG id-at-commonName
-EXPL "X.520 Common Name"
-NAME NSS_OID_X520_COMMON_NAME
-ATTR "cn"
-
-# RFC 2459:
-#
-# id-at-surname AttributeType ::= {id-at 4}
-OID 2.5.4.4
-TAG id-at-surname
-EXPL "X.520 Surname"
-NAME NSS_OID_X520_SURNAME
-ATTR "sn"
-
-# RFC 2459:
-#
-# id-at-countryName AttributeType ::= {id-at 6}
-OID 2.5.4.6
-TAG id-at-countryName
-EXPL "X.520 Country Name"
-NAME NSS_OID_X520_COUNTRY_NAME
-ATTR "c"
-
-# RFC 2459:
-#
-# id-at-localityName AttributeType ::= {id-at 7}
-OID 2.5.4.7
-TAG id-at-localityName
-EXPL "X.520 Locality Name"
-NAME NSS_OID_X520_LOCALITY_NAME
-ATTR "l"
-
-# RFC 2459:
-#
-# id-at-stateOrProvinceName AttributeType ::= {id-at 8}
-OID 2.5.4.8
-TAG id-at-stateOrProvinceName
-EXPL "X.520 State or Province Name"
-NAME NSS_OID_X520_STATE_OR_PROVINCE_NAME
-ATTR "s"
-
-# RFC 2459:
-#
-# id-at-organizationName AttributeType ::= {id-at 10}
-OID 2.5.4.10
-TAG id-at-organizationName
-EXPL "X.520 Organization Name"
-NAME NSS_OID_X520_ORGANIZATION_NAME
-ATTR "o"
-
-# RFC 2459:
-#
-# id-at-organizationalUnitName AttributeType ::= {id-at 11}
-OID 2.5.4.11
-TAG id-at-organizationalUnitName
-EXPL "X.520 Organizational Unit Name"
-NAME NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
-ATTR "ou"
-
-# RFC 2459:
-#
-# id-at-title AttributeType ::= {id-at 12}
-OID 2.5.4.12
-TAG id-at-title
-EXPL "X.520 Title"
-NAME NSS_OID_X520_TITLE
-ATTR "title"
-
-# RFC 2459:
-#
-# id-at-name AttributeType ::= {id-at 41}
-OID 2.5.4.41
-TAG id-at-name
-EXPL "X.520 Name"
-NAME NSS_OID_X520_NAME
-ATTR "name"
-
-# RFC 2459:
-#
-# id-at-givenName AttributeType ::= {id-at 42}
-OID 2.5.4.42
-TAG id-at-givenName
-EXPL "X.520 Given Name"
-NAME NSS_OID_X520_GIVEN_NAME
-ATTR "givenName"
-
-# RFC 2459:
-#
-# id-at-initials AttributeType ::= {id-at 43}
-OID 2.5.4.43
-TAG id-at-initials
-EXPL "X.520 Initials"
-NAME NSS_OID_X520_INITIALS
-ATTR "initials"
-
-# RFC 2459:
-#
-# id-at-generationQualifier AttributeType ::= {id-at 44}
-OID 2.5.4.44
-TAG id-at-generationQualifier
-EXPL "X.520 Generation Qualifier"
-NAME NSS_OID_X520_GENERATION_QUALIFIER
-ATTR "generationQualifier"
-
-# RFC 2459:
-#
-# id-at-dnQualifier AttributeType ::= {id-at 46}
-OID 2.5.4.46
-TAG id-at-dnQualifier
-EXPL "X.520 DN Qualifier"
-NAME NSS_OID_X520_DN_QUALIFIER
-ATTR "dnQualifier"
-
-OID 2.5.5
-TAG attribute-syntax
-EXPL "X.500 attribute syntaxes"
-
-OID 2.5.6
-TAG object-classes
-EXPL "X.500 standard object classes"
-
-OID 2.5.7
-TAG attribute-set
-EXPL "X.500 attribute sets"
-
-OID 2.5.8
-TAG algorithms
-EXPL "X.500-defined algorithms"
-
-OID 2.5.8.1
-TAG encryption
-EXPL "X.500-defined encryption algorithms"
-
-OID 2.5.8.1.1
-TAG rsa
-EXPL "RSA Encryption Algorithm"
-NAME NSS_OID_X500_RSA_ENCRYPTION
-CKM CKM_RSA_X_509
-
-OID 2.5.9
-TAG abstract-syntax
-EXPL "X.500 abstract syntaxes"
-
-OID 2.5.12
-TAG operational-attribute
-EXPL "DSA Operational Attributes"
-
-OID 2.5.13
-TAG matching-rule
-EXPL "Matching Rule"
-
-OID 2.5.14
-TAG knowledge-matching-rule
-EXPL "X.500 knowledge Matching Rules"
-
-OID 2.5.15
-TAG name-form
-EXPL "X.500 name forms"
-
-OID 2.5.16
-TAG group
-EXPL "X.500 groups"
-
-OID 2.5.17
-TAG subentry
-EXPL "X.500 subentry"
-
-OID 2.5.18
-TAG operational-attribute-type
-EXPL "X.500 operational attribute type"
-
-OID 2.5.19
-TAG operational-binding
-EXPL "X.500 operational binding"
-
-OID 2.5.20
-TAG schema-object-class
-EXPL "X.500 schema Object class"
-
-OID 2.5.21
-TAG schema-operational-attribute
-EXPL "X.500 schema operational attributes"
-
-OID 2.5.23
-TAG administrative-role
-EXPL "X.500 administrative roles"
-
-OID 2.5.24
-TAG access-control-attribute
-EXPL "X.500 access control attribute"
-
-OID 2.5.25
-TAG ros
-EXPL "X.500 ros object"
-
-OID 2.5.26
-TAG contract
-EXPL "X.500 contract"
-
-OID 2.5.27
-TAG package
-EXPL "X.500 package"
-
-OID 2.5.28
-TAG access-control-schema
-EXPL "X.500 access control schema"
-
-# RFC 2459:
-#
-# id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
-OID 2.5.29
-TAG id-ce
-EXPL "X.500 Certificate Extension"
-
-OID 2.5.29.5
-TAG subject-directory-attributes
-EXPL "Certificate Subject Directory Attributes"
-NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTR
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
-OID 2.5.29.9
-TAG id-ce-subjectDirectoryAttributes
-EXPL "Certificate Subject Directory Attributes"
-NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
-OID 2.5.29.14
-TAG id-ce-subjectKeyIdentifier
-EXPL "Certificate Subject Key ID"
-NAME NSS_OID_X509_SUBJECT_KEY_ID
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
-OID 2.5.29.15
-TAG id-ce-keyUsage
-EXPL "Certificate Key Usage"
-NAME NSS_OID_X509_KEY_USAGE
-CERT_EXTENSION SUPPORTED
-# We called it PKCS12_KEY_USAGE
-
-# RFC 2459:
-#
-# id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
-OID 2.5.29.16
-TAG id-ce-privateKeyUsagePeriod
-EXPL "Certificate Private Key Usage Period"
-NAME NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
-OID 2.5.29.17
-TAG id-ce-subjectAltName
-EXPL "Certificate Subject Alternate Name"
-NAME NSS_OID_X509_SUBJECT_ALT_NAME
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
-OID 2.5.29.18
-TAG id-ce-issuerAltName
-EXPL "Certificate Issuer Alternate Name"
-NAME NSS_OID_X509_ISSUER_ALT_NAME
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
-OID 2.5.29.19
-TAG id-ce-basicConstraints
-EXPL "Certificate Basic Constraints"
-NAME NSS_OID_X509_BASIC_CONSTRAINTS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
-OID 2.5.29.20
-TAG id-ce-cRLNumber
-EXPL "CRL Number"
-NAME NSS_OID_X509_CRL_NUMBER
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
-OID 2.5.29.21
-TAG id-ce-cRLReasons
-EXPL "CRL Reason Code"
-NAME NSS_OID_X509_REASON_CODE
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
-OID 2.5.29.23
-TAG id-ce-holdInstructionCode
-EXPL "Hold Instruction Code"
-NAME NSS_OID_X509_HOLD_INSTRUCTION_CODE
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
-OID 2.5.29.24
-TAG id-ce-invalidityDate
-EXPL "Invalid Date"
-NAME NSS_OID_X509_INVALID_DATE
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
-OID 2.5.29.27
-TAG id-ce-deltaCRLIndicator
-EXPL "Delta CRL Indicator"
-NAME NSS_OID_X509_DELTA_CRL_INDICATOR
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
-OID 2.5.29.28
-TAG id-ce-issuingDistributionPoint
-EXPL "Issuing Distribution Point"
-NAME NSS_OID_X509_ISSUING_DISTRIBUTION_POINT
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
-OID 2.5.29.29
-TAG id-ce-certificateIssuer
-EXPL "Certificate Issuer"
-NAME NSS_OID_X509_CERTIFICATE_ISSUER
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
-OID 2.5.29.30
-TAG id-ce-nameConstraints
-EXPL "Certificate Name Constraints"
-NAME NSS_OID_X509_NAME_CONSTRAINTS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
-OID 2.5.29.31
-TAG id-ce-cRLDistributionPoints
-EXPL "CRL Distribution Points"
-NAME NSS_OID_X509_CRL_DIST_POINTS
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
-OID 2.5.29.32
-TAG id-ce-certificatePolicies
-EXPL "Certificate Policies"
-NAME NSS_OID_X509_CERTIFICATE_POLICIES
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
-OID 2.5.29.33
-TAG id-ce-policyMappings
-EXPL "Certificate Policy Mappings"
-NAME NSS_OID_X509_POLICY_MAPPINGS
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.5.29.34
-TAG policy-constraints
-EXPL "Certificate Policy Constraints (old)"
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
-OID 2.5.29.35
-TAG id-ce-authorityKeyIdentifier
-EXPL "Certificate Authority Key Identifier"
-NAME NSS_OID_X509_AUTH_KEY_ID
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
-OID 2.5.29.36
-TAG id-ce-policyConstraints
-EXPL "Certificate Policy Constraints"
-NAME NSS_OID_X509_POLICY_CONSTRAINTS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
-OID 2.5.29.37
-TAG id-ce-extKeyUsage
-EXPL "Extended Key Usage"
-NAME NSS_OID_X509_EXT_KEY_USAGE
-CERT_EXTENSION SUPPORTED
-
-OID 2.5.30
-TAG id-mgt
-EXPL "X.500 Management Object"
-
-OID 2.6
-TAG x400
-EXPL "X.400 MHS"
-
-OID 2.7
-TAG ccr
-EXPL "Committment, Concurrency and Recovery"
-
-OID 2.8
-TAG oda
-EXPL "Office Document Architecture"
-
-OID 2.9
-TAG osi-management
-EXPL "OSI management"
-
-OID 2.10
-TAG tp
-EXPL "Transaction Processing"
-
-OID 2.11
-TAG dor
-EXPL "Distinguished Object Reference"
-
-OID 2.12
-TAG rdt
-EXPL "Referenced Data Transfer"
-
-OID 2.13
-TAG nlm
-EXPL "Network Layer Management"
-
-OID 2.14
-TAG tlm
-EXPL "Transport Layer Management"
-
-OID 2.15
-TAG llm
-EXPL "Link Layer Management"
-
-OID 2.16
-TAG country
-EXPL "Country Assignments"
-
-OID 2.16.124
-TAG canada
-EXPL "Canada"
-
-OID 2.16.158
-TAG taiwan
-EXPL "Taiwan"
-
-OID 2.16.578
-TAG norway
-EXPL "Norway"
-
-OID 2.16.756
-TAG switzerland
-EXPL "Switzerland"
-
-OID 2.16.840
-TAG us
-EXPL "United States"
-
-OID 2.16.840.1
-TAG us-company
-EXPL "United States Company"
-
-OID 2.16.840.1.101
-TAG us-government
-EXPL "United States Government (1.101)"
-
-OID 2.16.840.1.101.2
-TAG us-dod
-EXPL "United States Department of Defense"
-
-OID 2.16.840.1.101.2.1
-TAG id-infosec
-EXPL "US DOD Infosec"
-
-OID 2.16.840.1.101.2.1.0
-TAG id-modules
-EXPL "US DOD Infosec modules"
-
-OID 2.16.840.1.101.2.1.1
-TAG id-algorithms
-EXPL "US DOD Infosec algorithms (MISSI)"
-
-OID 2.16.840.1.101.2.1.1.2
-TAG old-dss
-EXPL "MISSI DSS Algorithm (Old)"
-NAME NSS_OID_MISSI_DSS_OLD
-
-# This is labeled as "### mwelch temporary"
-# Is it official?? XXX fgmr
-OID 2.16.840.1.101.2.1.1.4
-TAG skipjack-cbc-64
-EXPL "Skipjack CBC64"
-NAME NSS_OID_FORTEZZA_SKIPJACK
-CKM CKM_SKIPJACK_CBC64
-
-OID 2.16.840.1.101.2.1.1.10
-TAG kea
-EXPL "MISSI KEA Algorithm"
-NAME NSS_OID_MISSI_KEA
-
-OID 2.16.840.1.101.2.1.1.12
-TAG old-kea-dss
-EXPL "MISSI KEA and DSS Algorithm (Old)"
-NAME NSS_OID_MISSI_KEA_DSS_OLD
-
-OID 2.16.840.1.101.2.1.1.19
-TAG dss
-EXPL "MISSI DSS Algorithm"
-NAME NSS_OID_MISSI_DSS
-
-OID 2.16.840.1.101.2.1.1.20
-TAG kea-dss
-EXPL "MISSI KEA and DSS Algorithm"
-NAME NSS_OID_MISSI_KEA_DSS
-
-OID 2.16.840.1.101.2.1.1.22
-TAG alt-kea
-EXPL "MISSI Alternate KEA Algorithm"
-NAME NSS_OID_MISSI_ALT_KEY
-
-OID 2.16.840.1.101.2.1.2
-TAG id-formats
-EXPL "US DOD Infosec formats"
-
-OID 2.16.840.1.101.2.1.3
-TAG id-policy
-EXPL "US DOD Infosec policy"
-
-OID 2.16.840.1.101.2.1.4
-TAG id-object-classes
-EXPL "US DOD Infosec object classes"
-
-OID 2.16.840.1.101.2.1.5
-TAG id-attributes
-EXPL "US DOD Infosec attributes"
-
-OID 2.16.840.1.101.2.1.6
-TAG id-attribute-syntax
-EXPL "US DOD Infosec attribute syntax"
-
-OID 2.16.840.1.113730
-# The Netscape OID space
-TAG netscape
-EXPL "Netscape Communications Corp."
-
-OID 2.16.840.1.113730.1
-TAG cert-ext
-EXPL "Netscape Cert Extensions"
-
-OID 2.16.840.1.113730.1.1
-TAG cert-type
-EXPL "Certificate Type"
-NAME NSS_OID_NS_CERT_EXT_CERT_TYPE
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.2
-TAG base-url
-EXPL "Certificate Extension Base URL"
-NAME NSS_OID_NS_CERT_EXT_BASE_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.3
-TAG revocation-url
-EXPL "Certificate Revocation URL"
-NAME NSS_OID_NS_CERT_EXT_REVOCATION_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.4
-TAG ca-revocation-url
-EXPL "Certificate Authority Revocation URL"
-NAME NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.5
-TAG ca-crl-download-url
-EXPL "Certificate Authority CRL Download URL"
-NAME NSS_OID_NS_CERT_EXT_CA_CRL_URL
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.6
-TAG ca-cert-url
-EXPL "Certificate Authority Certificate Download URL"
-NAME NSS_OID_NS_CERT_EXT_CA_CERT_URL
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.7
-TAG renewal-url
-EXPL "Certificate Renewal URL"
-NAME NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.8
-TAG ca-policy-url
-EXPL "Certificate Authority Policy URL"
-NAME NSS_OID_NS_CERT_EXT_CA_POLICY_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.9
-TAG homepage-url
-EXPL "Certificate Homepage URL"
-NAME NSS_OID_NS_CERT_EXT_HOMEPAGE_URL
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.10
-TAG entity-logo
-EXPL "Certificate Entity Logo"
-NAME NSS_OID_NS_CERT_EXT_ENTITY_LOGO
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.11
-TAG user-picture
-EXPL "Certificate User Picture"
-NAME NSS_OID_NS_CERT_EXT_USER_PICTURE
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.12
-TAG ssl-server-name
-EXPL "Certificate SSL Server Name"
-NAME NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.13
-TAG comment
-EXPL "Certificate Comment"
-NAME NSS_OID_NS_CERT_EXT_COMMENT
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.14
-TAG thayes
-EXPL ""
-NAME NSS_OID_NS_CERT_EXT_THAYES
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.2
-TAG data-type
-EXPL "Netscape Data Types"
-
-OID 2.16.840.1.113730.2.1
-TAG gif
-EXPL "image/gif"
-NAME NSS_OID_NS_TYPE_GIF
-
-OID 2.16.840.1.113730.2.2
-TAG jpeg
-EXPL "image/jpeg"
-NAME NSS_OID_NS_TYPE_JPEG
-
-OID 2.16.840.1.113730.2.3
-TAG url
-EXPL "URL"
-NAME NSS_OID_NS_TYPE_URL
-
-OID 2.16.840.1.113730.2.4
-TAG html
-EXPL "text/html"
-NAME NSS_OID_NS_TYPE_HTML
-
-OID 2.16.840.1.113730.2.5
-TAG cert-sequence
-EXPL "Certificate Sequence"
-NAME NSS_OID_NS_TYPE_CERT_SEQUENCE
-
-OID 2.16.840.1.113730.3
-# The Netscape Directory OID space
-TAG directory
-EXPL "Netscape Directory"
-
-OID 2.16.840.1.113730.4
-TAG policy
-EXPL "Netscape Policy Type OIDs"
-
-OID 2.16.840.1.113730.4.1
-TAG export-approved
-EXPL "Strong Crypto Export Approved"
-NAME NSS_OID_NS_KEY_USAGE_GOVT_APPROVED
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.5
-TAG cert-server
-EXPL "Netscape Certificate Server"
-
-OID 2.16.840.1.113730.5.1
-
-OID 2.16.840.1.113730.5.1.1
-TAG recovery-request
-EXPL "Netscape Cert Server Recovery Request"
-NAME NSS_OID_NETSCAPE_RECOVERY_REQUEST
-
-OID 2.16.840.1.113730.6
-TAG algs
-EXPL "Netscape algorithm OIDs"
-
-OID 2.16.840.1.113730.6.1
-TAG smime-kea
-EXPL "Netscape S/MIME KEA"
-NAME NSS_OID_NETSCAPE_SMIME_KEA
-
-OID 2.16.840.1.113730.7
-TAG name-components
-EXPL "Netscape Name Components"
-
-OID 2.16.840.1.113730.7.1
-TAG nickname
-EXPL "Netscape Nickname"
-NAME NSS_OID_NETSCAPE_NICKNAME
-
-OID 2.16.840.1.113733
-TAG verisign
-EXPL "Verisign"
-
-OID 2.16.840.1.113733.1
-
-OID 2.16.840.1.113733.1.7
-
-OID 2.16.840.1.113733.1.7.1
-
-OID 2.16.840.1.113733.1.7.1.1
-TAG verisign-user-notices
-EXPL "Verisign User Notices"
-NAME NSS_OID_VERISIGN_USER_NOTICES
-
-OID 2.16.840.101
-TAG us-government
-EXPL "US Government (101)"
-
-OID 2.16.840.102
-TAG us-government2
-EXPL "US Government (102)"
-
-OID 2.16.840.11370
-TAG old-netscape
-EXPL "Netscape Communications Corp. (Old)"
-
-OID 2.16.840.11370.1
-TAG ns-cert-ext
-EXPL "Netscape Cert Extensions (Old NS)"
-
-OID 2.16.840.11370.1.1
-TAG netscape-ok
-EXPL "Netscape says this cert is ok (Old NS)"
-NAME NSS_OID_NS_CERT_EXT_NETSCAPE_OK
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.11370.1.2
-TAG issuer-logo
-EXPL "Certificate Issuer Logo (Old NS)"
-NAME NSS_OID_NS_CERT_EXT_ISSUER_LOGO
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.11370.1.3
-TAG subject-logo
-EXPL "Certificate Subject Logo (Old NS)"
-NAME NSS_OID_NS_CERT_EXT_SUBJECT_LOGO
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.11370.2
-TAG ns-file-type
-EXPL "Netscape File Type"
-
-OID 2.16.840.11370.3
-TAG ns-image-type
-EXPL "Netscape Image Type"
-
-OID 2.17
-TAG registration-procedures
-EXPL "Registration procedures"
-
-OID 2.18
-TAG physical-layer-management
-EXPL "Physical layer Management"
-
-OID 2.19
-TAG mheg
-EXPL "MHEG"
-
-OID 2.20
-TAG guls
-EXPL "Generic Upper Layer Security"
-
-OID 2.21
-TAG tls
-EXPL "Transport Layer Security Protocol"
-
-OID 2.22
-TAG nls
-EXPL "Network Layer Security Protocol"
-
-OID 2.23
-TAG organization
-EXPL "International organizations"
diff --git a/security/nss/lib/pki1/pki1.h b/security/nss/lib/pki1/pki1.h
deleted file mode 100644
index 62049efcc..000000000
--- a/security/nss/lib/pki1/pki1.h
+++ /dev/null
@@ -1,3032 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef PKI1_H
-#define PKI1_H
-
-#ifdef DEBUG
-static const char PKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * pki1.h
- *
- * This file contains the prototypes to the non-public NSS routines
- * relating to the PKIX part-1 objects.
- */
-
-#ifndef PKI1T_H
-#include "pki1t.h"
-#endif /* PKI1T_H */
-
-#ifndef NSSPKI1_H
-#include "nsspki1.h"
-#endif /* NSSPKI1_H */
-
-PR_BEGIN_EXTERN_C
-
-/* fgmr 19990505 moved these here from oiddata.h */
-extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
-extern const PRUint32 nss_attribute_type_alias_count;
-
-/*
- * NSSOID
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssOID_CreateFromBER -- constructor
- * nssOID_CreateFromUTF8 -- constructor
- * (there is no explicit destructor)
- *
- * nssOID_GetDEREncoding
- * nssOID_GetUTF8Encoding
- *
- * In debug builds, the following non-public calls are also available:
- *
- * nssOID_verifyPointer
- * nssOID_getExplanation
- * nssOID_getTaggedUTF8
- */
-
-/*
- * nssOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID. It may return NSS_OID_UNKNOWN upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromBER
-(
- NSSBER *berOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_BER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string
- * representation of an OID in dotted-number format. The string may
- * optionally begin with an octothorpe. It may return NSS_OID_UNKNOWN
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromUTF8
-(
- NSSUTF8 *stringOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_UTF8;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return return null upon error, in
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-nssOID_GetDEREncoding
-(
- const NSSOID *oid,
- NSSDER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number
- * encoding of the specified NSSOID. If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return null upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the dotted-digit encoding of
- * this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-nssOID_GetUTF8Encoding
-(
- const NSSOID *oid,
- NSSArena *arenaOpt
-);
-
-/*
- * nssOID_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid poitner to an NSSOID object,
- * this routine will return PR_SUCCESS. Otherwise, it will put an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssOID_verifyPointer
-(
- const NSSOID *oid
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-#endif /* DEBUG */
-
-/*
- * nssOID_getExplanation
- *
- * This method is only present in debug builds.
- *
- * This routine will return a static pointer to a UTF8-encoded string
- * describing (in English) the specified OID. The memory pointed to
- * by the return value is not owned by the caller, and should not be
- * freed or modified. Note that explanations are only provided for
- * the OIDs built into the NSS library; there is no way to specify an
- * explanation for dynamically created OIDs. This routine is intended
- * only for use in debugging tools such as "derdump." This routine
- * may return null upon error, in which case it will have placed an
- * error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSOID
- *
- * Return value:
- * NULL upon error
- * A static pointer to a readonly, non-caller-owned UTF8-encoded
- * string explaining the specified OID.
- */
-
-#ifdef DEBUG
-NSS_EXTERN const char *
-nssOID_getExplanation
-(
- NSSOID *oid
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-#endif /* DEBUG */
-
-/*
- * nssOID_getTaggedUTF8
- *
- * This method is only present in debug builds.
- *
- * This routine will return a pointer to a caller-owned UTF8-encoded
- * string containing a tagged encoding of the specified OID. Note
- * that OID (component) tags are only provided for the OIDs built
- * into the NSS library; there is no way to specify tags for
- * dynamically created OIDs. This routine is intended for use in
- * debugging tools such as "derdump." If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the tagged encoding of
- * this NSSOID
- */
-
-#ifdef DEBUG
-NSS_EXTERN NSSUTF8 *
-nssOID_getTaggedUTF8
-(
- NSSOID *oid,
- NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-#endif /* DEBUG */
-
-/*
- * NSSATAV
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssATAV_CreateFromBER -- constructor
- * nssATAV_CreateFromUTF8 -- constructor
- * nssATAV_Create -- constructor
- *
- * nssATAV_Destroy
- * nssATAV_GetDEREncoding
- * nssATAV_GetUTF8Encoding
- * nssATAV_GetType
- * nssATAV_GetValue
- * nssATAV_Compare
- * nssATAV_Duplicate
- *
- * In debug builds, the following non-public call is also available:
- *
- * nssATAV_verifyPointer
- */
-
-/*
- * nssATAV_CreateFromBER
- *
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV. If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_CreateFromBER
-(
- NSSArena *arenaOpt,
- const NSSBER *berATAV
-);
-
-/*
- * nssATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US." If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- const NSSUTF8 *stringATAV
-);
-
-/*
- * nssATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero,
- * the data is assumed to be terminated by first zero byte; this allows
- * UTF8 strings to be easily specified. This routine may return NULL
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_NSSOID
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_Create
-(
- NSSArena *arenaOpt,
- const NSSOID *oid,
- const void *data,
- PRUint32 length
-);
-
-/*
- * nssATAV_Destroy
- *
- * This routine will destroy an ATAV object. It should eventually be
- * called on all ATAVs created without an arena. While it is not
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssATAV_Destroy
-(
- NSSATAV *atav
-);
-
-/*
- * nssATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSATAV
- */
-
-NSS_EXTERN NSSDER *
-nssATAV_GetDEREncoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string containing the "equals" encoding of the
- * ATAV
- */
-
-NSS_EXTERN NSSUTF8 *
-nssATAV_GetUTF8Encoding
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV. This routine may return NSS_OID_UNKNOWN
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NSS_OID_UNKNOWN upon error
- * An element of enum NSSOIDenum upon success
- */
-
-NSS_EXTERN const NSSOID *
-nssATAV_GetType
-(
- NSSATAV *atav
-);
-
-/*
- * nssATAV_GetValue
- *
- * This routine returns a string containing the attribute value
- * in the specified ATAV. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error upon the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_EXTERN NSSUTF8 *
-nssATAV_GetValue
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_Compare
- *
- * This routine compares two ATAVs for equality. For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute
- * values must have equal length and contents. The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool. This routine may
- * return PR_FAILURE upon error, in which case it will have set an
- * error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssATAV_Compare
-(
- NSSATAV *atav1,
- NSSATAV *atav2,
- PRBool *equalp
-);
-
-/*
- * nssATAV_Duplicate
- *
- * This routine duplicates the specified ATAV. If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL on error
- * A pointer to a new ATAV
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_Duplicate
-(
- NSSATAV *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSATAV object,
- * this routine will return PR_SUCCESS. Otherwise, it will put an
- * error on the error stack and return PR_FAILRUE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NSSATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssATAV_verifyPointer
-(
- NSSATAV *atav
-);
-#endif /* DEBUG */
-
-/*
- * NSSRDN
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssRDN_CreateFromBER -- constructor
- * nssRDN_CreateFromUTF8 -- constructor
- * nssRDN_Create -- constructor
- * nssRDN_CreateSimple -- constructor
- *
- * nssRDN_Destroy
- * nssRDN_GetDEREncoding
- * nssRDN_GetUTF8Encoding
- * nssRDN_AddATAV
- * nssRDN_GetATAVCount
- * nssRDN_GetATAV
- * nssRDN_GetSimpleATAV
- * nssRDN_Compare
- * nssRDN_Duplicate
- */
-
-/*
- * nssRDN_CreateFromBER
- *
- * This routine creates an NSSRDN by decoding a BER- or DER-encoded
- * RDN. If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berRDN
-);
-
-/*
- * nssRDN_CreateFromUTF8
- *
- * This routine creates an NSSRDN by decoding an UTF8 string
- * consisting of either a single ATAV in the "equals" format, e.g.,
- * "uid=smith," or one or more such ATAVs in parentheses, e.g.,
- * "(sn=Smith,ou=Sales)." If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringRDN
-);
-
-/*
- * nssRDN_Create
- *
- * This routine creates an NSSRDN from one or more NSSATAVs. The
- * final argument to this routine must be NULL. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_Create
-(
- NSSArena *arenaOpt,
- NSSATAV *atav1,
- ...
-);
-
-/*
- * nssRDN_CreateSimple
- *
- * This routine creates a simple NSSRDN from a single NSSATAV. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_CreateSimple
-(
- NSSArena *arenaOpt,
- NSSATAV *atav
-);
-
-/*
- * nssRDN_Destroy
- *
- * This routine will destroy an RDN object. It should eventually be
- * called on all RDNs created without an arena. While it is not
- * necessary to call it on RDNs created within an arena, it is not an
- * error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- *
- * Return value:
- * PR_FAILURE upon failure
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssRDN_Destroy
-(
- NSSRDN *rdn
-);
-
-/*
- * nssRDN_GetDEREncoding
- *
- * This routine will DER-encode an RDN object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSRDN
- */
-
-NSS_EXTERN NSSDER *
-nssRDN_GetDEREncoding
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * nssRDN_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the RDN. A simple (one-ATAV) RDN will be simply
- * the string representation of that ATAV; a non-simple RDN will be in
- * parenthesised form. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * null upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssRDN_GetUTF8Encoding
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * nssRDN_AddATAV
- *
- * This routine adds an ATAV to the set of ATAVs in the specified RDN.
- * Remember that RDNs consist of an unordered set of ATAVs. If the
- * RDN was created with a non-null arena argument, that same arena
- * will be used for any additional required memory. If the RDN was
- * created with a NULL arena argument, any additional memory will
- * be obtained from the heap. This routine returns a PRStatus value;
- * it will return PR_SUCCESS upon success, and upon failure it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_INVALID_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssRDN_AddATAV
-(
- NSSRDN *rdn,
- NSSATAV *atav
-);
-
-/*
- * nssRDN_GetATAVCount
- *
- * This routine returns the cardinality of the set of ATAVs within
- * the specified RDN. This routine may return 0 upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- *
- * Return value:
- * 0 upon error
- * A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-nssRDN_GetATAVCount
-(
- NSSRDN *rdn
-);
-
-/*
- * nssRDN_GetATAV
- *
- * This routine returns a pointer to an ATAV that is a member of
- * the set of ATAVs within the specified RDN. While the set of
- * ATAVs within an RDN is unordered, this routine will return
- * distinct values for distinct values of 'i' as long as the RDN
- * is not changed in any way. The RDN may be changed by calling
- * NSSRDN_AddATAV. The value of the variable 'i' is on the range
- * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
- * The caller owns the ATAV the pointer to which is returned. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error upon the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-nssRDN_GetATAV
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt,
- PRUint32 i
-);
-
-/*
- * nssRDN_GetSimpleATAV
- *
- * Most RDNs are actually very simple, with a single ATAV. This
- * routine will return the single ATAV from such an RDN. The caller
- * owns the ATAV the pointer to which is returned. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, including the case where
- * the set of ATAVs in the RDN is nonsingular. Upon error, this
- * routine will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_RDN_NOT_SIMPLE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-nssRDN_GetSimpleATAV
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * nssRDN_Compare
- *
- * This routine compares two RDNs for equality. For two RDNs to be
- * equal, they must have the same number of ATAVs, and every ATAV in
- * one must be equal to an ATAV in the other. (Note that the sets
- * of ATAVs are unordered.) The result of the comparison will be
- * stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool. This routine may return PR_FAILURE
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssRDN_Compare
-(
- NSSRDN *rdn1,
- NSSRDN *rdn2,
- PRBool *equalp
-);
-
-/*
- * nssRDN_Duplicate
- *
- * This routine duplicates the specified RDN. If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL on error
- * A pointer to a new RDN
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_Duplicate
-(
- NSSRDN *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssRDNSeq_CreateFromBER -- constructor
- * nssRDNSeq_CreateFromUTF8 -- constructor
- * nssRDNSeq_Create -- constructor
- *
- * nssRDNSeq_Destroy
- * nssRDNSeq_GetDEREncoding
- * nssRDNSeq_GetUTF8Encoding
- * nssRDNSeq_AppendRDN
- * nssRDNSeq_GetRDNCount
- * nssRDNSeq_GetRDN
- * nssRDNSeq_Compare
- * nssRDNSeq_Duplicate
- *
- * nssRDNSeq_EvaluateUTF8 -- not an object method
- */
-
-/*
- * nssRDNSeq_CreateFromBER
- *
- * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded
- * sequence of RDNs. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berRDNSeq
-);
-
-/*
- * nssRDNSeq_CreateFromUTF8
- *
- * This routine creates an NSSRDNSeq by decoding a UTF8 string
- * consisting of a comma-separated sequence of RDNs, such as
- * "(sn=Smith,ou=Sales),o=Acme,c=US." If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringRDNSeq
-);
-
-/*
- * nssRDNSeq_Create
- *
- * This routine creates an NSSRDNSeq from one or more NSSRDNs. The
- * final argument to this routine must be NULL. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_RDN
- *
- * Return value:
- * NULL upon error
- * A pointero to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_Create
-(
- NSSArena *arenaOpt,
- NSSRDN *rdn1,
- ...
-);
-
-/*
- * nssRDNSeq_Destroy
- *
- * This routine will destroy an RDNSeq object. It should eventually
- * be called on all RDNSeqs created without an arena. While it is not
- * necessary to call it on RDNSeqs created within an arena, it is not
- * an error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssRDNSeq_Destroy
-(
- NSSRDNSeq *rdnseq
-);
-
-/*
- * nssRDNSeq_GetDEREncoding
- *
- * This routine will DER-encode an RDNSeq object. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return null upon error, in which case it will have
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSRDNSeq
- */
-
-NSS_EXTERN NSSDER *
-nssRDNSeq_GetDEREncoding
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * nssRDNSeq_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the RDNSeq as a comma-separated sequence of RDNs.
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssRDNSeq_GetUTF8Encoding
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * nssRDNSeq_AppendRDN
- *
- * This routine appends an RDN to the end of the existing RDN
- * sequence. If the RDNSeq was created with a non-null arena
- * argument, that same arena will be used for any additional required
- * memory. If the RDNSeq was created with a NULL arena argument, any
- * additional memory will be obtained from the heap. This routine
- * returns a PRStatus value; it will return PR_SUCCESS upon success,
- * and upon failure it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_INVALID_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssRDNSeq_AppendRDN
-(
- NSSRDNSeq *rdnseq,
- NSSRDN *rdn
-);
-
-/*
- * nssRDNSeq_GetRDNCount
- *
- * This routine returns the cardinality of the sequence of RDNs within
- * the specified RDNSeq. This routine may return 0 upon error, in
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- * 0 upon error
- * A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-nssRDNSeq_GetRDNCount
-(
- NSSRDNSeq *rdnseq
-);
-
-/*
- * nssRDNSeq_GetRDN
- *
- * This routine returns a pointer to the i'th RDN in the sequence of
- * RDNs that make up the specified RDNSeq. The sequence begins with
- * the top-level (e.g., "c=US") RDN. The value of the variable 'i'
- * is on the range [0,c) where c is the cardinality returned from
- * NSSRDNSeq_GetRDNCount. The caller owns the RDN the pointer to which
- * is returned. If the optional arena argument is non-null, the memory
- * used will be obtained from that areana; otherwise, the memory will
- * be obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error upon the error stack. Note
- * that the usual UTF8 representation of RDN Sequences is from last
- * to first.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRDN
- */
-
-NSS_EXTERN NSSRDN *
-nssRDNSeq_GetRDN
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt,
- PRUint32 i
-);
-
-/*
- * nssRDNSeq_Compare
- *
- * This routine compares two RDNSeqs for equality. For two RDNSeqs to
- * be equal, they must have the same number of RDNs, and each RDN in
- * one sequence must be equal to the corresponding RDN in the other
- * sequence. The result of the comparison will be stored at the
- * location pointed to by the "equalp" variable, which must point to a
- * valid PRBool. This routine may return PR_FAILURE upon error, in
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssRDNSeq_Compare
-(
- NSSRDNSeq *rdnseq1,
- NSSRDNSeq *rdnseq2,
- PRBool *equalp
-);
-
-/*
- * nssRDNSeq_Duplicate
- *
- * This routine duplicates the specified RDNSeq. If the optional arena
- * argument is non-null, the memory required will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_RDNSEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new RDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_Duplicate
-(
- NSSRDNSeq *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * nssRDNSeq_EvaluateUTF8
- *
- * This routine evaluates a UTF8 string, and returns PR_TRUE if the
- * string contains the string representation of an RDNSeq. This
- * routine is used by the (directory) Name routines
- * nssName_CreateFromUTF8 and nssName_EvaluateUTF8 to determine which
- * choice of directory name the string may encode. This routine may
- * return PR_FALSE upon error, but it subsumes that condition under the
- * general "string does not evaluate as an RDNSeq" state, and does not
- * set an error on the error stack.
- *
- * Return value:
- * PR_TRUE if the string represents an RDNSeq
- * PR_FALSE if otherwise
- */
-
-NSS_EXTERN PRBool
-nssRDNSeq_EvaluateUTF8
-(
- NSSUTF8 *str
-);
-
-/*
- * NSSName
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssName_CreateFromBER -- constructor
- * nssName_CreateFromUTF8 -- constructor
- * nssName_Create -- constructor
- *
- * nssName_Destroy
- * nssName_GetDEREncoding
- * nssName_GetUTF8Encoding
- * nssName_GetChoice
- * nssName_GetRDNSequence
- * nssName_GetSpecifiedChoice
- * nssName_Compare
- * nssName_Duplicate
- *
- * nssName_GetUID
- * nssName_GetEmail
- * nssName_GetCommonName
- * nssName_GetOrganization
- * nssName_GetOrganizationalUnits
- * nssName_GetStateOrProvince
- * nssName_GetLocality
- * nssName_GetCountry
- * nssName_GetAttribute
- *
- * nssName_EvaluateUTF8 -- not an object method
- */
-
-/*
- * nssName_CreateFromBER
- *
- * This routine creates an NSSName by decoding a BER- or DER-encoded
- * (directory) Name. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may
- * return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-nssName_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berName
-);
-
-/*
- * nssName_CreateFromUTF8
- *
- * This routine creates an NSSName by decoding a UTF8 string
- * consisting of the string representation of one of the choices of
- * (directory) names. Currently the only choice is an RDNSeq. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. The routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-nssName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringName
-);
-
-/*
- * nssName_Create
- *
- * This routine creates an NSSName with the specified choice of
- * underlying name types. The value of the choice variable must be
- * one of the values of the NSSNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- * Choice Type
- * ======================== ===========
- * NSSNameChoiceRdnSequence NSSRDNSeq *
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-nssName_Create
-(
- NSSArena *arenaOpt,
- NSSNameChoice choice,
- void *arg
-);
-
-/*
- * nssName_Destroy
- *
- * This routine will destroy a Name object. It should eventually be
- * called on all Names created without an arena. While it is not
- * necessary to call it on Names created within an arena, it is not
- * an error to do so. This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS. If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssName_Destroy
-(
- NSSName *name
-);
-
-/*
- * nssName_GetDEREncoding
- *
- * This routine will DER-encode a name object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSName
- */
-
-NSS_EXTERN NSSDER *
-nssName_GetDEREncoding
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the Name in the format specified by the
- * underlying name choice. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssName_GetUTF8Encoding
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetChoice
- *
- * This routine returns the type of the choice underlying the specified
- * name. The return value will be a member of the NSSNameChoice
- * enumeration. This routine may return NSSNameChoiceInvalid upon
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- *
- * Return value:
- * NSSNameChoiceInvalid upon error
- * An other member of the NSSNameChoice enumeration upon success
- */
-
-NSS_EXTERN NSSNameChoice
-nssName_GetChoice
-(
- NSSName *name
-);
-
-/*
- * nssName_GetRDNSequence
- *
- * If the choice underlying the specified NSSName is that of an
- * RDNSequence, this routine will return a pointer to that RDN
- * sequence. Otherwise, this routine will place an error on the
- * error stack, and return NULL. If the optional arena argument is
- * non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. The
- * caller owns the returned pointer. This routine may return NULL
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssName_GetRDNSequence
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSName matches the specified
- * choice, a caller-owned pointer to that underlying object will be
- * returned. Otherwise, an error will be placed on the error stack and
- * NULL will be returned. If the optional arena argument is non-null,
- * the memory required will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-nssName_GetSpecifiedChoice
-(
- NSSName *name,
- NSSNameChoice choice,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_Compare
- *
- * This routine compares two Names for equality. For two Names to be
- * equal, they must have the same choice of underlying types, and the
- * underlying values must be equal. The result of the comparison will
- * be stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool. This routine may return PR_FAILURE
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE on error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssName_Compare
-(
- NSSName *name1,
- NSSName *name2,
- PRBool *equalp
-);
-
-/*
- * nssName_Duplicate
- *
- * This routine duplicates the specified nssname. If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap. This routine may return NULL upon error, in which case it
- * will have placed an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new NSSName
- */
-
-NSS_EXTERN NSSName *
-nssName_Duplicate
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished
- * Names containing a UID attribute, the UID will be the value of
- * that attribute. Note that no UID attribute is defined in either
- * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which
- * defines the type as a caseIgnoreString. We'll return a Directory
- * String. If the optional arena argument is non-null, the memory
- * used will be obtained from that arena; otherwise, the memory will
- * be obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_UID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetUID
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished
- * Names containing either a PKIX email address or a PKCS#9 email
- * address, the result will be the value of that attribute. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_EMAIL
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
-nssName_GetEmail
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a PKIX Common Name, the result will be that name. If
- * the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetCommonName
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified name, if the choices and content of the name permit.
- * If Name consists of a Sequence of Relative Distinguished names
- * containing a PKIX Organization, the result will be the value of
- * that attribute. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. This routine may return NULL upon
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_ORGANIZATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetOrganization
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational
- * unit names from the specified name, if the choices and content of
- * the name permit. If the Name consists of a Sequence of Relative
- * Distinguished Names containing one or more organisational units,
- * the result will be the values of those attributes. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-nssName_GetOrganizationalUnits
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from
- * the specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a state or province, the result will be the value of
- * that attribute. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. This routine may return NULL upon
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_STATE_OR_PROVINCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetStateOrProvince
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetLocality
- *
- * This routine will attempt to derive a locality name from the
- * specified name, if the choices and content of the name permit. If
- * the Name consists of a Sequence of Relative Distinguished names
- * containing a Locality, the result will be the value of that
- * attribute. If the optional arena argument is non-null, the memory
- * used will be obtained from that arena; otherwise, the memory will
- * be obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_LOCALITY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetLocality
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetCountry
- *
- * This routine will attempt to derive a country name from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished
- * Names containing a Country, the result will be the value of
- * that attribute.. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may
- * return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_COUNTRY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-nssName_GetCountry
-(
- NSSName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetAttribute
- *
- * If the specified name consists of a Sequence of Relative
- * Distinguished Names containing an attribute with the specified
- * type, and the actual value of that attribute may be expressed
- * with a Directory String, then the value of that attribute will
- * be returned as a Directory String. If the optional arena argument
- * is non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_NAME
- * NSS_ERROR_NO_ATTRIBUTE
- * NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetAttribute
-(
- NSSName *name,
- NSSOID *attribute,
- NSSArena *arenaOpt
-);
-
-/*
- * nssName_EvaluateUTF8
- *
- * This routine evaluates a UTF8 string, and returns PR_TRUE if the
- * string contains the string representation of an NSSName. This
- * routine is used by the GeneralName routine
- * nssGeneralName_CreateFromUTF8 to determine which choice of
- * general name the string may encode. This routine may return
- * PR_FALSE upon error, but it subsumes that condition under the
- * general "string does not evaluate as a Name" state, and does not
- * set an error on the error stack.
- *
- * Return value:
- * PR_TRUE if the string represents a Name
- * PR_FALSE otherwise
- */
-
-NSS_EXTERN PRBool
-nssName_EvaluateUTF8
-(
- NSSUTF8 *str
-);
-
-/*
- * NSSGeneralName
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssGeneralName_CreateFromBER -- constructor
- * nssGeneralName_CreateFromUTF8 -- constructor
- * nssGeneralName_Create -- constructor
- *
- * nssGeneralName_Destroy
- * nssGeneralName_GetDEREncoding
- * nssGeneralName_GetUTF8Encoding
- * nssGeneralName_GetChoice
- * nssGeneralName_GetOtherName
- * nssGeneralName_GetRfc822Name
- * nssGeneralName_GetDNSName
- * nssGeneralName_GetX400Address
- * nssGeneralName_GetDirectoryName
- * nssGeneralName_GetEdiPartyName
- * nssGeneralName_GetUniformResourceIdentifier
- * nssGeneralName_GetIPAddress
- * nssGeneralName_GetRegisteredID
- * nssGeneralName_GetSpecifiedChoice
- * nssGeneralName_Compare
- * nssGeneralName_Duplicate
- *
- * nssGeneralName_GetUID
- * nssGeneralName_GetEmail
- * nssGeneralName_GetCommonName
- * nssGeneralName_GetOrganization
- * nssGeneralName_GetOrganizationalUnits
- * nssGeneralName_GetStateOrProvince
- * nssGeneralName_GetLocality
- * nssGeneralName_GetCountry
- * nssGeneralName_GetAttribute
- */
-
-/*
- * nssGeneralName_CreateFromBER
- *
- * This routine creates an NSSGeneralName by decoding a BER- or DER-
- * encoded general name. If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berGeneralName
-);
-
-/*
- * nssGeneralName_CreateFromUTF8
- *
- * This routine creates an NSSGeneralName by decoding a UTF8 string
- * consisting of the string representation of one of the choices of
- * general names. If the optional arena argument is non-null, the
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The routine may return NULL upon
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *stringGeneralName
-);
-
-/*
- * nssGeneralName_Create
- *
- * This routine creates an NSSGeneralName with the specified choice of
- * underlying name types. The value of the choice variable must be one
- * of the values of the NSSGeneralNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- * Choice Type
- * ============================================ =========
- * NSSGeneralNameChoiceOtherName
- * NSSGeneralNameChoiceRfc822Name
- * NSSGeneralNameChoiceDNSName
- * NSSGeneralNameChoiceX400Address
- * NSSGeneralNameChoiceDirectoryName NSSName *
- * NSSGeneralNameChoiceEdiPartyName
- * NSSGeneralNameChoiceUniformResourceIdentifier
- * NSSGeneralNameChoiceIPAddress
- * NSSGeneralNameChoiceRegisteredID
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one fo the following values:
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_Create
-(
- NSSGeneralNameChoice choice,
- void *arg
-);
-
-/*
- * nssGeneralName_Destroy
- *
- * This routine will destroy a General Name object. It should
- * eventually be called on all General Names created without an arena.
- * While it is not necessary to call it on General Names created within
- * an arena, it is not an error to do so. This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If
- * usuccessful, it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- * PR_FAILURE upon failure
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssGeneralName_Destroy
-(
- NSSGeneralName *generalName
-);
-
-/*
- * nssGeneralName_GetDEREncoding
- *
- * This routine will DER-encode a name object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSGeneralName
- */
-
-NSS_EXTERN NSSDER *
-nssGeneralName_GetDEREncoding
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string
- * representation of the General Name in the format specified by the
- * underlying name choice. If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssGeneralName_GetUTF8Encoding
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetChoice
- *
- * This routine returns the type of choice underlying the specified
- * general name. The return value will be a member of the
- * NSSGeneralNameChoice enumeration. This routine may return
- * NSSGeneralNameChoiceInvalid upon error, in which case it will have
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- * NSSGeneralNameChoiceInvalid upon error
- * An other member of the NSSGeneralNameChoice enumeration
- */
-
-NSS_EXTERN NSSGeneralNameChoice
-nssGeneralName_GetChoice
-(
- NSSGeneralName *generalName
-);
-
-/*
- * nssGeneralName_GetOtherName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * Other Name, this routine will return a pointer to that Other name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSOtherName
- */
-
-NSS_EXTERN NSSOtherName *
-nssGeneralName_GetOtherName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetRfc822Name
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * RFC 822 Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRFC822Name
- */
-
-NSS_EXTERN NSSRFC822Name *
-nssGeneralName_GetRfc822Name
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetDNSName
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * DNS Name, this routine will return a pointer to that DNS name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSDNSName
- */
-
-NSS_EXTERN NSSDNSName *
-nssGeneralName_GetDNSName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetX400Address
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * X.400 Address, this routine will return a pointer to that Address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSX400Address
- */
-
-NSS_EXTERN NSSX400Address *
-nssGeneralName_GetX400Address
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetDirectoryName
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * (directory) Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSName
- */
-
-NSS_EXTERN NSSName *
-nssGeneralName_GetName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetEdiPartyName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * EDI Party Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSEdiPartyName
- */
-
-NSS_EXTERN NSSEdiPartyName *
-nssGeneralName_GetEdiPartyName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetUniformResourceIdentifier
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * URI, this routine will return a pointer to that URI.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSURI
- */
-
-NSS_EXTERN NSSURI *
-nssGeneralName_GetUniformResourceIdentifier
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetIPAddress
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * IP Address , this routine will return a pointer to that address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSIPAddress
- */
-
-NSS_EXTERN NSSIPAddress *
-nssGeneralName_GetIPAddress
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetRegisteredID
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * Registered ID, this routine will return a pointer to that ID.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL. If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap. The caller owns the returned
- * pointer. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to an NSSRegisteredID
- */
-
-NSS_EXTERN NSSRegisteredID *
-nssGeneralName_GetRegisteredID
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSGeneralName matches the
- * specified choice, a caller-owned pointer to that underlying object
- * will be returned. Otherwise, an error will be placed on the error
- * stack and NULL will be returned. If the optional arena argument
- * is non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. The caller
- * owns the returned pointer. This routine may return NULL upon
- * error, in which caes it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-nssGeneralName_GetSpecifiedChoice
-(
- NSSGeneralName *generalName,
- NSSGeneralNameChoice choice,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_Compare
- *
- * This routine compares two General Names for equality. For two
- * General Names to be equal, they must have the same choice of
- * underlying types, and the underlying values must be equal. The
- * result of the comparison will be stored at the location pointed
- * to by the "equalp" variable, which must point to a valid PRBool.
- * This routine may return PR_FAILURE upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following value:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssGeneralName_Compare
-(
- NSSGeneralName *generalName1,
- NSSGeneralName *generalName2,
- PRBool *equalp
-);
-
-/*
- * nssGeneralName_Duplicate
- *
- * This routine duplicates the specified General Name. If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap. This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new NSSGeneralName
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_Duplicate
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished Names containing a UID
- * attribute, the UID will be the value of that attribute. Note
- * that no UID attribute is defined in either PKIX or PKCS#9;
- * rather, this seems to derive from RFC 1274, which defines the
- * type as a caseIgnoreString. We'll return a Directory String.
- * If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap. This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_UID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetUID
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing either
- * a PKIX email address or a PKCS#9 email address, the result will
- * be the value of that attribute. If the General Name is an RFC 822
- * Name, the result will be the string form of that name. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_EMAIL
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
-nssGeneralName_GetEmail
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a PKIX
- * Common Name, the result will be that name. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetCommonName
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing an
- * Organization, the result will be the value of that attribute.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_ORGANIZATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetOrganization
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational
- * unit names from the specified general name, if the choices and
- * content of the name permit. If the General Name is a (directory)
- * Name consisting of a Sequence of Relative Distinguished names
- * containing one or more organisational units, the result will
- * consist of those units. If the optional arena argument is non-
- * null, the memory used will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap. This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-nssGeneralName_GetOrganizationalUnits
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from
- * the specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a state or
- * province, the result will be the value of that attribute. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_STATE_OR_PROVINCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetStateOrProvince
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetLocality
- *
- * This routine will attempt to derive a locality name from
- * the specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a Locality,
- * the result will be the value of that attribute. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_LOCALITY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetLocality
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetCountry
- *
- * This routine will attempt to derive a country name from the
- * specified general name, if the choices and content of the name
- * permit. If the General Name is a (directory) Name consisting of a
- * Sequence of Relative Distinguished names containing a Country, the
- * result will be the value of that attribute. If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_COUNTRY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-nssGeneralName_GetCountry
-(
- NSSGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetAttribute
- *
- * If the specified general name is a (directory) name consisting
- * of a Sequence of Relative Distinguished Names containing an
- * attribute with the specified type, and the actual value of that
- * attribute may be expressed with a Directory String, then the
- * value of that attribute will be returned as a Directory String.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_ATTRIBUTE
- * NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- * NULL upon error
- * A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetAttribute
-(
- NSSGeneralName *generalName,
- NSSOID *attribute,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralNameSeq
- *
- * The public "methods" regarding this "object" are:
- *
- * nssGeneralNameSeq_CreateFromBER -- constructor
- * nssGeneralNameSeq_Create -- constructor
- *
- * nssGeneralNameSeq_Destroy
- * nssGeneralNameSeq_GetDEREncoding
- * nssGeneralNameSeq_AppendGeneralName
- * nssGeneralNameSeq_GetGeneralNameCount
- * nssGeneralNameSeq_GetGeneralName
- * nssGeneralNameSeq_Compare
- * nssGeneralnameSeq_Duplicate
- */
-
-/*
- * nssGeneralNameSeq_CreateFromBER
- *
- * This routine creates a general name sequence by decoding a BER-
- * or DER-encoded GeneralNames. If the optional arena argument is
- * non-null, the memory used will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap. This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-nssGeneralNameSeq_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *berGeneralNameSeq
-);
-
-/*
- * nssGeneralNameSeq_Create
- *
- * This routine creates an NSSGeneralNameSeq from one or more General
- * Names. The final argument to this routine must be NULL. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- * NULL upon error
- * A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-nssGeneralNameSeq_Create
-(
- NSSArena *arenaOpt,
- NSSGeneralName *generalName1,
- ...
-);
-
-/*
- * nssGeneralNameSeq_Destroy
- *
- * This routine will destroy an NSSGeneralNameSeq object. It should
- * eventually be called on all NSSGeneralNameSeqs created without an
- * arena. While it is not necessary to call it on NSSGeneralNameSeq's
- * created within an arena, it is not an error to do so. This routine
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssGeneralNameSeq_Destroy
-(
- NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * nssGeneralNameSeq_GetDEREncoding
- *
- * This routine will DER-encode an NSSGeneralNameSeq object. If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return null upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * The DER encoding of this NSSGeneralNameSeq
- */
-
-NSS_EXTERN NSSDER *
-nssGeneralNameSeq_GetDEREncoding
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralNameSeq_AppendGeneralName
- *
- * This routine appends a General Name to the end of the existing
- * General Name Sequence. If the sequence was created with a non-null
- * arena argument, that same arena will be used for any additional
- * required memory. If the sequence was created with a NULL arena
- * argument, any additional memory will be obtained from the heap.
- * This routine returns a PRStatus value; it will return PR_SUCCESS
- * upon success, and upon failure it will set an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_INVALID_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure.
- */
-
-NSS_EXTERN PRStatus
-nssGeneralNameSeq_AppendGeneralName
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSGeneralName *generalName
-);
-
-/*
- * nssGeneralNameSeq_GetGeneralNameCount
- *
- * This routine returns the cardinality of the specified General name
- * Sequence. This routine may return 0 upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value;
- * 0 upon error
- * A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-nssGeneralNameSeq_GetGeneralNameCount
-(
- NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * nssGeneralNameSeq_GetGeneralName
- *
- * This routine returns a pointer to the i'th General Name in the
- * specified General Name Sequence. The value of the variable 'i' is
- * on the range [0,c) where c is the cardinality returned from
- * NSSGeneralNameSeq_GetGeneralNameCount. The caller owns the General
- * Name the pointer to which is returned. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap. This
- * routine may return NULL upon error, in which case it will have set
- * an error upon the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A caller-owned pointer to a General Name.
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralNameSeq_GetGeneralName
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSArena *arenaOpt,
- PRUint32 i
-);
-
-/*
- * nssGeneralNameSeq_Compare
- *
- * This routine compares two General Name Sequences for equality. For
- * two General Name Sequences to be equal, they must have the same
- * cardinality, and each General Name in one sequence must be equal to
- * the corresponding General Name in the other. The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool. This routine may
- * return PR_FAILURE upon error, in which case it will have set an
- * error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * PR_FAILURE upon error
- * PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssGeneralNameSeq_Compare
-(
- NSSGeneralNameSeq *generalNameSeq1,
- NSSGeneralNameSeq *generalNameSeq2,
- PRBool *equalp
-);
-
-/*
- * nssGeneralNameSeq_Duplicate
- *
- * This routine duplicates the specified sequence of general names. If
- * the optional arena argument is non-null, the memory required will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap. This routine may return NULL upon error, in which
- * case it will have placed an error on the error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * NULL upon error
- * A pointer to a new General Name Sequence.
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-nssGeneralNameSeq_Duplicate
-(
- NSSGeneralNameSeq *generalNameSeq,
- NSSArena *arenaOpt
-);
-
-PR_END_EXTERN_C
-
-#endif /* PKI1_H */
diff --git a/security/nss/lib/pki1/pki1t.h b/security/nss/lib/pki1/pki1t.h
deleted file mode 100644
index de6e5c835..000000000
--- a/security/nss/lib/pki1/pki1t.h
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef PKI1T_H
-#define PKI1T_H
-
-#ifdef DEBUG
-static const char PKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * pki1t.h
- *
- * This file contains definitions for the types used in the PKIX part-1
- * code, but not available publicly.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSOID
- *
- * This structure is used to hold our internal table of built-in OID
- * data. The fields are as follows:
- *
- * NSSItem data -- this is the actual DER-encoded multinumber oid
- * const char *expl -- this explains the derivation, and is checked
- * in a unit test. While the field always exists,
- * it is only populated or used in debug builds.
- *
- */
-
-struct NSSOIDStr {
-#ifdef DEBUG
- const NSSUTF8 *tag;
- const NSSUTF8 *expl;
-#endif /* DEBUG */
- NSSItem data;
-};
-
-/*
- * nssAttributeTypeAliasTable
- *
- * Attribute types are passed around as oids (at least in the X.500
- * and PKI worlds, as opposed to ldap). However, when written as
- * strings they usually have well-known aliases, e.g., "ou" or "c."
- *
- * This type defines a table, populated in the generated oiddata.c
- * file, of the aliases we recognize.
- *
- * The fields are as follows:
- *
- * NSSUTF8 *alias -- a well-known string alias for an oid
- * NSSOID *oid -- the oid to which the alias corresponds
- *
- */
-
-struct nssAttributeTypeAliasTableStr {
- const NSSUTF8 *alias;
- const NSSOID **oid;
-};
-typedef struct nssAttributeTypeAliasTableStr nssAttributeTypeAliasTable;
-
-PR_END_EXTERN_C
-
-#endif /* PKI1T_H */
diff --git a/security/nss/lib/pki1/rdn.c b/security/nss/lib/pki1/rdn.c
deleted file mode 100644
index f778de22c..000000000
--- a/security/nss/lib/pki1/rdn.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * rdn.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * RelativeDistinguishedName.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * RelativeDistinguishedName
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- * RelativeDistinguishedName ::=
- * SET SIZE (1 .. MAX) OF AttributeTypeAndValue
- *
- * An RDN is merely an (unordered) set of ATAV's. The setSize (that's
- * a noun, not a verb) variable is a "helper" variable kept for
- * convenience.
- */
-
-struct nssRDNStr {
- PRUint32 setSize;
- NSSATAV **atavs;
-};
diff --git a/security/nss/lib/pki1/rdnseq.c b/security/nss/lib/pki1/rdnseq.c
deleted file mode 100644
index bbd4dfe4b..000000000
--- a/security/nss/lib/pki1/rdnseq.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * rdnseq.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * RDNSequence.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * RDNSequence
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
- *
- * An RDNSequence is simply an (ordered) sequence of RDN's. The
- * seqSize variable is a "helper" kept for simplicity.
- */
-
-struct nssRDNSeqStr {
- PRUint32 seqSize;
- NSSRDN **rdns;
-};
diff --git a/security/nss/lib/pkix/doc/name_rules.html b/security/nss/lib/pkix/doc/name_rules.html
deleted file mode 100644
index 70f9dd72e..000000000
--- a/security/nss/lib/pkix/doc/name_rules.html
+++ /dev/null
@@ -1,178 +0,0 @@
-<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
-<!--
- - The contents of this file are subject to the Mozilla Public
- - License Version 1.1 (the "License"); you may not use this file
- - except in compliance with the License. You may obtain a copy of
- - the License at http://www.mozilla.org/MPL/
- -
- - Software distributed under the License is distributed on an "AS
- - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- - implied. See the License for the specific language governing
- - rights and limitations under the License.
- -
- - The Original Code is the Netscape security libraries.
- -
- - The Initial Developer of the Original Code is Netscape
- - Communications Corporation. Portions created by Netscape are
- - Copyright (C) 1994-2000 Netscape Communications Corporation. All
- - Rights Reserved.
- -
- - Contributor(s):
- -
- - Alternatively, the contents of this file may be used under the
- - terms of the GNU General Public License Version 2 or later (the
- - "GPL"), in which case the provisions of the GPL are applicable
- - instead of those above. If you wish to allow use of your
- - version of this file only under the terms of the GPL and not to
- - allow others to use your version of this file under the MPL,
- - indicate your decision by deleting the provisions above and
- - replace them with the notice and other provisions required by
- - the GPL. If you do not delete the provisions above, a recipient
- - may use your version of this file under either the MPL or the
- - GPL.
- -->
-<html>
-<head>
- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
- <meta name="GENERATOR" content="Mozilla/4.6 [en] (X11; U; IRIX 6.3 IP32) [Netscape]">
-</head>
-<body>
-
-<h1>
-Notes on libpkix name rules</h1>
-&nbsp;
-<h2>
-Types</h2>
-Every type mentioned in RFC 2459 is reflected in libpkix.&nbsp; The type
-names, defined in <tt>nsspkix.h</tt>, are exactly the names used in the
-RFC with the added prefix of ``<tt>NSSPKIX</tt>.''&nbsp; The <tt>PKIX</tt>
-part of the name is to distinguish between these specifically defined types
-and more general reflections that are used in higher-level trust domains,
-crypto contexts, etc.&nbsp; For example, <tt>NSSPKIXCertificate</tt> is
-a type with specific properties defined in RFC 2459, while <tt>NSSCertificate</tt>
-is a general type, not necessarily based on an X.509 certificate, that
-has additional associated information.
-<p>Additionally, libpkix defines some "helper"&nbsp;types, usually when
-a type definition in the RFC&nbsp;was unusually complex.&nbsp; These types
-are prefixed with <tt>NSSPKIX</tt> as above, but the next letter is lowercase.&nbsp;
-Examples of these types include <tt>NSSPKIXrevokedCertificates</tt> and
-<tt>NSSPKIXpolicyMapping</tt>.
-<br>&nbsp;
-<h2>
-Simple types</h2>
-Many types used in or defined by RFC 2459 have more-or-less equivalent
-``natural'' types.&nbsp; These include <tt>BOOLEAN</tt>, <tt>INTEGER</tt>,
-the string types, and the date types.
-<p><tt>BOOLEAN</tt> values are always automatically converted to and from
-<tt>PRBool</tt> types.
-<p><tt>INTEGER</tt> types are used in two ways: as a ``small integer,''
-typically a quantity, and as an identification value (e.g., the serial
-number of a certificate).&nbsp; In the former situation, the RFC usually
-states that the values may be limited by the application to some value.&nbsp;
-We reflect these integers as <tt>PRInt32</tt> values, which is limited
-to about two billion.&nbsp; (The reason an unsigned integer wasn't used
-is that we use -1 as an error value; while admittedly reserving one half
-of the number space merely to indicate an error is perhaps wasteful, reducing
-the count limit from four billion to two isn't that unreasonable.)&nbsp;
-``Large integer'' uses are reflected as <tt>NSSItem</tt>s.
-<p>String types -- even complicated <tt>CHOICE</tt>s of strings -- are
-always converted to and from <tt>NSSUTF8</tt> strings.&nbsp; Most of the
-string types can handle any UTF-8 string; the few that don't will check
-the <tt>NSSUTF8</tt> string for invalid characters and return an error
-if any are found.
-<p>Date types are always converted to and from <tt>PRTime</tt> values.
-<font color="#FF0000">***FGMR*** or whatever.</font><font color="#000000">&nbsp;
-The RFC-defined types may contain values that may not be represented as
-<tt>PRTime</tt>s; when conversion of such a value is attempted, the error
-<tt>NSS_ERROR_VALUE_OUT_OF_RANGE</tt> will be returned.&nbsp; However,
-types that contain time values have comparator methods defined, so that
-valid comparisons may be made, even if the time is out of the range of
-<tt>PRTime</tt>.</font>
-<br><font color="#000000"></font>&nbsp;
-<h2>
-<font color="#000000">Function names</font></h2>
-<font color="#000000">All function names are created by catenating the
-type name, an underscore, and the name of a method defined on that type.&nbsp;
-In some situations, this does create rather long function names; however,
-since these are usually assocated with the more obscure types, we felt
-that sticking to a common naming system was preferable to inventing new
-names.&nbsp; (The Principle of Least Surprise.)</font>
-<br><font color="#000000"></font>&nbsp;
-<h2>
-<font color="#000000">Universal methods</font></h2>
-<font color="#000000">Every type has a few standard methods:</font>
-<ul>
-<li>
-<tt><font color="#000000">&lt;typename>_CreateFromBER</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Create</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Destroy</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_GetDEREncoding</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Equal</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Duplicate</font></tt></li>
-</ul>
-<font color="#000000">For types for which a BER encoding can be created
-which is not the DER&nbsp;encoding, there is a method <tt>&lt;typename>_GetBEREncoding</tt>.</font>
-<br><font color="#000000"></font>&nbsp;
-<h2>
-<font color="#000000">Accessors</font></h2>
-<font color="#000000">Simple accessor method names are constructed with
-``<tt>Get</tt>'' and ``<tt>Set</tt>'' followed by the field name:</font>
-<ul>
-<li>
-<tt><font color="#000000">&lt;typename>_Get&lt;fieldname></font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Set&lt;fieldname></font></tt></li>
-</ul>
-<font color="#000000">Optional fields also have ``<tt>Has</tt>'' and ``<tt>Remove</tt>''
-methods, constructed in the same way.</font>
-<br><font color="#000000"></font>&nbsp;
-<h2>
-<font color="#000000">Sequences</font></h2>
-<font color="#000000">Sequences have the following accessors:</font>
-<ul>
-<li>
-<tt><font color="#000000">&lt;typename>_Get&lt;name>Count</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Get&lt;name>s</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Set&lt;name>s</font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Get&lt;name></font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Set&lt;name></font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Append&lt;name></font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Insert&lt;name></font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Remove&lt;name></font></tt></li>
-
-<li>
-<tt><font color="#000000">&lt;typename>_Find&lt;name></font></tt></li>
-</ul>
-<font color="#000000">Sets (unordered sequences) replace the <tt>Append</tt>
-and <tt>Insert</tt> methods with <tt>Add</tt>.&nbsp; The plural Get and
-Set methods operate on arrays of the subtype.</font>
-<br><font color="#000000"></font>&nbsp;
-<br><font color="#000000"></font>&nbsp;
-<br><font color="#000000"></font>&nbsp;
-</body>
-</html>
diff --git a/security/nss/lib/pkix/include/nsspkix.h b/security/nss/lib/pkix/include/nsspkix.h
deleted file mode 100644
index 6e55be3a9..000000000
--- a/security/nss/lib/pkix/include/nsspkix.h
+++ /dev/null
@@ -1,24377 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSPKIX_H
-#define NSSPKIX_H
-
-#ifdef DEBUG
-static const char NSSPKIX_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nsspkix.h
- *
- * This file contains the prototypes for the public methods defined
- * for the PKIX part-1 objects.
- */
-
-#ifndef NSSPKIXT_H
-#include "nsspkixt.h"
-#endif /* NSSPKIXT_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Attribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Attribute ::= SEQUENCE {
- * type AttributeType,
- * values SET OF AttributeValue
- * -- at least one value is required -- }
- *
- * The public calls for the type:
- *
- * NSSPKIXAttribute_Decode
- * NSSPKIXAttribute_Create
- * NSSPKIXAttribute_CreateFromArray
- * NSSPKIXAttribute_Destroy
- * NSSPKIXAttribute_Encode
- * NSSPKIXAttribute_GetType
- * NSSPKIXAttribute_SetType
- * NSSPKIXAttribute_GetValueCount
- * NSSPKIXAttribute_GetValues
- * NSSPKIXAttribute_SetValues
- * NSSPKIXAttribute_GetValue
- * NSSPKIXAttribute_SetValue
- * NSSPKIXAttribute_AddValue
- * NSSPKIXAttribute_RemoveValue
- * NSSPKIXAttribute_FindValue
- * NSSPKIXAttribute_Equal
- * NSSPKIXAttribute_Duplicate
- *
- */
-
-/*
- * NSSPKIXAttribute_Decode
- *
- * This routine creates an NSSPKIXAttribute by decoding a BER-
- * or DER-encoded Attribute as defined in RFC 2459. This
- * routine may return NULL upon error, in which case it will
- * have created an error stack. If the optional arena argument
- * is non-NULL, that arena will be used for the required memory.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-NSSPKIXAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAttribute_Create
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-NSSPKIXAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value1,
- ...
-);
-
-/*
- * NSSPKIXAttribute_CreateFromArray
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-NSSPKIXAttribute_CreateFromArray
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- PRUint32 count,
- NSSPKIXAttributeValue values[]
-);
-
-/*
- * NSSPKIXAttribute_Destroy
- *
- * This routine destroys an NSSPKIXAttribute. It should be called on
- * all such objects created without an arena. It does not need to be
- * called for objects created with an arena, but it may be. This
- * routine returns a PRStatus value. Upon error, it will create an
- * error stack and return PR_FAILURE.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_Destroy
-(
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXAttribute_Encode
- *
- * This routine returns the BER encoding of the specified
- * NSSPKIXAttribute. {usual rules about itemOpt and arenaOpt}
- * This routine indicates an error (NSS_ERROR_INVALID_DATA)
- * if there are no attribute values (i.e., the last one was removed).
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAttribute_Encode
-(
- NSSPKIXAttribute *attribute,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAttribute_GetType
- *
- * This routine returns the attribute type oid of the specified
- * NSSPKIXAttribute.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttributeType *
-NSSPKIXAttribute_GetType
-(
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXAttribute_SetType
- *
- * This routine sets the attribute type oid of the indicated
- * NSSPKIXAttribute to the specified value. Since attributes
- * may be application-defined, no checking can be done on
- * either the correctness of the attribute type oid value nor
- * the suitability of the set of attribute values.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_SetType
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeType *attributeType
-);
-
-/*
- * NSSPKIXAttribute_GetValueCount
- *
- * This routine returns the number of attribute values present in
- * the specified NSSPKIXAttribute. This routine returns a PRInt32.
- * Upon error, this routine returns -1. This routine indicates an
- * error if the number of values cannot be expressed as a PRInt32.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXAttribute_GetValueCount
-(
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXAttribute_GetValues
- *
- * This routine returns all of the attribute values in the specified
- * NSSPKIXAttribute. If the optional pointer to an array of NSSItems
- * is non-null, then that array will be used and returned; otherwise,
- * an array will be allocated and returned. If the limit is nonzero
- * (which is must be if the specified array is nonnull), then an
- * error is indicated if it is smaller than the value count.
- * {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSItem's upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-NSSPKIXAttribute_GetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAttribute_SetValues
- *
- * This routine sets all of the values of the specified
- * NSSPKIXAttribute to the values in the specified NSSItem array.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_SetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue values[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXAttribute_GetValue
- *
- * This routine returns the i'th attribute value of the set of
- * values in the specified NSSPKIXAttribute. Although the set
- * is unordered, an arbitrary ordering will be maintained until
- * the data in the attribute is changed. {usual comments about
- * itemOpt and arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-NSSPKIXAttribute_GetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAttribute_SetValue
- *
- * This routine sets the i'th attribute value {blah blah; copies
- * memory contents over..}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_SetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * NSSPKIXAttribute_AddValue
- *
- * This routine adds the specified attribute value to the set in
- * the specified NSSPKIXAttribute.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_AddValue
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * NSSPKIXAttribute_RemoveValue
- *
- * This routine removes the i'th attribute value of the set in the
- * specified NSSPKIXAttribute. An attempt to remove the last value
- * will fail.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_RemoveValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i
-);
-
-/*
- * NSSPKIXAttribute_FindValue
- *
- * This routine searches the set of attribute values in the specified
- * NSSPKIXAttribute for the provided data. If an exact match is found,
- * then that value's index is returned. If an exact match is not
- * found, -1 is returned. If there is more than one exact match, one
- * index will be returned. {notes about unorderdness of SET, etc}
- * If the index may not be represented as an integer, an error is
- * indicated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXAttribute_FindValue
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue *attributeValue
-);
-
-/*
- * NSSPKIXAttribute_Equal
- *
- * This routine compares two NSSPKIXAttribute's for equality.
- * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
- * This routine also returns PR_FALSE upon error; if you're
- * that worried about it, check for an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAttribute_Equal
-(
- NSSPKIXAttribute *one,
- NSSPKIXAttribute *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAttribute_Duplicate
- *
- * This routine duplicates an NSSPKIXAttribute. {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-NSSPKIXAttribute_Duplicate
-(
- NSSPKIXAttribute *attribute,
- NSSArena *arenaOpt
-);
-
-/*
- * AttributeTypeAndValue
- *
- * This structure contains an attribute type (indicated by an OID),
- * and the type-specific value. RelativeDistinguishedNames consist
- * of a set of these. These are distinct from Attributes (which have
- * SET of values), from AttributeDescriptions (which have qualifiers
- * on the types), and from AttributeValueAssertions (which assert a
- * a value comparison under some matching rule).
- *
- * From RFC 2459:
- *
- * AttributeTypeAndValue ::= SEQUENCE {
- * type AttributeType,
- * value AttributeValue }
- *
- * The public calls for the type:
- *
- * NSSPKIXAttributeTypeAndValue_Decode
- * NSSPKIXAttributeTypeAndValue_CreateFromUTF8
- * NSSPKIXAttributeTypeAndValue_Create
- * NSSPKIXAttributeTypeAndValue_Destroy
- * NSSPKIXAttributeTypeAndValue_Encode
- * NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
- * NSSPKIXAttributeTypeAndValue_GetType
- * NSSPKIXAttributeTypeAndValue_SetType
- * NSSPKIXAttributeTypeAndValue_GetValue
- * NSSPKIXAttributeTypeAndValue_SetValue
- * NSSPKIXAttributeTypeAndValue_Equal
- * NSSPKIXAttributeTypeAndValue_Duplicate
- */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_CreateFromUTF8
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttributeTypeAndValue_Destroy
-(
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAttributeTypeAndValue_Encode
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_GetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeType *
-NSSPKIXAttributeTypeAndValue_GetType
-(
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_SetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttributeTypeAndValue_SetType
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeType *attributeType
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_GetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-NSSPKIXAttributeTypeAndValue_GetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_SetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttributeTypeAndValue_SetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAttributeTypeAndValue_Equal
-(
- NSSPKIXAttributeTypeAndValue *atav1,
- NSSPKIXAttributeTypeAndValue *atav2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAttributeTypeAndValue_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_Duplicate
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * X520Name
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520name ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-name)),
- * printableString PrintableString (SIZE (1..ub-name)),
- * universalString UniversalString (SIZE (1..ub-name)),
- * utf8String UTF8String (SIZE (1..ub-name)),
- * bmpString BMPString (SIZE(1..ub-name)) }
- *
- * ub-name INTEGER ::= 32768
- *
- * The public calls for this type:
- *
- * NSSPKIXX520Name_Decode
- * NSSPKIXX520Name_CreateFromUTF8
- * NSSPKIXX520Name_Create (?)
- * NSSPKIXX520Name_Destroy
- * NSSPKIXX520Name_Encode
- * NSSPKIXX520Name_GetUTF8Encoding
- * NSSPKIXX520Name_Equal
- * NSSPKIXX520Name_Duplicate
- *
- * The public data for this type:
- *
- * NSSPKIXX520Name_MAXIMUM_LENGTH
- *
- */
-
-/*
- * NSSPKIXX520Name_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-NSSPKIXX520Name_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520Name_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-NSSPKIXX520Name_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520Name_Create
- *
- * XXX fgmr: currently nssStringType is a private type. Thus,
- * this public method should not exist. I'm leaving this here
- * to remind us later what we want to decide.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING_TYPE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-/*
- * NSS_EXTERN NSSPKIXX520Name *
- * NSSPKIXX520Name_Create
- * (
- * NSSArena *arenaOpt,
- * nssStringType type,
- * NSSItem *data
- * );
- */
-
-/*
- * NSSPKIXX520Name_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520Name_Destroy
-(
- NSSPKIXX520Name *name
-);
-
-/*
- * NSSPKIXX520Name_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520Name_Encode
-(
- NSSPKIXX520Name *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXX520Name_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXX520Name_GetUTF8Encoding
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXX520Name_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXX520Name_Equal
-(
- NSSPKIXX520Name *name1,
- NSSPKIXX520Name *name2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXX520Name_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-NSSPKIXX520Name_Duplicate
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXX520Name_MAXIMUM_LENGTH
- *
- * From RFC 2459:
- *
- * ub-name INTEGER ::= 32768
- */
-
-extern const PRUint32 NSSPKIXX520Name_MAXIMUM_LENGTH;
-
-/*
- * X520CommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520CommonName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-common-name)),
- * printableString PrintableString (SIZE (1..ub-common-name)),
- * universalString UniversalString (SIZE (1..ub-common-name)),
- * utf8String UTF8String (SIZE (1..ub-common-name)),
- * bmpString BMPString (SIZE(1..ub-common-name)) }
- *
- * ub-common-name INTEGER ::= 64
- *
- * The public calls for this type:
- *
- * NSSPKIXX520CommonName_Decode
- * NSSPKIXX520CommonName_CreateFromUTF8
- * NSSPKIXX520CommonName_Create (?)
- * NSSPKIXX520CommonName_Destroy
- * NSSPKIXX520CommonName_Encode
- * NSSPKIXX520CommonName_GetUTF8Encoding
- * NSSPKIXX520CommonName_Equal
- * NSSPKIXX520CommonName_Duplicate
- *
- * The public data for this type:
- *
- * NSSPKIXX520CommonName_MAXIMUM_LENGTH
- *
- */
-
-/*
- * NSSPKIXX520CommonName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-NSSPKIXX520CommonName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520CommonName_Create
- *
- * XXX fgmr: currently nssStringType is a private type. Thus,
- * this public method should not exist. I'm leaving this here
- * to remind us later what we want to decide.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING_TYPE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-/*
- * NSS_EXTERN NSSPKIXX520CommonName *
- * NSSPKIXX520CommonName_Create
- * (
- * NSSArena *arenaOpt,
- * nssStringType type,
- * NSSItem *data
- * );
- */
-
-/*
- * NSSPKIXX520CommonName_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_COMMON_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520CommonName_Destroy
-(
- NSSPKIXX520CommonName *name
-);
-
-/*
- * NSSPKIXX520CommonName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-NSSPKIXX520CommonName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520CommonName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520CommonName_Encode
-(
- NSSPKIXX520CommonName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXX520CommonName_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXX520CommonName_GetUTF8Encoding
-(
- NSSPKIXX520CommonName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXX520CommonName_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_COMMON_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXX520CommonName_Equal
-(
- NSSPKIXX520CommonName *name1,
- NSSPKIXX520CommonName *name2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXX520CommonName_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-NSSPKIXX520CommonName_Duplicate
-(
- NSSPKIXX520CommonName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXX520CommonName_MAXIMUM_LENGTH
- *
- * From RFC 2459:
- *
- * ub-common-name INTEGER ::= 64
- */
-
-extern const PRUint32 NSSPKIXX520CommonName_MAXIMUM_LENGTH;
-
-/*
- * X520LocalityName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520LocalityName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-locality-name)),
- * printableString PrintableString (SIZE (1..ub-locality-name)),
- * universalString UniversalString (SIZE (1..ub-locality-name)),
- * utf8String UTF8String (SIZE (1..ub-locality-name)),
- * bmpString BMPString (SIZE(1..ub-locality-name)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXX520LocalityName_Decode
- * NSSPKIXX520LocalityName_CreateFromUTF8
- * NSSPKIXX520LocalityName_Encode
- *
- */
-
-/*
- * NSSPKIXX520LocalityName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520LocalityName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520LocalityName *
-NSSPKIXX520LocalityName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520LocalityName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520LocalityName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520LocalityName *
-NSSPKIXX520LocalityName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520LocalityName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520LocalityName_Encode
-(
- NSSPKIXX520LocalityName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520StateOrProvinceName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520StateOrProvinceName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-state-name)),
- * printableString PrintableString (SIZE (1..ub-state-name)),
- * universalString UniversalString (SIZE (1..ub-state-name)),
- * utf8String UTF8String (SIZE (1..ub-state-name)),
- * bmpString BMPString (SIZE(1..ub-state-name)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXX520StateOrProvinceName_Decode
- * NSSPKIXX520StateOrProvinceName_CreateFromUTF8
- * NSSPKIXX520StateOrProvinceName_Encode
- *
- */
-
-/*
- * NSSPKIXX520StateOrProvinceName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520StateOrProvinceName *
-NSSPKIXX520StateOrProvinceName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520StateOrProvinceName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520StateOrProvinceName *
-NSSPKIXX520StateOrProvinceName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520StateOrProvinceName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520StateOrProvinceName_Encode
-(
- NSSPKIXX520StateOrProvinceName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520OrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520OrganizationName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-organization-name)),
- * printableString PrintableString (SIZE (1..ub-organization-name)),
- * universalString UniversalString (SIZE (1..ub-organization-name)),
- * utf8String UTF8String (SIZE (1..ub-organization-name)),
- * bmpString BMPString (SIZE(1..ub-organization-name)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXX520OrganizationName_Decode
- * NSSPKIXX520OrganizationName_CreateFromUTF8
- * NSSPKIXX520OrganizationName_Encode
- *
- */
-
-/*
- * NSSPKIXX520OrganizationName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationName *
-NSSPKIXX520OrganizationName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520OrganizationName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationName *
-NSSPKIXX520OrganizationName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520OrganizationName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520OrganizationName_Encode
-(
- NSSPKIXX520OrganizationName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520OrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520OrganizationalUnitName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-organizational-unit-name)),
- * printableString PrintableString
- * (SIZE (1..ub-organizational-unit-name)),
- * universalString UniversalString
- * (SIZE (1..ub-organizational-unit-name)),
- * utf8String UTF8String (SIZE (1..ub-organizational-unit-name)),
- * bmpString BMPString (SIZE(1..ub-organizational-unit-name)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXX520OrganizationalUnitName_Decode
- * NSSPKIXX520OrganizationalUnitName_CreateFromUTF8
- * NSSPKIXX520OrganizationalUnitName_Encode
- *
- */
-
-/*
- * NSSPKIXX520OrganizationalUnitName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
-NSSPKIXX520OrganizationalUnitName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520OrganizationalUnitName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
-NSSPKIXX520OrganizationalUnitName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520OrganizationalUnitName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520OrganizationalUnitName_Encode
-(
- NSSPKIXX520OrganizationalUnitName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520Title
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520Title ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-title)),
- * printableString PrintableString (SIZE (1..ub-title)),
- * universalString UniversalString (SIZE (1..ub-title)),
- * utf8String UTF8String (SIZE (1..ub-title)),
- * bmpString BMPString (SIZE(1..ub-title)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXX520Title_Decode
- * NSSPKIXX520Title_CreateFromUTF8
- * NSSPKIXX520Title_Encode
- *
- */
-
-/*
- * NSSPKIXX520Title_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Title upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Title *
-NSSPKIXX520Title_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520Title_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Title upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Title *
-NSSPKIXX520Title_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520Title_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520Title_Encode
-(
- NSSPKIXX520Title *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520dnQualifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520dnQualifier ::= PrintableString
- *
- * The public calls for this type:
- *
- * NSSPKIXX520dnQualifier_Decode
- * NSSPKIXX520dnQualifier_CreateFromUTF8
- * NSSPKIXX520dnQualifier_Encode
- *
- */
-
-/*
- * NSSPKIXX520dnQualifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520dnQualifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520dnQualifier *
-NSSPKIXX520dnQualifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520dnQualifier_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520dnQualifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520dnQualifier *
-NSSPKIXX520dnQualifier_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520dnQualifier_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520dnQualifier_Encode
-(
- NSSPKIXX520dnQualifier *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520countryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
- *
- * The public calls for this type:
- *
- * NSSPKIXX520countryName_Decode
- * NSSPKIXX520countryName_CreateFromUTF8
- * NSSPKIXX520countryName_Encode
- *
- */
-
-/*
- * NSSPKIXX520countryName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520countryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520countryName *
-NSSPKIXX520countryName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX520countryName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520countryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520countryName *
-NSSPKIXX520countryName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX520countryName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX520countryName_Encode
-(
- NSSPKIXX520countryName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * Pkcs9email
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXPkcs9email_Decode
- * NSSPKIXPkcs9email_CreateFromUTF8
- * NSSPKIXPkcs9email_Encode
- *
- */
-
-/*
- * NSSPKIXPkcs9email_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPkcs9email upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPkcs9email *
-NSSPKIXPkcs9email_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPkcs9email_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPkcs9email upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPkcs9email *
-NSSPKIXPkcs9email_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXPkcs9email_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPkcs9email_Encode
-(
- NSSPKIXPkcs9email *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * Name
- *
- * This structure contains a union of the possible name formats,
- * which at the moment is limited to an RDNSequence.
- *
- * From RFC 2459:
- *
- * Name ::= CHOICE { -- only one possibility for now --
- * rdnSequence RDNSequence }
- *
- * The public calls for this type:
- *
- * NSSPKIXName_Decode
- * NSSPKIXName_CreateFromUTF8
- * NSSPKIXName_Create
- * NSSPKIXName_CreateFromRDNSequence
- * NSSPKIXName_Destroy
- * NSSPKIXName_Encode
- * NSSPKIXName_GetUTF8Encoding
- * NSSPKIXName_GetChoice
- * NSSPKIXName_GetRDNSequence
- * NSSPKIXName_GetSpecifiedChoice {fgmr remove this}
- * NSSPKIXName_SetRDNSequence
- * NSSPKIXName_SetSpecifiedChoice
- * NSSPKIXName_Equal
- * NSSPKIXName_Duplicate
- *
- * (here is where I had specific attribute value gettors in pki1)
- *
- */
-
-/*
- * NSSPKIXName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * NSSPKIXName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXNameChoice choice,
- void *arg
-);
-
-/*
- * NSSPKIXName_CreateFromRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXName_CreateFromRDNSequence
-(
- NSSArena *arenaOpt,
- NSSPKIXRDNSequence *rdnSequence
-);
-
-/*
- * NSSPKIXName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXName_Destroy
-(
- NSSPKIXName *name
-);
-
-/*
- * NSSPKIXName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXName_Encode
-(
- NSSPKIXName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXName_GetUTF8Encoding
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * A valid element of the NSSPKIXNameChoice enumeration upon success
- * The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
- */
-
-NSS_EXTERN NSSPKIXNameChoice
-NSSPKIXName_GetChoice
-(
- NSSPKIXName *name
-);
-
-/*
- * NSSPKIXName_GetRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A pointer to a valid NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-NSSPKIXName_GetRDNSequence
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXName_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer ...
- * NULL upon failure
- */
-
-NSS_EXTERN void *
-NSSPKIXName_GetSpecifiedChoice
-(
- NSSPKIXName *name,
- NSSPKIXNameChoice choice,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXName_Equal
-(
- NSSPKIXName *name1,
- NSSPKIXName *name2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXName_Duplicate
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * RDNSequence
- *
- * This structure contains a sequence of RelativeDistinguishedName
- * objects.
- *
- * From RFC 2459:
- *
- * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
- *
- * The public calls for this type:
- *
- * NSSPKIXRDNSequence_Decode
- * NSSPKIXRDNSequence_CreateFromUTF8
- * NSSPKIXRDNSequence_Create
- * NSSPKIXRDNSequence_CreateFromArray
- * NSSPKIXRDNSequence_Destroy
- * NSSPKIXRDNSequence_Encode
- * NSSPKIXRDNSequence_GetUTF8Encoding
- * NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
- * NSSPKIXRDNSequence_GetRelativeDistinguishedNames
- * NSSPKIXRDNSequence_SetRelativeDistinguishedNames
- * NSSPKIXRDNSequence_GetRelativeDistinguishedName
- * NSSPKIXRDNSequence_SetRelativeDistinguishedName
- * NSSPKIXRDNSequence_AppendRelativeDistinguishedName
- * NSSPKIXRDNSequence_InsertRelativeDistinguishedName
- * NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
- * NSSPKIXRDNSequence_FindRelativeDistinguishedName
- * NSSPKIXRDNSequence_Equal
- * NSSPKIXRDNSequence_Duplicate
- *
- */
-
-/*
- * NSSPKIXRDNSequence_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXRDNSequence_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * NSSPKIXRDNSequence_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXRelativeDistinguishedName *rdn1,
- ...
-);
-
-/*
- * NSSPKIXRDNSequence_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Create
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXRelativeDistinguishedName *rdns[]
-);
-
-/*
- * NSSPKIXRDNSequence_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRDNSequence_Destroy
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-/*
- * NSSPKIXRDNSequence_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXRDNSequence_Encode
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRDNSequence_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXRDNSequence_GetUTF8Encoding
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-/*
- * NSSPKIXRDNSequence_GetRelativeDistinguishedNames
- *
- * This routine returns all of the relative distinguished names in the
- * specified RDN Sequence. {...} If the array is allocated, or if the
- * specified one has extra space, the array will be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXRelativeDistinguishedName
- * pointers upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName **
-NSSPKIXRDNSequence_GetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRDNSequence_SetRelativeDistinguishedNames
- *
- * -- fgmr comments --
- * If the array pointer itself is null, the set is considered empty.
- * If the count is zero but the pointer nonnull, the array will be
- * assumed to be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRDNSequence_SetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdns[],
- PRInt32 countOpt
-);
-
-/*
- * NSSPKIXRDNSequence_GetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRDNSequence_GetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRDNSequence_SetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRDNSequence_SetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * NSSPKIXRDNSequence_AppendRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRDNSequence_AppendRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * NSSPKIXRDNSequence_InsertRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRDNSequence_InsertRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i
-);
-
-/*
- * NSSPKIXRDNSequence_FindRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXRDNSequence_FindRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * NSSPKIXRDNSequence_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXRDNSequence_Equal
-(
- NSSPKIXRDNSequence *one,
- NSSPKIXRDNSequence *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXRDNSequence_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Duplicate
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * DistinguishedName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistinguishedName ::= RDNSequence
- *
- * This is just a public typedef; no new methods are required. {fgmr-- right?}
- */
-
-/*
- * RelativeDistinguishedName
- *
- * This structure contains an unordered set of AttributeTypeAndValue
- * objects. RDNs are used to distinguish a set of objects underneath
- * a common object.
- *
- * Often, a single ATAV is sufficient to make a unique distinction.
- * For example, if a company assigns its people unique uid values,
- * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
- * ATAV by itself forms an RDN. However, sometimes a set of ATAVs is
- * needed. For example, if a company needed to distinguish between
- * two Smiths by specifying their corporate divisions, then in the
- * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
- * set of ATAVs forms the RDN.
- *
- * From RFC 2459:
- *
- * RelativeDistinguishedName ::=
- * SET SIZE (1 .. MAX) OF AttributeTypeAndValue
- *
- * The public calls for this type:
- *
- * NSSPKIXRelativeDistinguishedName_Decode
- * NSSPKIXRelativeDistinguishedName_CreateFromUTF8
- * NSSPKIXRelativeDistinguishedName_Create
- * NSSPKIXRelativeDistinguishedName_CreateFromArray
- * NSSPKIXRelativeDistinguishedName_Destroy
- * NSSPKIXRelativeDistinguishedName_Encode
- * NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
- * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_Equal
- * NSSPKIXRelativeDistinguishedName_Duplicate
- *
- * fgmr: Logical additional functions include
- *
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValueByType
- * returns PRInt32
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValuesByType
- * returns array of PRInt32
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueForType
- * returns NSSPKIXAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValuesForType
- * returns array of NSSPKIXAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_GetAttributeValueForType
- * returns NSSPKIXAttributeValue
- * NSSPKIXRelativeDistinguishedName_GetAttributeValuesForType
- * returns array of NSSPKIXAttributeValue
- *
- * NOTE: the "return array" versions are only meaningful if an RDN may
- * contain multiple ATAVs with the same type. Verify in the RFC if
- * this is possible or not. If not, nuke those three functions.
- *
- */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeTypeAndValue *atav1,
- ...
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_CreateFromArray
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXAttributeTypeAndValue *atavs[]
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRelativeDistinguishedName_Destroy
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXRelativeDistinguishedName_Encode
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAttributeTypeAndValue
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue **
-NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atavs[],
- PRInt32 countOpt
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXRelativeDistinguishedName_Equal
-(
- NSSPKIXRelativeDistinguishedName *one,
- NSSPKIXRelativeDistinguishedName *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXRelativeDistinguishedName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_Duplicate
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * DirectoryString
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DirectoryString ::= CHOICE {
- * teletexString TeletexString (SIZE (1..MAX)),
- * printableString PrintableString (SIZE (1..MAX)),
- * universalString UniversalString (SIZE (1..MAX)),
- * utf8String UTF8String (SIZE (1..MAX)),
- * bmpString BMPString (SIZE(1..MAX)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXDirectoryString_Decode
- * NSSPKIXDirectoryString_CreateFromUTF8
- * NSSPKIXDirectoryString_Encode
- *
- */
-
-/*
- * NSSPKIXDirectoryString_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDirectoryString upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDirectoryString *
-NSSPKIXDirectoryString_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXDirectoryString_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDirectoryString upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDirectoryString *
-NSSPKIXDirectoryString_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXDirectoryString_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_DIRECTORY_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXDirectoryString_Encode
-(
- NSSPKIXDirectoryString *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * Certificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Certificate ::= SEQUENCE {
- * tbsCertificate TBSCertificate,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- * The public calls for this type:
- *
- * NSSPKIXCertificate_Decode
- * NSSPKIXCertificate_Create
- * NSSPKIXCertificate_Destroy
- * NSSPKIXCertificate_Encode
- * NSSPKIXCertificate_GetTBSCertificate
- * NSSPKIXCertificate_SetTBSCertificate
- * NSSPKIXCertificate_GetAlgorithmIdentifier
- * NSSPKIXCertificate_SetAlgorithmIdentifier
- * NSSPKIXCertificate_GetSignature
- * NSSPKIXCertificate_SetSignature
- * NSSPKIXCertificate_Equal
- * NSSPKIXCertificate_Duplicate
- *
- * { inherit TBSCertificate gettors? }
- *
- */
-
-/*
- * NSSPKIXCertificate_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificate *
-NSSPKIXCertificate_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCertificate_Create
- *
- * -- fgmr comments --
- * { at this level we'll have to just accept a specified signature }
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_ALGID
- * NSS_ERROR_INVALID_PKIX_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificate *
-NSSPKIXCertificate_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXAlgorithmIdentifier *algID,
- NSSItem *signature
-);
-
-/*
- * NSSPKIXCertificate_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificate_Destroy
-(
- NSSPKIXCertificate *cert
-);
-
-/*
- * NSSPKIXCertificate_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCertificate_Encode
-(
- NSSPKIXCertificate *cert,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificate_GetTBSCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-NSSPKIXCertificate_GetTBSCertificate
-(
- NSSPKIXCertificate *cert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificate_SetTBSCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificate_SetTBSCertificate
-(
- NSSPKIXCertificate *cert,
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * NSSPKIXCertificate_GetAlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXCertificate_GetAlgorithmIdentifier
-(
- NSSPKIXCertificate *cert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificate_SetAlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificate_SetAlgorithmIdentifier
-(
- NSSPKIXCertificate *cert,
- NSSPKIXAlgorithmIdentifier *algid,
-);
-
-/*
- * NSSPKIXCertificate_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXCertificate_GetSignature
-(
- NSSPKIXCertificate *cert,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificate_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificate_SetSignature
-(
- NSSPKIXCertificate *cert,
- NSSItem *signature
-);
-
-/*
- * NSSPKIXCertificate_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXCertificate_Equal
-(
- NSSPKIXCertificate *one,
- NSSPKIXCertificate *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXCertificate_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificate *
-NSSPKIXCertificate_Duplicate
-(
- NSSPKIXCertificate *cert,
- NSSArena *arenaOpt
-);
-
-/*
- * TBSCertificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertificate ::= SEQUENCE {
- * version [0] Version DEFAULT v1,
- * serialNumber CertificateSerialNumber,
- * signature AlgorithmIdentifier,
- * issuer Name,
- * validity Validity,
- * subject Name,
- * subjectPublicKeyInfo SubjectPublicKeyInfo,
- * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * extensions [3] Extensions OPTIONAL
- * -- If present, version shall be v3 -- }
- *
- * The public calls for this type:
- *
- * NSSPKIXTBSCertificate_Decode
- * NSSPKIXTBSCertificate_Create
- * NSSPKIXTBSCertificate_Destroy
- * NSSPKIXTBSCertificate_Encode
- * NSSPKIXTBSCertificate_GetVersion
- * NSSPKIXTBSCertificate_SetVersion
- * NSSPKIXTBSCertificate_GetSerialNumber
- * NSSPKIXTBSCertificate_SetSerialNumber
- * NSSPKIXTBSCertificate_GetSignature
- * NSSPKIXTBSCertificate_SetSignature
- * { inherit algid gettors? }
- * NSSPKIXTBSCertificate_GetIssuer
- * NSSPKIXTBSCertificate_SetIssuer
- * { inherit "helper" issuer gettors? }
- * NSSPKIXTBSCertificate_GetValidity
- * NSSPKIXTBSCertificate_SetValidity
- * { inherit validity accessors }
- * NSSPKIXTBSCertificate_GetSubject
- * NSSPKIXTBSCertificate_SetSubject
- * NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo
- * NSSPKIXTBSCertificate_SetSubjectPublicKeyInfo
- * NSSPKIXTBSCertificate_HasIssuerUniqueID
- * NSSPKIXTBSCertificate_GetIssuerUniqueID
- * NSSPKIXTBSCertificate_SetIssuerUniqueID
- * NSSPKIXTBSCertificate_RemoveIssuerUniqueID
- * NSSPKIXTBSCertificate_HasSubjectUniqueID
- * NSSPKIXTBSCertificate_GetSubjectUniqueID
- * NSSPKIXTBSCertificate_SetSubjectUniqueID
- * NSSPKIXTBSCertificate_RemoveSubjectUniqueID
- * NSSPKIXTBSCertificate_HasExtensions
- * NSSPKIXTBSCertificate_GetExtensions
- * NSSPKIXTBSCertificate_SetExtensions
- * NSSPKIXTBSCertificate_RemoveExtensions
- * { extension accessors }
- * NSSPKIXTBSCertificate_Equal
- * NSSPKIXTBSCertificate_Duplicate
- */
-
-/*
- * NSSPKIXTBSCertificate_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-NSSPKIXTBSCertificate_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTBSCertificate_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_VERSION
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ISSUER_NAME
- * NSS_ERROR_INVALID_VALIDITY
- * NSS_ERROR_INVALID_SUBJECT_NAME
- * NSS_ERROR_INVALID_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ISSUER_UNIQUE_IDENTIFIER
- * NSS_ERROR_INVALID_SUBJECT_UNIQUE_IDENTIFIER
- * NSS_ERROR_INVALID_EXTENSION
- *
- * Return value:
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-NSSPKIXTBSCertificate_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXVersion version,
- NSSPKIXCertificateSerialNumber *serialNumber,
- NSSPKIXAlgorithmIdentifier *signature,
- NSSPKIXName *issuer,
- NSSPKIXValidity *validity,
- NSSPKIXName *subject,
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSPKIXUniqueIdentifier *issuerUniqueID,
- NSSPKIXUniqueIdentifier *subjectUniqueID,
- NSSPKIXExtensions *extensions
-);
-
-/*
- * NSSPKIXTBSCertificate_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_Destroy
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * NSSPKIXTBSCertificate_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTBSCertificate_Encode
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_GetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid element of the NSSPKIXVersion enumeration upon success
- * NSSPKIXVersion_NSSinvalid (-1) upon failure
- */
-
-NSS_EXTERN NSSPKIXVersion
-NSSPKIXTBSCertificate_GetVersion
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * NSSPKIXTBSCertificate_SetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_VERSION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetVersion
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXVersion version
-);
-
-/*
- * NSSPKIXTBSCertificate_GetSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateSerialNumber upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateSerialNumber *
-NSSPKIXTBSCertificate_GetSerialNumber
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXCertificateSerialNumber *snOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetSerialNumber
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXCertificateSerialNumber *sn
-);
-
-/*
- * NSSPKIXTBSCertificate_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXTBSCertificate_GetSignature
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetSignature
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXAlgorithmIdentifier *algID
-);
-
-/*
- * { fgmr inherit algid gettors? }
- */
-
-/*
- * NSSPKIXTBSCertificate_GetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXTBSCertificate_GetIssuer
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetIssuer
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXName *issuer
-);
-
-/*
- * { inherit "helper" issuer gettors? }
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- *
- * Return value:
- */
-
-/*
- * NSSPKIXTBSCertificate_GetValidity
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-NSSPKIXTBSCertificate_GetValidity
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetValidity
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetValidity
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXValidity *validity
-);
-
-/*
- * { fgmr inherit validity accessors }
- */
-
-/*
- * NSSPKIXTBSCertificate_GetSubject
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXTBSCertificate_GetSubject
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetSubject
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetSubject
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXName *subject
-);
-
-/*
- * NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetSubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetSubjectPublicKeyInfo
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXSubjectPublicKeyInfo *spki
-);
-
-/*
- * NSSPKIXTBSCertificate_HasIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertificate_HasIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_GetIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXUniqueIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUniqueIdentifier *
-NSSPKIXTBSCertificate_GetIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uidOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uid
-);
-
-/*
- * NSSPKIXTBSCertificate_RemoveIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_RemoveIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * NSSPKIXTBSCertificate_HasSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertificate_HasSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_GetSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXUniqueIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUniqueIdentifier *
-NSSPKIXTBSCertificate_GetSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uidOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uid
-);
-
-/*
- * NSSPKIXTBSCertificate_RemoveSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_RemoveSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * NSSPKIXTBSCertificate_HasExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertificate_HasExtensions
-(
- NSSPKIXTBSCertificate *tbsCert,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_GetExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_CERT_HAS_NO_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensions upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensions *
-NSSPKIXTBSCertificate_GetExtensions
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_SetExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_SetExtensions
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXExtensions *extensions
-);
-
-/*
- * NSSPKIXTBSCertificate_RemoveExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_CERT_HAS_NO_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertificate_RemoveExtensions
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * { extension accessors }
- */
-
-/*
- * NSSPKIXTBSCertificate_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertificate_Equal
-(
- NSSPKIXTBSCertificate *one,
- NSSPKIXTBSCertificate *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertificate_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-NSSPKIXTBSCertificate_Duplicate
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * CertificateSerialNumber
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateSerialNumber ::= INTEGER
- *
- * This is just a typedef'd NSSBER; no methods are required.
- * {fgmr -- the asn.1 stuff should have routines to convert
- * integers to natural types when possible and vv. we can
- * refer to them here..}
- */
-
-/*
- * Validity
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Validity ::= SEQUENCE {
- * notBefore Time,
- * notAfter Time }
- *
- * The public calls for the type:
- *
- * NSSPKIXValidity_Decode
- * NSSPKIXValidity_Create
- * NSSPKIXValidity_Encode
- * NSSPKIXValidity_Destroy
- * NSSPKIXValidity_GetNotBefore
- * NSSPKIXValidity_SetNotBefore
- * NSSPKIXValidity_GetNotAfter
- * NSSPKIXValidity_SetNotAfter
- * NSSPKIXValidity_Equal
- * NSSPKIXValidity_Compare
- * NSSPKIXValidity_Duplicate
- *
- */
-
-/*
- * NSSPKIXValidity_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-NSSPKIXValidity_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXValidity_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TIME
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-NSSPKIXValidity_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTime notBefore,
- NSSPKIXTime notAfter
-);
-
-/*
- * NSSPKIXValidity_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXValidity_Destroy
-(
- NSSPKIXValidity *validity
-);
-
-/*
- * NSSPKIXValidity_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXValidity_Encode
-(
- NSSPKIXValidity *validity,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXValidity_GetNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-NSSPKIXValidity_GetNotBefore
-(
- NSSPKIXValidity *validity
-);
-
-/*
- * NSSPKIXValidity_SetNotBefore
- *
- * -- fgmr comments --
- * {do we require that it be before the "notAfter" value?}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXValidity_SetNotBefore
-(
- NSSPKIXValidity *validity,
- NSSPKIXTime notBefore
-);
-
-/*
- * NSSPKIXValidity_GetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-NSSPKIXValidity_GetNotAfter
-(
- NSSPKIXValidity *validity
-);
-
-/*
- * NSSPKIXValidity_SetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXValidity_SetNotAfter
-(
- NSSPKIXValidity *validity,
- NSSPKIXTime notAfter
-);
-
-/*
- * NSSPKIXValidity_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXValidity_Equal
-(
- NSSPKIXValidity *one,
- NSSPKIXValidity *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXValidity_Compare
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * 1 if the second is "greater" or later than the first
- * 0 if they are equal
- * -1 if the first is "greater" or later than the first
- * -2 upon failure
- */
-
-NSS_EXTERN PRIntn
-NSSPKIXValidity_Compare
-(
- NSSPKIXValidity *one,
- NSSPKIXValidity *two
-);
-
-/*
- * NSSPKIXValidity_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-NSSPKIXValidity_Duplicate
-(
- NSSPKIXValidity *validity,
- NSSArena *arenaOpt
-);
-
-/*
- * Time
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Time ::= CHOICE {
- * utcTime UTCTime,
- * generalTime GeneralizedTime }
- *
- * The public calls for the type:
- *
- * NSSPKIXTime_Decode
- * NSSPKIXTime_CreateFromPRTime
- * NSSPKIXTime_CreateFromUTF8
- * NSSPKIXTime_Destroy
- * NSSPKIXTime_Encode
- * NSSPKIXTime_GetPRTime
- * NSSPKIXTime_GetUTF8Encoding
- * NSSPKIXTime_Equal
- * NSSPKIXTime_Duplicate
- * NSSPKIXTime_Compare
- *
- */
-
-/*
- * NSSPKIXTime_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTime upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTime *
-NSSPKIXTime_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTime_CreateFromPRTime
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-NSSPKIXTime_CreateFromPRTime
-(
- NSSArena *arenaOpt,
- PRTime prTime
-);
-
-/*
- * NSSPKIXTime_CreateFromUTF8
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-NSSPKIXTime_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXTime_Destroy
- *
- */
-
-NSS_EXTERN PR_STATUS
-NSSPKIXTime_Destroy
-(
- NSSPKIXTime *time
-);
-
-/*
- * NSSPKIXTime_Encode
- *
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTime_Encode
-(
- NSSPKIXTime *time,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTime_GetPRTime
- *
- * Returns a zero on error
- */
-
-NSS_EXTERN PRTime
-NSSPKIXTime_GetPRTime
-(
- NSSPKIXTime *time,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTime_GetUTF8Encoding
- *
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKXITime_GetUTF8Encoding
-(
- NSSPKIXTime *time,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTime_Equal
- *
- */
-
-NSS_EXTERN PRBool
-NSSPKXITime_Equal
-(
- NSSPKXITime *time1,
- NSSPKXITime *time2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTime_Duplicate
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-NSSPKXITime_Duplicate
-(
- NSSPKIXTime *time,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTime_Compare
- *
- * Usual result: -1, 0, 1
- * Returns 0 on error
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXTime_Compare
-(
- NSSPKIXTime *time1,
- NSSPKIXTime *tiem2,
- PRStatus *statusOpt
-);
-
-/*
- * UniqueIdentifier
- *
- * -- fgmr comments --
- * Should we distinguish bitstrings from "regular" items/BERs?
- * It could be another typedef, but with a separate type to help
- * remind users about the factor of 8. OR we could make it a
- * hard type, and require the use of some (trivial) converters.
- *
- * From RFC 2459:
- *
- * UniqueIdentifier ::= BIT STRING
- *
- */
-
-/*
- * SubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING }
- *
- * The public calls for the type:
- *
- * NSSPKIXSubjectPublicKeyInfo_Decode
- * NSSPKIXSubjectPublicKeyInfo_Create
- * NSSPKIXSubjectPublicKeyInfo_Encode
- * NSSPKIXSubjectPublicKeyInfo_Destroy
- * NSSPKIXSubjectPublicKeyInfo_GetAlgorithm
- * NSSPKIXSubjectPublicKeyInfo_SetAlgorithm
- * NSSPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
- * NSSPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
- * NSSPKIXSubjectPublicKeyInfo_Equal
- * NSSPKIXSubjectPublicKeyInfo_Duplicate
- *
- */
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-NSSPKIXSubjectPublicKeyInfo_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-NSSPKIXSubjectPublicKeyInfo_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *subjectPublicKey
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectPublicKeyInfo_Destroy
-(
- NSSPKIXSubjectPublicKeyInfo *spki
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXSubjectPublicKeyInfo_Encode
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_GetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXSubjectPublicKeyInfo_GetAlgorithm
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_SetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectPublicKeyInfo_SetAlgorithm
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSPKIXAlgorithmIdentifier *algid
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSItem *spkOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSItem *spk
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXSubjectPublicKeyInfo_Equal
-(
- NSSPKIXSubjectPublicKeyInfo *one,
- NSSPKIXSubjectPublicKeyInfo *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXSubjectPublicKeyInfo_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-NSSPKIXSubjectPublicKeyInfo_Duplicate
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSArena *arenaOpt
-);
-
-/*
- * Extensions
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
- *
- */
-
-/* { FGMR } */
-
-/*
- * Extension
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extension ::= SEQUENCE {
- * extnID OBJECT IDENTIFIER,
- * critical BOOLEAN DEFAULT FALSE,
- * extnValue OCTET STRING }
- *
- */
-
-/* { FGMR } */
-
-/*
- * CertificateList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateList ::= SEQUENCE {
- * tbsCertList TBSCertList,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- * The public calls for the type:
- *
- * NSSPKIXCertificateList_Decode
- * NSSPKIXCertificateList_Create
- * NSSPKIXCertificateList_Encode
- * NSSPKIXCertificateList_Destroy
- * NSSPKIXCertificateList_GetTBSCertList
- * NSSPKIXCertificateList_SetTBSCertList
- * NSSPKIXCertificateList_GetSignatureAlgorithm
- * NSSPKIXCertificateList_SetSignatureAlgorithm
- * NSSPKIXCertificateList_GetSignature
- * NSSPKIXCertificateList_SetSignature
- * NSSPKIXCertificateList_Equal
- * NSSPKIXCertificateList_Duplicate
- *
- */
-
-/*
- * NSSPKIXCertificateList_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateList *
-NSSPKIXCertificateList_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCertificateList_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateList *
-NSSPKIXCertificateList_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTBSCertList *tbsCertList,
- NSSPKIXAlgorithmIdentifier *sigAlg,
- NSSItem *signature
-);
-
-/*
- * NSSPKIXCertificateList_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificateList_Destroy
-(
- NSSPKIXCertificateList *certList
-);
-
-/*
- * NSSPKIXCertificateList_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCertificateList_Encode
-(
- NSSPKIXCertificateList *certList,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificateList_GetTBSCertList
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-NSSPKIXCertificateList_GetTBSCertList
-(
- NSSPKIXCertificateList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificateList_SetTBSCertList
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificateList_SetTBSCertList
-(
- NSSPKIXCertificateList *certList,
- NSSPKIXTBSCertList *tbsCertList
-);
-
-/*
- * NSSPKIXCertificateList_GetSignatureAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXCertificateList_GetSignatureAlgorithm
-(
- NSSPKIXCertificateList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificateList_SetSignatureAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificateList_SetSignatureAlgorithm
-(
- NSSPKIXCertificateList *certList,
- NSSPKIXAlgorithmIdentifier *sigAlg
-);
-
-/*
- * NSSPKIXCertificateList_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXCertificateList_GetSignature
-(
- NSSPKIXCertificateList *certList,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificateList_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificateList_SetSignature
-(
- NSSPKIXCertificateList *certList,
- NSSItem *sig
-);
-
-/*
- * NSSPKIXCertificateList_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXCertificateList_Equal
-(
- NSSPKIXCertificateList *one,
- NSSPKIXCertificateList *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXCertificateList_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateList *
-NSSPKIXCertificateList_Duplicate
-(
- NSSPKIXCertificateList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * TBSCertList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertList ::= SEQUENCE {
- * version Version OPTIONAL,
- * -- if present, shall be v2
- * signature AlgorithmIdentifier,
- * issuer Name,
- * thisUpdate Time,
- * nextUpdate Time OPTIONAL,
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- * crlExtensions [0] Extensions OPTIONAL
- * -- if present, shall be v2 -- }
- *
- * The public calls for the type:
- *
- * NSSPKIXTBSCertList_Decode
- * NSSPKIXTBSCertList_Create
- * NSSPKIXTBSCertList_Destroy
- * NSSPKIXTBSCertList_Encode
- * NSSPKIXTBSCertList_GetVersion
- * NSSPKIXTBSCertList_SetVersion
- * NSSPKIXTBSCertList_GetSignature
- * NSSPKIXTBSCertList_SetSignature
- * NSSPKIXTBSCertList_GetIssuer
- * NSSPKIXTBSCertList_SetIssuer
- * NSSPKIXTBSCertList_GetThisUpdate
- * NSSPKIXTBSCertList_SetThisUpdate
- * NSSPKIXTBSCertList_HasNextUpdate
- * NSSPKIXTBSCertList_GetNextUpdate
- * NSSPKIXTBSCertList_SetNextUpdate
- * NSSPKIXTBSCertList_RemoveNextUpdate
- * NSSPKIXTBSCertList_GetRevokedCertificates
- * NSSPKIXTBSCertList_SetRevokedCertificates
- * NSSPKIXTBSCertList_HasCrlExtensions
- * NSSPKIXTBSCertList_GetCrlExtensions
- * NSSPKIXTBSCertList_SetCrlExtensions
- * NSSPKIXTBSCertList_RemoveCrlExtensions
- * NSSPKIXTBSCertList_Equal
- * NSSPKIXTBSCertList_Duplicate
- *
- */
-
-/*
- * NSSPKIXTBSCertList_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-NSSPKIXTBSCertList_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTBSCertList_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_VERSION
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_PKIX_TIME
- * (something for the times being out of order?)
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-NSSPKIXTBSCertList_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXVersion version,
- NSSPKIXAlgorithmIdentifier *signature,
- NSSPKIXName *issuer,
- NSSPKIXTime thisUpdate,
- NSSPKIXTime nextUpdateOpt,
- NSSPKIXrevokedCertificates *revokedCerts,
- NSSPKIXExtensions *crlExtensionsOpt
-);
-
-/*
- * NSSPKIXTBSCertList_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_Destroy
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * NSSPKIXTBSCertList_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTBSCertList_Encode
-(
- NSSPKIXTBSCertList *certList,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertList_GetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid element of the NSSPKIXVersion enumeration upon success
- * NSSPKIXVersion_NSSinvalid (-1) upon failure
- */
-
-NSS_EXTERN NSSPKIXVersion
-NSSPKIXTBSCertList_GetVersion
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * NSSPKIXTBSCertList_SetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_VERSION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetVersion
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXVersion version
-);
-
-/*
- * NSSPKIXTBSCertList_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXTBSCertList_GetSignature
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertList_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetSignature
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXAlgorithmIdentifier *algid,
-);
-
-/*
- * NSSPKIXTBSCertList_GetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXTBSCertList_GetIssuer
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertList_SetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetIssuer
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXName *issuer
-);
-
-/*
- * NSSPKIXTBSCertList_GetThisUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-NSSPKIXTBSCertList_GetThisUpdate
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * NSSPKIXTBSCertList_SetThisUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetThisUpdate
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXTime thisUpdate
-);
-
-/*
- * NSSPKIXTBSCertList_HasNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertList_HasNextUpdate
-(
- NSSPKIXTBSCertList *certList,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertList_GetNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-NSSPKIXTBSCertList_GetNextUpdate
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * NSSPKIXTBSCertList_SetNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetNextUpdate
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXTime nextUpdate
-);
-
-/*
- * NSSPKIXTBSCertList_RemoveNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_HAS_NO_NEXT_UPDATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_RemoveNextUpdate
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * NSSPKIXTBSCertList_GetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon succes
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-NSSPKIXTBSCertList_GetRevokedCertificates
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertList_SetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetRevokedCertificates
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXrevokedCertificates *revoked
-);
-
-/*
- * NSSPKIXTBSCertList_HasCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertList_HasCrlExtensions
-(
- NSSPKIXTBSCertList *certList,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertList_GetCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensions upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensions *
-NSSPKIXTBSCertList_GetCrlExtensions
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTBSCertList_SetCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_SetCrlExtensions
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXExtensions *extensions
-);
-
-/*
- * NSSPKIXTBSCertList_RemoveCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_HAS_NO_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTBSCertList_RemoveCrlExtensions
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * NSSPKIXTBSCertList_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTBSCertList_Equal
-(
- NSSPKIXTBSCertList *one,
- NSSPKIXTBSCertList *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTBSCertList_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-NSSPKIXTBSCertList_Duplicate
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * revokedCertificates
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- * The public calls for the type:
- *
- * NSSPKIXrevokedCertificates_Decode
- * NSSPKIXrevokedCertificates_Create
- * NSSPKIXrevokedCertificates_Encode
- * NSSPKIXrevokedCertificates_Destroy
- * NSSPKIXrevokedCertificates_GetRevokedCertificateCount
- * NSSPKIXrevokedCertificates_GetRevokedCertificates
- * NSSPKIXrevokedCertificates_SetRevokedCertificates
- * NSSPKIXrevokedCertificates_GetRevokedCertificate
- * NSSPKIXrevokedCertificates_SetRevokedCertificate
- * NSSPKIXrevokedCertificates_InsertRevokedCertificate
- * NSSPKIXrevokedCertificates_AppendRevokedCertificate
- * NSSPKIXrevokedCertificates_RemoveRevokedCertificate
- * NSSPKIXrevokedCertificates_Equal
- * NSSPKIXrevokedCertificates_Duplicate
- *
- */
-
-/*
- * NSSPKIXrevokedCertificates_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-NSSPKIXrevokedCertificates_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXrevokedCertificates_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-NSSPKIXrevokedCertificates_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXrevokedCertificate *rc1,
- ...
-);
-
-/*
- * NSSPKIXrevokedCertificates_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificates_Destroy
-(
- NSSPKIXrevokedCertificates *rcs
-);
-
-/*
- * NSSPKIXrevokedCertificates_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXrevokedCertificates_Encode
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificates_GetRevokedCertificateCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXrevokedCertificates_GetRevokedCertificateCount
-(
- NSSPKIXrevokedCertificates *rcs
-);
-
-/*
- * NSSPKIXrevokedCertificates_GetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXrevokedCertificate pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate **
-NSSPKIXrevokedCertificates_GetRevokedCertificates
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSPKIXrevokedCertificate *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificates_SetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificates_SetRevokedCertificates
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSPKIXrevokedCertificate *rc[],
- PRInt32 countOpt
-);
-
-/*
- * NSSPKIXrevokedCertificates_GetRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-NSSPKIXrevokedCertificates_GetRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificates_SetRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificates_SetRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * NSSPKIXrevokedCertificates_InsertRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificates_InsertRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * NSSPKIXrevokedCertificates_AppendRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificates_AppendRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * NSSPKIXrevokedCertificates_RemoveRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificates_RemoveRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i
-);
-
-/*
- * NSSPKIXrevokedCertificates_FindRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXrevokedCertificates_FindRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * NSSPKIXrevokedCertificates_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXrevokedCertificates_Equal
-(
- NSSPKIXrevokedCertificates *one,
- NSSPKIXrevokedCertificates *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXrevokedCertificates_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-NSSPKIXrevokedCertificates_Duplicate
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSArena *arenaOpt
-);
-
-/*
- * revokedCertificate
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- * The public calls for this type:
- *
- * NSSPKIXrevokedCertificate_Decode
- * NSSPKIXrevokedCertificate_Create
- * NSSPKIXrevokedCertificate_Encode
- * NSSPKIXrevokedCertificate_Destroy
- * NSSPKIXrevokedCertificate_GetUserCertificate
- * NSSPKIXrevokedCertificate_SetUserCertificate
- * NSSPKIXrevokedCertificate_GetRevocationDate
- * NSSPKIXrevokedCertificate_SetRevocationDate
- * NSSPKIXrevokedCertificate_HasCrlEntryExtensions
- * NSSPKIXrevokedCertificate_GetCrlEntryExtensions
- * NSSPKIXrevokedCertificate_SetCrlEntryExtensions
- * NSSPKIXrevokedCertificate_RemoveCrlEntryExtensions
- * NSSPKIXrevokedCertificate_Equal
- * NSSPKIXrevokedCertificate_Duplicate
- *
- */
-
-
-/*
- * NSSPKIXrevokedCertificate_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-NSSPKIXrevokedCertificate_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXrevokedCertificate_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
- * NSS_ERROR_INVALID_PKIX_TIME
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-NSSPKIXrevokedCertificate_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCertificateSerialNumber *userCertificate,
- NSSPKIXTime *revocationDate,
- NSSPKIXExtensions *crlEntryExtensionsOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificate_Destroy
-(
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * NSSPKIXrevokedCertificate_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXrevokedCertificate_Encode
-(
- NSSPKIXrevokedCertificate *rc,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_GetUserCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateSerialNumber upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateSerialNumber *
-NSSPKIXrevokedCertificate_GetUserCertificate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_SetUserCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificate_SetUserCertificate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSPKIXCertificateSerialNumber *csn
-);
-
-/*
- * NSSPKIXrevokedCertificate_GetRevocationDate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTime upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTime *
-NSSPKIXrevokedCertificate_GetRevocationDate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_SetRevocationDate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_TIME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificate_SetRevocationDate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSPKIXTime *revocationDate
-);
-
-/*
- * NSSPKIXrevokedCertificate_HasCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXrevokedCertificate_HasCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_GetCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_NO_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensions upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensions *
-NSSPKIXrevokedCertificate_GetCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_SetCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificate_SetCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc,
- NSSPKIXExtensions *crlEntryExtensions
-);
-
-/*
- * NSSPKIXrevokedCertificate_RemoveCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXrevokedCertificate_RemoveCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * NSSPKIXrevokedCertificate_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXrevokedCertificate_Equal
-(
- NSSPKIXrevokedCertificate *one,
- NSSPKIXrevokedCertificate *two,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXrevokedCertificate_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-NSSPKIXrevokedCertificate_Duplicate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * AlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * (1988 syntax)
- *
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters ANY DEFINED BY algorithm OPTIONAL }
- * -- contains a value of the type
- * -- registered for use with the
- * -- algorithm object identifier value
- *
- * The public calls for this type:
- *
- * NSSPKIXAlgorithmIdentifier_Decode
- * NSSPKIXAlgorithmIdentifier_Create
- * NSSPKIXAlgorithmIdentifier_Encode
- * NSSPKIXAlgorithmIdentifier_Destroy
- * NSSPKIXAlgorithmIdentifier_GetAlgorithm
- * NSSPKIXAlgorithmIdentifier_SetAlgorithm
- * NSSPKIXAlgorithmIdentifier_GetParameters
- * NSSPKIXAlgorithmIdentifier_SetParameters
- * NSSPKIXAlgorithmIdentifier_Compare
- * NSSPKIXAlgorithmIdentifier_Duplicate
- * { algorithm-specific parameter types and accessors ? }
- *
- */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXAlgorithmIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXAlgorithmIdentifier_Create
-(
- NSSArena *arenaOpt,
- NSSOID *algorithm,
- NSSItem *parameters
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAlgorithmIdentifier_Destroy
-(
- NSSPKIXAlgorithmIdentifier *algid
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAlgorithmIdentifier_Encode
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_GetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSOID pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-NSSPKIXAlgorithmIdentifier_GetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_SetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAlgorithmIdentifier_SetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_GetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXAlgorithmIdentifier_GetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_SetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAlgorithmIdentifier_SetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *parameters
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAlgorithmIdentifier_Equal
-(
- NSSPKIXAlgorithmIdentifier *algid1,
- NSSPKIXAlgorithmIdentifier *algid2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAlgorithmIdentifier_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-NSSPKIXAlgorithmIdentifier_Duplicate
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSArena *arenaOpt
-);
-
-/*
- * { algorithm-specific parameter types and accessors ? }
- */
-
-/*
- * ORAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ORAddress ::= SEQUENCE {
- * built-in-standard-attributes BuiltInStandardAttributes,
- * built-in-domain-defined-attributes
- * BuiltInDomainDefinedAttributes OPTIONAL,
- * -- see also teletex-domain-defined-attributes
- * extension-attributes ExtensionAttributes OPTIONAL }
- * -- The OR-address is semantically absent from the OR-name if the
- * -- built-in-standard-attribute sequence is empty and the
- * -- built-in-domain-defined-attributes and extension-attributes are
- * -- both omitted.
- *
- * The public calls for this type:
- *
- * NSSPKIXORAddress_Decode
- * NSSPKIXORAddress_Create
- * NSSPKIXORAddress_Destroy
- * NSSPKIXORAddress_Encode
- * NSSPKIXORAddress_GetBuiltInStandardAttributes
- * NSSPKIXORAddress_SetBuiltInStandardAttributes
- * NSSPKIXORAddress_HasBuiltInDomainDefinedAttributes
- * NSSPKIXORAddress_GetBuiltInDomainDefinedAttributes
- * NSSPKIXORAddress_SetBuiltInDomainDefinedAttributes
- * NSSPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
- * NSSPKIXORAddress_HasExtensionsAttributes
- * NSSPKIXORAddress_GetExtensionsAttributes
- * NSSPKIXORAddress_SetExtensionsAttributes
- * NSSPKIXORAddress_RemoveExtensionsAttributes
- * NSSPKIXORAddress_Equal
- * NSSPKIXORAddress_Duplicate
- *
- */
-
-/*
- * NSSPKIXORAddress_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddres upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-NSSPKIXORAddress_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXORAddress_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddres upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-NSSPKIXORAddress_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXBuiltInDomainDefinedAttributes *biddaOpt,
- NSSPKIXExtensionAttributes *eaOpt
-);
-
-/*
- * NSSPKIXORAddress_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXORAddress_Destroy
-(
- NSSPKIXORAddress *ora
-);
-
-/*
- * NSSPKIXORAddress_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXORAddress_Encode
-(
- NSSPKIXORAddress *ora,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXORAddress_GetBuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-NSSPKIXORAddress_GetBuiltInStandardAttributes
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXORAddress_SetBuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXORAddress_SetBuiltInStandardAttributes
-(
- NSSPKIXORAddress *ora,
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXORAddress_HasBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXORAddress_HasBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXORAddress_GetBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-NSSPKIXORAddress_GetBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXORAddress_SetBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXORAddress_SetBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora,
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora
-);
-
-/*
- * NSSPKIXORAddress_HasExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXORAddress_HasExtensionsAttributes
-(
- NSSPKIXORAddress *ora,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXORAddress_GetExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_NO_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-NSSPKIXORAddress_GetExtensionsAttributes
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXORAddress_SetExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXORAddress_SetExtensionsAttributes
-(
- NSSPKIXORAddress *ora,
- NSSPKIXExtensionAttributes *eaOpt
-);
-
-/*
- * NSSPKIXORAddress_RemoveExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXORAddress_RemoveExtensionsAttributes
-(
- NSSPKIXORAddress *ora
-);
-
-/*
- * NSSPKIXORAddress_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXORAddress_Equal
-(
- NSSPKIXORAddress *ora1,
- NSSPKIXORAddress *ora2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXORAddress_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddres upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-NSSPKIXORAddress_Duplicate
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * BuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInStandardAttributes ::= SEQUENCE {
- * country-name CountryName OPTIONAL,
- * administration-domain-name AdministrationDomainName OPTIONAL,
- * network-address [0] NetworkAddress OPTIONAL,
- * -- see also extended-network-address
- * terminal-identifier [1] TerminalIdentifier OPTIONAL,
- * private-domain-name [2] PrivateDomainName OPTIONAL,
- * organization-name [3] OrganizationName OPTIONAL,
- * -- see also teletex-organization-name
- * numeric-user-identifier [4] NumericUserIdentifier OPTIONAL,
- * personal-name [5] PersonalName OPTIONAL,
- * -- see also teletex-personal-name
- * organizational-unit-names [6] OrganizationalUnitNames OPTIONAL
- * -- see also teletex-organizational-unit-names -- }
- *
- * The public calls for this type:
- *
- * NSSPKIXBuiltInStandardAttributes_Decode
- * NSSPKIXBuiltInStandardAttributes_Create
- * NSSPKIXBuiltInStandardAttributes_Destroy
- * NSSPKIXBuiltInStandardAttributes_Encode
- * NSSPKIXBuiltInStandardAttributes_HasCountryName
- * NSSPKIXBuiltInStandardAttributes_GetCountryName
- * NSSPKIXBuiltInStandardAttributes_SetCountryName
- * NSSPKIXBuiltInStandardAttributes_RemoveCountryName
- * NSSPKIXBuiltInStandardAttributes_HasAdministrationDomainName
- * NSSPKIXBuiltInStandardAttributes_GetAdministrationDomainName
- * NSSPKIXBuiltInStandardAttributes_SetAdministrationDomainName
- * NSSPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
- * NSSPKIXBuiltInStandardAttributes_HasNetworkAddress
- * NSSPKIXBuiltInStandardAttributes_GetNetworkAddress
- * NSSPKIXBuiltInStandardAttributes_SetNetworkAddress
- * NSSPKIXBuiltInStandardAttributes_RemoveNetworkAddress
- * NSSPKIXBuiltInStandardAttributes_HasTerminalIdentifier
- * NSSPKIXBuiltInStandardAttributes_GetTerminalIdentifier
- * NSSPKIXBuiltInStandardAttributes_SetTerminalIdentifier
- * NSSPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
- * NSSPKIXBuiltInStandardAttributes_HasPrivateDomainName
- * NSSPKIXBuiltInStandardAttributes_GetPrivateDomainName
- * NSSPKIXBuiltInStandardAttributes_SetPrivateDomainName
- * NSSPKIXBuiltInStandardAttributes_RemovePrivateDomainName
- * NSSPKIXBuiltInStandardAttributes_HasOrganizationName
- * NSSPKIXBuiltInStandardAttributes_GetOrganizationName
- * NSSPKIXBuiltInStandardAttributes_SetOrganizationName
- * NSSPKIXBuiltInStandardAttributes_RemoveOrganizationName
- * NSSPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
- * NSSPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
- * NSSPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
- * NSSPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
- * NSSPKIXBuiltInStandardAttributes_HasPersonalName
- * NSSPKIXBuiltInStandardAttributes_GetPersonalName
- * NSSPKIXBuiltInStandardAttributes_SetPersonalName
- * NSSPKIXBuiltInStandardAttributes_RemovePersonalName
- * NSSPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
- * NSSPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
- * NSSPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
- * NSSPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
- * NSSPKIXBuiltInStandardAttributes_Equal
- * NSSPKIXBuiltInStandardAttributes_Duplicate
- *
- */
-
-/*
- * NSSPKIXBuiltInStandardAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-NSSPKIXBuiltInStandardAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
- * NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
- * NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
- * NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
- * NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
- * NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-NSSPKIXBuiltInStandardAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCountryName *countryNameOpt,
- NSSPKIXAdministrationDomainName *administrationDomainNameOpt,
- NSSPKIXNetworkAddress *networkAddressOpt,
- NSSPKIXTerminalIdentifier *terminalIdentifierOpt,
- NSSPKIXPrivateDomainName *privateDomainNameOpt,
- NSSPKIXOrganizationName *organizationNameOpt,
- NSSPKIXNumericUserIdentifier *numericUserIdentifierOpt,
- NSSPKIXPersonalName *personalNameOpt,
- NSSPKIXOrganizationalUnitNames *organizationalUnitNamesOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_Destroy
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXBuiltInStandardAttributes_Encode
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCountryName *
-NSSPKIXBuiltInStandardAttributes_GetCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXCountryName *countryName
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_COUNTRY_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAdministrationDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAdministrationDomainName *
-NSSPKIXBuiltInStandardAttributes_GetAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXAdministrationDomainName *administrationDomainName
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_ADMINISTRATION_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNetworkAddress *
-NSSPKIXBuiltInStandardAttributes_GetNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXNetworkAddress *networkAddress
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTerminalIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTerminalIdentifier *
-NSSPKIXBuiltInStandardAttributes_GetTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXTerminalIdentifier *terminalIdentifier
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_TERMINAL_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasPrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasPrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetPrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateDomainName *
-NSSPKIXBuiltInStandardAttributes_GetPrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetPrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetPrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXPrivateDomainName *privateDomainName
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemovePrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_PRIVATE_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemovePrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationName *
-NSSPKIXBuiltInStandardAttributes_GetOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXOrganizationName *organizationName
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_ORGANIZATION_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNumericUserIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNumericUserIdentifier *
-NSSPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXNumericUserIdentifier *numericUserIdentifier
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_NUMERIC_USER_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasPersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasPersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetPersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-NSSPKIXBuiltInStandardAttributes_GetPersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetPersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetPersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemovePersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemovePersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-NSSPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXOrganizationalUnitNames *organizationalUnitNames
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInStandardAttributes_Equal
-(
- NSSPKIXBuiltInStandardAttributes *bisa1,
- NSSPKIXBuiltInStandardAttributes *bisa2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInStandardAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-NSSPKIXBuiltInStandardAttributes_Duplicate
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * CountryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CountryName ::= [APPLICATION 1] CHOICE {
- * x121-dcc-code NumericString
- * (SIZE (ub-country-name-numeric-length)),
- * iso-3166-alpha2-code PrintableString
- * (SIZE (ub-country-name-alpha-length)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXCountryName_Decode
- * NSSPKIXCountryName_CreateFromUTF8
- * NSSPKIXCountryName_Encode
- *
- */
-
-/*
- * NSSPKIXCountryName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCountryName *
-NSSPKIXCountryName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCountryName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCountryName *
-NSSPKIXCountryName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXCountryName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCountryName_Encode
-(
- NSSPKIXCountryName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * AdministrationDomainName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AdministrationDomainName ::= [APPLICATION 2] CHOICE {
- * numeric NumericString (SIZE (0..ub-domain-name-length)),
- * printable PrintableString (SIZE (0..ub-domain-name-length)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXAdministrationDomainName_Decode
- * NSSPKIXAdministrationDomainName_CreateFromUTF8
- * NSSPKIXAdministrationDomainName_Encode
- *
- */
-
-/*
- * NSSPKIXAdministrationDomainName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAdministrationDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAdministrationDomainName *
-NSSPKIXAdministrationDomainName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAdministrationDomainName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAdministrationDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAdministrationDomainName *
-NSSPKIXAdministrationDomainName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXAdministrationDomainName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAdministrationDomainName_Encode
-(
- NSSPKIXAdministrationDomainName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X121Address
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXX121Address_Decode
- * NSSPKIXX121Address_CreateFromUTF8
- * NSSPKIXX121Address_Encode
- *
- */
-
-/*
- * NSSPKIXX121Address_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX121Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX121Address *
-NSSPKIXX121Address_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXX121Address_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX121Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX121Address *
-NSSPKIXX121Address_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXX121Address_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_X121_ADDRESS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXX121Address_Encode
-(
- NSSPKIXX121Address *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NetworkAddress ::= X121Address -- see also extended-network-address
- *
- * The public calls for this type:
- *
- * NSSPKIXNetworkAddress_Decode
- * NSSPKIXNetworkAddress_CreateFromUTF8
- * NSSPKIXNetworkAddress_Encode
- *
- */
-
-/*
- * NSSPKIXNetworkAddress_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNetworkAddress *
-NSSPKIXNetworkAddress_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXNetworkAddress_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNetworkAddress *
-NSSPKIXNetworkAddress_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXNetworkAddress_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXNetworkAddress_Encode
-(
- NSSPKIXNetworkAddress *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TerminalIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXTerminalIdentifier_Decode
- * NSSPKIXTerminalIdentifier_CreateFromUTF8
- * NSSPKIXTerminalIdentifier_Encode
- *
- */
-
-/*
- * NSSPKIXTerminalIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTerminalIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTerminalIdentifier *
-NSSPKIXTerminalIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTerminalIdentifier_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTerminalIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTerminalIdentifier *
-NSSPKIXTerminalIdentifier_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXTerminalIdentifier_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTerminalIdentifier_Encode
-(
- NSSPKIXTerminalIdentifier *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PrivateDomainName
- *
- * -- fgmr comments --
- *
- * PrivateDomainName ::= CHOICE {
- * numeric NumericString (SIZE (1..ub-domain-name-length)),
- * printable PrintableString (SIZE (1..ub-domain-name-length)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXPrivateDomainName_Decode
- * NSSPKIXPrivateDomainName_CreateFromUTF8
- * NSSPKIXPrivateDomainName_Encode
- *
- */
-
-/*
- * NSSPKIXPrivateDomainName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateDomainName *
-NSSPKIXPrivateDomainName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPrivateDomainName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateDomainName *
-NSSPKIXPrivateDomainName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXPrivateDomainName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPrivateDomainName_Encode
-(
- NSSPKIXPrivateDomainName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * OrganizationName
- *
- * -- fgmr comments --
- *
- * OrganizationName ::= PrintableString
- * (SIZE (1..ub-organization-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXOrganizationName_Decode
- * NSSPKIXOrganizationName_CreateFromUTF8
- * NSSPKIXOrganizationName_Encode
- *
- */
-
-/*
- * NSSPKIXOrganizationName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationName *
-NSSPKIXOrganizationName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXOrganizationName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationName *
-NSSPKIXOrganizationName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXOrganizationName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXOrganizationName_Encode
-(
- NSSPKIXOrganizationName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NumericUserIdentifier ::= NumericString
- * (SIZE (1..ub-numeric-user-id-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXNumericUserIdentifier_Decode
- * NSSPKIXNumericUserIdentifier_CreateFromUTF8
- * NSSPKIXNumericUserIdentifier_Encode
- *
- */
-
-/*
- * NSSPKIXNumericUserIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNumericUserIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNumericUserIdentifier *
-NSSPKIXNumericUserIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXNumericUserIdentifier_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNumericUserIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNumericUserIdentifier *
-NSSPKIXNumericUserIdentifier_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXNumericUserIdentifier_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXNumericUserIdentifier_Encode
-(
- NSSPKIXNumericUserIdentifier *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PersonalName ::= SET {
- * surname [0] PrintableString (SIZE (1..ub-surname-length)),
- * given-name [1] PrintableString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] PrintableString
- * (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXPersonalName_Decode
- * NSSPKIXPersonalName_Create
- * NSSPKIXPersonalName_Destroy
- * NSSPKIXPersonalName_Encode
- * NSSPKIXPersonalName_GetSurname
- * NSSPKIXPersonalName_SetSurname
- * NSSPKIXPersonalName_HasGivenName
- * NSSPKIXPersonalName_GetGivenName
- * NSSPKIXPersonalName_SetGivenName
- * NSSPKIXPersonalName_RemoveGivenName
- * NSSPKIXPersonalName_HasInitials
- * NSSPKIXPersonalName_GetInitials
- * NSSPKIXPersonalName_SetInitials
- * NSSPKIXPersonalName_RemoveInitials
- * NSSPKIXPersonalName_HasGenerationQualifier
- * NSSPKIXPersonalName_GetGenerationQualifier
- * NSSPKIXPersonalName_SetGenerationQualifier
- * NSSPKIXPersonalName_RemoveGenerationQualifier
- * NSSPKIXPersonalName_Equal
- * NSSPKIXPersonalName_Duplicate
- *
- */
-
-/*
- * NSSPKIXPersonalName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-NSSPKIXPersonalName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPersonalName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-NSSPKIXPersonalName_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *surname,
- NSSUTF8 *givenNameOpt,
- NSSUTF8 *initialsOpt,
- NSSUTF8 *generationQualifierOpt
-);
-
-/*
- * NSSPKIXPersonalName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_Destroy
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * NSSPKIXPersonalName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPersonalName_Encode
-(
- NSSPKIXPersonalName *personalName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPersonalName_GetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPersonalName_GetSurname
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPersonalName_SetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_SetSurname
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *surname
-);
-
-/*
- * NSSPKIXPersonalName_HasGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPersonalName_HasGivenName
-(
- NSSPKIXPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPersonalName_GetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_GIVEN_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPersonalName_GetGivenName
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPersonalName_SetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_SetGivenName
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *givenName
-);
-
-/*
- * NSSPKIXPersonalName_RemoveGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_HAS_NO_GIVEN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_RemoveGivenName
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * NSSPKIXPersonalName_HasInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPersonalName_HasInitials
-(
- NSSPKIXPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPersonalName_GetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPersonalName_GetInitials
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPersonalName_SetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_SetInitials
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *initials
-);
-
-/*
- * NSSPKIXPersonalName_RemoveInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_RemoveInitials
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * NSSPKIXPersonalName_HasGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPersonalName_HasGenerationQualifier
-(
- NSSPKIXPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPersonalName_GetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPersonalName_GetGenerationQualifier
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPersonalName_SetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_SetGenerationQualifier
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *generationQualifier
-);
-
-/*
- * NSSPKIXPersonalName_RemoveGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPersonalName_RemoveGenerationQualifier
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * NSSPKIXPersonalName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPersonalName_Equal
-(
- NSSPKIXPersonalName *personalName1,
- NSSPKIXPersonalName *personalName2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPersonalName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-NSSPKIXPersonalName_Duplicate
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * OrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
- * OF OrganizationalUnitName
- *
- * The public calls for the type:
- *
- * NSSPKIXOrganizationalUnitNames_Decode
- * NSSPKIXOrganizationalUnitNames_Create
- * NSSPKIXOrganizationalUnitNames_Destroy
- * NSSPKIXOrganizationalUnitNames_Encode
- * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
- * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
- * NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
- * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitName
- * NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitName
- * NSSPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
- * NSSPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
- * NSSPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
- * NSSPKIXOrganizationalUnitNames_FindOrganizationalUnitName
- * NSSPKIXOrganizationalUnitNames_Equal
- * NSSPKIXOrganizationalUnitNames_Duplicate
- *
- */
-
-/*
- * NSSPKIXOrganizationalUnitNames_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-NSSPKIXOrganizationalUnitNames_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-NSSPKIXOrganizationalUnitNames_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXOrganizationalUnitName *ou1,
- ...
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXOrganizationalUnitNames_Destroy
-(
- NSSPKIXOrganizationalUnitNames *ous
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXOrganizationalUnitNames_Encode
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
-(
- NSSPKIXOrganizationalUnitNames *ous
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXOrganizationalUnitName
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName **
-NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *ou[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName *
-NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_FindOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRIntn
-NSSPKIXOrganizationalUnitNames_FindOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXOrganizationalUnitNames_Equal
-(
- NSSPKIXOrganizationalUnitNames *ous1,
- NSSPKIXOrganizationalUnitNames *ous2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXOrganizationalUnitNames_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-NSSPKIXOrganizationalUnitNames_Duplicate
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSArena *arenaOpt
-);
-
-/*
- * OrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitName ::= PrintableString (SIZE
- * (1..ub-organizational-unit-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXOrganizationalUnitName_Decode
- * NSSPKIXOrganizationalUnitName_CreateFromUTF8
- * NSSPKIXOrganizationalUnitName_Encode
- *
- */
-
-/*
- * NSSPKIXOrganizationalUnitName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName *
-NSSPKIXOrganizationalUnitName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXOrganizationalUnitName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName *
-NSSPKIXOrganizationalUnitName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXOrganizationalUnitName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXOrganizationalUnitName_Encode
-(
- NSSPKIXOrganizationalUnitName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * BuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF
- * BuiltInDomainDefinedAttribute
- *
- * The public calls for this type:
- *
- * NSSPKIXBuiltInDomainDefinedAttributes_Decode
- * NSSPKIXBuiltInDomainDefinedAttributes_Create
- * NSSPKIXBuiltInDomainDefinedAttributes_Destroy
- * NSSPKIXBuiltInDomainDefinedAttributes_Encode
- * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
- * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
- * NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
- * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
- * NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
- * NSSPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
- * NSSPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
- * NSSPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
- * NSSPKIXBuiltInDomainDefinedAttributes_Equal
- * NSSPKIXBuiltInDomainDefinedAttributes_Duplicate
- *
- */
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-NSSPKIXBuiltInDomainDefinedAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-NSSPKIXBuiltInDomainDefinedAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
- ...
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttributes_Destroy
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXBuiltInDomainDefinedAttributes_Encode
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXBuiltInDomainDefinedAttribute
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute **
-NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribut *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribut *bidda[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInDomainDefinedAttributes_Equal
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas1,
- NSSPKIXBuiltInDomainDefinedAttributes *biddas2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-NSSPKIXBuiltInDomainDefinedAttributes_Duplicate
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSArena *arenaOpt
-);
-
-/*
- * BuiltInDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttribute ::= SEQUENCE {
- * type PrintableString (SIZE
- * (1..ub-domain-defined-attribute-type-length)),
- * value PrintableString (SIZE
- * (1..ub-domain-defined-attribute-value-length))}
- *
- * The public calls for this type:
- *
- * NSSPKIXBuiltInDomainDefinedAttribute_Decode
- * NSSPKIXBuiltInDomainDefinedAttribute_Create
- * NSSPKIXBuiltInDomainDefinedAttribute_Destroy
- * NSSPKIXBuiltInDomainDefinedAttribute_Encode
- * NSSPKIXBuiltInDomainDefinedAttribute_GetType
- * NSSPKIXBuiltInDomainDefinedAttribute_SetType
- * NSSPKIXBuiltInDomainDefinedAttribute_GetValue
- * NSSPKIXBuiltInDomainDefinedAttribute_SetValue
- * NSSPKIXBuiltInDomainDefinedAttribute_Equal
- * NSSPKIXBuiltInDomainDefinedAttribute_Duplicate
- *
- */
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-NSSPKIXBuiltInDomainDefinedAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-NSSPKIXBuiltInDomainDefinedAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *type,
- NSSUTF8 *value
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttribute_Destroy
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXBuiltInDomainDefinedAttribute_Encode
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_GetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXBuiltInDomainDefinedAttribute_GetType
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_SetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttribute_SetType
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSUTF8 *type
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXBuiltInDomainDefinedAttribute_GetValue
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBuiltInDomainDefinedAttribute_SetValue
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSUTF8 *value
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBuiltInDomainDefinedAttribute_Equal
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBuiltInDomainDefinedAttribute_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-NSSPKIXBuiltInDomainDefinedAttribute_Duplicate
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSArena *arenaOpt
-);
-
-/*
- * ExtensionAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
- * ExtensionAttribute
- *
- * The public calls for this type:
- *
- * NSSPKIXExtensionAttributes_Decode
- * NSSPKIXExtensionAttributes_Create
- * NSSPKIXExtensionAttributes_Destroy
- * NSSPKIXExtensionAttributes_Encode
- * NSSPKIXExtensionAttributes_GetExtensionAttributeCount
- * NSSPKIXExtensionAttributes_GetExtensionAttributes
- * NSSPKIXExtensionAttributes_SetExtensionAttributes
- * NSSPKIXExtensionAttributes_GetExtensionAttribute
- * NSSPKIXExtensionAttributes_SetExtensionAttribute
- * NSSPKIXExtensionAttributes_InsertExtensionAttribute
- * NSSPKIXExtensionAttributes_AppendExtensionAttribute
- * NSSPKIXExtensionAttributes_RemoveExtensionAttribute
- * NSSPKIXExtensionAttributes_FindExtensionAttribute
- * NSSPKIXExtensionAttributes_Equal
- * NSSPKIXExtensionAttributes_Duplicate
- *
- */
-
-/*
- * NSSPKIXExtensionAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-NSSPKIXExtensionAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXExtensionAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-NSSPKIXExtensionAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXExtensionAttribute ea1,
- ...
-);
-
-/*
- * NSSPKIXExtensionAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttributes_Destroy
-(
- NSSPKIXExtensionAttributes *eas
-);
-
-/*
- * NSSPKIXExtensionAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXExtensionAttributes_Encode
-(
- NSSPKIXExtensionAttributes *eas
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtensionAttributes_GetExtensionAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXExtensionAttributes_GetExtensionAttributeCount
-(
- NSSPKIXExtensionAttributes *eas
-);
-
-/*
- * NSSPKIXExtensionAttributes_GetExtensionAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXExtensionAttribute pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute **
-NSSPKIXExtensionAttributes_GetExtensionAttributes
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtensionAttributes_SetExtensionAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttributes_SetExtensionAttributes
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *ea[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXExtensionAttributes_GetExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-NSSPKIXExtensionAttributes_GetExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtensionAttributes_SetExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttributes_SetExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * NSSPKIXExtensionAttributes_InsertExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttributes_InsertExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * NSSPKIXExtensionAttributes_AppendExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttributes_AppendExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * NSSPKIXExtensionAttributes_RemoveExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttributes_RemoveExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
-);
-
-/*
- * NSSPKIXExtensionAttributes_FindExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * A nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXExtensionAttributes_FindExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * NSSPKIXExtensionAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXExtensionAttributes_Equal
-(
- NSSPKIXExtensionAttributes *eas1,
- NSSPKIXExtensionAttributes *eas2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXExtensionAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-NSSPKIXExtensionAttributes_Duplicate
-(
- NSSPKIXExtensionAttributes *eas,
- NSSArena *arenaOpt
-);
-
-/*
- * fgmr
- * There should be accessors to search the ExtensionAttributes and
- * return the value for a specific value, etc.
- */
-
-/*
- * ExtensionAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttribute ::= SEQUENCE {
- * extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
- * extension-attribute-value [1]
- * ANY DEFINED BY extension-attribute-type }
- *
- * The public calls for this type:
- *
- * NSSPKIXExtensionAttribute_Decode
- * NSSPKIXExtensionAttribute_Create
- * NSSPKIXExtensionAttribute_Destroy
- * NSSPKIXExtensionAttribute_Encode
- * NSSPKIXExtensionAttribute_GetExtensionsAttributeType
- * NSSPKIXExtensionAttribute_SetExtensionsAttributeType
- * NSSPKIXExtensionAttribute_GetExtensionsAttributeValue
- * NSSPKIXExtensionAttribute_SetExtensionsAttributeValue
- * NSSPKIXExtensionAttribute_Equal
- * NSSPKIXExtensionAttribute_Duplicate
- *
- */
-
-/*
- * NSSPKIXExtensionAttribute_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-NSSPKIXExtensionAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXExtensionAttribute_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE_TYPE
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-NSSPKIXExtensionAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXExtensionAttributeType type,
- NSSItem *value
-);
-
-/*
- * NSSPKIXExtensionAttribute_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttribute_Destroy
-(
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * NSSPKIXExtensionAttribute_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXExtensionAttribute_Encode
-(
- NSSPKIXExtensionAttribute *ea,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtensionAttribute_GetExtensionsAttributeType
- *
- * -- fgmr comments --
- * {One of these objects created from BER generated by a program
- * adhering to a later version of the PKIX standards might have
- * a value not mentioned in the enumeration definition. This isn't
- * a bug.}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * A member of the NSSPKIXExtensionAttributeType enumeration
- * upon success
- * NSSPKIXExtensionAttributeType_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributeType
-NSSPKIXExtensionAttribute_GetExtensionsAttributeType
-(
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * NSSPKIXExtensionAttribute_SetExtensionsAttributeType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttribute_SetExtensionsAttributeType
-(
- NSSPKIXExtensionAttribute *ea,
- NSSPKIXExtensionAttributeType type
-);
-
-/*
- * NSSPKIXExtensionAttribute_GetExtensionsAttributeValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXExtensionAttribute_GetExtensionsAttributeValue
-(
- NSSPKIXExtensionAttribute *ea,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtensionAttribute_SetExtensionsAttributeValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtensionAttribute_SetExtensionsAttributeValue
-(
- NSSPKIXExtensionAttribute *ea,
- NSSItem *value
-);
-
-/*
- * NSSPKIXExtensionAttribute_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXExtensionAttribute_Equal
-(
- NSSPKIXExtensionAttribute *ea1,
- NSSPKIXExtensionAttribute *ea2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXExtensionAttribute_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-NSSPKIXExtensionAttribute_Duplicate
-(
- NSSPKIXExtensionAttribute *ea,
- NSSArena *arenaOpt
-);
-
-/*
- * CommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXCommonName_Decode
- * NSSPKIXCommonName_CreateFromUTF8
- * NSSPKIXCommonName_Encode
- *
- */
-
-/*
- * NSSPKIXCommonName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCommonName *
-NSSPKIXCommonName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCommonName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCommonName *
-NSSPKIXCommonName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXCommonName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCommonName_Encode
-(
- NSSPKIXCommonName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexCommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXTeletexCommonName_Decode
- * NSSPKIXTeletexCommonName_CreateFromUTF8
- * NSSPKIXTeletexCommonName_Encode
- *
- */
-
-/*
- * NSSPKIXTeletexCommonName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexCommonName *
-NSSPKIXTeletexCommonName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexCommonName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexCommonName *
-NSSPKIXTeletexCommonName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXTeletexCommonName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexCommonName_Encode
-(
- NSSPKIXTeletexCommonName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexOrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationName ::=
- * TeletexString (SIZE (1..ub-organization-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXTeletexOrganizationName_Decode
- * NSSPKIXTeletexOrganizationName_CreateFromUTF8
- * NSSPKIXTeletexOrganizationName_Encode
- *
- */
-
-/*
- * NSSPKIXTeletexOrganizationName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationName *
-NSSPKIXTeletexOrganizationName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexOrganizationName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationName *
-NSSPKIXTeletexOrganizationName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXTeletexOrganizationName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATION_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexOrganizationName_Encode
-(
- NSSPKIXTeletexOrganizationName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexPersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexPersonalName ::= SET {
- * surname [0] TeletexString (SIZE (1..ub-surname-length)),
- * given-name [1] TeletexString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] TeletexString (SIZE
- * (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXTeletexPersonalName_Decode
- * NSSPKIXTeletexPersonalName_Create
- * NSSPKIXTeletexPersonalName_Destroy
- * NSSPKIXTeletexPersonalName_Encode
- * NSSPKIXTeletexPersonalName_GetSurname
- * NSSPKIXTeletexPersonalName_SetSurname
- * NSSPKIXTeletexPersonalName_HasGivenName
- * NSSPKIXTeletexPersonalName_GetGivenName
- * NSSPKIXTeletexPersonalName_SetGivenName
- * NSSPKIXTeletexPersonalName_RemoveGivenName
- * NSSPKIXTeletexPersonalName_HasInitials
- * NSSPKIXTeletexPersonalName_GetInitials
- * NSSPKIXTeletexPersonalName_SetInitials
- * NSSPKIXTeletexPersonalName_RemoveInitials
- * NSSPKIXTeletexPersonalName_HasGenerationQualifier
- * NSSPKIXTeletexPersonalName_GetGenerationQualifier
- * NSSPKIXTeletexPersonalName_SetGenerationQualifier
- * NSSPKIXTeletexPersonalName_RemoveGenerationQualifier
- * NSSPKIXTeletexPersonalName_Equal
- * NSSPKIXTeletexPersonalName_Duplicate
- *
- */
-
-/*
- * NSSPKIXTeletexPersonalName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexPersonalName *
-NSSPKIXTeletexPersonalName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexPersonalName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexPersonalName *
-NSSPKIXTeletexPersonalName_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *surname,
- NSSUTF8 *givenNameOpt,
- NSSUTF8 *initialsOpt,
- NSSUTF8 *generationQualifierOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_Destroy
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * NSSPKIXTeletexPersonalName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexPersonalName_Encode
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_GetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexPersonalName_GetSurname
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_SetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_SetSurname
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *surname
-);
-
-/*
- * NSSPKIXTeletexPersonalName_HasGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexPersonalName_HasGivenName
-(
- NSSPKIXTeletexPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_GetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexPersonalName_GetGivenName
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_SetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_SetGivenName
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *givenName
-);
-
-/*
- * NSSPKIXTeletexPersonalName_RemoveGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_RemoveGivenName
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * NSSPKIXTeletexPersonalName_HasInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexPersonalName_HasInitials
-(
- NSSPKIXTeletexPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_GetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexPersonalName_GetInitials
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_SetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_SetInitials
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *initials
-);
-
-/*
- * NSSPKIXTeletexPersonalName_RemoveInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_RemoveInitials
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * NSSPKIXTeletexPersonalName_HasGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexPersonalName_HasGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_GetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexPersonalName_GetGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_SetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_SetGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *generationQualifier
-);
-
-/*
- * NSSPKIXTeletexPersonalName_RemoveGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexPersonalName_RemoveGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * NSSPKIXTeletexPersonalName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexPersonalName_Equal
-(
- NSSPKIXTeletexPersonalName *personalName1,
- NSSPKIXTeletexPersonalName *personalName2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexPersonalName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexPersonalName *
-NSSPKIXTeletexPersonalName_Duplicate
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
- * (1..ub-organizational-units) OF TeletexOrganizationalUnitName
- *
- * The public calls for the type:
- *
- * NSSPKIXTeletexOrganizationalUnitNames_Decode
- * NSSPKIXTeletexOrganizationalUnitNames_Create
- * NSSPKIXTeletexOrganizationalUnitNames_Destroy
- * NSSPKIXTeletexOrganizationalUnitNames_Encode
- * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
- * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
- * NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
- * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
- * NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
- * NSSPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
- * NSSPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
- * NSSPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
- * NSSPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
- * NSSPKIXTeletexOrganizationalUnitNames_Equal
- * NSSPKIXTeletexOrganizationalUnitNames_Duplicate
- *
- */
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
-NSSPKIXTeletexOrganizationalUnitNames_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
-NSSPKIXTeletexOrganizationalUnitNames_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTeletexOrganizationalUnitName *ou1,
- ...
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexOrganizationalUnitNames_Destroy
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexOrganizationalUnitNames_Encode
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXTeletexOrganizationalUnitName
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName **
-NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *ou[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
-NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexOrganizationalUnitNames_Equal
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous1,
- NSSPKIXTeletexOrganizationalUnitNames *ous2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitNames_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
-NSSPKIXTeletexOrganizationalUnitNames_Duplicate
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitName ::= TeletexString
- * (SIZE (1..ub-organizational-unit-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXTeletexOrganizationalUnitName_Decode
- * NSSPKIXTeletexOrganizationalUnitName_CreateFromUTF8
- * NSSPKIXTeletexOrganizationalUnitName_Encode
- *
- */
-
-/*
- * NSSPKIXTeletexOrganizationalUnitName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
-NSSPKIXTeletexOrganizationalUnitName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
-NSSPKIXTeletexOrganizationalUnitName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXTeletexOrganizationalUnitName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexOrganizationalUnitName_Encode
-(
- NSSPKIXTeletexOrganizationalUnitName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PDSName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
- *
- * The public calls for this type:
- *
- * NSSPKIXPDSName_Decode
- * NSSPKIXPDSName_CreateFromUTF8
- * NSSPKIXPDSName_Encode
- *
- */
-
-/*
- * NSSPKIXPDSName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSName *
-NSSPKIXPDSName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPDSName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSName *
-NSSPKIXPDSName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXPDSName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPDSName_Encode
-(
- NSSPKIXPDSName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PhysicalDeliveryCountryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryCountryName ::= CHOICE {
- * x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
- * iso-3166-alpha2-code PrintableString
- * (SIZE (ub-country-name-alpha-length)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXPhysicalDeliveryCountryName_Decode
- * NSSPKIXPhysicalDeliveryCountryName_CreateFromUTF8
- * NSSPKIXPhysicalDeliveryCountryName_Encode
- *
- */
-
-/*
- * NSSPKIXPhysicalDeliveryCountryName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
-NSSPKIXPhysicalDeliveryCountryName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPhysicalDeliveryCountryName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
-NSSPKIXPhysicalDeliveryCountryName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXPhysicalDeliveryCountryName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PHYSICAL_DELIVERY_COUNTRY_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPhysicalDeliveryCountryName_Encode
-(
- NSSPKIXPhysicalDeliveryCountryName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PostalCode
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PostalCode ::= CHOICE {
- * numeric-code NumericString (SIZE (1..ub-postal-code-length)),
- * printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXPostalCode_Decode
- * NSSPKIXPostalCode_CreateFromUTF8
- * NSSPKIXPostalCode_Encode
- *
- */
-
-/*
- * NSSPKIXPostalCode_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPostalCode upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPostalCode *
-NSSPKIXPostalCode_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPostalCode_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPostalCode upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPostalCode *
-NSSPKIXPostalCode_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXPostalCode_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POSTAL_CODE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPostalCode_Encode
-(
- NSSPKIXPostalCode *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PDSParameter
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSParameter ::= SET {
- * printable-string PrintableString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXPDSParameter_Decode
- * NSSPKIXPDSParameter_CreateFromUTF8
- * NSSPKIXPDSParameter_Create
- * NSSPKIXPDSParameter_Delete
- * NSSPKIXPDSParameter_Encode
- * NSSPKIXPDSParameter_GetUTF8Encoding
- * NSSPKIXPDSParameter_HasPrintableString
- * NSSPKIXPDSParameter_GetPrintableString
- * NSSPKIXPDSParameter_SetPrintableString
- * NSSPKIXPDSParameter_RemovePrintableString
- * NSSPKIXPDSParameter_HasTeletexString
- * NSSPKIXPDSParameter_GetTeletexString
- * NSSPKIXPDSParameter_SetTeletexString
- * NSSPKIXPDSParameter_RemoveTeletexString
- * NSSPKIXPDSParameter_Equal
- * NSSPKIXPDSParameter_Duplicate
- */
-
-/*
- * NSSPKIXPDSParameter_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-NSSPKIXPDSParameter_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPDSParameter_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-NSSPKIXPDSParameter_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXPDSParameter_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-NSSPKIXPDSParameter_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *printableStringOpt,
- NSSUTF8 *teletexStringOpt
-);
-
-/*
- * NSSPKIXPDSParameter_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPDSParameter_Destroy
-(
- NSSPKIXPDSParameter *p
-);
-
-/*
- * NSSPKIXPDSParameter_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPDSParameter_Encode
-(
- NSSPKIXPDSParameter *p,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPDSParameter_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPDSParameter_GetUTF8Encoding
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPDSParameter_HasPrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPDSParameter_HasPrintableString
-(
- NSSPKIXPDSParameter *p,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPDSParameter_GetPrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPDSParameter_GetPrintableString
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPDSParameter_SetPrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPDSParameter_SetPrintableString
-(
- NSSPKIXPDSParameter *p,
- NSSUTF8 *printableString
-);
-
-/*
- * NSSPKIXPDSParameter_RemovePrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPDSParameter_RemovePrintableString
-(
- NSSPKIXPDSParameter *p
-);
-
-/*
- * NSSPKIXPDSParameter_HasTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPDSParameter_HasTeletexString
-(
- NSSPKIXPDSParameter *p,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPDSParameter_GetTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXPDSParameter_GetTeletexString
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPDSParameter_SetTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPDSParameter_SetTeletexString
-(
- NSSPKIXPDSParameter *p,
- NSSUTF8 *teletexString
-);
-
-/*
- * NSSPKIXPDSParameter_RemoveTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPDSParameter_RemoveTeletexString
-(
- NSSPKIXPDSParameter *p
-);
-
-/*
- * NSSPKIXPDSParameter_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPDSParameter_Equal
-(
- NSSPKIXPDSParameter *p1,
- NSSPKIXPDSParameter *p2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPDSParameter_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-NSSPKIXPDSParameter_Duplicate
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * fgmr: what about these PDS types?
- *
- * PhysicalDeliveryOfficeName
- *
- * PhysicalDeliveryOfficeNumber
- *
- * ExtensionORAddressComponents
- *
- * PhysicalDeliveryPersonalName
- *
- * PhysicalDeliveryOrganizationName
- *
- * ExtensionPhysicalDeliveryAddressComponents
- *
- * StreetAddress
- *
- * PostOfficeBoxAddress
- *
- * PosteRestanteAddress
- *
- * UniquePostalName
- *
- * LocalPostalAttributes
- *
- */
-
-/*
- * UnformattedPostalAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UnformattedPostalAddress ::= SET {
- * printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
- * PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
- *
- * The public calls for the type:
- *
- *
- */
-
-/*
- * ExtendedNetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtendedNetworkAddress ::= CHOICE {
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- * psap-address [0] PresentationAddress }
- *
- * The public calls for the type:
- *
- * NSSPKIXExtendedNetworkAddress_Decode
- * NSSPKIXExtendedNetworkAddress_Create
- * NSSPKIXExtendedNetworkAddress_Destroy
- * NSSPKIXExtendedNetworkAddress_Encode
- * NSSPKIXExtendedNetworkAddress_GetChoice
- * NSSPKIXExtendedNetworkAddress_Get
- * NSSPKIXExtendedNetworkAddress_GetE1634Address
- * NSSPKIXExtendedNetworkAddress_GetPsapAddress
- * NSSPKIXExtendedNetworkAddress_Set
- * NSSPKIXExtendedNetworkAddress_SetE163Address
- * NSSPKIXExtendedNetworkAddress_SetPsapAddress
- * NSSPKIXExtendedNetworkAddress_Equal
- * NSSPKIXExtendedNetworkAddress_Duplicate
- *
- */
-
-/*
- * NSSPKIXExtendedNetworkAddress_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-NSSPKIXExtendedNetworkAddress_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-NSSPKIXExtendedNetworkAddress_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXExtendedNetworkAddressChoice choice,
- void *address
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_CreateFromE1634Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-NSSPKIXExtendedNetworkAddress_CreateFromE1634Address
-(
- NSSArena *arenaOpt,
- NSSPKIXe1634Address *e1634address
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_CreateFromPresentationAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-NSSPKIXExtendedNetworkAddress_CreateFromPresentationAddress
-(
- NSSArena *arenaOpt,
- NSSPKIXPresentationAddress *presentationAddress
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtendedNetworkAddress_Destroy
-(
- NSSPKIXExtendedNetworkAddress *ena
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXExtendedNetworkAddress_Encode
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * A valid element of the NSSPKIXExtendedNetworkAddressChoice upon
- * success
- * The value NSSPKIXExtendedNetworkAddress_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddressChoice
-NSSPKIXExtendedNetworkAddress_GetChoice
-(
- NSSPKIXExtendedNetworkAddress *ena
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A pointer...
- * NULL upon failure
- */
-
-NSS_EXTERN void *
-NSSPKIXExtendedNetworkAddress_GetSpecifiedChoice
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXExtendedNetworkAddressChoice which,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_GetE1634Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1643Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1643Address *
-NSSPKIXExtendedNetworkAddress_GetE1634Address
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_GetPresentationAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer to an NSSPKIXPresentationAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPresentationAddress *
-NSSPKIXExtendedNetworkAddress_GetPresentationAddress
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_SetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtendedNetworkAddress_SetSpecifiedChoice
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXExtendedNetworkAddressChoice which,
- void *address
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_SetE163Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtendedNetworkAddress_SetE163Address
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXe1634Address *e1634address
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_SetPresentationAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtendedNetworkAddress_SetPresentationAddress
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXPresentationAddress *presentationAddress
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXExtendedNetworkAddress_Equal
-(
- NSSPKIXExtendedNetworkAddress *ena1,
- NSSPKIXExtendedNetworkAddress *ena2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXExtendedNetworkAddress_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-NSSPKIXExtendedNetworkAddress_Duplicate
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSArena *arenaOpt
-);
-
-/*
- * e163-4-address
- *
- * Helper structure for ExtendedNetworkAddress.
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- *
- * The public calls for the type:
- *
- * NSSPKIXe1634Address_Decode
- * NSSPKIXe1634Address_Create
- * NSSPKIXe1634Address_Destroy
- * NSSPKIXe1634Address_Encode
- * NSSPKIXe1634Address_GetNumber
- * NSSPKIXe1634Address_SetNumber
- * NSSPKIXe1634Address_HasSubAddress
- * NSSPKIXe1634Address_GetSubAddress
- * NSSPKIXe1634Address_SetSubAddress
- * NSSPKIXe1634Address_RemoveSubAddress
- * NSSPKIXe1634Address_Equal
- * NSSPKIXe1634Address_Duplicate
- *
- */
-
-/*
- * NSSPKIXe1634Address_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1634Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1634Address *
-NSSPKIXe1634Address_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXe1634Address_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1634Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1634Address *
-NSSPKIXe1634Address_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *number,
- NSSUTF8 *subAddressOpt
-);
-
-/*
- * NSSPKIXe1634Address_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXe1634Address_Destroy
-(
- NSSPKIXe1634Address *e
-);
-
-/*
- * NSSPKIXe1634Address_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXe1634Address_Encode
-(
- NSSPKIXe1634Address *e,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXe1634Address_GetNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXe1634Address_GetNumber
-(
- NSSPKIXe1634Address *e,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXe1634Address_SetNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXe1634Address_SetNumber
-(
- NSSPKIXe1634Address *e,
- NSSUTF8 *number
-);
-
-/*
- * NSSPKIXe1634Address_HasSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXe1634Address_HasSubAddress
-(
- NSSPKIXe1634Address *e,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXe1634Address_GetSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXe1634Address_GetSubAddress
-(
- NSSPKIXe1634Address *e,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXe1634Address_SetSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXe1634Address_SetSubAddress
-(
- NSSPKIXe1634Address *e,
- NSSUTF8 *subAddress
-);
-
-/*
- * NSSPKIXe1634Address_RemoveSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXe1634Address_RemoveSubAddress
-(
- NSSPKIXe1634Address *e
-);
-
-/*
- * NSSPKIXe1634Address_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXe1634Address_Equal
-(
- NSSPKIXe1634Address *e1,
- NSSPKIXe1634Address *e2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXe1634Address_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1634Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1634Address *
-NSSPKIXe1634Address_Duplicate
-(
- NSSPKIXe1634Address *e,
- NSSArena *arenaOpt
-);
-
-/*
- * PresentationAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PresentationAddress ::= SEQUENCE {
- * pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
- * sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
- * tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
- * nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
- *
- * The public calls for the type:
- *
- * NSSPKIXPresentationAddress_Decode
- * NSSPKIXPresentationAddress_Create
- * NSSPKIXPresentationAddress_Destroy
- * NSSPKIXPresentationAddress_Encode
- * NSSPKIXPresentationAddress_HasPSelector
- * NSSPKIXPresentationAddress_GetPSelector
- * NSSPKIXPresentationAddress_SetPSelector
- * NSSPKIXPresentationAddress_RemovePSelector
- * NSSPKIXPresentationAddress_HasSSelector
- * NSSPKIXPresentationAddress_GetSSelector
- * NSSPKIXPresentationAddress_SetSSelector
- * NSSPKIXPresentationAddress_RemoveSSelector
- * NSSPKIXPresentationAddress_HasTSelector
- * NSSPKIXPresentationAddress_GetTSelector
- * NSSPKIXPresentationAddress_SetTSelector
- * NSSPKIXPresentationAddress_RemoveTSelector
- * NSSPKIXPresentationAddress_HasNAddresses
- * NSSPKIXPresentationAddress_GetNAddresses
- * NSSPKIXPresentationAddress_SetNAddresses
- * NSSPKIXPresentationAddress_RemoveNAddresses
- *{NAddresses must be more complex than that}
- * NSSPKIXPresentationAddress_Compare
- * NSSPKIXPresentationAddress_Duplicate
- *
- */
-
-/*
- * TeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
- *
- * The public calls for the type:
- *
- * NSSPKIXTeletexDomainDefinedAttributes_Decode
- * NSSPKIXTeletexDomainDefinedAttributes_Create
- * NSSPKIXTeletexDomainDefinedAttributes_Destroy
- * NSSPKIXTeletexDomainDefinedAttributes_Encode
- * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
- * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
- * NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
- * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
- * NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
- * NSSPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
- * NSSPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
- * NSSPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
- * NSSPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
- * NSSPKIXTeletexDomainDefinedAttributes_Equal
- * NSSPKIXTeletexDomainDefinedAttributes_Duplicate
- *
- */
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
-NSSPKIXTeletexDomainDefinedAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
-NSSPKIXTeletexDomainDefinedAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTeletexDomainDefinedAttribute *tdda1,
- ...
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttributes_Destroy
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexDomainDefinedAttributes_Encode
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXTeletexDomainDefinedAttribute
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute **
-NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *tdda[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * The nonnegative integer upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexDomainDefinedAttributes_Equal
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas1,
- NSSPKIXTeletexDomainDefinedAttributes *tddas2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
-NSSPKIXTeletexDomainDefinedAttributes_Duplicate
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttribute ::= SEQUENCE {
- * type TeletexString
- * (SIZE (1..ub-domain-defined-attribute-type-length)),
- * value TeletexString
- * (SIZE (1..ub-domain-defined-attribute-value-length)) }
- *
- * The public calls for the type:
- *
- * NSSPKIXTeletexDomainDefinedAttribute_Decode
- * NSSPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
- * NSSPKIXTeletexDomainDefinedAttribute_Create
- * NSSPKIXTeletexDomainDefinedAttribute_Destroy
- * NSSPKIXTeletexDomainDefinedAttribute_Encode
- * NSSPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
- * NSSPKIXTeletexDomainDefinedAttribute_GetType
- * NSSPKIXTeletexDomainDefinedAttribute_SetType
- * NSSPKIXTeletexDomainDefinedAttribute_GetValue
- * NSSPKIXTeletexDomainDefinedAttribute_GetValue
- * NSSPKIXTeletexDomainDefinedAttribute_Equal
- * NSSPKIXTeletexDomainDefinedAttribute_Duplicate
- *
- */
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-NSSPKIXTeletexDomainDefinedAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-NSSPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-NSSPKIXTeletexDomainDefinedAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *type,
- NSSUTF8 *value
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttribute_Destroy
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXTeletexDomainDefinedAttribute_Encode
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_GetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexDomainDefinedAttribute_GetType
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_SetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttribute_SetType
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSUTF8 *type
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXTeletexDomainDefinedAttribute_GetValue
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXTeletexDomainDefinedAttribute_SetValue
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSUTF8 *value
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXTeletexDomainDefinedAttribute_Equal
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda1,
- NSSPKIXTeletexDomainDefinedAttribute *tdda2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXTeletexDomainDefinedAttribute_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-NSSPKIXTeletexDomainDefinedAttribute_Duplicate
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * AuthorityKeyIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityKeyIdentifier ::= SEQUENCE {
- * keyIdentifier [0] KeyIdentifier OPTIONAL,
- * authorityCertIssuer [1] GeneralNames OPTIONAL,
- * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
- * -- authorityCertIssuer and authorityCertSerialNumber shall both
- * -- be present or both be absent
- *
- * The public calls for the type:
- *
- * NSSPKIXAuthorityKeyIdentifier_Decode
- * NSSPKIXAuthorityKeyIdentifier_Create
- * NSSPKIXAuthorityKeyIdentifier_Destroy
- * NSSPKIXAuthorityKeyIdentifier_Encode
- * NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier
- * NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier
- * NSSPKIXAuthorityKeyIdentifier_SetKeyIdentifier
- * NSSPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
- * NSSPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
- * NSSPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
- * NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
- * NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
- * NSSPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
- * NSSPKIXAuthorityKeyIdentifier_Equal
- * NSSPKIXAuthorityKeyIdentifier_Duplicate
- *
- */
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
-NSSPKIXAuthorityKeyIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARGUMENTS
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
-NSSPKIXAuthorityKeyIdentifier_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXKeyIdentifier *keyIdentifierOpt,
- NSSPKIXGeneralNames *authorityCertIssuerOpt,
- NSSPKIXCertificateSerialNumber *authorityCertSerialNumberOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityKeyIdentifier_Destroy
-(
- NSSPKIXAuthorityKeyIdentifier *aki
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAuthorityKeyIdentifier_Encode
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_KEY_IDENTIFIER
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyIdentifier *
-NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXKeyIdentifier *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_SetKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityKeyIdentifier_SetKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXKeyIdentifier *keyIdentifier
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_HAS_NO_KEY_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if it has them
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateSerialNumber upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateSerialNumber *
-NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXCertificateSerialNumber *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXGeneralNames *issuer,
- NSSPKIXCertificateSerialNumber *serialNumber
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAuthorityKeyIdentifier_Equal
-(
- NSSPKIXAuthorityKeyIdentifier *aki1,
- NSSPKIXAuthorityKeyIdentifier *aki2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAuthorityKeyIdentifier_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
-NSSPKIXAuthorityKeyIdentifier_Duplicate
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSArena *arenaOpt
-);
-
-/*
- * KeyUsage
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * KeyUsage ::= BIT STRING {
- * digitalSignature (0),
- * nonRepudiation (1),
- * keyEncipherment (2),
- * dataEncipherment (3),
- * keyAgreement (4),
- * keyCertSign (5),
- * cRLSign (6),
- * encipherOnly (7),
- * decipherOnly (8) }
- *
- * The public calls for the type:
- *
- * NSSPKIXKeyUsage_Decode
- * NSSPKIXKeyUsage_CreateFromUTF8
- * NSSPKIXKeyUsage_CreateFromValue
- * NSSPKIXKeyUsage_Destroy
- * NSSPKIXKeyUsage_Encode
- * NSSPKIXKeyUsage_GetUTF8Encoding
- * NSSPKIXKeyUsage_GetValue
- * NSSPKIXKeyUsage_SetValue
- * { bitwise accessors? }
- * NSSPKIXKeyUsage_Equal
- * NSSPKIXKeyUsage_Duplicate
- *
- */
-
-/*
- * NSSPKIXKeyUsage_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-NSSPKIXKeyUsage_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXKeyUsage_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-NSSPKIXKeyUsage_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXKeyUsage_CreateFromValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-NSSPKIXKeyUsage_CreateFromValue
-(
- NSSArena *arenaOpt,
- NSSPKIXKeyUsageValue value
-);
-
-/*
- * NSSPKIXKeyUsage_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXKeyUsage_Destroy
-(
- NSSPKIXKeyUsage *keyUsage
-);
-
-/*
- * NSSPKIXKeyUsage_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXKeyUsage_Encode
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXKeyUsage_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXKeyUsage_GetUTF8Encoding
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXKeyUsage_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * A set of NSSKeyUsageValue values OR-d together upon success
- * NSSKeyUsage_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSKeyUsageValue
-NSSPKIXKeyUsage_GetValue
-(
- NSSPKIXKeyUsage *keyUsage
-);
-
-/*
- * NSSPKIXKeyUsage_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXKeyUsage_SetValue
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSPKIXKeyUsageValue value
-);
-
-/*
- * NSSPKIXKeyUsage_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXKeyUsage_Equal
-(
- NSSPKIXKeyUsage *keyUsage1,
- NSSPKIXKeyUsage *keyUsage2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXKeyUsage_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-NSSPKIXKeyUsage_Duplicate
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSArena *arenaOpt
-);
-
-/*
- * PrivateKeyUsagePeriod
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PrivateKeyUsagePeriod ::= SEQUENCE {
- * notBefore [0] GeneralizedTime OPTIONAL,
- * notAfter [1] GeneralizedTime OPTIONAL }
- * -- either notBefore or notAfter shall be present
- *
- * The public calls for the type:
- *
- * NSSPKIXPrivateKeyUsagePeriod_Decode
- * NSSPKIXPrivateKeyUsagePeriod_Create
- * NSSPKIXPrivateKeyUsagePeriod_Destroy
- * NSSPKIXPrivateKeyUsagePeriod_Encode
- * NSSPKIXPrivateKeyUsagePeriod_HasNotBefore
- * NSSPKIXPrivateKeyUsagePeriod_GetNotBefore
- * NSSPKIXPrivateKeyUsagePeriod_SetNotBefore
- * NSSPKIXPrivateKeyUsagePeriod_RemoveNotBefore
- * NSSPKIXPrivateKeyUsagePeriod_HasNotAfter
- * NSSPKIXPrivateKeyUsagePeriod_GetNotAfter
- * NSSPKIXPrivateKeyUsagePeriod_SetNotAfter
- * NSSPKIXPrivateKeyUsagePeriod_RemoveNotAfter
- * NSSPKIXPrivateKeyUsagePeriod_Equal
- * NSSPKIXPrivateKeyUsagePeriod_Duplicate
- *
- */
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
-NSSPKIXPrivateKeyUsagePeriod_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_TIME
- * NSS_ERROR_INVALID_ARGUMENTS
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
-NSSPKIXPrivateKeyUsagePeriod_Create
-(
- NSSArena *arenaOpt,
- NSSTime *notBeforeOpt,
- NSSTime *notAfterOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPrivateKeyUsagePeriod_Destroy
-(
- NSSPKIXPrivateKeyUsagePeriod *period
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPrivateKeyUsagePeriod_Encode
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_HasNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPrivateKeyUsagePeriod_HasNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_GetNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NOT_BEFORE
- *
- * Return value:
- * NSSTime {fgmr!}
- * NULL upon failure
- */
-
-NSS_EXTERN NSSTime *
-NSSPKIXPrivateKeyUsagePeriod_GetNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_SetNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_TIME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPrivateKeyUsagePeriod_SetNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSTime *notBefore
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_RemoveNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_HAS_NO_NOT_BEFORE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPrivateKeyUsagePeriod_RemoveNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_HasNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPrivateKeyUsagePeriod_HasNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_GetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NOT_AFTER
- *
- * Return value:
- * NSSTime {fgmr!}
- * NULL upon failure
- */
-
-NSS_EXTERN NSSTime *
-NSSPKIXPrivateKeyUsagePeriod_GetNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_SetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_TIME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPrivateKeyUsagePeriod_SetNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSTime *notAfter
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_RemoveNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_HAS_NO_NOT_AFTER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPrivateKeyUsagePeriod_RemoveNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPrivateKeyUsagePeriod_Equal
-(
- NSSPKIXPrivateKeyUsagePeriod *period1,
- NSSPKIXPrivateKeyUsagePeriod *period2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPrivateKeyUsagePeriod_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
-NSSPKIXPrivateKeyUsagePeriod_Duplicate
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSArena *arenaOpt
-);
-
-/*
- * CertificatePolicies
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
- *
- * The public calls for the type:
- *
- * NSSPKIXCertificatePolicies_Decode
- * NSSPKIXCertificatePolicies_Create
- * NSSPKIXCertificatePolicies_Destroy
- * NSSPKIXCertificatePolicies_Encode
- * NSSPKIXCertificatePolicies_GetPolicyInformationCount
- * NSSPKIXCertificatePolicies_GetPolicyInformations
- * NSSPKIXCertificatePolicies_SetPolicyInformations
- * NSSPKIXCertificatePolicies_GetPolicyInformation
- * NSSPKIXCertificatePolicies_SetPolicyInformation
- * NSSPKIXCertificatePolicies_InsertPolicyInformation
- * NSSPKIXCertificatePolicies_AppendPolicyInformation
- * NSSPKIXCertificatePolicies_RemovePolicyInformation
- * NSSPKIXCertificatePolicies_FindPolicyInformation
- * NSSPKIXCertificatePolicies_Equal
- * NSSPKIXCertificatePolicies_Duplicate
- *
- */
-
-/*
- * NSSPKIXCertificatePolicies_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificatePolicies upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificatePolicies *
-NSSPKIXCertificatePolicies_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCertificatePolicies_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificatePolicies upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificatePolicies *
-NSSPKIXCertificatePolicies_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXPolicyInformation *pi1,
- ...
-);
-
-/*
- * NSSPKIXCertificatePolicies_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificatePolicies_Destroy
-(
- NSSPKIXCertificatePolicies *cp
-);
-
-/*
- * NSSPKIXCertificatePolicies_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCertificatePolicies_Encode
-(
- NSSPKIXCertificatePolicies *cp,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificatePolicies_GetPolicyInformationCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXCertificatePolicies_GetPolicyInformationCount
-(
- NSSPKIXCertificatePolicies *cp
-);
-
-/*
- * NSSPKIXCertificatePolicies_GetPolicyInformations
- *
- * We regret the function name.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXPolicyInformation pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation **
-NSSPKIXCertificatePolicies_GetPolicyInformations
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificatePolicies_SetPolicyInformations
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificatePolicies_SetPolicyInformations
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *pi[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXCertificatePolicies_GetPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-NSSPKIXCertificatePolicies_GetPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCertificatePolicies_SetPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificatePolicies_SetPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXCertificatePolicies_InsertPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificatePolicies_InsertPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXCertificatePolicies_AppendPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificatePolicies_AppendPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXCertificatePolicies_RemovePolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCertificatePolicies_RemovePolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i
-);
-
-/*
- * NSSPKIXCertificatePolicies_FindPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * The nonnegative integer upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXCertificatePolicies_FindPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXCertificatePolicies_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXCertificatePolicies_Equal
-(
- NSSPKIXCertificatePolicies *cp1,
- NSSPKIXCertificatePolicies *cp2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXCertificatePolicies_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificatePolicies upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificatePolicies *
-NSSPKIXCertificatePolicies_Duplicate
-(
- NSSPKIXCertificatePolicies *cp,
- NSSArena *arenaOpt
-);
-
-/*
- * PolicyInformation
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyInformation ::= SEQUENCE {
- * policyIdentifier CertPolicyId,
- * policyQualifiers SEQUENCE SIZE (1..MAX) OF
- * PolicyQualifierInfo OPTIONAL }
- *
- * The public calls for the type:
- *
- * NSSPKIXPolicyInformation_Decode
- * NSSPKIXPolicyInformation_Create
- * NSSPKIXPolicyInformation_Destroy
- * NSSPKIXPolicyInformation_Encode
- * NSSPKIXPolicyInformation_GetPolicyIdentifier
- * NSSPKIXPolicyInformation_SetPolicyIdentifier
- * NSSPKIXPolicyInformation_GetPolicyQualifierCount
- * NSSPKIXPolicyInformation_GetPolicyQualifiers
- * NSSPKIXPolicyInformation_SetPolicyQualifiers
- * NSSPKIXPolicyInformation_GetPolicyQualifier
- * NSSPKIXPolicyInformation_SetPolicyQualifier
- * NSSPKIXPolicyInformation_InsertPolicyQualifier
- * NSSPKIXPolicyInformation_AppendPolicyQualifier
- * NSSPKIXPolicyInformation_RemovePolicyQualifier
- * NSSPKIXPolicyInformation_Equal
- * NSSPKIXPolicyInformation_Duplicate
- * { and accessors by specific policy qualifier ID }
- *
- */
-
-/*
- * NSSPKIXPolicyInformation_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-NSSPKIXPolicyInformation_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPolicyInformation_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-NSSPKIXPolicyInformation_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCertPolicyId *id,
- NSSPKIXPolicyQualifierInfo *pqi1,
- ...
-);
-
-/*
- * NSSPKIXPolicyInformation_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_Destroy
-(
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXPolicyInformation_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPolicyInformation_Encode
-(
- NSSPKIXPolicyInformation *pi,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyInformation_GetPolicyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid OID upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-NSSPKIXPolicyInformation_GetPolicyIdentifier
-(
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXPolicyInformation_SetPolicyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_SetPolicyIdentifier
-(
- NSSPKIXPolicyInformation *pi,
- NSSPKIXCertPolicyIdentifier *cpi
-);
-
-/*
- * NSSPKIXPolicyInformation_GetPolicyQualifierCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyInformation_GetPolicyQualifierCount
-(
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * NSSPKIXPolicyInformation_GetPolicyQualifiers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXPolicyQualifierInfo pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo **
-NSSPKIXPolicyInformation_GetPolicyQualifiers
-(
- NSSPKIXPolicyInformation *pi,
- NSSPKIXPolicyQualifierInfo *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyInformation_SetPolicyQualifiers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_SetPolicyQualifiers
-(
- NSSPKIXPolicyInformation *pi,
- NSSPKIXPolicyQualifierInfo *pqi[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXPolicyInformation_GetPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-NSSPKIXPolicyInformation_GetPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyInformation_SetPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_SetPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * NSSPKIXPolicyInformation_InsertPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_InsertPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * NSSPKIXPolicyInformation_AppendPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_AppendPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * NSSPKIXPolicyInformation_RemovePolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyInformation_RemovePolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i
-);
-
-/*
- * NSSPKIXPolicyInformation_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyInformation_Equal
-(
- NSSPKIXPolicyInformation *pi1,
- NSSPKIXPolicyInformation *pi2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPolicyInformation_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-NSSPKIXPolicyInformation_Duplicate
-(
- NSSPKIXPolicyInformation *pi,
- NSSArena *arenaOpt
-);
-
-/*
- * { and accessors by specific policy qualifier ID }
- *
- */
-
-/*
- * PolicyQualifierInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyQualifierInfo ::= SEQUENCE {
- * policyQualifierId PolicyQualifierId,
- * qualifier ANY DEFINED BY policyQualifierId }
- *
- * The public calls for the type:
- *
- * NSSPKIXPolicyQualifierInfo_Decode
- * NSSPKIXPolicyQualifierInfo_Create
- * NSSPKIXPolicyQualifierInfo_Destroy
- * NSSPKIXPolicyQualifierInfo_Encode
- * NSSPKIXPolicyQualifierInfo_GetPolicyQualifierID
- * NSSPKIXPolicyQualifierInfo_SetPolicyQualifierID
- * NSSPKIXPolicyQualifierInfo_GetQualifier
- * NSSPKIXPolicyQualifierInfo_SetQualifier
- * NSSPKIXPolicyQualifierInfo_Equal
- * NSSPKIXPolicyQualifierInfo_Duplicate
- * { and accessors by specific qualifier id/type }
- *
- */
-
-/*
- * NSSPKIXPolicyQualifierInfo_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-NSSPKIXPolicyQualifierInfo_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-NSSPKIXPolicyQualifierInfo_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXPolicyQualifierId *policyQualifierId,
- NSSItem *qualifier
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyQualifierInfo_Destroy
-(
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPolicyQualifierInfo_Encode
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_GetPolicyQualifierId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierId (an NSSOID) upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierId *
-NSSPKIXPolicyQualifierInfo_GetPolicyQualifierId
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_SetPolicyQualifierId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyQualifierInfo_SetPolicyQualifierId
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSPKIXPolicyQualifierId *pqid
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_GetQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXPolicyQualifierInfo_GetQualifier
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_SetQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyQualifierInfo_SetQualifier
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSItem *qualifier
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyQualifierInfo_Equal
-(
- NSSPKIXPolicyQualifierInfo *pqi1,
- NSSPKIXPolicyQualifierInfo *pqi2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPolicyQualifierInfo_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-NSSPKIXPolicyQualifierInfo_Duplicate
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSArena *arenaOpt
-);
-
-/*
- * { and accessors by specific qualifier id/type }
- *
- */
-
-/*
- * CPSuri
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CPSuri ::= IA5String
- *
- * The public calls for this type:
- *
- * NSSPKIXCPSuri_Decode
- * NSSPKIXCPSuri_CreateFromUTF8
- * NSSPKIXCPSuri_Encode
- *
- */
-
-/*
- * NSSPKIXCPSuri_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCPSuri upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCPSuri *
-NSSPKIXCPSuri_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCPSuri_CreateFromUTF8
- *
- * { basically just enforces the length and charset limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCPSuri upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCPSuri *
-NSSPKIXCPSuri_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXCPSuri_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CPS_URI
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCPSuri_Encode
-(
- NSSPKIXCPSuri *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * UserNotice
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UserNotice ::= SEQUENCE {
- * noticeRef NoticeReference OPTIONAL,
- * explicitText DisplayText OPTIONAL}
- *
- * The public calls for this type:
- *
- * NSSPKIXUserNotice_Decode
- * NSSPKIXUserNotice_Create
- * NSSPKIXUserNotice_Destroy
- * NSSPKIXUserNotice_Encode
- * NSSPKIXUserNotice_HasNoticeRef
- * NSSPKIXUserNotice_GetNoticeRef
- * NSSPKIXUserNotice_SetNoticeRef
- * NSSPKIXUserNotice_RemoveNoticeRef
- * NSSPKIXUserNotice_HasExplicitText
- * NSSPKIXUserNotice_GetExplicitText
- * NSSPKIXUserNotice_SetExplicitText
- * NSSPKIXUserNotice_RemoveExplicitText
- * NSSPKIXUserNotice_Equal
- * NSSPKIXUserNotice_Duplicate
- *
- */
-
-
-/*
- * NSSPKIXUserNotice_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXUserNotice upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUserNotice *
-NSSPKIXUserNotice_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXUserNotice_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- *
- * Return value:
- * A valid pointer to an NSSPKIXUserNotice upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUserNotice *
-NSSPKIXUserNotice_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXNoticeReference *noticeRef,
- NSSPKIXDisplayText *explicitText
-);
-
-/*
- * NSSPKIXUserNotice_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXUserNotice_Destroy
-(
- NSSPKIXUserNotice *userNotice
-);
-
-/*
- * NSSPKIXUserNotice_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXUserNotice_Encode
-(
- NSSPKIXUserNotice *userNotice,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXUserNotice_HasNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXUserNotice_HasNoticeRef
-(
- NSSPKIXUserNotice *userNotice,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXUserNotice_GetNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NOTICE_REF
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-NSSPKIXUserNotice_GetNoticeRef
-(
- NSSPKIXUserNotice *userNotice,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXUserNotice_SetNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXUserNotice_SetNoticeRef
-(
- NSSPKIXUserNotice *userNotice,
- NSSPKIXNoticeReference *noticeRef
-);
-
-/*
- * NSSPKIXUserNotice_RemoveNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_HAS_NO_NOTICE_REF
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXUserNotice_RemoveNoticeRef
-(
- NSSPKIXUserNotice *userNotice
-);
-
-/*
- * NSSPKIXUserNotice_HasExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_TRUE if it has some
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXUserNotice_HasExplicitText
-(
- NSSPKIXUserNotice *userNotice,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXUserNotice_GetExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_EXPLICIT_TEXT
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-NSSPKIXUserNotice_GetExplicitText
-(
- NSSPKIXUserNotice *userNotice,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXUserNotice_SetExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXUserNotice_SetExplicitText
-(
- NSSPKIXUserNotice *userNotice,
- NSSPKIXDisplayText *explicitText
-);
-
-/*
- * NSSPKIXUserNotice_RemoveExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_HAS_NO_EXPLICIT_TEXT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXUserNotice_RemoveExplicitText
-(
- NSSPKIXUserNotice *userNotice
-);
-
-/*
- * NSSPKIXUserNotice_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXUserNotice_Equal
-(
- NSSPKIXUserNotice *userNotice1,
- NSSPKIXUserNotice *userNotice2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXUserNotice_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXUserNotice upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUserNotice *
-NSSPKIXUserNotice_Duplicate
-(
- NSSPKIXUserNotice *userNotice,
- NSSArena *arenaOpt
-);
-
-/*
- * NoticeReference
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NoticeReference ::= SEQUENCE {
- * organization DisplayText,
- * noticeNumbers SEQUENCE OF INTEGER }
- *
- * The public calls for this type:
- *
- * NSSPKIXNoticeReference_Decode
- * NSSPKIXNoticeReference_Create
- * NSSPKIXNoticeReference_Destroy
- * NSSPKIXNoticeReference_Encode
- * NSSPKIXNoticeReference_GetOrganization
- * NSSPKIXNoticeReference_SetOrganization
- * NSSPKIXNoticeReference_GetNoticeNumberCount
- * NSSPKIXNoticeReference_GetNoticeNumbers
- * NSSPKIXNoticeReference_SetNoticeNumbers
- * NSSPKIXNoticeReference_GetNoticeNumber
- * NSSPKIXNoticeReference_SetNoticeNumber
- * NSSPKIXNoticeReference_InsertNoticeNumber
- * NSSPKIXNoticeReference_AppendNoticeNumber
- * NSSPKIXNoticeReference_RemoveNoticeNumber
- * { maybe number-exists-p gettor? }
- * NSSPKIXNoticeReference_Equal
- * NSSPKIXNoticeReference_Duplicate
- *
- */
-
-/*
- * NSSPKIXNoticeReference_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-NSSPKIXNoticeReference_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXNoticeReference_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-NSSPKIXNoticeReference_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDisplayText *organization,
- PRUint32 noticeCount,
- PRInt32 noticeNumber1,
- ...
-);
-
-/*
- * { fgmr -- or should the call that takes PRInt32 be _CreateFromValues,
- * and the _Create call take NSSBER integers? }
- */
-
-/*
- * NSSPKIXNoticeReference_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_Destroy
-(
- NSSPKIXNoticeReference *nr
-);
-
-/*
- * NSSPKIXNoticeReference_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXNoticeReference_Encode
-(
- NSSPKIXNoticeReference *nr,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXNoticeReference_GetOrganization
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-NSSPKIXNoticeReference_GetOrganization
-(
- NSSPKIXNoticeReference *nr,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXNoticeReference_SetOrganization
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_SetOrganization
-(
- NSSPKIXNoticeReference *nr,
- NSSPKIXDisplayText *organization
-);
-
-/*
- * NSSPKIXNoticeReference_GetNoticeNumberCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXNoticeReference_GetNoticeNumberCount
-(
- NSSPKIXNoticeReference *nr
-);
-
-/*
- * NSSPKIXNoticeReference_GetNoticeNumbers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of PRInt32 values upon success
- * NULL upon failure
- */
-
-NSS_EXTERN PRInt32 *
-NSSPKIXNoticeReference_GetNoticeNumbers
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXNoticeReference_SetNoticeNumbers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_SetNoticeNumbers
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 noticeNumbers[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXNoticeReference_GetNoticeNumber
- *
- * -- fgmr comments --
- * Because there is no natural "invalid" notice number value, we must
- * pass the number by reference, and return an explicit status value.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_GetNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i,
- PRInt32 *noticeNumberP
-);
-
-/*
- * NSSPKIXNoticeReference_SetNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_SetNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i,
- PRInt32 noticeNumber
-);
-
-/*
- * NSSPKIXNoticeReference_InsertNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_InsertNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i,
- PRInt32 noticeNumber
-);
-
-/*
- * NSSPKIXNoticeReference_AppendNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_AppendNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 noticeNumber
-);
-
-/*
- * NSSPKIXNoticeReference_RemoveNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNoticeReference_RemoveNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i
-);
-
-/*
- * { maybe number-exists-p gettor? }
- */
-
-/*
- * NSSPKIXNoticeReference_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXNoticeReference_Equal
-(
- NSSPKIXNoticeReference *nr1,
- NSSPKIXNoticeReference *nr2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXNoticeReference_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-NSSPKIXNoticeReference_Duplicate
-(
- NSSPKIXNoticeReference *nr,
- NSSArena *arenaOpt
-);
-
-/*
- * DisplayText
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DisplayText ::= CHOICE {
- * visibleString VisibleString (SIZE (1..200)),
- * bmpString BMPString (SIZE (1..200)),
- * utf8String UTF8String (SIZE (1..200)) }
- *
- * The public calls for this type:
- *
- * NSSPKIXDisplayText_Decode
- * NSSPKIXDisplayText_CreateFromUTF8
- * NSSPKIXDisplayText_Encode
- *
- */
-
-/*
- * NSSPKIXDisplayText_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-NSSPKIXDisplayText_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXDisplayText_CreateFromUTF8
- *
- * { basically just enforces the length and charset limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-NSSPKIXDisplayText_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXDisplayText_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXDisplayText_Encode
-(
- NSSPKIXDisplayText *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PolicyMappings
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- * The public calls for this type:
- *
- * NSSPKIXPolicyMappings_Decode
- * NSSPKIXPolicyMappings_Create
- * NSSPKIXPolicyMappings_Destroy
- * NSSPKIXPolicyMappings_Encode
- * NSSPKIXPolicyMappings_GetPolicyMappingCount
- * NSSPKIXPolicyMappings_GetPolicyMappings
- * NSSPKIXPolicyMappings_SetPolicyMappings
- * NSSPKIXPolicyMappings_GetPolicyMapping
- * NSSPKIXPolicyMappings_SetPolicyMapping
- * NSSPKIXPolicyMappings_InsertPolicyMapping
- * NSSPKIXPolicyMappings_AppendPolicyMapping
- * NSSPKIXPolicyMappings_RemovePolicyMapping
- * NSSPKIXPolicyMappings_FindPolicyMapping
- * NSSPKIXPolicyMappings_Equal
- * NSSPKIXPolicyMappings_Duplicate
- * NSSPKIXPolicyMappings_IssuerDomainPolicyExists
- * NSSPKIXPolicyMappings_SubjectDomainPolicyExists
- * NSSPKIXPolicyMappings_FindIssuerDomainPolicy
- * NSSPKIXPolicyMappings_FindSubjectDomainPolicy
- * NSSPKIXPolicyMappings_MapIssuerToSubject
- * NSSPKIXPolicyMappings_MapSubjectToIssuer
- * { find's and map's: what if there's more than one? }
- *
- */
-
-/*
- * NSSPKIXPolicyMappings_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyMappings upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyMappings *
-NSSPKIXPolicyMappings_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPolicyMappings_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyMappings upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyMappings *
-NSSPKIXPolicyMappings_Decode
-(
- NSSArena *arenaOpt,
- NSSPKIXpolicyMapping *policyMapping1,
- ...
-);
-
-/*
- * NSSPKIXPolicyMappings_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyMappings_Destroy
-(
- NSSPKIXPolicyMappings *policyMappings
-);
-
-/*
- * NSSPKIXPolicyMappings_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPolicyMappings_Encode
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_GetPolicyMappingCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyMappings_GetPolicyMappingCount
-(
- NSSPKIXPolicyMappings *policyMappings
-);
-
-/*
- * NSSPKIXPolicyMappings_GetPolicyMappings
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXpolicyMapping pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping **
-NSSPKIXPolicyMappings_GetPolicyMappings
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_SetPolicyMappings
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyMappings_SetPolicyMappings
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *policyMapping[]
- PRInt32 count
-);
-
-/*
- * NSSPKIXPolicyMappings_GetPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-NSSPKIXPolicyMappings_GetPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_SetPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyMappings_SetPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i,
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXPolicyMappings_InsertPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyMappings_InsertPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i,
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXPolicyMappings_AppendPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyMappings_AppendPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXPolicyMappings_RemovePolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyMappings_RemovePolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i
-);
-
-/*
- * NSSPKIXPolicyMappings_FindPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyMappings_FindPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXPolicyMappings_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyMappings_Equal
-(
- NSSPKIXPolicyMappings *policyMappings1,
- NSSPKIXpolicyMappings *policyMappings2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyMappings upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyMappings *
-NSSPKIXPolicyMappings_Duplicate
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_IssuerDomainPolicyExists
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * PR_TRUE if the specified domain policy OID exists
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyMappings_IssuerDomainPolicyExists
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_SubjectDomainPolicyExists
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * PR_TRUE if the specified domain policy OID exists
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyMappings_SubjectDomainPolicyExists
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *subjectDomainPolicy,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPolicyMappings_FindIssuerDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyMappings_FindIssuerDomainPolicy
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * NSSPKIXPolicyMappings_FindSubjectDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyMappings_FindSubjectDomainPolicy
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * NSSPKIXPolicyMappings_MapIssuerToSubject
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-NSSPKIXPolicyMappings_MapIssuerToSubject
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * NSSPKIXPolicyMappings_MapSubjectToIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-NSSPKIXPolicyMappings_MapSubjectToIssuer
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * policyMapping
- *
- * Helper structure for PolicyMappings
- *
- * SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- * The public calls for this type:
- *
- * NSSPKIXpolicyMapping_Decode
- * NSSPKIXpolicyMapping_Create
- * NSSPKIXpolicyMapping_Destroy
- * NSSPKIXpolicyMapping_Encode
- * NSSPKIXpolicyMapping_GetIssuerDomainPolicy
- * NSSPKIXpolicyMapping_SetIssuerDomainPolicy
- * NSSPKIXpolicyMapping_GetSubjectDomainPolicy
- * NSSPKIXpolicyMapping_SetSubjectDomainPolicy
- * NSSPKIXpolicyMapping_Equal
- * NSSPKIXpolicyMapping_Duplicate
- *
- */
-
-/*
- * NSSPKIXpolicyMapping_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-NSSPKIXpolicyMapping_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXpolicyMapping_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-NSSPKIXpolicyMapping_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCertPolicyId *issuerDomainPolicy,
- NSSPKIXCertPolicyId *subjectDomainPolicy
-);
-
-/*
- * NSSPKIXpolicyMapping_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXpolicyMapping_Destroy
-(
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXpolicyMapping_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXpolicyMapping_Encode
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXpolicyMapping_GetIssuerDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId OID upon success
- * NULL upon faliure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-NSSPKIXpolicyMapping_GetIssuerDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXpolicyMapping_SetIssuerDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXpolicyMapping_SetIssuerDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * NSSPKIXpolicyMapping_GetSubjectDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId OID upon success
- * NULL upon faliure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-NSSPKIXpolicyMapping_GetSubjectDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * NSSPKIXpolicyMapping_SetSubjectDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXpolicyMapping_SetSubjectDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSPKIXCertPolicyId *subjectDomainPolicy
-);
-
-/*
- * NSSPKIXpolicyMapping_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXpolicyMapping_Equal
-(
- NSSPKIXpolicyMapping *policyMapping1,
- NSSPKIXpolicyMapping *policyMapping2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXpolicyMapping_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-NSSPKIXpolicyMapping_Duplicate
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSArena *arenaOpt
-);
-
-/*
- * GeneralName
- *
- * This structure contains a union of the possible general names,
- * of which there are several.
- *
- * From RFC 2459:
- *
- * GeneralName ::= CHOICE {
- * otherName [0] AnotherName,
- * rfc822Name [1] IA5String,
- * dNSName [2] IA5String,
- * x400Address [3] ORAddress,
- * directoryName [4] Name,
- * ediPartyName [5] EDIPartyName,
- * uniformResourceIdentifier [6] IA5String,
- * iPAddress [7] OCTET STRING,
- * registeredID [8] OBJECT IDENTIFIER }
- *
- * The public calls for this type:
- *
- * NSSPKIXGeneralName_Decode
- * NSSPKIXGeneralName_CreateFromUTF8
- * NSSPKIXGeneralName_Create
- * NSSPKIXGeneralName_CreateFromOtherName
- * NSSPKIXGeneralName_CreateFromRfc822Name
- * NSSPKIXGeneralName_CreateFromDNSName
- * NSSPKIXGeneralName_CreateFromX400Address
- * NSSPKIXGeneralName_CreateFromDirectoryName
- * NSSPKIXGeneralName_CreateFromEDIPartyName
- * NSSPKIXGeneralName_CreateFromUniformResourceIdentifier
- * NSSPKIXGeneralName_CreateFromIPAddress
- * NSSPKIXGeneralName_CreateFromRegisteredID
- * NSSPKIXGeneralName_Destroy
- * NSSPKIXGeneralName_Encode
- * NSSPKIXGeneralName_GetUTF8Encoding
- * NSSPKIXGeneralName_GetChoice
- * NSSPKIXGeneralName_GetOtherName
- * NSSPKIXGeneralName_GetRfc822Name
- * NSSPKIXGeneralName_GetDNSName
- * NSSPKIXGeneralName_GetX400Address
- * NSSPKIXGeneralName_GetDirectoryName
- * NSSPKIXGeneralName_GetEDIPartyName
- * NSSPKIXGeneralName_GetUniformResourceIdentifier
- * NSSPKIXGeneralName_GetIPAddress
- * NSSPKIXGeneralName_GetRegisteredID
- * NSSPKIXGeneralName_GetSpecifiedChoice
- * NSSPKIXGeneralName_Equal
- * NSSPKIXGeneralName_Duplicate
- * (in pki1 I had specific attribute value gettors here too)
- *
- */
-
-/*
- * NSSPKIXGeneralName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * NSSPKIXGeneralName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralNameChoice choice,
- void *content
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromOtherName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromOtherName
-(
- NSSArena *arenaOpt,
- NSSPKIXAnotherName *otherName
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromRfc822Name
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromRfc822Name
-(
- NSSArena *arenaOpt,
- NSSUTF8 *rfc822Name
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromDNSName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromDNSName
-(
- NSSArena *arenaOpt,
- NSSUTF8 *dNSName
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromX400Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromX400Address
-(
- NSSArena *arenaOpt,
- NSSPKIXORAddress *x400Address
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromDirectoryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromDirectoryName
-(
- NSSArena *arenaOpt,
- NSSPKIXName *directoryName
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromEDIPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromEDIPartyName
-(
- NSSArena *arenaOpt,
- NSSPKIXEDIPartyName *ediPartyname
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromUniformResourceIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromUniformResourceIdentifier
-(
- NSSArena *arenaOpt,
- NSSUTF8 *uniformResourceIdentifier
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromIPAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromIPAddress
-(
- NSSArena *arenaOpt,
- NSSItem *iPAddress
-);
-
-/*
- * NSSPKIXGeneralName_CreateFromRegisteredID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_CreateFromRegisteredID
-(
- NSSArena *arenaOpt,
- NSSOID *registeredID
-);
-
-/*
- * NSSPKIXGeneralName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralName_Destroy
-(
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXGeneralName_Encode
-(
- NSSPKIXGeneralName *generalName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXGeneralName_GetUTF8Encoding
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * A valid NSSPKIXGeneralNameChoice value upon success
- * NSSPKIXGeneralNameChoice_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNameChoice
-NSSPKIXGeneralName_GetChoice
-(
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralName_GetOtherName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-NSSPKIXGeneralName_GetOtherName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetRfc822Name
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXGeneralName_GetRfc822Name
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetDNSName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXGeneralName_GetDNSName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetX400Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-NSSPKIXGeneralName_GetX400Address
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetDirectoryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-NSSPKIXGeneralName_GetDirectoryName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetEDIPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-NSSPKIXGeneralName_GetEDIPartyName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetUniformResourceIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXGeneralName_GetUniformResourceIdentifier
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetIPAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXGeneralName_GetIPAddress
-(
- NSSPKIXGeneralName *generalName,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_GetRegisteredID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSOID upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-NSSPKIXGeneralName_GetRegisteredID
-(
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralName_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN void *
-NSSPKIXGeneralName_GetSpecifiedChoice
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXGeneralName_Equal
-(
- NSSPKIXGeneralName *generalName1,
- NSSPKIXGeneralName *generalName2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXGeneralName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralName_Duplicate
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * (in pki1 I had specific attribute value gettors here too)
- *
- */
-
-/*
- * GeneralNames
- *
- * This structure contains a sequence of GeneralName objects.
- *
- * From RFC 2459:
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * The public calls for this type:
- *
- * NSSPKIXGeneralNames_Decode
- * NSSPKIXGeneralNames_Create
- * NSSPKIXGeneralNames_Destroy
- * NSSPKIXGeneralNames_Encode
- * NSSPKIXGeneralNames_GetGeneralNameCount
- * NSSPKIXGeneralNames_GetGeneralNames
- * NSSPKIXGeneralNames_SetGeneralNames
- * NSSPKIXGeneralNames_GetGeneralName
- * NSSPKIXGeneralNames_SetGeneralName
- * NSSPKIXGeneralNames_InsertGeneralName
- * NSSPKIXGeneralNames_AppendGeneralName
- * NSSPKIXGeneralNames_RemoveGeneralName
- * NSSPKIXGeneralNames_FindGeneralName
- * NSSPKIXGeneralNames_Equal
- * NSSPKIXGeneralNames_Duplicate
- *
- */
-
-/*
- * NSSPKIXGeneralNames_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-NSSPKIXGeneralNames_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXGeneralNames_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-NSSPKIXGeneralNames_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralName *generalName1,
- ...
-);
-
-/*
- * NSSPKIXGeneralNames_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralNames_Destroy
-(
- NSSPKIXGeneralNames *generalNames
-);
-
-/*
- * NSSPKIXGeneralNames_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXGeneralNames_Encode
-(
- NSSPKIXGeneralNames *generalNames,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralNames_GetGeneralNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXGeneralNames_GetGeneralNameCount
-(
- NSSPKIXGeneralNames *generalNames
-);
-
-/*
- * NSSPKIXGeneralNames_GetGeneralNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXGeneralName pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName **
-NSSPKIXGeneralNames_GetGeneralNames
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralNames_SetGeneralNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralNames_SetGeneralNames
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *generalName[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXGeneralNames_GetGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralNames_GetGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralNames_SetGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralNames_SetGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralNames_InsertGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralNames_InsertGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralNames_AppendGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralNames_AppendGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralNames_RemoveGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralNames_RemoveGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i
-);
-
-/*
- * NSSPKIXGeneralNames_FindGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXGeneralNames_FindGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * NSSPKIXGeneralNames_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXGeneralNames_Equal
-(
- NSSPKIXGeneralNames *generalNames1,
- NSSPKIXGeneralNames *generalNames2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXGeneralNames_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-NSSPKIXGeneralNames_Duplicate
-(
- NSSPKIXGeneralNames *generalNames,
- NSSArena *arenaOpt
-);
-
-/*
- * AnotherName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AnotherName ::= SEQUENCE {
- * type-id OBJECT IDENTIFIER,
- * value [0] EXPLICIT ANY DEFINED BY type-id }
- *
- * The public calls for this type:
- *
- * NSSPKIXAnotherName_Decode
- * NSSPKIXAnotherName_Create
- * NSSPKIXAnotherName_Destroy
- * NSSPKIXAnotherName_Encode
- * NSSPKIXAnotherName_GetTypeId
- * NSSPKIXAnotherName_SetTypeId
- * NSSPKIXAnotherName_GetValue
- * NSSPKIXAnotherName_SetValue
- * NSSPKIXAnotherName_Equal
- * NSSPKIXAnotherName_Duplicate
- *
- */
-
-/*
- * NSSPKIXAnotherName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-NSSPKIXAnotherName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAnotherName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-NSSPKIXAnotherName_Create
-(
- NSSArena *arenaOpt,
- NSSOID *typeId,
- NSSItem *value
-);
-
-/*
- * NSSPKIXAnotherName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAnotherName_Destroy
-(
- NSSPKIXAnotherName *anotherName
-);
-
-/*
- * NSSPKIXAnotherName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAnotherName_Encode
-(
- NSSPKIXAnotherName *anotherName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAnotherName_GetTypeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSOID upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-NSSPKIXAnotherName_GetTypeId
-(
- NSSPKIXAnotherName *anotherName
-);
-
-/*
- * NSSPKIXAnotherName_SetTypeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAnotherName_SetTypeId
-(
- NSSPKIXAnotherName *anotherName,
- NSSOID *typeId
-);
-
-/*
- * NSSPKIXAnotherName_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-NSSPKIXAnotherName_GetValue
-(
- NSSPKIXAnotherName *anotherName,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAnotherName_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAnotherName_SetValue
-(
- NSSPKIXAnotherName *anotherName,
- NSSItem *value
-);
-
-/*
- * NSSPKIXAnotherName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAnotherName_Equal
-(
- NSSPKIXAnotherName *anotherName1,
- NSSPKIXAnotherName *anotherName2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAnotherName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-NSSPKIXAnotherName_Duplicate
-(
- NSSPKIXAnotherName *anotherName,
- NSSArena *arenaOpt
-);
-
-/*
- * EDIPartyName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- *
- * EDIPartyName ::= SEQUENCE {
- * nameAssigner [0] DirectoryString OPTIONAL,
- * partyName [1] DirectoryString }
- *
- * The public calls for this type:
- *
- * NSSPKIXEDIPartyName_Decode
- * NSSPKIXEDIPartyName_Create
- * NSSPKIXEDIPartyName_Destroy
- * NSSPKIXEDIPartyName_Encode
- * NSSPKIXEDIPartyName_HasNameAssigner
- * NSSPKIXEDIPartyName_GetNameAssigner
- * NSSPKIXEDIPartyName_SetNameAssigner
- * NSSPKIXEDIPartyName_RemoveNameAssigner
- * NSSPKIXEDIPartyName_GetPartyName
- * NSSPKIXEDIPartyName_SetPartyName
- * NSSPKIXEDIPartyName_Equal
- * NSSPKIXEDIPartyName_Duplicate
- *
- */
-
-/*
- * NSSPKIXEDIPartyName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-NSSPKIXEDIPartyName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXEDIPartyName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-NSSPKIXEDIPartyName_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *nameAssignerOpt,
- NSSUTF8 *partyName
-);
-
-/*
- * NSSPKIXEDIPartyName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXEDIPartyName_Destroy
-(
- NSSPKIXEDIPartyName *ediPartyName
-);
-
-/*
- * NSSPKIXEDIPartyName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXEDIPartyName_Encode
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXEDIPartyName_HasNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXEDIPartyName_HasNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName
-);
-
-/*
- * NSSPKIXEDIPartyName_GetNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NAME_ASSIGNER
- *
- * Return value:
- * A valid pointer to an NSSUTF8 string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXEDIPartyName_GetNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXEDIPartyName_SetNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXEDIPartyName_SetNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSUTF8 *nameAssigner
-);
-
-/*
- * NSSPKIXEDIPartyName_RemoveNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_HAS_NO_NAME_ASSIGNER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXEDIPartyName_RemoveNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName
-);
-
-/*
- * NSSPKIXEDIPartyName_GetPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSPKIXEDIPartyName_GetPartyName
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXEDIPartyName_SetPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXEDIPartyName_SetPartyName
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSUTF8 *partyName
-);
-
-/*
- * NSSPKIXEDIPartyName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXEDIPartyName_Equal
-(
- NSSPKIXEDIPartyName *ediPartyName1,
- NSSPKIXEDIPartyName *ediPartyName2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXEDIPartyName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-NSSPKIXEDIPartyName_Duplicate
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSArena *arenaOpt
-);
-
-/*
- * SubjectDirectoryAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
- *
- * The public calls for this type:
- *
- * NSSPKIXSubjectDirectoryAttributes_Decode
- * NSSPKIXSubjectDirectoryAttributes_Create
- * NSSPKIXSubjectDirectoryAttributes_Destroy
- * NSSPKIXSubjectDirectoryAttributes_Encode
- * NSSPKIXSubjectDirectoryAttributes_GetAttributeCount
- * NSSPKIXSubjectDirectoryAttributes_GetAttributes
- * NSSPKIXSubjectDirectoryAttributes_SetAttributes
- * NSSPKIXSubjectDirectoryAttributes_GetAttribute
- * NSSPKIXSubjectDirectoryAttributes_SetAttribute
- * NSSPKIXSubjectDirectoryAttributes_InsertAttribute
- * NSSPKIXSubjectDirectoryAttributes_AppendAttribute
- * NSSPKIXSubjectDirectoryAttributes_RemoveAttribute
- * NSSPKIXSubjectDirectoryAttributes_FindAttribute
- * NSSPKIXSubjectDirectoryAttributes_Equal
- * NSSPKIXSubjectDirectoryAttributes_Duplicate
- *
- */
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
-NSSPKIXSubjectDirectoryAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
-NSSPKIXSubjectDirectoryAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttribute *attribute1,
- ...
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectDirectoryAttributes_Destroy
-(
- NSSPKIXSubjectDirectoryAttributes *sda
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXSubjectDirectoryAttributes_Encode
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_GetAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXSubjectDirectoryAttributes_GetAttributeCount
-(
- NSSPKIXSubjectDirectoryAttributes *sda
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_GetAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAttribute pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttribute **
-NSSPKIXSubjectDirectoryAttributes_GetAttributes
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSPKIXAttribute *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_SetAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectDirectoryAttributes_SetAttributes
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSAttribute *attributes[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_GetAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon error
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-NSSPKIXSubjectDirectoryAttributes_GetAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_SetAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectDirectoryAttributes_SetAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_InsertAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectDirectoryAttributes_InsertAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_AppendAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectDirectoryAttributes_AppendAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_RemoveAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXSubjectDirectoryAttributes_RemoveAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_FindAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ATTRIBUTE
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXSubjectDirectoryAttributes_FindAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXSubjectDirectoryAttributes_Equal
-(
- NSSPKIXSubjectDirectoryAttributes *sda1,
- NSSPKIXSubjectDirectoryAttributes *sda2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXSubjectDirectoryAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
-NSSPKIXSubjectDirectoryAttributes_Duplicate
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSArena *arenaOpt
-);
-
-/*
- * BasicConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BasicConstraints ::= SEQUENCE {
- * cA BOOLEAN DEFAULT FALSE,
- * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXBasicConstraints_Decode
- * NSSPKIXBasicConstraints_Create
- * NSSPKIXBasicConstraints_Destroy
- * NSSPKIXBasicConstraints_Encode
- * NSSPKIXBasicConstraints_GetCA
- * NSSPKIXBasicConstraints_SetCA
- * NSSPKIXBasicConstraints_HasPathLenConstraint
- * NSSPKIXBasicConstraints_GetPathLenConstraint
- * NSSPKIXBasicConstraints_SetPathLenConstraint
- * NSSPKIXBasicConstraints_RemovePathLenConstraint
- * NSSPKIXBasicConstraints_Equal
- * NSSPKIXBasicConstraints_Duplicate
- * NSSPKIXBasicConstraints_CompareToPathLenConstraint
- *
- */
-
-/*
- * NSSPKIXBasicConstraints_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBasicConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBasicConstraints *
-NSSPKIXBasicConstraints_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXBasicConstraints_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * A valid pointer to an NSSPKIXBasicConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBasicConstraints *
-NSSPKIXBasicConstraints_Create
-(
- NSSArena *arenaOpt,
- PRBool ca,
- PRInt32 pathLenConstraint
-);
-
-/*
- * NSSPKIXBasicConstraints_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBasicConstraints_Destroy
-(
- NSSPKIXBasicConstraints *basicConstraints
-);
-
-/*
- * NSSPKIXBasicConstraints_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXBasicConstraints_Encode
-(
- NSSPKIXBasicConstraints *basicConstraints,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBasicConstraints_GetCA
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the CA bit is true
- * PR_FALSE if it isn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBasicConstraints_GetCA
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBasicConstraints_SetCA
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBasicConstraints_SetCA
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRBool ca
-);
-
-/*
- * NSSPKIXBasicConstraints_HasPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBasicConstraints_HasPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBasicConstraints_GetPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXBasicConstraints_GetPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints
-);
-
-/*
- * NSSPKIXBasicConstraints_SetPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBasicConstraints_SetPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRInt32 pathLenConstraint
-);
-
-/*
- * NSSPKIXBasicConstraints_RemovePathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXBasicConstraints_RemovePathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints
-);
-
-/*
- * NSSPKIXBasicConstraints_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXBasicConstraints_Equal
-(
- NSSPKIXBasicConstraints *basicConstraints1,
- NSSPKIXBasicConstraints *basicConstraints2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXBasicConstraints_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBasicConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBasicConstraints *
-NSSPKIXBasicConstraints_Duplicate
-(
- NSSPKIXBasicConstraints *basicConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXBasicConstraints_CompareToPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
- *
- * Return value:
- * 1 if the specified value is greater than the pathLenConstraint
- * 0 if the specified value equals the pathLenConstraint
- * -1 if the specified value is less than the pathLenConstraint
- * -2 upon error
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXBasicConstraints_CompareToPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRInt32 value
-);
-
-/*
- * NameConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NameConstraints ::= SEQUENCE {
- * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
- * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXNameConstraints_Decode
- * NSSPKIXNameConstraints_Create
- * NSSPKIXNameConstraints_Destroy
- * NSSPKIXNameConstraints_Encode
- * NSSPKIXNameConstraints_HasPermittedSubtrees
- * NSSPKIXNameConstraints_GetPermittedSubtrees
- * NSSPKIXNameConstraints_SetPermittedSubtrees
- * NSSPKIXNameConstraints_RemovePermittedSubtrees
- * NSSPKIXNameConstraints_HasExcludedSubtrees
- * NSSPKIXNameConstraints_GetExcludedSubtrees
- * NSSPKIXNameConstraints_SetExcludedSubtrees
- * NSSPKIXNameConstraints_RemoveExcludedSubtrees
- * NSSPKIXNameConstraints_Equal
- * NSSPKIXNameConstraints_Duplicate
- * { and the comparator functions }
- *
- */
-
-/*
- * NSSPKIXNameConstraints_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNameConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNameConstraints *
-NSSPKIXNameConstraints_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXNameConstraints_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * A valid pointer to an NSSPKIXNameConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNameConstraints *
-NSSPKIXNameConstraints_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralSubtrees *permittedSubtrees,
- NSSPKIXGeneralSubtrees *excludedSubtrees
-);
-
-/*
- * NSSPKIXNameConstraints_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNameConstraints_Destroy
-(
- NSSPKIXNameConstraints *nameConstraints
-);
-
-/*
- * NSSPKIXNameConstraints_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXNameConstraints_Encode
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXNameConstraints_HasPermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXNameConstraints_HasPermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXNameConstraints_GetPermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-NSSPKIXNameConstraints_GetPermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXNameConstraints_SetPermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNameConstraints_SetPermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSPKIXGeneralSubtrees *permittedSubtrees
-);
-
-/*
- * NSSPKIXNameConstraints_RemovePermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNameConstraints_RemovePermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints
-);
-
-/*
- * NSSPKIXNameConstraints_HasExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXNameConstraints_HasExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXNameConstraints_GetExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-NSSPKIXNameConstraints_GetExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXNameConstraints_SetExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNameConstraints_SetExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSPKIXGeneralSubtrees *excludedSubtrees
-);
-
-/*
- * NSSPKIXNameConstraints_RemoveExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXNameConstraints_RemoveExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints
-);
-
-/*
- * NSSPKIXNameConstraints_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXNameConstraints_Equal
-(
- NSSPKIXNameConstraints *nameConstraints1,
- NSSPKIXNameConstraints *nameConstraints2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXNameConstraints_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXNameConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNameConstraints *
-NSSPKIXNameConstraints_Duplicate
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * { and the comparator functions }
- *
- */
-
-/*
- * GeneralSubtrees
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
- *
- * The public calls for this type:
- *
- * NSSPKIXGeneralSubtrees_Decode
- * NSSPKIXGeneralSubtrees_Create
- * NSSPKIXGeneralSubtrees_Destroy
- * NSSPKIXGeneralSubtrees_Encode
- * NSSPKIXGeneralSubtrees_GetGeneralSubtreeCount
- * NSSPKIXGeneralSubtrees_GetGeneralSubtrees
- * NSSPKIXGeneralSubtrees_SetGeneralSubtrees
- * NSSPKIXGeneralSubtrees_GetGeneralSubtree
- * NSSPKIXGeneralSubtrees_SetGeneralSubtree
- * NSSPKIXGeneralSubtrees_InsertGeneralSubtree
- * NSSPKIXGeneralSubtrees_AppendGeneralSubtree
- * NSSPKIXGeneralSubtrees_RemoveGeneralSubtree
- * NSSPKIXGeneralSubtrees_FindGeneralSubtree
- * NSSPKIXGeneralSubtrees_Equal
- * NSSPKIXGeneralSubtrees_Duplicate
- * { and finders and comparators }
- *
- */
-
-/*
- * NSSPKIXGeneralSubtrees_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-NSSPKIXGeneralSubtrees_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXGeneralSubtrees_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-NSSPKIXGeneralSubtrees_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralSubtree *generalSubtree1,
- ...
-);
-
-/*
- * NSSPKIXGeneralSubtrees_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtrees_Destroy
-(
- NSSPKIXGeneralSubtrees *generalSubtrees
-);
-
-/*
- * NSSPKIXGeneralSubtrees_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXGeneralSubtrees_Encode
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralSubtrees_GetGeneralSubtreeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXGeneralSubtrees_GetGeneralSubtreeCount
-(
- NSSPKIXGeneralSubtrees *generalSubtrees
-);
-
-/*
- * NSSPKIXGeneralSubtrees_GetGeneralSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXGeneralSubtree pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree **
-NSSPKIXGeneralSubtrees_GetGeneralSubtrees
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralSubtrees_SetGeneralSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtrees_SetGeneralSubtrees
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *generalSubtree[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXGeneralSubtrees_GetGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-NSSPKIXGeneralSubtrees_GetGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralSubtrees_SetGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtrees_SetGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtrees_InsertGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtrees_InsertGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtrees_AppendGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtrees_AppendGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtrees_RemoveGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtrees_RemoveGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i
-);
-
-/*
- * NSSPKIXGeneralSubtrees_FindGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXGeneralSubtrees_FindGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtrees_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXGeneralSubtrees_Equal
-(
- NSSPKIXGeneralSubtrees *generalSubtrees1,
- NSSPKIXGeneralSubtrees *generalSubtrees2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXGeneralSubtrees_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-NSSPKIXGeneralSubtrees_Duplicate
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSArena *arenaOpt
-);
-
-/*
- * { and finders and comparators }
- *
- */
-
-/*
- * GeneralSubtree
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtree ::= SEQUENCE {
- * base GeneralName,
- * minimum [0] BaseDistance DEFAULT 0,
- * maximum [1] BaseDistance OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXGeneralSubtree_Decode
- * NSSPKIXGeneralSubtree_Create
- * NSSPKIXGeneralSubtree_Destroy
- * NSSPKIXGeneralSubtree_Encode
- * NSSPKIXGeneralSubtree_GetBase
- * NSSPKIXGeneralSubtree_SetBase
- * NSSPKIXGeneralSubtree_GetMinimum
- * NSSPKIXGeneralSubtree_SetMinimum
- * NSSPKIXGeneralSubtree_HasMaximum
- * NSSPKIXGeneralSubtree_GetMaximum
- * NSSPKIXGeneralSubtree_SetMaximum
- * NSSPKIXGeneralSubtree_RemoveMaximum
- * NSSPKIXGeneralSubtree_Equal
- * NSSPKIXGeneralSubtree_Duplicate
- * NSSPKIXGeneralSubtree_DistanceInRange
- * {other tests and comparators}
- *
- */
-
-/*
- * NSSPKIXGeneralSubtree_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-NSSPKIXGeneralSubtree_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXGeneralSubtree_Create
- *
- * -- fgmr comments --
- * The optional maximum value may be omitted by specifying -1.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-NSSPKIXGeneralSubtree_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXBaseDistance minimum,
- NSSPKIXBaseDistance maximumOpt
-);
-
-/*
- * NSSPKIXGeneralSubtree_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtree_Destroy
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtree_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXGeneralSubtree_Encode
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralSubtree_GetBase
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXGeneralSubtree_GetBase
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralSubtree_SetBase
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtree_SetBase
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXGeneralName *base
-);
-
-/*
- * NSSPKIXGeneralSubtree_GetMinimum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN NSSPKIXBaseDistance
-NSSPKIXGeneralSubtree_GetMinimum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtree_SetMinimum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtree_SetMinimum
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXBaseDistance *minimum
-);
-
-/*
- * NSSPKIXGeneralSubtree_HasMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXGeneralSubtree_HasMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtree_GetMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN NSSPKIXBaseDistance
-NSSPKIXGeneralSubtree_GetMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtree_SetMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtree_SetMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXBaseDistance *maximum
-);
-
-/*
- * NSSPKIXGeneralSubtree_RemoveMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXGeneralSubtree_RemoveMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * NSSPKIXGeneralSubtree_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXGeneralSubtree_Equal
-(
- NSSPKIXGeneralSubtree *generalSubtree1,
- NSSPKIXGeneralSubtree *generalSubtree2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXGeneralSubtree_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-NSSPKIXGeneralSubtree_Duplicate
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXGeneralSubtree_DistanceInRange
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_TRUE if the specified value is within the minimum and maximum
- * base distances
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXGeneralSubtree_DistanceInRange
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXBaseDistance value,
- PRStatus *statusOpt
-);
-
-/*
- * {other tests and comparators}
- *
- */
-
-/*
- * PolicyConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyConstraints ::= SEQUENCE {
- * requireExplicitPolicy [0] SkipCerts OPTIONAL,
- * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXPolicyConstraints_Decode
- * NSSPKIXPolicyConstraints_Create
- * NSSPKIXPolicyConstraints_Destroy
- * NSSPKIXPolicyConstraints_Encode
- * NSSPKIXPolicyConstraints_HasRequireExplicitPolicy
- * NSSPKIXPolicyConstraints_GetRequireExplicitPolicy
- * NSSPKIXPolicyConstraints_SetRequireExplicitPolicy
- * NSSPKIXPolicyConstraints_RemoveRequireExplicitPolicy
- * NSSPKIXPolicyConstraints_HasInhibitPolicyMapping
- * NSSPKIXPolicyConstraints_GetInhibitPolicyMapping
- * NSSPKIXPolicyConstraints_SetInhibitPolicyMapping
- * NSSPKIXPolicyConstraints_RemoveInhibitPolicyMapping
- * NSSPKIXPolicyConstraints_Equal
- * NSSPKIXPolicyConstraints_Duplicate
- *
- */
-
-/*
- * NSSPKIXPolicyConstraints_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyConstraints *
-NSSPKIXPolicyConstraints_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXPolicyConstraints_Create
- *
- * -- fgmr comments --
- * The optional values may be omitted by specifying -1.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyConstraints *
-NSSPKIXPolicyConstraints_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXSkipCerts requireExplicitPolicy,
- NSSPKIXSkipCerts inhibitPolicyMapping
-);
-
-/*
- * NSSPKIXPolicyConstraints_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyConstraints_Destroy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXPolicyConstraints_Encode
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXPolicyConstraints_HasRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyConstraints_HasRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_GetRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyConstraints_GetRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_SetRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyConstraints_SetRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSPKIXSkipCerts requireExplicitPolicy
-);
-
-/*
- * NSSPKIXPolicyConstraints_RemoveRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyConstraints_RemoveRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_HasInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyConstraints_HasInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_GetInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXPolicyConstraints_GetInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_SetInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyConstraints_SetInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSPKIXSkipCerts inhibitPolicyMapping
-);
-
-/*
- * NSSPKIXPolicyConstraints_RemoveInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXPolicyConstraints_RemoveInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * NSSPKIXPolicyConstraints_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXPolicyConstraints_Equal
-(
- NSSPKIXPolicyConstraints *policyConstraints1,
- NSSPKIXPolicyConstraints *policyConstraints2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXPolicyConstraints_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyConstraints *
-NSSPKIXPolicyConstraints_Duplicate
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * CRLDistPointsSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
- *
- * The public calls for this type:
- *
- * NSSPKIXCRLDistPointsSyntax_Decode
- * NSSPKIXCRLDistPointsSyntax_Create
- * NSSPKIXCRLDistPointsSyntax_Destroy
- * NSSPKIXCRLDistPointsSyntax_Encode
- * NSSPKIXCRLDistPointsSyntax_GetDistributionPointCount
- * NSSPKIXCRLDistPointsSyntax_GetDistributionPoints
- * NSSPKIXCRLDistPointsSyntax_SetDistributionPoints
- * NSSPKIXCRLDistPointsSyntax_GetDistributionPoint
- * NSSPKIXCRLDistPointsSyntax_SetDistributionPoint
- * NSSPKIXCRLDistPointsSyntax_InsertDistributionPoint
- * NSSPKIXCRLDistPointsSyntax_AppendDistributionPoint
- * NSSPKIXCRLDistPointsSyntax_RemoveDistributionPoint
- * NSSPKIXCRLDistPointsSyntax_FindDistributionPoint
- * NSSPKIXCRLDistPointsSyntax_Equal
- * NSSPKIXCRLDistPointsSyntax_Duplicate
- *
- */
-
-/*
- * NSSPKIXCRLDistPointsSyntax_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
-NSSPKIXCRLDistPointsSyntax_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
-NSSPKIXCRLDistPointsSyntax_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPoint *distributionPoint1,
- ...
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCRLDistPointsSyntax_Destroy
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXCRLDistPointsSyntax_Encode
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_GetDistributionPointCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXCRLDistPointsSyntax_GetDistributionPointCount
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_GetDistributionPoints
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXDistributionPoint pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoints **
-NSSPKIXCRLDistPointsSyntax_GetDistributionPoints
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSDistributionPoint *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_SetDistributionPoints
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCRLDistPointsSyntax_SetDistributionPoints
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSDistributionPoint *distributionPoint[]
- PRInt32 count
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_GetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-NSSPKIXCRLDistPointsSyntax_GetDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_SetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCRLDistPointsSyntax_SetDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- PRInt32 i,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_InsertDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCRLDistPointsSyntax_InsertDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- PRInt32 i,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_AppendDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCRLDistPointsSyntax_AppendDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_RemoveDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXCRLDistPointsSyntax_RemoveDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- PRInt32 i
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_FindDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXCRLDistPointsSyntax_FindDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXCRLDistPointsSyntax_Equal
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax1,
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXCRLDistPointsSyntax_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
-NSSPKIXCRLDistPointsSyntax_Duplicate
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSArena *arenaOpt
-);
-
-/*
- * DistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * reasons [1] ReasonFlags OPTIONAL,
- * cRLIssuer [2] GeneralNames OPTIONAL }
- *
- * The public calls for this type:
- *
- * NSSPKIXDistributionPoint_Decode
- * NSSPKIXDistributionPoint_Create
- * NSSPKIXDistributionPoint_Destroy
- * NSSPKIXDistributionPoint_Encode
- * NSSPKIXDistributionPoint_HasDistributionPoint
- * NSSPKIXDistributionPoint_GetDistributionPoint
- * NSSPKIXDistributionPoint_SetDistributionPoint
- * NSSPKIXDistributionPoint_RemoveDistributionPoint
- * NSSPKIXDistributionPoint_HasReasons
- * NSSPKIXDistributionPoint_GetReasons
- * NSSPKIXDistributionPoint_SetReasons
- * NSSPKIXDistributionPoint_RemoveReasons
- * NSSPKIXDistributionPoint_HasCRLIssuer
- * NSSPKIXDistributionPoint_GetCRLIssuer
- * NSSPKIXDistributionPoint_SetCRLIssuer
- * NSSPKIXDistributionPoint_RemoveCRLIssuer
- * NSSPKIXDistributionPoint_Equal
- * NSSPKIXDistributionPoint_Duplicate
- *
- */
-
-/*
- * NSSPKIXDistributionPoint_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-NSSPKIXDistributionPoint_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXDistributionPoint_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-NSSPKIXDistributionPoint_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPointName *distributionPoint,
- NSSPKIXReasonFlags reasons,
- NSSPKIXGeneralNames *cRLIssuer
-);
-
-/*
- * NSSPKIXDistributionPoint_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_Destroy
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXDistributionPoint_Encode
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXDistributionPoint_HasDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXDistributionPoint_HasDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_GetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXDistributionPoint_GetDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXDistributionPoint_SetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_SetDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSPKIXDistributionPointName *name
-);
-
-/*
- * NSSPKIXDistributionPoint_RemoveDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_RemoveDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_HasReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXDistributionPoint_HasReasons
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_GetReasons
- *
- * It is unlikely that the reason flags are all zero; so zero is
- * returned in error situations.
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_REASONS
- *
- * Return value:
- * A valid nonzero NSSPKIXReasonFlags value upon success
- * A valid zero NSSPKIXReasonFlags if the value is indeed zero
- * Zero upon error
- */
-
-NSS_EXTERN NSSPKIXReasonFlags
-NSSPKIXDistributionPoint_GetReasons
-(
- NSSPKIXDistributionPoint *distributionPoint,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXDistributionPoint_SetReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_SetReasons
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSPKIXReasonFlags reasons
-);
-
-/*
- * NSSPKIXDistributionPoint_RemoveReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_REASONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_RemoveReasons
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_HasCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXDistributionPoint_HasCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_GetCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_CRL_ISSUER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-NSSPKIXDistributionPoint_GetCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXDistributionPoint_SetCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_SetCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSPKIXGeneralNames *cRLIssuer
-);
-
-/*
- * NSSPKIXDistributionPoint_RemoveCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_CRL_ISSUER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPoint_RemoveCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * NSSPKIXDistributionPoint_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXDistributionPoint_Equal
-(
- NSSPKIXDistributionPoint *distributionPoint1,
- NSSPKIXDistributionPoint *distributionPoint2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXDistributionPoint_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-NSSPKIXDistributionPoint_Duplicate
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSArena *arenaOpt
-);
-
-/*
- * DistributionPointName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPointName ::= CHOICE {
- * fullName [0] GeneralNames,
- * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
- *
- * The public calls for this type:
- *
- * NSSPKIXDistributionPointName_Decode
- * NSSPKIXDistributionPointName_Create
- * NSSPKIXDistributionPointName_CreateFromFullName
- * NSSPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
- * NSSPKIXDistributionPointName_Destroy
- * NSSPKIXDistributionPointName_Encode
- * NSSPKIXDistributionPointName_GetChoice
- * NSSPKIXDistributionPointName_GetFullName
- * NSSPKIXDistributionPointName_GetNameRelativeToCRLIssuer
- * NSSPKIXDistributionPointName_Equal
- * NSSPKIXDistributionPointName_Duplicate
- *
- */
-
-/*
- * NSSPKIXDistributionPointName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXDistributionPointName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXDistributionPointName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME_CHOICE
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXDistributionPointName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPointNameChoice which,
- void *name
-);
-
-/*
- * NSSPKIXDistributionPointName_CreateFromFullName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXDistributionPointName_CreateFromFullName
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralNames *fullName
-);
-
-/*
- * NSSPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
-(
- NSSArena *arenaOpt,
- NSSPKIXRelativeDistinguishedName *nameRelativeToCRLIssuer
-);
-
-/*
- * NSSPKIXDistributionPointName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXDistributionPointName_Destroy
-(
- NSSPKIXDistributionPointName *dpn
-);
-
-/*
- * NSSPKIXDistributionPointName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXDistributionPointName_Encode
-(
- NSSPKIXDistributionPointName *dpn,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXDistributionPointName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * A valid NSSPKIXDistributionPointNameChoice value upon success
- * NSSPKIXDistributionPointNameChoice_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointNameChoice
-NSSPKIXDistributionPointName_GetChoice
-(
- NSSPKIXDistributionPointName *dpn
-);
-
-/*
- * NSSPKIXDistributionPointName_GetFullName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralnames *
-NSSPKIXDistributionPointName_GetFullName
-(
- NSSPKIXDistributionPointName *dpn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXDistributionPointName_GetNameRelativeToCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXDistributionPointName_GetNameRelativeToCRLIssuer
-(
- NSSPKIXDistributionPointName *dpn,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXDistributionPointName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXDistributionPointName_Equal
-(
- NSSPKIXDistributionPointName *dpn1,
- NSSPKIXDistributionPointName *dpn2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXDistributionPointName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXDistributionPointName_Duplicate
-(
- NSSPKIXDistributionPointName *dpn,
- NSSArena *arenaOpt
-);
-
-/*
- * ReasonFlags
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ReasonFlags ::= BIT STRING {
- * unused (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6) }
- *
- * The public calls for this type:
- *
- * NSSPKIXReasonFlags_Decode
- * NSSPKIXReasonFlags_Create
- * NSSPKIXReasonFlags_CreateFromMask
- * NSSPKIXReasonFlags_Destroy
- * NSSPKIXReasonFlags_Encode
- * NSSPKIXReasonFlags_GetMask
- * NSSPKIXReasonFlags_SetMask
- * NSSPKIXReasonFlags_Equal
- * NSSPKIXReasonFlags_Duplicate
- * { bitwise accessors? }
- *
- */
-
-/*
- * NSSPKIXReasonFlags_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-NSSPKIXReasonFlags_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXReasonFlags_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-NSSPKIXReasonFlags_Create
-(
- NSSArena *arenaOpt,
- PRBool keyCompromise,
- PRBool cACompromise,
- PRBool affiliationChanged,
- PRBool superseded,
- PRBool cessationOfOperation,
- PRBool certificateHold
-);
-
-/*
- * NSSPKIXReasonFlags_CreateFromMask
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-NSSPKIXReasonFlags_CreateFromMask
-(
- NSSArena *arenaOpt,
- NSSPKIXReasonFlagsMask why
-);
-
-/*
- * NSSPKIXReasonFlags_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXReasonFlags_Destroy
-(
- NSSPKIXReasonFlags *reasonFlags
-);
-
-/*
- * NSSPKIXReasonFlags_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXReasonFlags_Encode
-(
- NSSPKIXReasonFlags *reasonFlags,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXReasonFlags_GetMask
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * A valid mask of NSSPKIXReasonFlagsMask values upon success
- * NSSPKIXReasonFlagsMask_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlagsMask
-NSSPKIXReasonFlags_GetMask
-(
- NSSPKIXReasonFlags *reasonFlags
-);
-
-/*
- * NSSPKIXReasonFlags_SetMask
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXReasonFlags_SetMask
-(
- NSSPKIXReasonFlags *reasonFlags,
- NSSPKIXReasonFlagsMask mask
-);
-
-/*
- * NSSPKIXReasonFlags_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXReasonFlags_Equal
-(
- NSSPKIXReasonFlags *reasonFlags1,
- NSSPKIXReasonFlags *reasonFlags2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXReasonFlags_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-NSSPKIXReasonFlags_Duplicate
-(
- NSSPKIXReasonFlags *reasonFlags,
- NSSArena *arenaOpt
-);
-
-/*
- * { bitwise accessors? }
- *
- */
-
-/*
- * ExtKeyUsageSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
- *
- * The public calls for this type:
- *
- * NSSPKIXExtKeyUsageSyntax_Decode
- * NSSPKIXExtKeyUsageSyntax_Create
- * NSSPKIXExtKeyUsageSyntax_Destroy
- * NSSPKIXExtKeyUsageSyntax_Encode
- * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
- * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIds
- * NSSPKIXExtKeyUsageSyntax_SetKeyPurposeIds
- * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeId
- * NSSPKIXExtKeyUsageSyntax_SetKeyPurposeId
- * NSSPKIXExtKeyUsageSyntax_InsertKeyPurposeId
- * NSSPKIXExtKeyUsageSyntax_AppendKeyPurposeId
- * NSSPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
- * NSSPKIXExtKeyUsageSyntax_FindKeyPurposeId
- * NSSPKIXExtKeyUsageSyntax_Equal
- * NSSPKIXExtKeyUsageSyntax_Duplicate
- *
- */
-
-/*
- * NSSPKIXExtKeyUsageSyntax_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
-NSSPKIXExtKeyUsageSyntax_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
-NSSPKIXExtKeyUsageSyntax_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXKeyPurposeId *kpid1,
- ...
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtKeyUsageSyntax_Destroy
-(
- NSSPKIXExtKeyUsageSyntax *eku
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXExtKeyUsageSyntax_Encode
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
-(
- NSSPKIXExtKeyUsageSyntax *eku
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIds
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXKeyPurposeId pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyPurposeId **
-NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIds
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_SetKeyPurposeIds
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtKeyUsageSyntax_SetKeyPurposeIds
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *ids[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyPurposeId upon success
- * NULL upon error
- */
-
-NSS_EXTERN NSSPKIXKeyPurposeId *
-NSSPKIXExtKeyUsageSyntax_GetKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_SetKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtKeyUsageSyntax_SetKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_InsertKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtKeyUsageSyntax_InsertKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_AppendKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtKeyUsageSyntax_AppendKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_FindKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified key purpose id upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXExtKeyUsageSyntax_FindKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXExtKeyUsageSyntax_Equal
-(
- NSSPKIXExtKeyUsageSyntax *eku1,
- NSSPKIXExtKeyUsageSyntax *eku2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXExtKeyUsageSyntax_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
-NSSPKIXExtKeyUsageSyntax_Duplicate
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSArena *arenaOpt
-);
-
-/*
- * AuthorityInfoAccessSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityInfoAccessSyntax ::=
- * SEQUENCE SIZE (1..MAX) OF AccessDescription
- *
- * The public calls for this type:
- *
- * NSSPKIXAuthorityInfoAccessSyntax_Decode
- * NSSPKIXAuthorityInfoAccessSyntax_Create
- * NSSPKIXAuthorityInfoAccessSyntax_Destroy
- * NSSPKIXAuthorityInfoAccessSyntax_Encode
- * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
- * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
- * NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
- * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescription
- * NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescription
- * NSSPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
- * NSSPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
- * NSSPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
- * NSSPKIXAuthorityInfoAccessSyntax_FindAccessDescription
- * NSSPKIXAuthorityInfoAccessSyntax_Equal
- * NSSPKIXAuthorityInfoAccessSyntax_Duplicate
- *
- */
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
-NSSPKIXAuthorityInfoAccessSyntax_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
-NSSPKIXAuthorityInfoAccessSyntax_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAccessDescription *ad1,
- ...
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityInfoAccessSyntax_Destroy
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAuthorityInfoAccessSyntax_Encode
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAccessDescription pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription **
-NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *ad[],
- PRInt32 count
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_FindAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXAuthorityInfoAccessSyntax_FindAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAuthorityInfoAccessSyntax_Equal
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias1,
- NSSPKIXAuthorityInfoAccessSyntax *aias2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAuthorityInfoAccessSyntax_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
-NSSPKIXAuthorityInfoAccessSyntax_Duplicate
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSArena *arenaOpt
-);
-
-/*
- * AccessDescription
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AccessDescription ::= SEQUENCE {
- * accessMethod OBJECT IDENTIFIER,
- * accessLocation GeneralName }
- *
- * The public calls for this type:
- *
- * NSSPKIXAccessDescription_Decode
- * NSSPKIXAccessDescription_Create
- * NSSPKIXAccessDescription_Destroy
- * NSSPKIXAccessDescription_Encode
- * NSSPKIXAccessDescription_GetAccessMethod
- * NSSPKIXAccessDescription_SetAccessMethod
- * NSSPKIXAccessDescription_GetAccessLocation
- * NSSPKIXAccessDescription_SetAccessLocation
- * NSSPKIXAccessDescription_Equal
- * NSSPKIXAccessDescription_Duplicate
- *
- */
-
-/*
- * NSSPKIXAccessDescription_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-NSSPKIXAccessDescription_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXAccessDescription_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-NSSPKIXAccessDescription_Create
-(
- NSSArena *arenaOpt,
- NSSOID *accessMethod,
- NSSPKIXGeneralName *accessLocation
-);
-
-/*
- * NSSPKIXAccessDescription_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAccessDescription_Destroy
-(
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * NSSPKIXAccessDescription_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXAccessDescription_Encode
-(
- NSSPKIXAccessDescription *ad,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAccessDescription_GetAccessMethod
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSOID pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-NSSPKIXAccessDescription_GetAccessMethod
-(
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * NSSPKIXAccessDescription_SetAccessMethod
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAccessDescription_SetAccessMethod
-(
- NSSPKIXAccessDescription *ad,
- NSSOID *accessMethod
-);
-
-/*
- * NSSPKIXAccessDescription_GetAccessLocation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-NSSPKIXAccessDescription_GetAccessLocation
-(
- NSSPKIXAccessDescription *ad,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXAccessDescription_SetAccessLocation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAccessDescription_SetAccessLocation
-(
- NSSPKIXAccessDescription *ad,
- NSSPKIXGeneralName *accessLocation
-);
-
-/*
- * NSSPKIXAccessDescription_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXAccessDescription_Equal
-(
- NSSPKIXAccessDescription *ad1,
- NSSPKIXAccessDescription *ad2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXAccessDescription_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-NSSPKIXAccessDescription_Duplicate
-(
- NSSPKIXAccessDescription *ad,
- NSSArena *arenaOpt
-);
-
-/*
- * IssuingDistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * IssuingDistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
- * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
- * onlySomeReasons [3] ReasonFlags OPTIONAL,
- * indirectCRL [4] BOOLEAN DEFAULT FALSE }
- *
- * The public calls for this type:
- *
- * NSSPKIXIssuingDistributionPoint_Decode
- * NSSPKIXIssuingDistributionPoint_Create
- * NSSPKIXIssuingDistributionPoint_Destroy
- * NSSPKIXIssuingDistributionPoint_Encode
- * NSSPKIXIssuingDistributionPoint_HasDistributionPoint
- * NSSPKIXIssuingDistributionPoint_GetDistributionPoint
- * NSSPKIXIssuingDistributionPoint_SetDistributionPoint
- * NSSPKIXIssuingDistributionPoint_RemoveDistributionPoint
- * NSSPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
- * NSSPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
- * NSSPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
- * NSSPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
- * NSSPKIXIssuingDistributionPoint_HasOnlySomeReasons
- * NSSPKIXIssuingDistributionPoint_GetOnlySomeReasons
- * NSSPKIXIssuingDistributionPoint_SetOnlySomeReasons
- * NSSPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
- * NSSPKIXIssuingDistributionPoint_GetIndirectCRL
- * NSSPKIXIssuingDistributionPoint_SetIndirectCRL
- * NSSPKIXIssuingDistributionPoint_Equal
- * NSSPKIXIssuingDistributionPoint_Duplicate
- *
- */
-
-/*
- * NSSPKIXIssuingDistributionPoint_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXIssuingDistributionPoint *
-NSSPKIXIssuingDistributionPoint_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXIssuingDistributionPoint *
-NSSPKIXIssuingDistributionPoint_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPointName *distributionPointOpt,
- PRBool onlyContainsUserCerts,
- PRBool onlyContainsCACerts,
- NSSPKIXReasonFlags *onlySomeReasons
- PRBool indirectCRL
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_Destroy
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-NSSPKIXIssuingDistributionPoint_Encode
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_HasDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXIssuingDistributionPoint_HasDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_GetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-NSSPKIXIssuingDistributionPoint_GetDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_SetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_SetDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSPKIXDistributionPointName *dpn
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_RemoveDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_RemoveDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the onlyContainsUserCerts value is true
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRBool onlyContainsUserCerts
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the onlyContainsCACerts value is true
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRBool onlyContainsCACerts
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_HasOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-NSSPKIXIssuingDistributionPoint_HasOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_GetOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-NSSPKIXIssuingDistributionPoint_GetOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSArena *arenaOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_SetOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_SetOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSPKIXReasonFlags *onlySomeReasons
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_GetIndirectCRL
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the indirectCRL value is true
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXIssuingDistributionPoint_GetIndirectCRL
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_SetIndirectCRL
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXIssuingDistributionPoint_SetIndirectCRL
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRBool indirectCRL
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXIssuingDistributionPoint_Equal
-(
- NSSPKIXIssuingDistributionPoint *idp1,
- NSSPKIXIssuingDistributionPoint *idp2,
- PRStatus *statusOpt
-);
-
-/*
- * NSSPKIXIssuingDistributionPoint_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXIssuingDistributionPoint *
-NSSPKIXIssuingDistributionPoint_Duplicate
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSArena *arenaOpt
-);
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKIX_H */
diff --git a/security/nss/lib/pkix/include/nsspkixt.h b/security/nss/lib/pkix/include/nsspkixt.h
deleted file mode 100644
index ea35269ff..000000000
--- a/security/nss/lib/pkix/include/nsspkixt.h
+++ /dev/null
@@ -1,2281 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef NSSPKIXT_H
-#define NSSPKIXT_H
-
-#ifdef DEBUG
-static const char NSSPKIXT_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * nsspkixt.h
- *
- * This file contains the public type definitions for the PKIX part-1
- * objects. The contents are strongly based on the types defined in
- * RFC 2459 {fgmr: and others, e.g., s/mime?}. The type names have
- * been prefixed with "NSSPKIX."
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A Note About Strings
- *
- * RFC 2459 refers to several types of strings, including UniversalString,
- * BMPString, UTF8String, TeletexString, PrintableString, IA5String, and
- * more. As with the rest of the NSS libraries, all strings are converted
- * to UTF8 form as soon as possible, and dealt with in that form from
- * then on.
- *
- */
-
-/*
- * Attribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Attribute ::= SEQUENCE {
- * type AttributeType,
- * values SET OF AttributeValue
- * -- at least one value is required -- }
- *
- */
-
-struct NSSPKIXAttributeStr;
-typedef struct NSSPKIXAttributeStr NSSPKIXAttribute;
-
-/*
- * AttributeType
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AttributeType ::= OBJECT IDENTIFIER
- *
- */
-
-typedef NSSOID NSSPKIXAttributeType;
-
-/*
- * AttributeValue
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AttributeValue ::= ANY
- *
- */
-
-typedef NSSItem NSSPKIXAttributeValue;
-
-/*
- * AttributeTypeAndValue
- *
- * This structure contains an attribute type (indicated by an OID),
- * and the type-specific value. RelativeDistinguishedNamess consist
- * of a set of these. These are distinct from Attributes (which have
- * SET of values), from AttributeDescriptions (which have qualifiers
- * on the types), and from AttributeValueAssertions (which assert a
- * a value comparison under some matching rule).
- *
- * From RFC 2459:
- *
- * AttributeTypeAndValue ::= SEQUENCE {
- * type AttributeType,
- * value AttributeValue }
- *
- */
-
-struct NSSPKIXAttributeTypeAndValueStr;
-typedef struct NSSPKIXAttributeTypeAndValueStr NSSPKIXAttributeTypeAndValue;
-
-/*
- * X520Name
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520name ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-name)),
- * printableString PrintableString (SIZE (1..ub-name)),
- * universalString UniversalString (SIZE (1..ub-name)),
- * utf8String UTF8String (SIZE (1..ub-name)),
- * bmpString BMPString (SIZE(1..ub-name)) }
- *
- */
-
-struct NSSPKIXX520NameStr;
-typedef struct NSSPKIXX520NameStr NSSPKIXX520Name;
-
-/*
- * X520CommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520CommonName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-common-name)),
- * printableString PrintableString (SIZE (1..ub-common-name)),
- * universalString UniversalString (SIZE (1..ub-common-name)),
- * utf8String UTF8String (SIZE (1..ub-common-name)),
- * bmpString BMPString (SIZE(1..ub-common-name)) }
- *
- */
-
-struct NSSPKIXX520CommonNameStr;
-typedef struct NSSPKIXX520CommonNameStr NSSPKIXX520CommonName;
-
-/*
- * X520LocalityName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520LocalityName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-locality-name)),
- * printableString PrintableString (SIZE (1..ub-locality-name)),
- * universalString UniversalString (SIZE (1..ub-locality-name)),
- * utf8String UTF8String (SIZE (1..ub-locality-name)),
- * bmpString BMPString (SIZE(1..ub-locality-name)) }
- *
- */
-
-struct NSSPKIXX520LocalityNameStr;
-typedef struct NSSPKIXX520LocalityNameStr NSSPKIXX520LocalityName;
-
-/*
- * X520StateOrProvinceName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520StateOrProvinceName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-state-name)),
- * printableString PrintableString (SIZE (1..ub-state-name)),
- * universalString UniversalString (SIZE (1..ub-state-name)),
- * utf8String UTF8String (SIZE (1..ub-state-name)),
- * bmpString BMPString (SIZE(1..ub-state-name)) }
- *
- */
-
-struct NSSPKIXX520StateOrProvinceNameStr;
-typedef struct NSSPKIXX520StateOrProvinceNameStr NSSPKIXX520StateOrProvinceName;
-
-/*
- * X520OrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520OrganizationName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-organization-name)),
- * printableString PrintableString (SIZE (1..ub-organization-name)),
- * universalString UniversalString (SIZE (1..ub-organization-name)),
- * utf8String UTF8String (SIZE (1..ub-organization-name)),
- * bmpString BMPString (SIZE(1..ub-organization-name)) }
- *
- */
-
-struct NSSPKIXX520OrganizationNameStr;
-typedef struct NSSPKIXX520OrganizationNameStr NSSPKIXX520OrganizationName;
-
-/*
- * X520OrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520OrganizationalUnitName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-organizational-unit-name)),
- * printableString PrintableString
- * (SIZE (1..ub-organizational-unit-name)),
- * universalString UniversalString
- * (SIZE (1..ub-organizational-unit-name)),
- * utf8String UTF8String (SIZE (1..ub-organizational-unit-name)),
- * bmpString BMPString (SIZE(1..ub-organizational-unit-name)) }
- *
- */
-
-struct NSSPKIXX520OrganizationalUnitNameStr;
-typedef struct NSSPKIXX520OrganizationalUnitNameStr NSSPKIXX520OrganizationalUnitName;
-
-/*
- * X520Title
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520Title ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-title)),
- * printableString PrintableString (SIZE (1..ub-title)),
- * universalString UniversalString (SIZE (1..ub-title)),
- * utf8String UTF8String (SIZE (1..ub-title)),
- * bmpString BMPString (SIZE(1..ub-title)) }
- *
- */
-
-struct NSSPKIXX520TitleStr;
-typedef struct NSSPKIXX520TitleStr NSSPKIXX520Title;
-
-/*
- * X520dnQualifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520dnQualifier ::= PrintableString
- *
- */
-
-struct NSSPKIXX520dnQualifierStr;
-typedef struct NSSPKIXX520dnQualifierStr NSSPKIXX520dnQualifier;
-
-/*
- * X520countryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
- *
- */
-
-struct NSSPKIXX520countryNameStr;
-typedef struct NSSPKIXX520countryNameStr NSSPKIXX520countryName;
-
-/*
- * Pkcs9email
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
- *
- */
-
-struct NSSPKIXPkcs9emailStr;
-typedef struct NSSPKIXPkcs9emailStr NSSPKIXPkcs9email;
-
-/*
- * Name
- *
- * This structure contains a union of the possible name formats,
- * which at the moment is limited to an RDNSequence.
- *
- * From RFC 2459:
- *
- * Name ::= CHOICE { -- only one possibility for now --
- * rdnSequence RDNSequence }
- *
- */
-
-struct NSSPKIXNameStr;
-typedef struct NSSPKIXNameStr NSSPKIXName;
-
-/*
- * NameChoice
- *
- * This enumeration is used to specify choice within a name.
- */
-
-enum NSSPKIXNameChoiceEnum {
- NSSPKIXNameChoice_NSSinvalid = -1,
- NSSPKIXNameChoice_rdnSequence
-};
-typedef enum NSSPKIXNameChoiceEnum NSSPKIXNameChoice;
-
-/*
- * RDNSequence
- *
- * This structure contains a sequence of RelativeDistinguishedName
- * objects.
- *
- * From RFC 2459:
- *
- * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
- *
- */
-
-struct NSSPKIXRDNSequenceStr;
-typedef struct NSSPKIXRDNSequenceStr NSSPKIXRDNSequence;
-
-/*
- * DistinguishedName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistinguishedName ::= RDNSequence
- *
- */
-
-typedef NSSPKIXRDNSequence NSSPKIXDistinguishedName;
-
-/*
- * RelativeDistinguishedName
- *
- * This structure contains an unordered set of AttributeTypeAndValue
- * objects. RDNs are used to distinguish a set of objects underneath
- * a common object.
- *
- * Often, a single ATAV is sufficient to make a unique distinction.
- * For example, if a company assigns its people unique uid values,
- * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
- * ATAV by itself forms an RDN. However, sometimes a set of ATAVs is
- * needed. For example, if a company needed to distinguish between
- * two Smiths by specifying their corporate divisions, then in the
- * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
- * set of ATAVs forms the RDN.
- *
- * From RFC 2459:
- *
- * RelativeDistinguishedName ::=
- * SET SIZE (1 .. MAX) OF AttributeTypeAndValue
- *
- */
-
-struct NSSPKIXRelativeDistinguishedNameStr;
-typedef struct NSSPKIXRelativeDistinguishedNameStr NSSPKIXRelativeDistinguishedName;
-
-/*
- * DirectoryString
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DirectoryString ::= CHOICE {
- * teletexString TeletexString (SIZE (1..MAX)),
- * printableString PrintableString (SIZE (1..MAX)),
- * universalString UniversalString (SIZE (1..MAX)),
- * utf8String UTF8String (SIZE (1..MAX)),
- * bmpString BMPString (SIZE(1..MAX)) }
- *
- */
-
-struct NSSPKIXDirectoryStringStr;
-typedef struct NSSPKIXDirectoryStringStr NSSPKIXDirectoryString;
-
-/*
- * Certificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Certificate ::= SEQUENCE {
- * tbsCertificate TBSCertificate,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- */
-
-struct NSSPKIXCertificateStr;
-typedef struct NSSPKIXCertificateStr NSSPKIXCertificate;
-
-/*
- * TBSCertificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertificate ::= SEQUENCE {
- * version [0] Version DEFAULT v1,
- * serialNumber CertificateSerialNumber,
- * signature AlgorithmIdentifier,
- * issuer Name,
- * validity Validity,
- * subject Name,
- * subjectPublicKeyInfo SubjectPublicKeyInfo,
- * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * extensions [3] Extensions OPTIONAL
- * -- If present, version shall be v3 -- }
- *
- */
-
-struct NSSPKIXTBSCertificateStr;
-typedef struct NSSPKIXTBSCertificateStr NSSPKIXTBSCertificate;
-
-/*
- * Version
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Version ::= INTEGER { v1(0), v2(1), v3(2) }
- *
- */
-
-enum NSSPKIXVersionEnum {
- NSSPKIXVersion_NSSinvalid = -1,
- NSSPKIXVersion_v1 = 0,
- NSSPKIXVersion_v2 = 1,
- NSSPKIXVersion_v3 = 2
-};
-typedef enum NSSPKIXVersionEnum NSSPKIXVersion;
-
-/*
- * CertificateSerialNumber
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateSerialNumber ::= INTEGER
- *
- */
-
-typedef NSSBER NSSPKIXCertificateSerialNumber;
-
-/*
- * Validity
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Validity ::= SEQUENCE {
- * notBefore Time,
- * notAfter Time }
- *
- */
-
-struct NSSPKIXValidityStr;
-typedef struct NSSPKIXValidityStr NSSPKIXValidity;
-
-/*
- * Time
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Time ::= CHOICE {
- * utcTime UTCTime,
- * generalTime GeneralizedTime }
- *
- */
-
-struct NSSPKIXTimeStr;
-typedef struct NSSPKIXTimeStr NSSPKIXTime;
-
-/*
- * UniqueIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UniqueIdentifier ::= BIT STRING
- *
- */
-
-typedef NSSBitString NSSPKIXUniqueIdentifier;
-
-/*
- * SubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING }
- *
- */
-
-struct NSSPKIXSubjectPublicKeyInfoStr;
-typedef NSSPKIXSubjectPublicKeyInfoStr NSSPKIXSubjectPublicKeyInfo;
-
-/*
- * Extensions
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
- *
- */
-
-struct NSSPKIXExtensionsStr;
-typedef struct NSSPKIXExtensionsStr NSSPKIXExtensions;
-
-/*
- * Extension
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extension ::= SEQUENCE {
- * extnID OBJECT IDENTIFIER,
- * critical BOOLEAN DEFAULT FALSE,
- * extnValue OCTET STRING }
- *
- */
-
-struct NSSPKIXExtensionStr;
-typedef struct NSSPKIXExtensionStr NSSPKIXExtension;
-
-/*
- * CertificateList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateList ::= SEQUENCE {
- * tbsCertList TBSCertList,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- */
-
-struct NSSPKIXCertificateListStr;
-typedef struct NSSPKIXCertificateListStr NSSPKIXCertificateList;
-
-/*
- * TBSCertList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertList ::= SEQUENCE {
- * version Version OPTIONAL,
- * -- if present, shall be v2
- * signature AlgorithmIdentifier,
- * issuer Name,
- * thisUpdate Time,
- * nextUpdate Time OPTIONAL,
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- * crlExtensions [0] Extensions OPTIONAL
- * -- if present, shall be v2 -- }
- *
- */
-
-struct NSSPKIXTBSCertListStr;
-typedef struct NSSPKIXTBSCertListStr NSSPKIXTBSCertList;
-
-/*
- * revokedCertificates
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- */
-
-struct NSSPKIXrevokedCertificatesStr;
-typedef struct NSSPKIXrevokedCertificatesStr NSSPKIXrevokedCertificates;
-
-/*
- * revokedCertificate
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- */
-
-struct NSSPKIXrevokedCertificateStr;
-typedef struct NSSPKIXrevokedCertificateStr NSSPKIXrevokedCertificate;
-
-/*
- * AlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * (1988 syntax)
- *
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters ANY DEFINED BY algorithm OPTIONAL }
- * -- contains a value of the type
- * -- registered for use with the
- * -- algorithm object identifier value
- *
- *
- */
-
-struct NSSPKIXAlgorithmIdentifierStr;
-typedef NSSPKIXAlgorithmIdentifierStr NSSPKIXAlgorithmIdentifier;
-
-/*
- * -- types related to NSSPKIXAlgorithmIdentifiers:
- *
- * Dss-Sig-Value ::= SEQUENCE {
- * r INTEGER,
- * s INTEGER }
- *
- * DomainParameters ::= SEQUENCE {
- * p INTEGER, -- odd prime, p=jq +1
- * g INTEGER, -- generator, g
- * q INTEGER, -- factor of p-1
- * j INTEGER OPTIONAL, -- subgroup factor, j>= 2
- * validationParms ValidationParms OPTIONAL }
- *
- * ValidationParms ::= SEQUENCE {
- * seed BIT STRING,
- * pgenCounter INTEGER }
- *
- * Dss-Parms ::= SEQUENCE {
- * p INTEGER,
- * q INTEGER,
- * g INTEGER }
- *
- */
-
-/*
- * ORAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ORAddress ::= SEQUENCE {
- * built-in-standard-attributes BuiltInStandardAttributes,
- * built-in-domain-defined-attributes
- * BuiltInDomainDefinedAttributes OPTIONAL,
- * -- see also teletex-domain-defined-attributes
- * extension-attributes ExtensionAttributes OPTIONAL }
- * -- The OR-address is semantically absent from the OR-name if the
- * -- built-in-standard-attribute sequence is empty and the
- * -- built-in-domain-defined-attributes and extension-attributes are
- * -- both omitted.
- *
- */
-
-struct NSSPKIXORAddressStr;
-typedef struct NSSPKIXORAddressStr NSSPKIXORAddress;
-
-/*
- * BuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInStandardAttributes ::= SEQUENCE {
- * country-name CountryName OPTIONAL,
- * administration-domain-name AdministrationDomainName OPTIONAL,
- * network-address [0] NetworkAddress OPTIONAL,
- * -- see also extended-network-address
- * terminal-identifier [1] TerminalIdentifier OPTIONAL,
- * private-domain-name [2] PrivateDomainName OPTIONAL,
- * organization-name [3] OrganizationName OPTIONAL,
- * -- see also teletex-organization-name
- * numeric-user-identifier [4] NumericUserIdentifier OPTIONAL,
- * personal-name [5] PersonalName OPTIONAL,
- * -- see also teletex-personal-name
- * organizational-unit-names [6] OrganizationalUnitNames OPTIONAL
- * -- see also teletex-organizational-unit-names -- }
- *
- */
-
-struct NSSPKIXBuiltInStandardAttributesStr;
-typedef struct NSSPKIXBuiltInStandardAttributesStr NSSPKIXBuiltInStandardAttributes;
-
-/*
- * CountryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CountryName ::= [APPLICATION 1] CHOICE {
- * x121-dcc-code NumericString
- * (SIZE (ub-country-name-numeric-length)),
- * iso-3166-alpha2-code PrintableString
- * (SIZE (ub-country-name-alpha-length)) }
- *
- */
-
-struct NSSPKIXCountryNameStr;
-typedef struct NSSPKIXCountryNameStr NSSPKIXCountryName;
-
-/*
- * AdministrationDomainName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AdministrationDomainName ::= [APPLICATION 2] CHOICE {
- * numeric NumericString (SIZE (0..ub-domain-name-length)),
- * printable PrintableString (SIZE (0..ub-domain-name-length)) }
- *
- */
-
-struct NSSPKIXAdministrationDomainNameStr;
-typedef struct NSSPKIXAdministrationDomainNameStr NSSPKIXAdministrationDomainName;
-
-/*
- * X121Address
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
- *
- */
-
-struct NSSPKIXX121AddressStr;
-typedef struct NSSPKIXX121AddressStr NSSPKIXX121Address;
-
-/*
- * NetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NetworkAddress ::= X121Address -- see also extended-network-address
- *
- */
-
-struct NSSPKIXNetworkAddressStr;
-typedef struct NSSPKIXNetworkAddressStr NSSPKIXNetworkAddress;
-
-/*
- * TerminalIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
- *
- */
-
-struct NSSPKIXTerminalIdentifierStr;
-typedef struct NSSPKIXTerminalIdentifierStr NSSPKIXTerminalIdentifier;
-
-/*
- * PrivateDomainName
- *
- * -- fgmr comments --
- *
- * PrivateDomainName ::= CHOICE {
- * numeric NumericString (SIZE (1..ub-domain-name-length)),
- * printable PrintableString (SIZE (1..ub-domain-name-length)) }
- *
- */
-
-struct NSSPKIXPrivateDomainNameStr;
-typedef struct NSSPKIXPrivateDomainNameStr NSSPKIXPrivateDomainName;
-
-/*
- * OrganizationName
- *
- * -- fgmr comments --
- *
- * OrganizationName ::= PrintableString
- * (SIZE (1..ub-organization-name-length))
- *
- */
-
-struct NSSPKIXOrganizationNameStr;
-typedef struct NSSPKIXOrganizationNameStr NSSPKIXOrganizationName;
-
-/*
- * NumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NumericUserIdentifier ::= NumericString
- * (SIZE (1..ub-numeric-user-id-length))
- *
- */
-
-struct NSSPKIXNumericUserIdentifierStr;
-typedef struct NSSPKIXNumericUserIdentifierStr NSSPKIXNumericUserIdentifier;
-
-/*
- * PersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PersonalName ::= SET {
- * surname [0] PrintableString (SIZE (1..ub-surname-length)),
- * given-name [1] PrintableString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] PrintableString
- * (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXPersonalNameStr;
-typedef NSSPKIXPersonalNameStr NSSPKIXPersonalName;
-
-/*
- * OrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
- * OF OrganizationalUnitName
- *
- */
-
-struct NSSPKIXOrganizationalUnitNamesStr;
-typedef NSSPKIXOrganizationalUnitNamesStr NSSPKIXOrganizationalUnitNames;
-
-/*
- * OrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitName ::= PrintableString (SIZE
- * (1..ub-organizational-unit-name-length))
- *
- */
-
-struct NSSPKIXOrganizationalUnitNameStr;
-typedef struct NSSPKIXOrganizationalUnitNameStr NSSPKIXOrganizationalUnitName;
-
-/*
- * BuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF
- * BuiltInDomainDefinedAttribute
- *
- */
-
-struct NSSPKIXBuiltInDomainDefinedAttributesStr;
-typedef struct NSSPKIXBuiltInDomainDefinedAttributesStr NSSPKIXBuiltInDomainDefinedAttributes;
-
-/*
- * BuiltInDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttribute ::= SEQUENCE {
- * type PrintableString (SIZE
- * (1..ub-domain-defined-attribute-type-length)),
- * value PrintableString (SIZE
- * (1..ub-domain-defined-attribute-value-length))}
- *
- */
-
-struct NSSPKIXBuiltInDomainDefinedAttributeStr;
-typedef struct NSSPKIXBuiltInDomainDefinedAttributeStr NSSPKIXBuiltInDomainDefinedAttribute;
-
-/*
- * ExtensionAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
- * ExtensionAttribute
- *
- */
-
-struct NSSPKIXExtensionAttributesStr;
-typedef struct NSSPKIXExtensionAttributesStr NSSPKIXExtensionAttributes;
-
-/*
- * ExtensionAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttribute ::= SEQUENCE {
- * extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
- * extension-attribute-value [1]
- * ANY DEFINED BY extension-attribute-type }
- *
- */
-
-struct NSSPKIXExtensionAttributeStr;
-typedef struct NSSPKIXExtensionAttributeStr NSSPKIXExtensionAttribute;
-
-/*
- * ExtensionAttributeType
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * common-name INTEGER ::= 1
- * teletex-common-name INTEGER ::= 2
- * teletex-organization-name INTEGER ::= 3
- * teletex-personal-name INTEGER ::= 4
- * teletex-organizational-unit-names INTEGER ::= 5
- * teletex-domain-defined-attributes INTEGER ::= 6
- * pds-name INTEGER ::= 7
- * physical-delivery-country-name INTEGER ::= 8
- * postal-code INTEGER ::= 9
- * physical-delivery-office-name INTEGER ::= 10
- * physical-delivery-office-number INTEGER ::= 11
- * extension-OR-address-components INTEGER ::= 12
- * physical-delivery-personal-name INTEGER ::= 13
- * physical-delivery-organization-name INTEGER ::= 14
- * extension-physical-delivery-address-components INTEGER ::= 15
- * unformatted-postal-address INTEGER ::= 16
- * street-address INTEGER ::= 17
- * post-office-box-address INTEGER ::= 18
- * poste-restante-address INTEGER ::= 19
- * unique-postal-name INTEGER ::= 20
- * local-postal-attributes INTEGER ::= 21
- * extended-network-address INTEGER ::= 22
- * terminal-type INTEGER ::= 23
- *
- */
-
-enum NSSPKIXExtensionAttributeTypeEnum {
- NSSPKIXExtensionAttributeType_NSSinvalid = -1,
- NSSPKIXExtensionAttributeType_CommonName = 1,
- NSSPKIXExtensionAttributeType_TeletexCommonName = 2,
- NSSPKIXExtensionAttributeType_TeletexOrganizationName = 3,
- NSSPKIXExtensionAttributeType_TeletexPersonalName = 4,
- NSSPKIXExtensionAttributeType_TeletexOrganizationalUnitNames = 5,
- NSSPKIXExtensionAttributeType_TeletexDomainDefinedAttributes = 6,
- NSSPKIXExtensionAttributeType_PdsName = 7,
- NSSPKIXExtensionAttributeType_PhysicalDeliveryCountryName = 8,
- NSSPKIXExtensionAttributeType_PostalCode = 9,
- NSSPKIXExtensionAttributeType_PhysicalDeliveryOfficeName = 10,
- NSSPKIXExtensionAttributeType_PhysicalDeliveryOfficeNumber = 11,
- NSSPKIXExtensionAttributeType_ExtensionOrAddressComponents = 12,
- NSSPKIXExtensionAttributeType_PhysicalDeliveryPersonalName = 13,
- NSSPKIXExtensionAttributeType_PhysicalDeliveryOrganizationName = 14,
- NSSPKIXExtensionAttributeType_ExtensionPhysicalDeliveryAddressComponents = 15,
- NSSPKIXExtensionAttributeType_UnformattedPostalAddress = 16,
- NSSPKIXExtensionAttributeType_StreetAddress = 17,
- NSSPKIXExtensionAttributeType_PostOfficeBoxAddress = 18,
- NSSPKIXExtensionAttributeType_PosteRestanteAddress = 19,
- NSSPKIXExtensionAttributeType_UniquePostalName = 20,
- NSSPKIXExtensionAttributeType_LocalPostalAttributes = 21,
- NSSPKIXExtensionAttributeType_ExtendedNetworkAddress = 22,
- NSSPKIXExtensionAttributeType_TerminalType = 23
-};
-typedef enum NSSPKIXExtensionAttributeTypeEnum NSSPKIXExtensionAttributeType;
-
-/*
- * CommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
- *
- */
-
-struct NSSPKIXCommonNameStr;
-typedef struct NSSPKIXCommonNameStr NSSPKIXCommonName;
-
-/*
- * TeletexCommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
- *
- */
-
-struct NSSPKIXTeletexCommonNameStr;
-typedef struct NSSPKIXTeletexCommonNameStr NSSPKIXTeletexCommonName;
-
-/*
- * TeletexOrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationName ::=
- * TeletexString (SIZE (1..ub-organization-name-length))
- *
- */
-
-struct NSSPKIXTeletexOrganizationNameStr;
-typedef struct NSSPKIXTeletexOrganizationNameStr NSSPKIXTeletexOrganizationName;
-
-/*
- * TeletexPersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexPersonalName ::= SET {
- * surname [0] TeletexString (SIZE (1..ub-surname-length)),
- * given-name [1] TeletexString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] TeletexString (SIZE
- * (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXTeletexPersonalNameStr;
-typedef struct NSSPKIXTeletexPersonalNameStr NSSPKIXTeletexPersonalName;
-
-/*
- * TeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
- * (1..ub-organizational-units) OF TeletexOrganizationalUnitName
- *
- */
-
-struct NSSPKIXTeletexOrganizationalUnitNamesStr;
-typedef struct NSSPKIXTeletexOrganizationalUnitNamesStr NSSPKIXTeletexOrganizationalUnitNames;
-
-/*
- * TeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitName ::= TeletexString
- * (SIZE (1..ub-organizational-unit-name-length))
- *
- */
-
-struct NSSPKIXTeletexOrganizationalUnitNameStr;
-typedef struct NSSPKIXTeletexOrganizationalUnitNameStr NSSPKIXTeletexOrganizationalUnitName;
-
-/*
- * PDSName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
- *
- */
-
-struct NSSPKIXPDSNameStr;
-typedef struct NSSPKIXPDSNameStr NSSPKIXPDSName;
-
-/*
- * PhysicalDeliveryCountryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryCountryName ::= CHOICE {
- * x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
- * iso-3166-alpha2-code PrintableString
- * (SIZE (ub-country-name-alpha-length)) }
- *
- */
-
-struct NSSPKIXPhysicalDeliveryCountryNameStr;
-typedef struct NSSPKIXPhysicalDeliveryCountryNameStr NSSPKIXPhysicalDeliveryCountryName;
-
-/*
- * PostalCode
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PostalCode ::= CHOICE {
- * numeric-code NumericString (SIZE (1..ub-postal-code-length)),
- * printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
- *
- */
-
-struct NSSPKIXPostalCodeStr;
-typedef struct NSSPKIXPostalCodeStr NSSPKIXPostalCode;
-
-/*
- * PDSParameter
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSParameter ::= SET {
- * printable-string PrintableString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXPDSParameterStr;
-typedef struct NSSPKIXPDSParameterStr NSSPKIXPDSParameter;
-
-/*
- * PhysicalDeliveryOfficeName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryOfficeName ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryOfficeName;
-
-/*
- * PhysicalDeliveryOfficeNumber
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryOfficeNumber ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryOfficeNumber;
-
-/*
- * ExtensionORAddressComponents
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionORAddressComponents ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXExtensionORAddressComponents;
-
-/*
- * PhysicalDeliveryPersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryPersonalName ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryPersonalName;
-
-/*
- * PhysicalDeliveryOrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryOrganizationName ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryOrganizationName;
-
-/*
- * ExtensionPhysicalDeliveryAddressComponents
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXExtensionPhysicalDeliveryAddressComponents;
-
-/*
- * UnformattedPostalAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UnformattedPostalAddress ::= SET {
- * printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
- * PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXUnformattedPostalAddressStr;
-typedef struct NSSPKIXUnformattedPostalAddressStr NSSPKIXUnformattedPostalAddress;
-
-/*
- * StreetAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * StreetAddress ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXStreetAddress;
-
-/*
- * PostOfficeBoxAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PostOfficeBoxAddress ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXPostOfficeBoxAddress;
-
-/*
- * PosteRestanteAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PosteRestanteAddress ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXPosteRestanteAddress;
-
-/*
- * UniquePostalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UniquePostalName ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXUniquePostalName;
-
-/*
- * LocalPostalAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * LocalPostalAttributes ::= PDSParameter
- *
- */
-
-typedef NSSPKIXPDSParameter NSSPKIXLocalPostalAttributes;
-
-/*
- * ExtendedNetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtendedNetworkAddress ::= CHOICE {
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- * psap-address [0] PresentationAddress }
- *
- */
-
-struct NSSPKIXExtendedNetworkAddressStr;
-typedef struct NSSPKIXExtendedNetworkAddressStr NSSPKIXExtendedNetworkAddress;
-
-/*
- * NSSPKIXExtendedNetworkAddressChoice
- *
- * Helper enumeration for ExtendedNetworkAddress
- * -- fgmr comments --
- *
- */
-
-enum NSSPKIXExtendedNetworkAddressEnum {
- NSSPKIXExtendedNetworkAddress_NSSinvalid = -1,
- NSSPKIXExtendedNetworkAddress_e1634Address,
- NSSPKIXExtendedNetworkAddress_psapAddress
-};
-typedef enum NSSPKIXExtendedNetworkAddressEnum NSSPKIXExtendedNetworkAddressChoice;
-
-/*
- * e163-4-address
- *
- * Helper structure for ExtendedNetworkAddress.
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- *
- */
-
-struct NSSe1634addressStr;
-typedef struct NSSe1634addressStr NSSe1634address;
-
-/*
- * PresentationAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PresentationAddress ::= SEQUENCE {
- * pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
- * sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
- * tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
- * nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
- *
- */
-
-struct NSSPKIXPresentationAddressStr;
-typedef struct NSSPKIXPresentationAddressStr NSSPKIXPresentationAddress;
-
-/*
- * TerminalType
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TerminalType ::= INTEGER {
- * telex (3),
- * teletex (4),
- * g3-facsimile (5),
- * g4-facsimile (6),
- * ia5-terminal (7),
- * videotex (8) } (0..ub-integer-options)
- *
- */
-
-enum NSSPKIXTerminalTypeEnum {
- NSSPKIXTerminalType_NSSinvalid = -1,
- NSSPKIXTerminalType_telex = 3,
- NSSPKIXTerminalType_teletex = 4,
- NSSPKIXTerminalType_g3Facsimile = 5,
- NSSPKIXTerminalType_g4Facsimile = 6,
- NSSPKIXTerminalType_iA5Terminal = 7,
- NSSPKIXTerminalType_videotex = 8
-};
-typedef enum NSSPKIXTerminalTypeEnum NSSPKIXTerminalType;
-
-/*
- * TeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
- *
- */
-
-struct NSSPKIXTeletexDomainDefinedAttributesStr;
-typedef struct NSSPKIXTeletexDomainDefinedAttributesStr NSSPKIXTeletexDomainDefinedAttributes;
-
-/*
- * TeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttribute ::= SEQUENCE {
- * type TeletexString
- * (SIZE (1..ub-domain-defined-attribute-type-length)),
- * value TeletexString
- * (SIZE (1..ub-domain-defined-attribute-value-length)) }
- *
- */
-
-struct NSSPKIXTeletexDomainDefinedAttributeStr;
-typedef struct NSSPKIXTeletexDomainDefinedAttributeStr NSSPKIXTeletexDomainDefinedAttribute;
-
-/*
- * AuthorityKeyIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityKeyIdentifier ::= SEQUENCE {
- * keyIdentifier [0] KeyIdentifier OPTIONAL,
- * authorityCertIssuer [1] GeneralNames OPTIONAL,
- * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
- * -- authorityCertIssuer and authorityCertSerialNumber shall both
- * -- be present or both be absent
- *
- */
-
-struct NSSPKIXAuthorityKeyIdentifierStr;
-typedef struct NSSPKIXAuthorityKeyIdentifierStr NSSPKIXAuthorityKeyIdentifier;
-
-/*
- * KeyIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * KeyIdentifier ::= OCTET STRING
- *
- */
-
-typedef NSSItem NSSPKIXKeyIdentifier;
-
-/*
- * SubjectKeyIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectKeyIdentifier ::= KeyIdentifier
- *
- */
-
-typedef NSSPKIXKeyIdentifier NSSPKIXSubjectKeyIdentifier;
-
-/*
- * KeyUsage
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * KeyUsage ::= BIT STRING {
- * digitalSignature (0),
- * nonRepudiation (1),
- * keyEncipherment (2),
- * dataEncipherment (3),
- * keyAgreement (4),
- * keyCertSign (5),
- * cRLSign (6),
- * encipherOnly (7),
- * decipherOnly (8) }
- *
- */
-
-struct NSSPKIXKeyUsageStr;
-typedef struct NSSPKIXKeyUsageStr NSSPKIXKeyUsage;
-
-/*
- * KeyUsageValue
- *
- * -- helper for testing many key usages at once
- *
- */
-
-enum NSSPKIXKeyUsageValueEnum {
- NSSPKIXKeyUsage_NSSinvalid = 0,
- NSSPKIXKeyUsage_DigitalSignature = 0x001,
- NSSPKIXKeyUsage_NonRepudiation = 0x002,
- NSSPKIXKeyUsage_KeyEncipherment = 0x004,
- NSSPKIXKeyUsage_DataEncipherment = 0x008,
- NSSPKIXKeyUsage_KeyAgreement = 0x010,
- NSSPKIXKeyUsage_KeyCertSign = 0x020,
- NSSPKIXKeyUsage_CRLSign = 0x040,
- NSSPKIXKeyUsage_EncipherOnly = 0x080,
- NSSPKIXKeyUsage_DecipherOnly = 0x100
-};
-typedef enum NSSPKIXKeyUsageValueEnum NSSPKIXKeyUsageValue;
-
-/*
- * PrivateKeyUsagePeriod
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PrivateKeyUsagePeriod ::= SEQUENCE {
- * notBefore [0] GeneralizedTime OPTIONAL,
- * notAfter [1] GeneralizedTime OPTIONAL }
- * -- either notBefore or notAfter shall be present
- *
- */
-
-struct NSSPKIXPrivateKeyUsagePeriodStr;
-typedef struct NSSPKIXPrivateKeyUsagePeriodStr NSSPKIXPrivateKeyUsagePeriod;
-
-/*
- * CertificatePolicies
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
- *
- */
-
-struct NSSPKIXCertificatePoliciesStr;
-typedef struct NSSPKIXCertificatePoliciesStr NSSPKIXCertificatePolicies;
-
-/*
- * PolicyInformation
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyInformation ::= SEQUENCE {
- * policyIdentifier CertPolicyId,
- * policyQualifiers SEQUENCE SIZE (1..MAX) OF
- * PolicyQualifierInfo OPTIONAL }
- *
- */
-
-struct NSSPKIXPolicyInformationStr;
-typedef struct NSSPKIXPolicyInformationStr NSSPKIXPolicyInformation;
-
-/*
- * CertPolicyId
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertPolicyId ::= OBJECT IDENTIFIER
- *
- */
-
-typedef NSSOID NSSPKIXCertPolicyId;
-
-/*
- * PolicyQualifierInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyQualifierInfo ::= SEQUENCE {
- * policyQualifierId PolicyQualifierId,
- * qualifier ANY DEFINED BY policyQualifierId }
- *
- */
-
-struct NSSPKIXPolicyQualifierInfoStr;
-typedef NSSPKIXPolicyQualifierInfoStr NSSPKIXPolicyQualifierInfo;
-
-/*
- * PolicyQualifierId
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyQualifierId ::=
- * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
- *
- */
-
-typedef NSSOID NSSPKIXPolicyQualifierId;
-
-/*
- * CPSuri
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CPSuri ::= IA5String
- *
- */
-
-struct NSSPKIXCPSuriStr;
-typedef struct NSSPKIXCPSuriStr NSSPKIXCPSuri;
-
-/*
- * UserNotice
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UserNotice ::= SEQUENCE {
- * noticeRef NoticeReference OPTIONAL,
- * explicitText DisplayText OPTIONAL}
- *
- */
-
-struct NSSPKIXUserNoticeStr;
-typedef struct NSSPKIXUserNoticeStr NSSPKIXUserNotice;
-
-/*
- * NoticeReference
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NoticeReference ::= SEQUENCE {
- * organization DisplayText,
- * noticeNumbers SEQUENCE OF INTEGER }
- *
- */
-
-struct NSSPKIXNoticeReferenceStr;
-typedef struct NSSPKIXNoticeReferenceStr NSSPKIXNoticeReference;
-
-/*
- * DisplayText
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DisplayText ::= CHOICE {
- * visibleString VisibleString (SIZE (1..200)),
- * bmpString BMPString (SIZE (1..200)),
- * utf8String UTF8String (SIZE (1..200)) }
- *
- */
-
-struct NSSPKIXDisplayTextStr;
-typedef struct NSSPKIXDisplayTextStr NSSPKIXDisplayText;
-
-/*
- * PolicyMappings
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- */
-
-struct NSSPKIXPolicyMappingsStr;
-typedef struct NSSPKIXPolicyMappingsStr NSSPKIXPolicyMappings;
-
-/*
- * policyMapping
- *
- * Helper structure for PolicyMappings
- *
- * SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- */
-
-struct NSSPKIXpolicyMappingStr;
-typedef struct NSSPKIXpolicyMappingStr NSSPKIXpolicyMapping;
-
-/*
- * GeneralName
- *
- * This structure contains a union of the possible general names,
- * of which there are several.
- *
- * From RFC 2459:
- *
- * GeneralName ::= CHOICE {
- * otherName [0] AnotherName,
- * rfc822Name [1] IA5String,
- * dNSName [2] IA5String,
- * x400Address [3] ORAddress,
- * directoryName [4] Name,
- * ediPartyName [5] EDIPartyName,
- * uniformResourceIdentifier [6] IA5String,
- * iPAddress [7] OCTET STRING,
- * registeredID [8] OBJECT IDENTIFIER }
- *
- */
-
-struct NSSPKIXGeneralNameStr;
-typedef struct NSSPKIXGeneralNameStr NSSPKIXGeneralName;
-
-/*
- * GeneralNameChoice
- *
- * This enumerates the possible general name types.
- */
-
-enum NSSPKIXGeneralNameChoiceEnum {
- NSSPKIXGeneralNameChoice_NSSinvalid = -1,
- NSSPKIXGeneralNameChoice_otherName = 0,
- NSSPKIXGeneralNameChoice_rfc822Name = 1,
- NSSPKIXGeneralNameChoice_dNSName = 2,
- NSSPKIXGeneralNameChoice_x400Address = 3,
- NSSPKIXGeneralNameChoice_directoryName = 4,
- NSSPKIXGeneralNameChoice_ediPartyName = 5,
- NSSPKIXGeneralNameChoice_uniformResourceIdentifier = 6,
- NSSPKIXGeneralNameChoice_iPAddress = 7,
- NSSPKIXGeneralNameChoice_registeredID = 8
-};
-typedef enum NSSPKIXGeneralNameChoiceEnum NSSPKIXGeneralNameChoice;
-
-/*
- * GeneralNames
- *
- * This structure contains a sequence of GeneralName objects.
- *
- * From RFC 2459:
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- */
-
-struct NSSPKIXGeneralNamesStr;
-typedef struct NSSPKIXGeneralNamesStr NSSPKIXGeneralNames;
-
-/*
- * SubjectAltName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectAltName ::= GeneralNames
- *
- */
-
-typedef NSSPKIXGeneralNames NSSPKIXSubjectAltName;
-
-/*
- * AnotherName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AnotherName ::= SEQUENCE {
- * type-id OBJECT IDENTIFIER,
- * value [0] EXPLICIT ANY DEFINED BY type-id }
- *
- */
-
-struct NSSPKIXAnotherNameStr;
-typedef struct NSSPKIXAnotherNameStr NSSPKIXAnotherName;
-
-/*
- * EDIPartyName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- *
- * EDIPartyName ::= SEQUENCE {
- * nameAssigner [0] DirectoryString OPTIONAL,
- * partyName [1] DirectoryString }
- *
- */
-
-struct NSSPKIXEDIPartyNameStr;
-typedef struct NSSPKIXEDIPartyNameStr NSSPKIXEDIPartyName;
-
-/*
- * IssuerAltName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * IssuerAltName ::= GeneralNames
- *
- */
-
-typedef NSSPKIXGeneralNames NSSPKIXIssuerAltName;
-
-/*
- * SubjectDirectoryAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
- *
- */
-
-struct NSSPKIXSubjectDirectoryAttributesStr;
-typedef struct NSSPKIXSubjectDirectoryAttributesStr NSSPKIXSubjectDirectoryAttributes;
-
-/*
- * BasicConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BasicConstraints ::= SEQUENCE {
- * cA BOOLEAN DEFAULT FALSE,
- * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
- *
- */
-
-struct NSSPKIXBasicConstraintsStr;
-typedef struct NSSPKIXBasicConstraintsStr NSSPKIXBasicConstraints;
-
-/*
- * NameConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NameConstraints ::= SEQUENCE {
- * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
- * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
- *
- */
-
-struct NSSPKIXNameConstraintsStr;
-typedef struct NSSPKIXNameConstraintsStr NSSPKIXNameConstraints;
-
-/*
- * GeneralSubtrees
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
- *
- */
-
-struct NSSPKIXGeneralSubtreesStr;
-typedef struct NSSPKIXGeneralSubtreesStr NSSPKIXGeneralSubtrees;
-
-/*
- * GeneralSubtree
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtree ::= SEQUENCE {
- * base GeneralName,
- * minimum [0] BaseDistance DEFAULT 0,
- * maximum [1] BaseDistance OPTIONAL }
- *
- */
-
-struct NSSPKIXGeneralSubtreeStr;
-typedef struct NSSPKIXGeneralSubtreeStr NSSPKIXGeneralSubtree;
-
-/*
- * BaseDistance
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BaseDistance ::= INTEGER (0..MAX)
- *
- */
-
-typedef PRInt32 NSSPKIXBaseDistance;
-
-/*
- * PolicyConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyConstraints ::= SEQUENCE {
- * requireExplicitPolicy [0] SkipCerts OPTIONAL,
- * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
- *
- */
-
-struct NSSPKIXPolicyConstraintsStr;
-typedef NSSPKIXPolicyConstraintsStr NSSPKIXPolicyConstraints;
-
-/*
- * SkipCerts
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SkipCerts ::= INTEGER (0..MAX)
- *
- */
-
-typedef NSSItem NSSPKIXSkipCerts;
-
-/*
- * CRLDistPointsSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
- *
- */
-
-struct NSSPKIXCRLDistPointsSyntaxStr;
-typedef struct NSSPKIXCRLDistPointsSyntaxStr NSSPKIXCRLDistPointsSyntax;
-
-/*
- * DistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * reasons [1] ReasonFlags OPTIONAL,
- * cRLIssuer [2] GeneralNames OPTIONAL }
- *
- */
-
-struct NSSPKIXDistributionPointStr;
-typedef struct NSSPKIXDistributionPointStr NSSPKIXDistributionPoint;
-
-/*
- * DistributionPointName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPointName ::= CHOICE {
- * fullName [0] GeneralNames,
- * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
- *
- */
-
-struct NSSPKIXDistributionPointNameStr;
-typedef struct NSSPKIXDistributionPointNameStr NSSPKIXDistributionPointName;
-
-/*
- * DistributionPointNameChoice
- *
- * -- fgmr comments --
- *
- */
-
-enum NSSPKIXDistributionPointNameChoiceEnum {
- NSSDistributionPointNameChoice_NSSinvalid = -1,
- NSSDistributionPointNameChoice_FullName = 0,
- NSSDistributionPointNameChoice_NameRelativeToCRLIssuer = 1
-};
-typedef enum NSSPKIXDistributionPointNameChoiceEnum NSSPKIXDistributionPointNameChoice;
-
-/*
- * ReasonFlags
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ReasonFlags ::= BIT STRING {
- * unused (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6) }
- *
- */
-
-struct NSSPKIXReasonFlagsStr;
-typedef struct NSSPKIXReasonFlagsStr NSSPKIXReasonFlags;
-
-/*
- * ReasonFlagsMask
- *
- * -- fgmr comments --
- *
- */
-
-typedef PRInt32 NSSPKIXReasonFlagsMask;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_NSSinvalid = -1;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_KeyCompromise = 0x02;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_CACompromise = 0x04;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_AffiliationChanged = 0x08;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_Superseded = 0x10;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_CessationOfOperation= 0x20;
-const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_CertificateHold = 0x40;
-
-/*
- * ExtKeyUsageSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
- *
- */
-
-struct NSSPKIXExtKeyUsageSyntaxStr;
-typedef struct NSSPKIXExtKeyUsageSyntaxStr NSSPKIXExtKeyUsageSyntax;
-
-/*
- * KeyPurposeId
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * KeyPurposeId ::= OBJECT IDENTIFIER
- *
- */
-
-typedef NSSOID NSSPKIXKeyPurposeId;
-
-/*
- * AuthorityInfoAccessSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityInfoAccessSyntax ::=
- * SEQUENCE SIZE (1..MAX) OF AccessDescription
- *
- */
-
-struct NSSPKIXAuthorityInfoAccessSyntaxStr;
-typedef struct NSSPKIXAuthorityInfoAccessSyntaxStr NSSPKIXAuthorityInfoAccessSyntax;
-
-/*
- * AccessDescription
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AccessDescription ::= SEQUENCE {
- * accessMethod OBJECT IDENTIFIER,
- * accessLocation GeneralName }
- *
- */
-
-struct NSSPKIXAccessDescriptionStr;
-typedef struct NSSPKIXAccessDescriptionStr NSSPKIXAccessDescription;
-
-/*
- * CRLNumber
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CRLNumber ::= INTEGER (0..MAX)
- *
- */
-
-typedef NSSItem NSSPKIXCRLNumber;
-
-/*
- * IssuingDistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * IssuingDistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
- * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
- * onlySomeReasons [3] ReasonFlags OPTIONAL,
- * indirectCRL [4] BOOLEAN DEFAULT FALSE }
- *
- */
-
-struct NSSPKIXIssuingDistributionPointStr;
-typedef struct NSSPKIXIssuingDistributionPointStr NSSPKIXIssuingDistributionPoint;
-
-/*
- * BaseCRLNumber
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BaseCRLNumber ::= CRLNumber
- *
- */
-
-typedef NSSPKIXCRLNumber NSSPKIXBaseCRLNumber;
-
-/*
- * CRLReason
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CRLReason ::= ENUMERATED {
- * unspecified (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6),
- * removeFromCRL (8) }
- *
- */
-
-enum NSSPKIXCRLReasonEnum {
- NSSPKIXCRLReasonEnum_NSSinvalid = -1,
- NSSPKIXCRLReasonEnum_unspecified = 0,
- NSSPKIXCRLReasonEnum_keyCompromise = 1,
- NSSPKIXCRLReasonEnum_cACompromise = 2,
- NSSPKIXCRLReasonEnum_affiliationChanged = 3,
- NSSPKIXCRLReasonEnum_superseded = 4,
- NSSPKIXCRLReasonEnum_cessationOfOperation = 5,
- NSSPKIXCRLReasonEnum_certificateHold = 6,
- NSSPKIXCRLReasonEnum_removeFromCRL = 8
-};
-typedef enum NSSPKIXCRLReasonEnum NSSPKIXCRLReason;
-
-/*
- * CertificateIssuer
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateIssuer ::= GeneralNames
- *
- */
-
-typedef NSSPKIXGeneralNames NSSPKIXCertificateIssuer;
-
-/*
- * HoldInstructionCode
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * HoldInstructionCode ::= OBJECT IDENTIFIER
- *
- */
-
-typedef NSSOID NSSPKIXHoldInstructionCode;
-
-/*
- * InvalidityDate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * InvalidityDate ::= GeneralizedTime
- *
- */
-
-typedef PRTime NSSPKIXInvalidityDate;
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKIXT_H */
diff --git a/security/nss/lib/pkix/include/pkix.h b/security/nss/lib/pkix/include/pkix.h
deleted file mode 100644
index 8ebe95595..000000000
--- a/security/nss/lib/pkix/include/pkix.h
+++ /dev/null
@@ -1,26086 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef PKIX_H
-#define PKIX_H
-
-#ifdef DEBUG
-static const char PKIX_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * pkix.h
- *
- * This file contains the prototypes for the private methods defined
- * for the PKIX part-1 objects.
- */
-
-#ifndef NSSPKIX_H
-#include "nsspkix.h"
-#endif /* NSSPKIX_H */
-
-#ifndef PKIXT_H
-#include "pkixt.h"
-#endif /* PKIXT_H */
-
-#ifndef ASN1T_H
-#include "asn1t.h"
-#endif /* ASN1T_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Attribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Attribute ::= SEQUENCE {
- * type AttributeType,
- * values SET OF AttributeValue
- * -- at least one value is required -- }
- *
- * The private calls for the type:
- *
- * nssPKIXAttribute_Decode
- * nssPKIXAttribute_Create
- * nssPKIXAttribute_CreateFromArray
- * nssPKIXAttribute_Destroy
- * nssPKIXAttribute_Encode
- * nssPKIXAttribute_GetType
- * nssPKIXAttribute_SetType
- * nssPKIXAttribute_GetValueCount
- * nssPKIXAttribute_GetValues
- * nssPKIXAttribute_SetValues
- * nssPKIXAttribute_GetValue
- * nssPKIXAttribute_SetValue
- * nssPKIXAttribute_AddValue
- * nssPKIXAttribute_RemoveValue
- * nssPKIXAttribute_FindValue
- * nssPKIXAttribute_Equal
- * nssPKIXAttribute_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAttribute_verifyPointer
- */
-
-/*
- * nssPKIXAttribute_template
- *
- *
- */
-
-extern const nssASN1Template nssPKIXAttribute_template[];
-
-/*
- * nssPKIXAttribute_Decode
- *
- * This routine creates an NSSPKIXAttribute by decoding a BER-
- * or DER-encoded Attribute as defined in RFC 2459. This
- * routine may return NULL upon error, in which case it will
- * have created an error stack. If the optional arena argument
- * is non-NULL, that arena will be used for the required memory.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nssPKIXAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAttribute_Create
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nssPKIXAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value1,
- ...
-);
-
-/*
- * nssPKIXAttribute_CreateFromArray
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nssPKIXAttribute_CreateFromArray
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- PRUint32 count,
- NSSPKIXAttributeValue values[]
-);
-
-/*
- * nssPKIXAttribute_Destroy
- *
- * This routine destroys an NSSPKIXAttribute. It should be called on
- * all such objects created without an arena. It does not need to be
- * called for objects created with an arena, but it may be. This
- * routine returns a PRStatus value. Upon error, it will create an
- * error stack and return PR_FAILURE.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_Destroy
-(
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXAttribute_Encode
- *
- * This routine returns the BER encoding of the specified
- * NSSPKIXAttribute. {usual rules about itemOpt and arenaOpt}
- * This routine indicates an error (NSS_ERROR_INVALID_DATA)
- * if there are no attribute values (i.e., the last one was removed).
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAttribute_Encode
-(
- NSSPKIXAttribute *attribute,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAttribute_GetType
- *
- * This routine returns the attribute type oid of the specified
- * NSSPKIXAttribute.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttributeType *
-nssPKIXAttribute_GetType
-(
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXAttribute_SetType
- *
- * This routine sets the attribute type oid of the indicated
- * NSSPKIXAttribute to the specified value. Since attributes
- * may be application-defined, no checking can be done on
- * either the correctness of the attribute type oid value nor
- * the suitability of the set of attribute values.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_SetType
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeType *attributeType
-);
-
-/*
- * nssPKIXAttribute_GetValueCount
- *
- * This routine returns the number of attribute values present in
- * the specified NSSPKIXAttribute. This routine returns a PRInt32.
- * Upon error, this routine returns -1. This routine indicates an
- * error if the number of values cannot be expressed as a PRInt32.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXAttribute_GetValueCount
-(
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXAttribute_GetValues
- *
- * This routine returns all of the attribute values in the specified
- * NSSPKIXAttribute. If the optional pointer to an array of NSSItems
- * is non-null, then that array will be used and returned; otherwise,
- * an array will be allocated and returned. If the limit is nonzero
- * (which is must be if the specified array is nonnull), then an
- * error is indicated if it is smaller than the value count.
- * {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSItem's upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-nssPKIXAttribute_GetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAttribute_SetValues
- *
- * This routine sets all of the values of the specified
- * NSSPKIXAttribute to the values in the specified NSSItem array.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_SetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue values[],
- PRInt32 count
-);
-
-/*
- * nssPKIXAttribute_GetValue
- *
- * This routine returns the i'th attribute value of the set of
- * values in the specified NSSPKIXAttribute. Although the set
- * is unordered, an arbitrary ordering will be maintained until
- * the data in the attribute is changed. {usual comments about
- * itemOpt and arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-nssPKIXAttribute_GetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAttribute_SetValue
- *
- * This routine sets the i'th attribute value {blah blah; copies
- * memory contents over..}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_SetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * nssPKIXAttribute_AddValue
- *
- * This routine adds the specified attribute value to the set in
- * the specified NSSPKIXAttribute.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_AddValue
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * nssPKIXAttribute_RemoveValue
- *
- * This routine removes the i'th attribute value of the set in the
- * specified NSSPKIXAttribute. An attempt to remove the last value
- * will fail.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_RemoveValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i
-);
-
-/*
- * nssPKIXAttribute_FindValue
- *
- * This routine searches the set of attribute values in the specified
- * NSSPKIXAttribute for the provided data. If an exact match is found,
- * then that value's index is returned. If an exact match is not
- * found, -1 is returned. If there is more than one exact match, one
- * index will be returned. {notes about unorderdness of SET, etc}
- * If the index may not be represented as an integer, an error is
- * indicated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXAttribute_FindValue
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue *attributeValue
-);
-
-/*
- * nssPKIXAttribute_Equal
- *
- * This routine compares two NSSPKIXAttribute's for equality.
- * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
- * This routine also returns PR_FALSE upon error; if you're
- * that worried about it, check for an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAttribute_Equal
-(
- NSSPKIXAttribute *one,
- NSSPKIXAttribute *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAttribute_Duplicate
- *
- * This routine duplicates an NSSPKIXAttribute. {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nssPKIXAttribute_Duplicate
-(
- NSSPKIXAttribute *attribute,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXAttribute_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAttribute
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttribute_verifyPointer
-(
- NSSPKIXAttribute *p
-);
-#endif /* DEBUG */
-
-/*
- * AttributeTypeAndValue
- *
- * This structure contains an attribute type (indicated by an OID),
- * and the type-specific value. RelativeDistinguishedNames consist
- * of a set of these. These are distinct from Attributes (which have
- * SET of values), from AttributeDescriptions (which have qualifiers
- * on the types), and from AttributeValueAssertions (which assert a
- * a value comparison under some matching rule).
- *
- * From RFC 2459:
- *
- * AttributeTypeAndValue ::= SEQUENCE {
- * type AttributeType,
- * value AttributeValue }
- *
- * The private calls for the type:
- *
- * nssPKIXAttributeTypeAndValue_Decode
- * nssPKIXAttributeTypeAndValue_CreateFromUTF8
- * nssPKIXAttributeTypeAndValue_Create
- * nssPKIXAttributeTypeAndValue_Destroy
- * nssPKIXAttributeTypeAndValue_Encode
- * nssPKIXAttributeTypeAndValue_GetUTF8Encoding
- * nssPKIXAttributeTypeAndValue_GetType
- * nssPKIXAttributeTypeAndValue_SetType
- * nssPKIXAttributeTypeAndValue_GetValue
- * nssPKIXAttributeTypeAndValue_SetValue
- * nssPKIXAttributeTypeAndValue_Equal
- * nssPKIXAttributeTypeAndValue_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAttributeTypeAndValue_verifyPointer
- */
-
-/*
- * nssPKIXAttributeTypeAndValue_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_CreateFromUTF8
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttributeTypeAndValue_Destroy
-(
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAttributeTypeAndValue_Encode
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXAttributeTypeAndValue_GetUTF8Encoding
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_GetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeType *
-nssPKIXAttributeTypeAndValue_GetType
-(
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_SetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttributeTypeAndValue_SetType
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeType *attributeType
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_GetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-nssPKIXAttributeTypeAndValue_GetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_SetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttributeTypeAndValue_SetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *value
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAttributeTypeAndValue_Equal
-(
- NSSPKIXAttributeTypeAndValue *atav1,
- NSSPKIXAttributeTypeAndValue *atav2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAttributeTypeAndValue_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_Duplicate
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXAttributeTypeAndValue_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAttributeTypeAndValue
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE_TYPE_AND_VALUE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttributeTypeAndValue_verifyPointer
-(
- NSSPKIXAttributeTypeAndValue *p
-);
-#endif /* DEBUG */
-
-/*
- * X520Name
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520name ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-name)),
- * printableString PrintableString (SIZE (1..ub-name)),
- * universalString UniversalString (SIZE (1..ub-name)),
- * utf8String UTF8String (SIZE (1..ub-name)),
- * bmpString BMPString (SIZE(1..ub-name)) }
- *
- *
- * ub-name INTEGER ::= 32768
- *
- * The private calls for this type:
- *
- * nssPKIXX520Name_Decode
- * nssPKIXX520Name_CreateFromUTF8
- * nssPKIXX520Name_Create
- * nssPKIXX520Name_Destroy
- * nssPKIXX520Name_Encode
- * nssPKIXX520Name_GetUTF8Encoding
- * nssPKIXX520Name_Equal
- * nssPKIXX520Name_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXX520Name_verifyPointer
- */
-
-/*
- * nssPKIXX520Name_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-nssPKIXX520Name_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520Name_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-nssPKIXX520Name_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520Name_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING_TYPE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-nssPKIXX520Name_Create
-(
- NSSArena *arenaOpt,
- nssStringType type,
- NSSItem *data
-);
-
-/*
- * nssPKIXX520Name_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520Name_Destroy
-(
- NSSPKIXX520Name *name
-);
-
-/*
- * nssPKIXX520Name_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520Name_Encode
-(
- NSSPKIXX520Name *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXX520Name_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXX520Name_GetUTF8Encoding
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXX520Name_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXX520Name_Equal
-(
- NSSPKIXX520Name *name1,
- NSSPKIXX520Name *name2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXX520Name_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Name *
-nssPKIXX520Name_Duplicate
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-
-/*
- * nssPKIXX520Name_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXX520Name
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_X520_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXX520Name_verifyPointer
-(
- NSSPKIXX520Name *p
-);
-
-#endif /* DEBUG */
-
-/*
- * X520CommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520CommonName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-common-name)),
- * printableString PrintableString (SIZE (1..ub-common-name)),
- * universalString UniversalString (SIZE (1..ub-common-name)),
- * utf8String UTF8String (SIZE (1..ub-common-name)),
- * bmpString BMPString (SIZE(1..ub-common-name)) }
- *
- *
- * ub-common-name INTEGER ::= 64
- *
- * The private calls for this type:
- *
- *
- * nssPKIXX520CommonName_Decode
- * nssPKIXX520CommonName_CreateFromUTF8
- * nssPKIXX520CommonName_Create
- * nssPKIXX520CommonName_Destroy
- * nssPKIXX520CommonName_Encode
- * nssPKIXX520CommonName_GetUTF8Encoding
- * nssPKIXX520CommonName_Equal
- * nssPKIXX520CommonName_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXX520CommonName_verifyPointer
- */
-
-/*
- * nssPKIXX520CommonName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-nssPKIXX520CommonName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520CommonName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-nssPKIXX520CommonName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520CommonName_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING_TYPE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-nssPKIXX520CommonName_Create
-(
- NSSArena *arenaOpt,
- nssStringType type,
- NSSItem *data
-);
-
-/*
- * nssPKIXX520CommonName_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520CommonName_Destroy
-(
- NSSPKIXX520CommonName *name
-);
-
-/*
- * nssPKIXX520CommonName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520CommonName_Encode
-(
- NSSPKIXX520CommonName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXX520CommonName_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXX520CommonName_GetUTF8Encoding
-(
- NSSPKIXX520CommonName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXX520CommonName_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXX520CommonName_Equal
-(
- NSSPKIXX520CommonName *name1,
- NSSPKIXX520CommonName *name2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXX520CommonName_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520CommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520CommonName *
-nssPKIXX520CommonName_Duplicate
-(
- NSSPKIXX520CommonName *name,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-
-/*
- * nssPKIXX520CommonName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXX520CommonName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_X520_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXX520CommonName_verifyPointer
-(
- NSSPKIXX520CommonName *p
-);
-
-#endif /* DEBUG */
-
-/*
- * X520LocalityName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520LocalityName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-locality-name)),
- * printableString PrintableString (SIZE (1..ub-locality-name)),
- * universalString UniversalString (SIZE (1..ub-locality-name)),
- * utf8String UTF8String (SIZE (1..ub-locality-name)),
- * bmpString BMPString (SIZE(1..ub-locality-name)) }
- *
- * The private calls for this type:
- *
- * nssPKIXX520LocalityName_Decode
- * nssPKIXX520LocalityName_CreateFromUTF8
- * nssPKIXX520LocalityName_Encode
- *
- */
-
-/*
- * nssPKIXX520LocalityName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520LocalityName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520LocalityName *
-nssPKIXX520LocalityName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520LocalityName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520LocalityName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520LocalityName *
-nssPKIXX520LocalityName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520LocalityName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520LocalityName_Encode
-(
- NSSPKIXX520LocalityName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520StateOrProvinceName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520StateOrProvinceName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-state-name)),
- * printableString PrintableString (SIZE (1..ub-state-name)),
- * universalString UniversalString (SIZE (1..ub-state-name)),
- * utf8String UTF8String (SIZE (1..ub-state-name)),
- * bmpString BMPString (SIZE(1..ub-state-name)) }
- *
- * The private calls for this type:
- *
- * nssPKIXX520StateOrProvinceName_Decode
- * nssPKIXX520StateOrProvinceName_CreateFromUTF8
- * nssPKIXX520StateOrProvinceName_Encode
- *
- */
-
-/*
- * nssPKIXX520StateOrProvinceName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520StateOrProvinceName *
-nssPKIXX520StateOrProvinceName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520StateOrProvinceName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520StateOrProvinceName *
-nssPKIXX520StateOrProvinceName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520StateOrProvinceName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520StateOrProvinceName_Encode
-(
- NSSPKIXX520StateOrProvinceName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520OrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520OrganizationName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-organization-name)),
- * printableString PrintableString (SIZE (1..ub-organization-name)),
- * universalString UniversalString (SIZE (1..ub-organization-name)),
- * utf8String UTF8String (SIZE (1..ub-organization-name)),
- * bmpString BMPString (SIZE(1..ub-organization-name)) }
- *
- * The private calls for this type:
- *
- * nssPKIXX520OrganizationName_Decode
- * nssPKIXX520OrganizationName_CreateFromUTF8
- * nssPKIXX520OrganizationName_Encode
- *
- */
-
-/*
- * nssPKIXX520OrganizationName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationName *
-nssPKIXX520OrganizationName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520OrganizationName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationName *
-nssPKIXX520OrganizationName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520OrganizationName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520OrganizationName_Encode
-(
- NSSPKIXX520OrganizationName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520OrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520OrganizationalUnitName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-organizational-unit-name)),
- * printableString PrintableString
- * (SIZE (1..ub-organizational-unit-name)),
- * universalString UniversalString
- * (SIZE (1..ub-organizational-unit-name)),
- * utf8String UTF8String (SIZE (1..ub-organizational-unit-name)),
- * bmpString BMPString (SIZE(1..ub-organizational-unit-name)) }
- *
- * The private calls for this type:
- *
- * nssPKIXX520OrganizationalUnitName_Decode
- * nssPKIXX520OrganizationalUnitName_CreateFromUTF8
- * nssPKIXX520OrganizationalUnitName_Encode
- *
- */
-
-/*
- * nssPKIXX520OrganizationalUnitName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
-nssPKIXX520OrganizationalUnitName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520OrganizationalUnitName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
-nssPKIXX520OrganizationalUnitName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520OrganizationalUnitName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520OrganizationalUnitName_Encode
-(
- NSSPKIXX520OrganizationalUnitName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520Title
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520Title ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-title)),
- * printableString PrintableString (SIZE (1..ub-title)),
- * universalString UniversalString (SIZE (1..ub-title)),
- * utf8String UTF8String (SIZE (1..ub-title)),
- * bmpString BMPString (SIZE(1..ub-title)) }
- *
- * The private calls for this type:
- *
- * nssPKIXX520Title_Decode
- * nssPKIXX520Title_CreateFromUTF8
- * nssPKIXX520Title_Encode
- *
- */
-
-/*
- * nssPKIXX520Title_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Title upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Title *
-nssPKIXX520Title_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520Title_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Title upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520Title *
-nssPKIXX520Title_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520Title_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520Title_Encode
-(
- NSSPKIXX520Title *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520dnQualifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520dnQualifier ::= PrintableString
- *
- * The private calls for this type:
- *
- * nssPKIXX520dnQualifier_Decode
- * nssPKIXX520dnQualifier_CreateFromUTF8
- * nssPKIXX520dnQualifier_Encode
- *
- */
-
-/*
- * nssPKIXX520dnQualifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520dnQualifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520dnQualifier *
-nssPKIXX520dnQualifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520dnQualifier_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520dnQualifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520dnQualifier *
-nssPKIXX520dnQualifier_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520dnQualifier_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520dnQualifier_Encode
-(
- NSSPKIXX520dnQualifier *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X520countryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
- *
- * The private calls for this type:
- *
- * nssPKIXX520countryName_Decode
- * nssPKIXX520countryName_CreateFromUTF8
- * nssPKIXX520countryName_Encode
- *
- */
-
-/*
- * nssPKIXX520countryName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520countryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520countryName *
-nssPKIXX520countryName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX520countryName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520countryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX520countryName *
-nssPKIXX520countryName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX520countryName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX520countryName_Encode
-(
- NSSPKIXX520countryName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * Pkcs9email
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
- *
- * The private calls for this type:
- *
- * nssPKIXPkcs9email_Decode
- * nssPKIXPkcs9email_CreateFromUTF8
- * nssPKIXPkcs9email_Encode
- *
- */
-
-/*
- * nssPKIXPkcs9email_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPkcs9email upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPkcs9email *
-nssPKIXPkcs9email_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPkcs9email_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPkcs9email upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPkcs9email *
-nssPKIXPkcs9email_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXPkcs9email_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPkcs9email_Encode
-(
- NSSPKIXPkcs9email *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * Name
- *
- * This structure contains a union of the possible name formats,
- * which at the moment is limited to an RDNSequence.
- *
- * From RFC 2459:
- *
- * Name ::= CHOICE { -- only one possibility for now --
- * rdnSequence RDNSequence }
- *
- * The private calls for this type:
- *
- * nssPKIXName_Decode
- * nssPKIXName_CreateFromUTF8
- * nssPKIXName_Create
- * nssPKIXName_CreateFromRDNSequence
- * nssPKIXName_Destroy
- * nssPKIXName_Encode
- * nssPKIXName_GetUTF8Encoding
- * nssPKIXName_GetChoice
- * nssPKIXName_GetRDNSequence
- * nssPKIXName_GetSpecifiedChoice {fgmr remove this}
-{fgmr} _SetRDNSequence
-{fgmr} _SetSpecifiedChoice
- * nssPKIXName_Equal
- * nssPKIXName_Duplicate
- *
- * (here is where I had specific attribute value gettors in pki1)
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXName_verifyPointer
- *
- */
-
-/*
- * nssPKIXName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * nssPKIXName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXNameChoice choice,
- void *arg
-);
-
-/*
- * nssPKIXName_CreateFromRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXName_CreateFromRDNSequence
-(
- NSSArena *arenaOpt,
- NSSPKIXRDNSequence *rdnSequence
-);
-
-/*
- * nssPKIXName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXName_Destroy
-(
- NSSPKIXName *name
-);
-
-/*
- * nssPKIXName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXName_Encode
-(
- NSSPKIXName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXName_GetUTF8Encoding
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * A valid element of the NSSPKIXNameChoice enumeration upon success
- * The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
- */
-
-NSS_EXTERN NSSPKIXNameChoice
-nssPKIXName_GetChoice
-(
- NSSPKIXName *name
-);
-
-/*
- * nssPKIXName_GetRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A pointer to a valid NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nssPKIXName_GetRDNSequence
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXName_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer ...
- * NULL upon failure
- */
-
-NSS_EXTERN void *
-nssPKIXName_GetSpecifiedChoice
-(
- NSSPKIXName *name,
- NSSPKIXNameChoice choice,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXName_Equal
-(
- NSSPKIXName *name1,
- NSSPKIXName *name2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXName_Duplicate
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXName_verifyPointer
-(
- NSSPKIXName *p
-);
-#endif /* DEBUG */
-
-/*
- * RDNSequence
- *
- * This structure contains a sequence of RelativeDistinguishedName
- * objects.
- *
- * From RFC 2459:
- *
- * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
- *
- * The private calls for this type:
- *
- * nssPKIXRDNSequence_Decode
- * nssPKIXRDNSequence_CreateFromUTF8
- * nssPKIXRDNSequence_Create
- * nssPKIXRDNSequence_CreateFromArray
- * nssPKIXRDNSequence_Destroy
- * nssPKIXRDNSequence_Encode
- * nssPKIXRDNSequence_GetUTF8Encoding
- * nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
- * nssPKIXRDNSequence_GetRelativeDistinguishedNames
- * nssPKIXRDNSequence_SetRelativeDistinguishedNames
- * nssPKIXRDNSequence_GetRelativeDistinguishedName
- * nssPKIXRDNSequence_SetRelativeDistinguishedName
- * nssPKIXRDNSequence_AppendRelativeDistinguishedName
- * nssPKIXRDNSequence_InsertRelativeDistinguishedName
- * nssPKIXRDNSequence_RemoveRelativeDistinguishedName
- * nssPKIXRDNSequence_FindRelativeDistinguishedName
- * nssPKIXRDNSequence_Equal
- * nssPKIXRDNSequence_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXRDNSequence_verifyPointer
- *
- */
-
-/*
- * nssPKIXRDNSequence_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nssPKIXRDNSequence_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXRDNSequence_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nssPKIXRDNSequence_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * nssPKIXRDNSequence_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nssPKIXRDNSequence_CreateFromArray
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXRelativeDistinguishedName *rdn1
-);
-
-/*
- * nssPKIXRDNSequence_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nssPKIXRDNSequence_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXRelativeDistinguishedName *rdn1,
- ...
-);
-
-/*
- * nssPKIXRDNSequence_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_Destroy
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-/*
- * nssPKIXRDNSequence_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXRDNSequence_Encode
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRDNSequence_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXRDNSequence_GetUTF8Encoding
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-/*
- * nssPKIXRDNSequence_GetRelativeDistinguishedNames
- *
- * This routine returns all of the relative distinguished names in the
- * specified RDN Sequence. {...} If the array is allocated, or if the
- * specified one has extra space, the array will be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXRelativeDistinguishedName
- * pointers upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName **
-nssPKIXRDNSequence_GetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRDNSequence_SetRelativeDistinguishedNames
- *
- * -- fgmr comments --
- * If the array pointer itself is null, the set is considered empty.
- * If the count is zero but the pointer nonnull, the array will be
- * assumed to be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_SetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdns[],
- PRInt32 countOpt
-);
-
-/*
- * nssPKIXRDNSequence_GetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXRDNSequence_GetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRDNSequence_SetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_SetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * nssPKIXRDNSequence_AppendRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_AppendRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * nssPKIXRDNSequence_InsertRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_InsertRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * nssPKIXRDNSequence_RemoveRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_RemoveRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i
-);
-
-/*
- * nssPKIXRDNSequence_FindRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXRDNSequence_FindRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * nssPKIXRDNSequence_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXRDNSequence_Equal
-(
- NSSPKIXRDNSequence *one,
- NSSPKIXRDNSequence *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXRDNSequence_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nssPKIXRDNSequence_Duplicate
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXRDNSequence_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXRDNSequence
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRDNSequence_verifyPointer
-(
- NSSPKIXRDNSequence *p
-);
-#endif /* DEBUG */
-
-/*
- * DistinguishedName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistinguishedName ::= RDNSequence
- *
- * This is just a public typedef; no new methods are required. {fgmr-- right?}
- */
-
-/*
- * RelativeDistinguishedName
- *
- * This structure contains an unordered set of AttributeTypeAndValue
- * objects. RDNs are used to distinguish a set of objects underneath
- * a common object.
- *
- * Often, a single ATAV is sufficient to make a unique distinction.
- * For example, if a company assigns its people unique uid values,
- * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
- * ATAV by itself forms an RDN. However, sometimes a set of ATAVs is
- * needed. For example, if a company needed to distinguish between
- * two Smiths by specifying their corporate divisions, then in the
- * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
- * set of ATAVs forms the RDN.
- *
- * From RFC 2459:
- *
- * RelativeDistinguishedName ::=
- * SET SIZE (1 .. MAX) OF AttributeTypeAndValue
- *
- * The private calls for this type:
- *
- * nssPKIXRelativeDistinguishedName_Decode
- * nssPKIXRelativeDistinguishedName_CreateFromUTF8
- * nssPKIXRelativeDistinguishedName_Create
- * nssPKIXRelativeDistinguishedName_CreateFromArray
- * nssPKIXRelativeDistinguishedName_Destroy
- * nssPKIXRelativeDistinguishedName_Encode
- * nssPKIXRelativeDistinguishedName_GetUTF8Encoding
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
- * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
- * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
- * nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
- * nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
- * nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
- * nssPKIXRelativeDistinguishedName_Equal
- * nssPKIXRelativeDistinguishedName_Duplicate
- *
- * fgmr: Logical additional functions include
- *
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValueByType
- * returns PRInt32
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValuesByType
- * returns array of PRInt32
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueForType
- * returns NSSPKIXAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValuesForType
- * returns array of NSSPKIXAttributeTypeAndValue
- * NSSPKIXRelativeDistinguishedName_GetAttributeValueForType
- * returns NSSPKIXAttributeValue
- * NSSPKIXRelativeDistinguishedName_GetAttributeValuesForType
- * returns array of NSSPKIXAttributeValue
- *
- * NOTE: the "return array" versions are only meaningful if an RDN may
- * contain multiple ATAVs with the same type. Verify in the RFC if
- * this is possible or not. If not, nuke those three functions.
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXRelativeDistinguishedName_verifyPointer
- *
- */
-
-/*
- * nssPKIXRelativeDistinguishedName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeTypeAndValue *atav1,
- ...
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_CreateFromArray
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXAttributeTypeAndValue *atavs
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRelativeDistinguishedName_Destroy
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXRelativeDistinguishedName_Encode
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXRelativeDistinguishedName_GetUTF8Encoding
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAttributeTypeAndValue
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue **
-nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atavs[],
- PRInt32 countOpt
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeTypeAndValue *
-nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXRelativeDistinguishedName_Equal
-(
- NSSPKIXRelativeDistinguishedName *one,
- NSSPKIXRelativeDistinguishedName *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXRelativeDistinguishedName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_Duplicate
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXRelativeDistinguishedName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXRelativeDistinguishedName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXRelativeDistinguishedName_verifyPointer
-(
- NSSPKIXRelativeDistinguishedName *p
-);
-#endif /* DEBUG */
-
-/*
- * DirectoryString
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DirectoryString ::= CHOICE {
- * teletexString TeletexString (SIZE (1..MAX)),
- * printableString PrintableString (SIZE (1..MAX)),
- * universalString UniversalString (SIZE (1..MAX)),
- * utf8String UTF8String (SIZE (1..MAX)),
- * bmpString BMPString (SIZE(1..MAX)) }
- *
- * The private calls for this type:
- *
- * nssPKIXDirectoryString_Decode
- * nssPKIXDirectoryString_CreateFromUTF8
- * nssPKIXDirectoryString_Encode
- *
- */
-
-/*
- * nssPKIXDirectoryString_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDirectoryString upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDirectoryString *
-nssPKIXDirectoryString_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXDirectoryString_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDirectoryString upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDirectoryString *
-nssPKIXDirectoryString_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXDirectoryString_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_DIRECTORY_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXDirectoryString_Encode
-(
- NSSPKIXDirectoryString *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * Certificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Certificate ::= SEQUENCE {
- * tbsCertificate TBSCertificate,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- * The private calls for this type:
- *
- * nssPKIXCertificate_Decode
- * nssPKIXCertificate_Create
- * nssPKIXCertificate_Destroy
- * nssPKIXCertificate_Encode
- * nssPKIXCertificate_GetTBSCertificate
- * nssPKIXCertificate_SetTBSCertificate
- * nssPKIXCertificate_GetAlgorithmIdentifier
- * nssPKIXCertificate_SetAlgorithmIdentifier
- * nssPKIXCertificate_GetSignature
- * nssPKIXCertificate_SetSignature
- * nssPKIXCertificate_Equal
- * nssPKIXCertificate_Duplicate
- *
- * { inherit TBSCertificate gettors? }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXCertificate_verifyPointer
- *
- */
-
-/*
- * nssPKIXCertificate_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificate *
-nssPKIXCertificate_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCertificate_Create
- *
- * -- fgmr comments --
- * { at this level we'll have to just accept a specified signature }
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_ALGID
- * NSS_ERROR_INVALID_PKIX_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificate *
-nssPKIXCertificate_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXAlgorithmIdentifier *algID,
- NSSItem *signature
-);
-
-/*
- * nssPKIXCertificate_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificate_Destroy
-(
- NSSPKIXCertificate *cert
-);
-
-/*
- * nssPKIXCertificate_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCertificate_Encode
-(
- NSSPKIXCertificate *cert,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificate_GetTBSCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-nssPKIXCertificate_GetTBSCertificate
-(
- NSSPKIXCertificate *cert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificate_SetTBSCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificate_SetTBSCertificate
-(
- NSSPKIXCertificate *cert,
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * nssPKIXCertificate_GetAlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXCertificate_GetAlgorithmIdentifier
-(
- NSSPKIXCertificate *cert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificate_SetAlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificate_SetAlgorithmIdentifier
-(
- NSSPKIXCertificate *cert,
- NSSPKIXAlgorithmIdentifier *algid,
-);
-
-/*
- * nssPKIXCertificate_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXCertificate_GetSignature
-(
- NSSPKIXCertificate *cert,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificate_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificate_SetSignature
-(
- NSSPKIXCertificate *cert,
- NSSItem *signature
-);
-
-/*
- * nssPKIXCertificate_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXCertificate_Equal
-(
- NSSPKIXCertificate *one,
- NSSPKIXCertificate *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXCertificate_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificate *
-nssPKIXCertificate_Duplicate
-(
- NSSPKIXCertificate *cert,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXCertificate_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXCertificate
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificate_verifyPointer
-(
- NSSPKIXCertificate *p
-);
-#endif /* DEBUG */
-
-/*
- * TBSCertificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertificate ::= SEQUENCE {
- * version [0] Version DEFAULT v1,
- * serialNumber CertificateSerialNumber,
- * signature AlgorithmIdentifier,
- * issuer Name,
- * validity Validity,
- * subject Name,
- * subjectPublicKeyInfo SubjectPublicKeyInfo,
- * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * extensions [3] Extensions OPTIONAL
- * -- If present, version shall be v3 -- }
- *
- * The private calls for this type:
- *
- * nssPKIXTBSCertificate_Decode
- * nssPKIXTBSCertificate_Create
- * nssPKIXTBSCertificate_Destroy
- * nssPKIXTBSCertificate_Encode
- * nssPKIXTBSCertificate_GetVersion
- * nssPKIXTBSCertificate_SetVersion
- * nssPKIXTBSCertificate_GetSerialNumber
- * nssPKIXTBSCertificate_SetSerialNumber
- * nssPKIXTBSCertificate_GetSignature
- * nssPKIXTBSCertificate_SetSignature
- * { inherit algid gettors? }
- * nssPKIXTBSCertificate_GetIssuer
- * nssPKIXTBSCertificate_SetIssuer
- * { inherit "helper" issuer gettors? }
- * nssPKIXTBSCertificate_GetValidity
- * nssPKIXTBSCertificate_SetValidity
- * { inherit validity accessors }
- * nssPKIXTBSCertificate_GetSubject
- * nssPKIXTBSCertificate_SetSubject
- * nssPKIXTBSCertificate_GetSubjectPublicKeyInfo
- * nssPKIXTBSCertificate_SetSubjectPublicKeyInfo
- * nssPKIXTBSCertificate_HasIssuerUniqueID
- * nssPKIXTBSCertificate_GetIssuerUniqueID
- * nssPKIXTBSCertificate_SetIssuerUniqueID
- * nssPKIXTBSCertificate_RemoveIssuerUniqueID
- * nssPKIXTBSCertificate_HasSubjectUniqueID
- * nssPKIXTBSCertificate_GetSubjectUniqueID
- * nssPKIXTBSCertificate_SetSubjectUniqueID
- * nssPKIXTBSCertificate_RemoveSubjectUniqueID
- * nssPKIXTBSCertificate_HasExtensions
- * nssPKIXTBSCertificate_GetExtensions
- * nssPKIXTBSCertificate_SetExtensions
- * nssPKIXTBSCertificate_RemoveExtensions
- * { extension accessors }
- * nssPKIXTBSCertificate_Equal
- * nssPKIXTBSCertificate_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTBSCertificate_verifyPointer
- */
-
-/*
- * nssPKIXTBSCertificate_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-nssPKIXTBSCertificate_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTBSCertificate_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_VERSION
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ISSUER_NAME
- * NSS_ERROR_INVALID_VALIDITY
- * NSS_ERROR_INVALID_SUBJECT_NAME
- * NSS_ERROR_INVALID_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ISSUER_UNIQUE_IDENTIFIER
- * NSS_ERROR_INVALID_SUBJECT_UNIQUE_IDENTIFIER
- * NSS_ERROR_INVALID_EXTENSION
- *
- * Return value:
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-nssPKIXTBSCertificate_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXVersion version,
- NSSPKIXCertificateSerialNumber *serialNumber,
- NSSPKIXAlgorithmIdentifier *signature,
- NSSPKIXName *issuer,
- NSSPKIXValidity *validity,
- NSSPKIXName *subject,
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSPKIXUniqueIdentifier *issuerUniqueID,
- NSSPKIXUniqueIdentifier *subjectUniqueID,
- NSSPKIXExtensions *extensions
-);
-
-/*
- * nssPKIXTBSCertificate_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_Destroy
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * nssPKIXTBSCertificate_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTBSCertificate_Encode
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_GetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid element of the NSSPKIXVersion enumeration upon success
- * NSSPKIXVersion_NSSinvalid (-1) upon failure
- */
-
-NSS_EXTERN NSSPKIXVersion
-nssPKIXTBSCertificate_GetVersion
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * nssPKIXTBSCertificate_SetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_VERSION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetVersion
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXVersion version
-);
-
-/*
- * nssPKIXTBSCertificate_GetSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateSerialNumber upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateSerialNumber *
-nssPKIXTBSCertificate_GetSerialNumber
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXCertificateSerialNumber *snOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetSerialNumber
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXCertificateSerialNumber *sn
-);
-
-/*
- * nssPKIXTBSCertificate_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXTBSCertificate_GetSignature
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetSignature
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXAlgorithmIdentifier *algID
-);
-
-/*
- * { fgmr inherit algid gettors? }
- */
-
-/*
- * nssPKIXTBSCertificate_GetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXTBSCertificate_GetIssuer
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetIssuer
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXName *issuer
-);
-
-/*
- * { inherit "helper" issuer gettors? }
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- *
- * Return value:
- */
-
-/*
- * nssPKIXTBSCertificate_GetValidity
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-nssPKIXTBSCertificate_GetValidity
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetValidity
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetValidity
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXValidity *validity
-);
-
-/*
- * { fgmr inherit validity accessors }
- */
-
-/*
- * nssPKIXTBSCertificate_GetSubject
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXTBSCertificate_GetSubject
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetSubject
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetSubject
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXName *subject
-);
-
-/*
- * nssPKIXTBSCertificate_GetSubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-nssPKIXTBSCertificate_GetSubjectPublicKeyInfo
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetSubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetSubjectPublicKeyInfo
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXSubjectPublicKeyInfo *spki
-);
-
-/*
- * nssPKIXTBSCertificate_HasIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertificate_HasIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertificate_GetIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXUniqueIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUniqueIdentifier *
-nssPKIXTBSCertificate_GetIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uidOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uid
-);
-
-/*
- * nssPKIXTBSCertificate_RemoveIssuerUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_RemoveIssuerUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * nssPKIXTBSCertificate_HasSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertificate_HasSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertificate_GetSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXUniqueIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUniqueIdentifier *
-nssPKIXTBSCertificate_GetSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uidOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXUniqueIdentifier *uid
-);
-
-/*
- * nssPKIXTBSCertificate_RemoveSubjectUniqueID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_RemoveSubjectUniqueID
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * nssPKIXTBSCertificate_HasExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertificate_HasExtensions
-(
- NSSPKIXTBSCertificate *tbsCert,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertificate_GetExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_CERT_HAS_NO_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensions upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensions *
-nssPKIXTBSCertificate_GetExtensions
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertificate_SetExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_SetExtensions
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSPKIXExtensions *extensions
-);
-
-/*
- * nssPKIXTBSCertificate_RemoveExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_CERT_HAS_NO_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_RemoveExtensions
-(
- NSSPKIXTBSCertificate *tbsCert
-);
-
-/*
- * { extension accessors }
- */
-
-/*
- * nssPKIXTBSCertificate_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertificate_Equal
-(
- NSSPKIXTBSCertificate *one,
- NSSPKIXTBSCertificate *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertificate_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertificate *
-nssPKIXTBSCertificate_Duplicate
-(
- NSSPKIXTBSCertificate *tbsCert,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTBSCertificate_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXTBSCertificate
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertificate_verifyPointer
-(
- NSSPKIXTBSCertificate *p
-);
-#endif /* DEBUG */
-
-/*
- * CertificateSerialNumber
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateSerialNumber ::= INTEGER
- *
- * This is just a typedef'd NSSBER; no methods are required.
- * {fgmr -- the asn.1 stuff should have routines to convert
- * integers to natural types when possible and vv. we can
- * refer to them here..}
- */
-
-/*
- * Validity
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Validity ::= SEQUENCE {
- * notBefore Time,
- * notAfter Time }
- *
- * The private calls for the type:
- *
- * nssPKIXValidity_Decode
- * nssPKIXValidity_Create
- * nssPKIXValidity_Encode
- * nssPKIXValidity_Destroy
- * nssPKIXValidity_GetNotBefore
- * nssPKIXValidity_SetNotBefore
- * nssPKIXValidity_GetNotAfter
- * nssPKIXValidity_SetNotAfter
- * nssPKIXValidity_Equal
- * nssPKIXValidity_Compare
- * nssPKIXValidity_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXValidity_verifyPointer
- *
- */
-
-/*
- * nssPKIXValidity_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-nssPKIXValidity_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXValidity_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TIME
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-nssPKIXValidity_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTime notBefore,
- NSSPKIXTime notAfter
-);
-
-/*
- * nssPKIXValidity_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXValidity_Destroy
-(
- NSSPKIXValidity *validity
-);
-
-/*
- * nssPKIXValidity_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXValidity_Encode
-(
- NSSPKIXValidity *validity,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXValidity_GetNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-nssPKIXValidity_GetNotBefore
-(
- NSSPKIXValidity *validity
-);
-
-/*
- * nssPKIXValidity_SetNotBefore
- *
- * -- fgmr comments --
- * {do we require that it be before the "notAfter" value?}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXValidity_SetNotBefore
-(
- NSSPKIXValidity *validity,
- NSSPKIXTime notBefore
-);
-
-/*
- * nssPKIXValidity_GetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-nssPKIXValidity_GetNotAfter
-(
- NSSPKIXValidity *validity
-);
-
-/*
- * nssPKIXValidity_SetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_VALUE_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXValidity_SetNotAfter
-(
- NSSPKIXValidity *validity,
- NSSPKIXTime notAfter
-);
-
-/*
- * nssPKIXValidity_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXValidity_Equal
-(
- NSSPKIXValidity *one,
- NSSPKIXValidity *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXValidity_Compare
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * 1 if the second is "greater" or later than the first
- * 0 if they are equal
- * -1 if the first is "greater" or later than the first
- * -2 upon failure
- */
-
-NSS_EXTERN PRIntn
-nssPKIXValidity_Compare
-(
- NSSPKIXValidity *one,
- NSSPKIXValidity *two
-);
-
-/*
- * nssPKIXValidity_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXValidity upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXValidity *
-nssPKIXValidity_Duplicate
-(
- NSSPKIXValidity *validity,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXValidity_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXValidity
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_VALIDITY
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXValidity_verifyPointer
-(
- NSSPKIXValidity *p
-);
-#endif /* DEBUG */
-
-/*
- * Time
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Time ::= CHOICE {
- * utcTime UTCTime,
- * generalTime GeneralizedTime }
- *
- * The private calls for the type:
- *
- * nssPKIXTime_Decode
- * nssPKIXTime_CreateFromPRTime
- * nssPKIXTime_CreateFromUTF8
- * nssPKIXTime_Destroy
- * nssPKIXTime_Encode
- * nssPKIXTime_GetPRTime
- * nssPKIXTime_GetUTF8Encoding
- * nssPKIXTime_Equal
- * nssPKIXTime_Duplicate
- * nssPKIXTime_Compare
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTime_verifyPointer
- *
- */
-
-/*
- * nssPKIXTime_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTime upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTime *
-nssPKIXTime_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTime_CreateFromPRTime
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-nssPKIXTime_CreateFromPRTime
-(
- NSSArena *arenaOpt,
- PRTime prTime
-);
-
-/*
- * nssPKIXTime_CreateFromUTF8
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-nssPKIXTime_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXTime_Destroy
- *
- */
-
-NSS_EXTERN PR_STATUS
-nssPKIXTime_Destroy
-(
- NSSPKIXTime *time
-);
-
-/*
- * nssPKIXTime_Encode
- *
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTime_Encode
-(
- NSSPKIXTime *time,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTime_GetPRTime
- *
- * Returns a zero on error
- */
-
-NSS_EXTERN PRTime
-nssPKIXTime_GetPRTime
-(
- NSSPKIXTime *time,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTime_GetUTF8Encoding
- *
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKXITime_GetUTF8Encoding
-(
- NSSPKIXTime *time,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTime_Equal
- *
- */
-
-NSS_EXTERN PRBool
-nssPKXITime_Equal
-(
- NSSPKXITime *time1,
- NSSPKXITime *time2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTime_Duplicate
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-nssPKXITime_Duplicate
-(
- NSSPKIXTime *time,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTime_Compare
- *
- * Usual result: -1, 0, 1
- * Returns 0 on error
- */
-
-NSS_EXTERN PRInt32
-nssPKIXTime_Compare
-(
- NSSPKIXTime *time1,
- NSSPKIXTime *tiem2,
- PRStatus *statusOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTime_verifyPointer
- *
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTime_verifyPointer
-(
- NSSPKIXTime *time
-);
-#endif /* DEBUG */
-
-/*
- * UniqueIdentifier
- *
- * From RFC 2459:
- *
- * UniqueIdentifier ::= BIT STRING
- *
- */
-
-/*
- * SubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING }
- *
- * The private calls for the type:
- *
- * nssPKIXSubjectPublicKeyInfo_Decode
- * nssPKIXSubjectPublicKeyInfo_Create
- * nssPKIXSubjectPublicKeyInfo_Encode
- * nssPKIXSubjectPublicKeyInfo_Destroy
- * nssPKIXSubjectPublicKeyInfo_GetAlgorithm
- * nssPKIXSubjectPublicKeyInfo_SetAlgorithm
- * nssPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
- * nssPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
- * nssPKIXSubjectPublicKeyInfo_Equal
- * nssPKIXSubjectPublicKeyInfo_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXSubjectPublicKeyInfo_verifyPointer
- *
- */
-
-/*
- * nssPKIXSubjectPublicKeyInfo_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-nssPKIXSubjectPublicKeyInfo_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-nssPKIXSubjectPublicKeyInfo_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *subjectPublicKey
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectPublicKeyInfo_Destroy
-(
- NSSPKIXSubjectPublicKeyInfo *spki
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXSubjectPublicKeyInfo_Encode
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_GetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXSubjectPublicKeyInfo_GetAlgorithm
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_SetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectPublicKeyInfo_SetAlgorithm
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSPKIXAlgorithmIdentifier *algid
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSItem *spkOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSItem *spk
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXSubjectPublicKeyInfo_Equal
-(
- NSSPKIXSubjectPublicKeyInfo *one,
- NSSPKIXSubjectPublicKeyInfo *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXSubjectPublicKeyInfo_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
-nssPKIXSubjectPublicKeyInfo_Duplicate
-(
- NSSPKIXSubjectPublicKeyInfo *spki,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXSubjectPublicKeyInfo_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXSubjectPublicKeyInfo
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectPublicKeyInfo_verifyPointer
-(
- NSSPKIXSubjectPublicKeyInfo *p
-);
-#endif /* DEBUG */
-
-/*
- * Extensions
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
- *
- */
-
-/* { FGMR } */
-
-/*
- * Extension
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extension ::= SEQUENCE {
- * extnID OBJECT IDENTIFIER,
- * critical BOOLEAN DEFAULT FALSE,
- * extnValue OCTET STRING }
- *
- */
-
-/* { FGMR } */
-
-/*
- * CertificateList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateList ::= SEQUENCE {
- * tbsCertList TBSCertList,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- * The private calls for the type:
- *
- * nssPKIXCertificateList_Decode
- * nssPKIXCertificateList_Create
- * nssPKIXCertificateList_Encode
- * nssPKIXCertificateList_Destroy
- * nssPKIXCertificateList_GetTBSCertList
- * nssPKIXCertificateList_SetTBSCertList
- * nssPKIXCertificateList_GetSignatureAlgorithm
- * nssPKIXCertificateList_SetSignatureAlgorithm
- * nssPKIXCertificateList_GetSignature
- * nssPKIXCertificateList_SetSignature
- * nssPKIXCertificateList_Equal
- * nssPKIXCertificateList_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXCertificateList_verifyPointer
- *
- */
-
-/*
- * nssPKIXCertificateList_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateList *
-nssPKIXCertificateList_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCertificateList_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateList *
-nssPKIXCertificateList_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTBSCertList *tbsCertList,
- NSSPKIXAlgorithmIdentifier *sigAlg,
- NSSItem *signature
-);
-
-/*
- * nssPKIXCertificateList_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificateList_Destroy
-(
- NSSPKIXCertificateList *certList
-);
-
-/*
- * nssPKIXCertificateList_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCertificateList_Encode
-(
- NSSPKIXCertificateList *certList,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificateList_GetTBSCertList
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-nssPKIXCertificateList_GetTBSCertList
-(
- NSSPKIXCertificateList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificateList_SetTBSCertList
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificateList_SetTBSCertList
-(
- NSSPKIXCertificateList *certList,
- NSSPKIXTBSCertList *tbsCertList
-);
-
-/*
- * nssPKIXCertificateList_GetSignatureAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXCertificateList_GetSignatureAlgorithm
-(
- NSSPKIXCertificateList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificateList_SetSignatureAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificateList_SetSignatureAlgorithm
-(
- NSSPKIXCertificateList *certList,
- NSSPKIXAlgorithmIdentifier *sigAlg
-);
-
-/*
- * nssPKIXCertificateList_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXCertificateList_GetSignature
-(
- NSSPKIXCertificateList *certList,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificateList_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificateList_SetSignature
-(
- NSSPKIXCertificateList *certList,
- NSSItem *sig
-);
-
-/*
- * nssPKIXCertificateList_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXCertificateList_Equal
-(
- NSSPKIXCertificateList *one,
- NSSPKIXCertificateList *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXCertificateList_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateList *
-nssPKIXCertificateList_Duplicate
-(
- NSSPKIXCertificateList *certList,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXCertificateList_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXCertificateList
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificateList_verifyPointer
-(
- NSSPKIXCertificateList *p
-);
-#endif /* DEBUG */
-
-/*
- * TBSCertList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertList ::= SEQUENCE {
- * version Version OPTIONAL,
- * -- if present, shall be v2
- * signature AlgorithmIdentifier,
- * issuer Name,
- * thisUpdate Time,
- * nextUpdate Time OPTIONAL,
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- * crlExtensions [0] Extensions OPTIONAL
- * -- if present, shall be v2 -- }
- *
- * The private calls for the type:
- *
- * nssPKIXTBSCertList_Decode
- * nssPKIXTBSCertList_Create
- * nssPKIXTBSCertList_Destroy
- * nssPKIXTBSCertList_Encode
- * nssPKIXTBSCertList_GetVersion
- * nssPKIXTBSCertList_SetVersion
- * nssPKIXTBSCertList_GetSignature
- * nssPKIXTBSCertList_SetSignature
- * nssPKIXTBSCertList_GetIssuer
- * nssPKIXTBSCertList_SetIssuer
- * nssPKIXTBSCertList_GetThisUpdate
- * nssPKIXTBSCertList_SetThisUpdate
- * nssPKIXTBSCertList_HasNextUpdate
- * nssPKIXTBSCertList_GetNextUpdate
- * nssPKIXTBSCertList_SetNextUpdate
- * nssPKIXTBSCertList_RemoveNextUpdate
- * nssPKIXTBSCertList_GetRevokedCertificates
- * nssPKIXTBSCertList_SetRevokedCertificates
- * nssPKIXTBSCertList_HasCrlExtensions
- * nssPKIXTBSCertList_GetCrlExtensions
- * nssPKIXTBSCertList_SetCrlExtensions
- * nssPKIXTBSCertList_RemoveCrlExtensions
- * nssPKIXTBSCertList_Equal
- * nssPKIXTBSCertList_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTBSCertList_verifyPointer
- *
- */
-
-/*
- * nssPKIXTBSCertList_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-nssPKIXTBSCertList_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTBSCertList_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_VERSION
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_PKIX_TIME
- * (something for the times being out of order?)
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-nssPKIXTBSCertList_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXVersion version,
- NSSPKIXAlgorithmIdentifier *signature,
- NSSPKIXName *issuer,
- NSSPKIXTime thisUpdate,
- NSSPKIXTime nextUpdateOpt,
- NSSPKIXrevokedCertificates *revokedCerts,
- NSSPKIXExtensions *crlExtensionsOpt
-);
-
-/*
- * nssPKIXTBSCertList_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_Destroy
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * nssPKIXTBSCertList_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTBSCertList_Encode
-(
- NSSPKIXTBSCertList *certList,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertList_GetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid element of the NSSPKIXVersion enumeration upon success
- * NSSPKIXVersion_NSSinvalid (-1) upon failure
- */
-
-NSS_EXTERN NSSPKIXVersion
-nssPKIXTBSCertList_GetVersion
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * nssPKIXTBSCertList_SetVersion
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_VERSION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetVersion
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXVersion version
-);
-
-/*
- * nssPKIXTBSCertList_GetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXTBSCertList_GetSignature
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertList_SetSignature
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetSignature
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXAlgorithmIdentifier *algid,
-);
-
-/*
- * nssPKIXTBSCertList_GetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXTBSCertList_GetIssuer
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertList_SetIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetIssuer
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXName *issuer
-);
-
-/*
- * nssPKIXTBSCertList_GetThisUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-nssPKIXTBSCertList_GetThisUpdate
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * nssPKIXTBSCertList_SetThisUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetThisUpdate
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXTime thisUpdate
-);
-
-/*
- * nssPKIXTBSCertList_HasNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertList_HasNextUpdate
-(
- NSSPKIXTBSCertList *certList,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertList_GetNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid NSSPKIXTime upon success
- * {we need to rethink NSSPKIXTime}
- */
-
-NSS_EXTERN NSSPKIXTime
-nssPKIXTBSCertList_GetNextUpdate
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * nssPKIXTBSCertList_SetNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_VALUE_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetNextUpdate
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXTime nextUpdate
-);
-
-/*
- * nssPKIXTBSCertList_RemoveNextUpdate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_HAS_NO_NEXT_UPDATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_RemoveNextUpdate
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * nssPKIXTBSCertList_GetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon succes
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-nssPKIXTBSCertList_GetRevokedCertificates
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertList_SetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetRevokedCertificates
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXrevokedCertificates *revoked
-);
-
-/*
- * nssPKIXTBSCertList_HasCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertList_HasCrlExtensions
-(
- NSSPKIXTBSCertList *certList,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertList_GetCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensions upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensions *
-nssPKIXTBSCertList_GetCrlExtensions
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTBSCertList_SetCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_SetCrlExtensions
-(
- NSSPKIXTBSCertList *certList,
- NSSPKIXExtensions *extensions
-);
-
-/*
- * nssPKIXTBSCertList_RemoveCrlExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_HAS_NO_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_RemoveCrlExtensions
-(
- NSSPKIXTBSCertList *certList
-);
-
-/*
- * nssPKIXTBSCertList_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXTBSCertList_Equal
-(
- NSSPKIXTBSCertList *one,
- NSSPKIXTBSCertList *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTBSCertList_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTBSCertList upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTBSCertList *
-nssPKIXTBSCertList_Duplicate
-(
- NSSPKIXTBSCertList *certList,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTBSCertList_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXTBSCertList
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTBSCertList_verifyPointer
-(
- NSSPKIXTBSCertList *p
-);
-#endif /* DEBUG */
-
-/*
- * revokedCertificates
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- * The private calls for the type:
- *
- * nssPKIXrevokedCertificates_Decode
- * nssPKIXrevokedCertificates_Create
- * nssPKIXrevokedCertificates_Encode
- * nssPKIXrevokedCertificates_Destroy
- * nssPKIXrevokedCertificates_GetRevokedCertificateCount
- * nssPKIXrevokedCertificates_GetRevokedCertificates
- * nssPKIXrevokedCertificates_SetRevokedCertificates
- * nssPKIXrevokedCertificates_GetRevokedCertificate
- * nssPKIXrevokedCertificates_SetRevokedCertificate
- * nssPKIXrevokedCertificates_InsertRevokedCertificate
- * nssPKIXrevokedCertificates_AppendRevokedCertificate
- * nssPKIXrevokedCertificates_RemoveRevokedCertificate
- * nssPKIXrevokedCertificates_Equal
- * nssPKIXrevokedCertificates_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXrevokedCertificates_verifyPointer
- *
- */
-
-/*
- * nssPKIXrevokedCertificates_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-nssPKIXrevokedCertificates_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXrevokedCertificates_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-nssPKIXrevokedCertificates_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXrevokedCertificate *rc1,
- ...
-);
-
-/*
- * nssPKIXrevokedCertificates_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_Destroy
-(
- NSSPKIXrevokedCertificates *rcs
-);
-
-/*
- * nssPKIXrevokedCertificates_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXrevokedCertificates_Encode
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificates_GetRevokedCertificateCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXrevokedCertificates_GetRevokedCertificateCount
-(
- NSSPKIXrevokedCertificates *rcs
-);
-
-/*
- * nssPKIXrevokedCertificates_GetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXrevokedCertificate pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate **
-nssPKIXrevokedCertificates_GetRevokedCertificates
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSPKIXrevokedCertificate *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificates_SetRevokedCertificates
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_SetRevokedCertificates
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSPKIXrevokedCertificate *rc[],
- PRInt32 countOpt
-);
-
-/*
- * nssPKIXrevokedCertificates_GetRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-nssPKIXrevokedCertificates_GetRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificates_SetRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_SetRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * nssPKIXrevokedCertificates_InsertRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_InsertRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * nssPKIXrevokedCertificates_AppendRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_AppendRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * nssPKIXrevokedCertificates_RemoveRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_RemoveRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- PRInt32 i
-);
-
-/*
- * nssPKIXrevokedCertificates_FindRevokedCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATE
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-nssPKIXrevokedCertificates_FindRevokedCertificate
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * nssPKIXrevokedCertificates_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXrevokedCertificates_Equal
-(
- NSSPKIXrevokedCertificates *one,
- NSSPKIXrevokedCertificates *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXrevokedCertificates_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_REVOKED_CERTIFICATES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificates upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificates *
-nssPKIXrevokedCertificates_Duplicate
-(
- NSSPKIXrevokedCertificates *rcs,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXrevokedCertificates_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXrevokedCertificates
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificates_verifyPointer
-(
- NSSPKIXrevokedCertificates *p
-);
-#endif /* DEBUG */
-
-/*
- * revokedCertificate
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- * The private calls for this type:
- *
- * nssPKIXrevokedCertificate_Decode
- * nssPKIXrevokedCertificate_Create
- * nssPKIXrevokedCertificate_Encode
- * nssPKIXrevokedCertificate_Destroy
- * nssPKIXrevokedCertificate_GetUserCertificate
- * nssPKIXrevokedCertificate_SetUserCertificate
- * nssPKIXrevokedCertificate_GetRevocationDate
- * nssPKIXrevokedCertificate_SetRevocationDate
- * nssPKIXrevokedCertificate_HasCrlEntryExtensions
- * nssPKIXrevokedCertificate_GetCrlEntryExtensions
- * nssPKIXrevokedCertificate_SetCrlEntryExtensions
- * nssPKIXrevokedCertificate_RemoveCrlEntryExtensions
- * nssPKIXrevokedCertificate_Equal
- * nssPKIXrevokedCertificate_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXrevokedCertificate_verifyPointer
- *
- */
-
-
-/*
- * nssPKIXrevokedCertificate_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-nssPKIXrevokedCertificate_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXrevokedCertificate_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
- * NSS_ERROR_INVALID_PKIX_TIME
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-nssPKIXrevokedCertificate_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCertificateSerialNumber *userCertificate,
- NSSPKIXTime *revocationDate,
- NSSPKIXExtensions *crlEntryExtensionsOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificate_Destroy
-(
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * nssPKIXrevokedCertificate_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXrevokedCertificate_Encode
-(
- NSSPKIXrevokedCertificate *rc,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_GetUserCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateSerialNumber upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateSerialNumber *
-nssPKIXrevokedCertificate_GetUserCertificate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_SetUserCertificate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificate_SetUserCertificate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSPKIXCertificateSerialNumber *csn
-);
-
-/*
- * nssPKIXrevokedCertificate_GetRevocationDate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTime upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTime *
-nssPKIXrevokedCertificate_GetRevocationDate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_SetRevocationDate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_TIME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificate_SetRevocationDate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSPKIXTime *revocationDate
-);
-
-/*
- * nssPKIXrevokedCertificate_HasCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXrevokedCertificate_HasCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_GetCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_NO_EXTENSIONS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensions upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensions *
-nssPKIXrevokedCertificate_GetCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_SetCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificate_SetCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc,
- NSSPKIXExtensions *crlEntryExtensions
-);
-
-/*
- * nssPKIXrevokedCertificate_RemoveCrlEntryExtensions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- * NSS_ERROR_NO_EXTENSIONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificate_RemoveCrlEntryExtensions
-(
- NSSPKIXrevokedCertificate *rc
-);
-
-/*
- * nssPKIXrevokedCertificate_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXrevokedCertificate_Equal
-(
- NSSPKIXrevokedCertificate *one,
- NSSPKIXrevokedCertificate *two,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXrevokedCertificate_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * A valid pointer to an NSSPKIXrevokedCertificate upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXrevokedCertificate *
-nssPKIXrevokedCertificate_Duplicate
-(
- NSSPKIXrevokedCertificate *rc,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXrevokedCertificate_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXrevokedCertificate
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXrevokedCertificate_verifyPointer
-(
- NSSPKIXrevokedCertificate *p
-);
-#endif /* DEBUG */
-
-/*
- * AlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * (1988 syntax)
- *
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters ANY DEFINED BY algorithm OPTIONAL }
- * -- contains a value of the type
- * -- registered for use with the
- * -- algorithm object identifier value
- *
- * The private calls for this type:
- *
- * nssPKIXAlgorithmIdentifier_Decode
- * nssPKIXAlgorithmIdentifier_Create
- * nssPKIXAlgorithmIdentifier_Encode
- * nssPKIXAlgorithmIdentifier_Destroy
- * nssPKIXAlgorithmIdentifier_GetAlgorithm
- * nssPKIXAlgorithmIdentifier_SetAlgorithm
- * nssPKIXAlgorithmIdentifier_GetParameters
- * nssPKIXAlgorithmIdentifier_SetParameters
- * nssPKIXAlgorithmIdentifier_Compare
- * nssPKIXAlgorithmIdentifier_Duplicate
- * { algorithm-specific parameter types and accessors ? }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAlgorithmIdentifier_verifyPointer
- *
- */
-
-/*
- * nssPKIXAlgorithmIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXAlgorithmIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXAlgorithmIdentifier_Create
-(
- NSSArena *arenaOpt,
- NSSOID *algorithm,
- NSSItem *parameters
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAlgorithmIdentifier_Destroy
-(
- NSSPKIXAlgorithmIdentifier *algid
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAlgorithmIdentifier_Encode
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_GetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSOID pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-nssPKIXAlgorithmIdentifier_GetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_SetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAlgorithmIdentifier_SetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_GetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXAlgorithmIdentifier_GetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_SetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAlgorithmIdentifier_SetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *parameters
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAlgorithmIdentifier_Equal
-(
- NSSPKIXAlgorithmIdentifier *algid1,
- NSSPKIXAlgorithmIdentifier *algid2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAlgorithmIdentifier_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAlgorithmIdentifier *
-nssPKIXAlgorithmIdentifier_Duplicate
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSArena *arenaOpt
-);
-
-/*
- * { algorithm-specific parameter types and accessors ? }
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXAlgorithmIdentifier_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAlgorithmIdentifier
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAlgorithmIdentifier_verifyPointer
-(
- NSSPKIXAlgorithmIdentifier *p
-);
-#endif /* DEBUG */
-
-/*
- * ORAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ORAddress ::= SEQUENCE {
- * built-in-standard-attributes BuiltInStandardAttributes,
- * built-in-domain-defined-attributes
- * BuiltInDomainDefinedAttributes OPTIONAL,
- * -- see also teletex-domain-defined-attributes
- * extension-attributes ExtensionAttributes OPTIONAL }
- * -- The OR-address is semantically absent from the OR-name if the
- * -- built-in-standard-attribute sequence is empty and the
- * -- built-in-domain-defined-attributes and extension-attributes are
- * -- both omitted.
- *
- * The private calls for this type:
- *
- * nssPKIXORAddress_Decode
- * nssPKIXORAddress_Create
- * nssPKIXORAddress_Destroy
- * nssPKIXORAddress_Encode
- * nssPKIXORAddress_GetBuiltInStandardAttributes
- * nssPKIXORAddress_SetBuiltInStandardAttributes
- * nssPKIXORAddress_HasBuiltInDomainDefinedAttributes
- * nssPKIXORAddress_GetBuiltInDomainDefinedAttributes
- * nssPKIXORAddress_SetBuiltInDomainDefinedAttributes
- * nssPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
- * nssPKIXORAddress_HasExtensionsAttributes
- * nssPKIXORAddress_GetExtensionsAttributes
- * nssPKIXORAddress_SetExtensionsAttributes
- * nssPKIXORAddress_RemoveExtensionsAttributes
- * nssPKIXORAddress_Equal
- * nssPKIXORAddress_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXORAddress_verifyPointer
- *
- */
-
-/*
- * nssPKIXORAddress_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddres upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-nssPKIXORAddress_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXORAddress_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSIONS_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddres upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-nssPKIXORAddress_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXBuiltInDomainDefinedAttributes *biddaOpt,
- NSSPKIXExtensionAttributes *eaOpt
-);
-
-/*
- * nssPKIXORAddress_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_Destroy
-(
- NSSPKIXORAddress *ora
-);
-
-/*
- * nssPKIXORAddress_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXORAddress_Encode
-(
- NSSPKIXORAddress *ora,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXORAddress_GetBuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-nssPKIXORAddress_GetBuiltInStandardAttributes
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXORAddress_SetBuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_SetBuiltInStandardAttributes
-(
- NSSPKIXORAddress *ora,
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXORAddress_HasBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXORAddress_HasBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXORAddress_GetBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-nssPKIXORAddress_GetBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXORAddress_SetBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_SetBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora,
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
-(
- NSSPKIXORAddress *ora
-);
-
-/*
- * nssPKIXORAddress_HasExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXORAddress_HasExtensionsAttributes
-(
- NSSPKIXORAddress *ora,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXORAddress_GetExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_NO_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-nssPKIXORAddress_GetExtensionsAttributes
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXORAddress_SetExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_SetExtensionsAttributes
-(
- NSSPKIXORAddress *ora,
- NSSPKIXExtensionAttributes *eaOpt
-);
-
-/*
- * nssPKIXORAddress_RemoveExtensionsAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_NO_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_RemoveExtensionsAttributes
-(
- NSSPKIXORAddress *ora
-);
-
-/*
- * nssPKIXORAddress_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXORAddress_Equal
-(
- NSSPKIXORAddress *ora1,
- NSSPKIXORAddress *ora2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXORAddress_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddres upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-nssPKIXORAddress_Duplicate
-(
- NSSPKIXORAddress *ora,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXORAddress_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXORAddress
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXORAddress_verifyPointer
-(
- NSSPKIXORAddress *p
-);
-#endif /* DEBUG */
-
-/*
- * BuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInStandardAttributes ::= SEQUENCE {
- * country-name CountryName OPTIONAL,
- * administration-domain-name AdministrationDomainName OPTIONAL,
- * network-address [0] NetworkAddress OPTIONAL,
- * -- see also extended-network-address
- * terminal-identifier [1] TerminalIdentifier OPTIONAL,
- * private-domain-name [2] PrivateDomainName OPTIONAL,
- * organization-name [3] OrganizationName OPTIONAL,
- * -- see also teletex-organization-name
- * numeric-user-identifier [4] NumericUserIdentifier OPTIONAL,
- * personal-name [5] PersonalName OPTIONAL,
- * -- see also teletex-personal-name
- * organizational-unit-names [6] OrganizationalUnitNames OPTIONAL
- * -- see also teletex-organizational-unit-names -- }
- *
- * The private calls for this type:
- *
- * nssPKIXBuiltInStandardAttributes_Decode
- * nssPKIXBuiltInStandardAttributes_Create
- * nssPKIXBuiltInStandardAttributes_Destroy
- * nssPKIXBuiltInStandardAttributes_Encode
- * nssPKIXBuiltInStandardAttributes_HasCountryName
- * nssPKIXBuiltInStandardAttributes_GetCountryName
- * nssPKIXBuiltInStandardAttributes_SetCountryName
- * nssPKIXBuiltInStandardAttributes_RemoveCountryName
- * nssPKIXBuiltInStandardAttributes_HasAdministrationDomainName
- * nssPKIXBuiltInStandardAttributes_GetAdministrationDomainName
- * nssPKIXBuiltInStandardAttributes_SetAdministrationDomainName
- * nssPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
- * nssPKIXBuiltInStandardAttributes_HasNetworkAddress
- * nssPKIXBuiltInStandardAttributes_GetNetworkAddress
- * nssPKIXBuiltInStandardAttributes_SetNetworkAddress
- * nssPKIXBuiltInStandardAttributes_RemoveNetworkAddress
- * nssPKIXBuiltInStandardAttributes_HasTerminalIdentifier
- * nssPKIXBuiltInStandardAttributes_GetTerminalIdentifier
- * nssPKIXBuiltInStandardAttributes_SetTerminalIdentifier
- * nssPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
- * nssPKIXBuiltInStandardAttributes_HasPrivateDomainName
- * nssPKIXBuiltInStandardAttributes_GetPrivateDomainName
- * nssPKIXBuiltInStandardAttributes_SetPrivateDomainName
- * nssPKIXBuiltInStandardAttributes_RemovePrivateDomainName
- * nssPKIXBuiltInStandardAttributes_HasOrganizationName
- * nssPKIXBuiltInStandardAttributes_GetOrganizationName
- * nssPKIXBuiltInStandardAttributes_SetOrganizationName
- * nssPKIXBuiltInStandardAttributes_RemoveOrganizationName
- * nssPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
- * nssPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
- * nssPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
- * nssPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
- * nssPKIXBuiltInStandardAttributes_HasPersonalName
- * nssPKIXBuiltInStandardAttributes_GetPersonalName
- * nssPKIXBuiltInStandardAttributes_SetPersonalName
- * nssPKIXBuiltInStandardAttributes_RemovePersonalName
- * nssPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
- * nssPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
- * nssPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
- * nssPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
- * nssPKIXBuiltInStandardAttributes_Equal
- * nssPKIXBuiltInStandardAttributes_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXBuiltInStandardAttributes_verifyPointer
- *
- */
-
-/*
- * nssPKIXBuiltInStandardAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-nssPKIXBuiltInStandardAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
- * NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
- * NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
- * NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
- * NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
- * NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-nssPKIXBuiltInStandardAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCountryName *countryNameOpt,
- NSSPKIXAdministrationDomainName *administrationDomainNameOpt,
- NSSPKIXNetworkAddress *networkAddressOpt,
- NSSPKIXTerminalIdentifier *terminalIdentifierOpt,
- NSSPKIXPrivateDomainName *privateDomainNameOpt,
- NSSPKIXOrganizationName *organizationNameOpt,
- NSSPKIXNumericUserIdentifier *numericUserIdentifierOpt,
- NSSPKIXPersonalName *personalNameOpt,
- NSSPKIXOrganizationalUnitNames *organizationalUnitNamesOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_Destroy
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXBuiltInStandardAttributes_Encode
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCountryName *
-nssPKIXBuiltInStandardAttributes_GetCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXCountryName *countryName
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveCountryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_COUNTRY_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveCountryName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAdministrationDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAdministrationDomainName *
-nssPKIXBuiltInStandardAttributes_GetAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXAdministrationDomainName *administrationDomainName
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_ADMINISTRATION_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNetworkAddress *
-nssPKIXBuiltInStandardAttributes_GetNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXNetworkAddress *networkAddress
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveNetworkAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveNetworkAddress
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTerminalIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTerminalIdentifier *
-nssPKIXBuiltInStandardAttributes_GetTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXTerminalIdentifier *terminalIdentifier
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_TERMINAL_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasPrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasPrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetPrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateDomainName *
-nssPKIXBuiltInStandardAttributes_GetPrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetPrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetPrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXPrivateDomainName *privateDomainName
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemovePrivateDomainName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_PRIVATE_DOMAIN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemovePrivateDomainName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationName *
-nssPKIXBuiltInStandardAttributes_GetOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXOrganizationName *organizationName
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveOrganizationName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_ORGANIZATION_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveOrganizationName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNumericUserIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNumericUserIdentifier *
-nssPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXNumericUserIdentifier *numericUserIdentifier
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_NUMERIC_USER_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasPersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasPersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetPersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-nssPKIXBuiltInStandardAttributes_GetPersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetPersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetPersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemovePersonalName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemovePersonalName
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-nssPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSPKIXOrganizationalUnitNames *organizationalUnitNames
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
-(
- NSSPKIXBuiltInStandardAttributes *bisa
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInStandardAttributes_Equal
-(
- NSSPKIXBuiltInStandardAttributes *bisa1,
- NSSPKIXBuiltInStandardAttributes *bisa2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInStandardAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
-nssPKIXBuiltInStandardAttributes_Duplicate
-(
- NSSPKIXBuiltInStandardAttributes *bisa,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXBuiltInStandardAttributes_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXBuiltInStandardAttributes
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInStandardAttributes_verifyPointer
-(
- NSSPKIXBuiltInStandardAttributes *p
-);
-#endif /* DEBUG */
-
-/*
- * CountryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CountryName ::= [APPLICATION 1] CHOICE {
- * x121-dcc-code NumericString
- * (SIZE (ub-country-name-numeric-length)),
- * iso-3166-alpha2-code PrintableString
- * (SIZE (ub-country-name-alpha-length)) }
- *
- * The private calls for this type:
- *
- * nssPKIXCountryName_Decode
- * nssPKIXCountryName_CreateFromUTF8
- * nssPKIXCountryName_Encode
- *
- */
-
-/*
- * nssPKIXCountryName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCountryName *
-nssPKIXCountryName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCountryName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCountryName *
-nssPKIXCountryName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXCountryName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCountryName_Encode
-(
- NSSPKIXCountryName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * AdministrationDomainName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AdministrationDomainName ::= [APPLICATION 2] CHOICE {
- * numeric NumericString (SIZE (0..ub-domain-name-length)),
- * printable PrintableString (SIZE (0..ub-domain-name-length)) }
- *
- * The private calls for this type:
- *
- * nssPKIXAdministrationDomainName_Decode
- * nssPKIXAdministrationDomainName_CreateFromUTF8
- * nssPKIXAdministrationDomainName_Encode
- *
- */
-
-/*
- * nssPKIXAdministrationDomainName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAdministrationDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAdministrationDomainName *
-nssPKIXAdministrationDomainName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAdministrationDomainName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAdministrationDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAdministrationDomainName *
-nssPKIXAdministrationDomainName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXAdministrationDomainName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAdministrationDomainName_Encode
-(
- NSSPKIXAdministrationDomainName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * X121Address
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
- *
- * The private calls for this type:
- *
- * nssPKIXX121Address_Decode
- * nssPKIXX121Address_CreateFromUTF8
- * nssPKIXX121Address_Encode
- *
- */
-
-/*
- * nssPKIXX121Address_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX121Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX121Address *
-nssPKIXX121Address_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXX121Address_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX121Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXX121Address *
-nssPKIXX121Address_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXX121Address_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_X121_ADDRESS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXX121Address_Encode
-(
- NSSPKIXX121Address *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NetworkAddress ::= X121Address -- see also extended-network-address
- *
- * The private calls for this type:
- *
- * nssPKIXNetworkAddress_Decode
- * nssPKIXNetworkAddress_CreateFromUTF8
- * nssPKIXNetworkAddress_Encode
- *
- */
-
-/*
- * nssPKIXNetworkAddress_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNetworkAddress *
-nssPKIXNetworkAddress_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXNetworkAddress_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNetworkAddress *
-nssPKIXNetworkAddress_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXNetworkAddress_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXNetworkAddress_Encode
-(
- NSSPKIXNetworkAddress *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TerminalIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
- *
- * The private calls for this type:
- *
- * nssPKIXTerminalIdentifier_Decode
- * nssPKIXTerminalIdentifier_CreateFromUTF8
- * nssPKIXTerminalIdentifier_Encode
- *
- */
-
-/*
- * nssPKIXTerminalIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTerminalIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTerminalIdentifier *
-nssPKIXTerminalIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTerminalIdentifier_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTerminalIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTerminalIdentifier *
-nssPKIXTerminalIdentifier_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXTerminalIdentifier_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTerminalIdentifier_Encode
-(
- NSSPKIXTerminalIdentifier *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PrivateDomainName
- *
- * -- fgmr comments --
- *
- * PrivateDomainName ::= CHOICE {
- * numeric NumericString (SIZE (1..ub-domain-name-length)),
- * printable PrintableString (SIZE (1..ub-domain-name-length)) }
- *
- * The private calls for this type:
- *
- * nssPKIXPrivateDomainName_Decode
- * nssPKIXPrivateDomainName_CreateFromUTF8
- * nssPKIXPrivateDomainName_Encode
- *
- */
-
-/*
- * nssPKIXPrivateDomainName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateDomainName *
-nssPKIXPrivateDomainName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPrivateDomainName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateDomainName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateDomainName *
-nssPKIXPrivateDomainName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXPrivateDomainName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPrivateDomainName_Encode
-(
- NSSPKIXPrivateDomainName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * OrganizationName
- *
- * -- fgmr comments --
- *
- * OrganizationName ::= PrintableString
- * (SIZE (1..ub-organization-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXOrganizationName_Decode
- * nssPKIXOrganizationName_CreateFromUTF8
- * nssPKIXOrganizationName_Encode
- *
- */
-
-/*
- * nssPKIXOrganizationName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationName *
-nssPKIXOrganizationName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXOrganizationName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationName *
-nssPKIXOrganizationName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXOrganizationName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXOrganizationName_Encode
-(
- NSSPKIXOrganizationName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * NumericUserIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NumericUserIdentifier ::= NumericString
- * (SIZE (1..ub-numeric-user-id-length))
- *
- * The private calls for this type:
- *
- * nssPKIXNumericUserIdentifier_Decode
- * nssPKIXNumericUserIdentifier_CreateFromUTF8
- * nssPKIXNumericUserIdentifier_Encode
- *
- */
-
-/*
- * nssPKIXNumericUserIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNumericUserIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNumericUserIdentifier *
-nssPKIXNumericUserIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXNumericUserIdentifier_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_UTF8
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNumericUserIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNumericUserIdentifier *
-nssPKIXNumericUserIdentifier_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXNumericUserIdentifier_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXNumericUserIdentifier_Encode
-(
- NSSPKIXNumericUserIdentifier *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PersonalName ::= SET {
- * surname [0] PrintableString (SIZE (1..ub-surname-length)),
- * given-name [1] PrintableString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] PrintableString
- * (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXPersonalName_Decode
- * nssPKIXPersonalName_Create
- * nssPKIXPersonalName_Destroy
- * nssPKIXPersonalName_Encode
- * nssPKIXPersonalName_GetSurname
- * nssPKIXPersonalName_SetSurname
- * nssPKIXPersonalName_HasGivenName
- * nssPKIXPersonalName_GetGivenName
- * nssPKIXPersonalName_SetGivenName
- * nssPKIXPersonalName_RemoveGivenName
- * nssPKIXPersonalName_HasInitials
- * nssPKIXPersonalName_GetInitials
- * nssPKIXPersonalName_SetInitials
- * nssPKIXPersonalName_RemoveInitials
- * nssPKIXPersonalName_HasGenerationQualifier
- * nssPKIXPersonalName_GetGenerationQualifier
- * nssPKIXPersonalName_SetGenerationQualifier
- * nssPKIXPersonalName_RemoveGenerationQualifier
- * nssPKIXPersonalName_Equal
- * nssPKIXPersonalName_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPersonalName_verifyPointer
- *
- */
-
-/*
- * nssPKIXPersonalName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-nssPKIXPersonalName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPersonalName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-nssPKIXPersonalName_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *surname,
- NSSUTF8 *givenNameOpt,
- NSSUTF8 *initialsOpt,
- NSSUTF8 *generationQualifierOpt
-);
-
-/*
- * nssPKIXPersonalName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_Destroy
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * nssPKIXPersonalName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPersonalName_Encode
-(
- NSSPKIXPersonalName *personalName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPersonalName_GetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPersonalName_GetSurname
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPersonalName_SetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_SetSurname
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *surname
-);
-
-/*
- * nssPKIXPersonalName_HasGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPersonalName_HasGivenName
-(
- NSSPKIXPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPersonalName_GetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_GIVEN_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPersonalName_GetGivenName
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPersonalName_SetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_SetGivenName
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *givenName
-);
-
-/*
- * nssPKIXPersonalName_RemoveGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_HAS_NO_GIVEN_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_RemoveGivenName
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * nssPKIXPersonalName_HasInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPersonalName_HasInitials
-(
- NSSPKIXPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPersonalName_GetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPersonalName_GetInitials
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPersonalName_SetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_SetInitials
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *initials
-);
-
-/*
- * nssPKIXPersonalName_RemoveInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_RemoveInitials
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * nssPKIXPersonalName_HasGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPersonalName_HasGenerationQualifier
-(
- NSSPKIXPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPersonalName_GetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPersonalName_GetGenerationQualifier
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPersonalName_SetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_SetGenerationQualifier
-(
- NSSPKIXPersonalName *personalName,
- NSSUTF8 *generationQualifier
-);
-
-/*
- * nssPKIXPersonalName_RemoveGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_RemoveGenerationQualifier
-(
- NSSPKIXPersonalName *personalName
-);
-
-/*
- * nssPKIXPersonalName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPersonalName_Equal
-(
- NSSPKIXPersonalName *personalName1,
- NSSPKIXPersonalName *personalName2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPersonalName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPersonalName *
-nssPKIXPersonalName_Duplicate
-(
- NSSPKIXPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXPersonalName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPersonalName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPersonalName_verifyPointer
-(
- NSSPKIXPersonalName *p
-);
-#endif /* DEBUG */
-
-/*
- * OrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
- * OF OrganizationalUnitName
- *
- * The private calls for the type:
- *
- * nssPKIXOrganizationalUnitNames_Decode
- * nssPKIXOrganizationalUnitNames_Create
- * nssPKIXOrganizationalUnitNames_Destroy
- * nssPKIXOrganizationalUnitNames_Encode
- * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
- * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
- * nssPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
- * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitName
- * nssPKIXOrganizationalUnitNames_SetOrganizationalUnitName
- * nssPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
- * nssPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
- * nssPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
- * nssPKIXOrganizationalUnitNames_FindOrganizationalUnitName
- * nssPKIXOrganizationalUnitNames_Equal
- * nssPKIXOrganizationalUnitNames_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXOrganizationalUnitNames_verifyPointer
- *
- */
-
-/*
- * nssPKIXOrganizationalUnitNames_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-nssPKIXOrganizationalUnitNames_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-nssPKIXOrganizationalUnitNames_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXOrganizationalUnitName *ou1,
- ...
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_Destroy
-(
- NSSPKIXOrganizationalUnitNames *ous
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXOrganizationalUnitNames_Encode
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
-(
- NSSPKIXOrganizationalUnitNames *ous
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXOrganizationalUnitName
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName **
-nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *ou[],
- PRInt32 count
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName *
-nssPKIXOrganizationalUnitNames_GetOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_SetOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_SetOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- PRInt32 i
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_FindOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRIntn
-nssPKIXOrganizationalUnitNames_FindOrganizationalUnitName
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSPKIXOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXOrganizationalUnitNames_Equal
-(
- NSSPKIXOrganizationalUnitNames *ous1,
- NSSPKIXOrganizationalUnitNames *ous2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXOrganizationalUnitNames_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitNames *
-nssPKIXOrganizationalUnitNames_Duplicate
-(
- NSSPKIXOrganizationalUnitNames *ous,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXOrganizationalUnitNames_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXOrganizationalUnitNames
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXOrganizationalUnitNames_verifyPointer
-(
- NSSPKIXOrganizationalUnitNames *p
-);
-#endif /* DEBUG */
-
-/*
- * OrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitName ::= PrintableString (SIZE
- * (1..ub-organizational-unit-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXOrganizationalUnitName_Decode
- * nssPKIXOrganizationalUnitName_CreateFromUTF8
- * nssPKIXOrganizationalUnitName_Encode
- *
- */
-
-/*
- * nssPKIXOrganizationalUnitName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName *
-nssPKIXOrganizationalUnitName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXOrganizationalUnitName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXOrganizationalUnitName *
-nssPKIXOrganizationalUnitName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXOrganizationalUnitName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXOrganizationalUnitName_Encode
-(
- NSSPKIXOrganizationalUnitName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * BuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF
- * BuiltInDomainDefinedAttribute
- *
- * The private calls for this type:
- *
- * nssPKIXBuiltInDomainDefinedAttributes_Decode
- * nssPKIXBuiltInDomainDefinedAttributes_Create
- * nssPKIXBuiltInDomainDefinedAttributes_Destroy
- * nssPKIXBuiltInDomainDefinedAttributes_Encode
- * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
- * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
- * nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
- * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
- * nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
- * nssPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
- * nssPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
- * nssPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
- * nssPKIXBuiltInDomainDefinedAttributes_Equal
- * nssPKIXBuiltInDomainDefinedAttributes_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXBuiltInDomainDefinedAttributes_verifyPointer
- *
- */
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-nssPKIXBuiltInDomainDefinedAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-nssPKIXBuiltInDomainDefinedAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
- ...
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_Destroy
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXBuiltInDomainDefinedAttributes_Encode
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXBuiltInDomainDefinedAttribute
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute **
-nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribut *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribut *bidda[],
- PRInt32 count
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- PRInt32 i
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-nssPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInDomainDefinedAttributes_Equal
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas1,
- NSSPKIXBuiltInDomainDefinedAttributes *biddas2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
-nssPKIXBuiltInDomainDefinedAttributes_Duplicate
-(
- NSSPKIXBuiltInDomainDefinedAttributes *biddas,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXBuiltInDomainDefinedAttributes_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttributes_verifyPointer
-(
- NSSPKIXBuiltInDomainDefinedAttributes *p
-);
-#endif /* DEBUG */
-
-/*
- * BuiltInDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttribute ::= SEQUENCE {
- * type PrintableString (SIZE
- * (1..ub-domain-defined-attribute-type-length)),
- * value PrintableString (SIZE
- * (1..ub-domain-defined-attribute-value-length))}
- *
- * The private calls for this type:
- *
- * nssPKIXBuiltInDomainDefinedAttribute_Decode
- * nssPKIXBuiltInDomainDefinedAttribute_Create
- * nssPKIXBuiltInDomainDefinedAttribute_Destroy
- * nssPKIXBuiltInDomainDefinedAttribute_Encode
- * nssPKIXBuiltInDomainDefinedAttribute_GetType
- * nssPKIXBuiltInDomainDefinedAttribute_SetType
- * nssPKIXBuiltInDomainDefinedAttribute_GetValue
- * nssPKIXBuiltInDomainDefinedAttribute_SetValue
- * nssPKIXBuiltInDomainDefinedAttribute_Equal
- * nssPKIXBuiltInDomainDefinedAttribute_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXBuiltInDomainDefinedAttribute_verifyPointer
- *
- */
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-nssPKIXBuiltInDomainDefinedAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-nssPKIXBuiltInDomainDefinedAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *type,
- NSSUTF8 *value
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttribute_Destroy
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXBuiltInDomainDefinedAttribute_Encode
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_GetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXBuiltInDomainDefinedAttribute_GetType
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_SetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttribute_SetType
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSUTF8 *type
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXBuiltInDomainDefinedAttribute_GetValue
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttribute_SetValue
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSUTF8 *value
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXBuiltInDomainDefinedAttribute_Equal
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
- NSSPKIXBuiltInDomainDefinedAttribute *bidda2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
-nssPKIXBuiltInDomainDefinedAttribute_Duplicate
-(
- NSSPKIXBuiltInDomainDefinedAttribute *bidda,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXBuiltInDomainDefinedAttribute_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBuiltInDomainDefinedAttribute_verifyPointer
-(
- NSSPKIXBuiltInDomainDefinedAttribute *p
-);
-#endif /* DEBUG */
-
-/*
- * ExtensionAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
- * ExtensionAttribute
- *
- * The private calls for this type:
- *
- * nssPKIXExtensionAttributes_Decode
- * nssPKIXExtensionAttributes_Create
- * nssPKIXExtensionAttributes_Destroy
- * nssPKIXExtensionAttributes_Encode
- * nssPKIXExtensionAttributes_GetExtensionAttributeCount
- * nssPKIXExtensionAttributes_GetExtensionAttributes
- * nssPKIXExtensionAttributes_SetExtensionAttributes
- * nssPKIXExtensionAttributes_GetExtensionAttribute
- * nssPKIXExtensionAttributes_SetExtensionAttribute
- * nssPKIXExtensionAttributes_InsertExtensionAttribute
- * nssPKIXExtensionAttributes_AppendExtensionAttribute
- * nssPKIXExtensionAttributes_RemoveExtensionAttribute
- * nssPKIXExtensionAttributes_FindExtensionAttribute
- * nssPKIXExtensionAttributes_Equal
- * nssPKIXExtensionAttributes_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXExtensionAttributes_verifyPointer
- *
- */
-
-/*
- * nssPKIXExtensionAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-nssPKIXExtensionAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXExtensionAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-nssPKIXExtensionAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXExtensionAttribute ea1,
- ...
-);
-
-/*
- * nssPKIXExtensionAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_Destroy
-(
- NSSPKIXExtensionAttributes *eas
-);
-
-/*
- * nssPKIXExtensionAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXExtensionAttributes_Encode
-(
- NSSPKIXExtensionAttributes *eas
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtensionAttributes_GetExtensionAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXExtensionAttributes_GetExtensionAttributeCount
-(
- NSSPKIXExtensionAttributes *eas
-);
-
-/*
- * nssPKIXExtensionAttributes_GetExtensionAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXExtensionAttribute pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute **
-nssPKIXExtensionAttributes_GetExtensionAttributes
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtensionAttributes_SetExtensionAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_SetExtensionAttributes
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *ea[],
- PRInt32 count
-);
-
-/*
- * nssPKIXExtensionAttributes_GetExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-nssPKIXExtensionAttributes_GetExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtensionAttributes_SetExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_SetExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * nssPKIXExtensionAttributes_InsertExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_InsertExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * nssPKIXExtensionAttributes_AppendExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_AppendExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * nssPKIXExtensionAttributes_RemoveExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_RemoveExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- PRInt32 i,
-);
-
-/*
- * nssPKIXExtensionAttributes_FindExtensionAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * A nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXExtensionAttributes_FindExtensionAttribute
-(
- NSSPKIXExtensionAttributes *eas,
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * nssPKIXExtensionAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXExtensionAttributes_Equal
-(
- NSSPKIXExtensionAttributes *eas1,
- NSSPKIXExtensionAttributes *eas2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXExtensionAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttributes upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributes *
-nssPKIXExtensionAttributes_Duplicate
-(
- NSSPKIXExtensionAttributes *eas,
- NSSArena *arenaOpt
-);
-
-/*
- * fgmr
- * There should be accessors to search the ExtensionAttributes and
- * return the value for a specific value, etc.
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXExtensionAttributes_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXExtensionAttributes
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttributes_verifyPointer
-(
- NSSPKIXExtensionAttributes *p
-);
-#endif /* DEBUG */
-
-/*
- * ExtensionAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttribute ::= SEQUENCE {
- * extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
- * extension-attribute-value [1]
- * ANY DEFINED BY extension-attribute-type }
- *
- * The private calls for this type:
- *
- * nssPKIXExtensionAttribute_Decode
- * nssPKIXExtensionAttribute_Create
- * nssPKIXExtensionAttribute_Destroy
- * nssPKIXExtensionAttribute_Encode
- * nssPKIXExtensionAttribute_GetExtensionsAttributeType
- * nssPKIXExtensionAttribute_SetExtensionsAttributeType
- * nssPKIXExtensionAttribute_GetExtensionsAttributeValue
- * nssPKIXExtensionAttribute_SetExtensionsAttributeValue
- * nssPKIXExtensionAttribute_Equal
- * nssPKIXExtensionAttribute_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXExtensionAttribute_verifyPointer
- *
- */
-
-/*
- * nssPKIXExtensionAttribute_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-nssPKIXExtensionAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXExtensionAttribute_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE_TYPE
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-nssPKIXExtensionAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXExtensionAttributeType type,
- NSSItem *value
-);
-
-/*
- * nssPKIXExtensionAttribute_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttribute_Destroy
-(
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * nssPKIXExtensionAttribute_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXExtensionAttribute_Encode
-(
- NSSPKIXExtensionAttribute *ea,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtensionAttribute_GetExtensionsAttributeType
- *
- * -- fgmr comments --
- * {One of these objects created from BER generated by a program
- * adhering to a later version of the PKIX standards might have
- * a value not mentioned in the enumeration definition. This isn't
- * a bug.}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * A member of the NSSPKIXExtensionAttributeType enumeration
- * upon success
- * NSSPKIXExtensionAttributeType_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttributeType
-nssPKIXExtensionAttribute_GetExtensionsAttributeType
-(
- NSSPKIXExtensionAttribute *ea
-);
-
-/*
- * nssPKIXExtensionAttribute_SetExtensionsAttributeType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttribute_SetExtensionsAttributeType
-(
- NSSPKIXExtensionAttribute *ea,
- NSSPKIXExtensionAttributeType type
-);
-
-/*
- * nssPKIXExtensionAttribute_GetExtensionsAttributeValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXExtensionAttribute_GetExtensionsAttributeValue
-(
- NSSPKIXExtensionAttribute *ea,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtensionAttribute_SetExtensionsAttributeValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttribute_SetExtensionsAttributeValue
-(
- NSSPKIXExtensionAttribute *ea,
- NSSItem *value
-);
-
-/*
- * nssPKIXExtensionAttribute_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXExtensionAttribute_Equal
-(
- NSSPKIXExtensionAttribute *ea1,
- NSSPKIXExtensionAttribute *ea2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXExtensionAttribute_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtensionAttribute upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtensionAttribute *
-nssPKIXExtensionAttribute_Duplicate
-(
- NSSPKIXExtensionAttribute *ea,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXExtensionAttribute_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXExtensionAttribute
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtensionAttribute_verifyPointer
-(
- NSSPKIXExtensionAttribute *p
-);
-#endif /* DEBUG */
-
-/*
- * CommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXCommonName_Decode
- * nssPKIXCommonName_CreateFromUTF8
- * nssPKIXCommonName_Encode
- *
- */
-
-/*
- * nssPKIXCommonName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCommonName *
-nssPKIXCommonName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCommonName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCommonName *
-nssPKIXCommonName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXCommonName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCommonName_Encode
-(
- NSSPKIXCommonName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexCommonName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXTeletexCommonName_Decode
- * nssPKIXTeletexCommonName_CreateFromUTF8
- * nssPKIXTeletexCommonName_Encode
- *
- */
-
-/*
- * nssPKIXTeletexCommonName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexCommonName *
-nssPKIXTeletexCommonName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexCommonName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexCommonName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexCommonName *
-nssPKIXTeletexCommonName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXTeletexCommonName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_COMMON_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexCommonName_Encode
-(
- NSSPKIXTeletexCommonName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexOrganizationName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationName ::=
- * TeletexString (SIZE (1..ub-organization-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXTeletexOrganizationName_Decode
- * nssPKIXTeletexOrganizationName_CreateFromUTF8
- * nssPKIXTeletexOrganizationName_Encode
- *
- */
-
-/*
- * nssPKIXTeletexOrganizationName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationName *
-nssPKIXTeletexOrganizationName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexOrganizationName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationName *
-nssPKIXTeletexOrganizationName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXTeletexOrganizationName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATION_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexOrganizationName_Encode
-(
- NSSPKIXTeletexOrganizationName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * TeletexPersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexPersonalName ::= SET {
- * surname [0] TeletexString (SIZE (1..ub-surname-length)),
- * given-name [1] TeletexString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] TeletexString (SIZE
- * (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXTeletexPersonalName_Decode
- * nssPKIXTeletexPersonalName_Create
- * nssPKIXTeletexPersonalName_Destroy
- * nssPKIXTeletexPersonalName_Encode
- * nssPKIXTeletexPersonalName_GetSurname
- * nssPKIXTeletexPersonalName_SetSurname
- * nssPKIXTeletexPersonalName_HasGivenName
- * nssPKIXTeletexPersonalName_GetGivenName
- * nssPKIXTeletexPersonalName_SetGivenName
- * nssPKIXTeletexPersonalName_RemoveGivenName
- * nssPKIXTeletexPersonalName_HasInitials
- * nssPKIXTeletexPersonalName_GetInitials
- * nssPKIXTeletexPersonalName_SetInitials
- * nssPKIXTeletexPersonalName_RemoveInitials
- * nssPKIXTeletexPersonalName_HasGenerationQualifier
- * nssPKIXTeletexPersonalName_GetGenerationQualifier
- * nssPKIXTeletexPersonalName_SetGenerationQualifier
- * nssPKIXTeletexPersonalName_RemoveGenerationQualifier
- * nssPKIXTeletexPersonalName_Equal
- * nssPKIXTeletexPersonalName_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTeletexPersonalName_verifyPointer
- *
- */
-
-/*
- * nssPKIXTeletexPersonalName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexPersonalName *
-nssPKIXTeletexPersonalName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexPersonalName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexPersonalName *
-nssPKIXTeletexPersonalName_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *surname,
- NSSUTF8 *givenNameOpt,
- NSSUTF8 *initialsOpt,
- NSSUTF8 *generationQualifierOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_Destroy
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * nssPKIXTeletexPersonalName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexPersonalName_Encode
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_GetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexPersonalName_GetSurname
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_SetSurname
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_SetSurname
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *surname
-);
-
-/*
- * nssPKIXTeletexPersonalName_HasGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexPersonalName_HasGivenName
-(
- NSSPKIXTeletexPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_GetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexPersonalName_GetGivenName
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_SetGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_SetGivenName
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *givenName
-);
-
-/*
- * nssPKIXTeletexPersonalName_RemoveGivenName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_RemoveGivenName
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * nssPKIXTeletexPersonalName_HasInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexPersonalName_HasInitials
-(
- NSSPKIXTeletexPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_GetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexPersonalName_GetInitials
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_SetInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_SetInitials
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *initials
-);
-
-/*
- * nssPKIXTeletexPersonalName_RemoveInitials
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_RemoveInitials
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * nssPKIXTeletexPersonalName_HasGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexPersonalName_HasGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_GetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexPersonalName_GetGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_SetGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_SetGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSUTF8 *generationQualifier
-);
-
-/*
- * nssPKIXTeletexPersonalName_RemoveGenerationQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_RemoveGenerationQualifier
-(
- NSSPKIXTeletexPersonalName *personalName
-);
-
-/*
- * nssPKIXTeletexPersonalName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexPersonalName_Equal
-(
- NSSPKIXTeletexPersonalName *personalName1,
- NSSPKIXTeletexPersonalName *personalName2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexPersonalName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexPersonalName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexPersonalName *
-nssPKIXTeletexPersonalName_Duplicate
-(
- NSSPKIXTeletexPersonalName *personalName,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTeletexPersonalName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXTeletexPersonalName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexPersonalName_verifyPointer
-(
- NSSPKIXTeletexPersonalName *p
-);
-#endif /* DEBUG */
-
-/*
- * TeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
- * (1..ub-organizational-units) OF TeletexOrganizationalUnitName
- *
- * The private calls for the type:
- *
- * nssPKIXTeletexOrganizationalUnitNames_Decode
- * nssPKIXTeletexOrganizationalUnitNames_Create
- * nssPKIXTeletexOrganizationalUnitNames_Destroy
- * nssPKIXTeletexOrganizationalUnitNames_Encode
- * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
- * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
- * nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
- * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
- * nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
- * nssPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
- * nssPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
- * nssPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
- * nssPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
- * nssPKIXTeletexOrganizationalUnitNames_Equal
- * nssPKIXTeletexOrganizationalUnitNames_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTeletexOrganizationalUnitNames_verifyPointer
- *
- */
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
-nssPKIXTeletexOrganizationalUnitNames_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
-nssPKIXTeletexOrganizationalUnitNames_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTeletexOrganizationalUnitName *ou1,
- ...
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_Destroy
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexOrganizationalUnitNames_Encode
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXTeletexOrganizationalUnitName
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName **
-nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *ou[],
- PRInt32 count
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
-nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- PRInt32 i
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * The index of the specified revoked certificate upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-nssPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSPKIXTeletexOrganizationalUnitName *ou
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexOrganizationalUnitNames_Equal
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous1,
- NSSPKIXTeletexOrganizationalUnitNames *ous2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitNames_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
-nssPKIXTeletexOrganizationalUnitNames_Duplicate
-(
- NSSPKIXTeletexOrganizationalUnitNames *ous,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTeletexOrganizationalUnitNames_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXTeletexOrganizationalUnitNames
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexOrganizationalUnitNames_verifyPointer
-(
- NSSPKIXTeletexOrganizationalUnitNames *p
-);
-#endif /* DEBUG */
-
-/*
- * TeletexOrganizationalUnitName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitName ::= TeletexString
- * (SIZE (1..ub-organizational-unit-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXTeletexOrganizationalUnitName_Decode
- * nssPKIXTeletexOrganizationalUnitName_CreateFromUTF8
- * nssPKIXTeletexOrganizationalUnitName_Encode
- *
- */
-
-/*
- * nssPKIXTeletexOrganizationalUnitName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
-nssPKIXTeletexOrganizationalUnitName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
-nssPKIXTeletexOrganizationalUnitName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXTeletexOrganizationalUnitName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexOrganizationalUnitName_Encode
-(
- NSSPKIXTeletexOrganizationalUnitName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PDSName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
- *
- * The private calls for this type:
- *
- * nssPKIXPDSName_Decode
- * nssPKIXPDSName_CreateFromUTF8
- * nssPKIXPDSName_Encode
- *
- */
-
-/*
- * nssPKIXPDSName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSName *
-nssPKIXPDSName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPDSName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSName *
-nssPKIXPDSName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXPDSName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPDSName_Encode
-(
- NSSPKIXPDSName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PhysicalDeliveryCountryName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PhysicalDeliveryCountryName ::= CHOICE {
- * x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
- * iso-3166-alpha2-code PrintableString
- * (SIZE (ub-country-name-alpha-length)) }
- *
- * The private calls for this type:
- *
- * nssPKIXPhysicalDeliveryCountryName_Decode
- * nssPKIXPhysicalDeliveryCountryName_CreateFromUTF8
- * nssPKIXPhysicalDeliveryCountryName_Encode
- *
- */
-
-/*
- * nssPKIXPhysicalDeliveryCountryName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
-nssPKIXPhysicalDeliveryCountryName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPhysicalDeliveryCountryName_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
-nssPKIXPhysicalDeliveryCountryName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXPhysicalDeliveryCountryName_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PHYSICAL_DELIVERY_COUNTRY_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPhysicalDeliveryCountryName_Encode
-(
- NSSPKIXPhysicalDeliveryCountryName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PostalCode
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PostalCode ::= CHOICE {
- * numeric-code NumericString (SIZE (1..ub-postal-code-length)),
- * printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
- *
- * The private calls for this type:
- *
- * nssPKIXPostalCode_Decode
- * nssPKIXPostalCode_CreateFromUTF8
- * nssPKIXPostalCode_Encode
- *
- */
-
-/*
- * nssPKIXPostalCode_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPostalCode upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPostalCode *
-nssPKIXPostalCode_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPostalCode_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPostalCode upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPostalCode *
-nssPKIXPostalCode_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXPostalCode_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POSTAL_CODE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPostalCode_Encode
-(
- NSSPKIXPostalCode *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PDSParameter
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSParameter ::= SET {
- * printable-string PrintableString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXPDSParameter_Decode
- * nssPKIXPDSParameter_CreateFromUTF8
- * nssPKIXPDSParameter_Create
- * nssPKIXPDSParameter_Delete
- * nssPKIXPDSParameter_Encode
- * nssPKIXPDSParameter_GetUTF8Encoding
- * nssPKIXPDSParameter_HasPrintableString
- * nssPKIXPDSParameter_GetPrintableString
- * nssPKIXPDSParameter_SetPrintableString
- * nssPKIXPDSParameter_RemovePrintableString
- * nssPKIXPDSParameter_HasTeletexString
- * nssPKIXPDSParameter_GetTeletexString
- * nssPKIXPDSParameter_SetTeletexString
- * nssPKIXPDSParameter_RemoveTeletexString
- * nssPKIXPDSParameter_Equal
- * nssPKIXPDSParameter_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPDSParameter_verifyPointer
- */
-
-/*
- * nssPKIXPDSParameter_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-nssPKIXPDSParameter_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPDSParameter_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-nssPKIXPDSParameter_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXPDSParameter_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-nssPKIXPDSParameter_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *printableStringOpt,
- NSSUTF8 *teletexStringOpt
-);
-
-/*
- * nssPKIXPDSParameter_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPDSParameter_Destroy
-(
- NSSPKIXPDSParameter *p
-);
-
-/*
- * nssPKIXPDSParameter_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPDSParameter_Encode
-(
- NSSPKIXPDSParameter *p,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPDSParameter_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPDSParameter_GetUTF8Encoding
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPDSParameter_HasPrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPDSParameter_HasPrintableString
-(
- NSSPKIXPDSParameter *p,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPDSParameter_GetPrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPDSParameter_GetPrintableString
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPDSParameter_SetPrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPDSParameter_SetPrintableString
-(
- NSSPKIXPDSParameter *p,
- NSSUTF8 *printableString
-);
-
-/*
- * nssPKIXPDSParameter_RemovePrintableString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPDSParameter_RemovePrintableString
-(
- NSSPKIXPDSParameter *p
-);
-
-/*
- * nssPKIXPDSParameter_HasTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPDSParameter_HasTeletexString
-(
- NSSPKIXPDSParameter *p,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPDSParameter_GetTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXPDSParameter_GetTeletexString
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPDSParameter_SetTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPDSParameter_SetTeletexString
-(
- NSSPKIXPDSParameter *p,
- NSSUTF8 *teletexString
-);
-
-/*
- * nssPKIXPDSParameter_RemoveTeletexString
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPDSParameter_RemoveTeletexString
-(
- NSSPKIXPDSParameter *p
-);
-
-/*
- * nssPKIXPDSParameter_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPDSParameter_Equal
-(
- NSSPKIXPDSParameter *p1,
- NSSPKIXPDSParameter *p2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPDSParameter_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPDSParameter upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPDSParameter *
-nssPKIXPDSParameter_Duplicate
-(
- NSSPKIXPDSParameter *p,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXPDSParameter_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPDSParameter
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPDSParameter_verifyPointer
-(
- NSSPKIXPDSParameter *p
-);
-#endif /* DEBUG */
-
-/*
- * fgmr: what about these PDS types?
- *
- * PhysicalDeliveryOfficeName
- *
- * PhysicalDeliveryOfficeNumber
- *
- * ExtensionORAddressComponents
- *
- * PhysicalDeliveryPersonalName
- *
- * PhysicalDeliveryOrganizationName
- *
- * ExtensionPhysicalDeliveryAddressComponents
- *
- * StreetAddress
- *
- * PostOfficeBoxAddress
- *
- * PosteRestanteAddress
- *
- * UniquePostalName
- *
- * LocalPostalAttributes
- *
- */
-
-/*
- * UnformattedPostalAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UnformattedPostalAddress ::= SET {
- * printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
- * PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
- *
- * The private calls for the type:
- *
- *
- */
-
-/*
- * ExtendedNetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtendedNetworkAddress ::= CHOICE {
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- * psap-address [0] PresentationAddress }
- *
- * The private calls for the type:
- *
- * nssPKIXExtendedNetworkAddress_Decode
- * nssPKIXExtendedNetworkAddress_Create
- * nssPKIXExtendedNetworkAddress_Encode
- * nssPKIXExtendedNetworkAddress_Destroy
- * nssPKIXExtendedNetworkAddress_GetChoice
- * nssPKIXExtendedNetworkAddress_Get
- * nssPKIXExtendedNetworkAddress_GetE1634Address
- * nssPKIXExtendedNetworkAddress_GetPsapAddress
- * nssPKIXExtendedNetworkAddress_Set
- * nssPKIXExtendedNetworkAddress_SetE163Address
- * nssPKIXExtendedNetworkAddress_SetPsapAddress
- * nssPKIXExtendedNetworkAddress_Equal
- * nssPKIXExtendedNetworkAddress_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXExtendedNetworkAddress_verifyPointer
- *
- */
-
-/*
- * nssPKIXExtendedNetworkAddress_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-nssPKIXExtendedNetworkAddress_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-nssPKIXExtendedNetworkAddress_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXExtendedNetworkAddressChoice choice,
- void *address
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_CreateFromE1634Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-nssPKIXExtendedNetworkAddress_CreateFromE1634Address
-(
- NSSArena *arenaOpt,
- NSSPKIXe1634Address *e1634address
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_CreateFromPresentationAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-nssPKIXExtendedNetworkAddress_CreateFromPresentationAddress
-(
- NSSArena *arenaOpt,
- NSSPKIXPresentationAddress *presentationAddress
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtendedNetworkAddress_Destroy
-(
- NSSPKIXExtendedNetworkAddress *ena
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXExtendedNetworkAddress_Encode
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * A valid element of the NSSPKIXExtendedNetworkAddressChoice upon
- * success
- * The value nssPKIXExtendedNetworkAddress_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddressChoice
-nssPKIXExtendedNetworkAddress_GetChoice
-(
- NSSPKIXExtendedNetworkAddress *ena
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A pointer...
- * NULL upon failure
- */
-
-NSS_EXTERN void *
-nssPKIXExtendedNetworkAddress_GetSpecifiedChoice
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXExtendedNetworkAddressChoice which,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_GetE1634Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1643Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1643Address *
-nssPKIXExtendedNetworkAddress_GetE1634Address
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_GetPresentationAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer to an NSSPKIXPresentationAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPresentationAddress *
-nssPKIXExtendedNetworkAddress_GetPresentationAddress
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_SetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtendedNetworkAddress_SetSpecifiedChoice
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXExtendedNetworkAddressChoice which,
- void *address
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_SetE163Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtendedNetworkAddress_SetE163Address
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXe1634Address *e1634address
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_SetPresentationAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtendedNetworkAddress_SetPresentationAddress
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSPKIXPresentationAddress *presentationAddress
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXExtendedNetworkAddress_Equal
-(
- NSSPKIXExtendedNetworkAddress *ena1,
- NSSPKIXExtendedNetworkAddress *ena2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXExtendedNetworkAddress_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtendedNetworkAddress *
-nssPKIXExtendedNetworkAddress_Duplicate
-(
- NSSPKIXExtendedNetworkAddress *ena,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXExtendedNetworkAddress_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXExtendedNetworkAddress
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtendedNetworkAddress_verifyPointer
-(
- NSSPKIXExtendedNetworkAddress *p
-);
-#endif /* DEBUG */
-
-/*
- * e163-4-address
- *
- * Helper structure for ExtendedNetworkAddress.
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- *
- * The private calls for the type:
- *
- * nssPKIXe1634Address_Decode
- * nssPKIXe1634Address_Create
- * nssPKIXe1634Address_Destroy
- * nssPKIXe1634Address_Encode
- * nssPKIXe1634Address_GetNumber
- * nssPKIXe1634Address_SetNumber
- * nssPKIXe1634Address_HasSubAddress
- * nssPKIXe1634Address_GetSubAddress
- * nssPKIXe1634Address_SetSubAddress
- * nssPKIXe1634Address_RemoveSubAddress
- * nssPKIXe1634Address_Equal
- * nssPKIXe1634Address_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXe1634Address_verifyPointer
- *
- */
-
-/*
- * nssPKIXe1634Address_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1634Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1634Address *
-nssPKIXe1634Address_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXe1634Address_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1634Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1634Address *
-nssPKIXe1634Address_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *number,
- NSSUTF8 *subAddressOpt
-);
-
-/*
- * nssPKIXe1634Address_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXe1634Address_Destroy
-(
- NSSPKIXe1634Address *e
-);
-
-/*
- * nssPKIXe1634Address_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXe1634Address_Encode
-(
- NSSPKIXe1634Address *e,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXe1634Address_GetNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXe1634Address_GetNumber
-(
- NSSPKIXe1634Address *e,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXe1634Address_SetNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXe1634Address_SetNumber
-(
- NSSPKIXe1634Address *e,
- NSSUTF8 *number
-);
-
-/*
- * nssPKIXe1634Address_HasSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXe1634Address_HasSubAddress
-(
- NSSPKIXe1634Address *e,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXe1634Address_GetSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXe1634Address_GetSubAddress
-(
- NSSPKIXe1634Address *e,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXe1634Address_SetSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXe1634Address_SetSubAddress
-(
- NSSPKIXe1634Address *e,
- NSSUTF8 *subAddress
-);
-
-/*
- * nssPKIXe1634Address_RemoveSubAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXe1634Address_RemoveSubAddress
-(
- NSSPKIXe1634Address *e
-);
-
-/*
- * nssPKIXe1634Address_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXe1634Address_Equal
-(
- NSSPKIXe1634Address *e1,
- NSSPKIXe1634Address *e2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXe1634Address_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXe1634Address upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXe1634Address *
-nssPKIXe1634Address_Duplicate
-(
- NSSPKIXe1634Address *e,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXe1634Address_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXe1634Address
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXe1634Address_verifyPointer
-(
- NSSPKIXe1634Address *p
-);
-#endif /* DEBUG */
-
-/*
- * PresentationAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PresentationAddress ::= SEQUENCE {
- * pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
- * sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
- * tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
- * nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
- *
- * The private calls for the type:
- *
- * nssPKIXPresentationAddress_Decode
- * nssPKIXPresentationAddress_Create
- * nssPKIXPresentationAddress_Destroy
- * nssPKIXPresentationAddress_Encode
- * nssPKIXPresentationAddress_HasPSelector
- * nssPKIXPresentationAddress_GetPSelector
- * nssPKIXPresentationAddress_SetPSelector
- * nssPKIXPresentationAddress_RemovePSelector
- * nssPKIXPresentationAddress_HasSSelector
- * nssPKIXPresentationAddress_GetSSelector
- * nssPKIXPresentationAddress_SetSSelector
- * nssPKIXPresentationAddress_RemoveSSelector
- * nssPKIXPresentationAddress_HasTSelector
- * nssPKIXPresentationAddress_GetTSelector
- * nssPKIXPresentationAddress_SetTSelector
- * nssPKIXPresentationAddress_RemoveTSelector
- * nssPKIXPresentationAddress_HasNAddresses
- * nssPKIXPresentationAddress_GetNAddresses
- * nssPKIXPresentationAddress_SetNAddresses
- * nssPKIXPresentationAddress_RemoveNAddresses
- *{NAddresses must be more complex than that}
- * nssPKIXPresentationAddress_Compare
- * nssPKIXPresentationAddress_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * _verifyPointer
- *
- */
-
-/*
- * TeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
- *
- * The private calls for the type:
- *
- * nssPKIXTeletexDomainDefinedAttributes_Decode
- * nssPKIXTeletexDomainDefinedAttributes_Create
- * nssPKIXTeletexDomainDefinedAttributes_Destroy
- * nssPKIXTeletexDomainDefinedAttributes_Encode
- * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
- * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
- * nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
- * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
- * nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
- * nssPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
- * nssPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
- * nssPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
- * nssPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
- * nssPKIXTeletexDomainDefinedAttributes_Equal
- * nssPKIXTeletexDomainDefinedAttributes_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTeletexDomainDefinedAttributes_verifyPointer
- *
- */
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
-nssPKIXTeletexDomainDefinedAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
-nssPKIXTeletexDomainDefinedAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXTeletexDomainDefinedAttribute *tdda1,
- ...
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_Destroy
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexDomainDefinedAttributes_Encode
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXTeletexDomainDefinedAttribute
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute **
-nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *tdda[],
- PRInt32 count
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- PRInt32 i
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * The nonnegative integer upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-nssPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexDomainDefinedAttributes_Equal
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas1,
- NSSPKIXTeletexDomainDefinedAttributes *tddas2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
-nssPKIXTeletexDomainDefinedAttributes_Duplicate
-(
- NSSPKIXTeletexDomainDefinedAttributes *tddas,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTeletexDomainDefinedAttributes_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttributes_verifyPointer
-(
- NSSPKIXTeletexDomainDefinedAttributes *p
-);
-#endif /* DEBUG */
-
-/*
- * TeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttribute ::= SEQUENCE {
- * type TeletexString
- * (SIZE (1..ub-domain-defined-attribute-type-length)),
- * value TeletexString
- * (SIZE (1..ub-domain-defined-attribute-value-length)) }
- *
- * The private calls for the type:
- *
- * nssPKIXTeletexDomainDefinedAttribute_Decode
- * nssPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
- * nssPKIXTeletexDomainDefinedAttribute_Create
- * nssPKIXTeletexDomainDefinedAttribute_Destroy
- * nssPKIXTeletexDomainDefinedAttribute_Encode
- * nssPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
- * nssPKIXTeletexDomainDefinedAttribute_GetType
- * nssPKIXTeletexDomainDefinedAttribute_SetType
- * nssPKIXTeletexDomainDefinedAttribute_GetValue
- * nssPKIXTeletexDomainDefinedAttribute_GetValue
- * nssPKIXTeletexDomainDefinedAttribute_Equal
- * nssPKIXTeletexDomainDefinedAttribute_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXTeletexDomainDefinedAttribute_verifyPointer
- *
- */
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-nssPKIXTeletexDomainDefinedAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-nssPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-nssPKIXTeletexDomainDefinedAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *type,
- NSSUTF8 *value
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttribute_Destroy
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXTeletexDomainDefinedAttribute_Encode
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_GetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexDomainDefinedAttribute_GetType
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_SetType
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttribute_SetType
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSUTF8 *type
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXTeletexDomainDefinedAttribute_GetValue
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttribute_SetValue
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSUTF8 *value
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXTeletexDomainDefinedAttribute_Equal
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda1,
- NSSPKIXTeletexDomainDefinedAttribute *tdda2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXTeletexDomainDefinedAttribute_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
-nssPKIXTeletexDomainDefinedAttribute_Duplicate
-(
- NSSPKIXTeletexDomainDefinedAttribute *tdda,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXTeletexDomainDefinedAttribute_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXTeletexDomainDefinedAttribute_verifyPointer
-(
- NSSPKIXTeletexDomainDefinedAttribute *p
-);
-#endif /* DEBUG */
-
-/*
- * AuthorityKeyIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityKeyIdentifier ::= SEQUENCE {
- * keyIdentifier [0] KeyIdentifier OPTIONAL,
- * authorityCertIssuer [1] GeneralNames OPTIONAL,
- * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
- * -- authorityCertIssuer and authorityCertSerialNumber shall both
- * -- be present or both be absent
- *
- * The private calls for the type:
- *
- * nssPKIXAuthorityKeyIdentifier_Decode
- * nssPKIXAuthorityKeyIdentifier_Create
- * nssPKIXAuthorityKeyIdentifier_Destroy
- * nssPKIXAuthorityKeyIdentifier_Encode
- * nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier
- * nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier
- * nssPKIXAuthorityKeyIdentifier_SetKeyIdentifier
- * nssPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
- * nssPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
- * nssPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
- * nssPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
- * nssPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
- * nssPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
- * nssPKIXAuthorityKeyIdentifier_Equal
- * nssPKIXAuthorityKeyIdentifier_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAuthorityKeyIdentifier_verifyPointer
- *
- */
-
-/*
- * nssPKIXAuthorityKeyIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
-nssPKIXAuthorityKeyIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARGUMENTS
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
-nssPKIXAuthorityKeyIdentifier_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXKeyIdentifier *keyIdentifierOpt,
- NSSPKIXGeneralNames *authorityCertIssuerOpt,
- NSSPKIXCertificateSerialNumber *authorityCertSerialNumberOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityKeyIdentifier_Destroy
-(
- NSSPKIXAuthorityKeyIdentifier *aki
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAuthorityKeyIdentifier_Encode
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_KEY_IDENTIFIER
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyIdentifier *
-nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXKeyIdentifier *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_SetKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityKeyIdentifier_SetKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXKeyIdentifier *keyIdentifier
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_HAS_NO_KEY_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
-(
- NSSPKIXAuthorityKeyIdentifier *aki
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if it has them
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-nssPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificateSerialNumber upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificateSerialNumber *
-nssPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXCertificateSerialNumber *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSPKIXGeneralNames *issuer,
- NSSPKIXCertificateSerialNumber *serialNumber
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAuthorityKeyIdentifier_Equal
-(
- NSSPKIXAuthorityKeyIdentifier *aki1,
- NSSPKIXAuthorityKeyIdentifier *aki2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAuthorityKeyIdentifier_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
-nssPKIXAuthorityKeyIdentifier_Duplicate
-(
- NSSPKIXAuthorityKeyIdentifier *aki,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXAuthorityKeyIdentifier_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAuthorityKeyIdentifier
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityKeyIdentifier_verifyPointer
-(
- NSSPKIXAuthorityKeyIdentifier *p
-);
-#endif /* DEBUG */
-
-/*
- * KeyUsage
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * KeyUsage ::= BIT STRING {
- * digitalSignature (0),
- * nonRepudiation (1),
- * keyEncipherment (2),
- * dataEncipherment (3),
- * keyAgreement (4),
- * keyCertSign (5),
- * cRLSign (6),
- * encipherOnly (7),
- * decipherOnly (8) }
- *
- * The private calls for the type:
- *
- * nssPKIXKeyUsage_Decode
- * nssPKIXKeyUsage_CreateFromUTF8
- * nssPKIXKeyUsage_CreateFromValue
- * nssPKIXKeyUsage_Destroy
- * nssPKIXKeyUsage_Encode
- * nssPKIXKeyUsage_GetUTF8Encoding
- * nssPKIXKeyUsage_GetValue
- * nssPKIXKeyUsage_SetValue
- * { bitwise accessors? }
- * nssPKIXKeyUsage_Equal
- * nssPKIXKeyUsage_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXKeyUsage_verifyPointer
- *
- */
-
-/*
- * nssPKIXKeyUsage_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-nssPKIXKeyUsage_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXKeyUsage_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-nssPKIXKeyUsage_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXKeyUsage_CreateFromValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-nssPKIXKeyUsage_CreateFromValue
-(
- NSSArena *arenaOpt,
- NSSPKIXKeyUsageValue value
-);
-
-/*
- * nssPKIXKeyUsage_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXKeyUsage_Destroy
-(
- NSSPKIXKeyUsage *keyUsage
-);
-
-/*
- * nssPKIXKeyUsage_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXKeyUsage_Encode
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXKeyUsage_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXKeyUsage_GetUTF8Encoding
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXKeyUsage_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * A set of NSSKeyUsageValue values OR-d together upon success
- * NSSKeyUsage_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSKeyUsageValue
-nssPKIXKeyUsage_GetValue
-(
- NSSPKIXKeyUsage *keyUsage
-);
-
-/*
- * nssPKIXKeyUsage_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXKeyUsage_SetValue
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSPKIXKeyUsageValue value
-);
-
-/*
- * nssPKIXKeyUsage_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXKeyUsage_Equal
-(
- NSSPKIXKeyUsage *keyUsage1,
- NSSPKIXKeyUsage *keyUsage2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXKeyUsage_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyUsage upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyUsage *
-nssPKIXKeyUsage_Duplicate
-(
- NSSPKIXKeyUsage *keyUsage,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXKeyUsage_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXKeyUsage
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_KEY_USAGE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXKeyUsage_verifyPointer
-(
- NSSPKIXKeyUsage *p
-);
-#endif /* DEBUG */
-
-/*
- * PrivateKeyUsagePeriod
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PrivateKeyUsagePeriod ::= SEQUENCE {
- * notBefore [0] GeneralizedTime OPTIONAL,
- * notAfter [1] GeneralizedTime OPTIONAL }
- * -- either notBefore or notAfter shall be present
- *
- * The private calls for the type:
- *
- * nssPKIXPrivateKeyUsagePeriod_Decode
- * nssPKIXPrivateKeyUsagePeriod_Create
- * nssPKIXPrivateKeyUsagePeriod_Destroy
- * nssPKIXPrivateKeyUsagePeriod_Encode
- * nssPKIXPrivateKeyUsagePeriod_HasNotBefore
- * nssPKIXPrivateKeyUsagePeriod_GetNotBefore
- * nssPKIXPrivateKeyUsagePeriod_SetNotBefore
- * nssPKIXPrivateKeyUsagePeriod_RemoveNotBefore
- * nssPKIXPrivateKeyUsagePeriod_HasNotAfter
- * nssPKIXPrivateKeyUsagePeriod_GetNotAfter
- * nssPKIXPrivateKeyUsagePeriod_SetNotAfter
- * nssPKIXPrivateKeyUsagePeriod_RemoveNotAfter
- * nssPKIXPrivateKeyUsagePeriod_Equal
- * nssPKIXPrivateKeyUsagePeriod_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPrivateKeyUsagePeriod_verifyPointer
- *
- */
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
-nssPKIXPrivateKeyUsagePeriod_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_TIME
- * NSS_ERROR_INVALID_ARGUMENTS
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
-nssPKIXPrivateKeyUsagePeriod_Create
-(
- NSSArena *arenaOpt,
- NSSTime *notBeforeOpt,
- NSSTime *notAfterOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPrivateKeyUsagePeriod_Destroy
-(
- NSSPKIXPrivateKeyUsagePeriod *period
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPrivateKeyUsagePeriod_Encode
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_HasNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPrivateKeyUsagePeriod_HasNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_GetNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NOT_BEFORE
- *
- * Return value:
- * NSSTime {fgmr!}
- * NULL upon failure
- */
-
-NSS_EXTERN NSSTime *
-nssPKIXPrivateKeyUsagePeriod_GetNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_SetNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_TIME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPrivateKeyUsagePeriod_SetNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSTime *notBefore
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_RemoveNotBefore
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_HAS_NO_NOT_BEFORE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPrivateKeyUsagePeriod_RemoveNotBefore
-(
- NSSPKIXPrivateKeyUsagePeriod *period
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_HasNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPrivateKeyUsagePeriod_HasNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_GetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NOT_AFTER
- *
- * Return value:
- * NSSTime {fgmr!}
- * NULL upon failure
- */
-
-NSS_EXTERN NSSTime *
-nssPKIXPrivateKeyUsagePeriod_GetNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_SetNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_INVALID_TIME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPrivateKeyUsagePeriod_SetNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSTime *notAfter
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_RemoveNotAfter
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_HAS_NO_NOT_AFTER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPrivateKeyUsagePeriod_RemoveNotAfter
-(
- NSSPKIXPrivateKeyUsagePeriod *period
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPrivateKeyUsagePeriod_Equal
-(
- NSSPKIXPrivateKeyUsagePeriod *period1,
- NSSPKIXPrivateKeyUsagePeriod *period2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPrivateKeyUsagePeriod_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
-nssPKIXPrivateKeyUsagePeriod_Duplicate
-(
- NSSPKIXPrivateKeyUsagePeriod *period,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXPrivateKeyUsagePeriod_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPrivateKeyUsagePeriod
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPrivateKeyUsagePeriod_verifyPointer
-(
- NSSPKIXPrivateKeyUsagePeriod *p
-);
-#endif /* DEBUG */
-
-/*
- * CertificatePolicies
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
- *
- * The private calls for the type:
- *
- * nssPKIXCertificatePolicies_Decode
- * nssPKIXCertificatePolicies_Create
- * nssPKIXCertificatePolicies_Destroy
- * nssPKIXCertificatePolicies_Encode
- * nssPKIXCertificatePolicies_GetPolicyInformationCount
- * nssPKIXCertificatePolicies_GetPolicyInformations
- * nssPKIXCertificatePolicies_SetPolicyInformations
- * nssPKIXCertificatePolicies_GetPolicyInformation
- * nssPKIXCertificatePolicies_SetPolicyInformation
- * nssPKIXCertificatePolicies_InsertPolicyInformation
- * nssPKIXCertificatePolicies_AppendPolicyInformation
- * nssPKIXCertificatePolicies_RemovePolicyInformation
- * nssPKIXCertificatePolicies_FindPolicyInformation
- * nssPKIXCertificatePolicies_Equal
- * nssPKIXCertificatePolicies_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXCertificatePolicies_verifyPointer
- *
- */
-
-/*
- * nssPKIXCertificatePolicies_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificatePolicies upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificatePolicies *
-nssPKIXCertificatePolicies_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCertificatePolicies_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificatePolicies upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificatePolicies *
-nssPKIXCertificatePolicies_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXPolicyInformation *pi1,
- ...
-);
-
-/*
- * nssPKIXCertificatePolicies_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_Destroy
-(
- NSSPKIXCertificatePolicies *cp
-);
-
-/*
- * nssPKIXCertificatePolicies_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCertificatePolicies_Encode
-(
- NSSPKIXCertificatePolicies *cp,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificatePolicies_GetPolicyInformationCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXCertificatePolicies_GetPolicyInformationCount
-(
- NSSPKIXCertificatePolicies *cp
-);
-
-/*
- * nssPKIXCertificatePolicies_GetPolicyInformations
- *
- * We regret the function name.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXPolicyInformation pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation **
-nssPKIXCertificatePolicies_GetPolicyInformations
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificatePolicies_SetPolicyInformations
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_SetPolicyInformations
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *pi[],
- PRInt32 count
-);
-
-/*
- * nssPKIXCertificatePolicies_GetPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-nssPKIXCertificatePolicies_GetPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCertificatePolicies_SetPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_SetPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXCertificatePolicies_InsertPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_InsertPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXCertificatePolicies_AppendPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_AppendPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXCertificatePolicies_RemovePolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_RemovePolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- PRInt32 i
-);
-
-/*
- * nssPKIXCertificatePolicies_FindPolicyInformation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * The nonnegative integer upon success
- * -1 upon failure
- */
-
-NSS_EXTERN PRInt32
-nssPKIXCertificatePolicies_FindPolicyInformation
-(
- NSSPKIXCertificatePolicies *cp,
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXCertificatePolicies_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXCertificatePolicies_Equal
-(
- NSSPKIXCertificatePolicies *cp1,
- NSSPKIXCertificatePolicies *cp2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXCertificatePolicies_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertificatePolicies upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertificatePolicies *
-nssPKIXCertificatePolicies_Duplicate
-(
- NSSPKIXCertificatePolicies *cp,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXCertificatePolicies_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXCertificatePolicies
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCertificatePolicies_verifyPointer
-(
- NSSPKIXCertificatePolicies *p
-);
-#endif /* DEBUG */
-
-/*
- * PolicyInformation
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyInformation ::= SEQUENCE {
- * policyIdentifier CertPolicyId,
- * policyQualifiers SEQUENCE SIZE (1..MAX) OF
- * PolicyQualifierInfo OPTIONAL }
- *
- * The private calls for the type:
- *
- * nssPKIXPolicyInformation_Decode
- * nssPKIXPolicyInformation_Create
- * nssPKIXPolicyInformation_Destroy
- * nssPKIXPolicyInformation_Encode
- * nssPKIXPolicyInformation_GetPolicyIdentifier
- * nssPKIXPolicyInformation_SetPolicyIdentifier
- * nssPKIXPolicyInformation_GetPolicyQualifierCount
- * nssPKIXPolicyInformation_GetPolicyQualifiers
- * nssPKIXPolicyInformation_SetPolicyQualifiers
- * nssPKIXPolicyInformation_GetPolicyQualifier
- * nssPKIXPolicyInformation_SetPolicyQualifier
- * nssPKIXPolicyInformation_InsertPolicyQualifier
- * nssPKIXPolicyInformation_AppendPolicyQualifier
- * nssPKIXPolicyInformation_RemovePolicyQualifier
- * nssPKIXPolicyInformation_Equal
- * nssPKIXPolicyInformation_Duplicate
- * { and accessors by specific policy qualifier ID }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPolicyInformation_verifyPointer
- *
- */
-
-/*
- * nssPKIXPolicyInformation_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-nssPKIXPolicyInformation_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPolicyInformation_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-nssPKIXPolicyInformation_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCertPolicyId *id,
- NSSPKIXPolicyQualifierInfo *pqi1,
- ...
-);
-
-/*
- * nssPKIXPolicyInformation_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_Destroy
-(
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXPolicyInformation_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPolicyInformation_Encode
-(
- NSSPKIXPolicyInformation *pi,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyInformation_GetPolicyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid OID upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-nssPKIXPolicyInformation_GetPolicyIdentifier
-(
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXPolicyInformation_SetPolicyIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_SetPolicyIdentifier
-(
- NSSPKIXPolicyInformation *pi,
- NSSPKIXCertPolicyIdentifier *cpi
-);
-
-/*
- * nssPKIXPolicyInformation_GetPolicyQualifierCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyInformation_GetPolicyQualifierCount
-(
- NSSPKIXPolicyInformation *pi
-);
-
-/*
- * nssPKIXPolicyInformation_GetPolicyQualifiers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXPolicyQualifierInfo pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo **
-nssPKIXPolicyInformation_GetPolicyQualifiers
-(
- NSSPKIXPolicyInformation *pi,
- NSSPKIXPolicyQualifierInfo *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyInformation_SetPolicyQualifiers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_SetPolicyQualifiers
-(
- NSSPKIXPolicyInformation *pi,
- NSSPKIXPolicyQualifierInfo *pqi[],
- PRInt32 count
-);
-
-/*
- * nssPKIXPolicyInformation_GetPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-nssPKIXPolicyInformation_GetPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyInformation_SetPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_SetPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * nssPKIXPolicyInformation_InsertPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_InsertPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * nssPKIXPolicyInformation_AppendPolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_AppendPolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i,
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * nssPKIXPolicyInformation_RemovePolicyQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_RemovePolicyQualifier
-(
- NSSPKIXPolicyInformation *pi,
- PRInt32 i
-);
-
-/*
- * nssPKIXPolicyInformation_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyInformation_Equal
-(
- NSSPKIXPolicyInformation *pi1,
- NSSPKIXPolicyInformation *pi2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPolicyInformation_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyInformation upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyInformation *
-nssPKIXPolicyInformation_Duplicate
-(
- NSSPKIXPolicyInformation *pi,
- NSSArena *arenaOpt
-);
-
-/*
- * { and accessors by specific policy qualifier ID }
- *
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXPolicyInformation_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPolicyInformation
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyInformation_verifyPointer
-(
- NSSPKIXPolicyInformation *p
-);
-#endif /* DEBUG */
-
-/*
- * PolicyQualifierInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyQualifierInfo ::= SEQUENCE {
- * policyQualifierId PolicyQualifierId,
- * qualifier ANY DEFINED BY policyQualifierId }
- *
- * The private calls for the type:
- *
- * nssPKIXPolicyQualifierInfo_Decode
- * nssPKIXPolicyQualifierInfo_Create
- * nssPKIXPolicyQualifierInfo_Destroy
- * nssPKIXPolicyQualifierInfo_Encode
- * nssPKIXPolicyQualifierInfo_GetPolicyQualifierID
- * nssPKIXPolicyQualifierInfo_SetPolicyQualifierID
- * nssPKIXPolicyQualifierInfo_GetQualifier
- * nssPKIXPolicyQualifierInfo_SetQualifier
- * nssPKIXPolicyQualifierInfo_Equal
- * nssPKIXPolicyQualifierInfo_Duplicate
- * { and accessors by specific qualifier id/type }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPolicyQualifierInfo_verifyPointer
- *
- */
-
-/*
- * nssPKIXPolicyQualifierInfo_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-nssPKIXPolicyQualifierInfo_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-nssPKIXPolicyQualifierInfo_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXPolicyQualifierId *policyQualifierId,
- NSSItem *qualifier
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyQualifierInfo_Destroy
-(
- NSSPKIXPolicyQualifierInfo *pqi
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPolicyQualifierInfo_Encode
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_GetPolicyQualifierId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierId (an NSSOID) upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierId *
-nssPKIXPolicyQualifierInfo_GetPolicyQualifierId
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_SetPolicyQualifierId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyQualifierInfo_SetPolicyQualifierId
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSPKIXPolicyQualifierId *pqid
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_GetQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXPolicyQualifierInfo_GetQualifier
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_SetQualifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyQualifierInfo_SetQualifier
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSItem *qualifier
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyQualifierInfo_Equal
-(
- NSSPKIXPolicyQualifierInfo *pqi1,
- NSSPKIXPolicyQualifierInfo *pqi2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPolicyQualifierInfo_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyQualifierInfo *
-nssPKIXPolicyQualifierInfo_Duplicate
-(
- NSSPKIXPolicyQualifierInfo *pqi,
- NSSArena *arenaOpt
-);
-
-/*
- * { and accessors by specific qualifier id/type }
- *
- */
-#ifdef DEBUG
-/*
- * nssPKIXPolicyQualifierInfo_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPolicyQualifierInfo
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyQualifierInfo_verifyPointer
-(
- NSSPKIXPolicyQualifierInfo *p
-);
-#endif /* DEBUG */
-
-/*
- * CPSuri
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CPSuri ::= IA5String
- *
- * The private calls for this type:
- *
- * nssPKIXCPSuri_Decode
- * nssPKIXCPSuri_CreateFromUTF8
- * nssPKIXCPSuri_Encode
- *
- */
-
-/*
- * nssPKIXCPSuri_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCPSuri upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCPSuri *
-nssPKIXCPSuri_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCPSuri_CreateFromUTF8
- *
- * { basically just enforces the length and charset limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCPSuri upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCPSuri *
-nssPKIXCPSuri_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXCPSuri_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CPS_URI
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCPSuri_Encode
-(
- NSSPKIXCPSuri *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * UserNotice
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UserNotice ::= SEQUENCE {
- * noticeRef NoticeReference OPTIONAL,
- * explicitText DisplayText OPTIONAL}
- *
- * The private calls for this type:
- *
- * nssPKIXUserNotice_Decode
- * nssPKIXUserNotice_Create
- * nssPKIXUserNotice_Destroy
- * nssPKIXUserNotice_Encode
- * nssPKIXUserNotice_HasNoticeRef
- * nssPKIXUserNotice_GetNoticeRef
- * nssPKIXUserNotice_SetNoticeRef
- * nssPKIXUserNotice_RemoveNoticeRef
- * nssPKIXUserNotice_HasExplicitText
- * nssPKIXUserNotice_GetExplicitText
- * nssPKIXUserNotice_SetExplicitText
- * nssPKIXUserNotice_RemoveExplicitText
- * nssPKIXUserNotice_Equal
- * nssPKIXUserNotice_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXUserNotice_verifyPointer
- *
- */
-
-
-/*
- * nssPKIXUserNotice_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXUserNotice upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUserNotice *
-nssPKIXUserNotice_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXUserNotice_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- *
- * Return value:
- * A valid pointer to an NSSPKIXUserNotice upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUserNotice *
-nssPKIXUserNotice_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXNoticeReference *noticeRef,
- NSSPKIXDisplayText *explicitText
-);
-
-/*
- * nssPKIXUserNotice_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXUserNotice_Destroy
-(
- NSSPKIXUserNotice *userNotice
-);
-
-/*
- * nssPKIXUserNotice_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXUserNotice_Encode
-(
- NSSPKIXUserNotice *userNotice,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXUserNotice_HasNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXUserNotice_HasNoticeRef
-(
- NSSPKIXUserNotice *userNotice,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXUserNotice_GetNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NOTICE_REF
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-nssPKIXUserNotice_GetNoticeRef
-(
- NSSPKIXUserNotice *userNotice,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXUserNotice_SetNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXUserNotice_SetNoticeRef
-(
- NSSPKIXUserNotice *userNotice,
- NSSPKIXNoticeReference *noticeRef
-);
-
-/*
- * nssPKIXUserNotice_RemoveNoticeRef
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_HAS_NO_NOTICE_REF
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXUserNotice_RemoveNoticeRef
-(
- NSSPKIXUserNotice *userNotice
-);
-
-/*
- * nssPKIXUserNotice_HasExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_TRUE if it has some
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXUserNotice_HasExplicitText
-(
- NSSPKIXUserNotice *userNotice,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXUserNotice_GetExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_EXPLICIT_TEXT
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-nssPKIXUserNotice_GetExplicitText
-(
- NSSPKIXUserNotice *userNotice,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXUserNotice_SetExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXUserNotice_SetExplicitText
-(
- NSSPKIXUserNotice *userNotice,
- NSSPKIXDisplayText *explicitText
-);
-
-/*
- * nssPKIXUserNotice_RemoveExplicitText
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_HAS_NO_EXPLICIT_TEXT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXUserNotice_RemoveExplicitText
-(
- NSSPKIXUserNotice *userNotice
-);
-
-/*
- * nssPKIXUserNotice_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXUserNotice_Equal
-(
- NSSPKIXUserNotice *userNotice1,
- NSSPKIXUserNotice *userNotice2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXUserNotice_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXUserNotice upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXUserNotice *
-nssPKIXUserNotice_Duplicate
-(
- NSSPKIXUserNotice *userNotice,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXUserNotice_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXUserNotice
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_USER_NOTICE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXUserNotice_verifyPointer
-(
- NSSPKIXUserNotice *p
-);
-#endif /* DEBUG */
-
-/*
- * NoticeReference
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NoticeReference ::= SEQUENCE {
- * organization DisplayText,
- * noticeNumbers SEQUENCE OF INTEGER }
- *
- * The private calls for this type:
- *
- * nssPKIXNoticeReference_Decode
- * nssPKIXNoticeReference_Create
- * nssPKIXNoticeReference_Destroy
- * nssPKIXNoticeReference_Encode
- * nssPKIXNoticeReference_GetOrganization
- * nssPKIXNoticeReference_SetOrganization
- * nssPKIXNoticeReference_GetNoticeNumberCount
- * nssPKIXNoticeReference_GetNoticeNumbers
- * nssPKIXNoticeReference_SetNoticeNumbers
- * nssPKIXNoticeReference_GetNoticeNumber
- * nssPKIXNoticeReference_SetNoticeNumber
- * nssPKIXNoticeReference_InsertNoticeNumber
- * nssPKIXNoticeReference_AppendNoticeNumber
- * nssPKIXNoticeReference_RemoveNoticeNumber
- * { maybe number-exists-p gettor? }
- * nssPKIXNoticeReference_Equal
- * nssPKIXNoticeReference_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXNoticeReference_verifyPointer
- *
- */
-
-/*
- * nssPKIXNoticeReference_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-nssPKIXNoticeReference_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXNoticeReference_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-nssPKIXNoticeReference_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDisplayText *organization,
- PRUint32 noticeCount,
- PRInt32 noticeNumber1,
- ...
-);
-
-/*
- * { fgmr -- or should the call that takes PRInt32 be _CreateFromValues,
- * and the _Create call take NSSBER integers? }
- */
-
-/*
- * nssPKIXNoticeReference_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_Destroy
-(
- NSSPKIXNoticeReference *nr
-);
-
-/*
- * nssPKIXNoticeReference_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXNoticeReference_Encode
-(
- NSSPKIXNoticeReference *nr,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXNoticeReference_GetOrganization
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-nssPKIXNoticeReference_GetOrganization
-(
- NSSPKIXNoticeReference *nr,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXNoticeReference_SetOrganization
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_SetOrganization
-(
- NSSPKIXNoticeReference *nr,
- NSSPKIXDisplayText *organization
-);
-
-/*
- * nssPKIXNoticeReference_GetNoticeNumberCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXNoticeReference_GetNoticeNumberCount
-(
- NSSPKIXNoticeReference *nr
-);
-
-/*
- * nssPKIXNoticeReference_GetNoticeNumbers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of PRInt32 values upon success
- * NULL upon failure
- */
-
-NSS_EXTERN PRInt32 *
-nssPKIXNoticeReference_GetNoticeNumbers
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXNoticeReference_SetNoticeNumbers
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_SetNoticeNumbers
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 noticeNumbers[],
- PRInt32 count
-);
-
-/*
- * nssPKIXNoticeReference_GetNoticeNumber
- *
- * -- fgmr comments --
- * Because there is no natural "invalid" notice number value, we must
- * pass the number by reference, and return an explicit status value.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_GetNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i,
- PRInt32 *noticeNumberP
-);
-
-/*
- * nssPKIXNoticeReference_SetNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_SetNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i,
- PRInt32 noticeNumber
-);
-
-/*
- * nssPKIXNoticeReference_InsertNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_InsertNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i,
- PRInt32 noticeNumber
-);
-
-/*
- * nssPKIXNoticeReference_AppendNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_AppendNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 noticeNumber
-);
-
-/*
- * nssPKIXNoticeReference_RemoveNoticeNumber
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_RemoveNoticeNumber
-(
- NSSPKIXNoticeReference *nr,
- PRInt32 i
-);
-
-/*
- * { maybe number-exists-p gettor? }
- */
-
-/*
- * nssPKIXNoticeReference_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXNoticeReference_Equal
-(
- NSSPKIXNoticeReference *nr1,
- NSSPKIXNoticeReference *nr2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXNoticeReference_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNoticeReference upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNoticeReference *
-nssPKIXNoticeReference_Duplicate
-(
- NSSPKIXNoticeReference *nr,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXNoticeReference_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXNoticeReference
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNoticeReference_verifyPointer
-(
- NSSPKIXNoticeReference *p
-);
-#endif /* DEBUG */
-
-/*
- * DisplayText
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DisplayText ::= CHOICE {
- * visibleString VisibleString (SIZE (1..200)),
- * bmpString BMPString (SIZE (1..200)),
- * utf8String UTF8String (SIZE (1..200)) }
- *
- * The private calls for this type:
- *
- * nssPKIXDisplayText_Decode
- * nssPKIXDisplayText_CreateFromUTF8
- * nssPKIXDisplayText_Encode
- *
- */
-
-/*
- * nssPKIXDisplayText_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-nssPKIXDisplayText_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXDisplayText_CreateFromUTF8
- *
- * { basically just enforces the length and charset limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDisplayText upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDisplayText *
-nssPKIXDisplayText_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXDisplayText_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXDisplayText_Encode
-(
- NSSPKIXDisplayText *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * PolicyMappings
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- * The private calls for this type:
- *
- * nssPKIXPolicyMappings_Decode
- * nssPKIXPolicyMappings_Create
- * nssPKIXPolicyMappings_Destroy
- * nssPKIXPolicyMappings_Encode
- * nssPKIXPolicyMappings_GetPolicyMappingCount
- * nssPKIXPolicyMappings_GetPolicyMappings
- * nssPKIXPolicyMappings_SetPolicyMappings
- * nssPKIXPolicyMappings_GetPolicyMapping
- * nssPKIXPolicyMappings_SetPolicyMapping
- * nssPKIXPolicyMappings_InsertPolicyMapping
- * nssPKIXPolicyMappings_AppendPolicyMapping
- * nssPKIXPolicyMappings_RemovePolicyMapping
- * nssPKIXPolicyMappings_FindPolicyMapping
- * nssPKIXPolicyMappings_Equal
- * nssPKIXPolicyMappings_Duplicate
- * nssPKIXPolicyMappings_IssuerDomainPolicyExists
- * nssPKIXPolicyMappings_SubjectDomainPolicyExists
- * nssPKIXPolicyMappings_FindIssuerDomainPolicy
- * nssPKIXPolicyMappings_FindSubjectDomainPolicy
- * nssPKIXPolicyMappings_MapIssuerToSubject
- * nssPKIXPolicyMappings_MapSubjectToIssuer
- * { find's and map's: what if there's more than one? }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPolicyMappings_verifyPointer
- *
- */
-
-/*
- * nssPKIXPolicyMappings_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyMappings upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyMappings *
-nssPKIXPolicyMappings_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPolicyMappings_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyMappings upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyMappings *
-nssPKIXPolicyMappings_Decode
-(
- NSSArena *arenaOpt,
- NSSPKIXpolicyMapping *policyMapping1,
- ...
-);
-
-/*
- * nssPKIXPolicyMappings_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_Destroy
-(
- NSSPKIXPolicyMappings *policyMappings
-);
-
-/*
- * nssPKIXPolicyMappings_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPolicyMappings_Encode
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyMappings_GetPolicyMappingCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyMappings_GetPolicyMappingCount
-(
- NSSPKIXPolicyMappings *policyMappings
-);
-
-/*
- * nssPKIXPolicyMappings_GetPolicyMappings
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXpolicyMapping pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping **
-nssPKIXPolicyMappings_GetPolicyMappings
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyMappings_SetPolicyMappings
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_SetPolicyMappings
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *policyMapping[]
- PRInt32 count
-);
-
-/*
- * nssPKIXPolicyMappings_GetPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-nssPKIXPolicyMappings_GetPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyMappings_SetPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_SetPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i,
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXPolicyMappings_InsertPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_InsertPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i,
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXPolicyMappings_AppendPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_AppendPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXPolicyMappings_RemovePolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_RemovePolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- PRInt32 i
-);
-
-/*
- * nssPKIXPolicyMappings_FindPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyMappings_FindPolicyMapping
-(
- NSSPKIXPolicyMappings *policyMappings
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXPolicyMappings_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyMappings_Equal
-(
- NSSPKIXPolicyMappings *policyMappings1,
- NSSPKIXpolicyMappings *policyMappings2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPolicyMappings_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyMappings upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyMappings *
-nssPKIXPolicyMappings_Duplicate
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXPolicyMappings_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPolicyMappings
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyMappings_verifyPointer
-(
- NSSPKIXPolicyMappings *p
-);
-#endif /* DEBUG */
-
-/*
- * nssPKIXPolicyMappings_IssuerDomainPolicyExists
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * PR_TRUE if the specified domain policy OID exists
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyMappings_IssuerDomainPolicyExists
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPolicyMappings_SubjectDomainPolicyExists
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * PR_TRUE if the specified domain policy OID exists
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyMappings_SubjectDomainPolicyExists
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *subjectDomainPolicy,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPolicyMappings_FindIssuerDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyMappings_FindIssuerDomainPolicy
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * nssPKIXPolicyMappings_FindSubjectDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyMappings_FindSubjectDomainPolicy
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * nssPKIXPolicyMappings_MapIssuerToSubject
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-nssPKIXPolicyMappings_MapIssuerToSubject
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * nssPKIXPolicyMappings_MapSubjectToIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NOT_FOUND
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-nssPKIXPolicyMappings_MapSubjectToIssuer
-(
- NSSPKIXPolicyMappings *policyMappings,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * policyMapping
- *
- * Helper structure for PolicyMappings
- *
- * SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- * The private calls for this type:
- *
- * nssPKIXpolicyMapping_Decode
- * nssPKIXpolicyMapping_Create
- * nssPKIXpolicyMapping_Destroy
- * nssPKIXpolicyMapping_Encode
- * nssPKIXpolicyMapping_GetIssuerDomainPolicy
- * nssPKIXpolicyMapping_SetIssuerDomainPolicy
- * nssPKIXpolicyMapping_GetSubjectDomainPolicy
- * nssPKIXpolicyMapping_SetSubjectDomainPolicy
- * nssPKIXpolicyMapping_Equal
- * nssPKIXpolicyMapping_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXpolicyMapping_verifyPointer
- *
- */
-
-/*
- * nssPKIXpolicyMapping_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-nssPKIXpolicyMapping_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXpolicyMapping_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-nssPKIXpolicyMapping_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXCertPolicyId *issuerDomainPolicy,
- NSSPKIXCertPolicyId *subjectDomainPolicy
-);
-
-/*
- * nssPKIXpolicyMapping_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXpolicyMapping_Destroy
-(
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXpolicyMapping_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXpolicyMapping_Encode
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXpolicyMapping_GetIssuerDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId OID upon success
- * NULL upon faliure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-nssPKIXpolicyMapping_GetIssuerDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXpolicyMapping_SetIssuerDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXpolicyMapping_SetIssuerDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSPKIXCertPolicyId *issuerDomainPolicy
-);
-
-/*
- * nssPKIXpolicyMapping_GetSubjectDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXCertPolicyId OID upon success
- * NULL upon faliure
- */
-
-NSS_EXTERN NSSPKIXCertPolicyId *
-nssPKIXpolicyMapping_GetSubjectDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping
-);
-
-/*
- * nssPKIXpolicyMapping_SetSubjectDomainPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXpolicyMapping_SetSubjectDomainPolicy
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSPKIXCertPolicyId *subjectDomainPolicy
-);
-
-/*
- * nssPKIXpolicyMapping_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXpolicyMapping_Equal
-(
- NSSPKIXpolicyMapping *policyMapping1,
- NSSPKIXpolicyMapping *policyMapping2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXpolicyMapping_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXpolicyMapping upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXpolicyMapping *
-nssPKIXpolicyMapping_Duplicate
-(
- NSSPKIXpolicyMapping *policyMapping,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXpolicyMapping_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXpolicyMapping
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXpolicyMapping_verifyPointer
-(
- NSSPKIXpolicyMapping *p
-);
-#endif /* DEBUG */
-
-/*
- * GeneralName
- *
- * This structure contains a union of the possible general names,
- * of which there are several.
- *
- * From RFC 2459:
- *
- * GeneralName ::= CHOICE {
- * otherName [0] AnotherName,
- * rfc822Name [1] IA5String,
- * dNSName [2] IA5String,
- * x400Address [3] ORAddress,
- * directoryName [4] Name,
- * ediPartyName [5] EDIPartyName,
- * uniformResourceIdentifier [6] IA5String,
- * iPAddress [7] OCTET STRING,
- * registeredID [8] OBJECT IDENTIFIER }
- *
- * The private calls for this type:
- *
- * nssPKIXGeneralName_Decode
- * nssPKIXGeneralName_CreateFromUTF8
- * nssPKIXGeneralName_Create
- * nssPKIXGeneralName_CreateFromOtherName
- * nssPKIXGeneralName_CreateFromRfc822Name
- * nssPKIXGeneralName_CreateFromDNSName
- * nssPKIXGeneralName_CreateFromX400Address
- * nssPKIXGeneralName_CreateFromDirectoryName
- * nssPKIXGeneralName_CreateFromEDIPartyName
- * nssPKIXGeneralName_CreateFromUniformResourceIdentifier
- * nssPKIXGeneralName_CreateFromIPAddress
- * nssPKIXGeneralName_CreateFromRegisteredID
- * nssPKIXGeneralName_Destroy
- * nssPKIXGeneralName_Encode
- * nssPKIXGeneralName_GetUTF8Encoding
- * nssPKIXGeneralName_GetChoice
- * nssPKIXGeneralName_GetOtherName
- * nssPKIXGeneralName_GetRfc822Name
- * nssPKIXGeneralName_GetDNSName
- * nssPKIXGeneralName_GetX400Address
- * nssPKIXGeneralName_GetDirectoryName
- * nssPKIXGeneralName_GetEDIPartyName
- * nssPKIXGeneralName_GetUniformResourceIdentifier
- * nssPKIXGeneralName_GetIPAddress
- * nssPKIXGeneralName_GetRegisteredID
- * nssPKIXGeneralName_GetSpecifiedChoice
- * nssPKIXGeneralName_Equal
- * nssPKIXGeneralName_Duplicate
- * (in pki1 I had specific attribute value gettors here too)
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXGeneralName_verifyPointer
- *
- */
-
-/*
- * nssPKIXGeneralName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXGeneralName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-);
-
-/*
- * nssPKIXGeneralName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralNameChoice choice,
- void *content
-);
-
-/*
- * nssPKIXGeneralName_CreateFromOtherName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromOtherName
-(
- NSSArena *arenaOpt,
- NSSPKIXAnotherName *otherName
-);
-
-/*
- * nssPKIXGeneralName_CreateFromRfc822Name
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromRfc822Name
-(
- NSSArena *arenaOpt,
- NSSUTF8 *rfc822Name
-);
-
-/*
- * nssPKIXGeneralName_CreateFromDNSName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromDNSName
-(
- NSSArena *arenaOpt,
- NSSUTF8 *dNSName
-);
-
-/*
- * nssPKIXGeneralName_CreateFromX400Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_OR_ADDRESS
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromX400Address
-(
- NSSArena *arenaOpt,
- NSSPKIXORAddress *x400Address
-);
-
-/*
- * nssPKIXGeneralName_CreateFromDirectoryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromDirectoryName
-(
- NSSArena *arenaOpt,
- NSSPKIXName *directoryName
-);
-
-/*
- * nssPKIXGeneralName_CreateFromEDIPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromEDIPartyName
-(
- NSSArena *arenaOpt,
- NSSPKIXEDIPartyName *ediPartyname
-);
-
-/*
- * nssPKIXGeneralName_CreateFromUniformResourceIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_IA5_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromUniformResourceIdentifier
-(
- NSSArena *arenaOpt,
- NSSUTF8 *uniformResourceIdentifier
-);
-
-/*
- * nssPKIXGeneralName_CreateFromIPAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromIPAddress
-(
- NSSArena *arenaOpt,
- NSSItem *iPAddress
-);
-
-/*
- * nssPKIXGeneralName_CreateFromRegisteredID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_CreateFromRegisteredID
-(
- NSSArena *arenaOpt,
- NSSOID *registeredID
-);
-
-/*
- * nssPKIXGeneralName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralName_Destroy
-(
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXGeneralName_Encode
-(
- NSSPKIXGeneralName *generalName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXGeneralName_GetUTF8Encoding
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * A valid NSSPKIXGeneralNameChoice value upon success
- * NSSPKIXGeneralNameChoice_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNameChoice
-nssPKIXGeneralName_GetChoice
-(
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralName_GetOtherName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-nssPKIXGeneralName_GetOtherName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetRfc822Name
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXGeneralName_GetRfc822Name
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetDNSName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXGeneralName_GetDNSName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetX400Address
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXORAddress upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXORAddress *
-nssPKIXGeneralName_GetX400Address
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetDirectoryName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXName *
-nssPKIXGeneralName_GetDirectoryName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetEDIPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-nssPKIXGeneralName_GetEDIPartyName
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetUniformResourceIdentifier
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXGeneralName_GetUniformResourceIdentifier
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetIPAddress
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXGeneralName_GetIPAddress
-(
- NSSPKIXGeneralName *generalName,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_GetRegisteredID
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSOID upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-nssPKIXGeneralName_GetRegisteredID
-(
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralName_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN void *
-nssPKIXGeneralName_GetSpecifiedChoice
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXGeneralName_Equal
-(
- NSSPKIXGeneralName *generalName1,
- NSSPKIXGeneralName *generalName2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXGeneralName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralName_Duplicate
-(
- NSSPKIXGeneralName *generalName,
- NSSArena *arenaOpt
-);
-
-/*
- * (in pki1 I had specific attribute value gettors here too)
- *
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXGeneralName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXGeneralName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralName_verifyPointer
-(
- NSSPKIXGeneralName *p
-);
-#endif /* DEBUG */
-
-/*
- * GeneralNames
- *
- * This structure contains a sequence of GeneralName objects.
- *
- * From RFC 2459:
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * The private calls for this type:
- *
- * nssPKIXGeneralNames_Decode
- * nssPKIXGeneralNames_Create
- * nssPKIXGeneralNames_Destroy
- * nssPKIXGeneralNames_Encode
- * nssPKIXGeneralNames_GetGeneralNameCount
- * nssPKIXGeneralNames_GetGeneralNames
- * nssPKIXGeneralNames_SetGeneralNames
- * nssPKIXGeneralNames_GetGeneralName
- * nssPKIXGeneralNames_SetGeneralName
- * nssPKIXGeneralNames_InsertGeneralName
- * nssPKIXGeneralNames_AppendGeneralName
- * nssPKIXGeneralNames_RemoveGeneralName
- * nssPKIXGeneralNames_FindGeneralName
- * nssPKIXGeneralNames_Equal
- * nssPKIXGeneralNames_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXGeneralNames_verifyPointer
- *
- */
-
-/*
- * nssPKIXGeneralNames_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-nssPKIXGeneralNames_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXGeneralNames_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-nssPKIXGeneralNames_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralName *generalName1,
- ...
-);
-
-/*
- * nssPKIXGeneralNames_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_Destroy
-(
- NSSPKIXGeneralNames *generalNames
-);
-
-/*
- * nssPKIXGeneralNames_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXGeneralNames_Encode
-(
- NSSPKIXGeneralNames *generalNames,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralNames_GetGeneralNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXGeneralNames_GetGeneralNameCount
-(
- NSSPKIXGeneralNames *generalNames
-);
-
-/*
- * nssPKIXGeneralNames_GetGeneralNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXGeneralName pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName **
-nssPKIXGeneralNames_GetGeneralNames
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralNames_SetGeneralNames
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_SetGeneralNames
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *generalName[],
- PRInt32 count
-);
-
-/*
- * nssPKIXGeneralNames_GetGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralNames_GetGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralNames_SetGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_SetGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralNames_InsertGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_InsertGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralNames_AppendGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_AppendGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralNames_RemoveGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_RemoveGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- PRInt32 i
-);
-
-/*
- * nssPKIXGeneralNames_FindGeneralName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXGeneralNames_FindGeneralName
-(
- NSSPKIXGeneralNames *generalNames,
- NSSPKIXGeneralName *generalName
-);
-
-/*
- * nssPKIXGeneralNames_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXGeneralNames_Equal
-(
- NSSPKIXGeneralNames *generalNames1,
- NSSPKIXGeneralNames *generalNames2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXGeneralNames_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-nssPKIXGeneralNames_Duplicate
-(
- NSSPKIXGeneralNames *generalNames,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXGeneralNames_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXGeneralNames
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralNames_verifyPointer
-(
- NSSPKIXGeneralNames *p
-);
-#endif /* DEBUG */
-
-/*
- * AnotherName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AnotherName ::= SEQUENCE {
- * type-id OBJECT IDENTIFIER,
- * value [0] EXPLICIT ANY DEFINED BY type-id }
- *
- * The private calls for this type:
- *
- * nssPKIXAnotherName_Decode
- * nssPKIXAnotherName_Create
- * nssPKIXAnotherName_Destroy
- * nssPKIXAnotherName_Encode
- * nssPKIXAnotherName_GetTypeId
- * nssPKIXAnotherName_SetTypeId
- * nssPKIXAnotherName_GetValue
- * nssPKIXAnotherName_SetValue
- * nssPKIXAnotherName_Equal
- * nssPKIXAnotherName_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAnotherName_verifyPointer
- *
- */
-
-/*
- * nssPKIXAnotherName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-nssPKIXAnotherName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAnotherName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-nssPKIXAnotherName_Create
-(
- NSSArena *arenaOpt,
- NSSOID *typeId,
- NSSItem *value
-);
-
-/*
- * nssPKIXAnotherName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAnotherName_Destroy
-(
- NSSPKIXAnotherName *anotherName
-);
-
-/*
- * nssPKIXAnotherName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAnotherName_Encode
-(
- NSSPKIXAnotherName *anotherName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAnotherName_GetTypeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSOID upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-nssPKIXAnotherName_GetTypeId
-(
- NSSPKIXAnotherName *anotherName
-);
-
-/*
- * nssPKIXAnotherName_SetTypeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAnotherName_SetTypeId
-(
- NSSPKIXAnotherName *anotherName,
- NSSOID *typeId
-);
-
-/*
- * nssPKIXAnotherName_GetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSItem *
-nssPKIXAnotherName_GetValue
-(
- NSSPKIXAnotherName *anotherName,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAnotherName_SetValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAnotherName_SetValue
-(
- NSSPKIXAnotherName *anotherName,
- NSSItem *value
-);
-
-/*
- * nssPKIXAnotherName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAnotherName_Equal
-(
- NSSPKIXAnotherName *anotherName1,
- NSSPKIXAnotherName *anotherName2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAnotherName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAnotherName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAnotherName *
-nssPKIXAnotherName_Duplicate
-(
- NSSPKIXAnotherName *anotherName,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXAnotherName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAnotherName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAnotherName_verifyPointer
-(
- NSSPKIXAnotherName *p
-);
-#endif /* DEBUG */
-
-/*
- * EDIPartyName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- *
- * EDIPartyName ::= SEQUENCE {
- * nameAssigner [0] DirectoryString OPTIONAL,
- * partyName [1] DirectoryString }
- *
- * The private calls for this type:
- *
- * nssPKIXEDIPartyName_Decode
- * nssPKIXEDIPartyName_Create
- * nssPKIXEDIPartyName_Destroy
- * nssPKIXEDIPartyName_Encode
- * nssPKIXEDIPartyName_HasNameAssigner
- * nssPKIXEDIPartyName_GetNameAssigner
- * nssPKIXEDIPartyName_SetNameAssigner
- * nssPKIXEDIPartyName_RemoveNameAssigner
- * nssPKIXEDIPartyName_GetPartyName
- * nssPKIXEDIPartyName_SetPartyName
- * nssPKIXEDIPartyName_Equal
- * nssPKIXEDIPartyName_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXEDIPartyName_verifyPointer
- *
- */
-
-/*
- * nssPKIXEDIPartyName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-nssPKIXEDIPartyName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXEDIPartyName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-nssPKIXEDIPartyName_Create
-(
- NSSArena *arenaOpt,
- NSSUTF8 *nameAssignerOpt,
- NSSUTF8 *partyName
-);
-
-/*
- * nssPKIXEDIPartyName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXEDIPartyName_Destroy
-(
- NSSPKIXEDIPartyName *ediPartyName
-);
-
-/*
- * nssPKIXEDIPartyName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXEDIPartyName_Encode
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXEDIPartyName_HasNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXEDIPartyName_HasNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName
-);
-
-/*
- * nssPKIXEDIPartyName_GetNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_HAS_NO_NAME_ASSIGNER
- *
- * Return value:
- * A valid pointer to an NSSUTF8 string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXEDIPartyName_GetNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXEDIPartyName_SetNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXEDIPartyName_SetNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSUTF8 *nameAssigner
-);
-
-/*
- * nssPKIXEDIPartyName_RemoveNameAssigner
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_HAS_NO_NAME_ASSIGNER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXEDIPartyName_RemoveNameAssigner
-(
- NSSPKIXEDIPartyName *ediPartyName
-);
-
-/*
- * nssPKIXEDIPartyName_GetPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSUTF8 string upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSUTF8 *
-nssPKIXEDIPartyName_GetPartyName
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXEDIPartyName_SetPartyName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_STRING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXEDIPartyName_SetPartyName
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSUTF8 *partyName
-);
-
-/*
- * nssPKIXEDIPartyName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXEDIPartyName_Equal
-(
- NSSPKIXEDIPartyName *ediPartyName1,
- NSSPKIXEDIPartyName *ediPartyName2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXEDIPartyName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXEDIPartyName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXEDIPartyName *
-nssPKIXEDIPartyName_Duplicate
-(
- NSSPKIXEDIPartyName *ediPartyName,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXEDIPartyName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXEDIPartyName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXEDIPartyName_verifyPointer
-(
- NSSPKIXEDIPartyName *p
-);
-#endif /* DEBUG */
-
-/*
- * SubjectDirectoryAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
- *
- * The private calls for this type:
- *
- * nssPKIXSubjectDirectoryAttributes_Decode
- * nssPKIXSubjectDirectoryAttributes_Create
- * nssPKIXSubjectDirectoryAttributes_Destroy
- * nssPKIXSubjectDirectoryAttributes_Encode
- * nssPKIXSubjectDirectoryAttributes_GetAttributeCount
- * nssPKIXSubjectDirectoryAttributes_GetAttributes
- * nssPKIXSubjectDirectoryAttributes_SetAttributes
- * nssPKIXSubjectDirectoryAttributes_GetAttribute
- * nssPKIXSubjectDirectoryAttributes_SetAttribute
- * nssPKIXSubjectDirectoryAttributes_InsertAttribute
- * nssPKIXSubjectDirectoryAttributes_AppendAttribute
- * nssPKIXSubjectDirectoryAttributes_RemoveAttribute
- * nssPKIXSubjectDirectoryAttributes_FindAttribute
- * nssPKIXSubjectDirectoryAttributes_Equal
- * nssPKIXSubjectDirectoryAttributes_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXSubjectDirectoryAttributes_verifyPointer
- *
- */
-
-/*
- * nssPKIXSubjectDirectoryAttributes_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
-nssPKIXSubjectDirectoryAttributes_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
-nssPKIXSubjectDirectoryAttributes_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttribute *attribute1,
- ...
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_Destroy
-(
- NSSPKIXSubjectDirectoryAttributes *sda
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXSubjectDirectoryAttributes_Encode
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_GetAttributeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXSubjectDirectoryAttributes_GetAttributeCount
-(
- NSSPKIXSubjectDirectoryAttributes *sda
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_GetAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAttribute pointers upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttribute **
-nssPKIXSubjectDirectoryAttributes_GetAttributes
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSPKIXAttribute *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_SetAttributes
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_SetAttributes
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSAttribute *attributes[],
- PRInt32 count
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_GetAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon error
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nssPKIXSubjectDirectoryAttributes_GetAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_SetAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_SetAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_InsertAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_InsertAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_AppendAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_AppendAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_RemoveAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_RemoveAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- PRInt32 i
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_FindAttribute
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ATTRIBUTE
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXSubjectDirectoryAttributes_FindAttribute
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSPKIXAttribute *attribute
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXSubjectDirectoryAttributes_Equal
-(
- NSSPKIXSubjectDirectoryAttributes *sda1,
- NSSPKIXSubjectDirectoryAttributes *sda2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXSubjectDirectoryAttributes_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
-nssPKIXSubjectDirectoryAttributes_Duplicate
-(
- NSSPKIXSubjectDirectoryAttributes *sda,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXSubjectDirectoryAttributes_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXSubjectDirectoryAttributes
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXSubjectDirectoryAttributes_verifyPointer
-(
- NSSPKIXSubjectDirectoryAttributes *p
-);
-#endif /* DEBUG */
-
-/*
- * BasicConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BasicConstraints ::= SEQUENCE {
- * cA BOOLEAN DEFAULT FALSE,
- * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXBasicConstraints_Decode
- * nssPKIXBasicConstraints_Create
- * nssPKIXBasicConstraints_Destroy
- * nssPKIXBasicConstraints_Encode
- * nssPKIXBasicConstraints_GetCA
- * nssPKIXBasicConstraints_SetCA
- * nssPKIXBasicConstraints_HasPathLenConstraint
- * nssPKIXBasicConstraints_GetPathLenConstraint
- * nssPKIXBasicConstraints_SetPathLenConstraint
- * nssPKIXBasicConstraints_RemovePathLenConstraint
- * nssPKIXBasicConstraints_Equal
- * nssPKIXBasicConstraints_Duplicate
- * nssPKIXBasicConstraints_CompareToPathLenConstraint
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXBasicConstraints_verifyPointer
- *
- */
-
-/*
- * nssPKIXBasicConstraints_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXBasicConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBasicConstraints *
-nssPKIXBasicConstraints_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXBasicConstraints_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * A valid pointer to an NSSPKIXBasicConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBasicConstraints *
-nssPKIXBasicConstraints_Create
-(
- NSSArena *arenaOpt,
- PRBool ca,
- PRInt32 pathLenConstraint
-);
-
-/*
- * nssPKIXBasicConstraints_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBasicConstraints_Destroy
-(
- NSSPKIXBasicConstraints *basicConstraints
-);
-
-/*
- * nssPKIXBasicConstraints_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXBasicConstraints_Encode
-(
- NSSPKIXBasicConstraints *basicConstraints,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXBasicConstraints_GetCA
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the CA bit is true
- * PR_FALSE if it isn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBasicConstraints_GetCA
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBasicConstraints_SetCA
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBasicConstraints_SetCA
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRBool ca
-);
-
-/*
- * nssPKIXBasicConstraints_HasPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXBasicConstraints_HasPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBasicConstraints_GetPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXBasicConstraints_GetPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints
-);
-
-/*
- * nssPKIXBasicConstraints_SetPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBasicConstraints_SetPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRInt32 pathLenConstraint
-);
-
-/*
- * nssPKIXBasicConstraints_RemovePathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBasicConstraints_RemovePathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints
-);
-
-/*
- * nssPKIXBasicConstraints_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXBasicConstraints_Equal
-(
- NSSPKIXBasicConstraints *basicConstraints1,
- NSSPKIXBasicConstraints *basicConstraints2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXBasicConstraints_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXBasicConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXBasicConstraints *
-nssPKIXBasicConstraints_Duplicate
-(
- NSSPKIXBasicConstraints *basicConstraints,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXBasicConstraints_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXBasicConstraints
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXBasicConstraints_verifyPointer
-(
- NSSPKIXBasicConstraints *p
-);
-#endif /* DEBUG */
-
-/*
- * nssPKIXBasicConstraints_CompareToPathLenConstraint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
- *
- * Return value:
- * 1 if the specified value is greater than the pathLenConstraint
- * 0 if the specified value equals the pathLenConstraint
- * -1 if the specified value is less than the pathLenConstraint
- * -2 upon error
- */
-
-NSS_EXTERN PRInt32
-nssPKIXBasicConstraints_CompareToPathLenConstraint
-(
- NSSPKIXBasicConstraints *basicConstraints,
- PRInt32 value
-);
-
-/*
- * NameConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NameConstraints ::= SEQUENCE {
- * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
- * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXNameConstraints_Decode
- * nssPKIXNameConstraints_Create
- * nssPKIXNameConstraints_Destroy
- * nssPKIXNameConstraints_Encode
- * nssPKIXNameConstraints_HasPermittedSubtrees
- * nssPKIXNameConstraints_GetPermittedSubtrees
- * nssPKIXNameConstraints_SetPermittedSubtrees
- * nssPKIXNameConstraints_RemovePermittedSubtrees
- * nssPKIXNameConstraints_HasExcludedSubtrees
- * nssPKIXNameConstraints_GetExcludedSubtrees
- * nssPKIXNameConstraints_SetExcludedSubtrees
- * nssPKIXNameConstraints_RemoveExcludedSubtrees
- * nssPKIXNameConstraints_Equal
- * nssPKIXNameConstraints_Duplicate
- * { and the comparator functions }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXNameConstraints_verifyPointer
- *
- */
-
-/*
- * nssPKIXNameConstraints_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXNameConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNameConstraints *
-nssPKIXNameConstraints_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXNameConstraints_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * A valid pointer to an NSSPKIXNameConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNameConstraints *
-nssPKIXNameConstraints_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralSubtrees *permittedSubtrees,
- NSSPKIXGeneralSubtrees *excludedSubtrees
-);
-
-/*
- * nssPKIXNameConstraints_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNameConstraints_Destroy
-(
- NSSPKIXNameConstraints *nameConstraints
-);
-
-/*
- * nssPKIXNameConstraints_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXNameConstraints_Encode
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXNameConstraints_HasPermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXNameConstraints_HasPermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXNameConstraints_GetPermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-nssPKIXNameConstraints_GetPermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXNameConstraints_SetPermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNameConstraints_SetPermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSPKIXGeneralSubtrees *permittedSubtrees
-);
-
-/*
- * nssPKIXNameConstraints_RemovePermittedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNameConstraints_RemovePermittedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints
-);
-
-/*
- * nssPKIXNameConstraints_HasExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXNameConstraints_HasExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXNameConstraints_GetExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-nssPKIXNameConstraints_GetExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXNameConstraints_SetExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNameConstraints_SetExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSPKIXGeneralSubtrees *excludedSubtrees
-);
-
-/*
- * nssPKIXNameConstraints_RemoveExcludedSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNameConstraints_RemoveExcludedSubtrees
-(
- NSSPKIXNameConstraints *nameConstraints
-);
-
-/*
- * nssPKIXNameConstraints_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXNameConstraints_Equal
-(
- NSSPKIXNameConstraints *nameConstraints1,
- NSSPKIXNameConstraints *nameConstraints2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXNameConstraints_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXNameConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXNameConstraints *
-nssPKIXNameConstraints_Duplicate
-(
- NSSPKIXNameConstraints *nameConstraints,
- NSSArena *arenaOpt
-);
-
-/*
- * { and the comparator functions }
- *
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXNameConstraints_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXNameConstraints
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXNameConstraints_verifyPointer
-(
- NSSPKIXNameConstraints *p
-);
-#endif /* DEBUG */
-
-/*
- * GeneralSubtrees
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
- *
- * The private calls for this type:
- *
- * nssPKIXGeneralSubtrees_Decode
- * nssPKIXGeneralSubtrees_Create
- * nssPKIXGeneralSubtrees_Destroy
- * nssPKIXGeneralSubtrees_Encode
- * nssPKIXGeneralSubtrees_GetGeneralSubtreeCount
- * nssPKIXGeneralSubtrees_GetGeneralSubtrees
- * nssPKIXGeneralSubtrees_SetGeneralSubtrees
- * nssPKIXGeneralSubtrees_GetGeneralSubtree
- * nssPKIXGeneralSubtrees_SetGeneralSubtree
- * nssPKIXGeneralSubtrees_InsertGeneralSubtree
- * nssPKIXGeneralSubtrees_AppendGeneralSubtree
- * nssPKIXGeneralSubtrees_RemoveGeneralSubtree
- * nssPKIXGeneralSubtrees_FindGeneralSubtree
- * nssPKIXGeneralSubtrees_Equal
- * nssPKIXGeneralSubtrees_Duplicate
- * { and finders and comparators }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXGeneralSubtrees_verifyPointer
- *
- */
-
-/*
- * nssPKIXGeneralSubtrees_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-nssPKIXGeneralSubtrees_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXGeneralSubtrees_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-nssPKIXGeneralSubtrees_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralSubtree *generalSubtree1,
- ...
-);
-
-/*
- * nssPKIXGeneralSubtrees_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_Destroy
-(
- NSSPKIXGeneralSubtrees *generalSubtrees
-);
-
-/*
- * nssPKIXGeneralSubtrees_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXGeneralSubtrees_Encode
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralSubtrees_GetGeneralSubtreeCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXGeneralSubtrees_GetGeneralSubtreeCount
-(
- NSSPKIXGeneralSubtrees *generalSubtrees
-);
-
-/*
- * nssPKIXGeneralSubtrees_GetGeneralSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXGeneralSubtree pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree **
-nssPKIXGeneralSubtrees_GetGeneralSubtrees
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralSubtrees_SetGeneralSubtrees
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_SetGeneralSubtrees
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *generalSubtree[],
- PRInt32 count
-);
-
-/*
- * nssPKIXGeneralSubtrees_GetGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-nssPKIXGeneralSubtrees_GetGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralSubtrees_SetGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_SetGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtrees_InsertGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_InsertGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtrees_AppendGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_AppendGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtrees_RemoveGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_RemoveGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- PRInt32 i
-);
-
-/*
- * nssPKIXGeneralSubtrees_FindGeneralSubtree
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXGeneralSubtrees_FindGeneralSubtree
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtrees_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXGeneralSubtrees_Equal
-(
- NSSPKIXGeneralSubtrees *generalSubtrees1,
- NSSPKIXGeneralSubtrees *generalSubtrees2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXGeneralSubtrees_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtrees upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtrees *
-nssPKIXGeneralSubtrees_Duplicate
-(
- NSSPKIXGeneralSubtrees *generalSubtrees,
- NSSArena *arenaOpt
-);
-
-/*
- * { and finders and comparators }
- *
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXGeneralSubtrees_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXGeneralSubtrees
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtrees_verifyPointer
-(
- NSSPKIXGeneralSubtrees *p
-);
-#endif /* DEBUG */
-
-/*
- * GeneralSubtree
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtree ::= SEQUENCE {
- * base GeneralName,
- * minimum [0] BaseDistance DEFAULT 0,
- * maximum [1] BaseDistance OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXGeneralSubtree_Decode
- * nssPKIXGeneralSubtree_Create
- * nssPKIXGeneralSubtree_Destroy
- * nssPKIXGeneralSubtree_Encode
- * nssPKIXGeneralSubtree_GetBase
- * nssPKIXGeneralSubtree_SetBase
- * nssPKIXGeneralSubtree_GetMinimum
- * nssPKIXGeneralSubtree_SetMinimum
- * nssPKIXGeneralSubtree_HasMaximum
- * nssPKIXGeneralSubtree_GetMaximum
- * nssPKIXGeneralSubtree_SetMaximum
- * nssPKIXGeneralSubtree_RemoveMaximum
- * nssPKIXGeneralSubtree_Equal
- * nssPKIXGeneralSubtree_Duplicate
- * nssPKIXGeneralSubtree_DistanceInRange
- * {other tests and comparators}
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXGeneralSubtree_verifyPointer
- *
- */
-
-/*
- * nssPKIXGeneralSubtree_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-nssPKIXGeneralSubtree_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXGeneralSubtree_Create
- *
- * -- fgmr comments --
- * The optional maximum value may be omitted by specifying -1.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-nssPKIXGeneralSubtree_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXBaseDistance minimum,
- NSSPKIXBaseDistance maximumOpt
-);
-
-/*
- * nssPKIXGeneralSubtree_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtree_Destroy
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtree_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXGeneralSubtree_Encode
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralSubtree_GetBase
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXGeneralSubtree_GetBase
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXGeneralSubtree_SetBase
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtree_SetBase
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXGeneralName *base
-);
-
-/*
- * nssPKIXGeneralSubtree_GetMinimum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN NSSPKIXBaseDistance
-nssPKIXGeneralSubtree_GetMinimum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtree_SetMinimum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtree_SetMinimum
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXBaseDistance *minimum
-);
-
-/*
- * nssPKIXGeneralSubtree_HasMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXGeneralSubtree_HasMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtree_GetMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN NSSPKIXBaseDistance
-nssPKIXGeneralSubtree_GetMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtree_SetMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtree_SetMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXBaseDistance *maximum
-);
-
-/*
- * nssPKIXGeneralSubtree_RemoveMaximum
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtree_RemoveMaximum
-(
- NSSPKIXGeneralSubtree *generalSubtree
-);
-
-/*
- * nssPKIXGeneralSubtree_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXGeneralSubtree_Equal
-(
- NSSPKIXGeneralSubtree *generalSubtree1,
- NSSPKIXGeneralSubtree *generalSubtree2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXGeneralSubtree_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralSubtree upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralSubtree *
-nssPKIXGeneralSubtree_Duplicate
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXGeneralSubtree_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXGeneralSubtree
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXGeneralSubtree_verifyPointer
-(
- NSSPKIXGeneralSubtree *p
-);
-#endif /* DEBUG */
-
-/*
- * nssPKIXGeneralSubtree_DistanceInRange
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_TRUE if the specified value is within the minimum and maximum
- * base distances
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXGeneralSubtree_DistanceInRange
-(
- NSSPKIXGeneralSubtree *generalSubtree,
- NSSPKIXBaseDistance value,
- PRStatus *statusOpt
-);
-
-/*
- * {other tests and comparators}
- *
- */
-
-/*
- * PolicyConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyConstraints ::= SEQUENCE {
- * requireExplicitPolicy [0] SkipCerts OPTIONAL,
- * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXPolicyConstraints_Decode
- * nssPKIXPolicyConstraints_Create
- * nssPKIXPolicyConstraints_Destroy
- * nssPKIXPolicyConstraints_Encode
- * nssPKIXPolicyConstraints_HasRequireExplicitPolicy
- * nssPKIXPolicyConstraints_GetRequireExplicitPolicy
- * nssPKIXPolicyConstraints_SetRequireExplicitPolicy
- * nssPKIXPolicyConstraints_RemoveRequireExplicitPolicy
- * nssPKIXPolicyConstraints_HasInhibitPolicyMapping
- * nssPKIXPolicyConstraints_GetInhibitPolicyMapping
- * nssPKIXPolicyConstraints_SetInhibitPolicyMapping
- * nssPKIXPolicyConstraints_RemoveInhibitPolicyMapping
- * nssPKIXPolicyConstraints_Equal
- * nssPKIXPolicyConstraints_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXPolicyConstraints_verifyPointer
- *
- */
-
-/*
- * nssPKIXPolicyConstraints_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyConstraints *
-nssPKIXPolicyConstraints_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXPolicyConstraints_Create
- *
- * -- fgmr comments --
- * The optional values may be omitted by specifying -1.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyConstraints *
-nssPKIXPolicyConstraints_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXSkipCerts requireExplicitPolicy,
- NSSPKIXSkipCerts inhibitPolicyMapping
-);
-
-/*
- * nssPKIXPolicyConstraints_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyConstraints_Destroy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXPolicyConstraints_Encode
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXPolicyConstraints_HasRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyConstraints_HasRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_GetRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyConstraints_GetRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_SetRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyConstraints_SetRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSPKIXSkipCerts requireExplicitPolicy
-);
-
-/*
- * nssPKIXPolicyConstraints_RemoveRequireExplicitPolicy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyConstraints_RemoveRequireExplicitPolicy
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_HasInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyConstraints_HasInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_GetInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXPolicyConstraints_GetInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_SetInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_INVALID_VALUE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyConstraints_SetInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSPKIXSkipCerts inhibitPolicyMapping
-);
-
-/*
- * nssPKIXPolicyConstraints_RemoveInhibitPolicyMapping
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyConstraints_RemoveInhibitPolicyMapping
-(
- NSSPKIXPolicyConstraints *policyConstraints
-);
-
-/*
- * nssPKIXPolicyConstraints_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXPolicyConstraints_Equal
-(
- NSSPKIXPolicyConstraints *policyConstraints1,
- NSSPKIXPolicyConstraints *policyConstraints2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXPolicyConstraints_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXPolicyConstraints upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXPolicyConstraints *
-nssPKIXPolicyConstraints_Duplicate
-(
- NSSPKIXPolicyConstraints *policyConstraints,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXPolicyConstraints_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXPolicyConstraints
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXPolicyConstraints_verifyPointer
-(
- NSSPKIXPolicyConstraints *p
-);
-#endif /* DEBUG */
-
-/*
- * CRLDistPointsSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
- *
- * The private calls for this type:
- *
- * nssPKIXCRLDistPointsSyntax_Decode
- * nssPKIXCRLDistPointsSyntax_Create
- * nssPKIXCRLDistPointsSyntax_Destroy
- * nssPKIXCRLDistPointsSyntax_Encode
- * nssPKIXCRLDistPointsSyntax_GetDistributionPointCount
- * nssPKIXCRLDistPointsSyntax_GetDistributionPoints
- * nssPKIXCRLDistPointsSyntax_SetDistributionPoints
- * nssPKIXCRLDistPointsSyntax_GetDistributionPoint
- * nssPKIXCRLDistPointsSyntax_SetDistributionPoint
- * nssPKIXCRLDistPointsSyntax_InsertDistributionPoint
- * nssPKIXCRLDistPointsSyntax_AppendDistributionPoint
- * nssPKIXCRLDistPointsSyntax_RemoveDistributionPoint
- * nssPKIXCRLDistPointsSyntax_FindDistributionPoint
- * nssPKIXCRLDistPointsSyntax_Equal
- * nssPKIXCRLDistPointsSyntax_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXCRLDistPointsSyntax_verifyPointer
- *
- */
-
-/*
- * nssPKIXCRLDistPointsSyntax_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
-nssPKIXCRLDistPointsSyntax_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
-nssPKIXCRLDistPointsSyntax_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPoint *distributionPoint1,
- ...
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_Destroy
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXCRLDistPointsSyntax_Encode
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_GetDistributionPointCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXCRLDistPointsSyntax_GetDistributionPointCount
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_GetDistributionPoints
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXDistributionPoint pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoints **
-nssPKIXCRLDistPointsSyntax_GetDistributionPoints
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSDistributionPoint *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_SetDistributionPoints
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_SetDistributionPoints
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSDistributionPoint *distributionPoint[]
- PRInt32 count
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_GetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-nssPKIXCRLDistPointsSyntax_GetDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_SetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_SetDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- PRInt32 i,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_InsertDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_InsertDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- PRInt32 i,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_AppendDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_AppendDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_RemoveDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_RemoveDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- PRInt32 i
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_FindDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXCRLDistPointsSyntax_FindDistributionPoint
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXCRLDistPointsSyntax_Equal
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax1,
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXCRLDistPointsSyntax_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
-nssPKIXCRLDistPointsSyntax_Duplicate
-(
- NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXCRLDistPointsSyntax_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXCRLDistPointsSyntax
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXCRLDistPointsSyntax_verifyPointer
-(
- NSSPKIXCRLDistPointsSyntax *p
-);
-#endif /* DEBUG */
-
-/*
- * DistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * reasons [1] ReasonFlags OPTIONAL,
- * cRLIssuer [2] GeneralNames OPTIONAL }
- *
- * The private calls for this type:
- *
- * nssPKIXDistributionPoint_Decode
- * nssPKIXDistributionPoint_Create
- * nssPKIXDistributionPoint_Destroy
- * nssPKIXDistributionPoint_Encode
- * nssPKIXDistributionPoint_HasDistributionPoint
- * nssPKIXDistributionPoint_GetDistributionPoint
- * nssPKIXDistributionPoint_SetDistributionPoint
- * nssPKIXDistributionPoint_RemoveDistributionPoint
- * nssPKIXDistributionPoint_HasReasons
- * nssPKIXDistributionPoint_GetReasons
- * nssPKIXDistributionPoint_SetReasons
- * nssPKIXDistributionPoint_RemoveReasons
- * nssPKIXDistributionPoint_HasCRLIssuer
- * nssPKIXDistributionPoint_GetCRLIssuer
- * nssPKIXDistributionPoint_SetCRLIssuer
- * nssPKIXDistributionPoint_RemoveCRLIssuer
- * nssPKIXDistributionPoint_Equal
- * nssPKIXDistributionPoint_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXDistributionPoint_verifyPointer
- *
- */
-
-/*
- * nssPKIXDistributionPoint_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-nssPKIXDistributionPoint_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXDistributionPoint_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-nssPKIXDistributionPoint_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPointName *distributionPoint,
- NSSPKIXReasonFlags reasons,
- NSSPKIXGeneralNames *cRLIssuer
-);
-
-/*
- * nssPKIXDistributionPoint_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_Destroy
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXDistributionPoint_Encode
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXDistributionPoint_HasDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXDistributionPoint_HasDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_GetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXDistributionPoint_GetDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXDistributionPoint_SetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_SetDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSPKIXDistributionPointName *name
-);
-
-/*
- * nssPKIXDistributionPoint_RemoveDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_RemoveDistributionPoint
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_HasReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXDistributionPoint_HasReasons
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_GetReasons
- *
- * It is unlikely that the reason flags are all zero; so zero is
- * returned in error situations.
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_REASONS
- *
- * Return value:
- * A valid nonzero NSSPKIXReasonFlags value upon success
- * A valid zero NSSPKIXReasonFlags if the value is indeed zero
- * Zero upon error
- */
-
-NSS_EXTERN NSSPKIXReasonFlags
-nssPKIXDistributionPoint_GetReasons
-(
- NSSPKIXDistributionPoint *distributionPoint,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXDistributionPoint_SetReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_SetReasons
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSPKIXReasonFlags reasons
-);
-
-/*
- * nssPKIXDistributionPoint_RemoveReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_REASONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_RemoveReasons
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_HasCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXDistributionPoint_HasCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_GetCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_CRL_ISSUER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralNames *
-nssPKIXDistributionPoint_GetCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXDistributionPoint_SetCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_SetCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSPKIXGeneralNames *cRLIssuer
-);
-
-/*
- * nssPKIXDistributionPoint_RemoveCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_CRL_ISSUER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_RemoveCRLIssuer
-(
- NSSPKIXDistributionPoint *distributionPoint
-);
-
-/*
- * nssPKIXDistributionPoint_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXDistributionPoint_Equal
-(
- NSSPKIXDistributionPoint *distributionPoint1,
- NSSPKIXDistributionPoint *distributionPoint2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXDistributionPoint_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPoint *
-nssPKIXDistributionPoint_Duplicate
-(
- NSSPKIXDistributionPoint *distributionPoint,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXDistributionPoint_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXDistributionPoint
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPoint_verifyPointer
-(
- NSSPKIXDistributionPoint *p
-);
-#endif /* DEBUG */
-
-/*
- * DistributionPointName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPointName ::= CHOICE {
- * fullName [0] GeneralNames,
- * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
- *
- * The private calls for this type:
- *
- * nssPKIXDistributionPointName_Decode
- * nssPKIXDistributionPointName_Create
- * nssPKIXDistributionPointName_CreateFromFullName
- * nssPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
- * nssPKIXDistributionPointName_Destroy
- * nssPKIXDistributionPointName_Encode
- * nssPKIXDistributionPointName_GetChoice
- * nssPKIXDistributionPointName_GetFullName
- * nssPKIXDistributionPointName_GetNameRelativeToCRLIssuer
- * nssPKIXDistributionPointName_Equal
- * nssPKIXDistributionPointName_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXDistributionPointName_verifyPointer
- *
- */
-
-/*
- * nssPKIXDistributionPointName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXDistributionPointName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXDistributionPointName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME_CHOICE
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- * NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXDistributionPointName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPointNameChoice which,
- void *name
-);
-
-/*
- * nssPKIXDistributionPointName_CreateFromFullName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXDistributionPointName_CreateFromFullName
-(
- NSSArena *arenaOpt,
- NSSPKIXGeneralNames *fullName
-);
-
-/*
- * nssPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
-(
- NSSArena *arenaOpt,
- NSSPKIXRelativeDistinguishedName *nameRelativeToCRLIssuer
-);
-
-/*
- * nssPKIXDistributionPointName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPointName_Destroy
-(
- NSSPKIXDistributionPointName *dpn
-);
-
-/*
- * nssPKIXDistributionPointName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXDistributionPointName_Encode
-(
- NSSPKIXDistributionPointName *dpn,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXDistributionPointName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * A valid NSSPKIXDistributionPointNameChoice value upon success
- * NSSPKIXDistributionPointNameChoice_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointNameChoice
-nssPKIXDistributionPointName_GetChoice
-(
- NSSPKIXDistributionPointName *dpn
-);
-
-/*
- * nssPKIXDistributionPointName_GetFullName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralNames upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralnames *
-nssPKIXDistributionPointName_GetFullName
-(
- NSSPKIXDistributionPointName *dpn,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXDistributionPointName_GetNameRelativeToCRLIssuer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_WRONG_CHOICE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nssPKIXDistributionPointName_GetNameRelativeToCRLIssuer
-(
- NSSPKIXDistributionPointName *dpn,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXDistributionPointName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXDistributionPointName_Equal
-(
- NSSPKIXDistributionPointName *dpn1,
- NSSPKIXDistributionPointName *dpn2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXDistributionPointName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXDistributionPointName_Duplicate
-(
- NSSPKIXDistributionPointName *dpn,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXDistributionPointName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXDistributionPointName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXDistributionPointName_verifyPointer
-(
- NSSPKIXDistributionPointName *p
-);
-#endif /* DEBUG */
-
-/*
- * ReasonFlags
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ReasonFlags ::= BIT STRING {
- * unused (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6) }
- *
- * The private calls for this type:
- *
- * nssPKIXReasonFlags_Decode
- * nssPKIXReasonFlags_Create
- * nssPKIXReasonFlags_CreateFromMask
- * nssPKIXReasonFlags_Destroy
- * nssPKIXReasonFlags_Encode
- * nssPKIXReasonFlags_GetMask
- * nssPKIXReasonFlags_SetMask
- * nssPKIXReasonFlags_Equal
- * nssPKIXReasonFlags_Duplicate
- * { bitwise accessors? }
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXReasonFlags_verifyPointer
- *
- */
-
-/*
- * nssPKIXReasonFlags_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-nssPKIXReasonFlags_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXReasonFlags_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-nssPKIXReasonFlags_Create
-(
- NSSArena *arenaOpt,
- PRBool keyCompromise,
- PRBool cACompromise,
- PRBool affiliationChanged,
- PRBool superseded,
- PRBool cessationOfOperation,
- PRBool certificateHold
-);
-
-/*
- * nssPKIXReasonFlags_CreateFromMask
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-nssPKIXReasonFlags_CreateFromMask
-(
- NSSArena *arenaOpt,
- NSSPKIXReasonFlagsMask why
-);
-
-/*
- * nssPKIXReasonFlags_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXReasonFlags_Destroy
-(
- NSSPKIXReasonFlags *reasonFlags
-);
-
-/*
- * nssPKIXReasonFlags_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXReasonFlags_Encode
-(
- NSSPKIXReasonFlags *reasonFlags,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXReasonFlags_GetMask
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * A valid mask of NSSPKIXReasonFlagsMask values upon success
- * NSSPKIXReasonFlagsMask_NSSinvalid upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlagsMask
-nssPKIXReasonFlags_GetMask
-(
- NSSPKIXReasonFlags *reasonFlags
-);
-
-/*
- * nssPKIXReasonFlags_SetMask
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXReasonFlags_SetMask
-(
- NSSPKIXReasonFlags *reasonFlags,
- NSSPKIXReasonFlagsMask mask
-);
-
-/*
- * nssPKIXReasonFlags_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXReasonFlags_Equal
-(
- NSSPKIXReasonFlags *reasonFlags1,
- NSSPKIXReasonFlags *reasonFlags2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXReasonFlags_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-nssPKIXReasonFlags_Duplicate
-(
- NSSPKIXReasonFlags *reasonFlags,
- NSSArena *arenaOpt
-);
-
-/*
- * { bitwise accessors? }
- *
- */
-
-#ifdef DEBUG
-/*
- * nssPKIXReasonFlags_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXReasonFlags
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXReasonFlags_verifyPointer
-(
- NSSPKIXReasonFlags *p
-);
-#endif /* DEBUG */
-
-/*
- * ExtKeyUsageSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
- *
- * The private calls for this type:
- *
- * nssPKIXExtKeyUsageSyntax_Decode
- * nssPKIXExtKeyUsageSyntax_Create
- * nssPKIXExtKeyUsageSyntax_Destroy
- * nssPKIXExtKeyUsageSyntax_Encode
- * nssPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
- * nssPKIXExtKeyUsageSyntax_GetKeyPurposeIds
- * nssPKIXExtKeyUsageSyntax_SetKeyPurposeIds
- * nssPKIXExtKeyUsageSyntax_GetKeyPurposeId
- * nssPKIXExtKeyUsageSyntax_SetKeyPurposeId
- * nssPKIXExtKeyUsageSyntax_InsertKeyPurposeId
- * nssPKIXExtKeyUsageSyntax_AppendKeyPurposeId
- * nssPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
- * nssPKIXExtKeyUsageSyntax_FindKeyPurposeId
- * nssPKIXExtKeyUsageSyntax_Equal
- * nssPKIXExtKeyUsageSyntax_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXExtKeyUsageSyntax_verifyPointer
- *
- */
-
-/*
- * nssPKIXExtKeyUsageSyntax_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
-nssPKIXExtKeyUsageSyntax_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
-nssPKIXExtKeyUsageSyntax_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXKeyPurposeId *kpid1,
- ...
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_Destroy
-(
- NSSPKIXExtKeyUsageSyntax *eku
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXExtKeyUsageSyntax_Encode
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
-(
- NSSPKIXExtKeyUsageSyntax *eku
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_GetKeyPurposeIds
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXKeyPurposeId pointers upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXKeyPurposeId **
-nssPKIXExtKeyUsageSyntax_GetKeyPurposeIds
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_SetKeyPurposeIds
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_SetKeyPurposeIds
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *ids[],
- PRInt32 count
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_GetKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXKeyPurposeId upon success
- * NULL upon error
- */
-
-NSS_EXTERN NSSPKIXKeyPurposeId *
-nssPKIXExtKeyUsageSyntax_GetKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_SetKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_SetKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_InsertKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_InsertKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_AppendKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_AppendKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- PRInt32 i
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_FindKeyPurposeId
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified key purpose id upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXExtKeyUsageSyntax_FindKeyPurposeId
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSPKIXKeyPurposeId *id
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXExtKeyUsageSyntax_Equal
-(
- NSSPKIXExtKeyUsageSyntax *eku1,
- NSSPKIXExtKeyUsageSyntax *eku2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXExtKeyUsageSyntax_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
-nssPKIXExtKeyUsageSyntax_Duplicate
-(
- NSSPKIXExtKeyUsageSyntax *eku,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXExtKeyUsageSyntax_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXExtKeyUsageSyntax
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXExtKeyUsageSyntax_verifyPointer
-(
- NSSPKIXExtKeyUsageSyntax *p
-);
-#endif /* DEBUG */
-
-/*
- * AuthorityInfoAccessSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityInfoAccessSyntax ::=
- * SEQUENCE SIZE (1..MAX) OF AccessDescription
- *
- * The private calls for this type:
- *
- * nssPKIXAuthorityInfoAccessSyntax_Decode
- * nssPKIXAuthorityInfoAccessSyntax_Create
- * nssPKIXAuthorityInfoAccessSyntax_Destroy
- * nssPKIXAuthorityInfoAccessSyntax_Encode
- * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
- * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
- * nssPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
- * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescription
- * nssPKIXAuthorityInfoAccessSyntax_SetAccessDescription
- * nssPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
- * nssPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
- * nssPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
- * nssPKIXAuthorityInfoAccessSyntax_FindAccessDescription
- * nssPKIXAuthorityInfoAccessSyntax_Equal
- * nssPKIXAuthorityInfoAccessSyntax_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAuthorityInfoAccessSyntax_verifyPointer
- *
- */
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
-nssPKIXAuthorityInfoAccessSyntax_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
-nssPKIXAuthorityInfoAccessSyntax_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAccessDescription *ad1,
- ...
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_Destroy
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAuthorityInfoAccessSyntax_Encode
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAccessDescription pointers
- * upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription **
-nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *ad[],
- PRInt32 count
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-nssPKIXAuthorityInfoAccessSyntax_GetAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_SetAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_SetAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- PRInt32 i
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_FindAccessDescription
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified policy mapping upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-nssPKIXAuthorityInfoAccessSyntax_FindAccessDescription
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAuthorityInfoAccessSyntax_Equal
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias1,
- NSSPKIXAuthorityInfoAccessSyntax *aias2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAuthorityInfoAccessSyntax_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
- * success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
-nssPKIXAuthorityInfoAccessSyntax_Duplicate
-(
- NSSPKIXAuthorityInfoAccessSyntax *aias,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXAuthorityInfoAccessSyntax_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAuthorityInfoAccessSyntax
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAuthorityInfoAccessSyntax_verifyPointer
-(
- NSSPKIXAuthorityInfoAccessSyntax *p
-);
-#endif /* DEBUG */
-
-/*
- * AccessDescription
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AccessDescription ::= SEQUENCE {
- * accessMethod OBJECT IDENTIFIER,
- * accessLocation GeneralName }
- *
- * The private calls for this type:
- *
- * nssPKIXAccessDescription_Decode
- * nssPKIXAccessDescription_Create
- * nssPKIXAccessDescription_Destroy
- * nssPKIXAccessDescription_Encode
- * nssPKIXAccessDescription_GetAccessMethod
- * nssPKIXAccessDescription_SetAccessMethod
- * nssPKIXAccessDescription_GetAccessLocation
- * nssPKIXAccessDescription_SetAccessLocation
- * nssPKIXAccessDescription_Equal
- * nssPKIXAccessDescription_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXAccessDescription_verifyPointer
- *
- */
-
-/*
- * nssPKIXAccessDescription_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-nssPKIXAccessDescription_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXAccessDescription_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-nssPKIXAccessDescription_Create
-(
- NSSArena *arenaOpt,
- NSSOID *accessMethod,
- NSSPKIXGeneralName *accessLocation
-);
-
-/*
- * nssPKIXAccessDescription_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAccessDescription_Destroy
-(
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * nssPKIXAccessDescription_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAccessDescription_Encode
-(
- NSSPKIXAccessDescription *ad,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAccessDescription_GetAccessMethod
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSOID pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSOID *
-nssPKIXAccessDescription_GetAccessMethod
-(
- NSSPKIXAccessDescription *ad
-);
-
-/*
- * nssPKIXAccessDescription_SetAccessMethod
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAccessDescription_SetAccessMethod
-(
- NSSPKIXAccessDescription *ad,
- NSSOID *accessMethod
-);
-
-/*
- * nssPKIXAccessDescription_GetAccessLocation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXGeneralName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXGeneralName *
-nssPKIXAccessDescription_GetAccessLocation
-(
- NSSPKIXAccessDescription *ad,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXAccessDescription_SetAccessLocation
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_INVALID_PKIX_GENERAL_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAccessDescription_SetAccessLocation
-(
- NSSPKIXAccessDescription *ad,
- NSSPKIXGeneralName *accessLocation
-);
-
-/*
- * nssPKIXAccessDescription_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXAccessDescription_Equal
-(
- NSSPKIXAccessDescription *ad1,
- NSSPKIXAccessDescription *ad2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXAccessDescription_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAccessDescription upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAccessDescription *
-nssPKIXAccessDescription_Duplicate
-(
- NSSPKIXAccessDescription *ad,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXAccessDescription_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAccessDescription
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAccessDescription_verifyPointer
-(
- NSSPKIXAccessDescription *p
-);
-#endif /* DEBUG */
-
-/*
- * IssuingDistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * IssuingDistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
- * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
- * onlySomeReasons [3] ReasonFlags OPTIONAL,
- * indirectCRL [4] BOOLEAN DEFAULT FALSE }
- *
- * The private calls for this type:
- *
- * nssPKIXIssuingDistributionPoint_Decode
- * nssPKIXIssuingDistributionPoint_Create
- * nssPKIXIssuingDistributionPoint_Destroy
- * nssPKIXIssuingDistributionPoint_Encode
- * nssPKIXIssuingDistributionPoint_HasDistributionPoint
- * nssPKIXIssuingDistributionPoint_GetDistributionPoint
- * nssPKIXIssuingDistributionPoint_SetDistributionPoint
- * nssPKIXIssuingDistributionPoint_RemoveDistributionPoint
- * nssPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
- * nssPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
- * nssPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
- * nssPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
- * nssPKIXIssuingDistributionPoint_HasOnlySomeReasons
- * nssPKIXIssuingDistributionPoint_GetOnlySomeReasons
- * nssPKIXIssuingDistributionPoint_SetOnlySomeReasons
- * nssPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
- * nssPKIXIssuingDistributionPoint_GetIndirectCRL
- * nssPKIXIssuingDistributionPoint_SetIndirectCRL
- * nssPKIXIssuingDistributionPoint_Equal
- * nssPKIXIssuingDistributionPoint_Duplicate
- *
- * In debug builds, the following call is available:
- *
- * nssPKIXIssuingDistributionPoint_verifyPointer
- *
- */
-
-/*
- * nssPKIXIssuingDistributionPoint_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXIssuingDistributionPoint *
-nssPKIXIssuingDistributionPoint_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- *
- * Return value:
- * A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXIssuingDistributionPoint *
-nssPKIXIssuingDistributionPoint_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXDistributionPointName *distributionPointOpt,
- PRBool onlyContainsUserCerts,
- PRBool onlyContainsCACerts,
- NSSPKIXReasonFlags *onlySomeReasons
- PRBool indirectCRL
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_Destroy
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXIssuingDistributionPoint_Encode
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_HasDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXIssuingDistributionPoint_HasDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_GetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXDistributionPointName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXDistributionPointName *
-nssPKIXIssuingDistributionPoint_GetDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_SetDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_SetDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSPKIXDistributionPointName *dpn
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_RemoveDistributionPoint
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_RemoveDistributionPoint
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the onlyContainsUserCerts value is true
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRBool onlyContainsUserCerts
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the onlyContainsCACerts value is true
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRBool onlyContainsCACerts
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_HasOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if it has one
- * PR_FALSE if it doesn't
- * PR_FALSE upon failure
- */
-
-NSS_EXTERN PRBool
-nssPKIXIssuingDistributionPoint_HasOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_GetOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXReasonFlags upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXReasonFlags *
-nssPKIXIssuingDistributionPoint_GetOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSArena *arenaOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_SetOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_INVALID_PKIX_REASON_FLAGS
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_SetOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSPKIXReasonFlags *onlySomeReasons
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
-(
- NSSPKIXIssuingDistributionPoint *idp
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_GetIndirectCRL
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the indirectCRL value is true
- * PR_FALSE if it isn't
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXIssuingDistributionPoint_GetIndirectCRL
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_SetIndirectCRL
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_SetIndirectCRL
-(
- NSSPKIXIssuingDistributionPoint *idp,
- PRBool indirectCRL
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssPKIXIssuingDistributionPoint_Equal
-(
- NSSPKIXIssuingDistributionPoint *idp1,
- NSSPKIXIssuingDistributionPoint *idp2,
- PRStatus *statusOpt
-);
-
-/*
- * nssPKIXIssuingDistributionPoint_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXIssuingDistributionPoint *
-nssPKIXIssuingDistributionPoint_Duplicate
-(
- NSSPKIXIssuingDistributionPoint *idp,
- NSSArena *arenaOpt
-);
-
-#ifdef DEBUG
-/*
- * nssPKIXIssuingDistributionPoint_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXIssuingDistributionPoint
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssPKIXIssuingDistributionPoint_verifyPointer
-(
- NSSPKIXIssuingDistributionPoint *p
-);
-#endif /* DEBUG */
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKIX_H */
diff --git a/security/nss/lib/pkix/include/pkixm.h b/security/nss/lib/pkix/include/pkixm.h
deleted file mode 100644
index c273848b5..000000000
--- a/security/nss/lib/pkix/include/pkixm.h
+++ /dev/null
@@ -1,969 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef PKIXM_H
-#define PKIXM_H
-
-#ifdef DEBUG
-static const char PKIXM_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * pkixm.h
- *
- * This file contains the private type definitions for the
- * PKIX part-1 objects. Mostly, this file contains the actual
- * structure definitions for the NSSPKIX types declared in nsspkixt.h.
- */
-
-#ifndef PKIXTM_H
-#include "pkixtm.h"
-#endif /* PKIXTM_H */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nss_pkix_Attribute_v_create
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nss_pkix_Attribute_v_create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- PRUint32 count,
- va_list ap
-);
-
-#ifdef DEBUG
-
-/*
- * nss_pkix_Attribute_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXAttribute pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nss_pkix_Attribute_add_pointer
-(
- const NSSPKIXAttribute *p
-);
-
-/*
- * nss_pkix_Attribute_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXAttribute
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nss_pkix_Attribute_remove_pointer
-(
- const NSSPKIXAttribute *p
-);
-
-#endif /* DEBUG */
-
-
-#ifdef DEBUG
-
-NSS_EXTERN PRStatus
-nss_pkix_AttributeTypeAndValue_add_pointer
-(
- const NSSPKIXAttributeTypeAndValue *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AttributeTypeAndValue_remove_pointer
-(
- const NSSPKIXAttributeTypeAndValue *p
-);
-
-#endif /* DEBUG */
-
-/*
- * nss_pkix_X520Name_DoUTF8
- *
- */
-
-NSS_EXTERN PR_STATUS
-nss_pkix_X520Name_DoUTF8
-(
- NSSPKIXX520Name *name
-);
-
-#ifdef DEBUG
-
-NSS_EXTERN PRStatus
-nss_pkix_X520Name_add_pointer
-(
- const NSSPKIXX520Name *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_X520Name_remove_pointer
-(
- const NSSPKIXX520Name *p
-);
-
-#endif /* DEBUG */
-
-/*
- * nss_pkix_X520CommonName_DoUTF8
- *
- */
-
-NSS_EXTERN PR_STATUS
-nss_pkix_X520CommonName_DoUTF8
-(
- NSSPKIXX520CommonName *name
-);
-
-#ifdef DEBUG
-
-NSS_EXTERN PRStatus
-nss_pkix_X520CommonName_add_pointer
-(
- const NSSPKIXX520CommonName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_X520CommonName_remove_pointer
-(
- const NSSPKIXX520CommonName *p
-);
-
-
-NSS_EXTERN PRStatus
-nss_pkix_Name_add_pointer
-(
- const NSSPKIXName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_Name_remove_pointer
-(
- const NSSPKIXName *p
-);
-
-/*
- * nss_pkix_RDNSequence_v_create
- */
-
-NSS_EXTERN NSSPKIXRDNSequence *
-nss_pkix_RDNSequence_v_create
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- va_list ap
-);
-
-/*
- * nss_pkix_RDNSequence_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_EXTERN PRStatus
-nss_pkix_RDNSequence_Clear
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-#ifdef DEBUG
-
-#ifdef NSSDEBUG
-
-NSS_EXTERN PRStatus
-nss_pkix_RDNSequence_register
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_RDNSequence_deregister
-(
- NSSPKIXRDNSequence *rdnseq
-);
-
-#endif /* NSSDEBUG */
-
-NSS_EXTERN PRStatus
-nss_pkix_RDNSequence_add_pointer
-(
- const NSSPKIXRDNSequence *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_RDNSequence_remove_pointer
-(
- const NSSPKIXRDNSequence *p
-);
-
-#endif /* DEBUG */
-
-/*
- * nss_pkix_RelativeDistinguishedName_v_create
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nss_pkix_RelativeDistinguishedName_V_Create
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- va_list ap
-);
-
-/*
- * nss_pkix_RelativeDistinguishedName_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_EXTERN PRStatus
-nss_pkix_RelativeDistinguishedName_Clear
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-#ifdef DEBUG
-
-#ifdef NSSDEBUG
-
-NSS_EXTERN PRStatus
-nss_pkix_RelativeDistinguishedName_register
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_RelativeDistinguishedName_deregister
-(
- NSSPKIXRelativeDistinguishedName *rdn
-);
-
-#endif /* NSSDEBUG */
-
-NSS_EXTERN PRStatus
-nss_pkix_RelativeDistinguishedName_add_pointer
-(
- const NSSPKIXRelativeDistinguishedName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_RelativeDistinguishedName_remove_pointer
-(
- const NSSPKIXRelativeDistinguishedName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_Certificate_add_pointer
-(
- const NSSPKIXCertificate *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_Certificate_remove_pointer
-(
- const NSSPKIXCertificate *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TBSCertificate_add_pointer
-(
- const NSSPKIXTBSCertificate *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TBSCertificate_remove_pointer
-(
- const NSSPKIXTBSCertificate *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_Validity_add_pointer
-(
- const NSSPKIXValidity *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_Validity_remove_pointer
-(
- const NSSPKIXValidity *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_SubjectPublicKeyInfo_add_pointer
-(
- const NSSPKIXSubjectPublicKeyInfo *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_SubjectPublicKeyInfo_remove_pointer
-(
- const NSSPKIXSubjectPublicKeyInfo *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_CertificateList_add_pointer
-(
- const NSSPKIXCertificateList *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_CertificateList_remove_pointer
-(
- const NSSPKIXCertificateList *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TBSCertList_add_pointer
-(
- const NSSPKIXTBSCertList *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TBSCertList_remove_pointer
-(
- const NSSPKIXTBSCertList *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_revokedCertificates_add_pointer
-(
- const NSSPKIXrevokedCertificates *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_revokedCertificates_remove_pointer
-(
- const NSSPKIXrevokedCertificates *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_revokedCertificate_add_pointer
-(
- const NSSPKIXrevokedCertificate *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_revokedCertificate_remove_pointer
-(
- const NSSPKIXrevokedCertificate *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AlgorithmIdentifier_add_pointer
-(
- const NSSPKIXAlgorithmIdentifier *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AlgorithmIdentifier_remove_pointer
-(
- const NSSPKIXAlgorithmIdentifier *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ORAddress_add_pointer
-(
- const NSSPKIXORAddress *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ORAddress_remove_pointer
-(
- const NSSPKIXORAddress *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BuiltInStandardAttributes_add_pointer
-(
- const NSSPKIXBuiltInStandardAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BuiltInStandardAttributes_remove_pointer
-(
- const NSSPKIXBuiltInStandardAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PersonalName_add_pointer
-(
- const NSSPKIXPersonalName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PersonalName_remove_pointer
-(
- const NSSPKIXPersonalName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_OrganizationalUnitNames_add_pointer
-(
- const NSSPKIXOrganizationalUnitNames *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_OrganizationalUnitNames_remove_pointer
-(
- const NSSPKIXOrganizationalUnitNames *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BuiltInDomainDefinedAttributes_add_pointer
-(
- const NSSPKIXBuiltInDomainDefinedAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BuiltInDomainDefinedAttributes_remove_pointer
-(
- const NSSPKIXBuiltInDomainDefinedAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BuiltInDomainDefinedAttribute_add_pointer
-(
- const NSSPKIXBuiltInDomainDefinedAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BuiltInDomainDefinedAttribute_remove_pointer
-(
- const NSSPKIXBuiltInDomainDefinedAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtensionAttributes_add_pointer
-(
- const NSSPKIXExtensionAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtensionAttributes_remove_pointer
-(
- const NSSPKIXExtensionAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtensionAttribute_add_pointer
-(
- const NSSPKIXExtensionAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtensionAttribute_remove_pointer
-(
- const NSSPKIXExtensionAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexPersonalName_add_pointer
-(
- const NSSPKIXTeletexPersonalName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexPersonalName_remove_pointer
-(
- const NSSPKIXTeletexPersonalName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexOrganizationalUnitNames_add_pointer
-(
- const NSSPKIXTeletexOrganizationalUnitNames *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexOrganizationalUnitNames_remove_pointer
-(
- const NSSPKIXTeletexOrganizationalUnitNames *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PDSParameter_add_pointer
-(
- const NSSPKIXPDSParameter *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PDSParameter_remove_pointer
-(
- const NSSPKIXPDSParameter *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtendedNetworkAddress_add_pointer
-(
- const NSSPKIXExtendedNetworkAddress *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtendedNetworkAddress_remove_pointer
-(
- const NSSPKIXExtendedNetworkAddress *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_e1634Address_add_pointer
-(
- const NSSPKIXe1634Address *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_e1634Address_remove_pointer
-(
- const NSSPKIXe1634Address *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexDomainDefinedAttributes_add_pointer
-(
- const NSSPKIXTeletexDomainDefinedAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexDomainDefinedAttributes_remove_pointer
-(
- const NSSPKIXTeletexDomainDefinedAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexDomainDefinedAttribute_add_pointer
-(
- const NSSPKIXTeletexDomainDefinedAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_TeletexDomainDefinedAttribute_remove_pointer
-(
- const NSSPKIXTeletexDomainDefinedAttribute *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AuthorityKeyIdentifier_add_pointer
-(
- const NSSPKIXAuthorityKeyIdentifier *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AuthorityKeyIdentifier_remove_pointer
-(
- const NSSPKIXAuthorityKeyIdentifier *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_KeyUsage_add_pointer
-(
- const NSSPKIXKeyUsage *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_KeyUsage_remove_pointer
-(
- const NSSPKIXKeyUsage *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PrivateKeyUsagePeriod_add_pointer
-(
- const NSSPKIXPrivateKeyUsagePeriod *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PrivateKeyUsagePeriod_remove_pointer
-(
- const NSSPKIXPrivateKeyUsagePeriod *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_CertificatePolicies_add_pointer
-(
- const NSSPKIXCertificatePolicies *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_CertificatePolicies_remove_pointer
-(
- const NSSPKIXCertificatePolicies *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyInformation_add_pointer
-(
- const NSSPKIXPolicyInformation *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyInformation_remove_pointer
-(
- const NSSPKIXPolicyInformation *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyQualifierInfo_add_pointer
-(
- const NSSPKIXPolicyQualifierInfo *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyQualifierInfo_remove_pointer
-(
- const NSSPKIXPolicyQualifierInfo *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_UserNotice_add_pointer
-(
- const NSSPKIXUserNotice *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_UserNotice_remove_pointer
-(
- const NSSPKIXUserNotice *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_NoticeReference_add_pointer
-(
- const NSSPKIXNoticeReference *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_NoticeReference_remove_pointer
-(
- const NSSPKIXNoticeReference *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyMappings_add_pointer
-(
- const NSSPKIXPolicyMappings *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyMappings_remove_pointer
-(
- const NSSPKIXPolicyMappings *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_policyMapping_add_pointer
-(
- const NSSPKIXpolicyMapping *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_policyMapping_remove_pointer
-(
- const NSSPKIXpolicyMapping *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralName_add_pointer
-(
- const NSSPKIXGeneralName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralName_remove_pointer
-(
- const NSSPKIXGeneralName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralNames_add_pointer
-(
- const NSSPKIXGeneralNames *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralNames_remove_pointer
-(
- const NSSPKIXGeneralNames *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AnotherName_add_pointer
-(
- const NSSPKIXAnotherName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AnotherName_remove_pointer
-(
- const NSSPKIXAnotherName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_EDIPartyName_add_pointer
-(
- const NSSPKIXEDIPartyName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_EDIPartyName_remove_pointer
-(
- const NSSPKIXEDIPartyName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_SubjectDirectoryAttributes_add_pointer
-(
- const NSSPKIXSubjectDirectoryAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_SubjectDirectoryAttributes_remove_pointer
-(
- const NSSPKIXSubjectDirectoryAttributes *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BasicConstraints_add_pointer
-(
- const NSSPKIXBasicConstraints *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_BasicConstraints_remove_pointer
-(
- const NSSPKIXBasicConstraints *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_NameConstraints_add_pointer
-(
- const NSSPKIXNameConstraints *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_NameConstraints_remove_pointer
-(
- const NSSPKIXNameConstraints *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralSubtrees_add_pointer
-(
- const NSSPKIXGeneralSubtrees *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralSubtrees_remove_pointer
-(
- const NSSPKIXGeneralSubtrees *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralSubtree_add_pointer
-(
- const NSSPKIXGeneralSubtree *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_GeneralSubtree_remove_pointer
-(
- const NSSPKIXGeneralSubtree *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyConstraints_add_pointer
-(
- const NSSPKIXPolicyConstraints *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_PolicyConstraints_remove_pointer
-(
- const NSSPKIXPolicyConstraints *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_CRLDistPointsSyntax_add_pointer
-(
- const NSSPKIXCRLDistPointsSyntax *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_CRLDistPointsSyntax_remove_pointer
-(
- const NSSPKIXCRLDistPointsSyntax *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_DistributionPoint_add_pointer
-(
- const NSSPKIXDistributionPoint *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_DistributionPoint_remove_pointer
-(
- const NSSPKIXDistributionPoint *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_DistributionPointName_add_pointer
-(
- const NSSPKIXDistributionPointName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_DistributionPointName_remove_pointer
-(
- const NSSPKIXDistributionPointName *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ReasonFlags_add_pointer
-(
- const NSSPKIXReasonFlags *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ReasonFlags_remove_pointer
-(
- const NSSPKIXReasonFlags *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtKeyUsageSyntax_add_pointer
-(
- const NSSPKIXExtKeyUsageSyntax *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_ExtKeyUsageSyntax_remove_pointer
-(
- const NSSPKIXExtKeyUsageSyntax *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AuthorityInfoAccessSyntax_add_pointer
-(
- const NSSPKIXAuthorityInfoAccessSyntax *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AuthorityInfoAccessSyntax_remove_pointer
-(
- const NSSPKIXAuthorityInfoAccessSyntax *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AccessDescription_add_pointer
-(
- const NSSPKIXAccessDescription *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_AccessDescription_remove_pointer
-(
- const NSSPKIXAccessDescription *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_IssuingDistributionPoint_add_pointer
-(
- const NSSPKIXIssuingDistributionPoint *p
-);
-
-NSS_EXTERN PRStatus
-nss_pkix_IssuingDistributionPoint_remove_pointer
-(
- const NSSPKIXIssuingDistributionPoint *p
-);
-
-#endif /* DEBUG */
-
-PR_END_EXTERN_C
-
-#endif /* PKIXM_H */
diff --git a/security/nss/lib/pkix/include/pkixt.h b/security/nss/lib/pkix/include/pkixt.h
deleted file mode 100644
index b620cfb8c..000000000
--- a/security/nss/lib/pkix/include/pkixt.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef PKIXT_H
-#define PKIXT_H
-
-#ifdef DEBUG
-static const char PKIXT_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * pkixt.h
- *
- * This file contains the private type definitions for the
- * PKIX part-1 objects. Mostly, this file contains the actual
- * structure definitions for the NSSPKIX types declared in nsspkixt.h.
- */
-
-#ifndef NSSPKIXT_H
-#include "nsspkixt.h"
-#endif /* NSSPKIXT_H */
-
-PR_BEGIN_EXTERN_C
-
-PR_END_EXTERN_C
-
-#endif /* PKIXT_H */
diff --git a/security/nss/lib/pkix/include/pkixtm.h b/security/nss/lib/pkix/include/pkixtm.h
deleted file mode 100644
index 1a9e57af0..000000000
--- a/security/nss/lib/pkix/include/pkixtm.h
+++ /dev/null
@@ -1,1581 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef PKIXTM_H
-#define PKIXTM_H
-
-#ifdef DEBUG
-static const char PKIXTM_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-/*
- * pkixtm.h
- *
- * This file contains the module-private type definitions for the
- * PKIX part-1 objects. Mostly, this file contains the actual
- * structure definitions for the NSSPKIX types declared in nsspkixt.h.
- */
-
-#ifndef NSSPKIXT_H
-#include "nsspkixt.h"
-#endif /* NSSPKIXT_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Attribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Attribute ::= SEQUENCE {
- * type AttributeType,
- * values SET OF AttributeValue
- * -- at least one value is required -- }
- *
- */
-
-struct NSSPKIXAttributeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSBER *ber;
- NSSDER *der;
- nssASN1Item asn1type;
- nssASN1Item **asn1values;
- NSSPKIXAttributeType *type;
- PRUint32 valuesCount;
-};
-
-/*
- * AttributeTypeAndValue
- *
- * This structure contains an attribute type (indicated by an OID),
- * and the type-specific value. RelativeDistinguishedNamess consist
- * of a set of these. These are distinct from Attributes (which have
- * SET of values), from AttributeDescriptions (which have qualifiers
- * on the types), and from AttributeValueAssertions (which assert a
- * a value comparison under some matching rule).
- *
- * From RFC 2459:
- *
- * AttributeTypeAndValue ::= SEQUENCE {
- * type AttributeType,
- * value AttributeValue }
- *
- */
-
-struct NSSPKIXAttributeTypeAndValueStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- nssASN1Item asn1type;
- nssASN1Item asn1value;
- NSSPKIXAttributeType *type;
- NSSUTF8 *utf8;
-};
-
-/*
- * X520Name
- *
- * From RFC 2459:
- *
- * X520name ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-name)),
- * printableString PrintableString (SIZE (1..ub-name)),
- * universalString UniversalString (SIZE (1..ub-name)),
- * utf8String UTF8String (SIZE (1..ub-name)),
- * bmpString BMPString (SIZE(1..ub-name)) }
- *
- *
- * ub-name INTEGER ::= 32768
- *
- */
-
-struct NSSPKIXX520NameStr {
- nssASN1Item string;
- NSSUTF8 *utf8;
- NSSDER *der;
- PRBool wasPrintable;
- PRBool inArena;
-};
-
-/*
- * From RFC 2459:
- *
- * X520CommonName ::= CHOICE {
- * teletexString TeletexString (SIZE (1..ub-common-name)),
- * printableString PrintableString (SIZE (1..ub-common-name)),
- * universalString UniversalString (SIZE (1..ub-common-name)),
- * utf8String UTF8String (SIZE (1..ub-common-name)),
- * bmpString BMPString (SIZE(1..ub-common-name)) }
- *
- * ub-common-name INTEGER ::= 64
- *
- */
-
-struct NSSPKIXX520CommonNameStr {
-};
-
-/*
- * Name
- *
- * This structure contains a union of the possible name formats,
- * which at the moment is limited to an RDNSequence.
- *
- * From RFC 2459:
- *
- * Name ::= CHOICE { -- only one possibility for now --
- * rdnSequence RDNSequence }
- *
- */
-
-struct NSSPKIXNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *ber;
- NSSDER *der;
- NSSUTF8 *utf;
- NSSPKIXNameChoice choice;
- union {
- NSSPKIXRDNSequence *rdnSequence;
- } u;
-};
-
-/*
- * RDNSequence
- *
- * This structure contains a sequence of RelativeDistinguishedName
- * objects.
- *
- * From RFC 2459:
- *
- * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
- *
- */
-
-struct NSSPKIXRDNSequenceStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSBER *ber;
- NSSDER *der;
- NSSUTF8 *utf8;
- PRUint32 count;
- NSSPKIXRelativeDistinguishedName **rdns;
-};
-
-/*
- * RelativeDistinguishedName
- *
- * This structure contains an unordered set of AttributeTypeAndValue
- * objects. RDNs are used to distinguish a set of objects underneath
- * a common object.
- *
- * Often, a single ATAV is sufficient to make a unique distinction.
- * For example, if a company assigns its people unique uid values,
- * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
- * ATAV by itself forms an RDN. However, sometimes a set of ATAVs is
- * needed. For example, if a company needed to distinguish between
- * two Smiths by specifying their corporate divisions, then in the
- * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
- * set of ATAVs forms the RDN.
- *
- * From RFC 2459:
- *
- * RelativeDistinguishedName ::=
- * SET SIZE (1 .. MAX) OF AttributeTypeAndValue
- *
- */
-
-struct NSSPKIXRelativeDistinguishedNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSBER *ber;
- NSSUTF8 *utf8;
- PRUint32 count;
- NSSPKIXAttributeTypeAndValue **atavs;
-};
-
-/*
- * Certificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Certificate ::= SEQUENCE {
- * tbsCertificate TBSCertificate,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- */
-
-struct NSSPKIXCertificateStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXTBSCertificate *tbsCertificate;
- NSSPKIXAlgorithmIdentifier *signatureAlgorithm;
- NSSItem *signature;
-};
-
-/*
- * TBSCertificate
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertificate ::= SEQUENCE {
- * version [0] Version DEFAULT v1,
- * serialNumber CertificateSerialNumber,
- * signature AlgorithmIdentifier,
- * issuer Name,
- * validity Validity,
- * subject Name,
- * subjectPublicKeyInfo SubjectPublicKeyInfo,
- * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- * -- If present, version shall be v2 or v3
- * extensions [3] Extensions OPTIONAL
- * -- If present, version shall be v3 -- }
- *
- */
-
-struct NSSPKIXTBSCertificateStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXVersion version;
- NSSPKIXCertificateSerialNumber serialNumber;
- NSSPKIXAlgorithmIdentifier *signature;
- NSSPKIXName *issuer;
- NSSPKIXValidity *validity;
- NSSPKIXName *subject;
- NSSPKIXSubjectPublicKeyInfo *subjectPublicKeyInfo;
- NSSPKIXUniqueIdentifier *issuerUniqueID;
- NSSPKIXUniqueIdentifier *subjectUniqueID;
- NSSPKIXExtensions *extensions;
-};
-
-/*
- * Validity
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Validity ::= SEQUENCE {
- * notBefore Time,
- * notAfter Time }
- *
- */
-
-struct NSSPKIXValidityStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * Time
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Time ::= CHOICE {
- * utcTime UTCTime,
- * generalTime GeneralizedTime }
- *
- */
-
-struct NSSPKIXTimeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSBER *ber;
- nssASN1Item asn1item;
- PRTime prTime;
- PRBool prTimeValid;
-};
-
-/*
- * SubjectPublicKeyInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING }
- *
- */
-
-struct NSSPKIXSubjectPublicKeyInfoStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXAlgorithmIdentifier *algorithm;
- NSSItem *subjectPublicKey;
-};
-
-/*
- * Extensions
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
- *
- */
-
-struct NSSPKIXExtensionsStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * Extension
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * Extension ::= SEQUENCE {
- * extnID OBJECT IDENTIFIER,
- * critical BOOLEAN DEFAULT FALSE,
- * extnValue OCTET STRING }
- *
- */
-
-struct NSSPKIXExtensionStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSOID *extnID;
- PRBool critical;
- NSSItem *extnValue;
-};
-
-/*
- * CertificateList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificateList ::= SEQUENCE {
- * tbsCertList TBSCertList,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING }
- *
- */
-
-struct NSSPKIXCertificateListStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXTBSCertList *tbsCertList;
- NSSPKIXAlgorithmIdentifier *signatureAlgorithm;
- NSSItem *signature;
-};
-
-/*
- * TBSCertList
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TBSCertList ::= SEQUENCE {
- * version Version OPTIONAL,
- * -- if present, shall be v2
- * signature AlgorithmIdentifier,
- * issuer Name,
- * thisUpdate Time,
- * nextUpdate Time OPTIONAL,
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- * crlExtensions [0] Extensions OPTIONAL
- * -- if present, shall be v2 -- }
- *
- */
-
-struct NSSPKIXTBSCertListStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXVersion version;
- NSSPKIXAlgorithmIdentifier *signature;
- NSSPKIXName *issuer;
- -time- thisUpdate;
- -time- nextUpdate;
- NSSPKIXrevokedCertificates *revokedCertificates;
- NSSPKIXExtensions *crlExtensions;
-};
-
-/*
- * revokedCertificates
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * revokedCertificates SEQUENCE OF SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- */
-
-struct NSSPKIXrevokedCertificatesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * revokedCertificate
- *
- * This is a "helper type" to simplify handling of TBSCertList objects.
- *
- * SEQUENCE {
- * userCertificate CertificateSerialNumber,
- * revocationDate Time,
- * crlEntryExtensions Extensions OPTIONAL
- * -- if present, shall be v2
- * } OPTIONAL,
- *
- */
-
-struct NSSPKIXrevokedCertificateStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXCertificateSerialNumber *userCertificate;
- -time- revocationDate;
- NSSPKIXExtensions *crlEntryExtensions;
-};
-
-/*
- * AlgorithmIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * (1988 syntax)
- *
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters ANY DEFINED BY algorithm OPTIONAL }
- * -- contains a value of the type
- * -- registered for use with the
- * -- algorithm object identifier value
- *
- *
- */
-
-struct NSSPKIXAlgorithmIdentifierStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSBER *ber;
- NSSOID *algorithm;
- NSSItem *parameters;
-};
-
-/*
- * -- types related to NSSPKIXAlgorithmIdentifiers:
- *
- * Dss-Sig-Value ::= SEQUENCE {
- * r INTEGER,
- * s INTEGER }
- *
- * DomainParameters ::= SEQUENCE {
- * p INTEGER, -- odd prime, p=jq +1
- * g INTEGER, -- generator, g
- * q INTEGER, -- factor of p-1
- * j INTEGER OPTIONAL, -- subgroup factor, j>= 2
- * validationParms ValidationParms OPTIONAL }
- *
- * ValidationParms ::= SEQUENCE {
- * seed BIT STRING,
- * pgenCounter INTEGER }
- *
- * Dss-Parms ::= SEQUENCE {
- * p INTEGER,
- * q INTEGER,
- * g INTEGER }
- *
- */
-
-/*
- * ORAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ORAddress ::= SEQUENCE {
- * built-in-standard-attributes BuiltInStandardAttributes,
- * built-in-domain-defined-attributes
- * BuiltInDomainDefinedAttributes OPTIONAL,
- * -- see also teletex-domain-defined-attributes
- * extension-attributes ExtensionAttributes OPTIONAL }
- * -- The OR-address is semantically absent from the OR-name if the
- * -- built-in-standard-attribute sequence is empty and the
- * -- built-in-domain-defined-attributes and extension-attributes are
- * -- both omitted.
- *
- */
-
-struct NSSPKIXORAddressStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXBuiltInStandardAttributes *builtInStandardAttributes;
- NSSPKIXBuiltInDomainDefinedAttributes *builtInDomainDefinedAttributes;
- NSSPKIXExtensionsAttributes *extensionAttributes;
-};
-
-/*
- * BuiltInStandardAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInStandardAttributes ::= SEQUENCE {
- * country-name CountryName OPTIONAL,
- * administration-domain-name AdministrationDomainName OPTIONAL,
- * network-address [0] NetworkAddress OPTIONAL,
- * -- see also extended-network-address
- * terminal-identifier [1] TerminalIdentifier OPTIONAL,
- * private-domain-name [2] PrivateDomainName OPTIONAL,
- * organization-name [3] OrganizationName OPTIONAL,
- * -- see also teletex-organization-name
- * numeric-user-identifier [4] NumericUserIdentifier OPTIONAL,
- * personal-name [5] PersonalName OPTIONAL,
- * -- see also teletex-personal-name
- * organizational-unit-names [6] OrganizationalUnitNames OPTIONAL
- * -- see also teletex-organizational-unit-names -- }
- *
- */
-
-struct NSSPKIXBuiltInStandardAttributesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXCountryName *countryName;
- NSSPKIXAdministrationDomainName *administrationDomainName;
- NSSPKIXNetworkAddress *networkAddress;
- NSSPKIXTerminalIdentifier *terminalIdentifier;
- NSSPKIXPrivateDomainName *privateDomainName;
- NSSPKIXOrganizationName *organizationName;
- NSSPKIXNumericUserIdentifier *numericUserIdentifier;
- NSSPKIXPersonalName *personalName;
- NSSPKIXOrganizationalUnitNames *organizationalUnitNames;
-};
-
-/*
- * PersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PersonalName ::= SET {
- * surname [0] PrintableString (SIZE (1..ub-surname-length)),
- * given-name [1] PrintableString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] PrintableString
- * (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXPersonalNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSUTF8 *surname;
- NSSUTF8 *givenName;
- NSSUTF8 *initials;
- NSSUTF8 *generationQualifier;
-};
-
-/*
- * OrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
- * OF OrganizationalUnitName
- *
- */
-
-struct NSSPKIXOrganizationalUnitNamesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * BuiltInDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF
- * BuiltInDomainDefinedAttribute
- *
- */
-
-struct NSSPKIXBuiltInDomainDefinedAttributesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * BuiltInDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BuiltInDomainDefinedAttribute ::= SEQUENCE {
- * type PrintableString (SIZE
- * (1..ub-domain-defined-attribute-type-length)),
- * value PrintableString (SIZE
- * (1..ub-domain-defined-attribute-value-length))}
- *
- */
-
-struct NSSPKIXBuiltInDomainDefinedAttributeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSUTF8 *type;
- NSSUTF8 *value;
-};
-
-/*
- * ExtensionAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
- * ExtensionAttribute
- *
- */
-
-struct NSSPKIXExtensionAttributesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * ExtensionAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtensionAttribute ::= SEQUENCE {
- * extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
- * extension-attribute-value [1]
- * ANY DEFINED BY extension-attribute-type }
- *
- */
-
-struct NSSPKIXExtensionAttributeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXExtensionsAttributeType extensionAttributeType;
- NSSItem *extensionAttributeValue;
-};
-
-/*
- * TeletexPersonalName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexPersonalName ::= SET {
- * surname [0] TeletexString (SIZE (1..ub-surname-length)),
- * given-name [1] TeletexString
- * (SIZE (1..ub-given-name-length)) OPTIONAL,
- * initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
- * generation-qualifier [3] TeletexString (SIZE
- * (1..ub-generation-qualifier-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXTeletexPersonalNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSUTF8 *surname;
- NSSUTF8 *givenName;
- NSSUTF8 *initials;
- NSSUTF8 *generationQualifier;
-};
-
-/*
- * TeletexOrganizationalUnitNames
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
- * (1..ub-organizational-units) OF TeletexOrganizationalUnitName
- *
- */
-
-struct NSSPKIXTeletexOrganizationalUnitNamesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * PDSParameter
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PDSParameter ::= SET {
- * printable-string PrintableString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXPDSParameterStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSUTF8 *printableString;
- NSSTUF8 *teletexString;
-};
-
-/*
- * UnformattedPostalAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UnformattedPostalAddress ::= SET {
- * printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
- * PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
- * teletex-string TeletexString
- * (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
- *
- */
-
-struct NSSPKIXUnformattedPostalAddressStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
- NSSUTF8 *teletexString;
-};
-
-/*
- * ExtendedNetworkAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtendedNetworkAddress ::= CHOICE {
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- * psap-address [0] PresentationAddress }
- *
- */
-
-struct NSSPKIXExtendedNetworkAddressStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXExtendedNetworkAddressChoice choice;
- union {
- NSSe1634address *e1634Address;
- NSSPKIXPresentationAddress *psapAddress;
- } u;
-};
-
-/*
- * e163-4-address
- *
- * Helper structure for ExtendedNetworkAddress.
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * e163-4-address SEQUENCE {
- * number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
- * sub-address [1] NumericString
- * (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
- *
- */
-
-struct NSSe1634addressStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSUTF8 *number;
- NSSUTF8 *subAddress;
-};
-
-/*
- * PresentationAddress
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PresentationAddress ::= SEQUENCE {
- * pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
- * sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
- * tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
- * nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
- *
- */
-
-struct NSSPKIXPresentationAddressStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSItem *pSelector;
- NSSItem *sSelector;
- NSSItem *tSelector;
- NSSItem *nAddresses[]; --fgmr--
-};
-
-/*
- * TeletexDomainDefinedAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
- * (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
- *
- */
-
-struct NSSPKIXTeletexDomainDefinedAttributesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * TeletexDomainDefinedAttribute
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * TeletexDomainDefinedAttribute ::= SEQUENCE {
- * type TeletexString
- * (SIZE (1..ub-domain-defined-attribute-type-length)),
- * value TeletexString
- * (SIZE (1..ub-domain-defined-attribute-value-length)) }
- *
- */
-
-struct NSSPKIXTeletexDomainDefinedAttributeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSUTF8 *type;
- NSSUTF8 *value;
-};
-
-/*
- * AuthorityKeyIdentifier
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityKeyIdentifier ::= SEQUENCE {
- * keyIdentifier [0] KeyIdentifier OPTIONAL,
- * authorityCertIssuer [1] GeneralNames OPTIONAL,
- * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
- * -- authorityCertIssuer and authorityCertSerialNumber shall both
- * -- be present or both be absent
- *
- */
-
-struct NSSPKIXAuthorityKeyIdentifierStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXKeyIdentifier *keyIdentifier;
- NSSPKIXGeneralNames *authorityCertIssuer;
- NSSPKIXCertificateSerialNumber *authorityCertSerialNumber;
-};
-
-/*
- * KeyUsage
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * KeyUsage ::= BIT STRING {
- * digitalSignature (0),
- * nonRepudiation (1),
- * keyEncipherment (2),
- * dataEncipherment (3),
- * keyAgreement (4),
- * keyCertSign (5),
- * cRLSign (6),
- * encipherOnly (7),
- * decipherOnly (8) }
- *
- */
-
-struct NSSPKIXKeyUsageStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXKeyUsageValue keyUsage;
-};
-
-/*
- * PrivateKeyUsagePeriod
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PrivateKeyUsagePeriod ::= SEQUENCE {
- * notBefore [0] GeneralizedTime OPTIONAL,
- * notAfter [1] GeneralizedTime OPTIONAL }
- * -- either notBefore or notAfter shall be present
- *
- */
-
-struct NSSPKIXPrivateKeyUsagePeriodStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- --time--
- --time--
-};
-
-/*
- * CertificatePolicies
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
- *
- */
-
-struct NSSPKIXCertificatePoliciesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * PolicyInformation
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyInformation ::= SEQUENCE {
- * policyIdentifier CertPolicyId,
- * policyQualifiers SEQUENCE SIZE (1..MAX) OF
- * PolicyQualifierInfo OPTIONAL }
- *
- */
-
-struct NSSPKIXPolicyInformationStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXCertPolicyId *policyIdentifier;
- NSSPKIXPolicyQualifierInfo *policyQualifiers[];
- --fgmr--
-};
-
-/*
- * PolicyQualifierInfo
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyQualifierInfo ::= SEQUENCE {
- * policyQualifierId PolicyQualifierId,
- * qualifier ANY DEFINED BY policyQualifierId }
- *
- */
-
-struct NSSPKIXPolicyQualifierInfoStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXPolicyQualifierId *policyQualifierId;
- NSSItem *qualifier;
-};
-
-/*
- * UserNotice
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * UserNotice ::= SEQUENCE {
- * noticeRef NoticeReference OPTIONAL,
- * explicitText DisplayText OPTIONAL}
- *
- */
-
-struct NSSPKIXUserNoticeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXNoticeReference *noticeRef;
- NSSPKIXDisplayText *explicitText;
-};
-
-/*
- * NoticeReference
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NoticeReference ::= SEQUENCE {
- * organization DisplayText,
- * noticeNumbers SEQUENCE OF INTEGER }
- *
- */
-
-struct NSSPKIXNoticeReferenceStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXDisplayText *organization;
- NSSItem *noticeNumbers[]; --fgmr--
- ...
-};
-
-/*
- * PolicyMappings
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- */
-
-struct NSSPKIXPolicyMappingsStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXpolicyMapping *policyMappings[]; --fgmr--
- ...
-};
-
-/*
- * policyMapping
- *
- * Helper structure for PolicyMappings
- *
- * SEQUENCE {
- * issuerDomainPolicy CertPolicyId,
- * subjectDomainPolicy CertPolicyId }
- *
- */
-
-struct NSSPKIXpolicyMappingStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXCertPolicyId *issuerDomainPolicy;
- NSSPKIXCertPolicyId *subjectDomainPolicy;
-};
-
-/*
- * GeneralName
- *
- * This structure contains a union of the possible general names,
- * of which there are several.
- *
- * From RFC 2459:
- *
- * GeneralName ::= CHOICE {
- * otherName [0] AnotherName,
- * rfc822Name [1] IA5String,
- * dNSName [2] IA5String,
- * x400Address [3] ORAddress,
- * directoryName [4] Name,
- * ediPartyName [5] EDIPartyName,
- * uniformResourceIdentifier [6] IA5String,
- * iPAddress [7] OCTET STRING,
- * registeredID [8] OBJECT IDENTIFIER }
- *
- */
-
-struct NSSPKIXGeneralNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXGeneralNameChoice choice;
- union {
- NSSPKIXAnotherName *otherName;
- NSSUTF8 *rfc822Name;
- NSSUTF8 *dNSName;
- NSSPKIXORAddress *x400Address;
- NSSPKIXName *directoryName;
- NSSEDIPartyName *ediPartyName;
- NSSUTF8 *uniformResourceIdentifier;
- NSSItem *iPAddress;
- NSSOID *registeredID;
- } u;
-};
-
-/*
- * GeneralNames
- *
- * This structure contains a sequence of GeneralName objects.
- *
- * From RFC 2459:
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- */
-
-struct NSSPKIXGeneralNamesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * AnotherName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AnotherName ::= SEQUENCE {
- * type-id OBJECT IDENTIFIER,
- * value [0] EXPLICIT ANY DEFINED BY type-id }
- *
- */
-
-struct NSSPKIXAnotherNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSOID *typeId;
- NSSItem *value;
-};
-
-/*
- * EDIPartyName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- *
- * EDIPartyName ::= SEQUENCE {
- * nameAssigner [0] DirectoryString OPTIONAL,
- * partyName [1] DirectoryString }
- *
- */
-
-struct NSSPKIXEDIPartyNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXDirectoryString *nameAssigner;
- NSSPKIXDirectoryString *partyname;
-};
-
-/*
- * SubjectDirectoryAttributes
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
- *
- */
-
-struct NSSPKIXSubjectDirectoryAttributesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * BasicConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * BasicConstraints ::= SEQUENCE {
- * cA BOOLEAN DEFAULT FALSE,
- * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
- *
- */
-
-struct NSSPKIXBasicConstraintsStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- PRBool cA;
- PRInt32 pathLenConstraint; --fgmr--
-};
-
-/*
- * NameConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * NameConstraints ::= SEQUENCE {
- * permittedSubtrees [0] GeneralSubtrees OPTIONAL,
- * excludedSubtrees [1] GeneralSubtrees OPTIONAL }
- *
- */
-
-struct NSSPKIXNameConstraintsStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXGeneralSubtrees *permittedSubtrees;
- NSSPKIXGeneralSubtrees *excludedSubtrees;
-};
-
-/*
- * GeneralSubtrees
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
- *
- */
-
-struct NSSPKIXGeneralSubtreesStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * GeneralSubtree
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * GeneralSubtree ::= SEQUENCE {
- * base GeneralName,
- * minimum [0] BaseDistance DEFAULT 0,
- * maximum [1] BaseDistance OPTIONAL }
- *
- */
-
-struct NSSPKIXGeneralSubtreeStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXGeneralName;
- NSSPKIXBaseDistance minimum;
- NSSPKIXBaseDistance maximum;
-};
-
-/*
- * PolicyConstraints
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * PolicyConstraints ::= SEQUENCE {
- * requireExplicitPolicy [0] SkipCerts OPTIONAL,
- * inhibitPolicyMapping [1] SkipCerts OPTIONAL }
- *
- */
-
-struct NSSPKIXPolicyConstraintsStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXSkipCerts *requireExplicitPolicy;
- NSSPKIXSkipCerts *inhibitPolicyMapping;
-};
-
-/*
- * CRLDistPointsSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
- *
- */
-
-struct NSSPKIXCRLDistPointsSyntaxStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * DistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * reasons [1] ReasonFlags OPTIONAL,
- * cRLIssuer [2] GeneralNames OPTIONAL }
- *
- */
-
-struct NSSPKIXDistributionPointStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXDistributionPointName *distributionPoint;
- NSSPKIXReasonFlags *reasons;
- NSSPKIXGeneralNames *cRLIssuer;
-};
-
-/*
- * DistributionPointName
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * DistributionPointName ::= CHOICE {
- * fullName [0] GeneralNames,
- * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
- *
- */
-
-struct NSSPKIXDistributionPointNameStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXDistributionPointNameChoice choice;
- union {
- NSSPKIXGeneralNames *fullName;
- NSSPKIXRelativeDistinguishedName *nameRelativeToCRLIssuer;
- } u;
-};
-
-/*
- * ReasonFlags
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ReasonFlags ::= BIT STRING {
- * unused (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6) }
- *
- */
-
-struct NSSPKIXReasonFlagsStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXReasonFlagsMask reasonFlags;
-};
-
-/*
- * ExtKeyUsageSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
- *
- */
-
-struct NSSPKIXExtKeyUsageSyntaxStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * AuthorityInfoAccessSyntax
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AuthorityInfoAccessSyntax ::=
- * SEQUENCE SIZE (1..MAX) OF AccessDescription
- *
- */
-
-struct NSSPKIXAuthorityInfoAccessSyntaxStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- ...
-};
-
-/*
- * AccessDescription
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * AccessDescription ::= SEQUENCE {
- * accessMethod OBJECT IDENTIFIER,
- * accessLocation GeneralName }
- *
- */
-
-struct NSSPKIXAccessDescriptionStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSOID *accessMethod;
- NSSPKIXGeneralName *accessLocation;
-};
-
-/*
- * IssuingDistributionPoint
- *
- * -- fgmr comments --
- *
- * From RFC 2459:
- *
- * IssuingDistributionPoint ::= SEQUENCE {
- * distributionPoint [0] DistributionPointName OPTIONAL,
- * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
- * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
- * onlySomeReasons [3] ReasonFlags OPTIONAL,
- * indirectCRL [4] BOOLEAN DEFAULT FALSE }
- *
- */
-
-struct NSSPKIXIssuingDistributionPointStr {
- NSSArena *arena;
- PRBool i_allocated_arena;
- NSSDER *der;
- NSSPKIXDistributionPointName *distributionPoint;
- PRBool onlyContainsUserCerts;
- PRBool onlyContainsCACerts;
- NSSPKIXReasonFlags onlySomeReasons;
- PRBool indirectCRL;
-};
-
-PR_END_EXTERN_C
-
-#endif /* PKIXTM_H */
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c
deleted file mode 100644
index cf95b4e26..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
-NSSPKIXAlgorithmIdentifier_Create
-(
- NSSArena *arenaOpt,
- NSSOID *algorithm,
- NSSItem *parameters
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_Create(arenaOpt, algorithm, parameters);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c
deleted file mode 100644
index 1e4e47b03..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
-NSSPKIXAlgorithmIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c
deleted file mode 100644
index f2a901151..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAlgorithmIdentifier_Destroy
-(
- NSSPKIXAlgorithmIdentifier *algid
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_Destroy(algid);
-}
-
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c
deleted file mode 100644
index 186ab49bc..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
-NSSPKIXAlgorithmIdentifier_Duplicate
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_Duplicate(algid, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c
deleted file mode 100644
index d390b3595..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXAlgorithmIdentifier_Encode
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_Encode(algid, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c
deleted file mode 100644
index 65c52a2ba..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKIXAlgorithmIdentifier_Equal
-(
- NSSPKIXAlgorithmIdentifier *algid1,
- NSSPKIXAlgorithmIdentifier *algid2,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_Equal(algid1, algid2, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c
deleted file mode 100644
index be7493a66..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_GetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSOID pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSOID *
-NSSPKIXAlgorithmIdentifier_GetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSOID *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_GetAlgorithm(algid);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c
deleted file mode 100644
index e94622e23..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_GetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSItem *
-NSSPKIXAlgorithmIdentifier_GetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSItem *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSItem *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_GetParameters(algid, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c
deleted file mode 100644
index 0797fbd49..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_AlgorithmIdentifier_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_AlgorithmIdentifier_Clear
-(
- NSSPKIXAlgorithmIdentifier *algid
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSBER *)NULL != algid->ber ) {
- nss_ZFreeIf(algid->ber->data);
- nss_ZFreeIf(algid->ber);
- }
-
- if( (NSSDER *)NULL != algid->der ) {
- nss_ZFreeIf(algid->der->data);
- nss_ZFreeIf(algid->der);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c
deleted file mode 100644
index c527a6a56..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
-nssPKIXAlgorithmIdentifier_Create
-(
- NSSArena *arenaOpt,
- NSSOID *algorithm,
- NSSItem *parameters
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAlgorithmIdentifier *rv = (NSSPKIXAlgorithmIdentifier *)NULL;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAlgorithmIdentifier);
- if( (NSSPKIXAlgorithmIdentifier *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->algorithm = algorithm;
- rv->parameters = nssItem_Duplicate(parameters, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->parameters ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AlgorithmIdentifier_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAlgorithmIdentifier *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c
deleted file mode 100644
index 9713d34db..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
-nssPKIXAlgorithmIdentifier_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAlgorithmIdentifier *rv = (NSSPKIXAlgorithmIdentifier *)NULL;
- PRStatus status;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAlgorithmIdentifier);
- if( (NSSPKIXAlgorithmIdentifier *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv, nssPKIXAlgorithmIdentifier_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AlgorithmIdentifier_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAlgorithmIdentifier *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c
deleted file mode 100644
index 7ef4d1fe1..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAlgorithmIdentifier_Destroy
-(
- NSSPKIXAlgorithmIdentifier *algid
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_AlgorithmIdentifier_remove_pointer(algid);
-#endif /* DEBUG */
-
- if( PR_TRUE == algid->i_allocated_arena ) {
- return nssArena_Destroy(algid->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c
deleted file mode 100644
index ae3cf72b2..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
-nssPKIXAlgorithmIdentifier_Duplicate
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSArena *arenaOpt
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAlgorithmIdentifier *rv = (NSSPKIXAlgorithmIdentifier *)NULL;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAlgorithmIdentifier *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAlgorithmIdentifier);
- if( (NSSPKIXAlgorithmIdentifier *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- rv->ber = nssItem_Duplicate(algid->ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- rv->der = nssItem_Duplicate(algid->der, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->der ) {
- goto loser;
- }
-
- rv->algorithm = algid->algorithm;
-
- rv->parameters = nssItem_Duplicate(algid->parameters, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->parameters ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AlgorithmIdentifier_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAlgorithmIdentifier *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c
deleted file mode 100644
index c9939350a..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXAlgorithmIdentifier_Encode
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- if( (NSSBER *)NULL != algid->ber ) {
- it = algid->ber;
- goto done;
- }
- /*FALLTHROUGH*/
- case NSSASN1DER:
- if( (NSSDER *)NULL != algid->der ) {
- it = algid->der;
- goto done;
- }
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
- return (NSSBER *)NULL;
- }
-
- it = nssASN1_EncodeItem(algid->arena, (NSSItem *)NULL, algid,
- nssPKIXAlgorithmIdentifier_template, encoding);
- if( (NSSBER *)NULL == it ) {
- return (NSSBER *)NULL;
- }
-
- switch( encoding ) {
- case NSSASN1BER:
- algid->ber = it;
- break;
- case NSSASN1DER:
- algid->der = it;
- break;
- default:
- PR_ASSERT(0);
- break;
- }
-
- done:
- return nssItem_Duplicate(it, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c
deleted file mode 100644
index 423dfdb74..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXAlgorithmIdentifier_Equal
-(
- NSSPKIXAlgorithmIdentifier *algid1,
- NSSPKIXAlgorithmIdentifier *algid2,
- PRStatus *statusOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( algid1->algorithm != algid2->algorithm ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
- return PR_FALSE;
- }
-
- return nssItem_Equal(algid1->parameters, algid2->parameters, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c
deleted file mode 100644
index 4c7c37b6e..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_GetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSOID pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSOID *
-nssPKIXAlgorithmIdentifier_GetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSOID *)NULL;
- }
-#endif /* NSSDEBUG */
-
- return algid->algorithm;
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c
deleted file mode 100644
index 5d6f1decb..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_GetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSItem upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSItem *
-nssPKIXAlgorithmIdentifier_GetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *rvOpt,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return (NSSItem *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSItem *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- return nssItem_Duplicate(algid->parameters, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c
deleted file mode 100644
index ccf9f23e2..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_SetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAlgorithmIdentifier_SetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- algid->algorithm = algorithm;
- return nss_pkix_AlgorithmIdentifier_Clear(algid);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c
deleted file mode 100644
index d5a7e8424..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAlgorithmIdentifier_SetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAlgorithmIdentifier_SetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *parameters
-)
-{
- NSSItem *prev;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- prev = algid->parameters;
-
- algid->parameters = nssItem_Duplicate(parameters, algid->arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == algid->parameters ) {
- algid->parameters = prev;
- return PR_FAILURE;
- }
-
- (void)nssItem_Destroy(prev);
- return nss_pkix_AlgorithmIdentifier_Clear(algid);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c
deleted file mode 100644
index d829643e0..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_SetAlgorithm
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAlgorithmIdentifier_SetAlgorithm
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_SetAlgorithm(algid, algorithm);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c
deleted file mode 100644
index d751fb689..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAlgorithmIdentifier_SetParameters
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAlgorithmIdentifier_SetParameters
-(
- NSSPKIXAlgorithmIdentifier *algid,
- NSSItem *parameters
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAlgorithmIdentifier_SetParameters(algid, parameters);
-}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c
deleted file mode 100644
index c9a9f8072..000000000
--- a/security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_algid_pointer_tracker;
-
-/*
- * nss_pkix_AlgorithmIdentifier_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXAlgorithmIdentifier pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_AlgorithmIdentifier_add_pointer
-(
- const NSSPKIXAlgorithmIdentifier *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_algid_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_algid_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- rv = nssArena_registerDestructor(p->arena,
- nss_pkix_AlgorithmIdentifier_remove_pointer, p);
- if( PR_SUCCESS != rv ) {
- (void)nss_pkix_AlgorithmIdentifier_remove_pointer(p);
- return rv;
- }
-
- return rv;
-}
-
-/*
- * nss_pkix_AlgorithmIdentifier_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXAlgorithmIdentifier
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_AlgorithmIdentifier_remove_pointer
-(
- const NSSPKIXAlgorithmIdentifier *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&pkix_algid_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- /*
- * nssArena_deregisterDestructor(p->arena,
- * nss_pkix_AlgorithmIdentifier_remove_pointer, p);
- */
-
- return rv;
-}
-
-/*
- * nssPKIXAlgorithmIdentifier_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAlgorithmIdentifier
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAlgorithmIdentifier_verifyPointer
-(
- NSSPKIXAlgorithmIdentifier *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_algid_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_algid_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
-
diff --git a/security/nss/lib/pkix/src/Attribute/AddValue.c b/security/nss/lib/pkix/src/Attribute/AddValue.c
deleted file mode 100644
index aad082c50..000000000
--- a/security/nss/lib/pkix/src/Attribute/AddValue.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_AddValue
- *
- * This routine adds the specified attribute value to the set in
- * the specified NSSPKIXAttribute.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttribute_AddValue
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue *value
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_AddValue(attribute, value);
-}
-
diff --git a/security/nss/lib/pkix/src/Attribute/Create.c b/security/nss/lib/pkix/src/Attribute/Create.c
deleted file mode 100644
index 9fe406b2d..000000000
--- a/security/nss/lib/pkix/src/Attribute/Create.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_Create
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INSUFFICIENT_VALUES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-NSSPKIXAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value1,
- ...
-)
-{
- va_list ap;
- NSSPKIXAttribute *rv;
- PRUint32 count;
-
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- if( (NSSPKIXAttributeValue *)NULL == value1 ) {
- nss_SetError(NSS_ERROR_INSUFFICIENT_VALUES);
- return (NSSPKIXAttribute *)NULL;
- }
-
- {
- va_start(ap, typeOid);
-
- while( 1 ) {
- NSSPKIXAttributeValue *v;
- v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
- if( (NSSPKIXAttributeValue *)NULL == v ) {
- break;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(v) ) {
- va_end(ap);
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- va_end(ap);
- }
-#endif /* DEBUG */
-
- va_start(ap, typeOid);
-
- for( count = 0; ; count++ ) {
- NSSPKIXAttributeValue *v;
- v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
- if( (NSSPKIXAttributeValue *)NULL == v ) {
- break;
- }
-
-#ifdef PEDANTIC
- if( count == 0xFFFFFFFF ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- va_end(ap);
- return (NSSPKIXAttribute *)NULL;
- }
-#endif /* PEDANTIC */
- }
-
- va_end(ap);
-
- va_start(ap, typeOid);
- rv = nss_pkix_Attribute_V_Create(arenaOpt, typeOid, count, ap);
- va_end(ap);
-
- return rv;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/CreateFromArray.c b/security/nss/lib/pkix/src/Attribute/CreateFromArray.c
deleted file mode 100644
index 2928c3bcc..000000000
--- a/security/nss/lib/pkix/src/Attribute/CreateFromArray.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_CreateFromArray
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-NSSPKIXAttribute_CreateFromArray
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- PRUint32 count,
- NSSPKIXAttributeValue values[]
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- {
- PRUint32 i;
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssItem_verifyPointer(&values[i]) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_CreateFromArray(arenaOpt, typeOid, count, values);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/Decode.c b/security/nss/lib/pkix/src/Attribute/Decode.c
deleted file mode 100644
index a16f195cd..000000000
--- a/security/nss/lib/pkix/src/Attribute/Decode.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_Decode
- *
- * This routine creates an NSSPKIXAttribute by decoding a BER-
- * or DER-encoded Attribute as defined in RFC 2459. This
- * routine may return NULL upon error, in which case it will
- * have created an error stack. If the optional arena argument
- * is non-NULL, that arena will be used for the required memory.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-NSSPKIXAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/Destroy.c b/security/nss/lib/pkix/src/Attribute/Destroy.c
deleted file mode 100644
index bd9454fca..000000000
--- a/security/nss/lib/pkix/src/Attribute/Destroy.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_Destroy
- *
- * This routine destroys an NSSPKIXAttribute. It should be called on
- * all such objects created without an arena. It does not need to be
- * called for objects created with an arena, but it may be. This
- * routine returns a PRStatus value. Upon error, it will create an
- * error stack and return PR_FAILURE.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSPKIXAttribute_Destroy
-(
- NSSPKIXAttribute *attribute
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_Destroy(attribute);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/Duplicate.c b/security/nss/lib/pkix/src/Attribute/Duplicate.c
deleted file mode 100644
index 146a49610..000000000
--- a/security/nss/lib/pkix/src/Attribute/Duplicate.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_Duplicate
- *
- * This routine duplicates an NSSPKIXAttribute. {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-NSSPKIXAttribute_Duplicate
-(
- NSSPKIXAttribute *attribute,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_Duplicate(attribute, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/Encode.c b/security/nss/lib/pkix/src/Attribute/Encode.c
deleted file mode 100644
index 179bd3d68..000000000
--- a/security/nss/lib/pkix/src/Attribute/Encode.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_Encode
- *
- * This routine returns an ASN.1 encoding of the specified
- * NSSPKIXAttribute. {usual rules about itemOpt and arenaOpt}
- * This routine indicates an error (NSS_ERROR_INVALID_DATA)
- * if there are no attribute values (i.e., the last one was removed).
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXAttribute_Encode
-(
- NSSPKIXAttribute *attribute,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_Encode(attribute, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/Equal.c b/security/nss/lib/pkix/src/Attribute/Equal.c
deleted file mode 100644
index d91782aea..000000000
--- a/security/nss/lib/pkix/src/Attribute/Equal.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_Equal
- *
- * This routine compares two NSSPKIXAttribute's for equality.
- * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
- * This routine also returns PR_FALSE upon error; if you're
- * that worried about it, check for an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKIXAttribute_Equal
-(
- NSSPKIXAttribute *one,
- NSSPKIXAttribute *two,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(one) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(two) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_Equal(one, two);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/FindValue.c b/security/nss/lib/pkix/src/Attribute/FindValue.c
deleted file mode 100644
index ba725051f..000000000
--- a/security/nss/lib/pkix/src/Attribute/FindValue.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_FindValue
- *
- * This routine searches the set of attribute values in the specified
- * NSSPKIXAttribute for the provided data. If an exact match is found,
- * then that value's index is returned. If an exact match is not
- * found, -1 is returned. If there is more than one exact match, one
- * index will be returned. {notes about unorderdness of SET, etc}
- * If the index may not be represented as an integer, an error is
- * indicated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-NSSPKIXAttribute_FindValue
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue *value
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_FindValue(attribute, value);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/GetType.c b/security/nss/lib/pkix/src/Attribute/GetType.c
deleted file mode 100644
index 0bae2b988..000000000
--- a/security/nss/lib/pkix/src/Attribute/GetType.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_GetType
- *
- * This routine returns the attribute type oid of the specified
- * NSSPKIXAttribute.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeType *
-NSSPKIXAttribute_GetType
-(
- NSSPKIXAttribute *attribute
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSPKIXAttributeType *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_GetType(attribute);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/GetValue.c b/security/nss/lib/pkix/src/Attribute/GetValue.c
deleted file mode 100644
index afce8d135..000000000
--- a/security/nss/lib/pkix/src/Attribute/GetValue.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_GetValue
- *
- * This routine returns the i'th attribute value of the set of
- * values in the specified NSSPKIXAttribute. Although the set
- * is unordered, an arbitrary ordering will be maintained until
- * the data in the attribute is changed. {usual comments about
- * itemOpt and arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeValue *
-NSSPKIXAttribute_GetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_GetValue(attribute, i, itemOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/GetValueCount.c b/security/nss/lib/pkix/src/Attribute/GetValueCount.c
deleted file mode 100644
index 0cdc36b60..000000000
--- a/security/nss/lib/pkix/src/Attribute/GetValueCount.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_GetValueCount
- *
- * This routine returns the number of attribute values present in
- * the specified NSSPKIXAttribute. This routine returns a PRInt32.
- * Upon error, this routine returns -1. This routine indicates an
- * error if the number of values cannot be expressed as a PRInt32.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-NSSPKIXAttribute_GetValueCount
-(
- NSSPKIXAttribute *attribute
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return -1;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_GetValueCount(attribute);
-}
-
diff --git a/security/nss/lib/pkix/src/Attribute/GetValues.c b/security/nss/lib/pkix/src/Attribute/GetValues.c
deleted file mode 100644
index 986af03d1..000000000
--- a/security/nss/lib/pkix/src/Attribute/GetValues.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_GetValues
- *
- * This routine returns all of the attribute values in the specified
- * NSSPKIXAttribute. If the optional pointer to an array of NSSItems
- * is non-null, then that array will be used and returned; otherwise,
- * an array will be allocated and returned. If the limit is nonzero
- * (which is must be if the specified array is nonnull), then an
- * error is indicated if it is smaller than the value count.
- * {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSItem's upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeValue *
-NSSPKIXAttribute_GetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_GetValues(attribute, rvOpt, limit, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/MClear.c b/security/nss/lib/pkix/src/Attribute/MClear.c
deleted file mode 100644
index 6fb77ba7d..000000000
--- a/security/nss/lib/pkix/src/Attribute/MClear.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nss_pkix_Attribute_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Attribute_Clear
-(
- NSSPKIXAttribute *a
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSBER *)NULL != a->ber ) {
- nss_ZFreeIf(a->ber->data);
- nss_ZFreeIf(a->ber);
- }
-
- if( (NSSDER *)NULL != a->der ) {
- nss_ZFreeIf(a->der->data);
- nss_ZFreeIf(a->der);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/MCount.c b/security/nss/lib/pkix/src/Attribute/MCount.c
deleted file mode 100644
index abb0831cb..000000000
--- a/security/nss/lib/pkix/src/Attribute/MCount.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_Attribute_Count
- *
- * This module-private routine sets the valuesCount part of the
- * NSSPKIXAttribute argument. It does no checking, and is intended
- * only for use inside the NSSPKIXAttribute implementation itself.
- * There is no error return. There is no return value.
- */
-
-NSS_IMPLEMENT void
-nss_pkix_Attribute_Count
-(
- NSSPKIXAttribute *a
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
- if( (nssASN1Item *)NULL == a->asn1values ) {
- nss_SetError(NSS_ERROR_ASSERTION_FAILED);
- return;
- }
-
- if( 0 == a->valuesCount ) {
- PRUint32 i;
- for( i = 0; i < 0xFFFFFFFF; i++ ) {
- if( (nssASN1Item *)NULL == a->asn1values[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0xFFFFFFFF == i ) {
- return;
- }
-#endif /* PEDANTIC */
-
- a->valuesCount = i;
- }
-
- return;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/MVCreate.c b/security/nss/lib/pkix/src/Attribute/MVCreate.c
deleted file mode 100644
index 1a54026d4..000000000
--- a/security/nss/lib/pkix/src/Attribute/MVCreate.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_Attribute_V_Create
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INTERNAL_ERROR;
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-nss_pkix_Attribute_V_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- PRUint32 count,
- va_list ap
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
- PRStatus status;
- PRUint32 i;
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttribute);
- if( (NSSPKIXAttribute *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- rv->type = typeOid;
- {
- NSSItem typeder;
- NSSItem *x = nssOID_GetDEREncoding(rv->type, &typeder, arena);
- if( (NSSItem *)NULL == x ) {
- goto loser;
- }
-
- rv->asn1type.size = typeder.size;
- rv->asn1type.data = typeder.data;
- }
-
- rv->valuesCount = count;
-
- rv->asn1values = nss_ZNEWARRAY(arena, nssASN1Item *, count);
- if( (nssASN1Item **)NULL == rv->asn1values ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSItem tmp;
- NSSPKIXAttributeValue *v = (NSSPKIXAttributeValue *)
- va_arg(ap, NSSPKIXAttributeValue *);
-
- rv->asn1values[i] = nss_ZNEW(arena, nssASN1Item);
- if( (nssASN1Item *)NULL == rv->asn1values[i] ) {
- goto loser;
- }
-
- if( (NSSItem *)NULL == nssItem_Duplicate(v, arena, &tmp) ) {
- goto loser;
- }
-
- rv->asn1values[i].size = tmp.size;
- rv->asn1values[i].data = tmp.data;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS !=
- nssArena_registerDestructor(arena,
- nss_pkix_Attribute_remove_pointer,
- rv) ) {
- (void)nss_pkix_Attribute_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttribute *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PAddValue.c b/security/nss/lib/pkix/src/Attribute/PAddValue.c
deleted file mode 100644
index 732845490..000000000
--- a/security/nss/lib/pkix/src/Attribute/PAddValue.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_AddValue
- *
- * This routine adds the specified attribute value to the set in
- * the specified NSSPKIXAttribute.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttribute_AddValue
-(
- NSSPKIXAttribute *a,
- NSSPKIXAttributeValue *value
-)
-{
- PRUint32 newcount;
- nssASN1Item **new_asn1_items = (nssASN1Item **)NULL;
- NSSItem tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
- if( (nssASN1Item **)NULL == a->asn1values ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- }
-
- if( 0 == a->valuesCount ) {
- PRUint32 i;
-
- for( i = 0; i < 0xFFFFFFFF; i++ ) {
- if( (nssASN1Item *)NULL == a->asn1values[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0xFFFFFFFF == i ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- /* Internal error is that we don't handle them this big */
- return PR_FAILURE;
- }
-#endif /* PEDANTIC */
-
- a->valuesCount = i;
- }
-
- newcount = a->valuesCount + 1;
- /* Check newcount for a rollover. */
-
- /* Remember that our asn1values array is NULL-terminated */
- new_asn1_items = (nssASN1Item **)nss_ZRealloc(a->asn1values,
- ((newcount+1) * sizeof(nssASN1Item *)));
- if( (nssASN1Item **)NULL == new_asn1_items ) {
- goto loser;
- }
-
- new_asn1_items[ a->valuesCount ] = nss_ZNEW(a->arena, nssASN1Item);
- if( (nssASN1Item *)NULL == new_asn1_items[ a->valuesCount ] ) {
- goto loser;
- }
-
- if( (NSSItem *)NULL == nssItem_Duplicate(value, a->arena, &tmp) ) {
- goto loser;
- }
-
- new_asn1_items[ a->valuesCount ]->size = tmp.size;
- new_asn1_items[ a->valuesCount ]->data = tmp.data;
-
- a->valuesCount++;
- a->asn1values = new_asn1_items;
-
- return nss_pkix_Attribute_Clear(a);
-
- loser:
- if( (nssASN1Item **)NULL != new_asn1_items ) {
- nss_ZFreeIf(new_asn1_items[ newcount-1 ]);
- /* We could realloc back down, but we actually know it's a no-op */
- a->asn1values = new_asn1_items;
- }
-
- return PR_FAILURE;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PCreate.c b/security/nss/lib/pkix/src/Attribute/PCreate.c
deleted file mode 100644
index 40dc5c07c..000000000
--- a/security/nss/lib/pkix/src/Attribute/PCreate.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_Create
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_INSUFFICIENT_VALUES
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXAttribute *
-nssPKIXAttribute_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value1,
- ...
-)
-{
- va_list ap;
- NSSPKIXAttribute *rv;
- PRUint32 count;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- if( (NSSPKIXAttributeValue *)NULL == value1 ) {
- nss_SetError(NSS_ERROR_INSUFFICIENT_VALUES);
- return (NSSPKIXAttribute *)NULL;
- }
-
- {
- va_start(ap, typeOid);
-
- while( 1 ) {
- NSSPKIXAttributeValue *v;
- v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
- if( (NSSPKIXAttributeValue *)NULL == v ) {
- break;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(v) ) {
- va_end(ap);
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- va_end(ap);
- }
-#endif /* NSSDEBUG */
-
- va_start(ap, typeOid);
-
- for( count = 0; ; count++ ) {
- NSSPKIXAttributeValue *v;
- v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
- if( (NSSPKIXAttributeValue *)NULL == v ) {
- break;
- }
-
-#ifdef PEDANTIC
- if( count == 0xFFFFFFFF ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- va_end(ap);
- return (NSSPKIXAttribute *)NULL;
- }
-#endif /* PEDANTIC */
- }
-
- va_end(ap);
-
- va_start(ap, typeOid);
- rv = nss_pkix_Attribute_V_Create(arenaOpt, typeOid, count, ap);
- va_end(ap);
-
- return rv;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PCreateFromArray.c b/security/nss/lib/pkix/src/Attribute/PCreateFromArray.c
deleted file mode 100644
index c2d301d12..000000000
--- a/security/nss/lib/pkix/src/Attribute/PCreateFromArray.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXAttribute_CreateFromArray
- *
- * This routine creates an NSSPKIXAttribute from specified components.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack. If the optional arena argument is non-NULL,
- * that arena will be used for the required memory. There must be at
- * least one attribute value specified. The final argument must be
- * NULL, to indicate the end of the set of attribute values.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-nssPKIXAttribute_CreateFromArray
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- PRUint32 count,
- NSSPKIXAttributeValue values[]
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssItem_verifyPointer(&values[i]) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttribute);
- if( (NSSPKIXAttribute *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- rv->type = typeOid;
- {
- NSSItem typeder;
- NSSItem *x = nssOID_GetDEREncoding(rv->type, &typeder, arena);
- if( (NSSItem *)NULL == x ) {
- goto loser;
- }
-
- rv->asn1type.size = typeder.size;
- rv->asn1type.data = typeder.data;
- }
-
- rv->valuesCount = count;
-
- rv->asn1values = nss_ZNEWARRAY(arena, nssASN1Item *, count);
- if( (nssASN1Item **)NULL == rv->asn1values ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSItem tmp;
- NSSPKIXAttributeValue *v = &values[i];
-
- rv->asn1values[i] = nss_ZNEW(arena, nssASN1Item);
- if( (nssASN1Item *)NULL == rv->asn1values[i] ) {
- goto loser;
- }
-
- if( (NSSItem *)NULL == nssItem_Duplicate(v, arena, &tmp) ) {
- goto loser;
- }
-
- rv->asn1values[i].size = tmp.size;
- rv->asn1values[i].data = tmp.data;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS !=
- nssArena_registerDestructor(arena,
- nss_pkix_Attribute_remove_pointer,
- rv) ) {
- (void)nss_pkix_Attribute_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttribute *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PDecode.c b/security/nss/lib/pkix/src/Attribute/PDecode.c
deleted file mode 100644
index 49a059404..000000000
--- a/security/nss/lib/pkix/src/Attribute/PDecode.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXAttribute_Decode
- *
- * This routine creates an NSSPKIXAttribute by decoding a BER-
- * or DER-encoded Attribute as defined in RFC 2459. This
- * routine may return NULL upon error, in which case it will
- * have created an error stack. If the optional arena argument
- * is non-NULL, that arena will be used for the required memory.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-nssPKIXAttribute_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttribute);
- if( (NSSPKIXAttribute *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv, nssPKIXAttribute_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_Attribute_remove_pointer, rv) ) {
- (void)nss_pkix_Attribute_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttribute *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PDestroy.c b/security/nss/lib/pkix/src/Attribute/PDestroy.c
deleted file mode 100644
index 5f2b5a135..000000000
--- a/security/nss/lib/pkix/src/Attribute/PDestroy.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_Destroy
- *
- * This routine destroys an NSSPKIXAttribute. It should be called on
- * all such objects created without an arena. It does not need to be
- * called for objects created with an arena, but it may be. This
- * routine returns a PRStatus value. Upon error, it place an error on
- * the error stack and return PR_FAILURE.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttribute_Destroy
-(
- NSSPKIXAttribute *attribute
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_Attribute_remove_pointer(attribute);
- (void)nssArena_RemoveDestructor(arena, nss_pkix_Attribute_remove_pointer,
- attribute);
-#endif /* DEBUG */
-
- if( PR_TRUE == attribute->i_allocated_arena ) {
- return nssArena_Destroy(attribute->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PDuplicate.c b/security/nss/lib/pkix/src/Attribute/PDuplicate.c
deleted file mode 100644
index 765510e59..000000000
--- a/security/nss/lib/pkix/src/Attribute/PDuplicate.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_Duplicate
- *
- * This routine duplicates an NSSPKIXAttribute. {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttribute upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttribute *
-nssPKIXAttribute_Duplicate
-(
- NSSPKIXAttribute *attribute,
- NSSArena *arenaOpt
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return PR_FAILURE;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttribute);
- if( (NSSPKIXAttribute *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- if( (NSSBER *)NULL != attribute->ber ) {
- rv->ber = nssItem_Duplicate(arena, attribute->ber, (NSSItem *)NULL);
- if( (NSSBER *)NULL == rv->ber ) {
- goto loser;
- }
- }
-
- if( (NSSDER *)NULL != attribute->der ) {
- rv->der = nssItem_Duplicate(arena, attribute->der, (NSSItem *)NULL);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
- }
-
- if( (void *)NULL != attribute->asn1type.data ) {
- rv->asn1type.size = attribute->asn1type.size;
- rv->asn1type.data = nss_ZAlloc(arena, attribute->asn1type.size);
- if( (void *)NULL == rv->asn1type.data ) {
- goto loser;
- }
- (void)nsslibc_memcpy(rv->asn1type.data, attribute->asn1type.data,
- rv->asn1type.size);
- }
-
- if( (nssASN1Item **)NULL != attribute->asn1values ) {
- rv->asn1values = nss_ZNEWARRAY(arena, nssASN1Item *, attribute->valuesCount);
- if( (nssASN1Item **)NULL == rv->asn1values ) {
- goto loser;
- }
-
- for( i = 0; i < attribute->valuesCount; i++ ) {
- nssASN1Item *src;
- nssASN1Item *dst;
-
- src = attribute->asn1values[i];
- dst = nss_ZNEW(arena, nssASN1Item);
- if( (nssASN1Item *)NULL == dst ) {
- goto loser;
- }
-
- rv->asn1values[i] = dst;
-
- dst->size = src->size;
- dst->data = nss_ZAlloc(arena, dst->size);
- if( (void *)NULL == dst->data ) {
- goto loser;
- }
- (void)nsslibc_memcpy(dst->data, src->data, src->size);
- }
- }
-
- rv->type = attribute->type; /* NULL or otherwise */
- rv->valuescount = attribute->valuesCount;
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS !=
- nssArena_registerDestructor(arena,
- nss_pkix_Attribute_remove_pointer,
- rv) ) {
- (void)nss_pkix_Attribute_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttribute *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PEncode.c b/security/nss/lib/pkix/src/Attribute/PEncode.c
deleted file mode 100644
index 7fc647ed2..000000000
--- a/security/nss/lib/pkix/src/Attribute/PEncode.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXAttribute_Encode
- *
- * This routine returns an ASN.1 encoding of the specified
- * NSSPKIXAttribute. {usual rules about itemOpt and arenaOpt}
- * This routine indicates an error (NSS_ERROR_INVALID_DATA)
- * if there are no attribute values (i.e., the last one was removed).
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_DATA
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXAttribute_Encode
-(
- NSSPKIXAttribute *a,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- NSSBER *it;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- if( (NSSBER *)NULL != a->ber ) {
- it = a->ber;
- goto done;
- }
- /*FALLTHROUGH*/
- case NSSASN1DER:
- if( (NSSDER *)NULL != a->der ) {
- it = a->der;
- goto done;
- }
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
- return (NSSBER *)NULL;
- }
-
- it = nssASN1_EncodeItem(a->arena, (NSSItem *)NULL, a,
- nssPKIXAttribute_template, encoding);
- if( (NSSBER *)NULL == it ) {
- return (NSSBER *)NULL;
- }
-
- switch( encoding ) {
- case NSSASN1BER:
- a->ber = it;
- break;
- case NSSASN1DER:
- a->der = it;
- break;
- default:
- PR_ASSERT(0);
- break;
- }
-
- done:
- return nssItem_Duplicate(it, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PEqual.c b/security/nss/lib/pkix/src/Attribute/PEqual.c
deleted file mode 100644
index 247bfd575..000000000
--- a/security/nss/lib/pkix/src/Attribute/PEqual.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_Equal
- *
- * This routine compares two NSSPKIXAttribute's for equality.
- * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
- * This routine also returns PR_FALSE upon error; if you're
- * that worried about it, check for an error stack.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXAttribute_Equal
-(
- NSSPKIXAttribute *one,
- NSSPKIXAttribute *two,
- PRStatus *statusOpt
-)
-{
- PRStatus dummyStatus = PR_SUCCESS; /* quiet warnings */
- PRStatus *status;
- PRUint32 i;
-
- if( (PRStatus *)NULL != statusOpt ) {
- status = statusOpt;
- *status = PR_SUCCESS;
- } else {
- status = &dummyStatus;
- }
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(one) ) {
- *status = PR_FAILURE;
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(two) ) {
- *status = PR_FAILURE;
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( ((NSSDER *)NULL != one->der) && ((NSSDER *)NULL != two->der) ) {
- return nssItem_Equal(one->der, two->der, statusOpt);
- }
-
- if( (NSSPKIXAttributeType *)NULL == one->type ) {
- NSSItem berOid;
- berOid.size = one->asn1type.size;
- berOid.data = one->asn1type.data;
- one->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&berOid);
- }
-
- if( (NSSPKIXAttributeType *)NULL == two->type ) {
- NSSItem berOid;
- berOid.size = two->asn1type.size;
- berOid.data = two->asn1type.data;
- two->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&berOid);
- }
-
- if( one->type != two->type ) {
- return PR_FALSE;
- }
-
- if( 0 == one->valuesCount ) {
- nss_pkix_Attribute_Count(one);
- }
-
-#ifdef PEDANTIC
- if( 0 == one->valuesCount ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- *statusOpt = PR_FAILURE;
- return PR_FALSE;
- }
-#endif /* PEDANTIC */
-
- if( 0 == two->valuesCount ) {
- nss_pkix_Attribute_Count(two);
- }
-
-#ifdef PEDANTIC
- if( 0 == two->valuesCount ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- *statusOpt = PR_FAILURE;
- return PR_FALSE;
- }
-#endif /* PEDANTIC */
-
- if( one->valuesCount != two->valuesCount ) {
- return PR_FALSE;
- }
-
- *status = nss_pkix_Attribute_Distinguish(one);
- if( PR_FAILURE == *status ) {
- return PR_FALSE;
- }
-
- *status = nss_pkix_Attribute_Distinguish(two);
- if( PR_FAILURE == *status ) {
- return PR_FALSE;
- }
-
- for( i == 0; i < one->valuesCount; i++ ) {
- NSSItem onetmp, twotmp;
-
- onetmp.size = one->asn1values[i]->size;
- onetmp.data = one->asn1values[i]->data;
- twotmp.size = two->asn1values[i]->size;
- twotmp.data = two->asn1values[i]->data;
-
- if( PR_FALSE == nssItem_Equal(&one, &two, statusOpt) ) {
- return PR_FALSE;
- }
- }
-
- return PR_TRUE;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PFindValue.c b/security/nss/lib/pkix/src/Attribute/PFindValue.c
deleted file mode 100644
index 0f1095f0c..000000000
--- a/security/nss/lib/pkix/src/Attribute/PFindValue.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_FindValue
- *
- * This routine searches the set of attribute values in the specified
- * NSSPKIXAttribute for the provided data. If an exact match is found,
- * then that value's index is returned. If an exact match is not
- * found, -1 is returned. If there is more than one exact match, one
- * index will be returned. {notes about unorderdness of SET, etc}
- * If the index may not be represented as an integer, an error is
- * indicated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-nssPKIXAttribute_FindValue
-(
- NSSPKIXAttribute *a,
- NSSPKIXAttributeValue *attributeValue
-)
-{
- PRUint32 i;
- nssASN1Item **a;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
- if( (nssASN1Item **)NULL == a->asn1values ) {
- nss_SetError(NSS_ERROR_ASSERTION_FAILED);
- return -1;
- }
-
- for( i = 0, a = &a->asn1values[0]; *a; a++, (i > 0x7fffffff) || i++ ) {
- NSSItem tmp;
-
- tmp.size = (*a)->size;
- tmp.data = (*a)->data;
-
- if( PR_TRUE == nssItem_Equal(attributeValue, &tmp, (PRStatus *)NULL) ) {
- if( i > 0x7fffffff ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
- return (PRInt32)i;
- }
- }
-
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return -1;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetType.c b/security/nss/lib/pkix/src/Attribute/PGetType.c
deleted file mode 100644
index 4b61431b8..000000000
--- a/security/nss/lib/pkix/src/Attribute/PGetType.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_GetType
- *
- * This routine returns the attribute type oid of the specified
- * NSSPKIXAttribute.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeType *
-nssPKIXAttribute_GetType
-(
- NSSPKIXAttribute *a
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return (NSSPKIXAttributeType *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSPKIXAttributeType *)NULL == a->type ) {
- NSSItem ber;
-
- ber.size = a->asn1type.size;
- ber.data = a->asn1type.data;
-
- a->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&ber);
- }
-
- return a->type;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetValue.c b/security/nss/lib/pkix/src/Attribute/PGetValue.c
deleted file mode 100644
index bbf12ca67..000000000
--- a/security/nss/lib/pkix/src/Attribute/PGetValue.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_GetValue
- *
- * This routine returns the i'th attribute value of the set of
- * values in the specified NSSPKIXAttribute. Although the set
- * is unordered, an arbitrary ordering will be maintained until
- * the data in the attribute is changed. {usual comments about
- * itemOpt and arenaOpt} [0,valueCount)
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeValue *
-nssPKIXAttribute_GetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-)
-{
- NSSItem tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == attribute->valuesCount ) {
- nss_pkix_Attribute_Count(attribute);
- }
-
- if( (i < 0) || (i >= attribute->valuesCount) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- tmp.size = attribute->asn1values[i]->size;
- tmp.data = attribute->asn1values[i]->data;
-
- return nssItem_Duplicate(&tmp, arenaOpt, itemOpt);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetValueCount.c b/security/nss/lib/pkix/src/Attribute/PGetValueCount.c
deleted file mode 100644
index ada1d403d..000000000
--- a/security/nss/lib/pkix/src/Attribute/PGetValueCount.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_GetValueCount
- *
- * This routine returns the number of attribute values present in
- * the specified NSSPKIXAttribute. This routine returns a PRInt32.
- * Upon error, this routine returns -1. This routine indicates an
- * error if the number of values cannot be expressed as a PRInt32.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-nssPKIXAttribute_GetValueCount
-(
- NSSPKIXAttribute *attribute
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return -1;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == attribute->valuesCount ) {
- nss_pkix_Attribute_Count(attribute);
- }
-
-#ifdef PEDANTIC
- if( 0 == attribute->valuesCount ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
-#endif /* PEDANTIC */
-
- if( attribute->valuesCount > 0x7fffffff ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
-
- return (PRInt32)(attribute->valuesCount);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetValues.c b/security/nss/lib/pkix/src/Attribute/PGetValues.c
deleted file mode 100644
index ccc11dbe0..000000000
--- a/security/nss/lib/pkix/src/Attribute/PGetValues.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_GetValues
- *
- * This routine returns all of the attribute values in the specified
- * NSSPKIXAttribute. If the optional pointer to an array of NSSItems
- * is non-null, then that array will be used and returned; otherwise,
- * an array will be allocated and returned. If the limit is nonzero
- * (which is must be if the specified array is nonnull), then an
- * error is indicated if it is smaller than the value count.
- * {arenaOpt}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSItem's upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeValue *
-nssPKIXAttribute_GetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-)
-{
- NSSPKIXAttributeValue *rv = (NSSPKIXAttributeValue *)NULL;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == attribute->valuesCount ) {
- nss_pkix_Attribute_Count(attribute);
- }
-
-#ifdef PEDANTIC
- if( 0 == attribute->valuesCount ) {
- if( 0 == limit ) {
- nss_SetError(NSS_ERROR_NO_MEMORY);
- } else {
- nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
- }
- return (NSSPKIXAttributeValue *)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (limit < attribute->valuesCount) &&
- !((0 == limit) && ((NSSPKIXAttributeValue *)NULL == rvOpt)) ) {
- nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- limit = attribute->valuesCount;
- if( (NSSPKIXAttributeValue *)NULL == rvOpt ) {
- rv = nss_ZNEWARRAY(arenaOpt, NSSPKIXAttributeValue, limit);
- if( (NSSPKIXAttributeValue *)NULL == rv ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- for( i = 0; i < limit; i++ ) {
- NSSAttributeValue tmp;
- nssASN1Item *p = attribute->asn1values[i];
- NSSAttributeValue *r = &rv[i];
-
- tmp.size = p->size;
- tmp.data = p->data;
-
- if( (NSSItem *)NULL == nssItem_Duplicate(&tmp, arenaOpt, r) ) {
- goto loser;
- }
- }
-
- return rv;
-
- loser:
- for( i = 0; i < limit; i++ ) {
- NSSAttributeValue *r = &rv[i];
- nss_ZFreeIf(r->data);
- }
-
- if( rv != rvOpt ) {
- nss_ZFreeIf(rv);
- }
-
- return (NSSAttributeValue *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PRemoveValue.c b/security/nss/lib/pkix/src/Attribute/PRemoveValue.c
deleted file mode 100644
index 6da2ebc07..000000000
--- a/security/nss/lib/pkix/src/Attribute/PRemoveValue.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_RemoveValue
- *
- * This routine removes the i'th attribute value of the set in the
- * specified NSSPKIXAttribute. An attempt to remove the last value
- * will fail.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-PR_IMPLEMENET(PRStatus)
-nssPKIXAttribute_RemoveValue
-(
- NSSPKIXAttribute *a,
- PRInt32 i
-)
-{
- nssASN1Item **ip;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == a->valuesCount ) {
- nss_pkix_Attribute_Count(a);
- }
-
- if( i < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- if( 1 == a->valuesCount ) {
- nss_SetError(NSS_ERROR_AT_MINIMUM);
- return PR_FAILURE;
- }
-
-#ifdef PEDANTIC
- if( 0 == a->valuesCount ) {
- /* Too big.. but we can still remove one */
- nss_ZFreeIf(a->asn1values[i].data);
- for( ip = &a->asn1values[i]; *ip; ip++ ) {
- ip[0] = ip[1];
- }
- } else
-#endif /* PEDANTIC */
-
- {
- nssASN1Item *si;
- PRUint32 end;
-
- if( i >= a->valueCount ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- end = a->valuesCount - 1;
-
- si = a->asn1values[i];
- a->asn1values[i] = a->asn1values[ end ];
- a->asn1values[ end ] = (nssASN1Item *)NULL;
-
- nss_ZFreeIf(si->data);
- nss_ZFreeIf(si);
-
- /* We could realloc down, but we know it's a no-op */
- a->valuesCount = end;
- }
-
- return nss_pkix_Attribute_Clear(a);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PSetType.c b/security/nss/lib/pkix/src/Attribute/PSetType.c
deleted file mode 100644
index 8f430aab3..000000000
--- a/security/nss/lib/pkix/src/Attribute/PSetType.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_SetType
- *
- * This routine sets the attribute type oid of the indicated
- * NSSPKIXAttribute to the specified value. Since attributes
- * may be application-defined, no checking can be done on
- * either the correctness of the attribute type oid value nor
- * the suitability of the set of attribute values.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttribute_SetType
-(
- NSSPKIXAttribute *a,
- NSSPKIXAttributeType *attributeType
-)
-{
- NSSDER tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- a->type = attributeType;
-
- nss_ZFreeIf(a->asn1type.data);
- if( (NSSDER *)NULL == nssOID_GetDEREncoding(a->type, &tmp, a->arena) ) {
- return PR_FAILURE;
- }
-
- a->asn1type.size = tmp.size;
- a->asn1type.data = tmp.data;
-
- return nss_pkix_Attribute_Clear(a);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PSetValue.c b/security/nss/lib/pkix/src/Attribute/PSetValue.c
deleted file mode 100644
index 4fd490a6a..000000000
--- a/security/nss/lib/pkix/src/Attribute/PSetValue.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_SetValue
- *
- * This routine sets the i'th attribute value {blah blah; copies
- * memory contents over..}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttribute_SetValue
-(
- NSSPKIXAttribute *a,
- PRInt32 i,
- NSSPKIXAttributeValue *value
-)
-{
- NSSItem tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( i < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- if( 0 == a->valuesCount ) {
- nss_pkix_Attribute_Count(a);
- }
-
- if( (0 != a->valuesCount) && (i > a->valuesCount) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- if( (NSSItem *)NULL == nssItem_Duplicate(value, a->arena, &tmp) ) {
- return PR_FAILURE;
- }
-
- nss_ZFreeIf(a->asn1values[i]->data);
- a->asn1values[i]->size = tmp.size;
- a->asn1values[i]->data = tmp.data;
-
- return nss_pkix_Attribute_Clear(a);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/PSetValues.c b/security/nss/lib/pkix/src/Attribute/PSetValues.c
deleted file mode 100644
index 64df8eb55..000000000
--- a/security/nss/lib/pkix/src/Attribute/PSetValues.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttribute_SetValues
- *
- * This routine sets all of the values of the specified
- * NSSPKIXAttribute to the values in the specified NSSItem array.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttribute_SetValues
-(
- NSSPKIXAttribute *a,
- NSSPKIXAttributeValue values[],
- PRInt32 count
-)
-{
- nssASN1Item **ip;
- nssASN1Item *newarray;
- PRUint32 i;
- nssArenaMark *mark;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
- return PR_FAILURE;
- }
-
- if( (NSSPKIXAttributeValue *)NULL == values ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- if( count < 1 ) {
- nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
- if( (nssASN1Item **)NULL == a->asn1values ) {
- nss_SetError(NSS_ERROR_ASSERTION_FAILED);
- return PR_FAILURE;
- }
-
- mark = nssArena_Mark(a->arena);
- if( (nssArenaMark *)NULL == mark ) {
- return PR_FAILURE;
- }
-
- newarray = nss_ZNEWARRAY(a->arena, nssASN1Item *, count);
- if( (nssASN1Item *)NULL == newarray ) {
- return PR_FAILURE;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSItem tmp;
-
- newarray[i] = nss_ZNEW(a->arena, nssASN1Item);
- if( (nssASN1Item *)NULL == newarray[i] ) {
- goto loser;
- }
-
- if( (NSSItem *)NULL == nssItem_Duplicate(&values[i], a->arena, &tmp) ) {
- goto loser;
- }
-
- newarray[i]->size = tmp.size;
- newarray[i]->data = tmp.data;
- }
-
- for( ip = &a->asn1values[0]; *ip; ip++ ) {
- nss_ZFreeIf((*ip)->data);
- nss_ZFreeIf(*ip);
- }
-
- nss_ZFreeIf(a->asn1values);
-
- a->asn1values = newarray;
- a->valuesCount = count;
-
- (void)nss_pkix_Attribute_Clear(a);
- return nssArena_Unmark(a->arena, mark);
-
- loser:
- (void)nssArena_Release(a->arena, mark);
- return PR_FAILURE;
-}
diff --git a/security/nss/lib/pkix/src/Attribute/RemoveValue.c b/security/nss/lib/pkix/src/Attribute/RemoveValue.c
deleted file mode 100644
index e869fd96a..000000000
--- a/security/nss/lib/pkix/src/Attribute/RemoveValue.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_RemoveValue
- *
- * This routine removes the i'th attribute value of the set in the
- * specified NSSPKIXAttribute. An attempt to remove the last value
- * will fail.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttribute_RemoveValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_RemoveValue(attribute, i);
-}
-
diff --git a/security/nss/lib/pkix/src/Attribute/SetType.c b/security/nss/lib/pkix/src/Attribute/SetType.c
deleted file mode 100644
index 4975c8f8a..000000000
--- a/security/nss/lib/pkix/src/Attribute/SetType.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_SetType
- *
- * This routine sets the attribute type oid of the indicated
- * NSSPKIXAttribute to the specified value. Since attributes
- * may be application-defined, no checking can be done on
- * either the correctness of the attribute type oid value nor
- * the suitability of the set of attribute values.
- *
- * The error value may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttribute_SetType
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeType *attributeType
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_SetType(attribute, attributeType);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/SetValue.c b/security/nss/lib/pkix/src/Attribute/SetValue.c
deleted file mode 100644
index 43f74ad26..000000000
--- a/security/nss/lib/pkix/src/Attribute/SetValue.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_SetValue
- *
- * This routine sets the i'th attribute value {blah blah; copies
- * memory contents over..}
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttribute_SetValue
-(
- NSSPKIXAttribute *attribute,
- PRInt32 i,
- NSSPKIXAttributeValue *value
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttribute_SetValue(attribute, i, value);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/SetValues.c b/security/nss/lib/pkix/src/Attribute/SetValues.c
deleted file mode 100644
index 7c3645cf7..000000000
--- a/security/nss/lib/pkix/src/Attribute/SetValues.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttribute_SetValues
- *
- * This routine sets all of the values of the specified
- * NSSPKIXAttribute to the values in the specified NSSItem array.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttribute_SetValues
-(
- NSSPKIXAttribute *attribute,
- NSSPKIXAttributeValue values[],
- PRInt32 count
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
- return PR_FAILURE;
- }
-
- if( (NSSPKIXAttributeValue *)NULL == values ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- if( count < 1 ) {
- nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKXIAttribute_SetValues(attribute, values, count);
-}
diff --git a/security/nss/lib/pkix/src/Attribute/template.c b/security/nss/lib/pkix/src/Attribute/template.c
deleted file mode 100644
index 850b6a9b0..000000000
--- a/security/nss/lib/pkix/src/Attribute/template.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXAttribute_template
- *
- *
- */
-
-const nssASN1Template nssPKIXAttribute_template[] = {
- { nssASN1_SEQUENCE, 0, NULL, sizeof(NSSPKIXAttribute) },
- { nssASN1_OBJECT_ID, offsetof(NSSPKIXAttribute, asn1type) },
- { nssASN1_SET_OF, offsetof(NSSPKIXAttribute, asn1values),
- nssASN1Template_Any },
- { 0 }
-};
diff --git a/security/nss/lib/pkix/src/Attribute/verifyPointer.c b/security/nss/lib/pkix/src/Attribute/verifyPointer.c
deleted file mode 100644
index c0ae3ed84..000000000
--- a/security/nss/lib/pkix/src/Attribute/verifyPointer.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_attribute_pointer_tracker;
-
-/*
- * nss_pkix_Attribute_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXAttribute pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Attribute_add_pointer
-(
- const NSSPKIXAttribute *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_attribute_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_attribute_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nss_pkix_Attribute_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXAttribute
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Attribute_remove_pointer
-(
- const NSSPKIXAttribute *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&pkix_attribute_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-
-/*
- * nssPKIXAttribute_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXAttribute
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttribute_verifyPointer
-(
- NSSPKIXAttribute *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_attribute_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_attribute_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
-
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c
deleted file mode 100644
index 84e721f80..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue(arenaOpt, typeOid, value);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c
deleted file mode 100644
index 72e0a3114..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_CreateFromUTF8
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_CreateFromUTF8(arenaOpt, string);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c
deleted file mode 100644
index 33b657303..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c
deleted file mode 100644
index b3c28a03f..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttributeTypeAndValue_Destroy
-(
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_Destroy(atav);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c
deleted file mode 100644
index 09d1f27c3..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-NSSPKIXAttributeTypeAndValue_Duplicate
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_Duplicate(atav, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c
deleted file mode 100644
index 1b67be84d..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXAttributeTypeAndValue_Encode
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_Encode(atav, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c
deleted file mode 100644
index 0cbf06eca..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKIXAttributeTypeAndValue_Equal
-(
- NSSPKIXAttributeTypeAndValue *atav1,
- NSSPKIXAttributeTypeAndValue *atav2,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav1) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav2) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_Equal(atav1, atav2, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c
deleted file mode 100644
index 68e2f48f6..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_GetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeType *
-NSSPKIXAttributeTypeAndValue_GetType
-(
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return (NSSPKIXAttributeType *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_GetType(atav);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c
deleted file mode 100644
index 611e4bcb9..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_GetUTF8Encoding(atav, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c
deleted file mode 100644
index 5516c63ea..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_GetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeValue *
-NSSPKIXAttributeTypeAndValue_GetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *itemOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeValue *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_GetValue(atav, itemOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c
deleted file mode 100644
index eeae7db86..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nss_pkix_AttributeTypeAndValue_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_AttributeTypeAndValue_Clear
-(
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSBER *)NULL != atav->ber ) {
- nss_ZFreeIf(atav->ber->data);
- nss_ZFreeIf(atav->ber);
- }
-
- if( (NSSDER *)NULL != atav->der ) {
- nss_ZFreeIf(atav->der->data);
- nss_ZFreeIf(atav->der);
- }
-
- nss_ZFreeIf(atav->utf8);
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c
deleted file mode 100644
index 2dc6d8ac5..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeType *typeOid,
- NSSPKIXAttributeValue *value
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* DEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->type = typeOid;
-
- {
- NSSItem tmp;
- if( (NSSItem *)NULL == nssOID_GetDEREncoding(typeOid, arena, &tmp) ) {
- goto loser;
- }
-
- rv->asn1type.size = tmp.size;
- rv->asn1type.data = tmp.data;
- }
-
- {
- NSSItem tmp;
- if( (NSSItem *)NULL == nssItem_Duplicate(value, arena, &tmp) ) {
- goto loser;
- }
-
- rv->asn1value.size = tmp.size;
- rv->asn1value.data = tmp.data;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttributeTypeAndValue *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c
deleted file mode 100644
index a2fa289ea..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_CreateFromUTF8
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->utf8 = nssUTF8_Duplicate(string, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- /* Fill this in later from ../pki1/atav.c implementation */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttributeTypeAndValue *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c
deleted file mode 100644
index 9e017526c..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
- PRStatus status;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- /* For this object, BER is DER */
- rv->der = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv,
- nssPKIXAttributeTypeAndValue_template,
- ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttributeTypeAndValue *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c
deleted file mode 100644
index 47242f545..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttributeTypeAndValue_Destroy
-(
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_AttributeTypeAndValue_remove_pointer(atav);
- (void)nssArena_RemoveDestructor(arena,
- nss_pkix_AttributeTypeAndValue_remove_pointer, atav);
-#endif /* DEBUG */
-
- if( PR_TRUE == atav->i_allocated_arena ) {
- return nssArena_Destroy(atav->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c
deleted file mode 100644
index 53fc85171..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-nssPKIXAttributeTypeAndValue_Duplicate
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- if( (NSSDER *)NULL != atav->der ) {
- rv->der = nssItem_Duplicate(atav->der, arena, (NSSItem *)NULL);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser; /* actually, this isn't fatal */
- }
- }
-
- {
- NSSItem src, dst;
- src.size = atav->asn1type.size;
- src.data = atav->asn1type.data;
- if( (NSSItem *)NULL == nssItem_Duplicate(&src, arena, &dst) ) {
- goto loser;
- }
- rv->asn1type.size = dst.size;
- rv->asn1type.data = dst.data;
- }
-
- {
- NSSItem src, dst;
- src.size = atav->asn1value.size;
- src.data = atav->asn1value.data;
- if( (NSSItem *)NULL == nssItem_Duplicate(&src, arena, &dst) ) {
- goto loser;
- }
- rv->asn1value.size = dst.size;
- rv->asn1value.data = dst.data;
- }
-
- rv->type = atav->type;
-
- if( (NSSUTF8 *)NULL != atav->utf8 ) {
- rv->utf8 = nssUTF8_Duplicate(atav->utf8, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser; /* actually, this isn't fatal */
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXAttributeTypeAndValue *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c
deleted file mode 100644
index 64a77e590..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSBER *
-nssPKIXAttributeTypeAndValue_Encode
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- case NSSASN1DER:
- break;
- case NSSASN1CER:
- case NSSASN1LWER:
- case NSSASN1PER:
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
- return (NSSBER *)NULL;
- }
-
- /* For this item its DER is BER */
-
- if( (NSSDER *)NULL == atav->der ) {
- atav->der = nssASN1_EncodeDER(atav->arena, (NSSItem *)NULL, a,
- nssPKIXAtributeTypeAndValue_template, NSSASN1DER);
- if( (NSSDER *)NULL == atav->der ) {
- return (NSSBER *)NULL;
- }
- }
-
- return nssItem_Duplicate(a->der, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c
deleted file mode 100644
index 67dc970f1..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXAttributeTypeAndValue_Equal
-(
- NSSPKIXAttributeTypeAndValue *atav1,
- NSSPKIXAttributeTypeAndValue *atav2,
- PRStatus *statusOpt
-)
-{
- NSSItem one, two;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav1) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav2) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- one.size = atav1->asn1type.size;
- one.data = atav1->asn1type.data;
- two.size = atav2->asn1type.size;
- two.data = atav2->asn1type.data;
-
- if( PR_FALSE == nssItem_Equal(&one, &two, statusOpt) ) {
- return PR_FALSE;
- }
-
- one.size = atav1->asn1value.size;
- one.data = atav1->asn1value.data;
- two.size = atav2->asn1value.size;
- two.data = atav2->asn1value.data;
-
- return nssItem_Equal(&one, &two, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c
deleted file mode 100644
index 20411e8ee..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_GetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSPKIXAttributeType pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeType *
-nssPKIXAttributeTypeAndValue_GetType
-(
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSPKIXAttributeType *)NULL == atav->type ) {
- NSSItem ber;
-
- ber.size = atav->asn1type.size;
- ber.data = atav->asn1type.data;
-
- atav->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&ber);
- }
-
- return atav->type;
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c
deleted file mode 100644
index 41145b3cf..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssPKIXAttributeTypeAndValue_GetUTF8Encoding
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == atav->utf8 ) {
- /* xxx fgmr fill this in from the ../pki1/atav.c implementation */
- }
-
- return nssUTF8_Duplicate(atav->utf8, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c
deleted file mode 100644
index 33f9e5b2b..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_GetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSAttributeValue upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXAttributeValue *
-nssPKIXAttributeTypeAndValue_GetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *rvOpt,
- NSSArena *arenaOpt
-)
-{
- NSSItem tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- tmp.size = atav->asn1value.size;
- tmp.data = atav->asn1value.data;
-
- return nssItem_Duplicate(&tmp, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c
deleted file mode 100644
index 4e25b88cc..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_SetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssPKIXAttributeTypeAndValue_SetType
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeType *attributeType
-)
-{
- NSSDER tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- atav->type = attributeType;
-
- nss_ZFreeIf(atav->asn1type.data);
- if( (NSSDER *)NULL == nssOID_GetDEREncoding(atav->type, &tmp, atav->arena) ) {
- return PR_FAILURE;
- }
-
- atav->asn1type.size = tmp.size;
- atav->asn1type.data = tmp.data;
-
- return nss_pkix_AttributeTypeAndValue_Clear(atav);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c
deleted file mode 100644
index 82de4db00..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_SetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttributeTypeAndValue_SetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *value
-)
-{
- NSSItem tmp;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSItem *)NULL == nssItem_Duplicate(value, atav->arena, &tmp) ) {
- return PR_FAILURE;
- }
-
- nss_ZFreeIf(atav->asn1value.data);
- atav->asn1value.size = tmp.size;
- atav->asn1value.data = tmp.data;
-
- return nss_pkix_AttributeTypeAndValue_Clear(atav);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c
deleted file mode 100644
index 672b7b738..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_SetType
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_OID
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttributeTypeAndValue_SetType
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeType *attributeType
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_SetType(atav, attributeType);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c
deleted file mode 100644
index fafc54d6c..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXAttributeTypeAndValue_SetValue
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXAttributeTypeAndValue_SetValue
-(
- NSSPKIXAttributeTypeAndValue *atav,
- NSSPKIXAttributeValue *value
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXAttributeTypeAndValue_SetValue(atav, value);
-}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/template.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/template.c
deleted file mode 100644
index 548a4fac9..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/template.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXAttributeTypeAndValue_template
- *
- */
-
-const nssASN1Template nssPKIXAttributeTypeAndValue_template[] = {
- { nssASN1_SEQUENCE, 0, NULL, sizeof(NSSPKIXAttributeTypeAndValue) },
- { nssASN1_OBJECT_ID, offsetof(NSSPKIXAttributeTypeAndValue, asn1type) },
- { nssASN1_ANY, offsetof(NSSPKIXAttributeTypeAndValue, asn1value) },
- { 0 }
-};
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c
deleted file mode 100644
index 340e19c1b..000000000
--- a/security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_atav_pointer_tracker;
-
-/*
- * nss_pkix_AttributeTypeAndValue_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXAttributeTypeAndValue
- * pointer to the internal pointer-tracker. This routine should only
- * be used by the NSSPKIX module. This routine returns a PRStatus
- * value; upon error it will place an error on the error stack and
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_AttributeTypeAndValue_add_pointer
-(
- const NSSPKIXAttributeTypeAndValue *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_atav_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_atav_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- rv = nssArena_registerDestructor(arena,
- nss_pkix_AttributeTypeAndValue_remove_pointer, p);
- if( PR_SUCCESS != rv ) {
- (void)nss_pkix_AttributeTypeAndValue_remove_pointer(p);
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nss_pkix_AttributeTypeAndValue_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid
- * NSSPKIXAttributeTypeAndValue pointer from the internal
- * pointer-tracker. This routine should only be used by the
- * NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_AttributeTypeAndValue_remove_pointer
-(
- const NSSPKIXAttributeTypeAndValue *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&pkix_atav_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- /*
- * nssArena_deregisterDestructor(p->arena,
- * nss_pkix_AttributeTypeAndValue_remove_pointer, p);
- */
-
- return rv;
-}
-
-/*
- * nssPKIXAttributeTypeAndValue_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an
- * NSSPKIXAttributeTypeAndValue object, this routine will return
- * PR_SUCCESS. Otherwise, it will put an error on the error stack
- * and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXAttributeTypeAndValue_verifyPointer
-(
- NSSPKIXAttributeTypeAndValue *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_atav_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_atav_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
-
diff --git a/security/nss/lib/pkix/src/Name/Create.c b/security/nss/lib/pkix/src/Name/Create.c
deleted file mode 100644
index dc9059f0b..000000000
--- a/security/nss/lib/pkix/src/Name/Create.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-NSSPKIXName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXNameChoice choice,
- void *arg
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- switch( choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- {
- NSSPKIXRDNSequence *r = (NSSPKIXRDNSequence *)arg;
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(r) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INVALID_CHOICE);
- return (NSSPKIXName *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXName_Create(arenaOpt, choice, arg);
-}
diff --git a/security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c b/security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c
deleted file mode 100644
index da07742cc..000000000
--- a/security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_CreateFromRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-NSSPKIXName_CreateFromRDNSequence
-(
- NSSArena *arenaOpt,
- NSSPKIXRDNSequence *rdnSequence
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnSequence) ) {
- return (NSSPKIXName *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXName_CreateFromRDNSequence(arenaOpt, rdnSequence);
-}
diff --git a/security/nss/lib/pkix/src/Name/CreateFromUTF8.c b/security/nss/lib/pkix/src/Name/CreateFromUTF8.c
deleted file mode 100644
index f2111ea75..000000000
--- a/security/nss/lib/pkix/src/Name/CreateFromUTF8.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-NSSPKIXName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXName_CreateFromUTF8(arenaOpt, string);
-}
diff --git a/security/nss/lib/pkix/src/Name/Decode.c b/security/nss/lib/pkix/src/Name/Decode.c
deleted file mode 100644
index b30fac01e..000000000
--- a/security/nss/lib/pkix/src/Name/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_CreateFromBER
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-NSSPKIXName_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXName *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXName_CreateFromBER(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/Name/Destroy.c b/security/nss/lib/pkix/src/Name/Destroy.c
deleted file mode 100644
index c8c2bc9f2..000000000
--- a/security/nss/lib/pkix/src/Name/Destroy.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXName_Destroy
-(
- NSSPKIXName *name
-)
-{
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXName_Destroy(name);
-}
diff --git a/security/nss/lib/pkix/src/Name/Duplicate.c b/security/nss/lib/pkix/src/Name/Duplicate.c
deleted file mode 100644
index 6c8831729..000000000
--- a/security/nss/lib/pkix/src/Name/Duplicate.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-NSSPKIXName_Duplicate
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (NSSDER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSDER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXName_Duplicate(name, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/Encode.c b/security/nss/lib/pkix/src/Name/Encode.c
deleted file mode 100644
index 344a53724..000000000
--- a/security/nss/lib/pkix/src/Name/Encode.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXName_Encode
-(
- NSSPKIXName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXName_Encode(name, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/Equal.c b/security/nss/lib/pkix/src/Name/Equal.c
deleted file mode 100644
index 9a74eef94..000000000
--- a/security/nss/lib/pkix/src/Name/Equal.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKIXName_Equal
-(
- NSSPKIXName *name1,
- NSSPKIXName *name2,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(name1) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(name2) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIX_Equal(name1, name2, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/GetChoice.c b/security/nss/lib/pkix/src/Name/GetChoice.c
deleted file mode 100644
index 8a36ada00..000000000
--- a/security/nss/lib/pkix/src/Name/GetChoice.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * A valid element of the NSSPKIXNameChoice enumeration upon success
- * The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
- */
-
-NSS_IMPLEMENT NSSPKIXNameChoice
-NSSPKIXName_GetChoice
-(
- NSSPKIXName *name
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return NSSPKIXNameChoice_NSSinvalid;
- }
-#endif /* DEBUG */
-
- return nssPKIXName_GetChoice(name);
-}
diff --git a/security/nss/lib/pkix/src/Name/GetRDNSequence.c b/security/nss/lib/pkix/src/Name/GetRDNSequence.c
deleted file mode 100644
index 94562ae3c..000000000
--- a/security/nss/lib/pkix/src/Name/GetRDNSequence.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_GetRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A pointer to a valid NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-NSSPKIXName_GetRDNSequence
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXName_GetRDNSequence(name, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c b/security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c
deleted file mode 100644
index 3de2d5b84..000000000
--- a/security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer ...
- * NULL upon failure
- */
-
-NSS_IMPLEMENT void *
-NSSPKIXName_GetSpecifiedChoice
-(
- NSSPKIXName *name,
- NSSPKIXNameChoice choice,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(name) ) {
- return (void *)NULL;
- }
-
- switch( choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INVALID_CHOICE);
- return (void *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (void *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXName_GetSpecifiedChoice(name, choice, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/GetUTF8Encoding.c b/security/nss/lib/pkix/src/Name/GetUTF8Encoding.c
deleted file mode 100644
index c86dd94b2..000000000
--- a/security/nss/lib/pkix/src/Name/GetUTF8Encoding.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSPKIXName_GetUTF8Encoding
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXName_GetUTF8Encoding(name, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/MClear.c b/security/nss/lib/pkix/src/Name/MClear.c
deleted file mode 100644
index e8d6b1961..000000000
--- a/security/nss/lib/pkix/src/Name/MClear.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nss_pkix_Name_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Name_Clear
-(
- NSSPKIXName *name
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSBER *)NULL != name->ber ) {
- nss_ZFreeIf(name->ber->data);
- nss_ZFreeIf(name->ber);
- }
-
- if( (NSSDER *)NULL != name->der ) {
- nss_ZFreeIf(name->der->data);
- nss_ZFreeIf(name->der);
- }
-
- nss_ZFreeIf(name->utf8);
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/Name/Mregister.c b/security/nss/lib/pkix/src/Name/Mregister.c
deleted file mode 100644
index 09ddb9d99..000000000
--- a/security/nss/lib/pkix/src/Name/Mregister.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifdef NSSDEBUG
-/*
- * nss_pkix_Name_register
- *
- * Registers whatever sub-component exists within this Name.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Name_register
-(
- NSSPKIXName *name
-)
-{
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return PR_FAILURE;
- }
-
- switch( name->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- /* add pointer */
- /* (sub-)register pointer */
- /* add destructor to arena */
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/Name/PCreate.c b/security/nss/lib/pkix/src/Name/PCreate.c
deleted file mode 100644
index e93737599..000000000
--- a/security/nss/lib/pkix/src/Name/PCreate.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_CHOICE
- * NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-nssPKIXName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXNameChoice choice,
- void *arg
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXName *rv = (NSSPKIXName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- switch( choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- if( (PR_SUCCESS != nssPKIXRDNSequence_verifyPointer((NSSPKIXRDNSequence *)arg) ) ) {
- nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
- return (NSSPKIXName *)NULL;
- }
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INVALID_CHOICE);
- return (NSSPKIXName *)NULL;
- }
-#endif /* NSSDEBUG */
-
- switch( choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INVALID_CHOICE);
- goto loser;
- }
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXName);
- if( (NSSPKIXName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->utf8 = nssUTF8_Duplicate(string, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- rv->choice = choice;
- switch( choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- rv->u.rdnSequence = nssPKIXRDNSequence_Duplicate((NSSPKIXRDNSequence *)arg, arena);
- if( (NSSPKIXRDNSequence *)NULL == rv->u.rdnSequence ) {
- goto loser;
- }
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INVALID_CHOICE);
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_Name_remove_pointer, rv) ) {
- (void)nss_pkix_Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c b/security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c
deleted file mode 100644
index 169e409a3..000000000
--- a/security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_CreateFromRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-nssPKIXName_CreateFromRDNSequence
-(
- NSSArena *arenaOpt,
- NSSPKIXRDNSequence *rdnSequence
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXName *rv = (NSSPKIXName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( (PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnSequence) ) ) {
- return (NSSPKIXName *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXName);
- if( (NSSPKIXName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->utf8 = nssUTF8_Duplicate(string, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- rv->choice = NSSPKIXNameChoice_rdnSequence;
- rv->u.rdnSequence = nssPKIXRDNSequence_Duplicate(rdnSequence, arena);
- if( (NSSPKIXRDNSequence *)NULL == rv->u.rdnSequence ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_Name_remove_pointer, rv) ) {
- (void)nss_pkix_Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PCreateFromUTF8.c b/security/nss/lib/pkix/src/Name/PCreateFromUTF8.c
deleted file mode 100644
index 0939a19e3..000000000
--- a/security/nss/lib/pkix/src/Name/PCreateFromUTF8.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-nssPKIXName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXName *rv = (NSSPKIXName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXName *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXName);
- if( (NSSPKIXName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->utf8 = nssUTF8_Duplicate(string, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- /* Insert intelligence here -- fgmr */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_Name_remove_pointer, rv) ) {
- (void)nss_pkix_Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PDecode.c b/security/nss/lib/pkix/src/Name/PDecode.c
deleted file mode 100644
index d3f20d473..000000000
--- a/security/nss/lib/pkix/src/Name/PDecode.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_CreateFromBER
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-nssPKIXName_CreateFromBER
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXName *rv = (NSSPKIXName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXName *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXName);
- if( (NSSPKIXName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv, nssPKIXName_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PDestroy.c b/security/nss/lib/pkix/src/Name/PDestroy.c
deleted file mode 100644
index f1fd41721..000000000
--- a/security/nss/lib/pkix/src/Name/PDestroy.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXName_Destroy
-(
- NSSPKIXName *name
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_Name_remove_pointer(name);
-#endif /* DEBUG */
-
- if( PR_TRUE == name->i_allocated_arena ) {
- return nssArena_Destroy(name->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/Name/PDuplicate.c b/security/nss/lib/pkix/src/Name/PDuplicate.c
deleted file mode 100644
index c5788a0f1..000000000
--- a/security/nss/lib/pkix/src/Name/PDuplicate.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXName *
-nssPKIXName_Duplicate
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXName *rv = (NSSPKIXName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXName *)NULL;
- }
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXName);
- if( (NSSPKIXName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- if( (NSSBER *)NULL != name->ber ) {
- rv->ber = nssItem_Duplicate(name->ber, arena, (NSSItem *)NULL);
- if( (NSSBER *)NULL == rv->ber ) {
- goto loser;
- }
- }
-
- if( (NSSDER *)NULL != name->der ) {
- rv->der = nssItem_Duplicate(name->der, arena, (NSSItem *)NULL);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
- }
-
- if( (NSSUTF8 *)NULL != name->utf8 ) {
- rv->utf8 = nssUTF8_duplicate(name->utf8, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
- }
-
- rv->choice = name->choice;
- switch( name->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- rv->u.rdnSequence = nssPKIXRDNSequence_Duplicate(name->u.rdnSequence, arena);
- if( (NSSPKIXRDNSequence *)NULL == rv->u.rdnSequence ) {
- goto loser;
- }
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_Name_remove_pointer, rv) ) {
- (void)nss_pkix_Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PEncode.c b/security/nss/lib/pkix/src/Name/PEncode.c
deleted file mode 100644
index 469b528fb..000000000
--- a/security/nss/lib/pkix/src/Name/PEncode.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXName_Encode
-(
- NSSPKIXName *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- NSSBER *it;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- if( (NSSBER *)NULL != name->ber ) {
- it = name->ber;
- goto done;
- }
- /*FALLTHROUGH*/
- case NSSASN1DER:
- if( (NSSDER *)NULL != name->der ) {
- it = name->der;
- goto done;
- }
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
- return (NSSBER *)NULL;
- }
-
- it = nssASN1_EncodeItem(name->arena, (NSSItem *)NULL, name,
- nssPKIXName_template, encoding);
- if( (NSSBER *)NULL == it ) {
- return (NSSBER *)NULL;
- }
-
- switch( encoding ) {
- case NSSASN1BER:
- name->ber = it;
- break;
- case NSSASN1DER:
- name->der = it;
- break;
- default:
- PR_ASSERT(0);
- break;
- }
-
- done:
- return nssItem_Duplicate(it, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/PEqual.c b/security/nss/lib/pkix/src/Name/PEqual.c
deleted file mode 100644
index 5ad91dd2a..000000000
--- a/security/nss/lib/pkix/src/Name/PEqual.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXName_Equal
-(
- NSSPKIXName *one,
- NSSPKIXName *two,
- PRStatus *statusOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(one) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXName_verifyPointer(two) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( ((NSSDER *)NULL != one->der) && ((NSSDER *)NULL != two->der) ) {
- return nssItem_Equal(one->der, two->der, statusOpt);
- }
-
- if( one->choice != two->choice ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
- return PR_FALSE;
- }
-
- switch( one->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- return nssPKIXRDNSequence_Equal(one->u.rdnSequence, two->u.rdnSequence, statusOpt);
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- break;
- }
-
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
-}
diff --git a/security/nss/lib/pkix/src/Name/PGetChoice.c b/security/nss/lib/pkix/src/Name/PGetChoice.c
deleted file mode 100644
index f34a93908..000000000
--- a/security/nss/lib/pkix/src/Name/PGetChoice.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_GetChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- *
- * Return value:
- * A valid element of the NSSPKIXNameChoice enumeration upon success
- * The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
- */
-
-NSS_IMPLEMENT NSSPKIXNameChoice
-nssPKIXName_GetChoice
-(
- NSSPKIXName *name
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return NSSPKIXNameChoice_NSSinvalid;
- }
-#endif /* NSSDEBUG */
-
- return name->choice;
-}
diff --git a/security/nss/lib/pkix/src/Name/PGetRDNSequence.c b/security/nss/lib/pkix/src/Name/PGetRDNSequence.c
deleted file mode 100644
index 0899e550d..000000000
--- a/security/nss/lib/pkix/src/Name/PGetRDNSequence.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_GetRDNSequence
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A pointer to a valid NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nssPKIXName_GetRDNSequence
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( name->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- return nssPKIXRDNSequence_Duplicate(name->u.rdnSequence, arenaOpt);
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- break;
- }
-
- nss_SetError(NSS_ERROR_WRONG_CHOICE);
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c b/security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c
deleted file mode 100644
index a24c8ea86..000000000
--- a/security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_GetSpecifiedChoice
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_WRONG_CHOICE
- *
- * Return value:
- * A valid pointer ...
- * NULL upon failure
- */
-
-NSS_IMPLEMENT void *
-nssPKIXName_GetSpecifiedChoice
-(
- NSSPKIXName *name,
- NSSPKIXNameChoice choice,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (void *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (void *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( choice != name->choice ) {
- nss_SetError(NSS_ERROR_WRONG_CHOICE);
- return (void *)NULL;
- }
-
- switch( name->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- return (void *)nssPKIXRDNSequence_Duplicate(name->u.rdnSequence, arenaOpt);
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- break;
- }
-
- nss_SetError(NSS_ERROR_WRONG_CHOICE);
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c
deleted file mode 100644
index 164229277..000000000
--- a/security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_NAME
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssPKIXName_GetUTF8Encoding
-(
- NSSPKIXName *name,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == name->utf8 ) {
- /* xxx fgmr fill this in from pki1 implementation */
- }
-
- return nssUTF8_Duplicate(name->utf8, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Name/template.c b/security/nss/lib/pkix/src/Name/template.c
deleted file mode 100644
index 72ac85466..000000000
--- a/security/nss/lib/pkix/src/Name/template.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXName_template
- *
- */
-
-const nssASN1Template nssPKIXName_template[] = {
- { nssASN1_CHOICE, offsetof(NSSPKIXName, choice), 0, sizeof(NSSPKIXName) },
- { nssASN1_POINTER, offsetof(NSSPKIXName, u.rdnSequence),
- nssPKIXRDNSequence_template, NSSPKIXNameChoice_rdnSequence },
- { 0 }
-};
diff --git a/security/nss/lib/pkix/src/Name/verifyPointer.c b/security/nss/lib/pkix/src/Name/verifyPointer.c
deleted file mode 100644
index 6c27e5910..000000000
--- a/security/nss/lib/pkix/src/Name/verifyPointer.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_name_pointer_tracker;
-
-/*
- * nss_pkix_Name_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXName pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Name_add_pointer
-(
- const NSSPKIXName *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_name_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_name_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- rv = nssArena_registerDestructor(p->arena,
- nss_pkix_Name_remove_pointer, p);
- if( PR_SUCCESS != rv ) {
- (void)nss_pkix_Name_remove_pointer(p);
- return rv;
- }
-
-#ifdef NSSDEBUG
- switch( p->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- rv = nss_pkix_RDNSequence_register(p->u.rdnSequence);
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- rv = PR_FAILURE;
- break;
- }
-
- if( PR_SUCCESS != rv ) {
- (void)nss_pkix_Name_remove_pointer(p);
- }
-#endif /* NSSDEBUG */
-
- return rv;
-}
-
-/*
- * nss_pkix_Name_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXName
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_Name_remove_pointer
-(
- const NSSPKIXName *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&pkix_name_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
-#ifdef NSSDEBUG
- switch( p->choice ) {
- case NSSPKIXNameChoice_rdnSequence:
- (void)nss_pkix_RDNSequence_register(p->u.rdnSequence);
- break;
- case NSSPKIXNameChoice_NSSinvalid:
- default:
- break;
- }
-#endif /* NSSDEBUG */
-
- /*
- * nssArena_deregisterDestructor(p->arena,
- * nss_pkix_Name_remove_pointer, p);
- */
-
- return rv;
-}
-
-/*
- * nssPKIXName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXName_verifyPointer
-(
- NSSPKIXName *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_name_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_name_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
-
diff --git a/security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c
deleted file mode 100644
index 4e0d0d018..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_AppendRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRDNSequence_AppendRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_AppendRelativeDistinguishedName(rdnseq, rdn);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Create.c b/security/nss/lib/pkix/src/RDNSequence/Create.c
deleted file mode 100644
index 52b8a851c..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/Create.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXRelativeDistinguishedName *rdn1,
- ...
-)
-{
- va_list ap;
- NSSPKIXRDNSequence *rv;
- PRUint32 count;
-
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- /* Is there a nonzero minimum number of RDNs required? */
-
- {
- va_start(ap, arenaOpt);
-
- while( 1 ) {
- NSSPKIXRelativeDistinguishedName *rdn;
- rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
- break;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- va_end(ap);
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- va_end(ap);
- }
-#endif /* DEBUG */
-
- va_start(ap, arenaOpt);
-
- for( count = 0; ; count++ ) {
- NSSPKIXRelativeDistinguishedName *rdn;
- rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
- break;
- }
-
-#ifdef PEDANTIC
- if( count == 0xFFFFFFFF ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- va_end(ap);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
- }
-
- va_end(ap);
-
- va_start(ap, arenaOpt);
- rv = nss_pkix_RDNSequence_V_Create(arenaOpt, count, ap);
- va_end(ap);
-
- return rv;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c b/security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c
deleted file mode 100644
index b6412187c..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Create
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXRelativeDistinguishedName *rdns[]
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- {
- PRUint32 i;
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(&rdns[i]) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_CreateFromArray(arenaOpt, count, rnds);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c b/security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c
deleted file mode 100644
index dcdbc54a2..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXRDNSequence *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_CreateFromUTF8(arenaOpt, string);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Decode.c b/security/nss/lib/pkix/src/RDNSequence/Decode.c
deleted file mode 100644
index ebbad116a..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Destroy.c b/security/nss/lib/pkix/src/RDNSequence/Destroy.c
deleted file mode 100644
index 5962364e5..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/Destroy.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRDNSequence_Destroy
-(
- NSSPKIXRDNSequence *rdnseq
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_Destroy(rdnseq);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Duplicate.c b/security/nss/lib/pkix/src/RDNSequence/Duplicate.c
deleted file mode 100644
index 2bf53ba59..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/Duplicate.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-NSSPKIXRDNSequence_Duplicate
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_Duplicate(rdnseq, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Encode.c b/security/nss/lib/pkix/src/RDNSequence/Encode.c
deleted file mode 100644
index 84ab4db67..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/Encode.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXRDNSequence_Encode
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_Encode(rdnseq, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Equal.c b/security/nss/lib/pkix/src/RDNSequence/Equal.c
deleted file mode 100644
index fe0fa0f07..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/Equal.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKIXRDNSequence_Equal
-(
- NSSPKIXRDNSequence *one,
- NSSPKIXRDNSequence *two,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(one) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(two) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_Equal(one, two, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c
deleted file mode 100644
index cb04286d3..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_FindRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-NSSPKIXRDNSequence_FindRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_FindRelativeDistinguishedName(rdnseq, rdn);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c
deleted file mode 100644
index 9b152f4da..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_GetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-NSSPKIXRDNSequence_GetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_GetRelativeDistinguishedName(rdnseq, i, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c
deleted file mode 100644
index 05b5e89b4..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
-(
- NSSPKIXRDNSequence *rdnseq
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return -1;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_GetRelativeDistinguishedNameCount(rdnseq);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c
deleted file mode 100644
index 06d419bed..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_GetRelativeDistinguishedNames
- *
- * This routine returns all of the relative distinguished names in the
- * specified RDN Sequence. {...} If the array is allocated, or if the
- * specified one has extra space, the array will be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXRelativeDistinguishedName
- * pointers upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName **
-NSSPKIXRDNSequence_GetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_GetRelativeDistinguishedNames(rdnseq, rvOpt, limit, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c b/security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c
deleted file mode 100644
index 4519a5ba4..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSPKIXRDNSequence_GetUTF8Encoding
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_GetUTF8Encoding(rdnseq, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c
deleted file mode 100644
index 433c2a315..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_InsertRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRDNSequence_InsertRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_InsertRelativeDistinguishedName(rdnseq, i, rdn);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/MClear.c b/security/nss/lib/pkix/src/RDNSequence/MClear.c
deleted file mode 100644
index 7df7eb099..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/MClear.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nss_pkix_RDNSequence_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_RDNSequence_Clear
-(
- NSSPKIXRDNSequence *rdnseq
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSBER *)NULL != rdnseq->ber ) {
- nss_ZFreeIf(rdnseq->ber->data);
- nss_ZFreeIf(rdnseq->ber);
- }
-
- if( (NSSDER *)NULL != rdnseq->der ) {
- nss_ZFreeIf(rdnseq->der->data);
- nss_ZFreeIf(rdnseq->der);
- }
-
- nss_ZFreeIf(rdnseq->utf8);
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/MCount.c b/security/nss/lib/pkix/src/RDNSequence/MCount.c
deleted file mode 100644
index 649721c9f..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/MCount.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_RDNSequence_Count
- */
-
-NSS_IMPLEMENT void
-nss_pkix_RDNSequence_Count
-(
- NSSPKIXRDNSequence *rdnseq
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((NSSPKIXRelativeDistinguishedName **)NULL != rdnseq->rdns);
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rdnseq->rdns ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- }
-
- if( 0 == rdnseq->count ) {
- PRUint32 i;
- for( i = 0; i < 0xFFFFFFFF; i++ ) {
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdnseq->rdns[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0xFFFFFFFF == i ) {
- return;
- }
-#endif /* PEDANTIC */
-
- rdnseq->count = i;
- }
-
- return;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/MVCreate.c b/security/nss/lib/pkix/src/RDNSequence/MVCreate.c
deleted file mode 100644
index caeb1995f..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/MVCreate.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nss_pkix_RDNSequence_v_create
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nss_pkix_RDNSequence_v_create
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- va_list ap
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
- if( (NSSPKIXRDNSequence *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->count = count;
-
- rv->rdns = nss_ZNEWARRAY(arena, NSSPKIXRelativeDistinguishedName *, count);
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rv->rdns ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSPKIXRelativeDistinguishedName *v = (NSSPKIXRelativeDistinguishedName *)
- va_arg(ap, NSSPKIXRelativeDistinguishedName *);
-
-#ifdef NSSDEBUG
- /*
- * It's okay to test this down here, since
- * supposedly these have already been checked.
- */
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(v) ) {
- goto loser;
- }
-#endif /* NSSDEBUG */
-
- rv->rdns[i] = nssPKIXRelativeDistinguishedName_Duplicate(v, arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv->rdns[i] ) {
- goto loser;
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c
deleted file mode 100644
index 9d1ea4875..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_AppendRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_AppendRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- NSSPKIXRelativeDistinguishedName **na;
- NSSPKIXRelativeDistinguishedName *dup;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
-
- na = (NSSPKIXRelativeDistinguishedName **)
- nss_ZRealloc(rdnseq->rdns, ((rdnseq->count+2) *
- sizeof(NSSPKIXRelativeDistinguishedName *)));
- if( (NSSPKIXRelativeDistinguishedName **)NULL == na ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- rdnseq->rdns = na;
-
- dup = nssPKIXRelativeDistinguishedName_Duplicate(rdn, rdnseq->arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == dup ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- na[ rdnseq->count++ ] = dup;
-
- return nss_pkix_RDNSequence_Clear(rdnseq);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PCreate.c b/security/nss/lib/pkix/src/RDNSequence/PCreate.c
deleted file mode 100644
index 0fdc6848f..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PCreate.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nssPKIXRDNSequence_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXRelativeDistinguishedName *rdn1,
- ...
-)
-{
- va_list ap;
- NSSPKIXRDNSequence *rv;
- PRUint32 count;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- /* Is there a nonzero minimum number of RDNs required? */
-
- {
- va_start(ap, arenaOpt);
-
- while( 1 ) {
- NSSPKIXRelativeDistinguishedName *rdn;
- rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
- break;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- va_end(ap);
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- va_end(ap);
- }
-#endif /* NSSDEBUG */
-
- va_start(ap, arenaOpt);
-
- for( count = 0; ; count++ ) {
- NSSPKIXRelativeDistinguishedName *rdn;
- rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
- break;
- }
-
-#ifdef PEDANTIC
- if( count == 0xFFFFFFFF ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- va_end(ap);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
- }
-
- va_end(ap);
-
- va_start(ap, arenaOpt);
- rv = nss_pkix_RDNSequence_V_Create(arenaOpt, count, ap);
- va_end(ap);
-
- return rv;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c b/security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c
deleted file mode 100644
index 0e244cb73..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nssPKIXRDNSequence_CreateFromArray
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXRelativeDistinguishedName *rdns[]
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- {
- PRUint32 i;
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(&rdns[i]) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
- if( (NSSPKIXRDNSequence *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->count = count;
-
- rv->rdns = nss_ZNEWARRAY(arena, NSSPKIXRelativeDistinguishedName *, (count+1));
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rv->rdns ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSPKIXRelativeDistinguishedName *v = rdns[i];
-
- rv->rdns[i] = nssPKIXRelativeDistinguishedName_Duplicate(v, arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv->rdns[i] ) {
- goto loser;
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c b/security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c
deleted file mode 100644
index 196332665..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nssPKIXRDNSequence_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXRDNSequence *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
- if( (NSSPKIXRDNSequence *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->utf8 = nssUTF8_Duplicate(string, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- /* Insert intelligence here -- fgmr */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PDecode.c b/security/nss/lib/pkix/src/RDNSequence/PDecode.c
deleted file mode 100644
index 557f5bc32..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PDecode.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nssPKIXRDNSequence_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXRDNSequence *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
- if( (NSSPKIXRDNSequence *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv, nssPKIXRDNSequence_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PDestroy.c b/security/nss/lib/pkix/src/RDNSequence/PDestroy.c
deleted file mode 100644
index 17cc846cf..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PDestroy.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_Destroy
-(
- NSSPKIXRDNSequence *rdnseq
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_RDNSequence_remove_pointer(rdnseq);
-#endif /* DEBUG */
-
- if( PR_TRUE == rdnseq->i_allocated_arena ) {
- return nssArena_Destroy(rdnseq->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PDuplicate.c b/security/nss/lib/pkix/src/RDNSequence/PDuplicate.c
deleted file mode 100644
index a57828692..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PDuplicate.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRDNSequence upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRDNSequence *
-nssPKIXRDNSequence_Duplicate
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
- if( (NSSPKIXRDNSequence *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- if( (NSSBER *)NULL != rdnseq->ber ) {
- rv->ber = nssItem_Duplicate(rdnseq->ber, arena, (NSSItem *)NULL);
- if( (NSSBER *)NULL == rv->ber ) {
- goto loser;
- }
- }
-
- if( (NSSDER *)NULL != rdnseq->der ) {
- rv->der = nssItem_Duplicate(rdnseq->der, arena, (NSSItem *)NULL);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
- }
-
- if( (NSSUTF8 *)NULL != rdnseq->utf8 ) {
- rv->utf8 = nssUTF8_duplicate(rdnseq->utf8, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
- }
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
-
- rv->count = rdnseq->count;
-
- rv->rdns = nss_ZNEWARRAY(arena, NSSPKIXRelativeDistinguishedName *, (rv->count+1));
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rv->rdns ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSPKIXRelativeDistinguishedName *v = rdnseq->rdns[i];
-
- rv->rdns[i] = nssPKIXRelativeDistinguishedName_Duplicate(v, arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv->rdns[i] ) {
- goto loser;
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRDNSequence *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PEncode.c b/security/nss/lib/pkix/src/RDNSequence/PEncode.c
deleted file mode 100644
index 5700fa099..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PEncode.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXRDNSequence_Encode
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- NSSBER *it;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- if( (NSSBER *)NULL != rdnseq->ber ) {
- it = rdnseq->ber;
- goto done;
- }
- /*FALLTHROUGH*/
- case NSSASN1DER:
- if( (NSSDER *)NULL != rdnseq->der ) {
- it = rdnseq->der;
- goto done;
- }
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
- return (NSSBER *)NULL;
- }
-
- it = nssASN1_EncodeItem(rdnseq->arena, (NSSItem *)NULL, rdnseq,
- nssPKIXRDNSequence_template, encoding);
- if( (NSSBER *)NULL == it ) {
- return (NSSBER *)NULL;
- }
-
- switch( encoding ) {
- case NSSASN1BER:
- rdnseq->ber = it;
- break;
- case NSSASN1DER:
- rdnseq->der = it;
- break;
- default:
- PR_ASSERT(0);
- break;
- }
-
- done:
- return nssItem_Duplicate(it, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PEqual.c b/security/nss/lib/pkix/src/RDNSequence/PEqual.c
deleted file mode 100644
index a1dd5af53..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PEqual.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXRDNSequence_Equal
-(
- NSSPKIXRDNSequence *one,
- NSSPKIXRDNSequence *two,
- PRStatus *statusOpt
-)
-{
- NSSPKIXRelativeDistinguishedName **a;
- NSSPKIXRelativeDistinguishedName **b;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(one) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(two) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* NSSDEBUG */
-
- if( ((NSSDER *)NULL != one->der) && ((NSSDER *)NULL != two->der) ) {
- return nssItem_Equal(one->der, two->der, statusOpt);
- }
-
- /*
- * Since this is a sequence, the order is significant.
- * So we just walk down both lists, comparing.
- */
-
- for( a = one->rdns, b = two->rdns; *a && *b; a++, b++ ) {
- if( PR_FALSE == nssPKIXRelativeDistinguishedName_Equal(*a, *b, statusOpt) ) {
- return PR_FALSE;
- }
- }
-
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_SUCCESS;
- }
-
- if( *a || *b ) {
- return PR_FALSE;
- }
-
- return PR_TRUE;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c
deleted file mode 100644
index 8064b9636..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_FindRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-nssPKIXRDNSequence_FindRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- PRUint32 i;
- NSSPKIXRelativeDistinguishedName **a;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- for( i = 0, a = rdnseq->rdns; *a; a++, (i > 0x7fffffff) || i++ ) {
- if( PR_TRUE == nssPKIXRelativeDistinguishedName_Equal(*a, rdn) ) {
- if( i > 0x7fffffff ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
- return (PRInt32)i;
- }
- }
-
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return -1;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c
deleted file mode 100644
index 7ea20d259..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_GetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-nssPKIXRDNSequence_GetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSArena *arenaOpt
-)
-{
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (i < 0) || (i >= rdnseq->count) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- return nssPKIXRelativeDistinguishedName_Duplicate(rdnseq->rdns[i], arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c
deleted file mode 100644
index a01077db1..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
-(
- NSSPKIXRDNSequence *rdnseq
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return -1;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
-#endif /* PEDANTIC */
-
- if( rdnseq->count > 0x7fffffff ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
-
- return (PRInt32)(rdnseq->count);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c
deleted file mode 100644
index 115480dfd..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_GetRelativeDistinguishedNames
- *
- * This routine returns all of the relative distinguished names in the
- * specified RDN Sequence. {...} If the array is allocated, or if the
- * specified one has extra space, the array will be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXRelativeDistinguishedName
- * pointers upon success
- * NULL upon failure.
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName **
-nssPKIXRDNSequence_GetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-)
-{
- NSSPKIXRelativeDistinguishedName **rv = (NSSPKIXRelativeDistinguishedName **)NULL;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (limit < rdnseq->count) &&
- !((0 == limit) && ((NSSPKIXRelativeDistinguishedName **)NULL == rvOpt)) ) {
- nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
-
- limit = rdnseq->count;
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rvOpt ) {
- rv = nss_ZNEWARRAY(arenaOpt, NSSPKIXRelativeDistinguishedName *, limit);
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rv ) {
- return (NSSPKIXRelativeDistinguishedName **)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- for( i = 0; i < limit; i++ ) {
- rv[i] = nssPKIXRelativedistinguishedName_Duplicate(rdnseq->rdns[i], arenaOpt);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv[i] ) {
- goto loser;
- }
- }
-
- return rv;
-
- loser:
- for( i = 0; i < limit; i++ ) {
- NSSPKIXRelativeDistinguishedName *x = rv[i];
- if( (NSSPKIXRelativeDistinguishedName *)NULL == x ) {
- break;
- }
- (void)nssPKIXRelativeDistinguishedName_Destroy(x);
- }
-
- if( rv != rvOpt ) {
- nss_ZFreeIf(rv);
- }
-
- return (NSSPKIXRelativeDistinguishedName **)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c
deleted file mode 100644
index 2250bf960..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssPKIXRDNSequence_GetUTF8Encoding
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == rdnseq->utf8 ) {
- /* xxx fgmr fill this in from pki1 implementation */
- }
-
- return nssUTF8_Duplicate(rdnseq->utf8, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c
deleted file mode 100644
index 213866694..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_InsertRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_InsertRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- NSSPKIXRelativeDistinguishedName **na;
- NSSPKIXRelativeDistinguishedName *dup;
- PRInt32 c;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (i < 0) || (i >= rdnseq->count) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- na = (NSSPKIXRelativeDistinguishedName **)
- nss_ZRealloc(rdnseq->rdns, ((rdnseq->count+2) *
- sizeof(NSSPKIXRelativeDistinguishedName *)));
- if( (NSSPKIXRelativeDistinguishedName **)NULL == na ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- rdnseq->rdns = na;
-
- dup = nssPKIXRelativeDistinguishedName_Duplicate(rdn, rdnseq->arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == dup ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- for( c = rdnseq->count; c > i; c-- ) {
- na[ c ] = na[ c-1 ];
- }
-
- na[ i ] = dup;
- rdnseq->count++;
-
- return nss_pkix_RDNSequence_Clear(rdnseq);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c
deleted file mode 100644
index 447620c77..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_RemoveRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_RemoveRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i
-)
-{
- NSSPKIXRelativeDistinguishedName **na;
- PRInt32 c;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (i < 0) || (i >= rdnseq->count) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- nssPKIXRelativeDistinguishedName_Destroy(rdnseq->rdns[i]);
-
- rdnseq->rdns[i] = rdnseq->rdns[ rdnseq->count ];
- rdnseq->rdns[ rdnseq->count ] = (NSSPKIXRelativeDistinguishedName *)NULL;
- rdnseq->count--;
-
- na = (NSSPKIXRelativeDistinguishedName **)
- nss_ZRealloc(rdnseq->rdns, ((rdnseq->count) *
- sizeof(NSSPKIXRelativeDistinguishedName *)));
- if( (NSSPKIXRelativeDistinguishedName **)NULL == na ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- rdnseq->rdns = na;
-
- return nss_pkix_RDNSequence_Clear(rdnseq);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c
deleted file mode 100644
index 5c8123266..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_SetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_SetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- NSSPKIXRelativeDistinguishedName *dup;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdnseq->count ) {
- nss_pkix_RDNSequence_Count(rdnseq);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdnseq->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (i < 0) || (i >= rdnseq->count) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- dup = nssPKIXRelativeDistinguishedName_Duplicate(rdn, rdnseq->arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == dup ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- nssPKIXRelativeDistinguishedName_Destroy(rdnseq->rdns[i]);
- rdnseq->rdns[i] = dup;
-
- return nss_pkix_RDNSequence_Clear(rdnseq);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c
deleted file mode 100644
index b0320a4b7..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRDNSequence_SetRelativeDistinguishedNames
- *
- * -- fgmr comments --
- * If the array pointer itself is null, the set is considered empty.
- * If the count is zero but the pointer nonnull, the array will be
- * assumed to be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_SetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdns[],
- PRInt32 countOpt
-)
-{
- NSSPKIXRelativeDistinguishedName **ip;
- NSSPKIXRelativeDistinguishedName **newarray;
- PRUint32 i;
- nssArenaMark *mark;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rdns ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- {
- PRUint32 i, count;
-
- if( 0 == countOpt ) {
- for( i = 0; i < 0x80000000; i++ ) {
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdns[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0x80000000 == i ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-#endif /* PEDANTIC */
-
- count = (PRUint32)i;
- } else {
- if( countOpt < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- count = (PRUint32)countOpt;
- }
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdns[i]) ) {
- return PR_FAILURE;
- }
- }
- }
-#endif /* NSSDEBUG */
-
- mark = nssArena_Mark(rdnseq->mark);
- if( (nssArenaMark *)NULL == mark ) {
- return PR_FAILURE;
- }
-
- newarray = nss_ZNEWARRAY(rdnseq->arena, NSSPKIXRelativeDistinguishedName *, countOpt);
- if( (NSSPKIXRelativeDistinguishedName **)NULL == newarray ) {
- goto loser;
- }
-
- for( i = 0; i < countOpt; i++ ) {
- newarray[i] = nssPKIXRelativeDistinguishedName_Duplicate(rdns[i], rdnseq->arena);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == newarray[i] ) {
- goto loser;
- }
- }
-
- for( i = 0; i < rdnseq->count; i++ ) {
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_Destroy(rdnseq->rdns[i]) ) {
- goto loser;
- }
- }
-
- nss_ZFreeIf(rdnseq->rdns);
-
- rdnseq->count = countOpt;
- rdnseq->rdns = newarray;
-
- (void)nss_pkix_RDNSequence_Clear(rdnseq);
-
- return nssArena_Unmark(rdnseq->arena, mark);
-
- loser:
- (void)nssArena_Release(a->arena, mark);
- return PR_FAILURE;
-}
-
diff --git a/security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c
deleted file mode 100644
index 141ab7f37..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_RemoveRelativeDistinguishedName(rdnseq, i);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c
deleted file mode 100644
index 7484eb55d..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_SetRelativeDistinguishedName
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRDNSequence_SetRelativeDistinguishedName
-(
- NSSPKIXRDNSequence *rdnseq,
- PRInt32 i,
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_SetRelativeDistinguishedName(rdnseq, i, rdn);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c
deleted file mode 100644
index 40e7c8247..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRDNSequence_SetRelativeDistinguishedNames
- *
- * -- fgmr comments --
- * If the array pointer itself is null, the set is considered empty.
- * If the count is zero but the pointer nonnull, the array will be
- * assumed to be null-terminated.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRDNSequence_SetRelativeDistinguishedNames
-(
- NSSPKIXRDNSequence *rdnseq,
- NSSPKIXRelativeDistinguishedName *rdns[],
- PRInt32 countOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
- return PR_FAILURE;
- }
-
- if( (NSSPKIXRelativeDistinguishedName **)NULL == rdns ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- {
- PRUint32 i, count;
-
- if( 0 == countOpt ) {
- for( i = 0; i < 0x80000000; i++ ) {
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rdns[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0x80000000 == i ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-#endif /* PEDANTIC */
-
- count = (PRUint32)i;
- } else {
- if( countOpt < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- count = (PRUint32)countOpt;
- }
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdns[i]) ) {
- return PR_FAILURE;
- }
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRDNSequence_SetRelativeDistinguishedNames(rdnseq, rdns, countOpt);
-}
diff --git a/security/nss/lib/pkix/src/RDNSequence/template.c b/security/nss/lib/pkix/src/RDNSequence/template.c
deleted file mode 100644
index ff5bbc0ba..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/template.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXRDNSequence_template
- *
- */
-
-const nssASN1Template nssPKIXRDNSequence_template[] = {
- { nssASN1_SEQUENCE_OF, offsetof(NSSPKIXRDNSequence, rdns),
- nssPKIXRelativeDistinguishedName_template },
- { 0 }
-};
diff --git a/security/nss/lib/pkix/src/RDNSequence/verifyPointer.c b/security/nss/lib/pkix/src/RDNSequence/verifyPointer.c
deleted file mode 100644
index 47a53a5c4..000000000
--- a/security/nss/lib/pkix/src/RDNSequence/verifyPointer.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_rdnseq_pointer_tracker;
-
-/*
- * nss_pkix_RDNSequence_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXRDNSequence pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_RDNSequence_add_pointer
-(
- const NSSPKIXRDNSequence *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_rdnseq_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_rdnseq_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- rv = nssArena_registerDestructor(arena,
- nss_pkix_RDNSequence_remove_pointer, p);
- if( PR_SUCCESS != rv ) {
- (void)nss_pkix_RDNSequence_remove_pointer(p);
- return rv;
- }
-
-#ifdef NSSDEBUG
- {
- NSSPKIXRelativeDistinguishedName *r;
-
- for( r = p->rdns; *r; r++ ) {
- if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(*r) ) {
- (void)nss_pkix_RDNSequence_remove_pointer(p);
- return PR_FAILURE;
- }
- }
- }
-#endif /* NSSDEBUG */
-
- return PR_SUCCESS;
-}
-
-/*
- * nss_pkix_RDNSequence_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXRDNSequence
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_RDNSequence_remove_pointer
-(
- const NSSPKIXRDNSequence *p
-)
-{
- PRStatus rv;
-
-#ifdef NSSDEBUG
- {
- NSSPKIXRelativeDistinguishedName *r;
-
- for( r = p->rdns; *r; r++ ) {
- (void)nss_pkix_RelativeDistinguishedName_remove_pointer(*r);
- }
- }
-#endif /* NSSDEBUG */
-
- rv = nssPointerTracker_remove(&pkix_rdnseq_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- /*
- * nssArena_deregisterDestructor(p->arena,
- * nss_pkix_RDNSequence_remove_pointer, p);
- */
-
- return rv;
-}
-
-/*
- * nssPKIXRDNSequence_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXRDNSequence
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRDNSequence_verifyPointer
-(
- NSSPKIXRDNSequence *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_rdnseq_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_rdnseq_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
-
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c
deleted file mode 100644
index efb142396..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue(rdn, atav);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c
deleted file mode 100644
index 52e139c69..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeTypeAndValue *atav1,
- ...
-)
-{
- va_list ap;
- NSSPKIXRelativeDistinguishedName *rv;
- PRUint32 count;
-
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- /* Is there a nonzero minimum number of ATAVs required? */
-
- {
- va_start(ap, arenaOpt);
-
- while( 1 ) {
- NSSPKIXAttributeTypeAndValue *atav;
- atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
- break;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- va_end(ap);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- va_end(ap);
- }
-#endif /* DEBUG */
-
- va_start(ap, arenaOpt);
-
- for( count = 0; ; count++ ) {
- NSSPKIXAttributeTypeAndValue *atav;
- atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
- break;
- }
-
-#ifdef PEDANTIC
- if( count == 0xFFFFFFFF ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- va_end(ap);
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* PEDANTIC */
- }
-
- va_end(ap);
-
- va_start(ap, arenaOpt);
- rv = nss_pkix_RelativeDistinguishedName_V_Create(arenaOpt, count, ap);
- va_end(ap);
-
- return rv;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c
deleted file mode 100644
index 0c01be4da..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_CreateFromArray
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXAttributeTypeAndValue *atavs[]
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- {
- PRUint32 i;
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssAttributeTypeAndValue_verifyPointer(&atavs[i]) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_CreateFromArray(arenaOpt, count, atavs);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c
deleted file mode 100644
index 990b7acd2..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_CreateFromUTF8(arenaOpt, string);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c
deleted file mode 100644
index b8d0b243a..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c
deleted file mode 100644
index ca8b1e85f..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRelativeDistinguishedName_Destroy
-(
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_Destroy(rdn);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c
deleted file mode 100644
index 416b405e8..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-NSSPKIXRelativeDistinguishedName_Duplicate
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_Duplicate(rdn, arenaOpt);
-}
-
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c
deleted file mode 100644
index ea6b82a55..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXRelativeDistinguishedName_Encode
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_Encode(rdn, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c
deleted file mode 100644
index 3e4a3fc3e..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-NSSPKIXRelativeDistinguishedName_Equal
-(
- NSSPKIXRelativeDistinguishedName *one,
- NSSPKIXRelativeDistinguishedName *two,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(one) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(two) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_Equal(one, two, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c
deleted file mode 100644
index 65032b1c1..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_EXTERN PRInt32
-NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue(rdn, atav);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c
deleted file mode 100644
index 1a58bd132..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue(rdn, i, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c
deleted file mode 100644
index 1209e726c..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
-(
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return -1;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount(rdn);
-}
-
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c
deleted file mode 100644
index 7efc30173..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAttributeTypeAndValue
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue **
-NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues(rdn, rvOpt, limit, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c
deleted file mode 100644
index 9c428ae40..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_GetUTF8Encoding(rdn, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c
deleted file mode 100644
index 2b1a93820..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nss_pkix_RelativeDistinguishedName_Clear
- *
- * Wipes out cached data.
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_RelativeDistinguishedName_Clear
-(
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSBER *)NULL != rdn->ber ) {
- nss_ZFreeIf(rdn->ber->data);
- nss_ZFreeIf(rdn->ber);
- }
-
- if( (NSSDER *)NULL != rdn->der ) {
- nss_ZFreeIf(rdn->der->data);
- nss_ZFreeIf(rdn->der);
- }
-
- nss_ZFreeIf(rdn->utf8);
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c
deleted file mode 100644
index 23d976160..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_RelativeDistinguishedName_Count
- */
-
-NSS_IMPLEMENT void
-nss_pkix_RelativeDistinguishedName_Count
-(
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- }
-
- if( 0 == rdn->count ) {
- PRUint32 i;
- for( i = 0; i < 0xFFFFFFFF; i++ ) {
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rdn->atavs[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0xFFFFFFFF == i ) {
- return;
- }
-#endif /* PEDANTIC */
-
- rdn->count = i;
- }
-
- return;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c
deleted file mode 100644
index c40a4b6e7..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_RelativeDistinguishedName_v_create
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_OID
- * NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure.
- */
-
-NSS_EXTERN NSSPKIXRelativeDistinguishedName *
-nss_pkix_RelativeDistinguishedName_V_Create
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- va_list ap
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->count = count;
-
- rv->atav = nss_ZNEWARRAY(arena, NSSPKIXAttributeTypeAndValue *, count);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rv->atav ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSPKIXAttributeTypeAndValue *v = (NSSPKIXAttributeTypeAndValue *)
- va_arg(ap, NSSPKIXAttributeTypeAndValue *);
-
-#ifdef NSSDEBUG
- /*
- * It's okay to test this down here, since
- * supposedly these have already been checked.
- */
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(v) ) {
- goto loser;
- }
-#endif /* NSSDEBUG */
-
- rv->atav[i] = nssPKIXAttributeTypeAndValue_Duplicate(v, arena);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv->atav[i] ) {
- goto loser;
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_RelativeDistinguishedName_remove_pointer, rv) ) {
- (void)nss_pkix_RelativeDistinguishedName_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRelativeDistinguishedName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c
deleted file mode 100644
index 68541d17e..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- PRUint32 newcount;
- NSSPKIXAttributeTypeAndValue **newarray;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- }
-
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- }
-
- newcount = rdn->count+1;
- /* Check newcount for a rollover. */
-
- /* Remember that our atavs array is NULL-terminated */
- newarray = (NSSPKIXAttributeTypeAndValue **)nss_ZRealloc(rdn->atavs,
- ((newcount+1) * sizeof(NSSPKIXAttributeTypeAndValue *)));
- if( (NSSPKIXAttributeTypeAndValue **)NULL == newarray ) {
- return PR_FAILURE;
- }
-
- rdn->atavs = newarray;
-
- rdn->atavs[ rdn->count ] = nssPKIXAttributeTypeAndValue_Duplicate(atav, rdn->arena);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rdn->atavs[ rdn->count ] ) {
- return PR_FAILURE; /* array is "too big" but whatever */
- }
-
- rdn->count = newcount;
-
- return nss_pkix_RelativeDistinguishedName_Clear(rdn);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c
deleted file mode 100644
index a3a1f7315..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_Create
-(
- NSSArena *arenaOpt,
- NSSPKIXAttributeTypeAndValue *atav1,
- ...
-)
-{
- va_list ap;
- NSSPKIXRelativeDistinguishedName *rv;
- PRUint32 count;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- /* Is there a nonzero minimum number of ATAVs required? */
-
- {
- va_start(ap, arenaOpt);
-
- while( 1 ) {
- NSSPKIXAttributeTypeAndValue *atav;
- atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
- break;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- va_end(ap);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- va_end(ap);
- }
-#endif /* NSSDEBUG */
-
- va_start(ap, arenaOpt);
-
- for( count = 0; ; count++ ) {
- NSSPKIXAttributeTypeAndValue *atav;
- atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
- break;
- }
-
-#ifdef PEDANTIC
- if( count == 0xFFFFFFFF ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- va_end(ap);
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-#endif /* PEDANTIC */
- }
-
- va_end(ap);
-
- va_start(ap, arenaOpt);
- rv = nss_pkix_RelativeDistinguishedName_V_Create(arenaOpt, count, ap);
- va_end(ap);
-
- return rv;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c
deleted file mode 100644
index fa7e27eed..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_CreateFromArray
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_CreateFromArray
-(
- NSSArena *arenaOpt,
- PRUint32 count,
- NSSPKIXAttributeTypeAndValue *atavs
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- {
- PRUint32 i;
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssAttributeTypeAndValue_verifyPointer(&atavs[i]) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->count = count;
-
- rv->atav = nss_ZNEWARRAY(arena, NSSPKIXAttributeTypeAndValue *, count);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rv->atav ) {
- goto loser;
- }
-
- for( i = 0; i < count; i++ ) {
- NSSPKIXAttributeTypeAndValue *v = atavs[i];
-
- rv->atav[i] = nssPKIXAttributeTypeAndValue_Duplicate(v, arena);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv->atav[i] ) {
- goto loser;
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRelativeDistinguishedName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c
deleted file mode 100644
index 2f2f995be..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_CreateFromUTF8
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_UNKNOWN_ATTRIBUTE
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *string
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == string ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->utf8 = nssUTF8_Duplicate(string, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- /* Insert intelligence here -- fgmr */
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRelativeDistinguishedName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c
deleted file mode 100644
index ad1766280..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
- PRStatus status;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv, nssPKIXRelativeDistinguishedName_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRelativeDistinguishedName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c
deleted file mode 100644
index 94b8fcf00..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_Destroy
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRelativeDistinguishedName_Destroy
-(
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_RelativeDistinguishedName_remove_pointer(rdn);
-#endif /* DEBUG */
-
- if( PR_TRUE == rdn->i_allocated_arena ) {
- return nssArena_Destroy(rdn->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c
deleted file mode 100644
index 0277b7b01..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
-nssPKIXRelativeDistinguishedName_Duplicate
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
- PRStatus status;
- PRUint32 i;
- NSSPKIXAttributeTypeAndValue **from, **to;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXRelativeDistinguishedName *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
- if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- if( (NSSDER *)NULL != rdn->der ) {
- rv->der = nssItem_Duplicate(rdn->der, arena, (NSSItem *)NULL);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
- }
-
- if( (NSSBER *)NULL != rdn->ber ) {
- rv->ber = nssItem_Duplicate(rdn->ber, arena, (NSSItem *)NULL);
- if( (NSSBER *)NULL == rv->ber ) {
- goto loser;
- }
- }
-
- if( (NSSUTF8 *)NULL != rdn->utf8 ) {
- rv->utf8 = nssUTF8_Duplicate(rdn->utf8, arena);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
- }
-
- rv->count = rdn->count;
-
- {
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- if( 0 == rdn->count ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
- }
-
- rv->count = rdn->count; /* might as well save it */
- }
-
- rv->atavs = nss_ZNEWARRAY(arena, NSSPKIXAttributeTypeAndValue *, rdn->count + 1);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv->atavs ) {
- goto loser;
- }
- }
-
- for( from = &rdn->atavs[0], to = &rv->atavs[0]; *from; from++, to++ ) {
- *to = nssPKIXAttributeTypeAndValue_Duplicate(*from, arena);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == *to ) {
- goto loser;
- }
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXRelativeDistinguishedName *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c
deleted file mode 100644
index d2af9470b..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_Encode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXRelativeDistinguishedName_Encode
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- NSSBER *it;
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- switch( encoding ) {
- case NSSASN1BER:
- if( (NSSBER *)NULL != rdn->ber ) {
- it = rdn->ber;
- goto done;
- }
- /*FALLTHROUGH*/
- case NSSASN1DER:
- if( (NSSDER *)NULL != rdn->der ) {
- it = rdn->der;
- goto done;
- }
- break;
- default:
- nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
- return (NSSBER *)NULL;
- }
-
- it = nssASN1_EncodeItem(rdn->arena, (NSSItem *)NULL, rdn,
- nssPKIXRelativeDistinguishedName_template,
- encoding);
- if( (NSSBER *)NULL == it ) {
- return (NSSBER *)NULL;
- }
-
- switch( encoding ) {
- case NSSASN1BER:
- rdn->ber = it;
- break;
- case NSSASN1DER:
- rdn->der = it;
- break;
- default:
- PR_ASSERT(0);
- break;
- }
-
- done:
- return nssItem_Duplicate(it, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c
deleted file mode 100644
index 2ac566a8b..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXRelativeDistinguishedName_Equal
-(
- NSSPKIXRelativeDistinguishedName *one,
- NSSPKIXRelativeDistinguishedName *two,
- PRStatus *statusOpt
-)
-{
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(one) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(two) ) {
- goto loser;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSDER *)NULL == one->der ) {
- one->der = nssASN1_EncodeItem(one->arena, (NSSItem *)NULL, one,
- nssPKIXRelativeDistinguishedName_template,
- NSSASN1DER);
- if( (NSSDER *)NULL == one->der ) {
- goto loser;
- }
- }
-
- if( (NSSDER *)NULL == two->der ) {
- two->der = nssASN1_EncodeItem(two->arena, (NSSItem *)NULL, two,
- nssPKIXRelativeDistinguishedName_template,
- NSSASN1DER);
- if( (NSSDER *)NULL == two->der ) {
- goto loser;
- }
- }
-
- return nssItem_Equal(one->der, two->der, statusOpt);
-
- loser:
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c
deleted file mode 100644
index ee7c55e10..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NOT_FOUND
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * The index of the specified attribute value upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- PRUint32 i;
- NSSPKIXAttributeTypeAndValue **a;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return -1;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return -1;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return -1;
- }
-
- for( i = 0, a = rdn->atavs; *a; a++, (i > 0x7fffffff) || i++ ) {
- if( PR_TRUE == nssPKIXAttributeTypeAndValue_Equal(*a, atav) ) {
- if( i > 0x7fffffff ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
- return (PRInt32)i;
- }
- }
-
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return -1;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c
deleted file mode 100644
index 22c3abac6..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
-nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSArena *arenaOpt
-)
-{
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- }
-
- if( (i < 0) || (i >= rdn->count) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXAttributeTypeAndValue *)NULL;
- }
-
- return nssPKIXAttributeTypeAndValue_Duplicate(rdn->atavs[i], arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c
deleted file mode 100644
index df8e1b48e..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- *
- * Return value:
- * Nonnegative integer upon success
- * -1 upon failure.
- */
-
-NSS_IMPLEMENT PRInt32
-nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
-(
- NSSPKIXRelativeDistinguishedName *rdn
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return -1;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdn->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
-#endif /* PEDANTIC */
-
- if( rdn->count > 0x7fffffff ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return -1;
- }
-
- return (PRInt32)(rdn->count);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c
deleted file mode 100644
index 7675d5ad3..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_ARRAY_TOO_SMALL
- *
- * Return value:
- * A valid pointer to an array of NSSPKIXAttributeTypeAndValue
- * pointers upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue **
-nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *rvOpt[],
- PRInt32 limit,
- NSSArena *arenaOpt
-)
-{
- NSSPKIXAttributeTypeAndValue **rv = (NSSPKIXAttributeTypeAndValue **)NULL;
- PRUint32 i;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- }
-
-#ifdef PEDANTIC
- if( 0 == rdn->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
-#endif /* PEDANTIC */
-
- if( (limit < rdn->count) &&
- !((0 == limit) && ((NSSPKIXAttributeTypeAndValue **)NULL == rvOpt)) ) {
- nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
-
- limit = rdn->count;
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rvOpt ) {
- rv = nss_ZNEWARRAY(arenaOpt, NSSPKIXAttributeTypeAndValue *, limit);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rv ) {
- return (NSSPKIXAttributeTypeAndValue **)NULL;
- }
- } else {
- rv = rvOpt;
- }
-
- for( i = 0; i < limit; i++ ) {
- rv[i] = nssPKIXAttributeTypeAndValue_Duplicate(rdn->atav[i], arenaOpt);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == rv[i] ) {
- goto loser;
- }
- }
-
- return rv;
-
- loser:
- for( i = 0; i < limit; i++ ) {
- NSSPKIXAttributeTypeAndValue *x = rv[i];
- if( (NSSPKIXAttributeTypeAndValue *)NULL == x ) {
- break;
- }
- (void)nssPKIXAttributeTypeAndValue_Destroy(x);
- }
-
- if( rv != rvOpt ) {
- nss_ZFreeIf(rv);
- }
-
- return (NSSPKIXAttributeTypeAndValue **)NULL;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c
deleted file mode 100644
index 01abf228c..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_GetUTF8Encoding
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ARENA
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSUTF8 pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssPKIXRelativeDistinguishedName_GetUTF8Encoding
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == rdn->utf8 ) {
- /* xxx fgmr fill this in from pki1 implementation */
- }
-
- return nssUTF8_Duplicate(rdn->utf8, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c
deleted file mode 100644
index 84b5cc819..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i
-)
-{
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- }
-
- if( i < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- /* Is there a technical minimum? */
- /*
- * if( 1 == rdn->count ) {
- * nss_SetError(NSS_ERROR_AT_MINIMUM);
- * return PR_FAILURE;
- * }
- */
-
-#ifdef PEDANTIC
- if( 0 == rdn->count ) {
- NSSPKIXAttributeTypeAndValue **ip;
- /* Too big.. but we can still remove one */
- nssPKIXAttributeTypeAndValue_Destroy(rdn->atavs[i]);
- for( ip = &rdn->atavs[i]; *ip; ip++ ) {
- ip[0] = ip[1];
- }
- } else
-#endif /* PEDANTIC */
-
- {
- NSSPKIXAttributeTypeAndValue *si;
- PRUint32 end;
-
- if( i >= rdn->count ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- end = rdn->count - 1;
-
- si = rdn->atavs[i];
- rdn->atavs[i] = rdn->atavs[end];
- rdn->atavs[end] = (NSSPKIXAttributeTypeAndValue *)NULL;
-
- nssPKIXAttributeTypeAndValue_Destroy(si);
-
- /* We could realloc down, but we know it's a no-op */
- rdn->count = end;
- }
-
- return nss_pkix_RelativeDistinguishedName_Clear(rdn);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c
deleted file mode 100644
index 01439e2e7..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- NSSPKIXAttributeTypeAndValue *dup;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- return PR_FAILURE;
- }
-
- if( 0 == rdn->count ) {
- nss_pkix_RelativeDistinguishedName_Count(rdn);
- }
-
- if( (i < 0) || (i >= rdn->count) ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- dup = nssPKIXAttributeTypeAndValue_Duplicate(atav, rdn->arena);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == dup ) {
- return PR_FAILURE;
- }
-
- nssPKIXAttributeTypeAndValue_Destroy(rdn->atavs[i]);
- rdn->atavs[i] = dup;
-
- return nss_pkix_RelativeDistinguishedName_Clear(rdn);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c
deleted file mode 100644
index 839839ea2..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atavs[],
- PRInt32 countOpt
-)
-{
- NSSPKIXAttributeTypeAndValue **ip;
- NSSPKIXAttributeTypeAndValue **newarray;
- PRUint32 i;
- nssArenaMark *mark;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( (NSSPKIXAttributeTypeAndValues **)NULL == atavs ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- {
- PRUint32 i, count;
-
- if( 0 == countOpt ) {
- for( i = 0; i < 0x80000000; i++ ) {
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atav[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0x80000000 == i ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-#endif /* PEDANTIC */
-
- count = (PRUint32)i;
- } else {
- if( countOpt < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- count = (PRUint32)countOpt;
- }
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav[i]) ) {
- return PR_FAILURE;
- }
- }
- }
-#endif /* NSSDEBUG */
-
- if( 0 == countOpt ) {
- for( i = 0; i < 0xffffffff; i++ ) {
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atavs[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0xffffffff == 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- reutrn PR_FAILURE;
- }
-#endif /* PEDANTIC */
-
- countOpt = i;
- }
-
- mark = nssArena_Mark(rdn->mark);
- if( (nssArenaMark *)NULL == mark ) {
- return PR_FAILURE;
- }
-
- newarray = nss_ZNEWARRAY(rdn->arena, NSSPKIXAttributeTypeAndValue *, countOpt);
- if( (NSSPKIXAttributeTypeAndValue **)NULL == newarray ) {
- goto loser;
- }
-
- for( i = 0; i < countOpt; i++ ) {
- newarray[i] = nssPKIXAttributeTypeAndValue_Duplicate(atavs[i], rdn->arena);
- if( (NSSPKIXAttributeTypeAndValue *)NULL == newarray[i] ) {
- goto loser;
- }
- }
-
- for( i = 0; i < rdn->count; i++ ) {
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_Destroy(rdn->atavs[i]) ) {
- goto loser;
- }
- }
-
- nss_ZFreeIf(rdn->atavs);
-
- rdn->count = countOpt;
- rdn->atavs = newarray;
-
- (void)nss_pkix_RelativeDistinguishedName_Clear(rdn);
-
- return nssArena_Unmark(rdn->arena, mark);
-
- loser:
- (void)nssArena_Release(a->arena, mark);
- return PR_FAILURE;
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c
deleted file mode 100644
index b9f1deb66..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_AT_MINIMUM
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue(rdn, i);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c
deleted file mode 100644
index fa2224a6b..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_VALUE_OUT_OF_RANGE
- * NSS_ERROR_INVALID_PKIX_ATAV
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- PRInt32 i,
- NSSPKIXAttributeTypeAndValue *atav
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue(rdn, i, atav);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c
deleted file mode 100644
index c6a8f0434..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_RDN
- * NSS_ERROR_INVALID_POINTER
- * NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
-(
- NSSPKIXRelativeDistinguishedName *rdn,
- NSSPKIXAttributeTypeAndValue *atavs[],
- PRInt32 countOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
- return PR_FAILURE;
- }
-
- if( (NSSPKIXAttributeTypeAndValue **)NULL == atavs ) {
- nss_SetError(NSS_ERROR_INVALID_POINTER);
- return PR_FAILURE;
- }
-
- {
- PRUint32 i, count;
-
- if( 0 == countOpt ) {
- for( i = 0; i < 0x80000000; i++ ) {
- if( (NSSPKIXAttributeTypeAndValue *)NULL == atavs[i] ) {
- break;
- }
- }
-
-#ifdef PEDANTIC
- if( 0x80000000 == i ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-#endif /* PEDANTIC */
-
- count = (PRUint32)i;
- } else {
- if( countOpt < 0 ) {
- nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
- return PR_FAILURE;
- }
-
- count = (PRUint32)countOpt;
- }
-
- for( i = 0; i < count; i++ ) {
- if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atavs[i]) ) {
- return PR_FAILURE;
- }
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues(rdn, atavs, countOpt);
-}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/template.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/template.c
deleted file mode 100644
index fff01836a..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/template.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXRelativeDistinguishedName_template
- *
- */
-
-const nssASN1Template nssPKIXRelativeDistinguishedName_template[] = {
- { nssASN1_SET_OF, offsetof(NSSPKIXRelativeDistinguishedName, atavs),
- nssPKIXAttributeTypeAndValue_template,
- sizeof(NSSPKIXRelativeDistinguishedName) }
-};
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c
deleted file mode 100644
index d7274abae..000000000
--- a/security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_rdn_pointer_tracker;
-
-/*
- * nss_pkix_RelativeDistinguishedName_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXRelativeDistinguishedName pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_RelativeDistinguishedName_add_pointer
-(
- const NSSPKIXRelativeDistinguishedName *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_rdn_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_rdn_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- rv = nssArena_registerDestructor(p->arena,
- nss_pkix_RelativeDistinguishedName_remove_pointer, p);
- if( PR_SUCCESS != rv ) {
- (void)nss_pkix_RelativeDistinguishedName_remove_pointer(p);
- return rv;
- }
-
-#ifdef NSSDEBUG
- {
- NSSPKIXAttributeTypeAndValue *a;
-
- for( a = p->atavs; *a; a++ ) {
- if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(*a) ) {
- nss_pkix_RelativeDistinguishedName_remove_pointer(p);
- return PR_FAILURE;
- }
- }
- }
-#endif /* NSSDEBUG */
-
- return PR_SUCCESS;
-}
-
-/*
- * nss_pkix_RelativeDistinguishedName_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXRelativeDistinguishedName
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_RelativeDistinguishedName_remove_pointer
-(
- const NSSPKIXRelativeDistinguishedName *p
-)
-{
- PRStatus rv;
-
-#ifdef NSSDEBUG
- {
- NSSPKIXAttributeTypeAndValue *a;
-
- for( a = p->atavs; *a; a++ ) {
- (void)nss_pkix_AttributeTypeAndValue_remove_pointer(*a);
- }
- }
-#endif /* NSSDEBUG */
-
- rv = nssPointerTracker_remove(&pkix_rdn_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- /*
- * nssArena_deregisterDestructor(p->arena,
- * nss_pkix_RelativeDistinguishedName_remove_pointer, p);
- */
-
- return rv;
-}
-
-/*
- * nssPKIXRelativeDistinguishedName_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXRelativeDistinguishedName
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_ATTRIBUTE
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXRelativeDistinguishedName_verifyPointer
-(
- NSSPKIXRelativeDistinguishedName *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_rdn_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_rdn_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
-
diff --git a/security/nss/lib/pkix/src/Time/Compare.c b/security/nss/lib/pkix/src/Time/Compare.c
deleted file mode 100644
index 6a125d6c6..000000000
--- a/security/nss/lib/pkix/src/Time/Compare.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_Compare
- *
- * Usual result: -1, 0, 1
- * Returns 0 on error
- */
-
-NSS_IMPLEMENT PRInt32
-NSSPKIXTime_Compare
-(
- NSSPKIXTime *time1,
- NSSPKIXTime *tiem2,
- PRStatus *statusOpt
-)
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time1) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return 0;
- }
-
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time2) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return 0;
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_Compare(time1, time2, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/Time/CreateFromPRTime.c b/security/nss/lib/pkix/src/Time/CreateFromPRTime.c
deleted file mode 100644
index 909adb14e..000000000
--- a/security/nss/lib/pkix/src/Time/CreateFromPRTime.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_CreateFromPRTime
- *
- */
-
-NSS_IMPLEMENT NSSPKIXTime *
-NSSPKIXTime_CreateFromPRTime
-(
- NSSArena *arenaOpt,
- PRTime prTime
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_CreateFromPRTime(arenaOpt, prTime);
-}
diff --git a/security/nss/lib/pkix/src/Time/CreateFromUTF8.c b/security/nss/lib/pkix/src/Time/CreateFromUTF8.c
deleted file mode 100644
index 469741ac6..000000000
--- a/security/nss/lib/pkix/src/Time/CreateFromUTF8.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_CreateFromUTF8
- *
- */
-
-NSS_EXTERN NSSPKIXTime *
-NSSPKIXTime_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == utf8 ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXTime *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_CreateFromUTF8(arenaOpt, utf8);
-}
diff --git a/security/nss/lib/pkix/src/Time/Decode.c b/security/nss/lib/pkix/src/Time/Decode.c
deleted file mode 100644
index 948dc0b93..000000000
--- a/security/nss/lib/pkix/src/Time/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTime upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXTime *
-NSSPKIXTime_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXTime *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/Time/Destroy.c b/security/nss/lib/pkix/src/Time/Destroy.c
deleted file mode 100644
index d694850ef..000000000
--- a/security/nss/lib/pkix/src/Time/Destroy.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_Destroy
- *
- */
-
-NSS_IMPLEMENT PR_STATUS
-NSSPKIXTime_Destroy
-(
- NSSPKIXTime *time
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return PR_FAILURE;
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_Destroy(time);
-}
diff --git a/security/nss/lib/pkix/src/Time/Duplicate.c b/security/nss/lib/pkix/src/Time/Duplicate.c
deleted file mode 100644
index dee6f61e9..000000000
--- a/security/nss/lib/pkix/src/Time/Duplicate.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_Duplicate
- *
- */
-
-NSS_IMPLEMENT NSSPKIXTime *
-NSSPKXITime_Duplicate
-(
- NSSPKIXTime *time,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return (NSSPKXITime *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_Duplicate(time, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Time/Encode.c b/security/nss/lib/pkix/src/Time/Encode.c
deleted file mode 100644
index 9063e4f3a..000000000
--- a/security/nss/lib/pkix/src/Time/Encode.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_Encode
- *
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXTime_Encode
-(
- NSSPKIXTime *time,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_Encode(time, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Time/Equal.c b/security/nss/lib/pkix/src/Time/Equal.c
deleted file mode 100644
index 4ed05acd5..000000000
--- a/security/nss/lib/pkix/src/Time/Equal.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_Equal
- *
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKXITime_Equal
-(
- NSSPKXITime *time1,
- NSSPKXITime *time2,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time1) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time2) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_Equal(time1, time2, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/Time/GetPRTime.c b/security/nss/lib/pkix/src/Time/GetPRTime.c
deleted file mode 100644
index 5871a482d..000000000
--- a/security/nss/lib/pkix/src/Time/GetPRTime.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_GetPRTime
- *
- * Returns a zero on error
- */
-
-NSS_IMPLEMENT PRTime
-NSSPKIXTime_GetPRTime
-(
- NSSPKIXTime *time,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return (PRTime)0;
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_GetPRTime(time, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/Time/GetUTF8Encoding.c b/security/nss/lib/pkix/src/Time/GetUTF8Encoding.c
deleted file mode 100644
index 7fc383b81..000000000
--- a/security/nss/lib/pkix/src/Time/GetUTF8Encoding.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXTime_GetUTF8Encoding
- *
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSPKXITime_GetUTF8Encoding
-(
- NSSPKIXTime *time,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXTime_GetUTF8Encoding(time, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/Time/PCreateFromPRTime.c b/security/nss/lib/pkix/src/Time/PCreateFromPRTime.c
deleted file mode 100644
index 13805e65d..000000000
--- a/security/nss/lib/pkix/src/Time/PCreateFromPRTime.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXTime_CreateFromPRTime
- *
- */
-
-NSS_IMPLEMENT NSSPKIXTime *
-nssPKIXTime_CreateFromPRTime
-(
- NSSArena *arenaOpt,
- PRTime prTime
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXTime *rv = (NSSPKIXTime *)NULL;
- PRStatus status;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXTime);
- if( (NSSPKIXTime *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- rv->prTime = prTime;
- rv->prTimeValid = PR_TRUE;
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Time_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXTime *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Time/PCreateFromUTF8.c b/security/nss/lib/pkix/src/Time/PCreateFromUTF8.c
deleted file mode 100644
index 1a15639ed..000000000
--- a/security/nss/lib/pkix/src/Time/PCreateFromUTF8.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXTime_CreateFromUTF8
- *
- */
-
-NSS_IMPLEMENT NSSPKIXTime *
-nssPKIXTime_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXTime *rv = (NSSPKIXTime *)NULL;
- PRStatus status;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == utf8 ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXTime *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXTime);
- if( (NSSPKIXTime *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
-
- /* fgmr base on nspr's pl implementation? */
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Time_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXTime *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Time/PDecode.c b/security/nss/lib/pkix/src/Time/PDecode.c
deleted file mode 100644
index 385665468..000000000
--- a/security/nss/lib/pkix/src/Time/PDecode.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXTime_Decode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXTime upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXTime *
-nssPKIXTime_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSArena *arena;
- PRBool arena_allocated = PR_FALSE;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- NSSPKIXTime *rv = (NSSPKIXTime *)NULL;
- PRStatus status;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXTime *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXTime *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL == arenaOpt ) {
- arena = nssArena_Create();
- if( (NSSArena *)NULL == arena ) {
- goto loser;
- }
- arena_allocated = PR_TRUE;
- } else {
- arena = arenaOpt;
- mark = nssArena_Mark(arena);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arena, NSSPKIXTime);
- if( (NSSPKIXTime *)NULL == rv ) {
- goto loser;
- }
-
- rv->arena = arena;
- rv->i_allocated_arena = arena_allocated;
- rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
- if( (NSSItem *)NULL == rv->ber ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arena, rv, nssPKIXTime_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_Time_add_pointer(rv) ) {
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arena, mark);
- }
-
- if( PR_TRUE == arena_allocated ) {
- (void)nssArena_Destroy(arena);
- }
-
- return (NSSPKIXTime *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/Time/PDestroy.c b/security/nss/lib/pkix/src/Time/PDestroy.c
deleted file mode 100644
index 973974b51..000000000
--- a/security/nss/lib/pkix/src/Time/PDestroy.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXTime_Destroy
- *
- */
-
-NSS_IMPLEMENT PR_STATUS
-nssPKIXTime_Destroy
-(
- NSSPKIXTime *time
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
-#ifdef DEBUG
- (void)nss_pkix_Time_remove_pointer(time);
-#endif /* DEBUG */
-
- if( PR_TRUE == time->i_allocated_arena ) {
- return nssArena_Destroy(time->arena);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/Time/PEncode.c b/security/nss/lib/pkix/src/Time/PEncode.c
deleted file mode 100644
index 8904fac50..000000000
--- a/security/nss/lib/pkix/src/Time/PEncode.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXTime_Encode
- *
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXTime_Encode
-(
- NSSPKIXTime *time,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
diff --git a/security/nss/lib/pkix/src/Time/template.c b/security/nss/lib/pkix/src/Time/template.c
deleted file mode 100644
index 38c4f3c78..000000000
--- a/security/nss/lib/pkix/src/Time/template.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXTime_template
- *
- */
-
-const nssASN1Template nssPKIXTime_template[] = {
- { nssASN1_INLINE, offsetof(NSSPKIXTime, asn1item),
- nssASN1Template_Any, sizeof(NSSPKIXTime) }
-};
diff --git a/security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c b/security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c
deleted file mode 100644
index 84df20054..000000000
--- a/security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-NSSPKIXX520Name_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-)
-{
- PRStatus status = PR_SUCCESS;
- PRUint32 length;
- nss_ClearErrorStack();
-
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXX520Name *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == utf8 ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXX520Name *)NULL;
- }
-#endif /* DEBUG */
-
- length = nssUTF8_Length(utf8, &status);
- if( PR_SUCCESS != status ) {
- if( NSS_ERROR_VALUE_TOO_LARGE == NSS_GetError() ) {
- nss_SetError(NSS_ERROR_STRING_TOO_LONG);
- }
- return (NSSPKIXX520Name *)NULL;
- }
-
- if( (length < 1 ) || (length > NSSPKIXX520Name_MAXIMUM_LENGTH) ) {
- nss_SetError(NSS_ERROR_STRING_TOO_LONG);
- }
-
- return nssPKIXX520Name_CreateFromUTF8(arenaOpt, utf8);
-}
-
-/*
- * NSSPKIXX520Name_MAXIMUM_LENGTH
- *
- * From RFC 2459:
- *
- * ub-name INTEGER ::= 32768
- */
-
-const PRUint32 NSSPKIXX520Name_MAXIMUM_LENGTH = 32768;
diff --git a/security/nss/lib/pkix/src/X520Name/Decode.c b/security/nss/lib/pkix/src/X520Name/Decode.c
deleted file mode 100644
index ac59d5598..000000000
--- a/security/nss/lib/pkix/src/X520Name/Decode.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-NSSPKIXX520Name_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXX520Name_Decode(arenaOpt, ber);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/Destroy.c b/security/nss/lib/pkix/src/X520Name/Destroy.c
deleted file mode 100644
index 49037d3b4..000000000
--- a/security/nss/lib/pkix/src/X520Name/Destroy.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT NSSDER *
-NSSPKIXX520Name_Destroy
-(
- NSSPKIXX520Name *name
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSDER *)NULL;
- }
-#endif /* DEBUG */
-
- return nssPKIXX520Name_Destroy(name);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/Duplicate.c b/security/nss/lib/pkix/src/X520Name/Duplicate.c
deleted file mode 100644
index bcb4b5a2b..000000000
--- a/security/nss/lib/pkix/src/X520Name/Duplicate.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-NSSPKIXX520Name_Duplicate
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXX520Name_Duplicate(name, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/Encode.c b/security/nss/lib/pkix/src/X520Name/Encode.c
deleted file mode 100644
index 83cfd5442..000000000
--- a/security/nss/lib/pkix/src/X520Name/Encode.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-NSSPKIXX520Name_Encode
-(
- NSSPKIXX520Name *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXX520Name_Encode(name, encoding, rvOpt, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/Equal.c b/security/nss/lib/pkix/src/X520Name/Equal.c
deleted file mode 100644
index 75842e8f5..000000000
--- a/security/nss/lib/pkix/src/X520Name/Equal.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-NSSPKIXX520Name_Equal
-(
- NSSPKIXX520Name *name1,
- NSSPKIXX520Name *name2,
- PRStatus *statusOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name1) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name2) ) {
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
- return PR_FALSE;
- }
-#endif /* DEBUG */
-
- return nssPKIXX520Name_Equal(name1, name2, statusOpt);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c b/security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c
deleted file mode 100644
index 2e42124eb..000000000
--- a/security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * NSSPKIXX520Name_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSDER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSPKIXX520Name_GetUTF8Encoding
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-)
-{
- nss_ClearErrorStack();
-
-#ifdef DEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* DEBUG */
-
- return nssPKIXX520Name_GetUTF8Encoding(name, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/MDoUTF8.c b/security/nss/lib/pkix/src/X520Name/MDoUTF8.c
deleted file mode 100644
index 69cbf691e..000000000
--- a/security/nss/lib/pkix/src/X520Name/MDoUTF8.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-/*
- * nss_pkix_X520Name_DoUTF8
- *
- */
-
-NSS_IMPLEMENT PR_STATUS
-nss_pkix_X520Name_DoUTF8
-(
- NSSPKIXX520Name *name
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == name->utf8 ) {
- PRUint8 tag = (*(PRUint8 *)name->string.data) & nssASN1_TAG_MASK;
- nssStringType type;
- void *data = (void *)&((PRUint8 *)name->string.data)[1];
- PRUint32 size = name->string.size-1;
-
- switch( tag ) {
- case nssASN1_TELETEX_STRING:
- type = nssStringType_TeletexString;
- break;
- case nssASN1_PRINTABLE_STRING:
- type = nssStringType_PrintableString;
- break;
- case nssASN1_UNIVERSAL_STRING:
- type = nssStringType_UniversalString;
- break;
- case nssASN1_BMP_STRING:
- type = nssStringType_BMPString;
- break;
- case nssASN1_UTF8_STRING:
- type = nssStringType_UTF8String;
- break;
- default:
- nss_SetError(NSS_ERROR_INVALID_BER);
- return PR_FAILURE;
- }
-
- name->utf8 = nssUTF8_Create(arenaOpt, type, data, size);
- if( (NSSUTF8 *)NULL == name->utf8 ) {
- return PR_FAILURE;
- }
-
- if( nssASN1_PRINTABLE_STRING == tag ) {
- name->wasPrintable = PR_TRUE;
- }
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PCreate.c b/security/nss/lib/pkix/src/X520Name/PCreate.c
deleted file mode 100644
index c507a8f75..000000000
--- a/security/nss/lib/pkix/src/X520Name/PCreate.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_Create
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_STRING_TYPE
- * NSS_ERROR_INVALID_ITEM
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-nssPKIXX520Name_Create
-(
- NSSArena *arenaOpt,
- nssStringType type,
- NSSItem *data
-)
-{
- NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
- nssArenaMark *mark = (nssArenaMark *)NULL;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXX520Name *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(data) ) {
- return (NSSPKIXX520Name *)NULL;
- }
-#endif /* NSSDEBUG */
-
- switch( type ) {
- case nssStringType_TeletexString:
- case nssStringType_PrintableString:
- case nssStringType_UniversalString:
- case nssStringType_UTF8String:
- case nssStringType_BMPString:
- break;
- default:
- nss_SetError(NSS_ERROR_INVALID_STRING_TYPE);
- goto loser;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- mark = nssArena_Mark(arenaOpt);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
- if( (NSSPKIXX520Name *)NULL == rv ) {
- goto loser;
- }
-
- rv->utf8 = nssUTF8_Create(arenaOpt, type, data->data, data->size);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- if( nssStringType_PrintableString == type ) {
- rv->wasPrintable = PR_TRUE;
- }
-
- rv->der = nssUTF8_GetDEREncoding(arenaOpt, type, rv->utf8);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
-
- rv->string.size = rv->der->size;
- rv->string.data = nss_ZAlloc(arenaOpt, rv->string.size);
- if( (void *)NULL == rv->string.data ) {
- goto loser;
- }
-
- (void)nsslibc_memcpy(rv->string.data, rv->der->data, rv->string.size);
-
- if( (NSSArena *)NULL != arenaOpt ) {
- rv->inArena = PR_TRUE;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_X520Name_remove_pointer, rv) ) {
- (void)nss_pkix_X520Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arenaOpt, mark);
- }
-
- if( (NSSArena *)NULL == arenaOpt ) {
- if( (NSSPKIXX520Name *)NULL != rv ) {
- if( (NSSDER *)NULL != rv->der ) {
- nss_ZFreeIf(rv->der->data);
- nss_ZFreeIf(rv->der);
- }
-
- nss_ZFreeIf(rv->string.data);
- nss_ZFreeIf(rv->utf8);
- nss_ZFreeIf(rv);
- }
- }
-
- return (NSSPKIXX520Name *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c b/security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c
deleted file mode 100644
index 0459f8c51..000000000
--- a/security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_CreateFromUTF8
- *
- * { basically just enforces the length limit }
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-nssPKIXX520Name_CreateFromUTF8
-(
- NSSArena *arenaOpt,
- NSSUTF8 *utf8
-)
-{
- NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
- nssArenaMark *mark = (nssArenaMark *)NULL;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXX520Name *)NULL;
- }
- }
-
- if( (NSSUTF8 *)NULL == utf8 ) {
- nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSPKIXX520Name *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL != arenaOpt ) {
- mark = nssArena_Mark(arenaOpt);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
- if( (NSSPKIXX520Name *)NULL == rv ) {
- goto loser;
- }
-
- rv->utf8 = nssUTF8_Duplicate(utf8, arenaOpt);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
-
- /*
- * RFC 2459 states (s. 4.1.2.4) that certificates issued after
- * 2003-12-31 MUST encode strings as UTF8Strings, and until
- * then they may be encoded as PrintableStrings, BMPStrings,
- * or UTF8Strings (when the character sets allow). However, it
- * specifically notes that even before 2003-12-31, strings may
- * be encoded as UTF8Strings. So unless something important
- * breaks, I'll do UTF8Strings.
- */
-
- rv->der = nssUTF8_GetDEREncoding(arenaOpt, nssStringType_UTF8String,
- utf8);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
-
- rv->string.size = rv->der->size;
- rv->string.data = nss_ZAlloc(arenaOpt, rv->string.size);
- if( (void *)NULL == rv->string.data ) {
- goto loser;
- }
-
- (void)nsslibc_memcpy(rv->string.data, rv->der->size, rv->string.size);
-
- if( (NSSArena *)NULL != arenaOpt ) {
- rv->inArena = PR_TRUE;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_X520Name_remove_pointer, rv) ) {
- (void)nss_pkix_X520Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arenaOpt, mark);
- }
-
- if( (NSSArena *)NULL == arenaOpt ) {
- if( (NSSPKIXX520Name *)NULL != rv ) {
- if( (NSSDER *)NULL != rv->der ) {
- nss_ZFreeIf(rv->der->data);
- nss_ZFreeIf(rv->der);
- }
-
- nss_ZFreeIf(rv->string.data);
- nss_ZFreeIf(rv->utf8);
- nss_ZFreeIf(rv);
- }
- }
-
- return (NSSPKIXX520Name *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PDecode.c b/security/nss/lib/pkix/src/X520Name/PDecode.c
deleted file mode 100644
index 8228c8db4..000000000
--- a/security/nss/lib/pkix/src/X520Name/PDecode.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_Decode
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_BER
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-nssPKIXX520Name_Decode
-(
- NSSArena *arenaOpt,
- NSSBER *ber
-)
-{
- NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
- nssArenaMark *mark = (nssArenaMark *)NULL;
- PRStatus status;
-
-#ifdef NSSDEBUG
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-
- if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL != arenaOpt ) {
- mark = nssArena_Mark(arenaOpt);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
- if( (NSSPKIXX520Name *)NULL == rv ) {
- goto loser;
- }
-
- status = nssASN1_DecodeBER(arenaOpt, rv, nssPKIXX520_template, ber);
- if( PR_SUCCESS != status ) {
- goto loser;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- rv->inArena = PR_TRUE;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_X520Name_remove_pointer, rv) ) {
- (void)nss_pkix_X520Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arenaOpt, mark);
- }
-
- if( (NSSArena *)NULL == arenaOpt ) {
- if( (NSSPKIXX520Name *)NULL != rv ) {
- nss_ZFreeIf(rv->string.data);
- nss_ZFreeIf(rv->utf8);
- nss_ZFreeIf(rv);
- }
- }
-
- return (NSSPKIXX520Name *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PDestroy.c b/security/nss/lib/pkix/src/X520Name/PDestroy.c
deleted file mode 100644
index 9a9bdaaa2..000000000
--- a/security/nss/lib/pkix/src/X520Name/PDestroy.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_Destroy
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_EXTERN NSSDER *
-nssPKIXX520Name_Destroy
-(
- NSSPKIXX520Name *name
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return PR_FAILURE;
- }
-#endif /* NSSDEBUG */
-
- if( PR_TRUE != name->inArena ) {
- /*
- * Note that inArena is merely a hint. If this object was
- * created passively, this flag will be NULL no matter if
- * it was in an arena or not. However, you may safely
- * (try to) free memory in an NSSArena, so this isn't a
- * problem.
- */
-
- if( (NSSDER *)NULL != name->der ) {
- nss_ZFreeIf(name->der->data);
- nss_ZFreeIf(name->der);
- }
-
- nss_ZFreeIf(name->utf8);
- nss_ZFreeIf(name->string.data);
- nss_ZFreeIf(name);
- }
-
- return PR_SUCCESS;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PDuplicate.c b/security/nss/lib/pkix/src/X520Name/PDuplicate.c
deleted file mode 100644
index a2b6d7e53..000000000
--- a/security/nss/lib/pkix/src/X520Name/PDuplicate.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_Duplicate
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- * A valid pointer to an NSSPKIXX520Name upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSPKIXX520Name *
-nssPKIXX520Name_Duplicate
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-)
-{
- NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
- nssArenaMark *mark = (nssArenaMark *)NULL;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSPKIXAttribute *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSPKIXAttribute *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSArena *)NULL != arenaOpt ) {
- mark = nssArena_Mark(arenaOpt);
- if( (nssArenaMark *)NULL == mark ) {
- goto loser;
- }
- }
-
- rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
- if( (NSSPKIXX520Name *)NULL == rv ) {
- goto loser;
- }
-
- rv->string.size = name->string.size;
- rv->string.data = nss_ZAlloc(arenaOpt, name->string.size);
- if( (void *)NULL == rv->string.data ) {
- goto loser;
- }
-
- (void)nsslibc_memcpy(rv->string.data, name->string.data, name->string.size);
-
- if( (NSSUTF8 *)NULL != name->utf8 ) {
- rv->utf8 = nssUTF8_Duplicate(name->utf8, arenaOpt);
- if( (NSSUTF8 *)NULL == rv->utf8 ) {
- goto loser;
- }
- }
-
- if( (NSSDER *)NULL != name->der ) {
- rv->der = nssItem_Duplicate(name->der, arenaOpt, (NSSItem *)NULL);
- if( (NSSDER *)NULL == rv->der ) {
- goto loser;
- }
- }
-
- rv->wasPrintable = name->wasPrintable;
-
- if( (NSSArena *)NULL != arenaOpt ) {
- rv->inArena = PR_TRUE;
- }
-
- if( (nssArenaMark *)NULL != mark ) {
- if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
- goto loser;
- }
- }
-
-#ifdef DEBUG
- if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssArena_registerDestructor(arena,
- nss_pkix_X520Name_remove_pointer, rv) ) {
- (void)nss_pkix_X520Name_remove_pointer(rv);
- goto loser;
- }
-#endif /* DEBUG */
-
- return rv;
-
- loser:
- if( (nssArenaMark *)NULL != mark ) {
- (void)nssArena_Release(arenaOpt, mark);
- }
-
- if( (NSSArena *)NULL == arenaOpt ) {
- if( (NSSPKIXX520Name *)NULL != rv ) {
- if( (NSSDER *)NULL != rv->der ) {
- nss_ZFreeIf(rv->der->data);
- nss_ZFreeIf(rv->der);
- }
-
- nss_ZFreeIf(rv->string.data);
- nss_ZFreeIf(rv->utf8);
- nss_ZFreeIf(rv);
- }
- }
-
- return (NSSPKIXX520Name *)NULL;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PEncode.c b/security/nss/lib/pkix/src/X520Name/PEncode.c
deleted file mode 100644
index d9f001bae..000000000
--- a/security/nss/lib/pkix/src/X520Name/PEncode.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_Encode
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSBER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSBER *
-nssPKIXX520Name_Encode
-(
- NSSPKIXX520Name *name,
- NSSASN1EncodingType encoding,
- NSSBER *rvOpt,
- NSSArena *arenaOpt
-)
-{
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSBER *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSBER *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSDER *)NULL == name->der ) {
- /* XXX fgmr */
- if( (NSSUTF8 *)NULL == name->utf8 ) {
- if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name) ) {
- return (NSSBER *)NULL;
- }
- }
-
- rv->der = nssUTF8_GetDEREncoding(arenaOpt, type, rv->utf8);
- if( (NSSDER *)NULL == rv->der ) {
- return (NSSBER *)NULL;
- }
- }
-
- return nssItem_Duplicate(name->der, arenaOpt, rvOpt);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PEqual.c b/security/nss/lib/pkix/src/X520Name/PEqual.c
deleted file mode 100644
index 9ebe75005..000000000
--- a/security/nss/lib/pkix/src/X520Name/PEqual.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_Equal
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- *
- * Return value:
- * PR_TRUE if the two objects have equal values
- * PR_FALSE otherwise
- * PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssPKIXX520Name_Equal
-(
- NSSPKIXX520Name *name1,
- NSSPKIXX520Name *name2,
- PRStatus *statusOpt
-)
-{
- PRBool rv;
-
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name1) ) {
- goto loser;
- }
-
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name2) ) {
- goto loser;
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == name1->utf8 ) {
- if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name1) ) {
- goto loser;
- }
- }
-
- if( (NSSUTF8 *)NULL == name2->utf8 ) {
- if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name2) ) {
- goto loser;
- }
- }
-
- if( (PR_TRUE == name1->wasPrintable) && (PR_TRUE == name2->wasPrintable) ) {
- return nssUTF8_PrintableMatch(name1->utf8, name2->utf8, statusOpt);
- }
-
- return nssUTF8_Equal(name1->utf8, name2->utf8, statusOpt);
-
- loser:
- if( (PRStatus *)NULL != statusOpt ) {
- *statusOpt = PR_FAILURE;
- }
-
- return PR_FALSE;
-}
diff --git a/security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c
deleted file mode 100644
index b023b1fea..000000000
--- a/security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-/*
- * nssPKIXX520Name_GetUTF8Encoding
- *
- *
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_X520_NAME
- * NSS_ERROR_NO_MEMORY
- *
- * Return value:
- * A valid NSSDER pointer upon success
- * NULL upon failure
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssPKIXX520Name_GetUTF8Encoding
-(
- NSSPKIXX520Name *name,
- NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
- if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
- return (NSSUTF8 *)NULL;
- }
-
- if( (NSSArena *)NULL != arenaOpt ) {
- if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-#endif /* NSSDEBUG */
-
- if( (NSSUTF8 *)NULL == name->utf8 ) {
- if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name) ) {
- return (NSSUTF8 *)NULL;
- }
- }
-
- return nssUTF8_Duplicate(rv->utf8, arenaOpt);
-}
diff --git a/security/nss/lib/pkix/src/X520Name/template.c b/security/nss/lib/pkix/src/X520Name/template.c
deleted file mode 100644
index 63f18e724..000000000
--- a/security/nss/lib/pkix/src/X520Name/template.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIX_H
-#include "pkix.h"
-#endif /* PKIX_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-/*
- * nssPKIXX520Name_template
- *
- *
- */
-
-const nssASN1Template nssPKIXX520Name_template[] = {
- { nssASN1_ANY, offsetof(NSSPKIXX520Name, string), NULL,
- sizeof(NSSPKIXX520Name) },
- { 0 }
-};
diff --git a/security/nss/lib/pkix/src/X520Name/verifyPointer.c b/security/nss/lib/pkix/src/X520Name/verifyPointer.c
deleted file mode 100644
index 9e447797d..000000000
--- a/security/nss/lib/pkix/src/X520Name/verifyPointer.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#ifndef PKIXM_H
-#include "pkixm.h"
-#endif /* PKIXM_H */
-
-#ifdef DEBUG
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker pkix_x520_name_pointer_tracker;
-
-/*
- * nss_pkix_X520Name_add_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine adds an NSSPKIXX520Name pointer to
- * the internal pointer-tracker. This routine should only be used
- * by the NSSPKIX module. This routine returns a PRStatus value;
- * upon error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_NO_MEMORY
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_X520Name_add_pointer
-(
- const NSSPKIXX520Name *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_x520_name_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- return rv;
- }
-
- rv = nssPointerTracker_add(&pkix_x520_name_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- NSSError e = NSS_GetError();
- if( NSS_ERROR_NO_MEMORY != e ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
- }
-
- return PR_SUCCESS;
-}
-
-/*
- * nss_pkix_X520Name_remove_pointer
- *
- * This method is only present in debug builds.
- *
- * This module-private routine removes a valid NSSPKIXX520Name
- * pointer from the internal pointer-tracker. This routine should
- * only be used by the NSSPKIX module. This routine returns a
- * PRStatus value; upon error it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INTERNAL_ERROR
- *
- * Return value:
- * PR_SUCCESS upon success
- * PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nss_pkix_X520Name_remove_pointer
-(
- const NSSPKIXX520Name *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_remove(&pkix_x520_name_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- }
-
- return rv;
-}
-
-/*
- * nssPKIXX520Name_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSPKIXX520Name
- * object, this routine will return PR_SUCCESS. Otherwise, it will
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- * NSS_ERROR_INVALID_PKIX_X520_NAME
- *
- * Return value:
- * PR_SUCCESS if the pointer is valid
- * PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssPKIXX520Name_verifyPointer
-(
- NSSPKIXX520Name *p
-)
-{
- PRStatus rv;
-
- rv = nssPointerTracker_initialize(&pkix_x520_name_pointer_tracker);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_X520_NAME);
- return PR_FAILURE;
- }
-
- rv = nssPointerTracker_verify(&pkix_x520_name_pointer_tracker, p);
- if( PR_SUCCESS != rv ) {
- nss_SetError(NSS_ERROR_INVALID_PKIX_X520_NAME);
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
diff --git a/security/nss/lib/smime/Makefile b/security/nss/lib/smime/Makefile
deleted file mode 100644
index cb85677bc..000000000
--- a/security/nss/lib/smime/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
deleted file mode 100644
index cb9a9001a..000000000
--- a/security/nss/lib/smime/cms.h
+++ /dev/null
@@ -1,1065 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Interfaces of the CMS implementation.
- *
- * $Id$
- */
-
-#ifndef _CMS_H_
-#define _CMS_H_
-
-#include "seccomon.h"
-#include "mcom_db.h" /* needed by certt.h */
-
-#include "secoidt.h"
-#include "secder.h" /* needed by certt.h; XXX go away when possible */
-#include "certt.h"
-#include "keyt.h"
-#include "hasht.h"
-#include "cmst.h"
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/************************************************************************
- * cmsdecode.c - CMS decoding
- ************************************************************************/
-
-/*
- * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
- *
- * "poolp" - pointer to arena for message, or NULL if new pool should be created
- * "cb", "cb_arg" - callback function and argument for delivery of inner content
- * inner content will be stored in the message if cb is NULL.
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- */
-extern NSSCMSDecoderContext *
-NSS_CMSDecoder_Start(PRArenaPool *poolp,
- NSSCMSContentCallback cb, void *cb_arg,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
-
-/*
- * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
- */
-extern SECStatus
-NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len);
-
-/*
- * NSS_CMSDecoder_Cancel - cancel a decoding process
- */
-extern void
-NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx);
-
-/*
- * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
- */
-extern NSSCMSMessage *
-NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx);
-
-/*
- * NSS_CMSMessage_CreateFromDER - decode a CMS message from DER encoded data
- */
-extern NSSCMSMessage *
-NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
- NSSCMSContentCallback cb, void *cb_arg,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
-
-/************************************************************************
- * cmsencode.c - CMS encoding
- ************************************************************************/
-
-/*
- * NSS_CMSEncoder_Start - set up encoding of a CMS message
- *
- * "cmsg" - message to encode
- * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
- * will not be called if NULL.
- * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
- * "destpoolp" - pool to allocate DER-encoded output in
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- */
-extern NSSCMSEncoderContext *
-NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
- NSSCMSContentCallback outputfn, void *outputarg,
- SECItem *dest, PLArenaPool *destpoolp,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
- SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
-
-/*
- * NSS_CMSEncoder_Update - take content data delivery from the user
- *
- * "p7ecx" - encoder context
- * "data" - content data
- * "len" - length of content data
- */
-extern SECStatus
-NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
-
-/*
- * NSS_CMSEncoder_Finish - signal the end of data
- *
- * we need to walk down the chain of encoders and the finish them from the innermost out
- */
-extern SECStatus
-NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx);
-
-/************************************************************************
- * cmsmessage.c - CMS message object
- ************************************************************************/
-
-/*
- * NSS_CMSMessage_Create - create a CMS message object
- *
- * "poolp" - arena to allocate memory from, or NULL if new arena should be created
- */
-extern NSSCMSMessage *
-NSS_CMSMessage_Create(PLArenaPool *poolp);
-
-/*
- * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
- *
- * "cmsg" - message object
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- *
- * used internally.
- */
-extern void
-NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
- SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
-
-/*
- * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
- */
-extern void
-NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_Copy - return a copy of the given message.
- *
- * The copy may be virtual or may be real -- either way, the result needs
- * to be passed to NSS_CMSMessage_Destroy later (as does the original).
- */
-extern NSSCMSMessage *
-NSS_CMSMessage_Copy(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
- */
-extern PLArenaPool *
-NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg);
-
-/*
- * Return a pointer to the actual content.
- * In the case of those types which are encrypted, this returns the *plain* content.
- * In case of nested contentInfos, this descends and retrieves the innermost content.
- */
-extern SECItem *
-NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
- *
- * CMS data content objects do not count.
- */
-extern int
-NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_ContentLevel - find content level #n
- *
- * CMS data content objects do not count.
- */
-extern NSSCMSContentInfo *
-NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n);
-
-/*
- * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
- */
-extern PRBool
-NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
- */
-extern PRBool
-NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
- *
- * If the CMS message has a SignedData with a signature (not just a SignedData)
- * return true; false otherwise. This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-extern PRBool
-NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_IsContentEmpty - see if content is empty
- *
- * returns PR_TRUE is innermost content length is < minLen
- * XXX need the encrypted content length (why?)
- */
-extern PRBool
-NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen);
-
-/************************************************************************
- * cmscinfo.c - CMS contentInfo methods
- ************************************************************************/
-
-/*
- * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
- */
-extern void
-NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
- */
-extern NSSCMSContentInfo *
-NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_SetContent - set cinfo's content type & content to CMS object
- */
-extern SECStatus
-NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr);
-
-/*
- * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetType
- * set cinfo's content type & content to CMS object
- */
-extern SECStatus
-NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSContentInfo_GetContent - get pointer to inner content
- *
- * needs to be casted...
- */
-extern void *
-NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
- *
- * this is typically only called by NSS_CMSMessage_GetContent()
- */
-extern SECItem *
-NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
- * for future reference) and return the inner content type.
- */
-extern SECOidTag
-NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo);
-
-extern SECItem *
-NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
- * for future reference) and return the content encryption algorithm tag.
- */
-extern SECOidTag
-NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
- */
-extern SECAlgorithmID *
-NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
- SECOidTag bulkalgtag, SECItem *parameters, int keysize);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
- SECAlgorithmID *algid, int keysize);
-
-extern void
-NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey);
-
-extern PK11SymKey *
-NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo);
-
-extern int
-NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo);
-
-/************************************************************************
- * cmsutil.c - CMS misc utility functions
- ************************************************************************/
-
-/*
- * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
- *
- * make sure that the order of the objects guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in objs).
- */
-extern SECStatus
-NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2);
-
-/*
- * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
- * sort arrays of SECItems containing DER
- */
-extern int
-NSS_CMSUtil_DERCompare(void *a, void *b);
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algid - algorithmid of algorithm to pick
- *
- * Returns:
- * An integer containing the index of the algorithm in the array or -1 if
- * algorithm was not found.
- */
-extern int
-NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid);
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algiddata - id of algorithm to pick
- *
- * Returns:
- * An integer containing the index of the algorithm in the array or -1 if
- * algorithm was not found.
- */
-extern int
-NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag);
-
-extern SECHashObject *
-NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid);
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-extern SECOidTag
-NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg);
-
-extern const SEC_ASN1Template *
-NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type);
-
-extern size_t
-NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type);
-
-extern NSSCMSContentInfo *
-NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type);
-
-extern const char *
-NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs);
-
-/************************************************************************
- * cmssigdata.c - CMS signedData methods
- ************************************************************************/
-
-extern NSSCMSSignedData *
-NSS_CMSSignedData_Create(NSSCMSMessage *cmsg);
-
-extern void
-NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
- * before start of encoding.
- *
- * In detail:
- * - find out about the right value to put into sigd->version
- * - come up with a list of digestAlgorithms (which should be the union of the algorithms
- * in the signerinfos).
- * If we happen to have a pre-set list of algorithms (and digest values!), we
- * check if we have all the signerinfos' algorithms. If not, this is an error.
- */
-extern SECStatus
-NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - create the signatures in all the SignerInfos
- *
- * Please note that nothing is done to the Certificates and CRLs in the message - this
- * is entirely the responsibility of our callers.
- */
-extern SECStatus
-NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData
- * after all the encapsulated data was passed through the decoder.
- */
-extern SECStatus
-NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
- * after all decoding is finished.
- */
-extern SECStatus
-NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
- */
-extern NSSCMSSignerInfo **
-NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd);
-
-extern int
-NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd);
-
-extern NSSCMSSignerInfo *
-NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i);
-
-/*
- * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
- */
-extern SECAlgorithmID **
-NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
- */
-extern SECItem **
-NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
- SECCertUsage certusage, PRBool keepcerts);
-
-/*
- * NSS_CMSSignedData_HasDigests - see if we have digests in place
- */
-extern PRBool
-NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_VerifySignerInfo - check a signature.
- *
- * The digests were either calculated during decoding (and are stored in the
- * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
- *
- * The verification checks if the signing cert is valid and has a trusted chain
- * for the purpose specified by "certusage".
- */
-extern SECStatus
-NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, CERTCertDBHandle *certdb,
- SECCertUsage certusage);
-
-extern SECStatus
-NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist);
-
-/*
- * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs
- */
-extern SECStatus
-NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert);
-
-extern SECStatus
-NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
-
-extern PRBool
-NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
- NSSCMSSignerInfo *signerinfo);
-
-extern SECItem *
-NSS_CMSSignedData_GetDigestByAlgTag(NSSCMSSignedData *sigd, SECOidTag algtag);
-
-extern SECStatus
-NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
- SECAlgorithmID **digestalgs,
- SECItem **digests);
-
-extern SECStatus
-NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
- SECOidTag digestalgtag,
- SECItem *digestdata);
-
-extern SECStatus
-NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
- NSSCMSSignedData *sigd,
- SECOidTag digestalgtag,
- SECItem *digest);
-
-extern SECItem *
-NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag);
-
-/*
- * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
- *
- * cert - base certificates that will be included
- * include_chain - if true, include the complete cert chain for cert
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- */
-extern NSSCMSSignedData *
-NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain);
-
-/************************************************************************
- * cmssiginfo.c - signerinfo methods
- ************************************************************************/
-
-extern NSSCMSSignerInfo *
-NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag);
-
-/*
- * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
- */
-extern void
-NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si);
-
-/*
- * NSS_CMSSignerInfo_Sign - sign something
- *
- */
-extern SECStatus
-NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
-
-extern SECStatus
-NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
- SECCertUsage certusage);
-
-/*
- * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
- *
- * Just verifies the signature. The assumption is that verification of the certificate
- * is done already.
- */
-extern SECStatus
-NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
-
-extern NSSCMSVerificationStatus
-NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo);
-
-extern SECOidData *
-NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo);
-
-extern SECOidTag
-NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo);
-
-extern int
-NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo);
-
-extern CERTCertificateList *
-NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo);
-
-/*
- * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
- * in UTCTime format, of a CMS signerInfo.
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to XXXX (what?)
- * A return value of NULL is an error.
- */
-extern SECStatus
-NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime);
-
-/*
- * Return the signing cert of a CMS signerInfo.
- *
- * the certs in the enclosing SignedData must have been imported already
- */
-extern CERTCertificate *
-NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb);
-
-/*
- * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A return value of NULL is an error.
- */
-extern char *
-NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo);
-
-/*
- * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A return value of NULL is an error.
- */
-extern char *
-NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo);
-
-/*
- * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
- * unauthenticated attributes of "signerinfo".
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will do nothing.
- *
- * XXX This will probably just shove the current time into "signerinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding. Is this (expected to be small) delay okay?
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t);
-
-/*
- * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME).
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo);
-
-/*
- * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed messages for email (S/MIME).
- */
-SECStatus
-NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
-
-/*
- * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
- SECOidTag digestalg, CERTCertificate signingcert);
-
-/*
- * XXXX the following needs to be done in the S/MIME layer code
- * after signature of a signerinfo is verified
- */
-extern SECStatus
-NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo);
-
-/*
- * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
- */
-extern SECStatus
-NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage);
-
-/************************************************************************
- * cmsenvdata.c - CMS envelopedData methods
- ************************************************************************/
-
-/*
- * NSS_CMSEnvelopedData_Create - create an enveloped data message
- */
-extern NSSCMSEnvelopedData *
-NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
-
-/*
- * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
- */
-extern void
-NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp);
-
-/*
- * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
- *
- * rip must be created on the same pool as edp - this is not enforced, though.
- */
-extern SECStatus
-NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip);
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
- *
- * at this point, we need
- * - recipientinfos set up with recipient's certificates
- * - a content encryption algorithm (if none, 3DES will be used)
- *
- * this function will generate a random content encryption key (aka bulk key),
- * initialize the recipientinfos with certificate identification and wrap the bulk key
- * using the proper algorithm for every certificiate.
- * it will finally set the bulk algorithm and key so that the encode step can find it.
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo,
- * derive bulk key & set up our contentinfo
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd);
-
-
-/************************************************************************
- * cmsrecinfo.c - CMS recipientInfo methods
- ************************************************************************/
-
-/*
- * NSS_CMSRecipientInfo_Create - create a recipientinfo
- *
- * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys
- * the certificate is supposed to have been verified by the caller
- */
-extern NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert);
-
-extern void
-NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri);
-
-extern int
-NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri);
-
-extern SECItem *
-NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex);
-
-
-extern SECOidTag
-NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri);
-
-extern SECStatus
-NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag);
-
-extern PK11SymKey *
-NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
- CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag);
-
-/************************************************************************
- * cmsencdata.c - CMS encryptedData methods
- ************************************************************************/
-/*
- * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- * "keysize" is the key size.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern NSSCMSEncryptedData *
-NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
-
-/*
- * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
- */
-extern void
-NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
- * before encoding begins.
- *
- * In particular:
- * - set the correct version value.
- * - get the encryption key
- */
-extern SECStatus
-NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
- */
-extern SECStatus
-NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
- */
-extern SECStatus
-NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
- */
-extern SECStatus
-NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
- */
-extern SECStatus
-NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
- */
-extern SECStatus
-NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd);
-
-/************************************************************************
- * cmsdigdata.c - CMS encryptedData methods
- ************************************************************************/
-/*
- * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
- *
- * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
- * digestAlg is passed as parameter
- * contentInfo must be filled by the user
- * digest will be calculated while encoding
- */
-extern NSSCMSDigestedData *
-NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg);
-
-/*
- * NSS_CMSDigestedData_Destroy - destroy a digestedData object
- */
-extern void
-NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
- * before encoding begins.
- *
- * In particular:
- * - set the right version number. The contentInfo's content type must be set up already.
- */
-extern SECStatus
-NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
- * before the encapsulated data is passed through the encoder.
- *
- * In detail:
- * - set up the digests if necessary
- */
-extern SECStatus
-NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - finish the digests
- */
-extern SECStatus
-NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
- * before the encapsulated data is passed through the encoder.
- *
- * In detail:
- * - set up the digests if necessary
- */
-extern SECStatus
-NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - finish the digests
- */
-extern SECStatus
-NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
- *
- * In detail:
- * - check the digests for equality
- */
-extern SECStatus
-NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd);
-
-/************************************************************************
- * cmsdigest.c - digestion routines
- ************************************************************************/
-
-/*
- * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
- * digest algorithms in "digestalgs" in parallel.
- */
-extern NSSCMSDigestContext *
-NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs);
-
-/*
- * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but
- * only one algorithm.
- */
-extern NSSCMSDigestContext *
-NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg);
-
-/*
- * NSS_CMSDigestContext_Update - feed more data into the digest machine
- */
-extern void
-NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len);
-
-/*
- * NSS_CMSDigestContext_Cancel - cancel digesting operation
- */
-extern void
-NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx);
-
-/*
- * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
- * into an array of SECItems (allocated on poolp)
- */
-extern SECStatus
-NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
- SECItem ***digestsp);
-
-/*
- * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple,
- * but for one digest.
- */
-extern SECStatus
-NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
- SECItem *digest);
-
-/************************************************************************
- *
- ************************************************************************/
-
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _CMS_H_ */
diff --git a/security/nss/lib/smime/cmsarray.c b/security/nss/lib/smime/cmsarray.c
deleted file mode 100644
index 68d7e1963..000000000
--- a/security/nss/lib/smime/cmsarray.c
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS array functions.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secerr.h"
-
-/*
- * ARRAY FUNCTIONS
- *
- * In NSS, arrays are rather primitive arrays of pointers.
- * Makes it easy to walk the array, but hard to count elements
- * and manage the storage.
- *
- * This is a feeble attempt to encapsulate the functionality
- * and get rid of hundreds of lines of similar code
- */
-
-/*
- * NSS_CMSArray_Alloc - allocate an array in an arena
- *
- * This allocates space for the array of pointers
- */
-void **
-NSS_CMSArray_Alloc(PRArenaPool *poolp, int n)
-{
- return (void **)PORT_ArenaZAlloc(poolp, n * sizeof(void *));
-}
-
-/*
- * NSS_CMSArray_Add - add an element to the end of an array
- *
- * The array of pointers is either created (if array was empty before) or grown.
- */
-SECStatus
-NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj)
-{
- void **p;
- int n;
- void **dest;
-
- PORT_Assert(array != NULL);
- if (array == NULL)
- return SECFailure;
-
- if (*array == NULL) {
- dest = (void **)PORT_ArenaAlloc(poolp, 2 * sizeof(void *));
- n = 0;
- } else {
- n = 0; p = *array;
- while (*p++)
- n++;
- dest = (void **)PORT_ArenaGrow (poolp,
- *array,
- (n + 1) * sizeof(void *),
- (n + 2) * sizeof(void *));
- }
- dest[n] = obj;
- dest[n+1] = NULL;
- *array = dest;
- return SECSuccess;
-}
-
-/*
- * NSS_CMSArray_IsEmpty - check if array is empty
- */
-PRBool
-NSS_CMSArray_IsEmpty(void **array)
-{
- return (array == NULL || array[0] == NULL);
-}
-
-/*
- * NSS_CMSArray_Count - count number of elements in array
- */
-int
-NSS_CMSArray_Count(void **array)
-{
- int n = 0;
-
- if (array == NULL)
- return 0;
-
- while (*array++ != NULL)
- n++;
-
- return n;
-}
-
-/*
- * NSS_CMSArray_Sort - sort an array in place
- *
- * If "secondary" or "tertiary are not NULL, it must be arrays with the same
- * number of elements as "primary". The same reordering will get applied to it.
- *
- * "compare" is a function that returns
- * < 0 when the first element is less than the second
- * = 0 when the first element is equal to the second
- * > 0 when the first element is greater than the second
- * to acheive ascending ordering.
- */
-void
-NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary)
-{
- int n, i, limit, lastxchg;
- void *tmp;
-
- n = NSS_CMSArray_Count(primary);
-
- PORT_Assert(secondary == NULL || NSS_CMSArray_Count(secondary) == n);
- PORT_Assert(tertiary == NULL || NSS_CMSArray_Count(tertiary) == n);
-
- if (n <= 1) /* ordering is fine */
- return;
-
- /* yes, ladies and gentlemen, it's BUBBLE SORT TIME! */
- limit = n - 1;
- while (1) {
- lastxchg = 0;
- for (i = 0; i < limit; i++) {
- if ((*compare)(primary[i], primary[i+1]) > 0) {
- /* exchange the neighbours */
- tmp = primary[i+1];
- primary[i+1] = primary[i];
- primary[i] = tmp;
- if (secondary) { /* secondary array? */
- tmp = secondary[i+1]; /* exchange there as well */
- secondary[i+1] = secondary[i];
- secondary[i] = tmp;
- }
- if (tertiary) { /* tertiary array? */
- tmp = tertiary[i+1]; /* exchange there as well */
- tertiary[i+1] = tertiary[i];
- tertiary[i] = tmp;
- }
- lastxchg = i+1; /* index of the last element bubbled up */
- }
- }
- if (lastxchg == 0) /* no exchanges, so array is sorted */
- break; /* we're done */
- limit = lastxchg; /* array is sorted up to [limit] */
- }
-}
-
-#if 0
-
-/* array iterator stuff... not used */
-
-typedef void **NSSCMSArrayIterator;
-
-/* iterator */
-NSSCMSArrayIterator
-NSS_CMSArray_First(void **array)
-{
- if (array == NULL || array[0] == NULL)
- return NULL;
- return (NSSCMSArrayIterator)&(array[0]);
-}
-
-void *
-NSS_CMSArray_Obj(NSSCMSArrayIterator iter)
-{
- void **p = (void **)iter;
-
- return *iter; /* which is NULL if we are at the end of the array */
-}
-
-NSSCMSArrayIterator
-NSS_CMSArray_Next(NSSCMSArrayIterator iter)
-{
- void **p = (void **)iter;
-
- return (NSSCMSArrayIterator)(p + 1);
-}
-
-#endif
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
deleted file mode 100644
index d649c4192..000000000
--- a/security/nss/lib/smime/cmsasn1.c
+++ /dev/null
@@ -1,560 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS ASN.1 templates
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "prtime.h"
-#include "secerr.h"
-
-
-extern const SEC_ASN1Template nss_cms_set_of_attribute_template[];
-
-/* -----------------------------------------------------------------------------
- * MESSAGE
- * (uses NSSCMSContentInfo)
- */
-
-/* forward declaration */
-static const SEC_ASN1Template *
-nss_cms_choose_content_template(void *src_or_dest, PRBool encoding);
-
-static SEC_ChooseASN1TemplateFunc nss_cms_chooser
- = nss_cms_choose_content_template;
-
-const SEC_ASN1Template NSSCMSMessageTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSMessage) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(NSSCMSMessage,contentInfo.contentType) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
- | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSMessage,contentInfo.content),
- &nss_cms_chooser },
- { 0 }
-};
-
-static const SEC_ASN1Template NSS_PointerToCMSMessageTemplate[] = {
- { SEC_ASN1_POINTER, 0, NSSCMSMessageTemplate }
-};
-
-/* -----------------------------------------------------------------------------
- * ENCAPSULATED & ENCRYPTED CONTENTINFO
- * (both use a NSSCMSContentInfo)
- */
-static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSContentInfo) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(NSSCMSContentInfo,contentType) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_MAY_STREAM |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSContentInfo,rawContent),
- SEC_PointerToOctetStringTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSEncryptedContentInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSContentInfo) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(NSSCMSContentInfo,contentType) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSContentInfo,contentEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSContentInfo,rawContent),
- SEC_OctetStringTemplate },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * SIGNED DATA
- */
-
-const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
-
-const SEC_ASN1Template NSSCMSSignedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSSignedData) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSSignedData,version) },
- { SEC_ASN1_SET_OF,
- offsetof(NSSCMSSignedData,digestAlgorithms),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSSignedData,contentInfo),
- NSSCMSEncapsulatedContentInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSSignedData,rawCerts),
- SEC_SetOfAnyTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSSignedData,crls),
- CERT_SetOfSignedCrlTemplate },
- { SEC_ASN1_SET_OF,
- offsetof(NSSCMSSignedData,signerInfos),
- NSSCMSSignerInfoTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSSignedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, NSSCMSSignedDataTemplate }
-};
-
-/* -----------------------------------------------------------------------------
- * signeridentifier
- */
-
-static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = {
- { SEC_ASN1_CHOICE,
- offsetof(NSSCMSSignerIdentifier,identifierType), NULL,
- sizeof(NSSCMSSignerIdentifier) },
- { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSSignerIdentifier,id.subjectKeyID),
- SEC_OctetStringTemplate,
- NSSCMSRecipientID_SubjectKeyID },
- { SEC_ASN1_POINTER,
- offsetof(NSSCMSSignerIdentifier,id.issuerAndSN),
- CERT_IssuerAndSNTemplate,
- NSSCMSRecipientID_IssuerSN },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * signerinfo
- */
-
-const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSSignerInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSSignerInfo,version) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSSignerInfo,signerIdentifier),
- NSSCMSSignerIdentifierTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSSignerInfo,digestAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSSignerInfo,authAttr),
- nss_cms_set_of_attribute_template },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSSignerInfo,digestEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSSignerInfo,encDigest) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSSignerInfo,unAuthAttr),
- nss_cms_set_of_attribute_template },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * ENVELOPED DATA
- */
-
-static const SEC_ASN1Template NSSCMSOriginatorInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSOriginatorInfo) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSOriginatorInfo,rawCerts),
- SEC_SetOfAnyTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSOriginatorInfo,crls),
- CERT_SetOfSignedCrlTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
-
-const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSEnvelopedData) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSEnvelopedData,version) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSEnvelopedData,originatorInfo),
- NSSCMSOriginatorInfoTemplate },
- { SEC_ASN1_SET_OF,
- offsetof(NSSCMSEnvelopedData,recipientInfos),
- NSSCMSRecipientInfoTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSEnvelopedData,contentInfo),
- NSSCMSEncryptedContentInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSEnvelopedData,unprotectedAttr),
- nss_cms_set_of_attribute_template },
- { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSEnvelopedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, NSSCMSEnvelopedDataTemplate }
-};
-
-/* here come the 15 gazillion templates for all the v3 varieties of RecipientInfo */
-
-/* -----------------------------------------------------------------------------
- * key transport recipient info
- */
-
-static const SEC_ASN1Template NSSCMSRecipientIdentifierTemplate[] = {
- { SEC_ASN1_CHOICE,
- offsetof(NSSCMSRecipientIdentifier,identifierType), NULL,
- sizeof(NSSCMSRecipientIdentifier) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSRecipientIdentifier,id.subjectKeyID),
- SEC_PointerToOctetStringTemplate,
- NSSCMSRecipientID_SubjectKeyID },
- { SEC_ASN1_POINTER,
- offsetof(NSSCMSRecipientIdentifier,id.issuerAndSN),
- CERT_IssuerAndSNTemplate,
- NSSCMSRecipientID_IssuerSN },
- { 0 }
-};
-
-
-static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSKeyTransRecipientInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSKeyTransRecipientInfo,version) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSKeyTransRecipientInfo,recipientIdentifier),
- NSSCMSRecipientIdentifierTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSKeyTransRecipientInfo,keyEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSKeyTransRecipientInfo,encKey) },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * key agreement recipient info
- */
-
-static const SEC_ASN1Template NSSCMSOriginatorPublicKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSOriginatorPublicKey) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSOriginatorPublicKey,algorithmIdentifier),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSOriginatorPublicKey,publicKey),
- SEC_BitStringTemplate },
- { 0 }
-};
-
-
-static const SEC_ASN1Template NSSCMSOriginatorIdentifierOrKeyTemplate[] = {
- { SEC_ASN1_CHOICE,
- offsetof(NSSCMSOriginatorIdentifierOrKey,identifierType), NULL,
- sizeof(NSSCMSOriginatorIdentifierOrKey) },
- { SEC_ASN1_POINTER,
- offsetof(NSSCMSOriginatorIdentifierOrKey,id.issuerAndSN),
- CERT_IssuerAndSNTemplate,
- NSSCMSOriginatorIDOrKey_IssuerSN },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSOriginatorIdentifierOrKey,id.subjectKeyID),
- SEC_PointerToOctetStringTemplate,
- NSSCMSOriginatorIDOrKey_SubjectKeyID },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(NSSCMSOriginatorIdentifierOrKey,id.originatorPublicKey),
- NSSCMSOriginatorPublicKeyTemplate,
- NSSCMSOriginatorIDOrKey_OriginatorPublicKey },
- { 0 }
-};
-
-const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSRecipientKeyIdentifier) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSRecipientKeyIdentifier,subjectKeyIdentifier) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSRecipientKeyIdentifier,date) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSRecipientKeyIdentifier,other) },
- { 0 }
-};
-
-
-static const SEC_ASN1Template NSSCMSKeyAgreeRecipientIdentifierTemplate[] = {
- { SEC_ASN1_CHOICE,
- offsetof(NSSCMSKeyAgreeRecipientIdentifier,identifierType), NULL,
- sizeof(NSSCMSKeyAgreeRecipientIdentifier) },
- { SEC_ASN1_POINTER,
- offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.issuerAndSN),
- CERT_IssuerAndSNTemplate,
- NSSCMSKeyAgreeRecipientID_IssuerSN },
- { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.recipientKeyIdentifier),
- NSSCMSRecipientKeyIdentifierTemplate,
- NSSCMSKeyAgreeRecipientID_RKeyID },
- { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSRecipientEncryptedKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSRecipientEncryptedKey) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSRecipientEncryptedKey,recipientIdentifier),
- NSSCMSKeyAgreeRecipientIdentifierTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSRecipientEncryptedKey,encKey),
- SEC_BitStringTemplate },
- { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSKeyAgreeRecipientInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSKeyAgreeRecipientInfo,version) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSCMSKeyAgreeRecipientInfo,originatorIdentifierOrKey),
- NSSCMSOriginatorIdentifierOrKeyTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSKeyAgreeRecipientInfo,ukm),
- SEC_OctetStringTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSKeyAgreeRecipientInfo,keyEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_SEQUENCE_OF,
- offsetof(NSSCMSKeyAgreeRecipientInfo,recipientEncryptedKeys),
- NSSCMSRecipientEncryptedKeyTemplate },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * KEK recipient info
- */
-
-static const SEC_ASN1Template NSSCMSKEKIdentifierTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSKEKIdentifier) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSKEKIdentifier,keyIdentifier) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSKEKIdentifier,date) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSKEKIdentifier,other) },
- { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSKEKRecipientInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSKEKRecipientInfo,version) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSKEKRecipientInfo,kekIdentifier),
- NSSCMSKEKIdentifierTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSKEKRecipientInfo,keyEncAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSKEKRecipientInfo,encKey) },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * recipient info
- */
-const SEC_ASN1Template NSSCMSRecipientInfoTemplate[] = {
- { SEC_ASN1_CHOICE,
- offsetof(NSSCMSRecipientInfo,recipientInfoType), NULL,
- sizeof(NSSCMSRecipientInfo) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSRecipientInfo,ri.keyAgreeRecipientInfo),
- NSSCMSKeyAgreeRecipientInfoTemplate,
- NSSCMSRecipientInfoID_KeyAgree },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(NSSCMSRecipientInfo,ri.kekRecipientInfo),
- NSSCMSKEKRecipientInfoTemplate,
- NSSCMSRecipientInfoID_KEK },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSRecipientInfo,ri.keyTransRecipientInfo),
- NSSCMSKeyTransRecipientInfoTemplate,
- NSSCMSRecipientInfoID_KeyTrans },
- { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- *
- */
-
-const SEC_ASN1Template NSSCMSDigestedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSDigestedData) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSDigestedData,version) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSDigestedData,digestAlg),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSDigestedData,contentInfo),
- NSSCMSEncapsulatedContentInfoTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSDigestedData,digest) },
- { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSDigestedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, NSSCMSDigestedDataTemplate }
-};
-
-const SEC_ASN1Template NSSCMSEncryptedDataTemplate[] = {
- { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
- 0, NULL, sizeof(NSSCMSEncryptedData) },
- { SEC_ASN1_INTEGER,
- offsetof(NSSCMSEncryptedData,version) },
- { SEC_ASN1_INLINE,
- offsetof(NSSCMSEncryptedData,contentInfo),
- NSSCMSEncryptedContentInfoTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSCMSEncryptedData,unprotectedAttr),
- nss_cms_set_of_attribute_template },
- { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSEncryptedDataTemplate[] = {
- { SEC_ASN1_POINTER, 0, NSSCMSEncryptedDataTemplate }
-};
-
-/* -----------------------------------------------------------------------------
- * FORTEZZA KEA
- */
-const SEC_ASN1Template NSS_SMIMEKEAParamTemplateSkipjack[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
- { SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
- offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
- { 0 }
-};
-
-const SEC_ASN1Template NSS_SMIMEKEAParamTemplateNoSkipjack[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
- { SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
- offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_OPTIONAL ,
- offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
- { 0 }
-};
-
-const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
- { SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
- offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_OPTIONAL ,
- offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_OPTIONAL ,
- offsetof(NSSCMSSMIMEKEAParameters,bulkKeySize) },
- { 0 }
-};
-
-const SEC_ASN1Template *
-nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate)
-{
- const SEC_ASN1Template *returnVal = NULL;
-
- switch(whichTemplate)
- {
- case NSSCMSKEAUsesNonSkipjack:
- returnVal = NSS_SMIMEKEAParamTemplateNoSkipjack;
- break;
- case NSSCMSKEAUsesSkipjack:
- returnVal = NSS_SMIMEKEAParamTemplateSkipjack;
- break;
- case NSSCMSKEAUsesNonSkipjackWithPaddedEncKey:
- default:
- returnVal = NSS_SMIMEKEAParamTemplateAllParams;
- break;
- }
- return returnVal;
-}
-
-/* -----------------------------------------------------------------------------
- *
- */
-static const SEC_ASN1Template *
-nss_cms_choose_content_template(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- NSSCMSContentInfo *cinfo;
-
- PORT_Assert (src_or_dest != NULL);
- if (src_or_dest == NULL)
- return NULL;
-
- cinfo = (NSSCMSContentInfo *)src_or_dest;
- switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
- default:
- theTemplate = SEC_PointerToAnyTemplate;
- break;
- case SEC_OID_PKCS7_DATA:
- theTemplate = SEC_PointerToOctetStringTemplate;
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- theTemplate = NSS_PointerToCMSSignedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- theTemplate = NSS_PointerToCMSEnvelopedDataTemplate;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- theTemplate = NSS_PointerToCMSDigestedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- theTemplate = NSS_PointerToCMSEncryptedDataTemplate;
- break;
- }
- return theTemplate;
-}
diff --git a/security/nss/lib/smime/cmsattr.c b/security/nss/lib/smime/cmsattr.c
deleted file mode 100644
index 34016bd55..000000000
--- a/security/nss/lib/smime/cmsattr.c
+++ /dev/null
@@ -1,453 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS attributes.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-/*
- * -------------------------------------------------------------------
- * XXX The following Attribute stuff really belongs elsewhere.
- * The Attribute type is *not* part of CMS but rather X.501.
- * But for now, since CMS is the only customer of attributes,
- * we define them here. Once there is a use outside of CMS,
- * then change the attribute types and functions from internal
- * to external naming convention, and move them elsewhere!
- */
-
-
-/*
- * NSS_CMSAttribute_Create - create an attribute
- *
- * if value is NULL, the attribute won't have a value. It can be added later
- * with NSS_CMSAttribute_AddValue.
- */
-NSSCMSAttribute *
-NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded)
-{
- NSSCMSAttribute *attr;
- SECItem *copiedvalue;
- void *mark;
-
- PORT_Assert (poolp != NULL);
-
- mark = PORT_ArenaMark (poolp);
-
- attr = (NSSCMSAttribute *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSAttribute));
- if (attr == NULL)
- goto loser;
-
- attr->typeTag = SECOID_FindOIDByTag(oidtag);
- if (attr->typeTag == NULL)
- goto loser;
-
- if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
- goto loser;
-
- if (value != NULL) {
- if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, value->len)) == NULL)
- goto loser;
-
- if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess)
- goto loser;
-
- NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue);
- }
-
- attr->encoded = encoded;
-
- PORT_ArenaUnmark (poolp, mark);
-
- return attr;
-
-loser:
- PORT_Assert (mark != NULL);
- PORT_ArenaRelease (poolp, mark);
- return NULL;
-}
-
-/*
- * NSS_CMSAttribute_AddValue - add another value to an attribute
- */
-SECStatus
-NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value)
-{
- SECItem copiedvalue;
- void *mark;
-
- PORT_Assert (poolp != NULL);
-
- mark = PORT_ArenaMark(poolp);
-
- /* XXX we need an object memory model #$%#$%! */
- if (SECITEM_CopyItem(poolp, &copiedvalue, value) != SECSuccess)
- goto loser;
-
- if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)&copiedvalue) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_Assert (mark != NULL);
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
-/*
- * NSS_CMSAttribute_GetType - return the OID tag
- */
-SECOidTag
-NSS_CMSAttribute_GetType(NSSCMSAttribute *attr)
-{
- SECOidData *typetag;
-
- typetag = SECOID_FindOID(&(attr->type));
- if (typetag == NULL)
- return SEC_OID_UNKNOWN;
-
- return typetag->offset;
-}
-
-/*
- * NSS_CMSAttribute_GetValue - return the first attribute value
- *
- * We do some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-SECItem *
-NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr)
-{
- SECItem *value;
-
- if (attr == NULL)
- return NULL;
-
- value = attr->values[0];
-
- if (value == NULL || value->data == NULL || value->len == 0)
- return NULL;
-
- if (attr->values[1] != NULL)
- return NULL;
-
- return value;
-}
-
-/*
- * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
- */
-PRBool
-NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av)
-{
- SECItem *value;
-
- if (attr == NULL)
- return PR_FALSE;
-
- value = NSS_CMSAttribute_GetValue(attr);
-
- return (value != NULL && value->len == av->len &&
- PORT_Memcmp (value->data, av->data, value->len) == 0);
-}
-
-/*
- * templates and functions for separate ASN.1 encoding of attributes
- *
- * used in NSS_CMSAttributeArray_Reorder
- */
-
-/*
- * helper function for dynamic template determination of the attribute value
- */
-static const SEC_ASN1Template *
-cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
-{
- const SEC_ASN1Template *theTemplate;
- NSSCMSAttribute *attribute;
- SECOidData *oiddata;
- PRBool encoded;
-
- PORT_Assert (src_or_dest != NULL);
- if (src_or_dest == NULL)
- return NULL;
-
- attribute = (NSSCMSAttribute *)src_or_dest;
-
- if (encoding && attribute->encoded)
- /* we're encoding, and the attribute value is already encoded. */
- return SEC_AnyTemplate;
-
- /* get attribute's typeTag */
- oiddata = attribute->typeTag;
- if (oiddata == NULL) {
- oiddata = SECOID_FindOID(&attribute->type);
- attribute->typeTag = oiddata;
- }
-
- if (oiddata == NULL) {
- /* still no OID tag? OID is unknown then. en/decode value as ANY. */
- encoded = PR_TRUE;
- theTemplate = SEC_AnyTemplate;
- } else {
- switch (oiddata->offset) {
- SEC_OID_PKCS9_SMIME_CAPABILITIES:
- SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE:
- /* these guys need to stay DER-encoded */
- default:
- /* same goes for OIDs that are not handled here */
- encoded = PR_TRUE;
- theTemplate = SEC_AnyTemplate;
- break;
- /* otherwise choose proper template */
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- case SEC_OID_RFC1274_MAIL:
- case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
- encoded = PR_FALSE;
- theTemplate = SEC_IA5StringTemplate;
- break;
- case SEC_OID_PKCS9_CONTENT_TYPE:
- encoded = PR_FALSE;
- theTemplate = SEC_ObjectIDTemplate;
- break;
- case SEC_OID_PKCS9_MESSAGE_DIGEST:
- encoded = PR_FALSE;
- theTemplate = SEC_OctetStringTemplate;
- break;
- case SEC_OID_PKCS9_SIGNING_TIME:
- encoded = PR_FALSE;
- theTemplate = SEC_UTCTimeTemplate;
- break;
- /* XXX Want other types here, too */
- }
- }
-
- if (encoding) {
- /*
- * If we are encoding and we think we have an already-encoded value,
- * then the code which initialized this attribute should have set
- * the "encoded" property to true (and we would have returned early,
- * up above). No devastating error, but that code should be fixed.
- * (It could indicate that the resulting encoded bytes are wrong.)
- */
- PORT_Assert (!encoded);
- } else {
- /*
- * We are decoding; record whether the resulting value is
- * still encoded or not.
- */
- attribute->encoded = encoded;
- }
- return theTemplate;
-}
-
-static SEC_ChooseASN1TemplateFunc cms_attr_chooser
- = cms_attr_choose_attr_value_template;
-
-const SEC_ASN1Template nss_cms_attribute_template[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSCMSAttribute) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(NSSCMSAttribute,type) },
- { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
- offsetof(NSSCMSAttribute,values),
- &cms_attr_chooser },
- { 0 }
-};
-
-const SEC_ASN1Template nss_cms_set_of_attribute_template[] = {
- { SEC_ASN1_SET_OF, 0, nss_cms_attribute_template },
-};
-
-/* =============================================================================
- * Attribute Array methods
- */
-
-/*
- * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
- *
- * If you are wondering why this routine does not reorder the attributes
- * first, and might be tempted to make it do so, see the comment by the
- * call to ReorderAttributes in cmsencode.c. (Or, see who else calls this
- * and think long and hard about the implications of making it always
- * do the reordering.)
- */
-SECItem *
-NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest)
-{
- return SEC_ASN1EncodeItem (poolp, dest, (void *)attrs, nss_cms_set_of_attribute_template);
-}
-
-/*
- * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
- *
- * make sure that the order of the attributes guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in attrs).
- */
-SECStatus
-NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs)
-{
- return NSS_CMSArray_SortByDER((void **)attrs, nss_cms_attribute_template, NULL);
-}
-
-/*
- * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
- * find one that matches the specified object ID.
- *
- * If "only" is true, then make sure that there is not more than one attribute
- * of the same type. Otherwise, just return the first one found. (XXX Does
- * anybody really want that first-found behavior? It was like that when I found it...)
- */
-NSSCMSAttribute *
-NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only)
-{
- SECOidData *oid;
- NSSCMSAttribute *attr1, *attr2;
-
- if (attrs == NULL)
- return NULL;
-
- oid = SECOID_FindOIDByTag(oidtag);
- if (oid == NULL)
- return NULL;
-
- while ((attr1 = *attrs++) != NULL) {
- if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
- oid->oid.data,
- oid->oid.len) == 0)
- break;
- }
-
- if (attr1 == NULL)
- return NULL;
-
- if (!only)
- return attr1;
-
- while ((attr2 = *attrs++) != NULL) {
- if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
- oid->oid.data,
- oid->oid.len) == 0)
- break;
- }
-
- if (attr2 != NULL)
- return NULL;
-
- return attr1;
-}
-
-/*
- * NSS_CMSAttributeArray_AddAttr - add an attribute to an
- * array of attributes.
- */
-SECStatus
-NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr)
-{
- NSSCMSAttribute *oattr;
- void *mark;
- SECOidTag type;
-
- mark = PORT_ArenaMark(poolp);
-
- /* find oidtag of attr */
- type = NSS_CMSAttribute_GetType(attr);
-
- /* see if we have one already */
- oattr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
- PORT_Assert (oattr == NULL);
- if (oattr != NULL)
- goto loser; /* XXX or would it be better to replace it? */
-
- /* no, shove it in */
- if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-/*
- * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
- */
-SECStatus
-NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded)
-{
- NSSCMSAttribute *attr;
- void *mark;
-
- mark = PORT_ArenaMark(poolp);
-
- /* see if we have one already */
- attr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
- if (attr == NULL) {
- /* not found? create one! */
- attr = NSS_CMSAttribute_Create(poolp, type, value, encoded);
- if (attr == NULL)
- goto loser;
- /* and add it to the list */
- if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
- goto loser;
- } else {
- /* found, shove it in */
- /* XXX we need a decent memory model @#$#$!#!!! */
- attr->values[0] = value;
- attr->encoded = encoded;
- }
-
- PORT_ArenaUnmark (poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
deleted file mode 100644
index 9e4a2dc5e..000000000
--- a/security/nss/lib/smime/cmscinfo.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS contentInfo methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSContentInfo_Create - create a content info
- *
- * version is set in the _Finalize procedures for each content type
- */
-
-/*
- * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
- */
-void
-NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
-{
- SECOidTag kind;
-
- kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
- switch (kind) {
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData);
- break;
- case SEC_OID_PKCS7_SIGNED_DATA:
- NSS_CMSSignedData_Destroy(cinfo->content.signedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- NSS_CMSEncryptedData_Destroy(cinfo->content.encryptedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- NSS_CMSDigestedData_Destroy(cinfo->content.digestedData);
- break;
- default:
- /* XXX Anything else that needs to be "manually" freed/destroyed? */
- break;
- }
- if (cinfo->bulkkey)
- PK11_FreeSymKey(cinfo->bulkkey);
-
- /* we live in a pool, so no need to worry about storage */
-}
-
-/*
- * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
- */
-NSSCMSContentInfo *
-NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
-{
- switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
- case SEC_OID_PKCS7_DATA:
- return NULL;
- case SEC_OID_PKCS7_SIGNED_DATA:
- return &(cinfo->content.signedData->contentInfo);
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- return &(cinfo->content.envelopedData->contentInfo);
- case SEC_OID_PKCS7_DIGESTED_DATA:
- return &(cinfo->content.digestedData->contentInfo);
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- return &(cinfo->content.encryptedData->contentInfo);
- default:
- return NULL;
- }
-}
-
-/*
- * NSS_CMSContentInfo_SetContent - set content type & content
- */
-SECStatus
-NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr)
-{
- SECStatus rv;
-
- cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
- if (cinfo->contentTypeTag == NULL)
- return SECFailure;
-
- /* do not copy the oid, just create a reference */
- rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
- if (rv != SECSuccess)
- return SECFailure;
-
- cinfo->content.pointer = ptr;
-
- if (type != SEC_OID_PKCS7_DATA) {
- /* as we always have some inner data,
- * we need to set it to something, just to fool the encoder enough to work on it
- * and get us into nss_cms_encoder_notify at that point */
- cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
- if (cinfo->rawContent == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- }
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetContent
- */
-
-/*
- * data == NULL -> pass in data via NSS_CMSEncoder_Update
- * data != NULL -> take this data
- */
-SECStatus
-NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached)
-{
- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
- return SECFailure;
- cinfo->rawContent = (detached) ?
- NULL : (data) ?
- data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
- return SECSuccess;
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd)
-{
- return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_SIGNED_DATA, (void *)sigd);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd)
-{
- return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENVELOPED_DATA, (void *)envd);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd)
-{
- return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DIGESTED_DATA, (void *)digd);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd)
-{
- return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENCRYPTED_DATA, (void *)encd);
-}
-
-/*
- * NSS_CMSContentInfo_GetContent - get pointer to inner content
- *
- * needs to be casted...
- */
-void *
-NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
-{
- switch (cinfo->contentTypeTag->offset) {
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_PKCS7_SIGNED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- return cinfo->content.pointer;
- default:
- return NULL;
- }
-}
-
-/*
- * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
- *
- * this is typically only called by NSS_CMSMessage_GetContent()
- */
-SECItem *
-NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
-{
- NSSCMSContentInfo *ccinfo;
-
- switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
- case SEC_OID_PKCS7_DATA:
- return cinfo->content.data; /* end of recursion - every message has to have a data cinfo */
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_SIGNED_DATA:
- if ((ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) == NULL)
- break;
- return NSS_CMSContentInfo_GetContent(ccinfo);
- default:
- PORT_Assert(0);
- break;
- }
- return NULL;
-}
-
-/*
- * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
- * for future reference) and return the inner content type.
- */
-SECOidTag
-NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
-{
- if (cinfo->contentTypeTag == NULL)
- cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-
- if (cinfo->contentTypeTag == NULL)
- return SEC_OID_UNKNOWN;
-
- return cinfo->contentTypeTag->offset;
-}
-
-SECItem *
-NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
-{
- if (cinfo->contentTypeTag == NULL)
- cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-
- if (cinfo->contentTypeTag == NULL)
- return NULL;
-
- return &(cinfo->contentTypeTag->oid);
-}
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
- * for future reference) and return the content encryption algorithm tag.
- */
-SECOidTag
-NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
-{
- if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
- cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
-
- return cinfo->contentEncAlgTag;
-}
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
- */
-SECAlgorithmID *
-NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
-{
- return &(cinfo->contentEncAlg);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
- SECOidTag bulkalgtag, SECItem *parameters, int keysize)
-{
- SECStatus rv;
-
- rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
- if (rv != SECSuccess)
- return SECFailure;
- cinfo->keysize = keysize;
- return SECSuccess;
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
- SECAlgorithmID *algid, int keysize)
-{
- SECStatus rv;
-
- rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
- if (rv != SECSuccess)
- return SECFailure;
- if (keysize >= 0)
- cinfo->keysize = keysize;
- return SECSuccess;
-}
-
-void
-NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
-{
- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
- cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
-}
-
-PK11SymKey *
-NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
-{
- if (cinfo->bulkkey == NULL)
- return NULL;
-
- return PK11_ReferenceSymKey(cinfo->bulkkey);
-}
-
-int
-NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
-{
- return cinfo->keysize;
-}
diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c
deleted file mode 100644
index 27e5668aa..000000000
--- a/security/nss/lib/smime/cmscipher.c
+++ /dev/null
@@ -1,792 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Encryption/decryption routines for CMS implementation, none of which are exported.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "secpkcs5.h"
-
-/*
- * -------------------------------------------------------------------
- * Cipher stuff.
- */
-
-typedef SECStatus (*nss_cms_cipher_function) (void *, unsigned char *, unsigned int *,
- unsigned int, const unsigned char *, unsigned int);
-typedef SECStatus (*nss_cms_cipher_destroy) (void *, PRBool);
-
-#define BLOCK_SIZE 4096
-
-struct NSSCMSCipherContextStr {
- void * cx; /* PK11 cipher context */
- nss_cms_cipher_function doit;
- nss_cms_cipher_destroy destroy;
- PRBool encrypt; /* encrypt / decrypt switch */
- int block_size; /* block & pad sizes for cipher */
- int pad_size;
- int pending_count; /* pending data (not yet en/decrypted */
- unsigned char pending_buf[BLOCK_SIZE];/* because of blocking */
-};
-
-/*
- * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
- * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function below (for starting up encryption) into one routine, and just
- * have two simple cover functions which call it.
- */
-NSSCMSCipherContext *
-NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid)
-{
- NSSCMSCipherContext *cc;
- void *ciphercx;
- CK_MECHANISM_TYPE mechanism;
- SECItem *param;
- PK11SlotInfo *slot;
- SECOidTag algtag;
-
- algtag = SECOID_GetAlgorithmTag(algid);
-
- /* set param and mechanism */
- if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
- CK_MECHANISM pbeMech, cryptoMech;
- SECItem *pbeParams;
- SEC_PKCS5KeyAndPassword *keyPwd;
-
- PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
- PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
-
- /* HACK ALERT!
- * in this case, key is not actually a PK11SymKey *, but a SEC_PKCS5KeyAndPassword *
- */
- keyPwd = (SEC_PKCS5KeyAndPassword *)key;
- key = keyPwd->key;
-
- /* find correct PK11 mechanism and parameters to initialize pbeMech */
- pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
- pbeParams = PK11_ParamFromAlgid(algid);
- if (!pbeParams)
- return NULL;
- pbeMech.pParameter = pbeParams->data;
- pbeMech.ulParameterLen = pbeParams->len;
-
- /* now map pbeMech to cryptoMech */
- if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, keyPwd->pwitem,
- PR_FALSE) != CKR_OK) {
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
- return NULL;
- }
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
- /* and use it to initialize param & mechanism */
- if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL)
- return NULL;
-
- param->data = (unsigned char *)cryptoMech.pParameter;
- param->len = cryptoMech.ulParameterLen;
- mechanism = cryptoMech.mechanism;
- } else {
- mechanism = PK11_AlgtagToMechanism(algtag);
- if ((param = PK11_ParamFromAlgid(algid)) == NULL)
- return NULL;
- }
-
- cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
- if (cc == NULL) {
- SECITEM_FreeItem(param,PR_TRUE);
- return NULL;
- }
-
- /* figure out pad and block sizes */
- cc->pad_size = PK11_GetBlockSize(mechanism, param);
- slot = PK11_GetSlotFromKey(key);
- cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
- PK11_FreeSlot(slot);
-
- /* create PK11 cipher context */
- ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param);
- SECITEM_FreeItem(param, PR_TRUE);
- if (ciphercx == NULL) {
- PORT_Free (cc);
- return NULL;
- }
-
- cc->cx = ciphercx;
- cc->doit = (nss_cms_cipher_function) PK11_CipherOp;
- cc->destroy = (nss_cms_cipher_destroy) PK11_DestroyContext;
- cc->encrypt = PR_FALSE;
- cc->pending_count = 0;
-
- return cc;
-}
-
-/*
- * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
- * based on the given bulk encryption key and algorithm tag. Fill in the algorithm
- * identifier (which may include an iv) appropriately.
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function above (for starting up decryption) into one routine, and just
- * have two simple cover functions which call it.
- */
-NSSCMSCipherContext *
-NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid)
-{
- NSSCMSCipherContext *cc;
- void *ciphercx;
- SECItem *param;
- SECStatus rv;
- CK_MECHANISM_TYPE mechanism;
- PK11SlotInfo *slot;
- PRBool needToEncodeAlgid = PR_FALSE;
- SECOidTag algtag = SECOID_GetAlgorithmTag(algid);
-
- /* set param and mechanism */
- if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
- CK_MECHANISM pbeMech, cryptoMech;
- SECItem *pbeParams;
- SEC_PKCS5KeyAndPassword *keyPwd;
-
- PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
- PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
-
- /* HACK ALERT!
- * in this case, key is not actually a PK11SymKey *, but a SEC_PKCS5KeyAndPassword *
- */
- keyPwd = (SEC_PKCS5KeyAndPassword *)key;
- key = keyPwd->key;
-
- /* find correct PK11 mechanism and parameters to initialize pbeMech */
- pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
- pbeParams = PK11_ParamFromAlgid(algid);
- if (!pbeParams)
- return NULL;
- pbeMech.pParameter = pbeParams->data;
- pbeMech.ulParameterLen = pbeParams->len;
-
- /* now map pbeMech to cryptoMech */
- if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, keyPwd->pwitem,
- PR_FALSE) != CKR_OK) {
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
- return NULL;
- }
- SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
- /* and use it to initialize param & mechanism */
- if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL)
- return NULL;
-
- param->data = (unsigned char *)cryptoMech.pParameter;
- param->len = cryptoMech.ulParameterLen;
- mechanism = cryptoMech.mechanism;
- } else {
- mechanism = PK11_AlgtagToMechanism(algtag);
- if ((param = PK11_GenerateNewParam(mechanism, key)) == NULL)
- return NULL;
- needToEncodeAlgid = PR_TRUE;
- }
-
- cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
- if (cc == NULL)
- return NULL;
-
- /* now find pad and block sizes for our mechanism */
- cc->pad_size = PK11_GetBlockSize(mechanism,param);
- slot = PK11_GetSlotFromKey(key);
- cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
- PK11_FreeSlot(slot);
-
- /* and here we go, creating a PK11 cipher context */
- ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, key, param);
- if (ciphercx == NULL) {
- PORT_Free(cc);
- cc = NULL;
- goto loser;
- }
-
- /*
- * These are placed after the CreateContextBySymKey() because some
- * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
- * Don't move it from here.
- * XXX is that right? the purpose of this is to get the correct algid
- * containing the IVs etc. for encoding. this means we need to set this up
- * BEFORE encoding the algid in the contentInfo, right?
- */
- if (needToEncodeAlgid) {
- rv = PK11_ParamToAlgid(algtag, param, poolp, algid);
- if(rv != SECSuccess) {
- PORT_Free(cc);
- cc = NULL;
- goto loser;
- }
- }
-
- cc->cx = ciphercx;
- cc->doit = (nss_cms_cipher_function)PK11_CipherOp;
- cc->destroy = (nss_cms_cipher_destroy)PK11_DestroyContext;
- cc->encrypt = PR_TRUE;
- cc->pending_count = 0;
-
-loser:
- SECITEM_FreeItem(param, PR_TRUE);
-
- return cc;
-}
-
-void
-NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc)
-{
- PORT_Assert(cc != NULL);
- if (cc == NULL)
- return;
- (*cc->destroy)(cc->cx, PR_TRUE);
- PORT_Free(cc);
-}
-
-/*
- * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations. Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and bsize).
- *
- * Note that this can return zero, which does not mean that the decrypt
- * operation can be skipped! (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.) However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent decrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
-{
- int blocks, block_size;
-
- PORT_Assert (! cc->encrypt);
-
- block_size = cc->block_size;
-
- /*
- * If this is not a block cipher, then we always have the same
- * number of output bytes as we had input bytes.
- */
- if (block_size == 0)
- return input_len;
-
- /*
- * On the final call, we will always use up all of the pending
- * bytes plus all of the input bytes, *but*, there will be padding
- * at the end and we cannot predict how many bytes of padding we
- * will end up removing. The amount given here is actually known
- * to be at least 1 byte too long (because we know we will have
- * at least 1 byte of padding), but seemed clearer/better to me.
- */
- if (final)
- return cc->pending_count + input_len;
-
- /*
- * Okay, this amount is exactly what we will output on the
- * next cipher operation. We will always hang onto the last
- * 1 - block_size bytes for non-final operations. That is,
- * we will do as many complete blocks as we can *except* the
- * last block (complete or partial). (This is because until
- * we know we are at the end, we cannot know when to interpret
- * and removing the padding byte(s), which are guaranteed to
- * be there.)
- */
- blocks = (cc->pending_count + input_len - 1) / block_size;
- return blocks * block_size;
-}
-
-/*
- * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations.
- *
- * Note that this can return zero, which does not mean that the encrypt
- * operation can be skipped! (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.) However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent encrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
-{
- int blocks, block_size;
- int pad_size;
-
- PORT_Assert (cc->encrypt);
-
- block_size = cc->block_size;
- pad_size = cc->pad_size;
-
- /*
- * If this is not a block cipher, then we always have the same
- * number of output bytes as we had input bytes.
- */
- if (block_size == 0)
- return input_len;
-
- /*
- * On the final call, we only send out what we need for
- * remaining bytes plus the padding. (There is always padding,
- * so even if we have an exact number of blocks as input, we
- * will add another full block that is just padding.)
- */
- if (final) {
- if (pad_size == 0) {
- return cc->pending_count + input_len;
- } else {
- blocks = (cc->pending_count + input_len) / pad_size;
- blocks++;
- return blocks*pad_size;
- }
- }
-
- /*
- * Now, count the number of complete blocks of data we have.
- */
- blocks = (cc->pending_count + input_len) / block_size;
-
-
- return blocks * block_size;
-}
-
-
-/*
- * NSS_CMSCipherContext_Decrypt - do the decryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Decrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
- * When "final" is true, this is the last of the data to be decrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the decryption function will only
- * operate on whole blocks. But our caller is operating stream-wise,
- * and can pass in any number of bytes. So we need to keep track
- * of block boundaries. We save excess bytes between calls in "cc".
- * We also need to determine which bytes are padding, and remove
- * them from the output. We can only do this step when we know we
- * have the final block of data. PKCS #7 specifies that the padding
- * used for a block cipher is a string of bytes, each of whose value is
- * the same as the length of the padding, and that all data is padded.
- * (Even data that starts out with an exact multiple of blocks gets
- * added to it another block, all of which is padding.)
- */
-SECStatus
-NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
- unsigned int *output_len_p, unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len,
- PRBool final)
-{
- int blocks, bsize, pcount, padsize;
- unsigned int max_needed, ifraglen, ofraglen, output_len;
- unsigned char *pbuf;
- SECStatus rv;
-
- PORT_Assert (! cc->encrypt);
-
- /*
- * Check that we have enough room for the output. Our caller should
- * already handle this; failure is really an internal error (i.e. bug).
- */
- max_needed = NSS_CMSCipherContext_DecryptLength(cc, input_len, final);
- PORT_Assert (max_output_len >= max_needed);
- if (max_output_len < max_needed) {
- /* PORT_SetError (XXX); */
- return SECFailure;
- }
-
- /*
- * hardware encryption does not like small decryption sizes here, so we
- * allow both blocking and padding.
- */
- bsize = cc->block_size;
- padsize = cc->pad_size;
-
- /*
- * When no blocking or padding work to do, we can simply call the
- * cipher function and we are done.
- */
- if (bsize == 0) {
- return (* cc->doit) (cc->cx, output, output_len_p, max_output_len,
- input, input_len);
- }
-
- pcount = cc->pending_count;
- pbuf = cc->pending_buf;
-
- output_len = 0;
-
- if (pcount) {
- /*
- * Try to fill in an entire block, starting with the bytes
- * we already have saved away.
- */
- while (input_len && pcount < bsize) {
- pbuf[pcount++] = *input++;
- input_len--;
- }
- /*
- * If we have at most a whole block and this is not our last call,
- * then we are done for now. (We do not try to decrypt a lone
- * single block because we cannot interpret the padding bytes
- * until we know we are handling the very last block of all input.)
- */
- if (input_len == 0 && !final) {
- cc->pending_count = pcount;
- if (output_len_p)
- *output_len_p = 0;
- return SECSuccess;
- }
- /*
- * Given the logic above, we expect to have a full block by now.
- * If we do not, there is something wrong, either with our own
- * logic or with (length of) the data given to us.
- */
- PORT_Assert ((padsize == 0) || (pcount % padsize) == 0);
- if ((padsize != 0) && (pcount % padsize) != 0) {
- PORT_Assert (final);
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- /*
- * Decrypt the block.
- */
- rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len,
- pbuf, pcount);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then NSS_CMSCipherContext_DecryptLength needs to be made smarter!
- */
- PORT_Assert(ofraglen == pcount);
-
- /*
- * Account for the bytes now in output.
- */
- max_output_len -= ofraglen;
- output_len += ofraglen;
- output += ofraglen;
- }
-
- /*
- * If this is our last call, we expect to have an exact number of
- * blocks left to be decrypted; we will decrypt them all.
- *
- * If not our last call, we always save between 1 and bsize bytes
- * until next time. (We must do this because we cannot be sure
- * that none of the decrypted bytes are padding bytes until we
- * have at least another whole block of data. You cannot tell by
- * looking -- the data could be anything -- you can only tell by
- * context, knowing you are looking at the last block.) We could
- * decrypt a whole block now but it is easier if we just treat it
- * the same way we treat partial block bytes.
- */
- if (final) {
- if (padsize) {
- blocks = input_len / padsize;
- ifraglen = blocks * padsize;
- } else ifraglen = input_len;
- PORT_Assert (ifraglen == input_len);
-
- if (ifraglen != input_len) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- } else {
- blocks = (input_len - 1) / bsize;
- ifraglen = blocks * bsize;
- PORT_Assert (ifraglen < input_len);
-
- pcount = input_len - ifraglen;
- PORT_Memcpy (pbuf, input + ifraglen, pcount);
- cc->pending_count = pcount;
- }
-
- if (ifraglen) {
- rv = (* cc->doit)(cc->cx, output, &ofraglen, max_output_len,
- input, ifraglen);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7DecryptLength needs to be made smarter!
- */
- PORT_Assert (ifraglen == ofraglen);
- if (ifraglen != ofraglen) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
-
- output_len += ofraglen;
- } else {
- ofraglen = 0;
- }
-
- /*
- * If we just did our very last block, "remove" the padding by
- * adjusting the output length.
- */
- if (final && (padsize != 0)) {
- unsigned int padlen = *(output + ofraglen - 1);
- PORT_Assert (padlen > 0 && padlen <= padsize);
- if (padlen == 0 || padlen > padsize) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
- return SECFailure;
- }
- output_len -= padlen;
- }
-
- PORT_Assert (output_len_p != NULL || output_len == 0);
- if (output_len_p != NULL)
- *output_len_p = output_len;
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSCipherContext_Encrypt - do the encryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Encrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
- * When "final" is true, this is the last of the data to be encrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the encryption function will only
- * operate on whole blocks. But our caller is operating stream-wise,
- * and can pass in any number of bytes. So we need to keep track
- * of block boundaries. We save excess bytes between calls in "cc".
- * We also need to add padding bytes at the end. PKCS #7 specifies
- * that the padding used for a block cipher is a string of bytes,
- * each of whose value is the same as the length of the padding,
- * and that all data is padded. (Even data that starts out with
- * an exact multiple of blocks gets added to it another block,
- * all of which is padding.)
- *
- * XXX I would kind of like to combine this with the function above
- * which does decryption, since they have a lot in common. But the
- * tricky parts about padding and filling blocks would be much
- * harder to read that way, so I left them separate. At least for
- * now until it is clear that they are right.
- */
-SECStatus
-NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
- unsigned int *output_len_p, unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len,
- PRBool final)
-{
- int blocks, bsize, padlen, pcount, padsize;
- unsigned int max_needed, ifraglen, ofraglen, output_len;
- unsigned char *pbuf;
- SECStatus rv;
-
- PORT_Assert (cc->encrypt);
-
- /*
- * Check that we have enough room for the output. Our caller should
- * already handle this; failure is really an internal error (i.e. bug).
- */
- max_needed = NSS_CMSCipherContext_EncryptLength (cc, input_len, final);
- PORT_Assert (max_output_len >= max_needed);
- if (max_output_len < max_needed) {
- /* PORT_SetError (XXX); */
- return SECFailure;
- }
-
- bsize = cc->block_size;
- padsize = cc->pad_size;
-
- /*
- * When no blocking and padding work to do, we can simply call the
- * cipher function and we are done.
- */
- if (bsize == 0) {
- return (*cc->doit)(cc->cx, output, output_len_p, max_output_len,
- input, input_len);
- }
-
- pcount = cc->pending_count;
- pbuf = cc->pending_buf;
-
- output_len = 0;
-
- if (pcount) {
- /*
- * Try to fill in an entire block, starting with the bytes
- * we already have saved away.
- */
- while (input_len && pcount < bsize) {
- pbuf[pcount++] = *input++;
- input_len--;
- }
- /*
- * If we do not have a full block and we know we will be
- * called again, then we are done for now.
- */
- if (pcount < bsize && !final) {
- cc->pending_count = pcount;
- if (output_len_p != NULL)
- *output_len_p = 0;
- return SECSuccess;
- }
- /*
- * If we have a whole block available, encrypt it.
- */
- if ((padsize == 0) || (pcount % padsize) == 0) {
- rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
- pbuf, pcount);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7EncryptLength needs to be made smarter!
- */
- PORT_Assert (ofraglen == pcount);
-
- /*
- * Account for the bytes now in output.
- */
- max_output_len -= ofraglen;
- output_len += ofraglen;
- output += ofraglen;
-
- pcount = 0;
- }
- }
-
- if (input_len) {
- PORT_Assert (pcount == 0);
-
- blocks = input_len / bsize;
- ifraglen = blocks * bsize;
-
- if (ifraglen) {
- rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
- input, ifraglen);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7EncryptLength needs to be made smarter!
- */
- PORT_Assert (ifraglen == ofraglen);
-
- max_output_len -= ofraglen;
- output_len += ofraglen;
- output += ofraglen;
- }
-
- pcount = input_len - ifraglen;
- PORT_Assert (pcount < bsize);
- if (pcount)
- PORT_Memcpy (pbuf, input + ifraglen, pcount);
- }
-
- if (final) {
- padlen = padsize - (pcount % padsize);
- PORT_Memset (pbuf + pcount, padlen, padlen);
- rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
- pbuf, pcount+padlen);
- if (rv != SECSuccess)
- return rv;
-
- /*
- * For now anyway, all of our ciphers have the same number of
- * bytes of output as they do input. If this ever becomes untrue,
- * then sec_PKCS7EncryptLength needs to be made smarter!
- */
- PORT_Assert (ofraglen == (pcount+padlen));
- output_len += ofraglen;
- } else {
- cc->pending_count = pcount;
- }
-
- PORT_Assert (output_len_p != NULL || output_len == 0);
- if (output_len_p != NULL)
- *output_len_p = output_len;
-
- return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
deleted file mode 100644
index c1b78cc3e..000000000
--- a/security/nss/lib/smime/cmsdecode.c
+++ /dev/null
@@ -1,688 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS decoding.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "prtime.h"
-#include "secerr.h"
-
-struct NSSCMSDecoderContextStr {
- SEC_ASN1DecoderContext * dcx; /* ASN.1 decoder context */
- NSSCMSMessage * cmsg; /* backpointer to the root message */
- SECOidTag type; /* type of message */
- NSSCMSContent content; /* pointer to message */
- NSSCMSDecoderContext * childp7dcx; /* inner CMS decoder context */
- PRBool saw_contents;
- int error;
- NSSCMSContentCallback cb;
- void * cb_arg;
-};
-
-static void nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind);
-static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
-static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
-static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
-static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
- const unsigned char *data, unsigned long len, PRBool final);
-
-extern const SEC_ASN1Template NSSCMSMessageTemplate[];
-
-/*
- * nss_cms_decoder_notify -
- * this is the driver of the decoding process. It gets called by the ASN.1
- * decoder before and after an object is decoded.
- * at various points in the decoding process, we intercept to set up and do
- * further processing.
- */
-static void
-nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
-{
- NSSCMSDecoderContext *p7dcx;
- NSSCMSContentInfo *rootcinfo, *cinfo;
- PRBool after = !before;
-
- p7dcx = (NSSCMSDecoderContext *)arg;
- rootcinfo = &(p7dcx->cmsg->contentInfo);
-
- /* XXX error handling: need to set p7dcx->error */
-
-#ifdef CMSDEBUG
- fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
-#endif
-
- /* so what are we working on right now? */
- switch (p7dcx->type) {
- case SEC_OID_UNKNOWN:
- /*
- * right now, we are still decoding the OUTER (root) cinfo
- * As soon as we know the inner content type, set up the info,
- * but NO inner decoder or filter. The root decoder handles the first
- * level children by itself - only for encapsulated contents (which
- * are encoded as DER inside of an OCTET STRING) we need to set up a
- * child decoder...
- */
- if (after && dest == &(rootcinfo->contentType)) {
- p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
- p7dcx->content = rootcinfo->content; /* is this ready already ? need to alloc? */
- /* XXX yes we need to alloc -- continue here */
- }
- break;
- case SEC_OID_PKCS7_DATA:
- /* this can only happen if the outermost cinfo has DATA in it */
- /* otherwise, we handle this type implicitely in the inner decoders */
-
- if (before && dest == &(rootcinfo->content)) {
- /* fake it to cause the filter to put the data in the right place... */
- /* we want the ASN.1 decoder to deliver the decoded bytes to us from now on */
- SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
- nss_cms_decoder_update_filter,
- p7dcx,
- (PRBool)(p7dcx->cb != NULL));
- break;
- }
-
- if (after && dest == &(rootcinfo->content.data)) {
- /* remove the filter */
- SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
- }
- break;
-
- case SEC_OID_PKCS7_SIGNED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
-
- if (before && dest == &(rootcinfo->content))
- break; /* we're not there yet */
-
- if (p7dcx->content.pointer == NULL)
- p7dcx->content = rootcinfo->content;
-
- /* get this data type's inner contentInfo */
- cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
-
- if (before && dest == &(cinfo->contentType)) {
- /* at this point, set up the &%$&$ back pointer */
- /* we cannot do it later, because the content itself is optional! */
- /* please give me C++ */
- switch (p7dcx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- p7dcx->content.signedData->cmsg = p7dcx->cmsg;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
- break;
- }
- }
-
- if (before && dest == &(cinfo->rawContent)) {
- /* we want the ASN.1 decoder to deliver the decoded bytes to us from now on */
- SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, nss_cms_decoder_update_filter,
- p7dcx, (PRBool)(p7dcx->cb != NULL));
-
-
- /* we're right in front of the data */
- if (nss_cms_before_data(p7dcx) != SECSuccess) {
- SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); /* stop all processing */
- p7dcx->error = PORT_GetError();
- }
- }
- if (after && dest == &(cinfo->rawContent)) {
- /* we're right after of the data */
- if (nss_cms_after_data(p7dcx) != SECSuccess)
- p7dcx->error = PORT_GetError();
-
- /* we don't need to see the contents anymore */
- SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
- }
- break;
-
-#if 0 /* NIH */
- case SEC_OID_PKCS7_AUTHENTICATED_DATA:
-#endif
- default:
- /* unsupported or unknown message type - fail (more or less) gracefully */
- p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
- break;
- }
-}
-
-/*
- * nss_cms_before_data - set up the current encoder to receive data
- */
-static SECStatus
-nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
-{
- SECStatus rv;
- SECOidTag childtype;
- PLArenaPool *poolp;
- NSSCMSDecoderContext *childp7dcx;
- NSSCMSContentInfo *cinfo;
- const SEC_ASN1Template *template;
- void *mark = NULL;
- size_t size;
-
- poolp = p7dcx->cmsg->poolp;
-
- /* call _Decode_BeforeData handlers */
- switch (p7dcx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- /* we're decoding a signedData, so set up the digests */
- rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData);
- if (rv != SECSuccess)
- return SECFailure;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- /* we're encoding a digestedData, so set up the digest */
- rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData);
- if (rv != SECSuccess)
- return SECFailure;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Decode_BeforeData(p7dcx->content.envelopedData);
- if (rv != SECSuccess)
- return SECFailure;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Decode_BeforeData(p7dcx->content.encryptedData);
- if (rv != SECSuccess)
- return SECFailure;
- break;
- default:
- return SECFailure;
- }
-
- /* ok, now we have a pointer to cinfo */
- /* find out what kind of data is encapsulated */
-
- cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
- childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
- if (childtype == SEC_OID_PKCS7_DATA) {
- cinfo->content.data = SECITEM_AllocItem(poolp, NULL, 0);
- if (cinfo->content.data == NULL)
- /* set memory error */
- return SECFailure;
-
- p7dcx->childp7dcx = NULL;
- return SECSuccess;
- }
-
- /* set up inner decoder */
-
- if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL)
- return SECFailure;
-
- childp7dcx = (NSSCMSDecoderContext *)PORT_ZAlloc(sizeof(NSSCMSDecoderContext));
- if (childp7dcx == NULL)
- return SECFailure;
-
- mark = PORT_ArenaMark(poolp);
-
- /* allocate space for the stuff we're creating */
- size = NSS_CMSUtil_GetSizeByTypeTag(childtype);
- childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size);
- if (childp7dcx->content.pointer == NULL)
- goto loser;
-
- /* start the child decoder */
- childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, template);
- if (childp7dcx->dcx == NULL)
- goto loser;
-
- /* the new decoder needs to notify, too */
- SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, childp7dcx);
-
- /* tell the parent decoder that it needs to feed us the content data */
- p7dcx->childp7dcx = childp7dcx;
-
- childp7dcx->type = childtype; /* our type */
-
- childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */
-
- /* should the child decoder encounter real data, it needs to give it to the caller */
- childp7dcx->cb = p7dcx->cb;
- childp7dcx->cb_arg = p7dcx->cb_arg;
-
- /* now set up the parent to hand decoded data to the next level decoder */
- p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update;
- p7dcx->cb_arg = childp7dcx;
-
- PORT_ArenaUnmark(poolp, mark);
-
- return SECSuccess;
-
-loser:
- if (mark)
- PORT_ArenaRelease(poolp, mark);
- if (childp7dcx)
- PORT_Free(childp7dcx);
- p7dcx->childp7dcx = NULL;
- return SECFailure;
-}
-
-static SECStatus
-nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
-{
- PLArenaPool *poolp;
- NSSCMSDecoderContext *childp7dcx;
- SECStatus rv;
-
- poolp = p7dcx->cmsg->poolp;
-
- /* Handle last block. This is necessary to flush out the last bytes
- * of a possibly incomplete block */
- nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE);
-
- /* finish any "inner" decoders - there's no more data coming... */
- if (p7dcx->childp7dcx != NULL) {
- childp7dcx = p7dcx->childp7dcx;
- if (childp7dcx->dcx != NULL) {
- if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) {
- /* do what? free content? */
- rv = SECFailure;
- } else {
- rv = nss_cms_after_end(childp7dcx);
- }
- if (rv != SECSuccess)
- goto done;
- }
- PORT_Free(p7dcx->childp7dcx);
- p7dcx->childp7dcx = NULL;
- }
-
- switch (p7dcx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- /* this will finish the digests and verify */
- rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Decode_AfterData(p7dcx->content.envelopedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- rv = NSS_CMSDigestedData_Decode_AfterData(p7dcx->content.digestedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Decode_AfterData(p7dcx->content.encryptedData);
- break;
- case SEC_OID_PKCS7_DATA:
- /* do nothing */
- break;
- default:
- rv = SECFailure;
- break;
- }
-done:
- return rv;
-}
-
-static SECStatus
-nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
-{
- SECStatus rv;
- PLArenaPool *poolp;
-
- poolp = p7dcx->cmsg->poolp;
-
- switch (p7dcx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Decode_AfterEnd(p7dcx->content.envelopedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- rv = NSS_CMSDigestedData_Decode_AfterEnd(p7dcx->content.digestedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Decode_AfterEnd(p7dcx->content.encryptedData);
- break;
- case SEC_OID_PKCS7_DATA:
- rv = SECSuccess;
- break;
- default:
- rv = SECFailure; /* we should not have got that far... */
- break;
- }
- return rv;
-}
-
-/*
- * nss_cms_decoder_work_data - handle decoded data bytes.
- *
- * This function either decrypts the data if needed, and/or calculates digests
- * on it, then either stores it or passes it on to the next level decoder.
- */
-static void
-nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
- const unsigned char *data, unsigned long len,
- PRBool final)
-{
- NSSCMSContentInfo *cinfo;
- unsigned char *buf = NULL;
- unsigned char *dest;
- unsigned int offset;
- SECStatus rv;
- SECItem *storage;
-
- /*
- * We should really have data to process, or we should be trying
- * to finish/flush the last block. (This is an overly paranoid
- * check since all callers are in this file and simple inspection
- * proves they do it right. But it could find a bug in future
- * modifications/development, that is why it is here.)
- */
- PORT_Assert ((data != NULL && len) || final);
-
- cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
-
- if (cinfo->ciphcx != NULL) {
- /*
- * we are decrypting.
- *
- * XXX If we get an error, we do not want to do the digest or callback,
- * but we want to keep decoding. Or maybe we want to stop decoding
- * altogether if there is a callback, because obviously we are not
- * sending the data back and they want to know that.
- */
-
- unsigned int outlen = 0; /* length of decrypted data */
- unsigned int buflen; /* length available for decrypted data */
-
- /* find out about the length of decrypted data */
- buflen = NSS_CMSCipherContext_DecryptLength(cinfo->ciphcx, len, final);
-
- /*
- * it might happen that we did not provide enough data for a full
- * block (decryption unit), and that there is no output available
- */
-
- /* no output available, AND no input? */
- if (buflen == 0 && len == 0)
- goto loser; /* bail out */
-
- /*
- * have inner decoder: pass the data on (means inner content type is NOT data)
- * no inner decoder: we have DATA in here: either call callback or store
- */
- if (buflen != 0) {
- /* there will be some output - need to make room for it */
- /* allocate buffer from the heap */
- buf = (unsigned char *)PORT_Alloc(buflen);
- if (buf == NULL) {
- p7dcx->error = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
- }
-
- /*
- * decrypt incoming data
- * buf can still be NULL here (and buflen == 0) here if we don't expect
- * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
- * keep track of incoming data
- */
- rv = NSS_CMSCipherContext_Decrypt(cinfo->ciphcx, buf, &outlen, buflen,
- data, len, final);
- if (rv != SECSuccess) {
- p7dcx->error = PORT_GetError();
- goto loser;
- }
-
- PORT_Assert (final || outlen == buflen);
-
- /* swap decrypted data in */
- data = buf;
- len = outlen;
- }
-
- if (len == 0)
- return; /* nothing more to do */
-
- /*
- * Update the running digests with plaintext bytes (if we need to).
- */
- if (cinfo->digcx)
- NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
-
- /* at this point, we have the plain decoded & decrypted data */
- /* which is either more encoded DER which we need to hand to the child decoder */
- /* or data we need to hand back to our caller */
-
- /* pass the content back to our caller or */
- /* feed our freshly decrypted and decoded data into child decoder */
- if (p7dcx->cb != NULL) {
- (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
- }
-#if 1
- else
-#endif
- if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
- /* store it in "inner" data item as well */
- /* find the DATA item in the encapsulated cinfo and store it there */
- storage = cinfo->content.data;
-
- offset = storage->len;
- if (storage->len == 0) {
- dest = (unsigned char *)PORT_ArenaAlloc(p7dcx->cmsg->poolp, len);
- } else {
- dest = (unsigned char *)PORT_ArenaGrow(p7dcx->cmsg->poolp,
- storage->data,
- storage->len,
- storage->len + len);
- }
- if (dest == NULL) {
- p7dcx->error = SEC_ERROR_NO_MEMORY;
- goto loser;
- }
-
- storage->data = dest;
- storage->len += len;
-
- /* copy it in */
- PORT_Memcpy(storage->data + offset, data, len);
- }
-
-loser:
- if (buf)
- PORT_Free (buf);
-}
-
-/*
- * nss_cms_decoder_update_filter - process ASN.1 data
- *
- * once we have set up a filter in nss_cms_decoder_notify(),
- * all data processed by the ASN.1 decoder is also passed through here.
- * we pass the content bytes (as opposed to length and tag bytes) on to
- * nss_cms_decoder_work_data().
- */
-static void
-nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- NSSCMSDecoderContext *p7dcx;
-
- PORT_Assert (len); /* paranoia */
- if (len == 0)
- return;
-
- p7dcx = (NSSCMSDecoderContext*)arg;
-
- p7dcx->saw_contents = PR_TRUE;
-
- /* pass on the content bytes only */
- if (data_kind == SEC_ASN1_Contents)
- nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len, PR_FALSE);
-}
-
-/*
- * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
- *
- * "poolp" - pointer to arena for message, or NULL if new pool should be created
- * "cb", "cb_arg" - callback function and argument for delivery of inner content
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- */
-NSSCMSDecoderContext *
-NSS_CMSDecoder_Start(PRArenaPool *poolp,
- NSSCMSContentCallback cb, void *cb_arg,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg)
-{
- NSSCMSDecoderContext *p7dcx;
- NSSCMSMessage *cmsg;
-
- cmsg = NSS_CMSMessage_Create(poolp);
- if (cmsg == NULL)
- return NULL;
-
- NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
- NULL, NULL);
-
- p7dcx = (NSSCMSDecoderContext*)PORT_ZAlloc(sizeof(NSSCMSDecoderContext));
- if (p7dcx == NULL) {
- NSS_CMSMessage_Destroy(cmsg);
- return NULL;
- }
-
- p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate);
- if (p7dcx->dcx == NULL) {
- PORT_Free (p7dcx);
- NSS_CMSMessage_Destroy(cmsg);
- return NULL;
- }
-
- SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx);
-
- p7dcx->cmsg = cmsg;
- p7dcx->type = SEC_OID_UNKNOWN;
-
- p7dcx->cb = cb;
- p7dcx->cb_arg = cb_arg;
-
- return p7dcx;
-}
-
-/*
- * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
- */
-SECStatus
-NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len)
-{
- if (p7dcx->dcx != NULL && p7dcx->error == 0) { /* if error is set already, don't bother */
- if (SEC_ASN1DecoderUpdate (p7dcx->dcx, buf, len) != SECSuccess) {
- p7dcx->error = PORT_GetError();
- PORT_Assert (p7dcx->error);
- if (p7dcx->error == 0)
- p7dcx->error = -1;
- }
- }
-
- if (p7dcx->error == 0)
- return SECSuccess;
-
- /* there has been a problem, let's finish the decoder */
- if (p7dcx->dcx != NULL) {
- (void) SEC_ASN1DecoderFinish (p7dcx->dcx);
- p7dcx->dcx = NULL;
- }
- PORT_SetError (p7dcx->error);
-
- return SECFailure;
-}
-
-/*
- * NSS_CMSDecoder_Cancel - stop decoding in case of error
- */
-void
-NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx)
-{
- /* XXXX what about inner decoders? running digests? decryption? */
- /* XXXX there's a leak here! */
- NSS_CMSMessage_Destroy(p7dcx->cmsg);
- (void)SEC_ASN1DecoderFinish(p7dcx->dcx);
- PORT_Free(p7dcx);
-}
-
-/*
- * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
- */
-NSSCMSMessage *
-NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx)
-{
- NSSCMSMessage *cmsg;
-
- cmsg = p7dcx->cmsg;
-
- if (p7dcx->dcx == NULL || SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess ||
- nss_cms_after_end(p7dcx) != SECSuccess)
- {
- NSS_CMSMessage_Destroy(cmsg); /* needs to get rid of pool if it's ours */
- cmsg = NULL;
- }
-
- PORT_Free(p7dcx);
- return cmsg;
-}
-
-NSSCMSMessage *
-NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
- NSSCMSContentCallback cb, void *cb_arg,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg)
-{
- NSSCMSDecoderContext *p7dcx;
-
- /* first arg(poolp) == NULL => create our own pool */
- p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg);
- (void) NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len);
- return NSS_CMSDecoder_Finish(p7dcx);
-}
-
diff --git a/security/nss/lib/smime/cmsdigdata.c b/security/nss/lib/smime/cmsdigdata.c
deleted file mode 100644
index 04a670b68..000000000
--- a/security/nss/lib/smime/cmsdigdata.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS digestedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secitem.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
- *
- * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
- * digestAlg is passed as parameter
- * contentInfo must be filled by the user
- * digest will be calculated while encoding
- */
-NSSCMSDigestedData *
-NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg)
-{
- void *mark;
- NSSCMSDigestedData *digd;
- PLArenaPool *poolp;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- digd = (NSSCMSDigestedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSDigestedData));
- if (digd == NULL)
- goto loser;
-
- digd->cmsg = cmsg;
-
- if (SECOID_CopyAlgorithmID (poolp, &(digd->digestAlg), digestalg) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return digd;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/*
- * NSS_CMSDigestedData_Destroy - destroy a digestedData object
- */
-void
-NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
-{
- /* everything's in a pool, so don't worry about the storage */
- return;
-}
-
-/*
- * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
- */
-NSSCMSContentInfo *
-NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd)
-{
- return &(digd->contentInfo);
-}
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
- * before encoding begins.
- *
- * In particular:
- * - set the right version number. The contentInfo's content type must be set up already.
- */
-SECStatus
-NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd)
-{
- unsigned long version;
- SECItem *dummy;
-
- version = NSS_CMS_DIGESTED_DATA_VERSION_DATA;
- if (NSS_CMSContentInfo_GetContentTypeTag(&(digd->contentInfo)) != SEC_OID_PKCS7_DATA)
- version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP;
-
- dummy = SEC_ASN1EncodeInteger(digd->cmsg->poolp, &(digd->version), version);
- return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
- * before the encapsulated data is passed through the encoder.
- *
- * In detail:
- * - set up the digests if necessary
- */
-SECStatus
-NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd)
-{
- /* set up the digests */
- if (digd->digestAlg.algorithm.len != 0 && digd->digest.len == 0) {
- /* if digest is already there, do nothing */
- digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
- if (digd->contentInfo.digcx == NULL)
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - finish the digests
- */
-SECStatus
-NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd)
-{
- /* did we have digest calculation going on? */
- if (digd->contentInfo.digcx) {
- if (NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
- digd->cmsg->poolp, &(digd->digest)) != SECSuccess)
- return SECFailure; /* error has been set by NSS_CMSDigestContext_FinishSingle */
- digd->contentInfo.digcx = NULL;
- }
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
- * before the encapsulated data is passed through the encoder.
- *
- * In detail:
- * - set up the digests if necessary
- */
-SECStatus
-NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd)
-{
- /* is there a digest algorithm yet? */
- if (digd->digestAlg.algorithm.len == 0)
- return SECFailure;
-
- digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
- if (digd->contentInfo.digcx == NULL)
- return SECFailure;
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - finish the digests
- */
-SECStatus
-NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd)
-{
- /* did we have digest calculation going on? */
- if (digd->contentInfo.digcx) {
- if (NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
- digd->cmsg->poolp, &(digd->cdigest)) != SECSuccess)
- return SECFailure; /* error has been set by NSS_CMSDigestContext_FinishSingle */
- digd->contentInfo.digcx = NULL;
- }
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
- *
- * In detail:
- * - check the digests for equality
- */
-SECStatus
-NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd)
-{
- /* did we have digest calculation going on? */
- if (digd->cdigest.len != 0) {
- /* XXX comparision btw digest & cdigest */
- /* XXX set status */
- /* TODO!!!! */
- }
-
- return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
deleted file mode 100644
index ce3f59228..000000000
--- a/security/nss/lib/smime/cmsdigest.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS digesting.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-
-struct NSSCMSDigestContextStr {
- PRBool saw_contents;
- int digcnt;
- void ** digcxs;
- SECHashObject ** digobjs;
-};
-
-/*
- * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
- * digest algorithms in "digestalgs" in parallel.
- */
-NSSCMSDigestContext *
-NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs)
-{
- NSSCMSDigestContext *cmsdigcx;
- SECHashObject *digobj;
- void *digcx;
- int digcnt;
- int i;
-
- digcnt = (digestalgs == NULL) ? 0 : NSS_CMSArray_Count((void **)digestalgs);
-
- cmsdigcx = (NSSCMSDigestContext *)PORT_Alloc(sizeof(NSSCMSDigestContext));
- if (cmsdigcx == NULL)
- return NULL;
-
- if (digcnt > 0) {
- cmsdigcx->digcxs = (void **)PORT_Alloc(digcnt * sizeof (void *));
- cmsdigcx->digobjs = (SECHashObject **)PORT_Alloc(digcnt * sizeof(SECHashObject *));
- if (cmsdigcx->digcxs == NULL || cmsdigcx->digobjs == NULL)
- goto loser;
- }
-
- cmsdigcx->digcnt = 0;
-
- /*
- * Create a digest object context for each algorithm.
- */
- for (i = 0; i < digcnt; i++) {
- digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]);
- /*
- * Skip any algorithm we do not even recognize; obviously,
- * this could be a problem, but if it is critical then the
- * result will just be that the signature does not verify.
- * We do not necessarily want to error out here, because
- * the particular algorithm may not actually be important,
- * but we cannot know that until later.
- */
- if (digobj == NULL)
- continue;
-
- digcx = (*digobj->create)();
- if (digcx != NULL) {
- (*digobj->begin) (digcx);
- cmsdigcx->digobjs[cmsdigcx->digcnt] = digobj;
- cmsdigcx->digcxs[cmsdigcx->digcnt] = digcx;
- cmsdigcx->digcnt++;
- }
- }
-
- cmsdigcx->saw_contents = PR_FALSE;
-
- return cmsdigcx;
-
-loser:
- if (cmsdigcx) {
- if (cmsdigcx->digobjs)
- PORT_Free(cmsdigcx->digobjs);
- if (cmsdigcx->digcxs)
- PORT_Free(cmsdigcx->digcxs);
- }
- return NULL;
-}
-
-/*
- * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but
- * only one algorithm.
- */
-NSSCMSDigestContext *
-NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg)
-{
- SECAlgorithmID *digestalgs[] = { NULL, NULL }; /* fake array */
-
- digestalgs[0] = digestalg;
- return NSS_CMSDigestContext_StartMultiple(digestalgs);
-}
-
-/*
- * NSS_CMSDigestContext_Update - feed more data into the digest machine
- */
-void
-NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len)
-{
- int i;
-
- cmsdigcx->saw_contents = PR_TRUE;
-
- for (i = 0; i < cmsdigcx->digcnt; i++)
- (*cmsdigcx->digobjs[i]->update)(cmsdigcx->digcxs[i], data, len);
-}
-
-/*
- * NSS_CMSDigestContext_Cancel - cancel digesting operation
- */
-void
-NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx)
-{
- int i;
-
- for (i = 0; i < cmsdigcx->digcnt; i++)
- (*cmsdigcx->digobjs[i]->destroy)(cmsdigcx->digcxs[i], PR_TRUE);
-}
-
-/*
- * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
- * into an array of SECItems (allocated on poolp)
- */
-SECStatus
-NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
- SECItem ***digestsp)
-{
- SECHashObject *digobj;
- void *digcx;
- SECItem **digests, *digest;
- int i;
- void *mark;
- SECStatus rv = SECFailure;
-
- /* no contents? do not update digests */
- if (digestsp == NULL || !cmsdigcx->saw_contents) {
- for (i = 0; i < cmsdigcx->digcnt; i++)
- (*cmsdigcx->digobjs[i]->destroy)(cmsdigcx->digcxs[i], PR_TRUE);
- rv = SECSuccess;
- goto cleanup;
- }
-
- mark = PORT_ArenaMark (poolp);
-
- /* allocate digest array & SECItems on arena */
- digests = (SECItem **)PORT_ArenaAlloc(poolp, (cmsdigcx->digcnt+1) * sizeof(SECItem *));
- digest = (SECItem *)PORT_ArenaZAlloc(poolp, cmsdigcx->digcnt * sizeof(SECItem));
- if (digests == NULL || digest == NULL) {
- goto loser;
- }
-
- for (i = 0; i < cmsdigcx->digcnt; i++, digest++) {
- digcx = cmsdigcx->digcxs[i];
- digobj = cmsdigcx->digobjs[i];
-
- digest->data = (unsigned char*)PORT_ArenaAlloc(poolp, digobj->length);
- if (digest->data == NULL)
- goto loser;
- digest->len = digobj->length;
- (* digobj->end)(digcx, digest->data, &(digest->len), digest->len);
- digests[i] = digest;
- (* digobj->destroy)(digcx, PR_TRUE);
- }
- digests[i] = NULL;
- *digestsp = digests;
-
- rv = SECSuccess;
-
-loser:
- if (rv == SECSuccess)
- PORT_ArenaUnmark(poolp, mark);
- else
- PORT_ArenaRelease(poolp, mark);
-
-cleanup:
- if (cmsdigcx->digcnt > 0) {
- PORT_Free(cmsdigcx->digcxs);
- PORT_Free(cmsdigcx->digobjs);
- }
- PORT_Free(cmsdigcx);
-
- return rv;
-}
-
-/*
- * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple,
- * but for one digest.
- */
-SECStatus
-NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
- SECItem *digest)
-{
- SECStatus rv = SECFailure;
- SECItem **dp;
- PLArenaPool *arena = NULL;
-
- if ((arena = PORT_NewArena(1024)) == NULL)
- goto loser;
-
- /* get the digests into arena, then copy the first digest into poolp */
- if (NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp) != SECSuccess)
- goto loser;
-
- /* now copy it into poolp */
- if (SECITEM_CopyItem(poolp, digest, dp[0]) != SECSuccess)
- goto loser;
-
- rv = SECSuccess;
-
-loser:
- if (arena)
- PORT_FreeArena(arena, PR_FALSE);
-
- return rv;
-}
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
deleted file mode 100644
index 0dc23a317..000000000
--- a/security/nss/lib/smime/cmsencdata.c
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS encryptedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- * "keysize" is the key size.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-NSSCMSEncryptedData *
-NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
-{
- void *mark;
- NSSCMSEncryptedData *encd;
- PLArenaPool *poolp;
- SECAlgorithmID *pbe_algid;
- SECStatus rv;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- encd = (NSSCMSEncryptedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEncryptedData));
- if (encd == NULL)
- goto loser;
-
- encd->cmsg = cmsg;
-
- /* version is set in NSS_CMSEncryptedData_Encode_BeforeStart() */
-
- switch (algorithm) {
- /* XXX hmmm... hardcoded algorithms? */
- case SEC_OID_RC2_CBC:
- case SEC_OID_DES_EDE3_CBC:
- case SEC_OID_DES_CBC:
- rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), algorithm, NULL, keysize);
- break;
- default:
- /* Assume password-based-encryption. At least, try that. */
- pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL);
- if (pbe_algid == NULL) {
- rv = SECFailure;
- break;
- }
- rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, &(encd->contentInfo), pbe_algid, keysize);
- SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
- break;
- }
- if (rv != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return encd;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/*
- * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
- */
-void
-NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
-{
- /* everything's in a pool, so don't worry about the storage */
- return;
-}
-
-/*
- * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
- */
-NSSCMSContentInfo *
-NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd)
-{
- return &(encd->contentInfo);
-}
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
- * before encoding begins.
- *
- * In particular:
- * - set the correct version value.
- * - get the encryption key
- */
-SECStatus
-NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd)
-{
- int version;
- PK11SymKey *bulkkey = NULL;
- SECItem *dummy;
- NSSCMSContentInfo *cinfo = &(encd->contentInfo);
-
- if (NSS_CMSArray_IsEmpty((void **)encd->unprotectedAttr))
- version = NSS_CMS_ENCRYPTED_DATA_VERSION;
- else
- version = NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR;
-
- dummy = SEC_ASN1EncodeInteger (encd->cmsg->poolp, &(encd->version), version);
- if (dummy == NULL)
- return SECFailure;
-
- /* now get content encryption key (bulk key) by using our cmsg callback */
- if (encd->cmsg->decrypt_key_cb)
- bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg,
- NSS_CMSContentInfo_GetContentEncAlg(cinfo));
- if (bulkkey == NULL)
- return SECFailure;
-
- /* store the bulk key in the contentInfo so that the encoder can find it */
- NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
- */
-SECStatus
-NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
-{
- NSSCMSContentInfo *cinfo;
- PK11SymKey *bulkkey;
- SECAlgorithmID *algid;
-
- cinfo = &(encd->contentInfo);
-
- /* find bulkkey and algorithm - must have been set by NSS_CMSEncryptedData_Encode_BeforeStart */
- bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
- if (bulkkey == NULL)
- return SECFailure;
- algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
- if (algid == NULL)
- return SECFailure;
-
- /* this may modify algid (with IVs generated in a token).
- * it is therefore essential that algid is a pointer to the "real" contentEncAlg,
- * not just to a copy */
- cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid);
- PK11_FreeSymKey(bulkkey);
- if (cinfo->ciphcx == NULL)
- return SECFailure;
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
- */
-SECStatus
-NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd)
-{
- if (encd->contentInfo.ciphcx)
- NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
-
- /* nothing to do after data */
- return SECSuccess;
-}
-
-
-/*
- * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
- */
-SECStatus
-NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd)
-{
- PK11SymKey *bulkkey = NULL;
- NSSCMSContentInfo *cinfo;
- SECAlgorithmID *bulkalg;
- SECStatus rv = SECFailure;
-
- cinfo = &(encd->contentInfo);
-
- bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
-
- if (encd->cmsg->decrypt_key_cb == NULL) /* no callback? no key../ */
- goto loser;
-
- bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, bulkalg);
- if (bulkkey == NULL)
- /* no success finding a bulk key */
- goto loser;
-
- NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
- cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
- if (cinfo->ciphcx == NULL)
- goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */
-
- /*
- * HACK ALERT!!
- * For PKCS5 Encryption Algorithms, the bulkkey is actually a different
- * structure. Therefore, we need to set the bulkkey to the actual key
- * prior to freeing it.
- */
- if (SEC_PKCS5IsAlgorithmPBEAlg(bulkalg)) {
- SEC_PKCS5KeyAndPassword *keyPwd = (SEC_PKCS5KeyAndPassword *)bulkkey;
- bulkkey = keyPwd->key;
- }
-
- /* we are done with (this) bulkkey now. */
- PK11_FreeSymKey(bulkkey);
-
- rv = SECSuccess;
-
-loser:
- return rv;
-}
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
- */
-SECStatus
-NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd)
-{
- NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
- */
-SECStatus
-NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd)
-{
- /* apply final touches */
- return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
deleted file mode 100644
index cc0303cd6..000000000
--- a/security/nss/lib/smime/cmsencode.c
+++ /dev/null
@@ -1,740 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS encoding.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secrng.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-struct nss_cms_encoder_output {
- NSSCMSContentCallback outputfn;
- void *outputarg;
- PLArenaPool *destpoolp;
- SECItem *dest;
-};
-
-struct NSSCMSEncoderContextStr {
- SEC_ASN1EncoderContext * ecx; /* ASN.1 encoder context */
- PRBool ecxupdated; /* true if data was handed in */
- NSSCMSMessage * cmsg; /* pointer to the root message */
- SECOidTag type; /* type tag of the current content */
- NSSCMSContent content; /* pointer to current content */
- struct nss_cms_encoder_output output; /* output function */
- int error; /* error code */
- NSSCMSEncoderContext * childp7ecx; /* link to child encoder context */
-};
-
-static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx);
-static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx);
-static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
-static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
- const unsigned char *data, unsigned long len,
- PRBool final, PRBool innermost);
-
-extern const SEC_ASN1Template NSSCMSMessageTemplate[];
-
-/*
- * The little output function that the ASN.1 encoder calls to hand
- * us bytes which we in turn hand back to our caller (via the callback
- * they gave us).
- */
-static void
-nss_cms_encoder_out(void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- struct nss_cms_encoder_output *output = (struct nss_cms_encoder_output *)arg;
- unsigned char *dest;
- unsigned long offset;
-
-#ifdef CMSDEBUG
- int i;
-
- fprintf(stderr, "kind = %d, depth = %d, len = %d\n", data_kind, depth, len);
- for (i=0; i < len; i++) {
- fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : "");
- }
- if ((i % 16) != 0)
- fprintf(stderr, "\n");
-#endif
-
- if (output->outputfn != NULL)
- /* call output callback with DER data */
- output->outputfn(output->outputarg, buf, len);
-
- if (output->dest != NULL) {
- /* store DER data in SECItem */
- offset = output->dest->len;
- if (offset == 0) {
- dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len);
- } else {
- dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp,
- output->dest->data,
- output->dest->len,
- output->dest->len + len);
- }
- if (dest == NULL)
- /* oops */
- return;
-
- output->dest->data = dest;
- output->dest->len += len;
-
- /* copy it in */
- PORT_Memcpy(output->dest->data + offset, buf, len);
- }
-}
-
-/*
- * nss_cms_encoder_notify - ASN.1 encoder callback
- *
- * this function is called by the ASN.1 encoder before and after the encoding of
- * every object. here, it is used to keep track of data structures, set up
- * encryption and/or digesting and possibly set up child encoders.
- */
-static void
-nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
-{
- NSSCMSEncoderContext *p7ecx;
- NSSCMSContentInfo *rootcinfo, *cinfo;
- PRBool after = !before;
- PLArenaPool *poolp;
- SECOidTag childtype;
- SECItem *item;
-
- p7ecx = (NSSCMSEncoderContext *)arg;
- PORT_Assert(p7ecx != NULL);
-
- rootcinfo = &(p7ecx->cmsg->contentInfo);
- poolp = p7ecx->cmsg->poolp;
-
-#ifdef CMSDEBUG
- fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
-#endif
-
- /*
- * Watch for the content field, at which point we want to instruct
- * the ASN.1 encoder to start taking bytes from the buffer.
- */
- switch (p7ecx->type) {
- default:
- case SEC_OID_UNKNOWN:
- /* we're still in the root message */
- if (after && dest == &(rootcinfo->contentType)) {
- /* got the content type OID now - so find out the type tag */
- p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
- /* set up a pointer to our current content */
- p7ecx->content = rootcinfo->content;
- }
- break;
-
- case SEC_OID_PKCS7_DATA:
- if (before && dest == &(rootcinfo->rawContent)) {
- /* just set up encoder to grab from user - no encryption or digesting */
- if ((item = rootcinfo->content.data) != NULL)
- (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
- else
- SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
- SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */
- }
- break;
-
- case SEC_OID_PKCS7_SIGNED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
-
- /* when we know what the content is, we encode happily until we reach the inner content */
- cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
- childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
- if (after && dest == &(cinfo->contentType)) {
- /* we're right before encoding the data (if we have some or not) */
- /* (for encrypted data, we're right before the contentEncAlg which may change */
- /* in nss_cms_before_data because of IV calculation when setting up encryption) */
- if (nss_cms_before_data(p7ecx) != SECSuccess)
- p7ecx->error = PORT_GetError();
- }
- if (before && dest == &(cinfo->rawContent)) {
- if (childtype == SEC_OID_PKCS7_DATA && (item = cinfo->content.data) != NULL)
- /* we have data - feed it in */
- (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
- else
- /* else try to get it from user */
- SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
- }
- if (after && dest == &(cinfo->rawContent)) {
- if (nss_cms_after_data(p7ecx) != SECSuccess)
- p7ecx->error = PORT_GetError();
- SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */
- }
- break;
- }
-}
-
-/*
- * nss_cms_before_data - setup the current encoder to receive data
- */
-static SECStatus
-nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
-{
- SECStatus rv;
- SECOidTag childtype;
- NSSCMSContentInfo *cinfo;
- PLArenaPool *poolp;
- NSSCMSEncoderContext *childp7ecx;
- const SEC_ASN1Template *template;
-
- poolp = p7ecx->cmsg->poolp;
-
- /* call _Encode_BeforeData handlers */
- switch (p7ecx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- /* we're encoding a signedData, so set up the digests */
- rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- /* we're encoding a digestedData, so set up the digest */
- rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData);
- break;
- default:
- rv = SECFailure;
- }
- if (rv != SECSuccess)
- return SECFailure;
-
- /* ok, now we have a pointer to cinfo */
- /* find out what kind of data is encapsulated */
-
- cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
- childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
- switch (childtype) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- case SEC_OID_PKCS7_DIGESTED_DATA:
-#if 0
- case SEC_OID_PKCS7_DATA: /* XXX here also??? maybe yes! */
-#endif
- /* in these cases, we need to set up a child encoder! */
- /* create new encoder context */
- childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
- if (childp7ecx == NULL)
- return SECFailure;
-
- /* the CHILD encoder needs to hand its encoded data to the CURRENT encoder
- * (which will encrypt and/or digest it)
- * this needs to route back into our update function
- * which finds the lowest encoding context & encrypts and computes digests */
- childp7ecx->type = childtype;
- childp7ecx->content = cinfo->content;
- /* use the non-recursive update function here, of course */
- childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update;
- childp7ecx->output.outputarg = p7ecx;
- childp7ecx->output.destpoolp = NULL;
- childp7ecx->output.dest = NULL;
- childp7ecx->cmsg = p7ecx->cmsg;
-
- template = NSS_CMSUtil_GetTemplateByTypeTag(childtype);
- if (template == NULL)
- goto loser; /* cannot happen */
-
- /* now initialize the data for encoding the first third */
- switch (childp7ecx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
- break;
- case SEC_OID_PKCS7_DATA:
- rv = SECSuccess;
- break;
- }
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * Initialize the BER encoder.
- */
- childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template,
- nss_cms_encoder_out, &(childp7ecx->output));
- if (childp7ecx->ecx == NULL)
- goto loser;
-
- childp7ecx->ecxupdated = PR_FALSE;
-
- /*
- * Indicate that we are streaming. We will be streaming until we
- * get past the contents bytes.
- */
- SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);
-
- /*
- * The notify function will watch for the contents field.
- */
- SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx);
-
- /* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */
- /* encoding process - we'll do that from the update function instead */
- /* otherwise we'd be encoding data from a call of the notify function of the */
- /* parent encoder (which would not work) */
-
- /* this will kick off the encoding process & encode everything up to the content bytes,
- * at which point the notify function sets streaming mode (and possibly creates
- * another child encoder). */
- if (SEC_ASN1EncoderUpdate(childp7ecx->ecx, NULL, 0) != SECSuccess)
- goto loser;
-
- p7ecx->childp7ecx = childp7ecx;
- break;
-
- case SEC_OID_PKCS7_DATA:
- p7ecx->childp7ecx = NULL;
- break;
- default:
- /* we do not know this type */
- p7ecx->error = SEC_ERROR_BAD_DER;
- break;
- }
-
- return SECSuccess;
-
-loser:
- if (childp7ecx) {
- if (childp7ecx->ecx)
- SEC_ASN1EncoderFinish(childp7ecx->ecx);
- PORT_Free(childp7ecx);
- }
- return SECFailure;
-}
-
-static SECStatus
-nss_cms_after_data(NSSCMSEncoderContext *p7ecx)
-{
- SECStatus rv;
-
- switch (p7ecx->type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- /* this will finish the digests and sign */
- rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData);
- break;
- case SEC_OID_PKCS7_DATA:
- /* do nothing */
- break;
- default:
- rv = SECFailure;
- break;
- }
- return rv;
-}
-
-/*
- * nss_cms_encoder_work_data - process incoming data
- *
- * (from the user or the next encoding layer)
- * Here, we need to digest and/or encrypt, then pass it on
- */
-static SECStatus
-nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
- const unsigned char *data, unsigned long len,
- PRBool final, PRBool innermost)
-{
- unsigned char *buf = NULL;
- SECStatus rv;
- NSSCMSContentInfo *cinfo;
-
- rv = SECSuccess; /* may as well be optimistic */
-
- /*
- * We should really have data to process, or we should be trying
- * to finish/flush the last block. (This is an overly paranoid
- * check since all callers are in this file and simple inspection
- * proves they do it right. But it could find a bug in future
- * modifications/development, that is why it is here.)
- */
- PORT_Assert ((data != NULL && len) || final);
-
- /* we got data (either from the caller, or from a lower level encoder) */
- cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
-
- /* Update the running digest. */
- if (len && cinfo->digcx != NULL)
- NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
-
- /* Encrypt this chunk. */
- if (cinfo->ciphcx != NULL) {
- unsigned int inlen; /* length of data being encrypted */
- unsigned int outlen; /* length of encrypted data */
- unsigned int buflen; /* length available for encrypted data */
-
- inlen = len;
- buflen = NSS_CMSCipherContext_EncryptLength(cinfo->ciphcx, inlen, final);
- if (buflen == 0) {
- /*
- * No output is expected, but the input data may be buffered
- * so we still have to call Encrypt.
- */
- rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, NULL, NULL, 0,
- data, inlen, final);
- if (final) {
- len = 0;
- goto done;
- }
- return rv;
- }
-
- if (dest != NULL)
- buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen);
- else
- buf = (unsigned char*)PORT_Alloc(buflen);
-
- if (buf == NULL) {
- rv = SECFailure;
- } else {
- rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, buf, &outlen, buflen,
- data, inlen, final);
- data = buf;
- len = outlen;
- }
- if (rv != SECSuccess)
- /* encryption or malloc failed? */
- return rv;
- }
-
-
- /*
- * at this point (data,len) has everything we'd like to give to the CURRENT encoder
- * (which will encode it, then hand it back to the user or the parent encoder)
- * We don't encode the data if we're innermost and we're told not to include the data
- */
- if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != NULL))
- rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len);
-
-done:
-
- if (cinfo->ciphcx != NULL) {
- if (dest != NULL) {
- dest->data = buf;
- dest->len = len;
- } else if (buf != NULL) {
- PORT_Free (buf);
- }
- }
- return rv;
-}
-
-/*
- * nss_cms_encoder_update - deliver encoded data to the next higher level
- *
- * no recursion here because we REALLY want to end up at the next higher encoder!
- */
-static SECStatus
-nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
-{
- /* XXX Error handling needs help. Return what? Do "Finish" on failure? */
- return nss_cms_encoder_work_data (p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_FALSE);
-}
-
-/*
- * NSS_CMSEncoder_Start - set up encoding of a CMS message
- *
- * "cmsg" - message to encode
- * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
- * will not be called if NULL.
- * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
- * "destpoolp" - pool to allocate DER-encoded output in
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- */
-NSSCMSEncoderContext *
-NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
- NSSCMSContentCallback outputfn, void *outputarg,
- SECItem *dest, PLArenaPool *destpoolp,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
- SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
-{
- NSSCMSEncoderContext *p7ecx;
- SECStatus rv;
- NSSCMSContentInfo *cinfo;
-
- NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
- detached_digestalgs, detached_digests);
-
- p7ecx = (NSSCMSEncoderContext *)PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
- if (p7ecx == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- p7ecx->cmsg = cmsg;
- p7ecx->output.outputfn = outputfn;
- p7ecx->output.outputarg = outputarg;
- p7ecx->output.dest = dest;
- p7ecx->output.destpoolp = destpoolp;
- p7ecx->type = SEC_OID_UNKNOWN;
-
- cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-
- switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
- break;
- default:
- rv = SECFailure;
- break;
- }
- if (rv != SECSuccess)
- return NULL;
-
- /* Initialize the BER encoder.
- * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */
- p7ecx->ecx = SEC_ASN1EncoderStart(cmsg, NSSCMSMessageTemplate,
- nss_cms_encoder_out, &(p7ecx->output));
- if (p7ecx->ecx == NULL) {
- PORT_Free (p7ecx);
- return NULL;
- }
- p7ecx->ecxupdated = PR_FALSE;
-
- /*
- * Indicate that we are streaming. We will be streaming until we
- * get past the contents bytes.
- */
- SEC_ASN1EncoderSetStreaming(p7ecx->ecx);
-
- /*
- * The notify function will watch for the contents field.
- */
- SEC_ASN1EncoderSetNotifyProc(p7ecx->ecx, nss_cms_encoder_notify, p7ecx);
-
- /* this will kick off the encoding process & encode everything up to the content bytes,
- * at which point the notify function sets streaming mode (and possibly creates
- * a child encoder). */
- if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) {
- PORT_Free (p7ecx);
- return NULL;
- }
-
- return p7ecx;
-}
-
-/*
- * NSS_CMSEncoder_Update - take content data delivery from the user
- *
- * "p7ecx" - encoder context
- * "data" - content data
- * "len" - length of content data
- *
- * need to find the lowest level (and call SEC_ASN1EncoderUpdate on the way down),
- * then hand the data to the work_data fn
- */
-SECStatus
-NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
-{
- SECStatus rv;
- NSSCMSContentInfo *cinfo;
- SECOidTag childtype;
-
- if (p7ecx->error)
- return SECFailure;
-
- /* hand data to the innermost decoder */
- if (p7ecx->childp7ecx) {
- /* recursion here */
- rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);
- } else {
- /* we are at innermost decoder */
- /* find out about our inner content type - must be data */
- cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
- childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
- if (childtype != SEC_OID_PKCS7_DATA)
- return SECFailure;
- /* and we must not have preset data */
- if (cinfo->content.data != NULL)
- return SECFailure;
-
- /* hand it the data so it can encode it (let DER trickle up the chain) */
- rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE);
- }
- return rv;
-}
-
-/*
- * NSS_CMSEncoder_Cancel - stop all encoding
- *
- * we need to walk down the chain of encoders and the finish them from the innermost out
- */
-SECStatus
-NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx)
-{
- SECStatus rv = SECFailure;
-
- /* XXX do this right! */
-
- /*
- * Finish any inner decoders before us so that all the encoded data is flushed
- * This basically finishes all the decoders from the innermost to the outermost.
- * Finishing an inner decoder may result in data being updated to the outer decoder
- * while we are already in NSS_CMSEncoder_Finish, but that's allright.
- */
- if (p7ecx->childp7ecx) {
- rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
- /* remember rv for now */
- }
-
- /*
- * On the way back up, there will be no more data (if we had an
- * inner encoder, it is done now!)
- * Flush out any remaining data and/or finish digests.
- */
- rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
- if (rv != SECSuccess)
- goto loser;
-
- p7ecx->childp7ecx = NULL;
-
- /* kick the encoder back into working mode again.
- * We turn off streaming stuff (which will cause the encoder to continue
- * encoding happily, now that we have all the data (like digests) ready for it).
- */
- SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
- SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
-
- /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
- rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
-
-loser:
- SEC_ASN1EncoderFinish(p7ecx->ecx);
- PORT_Free (p7ecx);
- return rv;
-}
-
-/*
- * NSS_CMSEncoder_Finish - signal the end of data
- *
- * we need to walk down the chain of encoders and the finish them from the innermost out
- */
-SECStatus
-NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
-{
- SECStatus rv = SECFailure;
- NSSCMSContentInfo *cinfo;
- SECOidTag childtype;
-
- /*
- * Finish any inner decoders before us so that all the encoded data is flushed
- * This basically finishes all the decoders from the innermost to the outermost.
- * Finishing an inner decoder may result in data being updated to the outer decoder
- * while we are already in NSS_CMSEncoder_Finish, but that's allright.
- */
- if (p7ecx->childp7ecx) {
- rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
- if (rv != SECSuccess)
- goto loser;
- }
-
- /*
- * On the way back up, there will be no more data (if we had an
- * inner encoder, it is done now!)
- * Flush out any remaining data and/or finish digests.
- */
- rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
- if (rv != SECSuccess)
- goto loser;
-
- p7ecx->childp7ecx = NULL;
-
- /* find out about our inner content type - must be data */
- cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
- childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
- if (childtype == SEC_OID_PKCS7_DATA && cinfo->content.data == NULL) {
- SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
- /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
- rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
- }
-
- SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
-
- if (p7ecx->error)
- rv = SECFailure;
-
-loser:
- SEC_ASN1EncoderFinish(p7ecx->ecx);
- PORT_Free (p7ecx);
- return rv;
-}
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
deleted file mode 100644
index d6e45a10a..000000000
--- a/security/nss/lib/smime/cmsenvdata.c
+++ /dev/null
@@ -1,416 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS envelopedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSEnvelopedData_Create - create an enveloped data message
- */
-NSSCMSEnvelopedData *
-NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
-{
- void *mark;
- NSSCMSEnvelopedData *envd;
- PLArenaPool *poolp;
- SECStatus rv;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- envd = (NSSCMSEnvelopedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEnvelopedData));
- if (envd == NULL)
- goto loser;
-
- envd->cmsg = cmsg;
-
- /* version is set in NSS_CMSEnvelopedData_Encode_BeforeStart() */
-
- rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(envd->contentInfo), algorithm, NULL, keysize);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return envd;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/*
- * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
- */
-void
-NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp)
-{
- NSSCMSRecipientInfo **recipientinfos;
- NSSCMSRecipientInfo *ri;
-
- if (edp == NULL)
- return;
-
- recipientinfos = edp->recipientInfos;
- if (recipientinfos == NULL)
- return;
-
- while ((ri = *recipientinfos++) != NULL)
- NSS_CMSRecipientInfo_Destroy(ri);
-
- /* XXX storage ??? */
-}
-
-/*
- * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
- */
-NSSCMSContentInfo *
-NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd)
-{
- return &(envd->contentInfo);
-}
-
-/*
- * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
- *
- * rip must be created on the same pool as edp - this is not enforced, though.
- */
-SECStatus
-NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip)
-{
- void *mark;
- SECStatus rv;
-
- /* XXX compare pools, if not same, copy rip into edp's pool */
-
- PR_ASSERT(edp != NULL);
- PR_ASSERT(rip != NULL);
-
- mark = PORT_ArenaMark(edp->cmsg->poolp);
-
- rv = NSS_CMSArray_Add(edp->cmsg->poolp, (void ***)&(edp->recipientInfos), (void *)rip);
- if (rv != SECSuccess) {
- PORT_ArenaRelease(edp->cmsg->poolp, mark);
- return SECFailure;
- }
-
- PORT_ArenaUnmark (edp->cmsg->poolp, mark);
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
- *
- * at this point, we need
- * - recipientinfos set up with recipient's certificates
- * - a content encryption algorithm (if none, 3DES will be used)
- *
- * this function will generate a random content encryption key (aka bulk key),
- * initialize the recipientinfos with certificate identification and wrap the bulk key
- * using the proper algorithm for every certificiate.
- * it will finally set the bulk algorithm and key so that the encode step can find it.
- */
-SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
-{
- int version;
- NSSCMSRecipientInfo **recipientinfos;
- NSSCMSContentInfo *cinfo;
- PK11SymKey *bulkkey = NULL;
- SECOidTag bulkalgtag;
- CK_MECHANISM_TYPE type;
- PK11SlotInfo *slot;
- SECStatus rv;
- SECItem *dummy;
- PLArenaPool *poolp;
- extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
- void *mark = NULL;
- int i;
-
- poolp = envd->cmsg->poolp;
- cinfo = &(envd->contentInfo);
-
- recipientinfos = envd->recipientInfos;
- if (recipientinfos == NULL) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
-#if 0
- PORT_SetErrorString("Cannot find recipientinfos to encode.");
-#endif
- goto loser;
- }
-
- version = NSS_CMS_ENVELOPED_DATA_VERSION_REG;
- if (envd->originatorInfo != NULL || envd->unprotectedAttr != NULL) {
- version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
- } else {
- for (i = 0; recipientinfos[i] != NULL; i++) {
- if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) {
- version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
- break;
- }
- }
- }
- dummy = SEC_ASN1EncodeInteger(poolp, &(envd->version), version);
- if (dummy == NULL)
- goto loser;
-
- /* now we need to have a proper content encryption algorithm
- * on the SMIME level, we would figure one out by looking at SMIME capabilities
- * we cannot do that on our level, so if none is set already, we'll just go
- * with one of the mandatory algorithms (3DES) */
- if ((bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo)) == SEC_OID_UNKNOWN) {
- rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168);
- if (rv != SECSuccess)
- goto loser;
- bulkalgtag = SEC_OID_DES_EDE3_CBC;
- }
-
- /* generate a random bulk key suitable for content encryption alg */
- type = PK11_AlgtagToMechanism(bulkalgtag);
- slot = PK11_GetBestSlot(type, envd->cmsg->pwfn_arg);
- if (slot == NULL)
- goto loser; /* error has been set by PK11_GetBestSlot */
-
- /* this is expensive... */
- bulkkey = PK11_KeyGen(slot, type, NULL, NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, envd->cmsg->pwfn_arg);
- PK11_FreeSlot(slot);
- if (bulkkey == NULL)
- goto loser; /* error has been set by PK11_KeyGen */
-
- mark = PORT_ArenaMark(poolp);
-
- /* Encrypt the bulk key with the public key of each recipient. */
- for (i = 0; recipientinfos[i] != NULL; i++) {
- rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag);
- if (rv != SECSuccess)
- goto loser; /* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */
- /* could be: alg not supported etc. */
- }
-
- /* the recipientinfos are all finished. now sort them by DER for SET OF encoding */
- rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, NSSCMSRecipientInfoTemplate, NULL);
- if (rv != SECSuccess)
- goto loser; /* error has been set by NSS_CMSArray_SortByDER */
-
- /* store the bulk key in the contentInfo so that the encoder can find it */
- NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
- PORT_ArenaUnmark(poolp, mark);
-
- PK11_FreeSymKey(bulkkey);
-
- return SECSuccess;
-
-loser:
- if (mark != NULL)
- PORT_ArenaRelease (poolp, mark);
- if (bulkkey)
- PK11_FreeSymKey(bulkkey);
-
- return SECFailure;
-}
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
- *
- * it is essential that this is called before the contentEncAlg is encoded, because
- * setting up the encryption may generate IVs and thus change it!
- */
-SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
-{
- NSSCMSContentInfo *cinfo;
- PK11SymKey *bulkkey;
- SECAlgorithmID *algid;
-
- cinfo = &(envd->contentInfo);
-
- /* find bulkkey and algorithm - must have been set by NSS_CMSEnvelopedData_Encode_BeforeStart */
- bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
- if (bulkkey == NULL)
- return SECFailure;
- algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
- if (algid == NULL)
- return SECFailure;
-
- /* this may modify algid (with IVs generated in a token).
- * it is essential that algid is a pointer to the contentEncAlg data, not a
- * pointer to a copy! */
- cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid);
- PK11_FreeSymKey(bulkkey);
- if (cinfo->ciphcx == NULL)
- return SECFailure;
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
- */
-SECStatus
-NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd)
-{
- if (envd->contentInfo.ciphcx) {
- NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
- envd->contentInfo.ciphcx = NULL;
- }
-
- /* nothing else to do after data */
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo,
- * derive bulk key & set up our contentinfo
- */
-SECStatus
-NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd)
-{
- NSSCMSRecipientInfo *ri;
- PK11SymKey *bulkkey = NULL;
- SECOidTag bulkalgtag;
- SECAlgorithmID *bulkalg;
- SECStatus rv = SECFailure;
- NSSCMSContentInfo *cinfo;
- NSSCMSRecipient **recipient_list;
- int rlIndex;
-
- if (NSS_CMSArray_Count((void **)envd->recipientInfos) == 0) {
- PORT_SetError(SEC_ERROR_BAD_DATA);
-#if 0
- PORT_SetErrorString("No recipient data in envelope.");
-#endif
- goto loser;
- }
-
- /* look if one of OUR cert's issuerSN is on the list of recipients, and if so, */
- /* get the cert and private key for it right away */
- recipient_list = nss_cms_recipient_list_create(envd->recipientInfos);
- if (recipient_list == NULL)
- goto loser;
-
- /* what about multiple recipientInfos that match?
- * especially if, for some reason, we could not produce a bulk key with the first match?!
- * we could loop & feed partial recipient_list to PK11_FindCertAndKeyByRecipientList...
- * maybe later... */
- rlIndex = PK11_FindCertAndKeyByRecipientListNew(recipient_list, envd->cmsg->pwfn_arg);
-
- /* if that fails, then we're not an intended recipient and cannot decrypt */
- if (rlIndex < 0) {
- PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT);
-#if 0
- PORT_SetErrorString("Cannot decrypt data because proper key cannot be found.");
-#endif
- goto loser;
- }
-
- /* get a pointer to "our" recipientinfo */
- ri = envd->recipientInfos[recipient_list[rlIndex]->riIndex];
-
- cinfo = &(envd->contentInfo);
- bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
- bulkkey = NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient_list[rlIndex]->subIndex,
- recipient_list[rlIndex]->cert,
- recipient_list[rlIndex]->privkey,
- bulkalgtag);
- if (bulkkey == NULL) {
- /* no success finding a bulk key */
- goto loser;
- }
-
- NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
- bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
-
- cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
- if (cinfo->ciphcx == NULL)
- goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */
-
- /*
- * HACK ALERT!!
- * For PKCS5 Encryption Algorithms, the bulkkey is actually a different
- * structure. Therefore, we need to set the bulkkey to the actual key
- * prior to freeing it.
- */
- if (SEC_PKCS5IsAlgorithmPBEAlg(bulkalg)) {
- SEC_PKCS5KeyAndPassword *keyPwd = (SEC_PKCS5KeyAndPassword *)bulkkey;
- bulkkey = keyPwd->key;
- }
-
- rv = SECSuccess;
-
-loser:
- if (bulkkey)
- PK11_FreeSymKey(bulkkey);
- if (recipient_list != NULL)
- nss_cms_recipient_list_destroy(recipient_list);
- return rv;
-}
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
- */
-SECStatus
-NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd)
-{
- if (envd->contentInfo.ciphcx) {
- NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
- envd->contentInfo.ciphcx = NULL;
- }
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
- */
-SECStatus
-NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd)
-{
- /* apply final touches */
- return SECSuccess;
-}
-
diff --git a/security/nss/lib/smime/cmslocal.h b/security/nss/lib/smime/cmslocal.h
deleted file mode 100644
index e7f15c4e1..000000000
--- a/security/nss/lib/smime/cmslocal.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support routines for CMS implementation, none of which are exported.
- *
- * Do not export this file! If something in here is really needed outside
- * of smime code, first try to add a CMS interface which will do it for
- * you. If that has a problem, then just move out what you need, changing
- * its name as appropriate!
- *
- * $Id$
- */
-
-#ifndef _CMSLOCAL_H_
-#define _CMSLOCAL_H_
-
-#include "cms.h"
-#include "cmsreclist.h"
-#include "secasn1t.h"
-
-extern const SEC_ASN1Template NSSCMSContentInfoTemplate[];
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/***********************************************************************
- * cmscipher.c - en/decryption routines
- ***********************************************************************/
-
-/*
- * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
- * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
- */
-extern NSSCMSCipherContext *
-NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid);
-
-/*
- * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
- * based on the given bulk encryption key and algorithm tag. Fill in the algorithm
- * identifier (which may include an iv) appropriately.
- */
-extern NSSCMSCipherContext *
-NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid);
-
-extern void
-NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc);
-
-/*
- * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations. Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and bsize).
- */
-extern unsigned int
-NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
-
-/*
- * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations.
- */
-extern unsigned int
-NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
-
-/*
- * NSS_CMSCipherContext_Decrypt - do the decryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Decrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
- * When "final" is true, this is the last of the data to be decrypted.
- */
-extern SECStatus
-NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
- unsigned int *output_len_p, unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len,
- PRBool final);
-
-/*
- * NSS_CMSCipherContext_Encrypt - do the encryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Encrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
- * When "final" is true, this is the last of the data to be encrypted.
- */
-extern SECStatus
-NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
- unsigned int *output_len_p, unsigned int max_output_len,
- const unsigned char *input, unsigned int input_len,
- PRBool final);
-
-/************************************************************************
- * cmspubkey.c - public key operations
- ************************************************************************/
-
-/*
- * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
- *
- * this function takes a symmetric key and encrypts it using an RSA public key
- * according to PKCS#1 and RFC2633 (S/MIME)
- */
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
- SECItem *encKey);
-
-/*
- * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
- *
- * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
- * key handle. Please note that the actual unwrapped key data may not be allowed to leave
- * a hardware token...
- */
-extern PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag);
-
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
- SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg);
-
-extern PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey,
- SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
-
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
- SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
- SECItem *originatorPubKey);
-
-extern PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
- SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
-
-/************************************************************************
- * cmsreclist.c - recipient list stuff
- ************************************************************************/
-extern NSSCMSRecipient **nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos);
-extern void nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list);
-extern NSSCMSRecipientEncryptedKey *NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp);
-
-/************************************************************************
- * cmsarray.c - misc array functions
- ************************************************************************/
-/*
- * NSS_CMSArray_Alloc - allocate an array in an arena
- */
-extern void **
-NSS_CMSArray_Alloc(PRArenaPool *poolp, int n);
-
-/*
- * NSS_CMSArray_Add - add an element to the end of an array
- */
-extern SECStatus
-NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj);
-
-/*
- * NSS_CMSArray_IsEmpty - check if array is empty
- */
-extern PRBool
-NSS_CMSArray_IsEmpty(void **array);
-
-/*
- * NSS_CMSArray_Count - count number of elements in array
- */
-extern int
-NSS_CMSArray_Count(void **array);
-
-/*
- * NSS_CMSArray_Sort - sort an array ascending, in place
- *
- * If "secondary" is not NULL, the same reordering gets applied to it.
- * If "tertiary" is not NULL, the same reordering gets applied to it.
- * "compare" is a function that returns
- * < 0 when the first element is less than the second
- * = 0 when the first element is equal to the second
- * > 0 when the first element is greater than the second
- */
-extern void
-NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary);
-
-/************************************************************************
- * cmsattr.c - misc attribute functions
- ************************************************************************/
-/*
- * NSS_CMSAttribute_Create - create an attribute
- *
- * if value is NULL, the attribute won't have a value. It can be added later
- * with NSS_CMSAttribute_AddValue.
- */
-extern NSSCMSAttribute *
-NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded);
-
-/*
- * NSS_CMSAttribute_AddValue - add another value to an attribute
- */
-extern SECStatus
-NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value);
-
-/*
- * NSS_CMSAttribute_GetType - return the OID tag
- */
-extern SECOidTag
-NSS_CMSAttribute_GetType(NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSAttribute_GetValue - return the first attribute value
- *
- * We do some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-extern SECItem *
-NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
- */
-extern PRBool
-NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av);
-
-/*
- * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
- *
- * If you are wondering why this routine does not reorder the attributes
- * first, and might be tempted to make it do so, see the comment by the
- * call to ReorderAttributes in cmsencode.c. (Or, see who else calls this
- * and think long and hard about the implications of making it always
- * do the reordering.)
- */
-extern SECItem *
-NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest);
-
-/*
- * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
- *
- * make sure that the order of the attributes guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in attrs).
- */
-extern SECStatus
-NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs);
-
-/*
- * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
- * find one that matches the specified object ID.
- *
- * If "only" is true, then make sure that there is not more than one attribute
- * of the same type. Otherwise, just return the first one found. (XXX Does
- * anybody really want that first-found behavior? It was like that when I found it...)
- */
-extern NSSCMSAttribute *
-NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only);
-
-/*
- * NSS_CMSAttributeArray_AddAttr - add an attribute to an
- * array of attributes.
- */
-extern SECStatus
-NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
- */
-extern SECStatus
-NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _CMSLOCAL_H_ */
diff --git a/security/nss/lib/smime/cmsmessage.c b/security/nss/lib/smime/cmsmessage.c
deleted file mode 100644
index a25445627..000000000
--- a/security/nss/lib/smime/cmsmessage.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS message methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSMessage_Create - create a CMS message object
- *
- * "poolp" - arena to allocate memory from, or NULL if new arena should be created
- */
-NSSCMSMessage *
-NSS_CMSMessage_Create(PLArenaPool *poolp)
-{
- void *mark;
- NSSCMSMessage *cmsg;
- PRBool poolp_is_ours = PR_FALSE;
-
- if (poolp == NULL) {
- poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (poolp == NULL)
- return NULL;
- poolp_is_ours = PR_TRUE;
- }
-
- if (!poolp_is_ours)
- mark = PORT_ArenaMark(poolp);
-
- cmsg = (NSSCMSMessage *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSMessage));
- if (cmsg == NULL) {
- if (!poolp_is_ours)
- PORT_ArenaRelease(poolp, mark);
- else
- PORT_FreeArena(poolp, PR_FALSE);
- return NULL;
- }
-
- cmsg->poolp = poolp;
- cmsg->poolp_is_ours = poolp_is_ours;
- cmsg->refCount = 1;
-
- if (!poolp_is_ours)
- PORT_ArenaUnmark(poolp, mark);
-
- return cmsg;
-}
-
-/*
- * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
- *
- * "cmsg" - message object
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- */
-void
-NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
- PK11PasswordFunc pwfn, void *pwfn_arg,
- NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
- SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
-{
- if (pwfn)
- PK11_SetPasswordFunc(pwfn);
- cmsg->pwfn_arg = pwfn_arg;
- cmsg->decrypt_key_cb = decrypt_key_cb;
- cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
- cmsg->detached_digestalgs = detached_digestalgs;
- cmsg->detached_digests = detached_digests;
-}
-
-/*
- * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
- */
-void
-NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
-{
- PORT_Assert (cmsg->refCount > 0);
- if (cmsg->refCount <= 0) /* oops */
- return;
-
- cmsg->refCount--; /* thread safety? */
- if (cmsg->refCount > 0)
- return;
-
- NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
-
- /* if poolp is not NULL, cmsg is the owner of its arena */
- if (cmsg->poolp_is_ours)
- PORT_FreeArena (cmsg->poolp, PR_FALSE); /* XXX clear it? */
-}
-
-/*
- * NSS_CMSMessage_Copy - return a copy of the given message.
- *
- * The copy may be virtual or may be real -- either way, the result needs
- * to be passed to NSS_CMSMessage_Destroy later (as does the original).
- */
-NSSCMSMessage *
-NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
-{
- if (cmsg == NULL)
- return NULL;
-
- PORT_Assert (cmsg->refCount > 0);
-
- cmsg->refCount++; /* XXX chrisk thread safety? */
- return cmsg;
-}
-
-/*
- * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
- */
-PLArenaPool *
-NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
-{
- return cmsg->poolp;
-}
-
-/*
- * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
- */
-NSSCMSContentInfo *
-NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
-{
- return &(cmsg->contentInfo);
-}
-
-/*
- * Return a pointer to the actual content.
- * In the case of those types which are encrypted, this returns the *plain* content.
- * In case of nested contentInfos, this descends and retrieves the innermost content.
- */
-SECItem *
-NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
-{
- /* this is a shortcut */
- return NSS_CMSContentInfo_GetInnerContent(NSS_CMSMessage_GetContentInfo(cmsg));
-}
-
-/*
- * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
- *
- * CMS data content objects do not count.
- */
-int
-NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
-{
- int count = 0;
- NSSCMSContentInfo *cinfo;
-
- /* walk down the chain of contentinfos */
- for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
- count++;
- }
- return count;
-}
-
-/*
- * NSS_CMSMessage_ContentLevel - find content level #n
- *
- * CMS data content objects do not count.
- */
-NSSCMSContentInfo *
-NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
-{
- int count = 0;
- NSSCMSContentInfo *cinfo;
-
- /* walk down the chain of contentinfos */
- for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
- count++;
- }
-
- return cinfo;
-}
-
-/*
- * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
- */
-PRBool
-NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
-{
- NSSCMSContentInfo *cinfo;
-
- /* descend into CMS message */
- for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
- if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
- continue; /* next level */
-
- if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData))
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-/*
- * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
- */
-PRBool
-NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
-{
- NSSCMSContentInfo *cinfo;
-
- /* walk down the chain of contentinfos */
- for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
- {
- switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- return PR_TRUE;
- default:
- break;
- }
- }
- return PR_FALSE;
-}
-
-/*
- * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
- *
- * If the CMS message has a SignedData with a signature (not just a SignedData)
- * return true; false otherwise. This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-PRBool
-NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
-{
- NSSCMSContentInfo *cinfo;
-
- /* walk down the chain of contentinfos */
- for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
- {
- switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
- return PR_TRUE;
- break;
- default:
- break;
- }
- }
- return PR_FALSE;
-}
-
-/*
- * NSS_CMSMessage_IsContentEmpty - see if content is empty
- *
- * returns PR_TRUE is innermost content length is < minLen
- * XXX need the encrypted content length (why?)
- */
-PRBool
-NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
-{
- SECItem *item = NULL;
-
- if (cmsg == NULL)
- return PR_TRUE;
-
- item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
-
- if (!item) {
- return PR_TRUE;
- } else if(item->len <= minLen) {
- return PR_TRUE;
- }
-
- return PR_FALSE;
-}
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
deleted file mode 100644
index 9654ef26c..000000000
--- a/security/nss/lib/smime/cmspubkey.c
+++ /dev/null
@@ -1,531 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS public key crypto
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/* ====== RSA ======================================================================= */
-
-/*
- * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
- *
- * this function takes a symmetric key and encrypts it using an RSA public key
- * according to PKCS#1 and RFC2633 (S/MIME)
- */
-SECStatus
-NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
- SECItem *encKey)
-{
- SECOidTag certalgtag; /* the certificate's encryption algorithm */
- SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
- SECStatus rv;
- SECKEYPublicKey *publickey;
- int data_len;
- void *mark;
-
- /* sanity check */
- certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
- PORT_Assert(certalgtag == SEC_OID_PKCS1_RSA_ENCRYPTION);
-
- encalgtag = SEC_OID_PKCS1_RSA_ENCRYPTION;
- publickey = CERT_ExtractPublicKey(cert);
- if (publickey == NULL)
- goto loser;
-
- mark = PORT_ArenaMark(poolp);
-
- /* allocate memory for the encrypted key */
- data_len = SECKEY_PublicKeyStrength(publickey); /* block size (assumed to be > keylen) */
- encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len);
- encKey->len = data_len;
- if (encKey->data == NULL)
- goto loser;
-
- /* encrypt the key now */
- rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(SEC_OID_PKCS1_RSA_ENCRYPTION),
- publickey, bulkkey, encKey);
-
- SECKEY_DestroyPublicKey(publickey);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-/*
- * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
- *
- * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
- * key handle. Please note that the actual unwrapped key data may not be allowed to leave
- * a hardware token...
- */
-PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag)
-{
- /* that's easy */
- return PK11_PubUnwrapSymKey(privkey, encKey, PK11_AlgtagToMechanism(bulkalgtag), CKA_DECRYPT, 0);
-}
-
-/* ====== MISSI (Fortezza) ========================================================== */
-
-extern const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[];
-
-SECStatus
-NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
- SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg)
-{
- SECOidTag certalgtag; /* the certificate's encryption algorithm */
- SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
- SECStatus rv = SECFailure;
- SECItem *params = NULL;
- SECStatus err;
- PK11SymKey *tek;
- CERTCertificate *ourCert;
- SECKEYPublicKey *ourPubKey, *publickey = NULL;
- SECKEYPrivateKey *ourPrivKey = NULL;
- NSSCMSKEATemplateSelector whichKEA;
- NSSCMSSMIMEKEAParameters keaParams;
- PLArenaPool *arena;
- extern const SEC_ASN1Template *nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate);
-
- /* Clear keaParams, since cleanup code checks the lengths */
- (void) memset(&keaParams, 0, sizeof(keaParams));
-
- certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
- PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
- certalgtag == SEC_OID_MISSI_KEA_DSS ||
- certalgtag == SEC_OID_MISSI_KEA);
-
-#define SMIME_FORTEZZA_RA_LENGTH 128
-#define SMIME_FORTEZZA_IV_LENGTH 24
-#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
-
- /* We really want to show our KEA tag as the key exchange algorithm tag. */
- encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
-
- /* Get the public key of the recipient. */
- publickey = CERT_ExtractPublicKey(cert);
- if (publickey == NULL) goto loser;
-
- /* Find our own cert, and extract its keys. */
- ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
- if (ourCert == NULL) goto loser;
-
- arena = PORT_NewArena(1024);
- if (arena == NULL)
- goto loser;
-
- ourPubKey = CERT_ExtractPublicKey(ourCert);
- if (ourPubKey == NULL) {
- CERT_DestroyCertificate(ourCert);
- goto loser;
- }
-
- /* While we're here, copy the public key into the outgoing
- * KEA parameters. */
- SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
- SECKEY_DestroyPublicKey(ourPubKey);
- ourPubKey = NULL;
-
- /* Extract our private key in order to derive the KEA key. */
- ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
- CERT_DestroyCertificate(ourCert); /* we're done with this */
- if (!ourPrivKey)
- goto loser;
-
- /* Prepare raItem with 128 bytes (filled with zeros). */
- keaParams.originatorRA.data = (unsigned char *)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
- keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
-
- /* Generate the TEK (token exchange key) which we use
- * to wrap the bulk encryption key. (keaparams.originatorRA) will be
- * filled with a random seed which we need to send to
- * the recipient. (user keying material in RFC2630/DSA speak) */
- tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
- &keaParams.originatorRA, NULL,
- CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
- CKA_WRAP, 0, pwfn_arg);
-
- SECKEY_DestroyPublicKey(publickey);
- SECKEY_DestroyPrivateKey(ourPrivKey);
- publickey = NULL;
- ourPrivKey = NULL;
-
- if (!tek)
- goto loser;
-
- /* allocate space for the wrapped key data */
- encKey->data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
- encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
-
- if (encKey->data == NULL) {
- PK11_FreeSymKey(tek);
- goto loser;
- }
-
- /* Wrap the bulk key. What we do with the resulting data
- depends on whether we're using Skipjack to wrap the key. */
- switch (PK11_AlgtagToMechanism(symalgtag)) {
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- /* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
- err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
- whichKEA = NSSCMSKEAUsesSkipjack;
- break;
- default:
- /* Not SKIPJACK, we encrypt the raw key data */
- keaParams.nonSkipjackIV.data =
- (unsigned char *)PORT_ArenaAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
- keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
- err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
- if (err != SECSuccess)
- goto loser;
-
- if (encKey->len != PK11_GetKeyLength(bulkkey)) {
- /* The size of the encrypted key is not the same as
- that of the original bulk key, presumably due to
- padding. Encode and store the real size of the
- bulk key. */
- if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL)
- err = (SECStatus)PORT_GetError();
- else
- /* use full template for encoding */
- whichKEA = NSSCMSKEAUsesNonSkipjackWithPaddedEncKey;
- }
- else
- /* enc key length == bulk key length */
- whichKEA = NSSCMSKEAUsesNonSkipjack;
- break;
- }
-
- PK11_FreeSymKey(tek);
- if (err != SECSuccess)
- goto loser;
-
- /* Encode the KEA parameters into the recipient info. */
- params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
- if (params == NULL)
- goto loser;
-
- /* pass back the algorithm params */
- *pparams = params;
-
- rv = SECSuccess;
-
-loser:
- if (arena)
- PORT_FreeArena(arena, PR_FALSE);
- if (publickey)
- SECKEY_DestroyPublicKey(publickey);
- if (ourPrivKey)
- SECKEY_DestroyPrivateKey(ourPrivKey);
- return rv;
-}
-
-PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
-{
- /* fortezza: do a key exchange */
- SECStatus err;
- CK_MECHANISM_TYPE bulkType;
- PK11SymKey *tek;
- SECKEYPublicKey *originatorPubKey;
- NSSCMSSMIMEKEAParameters keaParams;
- PK11SymKey *bulkkey;
- int bulkLength;
-
- (void) memset(&keaParams, 0, sizeof(keaParams));
-
- /* NOTE: this uses the SMIME v2 recipientinfo for compatibility.
- All additional KEA parameters are DER-encoded in the encryption algorithm parameters */
-
- /* Decode the KEA algorithm parameters. */
- err = SEC_ASN1DecodeItem(NULL, &keaParams, NSS_SMIMEKEAParamTemplateAllParams,
- &(keyEncAlg->parameters));
- if (err != SECSuccess)
- goto loser;
-
- /* get originator's public key */
- originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
- keaParams.originatorKEAKey.len);
- if (originatorPubKey == NULL)
- goto loser;
-
- /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
- The Derive function generates a shared secret and combines it with the originatorRA
- data to come up with an unique session key */
- tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
- &keaParams.originatorRA, NULL,
- CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
- CKA_WRAP, 0, pwfn_arg);
- SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */
- if (tek == NULL)
- goto loser;
-
- /* Now that we have the TEK, unwrap the bulk key
- with which to decrypt the message. We have to
- do one of two different things depending on
- whether Skipjack was used for *bulk* encryption
- of the message. */
- bulkType = PK11_AlgtagToMechanism(bulkalgtag);
- switch (bulkType) {
- case CKM_SKIPJACK_CBC64:
- case CKM_SKIPJACK_ECB64:
- case CKM_SKIPJACK_OFB64:
- case CKM_SKIPJACK_CFB64:
- case CKM_SKIPJACK_CFB32:
- case CKM_SKIPJACK_CFB16:
- case CKM_SKIPJACK_CFB8:
- /* Skipjack is being used as the bulk encryption algorithm.*/
- /* Unwrap the bulk key. */
- bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
- encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
- break;
- default:
- /* Skipjack was not used for bulk encryption of this
- message. Use Skipjack CBC64, with the nonSkipjackIV
- part of the KEA key parameters, to decrypt
- the bulk key. If the optional parameter bulkKeySize is present,
- bulk key size is different than the encrypted key size */
- if (keaParams.bulkKeySize.len > 0) {
- err = SEC_ASN1DecodeItem(NULL, &bulkLength,
- SEC_IntegerTemplate,
- &keaParams.bulkKeySize);
- if (err != SECSuccess)
- goto loser;
- }
-
- bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV,
- encKey, bulkType, CKA_DECRYPT, bulkLength);
- break;
- }
- return bulkkey;
-loser:
- return NULL;
-}
-
-/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
-
-SECStatus
-NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
- SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
- SECItem *pubKey)
-{
-#if 0 /* not yet done */
- SECOidTag certalgtag; /* the certificate's encryption algorithm */
- SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
- SECStatus rv;
- SECItem *params = NULL;
- int data_len;
- SECStatus err;
- PK11SymKey *tek;
- CERTCertificate *ourCert;
- SECKEYPublicKey *ourPubKey;
- NSSCMSKEATemplateSelector whichKEA;
-
- certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
- PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
-
- /* We really want to show our KEA tag as the key exchange algorithm tag. */
- encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
-
- /* Get the public key of the recipient. */
- publickey = CERT_ExtractPublicKey(cert);
- if (publickey == NULL) goto loser;
-
- /* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
- /* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
- if (ourCert == NULL) goto loser;
-
- arena = PORT_NewArena(1024);
- if (arena == NULL) goto loser;
-
- /* While we're here, extract the key pair's public key data and copy it into */
- /* the outgoing parameters. */
- /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
- if (ourPubKey == NULL)
- {
- goto loser;
- }
- SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
- SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
- ourPubKey = NULL;
-
- /* Extract our private key in order to derive the KEA key. */
- ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
- CERT_DestroyCertificate(ourCert); /* we're done with this */
- if (!ourPrivKey) goto loser;
-
- /* If ukm desired, prepare it - allocate enough space (filled with zeros). */
- if (ukm) {
- ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
- ukm->len = /* XXXX */;
- }
-
- /* Generate the KEK (key exchange key) according to RFC2631 which we use
- * to wrap the bulk encryption key. */
- kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
- ukm, NULL,
- /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
- CKA_WRAP, 0, wincx);
-
- SECKEY_DestroyPublicKey(publickey);
- SECKEY_DestroyPrivateKey(ourPrivKey);
- publickey = NULL;
- ourPrivKey = NULL;
-
- if (!kek)
- goto loser;
-
- /* allocate space for the encrypted CEK (bulk key) */
- encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
- encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
-
- if (encKey->data == NULL)
- {
- PK11_FreeSymKey(kek);
- goto loser;
- }
-
-
- /* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
- /* bulk encryption algorithm */
- switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
- {
- case /* XXXX */CKM_SKIPJACK_CFB8:
- err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
- whichKEA = NSSCMSKEAUsesSkipjack;
- break;
- case /* XXXX */CKM_SKIPJACK_CFB8:
- err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
- whichKEA = NSSCMSKEAUsesSkipjack;
- break;
- default:
- /* XXXX what do we do here? Neither RC2 nor 3DES... */
- break;
- }
-
- PK11_FreeSymKey(kek); /* we do not need the KEK anymore */
- if (err != SECSuccess)
- goto loser;
-
- /* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
- /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
- params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
- if (params == NULL)
- goto loser;
-
- /* now set keyEncAlg */
- rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
- if (rv != SECSuccess)
- goto loser;
-
- /* XXXXXXX this is not right yet */
-loser:
- if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if (publickey) {
- SECKEY_DestroyPublicKey(publickey);
- }
- if (ourPrivKey) {
- SECKEY_DestroyPrivateKey(ourPrivKey);
- }
-#endif
- return SECFailure;
-}
-
-PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
-{
-#if 0 /* not yet done */
- SECStatus err;
- CK_MECHANISM_TYPE bulkType;
- PK11SymKey *tek;
- SECKEYPublicKey *originatorPubKey;
- NSSCMSSMIMEKEAParameters keaParams;
-
- /* XXXX get originator's public key */
- originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
- keaParams.originatorKEAKey.len);
- if (originatorPubKey == NULL)
- goto loser;
-
- /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
- The Derive function generates a shared secret and combines it with the originatorRA
- data to come up with an unique session key */
- tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
- &keaParams.originatorRA, NULL,
- CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
- CKA_WRAP, 0, pwfn_arg);
- SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */
- if (tek == NULL)
- goto loser;
-
- /* Now that we have the TEK, unwrap the bulk key
- with which to decrypt the message. */
- /* Skipjack is being used as the bulk encryption algorithm.*/
- /* Unwrap the bulk key. */
- bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
- encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
-
- return bulkkey;
-
-loser:
-#endif
- return NULL;
-}
-
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
deleted file mode 100644
index 45ac16658..000000000
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS recipientInfo methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSRecipientInfo_Create - create a recipientinfo
- *
- * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys
- * the certificate is supposed to have been verified by the caller
- */
-NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert)
-{
- NSSCMSRecipientInfo *ri;
- void *mark;
- SECOidTag certalgtag;
- SECStatus rv;
- NSSCMSRecipientEncryptedKey *rek;
- NSSCMSOriginatorIdentifierOrKey *oiok;
- unsigned long version;
- SECItem *dummy;
- PLArenaPool *poolp;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- ri = (NSSCMSRecipientInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientInfo));
- if (ri == NULL)
- goto loser;
-
- ri->cmsg = cmsg;
- ri->cert = CERT_DupCertificate(cert);
- if (ri->cert == NULL)
- goto loser;
-
- certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-
- switch (certalgtag) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
- /* hardcoded issuerSN choice for now */
- ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = NSSCMSRecipientID_IssuerSN;
- ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
- if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
- rv = SECFailure;
- break;
- }
- break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_KEA:
- /* backward compatibility - this is not really a keytrans operation */
- ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
- /* hardcoded issuerSN choice for now */
- ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = NSSCMSRecipientID_IssuerSN;
- ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
- if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
- rv = SECFailure;
- break;
- }
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
- /* a key agreement op */
- ri->recipientInfoType = NSSCMSRecipientInfoID_KeyAgree;
-
- if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
- rv = SECFailure;
- break;
- }
- /* we do not support the case where multiple recipients
- * share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys
- * in this case, we would need to walk all the recipientInfos, take the
- * ones that do KeyAgreement algorithms and join them, algorithm by algorithm
- * Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */
-
- /* only epheremal-static Diffie-Hellman is supported for now
- * this is the only form of key agreement that provides potential anonymity
- * of the sender, plus we do not have to include certs in the message */
-
- /* force single recipientEncryptedKey for now */
- if ((rek = NSS_CMSRecipientEncryptedKey_Create(poolp)) == NULL) {
- rv = SECFailure;
- break;
- }
-
- /* hardcoded IssuerSN choice for now */
- rek->recipientIdentifier.identifierType = NSSCMSKeyAgreeRecipientID_IssuerSN;
- if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) {
- rv = SECFailure;
- break;
- }
-
- oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
-
- /* see RFC2630 12.3.1.1 */
- oiok->identifierType = NSSCMSOriginatorIDOrKey_OriginatorPublicKey;
-
- rv = NSS_CMSArray_Add(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys,
- (void *)rek);
-
- break;
- default:
- /* other algorithms not supported yet */
- /* NOTE that we do not support any KEK algorithm */
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- rv = SECFailure;
- break;
- }
-
- if (rv == SECFailure)
- goto loser;
-
- /* set version */
- switch (ri->recipientInfoType) {
- case NSSCMSRecipientInfoID_KeyTrans:
- if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == NSSCMSRecipientID_IssuerSN)
- version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN;
- else
- version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY;
- dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version);
- if (dummy == NULL)
- goto loser;
- break;
- case NSSCMSRecipientInfoID_KeyAgree:
- dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version),
- NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION);
- if (dummy == NULL)
- goto loser;
- break;
- case NSSCMSRecipientInfoID_KEK:
- /* NOTE: this cannot happen as long as we do not support any KEK algorithm */
- dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version),
- NSS_CMS_KEK_RECIPIENT_INFO_VERSION);
- if (dummy == NULL)
- goto loser;
- break;
-
- }
-
- PORT_ArenaUnmark (poolp, mark);
- return ri;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return NULL;
-}
-
-void
-NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri)
-{
- /* version was allocated on the pool, so no need to destroy it */
- /* issuerAndSN was allocated on the pool, so no need to destroy it */
- if (ri->cert != NULL)
- CERT_DestroyCertificate(ri->cert);
- /* recipientInfo structure itself was allocated on the pool, so no need to destroy it */
- /* we're done. */
-}
-
-int
-NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
-{
- unsigned long version;
- SECItem *versionitem;
-
- switch (ri->recipientInfoType) {
- case NSSCMSRecipientInfoID_KeyTrans:
- /* ignore subIndex */
- versionitem = &(ri->ri.keyTransRecipientInfo.version);
- break;
- case NSSCMSRecipientInfoID_KEK:
- /* ignore subIndex */
- versionitem = &(ri->ri.kekRecipientInfo.version);
- break;
- case NSSCMSRecipientInfoID_KeyAgree:
- versionitem = &(ri->ri.keyAgreeRecipientInfo.version);
- break;
- }
- /* always take apart the SECItem */
- if (SEC_ASN1DecodeInteger(versionitem, &version) != SECSuccess)
- return 0;
- else
- return (int)version;
-}
-
-SECItem *
-NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
-{
- SECItem *enckey;
-
- switch (ri->recipientInfoType) {
- case NSSCMSRecipientInfoID_KeyTrans:
- /* ignore subIndex */
- enckey = &(ri->ri.keyTransRecipientInfo.encKey);
- break;
- case NSSCMSRecipientInfoID_KEK:
- /* ignore subIndex */
- enckey = &(ri->ri.kekRecipientInfo.encKey);
- break;
- case NSSCMSRecipientInfoID_KeyAgree:
- enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
- break;
- }
- return enckey;
-}
-
-
-SECOidTag
-NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri)
-{
- SECOidTag encalgtag;
-
- switch (ri->recipientInfoType) {
- case NSSCMSRecipientInfoID_KeyTrans:
- encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
- break;
- case NSSCMSRecipientInfoID_KeyAgree:
- encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
- break;
- case NSSCMSRecipientInfoID_KEK:
- encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
- break;
- }
- return encalgtag;
-}
-
-SECStatus
-NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag)
-{
- CERTCertificate *cert;
- SECOidTag certalgtag;
- SECStatus rv;
- SECItem *params = NULL;
- NSSCMSRecipientEncryptedKey *rek;
- NSSCMSOriginatorIdentifierOrKey *oiok;
- PLArenaPool *poolp;
-
- poolp = ri->cmsg->poolp;
- cert = ri->cert;
- PORT_Assert (cert != NULL);
- if (cert == NULL)
- return SECFailure;
-
- /* XXX set ri->recipientInfoType to the proper value here */
- /* or should we look if it's been set already ? */
-
- certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
- switch (certalgtag) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- /* wrap the symkey */
- if (NSS_CMSUtil_EncryptSymKey_RSA(poolp, cert, bulkkey, &ri->ri.keyTransRecipientInfo.encKey) != SECSuccess) {
- rv = SECFailure;
- break;
- }
-
- rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
- break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_KEA:
- rv = NSS_CMSUtil_EncryptSymKey_MISSI(poolp, cert, bulkkey,
- bulkalgtag,
- &ri->ri.keyTransRecipientInfo.encKey,
- &params, ri->cmsg->pwfn_arg);
- if (rv != SECSuccess)
- break;
-
- /* here, we DO need to pass the params to the wrap function because, with
- * RSA, there is no funny stuff going on with generation of IV vectors or so */
- rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, params);
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
- rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
- if (rek == NULL) {
- rv = SECFailure;
- break;
- }
-
- oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
- PORT_Assert(oiok->identifierType == NSSCMSOriginatorIDOrKey_OriginatorPublicKey);
-
- /* see RFC2630 12.3.1.1 */
- if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
- SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) {
- rv = SECFailure;
- break;
- }
-
- /* this will generate a key pair, compute the shared secret, */
- /* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
- /* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
- rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey,
- &rek->encKey,
- &ri->ri.keyAgreeRecipientInfo.ukm,
- &ri->ri.keyAgreeRecipientInfo.keyEncAlg,
- &oiok->id.originatorPublicKey.publicKey);
-
- break;
- default:
- /* other algorithms not supported yet */
- /* NOTE that we do not support any KEK algorithm */
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- rv = SECFailure;
- break;
- }
- return rv;
-}
-
-PK11SymKey *
-NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag)
-{
- PK11SymKey *bulkkey = NULL;
- SECAlgorithmID *encalg;
- SECOidTag encalgtag;
- SECItem *enckey;
- int error;
-
- ri->cert = cert; /* mark the recipientInfo so we can find it later */
-
- switch (ri->recipientInfoType) {
- case NSSCMSRecipientInfoID_KeyTrans:
- encalg = &(ri->ri.keyTransRecipientInfo.keyEncAlg);
- encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
- enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */
- switch (encalgtag) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- /* RSA encryption algorithm: */
- /* get the symmetric (bulk) key by unwrapping it using our private key */
- bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
- break;
- case SEC_OID_NETSCAPE_SMIME_KEA:
- /* FORTEZZA key exchange algorithm */
- /* the supplemental data is in the parameters of encalg */
- bulkkey = NSS_CMSUtil_DecryptSymKey_MISSI(privkey, enckey, encalg, bulkalgtag, ri->cmsg->pwfn_arg);
- break;
- default:
- error = SEC_ERROR_UNSUPPORTED_KEYALG;
- goto loser;
- }
- break;
- case NSSCMSRecipientInfoID_KeyAgree:
- encalg = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg);
- encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
- enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
- switch (encalgtag) {
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- /* Diffie-Helman key exchange */
- /* XXX not yet implemented */
- /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
- /* we support ephemeral-static DH only, so if the recipientinfo */
- /* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */
- /* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */
- /* content encryption key using a Unwrap op */
- /* the derive operation has to generate the key using the algorithm in RFC2631 */
- error = SEC_ERROR_UNSUPPORTED_KEYALG;
- break;
- default:
- error = SEC_ERROR_UNSUPPORTED_KEYALG;
- goto loser;
- }
- break;
- case NSSCMSRecipientInfoID_KEK:
- encalg = &(ri->ri.kekRecipientInfo.keyEncAlg);
- encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
- enckey = &(ri->ri.kekRecipientInfo.encKey);
- /* not supported yet */
- error = SEC_ERROR_UNSUPPORTED_KEYALG;
- goto loser;
- break;
- }
- /* XXXX continue here */
- return bulkkey;
-
-loser:
- return NULL;
-}
diff --git a/security/nss/lib/smime/cmsreclist.c b/security/nss/lib/smime/cmsreclist.c
deleted file mode 100644
index b6fc62ee4..000000000
--- a/security/nss/lib/smime/cmsreclist.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS recipient list functions
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-static int
-nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, NSSCMSRecipient **recipient_list)
-{
- int count = 0;
- int rlindex = 0;
- int i, j;
- NSSCMSRecipient *rle;
- NSSCMSRecipientInfo *ri;
- NSSCMSRecipientEncryptedKey *rek;
-
- for (i = 0; recipientinfos[i] != NULL; i++) {
- ri = recipientinfos[i];
- switch (ri->recipientInfoType) {
- case NSSCMSRecipientInfoID_KeyTrans:
- if (recipient_list) {
- /* alloc one & fill it out */
- rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
- if (rle == NULL)
- return -1;
-
- rle->riIndex = i;
- rle->subIndex = -1;
- switch (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType) {
- case NSSCMSRecipientID_IssuerSN:
- rle->kind = RLIssuerSN;
- rle->id.issuerAndSN = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN;
- break;
- case NSSCMSRecipientID_SubjectKeyID:
- rle->kind = RLSubjKeyID;
- rle->id.subjectKeyID = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.subjectKeyID;
- break;
- }
- recipient_list[rlindex++] = rle;
- } else {
- count++;
- }
- break;
- case NSSCMSRecipientInfoID_KeyAgree:
- if (ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys == NULL)
- break;
- for (j=0; ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j] != NULL; j++) {
- if (recipient_list) {
- rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j];
- /* alloc one & fill it out */
- rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
- if (rle == NULL)
- return -1;
-
- rle->riIndex = i;
- rle->subIndex = j;
- switch (rek->recipientIdentifier.identifierType) {
- case NSSCMSKeyAgreeRecipientID_IssuerSN:
- rle->kind = RLIssuerSN;
- rle->id.issuerAndSN = rek->recipientIdentifier.id.issuerAndSN;
- break;
- case NSSCMSKeyAgreeRecipientID_RKeyID:
- rle->kind = RLSubjKeyID;
- rle->id.subjectKeyID = rek->recipientIdentifier.id.recipientKeyIdentifier.subjectKeyIdentifier;
- break;
- }
- recipient_list[rlindex++] = rle;
- } else {
- count++;
- }
- }
- break;
- case NSSCMSRecipientInfoID_KEK:
- /* KEK is not implemented */
- break;
- }
- }
- /* if we have a recipient list, we return on success (-1, above, on failure) */
- /* otherwise, we return the count. */
- if (recipient_list) {
- recipient_list[rlindex] = NULL;
- return 0;
- } else {
- return count;
- }
-}
-
-NSSCMSRecipient **
-nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos)
-{
- int count, rv;
- NSSCMSRecipient **recipient_list;
-
- /* count the number of recipient identifiers */
- count = nss_cms_recipients_traverse(recipientinfos, NULL);
- if (count <= 0) {
- /* no recipients? */
- PORT_SetError(SEC_ERROR_BAD_DATA);
-#if 0
- PORT_SetErrorString("Cannot find recipient data in envelope.");
-#endif
- return NULL;
- }
-
- /* allocate an array of pointers */
- recipient_list = (NSSCMSRecipient **)
- PORT_ZAlloc((count + 1) * sizeof(NSSCMSRecipient *));
- if (recipient_list == NULL)
- return NULL;
-
- /* now fill in the recipient_list */
- rv = nss_cms_recipients_traverse(recipientinfos, recipient_list);
- if (rv < 0) {
- nss_cms_recipient_list_destroy(recipient_list);
- return NULL;
- }
- return recipient_list;
-}
-
-void
-nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list)
-{
- int i;
- NSSCMSRecipient *recipient;
-
- for (i=0; recipient_list[i] != NULL; i++) {
- recipient = recipient_list[i];
- if (recipient->cert)
- CERT_DestroyCertificate(recipient->cert);
- if (recipient->privkey)
- SECKEY_DestroyPrivateKey(recipient->privkey);
- if (recipient->slot)
- PK11_FreeSlot(recipient->slot);
- PORT_Free(recipient);
- }
- PORT_Free(recipient_list);
-}
-
-NSSCMSRecipientEncryptedKey *
-NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp)
-{
- return (NSSCMSRecipientEncryptedKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientEncryptedKey));
-}
diff --git a/security/nss/lib/smime/cmsreclist.h b/security/nss/lib/smime/cmsreclist.h
deleted file mode 100644
index 32ff188ef..000000000
--- a/security/nss/lib/smime/cmsreclist.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * $Id$
- */
-
-#ifndef _CMSRECLIST_H
-#define _CMSRECLIST_H
-
-struct NSSCMSRecipientStr {
- int riIndex; /* this recipient's index in recipientInfo array */
- int subIndex; /* index into recipientEncryptedKeys */
- /* (only in NSSCMSKeyAgreeRecipientInfoStr) */
- enum {RLIssuerSN, RLSubjKeyID} kind; /* for conversion recipientinfos -> recipientlist */
- union {
- CERTIssuerAndSN * issuerAndSN;
- SECItem * subjectKeyID;
- } id;
-
- /* result data (filled out for each recipient that's us) */
- CERTCertificate * cert;
- SECKEYPrivateKey * privkey;
- PK11SlotInfo * slot;
-};
-
-typedef struct NSSCMSRecipientStr NSSCMSRecipient;
-
-#endif /* _CMSRECLIST_H */
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c
deleted file mode 100644
index 9b39871cd..000000000
--- a/security/nss/lib/smime/cmssigdata.c
+++ /dev/null
@@ -1,850 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS signedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "cdbhdl.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-NSSCMSSignedData *
-NSS_CMSSignedData_Create(NSSCMSMessage *cmsg)
-{
- void *mark;
- NSSCMSSignedData *sigd;
- PLArenaPool *poolp;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData));
- if (sigd == NULL)
- goto loser;
-
- sigd->cmsg = cmsg;
-
- /* signerInfos, certs, certlists, crls are all empty */
- /* version is set in NSS_CMSSignedData_Finalize() */
-
- PORT_ArenaUnmark(poolp, mark);
- return sigd;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-void
-NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd)
-{
- CERTCertificate **certs, *cert;
- CERTCertificateList **certlists, *certlist;
- NSSCMSSignerInfo **signerinfos, *si;
-
- if (sigd == NULL)
- return;
-
- certs = sigd->certs;
- certlists = sigd->certLists;
- signerinfos = sigd->signerInfos;
-
- if (certs != NULL) {
- while ((cert = *certs++) != NULL)
- CERT_DestroyCertificate (cert);
- }
-
- if (certlists != NULL) {
- while ((certlist = *certlists++) != NULL)
- CERT_DestroyCertificateList (certlist);
- }
-
- if (signerinfos != NULL) {
- while ((si = *signerinfos++) != NULL)
- NSS_CMSSignerInfo_Destroy(si);
- }
-
- /* everything's in a pool, so don't worry about the storage */
-}
-
-/*
- * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
- * before start of encoding.
- *
- * In detail:
- * - find out about the right value to put into sigd->version
- * - come up with a list of digestAlgorithms (which should be the union of the algorithms
- * in the signerinfos).
- * If we happen to have a pre-set list of algorithms (and digest values!), we
- * check if we have all the signerinfos' algorithms. If not, this is an error.
- */
-SECStatus
-NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
-{
- NSSCMSSignerInfo **signerinfos, *signerinfo;
- SECOidTag digestalgtag;
- SECItem *dummy;
- int version;
- SECStatus rv;
- PRBool haveDigests = PR_FALSE;
- int n, i;
- PLArenaPool *poolp;
-
- poolp = sigd->cmsg->poolp;
-
- /* we assume that we have precomputed digests if there is a list of algorithms, and */
- /* a chunk of data for each of those algorithms */
- if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
- for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
- if (sigd->digests[i] == NULL)
- break;
- }
- if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */
- haveDigests = PR_TRUE; /* yes: we must have all the digests */
- }
-
- version = NSS_CMS_SIGNED_DATA_VERSION_BASIC;
-
- /* RFC2630 5.1 "version is the syntax version number..." */
- if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
- version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
-
- signerinfos = sigd->signerInfos;
- /* prepare all the SignerInfos */
- for (i = 0; signerinfos[i] != NULL; i++) {
- signerinfo = signerinfos[i];
-
- /* RFC2630 5.1 "version is the syntax version number..." */
- if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN)
- version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
-
- /* collect digestAlgorithms from SignerInfos */
- /* (we need to know which algorithms we have when the content comes in) */
- /* do not overwrite any existing digestAlgorithms (and digest) */
- digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
- n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
- if (n < 0 && haveDigests) {
- /* oops, there is a digestalg we do not have a digest for */
- /* but we were supposed to have all the digests already... */
- goto loser;
- } else if (n < 0) {
- /* add the digestAlgorithm & a NULL digest */
- rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL);
- if (rv != SECSuccess)
- goto loser;
- } else {
- /* found it, nothing to do */
- }
- }
-
- dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
- if (dummy == NULL)
- return SECFailure;
-
- /* this is a SET OF, so we need to sort them guys */
- rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, SECOID_AlgorithmIDTemplate,
- (void **)sigd->digests);
- if (rv != SECSuccess)
- return SECFailure;
-
- return SECSuccess;
-
-loser:
- return SECFailure;
-}
-
-SECStatus
-NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
-{
- /* set up the digests */
- if (sigd->digestAlgorithms != NULL) {
- sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
- if (sigd->contentInfo.digcx == NULL)
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - create the signatures in all the SignerInfos
- *
- * Please note that nothing is done to the Certificates and CRLs in the message - this
- * is entirely the responsibility of our callers.
- */
-SECStatus
-NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
-{
- NSSCMSSignerInfo **signerinfos, *signerinfo;
- NSSCMSContentInfo *cinfo;
- SECOidTag digestalgtag;
- SECStatus ret = SECFailure;
- SECStatus rv;
- SECItem *contentType;
- int certcount;
- int i, ci, cli, n, rci, si;
- PLArenaPool *poolp;
- CERTCertificateList *certlist;
- extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
-
- poolp = sigd->cmsg->poolp;
- cinfo = &(sigd->contentInfo);
-
- /* did we have digest calculation going on? */
- if (cinfo->digcx) {
- rv = NSS_CMSDigestContext_FinishMultiple(cinfo->digcx, poolp, &(sigd->digests));
- if (rv != SECSuccess)
- goto loser; /* error has been set by NSS_CMSDigestContext_FinishMultiple */
- cinfo->digcx = NULL;
- }
-
- signerinfos = sigd->signerInfos;
- certcount = 0;
-
- /* prepare all the SignerInfos */
- for (i = 0; signerinfos[i] != NULL; i++) {
- signerinfo = signerinfos[i];
-
- /* find correct digest for this signerinfo */
- digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
- n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
- if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
- /* oops - digest not found */
- PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
- goto loser;
- }
-
- /* XXX if our content is anything else but data, we need to force the
- * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
- * collection...") */
-
- /* pass contentType here as we want a contentType attribute */
- if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL)
- goto loser;
-
- /* sign the thing */
- rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType);
- if (rv != SECSuccess)
- goto loser;
-
- /* while we're at it, count number of certs in certLists */
- certlist = NSS_CMSSignerInfo_GetCertList(signerinfo);
- if (certlist)
- certcount += certlist->len;
- }
-
- /* this is a SET OF, so we need to sort them guys */
- rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * now prepare certs & crls
- */
-
- /* count the rest of the certs */
- if (sigd->certs != NULL) {
- for (ci = 0; sigd->certs[ci] != NULL; ci++)
- certcount++;
- }
-
- if (sigd->certLists != NULL) {
- for (cli = 0; sigd->certLists[cli] != NULL; cli++)
- certcount += sigd->certLists[cli]->len;
- }
-
- if (certcount == 0) {
- sigd->rawCerts = NULL;
- } else {
- /*
- * Combine all of the certs and cert chains into rawcerts.
- * Note: certcount is an upper bound; we may not need that many slots
- * but we will allocate anyway to avoid having to do another pass.
- * (The temporary space saving is not worth it.)
- *
- * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
- * SetOfDERcertficates implementation
- */
- sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *));
- if (sigd->rawCerts == NULL)
- return SECFailure;
-
- /*
- * XXX Want to check for duplicates and not add *any* cert that is
- * already in the set. This will be more important when we start
- * dealing with larger sets of certs, dual-key certs (signing and
- * encryption), etc. For the time being we can slide by...
- *
- * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
- * SetOfDERcertficates implementation
- */
- rci = 0;
- if (signerinfos != NULL) {
- for (si = 0; signerinfos[si] != NULL; si++) {
- signerinfo = signerinfos[si];
- for (ci = 0; ci < signerinfo->certList->len; ci++)
- sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]);
- }
- }
-
- if (sigd->certs != NULL) {
- for (ci = 0; sigd->certs[ci] != NULL; ci++)
- sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert);
- }
-
- if (sigd->certLists != NULL) {
- for (cli = 0; sigd->certLists[cli] != NULL; cli++) {
- for (ci = 0; ci < sigd->certLists[cli]->len; ci++)
- sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]);
- }
- }
-
- sigd->rawCerts[rci] = NULL;
-
- /* this is a SET OF, so we need to sort them guys - we have the DER already, though */
- NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL);
- }
-
- ret = SECSuccess;
-
-loser:
- return ret;
-}
-
-SECStatus
-NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
-{
- /* set up the digests */
- if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
- /* if digests are already there, do nothing */
- sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
- if (sigd->contentInfo.digcx == NULL)
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData
- * after all the encapsulated data was passed through the decoder.
- */
-SECStatus
-NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
-{
- /* did we have digest calculation going on? */
- if (sigd->contentInfo.digcx) {
- if (NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.digcx, sigd->cmsg->poolp, &(sigd->digests)) != SECSuccess)
- return SECFailure; /* error has been set by NSS_CMSDigestContext_FinishMultiple */
- sigd->contentInfo.digcx = NULL;
- }
- return SECSuccess;
-}
-
-/*
- * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
- * after all decoding is finished.
- */
-SECStatus
-NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd)
-{
- NSSCMSSignerInfo **signerinfos;
- int i;
-
- /* set cmsg for all the signerinfos */
- signerinfos = sigd->signerInfos;
-
- /* set cmsg for all the signerinfos */
- for (i = 0; signerinfos[i] != NULL; i++)
- signerinfos[i]->cmsg = sigd->cmsg;
-
- return SECSuccess;
-}
-
-/*
- * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
- */
-NSSCMSSignerInfo **
-NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd)
-{
- return sigd->signerInfos;
-}
-
-int
-NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
-{
- return NSS_CMSArray_Count((void **)sigd->signerInfos);
-}
-
-NSSCMSSignerInfo *
-NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
-{
- return sigd->signerInfos[i];
-}
-
-/*
- * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
- */
-SECAlgorithmID **
-NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd)
-{
- return sigd->digestAlgorithms;
-}
-
-/*
- * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
- */
-NSSCMSContentInfo *
-NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd)
-{
- return &(sigd->contentInfo);
-}
-
-/*
- * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
- */
-SECItem **
-NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd)
-{
- return sigd->rawCerts;
-}
-
-SECStatus
-NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
- SECCertUsage certusage, PRBool keepcerts)
-{
- int certcount;
- SECStatus rv;
- int i;
-
- certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
-
- rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, NULL,
- keepcerts, PR_FALSE, NULL);
-
- /* XXX CRL handling */
-
- if (sigd->signerInfos != NULL) {
- /* fill in all signerinfo's certs */
- for (i = 0; sigd->signerInfos[i] != NULL; i++)
- (void)NSS_CMSSignerInfo_GetSigningCertificate(sigd->signerInfos[i], certdb);
- }
-
- return rv;
-}
-
-/*
- * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
- * of external signatures!
- */
-
-/*
- * NSS_CMSSignedData_VerifySignerInfo - check the signatures.
- *
- * The digests were either calculated during decoding (and are stored in the
- * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
- *
- * The verification checks if the signing cert is valid and has a trusted chain
- * for the purpose specified by "certusage".
- */
-SECStatus
-NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i,
- CERTCertDBHandle *certdb, SECCertUsage certusage)
-{
- NSSCMSSignerInfo *signerinfo;
- NSSCMSContentInfo *cinfo;
- SECOidData *algiddata;
- SECItem *contentType, *digest;
-
- cinfo = &(sigd->contentInfo);
-
- signerinfo = sigd->signerInfos[i];
-
- /* verify certificate */
- if (NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage) != SECSuccess)
- return SECFailure; /* error is set by NSS_CMSSignerInfo_VerifyCertificate */
-
- /* find digest and contentType for signerinfo */
- algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo);
- digest = NSS_CMSSignedData_GetDigestByAlgTag(sigd, algiddata->offset);
- contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo);
-
- /* now verify signature */
- return NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType);
-}
-
-/*
- * NSS_CMSSignedData_HasDigests - see if we have digests in place
- */
-PRBool
-NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd)
-{
- return (sigd->digests != NULL);
-}
-
-SECStatus
-NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist)
-{
- SECStatus rv;
-
- PORT_Assert(certlist != NULL);
-
- if (certlist == NULL)
- return SECFailure;
-
- /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
- rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist);
-
- return rv;
-}
-
-/*
- * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs
- */
-SECStatus
-NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert)
-{
- CERTCertificateList *certlist;
- SECCertUsage usage;
- SECStatus rv;
-
- usage = certUsageEmailSigner;
-
- /* do not include root */
- certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
- if (certlist == NULL)
- return SECFailure;
-
- rv = NSS_CMSSignedData_AddCertList(sigd, certlist);
- CERT_DestroyCertificateList(certlist);
-
- return rv;
-}
-
-SECStatus
-NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
-{
- CERTCertificate *c;
- SECStatus rv;
-
- PORT_Assert(cert != NULL);
-
- if (cert == NULL)
- return SECFailure;
-
- c = CERT_DupCertificate(cert);
- rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c);
- return rv;
-}
-
-PRBool
-NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd)
-{
- if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
- return PR_TRUE;
- else if (sigd->crls != NULL && sigd->crls[0] != NULL)
- return PR_TRUE;
- else
- return PR_FALSE;
-}
-
-SECStatus
-NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
- NSSCMSSignerInfo *signerinfo)
-{
- void *mark;
- SECStatus rv;
- SECOidTag digestalgtag;
- PLArenaPool *poolp;
-
- poolp = sigd->cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- /* add signerinfo */
- rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * add empty digest
- * Empty because we don't have it yet. Either it gets created during encoding
- * (if the data is present) or has to be set externally.
- * XXX maybe pass it in optionally?
- */
- digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
- rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * The last thing to get consistency would be adding the digest.
- */
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
-SECItem *
-NSS_CMSSignedData_GetDigestByAlgTag(NSSCMSSignedData *sigd, SECOidTag algtag)
-{
- int idx;
-
- idx = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, algtag);
- return sigd->digests[idx];
-}
-
-/*
- * NSS_CMSSignedData_SetDigests - set a signedData's digests member
- *
- * "digestalgs" - array of digest algorithm IDs
- * "digests" - array of digests corresponding to the digest algorithms
- */
-SECStatus
-NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
- SECAlgorithmID **digestalgs,
- SECItem **digests)
-{
- int cnt, i, idx;
-
- if (sigd->digestAlgorithms == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /* we assume that the digests array is just not there yet */
- PORT_Assert(sigd->digests == NULL);
- if (sigd->digests != NULL) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
-
- /* now allocate one (same size as digestAlgorithms) */
- cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
- sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
- if (sigd->digests == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
- /* try to find the sigd's i'th digest algorithm in the array we passed in */
- idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
- if (idx < 0) {
- PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
- return SECFailure;
- }
-
- /* found it - now set it */
- if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
- SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
- {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- }
- return SECSuccess;
-}
-
-SECStatus
-NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
- SECOidTag digestalgtag,
- SECItem *digestdata)
-{
- SECItem *digest = NULL;
- PLArenaPool *poolp;
- void *mark;
- int n;
-
- poolp = sigd->cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- if (digestdata) {
- /* copy digestdata item to arena (in case we have it and are not only making room) */
- if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
- goto loser;
- }
-
- n = -1;
- if (sigd->digestAlgorithms != NULL)
- n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-
- /* if not found, add a digest */
- if (n < 0) {
- if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess)
- goto loser;
- } else {
- /* replace NULL pointer with digest item (and leak previous value) */
- sigd->digests[n] = digest;
- }
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-SECStatus
-NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
- NSSCMSSignedData *sigd,
- SECOidTag digestalgtag,
- SECItem *digest)
-{
- SECAlgorithmID *digestalg;
- void *mark;
-
- mark = PORT_ArenaMark(poolp);
-
- digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
- if (digestalg == NULL)
- goto loser;
-
- if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
- goto loser;
-
- if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
- /* even if digest is NULL, add dummy to have same-size array */
- NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
- {
- goto loser;
- }
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-SECItem *
-NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag)
-{
- int n;
-
- if (sigd->digestAlgorithms == NULL)
- return NULL;
-
- n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-
- return (n < 0) ? NULL : sigd->digests[n];
-}
-
-/* =============================================================================
- * Misc. utility functions
- */
-
-/*
- * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
- *
- * cert - base certificates that will be included
- * include_chain - if true, include the complete cert chain for cert
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- *
- * XXXX CRLs
- */
-NSSCMSSignedData *
-NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
-{
- NSSCMSSignedData *sigd;
- void *mark;
- PLArenaPool *poolp;
- SECStatus rv;
-
- poolp = cmsg->poolp;
- mark = PORT_ArenaMark(poolp);
-
- sigd = NSS_CMSSignedData_Create(cmsg);
- if (sigd == NULL)
- goto loser;
-
- /* no signerinfos, thus no digestAlgorithms */
-
- /* but certs */
- if (include_chain) {
- rv = NSS_CMSSignedData_AddCertChain(sigd, cert);
- } else {
- rv = NSS_CMSSignedData_AddCertificate(sigd, cert);
- }
- if (rv != SECSuccess)
- goto loser;
-
- /* RFC2630 5.2 sez:
- * In the degenerate case where there are no signers, the
- * EncapsulatedContentInfo value being "signed" is irrelevant. In this
- * case, the content type within the EncapsulatedContentInfo value being
- * "signed" should be id-data (as defined in section 4), and the content
- * field of the EncapsulatedContentInfo value should be omitted.
- */
- rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return sigd;
-
-loser:
- if (sigd)
- NSS_CMSSignedData_Destroy(sigd);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/* TODO:
- * NSS_CMSSignerInfo_GetReceiptRequest()
- * NSS_CMSSignedData_HasReceiptRequest()
- * easy way to iterate over signers
- */
-
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
deleted file mode 100644
index 76e5d8d66..000000000
--- a/security/nss/lib/smime/cmssiginfo.c
+++ /dev/null
@@ -1,871 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS signerInfo methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-#include "cryptohi.h"
-
-#include "smime.h"
-
-/* =============================================================================
- * SIGNERINFO
- */
-
-NSSCMSSignerInfo *
-NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag)
-{
- void *mark;
- NSSCMSSignerInfo *signerinfo;
- int version;
- PLArenaPool *poolp;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- signerinfo = (NSSCMSSignerInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignerInfo));
- if (signerinfo == NULL) {
- PORT_ArenaRelease(poolp, mark);
- return NULL;
- }
-
- if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL)
- goto loser;
-
- signerinfo->cmsg = cmsg;
-
- signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_IssuerSN; /* hardcoded for now */
- if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL)
- goto loser;
-
- /* set version right now */
- version = NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN;
- /* RFC2630 5.3 "version is the syntax version number. If the .... " */
- if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID)
- version = NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY;
- (void)SEC_ASN1EncodeInteger(poolp, &(signerinfo->version), (long)version);
-
- if (SECOID_SetAlgorithmID(poolp, &signerinfo->digestAlg, digestalgtag, NULL) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return signerinfo;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/*
- * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
- */
-void
-NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
-{
- if (si->cert != NULL)
- CERT_DestroyCertificate(si->cert);
-
- /* XXX storage ??? */
-}
-
-/*
- * NSS_CMSSignerInfo_Sign - sign something
- *
- */
-SECStatus
-NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
-{
- CERTCertificate *cert;
- SECKEYPrivateKey *privkey = NULL;
- SECOidTag digestalgtag;
- SECOidTag signalgtag;
- SECItem signature = { 0 };
- SECStatus rv;
- PLArenaPool *poolp, *tmppoolp;
-
- PORT_Assert (digest != NULL);
-
- poolp = signerinfo->cmsg->poolp;
-
- cert = signerinfo->cert;
-
- if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL)
- goto loser;
-
- digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
- /*
- * XXX I think there should be a cert-level interface for this,
- * so that I do not have to know about subjectPublicKeyInfo...
- */
- signalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-
- /* Fortezza MISSI have weird signature formats. Map them to standard DSA formats */
- signalgtag = PK11_FortezzaMapSig(signalgtag);
-
- if (signerinfo->authAttr != NULL) {
- SECItem encoded_attrs;
-
- /* find and fill in the message digest attribute. */
- rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
- if (rv != SECSuccess)
- goto loser;
-
- if (contentType != NULL) {
- /* if the caller wants us to, find and fill in the content type attribute. */
- rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
- if (rv != SECSuccess)
- goto loser;
- }
-
- if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-
- /*
- * Before encoding, reorder the attributes so that when they
- * are encoded, they will be conforming DER, which is required
- * to have a specific order and that is what must be used for
- * the hash/signature. We do this here, rather than building
- * it into EncodeAttributes, because we do not want to do
- * such reordering on incoming messages (which also uses
- * EncodeAttributes) or our old signatures (and other "broken"
- * implementations) will not verify. So, we want to guarantee
- * that we send out good DER encodings of attributes, but not
- * to expect to receive them.
- */
- if (NSS_CMSAttributeArray_Reorder(signerinfo->authAttr) != SECSuccess)
- goto loser;
-
- encoded_attrs.data = NULL;
- encoded_attrs.len = 0;
- if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), &encoded_attrs) == NULL)
- goto loser;
-
- rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, privkey,
- NSS_CMSUtil_MakeSignatureAlgorithm(digestalgtag, signalgtag));
- PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
- } else {
- rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
- }
-
- SECKEY_DestroyPrivateKey(privkey);
- privkey = NULL;
-
- if (rv != SECSuccess)
- goto loser;
-
- if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) != SECSuccess)
- goto loser;
-
- SECITEM_FreeItem(&signature, PR_FALSE);
-
- if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), signalgtag, NULL) != SECSuccess)
- goto loser;
-
- return SECSuccess;
-
-loser:
- if (signature.len != 0)
- SECITEM_FreeItem (&signature, PR_FALSE);
- if (privkey)
- SECKEY_DestroyPrivateKey(privkey);
- return SECFailure;
-}
-
-SECStatus
-NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
- SECCertUsage certusage)
-{
- CERTCertificate *cert;
- int64 stime;
-
- if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb)) == NULL) {
- signerinfo->verificationStatus = NSSCMSVS_SigningCertNotFound;
- return SECFailure;
- }
-
- /*
- * Get and convert the signing time; if available, it will be used
- * both on the cert verification and for importing the sender
- * email profile.
- */
- if (NSS_CMSSignerInfo_GetSigningTime (signerinfo, &stime) != SECSuccess)
- stime = PR_Now(); /* not found or conversion failed, so check against now */
-
- /*
- * XXX This uses the signing time, if available. Additionally, we
- * might want to, if there is no signing time, get the message time
- * from the mail header itself, and use that. That would require
- * a change to our interface though, and for S/MIME callers to pass
- * in a time (and for non-S/MIME callers to pass in nothing, or
- * maybe make them pass in the current time, always?).
- */
- if (CERT_VerifyCert(certdb, cert, PR_TRUE, certusage, stime, signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
- signerinfo->verificationStatus = NSSCMSVS_SigningCertNotTrusted;
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
- *
- * Just verifies the signature. The assumption is that verification of the certificate
- * is done already.
- */
-SECStatus
-NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
-{
- SECKEYPublicKey *publickey = NULL;
- NSSCMSAttribute *attr;
- SECItem encoded_attrs;
- CERTCertificate *cert;
- NSSCMSVerificationStatus vs = NSSCMSVS_Unverified;
- PLArenaPool *poolp;
-
- if (signerinfo == NULL)
- return SECFailure;
-
- /* NSS_CMSSignerInfo_GetSigningCertificate will fail if 2nd parm is NULL and */
- /* cert has not been verified */
- if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, NULL)) == NULL) {
- vs = NSSCMSVS_SigningCertNotFound;
- goto loser;
- }
-
- if ((publickey = CERT_ExtractPublicKey(cert)) == NULL) {
- vs = NSSCMSVS_ProcessingError;
- goto loser;
- }
-
- /*
- * XXX This may not be the right set of algorithms to check.
- * I'd prefer to trust that just calling VFY_Verify{Data,Digest}
- * would do the right thing (and set an error if it could not);
- * then additional algorithms could be handled by that code
- * and we would Just Work. So this check should just be removed,
- * but not until the VFY code is better at setting errors.
- */
- switch (SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg))) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
- /* ok */
- break;
- case SEC_OID_UNKNOWN:
- vs = NSSCMSVS_SignatureAlgorithmUnknown;
- goto loser;
- default:
- vs = NSSCMSVS_SignatureAlgorithmUnsupported;
- goto loser;
- }
-
- if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
- if (contentType) {
- /*
- * Check content type
- *
- * RFC2630 sez that if there are any authenticated attributes,
- * then there must be one for content type which matches the
- * content type of the content being signed, and there must
- * be one for message digest which matches our message digest.
- * So check these things first.
- */
- if ((attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
- SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE)) == NULL)
- {
- vs = NSSCMSVS_MalformedSignature;
- goto loser;
- }
-
- if (NSS_CMSAttribute_CompareValue(attr, contentType) == PR_FALSE) {
- vs = NSSCMSVS_MalformedSignature;
- goto loser;
- }
- }
-
- /*
- * Check digest
- */
- if ((attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE)) == NULL)
- {
- vs = NSSCMSVS_MalformedSignature;
- goto loser;
- }
- if (NSS_CMSAttribute_CompareValue(attr, digest) == PR_FALSE) {
- vs = NSSCMSVS_DigestMismatch;
- goto loser;
- }
-
- if ((poolp = PORT_NewArena (1024)) == NULL) {
- vs = NSSCMSVS_ProcessingError;
- goto loser;
- }
-
- /*
- * Check signature
- *
- * The signature is based on a digest of the DER-encoded authenticated
- * attributes. So, first we encode and then we digest/verify.
- * we trust the decoder to have the attributes in the right (sorted) order
- */
- encoded_attrs.data = NULL;
- encoded_attrs.len = 0;
-
- if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr), &encoded_attrs) == NULL ||
- encoded_attrs.data == NULL || encoded_attrs.len == 0)
- {
- vs = NSSCMSVS_ProcessingError;
- goto loser;
- }
-
- vs = (VFY_VerifyData (encoded_attrs.data, encoded_attrs.len,
- publickey, &(signerinfo->encDigest),
- SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
- signerinfo->cmsg->pwfn_arg) != SECSuccess) ? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
-
- PORT_FreeArena(poolp, PR_FALSE); /* awkward memory management :-( */
-
- } else {
- SECItem *sig;
-
- /* No authenticated attributes. The signature is based on the plain message digest. */
- sig = &(signerinfo->encDigest);
- if (sig->len == 0)
- goto loser;
-
- vs = (VFY_VerifyDigest(digest, publickey, sig,
- SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
- signerinfo->cmsg->pwfn_arg) != SECSuccess) ? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
- }
-
- if (vs == NSSCMSVS_BadSignature) {
- /*
- * XXX Change the generic error into our specific one, because
- * in that case we get a better explanation out of the Security
- * Advisor. This is really a bug in our error strings (the
- * "generic" error has a lousy/wrong message associated with it
- * which assumes the signature verification was done for the
- * purposes of checking the issuer signature on a certificate)
- * but this is at least an easy workaround and/or in the
- * Security Advisor, which specifically checks for the error
- * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
- * in that case but does not similarly check for
- * SEC_ERROR_BAD_SIGNATURE. It probably should, but then would
- * probably say the wrong thing in the case that it *was* the
- * certificate signature check that failed during the cert
- * verification done above. Our error handling is really a mess.
- */
- if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
- PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
- }
-
- if (publickey != NULL)
- SECKEY_DestroyPublicKey (publickey);
-
- signerinfo->verificationStatus = vs;
-
- return (vs == NSSCMSVS_GoodSignature) ? SECSuccess : SECFailure;
-
-loser:
- if (publickey != NULL)
- SECKEY_DestroyPublicKey (publickey);
-
- signerinfo->verificationStatus = vs;
-
- PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
- return SECFailure;
-}
-
-NSSCMSVerificationStatus
-NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo)
-{
- return signerinfo->verificationStatus;
-}
-
-SECOidData *
-NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo)
-{
- return SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
-}
-
-SECOidTag
-NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo)
-{
- SECOidData *algdata;
-
- algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
- if (algdata != NULL)
- return algdata->offset;
- else
- return SEC_OID_UNKNOWN;
-}
-
-CERTCertificateList *
-NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo)
-{
- return signerinfo->certList;
-}
-
-int
-NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo)
-{
- unsigned long version;
-
- /* always take apart the SECItem */
- if (SEC_ASN1DecodeInteger(&(signerinfo->version), &version) != SECSuccess)
- return 0;
- else
- return (int)version;
-}
-
-/*
- * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
- * in UTCTime format, of a CMS signerInfo.
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to XXXX (what?)
- * A return value of NULL is an error.
- */
-SECStatus
-NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime)
-{
- NSSCMSAttribute *attr;
- SECItem *value;
-
- if (sinfo == NULL)
- return SECFailure;
-
- if (sinfo->signingTime != 0) {
- *stime = sinfo->signingTime; /* cached copy */
- return SECSuccess;
- }
-
- attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
- /* XXXX multi-valued attributes NIH */
- if (attr == NULL || (value = NSS_CMSAttribute_GetValue(attr)) == NULL)
- return SECFailure;
- if (DER_UTCTimeToTime(stime, value) != SECSuccess)
- return SECFailure;
- sinfo->signingTime = *stime; /* make cached copy */
- return SECSuccess;
-}
-
-/*
- * Return the signing cert of a CMS signerInfo.
- *
- * the certs in the enclosing SignedData must have been imported already
- */
-CERTCertificate *
-NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb)
-{
- CERTCertificate *cert;
-
- if (signerinfo->cert != NULL)
- return signerinfo->cert;
-
- /* no certdb, and cert hasn't been set yet? */
- if (certdb == NULL)
- return NULL;
-
- /*
- * This cert will also need to be freed, but since we save it
- * in signerinfo for later, we do not want to destroy it when
- * we leave this function -- we let the clean-up of the entire
- * cinfo structure later do the destroy of this cert.
- */
- switch (signerinfo->signerIdentifier.identifierType) {
- case NSSCMSSignerID_IssuerSN:
- cert = CERT_FindCertByIssuerAndSN(certdb, signerinfo->signerIdentifier.id.issuerAndSN);
- break;
- case NSSCMSSignerID_SubjectKeyID:
-#if 0 /* not yet implemented */
- cert = CERT_FindCertBySubjectKeyID(certdb, signerinfo->signerIdentifier.id.subjectKeyID);
-#else
- cert = NULL;
-#endif
- break;
- default:
- cert = NULL;
- break;
- }
-
- /* cert can be NULL at that point */
- signerinfo->cert = cert; /* earmark it */
-
- return cert;
-}
-
-/*
- * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A return value of NULL is an error.
- */
-char *
-NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo)
-{
- CERTCertificate *signercert;
-
- /* will fail if cert is not verified */
- if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
- return NULL;
-
- return (CERT_GetCommonName(&signercert->subject));
-}
-
-/*
- * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A return value of NULL is an error.
- */
-char *
-NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo)
-{
- CERTCertificate *signercert;
-
- if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
- return NULL;
-
- if (signercert->emailAddr == NULL)
- return NULL;
-
- return (PORT_Strdup(signercert->emailAddr));
-}
-
-/*
- * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- */
-SECStatus
-NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
-{
- return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->authAttr), attr);
-}
-
-/*
- * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
- * unauthenticated attributes of "signerinfo".
- */
-SECStatus
-NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
-{
- return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->unAuthAttr), attr);
-}
-
-/*
- * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will do nothing.
- *
- * XXX This will probably just shove the current time into "signerinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding. Is this (expected to be small) delay okay?
- */
-SECStatus
-NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t)
-{
- NSSCMSAttribute *attr;
- SECItem stime;
- void *mark;
- PLArenaPool *poolp;
-
- poolp = signerinfo->cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- /* create new signing time attribute */
- if (DER_TimeToUTCTime(&stime, t) != SECSuccess)
- goto loser;
-
- if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SIGNING_TIME, &stime, PR_FALSE)) == NULL) {
- SECITEM_FreeItem (&stime, PR_FALSE);
- goto loser;
- }
-
- SECITEM_FreeItem (&stime, PR_FALSE);
-
- if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark (poolp, mark);
-
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
-/*
- * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME).
- */
-SECStatus
-NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo)
-{
- NSSCMSAttribute *attr;
- SECItem *smimecaps = NULL;
- void *mark;
- PLArenaPool *poolp;
-
- poolp = signerinfo->cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- smimecaps = SECITEM_AllocItem(poolp, NULL, 0);
- if (smimecaps == NULL)
- goto loser;
-
- /* create new signing time attribute */
- if (NSS_SMIMEUtil_CreateSMIMECapabilities(poolp, smimecaps,
- PK11_FortezzaHasKEA(signerinfo->cert)) != SECSuccess)
- goto loser;
-
- if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL)
- goto loser;
-
- if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark (poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
-/*
- * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed messages for email (S/MIME).
- */
-SECStatus
-NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
-{
- NSSCMSAttribute *attr;
- SECItem *smimeekp = NULL;
- void *mark;
- PLArenaPool *poolp;
-
- /* verify this cert for encryption */
- if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
- return SECFailure;
- }
-
- poolp = signerinfo->cmsg->poolp;
- mark = PORT_ArenaMark(poolp);
-
- smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
- if (smimeekp == NULL)
- goto loser;
-
- /* create new signing time attribute */
- if (NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
- goto loser;
-
- if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
- goto loser;
-
- if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark (poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
-/*
- * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
- *
- * 1. digest the DER-encoded signature value of the original signerinfo
- * 2. create new signerinfo with correct version, sid, digestAlg
- * 3. add message-digest authAttr, but NO content-type
- * 4. sign the authAttrs
- * 5. DER-encode the new signerInfo
- * 6. add the whole thing to original signerInfo's unAuthAttrs
- * as a SEC_OID_PKCS9_COUNTER_SIGNATURE attribute
- *
- * XXXX give back the new signerinfo?
- */
-SECStatus
-NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
- SECOidTag digestalg, CERTCertificate signingcert)
-{
- /* XXXX TBD XXXX */
- return SECFailure;
-}
-
-/*
- * XXXX the following needs to be done in the S/MIME layer code
- * after signature of a signerinfo is verified
- */
-SECStatus
-NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo)
-{
- CERTCertificate *cert = NULL;
- SECItem *profile = NULL;
- NSSCMSAttribute *attr;
- SECItem *utc_stime = NULL;
- SECItem *ekp;
- CERTCertDBHandle *certdb;
- int save_error;
- SECStatus rv;
-
- certdb = CERT_GetDefaultCertDB();
-
- /* sanity check - see if verification status is ok (unverified does not count...) */
- if (signerinfo->verificationStatus != NSSCMSVS_GoodSignature)
- return SECFailure;
-
- /* find preferred encryption cert */
- if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr) &&
- (attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
- SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
- { /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */
- ekp = NSS_CMSAttribute_GetValue(attr);
- if (ekp == NULL)
- return SECFailure;
-
- /* we assume that all certs coming with the message have been imported to the */
- /* temporary database */
- cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp);
- if (cert == NULL)
- return SECFailure;
- }
-
- if (cert == NULL) {
- /* no preferred cert found?
- * find the cert the signerinfo is signed with instead */
- cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb);
- if (cert == NULL || cert->emailAddr == NULL)
- return SECFailure;
- }
-
- /* verify this cert for encryption (has been verified for signing so far) */
- if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
- return SECFailure;
- }
-
- /* XXX store encryption cert permanently? */
-
- /*
- * Remember the current error set because we do not care about
- * anything set by the functions we are about to call.
- */
- save_error = PORT_GetError();
-
- if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
- attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
- SEC_OID_PKCS9_SMIME_CAPABILITIES,
- PR_TRUE);
- profile = NSS_CMSAttribute_GetValue(attr);
- attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
- SEC_OID_PKCS9_SIGNING_TIME,
- PR_TRUE);
- utc_stime = NSS_CMSAttribute_GetValue(attr);
- }
-
- rv = CERT_SaveSMimeProfile (cert, profile, utc_stime);
-
- /*
- * Restore the saved error in case the calls above set a new
- * one that we do not actually care about.
- */
- PORT_SetError (save_error);
-
- return rv;
-}
-
-/*
- * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
- */
-SECStatus
-NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage)
-{
- if (signerinfo->cert == NULL)
- return SECFailure;
-
- switch (cm) {
- case NSSCMSCM_None:
- signerinfo->certList = NULL;
- break;
- case NSSCMSCM_CertOnly:
- signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
- break;
- case NSSCMSCM_CertChain:
- signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
- break;
- case NSSCMSCM_CertChainWithRoot:
- signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
- break;
- }
-
- if (cm != NSSCMSCM_None && signerinfo->certList == NULL)
- return SECFailure;
-
- return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
deleted file mode 100644
index 5f7fd0984..000000000
--- a/security/nss/lib/smime/cmst.h
+++ /dev/null
@@ -1,489 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Header for CMS types.
- *
- * $Id$
- */
-
-#ifndef _CMST_H_
-#define _CMST_H_
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "certt.h"
-#include "secmodt.h"
-#include "secmodt.h"
-
-#include "plarena.h"
-
-/* Non-opaque objects. NOTE, though: I want them to be treated as
- * opaque as much as possible. If I could hide them completely,
- * I would. (I tried, but ran into trouble that was taking me too
- * much time to get out of.) I still intend to try to do so.
- * In fact, the only type that "outsiders" should even *name* is
- * NSSCMSMessage, and they should not reference its fields.
- */
-/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
- * This is because when we search the recipient list for the cert and key we
- * want, we need to invert the order of the loops we used to have. The old
- * loops were:
- *
- * For each recipient {
- * find_cert = PK11_Find_AllCert(recipient->issuerSN);
- * [which unrolls to... ]
- * For each slot {
- * Log into slot;
- * search slot for cert;
- * }
- * }
- *
- * the new loop searchs all the recipients at once on a slot. this allows
- * PKCS #11 to order slots in such a way that logout slots don't get checked
- * if we can find the cert on a logged in slot. This eliminates lots of
- * spurious password prompts when smart cards are installed... so why this
- * comment? If you make NSSCMSRecipientInfo completely opaque, you need
- * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
- * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
- * function.
- */
-
-typedef struct NSSCMSMessageStr NSSCMSMessage;
-
-typedef union NSSCMSContentUnion NSSCMSContent;
-typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
-
-typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
-typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
-typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
-
-typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
-typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
-typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
-
-typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
-typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
-
-typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
-
-typedef struct NSSCMSAttributeStr NSSCMSAttribute;
-
-typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
-typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
-
-typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
-typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
-
-/*
- * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
- * If specified, this is where the content bytes (only) will be "sent"
- * as they are recovered during the decoding.
- * And:
- * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
- * This is where the DER-encoded bytes will be "sent".
- *
- * XXX Should just combine this with NSSCMSEncoderContentCallback type
- * and use a simpler, common name.
- */
-typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
-
-/*
- * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
- * to retrieve the decryption key. This function is intended to be
- * used for EncryptedData content info's which do not have a key available
- * in a certificate, etc.
- */
-typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
-
-
-/* =============================================================================
- * ENCAPSULATED CONTENTINFO & CONTENTINFO
- */
-
-union NSSCMSContentUnion {
- /* either unstructured */
- SECItem * data;
- /* or structured data */
- NSSCMSDigestedData * digestedData;
- NSSCMSEncryptedData * encryptedData;
- NSSCMSEnvelopedData * envelopedData;
- NSSCMSSignedData * signedData;
- /* or anonymous pointer to something */
- void * pointer;
-};
-
-struct NSSCMSContentInfoStr {
- SECItem contentType;
- NSSCMSContent content;
- /* --------- local; not part of encoding --------- */
- SECOidData * contentTypeTag;
-
- /* additional info for encryptedData and envelopedData */
- /* we waste this space for signedData and digestedData. sue me. */
-
- SECAlgorithmID contentEncAlg;
- SECItem * rawContent; /* encrypted DER, optional */
- /* XXXX bytes not encrypted, but encoded? */
- /* --------- local; not part of encoding --------- */
- PK11SymKey * bulkkey; /* bulk encryption key */
- int keysize; /* size of bulk encryption key
- * (only used by creation code) */
- SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
- * (only used by creation code) */
- NSSCMSCipherContext *ciphcx; /* context for en/decryption going on */
- NSSCMSDigestContext *digcx; /* context for digesting going on */
-};
-
-/* =============================================================================
- * MESSAGE
- */
-
-struct NSSCMSMessageStr {
- NSSCMSContentInfo contentInfo; /* "outer" cinfo */
- /* --------- local; not part of encoding --------- */
- PLArenaPool * poolp;
- PRBool poolp_is_ours;
- int refCount;
- /* properties of the "inner" data */
- SECAlgorithmID ** detached_digestalgs;
- SECItem ** detached_digests;
- void * pwfn_arg;
- NSSCMSGetDecryptKeyCallback decrypt_key_cb;
- void * decrypt_key_cb_arg;
-};
-
-/* =============================================================================
- * SIGNEDDATA
- */
-
-struct NSSCMSSignedDataStr {
- SECItem version;
- SECAlgorithmID ** digestAlgorithms;
- NSSCMSContentInfo contentInfo;
- SECItem ** rawCerts;
- CERTSignedCrl ** crls;
- NSSCMSSignerInfo ** signerInfos;
- /* --------- local; not part of encoding --------- */
- NSSCMSMessage * cmsg; /* back pointer to message */
- SECItem ** digests;
- CERTCertificate ** certs;
- CERTCertificateList ** certLists;
-};
-#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */
-#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */
-
-typedef enum {
- NSSCMSVS_Unverified = 0,
- NSSCMSVS_GoodSignature,
- NSSCMSVS_BadSignature,
- NSSCMSVS_DigestMismatch,
- NSSCMSVS_SigningCertNotFound,
- NSSCMSVS_SigningCertNotTrusted,
- NSSCMSVS_SignatureAlgorithmUnknown,
- NSSCMSVS_SignatureAlgorithmUnsupported,
- NSSCMSVS_MalformedSignature,
- NSSCMSVS_ProcessingError
-} NSSCMSVerificationStatus;
-
-typedef enum {
- NSSCMSSignerID_IssuerSN,
- NSSCMSSignerID_SubjectKeyID
-} NSSCMSSignerIDSelector;
-
-struct NSSCMSSignerIdentifierStr {
- NSSCMSSignerIDSelector identifierType;
- union {
- CERTIssuerAndSN *issuerAndSN;
- SECItem *subjectKeyID;
- } id;
-};
-
-struct NSSCMSSignerInfoStr {
- SECItem version;
- NSSCMSSignerIdentifier signerIdentifier;
- SECAlgorithmID digestAlg;
- NSSCMSAttribute ** authAttr;
- SECAlgorithmID digestEncAlg;
- SECItem encDigest;
- NSSCMSAttribute ** unAuthAttr;
- /* --------- local; not part of encoding --------- */
- NSSCMSMessage * cmsg; /* back pointer to message */
- CERTCertificate * cert;
- CERTCertificateList * certList;
- PRTime signingTime;
- NSSCMSVerificationStatus verificationStatus;
-};
-#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */
-#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */
-
-typedef enum {
- NSSCMSCM_None = 0,
- NSSCMSCM_CertOnly,
- NSSCMSCM_CertChain,
- NSSCMSCM_CertChainWithRoot
-} NSSCMSCertChainMode;
-
-/* =============================================================================
- * ENVELOPED DATA
- */
-struct NSSCMSEnvelopedDataStr {
- SECItem version;
- NSSCMSOriginatorInfo * originatorInfo; /* optional */
- NSSCMSRecipientInfo ** recipientInfos;
- NSSCMSContentInfo contentInfo;
- NSSCMSAttribute ** unprotectedAttr;
- /* --------- local; not part of encoding --------- */
- NSSCMSMessage * cmsg; /* back pointer to message */
-};
-#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */
-#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */
-
-struct NSSCMSOriginatorInfoStr {
- SECItem ** rawCerts;
- CERTSignedCrl ** crls;
- /* --------- local; not part of encoding --------- */
- CERTCertificate ** certs;
-};
-
-/* -----------------------------------------------------------------------------
- * key transport recipient info
- */
-typedef enum {
- NSSCMSRecipientID_IssuerSN,
- NSSCMSRecipientID_SubjectKeyID
-} NSSCMSRecipientIDSelector;
-
-struct NSSCMSRecipientIdentifierStr {
- NSSCMSRecipientIDSelector identifierType;
- union {
- CERTIssuerAndSN *issuerAndSN;
- SECItem *subjectKeyID;
- } id;
-};
-typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
-
-struct NSSCMSKeyTransRecipientInfoStr {
- SECItem version;
- NSSCMSRecipientIdentifier recipientIdentifier;
- SECAlgorithmID keyEncAlg;
- SECItem encKey;
-};
-typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
-
-#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */
-#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */
-
-/* -----------------------------------------------------------------------------
- * key agreement recipient info
- */
-struct NSSCMSOriginatorPublicKeyStr {
- SECAlgorithmID algorithmIdentifier;
- SECItem publicKey; /* bit string! */
-};
-typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
-
-typedef enum {
- NSSCMSOriginatorIDOrKey_IssuerSN,
- NSSCMSOriginatorIDOrKey_SubjectKeyID,
- NSSCMSOriginatorIDOrKey_OriginatorPublicKey
-} NSSCMSOriginatorIDOrKeySelector;
-
-struct NSSCMSOriginatorIdentifierOrKeyStr {
- NSSCMSOriginatorIDOrKeySelector identifierType;
- union {
- CERTIssuerAndSN *issuerAndSN; /* static-static */
- SECItem *subjectKeyID; /* static-static */
- NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
- } id;
-};
-typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
-
-struct NSSCMSRecipientKeyIdentifierStr {
- SECItem * subjectKeyIdentifier;
- SECItem * date; /* optional */
- SECItem * other; /* optional */
-};
-typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
-
-typedef enum {
- NSSCMSKeyAgreeRecipientID_IssuerSN,
- NSSCMSKeyAgreeRecipientID_RKeyID
-} NSSCMSKeyAgreeRecipientIDSelector;
-
-struct NSSCMSKeyAgreeRecipientIdentifierStr {
- NSSCMSKeyAgreeRecipientIDSelector identifierType;
- union {
- CERTIssuerAndSN *issuerAndSN;
- NSSCMSRecipientKeyIdentifier recipientKeyIdentifier;
- } id;
-};
-typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
-
-struct NSSCMSRecipientEncryptedKeyStr {
- NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier;
- SECItem encKey;
-};
-typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
-
-struct NSSCMSKeyAgreeRecipientInfoStr {
- SECItem version;
- NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
- SECItem * ukm; /* optional */
- SECAlgorithmID keyEncAlg;
- NSSCMSRecipientEncryptedKey ** recipientEncryptedKeys;
-};
-typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
-
-#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */
-
-/* -----------------------------------------------------------------------------
- * KEK recipient info
- */
-struct NSSCMSKEKIdentifierStr {
- SECItem keyIdentifier;
- SECItem * date; /* optional */
- SECItem * other; /* optional */
-};
-typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
-
-struct NSSCMSKEKRecipientInfoStr {
- SECItem version;
- NSSCMSKEKIdentifier kekIdentifier;
- SECAlgorithmID keyEncAlg;
- SECItem encKey;
-};
-typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
-
-#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */
-
-/* -----------------------------------------------------------------------------
- * recipient info
- */
-
-typedef enum {
- NSSCMSRecipientInfoID_KeyTrans,
- NSSCMSRecipientInfoID_KeyAgree,
- NSSCMSRecipientInfoID_KEK
-} NSSCMSRecipientInfoIDSelector;
-
-struct NSSCMSRecipientInfoStr {
- NSSCMSRecipientInfoIDSelector recipientInfoType;
- union {
- NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
- NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
- NSSCMSKEKRecipientInfo kekRecipientInfo;
- } ri;
- /* --------- local; not part of encoding --------- */
- NSSCMSMessage * cmsg; /* back pointer to message */
- CERTCertificate * cert; /* recipient's certificate */
-};
-
-/* =============================================================================
- * DIGESTED DATA
- */
-struct NSSCMSDigestedDataStr {
- SECItem version;
- SECAlgorithmID digestAlg;
- NSSCMSContentInfo contentInfo;
- SECItem digest;
- /* --------- local; not part of encoding --------- */
- NSSCMSMessage * cmsg; /* back pointer */
- SECItem cdigest; /* calculated digest */
-};
-#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */
-#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */
-
-/* =============================================================================
- * ENCRYPTED DATA
- */
-struct NSSCMSEncryptedDataStr {
- SECItem version;
- NSSCMSContentInfo contentInfo;
- NSSCMSAttribute ** unprotectedAttr; /* optional */
- /* --------- local; not part of encoding --------- */
- NSSCMSMessage * cmsg; /* back pointer */
-};
-#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
-#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */
-
-/* =============================================================================
- * FORTEZZA KEA
- */
-
-/* An enumerated type used to select templates based on the encryption
- scenario and data specifics. */
-typedef enum {
- NSSCMSKEAUsesSkipjack,
- NSSCMSKEAUsesNonSkipjack,
- NSSCMSKEAUsesNonSkipjackWithPaddedEncKey
-} NSSCMSKEATemplateSelector;
-
-/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
- but I cannot think of a more appropriate place at this time. */
-struct NSSCMSSMIMEKEAParametersStr {
- SECItem originatorKEAKey; /* sender KEA key (encrypted?) */
- SECItem originatorRA; /* random number generated by sender */
- SECItem nonSkipjackIV; /* init'n vector for SkipjackCBC64
- decryption of KEA key if Skipjack
- is not the bulk algorithm used on
- the message */
- SECItem bulkKeySize; /* if Skipjack is not the bulk
- algorithm used on the message,
- and the size of the bulk encryption
- key is not the same as that of
- originatorKEAKey (due to padding
- perhaps), this field will contain
- the real size of the bulk encryption
- key. */
-};
-
-/*
- * *****************************************************************************
- * *****************************************************************************
- * *****************************************************************************
- */
-
-/*
- * See comment above about this type not really belonging to CMS.
- */
-struct NSSCMSAttributeStr {
- /* The following fields make up an encoded Attribute: */
- SECItem type;
- SECItem ** values; /* data may or may not be encoded */
- /* The following fields are not part of an encoded Attribute: */
- SECOidData * typeTag;
- PRBool encoded; /* when true, values are encoded */
-};
-
-#endif /* _CMST_H_ */
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
deleted file mode 100644
index c71d144f6..000000000
--- a/security/nss/lib/smime/cmsutil.c
+++ /dev/null
@@ -1,362 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS miscellaneous utility functions.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
- *
- * make sure that the order of the objects guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in objs).
- */
-SECStatus
-NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2)
-{
- PRArenaPool *poolp;
- int num_objs;
- SECItem **enc_objs;
- SECStatus rv = SECFailure;
- int i;
-
- if (objs == NULL) /* already sorted */
- return SECSuccess;
-
- num_objs = NSS_CMSArray_Count((void **)objs);
- if (num_objs == 0 || num_objs == 1) /* already sorted. */
- return SECSuccess;
-
- poolp = PORT_NewArena (1024); /* arena for temporaries */
- if (poolp == NULL)
- return SECFailure; /* no memory; nothing we can do... */
-
- /*
- * Allocate arrays to hold the individual encodings which we will use
- * for comparisons and the reordered attributes as they are sorted.
- */
- enc_objs = (SECItem **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SECItem *));
- if (enc_objs == NULL)
- goto loser;
-
- /* DER encode each individual object. */
- for (i = 0; i < num_objs; i++) {
- enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
- if (enc_objs[i] == NULL)
- goto loser;
- }
- enc_objs[num_objs] = NULL;
-
- /* now compare and sort objs by the order of enc_objs */
- NSS_CMSArray_Sort((void **)enc_objs, NSS_CMSUtil_DERCompare, objs, objs2);
-
- rv = SECSuccess;
-
-loser:
- PORT_FreeArena (poolp, PR_FALSE);
- return rv;
-}
-
-/*
- * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
- * sort arrays of SECItems containing DER
- */
-int
-NSS_CMSUtil_DERCompare(void *a, void *b)
-{
- SECItem *der1 = (SECItem *)a;
- SECItem *der2 = (SECItem *)b;
- int j;
-
- /*
- * Find the lowest (lexigraphically) encoding. One that is
- * shorter than all the rest is known to be "less" because each
- * attribute is of the same type (a SEQUENCE) and so thus the
- * first octet of each is the same, and the second octet is
- * the length (or the length of the length with the high bit
- * set, followed by the length, which also works out to always
- * order the shorter first). Two (or more) that have the
- * same length need to be compared byte by byte until a mismatch
- * is found.
- */
- if (der1->len != der2->len)
- return (der1->len < der2->len) ? -1 : 1;
-
- for (j = 0; j < der1->len; j++) {
- if (der1->data[j] == der2->data[j])
- continue;
- return (der1->data[j] < der2->data[j]) ? -1 : 1;
- }
- return 0;
-}
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algid - algorithmid of algorithm to pick
- *
- * Returns:
- * An integer containing the index of the algorithm in the array or -1 if
- * algorithm was not found.
- */
-int
-NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid)
-{
- int i;
-
- if (algorithmArray == NULL || algorithmArray[0] == NULL)
- return -1;
-
- for (i = 0; algorithmArray[i] != NULL; i++) {
- if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual)
- break; /* bingo */
- }
-
- if (algorithmArray[i] == NULL)
- return -1; /* not found */
-
- return i;
-}
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgTag - find a specific algorithm in an array of
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algtag - algorithm tag of algorithm to pick
- *
- * Returns:
- * An integer containing the index of the algorithm in the array or -1 if
- * algorithm was not found.
- */
-int
-NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag)
-{
- SECOidData *algid;
- int i;
-
- if (algorithmArray == NULL || algorithmArray[0] == NULL)
- return -1;
-
- for (i = 0; algorithmArray[i] != NULL; i++) {
- algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
- if (algid->offset == algtag)
- break; /* bingo */
- }
-
- if (algorithmArray[i] == NULL)
- return -1; /* not found */
-
- return i;
-}
-
-SECHashObject *
-NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
-{
- SECOidData *oiddata;
- SECHashObject *digobj;
-
- /* here are the algorithms we know */
- oiddata = SECOID_FindOID(&(algid->algorithm));
- if (oiddata == NULL) {
- digobj = NULL;
- } else {
- switch (oiddata->offset) {
- case SEC_OID_MD2:
- digobj = &SECHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_MD5:
- digobj = &SECHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_SHA1:
- digobj = &SECHashObjects[HASH_AlgSHA1];
- break;
- default:
- digobj = NULL;
- break;
- }
- }
- return digobj;
-}
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-SECOidTag
-NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg)
-{
- switch (encalg) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- switch (hashalg) {
- case SEC_OID_MD2:
- return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
- case SEC_OID_MD5:
- return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
- case SEC_OID_SHA1:
- return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
- default:
- return SEC_OID_UNKNOWN;
- }
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS:
- switch (hashalg) {
- case SEC_OID_SHA1:
- return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
- default:
- return SEC_OID_UNKNOWN;
- }
- default:
- break;
- }
-
- return encalg; /* maybe it is already the right algid */
-}
-
-const SEC_ASN1Template *
-NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type)
-{
- const SEC_ASN1Template *template;
- extern const SEC_ASN1Template NSSCMSSignedDataTemplate[];
- extern const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[];
- extern const SEC_ASN1Template NSSCMSEncryptedDataTemplate[];
- extern const SEC_ASN1Template NSSCMSDigestedDataTemplate[];
-
- switch (type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- template = NSSCMSSignedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- template = NSSCMSEnvelopedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- template = NSSCMSEncryptedDataTemplate;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- template = NSSCMSDigestedDataTemplate;
- break;
- default:
- case SEC_OID_PKCS7_DATA:
- template = NULL;
- break;
- }
- return template;
-}
-
-size_t
-NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type)
-{
- size_t size;
-
- switch (type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- size = sizeof(NSSCMSSignedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- size = sizeof(NSSCMSEnvelopedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- size = sizeof(NSSCMSEncryptedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- size = sizeof(NSSCMSDigestedData);
- break;
- default:
- case SEC_OID_PKCS7_DATA:
- size = 0;
- break;
- }
- return size;
-}
-
-NSSCMSContentInfo *
-NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type)
-{
- NSSCMSContent c;
- NSSCMSContentInfo *cinfo;
-
- PORT_Assert(msg != NULL);
-
- c.pointer = msg;
- switch (type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- cinfo = &(c.signedData->contentInfo);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- cinfo = &(c.envelopedData->contentInfo);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- cinfo = &(c.encryptedData->contentInfo);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- cinfo = &(c.digestedData->contentInfo);
- break;
- default:
- cinfo = NULL;
- }
- return cinfo;
-}
-
-const char *
-NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs)
-{
- switch (vs) {
- case NSSCMSVS_Unverified: return "Unverified";
- case NSSCMSVS_GoodSignature: return "GoodSignature";
- case NSSCMSVS_BadSignature: return "BadSignature";
- case NSSCMSVS_DigestMismatch: return "DigestMismatch";
- case NSSCMSVS_SigningCertNotFound: return "SigningCertNotFound";
- case NSSCMSVS_SigningCertNotTrusted: return "SigningCertNotTrusted";
- case NSSCMSVS_SignatureAlgorithmUnknown: return "SignatureAlgorithmUnknown";
- case NSSCMSVS_SignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported";
- case NSSCMSVS_MalformedSignature: return "MalformedSignature";
- case NSSCMSVS_ProcessingError: return "ProcessingError";
- default: return "Unknown";
- }
-}
diff --git a/security/nss/lib/smime/config.mk b/security/nss/lib/smime/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/smime/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/smime/manifest.mn b/security/nss/lib/smime/manifest.mn
deleted file mode 100644
index c7fef112b..000000000
--- a/security/nss/lib/smime/manifest.mn
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- cms.h \
- cmst.h \
- smime.h \
- cmsreclist.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- cmslocal.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- cmsarray.c \
- cmsasn1.c \
- cmsattr.c \
- cmscinfo.c \
- cmscipher.c \
- cmsdecode.c \
- cmsdigdata.c \
- cmsdigest.c \
- cmsencdata.c \
- cmsencode.c \
- cmsenvdata.c \
- cmsmessage.c \
- cmspubkey.c \
- cmsrecinfo.c \
- cmsreclist.c \
- cmssigdata.c \
- cmssiginfo.c \
- cmsutil.c \
- smimemessage.c \
- smimeutil.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = smime
diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h
deleted file mode 100644
index 1832634f7..000000000
--- a/security/nss/lib/smime/smime.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Header file for routines specific to S/MIME. Keep things that are pure
- * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
- *
- * $Id$
- */
-
-#ifndef _SECMIME_H_
-#define _SECMIME_H_ 1
-
-#include "cms.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * Initialize the local recording of the user S/MIME cipher preferences.
- * This function is called once for each cipher, the order being
- * important (first call records greatest preference, and so on).
- * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
- * If the function is called again after that, it is assumed that
- * the preferences are being reset, and the old preferences are
- * discarded.
- *
- * XXX This is for a particular user, and right now the storage is
- * XXX local, static. The preference should be stored elsewhere to allow
- * XXX for multiple uses of one library? How does SSL handle this;
- * XXX it has something similar?
- *
- * - The "which" values are defined in ciferfam.h (the SMIME_* values,
- * for example SMIME_DES_CBC_56).
- * - If "on" is non-zero then the named cipher is enabled, otherwise
- * it is disabled. (It is not necessary to call the function for
- * ciphers that are disabled, however, as that is the default.)
- *
- * If the cipher preference is successfully recorded, SECSuccess
- * is returned. Otherwise SECFailure is returned. The only errors
- * are due to failure allocating memory or bad parameters/calls:
- * SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
- * SEC_ERROR_XXX (function is being called more times than there
- * are known/expected ciphers)
- */
-extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on);
-
-/*
- * Initialize the local recording of the S/MIME policy.
- * This function is called to allow/disallow a particular cipher.
- *
- * XXX This is for a the current module, I think, so local, static storage
- * XXX is okay. Is that correct, or could multiple uses of the same
- * XXX library expect to operate under different policies?
- *
- * - The "which" values are defined in ciferfam.h (the SMIME_* values,
- * for example SMIME_DES_CBC_56).
- * - If "on" is non-zero then the named cipher is enabled, otherwise
- * it is disabled.
- */
-extern SECStatus NSS_SMIMEUtils_AllowCipher(long which, int on);
-
-/*
- * Does the current policy allow S/MIME decryption of this particular
- * algorithm and keysize?
- */
-extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
-
-/*
- * Does the current policy allow *any* S/MIME encryption (or decryption)?
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy. Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments. The return value is a simple boolean:
- * PR_TRUE means encryption (or decryption) is *possible*
- * (but may still fail due to other reasons, like because we cannot
- * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- * PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-extern PRBool NSS_SMIMEUtil_EncryptionPossible(void);
-
-/*
- * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities attr value
- *
- * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
- * S/MIME capabilities attribute value.
- */
-extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers);
-
-/*
- * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
- */
-extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
-
-/*
- * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference
- * attribute
- */
-extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp);
-
-/*
- * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
- */
-extern SECStatus
-NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/smime/smimemessage.c b/security/nss/lib/smime/smimemessage.c
deleted file mode 100644
index 519f8b8d9..000000000
--- a/security/nss/lib/smime/smimemessage.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * SMIME message methods
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-#include "smime.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-
-#if 0
-/*
- * NSS_SMIMEMessage_CreateEncrypted - start an S/MIME encrypting context.
- *
- * "scert" is the cert for the sender. It will be checked for validity.
- * "rcerts" are the certs for the recipients. They will also be checked.
- *
- * "certdb" is the cert database to use for verifying the certs.
- * It can be NULL if a default database is available (like in the client).
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-NSSCMSMessage *
-NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert,
- CERTCertificate **rcerts,
- CERTCertDBHandle *certdb,
- PK11PasswordFunc pwfn,
- void *pwfn_arg)
-{
- NSSCMSMessage *cmsg;
- long cipher;
- SECOidTag encalg;
- int keysize;
- int mapi, rci;
-
- cipher = smime_choose_cipher (scert, rcerts);
- if (cipher < 0)
- return NULL;
-
- mapi = smime_mapi_by_cipher (cipher);
- if (mapi < 0)
- return NULL;
-
- /*
- * XXX This is stretching it -- CreateEnvelopedData should probably
- * take a cipher itself of some sort, because we cannot know what the
- * future will bring in terms of parameters for each type of algorithm.
- * For example, just an algorithm and keysize is *not* sufficient to
- * fully specify the usage of RC5 (which also needs to know rounds and
- * block size). Work this out into a better API!
- */
- encalg = smime_cipher_map[mapi].algtag;
- keysize = smime_keysize_by_cipher (cipher);
- if (keysize < 0)
- return NULL;
-
- cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
- certdb, encalg, keysize,
- pwfn, pwfn_arg);
- if (cinfo == NULL)
- return NULL;
-
- for (rci = 0; rcerts[rci] != NULL; rci++) {
- if (rcerts[rci] == scert)
- continue;
- if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
- NULL) != SECSuccess) {
- SEC_PKCS7DestroyContentInfo (cinfo);
- return NULL;
- }
- }
-
- return cinfo;
-}
-#endif
-
-
-/*
- * Start an S/MIME signing context.
- *
- * "scert" is the cert that will be used to sign the data. It will be
- * checked for validity.
- *
- * "ecert" is the signer's encryption cert. If it is different from
- * scert, then it will be included in the signed message so that the
- * recipient can save it for future encryptions.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- * XXX There should be SECMIME functions for hashing, or the hashing should
- * be built into this interface, which we would like because we would
- * support more smartcards that way, and then this argument should go away.)
- *
- * "digest" is the actual digest of the data. It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-
-NSSCMSMessage *
-NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert,
- CERTCertificate *ecert,
- CERTCertDBHandle *certdb,
- SECOidTag digestalgtag,
- SECItem *digest,
- PK11PasswordFunc pwfn,
- void *pwfn_arg)
-{
- NSSCMSMessage *cmsg;
- NSSCMSSignedData *sigd;
- NSSCMSSignerInfo *signerinfo;
-
- /* See note in header comment above about digestalg. */
- PORT_Assert (digestalgtag == SEC_OID_SHA1);
-
- cmsg = NSS_CMSMessage_Create(NULL);
- if (cmsg == NULL)
- return NULL;
-
- sigd = NSS_CMSSignedData_Create(cmsg);
- if (sigd == NULL)
- goto loser;
-
- /* create just one signerinfo */
- signerinfo = NSS_CMSSignerInfo_Create(cmsg, scert, digestalgtag);
- if (signerinfo == NULL)
- goto loser;
-
- /* Add the signing time to the signerinfo. */
- if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess)
- goto loser;
-
- /* and add the SMIME profile */
- if (NSS_SMIMESignerInfo_AddSMIMEProfile(signerinfo, scert) != SECSuccess)
- goto loser;
-
- /* now add the signerinfo to the signeddata */
- if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess)
- goto loser;
-
- /* include the signing cert and its entire chain */
- /* note that there are no checks for duplicate certs in place, as all the */
- /* essential data structures (like set of certificate) are not there */
- if (NSS_CMSSignedData_AddCertChain(sigd, scert) != SECSuccess)
- goto loser;
-
- /* If the encryption cert and the signing cert differ, then include
- * the encryption cert too. */
- if ( ( ecert != NULL ) && ( ecert != scert ) ) {
- if (NSS_CMSSignedData_AddCertificate(sigd, ecert) != SECSuccess)
- goto loser;
- }
-
- return cmsg;
-loser:
- if (cmsg)
- NSS_CMSMessage_Destroy(cmsg);
- return NULL;
-}
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
deleted file mode 100644
index 7d98b6a09..000000000
--- a/security/nss/lib/smime/smimeutil.c
+++ /dev/null
@@ -1,714 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Stuff specific to S/MIME policy and interoperability.
- *
- * $Id$
- */
-
-#include "secmime.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "ciferfam.h" /* for CIPHER_FAMILY symbols */
-#include "secasn1.h"
-#include "secitem.h"
-#include "cert.h"
-#include "key.h"
-#include "secerr.h"
-#include "cms.h"
-
-/* various integer's ASN.1 encoding */
-static unsigned char asn1_int40[] = { SEC_ASN1_INTEGER, 0x01, 0x28 };
-static unsigned char asn1_int64[] = { SEC_ASN1_INTEGER, 0x01, 0x40 };
-static unsigned char asn1_int128[] = { SEC_ASN1_INTEGER, 0x02, 0x00, 0x80 };
-
-/* RC2 algorithm parameters (used in smime_cipher_map) */
-static SECItem param_int40 = { siBuffer, asn1_int40, sizeof(asn1_int40) };
-static SECItem param_int64 = { siBuffer, asn1_int64, sizeof(asn1_int64) };
-static SECItem param_int128 = { siBuffer, asn1_int128, sizeof(asn1_int128) };
-
-/*
- * XXX Would like the "parameters" field to be a SECItem *, but the
- * encoder is having trouble with optional pointers to an ANY. Maybe
- * once that is fixed, can change this back...
- */
-typedef struct {
- SECItem capabilityID;
- SECItem parameters;
- long cipher; /* optimization */
-} NSSSMIMECapability;
-
-static const SEC_ASN1Template NSSSMIMECapabilityTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(NSSSMIMECapability) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(NSSSMIMECapability,capabilityID), },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(NSSSMIMECapability,parameters), },
- { 0, }
-};
-
-static const SEC_ASN1Template NSSSMIMECapabilitiesTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, NSSSMIMECapabilityTemplate }
-};
-
-/*
- * NSSSMIMEEncryptionKeyPreference - if we find one of these, it needs to prompt us
- * to store this and only this certificate permanently for the sender email address.
- */
-typedef enum {
- NSSSMIMEEncryptionKeyPref_IssuerSN,
- NSSSMIMEEncryptionKeyPref_RKeyID,
- NSSSMIMEEncryptionKeyPref_SubjectKeyID
-} NSSSMIMEEncryptionKeyPrefSelector;
-
-typedef struct {
- NSSSMIMEEncryptionKeyPrefSelector selector;
- union {
- CERTIssuerAndSN *issuerAndSN;
- NSSCMSRecipientKeyIdentifier *recipientKeyID;
- SECItem *subjectKeyID;
- } id;
-} NSSSMIMEEncryptionKeyPreference;
-
-extern const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[];
-
-static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
- { SEC_ASN1_CHOICE,
- offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
- sizeof(NSSSMIMEEncryptionKeyPreference) },
- { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN),
- CERT_IssuerAndSNTemplate,
- NSSSMIMEEncryptionKeyPref_IssuerSN },
- { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID),
- NSSCMSRecipientKeyIdentifierTemplate,
- NSSSMIMEEncryptionKeyPref_IssuerSN },
- { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID),
- SEC_OctetStringTemplate,
- NSSSMIMEEncryptionKeyPref_SubjectKeyID },
- { 0, }
-};
-
-/* smime_cipher_map - map of SMIME symmetric "ciphers" to algtag & parameters */
-typedef struct {
- unsigned long cipher;
- SECOidTag algtag;
- SECItem *parms;
- PRBool enabled; /* in the user's preferences */
- PRBool allowed; /* per export policy */
-} smime_cipher_map_entry;
-
-/* global: list of supported SMIME symmetric ciphers, ordered roughly by increasing strength */
-static smime_cipher_map_entry smime_cipher_map[] = {
-/* cipher algtag parms enabled allowed */
-/* ---------------------------------------------------------------------------------- */
- { SMIME_RC2_CBC_40, SEC_OID_RC2_CBC, &param_int40, PR_TRUE, PR_TRUE },
- { SMIME_DES_CBC_56, SEC_OID_DES_CBC, NULL, PR_TRUE, PR_TRUE },
- { SMIME_RC2_CBC_64, SEC_OID_RC2_CBC, &param_int64, PR_TRUE, PR_TRUE },
- { SMIME_RC2_CBC_128, SEC_OID_RC2_CBC, &param_int128, PR_TRUE, PR_TRUE },
- { SMIME_DES_EDE3_168, SEC_OID_DES_EDE3_CBC, NULL, PR_TRUE, PR_TRUE },
- { SMIME_FORTEZZA, SEC_OID_FORTEZZA_SKIPJACK, NULL, PR_TRUE, PR_TRUE }
-};
-static const int smime_cipher_map_count = sizeof(smime_cipher_map) / sizeof(smime_cipher_map_entry);
-
-/*
- * smime_mapi_by_cipher - find index into smime_cipher_map by cipher
- */
-static int
-smime_mapi_by_cipher(unsigned long cipher)
-{
- int i;
-
- for (i = 0; i < smime_cipher_map_count; i++) {
- if (smime_cipher_map[i].cipher == cipher)
- return i; /* bingo */
- }
- return -1; /* should not happen if we're consistent, right? */
-}
-
-/*
- * NSS_SMIME_EnableCipher - this function locally records the user's preference
- */
-SECStatus
-NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on)
-{
- unsigned long mask;
- int mapi;
-
- mask = which & CIPHER_FAMILYID_MASK;
-
- PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
- if (mask != CIPHER_FAMILYID_SMIME)
- /* XXX set an error! */
- return SECFailure;
-
- mapi = smime_mapi_by_cipher(which);
- if (mapi < 0)
- /* XXX set an error */
- return SECFailure;
-
- /* do we try to turn on a forbidden cipher? */
- if (!smime_cipher_map[mapi].allowed && on) {
- PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
- return SECFailure;
- }
-
- if (smime_cipher_map[mapi].enabled != on)
- smime_cipher_map[mapi].enabled = on;
-
- return SECSuccess;
-}
-
-
-/*
- * this function locally records the export policy
- */
-SECStatus
-NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on)
-{
- unsigned long mask;
- int mapi;
-
- mask = which & CIPHER_FAMILYID_MASK;
-
- PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
- if (mask != CIPHER_FAMILYID_SMIME)
- /* XXX set an error! */
- return SECFailure;
-
- mapi = smime_mapi_by_cipher(which);
- if (mapi < 0)
- /* XXX set an error */
- return SECFailure;
-
- if (smime_cipher_map[mapi].allowed != on)
- smime_cipher_map[mapi].allowed = on;
-
- return SECSuccess;
-}
-
-/*
- * Based on the given algorithm (including its parameters, in some cases!)
- * and the given key (may or may not be inspected, depending on the
- * algorithm), find the appropriate policy algorithm specification
- * and return it. If no match can be made, -1 is returned.
- */
-static SECStatus
-nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, unsigned long *cipher)
-{
- SECOidTag algtag;
- unsigned int keylen_bits;
- SECStatus rv = SECSuccess;
- unsigned long c;
-
- algtag = SECOID_GetAlgorithmTag(algid);
- switch (algtag) {
- case SEC_OID_RC2_CBC:
- keylen_bits = PK11_GetKeyStrength(key, algid);
- switch (keylen_bits) {
- case 40:
- c = SMIME_RC2_CBC_40;
- case 64:
- c = SMIME_RC2_CBC_64;
- case 128:
- c = SMIME_RC2_CBC_128;
- default:
- rv = SECFailure;
- break;
- }
- break;
- case SEC_OID_DES_CBC:
- c = SMIME_DES_CBC_56;
- case SEC_OID_DES_EDE3_CBC:
- c = SMIME_DES_EDE3_168;
- case SEC_OID_FORTEZZA_SKIPJACK:
- c = SMIME_FORTEZZA;
- default:
- rv = SECFailure;
- }
- if (rv == SECSuccess)
- *cipher = c;
- return rv;
-}
-
-static PRBool
-nss_smime_cipher_allowed(unsigned long which)
-{
- int mapi;
-
- mapi = smime_mapi_by_cipher(which);
- if (mapi < 0)
- return PR_FALSE;
- return smime_cipher_map[mapi].allowed;
-}
-
-PRBool
-NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
-{
- unsigned long which;
-
- if (nss_smime_get_cipher_for_alg_and_key(algid, key, &which) != SECSuccess)
- return PR_FALSE;
-
- return nss_smime_cipher_allowed(which);
-}
-
-
-/*
- * NSS_SMIME_EncryptionPossible - check if any encryption is allowed
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy. Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments. The return value is a simple boolean:
- * PR_TRUE means encryption (or decryption) is *possible*
- * (but may still fail due to other reasons, like because we cannot
- * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- * PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-PRBool
-NSS_SMIMEUtil_EncryptionPossible(void)
-{
- int i;
-
- for (i = 0; i < smime_cipher_map_count; i++) {
- if (smime_cipher_map[i].allowed)
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-
-static int
-nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap)
-{
- int i;
- SECOidTag capIDTag;
-
- /* we need the OIDTag here */
- capIDTag = SECOID_FindOIDTag(&(cap->capabilityID));
-
- /* go over all the SMIME ciphers we know and see if we find a match */
- for (i = 0; i < smime_cipher_map_count; i++) {
- if (smime_cipher_map[i].algtag != capIDTag)
- continue;
- /*
- * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
- * 2 NULLs as equal and NULL and non-NULL as not equal), we could
- * use that here instead of all of the following comparison code.
- */
- if (cap->parameters.data == NULL && smime_cipher_map[i].parms == NULL)
- break; /* both empty: bingo */
-
- if (cap->parameters.data != NULL && smime_cipher_map[i].parms != NULL &&
- cap->parameters.len == smime_cipher_map[i].parms->len &&
- PORT_Memcmp (cap->parameters.data, smime_cipher_map[i].parms->data,
- cap->parameters.len) == 0)
- {
- break; /* both not empty, same length & equal content: bingo */
- }
- }
-
- if (i == smime_cipher_map_count)
- return 0; /* no match found */
- else
- return smime_cipher_map[i].cipher; /* match found, point to cipher */
-}
-
-/*
- * smime_choose_cipher - choose a cipher that works for all the recipients
- *
- * "scert" - sender's certificate
- * "rcerts" - recipient's certificates
- */
-static long
-smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts)
-{
- PRArenaPool *poolp;
- long cipher;
- long chosen_cipher;
- int *cipher_abilities;
- int *cipher_votes;
- int weak_mapi;
- int strong_mapi;
- int rcount, mapi, max, i;
- PRBool scert_is_fortezza = (scert == NULL) ? PR_FALSE : PK11_FortezzaHasKEA(scert);
-
- chosen_cipher = SMIME_RC2_CBC_40; /* the default, LCD */
- weak_mapi = smime_mapi_by_cipher(chosen_cipher);
-
- poolp = PORT_NewArena (1024); /* XXX what is right value? */
- if (poolp == NULL)
- goto done;
-
- cipher_abilities = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
- cipher_votes = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
- if (cipher_votes == NULL || cipher_abilities == NULL)
- goto done;
-
- /* If the user has the Fortezza preference turned on, make
- * that the strong cipher. Otherwise, use triple-DES. */
- strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
- if (scert_is_fortezza) {
- mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
- if (mapi >= 0 && smime_cipher_map[mapi].enabled)
- strong_mapi = mapi;
- }
-
- /* walk all the recipient's certs */
- for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
- SECItem *profile;
- NSSSMIMECapability **caps;
- int pref;
-
- /* the first cipher that matches in the user's SMIME profile gets
- * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1
- * and so on. If every cipher matches, the last one gets 1 (one) vote */
- pref = smime_cipher_map_count;
-
- /* find recipient's SMIME profile */
- profile = CERT_FindSMimeProfile(rcerts[rcount]);
-
- if (profile != NULL && profile->data != NULL && profile->len > 0) {
- /* we have a profile (still DER-encoded) */
- caps = NULL;
- /* decode it */
- if (SEC_ASN1DecodeItem(poolp, &caps, NSSSMIMECapabilitiesTemplate, profile) == SECSuccess &&
- caps != NULL)
- {
- /* walk the SMIME capabilities for this recipient */
- for (i = 0; caps[i] != NULL; i++) {
- cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]);
- mapi = smime_mapi_by_cipher(cipher);
- if (mapi >= 0) {
- /* found the cipher */
- cipher_abilities[mapi]++;
- cipher_votes[mapi] += pref;
- --pref;
- }
- }
- }
- } else {
- /* no profile found - so we can only assume that the user can do
- * the mandatory algorithms which is RC2-40 (weak crypto) and 3DES (strong crypto) */
- SECKEYPublicKey *key;
- unsigned int pklen_bits;
-
- /*
- * if recipient's public key length is > 512, vote for a strong cipher
- * please not that the side effect of this is that if only one recipient
- * has an export-level public key, the strong cipher is disabled.
- *
- * XXX This is probably only good for RSA keys. What I would
- * really like is a function to just say; Is the public key in
- * this cert an export-length key? Then I would not have to
- * know things like the value 512, or the kind of key, or what
- * a subjectPublicKeyInfo is, etc.
- */
- key = CERT_ExtractPublicKey(rcerts[rcount]);
- pklen_bits = 0;
- if (key != NULL) {
- pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
- SECKEY_DestroyPublicKey (key);
- }
-
- if (pklen_bits > 512) {
- /* cast votes for the strong algorithm */
- cipher_abilities[strong_mapi]++;
- cipher_votes[strong_mapi] += pref;
- pref--;
- }
-
- /* always cast (possibly less) votes for the weak algorithm */
- cipher_abilities[weak_mapi]++;
- cipher_votes[weak_mapi] += pref;
- }
- if (profile != NULL)
- SECITEM_FreeItem(profile, PR_TRUE);
- }
-
- /* find cipher that is agreeable by all recipients and that has the most votes */
- max = 0;
- for (mapi = 0; mapi < smime_cipher_map_count; mapi++) {
- /* if not all of the recipients can do this, forget it */
- if (cipher_abilities[mapi] != rcount)
- continue;
- /* if cipher is not enabled or not allowed by policy, forget it */
- if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed)
- continue;
- /* if we're not doing fortezza, but the cipher is fortezza, forget it */
- if (!scert_is_fortezza && (smime_cipher_map[mapi].cipher == SMIME_FORTEZZA))
- continue;
- /* now see if this one has more votes than the last best one */
- if (cipher_votes[mapi] >= max) {
- /* if equal number of votes, prefer the ones further down in the list */
- /* with the expectation that these are higher rated ciphers */
- chosen_cipher = smime_cipher_map[mapi].cipher;
- max = cipher_votes[mapi];
- }
- }
- /* if no common cipher was found, chosen_cipher stays at the default */
-
-done:
- if (poolp != NULL)
- PORT_FreeArena (poolp, PR_FALSE);
-
- return chosen_cipher;
-}
-
-/*
- * XXX This is a hack for now to satisfy our current interface.
- * Eventually, with more parameters needing to be specified, just
- * looking up the keysize is not going to be sufficient.
- */
-static int
-smime_keysize_by_cipher (unsigned long which)
-{
- int keysize;
-
- switch (which) {
- case SMIME_RC2_CBC_40:
- keysize = 40;
- break;
- case SMIME_RC2_CBC_64:
- keysize = 64;
- break;
- case SMIME_RC2_CBC_128:
- keysize = 128;
- break;
- case SMIME_DES_CBC_56:
- case SMIME_DES_EDE3_168:
- case SMIME_FORTEZZA:
- /*
- * These are special; since the key size is fixed, we actually
- * want to *avoid* specifying a key size.
- */
- keysize = 0;
- break;
- default:
- keysize = -1;
- break;
- }
-
- return keysize;
-}
-
-/*
- * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
- *
- * it would be great for UI purposes if there would be a way to find out which recipients
- * prevented a strong cipher from being used...
- */
-SECStatus
-NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize)
-{
- unsigned long cipher;
- int mapi;
-
- cipher = smime_choose_cipher(NULL, rcerts);
- mapi = smime_mapi_by_cipher(cipher);
-
- *bulkalgtag = smime_cipher_map[mapi].algtag;
- *keysize = smime_keysize_by_cipher(smime_cipher_map[mapi].algtag);
-
- return SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS
- *
- * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
- * S/MIME capabilities attribute value.
- *
- * XXX Please note that, in contradiction to RFC2633 2.5.2, the capabilities only include
- * symmetric ciphers, NO signature algorithms or key encipherment algorithms.
- *
- * "poolp" - arena pool to create the S/MIME capabilities data on
- * "dest" - SECItem to put the data in
- * "includeFortezzaCiphers" - PR_TRUE if fortezza ciphers should be included
- */
-SECStatus
-NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers)
-{
- NSSSMIMECapability *cap;
- NSSSMIMECapability **smime_capabilities;
- smime_cipher_map_entry *map;
- SECOidData *oiddata;
- SECItem *dummy;
- int i, capIndex;
-
- /* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */
- /* smime_cipher_map_count + 1 is an upper bound - we might end up with less */
- smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1)
- * sizeof(NSSSMIMECapability *));
- if (smime_capabilities == NULL)
- return SECFailure;
-
- capIndex = 0;
-
- /* Add all the symmetric ciphers
- * We walk the cipher list backwards, as it is ordered by increasing strength,
- * we prefer the stronger cipher over a weaker one, and we have to list the
- * preferred algorithm first */
- for (i = smime_cipher_map_count - 1; i >= 0; i--) {
- /* Find the corresponding entry in the cipher map. */
- map = &(smime_cipher_map[i]);
- if (!map->enabled)
- continue;
-
- /* If we're using a non-Fortezza cert, only advertise non-Fortezza
- capabilities. (We advertise all capabilities if we have a
- Fortezza cert.) */
- if ((!includeFortezzaCiphers) && (map->cipher == SMIME_FORTEZZA))
- continue;
-
- /* get next SMIME capability */
- cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability));
- if (cap == NULL)
- break;
- smime_capabilities[capIndex++] = cap;
-
- oiddata = SECOID_FindOIDByTag(map->algtag);
- if (oiddata == NULL)
- break;
-
- cap->capabilityID.data = oiddata->oid.data;
- cap->capabilityID.len = oiddata->oid.len;
- cap->parameters.data = map->parms ? map->parms->data : NULL;
- cap->parameters.len = map->parms ? map->parms->len : 0;
- cap->cipher = smime_cipher_map[i].cipher;
- }
-
- /* XXX add signature algorithms */
- /* XXX add key encipherment algorithms */
-
- smime_capabilities[capIndex] = NULL; /* last one - now encode */
- dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate);
-
- /* now that we have the proper encoded SMIMECapabilities (or not),
- * free the work data */
- for (i = 0; smime_capabilities[i] != NULL; i++)
- PORT_Free(smime_capabilities[i]);
- PORT_Free(smime_capabilities);
-
- return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
- *
- * "poolp" - arena pool to create the attr value on
- * "dest" - SECItem to put the data in
- * "cert" - certificate that should be marked as preferred encryption key
- * cert is expected to have been verified for EmailRecipient usage.
- */
-SECStatus
-NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
-{
- NSSSMIMEEncryptionKeyPreference ekp;
- SECItem *dummy = NULL;
- PLArenaPool *tmppoolp;
-
- if (cert == NULL)
- goto loser;
-
- tmppoolp = PORT_NewArena(1024);
- if (tmppoolp == NULL)
- goto loser;
-
- /* XXX hardcoded IssuerSN choice for now */
- ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN;
- ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert);
- if (ekp.id.issuerAndSN == NULL)
- goto loser;
-
- dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template);
-
-loser:
- if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
-
- return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference -
- * find cert marked by EncryptionKeyPreference attribute
- *
- * "certdb" - handle for the cert database to look in
- * "DERekp" - DER-encoded value of S/MIME Encryption Key Preference attribute
- *
- * if certificate is supposed to be found among the message's included certificates,
- * they are assumed to have been imported already.
- */
-CERTCertificate *
-NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp)
-{
- PLArenaPool *tmppoolp = NULL;
- CERTCertificate *cert = NULL;
- NSSSMIMEEncryptionKeyPreference ekp;
-
- tmppoolp = PORT_NewArena(1024);
- if (tmppoolp == NULL)
- return NULL;
-
- /* decode DERekp */
- if (SEC_ASN1DecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template, DERekp) != SECSuccess)
- goto loser;
-
- /* find cert */
- switch (ekp.selector) {
- case NSSSMIMEEncryptionKeyPref_IssuerSN:
- cert = CERT_FindCertByIssuerAndSN(certdb, ekp.id.issuerAndSN);
- break;
- case NSSSMIMEEncryptionKeyPref_RKeyID:
- case NSSSMIMEEncryptionKeyPref_SubjectKeyID:
- /* XXX not supported yet - we need to be able to look up certs by SubjectKeyID */
- break;
- default:
- PORT_Assert(0);
- }
-loser:
- if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
-
- return cert;
-}
diff --git a/security/nss/lib/softoken/Makefile b/security/nss/lib/softoken/Makefile
deleted file mode 100644
index ad4d0cc4d..000000000
--- a/security/nss/lib/softoken/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-export:: private_export
-
-
diff --git a/security/nss/lib/softoken/alghmac.c b/security/nss/lib/softoken/alghmac.c
deleted file mode 100644
index ff320da09..000000000
--- a/security/nss/lib/softoken/alghmac.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "alghmac.h"
-#include "sechash.h"
-#include "secoid.h"
-#include "secport.h"
-
-#define HMAC_PAD_SIZE 64
-
-struct HMACContextStr {
- void *hash;
- SECHashObject *hashobj;
- unsigned char ipad[HMAC_PAD_SIZE];
- unsigned char opad[HMAC_PAD_SIZE];
-};
-
-void
-HMAC_Destroy(HMACContext *cx)
-{
- if (cx == NULL)
- return;
-
- if (cx->hash != NULL)
- cx->hashobj->destroy(cx->hash, PR_TRUE);
- PORT_ZFree(cx, sizeof(HMACContext));
-}
-
-HMACContext *
-HMAC_Create(SECOidTag hash_alg,
- const unsigned char *secret,
- unsigned int secret_len)
-{
- HMACContext *cx;
- int i;
- unsigned char hashed_secret[SHA1_LENGTH];
-
- cx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
- if (cx == NULL)
- return NULL;
-
- switch (hash_alg) {
- case SEC_OID_MD5:
- cx->hashobj = &SECRawHashObjects[HASH_AlgMD5];
- break;
- case SEC_OID_MD2:
- cx->hashobj = &SECRawHashObjects[HASH_AlgMD2];
- break;
- case SEC_OID_SHA1:
- cx->hashobj = &SECRawHashObjects[HASH_AlgSHA1];
- break;
- default:
- goto loser;
- }
-
- cx->hash = cx->hashobj->create();
- if (cx->hash == NULL)
- goto loser;
-
- if (secret_len > HMAC_PAD_SIZE) {
- cx->hashobj->begin( cx->hash);
- cx->hashobj->update(cx->hash, secret, secret_len);
- cx->hashobj->end( cx->hash, hashed_secret, &secret_len,
- sizeof hashed_secret);
- if (secret_len != cx->hashobj->length)
- goto loser;
- secret = (const unsigned char *)&hashed_secret[0];
- }
-
- PORT_Memset(cx->ipad, 0x36, sizeof cx->ipad);
- PORT_Memset(cx->opad, 0x5c, sizeof cx->opad);
-
- /* fold secret into padding */
- for (i = 0; i < secret_len; i++) {
- cx->ipad[i] ^= secret[i];
- cx->opad[i] ^= secret[i];
- }
- PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
- return cx;
-
-loser:
- PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
- HMAC_Destroy(cx);
- return NULL;
-}
-
-void
-HMAC_Begin(HMACContext *cx)
-{
- /* start inner hash */
- cx->hashobj->begin(cx->hash);
- cx->hashobj->update(cx->hash, cx->ipad, sizeof(cx->ipad));
-}
-
-void
-HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
-{
- cx->hashobj->update(cx->hash, data, data_len);
-}
-
-SECStatus
-HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
- unsigned int max_result_len)
-{
- if (max_result_len < cx->hashobj->length)
- return SECFailure;
-
- cx->hashobj->end(cx->hash, result, result_len, max_result_len);
- if (*result_len != cx->hashobj->length)
- return SECFailure;
-
- cx->hashobj->begin(cx->hash);
- cx->hashobj->update(cx->hash, cx->opad, sizeof(cx->opad));
- cx->hashobj->update(cx->hash, result, *result_len);
- cx->hashobj->end(cx->hash, result, result_len, max_result_len);
- return SECSuccess;
-}
-
-HMACContext *
-HMAC_Clone(HMACContext *cx)
-{
- HMACContext *newcx;
-
- newcx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
- if (newcx == NULL)
- goto loser;
-
- newcx->hashobj = cx->hashobj;
- newcx->hash = cx->hashobj->clone(cx->hash);
- if (newcx->hash == NULL)
- goto loser;
- PORT_Memcpy(newcx->ipad, cx->ipad, sizeof(cx->ipad));
- PORT_Memcpy(newcx->opad, cx->opad, sizeof(cx->opad));
- return newcx;
-
-loser:
- HMAC_Destroy(newcx);
- return NULL;
-}
diff --git a/security/nss/lib/softoken/alghmac.h b/security/nss/lib/softoken/alghmac.h
deleted file mode 100644
index 10d598267..000000000
--- a/security/nss/lib/softoken/alghmac.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _ALGHMAC_H_
-#define _ALGHMAC_H_
-
-#include "secoid.h"
-
-typedef struct HMACContextStr HMACContext;
-
-SEC_BEGIN_PROTOS
-
-/* destroy HMAC context */
-extern void
-HMAC_Destroy(HMACContext *cx);
-
-/* create HMAC context
- * hash_alg the algorithm with which the HMAC is performed. This
- * should be, SEC_OID_MD5, SEC_OID_SHA1, or SEC_OID_MD2.
- * secret the secret with which the HMAC is performed.
- * secret_len the length of the secret, limited to at most 64 bytes.
- *
- * NULL is returned if an error occurs or the secret is > 64 bytes.
- */
-extern HMACContext *
-HMAC_Create(SECOidTag hash_alg, const unsigned char *secret,
- unsigned int secret_len);
-
-/* reset HMAC for a fresh round */
-extern void
-HMAC_Begin(HMACContext *cx);
-
-/* update HMAC
- * cx HMAC Context
- * data the data to perform HMAC on
- * data_len the length of the data to process
- */
-extern void
-HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len);
-
-/* Finish HMAC -- place the results within result
- * cx HMAC context
- * result buffer for resulting hmac'd data
- * result_len where the resultant hmac length is stored
- * max_result_len maximum possible length that can be stored in result
- */
-extern SECStatus
-HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
- unsigned int max_result_len);
-
-/* clone a copy of the HMAC state. this is usefult when you would
- * need to keep a running hmac but also need to extract portions
- * partway through the process.
- */
-extern HMACContext *
-HMAC_Clone(HMACContext *cx);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/softoken/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
deleted file mode 100644
index a96a70959..000000000
--- a/security/nss/lib/softoken/fipstest.c
+++ /dev/null
@@ -1,1093 +0,0 @@
-/*
- * PKCS #11 FIPS Power-Up Self Test.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "softoken.h" /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB, */
- /* DES-CBC, DES3-ECB, DES3-CBC, RSA */
- /* and DSA. */
-#include "seccomon.h" /* Required for RSA and DSA. */
-#include "keylow.h" /* Required for RSA and DSA. */
-#include "pkcs11.h" /* Required for PKCS #11. */
-#include "secerr.h"
-
-/* FIPS preprocessor directives for RC2-ECB and RC2-CBC. */
-#define FIPS_RC2_KEY_LENGTH 5 /* 40-bits */
-#define FIPS_RC2_ENCRYPT_LENGTH 8 /* 64-bits */
-#define FIPS_RC2_DECRYPT_LENGTH 8 /* 64-bits */
-
-
-/* FIPS preprocessor directives for RC4. */
-#define FIPS_RC4_KEY_LENGTH 5 /* 40-bits */
-#define FIPS_RC4_ENCRYPT_LENGTH 8 /* 64-bits */
-#define FIPS_RC4_DECRYPT_LENGTH 8 /* 64-bits */
-
-
-/* FIPS preprocessor directives for DES-ECB and DES-CBC. */
-#define FIPS_DES_ENCRYPT_LENGTH 8 /* 64-bits */
-#define FIPS_DES_DECRYPT_LENGTH 8 /* 64-bits */
-
-
-/* FIPS preprocessor directives for DES3-CBC and DES3-ECB. */
-#define FIPS_DES3_ENCRYPT_LENGTH 8 /* 64-bits */
-#define FIPS_DES3_DECRYPT_LENGTH 8 /* 64-bits */
-
-
-/* FIPS preprocessor directives for MD2. */
-#define FIPS_MD2_HASH_MESSAGE_LENGTH 64 /* 512-bits */
-
-
-/* FIPS preprocessor directives for MD5. */
-#define FIPS_MD5_HASH_MESSAGE_LENGTH 64 /* 512-bits */
-
-
-/* FIPS preprocessor directives for SHA-1. */
-#define FIPS_SHA1_HASH_MESSAGE_LENGTH 64 /* 512-bits */
-
-
-/* FIPS preprocessor directives for RSA. */
-#define FIPS_RSA_TYPE siBuffer
-#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 1 /* 8-bits */
-#define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */
-#define FIPS_RSA_MESSAGE_LENGTH 16 /* 128-bits */
-#define FIPS_RSA_COEFFICIENT_LENGTH 32 /* 256-bits */
-#define FIPS_RSA_PRIME0_LENGTH 33 /* 264-bits */
-#define FIPS_RSA_PRIME1_LENGTH 33 /* 264-bits */
-#define FIPS_RSA_EXPONENT0_LENGTH 33 /* 264-bits */
-#define FIPS_RSA_EXPONENT1_LENGTH 33 /* 264-bits */
-#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 64 /* 512-bits */
-#define FIPS_RSA_ENCRYPT_LENGTH 64 /* 512-bits */
-#define FIPS_RSA_DECRYPT_LENGTH 64 /* 512-bits */
-#define FIPS_RSA_CRYPTO_LENGTH 64 /* 512-bits */
-#define FIPS_RSA_SIGNATURE_LENGTH 64 /* 512-bits */
-#define FIPS_RSA_MODULUS_LENGTH 65 /* 520-bits */
-
-
-/* FIPS preprocessor directives for DSA. */
-#define FIPS_DSA_TYPE siBuffer
-#define FIPS_DSA_DIGEST_LENGTH 20 /* 160-bits */
-#define FIPS_DSA_SUBPRIME_LENGTH 20 /* 160-bits */
-#define FIPS_DSA_SIGNATURE_LENGTH 40 /* 320-bits */
-#define FIPS_DSA_PRIME_LENGTH 64 /* 512-bits */
-#define FIPS_DSA_BASE_LENGTH 64 /* 512-bits */
-
-static CK_RV
-pk11_fips_RC2_PowerUpSelfTest( void )
-{
- /* RC2 Known Key (40-bits). */
- static PRUint8 rc2_known_key[] = { "RSARC" };
-
- /* RC2-CBC Known Initialization Vector (64-bits). */
- static PRUint8 rc2_cbc_known_initialization_vector[] = {"Security"};
-
- /* RC2 Known Plaintext (64-bits). */
- static PRUint8 rc2_ecb_known_plaintext[] = {"Netscape"};
- static PRUint8 rc2_cbc_known_plaintext[] = {"Netscape"};
-
- /* RC2 Known Ciphertext (64-bits). */
- static PRUint8 rc2_ecb_known_ciphertext[] = {
- 0x1a,0x71,0x33,0x54,0x8d,0x5c,0xd2,0x30};
- static PRUint8 rc2_cbc_known_ciphertext[] = {
- 0xff,0x41,0xdb,0x94,0x8a,0x4c,0x33,0xb3};
-
- /* RC2 variables. */
- PRUint8 rc2_computed_ciphertext[FIPS_RC2_ENCRYPT_LENGTH];
- PRUint8 rc2_computed_plaintext[FIPS_RC2_DECRYPT_LENGTH];
- RC2Context * rc2_context;
- unsigned int rc2_bytes_encrypted;
- unsigned int rc2_bytes_decrypted;
- SECStatus rc2_status;
-
-
- /******************************************************/
- /* RC2-ECB Single-Round Known Answer Encryption Test: */
- /******************************************************/
-
- rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
- NULL, NSS_RC2,
- FIPS_RC2_KEY_LENGTH );
-
- if( rc2_context == NULL )
- return( CKR_HOST_MEMORY );
-
- rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
- &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
- rc2_ecb_known_plaintext,
- FIPS_RC2_DECRYPT_LENGTH );
-
- RC2_DestroyContext( rc2_context, PR_TRUE );
-
- if( ( rc2_status != SECSuccess ) ||
- ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( rc2_computed_ciphertext, rc2_ecb_known_ciphertext,
- FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /******************************************************/
- /* RC2-ECB Single-Round Known Answer Decryption Test: */
- /******************************************************/
-
- rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
- NULL, NSS_RC2,
- FIPS_RC2_KEY_LENGTH );
-
- if( rc2_context == NULL )
- return( CKR_HOST_MEMORY );
-
- rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
- &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
- rc2_ecb_known_ciphertext,
- FIPS_RC2_ENCRYPT_LENGTH );
-
- RC2_DestroyContext( rc2_context, PR_TRUE );
-
- if( ( rc2_status != SECSuccess ) ||
- ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
- FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /******************************************************/
- /* RC2-CBC Single-Round Known Answer Encryption Test: */
- /******************************************************/
-
- rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
- rc2_cbc_known_initialization_vector,
- NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
-
- if( rc2_context == NULL )
- return( CKR_HOST_MEMORY );
-
- rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
- &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
- rc2_cbc_known_plaintext,
- FIPS_RC2_DECRYPT_LENGTH );
-
- RC2_DestroyContext( rc2_context, PR_TRUE );
-
- if( ( rc2_status != SECSuccess ) ||
- ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( rc2_computed_ciphertext, rc2_cbc_known_ciphertext,
- FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /******************************************************/
- /* RC2-CBC Single-Round Known Answer Decryption Test: */
- /******************************************************/
-
- rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
- rc2_cbc_known_initialization_vector,
- NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
-
- if( rc2_context == NULL )
- return( CKR_HOST_MEMORY );
-
- rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
- &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
- rc2_cbc_known_ciphertext,
- FIPS_RC2_ENCRYPT_LENGTH );
-
- RC2_DestroyContext( rc2_context, PR_TRUE );
-
- if( ( rc2_status != SECSuccess ) ||
- ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
- FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_RC4_PowerUpSelfTest( void )
-{
- /* RC4 Known Key (40-bits). */
- static PRUint8 rc4_known_key[] = { "RSARC" };
-
- /* RC4 Known Plaintext (64-bits). */
- static PRUint8 rc4_known_plaintext[] = { "Netscape" };
-
- /* RC4 Known Ciphertext (64-bits). */
- static PRUint8 rc4_known_ciphertext[] = {
- 0x29,0x33,0xc7,0x9a,0x9d,0x6c,0x09,0xdd};
-
- /* RC4 variables. */
- PRUint8 rc4_computed_ciphertext[FIPS_RC4_ENCRYPT_LENGTH];
- PRUint8 rc4_computed_plaintext[FIPS_RC4_DECRYPT_LENGTH];
- RC4Context * rc4_context;
- unsigned int rc4_bytes_encrypted;
- unsigned int rc4_bytes_decrypted;
- SECStatus rc4_status;
-
-
- /**************************************************/
- /* RC4 Single-Round Known Answer Encryption Test: */
- /**************************************************/
-
- rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
-
- if( rc4_context == NULL )
- return( CKR_HOST_MEMORY );
-
- rc4_status = RC4_Encrypt( rc4_context, rc4_computed_ciphertext,
- &rc4_bytes_encrypted, FIPS_RC4_ENCRYPT_LENGTH,
- rc4_known_plaintext, FIPS_RC4_DECRYPT_LENGTH );
-
- RC4_DestroyContext( rc4_context, PR_TRUE );
-
- if( ( rc4_status != SECSuccess ) ||
- ( rc4_bytes_encrypted != FIPS_RC4_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( rc4_computed_ciphertext, rc4_known_ciphertext,
- FIPS_RC4_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /**************************************************/
- /* RC4 Single-Round Known Answer Decryption Test: */
- /**************************************************/
-
- rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
-
- if( rc4_context == NULL )
- return( CKR_HOST_MEMORY );
-
- rc4_status = RC4_Decrypt( rc4_context, rc4_computed_plaintext,
- &rc4_bytes_decrypted, FIPS_RC4_DECRYPT_LENGTH,
- rc4_known_ciphertext, FIPS_RC4_ENCRYPT_LENGTH );
-
- RC4_DestroyContext( rc4_context, PR_TRUE );
-
- if( ( rc4_status != SECSuccess ) ||
- ( rc4_bytes_decrypted != FIPS_RC4_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( rc4_computed_plaintext, rc4_known_plaintext,
- FIPS_RC4_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_DES_PowerUpSelfTest( void )
-{
- /* DES Known Key (56-bits). */
- static PRUint8 des_known_key[] = { "ANSI DES" };
-
- /* DES-CBC Known Initialization Vector (64-bits). */
- static PRUint8 des_cbc_known_initialization_vector[] = { "Security" };
-
- /* DES Known Plaintext (64-bits). */
- static PRUint8 des_ecb_known_plaintext[] = { "Netscape" };
- static PRUint8 des_cbc_known_plaintext[] = { "Netscape" };
-
- /* DES Known Ciphertext (64-bits). */
- static PRUint8 des_ecb_known_ciphertext[] = {
- 0x26,0x14,0xe9,0xc3,0x28,0x80,0x50,0xb0};
- static PRUint8 des_cbc_known_ciphertext[] = {
- 0x5e,0x95,0x94,0x5d,0x76,0xa2,0xd3,0x7d};
-
- /* DES variables. */
- PRUint8 des_computed_ciphertext[FIPS_DES_ENCRYPT_LENGTH];
- PRUint8 des_computed_plaintext[FIPS_DES_DECRYPT_LENGTH];
- DESContext * des_context;
- unsigned int des_bytes_encrypted;
- unsigned int des_bytes_decrypted;
- SECStatus des_status;
-
-
- /******************************************************/
- /* DES-ECB Single-Round Known Answer Encryption Test: */
- /******************************************************/
-
- des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_TRUE );
-
- if( des_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des_status = DES_Encrypt( des_context, des_computed_ciphertext,
- &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
- des_ecb_known_plaintext,
- FIPS_DES_DECRYPT_LENGTH );
-
- DES_DestroyContext( des_context, PR_TRUE );
-
- if( ( des_status != SECSuccess ) ||
- ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( des_computed_ciphertext, des_ecb_known_ciphertext,
- FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /******************************************************/
- /* DES-ECB Single-Round Known Answer Decryption Test: */
- /******************************************************/
-
- des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_FALSE );
-
- if( des_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des_status = DES_Decrypt( des_context, des_computed_plaintext,
- &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
- des_ecb_known_ciphertext,
- FIPS_DES_ENCRYPT_LENGTH );
-
- DES_DestroyContext( des_context, PR_TRUE );
-
- if( ( des_status != SECSuccess ) ||
- ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( des_computed_plaintext, des_ecb_known_plaintext,
- FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /******************************************************/
- /* DES-CBC Single-Round Known Answer Encryption Test. */
- /******************************************************/
-
- des_context = DES_CreateContext( des_known_key,
- des_cbc_known_initialization_vector,
- NSS_DES_CBC, PR_TRUE );
-
- if( des_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des_status = DES_Encrypt( des_context, des_computed_ciphertext,
- &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
- des_cbc_known_plaintext,
- FIPS_DES_DECRYPT_LENGTH );
-
- DES_DestroyContext( des_context, PR_TRUE );
-
- if( ( des_status != SECSuccess ) ||
- ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( des_computed_ciphertext, des_cbc_known_ciphertext,
- FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /******************************************************/
- /* DES-CBC Single-Round Known Answer Decryption Test. */
- /******************************************************/
-
- des_context = DES_CreateContext( des_known_key,
- des_cbc_known_initialization_vector,
- NSS_DES_CBC, PR_FALSE );
-
- if( des_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des_status = DES_Decrypt( des_context, des_computed_plaintext,
- &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
- des_cbc_known_ciphertext,
- FIPS_DES_ENCRYPT_LENGTH );
-
- DES_DestroyContext( des_context, PR_TRUE );
-
- if( ( des_status != SECSuccess ) ||
- ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( des_computed_plaintext, des_cbc_known_plaintext,
- FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_DES3_PowerUpSelfTest( void )
-{
- /* DES3 Known Key (56-bits). */
- static PRUint8 des3_known_key[] = { "ANSI Triple-DES Key Data" };
-
- /* DES3-CBC Known Initialization Vector (64-bits). */
- static PRUint8 des3_cbc_known_initialization_vector[] = { "Security" };
-
- /* DES3 Known Plaintext (64-bits). */
- static PRUint8 des3_ecb_known_plaintext[] = { "Netscape" };
- static PRUint8 des3_cbc_known_plaintext[] = { "Netscape" };
-
- /* DES3 Known Ciphertext (64-bits). */
- static PRUint8 des3_ecb_known_ciphertext[] = {
- 0x55,0x8e,0xad,0x3c,0xee,0x49,0x69,0xbe};
- static PRUint8 des3_cbc_known_ciphertext[] = {
- 0x43,0xdc,0x6a,0xc1,0xaf,0xa6,0x32,0xf5};
-
- /* DES3 variables. */
- PRUint8 des3_computed_ciphertext[FIPS_DES3_ENCRYPT_LENGTH];
- PRUint8 des3_computed_plaintext[FIPS_DES3_DECRYPT_LENGTH];
- DESContext * des3_context;
- unsigned int des3_bytes_encrypted;
- unsigned int des3_bytes_decrypted;
- SECStatus des3_status;
-
-
- /*******************************************************/
- /* DES3-ECB Single-Round Known Answer Encryption Test. */
- /*******************************************************/
-
- des3_context = DES_CreateContext( des3_known_key, NULL,
- NSS_DES_EDE3, PR_TRUE );
-
- if( des3_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
- &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
- des3_ecb_known_plaintext,
- FIPS_DES3_DECRYPT_LENGTH );
-
- DES_DestroyContext( des3_context, PR_TRUE );
-
- if( ( des3_status != SECSuccess ) ||
- ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( des3_computed_ciphertext, des3_ecb_known_ciphertext,
- FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /*******************************************************/
- /* DES3-ECB Single-Round Known Answer Decryption Test. */
- /*******************************************************/
-
- des3_context = DES_CreateContext( des3_known_key, NULL,
- NSS_DES_EDE3, PR_FALSE );
-
- if( des3_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
- &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
- des3_ecb_known_ciphertext,
- FIPS_DES3_ENCRYPT_LENGTH );
-
- DES_DestroyContext( des3_context, PR_TRUE );
-
- if( ( des3_status != SECSuccess ) ||
- ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( des3_computed_plaintext, des3_ecb_known_plaintext,
- FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /*******************************************************/
- /* DES3-CBC Single-Round Known Answer Encryption Test. */
- /*******************************************************/
-
- des3_context = DES_CreateContext( des3_known_key,
- des3_cbc_known_initialization_vector,
- NSS_DES_EDE3_CBC, PR_TRUE );
-
- if( des3_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
- &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
- des3_cbc_known_plaintext,
- FIPS_DES3_DECRYPT_LENGTH );
-
- DES_DestroyContext( des3_context, PR_TRUE );
-
- if( ( des3_status != SECSuccess ) ||
- ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
- ( PORT_Memcmp( des3_computed_ciphertext, des3_cbc_known_ciphertext,
- FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
-
- /*******************************************************/
- /* DES3-CBC Single-Round Known Answer Decryption Test. */
- /*******************************************************/
-
- des3_context = DES_CreateContext( des3_known_key,
- des3_cbc_known_initialization_vector,
- NSS_DES_EDE3_CBC, PR_FALSE );
-
- if( des3_context == NULL )
- return( CKR_HOST_MEMORY );
-
- des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
- &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
- des3_cbc_known_ciphertext,
- FIPS_DES3_ENCRYPT_LENGTH );
-
- DES_DestroyContext( des3_context, PR_TRUE );
-
- if( ( des3_status != SECSuccess ) ||
- ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
- ( PORT_Memcmp( des3_computed_plaintext, des3_cbc_known_plaintext,
- FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_MD2_PowerUpSelfTest( void )
-{
- /* MD2 Known Hash Message (512-bits). */
- static PRUint8 md2_known_hash_message[] = {
- "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
-
- /* MD2 Known Digest Message (128-bits). */
- static PRUint8 md2_known_digest[] = {
- 0x41,0x5a,0x12,0xb2,0x3f,0x28,0x97,0x17,
- 0x0c,0x71,0x4e,0xcc,0x40,0xc8,0x1d,0x1b};
-
- /* MD2 variables. */
- MD2Context * md2_context;
- unsigned int md2_bytes_hashed;
- PRUint8 md2_computed_digest[MD2_LENGTH];
-
-
- /***********************************************/
- /* MD2 Single-Round Known Answer Hashing Test. */
- /***********************************************/
-
- md2_context = MD2_NewContext();
-
- if( md2_context == NULL )
- return( CKR_HOST_MEMORY );
-
- MD2_Begin( md2_context );
-
- MD2_Update( md2_context, md2_known_hash_message,
- FIPS_MD2_HASH_MESSAGE_LENGTH );
-
- MD2_End( md2_context, md2_computed_digest, &md2_bytes_hashed, MD2_LENGTH );
-
- MD2_DestroyContext( md2_context , PR_TRUE );
-
- if( ( md2_bytes_hashed != MD2_LENGTH ) ||
- ( PORT_Memcmp( md2_computed_digest, md2_known_digest,
- MD2_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_MD5_PowerUpSelfTest( void )
-{
- /* MD5 Known Hash Message (512-bits). */
- static PRUint8 md5_known_hash_message[] = {
- "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
-
- /* MD5 Known Digest Message (128-bits). */
- static PRUint8 md5_known_digest[] = {
- 0x25,0xc8,0xc0,0x10,0xc5,0x6e,0x68,0x28,
- 0x28,0xa4,0xa5,0xd2,0x98,0x9a,0xea,0x2d};
-
- /* MD5 variables. */
- PRUint8 md5_computed_digest[MD5_LENGTH];
- SECStatus md5_status;
-
-
- /***********************************************/
- /* MD5 Single-Round Known Answer Hashing Test. */
- /***********************************************/
-
- md5_status = MD5_HashBuf( md5_computed_digest, md5_known_hash_message,
- FIPS_MD5_HASH_MESSAGE_LENGTH );
-
- if( ( md5_status != SECSuccess ) ||
- ( PORT_Memcmp( md5_computed_digest, md5_known_digest,
- MD5_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_SHA1_PowerUpSelfTest( void )
-{
- /* SHA-1 Known Hash Message (512-bits). */
- static PRUint8 sha1_known_hash_message[] = {
- "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
-
- /* SHA-1 Known Digest Message (160-bits). */
- static PRUint8 sha1_known_digest[] = {
- 0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b,
- 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
- 0xe0,0x68,0x47,0x7a};
-
- /* SHA-1 variables. */
- PRUint8 sha1_computed_digest[SHA1_LENGTH];
- SECStatus sha1_status;
-
-
- /*************************************************/
- /* SHA-1 Single-Round Known Answer Hashing Test. */
- /*************************************************/
-
- sha1_status = SHA1_HashBuf( sha1_computed_digest, sha1_known_hash_message,
- FIPS_SHA1_HASH_MESSAGE_LENGTH );
-
- if( ( sha1_status != SECSuccess ) ||
- ( PORT_Memcmp( sha1_computed_digest, sha1_known_digest,
- SHA1_LENGTH ) != 0 ) )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-}
-
-
-static CK_RV
-pk11_fips_RSA_PowerUpSelfTest( void )
-{
- /* RSA Known Modulus used in both Public/Private Key Values (520-bits). */
- static PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
- 0x00,0xa1,0xe9,0x5e,0x66,0x88,0xe2,0xf2,
- 0x2b,0xe7,0x70,0x36,0x33,0xbc,0xeb,0x55,
- 0x55,0xf1,0x60,0x18,0x3c,0xfb,0xd2,0x79,
- 0xf6,0xc4,0xb8,0x09,0xe3,0x12,0xf6,0x63,
- 0x6d,0xc7,0x8e,0x19,0xc0,0x0e,0x10,0x78,
- 0xc1,0xfe,0x2a,0x41,0x74,0x2d,0xf7,0xc4,
- 0x69,0xa7,0x3c,0xbc,0x8a,0xc8,0x31,0x2b,
- 0x4f,0x60,0xf0,0xf1,0xec,0x5a,0x29,0xec,
- 0x6b};
-
- /* RSA Known Public Key Values (8-bits). */
- static PRUint8 rsa_public_exponent[] = { 0x03 };
-
- /* RSA Known Private Key Values (version is 8-bits), */
- /* (private exponent is 512-bits), */
- /* (private prime0 is 264-bits), */
- /* (private prime1 is 264-bits), */
- /* (private prime exponent0 is 264-bits), */
- /* (private prime exponent1 is 264-bits), */
- /* and (private coefficient is 256-bits). */
- static PRUint8 rsa_version[] = { 0x00 };
- static PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = {
- 0x6b,0xf0,0xe9,0x99,0xb0,0x97,0x4c,0x1d,
- 0x44,0xf5,0x79,0x77,0xd3,0x47,0x8e,0x39,
- 0x4b,0x95,0x65,0x7d,0xfd,0x36,0xfb,0xf9,
- 0xd8,0x7a,0xb1,0x42,0x0c,0xa4,0x42,0x48,
- 0x20,0x1c,0x6b,0x7d,0x5d,0xa3,0x58,0xd6,
- 0x95,0xd6,0x41,0xe3,0xd6,0x73,0xad,0xdb,
- 0x3b,0x89,0x00,0x8a,0xcd,0x1d,0xb9,0x06,
- 0xac,0xac,0x0e,0x02,0x72,0x1c,0xf8,0xab };
- static PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = {
- 0x00,0xd2,0x2c,0x9d,0xef,0x7c,0x8f,0x58,
- 0x93,0x19,0xa1,0x77,0x0e,0x38,0x3e,0x85,
- 0xb4,0xaf,0xcc,0x99,0xa5,0x43,0xbf,0x97,
- 0xdc,0x46,0xb8,0x3f,0x6e,0x85,0x18,0x00,
- 0x81};
- static PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = {
- 0x00,0xc5,0x36,0xda,0x94,0x85,0x0c,0x1a,
- 0xed,0x03,0xc7,0x67,0x90,0x34,0x0b,0xb9,
- 0xec,0x1e,0x22,0xa2,0x15,0x50,0xc4,0xfd,
- 0xe9,0x17,0x36,0x9d,0x7a,0x29,0xe6,0x76,
- 0xeb};
- static PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
- 0x00,0x8c,0x1d,0xbe,0x9f,0xa8,
- 0x5f,0x90,0x62,0x11,0x16,0x4f,
- 0x5e,0xd0,0x29,0xae,0x78,0x75,
- 0x33,0x11,0x18,0xd7,0xd5,0x0f,
- 0xe8,0x2f,0x25,0x7f,0x9f,0x03,
- 0x65,0x55,0xab};
- static PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
- 0x00,0x83,0x79,0xe7,0x0d,0xae,
- 0x08,0x11,0xf3,0x57,0xda,0x45,
- 0x0a,0xcd,0x5d,0x26,0x9d,0x69,
- 0x6c,0x6c,0x0e,0x35,0xd8,0xa9,
- 0x46,0x0f,0x79,0xbe,0x51,0x71,
- 0x44,0x4f,0x47};
- static PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
- 0x54,0x8d,0xb8,0xdc,0x8b,0xde,0xbb,
- 0x08,0xc9,0x67,0xb7,0xa9,0x5f,0xa5,
- 0xc4,0x5e,0x67,0xaa,0xfe,0x1a,0x08,
- 0xeb,0x48,0x43,0xcb,0xb0,0xb9,0x38,
- 0x3a,0x31,0x39,0xde};
-
-
- /* RSA Known Plaintext (512-bits). */
- static PRUint8 rsa_known_plaintext[] = {
- "Known plaintext utilized for RSA"
- " Encryption and Decryption test." };
-
- /* RSA Known Ciphertext (512-bits). */
- static PRUint8 rsa_known_ciphertext[] = {
- 0x12,0x80,0x3a,0x53,0xee,0x93,0x81,0xa5,
- 0xf7,0x40,0xc5,0xb1,0xef,0xd9,0x27,0xaf,
- 0xef,0x4b,0x87,0x44,0x00,0xd0,0xda,0xcf,
- 0x10,0x57,0x4c,0xd5,0xc3,0xed,0x84,0xdc,
- 0x74,0x03,0x19,0x69,0x2c,0xd6,0x54,0x3e,
- 0xd2,0xe3,0x90,0xb6,0x67,0x91,0x2f,0x1f,
- 0x54,0x13,0x99,0x00,0x0b,0xfd,0x52,0x7f,
- 0xd8,0xc6,0xdb,0x8a,0xfe,0x06,0xf3,0xb1};
-
- /* RSA Known Message (128-bits). */
- static PRUint8 rsa_known_message[] = { "Netscape Forever" };
-
- /* RSA Known Signed Hash (512-bits). */
- static PRUint8 rsa_known_signature[] = {
- 0x27,0x23,0xa6,0x71,0x57,0xc8,0x70,0x5f,
- 0x70,0x0e,0x06,0x7b,0x96,0x6a,0xaa,0x41,
- 0x6e,0xab,0x67,0x4b,0x5f,0x76,0xc4,0x53,
- 0x23,0xd7,0x57,0x7a,0x3a,0xbc,0x4c,0x27,
- 0x65,0xca,0xde,0x9f,0xd3,0x1d,0xa4,0x5a,
- 0xf9,0x8f,0xb2,0x05,0xa3,0x86,0xf9,0x66,
- 0x55,0x4c,0x68,0x50,0x66,0xa4,0xe9,0x17,
- 0x45,0x11,0xb8,0x1a,0xfc,0xbc,0x79,0x3b};
-
-
- static RSAPublicKey bl_public_key = { NULL,
- { FIPS_RSA_TYPE, rsa_modulus, FIPS_RSA_MODULUS_LENGTH },
- { FIPS_RSA_TYPE, rsa_public_exponent, FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
- };
- static RSAPrivateKey bl_private_key = { NULL,
- { FIPS_RSA_TYPE, rsa_version, FIPS_RSA_PRIVATE_VERSION_LENGTH },
- { FIPS_RSA_TYPE, rsa_modulus, FIPS_RSA_MODULUS_LENGTH },
- { FIPS_RSA_TYPE, rsa_public_exponent, FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
- { FIPS_RSA_TYPE, rsa_private_exponent, FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
- { FIPS_RSA_TYPE, rsa_prime0, FIPS_RSA_PRIME0_LENGTH },
- { FIPS_RSA_TYPE, rsa_prime1, FIPS_RSA_PRIME1_LENGTH },
- { FIPS_RSA_TYPE, rsa_exponent0, FIPS_RSA_EXPONENT0_LENGTH },
- { FIPS_RSA_TYPE, rsa_exponent1, FIPS_RSA_EXPONENT1_LENGTH },
- { FIPS_RSA_TYPE, rsa_coefficient, FIPS_RSA_COEFFICIENT_LENGTH }
- };
-
- /* RSA variables. */
-#ifdef CREATE_TEMP_ARENAS
- PLArenaPool * rsa_public_arena;
- PLArenaPool * rsa_private_arena;
-#endif
- SECKEYLowPublicKey * rsa_public_key;
- SECKEYLowPrivateKey * rsa_private_key;
- unsigned int rsa_bytes_signed;
- SECStatus rsa_status;
-
- SECKEYLowPublicKey low_public_key = { NULL, rsaKey, };
- SECKEYLowPrivateKey low_private_key = { NULL, rsaKey, };
- PRUint8 rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH];
- PRUint8 rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH];
- PRUint8 rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
-
- /****************************************/
- /* Compose RSA Public/Private Key Pair. */
- /****************************************/
-
- low_public_key.u.rsa = bl_public_key;
- low_private_key.u.rsa = bl_private_key;
-
- rsa_public_key = &low_public_key;
- rsa_private_key = &low_private_key;
-
-#ifdef CREATE_TEMP_ARENAS
- /* Create some space for the RSA public key. */
- rsa_public_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
-
- if( rsa_public_arena == NULL ) {
- PORT_SetError( SEC_ERROR_NO_MEMORY );
- return( CKR_HOST_MEMORY );
- }
-
- /* Create some space for the RSA private key. */
- rsa_private_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
-
- if( rsa_private_arena == NULL ) {
- PORT_FreeArena( rsa_public_arena, PR_TRUE );
- PORT_SetError( SEC_ERROR_NO_MEMORY );
- return( CKR_HOST_MEMORY );
- }
-
- rsa_public_key->arena = rsa_public_arena;
- rsa_private_key->arena = rsa_private_arena;
-#endif
-
- /**************************************************/
- /* RSA Single-Round Known Answer Encryption Test. */
- /**************************************************/
-
- /* Perform RSA Public Key Encryption. */
- rsa_status = RSA_PublicKeyOp(&rsa_public_key->u.rsa,
- rsa_computed_ciphertext, rsa_known_plaintext);
-
- if( ( rsa_status != SECSuccess ) ||
- ( PORT_Memcmp( rsa_computed_ciphertext, rsa_known_ciphertext,
- FIPS_RSA_ENCRYPT_LENGTH ) != 0 ) )
- goto rsa_loser;
-
- /**************************************************/
- /* RSA Single-Round Known Answer Decryption Test. */
- /**************************************************/
-
- /* Perform RSA Private Key Decryption. */
- rsa_status = RSA_PrivateKeyOp(&rsa_private_key->u.rsa,
- rsa_computed_plaintext, rsa_known_ciphertext);
-
- if( ( rsa_status != SECSuccess ) ||
- ( PORT_Memcmp( rsa_computed_plaintext, rsa_known_plaintext,
- FIPS_RSA_DECRYPT_LENGTH ) != 0 ) )
- goto rsa_loser;
-
-
- /*************************************************/
- /* RSA Single-Round Known Answer Signature Test. */
- /*************************************************/
-
- /* Perform RSA signature with the RSA private key. */
- rsa_status = RSA_Sign( rsa_private_key, rsa_computed_signature,
- &rsa_bytes_signed,
- FIPS_RSA_SIGNATURE_LENGTH, rsa_known_message,
- FIPS_RSA_MESSAGE_LENGTH );
-
- if( ( rsa_status != SECSuccess ) ||
- ( rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH ) ||
- ( PORT_Memcmp( rsa_computed_signature, rsa_known_signature,
- FIPS_RSA_SIGNATURE_LENGTH ) != 0 ) )
- goto rsa_loser;
-
-
- /****************************************************/
- /* RSA Single-Round Known Answer Verification Test. */
- /****************************************************/
-
- /* Perform RSA verification with the RSA public key. */
- rsa_status = RSA_CheckSign( rsa_public_key,
- rsa_computed_signature,
- FIPS_RSA_SIGNATURE_LENGTH,
- rsa_known_message,
- FIPS_RSA_MESSAGE_LENGTH );
-
- if( rsa_status != SECSuccess )
- goto rsa_loser;
-
- /* Dispose of all RSA key material. */
- SECKEY_LowDestroyPublicKey( rsa_public_key );
- SECKEY_LowDestroyPrivateKey( rsa_private_key );
-
- return( CKR_OK );
-
-
-rsa_loser:
-
- SECKEY_LowDestroyPublicKey( rsa_public_key );
- SECKEY_LowDestroyPrivateKey( rsa_private_key );
-
- return( CKR_DEVICE_ERROR );
-}
-
-
-static CK_RV
-pk11_fips_DSA_PowerUpSelfTest( void )
-{
- /* DSA Known P (512-bits), Q (160-bits), and G (512-bits) Values. */
- static PRUint8 dsa_P[] = {
- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91};
- static PRUint8 dsa_Q[] = {
- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
- 0xda,0xce,0x91,0x5f};
- static PRUint8 dsa_G[] = {
- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02};
-
- /* DSA Known Random Values (known random key block is 160-bits) */
- /* and (known random signature block is 160-bits). */
- static PRUint8 dsa_known_random_key_block[] = {
- "Mozilla Rules World!"};
- static PRUint8 dsa_known_random_signature_block[] = {
- "Random DSA Signature"};
-
- /* DSA Known Digest (160-bits) */
- static PRUint8 dsa_known_digest[] = { "DSA Signature Digest" };
-
- /* DSA Known Signature (320-bits). */
- static PRUint8 dsa_known_signature[] = {
- 0x39,0x0d,0x84,0xb1,0xf7,0x52,0x89,0xba,
- 0xec,0x1e,0xa8,0xe2,0x00,0x8e,0x37,0x8f,
- 0xc2,0xf5,0xf8,0x70,0x11,0xa8,0xc7,0x02,
- 0x0e,0x75,0xcf,0x6b,0x54,0x4a,0x52,0xe8,
- 0xd8,0x6d,0x4a,0xe8,0xee,0x56,0x8e,0x59};
-
- /* DSA variables. */
- DSAPrivateKey * dsa_private_key;
- SECStatus dsa_status;
- SECItem dsa_signature_item;
- SECItem dsa_digest_item;
- DSAPublicKey dsa_public_key;
- PRUint8 dsa_computed_signature[FIPS_DSA_SIGNATURE_LENGTH];
- static PQGParams dsa_pqg = { NULL,
- { FIPS_DSA_TYPE, dsa_P, FIPS_DSA_PRIME_LENGTH },
- { FIPS_DSA_TYPE, dsa_Q, FIPS_DSA_SUBPRIME_LENGTH },
- { FIPS_DSA_TYPE, dsa_G, FIPS_DSA_BASE_LENGTH }};
-
- /*******************************************/
- /* Generate a DSA public/private key pair. */
- /*******************************************/
-
- /* Generate a DSA public/private key pair. */
-
- dsa_status = DSA_NewKeyFromSeed(&dsa_pqg, dsa_known_random_key_block,
- &dsa_private_key);
-
- if( dsa_status != SECSuccess )
- return( CKR_HOST_MEMORY );
-
- /* construct public key from private key. */
- dsa_public_key.params = dsa_private_key->params;
- dsa_public_key.publicValue = dsa_private_key->publicValue;
-
- /*************************************************/
- /* DSA Single-Round Known Answer Signature Test. */
- /*************************************************/
-
- dsa_signature_item.data = dsa_computed_signature;
- dsa_signature_item.len = sizeof dsa_computed_signature;
-
- dsa_digest_item.data = dsa_known_digest;
- dsa_digest_item.len = SHA1_LENGTH;
-
- /* Perform DSA signature process. */
- dsa_status = DSA_SignDigestWithSeed( dsa_private_key,
- &dsa_signature_item,
- &dsa_digest_item,
- dsa_known_random_signature_block );
-
- if( ( dsa_status != SECSuccess ) ||
- ( dsa_signature_item.len != FIPS_DSA_SIGNATURE_LENGTH ) ||
- ( PORT_Memcmp( dsa_computed_signature, dsa_known_signature,
- FIPS_DSA_SIGNATURE_LENGTH ) != 0 ) ) {
- dsa_status = SECFailure;
- } else {
-
- /****************************************************/
- /* DSA Single-Round Known Answer Verification Test. */
- /****************************************************/
-
- /* Perform DSA verification process. */
- dsa_status = DSA_VerifyDigest( &dsa_public_key,
- &dsa_signature_item,
- &dsa_digest_item);
- }
-
- PORT_FreeArena(dsa_private_key->params.arena, PR_TRUE);
- /* Don't free public key, it uses same arena as private key */
-
- /* Verify DSA signature. */
- if( dsa_status != SECSuccess )
- return( CKR_DEVICE_ERROR );
-
- return( CKR_OK );
-
-
-}
-
-
-CK_RV
-pk11_fipsPowerUpSelfTest( void )
-{
- CK_RV rv;
-
- /* RC2 Power-Up SelfTest(s). */
- rv = pk11_fips_RC2_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* RC4 Power-Up SelfTest(s). */
- rv = pk11_fips_RC4_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* DES Power-Up SelfTest(s). */
- rv = pk11_fips_DES_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* DES3 Power-Up SelfTest(s). */
- rv = pk11_fips_DES3_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* MD2 Power-Up SelfTest(s). */
- rv = pk11_fips_MD2_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* MD5 Power-Up SelfTest(s). */
- rv = pk11_fips_MD5_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* SHA-1 Power-Up SelfTest(s). */
- rv = pk11_fips_SHA1_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* RSA Power-Up SelfTest(s). */
- rv = pk11_fips_RSA_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* DSA Power-Up SelfTest(s). */
- rv = pk11_fips_DSA_PowerUpSelfTest();
-
- if( rv != CKR_OK )
- return rv;
-
- /* Passed Power-Up SelfTest(s). */
- return( CKR_OK );
-}
-
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
deleted file mode 100644
index e72a9965a..000000000
--- a/security/nss/lib/softoken/fipstokn.c
+++ /dev/null
@@ -1,951 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This file implements PKCS 11 on top of our existing security modules
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- * This implementation has two slots:
- * slot 1 is our generic crypto support. It does not require login
- * (unless you've enabled FIPS). It supports Public Key ops, and all they
- * bulk ciphers and hashes. It can also support Private Key ops for imported
- * Private keys. It does not have any token storage.
- * slot 2 is our private key support. It requires a login before use. It
- * can store Private Keys and Certs as token objects. Currently only private
- * keys and their associated Certificates are saved on the token.
- *
- * In this implementation, session objects are only visible to the session
- * that created or generated them.
- */
-#include "seccomon.h"
-#include "softoken.h"
-#include "key.h"
-#include "pkcs11.h"
-#include "pkcs11i.h"
-
-/* The next two strings must be exactly 64 characters long, with the
- first 32 characters meaningful */
-static char *slotDescription =
- "Netscape Internal FIPS-140-1 Cryptographic Services ";
-static char *privSlotDescription =
- "Netscape FIPS-140-1 User Private Key Services ";
-
-
-/*
- * Configuration utils
- */
-void
-PK11_ConfigureFIPS(char *slotdes, char *pslotdes)
-{
- if (slotdes && (PORT_Strlen(slotdes) == 65)) {
- slotDescription = slotdes;
- }
- if (pslotdes && (PORT_Strlen(pslotdes) == 65)) {
- privSlotDescription = pslotdes;
- }
- return;
-}
-
-/*
- * ******************** Password Utilities *******************************
- */
-static PRBool isLoggedIn = PR_FALSE;
-static PRBool fatalError = PR_FALSE;
-
-/* Fips required checks before any useful crypto graphic services */
-static CK_RV pk11_fipsCheck(void) {
- if (isLoggedIn != PR_TRUE)
- return CKR_USER_NOT_LOGGED_IN;
- if (fatalError)
- return CKR_DEVICE_ERROR;
- return CKR_OK;
-}
-
-
-#define PK11_FIPSCHECK() \
- CK_RV rv; \
- if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
-
-#define PK11_FIPSFATALCHECK() \
- if (fatalError) return CKR_DEVICE_ERROR;
-
-
-/* grab an attribute out of a raw template */
-void *
-fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
-{
- int i;
-
- for (i=0; i < (int) ulCount; i++) {
- if (pTemplate[i].type == type) {
- return pTemplate[i].pValue;
- }
- }
- return NULL;
-}
-
-
-#define __PASTE(x,y) x##y
-
-/* ------------- forward declare all the NSC_ functions ------------- */
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS,name)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-
-/* ------------- forward declare all the FIPS functions ------------- */
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F,name)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-
-/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
-static CK_FUNCTION_LIST pk11_fipsTable = {
- { 1, 10 },
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(F,name),
-
-
-#include "pkcs11f.h"
-
-};
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-#undef __PASTE
-
-
-/**********************************************************************
- *
- * Start of PKCS 11 functions
- *
- **********************************************************************/
-/* return the function list */
-CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
- *pFunctionList = &pk11_fipsTable;
- return CKR_OK;
-}
-
-
-/* FC_Initialize initializes the PKCS #11 library. */
-CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
- CK_RV rv;
- static PRBool init= PR_FALSE;
-
-
- rv = PK11_LowInitialize(pReserved);
-
- if (rv == CKR_OK && !init) {
- init = PR_TRUE;
- rv = PK11_SlotInit(FIPS_SLOT_ID,PR_TRUE);
- /* fall through to check below */
- }
-
- /* not an 'else' rv can be set by either PK11_LowInit or PK11_SlotInit*/
- if (rv != CKR_OK) {
- fatalError = PR_TRUE;
- return rv;
- }
-
- fatalError = PR_FALSE; /* any error has been reset */
-
- rv = pk11_fipsPowerUpSelfTest();
- if (rv != CKR_OK) {
- fatalError = PR_TRUE;
- return rv;
- }
-
- return CKR_OK;
-}
-
-/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
-CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
- /* this should free up FIPS Slot */
- return NSC_Finalize (pReserved);
-}
-
-
-/* FC_GetInfo returns general information about PKCS #11. */
-CK_RV FC_GetInfo(CK_INFO_PTR pInfo) {
- return NSC_GetInfo(pInfo);
-}
-
-/* FC_GetSlotList obtains a list of slots in the system. */
-CK_RV FC_GetSlotList(CK_BBOOL tokenPresent,
- CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
- *pulCount = 1;
- if (pSlotList != NULL) {
- pSlotList[0] = FIPS_SLOT_ID;
- }
- return CKR_OK;
-}
-
-/* FC_GetSlotInfo obtains information about a particular slot in the system. */
-CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
-
- CK_RV crv;
-
- if (slotID != FIPS_SLOT_ID) return CKR_SLOT_ID_INVALID;
-
- /* Use NETSCAPE_SLOT_ID as a basis so that we get Library version number,
- * not key_DB version number */
- crv = NSC_GetSlotInfo(NETSCAPE_SLOT_ID,pInfo);
- if (crv != CKR_OK) {
- return crv;
- }
-
- PORT_Memcpy(pInfo->slotDescription,slotDescription,64);
- return CKR_OK;
-}
-
-
-/*FC_GetTokenInfo obtains information about a particular token in the system.*/
- CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) {
- CK_RV crv;
-
- if (slotID != FIPS_SLOT_ID) return CKR_SLOT_ID_INVALID;
-
- /* use PRIVATE_KEY_SLOT_ID so we get the correct
- Authentication information */
- crv = NSC_GetTokenInfo(PRIVATE_KEY_SLOT_ID,pInfo);
- pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED;
- /* yes virginia, FIPS can do random number generation:) */
- return crv;
-
-}
-
-
-
-/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
- CK_RV FC_GetMechanismList(CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) {
- PK11_FIPSFATALCHECK();
- if (slotID != FIPS_SLOT_ID) return CKR_SLOT_ID_INVALID;
- /* FIPS Slot supports all functions */
- return NSC_GetMechanismList(NETSCAPE_SLOT_ID,pMechanismList,pusCount);
-}
-
-
-/* FC_GetMechanismInfo obtains information about a particular mechanism
- * possibly supported by a token. */
- CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo) {
- PK11_FIPSFATALCHECK();
- if (slotID != FIPS_SLOT_ID) return CKR_SLOT_ID_INVALID;
- /* FIPS Slot supports all functions */
- return NSC_GetMechanismInfo(NETSCAPE_SLOT_ID,type,pInfo);
-}
-
-
-/* FC_InitToken initializes a token. */
- CK_RV FC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
- CK_ULONG usPinLen,CK_CHAR_PTR pLabel) {
- return CKR_HOST_MEMORY; /*is this the right function for not implemented*/
-}
-
-
-/* FC_InitPIN initializes the normal user's PIN. */
- CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
- return NSC_InitPIN(hSession,pPin,ulPinLen);
-}
-
-
-/* FC_SetPIN modifies the PIN of user that is currently logged in. */
-/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
- CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
- CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) {
- CK_RV rv;
- if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
- return NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen);
-}
-
-/* FC_OpenSession opens a session between an application and a token. */
- CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
- CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) {
- PK11_FIPSFATALCHECK();
- return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession);
-}
-
-
-/* FC_CloseSession closes a session between an application and a token. */
- CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) {
- return NSC_CloseSession(hSession);
-}
-
-
-/* FC_CloseAllSessions closes all sessions with a token. */
- CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) {
- return NSC_CloseAllSessions (slotID);
-}
-
-
-/* FC_GetSessionInfo obtains information about the session. */
- CK_RV FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
- CK_SESSION_INFO_PTR pInfo) {
- CK_RV rv;
- PK11_FIPSFATALCHECK();
-
- rv = NSC_GetSessionInfo(hSession,pInfo);
- if (rv == CKR_OK) {
- if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
- pInfo->state = CKS_RO_USER_FUNCTIONS;
- }
- if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
- pInfo->state = CKS_RW_USER_FUNCTIONS;
- }
- }
- return rv;
-}
-
-/* FC_Login logs a user into a token. */
- CK_RV FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
- CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
- CK_RV rv;
- PK11_FIPSFATALCHECK();
- rv = NSC_Login(hSession,userType,pPin,usPinLen);
- if (rv == CKR_OK)
- isLoggedIn = PR_TRUE;
- else if (rv == CKR_USER_ALREADY_LOGGED_IN)
- {
- isLoggedIn = PR_TRUE;
-
- /* Provide FIPS PUB 140-1 power-up self-tests on demand. */
- rv = pk11_fipsPowerUpSelfTest();
- if (rv == CKR_OK)
- return CKR_USER_ALREADY_LOGGED_IN;
- else
- fatalError = PR_TRUE;
- }
- return rv;
-}
-
-/* FC_Logout logs a user out from a token. */
- CK_RV FC_Logout(CK_SESSION_HANDLE hSession) {
- PK11_FIPSCHECK();
-
- rv = NSC_Logout(hSession);
- isLoggedIn = PR_FALSE;
- return rv;
-}
-
-
-/* FC_CreateObject creates a new object. */
- CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phObject) {
- CK_OBJECT_CLASS * classptr;
- PK11_FIPSCHECK();
- classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
- if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
-
- /* FIPS can't create keys from raw key material */
- if ((*classptr == CKO_SECRET_KEY) || (*classptr == CKO_PRIVATE_KEY)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- return NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
-}
-
-
-
-
-
-/* FC_CopyObject copies an object, creating a new object for the copy. */
- CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
- CK_OBJECT_HANDLE_PTR phNewObject) {
- PK11_FIPSCHECK();
- return NSC_CopyObject(hSession,hObject,pTemplate,usCount,phNewObject);
-}
-
-
-/* FC_DestroyObject destroys an object. */
- CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject) {
- PK11_FIPSCHECK();
- return NSC_DestroyObject(hSession,hObject);
-}
-
-
-/* FC_GetObjectSize gets the size of an object in bytes. */
- CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pusSize) {
- PK11_FIPSCHECK();
- return NSC_GetObjectSize(hSession, hObject, pusSize);
-}
-
-
-/* FC_GetAttributeValue obtains the value of one or more object attributes. */
- CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
- PK11_FIPSCHECK();
- return NSC_GetAttributeValue(hSession,hObject,pTemplate,usCount);
-}
-
-
-/* FC_SetAttributeValue modifies the value of one or more object attributes */
- CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
- PK11_FIPSCHECK();
- return NSC_SetAttributeValue(hSession,hObject,pTemplate,usCount);
-}
-
-
-
-/* FC_FindObjectsInit initializes a search for token and session objects
- * that match a template. */
- CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
- PK11_FIPSCHECK();
- return NSC_FindObjectsInit(hSession,pTemplate,usCount);
-}
-
-
-/* FC_FindObjects continues a search for token and session objects
- * that match a template, obtaining additional object handles. */
- CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
- CK_ULONG_PTR pusObjectCount) {
- PK11_FIPSCHECK();
- return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
- pusObjectCount);
-}
-
-
-/*
- ************** Crypto Functions: Encrypt ************************
- */
-
-/* FC_EncryptInit initializes an encryption operation. */
- CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_EncryptInit(hSession,pMechanism,hKey);
-}
-
-/* FC_Encrypt encrypts single-part data. */
- CK_RV FC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pusEncryptedDataLen) {
- PK11_FIPSCHECK();
- return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData,
- pusEncryptedDataLen);
-}
-
-
-/* FC_EncryptUpdate continues a multiple-part encryption operation. */
- CK_RV FC_EncryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pusEncryptedPartLen) {
- PK11_FIPSCHECK();
- return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart,
- pusEncryptedPartLen);
-}
-
-
-/* FC_EncryptFinal finishes a multiple-part encryption operation. */
- CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) {
-
- PK11_FIPSCHECK();
- return NSC_EncryptFinal(hSession,pLastEncryptedPart,
- pusLastEncryptedPartLen);
-}
-
-/*
- ************** Crypto Functions: Decrypt ************************
- */
-
-
-/* FC_DecryptInit initializes a decryption operation. */
- CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_DecryptInit(hSession,pMechanism,hKey);
-}
-
-/* FC_Decrypt decrypts encrypted data in a single part. */
- CK_RV FC_Decrypt(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData,
- CK_ULONG_PTR pusDataLen) {
- PK11_FIPSCHECK();
- return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData,
- pusDataLen);
-}
-
-
-/* FC_DecryptUpdate continues a multiple-part decryption operation. */
- CK_RV FC_DecryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
- CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) {
- PK11_FIPSCHECK();
- return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen,
- pPart,pusPartLen);
-}
-
-
-/* FC_DecryptFinal finishes a multiple-part decryption operation. */
- CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) {
- PK11_FIPSCHECK();
- return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen);
-}
-
-
-/*
- ************** Crypto Functions: Digest (HASH) ************************
- */
-
-/* FC_DigestInit initializes a message-digesting operation. */
- CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism) {
- PK11_FIPSFATALCHECK();
- return NSC_DigestInit(hSession, pMechanism);
-}
-
-
-/* FC_Digest digests data in a single part. */
- CK_RV FC_Digest(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pusDigestLen) {
- PK11_FIPSFATALCHECK();
- return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen);
-}
-
-
-/* FC_DigestUpdate continues a multiple-part message-digesting operation. */
- CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
- CK_ULONG usPartLen) {
- PK11_FIPSFATALCHECK();
- return NSC_DigestUpdate(hSession,pPart,usPartLen);
-}
-
-
-/* FC_DigestFinal finishes a multiple-part message-digesting operation. */
- CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pusDigestLen) {
- PK11_FIPSFATALCHECK();
- return NSC_DigestFinal(hSession,pDigest,pusDigestLen);
-}
-
-
-/*
- ************** Crypto Functions: Sign ************************
- */
-
-/* FC_SignInit initializes a signature (private key encryption) operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_SignInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_SignInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_Sign signs (encrypts with private key) data in a single part,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_Sign(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pusSignatureLen) {
- PK11_FIPSCHECK();
- return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen);
-}
-
-
-/* FC_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
- CK_ULONG usPartLen) {
- PK11_FIPSCHECK();
- return NSC_SignUpdate(hSession,pPart,usPartLen);
-}
-
-
-/* FC_SignFinal finishes a multiple-part signature operation,
- * returning the signature. */
- CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pusSignatureLen) {
- PK11_FIPSCHECK();
- return NSC_SignFinal(hSession,pSignature,pusSignatureLen);
-}
-
-/*
- ************** Crypto Functions: Sign Recover ************************
- */
-/* FC_SignRecoverInit initializes a signature operation,
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
- CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_SignRecoverInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_SignRecover signs data in a single operation
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
- CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) {
- PK11_FIPSCHECK();
- return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen);
-}
-
-/*
- ************** Crypto Functions: verify ************************
- */
-
-/* FC_VerifyInit initializes a verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature (e.g. DSA) */
- CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_VerifyInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) {
- /* make sure we're legal */
- PK11_FIPSCHECK();
- return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen);
-}
-
-
-/* FC_VerifyUpdate continues a multiple-part verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG usPartLen) {
- PK11_FIPSCHECK();
- return NSC_VerifyUpdate(hSession,pPart,usPartLen);
-}
-
-
-/* FC_VerifyFinal finishes a multiple-part verification operation,
- * checking the signature. */
- CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) {
- PK11_FIPSCHECK();
- return NSC_VerifyFinal(hSession,pSignature,usSignatureLen);
-}
-
-/*
- ************** Crypto Functions: Verify Recover ************************
- */
-
-/* FC_VerifyRecoverInit initializes a signature verification operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
- CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_VerifyRecoverInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_VerifyRecover verifies a signature in a single-part operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
- CK_RV FC_VerifyRecover(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen,
- CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) {
- PK11_FIPSCHECK();
- return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData,
- pusDataLen);
-}
-
-/*
- **************************** Key Functions: ************************
- */
-
-/* FC_GenerateKey generates a secret key, creating a new key object. */
- CK_RV FC_GenerateKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- CK_BBOOL *boolptr;
-
- PK11_FIPSCHECK();
-
- /* all secret keys must be sensitive, if the upper level code tries to say
- * otherwise, reject it. */
- boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE);
- if (boolptr != NULL) {
- if (!(*boolptr)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- }
-
- return NSC_GenerateKey(hSession,pMechanism,pTemplate,ulCount,phKey);
-}
-
-
-/* FC_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
- CK_RV FC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
- CK_OBJECT_HANDLE_PTR phPrivateKey) {
- CK_BBOOL *boolptr;
-
- PK11_FIPSCHECK();
-
- /* all private keys must be sensitive, if the upper level code tries to say
- * otherwise, reject it. */
- boolptr = (CK_BBOOL *) fc_getAttribute(pPrivateKeyTemplate,
- usPrivateKeyAttributeCount, CKA_SENSITIVE);
- if (boolptr != NULL) {
- if (!(*boolptr)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- }
- return NSC_GenerateKeyPair (hSession,pMechanism,pPublicKeyTemplate,
- usPublicKeyAttributeCount,pPrivateKeyTemplate,
- usPrivateKeyAttributeCount,phPublicKey,phPrivateKey);
-}
-
-
-/* FC_WrapKey wraps (i.e., encrypts) a key. */
- CK_RV FC_WrapKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
- CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
- CK_ULONG_PTR pusWrappedKeyLen) {
- PK11_FIPSCHECK();
- return NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
- pusWrappedKeyLen);
-}
-
-
-/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
- CK_RV FC_UnwrapKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
- CK_BYTE_PTR pWrappedKey, CK_ULONG usWrappedKeyLen,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- CK_BBOOL *boolptr;
-
- PK11_FIPSCHECK();
-
- /* all secret keys must be sensitive, if the upper level code tries to say
- * otherwise, reject it. */
- boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate,
- usAttributeCount, CKA_SENSITIVE);
- if (boolptr != NULL) {
- if (!(*boolptr)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- }
- return NSC_UnwrapKey(hSession,pMechanism,hUnwrappingKey,pWrappedKey,
- usWrappedKeyLen,pTemplate,usAttributeCount,phKey);
-}
-
-
-/* FC_DeriveKey derives a key from a base key, creating a new key object. */
- CK_RV FC_DeriveKey( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- CK_BBOOL *boolptr;
-
- PK11_FIPSCHECK();
-
- /* all secret keys must be sensitive, if the upper level code tries to say
- * otherwise, reject it. */
- boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate,
- usAttributeCount, CKA_SENSITIVE);
- if (boolptr != NULL) {
- if (!(*boolptr)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- }
- return NSC_DeriveKey(hSession,pMechanism,hBaseKey,pTemplate,
- usAttributeCount, phKey);
-}
-
-/*
- **************************** Radom Functions: ************************
- */
-
-/* FC_SeedRandom mixes additional seed material into the token's random number
- * generator. */
- CK_RV FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
- CK_ULONG usSeedLen) {
- CK_RV crv;
-
- PK11_FIPSFATALCHECK();
- crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
- if (crv != CKR_OK) {
- fatalError = PR_TRUE;
- }
- return crv;
-}
-
-
-/* FC_GenerateRandom generates random data. */
- CK_RV FC_GenerateRandom(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pRandomData, CK_ULONG usRandomLen) {
- CK_RV crv;
-
- PK11_FIPSFATALCHECK();
- crv = NSC_GenerateRandom(hSession,pRandomData,usRandomLen);
- if (crv != CKR_OK) {
- fatalError = PR_TRUE;
- }
- return crv;
-}
-
-
-/* FC_GetFunctionStatus obtains an updated status of a function running
- * in parallel with an application. */
- CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
- PK11_FIPSCHECK();
- return NSC_GetFunctionStatus(hSession);
-}
-
-
-/* FC_CancelFunction cancels a function running in parallel */
- CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) {
- PK11_FIPSCHECK();
- return NSC_CancelFunction(hSession);
-}
-
-/*
- **************************** Version 1.1 Functions: ************************
- */
-
-/* FC_GetOperationState saves the state of the cryptographic
- *operation in a session. */
-CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) {
- PK11_FIPSFATALCHECK();
- return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen);
-}
-
-
-/* FC_SetOperationState restores the state of the cryptographic operation
- * in a session. */
-CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
- CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) {
- PK11_FIPSFATALCHECK();
- return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen,
- hEncryptionKey,hAuthenticationKey);
-}
-
-/* FC_FindObjectsFinal finishes a search for token and session objects. */
-CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
- PK11_FIPSCHECK();
- return NSC_FindObjectsFinal(hSession);
-}
-
-
-/* Dual-function cryptographic operations */
-
-/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption
- * operation. */
-CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen) {
- PK11_FIPSCHECK();
- return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
- pulEncryptedPartLen);
-}
-
-
-/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting
- * operation. */
-CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) {
-
- PK11_FIPSCHECK();
- return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen,
- pPart,pulPartLen);
-}
-
-/* FC_SignEncryptUpdate continues a multiple-part signing and encryption
- * operation. */
-CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen) {
-
- PK11_FIPSCHECK();
- return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
- pulEncryptedPartLen);
-}
-
-/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify
- * operation. */
-CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
- CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) {
-
- PK11_FIPSCHECK();
- return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
- pData,pulDataLen);
-}
-
-
-/* FC_DigestKey continues a multi-part message-digesting operation,
- * by digesting the value of a secret key as part of the data already digested.
- */
-CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
- PK11_FIPSCHECK();
- return NSC_DigestKey(hSession,hKey);
-}
-
-
-CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
- CK_VOID_PTR pReserved)
-{
- return NSC_WaitForSlotEvent(flags, pSlot, pReserved);
-}
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
deleted file mode 100644
index e224c18d9..000000000
--- a/security/nss/lib/softoken/keydb.c
+++ /dev/null
@@ -1,2308 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * Private Key Database code
- *
- * $Id$
- */
-
-#include "keylow.h"
-#include "keydbt.h"
-#include "seccomon.h"
-#include "sechash.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "blapi.h"
-#include "secitem.h"
-#include "cert.h"
-#include "mcom_db.h"
-#include "secpkcs5.h"
-#include "secerr.h"
-
-#include "private.h"
-
-/*
- * Record keys for keydb
- */
-#define SALT_STRING "global-salt"
-#define VERSION_STRING "Version"
-#define KEYDB_PW_CHECK_STRING "password-check"
-#define KEYDB_PW_CHECK_LEN 14
-
-/* Size of the global salt for key database */
-#define SALT_LENGTH 16
-
-/* ASN1 Templates for new decoder/encoder */
-/*
- * Attribute value for PKCS8 entries (static?)
- */
-const SEC_ASN1Template SECKEY_AttributeTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECKEYAttribute) },
- { SEC_ASN1_OBJECT_ID, offsetof(SECKEYAttribute, attrType) },
- { SEC_ASN1_SET_OF, offsetof(SECKEYAttribute, attrValue),
- SEC_AnyTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SECKEY_SetOfAttributeTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SECKEY_AttributeTemplate },
-};
-
-const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECKEYPrivateKeyInfo) },
- { SEC_ASN1_INTEGER,
- offsetof(SECKEYPrivateKeyInfo,version) },
- { SEC_ASN1_INLINE,
- offsetof(SECKEYPrivateKeyInfo,algorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SECKEYPrivateKeyInfo,privateKey) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SECKEYPrivateKeyInfo,attributes),
- SECKEY_SetOfAttributeTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[] = {
- { SEC_ASN1_POINTER, 0, SECKEY_PrivateKeyInfoTemplate }
-};
-
-const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
- { SEC_ASN1_INLINE,
- offsetof(SECKEYEncryptedPrivateKeyInfo,algorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SECKEYEncryptedPrivateKeyInfo,encryptedData) },
- { 0 }
-};
-
-const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[] = {
- { SEC_ASN1_POINTER, 0, SECKEY_EncryptedPrivateKeyInfoTemplate }
-};
-
-/* ====== Default key databse encryption algorithm ====== */
-
-static SECOidTag defaultKeyDBAlg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
-
-/*
- * Default algorithm for encrypting data in the key database
- */
-SECOidTag
-SECKEY_GetDefaultKeyDBAlg(void)
-{
- return(defaultKeyDBAlg);
-}
-
-void
-SECKEY_SetDefaultKeyDBAlg(SECOidTag alg)
-{
- defaultKeyDBAlg = alg;
-
- return;
-}
-
-static void
-sec_destroy_dbkey(SECKEYDBKey *dbkey)
-{
- if ( dbkey && dbkey->arena ) {
- PORT_FreeArena(dbkey->arena, PR_FALSE);
- }
-}
-
-static void
-free_dbt(DBT *dbt)
-{
- if ( dbt ) {
- PORT_Free(dbt->data);
- PORT_Free(dbt);
- }
-
- return;
-}
-
-/*
- * format of key database entries for version 3 of database:
- * byte offset field
- * ----------- -----
- * 0 version
- * 1 salt-len
- * 2 nn-len
- * 3.. salt-data
- * ... nickname
- * ... encrypted-key-data
- */
-static DBT *
-encode_dbkey(SECKEYDBKey *dbkey)
-{
- DBT *bufitem = NULL;
- unsigned char *buf;
- int nnlen;
- char *nn;
-
- bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT));
- if ( bufitem == NULL ) {
- goto loser;
- }
-
- if ( dbkey->nickname ) {
- nn = dbkey->nickname;
- nnlen = PORT_Strlen(nn) + 1;
- } else {
- nn = "";
- nnlen = 1;
- }
-
- /* compute the length of the record */
- /* 1 + 1 + 1 == version number header + salt length + nn len */
- bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1;
-
- bufitem->data = (void *)PORT_ZAlloc(bufitem->size);
- if ( bufitem->data == NULL ) {
- goto loser;
- }
-
- buf = (unsigned char *)bufitem->data;
-
- /* set version number */
- buf[0] = PRIVATE_KEY_DB_FILE_VERSION;
-
- /* set length of salt */
- PORT_Assert(dbkey->salt.len < 256);
- buf[1] = dbkey->salt.len;
-
- /* set length of nickname */
- PORT_Assert(nnlen < 256);
- buf[2] = nnlen;
-
- /* copy salt */
- PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len);
-
- /* copy nickname */
- PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen);
-
- /* copy encrypted key */
- PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data,
- dbkey->derPK.len);
-
- return(bufitem);
-
-loser:
- if ( bufitem ) {
- free_dbt(bufitem);
- }
-
- return(NULL);
-}
-
-static SECKEYDBKey *
-decode_dbkey(DBT *bufitem, int expectedVersion)
-{
- SECKEYDBKey *dbkey;
- PLArenaPool *arena = NULL;
- unsigned char *buf;
- int version;
- int keyoff;
- int nnlen;
- int saltoff;
-
- buf = (unsigned char *)bufitem->data;
-
- version = buf[0];
-
- if ( version != expectedVersion ) {
- goto loser;
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser;
- }
-
- dbkey = (SECKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYDBKey));
- if ( dbkey == NULL ) {
- goto loser;
- }
-
- dbkey->arena = arena;
- dbkey->salt.data = NULL;
- dbkey->derPK.data = NULL;
-
- dbkey->salt.len = buf[1];
- dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len);
- if ( dbkey->salt.data == NULL ) {
- goto loser;
- }
-
- saltoff = 2;
- keyoff = 2 + dbkey->salt.len;
-
- if ( expectedVersion == PRIVATE_KEY_DB_FILE_VERSION ) {
- nnlen = buf[2];
- if ( nnlen ) {
- dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1);
- if ( dbkey->nickname ) {
- PORT_Memcpy(dbkey->nickname, &buf[keyoff+1], nnlen);
- }
- }
- keyoff += ( nnlen + 1 );
- saltoff = 3;
- }
-
- PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len);
-
- dbkey->derPK.len = bufitem->size - keyoff;
- dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena,dbkey->derPK.len);
- if ( dbkey->derPK.data == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len);
-
- return(dbkey);
-
-loser:
-
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return(NULL);
-}
-
-static SECKEYDBKey *
-get_dbkey(SECKEYKeyDBHandle *handle, DBT *index)
-{
- SECKEYDBKey *dbkey;
- DBT entry;
- SECStatus rv;
-
- /* get it from the database */
- rv = (SECStatus)(* handle->db->get)(handle->db, index, &entry, 0);
- if ( rv ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return NULL;
- }
-
- /* set up dbkey struct */
-
- dbkey = decode_dbkey(&entry, PRIVATE_KEY_DB_FILE_VERSION);
-
- return(dbkey);
-}
-
-static SECStatus
-put_dbkey(SECKEYKeyDBHandle *handle, DBT *index, SECKEYDBKey *dbkey, PRBool update)
-{
- DBT *keydata = NULL;
- int status;
-
- keydata = encode_dbkey(dbkey);
- if ( keydata == NULL ) {
- goto loser;
- }
-
- /* put it in the database */
- if ( update ) {
- status = (* handle->db->put)(handle->db, index, keydata, 0);
- } else {
- status = (* handle->db->put)(handle->db, index, keydata,
- R_NOOVERWRITE);
- }
-
- if ( status ) {
- goto loser;
- }
-
- /* sync the database */
- status = (* handle->db->sync)(handle->db, 0);
- if ( status ) {
- goto loser;
- }
-
- free_dbt(keydata);
- return(SECSuccess);
-
-loser:
- if ( keydata ) {
- free_dbt(keydata);
- }
-
- return(SECFailure);
-}
-
-SECStatus
-SECKEY_TraverseKeys(SECKEYKeyDBHandle *handle,
- SECStatus (* keyfunc)(DBT *k, DBT *d, void *pdata),
- void *udata )
-{
- DBT data;
- DBT key;
- SECStatus status;
- int rv;
-
- if (handle == NULL) {
- return(SECFailure);
- }
-
- rv = (* handle->db->seq)(handle->db, &key, &data, R_FIRST);
- if ( rv ) {
- return(SECFailure);
- }
-
- do {
- /* skip version record */
- if ( data.size > 1 ) {
- if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
- if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
- continue;
- }
- }
-
- /* skip password check */
- if ( key.size == KEYDB_PW_CHECK_LEN ) {
- if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
- KEYDB_PW_CHECK_LEN) == 0 ) {
- continue;
- }
- }
-
- status = (* keyfunc)(&key, &data, udata);
- if (status != SECSuccess) {
- return(status);
- }
- }
- } while ( (* handle->db->seq)(handle->db, &key, &data, R_NEXT) == 0 );
-
- return(SECSuccess);
-}
-
-typedef struct keyNode {
- struct keyNode *next;
- DBT key;
-} keyNode;
-
-typedef struct {
- PLArenaPool *arena;
- keyNode *head;
-} keyList;
-
-static SECStatus
-sec_add_key_to_list(DBT *key, DBT *data, void *arg)
-{
- keyList *keylist;
- keyNode *node;
- void *keydata;
-
- keylist = (keyList *)arg;
-
- /* allocate the node struct */
- node = (keyNode*)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode));
- if ( node == NULL ) {
- return(SECFailure);
- }
-
- /* allocate room for key data */
- keydata = PORT_ArenaZAlloc(keylist->arena, key->size);
- if ( keydata == NULL ) {
- return(SECFailure);
- }
-
- /* link node into list */
- node->next = keylist->head;
- keylist->head = node;
-
- /* copy key into node */
- PORT_Memcpy(keydata, key->data, key->size);
- node->key.size = key->size;
- node->key.data = keydata;
-
- return(SECSuccess);
-}
-
-static SECItem *
-decodeKeyDBGlobalSalt(DBT *saltData)
-{
- SECItem *saltitem;
-
- saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if ( saltitem == NULL ) {
- return(NULL);
- }
-
- saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size);
- if ( saltitem->data == NULL ) {
- PORT_Free(saltitem);
- return(NULL);
- }
-
- saltitem->len = saltData->size;
- PORT_Memcpy(saltitem->data, saltData->data, saltitem->len);
-
- return(saltitem);
-}
-
-static SECItem *
-GetKeyDBGlobalSalt(SECKEYKeyDBHandle *handle)
-{
- DBT saltKey;
- DBT saltData;
- int ret;
-
- saltKey.data = SALT_STRING;
- saltKey.size = sizeof(SALT_STRING) - 1;
-
- ret = (* handle->db->get)(handle->db, &saltKey, &saltData, 0);
- if ( ret ) {
- return(NULL);
- }
-
- return(decodeKeyDBGlobalSalt(&saltData));
-}
-
-static SECStatus
-makeGlobalVersion(SECKEYKeyDBHandle *handle)
-{
- unsigned char version;
- DBT versionData;
- DBT versionKey;
- int status;
-
- version = PRIVATE_KEY_DB_FILE_VERSION;
- versionData.data = &version;
- versionData.size = 1;
- versionKey.data = VERSION_STRING;
- versionKey.size = sizeof(VERSION_STRING)-1;
-
- /* put version string into the database now */
- status = (* handle->db->put)(handle->db, &versionKey, &versionData, 0);
- if ( status ) {
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-
-static SECStatus
-makeGlobalSalt(SECKEYKeyDBHandle *handle)
-{
- DBT saltKey;
- DBT saltData;
- unsigned char saltbuf[16];
- int status;
-
- saltKey.data = SALT_STRING;
- saltKey.size = sizeof(SALT_STRING) - 1;
-
- saltData.data = (void *)saltbuf;
- saltData.size = sizeof(saltbuf);
- RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
-
- /* put global salt into the database now */
- status = (* handle->db->put)( handle->db, &saltKey, &saltData, 0);
- if ( status ) {
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-static char *
-keyDBFilenameCallback(void *arg, int dbVersion)
-{
- return((char *)arg);
-}
-
-SECKEYKeyDBHandle *
-SECKEY_OpenKeyDBFilename(char *dbname, PRBool readOnly)
-{
- return(SECKEY_OpenKeyDB(readOnly, keyDBFilenameCallback,
- (void *)dbname));
-}
-
-SECKEYKeyDBHandle *
-SECKEY_OpenKeyDB(PRBool readOnly, SECKEYDBNameFunc namecb, void *cbarg)
-{
- SECKEYKeyDBHandle *handle;
- DBT versionKey;
- DBT versionData;
- int rv;
- int openflags;
- char *dbname = NULL;
- PRBool updated = PR_FALSE;
-
- handle = (SECKEYKeyDBHandle *)PORT_ZAlloc (sizeof(SECKEYKeyDBHandle));
- if (handle == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- versionKey.data = VERSION_STRING;
- versionKey.size = sizeof(VERSION_STRING)-1;
-
- if ( readOnly ) {
- openflags = O_RDONLY;
- } else {
- openflags = O_RDWR;
- }
-
- dbname = (*namecb)(cbarg, PRIVATE_KEY_DB_FILE_VERSION);
- if ( dbname == NULL ) {
- goto loser;
- }
-
- handle->db = dbopen( dbname, openflags, 0600, DB_HASH, 0 );
-
- /* check for correct version number */
- if (handle->db != NULL) {
- /* lookup version string in database */
- rv = (* handle->db->get)( handle->db, &versionKey, &versionData, 0 );
-
- /* error accessing the database */
- if ( rv < 0 ) {
- goto loser;
- }
-
- if ( rv == 1 ) {
- /* no version number record, reset the database */
- (* handle->db->close)( handle->db );
- handle->db = NULL;
-
- goto newdb;
-
- }
-
- handle->version = *( (unsigned char *)versionData.data);
-
- if (handle->version != PRIVATE_KEY_DB_FILE_VERSION ) {
- /* bogus version number record, reset the database */
- (* handle->db->close)( handle->db );
- handle->db = NULL;
-
- goto newdb;
- }
-
- }
-
-newdb:
-
- /* if first open fails, try to create a new DB */
- if ( handle->db == NULL ) {
- if ( readOnly ) {
- goto loser;
- }
-
- handle->db = dbopen( dbname,
- O_RDWR | O_CREAT | O_TRUNC, 0600, DB_HASH, 0 );
-
- PORT_Free( dbname );
- dbname = NULL;
-
- /* if create fails then we lose */
- if ( handle->db == NULL ) {
- goto loser;
- }
-
- rv = makeGlobalVersion(handle);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- /*
- * try to update from v2 db
- */
- dbname = (*namecb)(cbarg, 2);
- if ( dbname != NULL ) {
- handle->updatedb = dbopen( dbname, O_RDONLY, 0600, DB_HASH, 0 );
-
- if ( handle->updatedb ) {
-
-
- /*
- * Try to update the db using a null password. If the db
- * doesn't have a password, then this will work. If it does
- * have a password, then this will fail and we will do the
- * update later
- */
- rv = SECKEY_UpdateKeyDBPass1(handle);
- if ( rv == SECSuccess ) {
- updated = PR_TRUE;
- }
- }
-
- PORT_Free( dbname );
- dbname = NULL;
- }
-
- /* we are using the old salt if we updated from an old db */
- if ( ! updated ) {
- rv = makeGlobalSalt(handle);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- }
-
- /* sync the database */
- rv = (* handle->db->sync)(handle->db, 0);
- if ( rv ) {
- goto loser;
- }
- }
-
- handle->global_salt = GetKeyDBGlobalSalt(handle);
- return handle;
-
-loser:
-
- if ( dbname )
- PORT_Free( dbname );
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
-
- if ( handle->db ) {
- (* handle->db->close)(handle->db);
- }
- if ( handle->updatedb ) {
- (* handle->updatedb->close)(handle->updatedb);
- }
- PORT_Free(handle);
- return NULL;
-}
-
-/*
- * Close the database
- */
-void
-SECKEY_CloseKeyDB(SECKEYKeyDBHandle *handle)
-{
- if (handle != NULL) {
- if (handle == SECKEY_GetDefaultKeyDB()) {
- SECKEY_SetDefaultKeyDB(NULL);
- }
- if (handle->db != NULL) {
- (* handle->db->close)(handle->db);
- }
- PORT_Free(handle);
- }
-}
-
-/* Get the key database version */
-int
-SECKEY_GetKeyDBVersion(SECKEYKeyDBHandle *handle)
-{
- PORT_Assert(handle != NULL);
-
- return handle->version;
-}
-
-/*
- * Allow use of default key database, so that apps (such as mozilla) do
- * not have to pass the handle all over the place.
- */
-
-static SECKEYKeyDBHandle *sec_default_key_db = NULL;
-
-void
-SECKEY_SetDefaultKeyDB(SECKEYKeyDBHandle *handle)
-{
- sec_default_key_db = handle;
-}
-
-SECKEYKeyDBHandle *
-SECKEY_GetDefaultKeyDB(void)
-{
- return sec_default_key_db;
-}
-
-/*
- * Delete a private key that was stored in the database
- */
-SECStatus
-SECKEY_DeleteKey(SECKEYKeyDBHandle *handle, SECItem *pubkey)
-{
- DBT namekey;
- int rv;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(SECFailure);
- }
-
- /* set up db key and data */
- namekey.data = pubkey->data;
- namekey.size = pubkey->len;
-
- /* delete it from the database */
- rv = (* handle->db->del)(handle->db, &namekey, 0);
- if ( rv ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(SECFailure);
- }
-
- /* sync the database */
- rv = (* handle->db->sync)(handle->db, 0);
- if ( rv ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-/*
- * Store a key in the database, indexed by its public key modulus.(value!)
- */
-SECStatus
-SECKEY_StoreKeyByPublicKey(SECKEYKeyDBHandle *handle,
- SECKEYLowPrivateKey *privkey,
- SECItem *pubKeyData,
- char *nickname,
- SECKEYGetPasswordKey f, void *arg)
-{
- return SECKEY_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, nickname,
- f, arg, SECKEY_GetDefaultKeyDBAlg());
-}
-
-/* see if the public key for this cert is in the database filed
- * by modulus
- */
-SECStatus
-SECKEY_KeyForCertExists(SECKEYKeyDBHandle *handle, CERTCertificate *cert)
-{
- SECKEYPublicKey *pubkey = NULL;
- DBT namekey;
- DBT dummy;
- int status;
-
- /* get cert's public key */
- pubkey = CERT_ExtractPublicKey(cert);
- if ( pubkey == NULL ) {
- return SECFailure;
- }
-
- /* TNH - make key from SECKEYPublicKey */
- switch (pubkey->keyType) {
- case rsaKey:
- namekey.data = pubkey->u.rsa.modulus.data;
- namekey.size = pubkey->u.rsa.modulus.len;
- break;
- case dsaKey:
- namekey.data = pubkey->u.dsa.publicValue.data;
- namekey.size = pubkey->u.dsa.publicValue.len;
- break;
- case dhKey:
- namekey.data = pubkey->u.dh.publicValue.data;
- namekey.size = pubkey->u.dh.publicValue.len;
- break;
- default:
- /* XXX We don't do Fortezza or DH yet. */
- return SECFailure;
- }
-
- status = (* handle->db->get)(handle->db, &namekey, &dummy, 0);
- SECKEY_DestroyPublicKey(pubkey);
- if ( status ) {
- /* TNH - should this really set an error? */
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-/*
- * find the private key for a cert
- */
-SECKEYLowPrivateKey *
-SECKEY_FindKeyByCert(SECKEYKeyDBHandle *handle, CERTCertificate *cert,
- SECKEYGetPasswordKey f, void *arg)
-{
- SECKEYPublicKey *pubkey = NULL;
- SECItem *keyItem;
- SECKEYLowPrivateKey *privKey = NULL;
-
- /* get cert's public key */
- pubkey = CERT_ExtractPublicKey(cert);
- if ( !pubkey ) {
- goto loser;
- }
-
- /* TNH - make record key from SECKEYPublicKey (again) */
- switch (pubkey->keyType) {
- case rsaKey:
- keyItem = &pubkey->u.rsa.modulus;
- break;
- case dsaKey:
- keyItem = &pubkey->u.dsa.publicValue;
- break;
- case dhKey:
- keyItem = &pubkey->u.dh.publicValue;
- break;
- /* fortezza an NULL keys are not stored in the data base */
- case fortezzaKey:
- case nullKey:
- goto loser;
- }
-
- privKey = SECKEY_FindKeyByPublicKey(handle, keyItem, f, arg);
-
- /* success falls through */
-loser:
- SECKEY_DestroyPublicKey(pubkey);
- return(privKey);
-}
-
-/*
- * check to see if the user has a password
- */
-SECStatus
-SECKEY_HasKeyDBPassword(SECKEYKeyDBHandle *handle)
-{
- DBT checkkey, checkdata;
- int rv;
-
- if (handle == NULL) {
- return(SECFailure);
- }
-
- checkkey.data = KEYDB_PW_CHECK_STRING;
- checkkey.size = KEYDB_PW_CHECK_LEN;
-
- rv = (* handle->db->get)(handle->db, &checkkey, &checkdata, 0 );
- if ( rv ) {
- return(SECFailure);
- }
-
- return(SECSuccess);
-}
-
-/*
- * Set up the password checker in the key database.
- * This is done by encrypting a known plaintext with the user's key.
- */
-SECStatus
-SECKEY_SetKeyDBPassword(SECKEYKeyDBHandle *handle, SECItem *pwitem)
-{
- return SECKEY_SetKeyDBPasswordAlg(handle, pwitem,
- SECKEY_GetDefaultKeyDBAlg());
-}
-
-/*
- * Re-encrypt the entire key database with a new password.
- * NOTE: This really should create a new database rather than doing it
- * in place in the original
- */
-SECStatus
-SECKEY_ChangeKeyDBPassword(SECKEYKeyDBHandle *handle,
- SECItem *oldpwitem, SECItem *newpwitem)
-{
- return SECKEY_ChangeKeyDBPasswordAlg(handle, oldpwitem, newpwitem,
- SECKEY_GetDefaultKeyDBAlg());
-}
-
-static SECStatus
-HashPassword(unsigned char *hashresult, char *pw, SECItem *salt)
-{
- SHA1Context *cx;
- unsigned int outlen;
- cx = SHA1_NewContext();
- if ( cx == NULL ) {
- return(SECFailure);
- }
-
- SHA1_Begin(cx);
- if ( ( salt != NULL ) && ( salt->data != NULL ) ) {
- SHA1_Update(cx, salt->data, salt->len);
- }
-
- SHA1_Update(cx, (unsigned char *)pw, PORT_Strlen(pw));
- SHA1_End(cx, hashresult, &outlen, SHA1_LENGTH);
-
- SHA1_DestroyContext(cx, PR_TRUE);
-
- return(SECSuccess);
-}
-
-SECItem *
-SECKEY_HashPassword(char *pw, SECItem *salt)
-{
- SECItem *pwitem;
- SECStatus rv;
-
- pwitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if ( pwitem == NULL ) {
- return(NULL);
- }
- pwitem->len = SHA1_LENGTH;
- pwitem->data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
- if ( pwitem->data == NULL ) {
- PORT_Free(pwitem);
- return(NULL);
- }
- if ( pw ) {
- rv = HashPassword(pwitem->data, pw, salt);
- if ( rv != SECSuccess ) {
- SECITEM_ZfreeItem(pwitem, PR_TRUE);
- return(NULL);
- }
- }
-
- return(pwitem);
-}
-
-/* Derive the actual password value for the database from a pw string */
-SECItem *
-SECKEY_DeriveKeyDBPassword(SECKEYKeyDBHandle *keydb, char *pw)
-{
- PORT_Assert(keydb != NULL);
- PORT_Assert(pw != NULL);
- if (keydb == NULL || pw == NULL) return(NULL);
-
- return SECKEY_HashPassword(pw, keydb->global_salt);
-}
-
-#if 0
-/* Appears obsolete - TNH */
-/* get the algorithm with which a private key
- * is encrypted.
- */
-SECOidTag
-seckey_get_private_key_algorithm(SECKEYKeyDBHandle *keydb, DBT *index)
-{
- SECKEYDBKey *dbkey = NULL;
- SECOidTag algorithm = SEC_OID_UNKNOWN;
- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- PLArenaPool *poolp = NULL;
- SECStatus rv;
-
- poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if(poolp == NULL)
- return (SECOidTag)SECFailure; /* TNH - this is bad */
-
- dbkey = get_dbkey(keydb, index);
- if(dbkey == NULL)
- return (SECOidTag)SECFailure;
-
- epki = (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp,
- sizeof(SECKEYEncryptedPrivateKeyInfo));
- if(epki == NULL)
- goto loser;
- rv = SEC_ASN1DecodeItem(poolp, epki,
- SECKEY_EncryptedPrivateKeyInfoTemplate, &dbkey->derPK);
- if(rv == SECFailure)
- goto loser;
-
- algorithm = SECOID_GetAlgorithmTag(&epki->algorithm);
-
- /* let success fall through */
-loser:
- if(poolp != NULL)
- PORT_FreeArena(poolp, PR_TRUE);\
- if(dbkey != NULL)
- sec_destroy_dbkey(dbkey);
-
- return algorithm;
-}
-#endif
-
-/*
- * Derive an RC4 key from a password key and a salt. This
- * was the method to used to encrypt keys in the version 2?
- * database
- */
-SECItem *
-seckey_create_rc4_key(SECItem *pwitem, SECItem *salt)
-{
- MD5Context *md5 = NULL;
- unsigned int part;
- SECStatus rv = SECFailure;
- SECItem *key = NULL;
-
- key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(key != NULL)
- {
- key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
- MD5_LENGTH);
- key->len = MD5_LENGTH;
- if(key->data != NULL)
- {
- md5 = MD5_NewContext();
- if ( md5 != NULL )
- {
- MD5_Begin(md5);
- MD5_Update(md5, salt->data, salt->len);
- MD5_Update(md5, pwitem->data, pwitem->len);
- MD5_End(md5, key->data, &part, MD5_LENGTH);
- MD5_DestroyContext(md5, PR_TRUE);
- rv = SECSuccess;
- }
- }
-
- if(rv != SECSuccess)
- {
- SECITEM_FreeItem(key, PR_TRUE);
- key = NULL;
- }
- }
-
- return key;
-}
-
-SECItem *
-seckey_create_rc4_salt(void)
-{
- SECItem *salt = NULL;
- SECStatus rv = SECFailure;
-
- salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(salt == NULL)
- return NULL;
-
- salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
- SALT_LENGTH);
- if(salt->data != NULL)
- {
- salt->len = SALT_LENGTH;
- RNG_GenerateGlobalRandomBytes(salt->data, salt->len);
- rv = SECSuccess;
- }
-
- if(rv == SECFailure)
- {
- SECITEM_FreeItem(salt, PR_TRUE);
- salt = NULL;
- }
-
- return salt;
-}
-
-SECItem *
-seckey_rc4_cipher(SECItem *key, SECItem *src, PRBool encrypt)
-{
- SECItem *dest = NULL;
- RC4Context *ctxt = NULL;
- SECStatus rv = SECFailure;
-
- if((key == NULL) || (src == NULL))
- return NULL;
-
- dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(dest == NULL)
- return NULL;
-
- dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
- (src->len + 64)); /* TNH - padding? */
- if(dest->data != NULL)
- {
- ctxt = RC4_CreateContext(key->data, key->len);
- if(ctxt != NULL)
- {
- if(encrypt == PR_TRUE)
- rv = RC4_Encrypt(ctxt, dest->data, &dest->len,
- src->len + 64, src->data, src->len);
- else
- rv = RC4_Decrypt(ctxt, dest->data, &dest->len,
- src->len + 64, src->data, src->len);
- RC4_DestroyContext(ctxt, PR_TRUE);
- }
- }
-
- if(rv == SECFailure)
- if(dest != NULL)
- {
- SECITEM_FreeItem(dest, PR_TRUE);
- dest = NULL;
- }
-
- return dest;
-}
-
-/* TNH - keydb is unused */
-/* TNH - the pwitem should be the derived key for RC4 */
-SECKEYEncryptedPrivateKeyInfo *
-seckey_encrypt_private_key(
- SECKEYLowPrivateKey *pk, SECItem *pwitem, SECKEYKeyDBHandle *keydb,
- SECOidTag algorithm)
-{
- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- SECKEYPrivateKeyInfo *pki = NULL;
- SECStatus rv = SECFailure;
- SECAlgorithmID *algid = NULL;
- PLArenaPool *temparena = NULL, *permarena = NULL;
- SECItem *key = NULL, *salt = NULL, *der_item = NULL;
- SECItem *dummy = NULL, *dest = NULL;
-
- permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(permarena == NULL)
- return NULL;
-
- temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(temparena == NULL)
- goto loser;
-
- /* allocate structures */
- epki = (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(permarena,
- sizeof(SECKEYEncryptedPrivateKeyInfo));
- pki = (SECKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena,
- sizeof(SECKEYPrivateKeyInfo));
- der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem));
- if((epki == NULL) || (pki == NULL) || (der_item == NULL))
- goto loser;
-
- epki->arena = permarena;
-
- /* setup private key info */
- dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version),
- SEC_PRIVATE_KEY_INFO_VERSION);
- if(dummy == NULL)
- goto loser;
-
- /* Encode the key, and set the algorithm (with params) */
- switch (pk->keyType) {
- case rsaKey:
- dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
- SECKEY_RSAPrivateKeyTemplate);
- if (dummy == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
- SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
- if (rv == SECFailure) {
- goto loser;
- }
-
- break;
- case dsaKey:
- dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
- SECKEY_DSAPrivateKeyTemplate);
- if (dummy == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params,
- SECKEY_PQGParamsTemplate);
- if (dummy == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
- SEC_OID_ANSIX9_DSA_SIGNATURE, dummy);
- if (rv == SECFailure) {
- goto loser;
- }
-
- break;
- case dhKey:
- dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
- SECKEY_DHPrivateKeyTemplate);
- if (dummy == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
- SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
- if (rv == SECFailure) {
- goto loser;
- }
- break;
- default:
- /* We don't support DH or Fortezza private keys yet */
- PORT_Assert(PR_FALSE);
- break;
- }
-
- /* setup encrypted private key info */
- dummy = SEC_ASN1EncodeItem(temparena, der_item, pki,
- SECKEY_PrivateKeyInfoTemplate);
- if(dummy == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- rv = SECFailure; /* assume failure */
- switch(algorithm)
- {
- case SEC_OID_RC4:
- salt = seckey_create_rc4_salt();
- if(salt != NULL)
- {
- key = seckey_create_rc4_key(pwitem, salt);
- if(key != NULL)
- {
- dest = seckey_rc4_cipher(key, der_item, PR_TRUE);
- if(dest != NULL)
- {
- rv = SECITEM_CopyItem(permarena, &epki->encryptedData,
- dest);
- if(rv == SECSuccess)
- rv = SECOID_SetAlgorithmID(permarena,
- &epki->algorithm, SEC_OID_RC4, salt);
- }
- }
- }
- if(dest != NULL)
- SECITEM_FreeItem(dest, PR_TRUE);
- if(key != NULL)
- SECITEM_ZfreeItem(key, PR_TRUE);
- break;
- default:
- algid = SEC_PKCS5CreateAlgorithmID(algorithm, NULL, 1);
- if(algid != NULL)
- {
- dest = SEC_PKCS5CipherData(algid, pwitem,
- der_item, PR_TRUE, NULL);
- if(dest != NULL)
- {
- rv = SECITEM_CopyItem(permarena, &epki->encryptedData,
- dest);
- if(rv == SECSuccess)
- rv = SECOID_CopyAlgorithmID(permarena,
- &epki->algorithm, algid);
- }
- }
- if(dest != NULL)
- SECITEM_FreeItem(dest, PR_TRUE);
- if(algid != NULL)
- SECOID_DestroyAlgorithmID(algid, PR_TRUE);
- break;
- }
-
- /* let success fall through */
-loser:
-
- if(rv == SECFailure)
- {
- PORT_FreeArena(permarena, PR_TRUE);
- epki = NULL;
- }
-
- if(temparena != NULL)
- PORT_FreeArena(temparena, PR_TRUE);
-
- if(salt != NULL)
- SECITEM_FreeItem(salt, PR_TRUE);
-
- return epki;
-}
-
-SECStatus
-seckey_put_private_key(SECKEYKeyDBHandle *keydb, DBT *index, SECItem *pwitem,
- SECKEYLowPrivateKey *pk, char *nickname, PRBool update,
- SECOidTag algorithm)
-{
- SECKEYDBKey *dbkey = NULL;
- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- PLArenaPool *temparena = NULL, *permarena = NULL;
- SECItem *dummy = NULL;
- SECItem *salt = NULL;
- SECStatus rv = SECFailure;
-
- if((keydb == NULL) || (index == NULL) || (pwitem == NULL) ||
- (pk == NULL))
- return SECFailure;
-
- permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(permarena == NULL)
- return SECFailure;
-
- dbkey = (SECKEYDBKey *)PORT_ArenaZAlloc(permarena, sizeof(SECKEYDBKey));
- if(dbkey == NULL)
- goto loser;
- dbkey->arena = permarena;
- dbkey->nickname = nickname;
-
- /* TNH - for RC4, the salt should be created here */
-
- epki = seckey_encrypt_private_key(pk, pwitem, keydb, algorithm);
- if(epki == NULL)
- goto loser;
- temparena = epki->arena;
-
- /* extract salt for db key */
- switch(algorithm)
- {
- case SEC_OID_RC4:
- rv = SECITEM_CopyItem(permarena, &(dbkey->salt),
- &(epki->algorithm.parameters));
- epki->algorithm.parameters.len = 0;
- epki->algorithm.parameters.data = NULL;
- break;
- default:
- /* TNH - this should not be necessary */
- salt = SEC_PKCS5GetSalt(&epki->algorithm);
- if(salt != NULL)
- {
- rv = SECITEM_CopyItem(permarena, &(dbkey->salt), salt);
- SECITEM_ZfreeItem(salt, PR_TRUE);
- }
- break;
- }
-
- dummy = SEC_ASN1EncodeItem(permarena, &(dbkey->derPK), epki,
- SECKEY_EncryptedPrivateKeyInfoTemplate);
- if(dummy == NULL)
- rv = SECFailure;
- else
- rv = put_dbkey(keydb, index, dbkey, update);
-
- /* let success fall through */
-loser:
- if(rv != SECSuccess)
- if(permarena != NULL)
- PORT_FreeArena(permarena, PR_TRUE);
- if(temparena != NULL)
- PORT_FreeArena(temparena, PR_TRUE);
-
- return rv;
-}
-
-/*
- * Store a key in the database, indexed by its public key modulus.
- * Note that the nickname is optional. It was only used by keyutil.
- */
-SECStatus
-SECKEY_StoreKeyByPublicKeyAlg(SECKEYKeyDBHandle *handle,
- SECKEYLowPrivateKey *privkey,
- SECItem *pubKeyData,
- char *nickname,
- SECKEYGetPasswordKey f, void *arg,
- SECOidTag algorithm)
-{
- DBT namekey;
- SECItem *pwitem = NULL;
- SECStatus rv;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return(SECFailure);
- }
-
- /* set up db key and data */
- namekey.data = pubKeyData->data;
- namekey.size = pubKeyData->len;
-
- pwitem = (*f )(arg, handle);
- if ( pwitem == NULL ) {
- return(SECFailure);
- }
-
- /* encrypt the private key */
- rv = seckey_put_private_key(handle, &namekey, pwitem, privkey, nickname,
- PR_FALSE, algorithm);
- SECITEM_ZfreeItem(pwitem, PR_TRUE);
-
- return(rv);
-}
-
-SECKEYLowPrivateKey *
-seckey_decrypt_private_key(SECKEYEncryptedPrivateKeyInfo *epki,
- SECItem *pwitem)
-{
- SECKEYLowPrivateKey *pk = NULL;
- SECKEYPrivateKeyInfo *pki = NULL;
- SECStatus rv = SECFailure;
- SECOidTag algorithm;
- PLArenaPool *temparena = NULL, *permarena = NULL;
- SECItem *salt = NULL, *dest = NULL, *key = NULL;
-
- if((epki == NULL) || (pwitem == NULL))
- goto loser;
-
- temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if((temparena == NULL) || (permarena == NULL))
- goto loser;
-
- /* allocate temporary items */
- pki = (SECKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena,
- sizeof(SECKEYPrivateKeyInfo));
-
- /* allocate permanent arena items */
- pk = (SECKEYLowPrivateKey *)PORT_ArenaZAlloc(permarena,
- sizeof(SECKEYLowPrivateKey));
-
- if((pk == NULL) || (pki == NULL))
- goto loser;
-
- pk->arena = permarena;
-
- algorithm = SECOID_GetAlgorithmTag(&(epki->algorithm));
- switch(algorithm)
- {
- case SEC_OID_RC4:
- salt = SECITEM_DupItem(&epki->algorithm.parameters);
- if(salt != NULL)
- {
- key = seckey_create_rc4_key(pwitem, salt);
- if(key != NULL)
- {
- dest = seckey_rc4_cipher(key, &epki->encryptedData,
- PR_FALSE);
- }
- }
- if(salt != NULL)
- SECITEM_ZfreeItem(salt, PR_TRUE);
- if(key != NULL)
- SECITEM_ZfreeItem(key, PR_TRUE);
- break;
- default:
- /* we depend on the fact that if this key was encoded with
- * DES, that the pw was also encoded with DES, so we don't have
- * to do the update here, the password code will handle it. */
- dest = SEC_PKCS5CipherData(&epki->algorithm, pwitem,
- &epki->encryptedData, PR_FALSE, NULL);
- break;
- }
-
- if(dest != NULL)
- {
- rv = SEC_ASN1DecodeItem(temparena, pki,
- SECKEY_PrivateKeyInfoTemplate, dest);
- if(rv == SECSuccess)
- {
- switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
- case SEC_OID_X500_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- pk->keyType = rsaKey;
- rv = SEC_ASN1DecodeItem(permarena, pk,
- SECKEY_RSAPrivateKeyTemplate,
- &pki->privateKey);
- break;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- pk->keyType = dsaKey;
- rv = SEC_ASN1DecodeItem(permarena, pk,
- SECKEY_DSAPrivateKeyTemplate,
- &pki->privateKey);
- if (rv != SECSuccess)
- goto loser;
- rv = SEC_ASN1DecodeItem(permarena, &pk->u.dsa.params,
- SECKEY_PQGParamsTemplate,
- &pki->algorithm.parameters);
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- pk->keyType = dhKey;
- rv = SEC_ASN1DecodeItem(permarena, pk,
- SECKEY_DHPrivateKeyTemplate,
- &pki->privateKey);
- break;
- default:
- rv = SECFailure;
- break;
- }
- }
- else if(PORT_GetError() == SEC_ERROR_BAD_DER)
- {
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- goto loser;
- }
- }
-
- /* let success fall through */
-loser:
- if(temparena != NULL)
- PORT_FreeArena(temparena, PR_TRUE);
- if(dest != NULL)
- SECITEM_ZfreeItem(dest, PR_TRUE);
-
- if(rv != SECSuccess)
- {
- if(permarena != NULL)
- PORT_FreeArena(permarena, PR_TRUE);
- pk = NULL;
- }
-
- return pk;
-}
-
-static SECKEYLowPrivateKey *
-seckey_decode_encrypted_private_key(SECKEYDBKey *dbkey, SECItem *pwitem)
-{
- SECKEYLowPrivateKey *pk = NULL;
- SECKEYEncryptedPrivateKeyInfo *epki;
- PLArenaPool *temparena = NULL;
- SECStatus rv;
- SECOidTag algorithm;
-
- if( ( dbkey == NULL ) || ( pwitem == NULL ) ) {
- return NULL;
- }
-
- temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if(temparena == NULL) {
- return NULL;
- }
-
- epki = (SECKEYEncryptedPrivateKeyInfo *)
- PORT_ArenaZAlloc(temparena, sizeof(SECKEYEncryptedPrivateKeyInfo));
-
- if(epki == NULL) {
- goto loser;
- }
-
- rv = SEC_ASN1DecodeItem(temparena, epki,
- SECKEY_EncryptedPrivateKeyInfoTemplate,
- &(dbkey->derPK));
- if(rv != SECSuccess) {
- goto loser;
- }
-
- algorithm = SECOID_GetAlgorithmTag(&(epki->algorithm));
- switch(algorithm)
- {
- case SEC_OID_RC4:
- /* TNH - this code should derive the actual RC4 key from salt and
- pwitem */
- rv = SECITEM_CopyItem(temparena, &(epki->algorithm.parameters),
- &(dbkey->salt));
- break;
- default:
- break;
- }
-
- pk = seckey_decrypt_private_key(epki, pwitem);
-
- /* let success fall through */
-loser:
-
- PORT_FreeArena(temparena, PR_TRUE);
- return pk;
-}
-
-SECKEYLowPrivateKey *
-seckey_get_private_key(SECKEYKeyDBHandle *keydb, DBT *index, char **nickname,
- SECItem *pwitem)
-{
- SECKEYDBKey *dbkey = NULL;
- SECKEYLowPrivateKey *pk = NULL;
-
- if( ( keydb == NULL ) || ( index == NULL ) || ( pwitem == NULL ) ) {
- return NULL;
- }
-
- dbkey = get_dbkey(keydb, index);
- if(dbkey == NULL) {
- goto loser;
- }
-
- if ( nickname ) {
- if ( dbkey->nickname && ( dbkey->nickname[0] != 0 ) ) {
- *nickname = PORT_Strdup(dbkey->nickname);
- } else {
- *nickname = NULL;
- }
- }
-
- pk = seckey_decode_encrypted_private_key(dbkey, pwitem);
-
- /* let success fall through */
-loser:
-
- if ( dbkey != NULL ) {
- sec_destroy_dbkey(dbkey);
- }
-
- return pk;
-}
-
-/*
- * used by pkcs11 to import keys into it's object format... In the future
- * we really need a better way to tie in...
- */
-SECKEYLowPrivateKey *
-SECKEY_DecryptKey(DBT *key, SECItem *pwitem,
- SECKEYKeyDBHandle *handle) {
- return seckey_get_private_key(handle,key,NULL,pwitem);
-}
-
-/*
- * Find a key in the database, indexed by its public key modulus
- * This is used to find keys that have been stored before their
- * certificate arrives. Once the certificate arrives the key
- * is looked up by the public modulus in the certificate, and the
- * re-stored by its nickname.
- */
-SECKEYLowPrivateKey *
-SECKEY_FindKeyByPublicKey(SECKEYKeyDBHandle *handle, SECItem *modulus,
- SECKEYGetPasswordKey f, void *arg)
-{
- DBT namekey;
- SECKEYLowPrivateKey *pk = NULL;
- SECItem *pwitem = NULL;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- return NULL;
- }
-
- /* set up db key */
- namekey.data = modulus->data;
- namekey.size = modulus->len;
-
- pwitem = (*f )(arg, handle);
- if ( pwitem == NULL ) {
- return(NULL);
- }
-
- pk = seckey_get_private_key(handle, &namekey, NULL, pwitem);
- SECITEM_ZfreeItem(pwitem, PR_TRUE);
-
- /* no need to free dbkey, since its on the stack, and the data it
- * points to is owned by the database
- */
- return(pk);
-}
-
-/* ===== ENCODING ROUTINES ===== */
-
-static SECStatus
-encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
- SECItem *encCheck)
-{
- SECOidData *oidData;
- SECStatus rv;
-
- oidData = SECOID_FindOIDByTag(alg);
- if ( oidData == NULL ) {
- rv = SECFailure;
- goto loser;
- }
-
- entry->len = 1 + oidData->oid.len + encCheck->len;
- if ( arena ) {
- entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len);
- } else {
- entry->data = (unsigned char *)PORT_Alloc(entry->len);
- }
-
- if ( entry->data == NULL ) {
- goto loser;
- }
-
- /* first length of oid */
- entry->data[0] = (unsigned char)oidData->oid.len;
- /* next oid itself */
- PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len);
- /* finally the encrypted check string */
- PORT_Memcpy(&entry->data[1+oidData->oid.len], encCheck->data,
- encCheck->len);
-
- return(SECSuccess);
-
-loser:
- return(SECFailure);
-}
-
-/*
- * Set up the password checker in the key database.
- * This is done by encrypting a known plaintext with the user's key.
- */
-SECStatus
-SECKEY_SetKeyDBPasswordAlg(SECKEYKeyDBHandle *handle,
- SECItem *pwitem, SECOidTag algorithm)
-{
- DBT checkkey;
- SECAlgorithmID *algid = NULL;
- SECStatus rv = SECFailure;
- SECKEYDBKey *dbkey = NULL;
- PLArenaPool *arena;
- SECItem *key = NULL, *salt = NULL;
- SECItem *dest = NULL, test_key;
-
- if (handle == NULL) {
- return(SECFailure);
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- rv = SECFailure;
- goto loser;
- }
-
- dbkey = (SECKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYDBKey));
- if ( dbkey == NULL ) {
- rv = SECFailure;
- goto loser;
- }
-
- dbkey->arena = arena;
-
- /* encrypt key */
- checkkey.data = test_key.data = (unsigned char *)KEYDB_PW_CHECK_STRING;
- checkkey.size = test_key.len = KEYDB_PW_CHECK_LEN;
-
- salt = seckey_create_rc4_salt();
- if(salt == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- switch(algorithm)
- {
- case SEC_OID_RC4:
- key = seckey_create_rc4_key(pwitem, salt);
- if(key != NULL)
- {
- dest = seckey_rc4_cipher(key, &test_key, PR_TRUE);
- SECITEM_FreeItem(key, PR_TRUE);
- }
- break;
- default:
- algid = SEC_PKCS5CreateAlgorithmID(algorithm, salt, 1);
- if(algid != NULL)
- dest = SEC_PKCS5CipherData(algid, pwitem, &test_key,
- PR_TRUE, NULL);
- break;
- }
-
- if(dest != NULL)
- {
- rv = SECITEM_CopyItem(arena, &dbkey->salt, salt);
- if(rv == SECFailure)
- goto loser;
-
- rv = encodePWCheckEntry(arena, &dbkey->derPK, algorithm, dest);
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE);
- } else {
- rv = SECFailure;
- }
-
- /* let success fall through */
-loser:
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_TRUE);
- }
-
- if ( dest != NULL ) {
- SECITEM_ZfreeItem(dest, PR_TRUE);
- }
-
- if ( salt != NULL ) {
- SECITEM_ZfreeItem(salt, PR_TRUE);
- }
-
- return(rv);
-}
-
-/*
- * check to see if the user has typed the right password
- */
-SECStatus
-SECKEY_CheckKeyDBPassword(SECKEYKeyDBHandle *handle, SECItem *pwitem)
-{
- DBT checkkey;
- SECAlgorithmID *algid = NULL;
- SECStatus rv = SECFailure;
- SECKEYDBKey *dbkey = NULL;
- SECItem *key = NULL;
- SECItem *dest = NULL;
- SECOidTag algorithm;
- SECItem oid;
- SECItem encstring;
- PRBool update = PR_FALSE;
-
- if (handle == NULL) {
- goto loser;
- }
-
- checkkey.data = KEYDB_PW_CHECK_STRING;
- checkkey.size = KEYDB_PW_CHECK_LEN;
-
- dbkey = get_dbkey(handle, &checkkey);
-
- if ( dbkey == NULL ) {
- goto loser;
- }
-
- /* build the oid item */
- oid.len = dbkey->derPK.data[0];
- oid.data = &dbkey->derPK.data[1];
-
- /* make sure entry is the correct length
- * since we are probably using a block cipher, the block will be
- * padded, so we may get a bit more than the exact size we need.
- */
- if ( dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 + oid.len ) ) {
- goto loser;
- }
-
- /* find the algorithm tag */
- algorithm = SECOID_FindOIDTag(&oid);
-
- /* make a secitem of the encrypted check string */
- encstring.len = dbkey->derPK.len - ( oid.len + 1 );
- encstring.data = &dbkey->derPK.data[oid.len+1];
-
- switch(algorithm)
- {
- case SEC_OID_RC4:
- key = seckey_create_rc4_key(pwitem, &dbkey->salt);
- if(key != NULL) {
- dest = seckey_rc4_cipher(key, &encstring, PR_FALSE);
- SECITEM_FreeItem(key, PR_TRUE);
- }
- break;
- default:
- algid = SEC_PKCS5CreateAlgorithmID(algorithm,
- &dbkey->salt, 1);
- if(algid != NULL) {
- /* Decrypt - this function implements a workaround for
- * a previous coding error. It will decrypt values using
- * DES rather than 3DES, if the initial try at 3DES
- * decryption fails. In this case, the update flag is
- * set to TRUE. This indication is used later to force
- * an update of the database to "real" 3DES encryption.
- */
- dest = SEC_PKCS5CipherData(algid, pwitem,
- &encstring, PR_FALSE, &update);
- SECOID_DestroyAlgorithmID(algid, PR_TRUE);
- }
- break;
- }
-
- if(dest == NULL) {
- goto loser;
- }
-
- if ((dest->len == KEYDB_PW_CHECK_LEN) &&
- (PORT_Memcmp(dest->data,
- KEYDB_PW_CHECK_STRING, KEYDB_PW_CHECK_LEN) == 0)) {
- rv = SECSuccess;
- /* we succeeded */
- if ( algorithm == SEC_OID_RC4 ) {
- /* partially updated database */
- SECKEY_UpdateKeyDBPass2(handle, pwitem);
- }
- /* Force an update of the password to remove the incorrect DES
- * encryption (see the note above)
- */
- if (update &&
- (algorithm == SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC)) {
- /* data base was encoded with DES not triple des, fix it */
- SECKEY_UpdateKeyDBPass2(handle,pwitem);
- }
- }
-
-loser:
- sec_destroy_dbkey(dbkey);
- if(dest != NULL) {
- SECITEM_ZfreeItem(dest, PR_TRUE);
- }
-
- return(rv);
-}
-
-/*
- * Change the database password and/or algorithm. This internal
- * routine does not check the old password. That must be done by
- * the caller.
- */
-static SECStatus
-ChangeKeyDBPasswordAlg(SECKEYKeyDBHandle *handle,
- SECItem *oldpwitem, SECItem *newpwitem,
- SECOidTag new_algorithm)
-{
- SECStatus rv;
- keyList keylist;
- keyNode *node = NULL;
- SECKEYLowPrivateKey *privkey = NULL;
- char *nickname;
- DBT newkey;
- int ret;
-
- /* traverse the database, collecting the keys of all records */
- keylist.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( keylist.arena == NULL )
- {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(SECFailure);
- }
- keylist.head = NULL;
-
- /* TNH - TraverseKeys should not be public, since it exposes
- the underlying DBT data type. */
- rv = SECKEY_TraverseKeys(handle, sec_add_key_to_list, (void *)&keylist);
- if ( rv != SECSuccess )
- goto loser;
-
- /* walk the list, re-encrypting each entry */
- node = keylist.head;
- while ( node != NULL )
- {
- privkey = seckey_get_private_key(handle, &node->key, &nickname,
- oldpwitem);
-
- if (privkey == NULL) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- rv = SECFailure;
- goto loser;
- }
-
- /* delete the old record */
- ret = (* handle->db->del)(handle->db, &node->key, 0);
- if ( ret ) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- rv = SECFailure;
- goto loser;
- }
-
- /* get the public key, which we use as the database index */
-
- switch (privkey->keyType) {
- case rsaKey:
- newkey.data = privkey->u.rsa.modulus.data;
- newkey.size = privkey->u.rsa.modulus.len;
- break;
- case dsaKey:
- newkey.data = privkey->u.dsa.publicValue.data;
- newkey.size = privkey->u.dsa.publicValue.len;
- break;
- case dhKey:
- newkey.data = privkey->u.dh.publicValue.data;
- newkey.size = privkey->u.dh.publicValue.len;
- break;
- default:
- /* XXX We don't do Fortezza. */
- return SECFailure;
- }
-
- rv = seckey_put_private_key(handle, &newkey, newpwitem, privkey,
- nickname, PR_TRUE, new_algorithm);
-
- if ( rv != SECSuccess )
- {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- rv = SECFailure;
- goto loser;
- }
-
- /* next node */
- node = node->next;
- }
-
- rv = SECKEY_SetKeyDBPasswordAlg(handle, newpwitem, new_algorithm);
-
-loser:
-
- /* free the arena */
- if ( keylist.arena ) {
- PORT_FreeArena(keylist.arena, PR_FALSE);
- }
-
- return(rv);
-}
-
-/*
- * Re-encrypt the entire key database with a new password.
- * NOTE: The really should create a new database rather than doing it
- * in place in the original
- */
-SECStatus
-SECKEY_ChangeKeyDBPasswordAlg(SECKEYKeyDBHandle *handle,
- SECItem *oldpwitem, SECItem *newpwitem,
- SECOidTag new_algorithm)
-{
- SECStatus rv;
-
- if (handle == NULL) {
- PORT_SetError(SEC_ERROR_BAD_DATABASE);
- rv = SECFailure;
- goto loser;
- }
-
- rv = SECKEY_CheckKeyDBPassword(handle, oldpwitem);
- if ( rv != SECSuccess ) {
- return(SECFailure); /* return rv? */
- }
-
- rv = ChangeKeyDBPasswordAlg(handle, oldpwitem, newpwitem, new_algorithm);
-
-loser:
- return(rv);
-}
-
-/*
- * Second pass of updating the key db. This time we have a password.
- */
-SECStatus
-SECKEY_UpdateKeyDBPass2(SECKEYKeyDBHandle *handle, SECItem *pwitem)
-{
- SECStatus rv;
-
- rv = ChangeKeyDBPasswordAlg(handle, pwitem, pwitem,
- SECKEY_GetDefaultKeyDBAlg());
-
- return(rv);
-}
-
-/*
- * currently updates key database from v2 to v3
- */
-SECStatus
-SECKEY_UpdateKeyDBPass1(SECKEYKeyDBHandle *handle)
-{
- SECStatus rv;
- DBT versionKey;
- DBT versionData;
- DBT checkKey;
- DBT checkData;
- DBT saltKey;
- DBT saltData;
- DBT key;
- DBT data;
- SECItem *rc4key = NULL;
- SECKEYDBKey *dbkey = NULL;
- SECItem *oldSalt = NULL;
- int ret;
- SECItem checkitem;
-
- if ( handle->updatedb == NULL ) {
- return(SECSuccess);
- }
-
- /*
- * check the version record
- */
- versionKey.data = VERSION_STRING;
- versionKey.size = sizeof(VERSION_STRING)-1;
-
- ret = (* handle->updatedb->get)(handle->updatedb, &versionKey,
- &versionData, 0 );
-
- if (ret) {
- /* no version record, so old db never used */
- goto done;
- }
-
- if ( ( versionData.size != 1 ) ||
- ( *((unsigned char *)versionData.data) != 2 ) ) {
- /* corrupt or wrong version number so don't update */
- goto done;
- }
-
- saltKey.data = SALT_STRING;
- saltKey.size = sizeof(SALT_STRING) - 1;
-
- ret = (* handle->updatedb->get)(handle->updatedb, &saltKey, &saltData, 0);
- if ( ret ) {
- /* no salt in old db, so it is corrupted */
- goto done;
- }
-
- oldSalt = decodeKeyDBGlobalSalt(&saltData);
- if ( oldSalt == NULL ) {
- /* bad salt in old db, so it is corrupted */
- goto done;
- }
-
- /*
- * look for a pw check entry
- */
- checkKey.data = KEYDB_PW_CHECK_STRING;
- checkKey.size = KEYDB_PW_CHECK_LEN;
-
- rv = (SECStatus)(* handle->updatedb->get)(handle->updatedb, &checkKey,
- &checkData, 0 );
- if (rv) {
- /* no pw check, so old db never used */
- goto done;
- }
-
- dbkey = decode_dbkey(&checkData, 2);
- if ( dbkey == NULL ) {
- goto done;
- }
-
- /* put global salt into the new database now */
- ret = (* handle->db->put)( handle->db, &saltKey, &saltData, 0);
- if ( ret ) {
- goto done;
- }
-
- checkitem = dbkey->derPK;
- dbkey->derPK.data = NULL;
-
- /* format the new pw check entry */
- rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem);
- if ( rv != SECSuccess ) {
- goto done;
- }
-
- rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE);
- if ( rv != SECSuccess ) {
- goto done;
- }
-
- /* free the dbkey */
- sec_destroy_dbkey(dbkey);
- dbkey = NULL;
-
- /* now traverse the database */
- ret = (* handle->updatedb->seq)(handle->updatedb, &key, &data, R_FIRST);
- if ( ret ) {
- goto done;
- }
-
- do {
- /* skip version record */
- if ( data.size > 1 ) {
- /* skip salt */
- if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
- if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
- continue;
- }
- }
- /* skip pw check entry */
- if ( key.size == checkKey.size ) {
- if ( PORT_Memcmp(key.data, checkKey.data, key.size) == 0 ) {
- continue;
- }
- }
-
- /* keys stored by nickname will have 0 as the last byte of the
- * db key. Other keys must be stored by modulus. We will not
- * update those because they are left over from a keygen that
- * never resulted in a cert.
- */
- if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
- continue;
- }
-
- dbkey = decode_dbkey(&data, 2);
- if ( dbkey == NULL ) {
- continue;
- }
-
- /* This puts the key into the new database with the same
- * index (nickname) that it had before. The second pass
- * of the update will have the password. It will decrypt
- * and re-encrypt the entries using a new algorithm.
- */
- dbkey->nickname = (char *)key.data;
- rv = put_dbkey(handle, &key, dbkey, PR_FALSE);
- dbkey->nickname = NULL;
-
- sec_destroy_dbkey(dbkey);
- }
- } while ( (* handle->updatedb->seq)(handle->updatedb, &key, &data,
- R_NEXT) == 0 );
-
- dbkey = NULL;
-
-done:
- /* sync the database */
- ret = (* handle->db->sync)(handle->db, 0);
-
- (* handle->updatedb->close)(handle->updatedb);
- handle->updatedb = NULL;
-
- if ( rc4key ) {
- SECITEM_FreeItem(rc4key, PR_TRUE);
- }
-
- if ( oldSalt ) {
- SECITEM_FreeItem(oldSalt, PR_TRUE);
- }
-
- if ( dbkey ) {
- sec_destroy_dbkey(dbkey);
- }
-
- return(SECSuccess);
-}
-
-/*
- * Clear out all the keys in the existing database
- */
-SECStatus
-SECKEY_ResetKeyDB(SECKEYKeyDBHandle *handle)
-{
- SECStatus rv;
- DBT key;
- DBT data;
- int ret;
- int errors = 0;
-
- if ( handle->db == NULL ) {
- return(SECSuccess);
- }
-
-
- /* now traverse the database */
- ret = (* handle->db->seq)(handle->db, &key, &data, R_FIRST);
- if ( ret ) {
- goto done;
- }
-
- do {
- /* delete each entry */
- ret = (* handle->db->del)(handle->db, &key, 0);
- if ( ret ) errors++;
-
- } while ( (* handle->db->seq)(handle->db, &key, &data,
- R_NEXT) == 0 );
- rv = makeGlobalVersion(handle);
- if ( rv != SECSuccess ) {
- errors++;
- goto done;
- }
-
- rv = makeGlobalSalt(handle);
- if ( rv != SECSuccess ) {
- errors++;
- goto done;
- }
-
- if (handle->global_salt) {
- SECITEM_FreeItem(handle->global_salt,PR_TRUE);
- }
- handle->global_salt = GetKeyDBGlobalSalt(handle);
-
-done:
- /* sync the database */
- ret = (* handle->db->sync)(handle->db, 0);
-
- return (errors == 0 ? SECSuccess : SECFailure);
-}
diff --git a/security/nss/lib/softoken/keydbt.h b/security/nss/lib/softoken/keydbt.h
deleted file mode 100644
index 1b781b939..000000000
--- a/security/nss/lib/softoken/keydbt.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * keydbt.h - private data structures for the private key library
- *
- * $Id$
- */
-
-#ifndef _KEYDBT_H_
-#define _KEYDBT_H_
-
-#include "prtypes.h"
-#include "plarena.h"
-#include "secitem.h"
-#include "secasn1t.h"
-#include "secmodt.h"
-#include "pkcs11t.h"
-
-
-/*
- * a key in/for the data base
- */
-struct SECKEYDBKeyStr {
- PLArenaPool *arena;
- int version;
- char *nickname;
- SECItem salt;
- SECItem derPK;
-};
-typedef struct SECKEYDBKeyStr SECKEYDBKey;
-
-typedef struct SECKEYKeyDBHandleStr SECKEYKeyDBHandle;
-
-#define PRIVATE_KEY_DB_FILE_VERSION 3
-
-#define SEC_PRIVATE_KEY_VERSION 0 /* what we *create* */
-
-/*
-** Typedef for callback to get a password "key".
-*/
-typedef SECItem * (* SECKEYGetPasswordKey)(void *arg,
- SECKEYKeyDBHandle *handle);
-
-extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
-extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_RSAPrivateKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DSAPrivateKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
-extern const SEC_ASN1Template SECKEY_DHPrivateKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[];
-extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
-extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
-extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
-extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
-extern const SEC_ASN1Template SECKEY_AttributeTemplate[];
-
-#endif /* _KEYDBT_H_ */
diff --git a/security/nss/lib/softoken/keylow.h b/security/nss/lib/softoken/keylow.h
deleted file mode 100644
index dc84ed426..000000000
--- a/security/nss/lib/softoken/keylow.h
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * key.h - public data structures and prototypes for the private key library
- *
- * $Id$
- */
-
-#ifndef _KEYLOW_H_
-#define _KEYLOW_H_
-
-#include "prtypes.h"
-#include "seccomon.h"
-#include "keydbt.h"
-#include "secoidt.h"
-#include "certt.h"
-#include "keythi.h"
-
-SEC_BEGIN_PROTOS
-
-typedef char * (* SECKEYDBNameFunc)(void *arg, int dbVersion);
-
-/*
-** Open a key database.
-*/
-extern SECKEYKeyDBHandle *SECKEY_OpenKeyDB(PRBool readOnly,
- SECKEYDBNameFunc namecb,
- void *cbarg);
-
-extern SECKEYKeyDBHandle *SECKEY_OpenKeyDBFilename(char *filename,
- PRBool readOnly);
-
-/*
-** Update the database
-*/
-extern SECStatus SECKEY_UpdateKeyDBPass1(SECKEYKeyDBHandle *handle);
-extern SECStatus SECKEY_UpdateKeyDBPass2(SECKEYKeyDBHandle *handle,
- SECItem *pwitem);
-
-/*
- * Clear out all the keys in the existing database
- */
-extern SECStatus SECKEY_ResetKeyDB(SECKEYKeyDBHandle *handle);
-
-/*
-** Close the specified key database.
-*/
-extern void SECKEY_CloseKeyDB(SECKEYKeyDBHandle *handle);
-
-/*
- * Get the version number of the database
- */
-extern int SECKEY_GetKeyDBVersion(SECKEYKeyDBHandle *handle);
-
-/*
-** Support a default key database.
-*/
-extern void SECKEY_SetDefaultKeyDB(SECKEYKeyDBHandle *handle);
-extern SECKEYKeyDBHandle *SECKEY_GetDefaultKeyDB(void);
-
-/* set the alg id of the key encryption algorithm */
-extern void SECKEY_SetDefaultKeyDBAlg(SECOidTag alg);
-
-/*
- * given a password and salt, produce a hash of the password
- */
-extern SECItem *SECKEY_HashPassword(char *pw, SECItem *salt);
-
-/*
- * Derive the actual password value for a key database from the
- * password string value. The derivation uses global salt value
- * stored in the key database.
- */
-extern SECItem *
-SECKEY_DeriveKeyDBPassword(SECKEYKeyDBHandle *handle, char *pw);
-
-/*
-** Delete a key from the database
-*/
-extern SECStatus SECKEY_DeleteKey(SECKEYKeyDBHandle *handle,
- SECItem *pubkey);
-
-/*
-** Store a key in the database, indexed by its public key modulus.
-** "pk" is the private key to store
-** "f" is a the callback function for getting the password
-** "arg" is the argument for the callback
-*/
-extern SECStatus SECKEY_StoreKeyByPublicKey(SECKEYKeyDBHandle *handle,
- SECKEYLowPrivateKey *pk,
- SECItem *pubKeyData,
- char *nickname,
- SECKEYGetPasswordKey f, void *arg);
-
-/* does the key for this cert exist in the database filed by modulus */
-extern SECStatus SECKEY_KeyForCertExists(SECKEYKeyDBHandle *handle,
- CERTCertificate *cert);
-
-SECKEYLowPrivateKey *
-SECKEY_FindKeyByCert(SECKEYKeyDBHandle *handle, CERTCertificate *cert,
- SECKEYGetPasswordKey f, void *arg);
-
-extern SECStatus SECKEY_HasKeyDBPassword(SECKEYKeyDBHandle *handle);
-extern SECStatus SECKEY_SetKeyDBPassword(SECKEYKeyDBHandle *handle,
- SECItem *pwitem);
-extern SECStatus SECKEY_CheckKeyDBPassword(SECKEYKeyDBHandle *handle,
- SECItem *pwitem);
-extern SECStatus SECKEY_ChangeKeyDBPassword(SECKEYKeyDBHandle *handle,
- SECItem *oldpwitem,
- SECItem *newpwitem);
-
-/*
-** Destroy a private key object.
-** "key" the object
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SECKEY_LowDestroyPrivateKey(SECKEYLowPrivateKey *key);
-
-/*
-** Destroy a public key object.
-** "key" the object
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SECKEY_LowDestroyPublicKey(SECKEYLowPublicKey *key);
-
-/*
-** Return the modulus length of "pubKey".
-*/
-extern unsigned int SECKEY_LowPublicModulusLen(SECKEYLowPublicKey *pubKey);
-
-
-/*
-** Return the modulus length of "privKey".
-*/
-extern unsigned int SECKEY_LowPrivateModulusLen(SECKEYLowPrivateKey *privKey);
-
-
-/*
-** Convert a low private key "privateKey" into a public low key
-*/
-extern SECKEYLowPublicKey
- *SECKEY_LowConvertToPublicKey(SECKEYLowPrivateKey *privateKey);
-
-/*
- * Set the Key Database password.
- * handle is a handle to the key database
- * pwitem is the new password
- * algorithm is the algorithm by which the key database
- * password is to be encrypted.
- * On failure, SECFailure is returned, otherwise SECSuccess is
- * returned.
- */
-extern SECStatus
-SECKEY_SetKeyDBPasswordAlg(SECKEYKeyDBHandle *handle,
- SECItem *pwitem,
- SECOidTag algorithm);
-
-/* Check the key database password.
- * handle is a handle to the key database
- * pwitem is the suspect password
- * algorithm is the algorithm by which the key database
- * password is to be encrypted.
- * The password is checked against plaintext to see if it is the
- * actual password. If it is not, SECFailure is returned.
- */
-extern SECStatus
-SECKEY_CheckKeyDBPasswordAlg(SECKEYKeyDBHandle *handle,
- SECItem *pwitem,
- SECOidTag algorithm);
-
-/* Change the key database password and/or algorithm by which
- * the password is stored with.
- * handle is a handle to the key database
- * old_pwitem is the current password
- * new_pwitem is the new password
- * old_algorithm is the algorithm by which the key database
- * password is currently encrypted.
- * new_algorithm is the algorithm with which the new password
- * is to be encrypted.
- * A return of anything but SECSuccess indicates failure.
- */
-extern SECStatus
-SECKEY_ChangeKeyDBPasswordAlg(SECKEYKeyDBHandle *handle,
- SECItem *oldpwitem, SECItem *newpwitem,
- SECOidTag old_algorithm);
-
-/* Store key by modulus and specify an encryption algorithm to use.
- * handle is the pointer to the key database,
- * privkey is the private key to be stored,
- * f and arg are the function and arguments to the callback
- * to get a password,
- * algorithm is the algorithm which the privKey is to be stored.
- * A return of anything but SECSuccess indicates failure.
- */
-extern SECStatus
-SECKEY_StoreKeyByPublicKeyAlg(SECKEYKeyDBHandle *handle,
- SECKEYLowPrivateKey *privkey,
- SECItem *pubKeyData,
- char *nickname,
- SECKEYGetPasswordKey f, void *arg,
- SECOidTag algorithm);
-
-/* Find key by modulus. This function is the inverse of store key
- * by modulus. An attempt to locate the key with "modulus" is
- * performed. If the key is found, the private key is returned,
- * else NULL is returned.
- * modulus is the modulus to locate
- */
-extern SECKEYLowPrivateKey *
-SECKEY_FindKeyByPublicKey(SECKEYKeyDBHandle *handle, SECItem *modulus,
- SECKEYGetPasswordKey f, void *arg);
-
-/* Make a copy of a low private key in it's own arena.
- * a return of NULL indicates an error.
- */
-extern SECKEYLowPrivateKey *
-SECKEY_CopyLowPrivateKey(SECKEYLowPrivateKey *privKey);
-
-
-SEC_END_PROTOS
-
-#endif /* _KEYLOW_H_ */
diff --git a/security/nss/lib/softoken/keytboth.h b/security/nss/lib/softoken/keytboth.h
deleted file mode 100644
index 50f6b0ebe..000000000
--- a/security/nss/lib/softoken/keytboth.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _KEYTBOTH_H_
-#define _KEYTBOTH_H_ 1
-
-#include "blapit.h"
-#include "secoidt.h"
-
-/*
-** Attributes
-*/
-struct SECKEYAttributeStr {
- SECItem attrType;
- SECItem **attrValue;
-};
-typedef struct SECKEYAttributeStr SECKEYAttribute;
-
-/*
-** A PKCS#8 private key info object
-*/
-struct SECKEYPrivateKeyInfoStr {
- PLArenaPool *arena;
- SECItem version;
- SECAlgorithmID algorithm;
- SECItem privateKey;
- SECKEYAttribute **attributes;
-};
-typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
-#define SEC_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
-
-/*
-** A PKCS#8 private key info object
-*/
-struct SECKEYEncryptedPrivateKeyInfoStr {
- PLArenaPool *arena;
- SECAlgorithmID algorithm;
- SECItem encryptedData;
-};
-typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
-
-
-struct DiffPQGParamsStr {
- PQGParams DiffKEAParams;
- PQGParams DiffDSAParams;
-};
-typedef struct DiffPQGParamsStr DiffPQGParams;
-
-struct PQGDualParamsStr {
- PQGParams CommParams;
- DiffPQGParams DiffParams;
-};
-typedef struct PQGDualParamsStr PQGDualParams;
-
-
-struct KEAParamsStr {
- PLArenaPool *arena;
- SECItem hash;
-};
-typedef struct KEAParamsStr KEAParams;
-
-struct KEAPublicKeyStr {
- KEAParams params;
- SECItem publicValue;
-};
-typedef struct KEAPublicKeyStr KEAPublicKey;
-
-
-
-#endif /* _KEYT_H_ */
diff --git a/security/nss/lib/softoken/keytlow.h b/security/nss/lib/softoken/keytlow.h
deleted file mode 100644
index 0b47ceb99..000000000
--- a/security/nss/lib/softoken/keytlow.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _KEYTLOW_H_
-#define _KEYTLOW_H_ 1
-
-#include "blapit.h"
-
-typedef enum {
- nullKey,
- rsaKey,
- dsaKey,
- fortezzaKey,
- dhKey,
- keaKey
-} KeyType;
-
-struct FortezzaPublicKeyStr {
- int KEAversion;
- int DSSversion;
- unsigned char KMID[8];
- SECItem clearance;
- SECItem KEApriviledge;
- SECItem DSSpriviledge;
- SECItem KEAKey;
- SECItem DSSKey;
- PQGParams params;
- PQGParams keaParams;
-};
-typedef struct FortezzaPublicKeyStr FortezzaPublicKey;
-
-struct FortezzaPrivateKeyStr {
- int certificate;
- unsigned char serial[8];
- int socket;
-};
-typedef struct FortezzaPrivateKeyStr FortezzaPrivateKey;
-
-/*
-** An RSA public key object.
-*/
-struct SECKEYLowPublicKeyStr {
- PLArenaPool *arena;
- KeyType keyType ;
- union {
- RSAPublicKey rsa;
- DSAPublicKey dsa;
- DHPublicKey dh;
- } u;
-};
-typedef struct SECKEYLowPublicKeyStr SECKEYLowPublicKey;
-
-/*
-** Low Level private key object
-** This is only used by the raw Crypto engines (crypto), keydb (keydb),
-** and PKCS #11. Everyone else uses the high level key structure.
-*/
-struct SECKEYLowPrivateKeyStr {
- PLArenaPool *arena;
- KeyType keyType;
- union {
- RSAPrivateKey rsa;
- DSAPrivateKey dsa;
- DHPrivateKey dh;
- FortezzaPrivateKey fortezza; /* includes DSA and KEA private
- keys used with fortezza */
- } u;
-};
-typedef struct SECKEYLowPrivateKeyStr SECKEYLowPrivateKey;
-
-#endif /* _KEYTLOW_H_ */
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
deleted file mode 100644
index 653b18785..000000000
--- a/security/nss/lib/softoken/lowkey.c
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "keylow.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secder.h"
-#include "base64.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "secerr.h"
-
-
-const SEC_ASN1Template SECKEY_RSAPrivateKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPrivateKey) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.version) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.modulus) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.publicExponent) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.privateExponent) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.prime1) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.prime2) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.exponent1) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.exponent2) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.rsa.coefficient) },
- { 0 }
-};
-
-
-const SEC_ASN1Template SECKEY_DSAPrivateKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYLowPrivateKey) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dsa.publicValue) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dsa.privateValue) },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[] = {
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dsa.privateValue) },
-};
-
-const SEC_ASN1Template SECKEY_DHPrivateKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYLowPrivateKey) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.publicValue) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.privateValue) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.base) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.prime) },
- { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.privateValue) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.base) },
- { SEC_ASN1_INTEGER, offsetof(SECKEYLowPrivateKey,u.dh.prime) },
-};
-
-void
-SECKEY_LowDestroyPrivateKey(SECKEYLowPrivateKey *privk)
-{
- if (privk && privk->arena) {
- PORT_FreeArena(privk->arena, PR_TRUE);
- }
-}
-
-void
-SECKEY_LowDestroyPublicKey(SECKEYLowPublicKey *pubk)
-{
- if (pubk && pubk->arena) {
- PORT_FreeArena(pubk->arena, PR_FALSE);
- }
-}
-unsigned
-SECKEY_LowPublicModulusLen(SECKEYLowPublicKey *pubk)
-{
- unsigned char b0;
-
- /* interpret modulus length as key strength... in
- * fortezza that's the public key length */
-
- switch (pubk->keyType) {
- case rsaKey:
- b0 = pubk->u.rsa.modulus.data[0];
- return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
- default:
- break;
- }
- return 0;
-}
-
-unsigned
-SECKEY_LowPrivateModulusLen(SECKEYLowPrivateKey *privk)
-{
-
- unsigned char b0;
-
- switch (privk->keyType) {
- case rsaKey:
- b0 = privk->u.rsa.modulus.data[0];
- return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
- default:
- break;
- }
- return 0;
-}
-
-SECKEYLowPublicKey *
-SECKEY_LowConvertToPublicKey(SECKEYLowPrivateKey *privk)
-{
- SECKEYLowPublicKey *pubk;
- PLArenaPool *arena;
-
-
- arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- switch(privk->keyType) {
- case rsaKey:
- case nullKey:
- pubk = (SECKEYLowPublicKey *)PORT_ArenaZAlloc(arena,
- sizeof (SECKEYLowPublicKey));
- if (pubk != NULL) {
- SECStatus rv;
-
- pubk->arena = arena;
- pubk->keyType = privk->keyType;
- if (privk->keyType == nullKey) return pubk;
- rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
- &privk->u.rsa.modulus);
- if (rv == SECSuccess) {
- rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
- &privk->u.rsa.publicExponent);
- if (rv == SECSuccess)
- return pubk;
- }
- SECKEY_LowDestroyPublicKey (pubk);
- } else {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- }
- break;
- case dsaKey:
- pubk = (SECKEYLowPublicKey *)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYLowPublicKey));
- if (pubk != NULL) {
- SECStatus rv;
-
- pubk->arena = arena;
- pubk->keyType = privk->keyType;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
- &privk->u.dsa.publicValue);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
- &privk->u.dsa.params.prime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
- &privk->u.dsa.params.subPrime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
- &privk->u.dsa.params.base);
- if (rv == SECSuccess) return pubk;
- }
- break;
- case dhKey:
- pubk = (SECKEYLowPublicKey *)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYLowPublicKey));
- if (pubk != NULL) {
- SECStatus rv;
-
- pubk->arena = arena;
- pubk->keyType = privk->keyType;
- rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
- &privk->u.dh.publicValue);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
- &privk->u.dh.prime);
- if (rv != SECSuccess) break;
- rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
- &privk->u.dh.base);
- if (rv == SECSuccess) return pubk;
- }
- break;
- /* No Fortezza in Low Key implementations (Fortezza keys aren't
- * stored in our data base */
- default:
- break;
- }
-
- PORT_FreeArena (arena, PR_FALSE);
- return NULL;
-}
-
-SECKEYLowPrivateKey *
-SECKEY_CopyLowPrivateKey(SECKEYLowPrivateKey *privKey)
-{
- SECKEYLowPrivateKey *returnKey = NULL;
- SECStatus rv = SECFailure;
- PLArenaPool *poolp;
-
- if(!privKey) {
- return NULL;
- }
-
- poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if(!poolp) {
- return NULL;
- }
-
- returnKey = (SECKEYLowPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(SECKEYLowPrivateKey));
- if(!returnKey) {
- rv = SECFailure;
- goto loser;
- }
-
- returnKey->keyType = privKey->keyType;
- returnKey->arena = poolp;
-
- switch(privKey->keyType) {
- case rsaKey:
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus),
- &(privKey->u.rsa.modulus));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version),
- &(privKey->u.rsa.version));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent),
- &(privKey->u.rsa.publicExponent));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent),
- &(privKey->u.rsa.privateExponent));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1),
- &(privKey->u.rsa.prime1));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2),
- &(privKey->u.rsa.prime2));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1),
- &(privKey->u.rsa.exponent1));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2),
- &(privKey->u.rsa.exponent2));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient),
- &(privKey->u.rsa.coefficient));
- if(rv != SECSuccess) break;
- break;
- case dsaKey:
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
- &(privKey->u.dsa.publicValue));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
- &(privKey->u.dsa.privateValue));
- if(rv != SECSuccess) break;
- returnKey->u.dsa.params.arena = poolp;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
- &(privKey->u.dsa.params.prime));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
- &(privKey->u.dsa.params.subPrime));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
- &(privKey->u.dsa.params.base));
- if(rv != SECSuccess) break;
- break;
- case dhKey:
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
- &(privKey->u.dh.publicValue));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
- &(privKey->u.dh.privateValue));
- if(rv != SECSuccess) break;
- returnKey->u.dsa.params.arena = poolp;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
- &(privKey->u.dh.prime));
- if(rv != SECSuccess) break;
- rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
- &(privKey->u.dh.base));
- if(rv != SECSuccess) break;
- break;
- case fortezzaKey:
- returnKey->u.fortezza.certificate =
- privKey->u.fortezza.certificate;
- returnKey->u.fortezza.socket =
- privKey->u.fortezza.socket;
- PORT_Memcpy(returnKey->u.fortezza.serial,
- privKey->u.fortezza.serial, 8);
- rv = SECSuccess;
- break;
- default:
- rv = SECFailure;
- }
-
-loser:
-
- if(rv != SECSuccess) {
- PORT_FreeArena(poolp, PR_TRUE);
- returnKey = NULL;
- }
-
- return returnKey;
-}
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
deleted file mode 100644
index 75d5e9fc2..000000000
--- a/security/nss/lib/softoken/manifest.mn
+++ /dev/null
@@ -1,77 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-MODULE = security
-
-REQUIRES = dbm
-
-LIBRARY_NAME = softoken
-
-
-EXPORTS = \
- keydbt.h \
- keylow.h \
- keytboth.h \
- keytlow.h \
- secpkcs5.h \
- pkcs11.h \
- pkcs11f.h \
- pkcs11p.h \
- pkcs11t.h \
- pkcs11u.h \
- $(NULL)
-
-PRIVATE_EXPORTS = \
- alghmac.h \
- pkcs11i.h \
- softoken.h \
- softoknt.h \
- $(NULL)
-
-CSRCS = \
- alghmac.c \
- rsawrapr.c \
- pkcs11.c \
- pkcs11c.c \
- pkcs11u.c \
- secpkcs5.c \
- keydb.c \
- lowkey.c \
- padbuf.c \
- fipstest.c \
- fipstokn.c \
- rawhash.c \
- $(NULL)
-
-
diff --git a/security/nss/lib/softoken/padbuf.c b/security/nss/lib/softoken/padbuf.c
deleted file mode 100644
index a4e28947a..000000000
--- a/security/nss/lib/softoken/padbuf.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "blapit.h"
-#include "secport.h"
-#include "secerr.h"
-
-/*
- * Prepare a buffer for DES encryption, growing to the appropriate boundary,
- * filling with the appropriate padding.
- *
- * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
- * we assume (and use) XP memory (re)allocation.
- */
-unsigned char *
-DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
- unsigned int *outlen)
-{
- unsigned char *outbuf;
- unsigned int des_len;
- unsigned int i;
- unsigned char des_pad_len;
-
- /*
- * We need from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
- * The extra bytes contain the value of the length of the padding:
- * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
- */
- des_len = (inlen + DES_KEY_LENGTH) & ~(DES_KEY_LENGTH - 1);
-
- if (arena != NULL) {
- outbuf = (unsigned char*)PORT_ArenaGrow (arena, inbuf, inlen, des_len);
- } else {
- outbuf = (unsigned char*)PORT_Realloc (inbuf, des_len);
- }
-
- if (outbuf == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- des_pad_len = des_len - inlen;
- for (i = inlen; i < des_len; i++)
- outbuf[i] = des_pad_len;
-
- *outlen = des_len;
- return outbuf;
-}
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
deleted file mode 100644
index fc70b782a..000000000
--- a/security/nss/lib/softoken/pkcs11.c
+++ /dev/null
@@ -1,4031 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This file implements PKCS 11 on top of our existing security modules
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- * This implementation has two slots:
- * slot 1 is our generic crypto support. It does not require login.
- * It supports Public Key ops, and all they bulk ciphers and hashes.
- * It can also support Private Key ops for imported Private keys. It does
- * not have any token storage.
- * slot 2 is our private key support. It requires a login before use. It
- * can store Private Keys and Certs as token objects. Currently only private
- * keys and their associated Certificates are saved on the token.
- *
- * In this implementation, session objects are only visible to the session
- * that created or generated them.
- */
-#include "seccomon.h"
-#include "secitem.h"
-#include "pkcs11.h"
-#include "pkcs11i.h"
-#include "softoken.h"
-#include "cert.h"
-#include "keylow.h"
-#include "blapi.h"
-#include "secder.h"
-#include "secport.h"
-#include "certdb.h"
-
-#include "private.h"
-
-
-/*
- * ******************** Static data *******************************
- */
-
-/* The next three strings must be exactly 32 characters long */
-static char *manufacturerID = "Netscape Communications Corp ";
-static char *libraryDescription = "Communicator Internal Crypto Svc";
-static char *tokDescription = "Communicator Generic Crypto Svcs";
-static char *privTokDescription = "Communicator Certificate DB ";
-/* The next two strings must be exactly 64 characters long, with the
- first 32 characters meaningful */
-static char *slotDescription =
- "Communicator Internal Cryptographic Services Version 4.0 ";
-static char *privSlotDescription =
- "Communicator User Private Key and Certificate Services ";
-static int minimumPinLen = 0;
-
-#define __PASTE(x,y) x##y
-
-/*
- * we renamed all our internal functions, get the correct
- * definitions for them...
- */
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-#define CK_EXTERN extern
-#define CK_PKCS11_FUNCTION_INFO(func) \
- CK_RV __PASTE(NS,func)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-
-
-
-/* build the crypto module table */
-static CK_FUNCTION_LIST pk11_funcList = {
- { 1, 10 },
-
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-#define CK_PKCS11_FUNCTION_INFO(func) \
- __PASTE(NS,func),
-#include "pkcs11f.h"
-
-};
-
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-
-#undef __PASTE
-
-/* List of DES Weak Keys */
-typedef unsigned char desKey[8];
-static desKey pk11_desWeakTable[] = {
-#ifdef noParity
- /* weak */
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e },
- { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 },
- { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
- /* semi-weak */
- { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe },
- { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe },
-
- { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 },
- { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e },
-
- { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f },
- { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 },
-
- { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
- { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e },
-
- { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e },
- { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 },
-
- { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe },
- { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 },
-#else
- /* weak */
- { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
- { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e },
- { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 },
- { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
-
- /* semi-weak */
- { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe },
- { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 },
-
- { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 },
- { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e },
-
- { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 },
- { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 },
-
- { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
- { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e },
-
- { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e },
- { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e, 0x01 },
-
- { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe },
- { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 }
-#endif
-};
-
-
-static int pk11_desWeakTableSize = sizeof(pk11_desWeakTable)/
- sizeof(pk11_desWeakTable[0]);
-
-/* DES KEY Parity conversion table. Takes each byte/2 as an index, returns
- * that byte with the proper parity bit set */
-static unsigned char parityTable[256] = {
-/* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
-/* E */ 0x01,0x02,0x04,0x07,0x08,0x0b,0x0d,0x0e,
-/* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
-/* O */ 0x10,0x13,0x15,0x16,0x19,0x1a,0x1c,0x1f,
-/* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
-/* O */ 0x20,0x23,0x25,0x26,0x29,0x2a,0x2c,0x2f,
-/* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
-/* E */ 0x31,0x32,0x34,0x37,0x38,0x3b,0x3d,0x3e,
-/* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
-/* O */ 0x40,0x43,0x45,0x46,0x49,0x4a,0x4c,0x4f,
-/* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
-/* E */ 0x51,0x52,0x54,0x57,0x58,0x5b,0x5d,0x5e,
-/* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
-/* E */ 0x61,0x62,0x64,0x67,0x68,0x6b,0x6d,0x6e,
-/* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
-/* O */ 0x70,0x73,0x75,0x76,0x79,0x7a,0x7c,0x7f,
-/* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
-/* O */ 0x80,0x83,0x85,0x86,0x89,0x8a,0x8c,0x8f,
-/* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
-/* E */ 0x91,0x92,0x94,0x97,0x98,0x9b,0x9d,0x9e,
-/* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
-/* E */ 0xa1,0xa2,0xa4,0xa7,0xa8,0xab,0xad,0xae,
-/* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
-/* O */ 0xb0,0xb3,0xb5,0xb6,0xb9,0xba,0xbc,0xbf,
-/* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
-/* E */ 0xc1,0xc2,0xc4,0xc7,0xc8,0xcb,0xcd,0xce,
-/* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
-/* O */ 0xd0,0xd3,0xd5,0xd6,0xd9,0xda,0xdc,0xdf,
-/* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
-/* O */ 0xe0,0xe3,0xe5,0xe6,0xe9,0xea,0xec,0xef,
-/* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */
-/* E */ 0xf1,0xf2,0xf4,0xf7,0xf8,0xfb,0xfd,0xfe,
-};
-
-/* Mechanisms */
-struct mechanismList {
- CK_MECHANISM_TYPE type;
- CK_MECHANISM_INFO domestic;
- PRBool privkey;
-};
-
-/*
- * the following table includes a complete list of mechanism defined by
- * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11
- * module are ifdef'ed out.
- */
-#define CKF_EN_DE CKF_ENCRYPT | CKF_DECRYPT
-#define CKF_WR_UN CKF_WRAP | CKF_UNWRAP
-#define CKF_SN_VR CKF_SIGN | CKF_VERIFY
-#define CKF_SN_RE CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER
-
-#define CKF_EN_DE_WR_UN CKF_EN_DE | CKF_WR_UN
-#define CKF_SN_VR_RE CKF_SN_VR | CKF_SN_RE
-#define CKF_DUZ_IT_ALL CKF_EN_DE_WR_UN | CKF_SN_VR_RE
-
-static struct mechanismList mechanisms[] = {
- /* ------------------------- RSA Operations ---------------------------*/
- {CKM_RSA_PKCS_KEY_PAIR_GEN,{128, 2048, CKF_GENERATE_KEY_PAIR}, PR_TRUE},
- {CKM_RSA_PKCS, { 16, 256, CKF_DUZ_IT_ALL}, PR_TRUE},
-#ifdef PK11_RSA9796_SUPPORTED
- {CKM_RSA_9796, { 16, 256, CKF_DUZ_IT_ALL}, PR_TRUE},
-#endif
- {CKM_RSA_X_509, { 16, 256, CKF_DUZ_IT_ALL}, PR_TRUE},
- /* -------------- RSA Multipart Signing Operations -------------------- */
- {CKM_MD2_RSA_PKCS, {16, 256, CKF_SN_VR}, PR_TRUE},
- {CKM_MD5_RSA_PKCS, {16, 256, CKF_SN_VR}, PR_TRUE},
- {CKM_SHA1_RSA_PKCS, {16, 256, CKF_SN_VR}, PR_TRUE},
- /* ------------------------- DSA Operations --------------------------- */
- {CKM_DSA_KEY_PAIR_GEN, {64, 128, CKF_GENERATE_KEY_PAIR}, PR_TRUE},
- {CKM_DSA, {64, 128, CKF_SN_VR}, PR_TRUE},
- {CKM_DSA_SHA1, {64, 128, CKF_SN_VR}, PR_TRUE},
- /* -------------------- Diffie Hellman Operations --------------------- */
- /* no diffie hellman yet */
- {CKM_DH_PKCS_KEY_PAIR_GEN, {16, 128, CKF_GENERATE_KEY_PAIR}, PR_TRUE},
- {CKM_DH_PKCS_DERIVE, {16, 128, CKF_DERIVE}, PR_TRUE},
- /* ------------------------- RC2 Operations --------------------------- */
- {CKM_RC2_KEY_GEN, {1, 128, CKF_GENERATE}, PR_FALSE},
- {CKM_RC2_ECB, {1, 128, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_RC2_CBC, {1, 128, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_RC2_MAC, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_RC2_MAC_GENERAL, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_RC2_CBC_PAD, {1, 128, CKF_EN_DE_WR_UN}, PR_FALSE},
- /* ------------------------- RC4 Operations --------------------------- */
- {CKM_RC4_KEY_GEN, {1, 256, CKF_GENERATE}, PR_FALSE},
- {CKM_RC4, {1, 256, CKF_EN_DE_WR_UN}, PR_FALSE},
- /* ------------------------- DES Operations --------------------------- */
- {CKM_DES_KEY_GEN, { 8, 8, CKF_GENERATE}, PR_FALSE},
- {CKM_DES_ECB, { 8, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_DES_CBC, { 8, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_DES_MAC, { 8, 8, CKF_SN_VR}, PR_FALSE},
- {CKM_DES_MAC_GENERAL, { 8, 8, CKF_SN_VR}, PR_FALSE},
- {CKM_DES_CBC_PAD, { 8, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_DES2_KEY_GEN, {24, 24, CKF_GENERATE}, PR_FALSE},
- {CKM_DES3_KEY_GEN, {24, 24, CKF_GENERATE}, PR_TRUE },
- {CKM_DES3_ECB, {24, 24, CKF_EN_DE_WR_UN}, PR_TRUE },
- {CKM_DES3_CBC, {24, 24, CKF_EN_DE_WR_UN}, PR_TRUE },
- {CKM_DES3_MAC, {24, 24, CKF_SN_VR}, PR_TRUE },
- {CKM_DES3_MAC_GENERAL, {24, 24, CKF_SN_VR}, PR_TRUE },
- {CKM_DES3_CBC_PAD, {24, 24, CKF_EN_DE_WR_UN}, PR_TRUE },
- /* ------------------------- CDMF Operations --------------------------- */
- {CKM_CDMF_KEY_GEN, {8, 8, CKF_GENERATE}, PR_FALSE},
- {CKM_CDMF_ECB, {8, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CDMF_CBC, {8, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CDMF_MAC, {8, 8, CKF_SN_VR}, PR_FALSE},
- {CKM_CDMF_MAC_GENERAL, {8, 8, CKF_SN_VR}, PR_FALSE},
- {CKM_CDMF_CBC_PAD, {8, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- /* ------------------------- Hashing Operations ----------------------- */
- {CKM_MD2, {0, 0, CKF_DIGEST}, PR_FALSE},
- {CKM_MD2_HMAC, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_MD2_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_MD5, {0, 0, CKF_DIGEST}, PR_FALSE},
- {CKM_MD5_HMAC, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_MD5_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_SHA_1, {0, 0, CKF_DIGEST}, PR_FALSE},
- {CKM_SHA_1_HMAC, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_SHA_1_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_FALSE},
- {CKM_TLS_PRF_GENERAL, {0, 512, CKF_SN_VR}, PR_FALSE},
- /* ------------------------- CAST Operations --------------------------- */
-#ifdef PK11_CAST_SUPPORTED
- /* Cast operations are not supported ( yet? ) */
- {CKM_CAST_KEY_GEN, {1, 8, CKF_GENERATE}, PR_FALSE},
- {CKM_CAST_ECB, {1, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST_CBC, {1, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST_MAC, {1, 8, CKF_SN_VR}, PR_FALSE},
- {CKM_CAST_MAC_GENERAL, {1, 8, CKF_SN_VR}, PR_FALSE},
- {CKM_CAST_CBC_PAD, {1, 8, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST3_KEY_GEN, {1, 16, CKF_GENERATE}, PR_FALSE},
- {CKM_CAST3_ECB, {1, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST3_CBC, {1, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST3_MAC, {1, 16, CKF_SN_VR}, PR_FALSE},
- {CKM_CAST3_MAC_GENERAL, {1, 16, CKF_SN_VR}, PR_FALSE},
- {CKM_CAST3_CBC_PAD, {1, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST5_KEY_GEN, {1, 16, CKF_GENERATE}, PR_FALSE},
- {CKM_CAST5_ECB, {1, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST5_CBC, {1, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_CAST5_MAC, {1, 16, CKF_SN_VR}, PR_FALSE},
- {CKM_CAST5_MAC_GENERAL, {1, 16, CKF_SN_VR}, PR_FALSE},
- {CKM_CAST5_CBC_PAD, {1, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
-#endif
- /* ------------------------- RC5 Operations --------------------------- */
- {CKM_RC5_KEY_GEN, {1, 255, CKF_GENERATE}, PR_FALSE},
- {CKM_RC5_ECB, {1, 255, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_RC5_CBC, {1, 255, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_RC5_MAC, {1, 255, CKF_SN_VR}, PR_FALSE},
- {CKM_RC5_MAC_GENERAL, {1, 255, CKF_SN_VR}, PR_FALSE},
- {CKM_RC5_CBC_PAD, {1, 255, CKF_EN_DE_WR_UN}, PR_FALSE},
- /* ------------------------- IDEA Operations -------------------------- */
-#ifdef PK11_IDEA_SUPPORTED
- {CKM_IDEA_KEY_GEN, {16, 16, CKF_GENERATE}, PR_FALSE},
- {CKM_IDEA_ECB, {16, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_IDEA_CBC, {16, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
- {CKM_IDEA_MAC, {16, 16, CKF_SN_VR}, PR_FALSE},
- {CKM_IDEA_MAC_GENERAL, {16, 16, CKF_SN_VR}, PR_FALSE},
- {CKM_IDEA_CBC_PAD, {16, 16, CKF_EN_DE_WR_UN}, PR_FALSE},
-#endif
- /* --------------------- Secret Key Operations ------------------------ */
- {CKM_GENERIC_SECRET_KEY_GEN, {1, 256, CKF_GENERATE}, PR_FALSE},
- {CKM_CONCATENATE_BASE_AND_KEY, {1, 256, CKF_GENERATE}, PR_FALSE},
- {CKM_CONCATENATE_BASE_AND_DATA, {1, 256, CKF_GENERATE}, PR_FALSE},
- {CKM_CONCATENATE_DATA_AND_BASE, {1, 256, CKF_GENERATE}, PR_FALSE},
- {CKM_XOR_BASE_AND_DATA, {1, 256, CKF_GENERATE}, PR_FALSE},
- {CKM_EXTRACT_KEY_FROM_KEY, {1, 256, CKF_DERIVE}, PR_FALSE},
- /* ---------------------- SSL Key Derivations ------------------------- */
- {CKM_SSL3_PRE_MASTER_KEY_GEN, {48, 48, CKF_GENERATE}, PR_FALSE},
- {CKM_SSL3_MASTER_KEY_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE},
- {CKM_SSL3_KEY_AND_MAC_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE},
- {CKM_SSL3_MD5_MAC, { 0, 16, CKF_DERIVE}, PR_FALSE},
- {CKM_SSL3_SHA1_MAC, { 0, 20, CKF_DERIVE}, PR_FALSE},
- {CKM_MD5_KEY_DERIVATION, { 0, 16, CKF_DERIVE}, PR_FALSE},
- {CKM_MD2_KEY_DERIVATION, { 0, 16, CKF_DERIVE}, PR_FALSE},
- {CKM_SHA1_KEY_DERIVATION, { 0, 20, CKF_DERIVE}, PR_FALSE},
- {CKM_TLS_MASTER_KEY_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE},
- {CKM_TLS_KEY_AND_MAC_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE},
- /* ---------------------- PBE Key Derivations ------------------------ */
- {CKM_PBE_MD2_DES_CBC, {64, 64, CKF_DERIVE}, PR_TRUE},
- {CKM_PBE_MD5_DES_CBC, {64, 64, CKF_DERIVE}, PR_TRUE},
- /* ------------------ NETSCAPE PBE Key Derivations ------------------- */
- {CKM_NETSCAPE_PBE_SHA1_DES_CBC, { 64, 64, CKF_GENERATE}, PR_TRUE},
- {CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, {192, 192, CKF_GENERATE}, PR_TRUE},
- {CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, {192, 192, CKF_GENERATE}, PR_TRUE},
- {CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, { 40, 40, CKF_GENERATE}, PR_TRUE},
- {CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, {128, 128, CKF_GENERATE}, PR_TRUE},
- {CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, { 40, 40, CKF_GENERATE}, PR_TRUE},
- {CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, {128, 128, CKF_GENERATE}, PR_TRUE},
- {CKM_PBE_SHA1_DES3_EDE_CBC, {192, 192, CKF_GENERATE}, PR_TRUE},
- {CKM_PBE_SHA1_DES2_EDE_CBC, {192, 192, CKF_GENERATE}, PR_TRUE},
- {CKM_PBE_SHA1_RC2_40_CBC, { 40, 40, CKF_GENERATE}, PR_TRUE},
- {CKM_PBE_SHA1_RC2_128_CBC, {128, 128, CKF_GENERATE}, PR_TRUE},
- {CKM_PBE_SHA1_RC4_40, { 40, 40, CKF_GENERATE}, PR_TRUE},
- {CKM_PBE_SHA1_RC4_128, {128, 128, CKF_GENERATE}, PR_TRUE},
-};
-static CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
-/* load up our token database */
-static CK_RV pk11_importKeyDB(PK11Slot *slot);
-
-/*
- * Configuration utils
- */
-void
-PK11_ConfigurePKCS11(char *man, char *libdes, char *tokdes, char *ptokdes,
- char *slotdes, char *pslotdes, char *fslotdes, char *fpslotdes,
- int minPwd, int pwRequired)
-{
-
- /* make sure the internationalization was done correctly... */
- if (man && (PORT_Strlen(man) == 33)) {
- manufacturerID = man;
- }
- if (libdes && (PORT_Strlen(libdes) == 33)) {
- libraryDescription = libdes;
- }
- if (tokdes && (PORT_Strlen(tokdes) == 33)) {
- tokDescription = tokdes;
- }
- if (ptokdes && (PORT_Strlen(ptokdes) == 33)) {
- privTokDescription = ptokdes;
- }
- if (slotdes && (PORT_Strlen(slotdes) == 65)) {
- slotDescription = slotdes;
- }
- if (pslotdes && (PORT_Strlen(pslotdes) == 65)) {
- privSlotDescription = pslotdes;
- }
-
- if (minimumPinLen <= PK11_MAX_PIN) {
- minimumPinLen = minPwd;
- }
- if ((minimumPinLen == 0) && (pwRequired) &&
- (minimumPinLen <= PK11_MAX_PIN)) {
- minimumPinLen = 1;
- }
-
- PK11_ConfigureFIPS(fslotdes,fpslotdes);
-
- return;
-}
-
-/*
- * ******************** Password Utilities *******************************
- */
-
-/* Handle to give the password to the database. user arg should be a pointer
- * to the slot. */
-static SECItem *pk11_givePass(void *sp,SECKEYKeyDBHandle *handle)
-{
- PK11Slot *slot = (PK11Slot *)sp;
-
- if (slot->password == NULL) return NULL;
-
- return SECITEM_DupItem(slot->password);
-}
-
-/*
- * see if the key DB password is enabled
- */
-PRBool
-pk11_hasNullPassword(SECItem **pwitem)
-{
- PRBool pwenabled;
- SECKEYKeyDBHandle *keydb;
-
- keydb = SECKEY_GetDefaultKeyDB();
- pwenabled = PR_FALSE;
- *pwitem = NULL;
- if (SECKEY_HasKeyDBPassword (keydb) == SECSuccess) {
- *pwitem = SECKEY_HashPassword("", keydb->global_salt);
- if ( *pwitem ) {
- if (SECKEY_CheckKeyDBPassword (keydb, *pwitem) == SECSuccess) {
- pwenabled = PR_TRUE;
- } else {
- SECITEM_ZfreeItem(*pwitem, PR_TRUE);
- *pwitem = NULL;
- }
- }
- }
-
- return pwenabled;
-}
-
-/*
- * ******************** Object Creation Utilities ***************************
- */
-
-
-/* Make sure a given attribute exists. If it doesn't, initialize it to
- * value and len
- */
-CK_RV
-pk11_defaultAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *value,
- unsigned int len)
-{
- if ( !pk11_hasAttribute(object, type)) {
- return pk11_AddAttributeType(object,type,value,len);
- }
- return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Data Object
- */
-static CK_RV
-pk11_handleDataObject(PK11Session *session,PK11Object *object)
-{
- CK_RV crv;
-
- /* first reject private and token data objects */
- if (pk11_isTrue(object,CKA_PRIVATE) || pk11_isTrue(object,CKA_TOKEN)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
-
- /* now just verify the required date fields */
- crv = pk11_defaultAttribute(object,CKA_APPLICATION,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_VALUE,NULL,0);
- if (crv != CKR_OK) return crv;
-
- return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Certificate Object
- */
-static CK_RV
-pk11_handleCertObject(PK11Session *session,PK11Object *object)
-{
- PK11Attribute *attribute;
- CK_CERTIFICATE_TYPE type;
- SECItem derCert;
- char *label;
- CERTCertDBHandle *handle;
- CERTCertificate *cert;
- CK_RV crv;
-
- /* certificates must have a type */
- if ( !pk11_hasAttribute(object,CKA_CERTIFICATE_TYPE) ) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
-
- /* we can't store any certs private */
- if (pk11_isTrue(object,CKA_PRIVATE)) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
-
- /* We only support X.509 Certs for now */
- attribute = pk11_FindAttribute(object,CKA_CERTIFICATE_TYPE);
- if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
- type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue;
- pk11_FreeAttribute(attribute);
-
- if (type != CKC_X_509) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
-
- /* X.509 Certificate */
-
- /* make sure we have a cert */
- if ( !pk11_hasAttribute(object,CKA_VALUE) ) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
-
- /* in PKCS #11, Subject is a required field */
- if ( !pk11_hasAttribute(object,CKA_SUBJECT) ) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
-
- /*
- * now parse the certificate
- */
- handle = CERT_GetDefaultCertDB();
-
- /* get the nickname */
- label = pk11_getString(object,CKA_LABEL);
- object->label = label;
- if (label == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /* get the der cert */
- attribute = pk11_FindAttribute(object,CKA_VALUE);
- derCert.data = (unsigned char *)attribute->attrib.pValue;
- derCert.len = attribute->attrib.ulValueLen ;
-
- cert = CERT_NewTempCertificate(handle, &derCert, label, PR_FALSE, PR_TRUE);
- pk11_FreeAttribute(attribute);
- if (cert == NULL) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
-
- /* add it to the object */
- object->objectInfo = cert;
- object->infoFree = (PK11Free) CERT_DestroyCertificate;
-
- /* now just verify the required date fields */
- crv = pk11_defaultAttribute(object, CKA_ID, NULL, 0);
- if (crv != CKR_OK) { return crv; }
- crv = pk11_defaultAttribute(object,CKA_ISSUER,
- pk11_item_expand(&cert->derIssuer));
- if (crv != CKR_OK) { return crv; }
- crv = pk11_defaultAttribute(object,CKA_SERIAL_NUMBER,
- pk11_item_expand(&cert->serialNumber));
- if (crv != CKR_OK) { return crv; }
-
-
- if (pk11_isTrue(object,CKA_TOKEN)) {
- SECCertUsage *certUsage = NULL;
- CERTCertTrust trust = { CERTDB_USER, CERTDB_USER, CERTDB_USER };
-
- attribute = pk11_FindAttribute(object,CKA_NETSCAPE_TRUST);
- if(attribute) {
- certUsage = (SECCertUsage*)attribute->attrib.pValue;
- pk11_FreeAttribute(attribute);
- }
-
- /* Temporary for PKCS 12 */
- if(cert->nickname == NULL) {
- /* use the arena so we at least don't leak memory */
- cert->nickname = (char *)PORT_ArenaAlloc(cert->arena,
- PORT_Strlen(label)+1);
- if(cert->nickname == NULL) {
- return CKR_HOST_MEMORY;
- }
- PORT_Memcpy(cert->nickname, label, PORT_Strlen(label));
- }
-
- /* only add certs that have a private key */
- if (SECKEY_KeyForCertExists(SECKEY_GetDefaultKeyDB(),cert)
- != SECSuccess) {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- if (CERT_AddTempCertToPerm(cert, label, &trust) != SECSuccess) {
- return CKR_HOST_MEMORY;
- }
- if(certUsage) {
- if(CERT_ChangeCertTrustByUsage(CERT_GetDefaultCertDB(),
- cert, *certUsage) != SECSuccess) {
- return CKR_HOST_MEMORY;
- }
- }
- object->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_CERT);
- object->inDB = PR_TRUE;
- }
-
- /* label has been adopted by object->label */
- /*PORT_Free(label); */
-
- return CKR_OK;
-}
-
-SECKEYLowPublicKey * pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key);
-/*
- * check the consistancy and initialize a Public Key Object
- */
-static CK_RV
-pk11_handlePublicKeyObject(PK11Object *object,CK_KEY_TYPE key_type)
-{
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL encrypt = CK_TRUE;
- CK_BBOOL recover = CK_TRUE;
- CK_BBOOL wrap = CK_TRUE;
- CK_RV crv;
-
- switch (key_type) {
- case CKK_RSA:
- if ( !pk11_hasAttribute(object, CKA_MODULUS)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- break;
- case CKK_DSA:
- if ( !pk11_hasAttribute(object, CKA_PRIME)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_SUBPRIME)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_BASE)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_VALUE)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- encrypt = CK_FALSE;
- recover = CK_FALSE;
- wrap = CK_FALSE;
- break;
- case CKK_DH:
- default:
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
-
- /* make sure the required fields exist */
- crv = pk11_defaultAttribute(object,CKA_SUBJECT,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_ENCRYPT,&encrypt,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_VERIFY_RECOVER,
- &recover,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_WRAP,&wrap,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
-
- object->objectInfo = pk11_GetPubKey(object,key_type);
- object->infoFree = (PK11Free) SECKEY_LowDestroyPublicKey;
-
- if (pk11_isTrue(object,CKA_TOKEN)) {
- object->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PUB);
- }
-
- return CKR_OK;
-}
-/* pk11_GetPubItem returns data associated with the public key.
- * one only needs to free the public key. This comment is here
- * because this sematic would be non-obvious otherwise. All callers
- * should include this comment.
- */
-static SECItem *
-pk11_GetPubItem(SECKEYPublicKey *pubKey) {
- SECItem *pubItem = NULL;
- /* get value to compare from the cert's public key */
- switch ( pubKey->keyType ) {
- case rsaKey:
- pubItem = &pubKey->u.rsa.modulus;
- break;
- case dsaKey:
- pubItem = &pubKey->u.dsa.publicValue;
- break;
- default:
- break;
- }
- return pubItem;
-}
-
-typedef struct {
- CERTCertificate *cert;
- SECItem *pubKey;
-} find_cert_callback_arg;
-
-static SECStatus
-find_cert_by_pub_key(CERTCertificate *cert, SECItem *k, void *arg)
-{
- find_cert_callback_arg *cbarg;
- SECKEYPublicKey *pubKey = NULL;
- SECItem *pubItem;
-
- if((cert == NULL) || (arg == NULL)) {
- return SECFailure;
- }
-
- /* if this cert doesn't look like a user cert, we aren't interested */
- if (!((cert->isperm) && (cert->trust) &&
- (( cert->trust->sslFlags & CERTDB_USER ) ||
- ( cert->trust->emailFlags & CERTDB_USER ) ||
- ( cert->trust->objectSigningFlags & CERTDB_USER )) &&
- ( cert->nickname != NULL ) ) ) {
- goto done;
- }
-
- /* get cert's public key */
- pubKey = CERT_ExtractPublicKey(cert);
- if ( pubKey == NULL ) {
- goto done;
- }
- /* pk11_GetPubItem returns data associated with the public key.
- * one only needs to free the public key. This comment is here
- * because this sematic would be non-obvious otherwise. All callers
- * should include this comment.
- */
- pubItem = pk11_GetPubItem(pubKey);
- if (pubItem == NULL) goto done;
-
- cbarg = (find_cert_callback_arg *)arg;
-
- if(SECITEM_CompareItem(pubItem, cbarg->pubKey) == SECEqual) {
- cbarg->cert = CERT_DupCertificate(cert);
- return SECFailure;
- }
-
-done:
- if ( pubKey ) {
- SECKEY_DestroyPublicKey(pubKey);
- }
-
- return (SECSuccess);
-}
-
-static PK11Object *pk11_importCertificate(PK11Slot *slot,CERTCertificate *cert,
- unsigned char *data, unsigned int size, PRBool needCert);
-/*
- * find a cert associated with the key and load it.
- */
-static SECStatus
-reload_existing_certificate(PK11Object *privKeyObject,SECItem *pubKey)
-{
- find_cert_callback_arg cbarg;
- SECItem nickName;
- CERTCertificate *cert = NULL;
- CK_RV crv;
- SECStatus rv;
-
- cbarg.pubKey = pubKey;
- cbarg.cert = NULL;
- SEC_TraversePermCerts(CERT_GetDefaultCertDB(),
- find_cert_by_pub_key, (void *)&cbarg);
- if (cbarg.cert != NULL) {
- CERTCertificate *cert = NULL;
- /* can anyone tell me why this is call is necessary? rjr */
- cert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
- &cbarg.cert->derCert);
-
- /* does the certificate in the database have a
- * nickname? if not, it probably was inserted
- * through SMIME and a nickname needs to be
- * set.
- */
- if (cert && !cert->nickname) {
- crv=pk11_Attribute2SecItem(NULL,&nickName,privKeyObject,CKA_LABEL);
- if (crv != CKR_OK) {
- goto loser;
- }
- rv = CERT_AddPermNickname(cert, (char *)nickName.data);
- SECITEM_ZfreeItem(&nickName, PR_FALSE);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
-
- /* associate the certificate with the key */
- pk11_importCertificate(privKeyObject->slot, cert, pubKey->data,
- pubKey->len, PR_FALSE);
- }
-
- return SECSuccess;
-loser:
- if (cert) CERT_DestroyCertificate(cert);
- if (cbarg.cert) CERT_DestroyCertificate(cbarg.cert);
- return SECFailure;
-}
-
-static SECKEYLowPrivateKey * pk11_mkPrivKey(PK11Object *object,CK_KEY_TYPE key);
-/*
- * check the consistancy and initialize a Private Key Object
- */
-static CK_RV
-pk11_handlePrivateKeyObject(PK11Object *object,CK_KEY_TYPE key_type)
-{
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL encrypt = CK_TRUE;
- CK_BBOOL recover = CK_TRUE;
- CK_BBOOL wrap = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- SECItem mod;
- CK_RV crv;
-
- switch (key_type) {
- case CKK_RSA:
- if ( !pk11_hasAttribute(object, CKA_MODULUS)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_PRIVATE_EXPONENT)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_PRIME_1)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_PRIME_2)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_EXPONENT_1)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_EXPONENT_2)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_COEFFICIENT)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- /* make sure Netscape DB attribute is set correctly */
- crv = pk11_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
- if (crv != CKR_OK) return crv;
- crv = pk11_forceAttribute(object, CKA_NETSCAPE_DB,
- pk11_item_expand(&mod));
- if (mod.data) PORT_Free(mod.data);
- if (crv != CKR_OK) return crv;
-
- break;
- case CKK_DSA:
- if ( !pk11_hasAttribute(object, CKA_PRIME)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_SUBPRIME)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_BASE)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_VALUE)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- if ( !pk11_hasAttribute(object, CKA_NETSCAPE_DB)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- encrypt = CK_FALSE;
- recover = CK_FALSE;
- wrap = CK_FALSE;
- break;
- case CKK_DH:
- default:
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- crv = pk11_defaultAttribute(object,CKA_SUBJECT,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_DECRYPT,&encrypt,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_SIGN_RECOVER,&recover,
- sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_UNWRAP,&wrap,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- /* the next two bits get modified only in the key gen and token cases */
- crv = pk11_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
- &ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
- &ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
-
- if (pk11_isTrue(object,CKA_TOKEN)) {
- SECKEYLowPrivateKey *privKey;
- char *label;
- SECStatus rv = SECSuccess;
- SECItem pubKey;
-
- privKey=pk11_mkPrivKey(object,key_type);
- if (privKey == NULL) return CKR_HOST_MEMORY;
- label = object->label = pk11_getString(object,CKA_LABEL);
-
- crv = pk11_Attribute2SecItem(NULL,&pubKey,object,CKA_NETSCAPE_DB);
- if (crv == CKR_OK) {
- rv = SECKEY_StoreKeyByPublicKey(SECKEY_GetDefaultKeyDB(),
- privKey, &pubKey, label,
- (SECKEYGetPasswordKey) pk11_givePass, object->slot);
-
- /* check for the existance of an existing certificate and activate
- * it if necessary */
- if (rv == SECSuccess) {
- reload_existing_certificate(object,&pubKey);
- }
-
- if (pubKey.data) PORT_Free(pubKey.data);
- } else {
- rv = SECFailure;
- }
-
- SECKEY_LowDestroyPrivateKey(privKey);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
- object->inDB = PR_TRUE;
- object->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- } else {
- object->objectInfo = pk11_mkPrivKey(object,key_type);
- if (object->objectInfo == NULL) return CKR_HOST_MEMORY;
- object->infoFree = (PK11Free) SECKEY_LowDestroyPrivateKey;
- }
- /* now NULL out the sensitive attributes */
- if (pk11_isTrue(object,CKA_SENSITIVE)) {
- pk11_nullAttribute(object,CKA_PRIVATE_EXPONENT);
- pk11_nullAttribute(object,CKA_PRIME_1);
- pk11_nullAttribute(object,CKA_PRIME_2);
- pk11_nullAttribute(object,CKA_EXPONENT_1);
- pk11_nullAttribute(object,CKA_EXPONENT_2);
- pk11_nullAttribute(object,CKA_COEFFICIENT);
- }
- return CKR_OK;
-}
-
-/* forward delcare the DES formating function for handleSecretKey */
-void pk11_FormatDESKey(unsigned char *key, int length);
-static SECKEYLowPrivateKey *pk11_mkSecretKeyRep(PK11Object *object);
-
-/* Validate secret key data, and set defaults */
-static CK_RV
-validateSecretKey(PK11Object *object, CK_KEY_TYPE key_type, PRBool isFIPS)
-{
- CK_RV crv;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- PK11Attribute *attribute = NULL;
- crv = pk11_defaultAttribute(object,CKA_SENSITIVE,
- isFIPS?&cktrue:&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_EXTRACTABLE,
- &cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_ENCRYPT,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_DECRYPT,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_SIGN,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_VERIFY,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_WRAP,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_UNWRAP,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
-
- if ( !pk11_hasAttribute(object, CKA_VALUE)) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- /* the next two bits get modified only in the key gen and token cases */
- crv = pk11_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
- &ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
- &ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
-
- /* some types of keys have a value length */
- crv = CKR_OK;
- switch (key_type) {
- /* force CKA_VALUE_LEN to be set */
- case CKK_GENERIC_SECRET:
- case CKK_RC2:
- case CKK_RC4:
- case CKK_RC5:
- case CKK_CAST:
- case CKK_CAST3:
- case CKK_CAST5:
- attribute = pk11_FindAttribute(object,CKA_VALUE);
- /* shouldn't happen */
- if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
- crv = pk11_forceAttribute(object, CKA_VALUE_LEN,
- &attribute->attrib.ulValueLen, sizeof(CK_ULONG));
- pk11_FreeAttribute(attribute);
- break;
- /* force the value to have the correct parity */
- case CKK_DES:
- case CKK_DES2:
- case CKK_DES3:
- case CKK_CDMF:
- attribute = pk11_FindAttribute(object,CKA_VALUE);
- /* shouldn't happen */
- if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
- pk11_FormatDESKey((unsigned char*)attribute->attrib.pValue,
- attribute->attrib.ulValueLen);
- pk11_FreeAttribute(attribute);
- break;
- default:
- break;
- }
-
- return crv;
-}
-/*
- * check the consistancy and initialize a Secret Key Object
- */
-static CK_RV
-pk11_handleSecretKeyObject(PK11Object *object,CK_KEY_TYPE key_type,
- PRBool isFIPS)
-{
- CK_RV crv;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- PK11Attribute *attribute = NULL;
- SECKEYLowPrivateKey *privKey = NULL;
- SECItem pubKey;
-
- pubKey.data = 0;
-
- /* First validate and set defaults */
- crv = validateSecretKey(object, key_type, isFIPS);
- if (crv != CKR_OK) goto loser;
-
- /* If the object is a TOKEN object, store in the database */
- if (pk11_isTrue(object,CKA_TOKEN)) {
- char *label;
- SECStatus rv = SECSuccess;
-
- privKey=pk11_mkSecretKeyRep(object);
- if (privKey == NULL) return CKR_HOST_MEMORY;
-
- label = object->label = pk11_getString(object,CKA_LABEL);
-
- crv = pk11_Attribute2SecItem(NULL,&pubKey,object,CKA_ID); /* Should this be ID? */
- if (crv != CKR_OK) goto loser;
-
- rv = SECKEY_StoreKeyByPublicKey(SECKEY_GetDefaultKeyDB(),
- privKey, &pubKey, label,
- (SECKEYGetPasswordKey) pk11_givePass, object->slot);
-
- object->inDB = PR_TRUE;
- object->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- }
-
-loser:
- if (privKey) SECKEY_LowDestroyPrivateKey(privKey);
- if (pubKey.data) PORT_Free(pubKey.data);
-
- return crv;
-}
-
-/*
- * check the consistancy and initialize a Key Object
- */
-static CK_RV
-pk11_handleKeyObject(PK11Session *session, PK11Object *object)
-{
- PK11Attribute *attribute;
- CK_KEY_TYPE key_type;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_RV crv;
-
- /* verify the required fields */
- if ( !pk11_hasAttribute(object,CKA_KEY_TYPE) ) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
-
- /* now verify the common fields */
- crv = pk11_defaultAttribute(object,CKA_ID,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_START_DATE,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_END_DATE,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
-
- /* get the key type */
- attribute = pk11_FindAttribute(object,CKA_KEY_TYPE);
- key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
- pk11_FreeAttribute(attribute);
-
- switch (object->objclass) {
- case CKO_PUBLIC_KEY:
- return pk11_handlePublicKeyObject(object,key_type);
- case CKO_PRIVATE_KEY:
- return pk11_handlePrivateKeyObject(object,key_type);
- case CKO_SECRET_KEY:
- /* make sure the required fields exist */
- return pk11_handleSecretKeyObject(object,key_type,
- (PRBool)(session->slot->slotID == FIPS_SLOT_ID));
- default:
- break;
- }
- return CKR_ATTRIBUTE_VALUE_INVALID;
-}
-
-/*
- * Handle Object does all the object consistancy checks, automatic attribute
- * generation, attribute defaulting, etc. If handleObject succeeds, the object
- * will be assigned an object handle, and the object pointer will be adopted
- * by the session. (that is don't free object).
- */
-CK_RV
-pk11_handleObject(PK11Object *object, PK11Session *session)
-{
- PK11Slot *slot = session->slot;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_BBOOL cktrue = CK_TRUE;
- PK11Attribute *attribute;
- CK_RV crv;
-
- /* make sure all the base object types are defined. If not set the
- * defaults */
- crv = pk11_defaultAttribute(object,CKA_TOKEN,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_PRIVATE,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_LABEL,NULL,0);
- if (crv != CKR_OK) return crv;
- crv = pk11_defaultAttribute(object,CKA_MODIFIABLE,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) return crv;
-
- /* don't create a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (pk11_isTrue(object,CKA_PRIVATE))) {
- return CKR_USER_NOT_LOGGED_IN;
- }
-
-
- if (((session->info.flags & CKF_RW_SESSION) == 0) &&
- (pk11_isTrue(object,CKA_TOKEN))) {
- return CKR_SESSION_READ_ONLY;
- }
-
- if (pk11_isTrue(object, CKA_TOKEN)) {
- if (slot->DB_loaded == PR_FALSE) {
- /* we are creating a token object, make sure we load the database
- * first so we don't get duplicates....
- * ... NOTE: This assumes we are logged in as well!
- */
- pk11_importKeyDB(slot);
- slot->DB_loaded = PR_TRUE;
- }
- }
-
- /* PKCS #11 object ID's are unique for all objects on a
- * token */
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- object->handle = slot->tokenIDCount++;
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
-
- /* get the object class */
- attribute = pk11_FindAttribute(object,CKA_CLASS);
- if (attribute == NULL) {
- return CKR_TEMPLATE_INCOMPLETE;
- }
- object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue;
- pk11_FreeAttribute(attribute);
-
- /* now handle the specific. Get a session handle for these functions
- * to use */
- switch (object->objclass) {
- case CKO_DATA:
- crv = pk11_handleDataObject(session,object);
- case CKO_CERTIFICATE:
- crv = pk11_handleCertObject(session,object);
- break;
- case CKO_PRIVATE_KEY:
- case CKO_PUBLIC_KEY:
- case CKO_SECRET_KEY:
- crv = pk11_handleKeyObject(session,object);
- break;
- default:
- crv = CKR_ATTRIBUTE_VALUE_INVALID;
- break;
- }
-
- /* can't fail from here on out unless the pk_handlXXX functions have
- * failed the request */
- if (crv != CKR_OK) {
- return crv;
- }
-
- /* now link the object into the slot and session structures */
- object->slot = slot;
- pk11_AddObject(session,object);
-
- return CKR_OK;
-}
-
-/* import a private key as an object. We don't call handle object.
- * because we the private key came from the key DB and we don't want to
- * write back out again */
-static PK11Object *
-pk11_importPrivateKey(PK11Slot *slot,SECKEYLowPrivateKey *lowPriv,
- SECItem *dbKey)
-{
- PK11Object *privateKey;
- CK_KEY_TYPE key_type;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_BBOOL sign = CK_TRUE;
- CK_BBOOL recover = CK_TRUE;
- CK_BBOOL decrypt = CK_TRUE;
- CK_BBOOL derive = CK_FALSE;
- CK_RV crv = CKR_OK;
- CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
- unsigned char cka_id[SHA1_LENGTH];
-
- /*
- * now lets create an object to hang the attributes off of
- */
- privateKey = pk11_NewObject(slot); /* fill in the handle later */
- if (privateKey == NULL) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
-
- /* Netscape Private Attribute for dealing with database storeage */
- if (pk11_AddAttributeType(privateKey, CKA_NETSCAPE_DB,
- pk11_item_expand(dbKey)) ) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
-
- /* now force the CKA_ID */
- SHA1_HashBuf(cka_id, (unsigned char *)dbKey->data, (uint32)dbKey->len);
- if (pk11_AddAttributeType(privateKey, CKA_ID, cka_id, sizeof(cka_id))) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
-
-
- /* Fill in the common Default values */
- if (pk11_AddAttributeType(privateKey,CKA_CLASS, &privClass,
- sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_TOKEN, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_PRIVATE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_MODIFIABLE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_LABEL, NULL, 0) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_DERIVE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- /* local: well we really don't know for sure... it could have been an
- * imported key, but it's not a useful attribute anyway. */
- if (pk11_AddAttributeType(privateKey,CKA_LOCAL, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_SENSITIVE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_EXTRACTABLE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- /* is this really true? Maybe we should just say false here? */
- if (pk11_AddAttributeType(privateKey,CKA_ALWAYS_SENSITIVE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_NEVER_EXTRACTABLE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
-
- /* Now Set up the parameters to generate the key (based on mechanism) */
- /* NOTE: for safety sake we *DO NOT* remember critical attributes. PKCS #11
- * will look them up again from the database when it needs them.
- */
- switch (lowPriv->keyType) {
- case rsaKey:
- /* format the keys */
- key_type = CKK_RSA;
- sign = CK_TRUE;
- recover = CK_TRUE;
- decrypt = CK_TRUE;
- derive = CK_FALSE;
- /* now fill in the RSA dependent parameters in the public key */
- crv = pk11_AddAttributeType(privateKey,CKA_MODULUS,
- pk11_item_expand(&lowPriv->u.rsa.modulus));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIVATE_EXPONENT,NULL,0);
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_PUBLIC_EXPONENT,
- pk11_item_expand(&lowPriv->u.rsa.publicExponent));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIME_1,NULL,0);
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIME_2,NULL,0);
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_1,NULL,0);
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_2,NULL,0);
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_COEFFICIENT,NULL,0);
- break;
- case dsaKey:
- key_type = CKK_DSA;
- sign = CK_TRUE;
- recover = CK_FALSE;
- decrypt = CK_FALSE;
- derive = CK_FALSE;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIME,
- pk11_item_expand(&lowPriv->u.dsa.params.prime));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_SUBPRIME,
- pk11_item_expand(&lowPriv->u.dsa.params.subPrime));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_BASE,
- pk11_item_expand(&lowPriv->u.dsa.params.base));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_VALUE,NULL,0);
- if (crv != CKR_OK) break;
- break;
- case dhKey:
- key_type = CKK_DH;
- sign = CK_FALSE;
- decrypt = CK_FALSE;
- recover = CK_FALSE;
- derive = CK_TRUE;
- crv = CKR_MECHANISM_INVALID;
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- }
-
- if (crv != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
-
-
- if (pk11_AddAttributeType(privateKey,CKA_SIGN, &sign,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_SIGN_RECOVER, &recover,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_DECRYPT, &decrypt,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_UNWRAP, &decrypt,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_DERIVE, &derive,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- if (pk11_AddAttributeType(privateKey,CKA_KEY_TYPE,&key_type,
- sizeof(CK_KEY_TYPE)) != CKR_OK) {
- pk11_FreeObject(privateKey);
- return NULL;
- }
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- privateKey->handle = slot->tokenIDCount++;
- privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
- privateKey->objclass = privClass;
- privateKey->slot = slot;
- privateKey->inDB = PR_TRUE;
-
- return privateKey;
-}
-
-/* import a private key or cert as a public key object.*/
-static PK11Object *
-pk11_importPublicKey(PK11Slot *slot,
- SECKEYLowPrivateKey *lowPriv, CERTCertificate *cert, SECItem *dbKey)
-{
- PK11Object *publicKey = NULL;
- CK_KEY_TYPE key_type;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_BBOOL verify = CK_TRUE;
- CK_BBOOL recover = CK_TRUE;
- CK_BBOOL encrypt = CK_TRUE;
- CK_BBOOL derive = CK_FALSE;
- CK_RV crv = CKR_OK;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- unsigned char cka_id[SHA1_LENGTH];
- KeyType keyType = nullKey;
- SECKEYPublicKey *pubKey = NULL;
- CK_ATTRIBUTE theTemplate[2];
- PK11ObjectListElement *objectList = NULL;
-
- if (lowPriv == NULL) {
- pubKey = CERT_ExtractPublicKey(cert);
- if (pubKey == NULL) {
- goto failed;
- }
- /* pk11_GetPubItem returns data associated with the public key.
- * one only needs to free the public key. This comment is here
- * because this sematic would be non-obvious otherwise. All callers
- * should include this comment.
- */
- dbKey = pk11_GetPubItem(pubKey);
- if (dbKey == NULL) {
- goto failed;
- }
- }
- SHA1_HashBuf(cka_id, (unsigned char *)dbKey->data, (uint32)dbKey->len);
- theTemplate[0].type = CKA_ID;
- theTemplate[0].pValue = cka_id;
- theTemplate[0].ulValueLen = sizeof(cka_id);
- theTemplate[1].type = CKA_CLASS;
- theTemplate[1].pValue = &pubClass;
- theTemplate[1].ulValueLen = sizeof(CK_OBJECT_CLASS);
- crv = pk11_searchObjectList(&objectList,slot->tokObjects,
- slot->objectLock, theTemplate, 2, slot->isLoggedIn);
- if ((crv == CKR_OK) && (objectList != NULL)) {
- goto failed;
- }
- /*
- * now lets create an object to hang the attributes off of
- */
- publicKey = pk11_NewObject(slot); /* fill in the handle later */
- if (publicKey == NULL) {
- goto failed;
- }
-
- /* now force the CKA_ID */
- if (pk11_AddAttributeType(publicKey, CKA_ID, cka_id, sizeof(cka_id))) {
- goto failed;
- }
-
- /* Fill in the common Default values */
- if (pk11_AddAttributeType(publicKey,CKA_CLASS,&pubClass,
- sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_TOKEN, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_PRIVATE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_MODIFIABLE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_LABEL, NULL, 0) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
- goto failed;
- }
- /* local: well we really don't know for sure... it could have been an
- * imported key, but it's not a useful attribute anyway. */
- if (pk11_AddAttributeType(publicKey,CKA_LOCAL, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_SENSITIVE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_EXTRACTABLE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_ALWAYS_SENSITIVE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_NEVER_EXTRACTABLE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
-
- /* Now Set up the parameters to generate the key (based on mechanism) */
- if (lowPriv == NULL) {
-
- keyType = pubKey->keyType;
- } else {
- keyType = lowPriv->keyType;
- }
-
-
- switch (keyType) {
- case rsaKey:
- /* format the keys */
- key_type = CKK_RSA;
- verify = CK_TRUE;
- recover = CK_TRUE;
- encrypt = CK_TRUE;
- derive = CK_FALSE;
- /* now fill in the RSA dependent parameters in the public key */
- if (lowPriv) {
- crv = pk11_AddAttributeType(publicKey,CKA_MODULUS,
- pk11_item_expand(&lowPriv->u.rsa.modulus));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_PUBLIC_EXPONENT,
- pk11_item_expand(&lowPriv->u.rsa.publicExponent));
- if (crv != CKR_OK) break;
- } else {
- crv = pk11_AddAttributeType(publicKey,CKA_MODULUS,
- pk11_item_expand(&pubKey->u.rsa.modulus));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_PUBLIC_EXPONENT,
- pk11_item_expand(&pubKey->u.rsa.publicExponent));
- if (crv != CKR_OK) break;
- }
- break;
- case dsaKey:
- key_type = CKK_DSA;
- verify = CK_TRUE;
- recover = CK_FALSE;
- encrypt = CK_FALSE;
- derive = CK_FALSE;
- if (lowPriv) {
- crv = pk11_AddAttributeType(publicKey,CKA_PRIME,
- pk11_item_expand(&lowPriv->u.dsa.params.prime));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_SUBPRIME,
- pk11_item_expand(&lowPriv->u.dsa.params.subPrime));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_BASE,
- pk11_item_expand(&lowPriv->u.dsa.params.base));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_VALUE,
- pk11_item_expand(&lowPriv->u.dsa.publicValue));
- if (crv != CKR_OK) break;
- } else {
- crv = pk11_AddAttributeType(publicKey,CKA_PRIME,
- pk11_item_expand(&pubKey->u.dsa.params.prime));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_SUBPRIME,
- pk11_item_expand(&pubKey->u.dsa.params.subPrime));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_BASE,
- pk11_item_expand(&pubKey->u.dsa.params.base));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_VALUE,
- pk11_item_expand(&pubKey->u.dsa.publicValue));
- if (crv != CKR_OK) break;
- }
- break;
- case dhKey:
- key_type = CKK_DH;
- verify = CK_FALSE;
- encrypt = CK_FALSE;
- recover = CK_FALSE;
- derive = CK_TRUE;
- crv = CKR_MECHANISM_INVALID;
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- }
-
- if (pubKey) {
- SECKEY_DestroyPublicKey(pubKey);
- pubKey = NULL;
- }
-
- if (crv != CKR_OK) {
- goto failed;
- }
-
- if (pk11_AddAttributeType(publicKey,CKA_VERIFY, &verify,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_VERIFY_RECOVER, &recover,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_ENCRYPT, &encrypt,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_WRAP, &encrypt,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_DERIVE, &derive,
- sizeof(CK_BBOOL)) != CKR_OK) {
- goto failed;
- }
- if (pk11_AddAttributeType(publicKey,CKA_KEY_TYPE,&key_type,
- sizeof(CK_KEY_TYPE)) != CKR_OK) {
- goto failed;
- }
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- publicKey->handle = slot->tokenIDCount++;
- publicKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PUB);
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
- publicKey->objclass = pubClass;
- publicKey->slot = slot;
- publicKey->inDB = PR_FALSE; /* not really in the Database */
-
- return publicKey;
-failed:
- if (pubKey) SECKEY_DestroyPublicKey(pubKey);
- if (publicKey) pk11_FreeObject(publicKey);
- return NULL;
-}
-
-/*
- * Question.. Why doesn't import Cert call pk11_handleObject, or
- * pk11 handleCertObject? Answer: because they will try to write
- * this cert back out to the Database, even though it is already in
- * the database.
- */
-static PK11Object *
-pk11_importCertificate(PK11Slot *slot, CERTCertificate *cert,
- unsigned char *data, unsigned int size, PRBool needObject)
-{
- PK11Object *certObject = NULL;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_CERTIFICATE_TYPE certType = CKC_X_509;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- unsigned char cka_id[SHA1_LENGTH];
- CK_ATTRIBUTE theTemplate;
- PK11ObjectListElement *objectList = NULL;
- CK_RV crv;
-
-
- /*
- * first make sure that no object for this cert already exists.
- */
- theTemplate.type = CKA_VALUE;
- theTemplate.pValue = cert->derCert.data;
- theTemplate.ulValueLen = cert->derCert.len;
- crv = pk11_searchObjectList(&objectList,slot->tokObjects,
- slot->objectLock, &theTemplate, 1, slot->isLoggedIn);
- if ((crv == CKR_OK) && (objectList != NULL)) {
- if (needObject) {
- pk11_ReferenceObject(objectList->object);
- certObject = objectList->object;
- }
- pk11_FreeObjectList(objectList);
- return certObject;
- }
-
- /*
- * now lets create an object to hang the attributes off of
- */
- certObject = pk11_NewObject(slot); /* fill in the handle later */
- if (certObject == NULL) {
- return NULL;
- }
-
- /* First set the CKA_ID */
- if (data == NULL) {
- SECKEYPublicKey *pubKey = CERT_ExtractPublicKey(cert);
- SECItem *pubItem;
- if (pubKey == NULL) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- /* pk11_GetPubItem returns data associated with the public key.
- * one only needs to free the public key. This comment is here
- * because this sematic would be non-obvious otherwise.
- */
- pubItem =pk11_GetPubItem(pubKey);
- if (pubItem == NULL) {
- SECKEY_DestroyPublicKey(pubKey);
- pk11_FreeObject(certObject);
- return NULL;
- }
- SHA1_HashBuf(cka_id, (unsigned char *)pubItem->data,
- (uint32)pubItem->len);
- SECKEY_DestroyPublicKey(pubKey);
- } else {
- SHA1_HashBuf(cka_id, (unsigned char *)data, (uint32)size);
- }
- if (pk11_AddAttributeType(certObject, CKA_ID, cka_id, sizeof(cka_id))) {
- pk11_FreeObject(certObject);
- return NULL;
- }
-
- /* initalize the certificate attributes */
- if (pk11_AddAttributeType(certObject, CKA_CLASS, &certClass,
- sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_TOKEN, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_PRIVATE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_LABEL, cert->nickname,
- PORT_Strlen(cert->nickname))
- != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_MODIFIABLE, &cktrue,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_CERTIFICATE_TYPE, &certType,
- sizeof(CK_CERTIFICATE_TYPE))!=CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_VALUE,
- pk11_item_expand(&cert->derCert)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_ISSUER,
- pk11_item_expand(&cert->derIssuer)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_SUBJECT,
- pk11_item_expand(&cert->derSubject)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
- if (pk11_AddAttributeType(certObject, CKA_SERIAL_NUMBER,
- pk11_item_expand(&cert->serialNumber)) != CKR_OK) {
- pk11_FreeObject(certObject);
- return NULL;
- }
-
-
- certObject->objectInfo = CERT_DupCertificate(cert);
- certObject->infoFree = (PK11Free) CERT_DestroyCertificate;
-
- /* now just verify the required date fields */
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- certObject->handle = slot->tokenIDCount++;
- certObject->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_CERT);
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
- certObject->objclass = certClass;
- certObject->slot = slot;
- certObject->inDB = PR_TRUE;
- pk11_AddSlotObject(slot, certObject);
- if (needObject) {
- pk11_ReferenceObject(certObject);
- } else {
- certObject = NULL;
- }
-
- return certObject;
-}
-
-/*
- * ******************** Public Key Utilities ***************************
- */
-/* Generate a low public key structure from an object */
-SECKEYLowPublicKey *pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key_type)
-{
- SECKEYLowPublicKey *pubKey;
- PLArenaPool *arena;
- CK_RV crv;
-
- if (object->objclass != CKO_PUBLIC_KEY) {
- return NULL;
- }
-
- /* If we already have a key, use it */
- if (object->objectInfo) {
- return (SECKEYLowPublicKey *)object->objectInfo;
- }
-
- /* allocate the structure */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return NULL;
-
- pubKey = (SECKEYLowPublicKey *)
- PORT_ArenaAlloc(arena,sizeof(SECKEYLowPublicKey));
- if (pubKey == NULL) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
-
- /* fill in the structure */
- pubKey->arena = arena;
- switch (key_type) {
- case CKK_RSA:
- pubKey->keyType = rsaKey;
- crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus,
- object,CKA_MODULUS);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent,
- object,CKA_PUBLIC_EXPONENT);
- break;
- case CKK_DSA:
- pubKey->keyType = dsaKey;
- crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.params.prime,
- object,CKA_PRIME);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.params.subPrime,
- object,CKA_SUBPRIME);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.params.base,
- object,CKA_BASE);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.publicValue,
- object,CKA_VALUE);
- break;
- case CKK_DH:
- default:
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- if (crv != CKR_OK) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
-
- object->objectInfo = pubKey;
- object->infoFree = (PK11Free) SECKEY_LowDestroyPublicKey;
- return pubKey;
-}
-
-/* make a private key from a verified object */
-static SECKEYLowPrivateKey *
-pk11_mkPrivKey(PK11Object *object,CK_KEY_TYPE key_type)
-{
- SECKEYLowPrivateKey *privKey;
- PLArenaPool *arena;
- CK_RV crv = CKR_OK;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) return NULL;
-
- privKey = (SECKEYLowPrivateKey *)
- PORT_ArenaAlloc(arena,sizeof(SECKEYLowPrivateKey));
- if (privKey == NULL) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
-
- /* in future this would be a switch on key_type */
- privKey->arena = arena;
- switch (key_type) {
- case CKK_RSA:
- privKey->keyType = rsaKey;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.modulus,
- object,CKA_MODULUS);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.publicExponent,object,
- CKA_PUBLIC_EXPONENT);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.privateExponent,object,
- CKA_PRIVATE_EXPONENT);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.prime1,object,
- CKA_PRIME_1);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.prime2,object,
- CKA_PRIME_2);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.exponent1,
- object, CKA_EXPONENT_1);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.exponent2,
- object, CKA_EXPONENT_2);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.coefficient,object,
- CKA_COEFFICIENT);
- if (crv != CKR_OK) break;
- rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
- SEC_PRIVATE_KEY_VERSION);
- if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
- break;
-
- case CKK_DSA:
- privKey->keyType = dsaKey;
- crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.params.prime,
- object,CKA_PRIME);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.params.subPrime,
- object,CKA_SUBPRIME);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.params.base,
- object,CKA_BASE);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.privateValue,
- object,CKA_VALUE);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.publicValue,
- object,CKA_NETSCAPE_DB);
- /* can't set the public value.... */
- break;
- case CKK_DH:
- default:
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- if (crv != CKR_OK) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
- return privKey;
-}
-
-
-/* Generate a low private key structure from an object */
-SECKEYLowPrivateKey *
-pk11_GetPrivKey(PK11Object *object,CK_KEY_TYPE key_type)
-{
- SECKEYLowPrivateKey *priv = NULL;
-
- if (object->objclass != CKO_PRIVATE_KEY) {
- return NULL;
- }
- if (object->objectInfo) {
- return (SECKEYLowPrivateKey *)object->objectInfo;
- }
-
- if (pk11_isTrue(object,CKA_TOKEN)) {
- /* grab it from the data base */
- char *label = pk11_getString(object,CKA_LABEL);
- SECItem pubKey;
- CK_RV crv;
-
- /* KEYID is the public KEY for DSA and DH, and the MODULUS for
- * RSA */
- crv=pk11_Attribute2SecItem(NULL,&pubKey,object,CKA_NETSCAPE_DB);
- if (crv != CKR_OK) return NULL;
-
- priv=SECKEY_FindKeyByPublicKey(SECKEY_GetDefaultKeyDB(),&pubKey,
- (SECKEYGetPasswordKey) pk11_givePass,
- object->slot);
- if (pubKey.data) PORT_Free(pubKey.data);
-
- /* don't 'cache' DB private keys */
- return priv;
- }
-
- priv = pk11_mkPrivKey(object, key_type);
- object->objectInfo = priv;
- object->infoFree = (PK11Free) SECKEY_LowDestroyPrivateKey;
- return priv;
-}
-
-/*
- **************************** Symetric Key utils ************************
- */
-/*
- * set the DES key with parity bits correctly
- */
-void
-pk11_FormatDESKey(unsigned char *key, int length)
-{
- int i;
-
- /* format the des key */
- for (i=0; i < length; i++) {
- key[i] = parityTable[key[i]>>1];
- }
-}
-
-/*
- * check a des key (des2 or des3 subkey) for weak keys.
- */
-PRBool
-pk11_CheckDESKey(unsigned char *key)
-{
- int i;
-
- /* format the des key with parity */
- pk11_FormatDESKey(key, 8);
-
- for (i=0; i < pk11_desWeakTableSize; i++) {
- if (PORT_Memcmp(key,pk11_desWeakTable[i],8) == 0) {
- return PR_TRUE;
- }
- }
- return PR_FALSE;
-}
-
-/*
- * check if a des or triple des key is weak.
- */
-PRBool
-pk11_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type)
-{
-
- switch(key_type) {
- case CKK_DES:
- return pk11_CheckDESKey(key);
- case CKM_DES2_KEY_GEN:
- if (pk11_CheckDESKey(key)) return PR_TRUE;
- return pk11_CheckDESKey(&key[8]);
- case CKM_DES3_KEY_GEN:
- if (pk11_CheckDESKey(key)) return PR_TRUE;
- if (pk11_CheckDESKey(&key[8])) return PR_TRUE;
- return pk11_CheckDESKey(&key[16]);
- default:
- break;
- }
- return PR_FALSE;
-}
-
-
-/* make a fake private key representing a symmetric key */
-static SECKEYLowPrivateKey *
-pk11_mkSecretKeyRep(PK11Object *object)
-{
- SECKEYLowPrivateKey *privKey;
- PLArenaPool *arena = 0;
- CK_RV crv;
- SECStatus rv;
- static unsigned char derZero[1] = { 0 };
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
-
- privKey = (SECKEYLowPrivateKey *)
- PORT_ArenaAlloc(arena,sizeof(SECKEYLowPrivateKey));
- if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
-
- privKey->arena = arena;
-
- /* Secret keys are represented in the database as "fake" RSA keys. The RSA key
- * is marked as a secret key representation by setting the public exponent field
- * to 0, which is an invalid RSA exponent. The other fields are set as follows:
- * modulus - CKA_ID value for the secret key
- * private exponent - CKA_VALUE (the key itself)
- * coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
- * is used for the key.
- * all others - set to integer 0
- */
- privKey->keyType = rsaKey;
-
- /* The modulus is set to the key id of the symmetric key */
- crv=pk11_Attribute2SecItem(arena,&privKey->u.rsa.modulus,object,CKA_ID);
- if (crv != CKR_OK) goto loser;
-
- /* The public exponent is set to 0 length to indicate a special key */
- privKey->u.rsa.publicExponent.len = sizeof derZero;
- privKey->u.rsa.publicExponent.data = derZero;
-
- /* The private exponent is the actual key value */
- crv=pk11_Attribute2SecItem(arena,&privKey->u.rsa.privateExponent,object,CKA_VALUE);
- if (crv != CKR_OK) goto loser;
-
- /* All other fields empty - needs testing */
- privKey->u.rsa.prime1.len = sizeof derZero;
- privKey->u.rsa.prime1.data = derZero;
-
- privKey->u.rsa.prime2.len = sizeof derZero;
- privKey->u.rsa.prime2.data = derZero;
-
- privKey->u.rsa.exponent1.len = sizeof derZero;
- privKey->u.rsa.exponent1.data = derZero;
-
- privKey->u.rsa.exponent2.len = sizeof derZero;
- privKey->u.rsa.exponent2.data = derZero;
-
- /* Coeficient set to KEY_TYPE */
- crv=pk11_Attribute2SecItem(arena,&privKey->u.rsa.coefficient,object,CKA_KEY_TYPE);
- if (crv != CKR_OK) goto loser;
-
- /* Private key version field set normally for compatibility */
- rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,SEC_PRIVATE_KEY_VERSION);
- if (rv != SECSuccess) { crv = CKR_HOST_MEMORY; goto loser; }
-
-loser:
- if (crv != CKR_OK) {
- PORT_FreeArena(arena,PR_FALSE);
- privKey = 0;
- }
-
- return privKey;
-}
-
-static PRBool
-isSecretKey(SECKEYLowPrivateKey *privKey)
-{
- if (privKey->keyType == rsaKey && privKey->u.rsa.publicExponent.len == 1 &&
- privKey->u.rsa.publicExponent.data[0] == 0)
- return PR_TRUE;
-
- return PR_FALSE;
-}
-
-/* Import a Secret Key */
-static PRBool
-importSecretKey(PK11Slot *slot, SECKEYLowPrivateKey *priv)
-{
- PK11Object *object;
- CK_OBJECT_CLASS secretClass = CKO_SECRET_KEY;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_KEY_TYPE key_type;
-
- /* Check for secret key representation, return if it isn't one */
- if (!isSecretKey(priv))
- return PR_FALSE;
-
- /*
- * now lets create an object to hang the attributes off of
- */
- object = pk11_NewObject(slot); /* fill in the handle later */
- if (object == NULL) {
- goto loser;
- }
-
- /* Set the ID value */
- if (pk11_AddAttributeType(object, CKA_ID,
- priv->u.rsa.modulus.data, priv->u.rsa.modulus.len)) {
- pk11_FreeObject(object);
- goto loser;
- }
-
- /* initalize the object attributes */
- if (pk11_AddAttributeType(object, CKA_CLASS, &secretClass,
- sizeof(secretClass)) != CKR_OK) {
- pk11_FreeObject(object);
- goto loser;
- }
-
- if (pk11_AddAttributeType(object, CKA_TOKEN, &cktrue,
- sizeof(cktrue)) != CKR_OK) {
- pk11_FreeObject(object);
- goto loser;
- }
-
- if (pk11_AddAttributeType(object, CKA_PRIVATE, &ckfalse,
- sizeof(CK_BBOOL)) != CKR_OK) {
- pk11_FreeObject(object);
- goto loser;
- }
-
- if (pk11_AddAttributeType(object, CKA_VALUE,
- pk11_item_expand(&priv->u.rsa.privateExponent)) != CKR_OK) {
- pk11_FreeObject(object);
- goto loser;
- }
-
- if (pk11_AddAttributeType(object, CKA_KEY_TYPE,
- pk11_item_expand(&priv->u.rsa.coefficient)) != CKR_OK) {
- pk11_FreeObject(object);
- goto loser;
- }
- key_type = *(CK_KEY_TYPE*)priv->u.rsa.coefficient.data;
-
- /* Validate and add default attributes */
- validateSecretKey(object, key_type, (PRBool)(slot->slotID == FIPS_SLOT_ID));
-
- /* now just verify the required date fields */
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- object->handle = slot->tokenIDCount++;
- object->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
-
- object->objclass = secretClass;
- object->slot = slot;
- object->inDB = PR_TRUE;
- pk11_AddSlotObject(slot, object);
-
-loser:
- return PR_TRUE;
-}
-
-
-/**********************************************************************
- *
- * Start of PKCS 11 functions
- *
- **********************************************************************/
-
-
-/* return the function list */
-CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
-{
- *pFunctionList = &pk11_funcList;
- return CKR_OK;
-}
-
-/*
- * initialize one of the slot structures. figure out which by the ID
- */
-CK_RV
-PK11_SlotInit(CK_SLOT_ID slotID, PRBool needLogin)
-{
- int i;
- PK11Slot *slot = pk11_SlotFromID(slotID);
-#ifdef PKCS11_USE_THREADS
- slot->sessionLock = PR_NewLock();
- if (slot->sessionLock == NULL) return CKR_HOST_MEMORY;
- slot->objectLock = PR_NewLock();
- if (slot->objectLock == NULL) return CKR_HOST_MEMORY;
-#else
- slot->sessionLock = NULL;
- slot->objectLock = NULL;
-#endif
- for(i=0; i < SESSION_HASH_SIZE; i++) {
- slot->head[i] = NULL;
- }
- for(i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
- slot->tokObjects[i] = NULL;
- }
- slot->password = NULL;
- slot->hasTokens = PR_FALSE;
- slot->sessionIDCount = 1;
- slot->sessionCount = 0;
- slot->rwSessionCount = 0;
- slot->tokenIDCount = 1;
- slot->needLogin = PR_FALSE;
- slot->isLoggedIn = PR_FALSE;
- slot->ssoLoggedIn = PR_FALSE;
- slot->DB_loaded = PR_FALSE;
- slot->slotID = slotID;
- if (needLogin) {
- /* if the data base is initialized with a null password,remember that */
- slot->needLogin = (PRBool)!pk11_hasNullPassword(&slot->password);
- }
- return CKR_OK;
-}
-
-/*
- * common initialization routines between PKCS #11 and FIPS
- */
-CK_RV PK11_LowInitialize(CK_VOID_PTR pReserved)
-{
- SECStatus rv = SECSuccess;
-
- /* initialize the Random number generater */
- rv = RNG_RNGInit();
-
- if (rv != SECSuccess) {
- return CKR_DEVICE_ERROR;
- }
-
- SECKEY_SetDefaultKeyDBAlg(SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC);
- return CKR_OK;
-}
-
-/* NSC_Initialize initializes the Cryptoki library. */
-CK_RV NSC_Initialize(CK_VOID_PTR pReserved)
-{
- static PRBool init = PR_FALSE;
- CK_RV crv = CKR_OK;
-
- crv = PK11_LowInitialize(pReserved);
- if (crv != CKR_OK) return crv;
-
- /* intialize all the slots */
- if (!init) {
- crv = PK11_SlotInit(NETSCAPE_SLOT_ID,PR_FALSE);
- if (crv != CKR_OK) return crv;
- crv = PK11_SlotInit(PRIVATE_KEY_SLOT_ID,PR_TRUE);
- init = PR_TRUE;
- }
-
- return crv;
-}
-
-/* NSC_Finalize indicates that an application is done with the
- * Cryptoki library.*/
-CK_RV NSC_Finalize (CK_VOID_PTR pReserved)
-{
- return CKR_OK;
-}
-
-
-/* NSC_GetInfo returns general information about Cryptoki. */
-CK_RV NSC_GetInfo(CK_INFO_PTR pInfo)
-{
- pInfo->cryptokiVersion.major = 2;
- pInfo->cryptokiVersion.minor = 1;
- PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
- pInfo->libraryVersion.major = 4;
- pInfo->libraryVersion.minor = 0;
- PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
- pInfo->flags = 0;
- return CKR_OK;
-}
-
-/* NSC_GetSlotList obtains a list of slots in the system. */
-CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent,
- CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
-{
- *pulCount = 2;
- if (pSlotList != NULL) {
- pSlotList[0] = NETSCAPE_SLOT_ID;
- pSlotList[1] = PRIVATE_KEY_SLOT_ID;
- }
- return CKR_OK;
-}
-
-/* NSC_GetSlotInfo obtains information about a particular slot in the system. */
-CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
-{
- pInfo->firmwareVersion.major = 0;
- pInfo->firmwareVersion.minor = 0;
- switch (slotID) {
- case NETSCAPE_SLOT_ID:
- PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
- PORT_Memcpy(pInfo->slotDescription,slotDescription,64);
- pInfo->flags = CKF_TOKEN_PRESENT;
- pInfo->hardwareVersion.major = 4;
- pInfo->hardwareVersion.minor = 1;
- return CKR_OK;
- case PRIVATE_KEY_SLOT_ID:
- PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
- PORT_Memcpy(pInfo->slotDescription,privSlotDescription,64);
- pInfo->flags = CKF_TOKEN_PRESENT;
- /* ok we really should read it out of the keydb file. */
- pInfo->hardwareVersion.major = PRIVATE_KEY_DB_FILE_VERSION;
- pInfo->hardwareVersion.minor = 0;
- return CKR_OK;
- default:
- break;
- }
- return CKR_SLOT_ID_INVALID;
-}
-
-#define CKF_THREAD_SAFE 0x8000 /* for now */
-
-/* NSC_GetTokenInfo obtains information about a particular token in
- * the system. */
-CK_RV NSC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo)
-{
- PK11Slot *slot = pk11_SlotFromID(slotID);
- SECKEYKeyDBHandle *handle;
-
- if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
- PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
- PORT_Memcpy(pInfo->model,"Libsec 4.0 ",16);
- PORT_Memcpy(pInfo->serialNumber,"0000000000000000",16);
- pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
- pInfo->ulSessionCount = slot->sessionCount;
- pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
- pInfo->ulRwSessionCount = slot->rwSessionCount;
- pInfo->firmwareVersion.major = 0;
- pInfo->firmwareVersion.minor = 0;
- switch (slotID) {
- case NETSCAPE_SLOT_ID:
- PORT_Memcpy(pInfo->label,tokDescription,32);
- pInfo->flags= CKF_RNG | CKF_WRITE_PROTECTED | CKF_THREAD_SAFE;
- pInfo->ulMaxPinLen = 0;
- pInfo->ulMinPinLen = 0;
- pInfo->ulTotalPublicMemory = 0;
- pInfo->ulFreePublicMemory = 0;
- pInfo->ulTotalPrivateMemory = 0;
- pInfo->ulFreePrivateMemory = 0;
- pInfo->hardwareVersion.major = 4;
- pInfo->hardwareVersion.minor = 0;
- return CKR_OK;
- case PRIVATE_KEY_SLOT_ID:
- PORT_Memcpy(pInfo->label,privTokDescription,32);
- handle = SECKEY_GetDefaultKeyDB();
- /*
- * we have three possible states which we may be in:
- * (1) No DB password has been initialized. This also means we
- * have no keys in the key db.
- * (2) Password initialized to NULL. This means we have keys, but
- * the user has chosen not use a password.
- * (3) Finally we have an initialized password whicn is not NULL, and
- * we will need to prompt for it.
- */
- if (SECKEY_HasKeyDBPassword(handle) == SECFailure) {
- pInfo->flags = CKF_THREAD_SAFE | CKF_LOGIN_REQUIRED;
- } else if (!slot->needLogin) {
- pInfo->flags = CKF_THREAD_SAFE | CKF_USER_PIN_INITIALIZED;
- } else {
- pInfo->flags = CKF_THREAD_SAFE |
- CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;
- }
- pInfo->ulMaxPinLen = PK11_MAX_PIN;
- pInfo->ulMinPinLen = 0;
- if (minimumPinLen > 0) {
- pInfo->ulMinPinLen = (CK_ULONG)minimumPinLen;
- }
- pInfo->ulTotalPublicMemory = 1;
- pInfo->ulFreePublicMemory = 1;
- pInfo->ulTotalPrivateMemory = 1;
- pInfo->ulFreePrivateMemory = 1;
- pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION;
- pInfo->hardwareVersion.minor = 0;
- return CKR_OK;
- default:
- break;
- }
- return CKR_SLOT_ID_INVALID;
-}
-
-
-
-/* NSC_GetMechanismList obtains a list of mechanism types
- * supported by a token. */
-CK_RV NSC_GetMechanismList(CK_SLOT_ID slotID,
- CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
-{
- int i;
-
- switch (slotID) {
- case NETSCAPE_SLOT_ID:
- *pulCount = mechanismCount;
- if (pMechanismList != NULL) {
- for (i=0; i < (int) mechanismCount; i++) {
- pMechanismList[i] = mechanisms[i].type;
- }
- }
- return CKR_OK;
- case PRIVATE_KEY_SLOT_ID:
- *pulCount = 0;
- for (i=0; i < (int) mechanismCount; i++) {
- if (mechanisms[i].privkey) {
- (*pulCount)++;
- if (pMechanismList != NULL) {
- *pMechanismList++ = mechanisms[i].type;
- }
- }
- }
- return CKR_OK;
- default:
- break;
- }
- return CKR_SLOT_ID_INVALID;
-}
-
-
-/* NSC_GetMechanismInfo obtains information about a particular mechanism
- * possibly supported by a token. */
-CK_RV NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo)
-{
- PRBool isPrivateKey;
- int i;
-
- switch (slotID) {
- case NETSCAPE_SLOT_ID:
- isPrivateKey = PR_FALSE;
- break;
- case PRIVATE_KEY_SLOT_ID:
- isPrivateKey = PR_TRUE;
- break;
- default:
- return CKR_SLOT_ID_INVALID;
- }
- for (i=0; i < (int) mechanismCount; i++) {
- if (type == mechanisms[i].type) {
- if (isPrivateKey && !mechanisms[i].privkey) {
- return CKR_MECHANISM_INVALID;
- }
- PORT_Memcpy(pInfo,&mechanisms[i].domestic,
- sizeof(CK_MECHANISM_INFO));
- return CKR_OK;
- }
- }
- return CKR_MECHANISM_INVALID;
-}
-
-static SECStatus
-pk11_TurnOffUser(CERTCertificate *cert, SECItem *k, void *arg)
-{
- CERTCertTrust trust;
- SECStatus rv;
-
- rv = CERT_GetCertTrust(cert,&trust);
- if (rv == SECSuccess && ((trust.emailFlags & CERTDB_USER) ||
- (trust.sslFlags & CERTDB_USER) ||
- (trust.objectSigningFlags & CERTDB_USER))) {
- trust.emailFlags &= ~CERTDB_USER;
- trust.sslFlags &= ~CERTDB_USER;
- trust.objectSigningFlags &= ~CERTDB_USER;
- CERT_ChangeCertTrust(cert->dbhandle,cert,&trust);
- }
- return SECSuccess;
-}
-
-/* NSC_InitToken initializes a token. */
-CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
- CK_ULONG ulPinLen,CK_CHAR_PTR pLabel) {
- PK11Slot *slot = pk11_SlotFromID(slotID);
- SECKEYKeyDBHandle *handle;
- CERTCertDBHandle *certHandle;
- SECStatus rv;
- int i;
- PK11Object *object;
-
- if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
- /* don't initialize the database if we aren't talking to a token
- * that uses the key database.
- */
- if (slotID == NETSCAPE_SLOT_ID) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
-
- /* first, delete all our loaded key and cert objects from our
- * internal list. */
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- for (i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
- do {
- object = slot->tokObjects[i];
- /* hand deque */
- /* this duplicates function of NSC_close session functions, but
- * because we know that we are freeing all the sessions, we can
- * do more efficient processing */
- if (object) {
- slot->tokObjects[i] = object->next;
-
- if (object->next) object->next->prev = NULL;
- object->next = object->prev = NULL;
- }
- if (object) pk11_FreeObject(object);
- } while (object != NULL);
- }
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
-
- /* then clear out the key database */
- handle = SECKEY_GetDefaultKeyDB();
- if (handle == NULL) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
-
- /* what to do on an error here? */
- rv = SECKEY_ResetKeyDB(handle);
-
- /* finally mark all the user certs as non-user certs */
- certHandle = CERT_GetDefaultCertDB();
- if (certHandle == NULL) return CKR_OK;
-
- SEC_TraversePermCerts(certHandle,pk11_TurnOffUser, NULL);
-
- return CKR_OK; /*is this the right function for not implemented*/
-}
-
-
-/* NSC_InitPIN initializes the normal user's PIN. */
-CK_RV NSC_InitPIN(CK_SESSION_HANDLE hSession,
- CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
-{
- PK11Session *sp;
- PK11Slot *slot;
- SECKEYKeyDBHandle *handle;
- SECItem *newPin;
- char newPinStr[256];
- SECStatus rv;
-
-
- sp = pk11_SessionFromHandle(hSession);
- if (sp == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- if (sp->info.slotID == NETSCAPE_SLOT_ID) {
- pk11_FreeSession(sp);
- return CKR_PIN_LEN_RANGE;
- }
-
- /* should be an assert */
- if (!((sp->info.slotID == PRIVATE_KEY_SLOT_ID) ||
- (sp->info.slotID == FIPS_SLOT_ID)) ) {
- pk11_FreeSession(sp);
- return CKR_SESSION_HANDLE_INVALID;;
- }
-
- if (sp->info.state != CKS_RW_SO_FUNCTIONS) {
- pk11_FreeSession(sp);
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- slot = pk11_SlotFromSession(sp);
- pk11_FreeSession(sp);
-
- /* make sure the pins aren't too long */
- if (ulPinLen > 255) {
- return CKR_PIN_LEN_RANGE;
- }
-
- handle = SECKEY_GetDefaultKeyDB();
- if (handle == NULL) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
- if (SECKEY_HasKeyDBPassword(handle) != SECFailure) {
- return CKR_DEVICE_ERROR;
- }
-
- /* convert to null terminated string */
- PORT_Memcpy(newPinStr,pPin,ulPinLen);
- newPinStr[ulPinLen] = 0;
-
- /* build the hashed pins which we pass around */
- newPin = SECKEY_HashPassword(newPinStr,handle->global_salt);
- PORT_Memset(newPinStr,0,sizeof(newPinStr));
-
- /* change the data base */
- rv = SECKEY_SetKeyDBPassword(handle,newPin);
-
- /* Now update our local copy of the pin */
- if (rv == SECSuccess) {
- if (slot->password) {
- SECITEM_ZfreeItem(slot->password, PR_TRUE);
- }
- slot->password = newPin;
- if (ulPinLen == 0) slot->needLogin = PR_FALSE;
- return CKR_OK;
- }
- SECITEM_ZfreeItem(newPin, PR_TRUE);
- return CKR_PIN_INCORRECT;
-}
-
-
-/* NSC_SetPIN modifies the PIN of user that is currently logged in. */
-/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
-CK_RV NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
- CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen)
-{
- PK11Session *sp;
- PK11Slot *slot;
- SECKEYKeyDBHandle *handle;
- SECItem *newPin;
- SECItem *oldPin;
- char newPinStr[256],oldPinStr[256];
- SECStatus rv;
-
-
- sp = pk11_SessionFromHandle(hSession);
- if (sp == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- if (sp->info.slotID == NETSCAPE_SLOT_ID) {
- pk11_FreeSession(sp);
- return CKR_PIN_LEN_RANGE;
- }
-
- /* should be an assert */
- /* should be an assert */
- if (!((sp->info.slotID == PRIVATE_KEY_SLOT_ID) ||
- (sp->info.slotID == FIPS_SLOT_ID)) ) {
- pk11_FreeSession(sp);
- return CKR_SESSION_HANDLE_INVALID;;
- }
-
- slot = pk11_SlotFromSession(sp);
- if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
- pk11_FreeSession(sp);
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- pk11_FreeSession(sp);
-
- /* make sure the pins aren't too long */
- if ((ulNewLen > 255) || (ulOldLen > 255)) {
- return CKR_PIN_LEN_RANGE;
- }
-
-
- handle = SECKEY_GetDefaultKeyDB();
- if (handle == NULL) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
-
- /* convert to null terminated string */
- PORT_Memcpy(newPinStr,pNewPin,ulNewLen);
- newPinStr[ulNewLen] = 0;
- PORT_Memcpy(oldPinStr,pOldPin,ulOldLen);
- oldPinStr[ulOldLen] = 0;
-
- /* build the hashed pins which we pass around */
- newPin = SECKEY_HashPassword(newPinStr,handle->global_salt);
- oldPin = SECKEY_HashPassword(oldPinStr,handle->global_salt);
- PORT_Memset(newPinStr,0,sizeof(newPinStr));
- PORT_Memset(oldPinStr,0,sizeof(oldPinStr));
-
- /* change the data base */
- rv = SECKEY_ChangeKeyDBPassword(handle,oldPin,newPin);
-
- /* Now update our local copy of the pin */
- SECITEM_ZfreeItem(oldPin, PR_TRUE);
- if (rv == SECSuccess) {
- if (slot->password) {
- SECITEM_ZfreeItem(slot->password, PR_TRUE);
- }
- slot->password = newPin;
- slot->needLogin = (PRBool)(ulNewLen != 0);
- return CKR_OK;
- }
- SECITEM_ZfreeItem(newPin, PR_TRUE);
- return CKR_PIN_INCORRECT;
-}
-
-/* NSC_OpenSession opens a session between an application and a token. */
-CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
- CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession)
-{
- PK11Slot *slot;
- CK_SESSION_HANDLE sessionID;
- PK11Session *session;
-
- slot = pk11_SlotFromID(slotID);
- if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
- /* new session (we only have serial sessions) */
- session = pk11_NewSession(slotID, Notify, pApplication,
- flags | CKF_SERIAL_SESSION);
- if (session == NULL) return CKR_HOST_MEMORY;
-
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- sessionID = slot->sessionIDCount++;
- if (slotID == PRIVATE_KEY_SLOT_ID) {
- sessionID |= PK11_PRIVATE_KEY_FLAG;
- } else if (slotID == FIPS_SLOT_ID) {
- sessionID |= PK11_FIPS_FLAG;
- } else if (flags & CKF_RW_SESSION) {
- /* NETSCAPE_SLOT_ID is Read ONLY */
- session->info.flags &= ~CKF_RW_SESSION;
- }
-
- session->handle = sessionID;
- pk11_update_state(slot, session);
- pk11queue_add(session, sessionID, slot->head, SESSION_HASH_SIZE);
- slot->sessionCount++;
- if (session->info.flags & CKF_RW_SESSION) {
- slot->rwSessionCount++;
- }
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
-
- *phSession = sessionID;
- return CKR_OK;
-}
-
-
-/* NSC_CloseSession closes a session between an application and a token. */
-CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession)
-{
- PK11Slot *slot;
- PK11Session *session;
- SECItem *pw = NULL;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- slot = pk11_SlotFromSession(session);
-
- /* lock */
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- if (pk11queue_is_queued(session,hSession,slot->head,SESSION_HASH_SIZE)) {
- pk11queue_delete(session,hSession,slot->head,SESSION_HASH_SIZE);
- session->refCount--; /* can't go to zero while we hold the reference */
- slot->sessionCount--;
- if (session->info.flags & CKF_RW_SESSION) {
- slot->rwSessionCount--;
- }
- }
- if (slot->sessionCount == 0) {
- pw = slot->password;
- slot->isLoggedIn = PR_FALSE;
- slot->password = NULL;
- }
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
-
- pk11_FreeSession(session);
- if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
- return CKR_OK;
-}
-
-
-/* NSC_CloseAllSessions closes all sessions with a token. */
-CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID)
-{
- PK11Slot *slot;
- SECItem *pw = NULL;
- PK11Session *session;
- int i;
-
- slot = pk11_SlotFromID(slotID);
- if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
- /* first log out the card */
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- pw = slot->password;
- slot->isLoggedIn = PR_FALSE;
- slot->password = NULL;
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
- if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
-
- /* now close all the current sessions */
- /* NOTE: If you try to open new sessions before NSC_CloseAllSessions
- * completes, some of those new sessions may or may not be closed by
- * NSC_CloseAllSessions... but any session running when this code starts
- * will guarrenteed be close, and no session will be partially closed */
- for (i=0; i < SESSION_HASH_SIZE; i++) {
- do {
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- session = slot->head[i];
- /* hand deque */
- /* this duplicates function of NSC_close session functions, but
- * because we know that we are freeing all the sessions, we can
- * do more efficient processing */
- if (session) {
- slot->head[i] = session->next;
- if (session->next) session->next->prev = NULL;
- session->next = session->prev = NULL;
- slot->sessionCount--;
- if (session->info.flags & CKF_RW_SESSION) {
- slot->rwSessionCount--;
- }
- }
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
- if (session) pk11_FreeSession(session);
- } while (session != NULL);
- }
- return CKR_OK;
-}
-
-
-/* NSC_GetSessionInfo obtains information about the session. */
-CK_RV NSC_GetSessionInfo(CK_SESSION_HANDLE hSession,
- CK_SESSION_INFO_PTR pInfo)
-{
- PK11Session *session;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
- PORT_Memcpy(pInfo,&session->info,sizeof(CK_SESSION_INFO));
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-/* NSC_Login logs a user into a token. */
-CK_RV NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
- CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
-{
- PK11Slot *slot;
- PK11Session *session;
- SECKEYKeyDBHandle *handle;
- SECItem *pin;
- char pinStr[256];
-
-
- /* get the slot */
- slot = pk11_SlotFromSessionHandle(hSession);
-
- /* make sure the session is valid */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- }
- pk11_FreeSession(session);
-
- /* can't log into the Netscape Slot */
- if (slot->slotID == NETSCAPE_SLOT_ID)
- return CKR_USER_TYPE_INVALID;
-
- if (slot->isLoggedIn) return CKR_USER_ALREADY_LOGGED_IN;
- slot->ssoLoggedIn = PR_FALSE;
-
- if (ulPinLen > 255) return CKR_PIN_LEN_RANGE;
-
- /* convert to null terminated string */
- PORT_Memcpy(pinStr,pPin,ulPinLen);
- pinStr[ulPinLen] = 0;
-
- handle = SECKEY_GetDefaultKeyDB();
-
- /*
- * Deal with bootstrap. We allow the SSO to login in with a NULL
- * password if and only if we haven't initialized the KEY DB yet.
- * We only allow this on a RW session.
- */
- if (SECKEY_HasKeyDBPassword(handle) == SECFailure) {
- /* allow SSO's to log in only if there is not password on the
- * key database */
- if (((userType == CKU_SO) && (session->info.flags & CKF_RW_SESSION))
- /* fips always needs to authenticate, even if there isn't a db */
- || (slot->slotID == FIPS_SLOT_ID)) {
- /* should this be a fixed password? */
- if (ulPinLen == 0) {
- SECItem *pw;
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- pw = slot->password;
- slot->password = NULL;
- slot->isLoggedIn = PR_TRUE;
- slot->ssoLoggedIn = (PRBool)(userType == CKU_SO);
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
- pk11_update_all_states(slot);
- SECITEM_ZfreeItem(pw,PR_TRUE);
- return CKR_OK;
- }
- return CKR_PIN_INCORRECT;
- }
- return CKR_USER_TYPE_INVALID;
- }
-
- /* don't allow the SSO to log in if the user is already initialized */
- if (userType != CKU_USER) { return CKR_USER_TYPE_INVALID; }
-
-
- /* build the hashed pins which we pass around */
- pin = SECKEY_HashPassword(pinStr,handle->global_salt);
- if (pin == NULL) return CKR_HOST_MEMORY;
-
- if (SECKEY_CheckKeyDBPassword(handle,pin) == SECSuccess) {
- SECItem *tmp;
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- tmp = slot->password;
- slot->isLoggedIn = PR_TRUE;
- slot->password = pin;
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
- if (tmp) SECITEM_ZfreeItem(tmp, PR_TRUE);
-
- /* update all sessions */
- pk11_update_all_states(slot);
- return CKR_OK;
- }
-
- SECITEM_ZfreeItem(pin, PR_TRUE);
- return CKR_PIN_INCORRECT;
-}
-
-/* NSC_Logout logs a user out from a token. */
-CK_RV NSC_Logout(CK_SESSION_HANDLE hSession)
-{
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- SECItem *pw = NULL;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- }
-
- if (!slot->isLoggedIn) return CKR_USER_NOT_LOGGED_IN;
-
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- pw = slot->password;
- slot->isLoggedIn = PR_FALSE;
- slot->ssoLoggedIn = PR_FALSE;
- slot->password = NULL;
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
- if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
-
- pk11_update_all_states(slot);
- return CKR_OK;
-}
-
-
-/* NSC_CreateObject creates a new object. */
-CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phObject)
-{
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11Object *object;
- CK_RV crv;
- int i;
-
-
- /*
- * now lets create an object to hang the attributes off of
- */
- object = pk11_NewObject(slot); /* fill in the handle later */
- if (object == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /*
- * load the template values into the object
- */
- for (i=0; i < (int) ulCount; i++) {
- crv = pk11_AddAttributeType(object,pk11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) {
- pk11_FreeObject(object);
- return crv;
- }
- }
-
- /* get the session */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- pk11_FreeObject(object);
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- /*
- * handle the base object stuff
- */
- crv = pk11_handleObject(object,session);
- pk11_FreeSession(session);
- if (crv != CKR_OK) {
- pk11_FreeObject(object);
- return crv;
- }
-
- *phObject = object->handle;
- return CKR_OK;
-}
-
-
-/* NSC_CopyObject copies an object, creating a new object for the copy. */
-CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phNewObject)
-{
- PK11Object *destObject,*srcObject;
- PK11Session *session;
- CK_RV crv = CKR_OK;
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- int i;
-
- /* Get srcObject so we can find the class */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
- srcObject = pk11_ObjectFromHandle(hObject,session);
- if (srcObject == NULL) {
- pk11_FreeSession(session);
- return CKR_OBJECT_HANDLE_INVALID;
- }
- /*
- * create an object to hang the attributes off of
- */
- destObject = pk11_NewObject(slot); /* fill in the handle later */
- if (destObject == NULL) {
- pk11_FreeSession(session);
- pk11_FreeObject(srcObject);
- return CKR_HOST_MEMORY;
- }
-
- /*
- * load the template values into the object
- */
- for (i=0; i < (int) ulCount; i++) {
- if (pk11_modifyType(pTemplate[i].type,srcObject->objclass) == PK11_NEVER) {
- crv = CKR_ATTRIBUTE_READ_ONLY;
- break;
- }
- crv = pk11_AddAttributeType(destObject,pk11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) { break; }
- }
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- pk11_FreeObject(srcObject);
- pk11_FreeObject(destObject);
- return crv;
- }
-
- /* sensitive can only be changed to CK_TRUE */
- if (pk11_hasAttribute(destObject,CKA_SENSITIVE)) {
- if (!pk11_isTrue(destObject,CKA_SENSITIVE)) {
- pk11_FreeSession(session);
- pk11_FreeObject(srcObject);
- pk11_FreeObject(destObject);
- return CKR_ATTRIBUTE_READ_ONLY;
- }
- }
-
- /*
- * now copy the old attributes from the new attributes
- */
- /* don't create a token object if we aren't in a rw session */
- /* we need to hold the lock to copy a consistant version of
- * the object. */
- crv = pk11_CopyObject(destObject,srcObject);
-
- destObject->objclass = srcObject->objclass;
- pk11_FreeObject(srcObject);
- if (crv != CKR_OK) {
- pk11_FreeObject(destObject);
- pk11_FreeSession(session);
- }
-
- crv = pk11_handleObject(destObject,session);
- *phNewObject = destObject->handle;
- pk11_FreeSession(session);
- if (crv != CKR_OK) {
- pk11_FreeObject(destObject);
- return crv;
- }
-
- return CKR_OK;
-}
-
-
-/* NSC_GetObjectSize gets the size of an object in bytes. */
-CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
- *pulSize = 0;
- return CKR_OK;
-}
-
-
-/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
-CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11Object *object;
- PK11Attribute *attribute;
- PRBool sensitive;
- int i;
-
- /*
- * make sure we're allowed
- */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- object = pk11_ObjectFromHandle(hObject,session);
- pk11_FreeSession(session);
- if (object == NULL) {
- return CKR_OBJECT_HANDLE_INVALID;
- }
-
- /* don't read a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (pk11_isTrue(object,CKA_PRIVATE))) {
- pk11_FreeObject(object);
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- sensitive = pk11_isTrue(object,CKA_SENSITIVE);
- for (i=0; i < (int) ulCount; i++) {
- /* Make sure that this attribute is retrievable */
- if (sensitive && pk11_isSensitive(pTemplate[i].type,object->objclass)) {
- pk11_FreeObject(object);
- return CKR_ATTRIBUTE_SENSITIVE;
- }
- attribute = pk11_FindAttribute(object,pTemplate[i].type);
- if (attribute == NULL) {
- pk11_FreeObject(object);
- return CKR_ATTRIBUTE_TYPE_INVALID;
- }
- if (pTemplate[i].pValue != NULL) {
- PORT_Memcpy(pTemplate[i].pValue,attribute->attrib.pValue,
- attribute->attrib.ulValueLen);
- }
- pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
- pk11_FreeAttribute(attribute);
- }
-
- pk11_FreeObject(object);
- return CKR_OK;
-}
-
-/* NSC_SetAttributeValue modifies the value of one or more object attributes */
-CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11Attribute *attribute;
- PK11Object *object;
- PRBool isToken;
- CK_RV crv = CKR_OK;
- CK_BBOOL legal;
- int i;
-
- /*
- * make sure we're allowed
- */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- object = pk11_ObjectFromHandle(hObject,session);
- if (object == NULL) {
- pk11_FreeSession(session);
- return CKR_OBJECT_HANDLE_INVALID;
- }
-
- /* don't modify a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (pk11_isTrue(object,CKA_PRIVATE))) {
- pk11_FreeSession(session);
- pk11_FreeObject(object);
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- /* don't modify a token object if we aren't in a rw session */
- isToken = pk11_isTrue(object,CKA_TOKEN);
- if (((session->info.flags & CKF_RW_SESSION) == 0) && isToken) {
- pk11_FreeSession(session);
- pk11_FreeObject(object);
- return CKR_SESSION_READ_ONLY;
- }
- pk11_FreeSession(session);
-
- /* only change modifiable objects */
- if (!pk11_isTrue(object,CKA_MODIFIABLE)) {
- pk11_FreeObject(object);
- return CKR_ATTRIBUTE_READ_ONLY;
- }
-
- for (i=0; i < (int) ulCount; i++) {
- /* Make sure that this attribute is changeable */
- switch (pk11_modifyType(pTemplate[i].type,object->objclass)) {
- case PK11_NEVER:
- case PK11_ONCOPY:
- default:
- crv = CKR_ATTRIBUTE_READ_ONLY;
- break;
-
- case PK11_SENSITIVE:
- legal = (pTemplate[i].type == CKA_EXTRACTABLE) ? CK_FALSE : CK_TRUE;
- if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) {
- crv = CKR_ATTRIBUTE_READ_ONLY;
- }
- break;
- case PK11_ALWAYS:
- break;
- }
- if (crv != CKR_OK) break;
-
- /* find the old attribute */
- attribute = pk11_FindAttribute(object,pTemplate[i].type);
- if (attribute == NULL) {
- crv =CKR_ATTRIBUTE_TYPE_INVALID;
- break;
- }
- pk11_FreeAttribute(attribute);
- crv = pk11_forceAttribute(object,pk11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) break;
-
- }
-
- pk11_FreeObject(object);
- return CKR_OK;
-}
-
-/* stolen from keydb.c */
-#define KEYDB_PW_CHECK_STRING "password-check"
-#define KEYDB_PW_CHECK_LEN 14
-
-SECKEYLowPrivateKey * SECKEY_DecryptKey(DBT *key, SECItem *pwitem,
- SECKEYKeyDBHandle *handle);
-typedef struct pk11keyNodeStr {
- struct pk11keyNodeStr *next;
- SECKEYLowPrivateKey *privKey;
- CERTCertificate *cert;
- SECItem *pubItem;
-} pk11keyNode;
-
-typedef struct {
- PLArenaPool *arena;
- pk11keyNode *head;
- PK11Slot *slot;
-} keyList;
-
-static SECStatus
-add_key_to_list(DBT *key, DBT *data, void *arg)
-{
- keyList *keylist;
- pk11keyNode *node;
- void *keydata;
- SECKEYLowPrivateKey *privKey = NULL;
-
- keylist = (keyList *)arg;
-
- privKey = SECKEY_DecryptKey(key, keylist->slot->password,
- SECKEY_GetDefaultKeyDB());
- if ( privKey == NULL ) {
- goto loser;
- }
-
- /* allocate the node struct */
- node = (pk11keyNode*)PORT_ArenaZAlloc(keylist->arena, sizeof(pk11keyNode));
- if ( node == NULL ) {
- goto loser;
- }
-
- /* allocate room for key data */
- keydata = PORT_ArenaZAlloc(keylist->arena, key->size);
- if ( keydata == NULL ) {
- goto loser;
- }
-
- /* link node into list */
- node->next = keylist->head;
- keylist->head = node;
-
- node->privKey = privKey;
- switch (privKey->keyType) {
- case rsaKey:
- node->pubItem = &privKey->u.rsa.modulus;
- break;
- case dsaKey:
- node->pubItem = &privKey->u.dsa.publicValue;
- break;
- default:
- break;
- }
-
- return(SECSuccess);
-loser:
- if ( privKey ) {
- SECKEY_LowDestroyPrivateKey(privKey);
- }
- return(SECSuccess);
-}
-
-/*
- * If the cert is a user cert, then try to match it to a key on the
- * linked list of private keys built earlier.
- * If the cert matches one on the list, then save it.
- */
-static SECStatus
-add_cert_to_list(CERTCertificate *cert, SECItem *k, void *pdata)
-{
- keyList *keylist;
- pk11keyNode *node;
- SECKEYPublicKey *pubKey = NULL;
- SECItem *pubItem;
- CERTCertificate *oldcert;
-
- keylist = (keyList *)pdata;
-
- /* only if it is a user cert and has a nickname!! */
- if ( ( ( cert->trust->sslFlags & CERTDB_USER ) ||
- ( cert->trust->emailFlags & CERTDB_USER ) ||
- ( cert->trust->objectSigningFlags & CERTDB_USER ) ) &&
- ( cert->nickname != NULL ) ) {
-
- /* get cert's public key */
- pubKey = CERT_ExtractPublicKey(cert);
- if ( pubKey == NULL ) {
- goto done;
- }
-
- /* pk11_GetPubItem returns data associated with the public key.
- * one only needs to free the public key. This comment is here
- * because this sematic would be non-obvious otherwise.
- */
- pubItem = pk11_GetPubItem(pubKey);
- if (pubItem == NULL) goto done;
-
- node = keylist->head;
- while ( node ) {
- /* if key type is different, then there is no match */
- if ( node->privKey->keyType == pubKey->keyType ) {
-
- /* compare public value from cert with public value from
- * the key
- */
- if ( SECITEM_CompareItem(pubItem, node->pubItem) == SECEqual ){
- /* this is a match */
-
- /* if no cert has yet been found for this key, or this
- * cert is newer, then save this cert
- */
- if ( ( node->cert == NULL ) ||
- CERT_IsNewer(cert, node->cert ) ) {
-
- oldcert = node->cert;
-
- /* get a real DB copy of the cert, since the one
- * passed in here is not properly recorded in the
- * temp database
- */
-
- /* We need a better way to deal with this */
- node->cert =
- CERT_FindCertByKeyNoLocking(CERT_GetDefaultCertDB(),
- &cert->certKey);
-
- /* free the old cert if there was one */
- if ( oldcert ) {
- CERT_DestroyCertificate(oldcert);
- }
- }
- }
- }
-
- node = node->next;
- }
- }
-done:
- if ( pubKey ) {
- SECKEY_DestroyPublicKey(pubKey);
- }
-
- return(SECSuccess);
-}
-
-#if 0
-/* This appears to be obsolete - TNH */
-static SECItem *
-decodeKeyDBGlobalSalt(DBT *saltData)
-{
- SECItem *saltitem;
-
- saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if ( saltitem == NULL ) {
- return(NULL);
- }
-
- saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size);
- if ( saltitem->data == NULL ) {
- PORT_Free(saltitem);
- return(NULL);
- }
-
- saltitem->len = saltData->size;
- PORT_Memcpy(saltitem->data, saltData->data, saltitem->len);
-
- return(saltitem);
-}
-#endif
-
-#if 0
-/*
- * Create a (fixed) DES3 key [ testing ]
- */
-static unsigned char keyValue[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
-};
-
-static SECItem keyItem = {
- 0,
- keyValue,
- sizeof keyValue
-};
-
-static unsigned char keyID[] = {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-static SECItem keyIDItem = {
- 0,
- keyID,
- sizeof keyID
-};
-/* +AAA */
-static CK_RV
-pk11_createFixedDES3Key(PK11Slot *slot)
-{
- CK_RV rv = CKR_OK;
- PK11Object *keyObject;
- CK_BBOOL true = CK_TRUE;
- CK_OBJECT_CLASS class = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_DES3;
-
- /*
- * Create the object
- */
- keyObject = pk11_NewObject(slot); /* fill in the handle later */
- if (keyObject == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /* Add attributes to the object */
- rv = pk11_AddAttributeType(keyObject, CKA_ID, keyID, sizeof keyID);
- if (rv != CKR_OK) {
- pk11_FreeObject(keyObject);
- return rv;
- }
-
- rv = pk11_AddAttributeType(keyObject, CKA_VALUE, keyValue, sizeof keyValue);
- if (rv != CKR_OK) {
- pk11_FreeObject(keyObject);
- return rv;
- }
-
- rv = pk11_AddAttributeType(keyObject, CKA_TOKEN, &true, sizeof true);
- if (rv != CKR_OK) {
- pk11_FreeObject(keyObject);
- return rv;
- }
-
- rv = pk11_AddAttributeType(keyObject, CKA_CLASS, &class, sizeof class);
- if (rv != CKR_OK) {
- pk11_FreeObject(keyObject);
- return rv;
- }
-
- rv = pk11_AddAttributeType(keyObject, CKA_KEY_TYPE, &keyType, sizeof keyType);
- if (rv != CKR_OK) {
- pk11_FreeObject(keyObject);
- return rv;
- }
-
- pk11_handleSecretKeyObject(keyObject, keyType, PR_TRUE);
-
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- keyObject->handle = slot->tokenIDCount++;
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
- keyObject->slot = slot;
- keyObject->objclass = CKO_SECRET_KEY;
- pk11_AddSlotObject(slot, keyObject);
-
- return rv;
-}
-#endif /* Fixed DES key */
-
-/*
- * load up our token database
- */
-static CK_RV
-pk11_importKeyDB(PK11Slot *slot)
-{
- keyList keylist;
- pk11keyNode *node;
- CK_RV crv;
- SECStatus rv;
- PK11Object *privateKeyObject;
- PK11Object *publicKeyObject;
- PK11Object *certObject;
-
- /* traverse the database, collecting the index keys of all
- * records into a linked list
- */
- keylist.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( keylist.arena == NULL ) {
- return CKR_HOST_MEMORY;
- }
- keylist.head = NULL;
- keylist.slot = slot;
-
- /* collect all of the keys */
- rv = SECKEY_TraverseKeys(SECKEY_GetDefaultKeyDB(),
- add_key_to_list, (void *)&keylist);
- if (rv != SECSuccess) {
- PORT_FreeArena(keylist.arena, PR_FALSE);
- return CKR_HOST_MEMORY;
- }
-
- /* find certs that match any of the keys */
- crv = SEC_TraversePermCerts(CERT_GetDefaultCertDB(),
- add_cert_to_list, (void *)&keylist);
- if ( crv != SECSuccess ) {
- PORT_FreeArena(keylist.arena, PR_FALSE);
- return CKR_HOST_MEMORY;
- }
-
- /* now traverse the list and entry certs/keys into the
- * pkcs11 world
- */
- for (node = keylist.head; node != NULL; node=node->next ) {
- /* Check for "special" private key that wraps a symmetric key */
- if (isSecretKey(node->privKey)) {
- importSecretKey(slot, node->privKey);
- goto end_loop;
- }
-
- /* create the private key object */
- privateKeyObject = pk11_importPrivateKey(slot, node->privKey,
- node->pubItem);
- if ( privateKeyObject == NULL ) {
- goto end_loop;
- }
-
- publicKeyObject = pk11_importPublicKey(slot, node->privKey, NULL,
- node->pubItem);
- if ( node->cert ) {
- /* Now import the Cert */
- certObject = pk11_importCertificate(slot, node->cert,
- node->pubItem->data,
- node->pubItem->len, PR_TRUE);
-
- /* Copy the subject */
- if ( certObject ) {
- /* NOTE: cert has been adopted */
- PK11Attribute *attribute;
-
- /* Copy the Subject */
- attribute = pk11_FindAttribute(certObject,CKA_SUBJECT);
- if (attribute) {
- pk11_forceAttribute(privateKeyObject,
- pk11_attr_expand(&attribute->attrib));
- if (publicKeyObject) {
- pk11_forceAttribute(publicKeyObject,
- pk11_attr_expand(&attribute->attrib));
- }
- pk11_FreeAttribute(attribute);
- }
- pk11_FreeObject(certObject);
- }
- }
-
- if ( publicKeyObject != NULL ) {
- pk11_AddSlotObject(slot, publicKeyObject);
- }
-
- pk11_AddSlotObject(slot, privateKeyObject);
-
-end_loop:
- SECKEY_LowDestroyPrivateKey(node->privKey);
- if ( node->cert ) {
- CERT_DestroyCertificate(node->cert);
- }
-
- }
- PORT_FreeArena(keylist.arena, PR_FALSE);
-
- return CKR_OK;
-}
-
-/*
- * structure to collect certs into
- */
-typedef struct pk11CertDataStr {
- int cert_count;
- int max_cert_count;
- CERTCertificate **certs;
-} pk11CertData;
-
-/*
- * collect all the certs from the traverse call.
- */
-static SECStatus
-pk11_cert_collect(CERTCertificate *cert,void *arg) {
- pk11CertData *cd = (pk11CertData *)arg;
-
- /* shouldn't happen, but don't crash if it does */
- if (cd->cert_count >= cd->max_cert_count) {
- PORT_Assert(0);
- return SECFailure;
- }
-
- cd->certs[cd->cert_count++] = CERT_DupCertificate(cert);
- return SECSuccess;
-}
-
-/*
- * find any certs that may match the template and load them.
- */
-static void
-pk11_searchCerts(PK11Slot *slot, CK_ATTRIBUTE *pTemplate, CK_LONG ulCount) {
- int i;
- SECItem derCert = { siBuffer, NULL, 0 };
- SECItem derSubject = { siBuffer, NULL, 0 };
- SECItem name = { siBuffer, NULL, 0 };
- CERTIssuerAndSN issuerSN = {
- { siBuffer, NULL, 0 },
- { NULL, NULL },
- { siBuffer, NULL, 0 }
- };
- SECItem *copy = NULL;
- CERTCertDBHandle *handle = NULL;
- SECKEYKeyDBHandle *keyHandle = NULL;
- pk11CertData certData;
-
-
- /*
- * These should be stored in the slot some day in the future
- */
- handle = CERT_GetDefaultCertDB();
- if (handle == NULL) return;
- keyHandle = SECKEY_GetDefaultKeyDB();
- if (keyHandle == NULL) return;
-
- /*
- * look for things to search on certs for. We only need one of these
- * items. If we find all the certs that match that item, import them
- * (as long as they are user certs). We'll let find objects filter out
- * the ones that don't apply.
- */
- for (i=0 ;i < (int)ulCount; i++) {
-
- switch (pTemplate[i].type) {
- case CKA_SUBJECT: copy = &derSubject; break;
- case CKA_ISSUER: copy = &issuerSN.derIssuer; break;
- case CKA_SERIAL_NUMBER: copy = &issuerSN.serialNumber; break;
- case CKA_VALUE: copy = &derCert; break;
- case CKA_LABEL: copy = &name; break;
- case CKA_CLASS:
- if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
- return;
- }
- if (*((CK_OBJECT_CLASS *)pTemplate[i].pValue) != CKO_CERTIFICATE) {
- return;
- }
- copy = NULL; break;
- case CKA_PRIVATE:
- if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
- return;
- }
- if (*((CK_BBOOL *)pTemplate[i].pValue) != CK_FALSE) {
- return;
- }
- copy = NULL; break;
- case CKA_TOKEN:
- if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
- return;
- }
- if (*((CK_BBOOL *)pTemplate[i].pValue) != CK_TRUE) {
- return;
- }
- copy = NULL; break;
- case CKA_CERTIFICATE_TYPE:
- case CKA_ID:
- case CKA_MODIFIABLE:
- copy = NULL; break;
- /* can't be a certificate if it doesn't match one of the above
- * attributes */
- default: return;
- }
- if (copy) {
- copy->data = (unsigned char*)pTemplate[i].pValue;
- copy->len = pTemplate[i].ulValueLen;
- }
- }
-
- certData.max_cert_count = 0;
- certData.certs = NULL;
- certData.cert_count = 0;
-
- if (derCert.data != NULL) {
- CERTCertificate *cert = CERT_FindCertByDERCert(handle,&derCert);
- if (cert != NULL) {
- certData.certs =
- (CERTCertificate **) PORT_Alloc(sizeof (CERTCertificate *));
- if (certData.certs) {
- certData.certs[0] = cert;
- certData.cert_count = 1;
- } else CERT_DestroyCertificate(cert);
- }
- } else if (name.data != NULL) {
- char *tmp_name = (char*)PORT_Alloc(name.len+1);
-
- if (tmp_name == NULL) {
- return;
- }
- PORT_Memcpy(tmp_name,name.data,name.len);
- tmp_name[name.len] = 0;
-
- certData.max_cert_count=CERT_NumPermCertsForNickname(handle,tmp_name);
- if (certData.max_cert_count > 0) {
- certData.certs = (CERTCertificate **)
- PORT_Alloc(certData.max_cert_count *sizeof(CERTCertificate *));
- if (certData.certs) {
- CERT_TraversePermCertsForNickname(handle,tmp_name,
- pk11_cert_collect, &certData);
- }
-
- }
-
- PORT_Free(tmp_name);
- } else if (derSubject.data != NULL) {
- certData.max_cert_count=CERT_NumPermCertsForSubject(handle,&derSubject);
- if (certData.max_cert_count > 0) {
- certData.certs = (CERTCertificate **)
- PORT_Alloc(certData.max_cert_count *sizeof(CERTCertificate *));
- if (certData.certs) {
- CERT_TraversePermCertsForSubject(handle,&derSubject,
- pk11_cert_collect, &certData);
- }
- }
- } else if ((issuerSN.derIssuer.data != NULL) &&
- (issuerSN.serialNumber.data != NULL)) {
- CERTCertificate *cert = CERT_FindCertByIssuerAndSN(handle,&issuerSN);
-
- if (cert != NULL) {
- certData.certs =
- (CERTCertificate **) PORT_Alloc(sizeof (CERTCertificate *));
- if (certData.certs) {
- certData.certs[0] = cert;
- certData.cert_count = 1;
- } else CERT_DestroyCertificate(cert);
- }
- } else {
- /* PORT_Assert(0); may get called when not looking for certs */
- /* look up all the certs sometime, and get rid of the assert */;
- }
-
-
- for (i=0 ; i < certData.cert_count ; i++) {
- CERTCertificate *cert = certData.certs[i];
-
- /* we are only interested in permanment user certs here */
- if ((cert->isperm) && (cert->trust) &&
- (( cert->trust->sslFlags & CERTDB_USER ) ||
- ( cert->trust->emailFlags & CERTDB_USER ) ||
- ( cert->trust->objectSigningFlags & CERTDB_USER )) &&
- ( cert->nickname != NULL ) &&
- (SECKEY_KeyForCertExists(keyHandle, cert) == SECSuccess)) {
- PK11Object *obj;
- pk11_importCertificate(slot, cert, NULL, 0, PR_FALSE);
- obj = pk11_importPublicKey(slot, NULL, cert, NULL);
- if (obj) pk11_AddSlotObject(slot, obj);
- }
- CERT_DestroyCertificate(cert);
- }
- if (certData.certs) PORT_Free(certData.certs);
-
- return;
-}
-
-
-/* NSC_FindObjectsInit initializes a search for token and session objects
- * that match a template. */
-CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
-{
- PK11ObjectListElement *objectList = NULL;
- PK11ObjectListElement *olp;
- PK11SearchResults *search,*freeSearch;
- PK11Session *session;
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- int count, i;
- CK_RV crv;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- /* resync token objects with the data base */
- if ((session->info.slotID == PRIVATE_KEY_SLOT_ID) ||
- (session->info.slotID == FIPS_SLOT_ID)) {
- if (slot->DB_loaded == PR_FALSE) {
- /* if we aren't logged in, we can't unload all key keys
- * and certs. Just unload those certs we need for this search
- */
- if ((!slot->isLoggedIn) && (slot->needLogin)) {
- pk11_searchCerts(slot,pTemplate,ulCount);
- } else {
- pk11_importKeyDB(slot);
- slot->DB_loaded = PR_TRUE;
- }
- }
- }
-
-
- /* build list of found objects in the session */
- crv = pk11_searchObjectList(&objectList,slot->tokObjects,
- slot->objectLock, pTemplate, ulCount, (PRBool)((!slot->needLogin) ||
- slot->isLoggedIn));
- if (crv != CKR_OK) {
- pk11_FreeObjectList(objectList);
- pk11_FreeSession(session);
- return crv;
- }
-
-
- /* copy list to session */
- count = 0;
- for (olp = objectList; olp != NULL; olp = olp->next) {
- count++;
- }
- search = (PK11SearchResults *)PORT_Alloc(sizeof(PK11SearchResults));
- if (search == NULL) {
- pk11_FreeObjectList(objectList);
- pk11_FreeSession(session);
- return CKR_HOST_MEMORY;
- }
- search->handles = (CK_OBJECT_HANDLE *)
- PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * count);
- if (search->handles == NULL) {
- PORT_Free(search);
- pk11_FreeObjectList(objectList);
- pk11_FreeSession(session);
- return CKR_HOST_MEMORY;
- }
- for (i=0; i < count; i++) {
- search->handles[i] = objectList->object->handle;
- objectList = pk11_FreeObjectListElement(objectList);
- }
-
- /* store the search info */
- search->index = 0;
- search->size = count;
- if ((freeSearch = session->search) != NULL) {
- session->search = NULL;
- pk11_FreeSearch(freeSearch);
- }
- session->search = search;
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-
-/* NSC_FindObjects continues a search for token and session objects
- * that match a template, obtaining additional object handles. */
-CK_RV NSC_FindObjects(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,CK_ULONG ulMaxObjectCount,
- CK_ULONG_PTR pulObjectCount)
-{
- PK11Session *session;
- PK11SearchResults *search;
- int transfer;
- int left;
-
- *pulObjectCount = 0;
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- if (session->search == NULL) {
- pk11_FreeSession(session);
- return CKR_OK;
- }
- search = session->search;
- left = session->search->size - session->search->index;
- transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
- PORT_Memcpy(phObject,&search->handles[search->index],
- transfer*sizeof(CK_OBJECT_HANDLE_PTR));
- search->index += transfer;
- if (search->index == search->size) {
- session->search = NULL;
- pk11_FreeSearch(search);
- }
- *pulObjectCount = transfer;
- return CKR_OK;
-}
-
-/* NSC_FindObjectsFinal finishes a search for token and session objects. */
-CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
-{
- PK11Session *session;
- PK11SearchResults *search;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- search = session->search;
- session->search = NULL;
- if (search == NULL) {
- pk11_FreeSession(session);
- return CKR_OK;
- }
- pk11_FreeSearch(search);
- return CKR_OK;
-}
-
-
-
-CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
- CK_VOID_PTR pReserved)
-{
- return CKR_FUNCTION_NOT_SUPPORTED;
-}
diff --git a/security/nss/lib/softoken/pkcs11.h b/security/nss/lib/softoken/pkcs11.h
deleted file mode 100644
index 28fd0cd8e..000000000
--- a/security/nss/lib/softoken/pkcs11.h
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-#ifndef _PKCS11_H_
-#define _PKCS11_H_ 1
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Before including this file (pkcs11.h) (or pkcs11t.h by
- * itself), 6 platform-specific macros must be defined. These
- * macros are described below, and typical definitions for them
- * are also given. Be advised that these definitions can depend
- * on both the platform and the compiler used (and possibly also
- * on whether a PKCS #11 library is linked statically or
- * dynamically).
- *
- * In addition to defining these 6 macros, the packing convention
- * for PKCS #11 structures should be set. The PKCS #11
- * convention on packing is that structures should be 1-byte
- * aligned.
- *
- * In a Win32 environment, this might be done by using the
- * following preprocessor directive before including pkcs11.h
- * or pkcs11t.h:
- *
- * #pragma pack(push, cryptoki, 1)
- *
- * and using the following preprocessor directive after including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(pop, cryptoki)
- *
- * In a Win16 environment, this might be done by using the
- * following preprocessor directive before including pkcs11.h
- * or pkcs11t.h:
- *
- * #pragma pack(1)
- *
- * In a UNIX environment, you're on your own here. You might
- * not need to do anything.
- *
- *
- * Now for the macros:
- *
- *
- * 1. CK_PTR: The indirection string for making a pointer to an
- * object. It can be used like this:
- *
- * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
- *
- * In a Win32 environment, it might be defined by
- *
- * #define CK_PTR *
- *
- * In a Win16 environment, it might be defined by
- *
- * #define CK_PTR far *
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_PTR *
- *
- *
- * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
- * an exportable PKCS #11 library function definition out of a
- * return type and a function name. It should be used in the
- * following fashion to define the exposed PKCS #11 functions in
- * a PKCS #11 library:
- *
- * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
- * CK_VOID_PTR pReserved
- * )
- * {
- * ...
- * }
- *
- * For defining a function in a Win32 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- * returnType __declspec(dllexport) name
- *
- * For defining a function in a Win16 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- * returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- * returnType name
- *
- *
- * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
- * an importable PKCS #11 library function declaration out of a
- * return type and a function name. It should be used in the
- * following fashion:
- *
- * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
- * CK_VOID_PTR pReserved
- * );
- *
- * For declaring a function in a Win32 PKCS #11 .dll, it might
- * be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- * returnType __declspec(dllimport) name
- *
- * For declaring a function in a Win16 PKCS #11 .dll, it might
- * be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- * returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- * returnType name
- *
- *
- * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
- * which makes a PKCS #11 API function pointer declaration or
- * function pointer type declaration out of a return type and a
- * function name. It should be used in the following fashion:
- *
- * // Define funcPtr to be a pointer to a PKCS #11 API function
- * // taking arguments args and returning CK_RV.
- * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
- *
- * or
- *
- * // Define funcPtrType to be the type of a pointer to a
- * // PKCS #11 API function taking arguments args and returning
- * // CK_RV, and then define funcPtr to be a variable of type
- * // funcPtrType.
- * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
- * funcPtrType funcPtr;
- *
- * For accessing functions in a Win32 PKCS #11 .dll, in might be
- * defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- * returnType __declspec(dllimport) (* name)
- *
- * For accessing functions in a Win16 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- * returnType __export _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- * returnType (* name)
- *
- *
- * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
- * a function pointer type for an application callback out of
- * a return type for the callback and a name for the callback.
- * It should be used in the following fashion:
- *
- * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
- *
- * to declare a function pointer, myCallback, to a callback
- * which takes arguments args and returns a CK_RV. It can also
- * be used like this:
- *
- * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
- * myCallbackType myCallback;
- *
- * In a Win32 environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- * returnType (* name)
- *
- * In a Win16 environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- * returnType _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- * returnType (* name)
- *
- *
- * 6. NULL_PTR: This macro is the value of a NULL pointer.
- *
- * In any ANSI/ISO C environment (and in many others as well),
- * this should be defined by
- *
- * #ifndef NULL_PTR
- * #define NULL_PTR 0
- * #endif
- */
-
-
-/* All the various PKCS #11 types and #define'd values are in the
- * file pkcs11t.h. */
-#include "pkcs11t.h"
-
-#define __PASTE(x,y) x##y
-
-
-/* packing defines */
-#include "pkcs11p.h"
-/* ==============================================================
- * Define the "extern" form of all the entry points.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST 1
-#define CK_PKCS11_FUNCTION_INFO(name) \
- CK_DECLARE_FUNCTION(CK_RV, name)
-
-/* pkcs11f.h has all the information about the PKCS #11
- * function prototypes. */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define the typedef form of all the entry points. That is, for
- * each PKCS #11 function C_XXX, define a type CK_C_XXX which is
- * a pointer to that kind of function.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST 1
-#define CK_PKCS11_FUNCTION_INFO(name) \
- typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
-
-/* pkcs11f.h has all the information about the PKCS #11
- * function prototypes. */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define structed vector of entry points. A CK_FUNCTION_LIST
- * contains a CK_VERSION indicating a library's PKCS #11 version
- * and then a whole slew of function pointers to the routines in
- * the library. This type was declared, but not defined, in
- * pkcs11t.h.
- * ==============================================================
- */
-
-#define CK_PKCS11_FUNCTION_INFO(name) \
- __PASTE(CK_,name) name;
-
-struct CK_FUNCTION_LIST {
-
- CK_VERSION version; /* PKCS #11 version */
-
-/* Pile all the function pointers into the CK_FUNCTION_LIST. */
-/* pkcs11f.h has all the information about the PKCS #11
- * function prototypes. */
-#include "pkcs11f.h"
-
-};
-
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-#undef __PASTE
-
-/* unpack */
-#include "pkcs11u.h"
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
deleted file mode 100644
index 9689982ba..000000000
--- a/security/nss/lib/softoken/pkcs11c.c
+++ /dev/null
@@ -1,5323 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * This file implements PKCS 11 on top of our existing security modules
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- * This implementation has two slots:
- * slot 1 is our generic crypto support. It does not require login.
- * It supports Public Key ops, and all they bulk ciphers and hashes.
- * It can also support Private Key ops for imported Private keys. It does
- * not have any token storage.
- * slot 2 is our private key support. It requires a login before use. It
- * can store Private Keys and Certs as token objects. Currently only private
- * keys and their associated Certificates are saved on the token.
- *
- * In this implementation, session objects are only visible to the session
- * that created or generated them.
- */
-#include "seccomon.h"
-#include "secitem.h"
-#include "secport.h"
-#include "blapi.h"
-#include "pkcs11.h"
-#include "pkcs11i.h"
-#include "keylow.h"
-#include "cert.h"
-#include "sechash.h"
-#include "secder.h"
-#include "secdig.h"
-#include "secpkcs5.h" /* We do PBE below */
-#include "pkcs11t.h"
-#include "secoid.h"
-#include "alghmac.h"
-#include "softoken.h"
-#include "secasn1.h"
-#include "secmodi.h"
-
-#include "certdb.h"
-#include "ssl3prot.h" /* for SSL3_RANDOM_LENGTH */
-
-#define __PASTE(x,y) x##y
-
-/*
- * we renamed all our internal functions, get the correct
- * definitions for them...
- */
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-#define CK_EXTERN extern
-#define CK_PKCS11_FUNCTION_INFO(func) \
- CK_RV __PASTE(NS,func)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-
-
-/* forward static declaration. */
-static SECStatus pk11_PRF(const SECItem *secret, const char *label,
- SECItem *seed, SECItem *result);
-
-#define PK11_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
-
-static void pk11_Null(void *data, PRBool freeit)
-{
- return;
-}
-
-/*
- * free routines.... Free local type allocated data, and convert
- * other free routines to the destroy signature.
- */
-static void
-pk11_FreePrivKey(SECKEYLowPrivateKey *key, PRBool freeit)
-{
- SECKEY_LowDestroyPrivateKey(key);
-}
-
-static void
-pk11_HMAC_Destroy(HMACContext *context, PRBool freeit)
-{
- HMAC_Destroy(context);
-}
-
-static void
-pk11_Space(void *data, PRBool freeit)
-{
- PORT_Free(data);
-}
-
-static void pk11_FreeSignInfo(PK11HashSignInfo *data, PRBool freeit)
-{
- SECKEY_LowDestroyPrivateKey(data->key);
- PORT_Free(data);
-}
-
-static DSAPublicKey *
-DSA_CreateVerifyContext(SECKEYLowPublicKey *pubKey)
-{
- PLArenaPool * arena;
- DSAPublicKey * dsaKey;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!arena) goto loser;
- dsaKey = (DSAPublicKey *)PORT_ArenaZAlloc(arena, sizeof (DSAPublicKey));
- if (!dsaKey) goto loser;
- dsaKey->params.arena = arena;
-
-#define COPY_DSA_ITEM(item) \
- rv = SECITEM_CopyItem(arena, &dsaKey->item, &pubKey->u.dsa.item); \
- if (rv != SECSuccess) goto loser;
-
- COPY_DSA_ITEM(params.prime);
- COPY_DSA_ITEM(params.subPrime);
- COPY_DSA_ITEM(params.base);
- COPY_DSA_ITEM(publicValue);
- return dsaKey;
-
-loser:
- if (arena)
- PORT_FreeArena(arena, PR_TRUE);
- return NULL;
-
-#undef COPY_DSA_ITEM
-}
-
-static void
-DSA_DestroyVerifyContext(DSAPublicKey * key)
-{
- if (key && key->params.arena)
- PORT_FreeArena(key->params.arena, PR_TRUE);
-}
-
-static DSAPrivateKey *
-DSA_CreateSignContext(SECKEYLowPrivateKey *privKey)
-{
- PLArenaPool * arena;
- DSAPrivateKey * dsaKey;
- SECStatus rv;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!arena) goto loser;
- dsaKey = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof (DSAPrivateKey));
- if (!dsaKey) goto loser;
- dsaKey->params.arena = arena;
-
-#define COPY_DSA_ITEM(item) \
- rv = SECITEM_CopyItem(arena, &dsaKey->item, &privKey->u.dsa.item); \
- if (rv != SECSuccess) goto loser;
-
- COPY_DSA_ITEM(params.prime);
- COPY_DSA_ITEM(params.subPrime);
- COPY_DSA_ITEM(params.base);
- COPY_DSA_ITEM(publicValue);
- COPY_DSA_ITEM(privateValue);
- return dsaKey;
-
-loser:
- if (arena)
- PORT_FreeArena(arena, PR_TRUE);
- return NULL;
-
-#undef COPY_DSA_ITEM
-}
-
-static void
-DSA_DestroySignContext(DSAPrivateKey * key)
-{
- if (key && key->params.arena)
- PORT_FreeArena(key->params.arena, PR_TRUE);
-}
-
-/*
- * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by
- * Deprecating a full des key to 40 bit key strenth.
- */
-static CK_RV
-pk11_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)
-{
- unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };
- unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };
- unsigned char enc_src[8];
- unsigned char enc_dest[8];
- unsigned int leng,i;
- DESContext *descx;
- SECStatus rv;
-
-
- /* zero the parity bits */
- for (i=0; i < 8; i++) {
- enc_src[i] = cdmfkey[i] & 0xfe;
- }
-
- /* encrypt with key 1 */
- descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);
- if (descx == NULL) return CKR_HOST_MEMORY;
- rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);
- DES_DestroyContext(descx,PR_TRUE);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-
- /* xor source with des, zero the parity bits and depricate the key*/
- for (i=0; i < 8; i++) {
- if (i & 1) {
- enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;
- } else {
- enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;
- }
- }
-
- /* encrypt with key 2 */
- descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);
- if (descx == NULL) return CKR_HOST_MEMORY;
- rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);
- DES_DestroyContext(descx,PR_TRUE);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-
- /* set the corret parity on our new des key */
- pk11_FormatDESKey(deskey, 8);
- return CKR_OK;
-}
-
-
-static CK_RV
-pk11_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
- PK11ContextType contextType);
-/*
- * Calculate a Lynx checksum for CKM_LYNX_WRAP mechanism.
- */
-static CK_RV
-pk11_calcLynxChecksum(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hWrapKey,
- unsigned char *checksum, unsigned char *key, CK_ULONG len)
-{
-
- CK_BYTE E[10];
- CK_ULONG Elen = sizeof (E);
- CK_BYTE C[8];
- CK_ULONG Clen = sizeof (C);
- unsigned short sum1 = 0, sum2 = 0;
- CK_MECHANISM mech = { CKM_DES_ECB, NULL, 0 };
- int i;
- CK_RV crv;
-
- if (len != 8) return CKR_WRAPPED_KEY_LEN_RANGE;
-
- /* zero the parity bits */
- for (i=0; i < 8; i++) {
- sum1 = sum1 + key[i];
- sum2 = sum2 + sum1;
- }
-
- /* encrypt with key 1 */
-
- crv = pk11_EncryptInit(hSession,&mech,hWrapKey,CKA_WRAP, PK11_ENCRYPT);
- if (crv != CKR_OK) return crv;
-
- crv = NSC_Encrypt(hSession,key,len,E,&Elen);
- if (crv != CKR_OK) return crv;
-
- E[8] = (sum2 >> 8) & 0xff;
- E[9] = sum2 & 0xff;
-
- crv = pk11_EncryptInit(hSession,&mech,hWrapKey,CKA_WRAP, PK11_ENCRYPT);
- if (crv != CKR_OK) return crv;
-
- crv = NSC_Encrypt(hSession,&E[2],len,C,&Clen);
- if (crv != CKR_OK) return crv;
-
- checksum[0] = C[6];
- checksum[1] = C[7];
-
- return CKR_OK;
-}
-/* NSC_DestroyObject destroys an object. */
-CK_RV
-NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- PK11Session *session;
- PK11Object *object;
- PK11FreeStatus status;
-
- /*
- * This whole block just makes sure we really can destroy the
- * requested object.
- */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- object = pk11_ObjectFromHandle(hObject,session);
- if (object == NULL) {
- pk11_FreeSession(session);
- return CKR_OBJECT_HANDLE_INVALID;
- }
-
- /* don't destroy a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (pk11_isTrue(object,CKA_PRIVATE))) {
- pk11_FreeSession(session);
- pk11_FreeObject(object);
- return CKR_USER_NOT_LOGGED_IN;
- }
-
- /* don't destroy a token object if we aren't in a rw session */
-
- if (((session->info.flags & CKF_RW_SESSION) == 0) &&
- (pk11_isTrue(object,CKA_TOKEN))) {
- pk11_FreeSession(session);
- pk11_FreeObject(object);
- return CKR_SESSION_READ_ONLY;
- }
-
- pk11_DeleteObject(session,object);
-
- pk11_FreeSession(session);
-
- /*
- * get some indication if the object is destroyed. Note: this is not
- * 100%. Someone may have an object reference outstanding (though that
- * should not be the case by here. Also note that the object is "half"
- * destroyed. Our internal representation is destroyed, but it may still
- * be in the data base.
- */
- status = pk11_FreeObject(object);
-
- return (status != PK11_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/*
- ************** Crypto Functions: Utilities ************************
- */
-
-
-/*
- * return a context based on the PK11Context type.
- */
-PK11SessionContext *
-pk11_ReturnContextByType(PK11Session *session, PK11ContextType type)
-{
- switch (type) {
- case PK11_ENCRYPT:
- case PK11_DECRYPT:
- return session->enc_context;
- case PK11_HASH:
- return session->hash_context;
- case PK11_SIGN:
- case PK11_SIGN_RECOVER:
- case PK11_VERIFY:
- case PK11_VERIFY_RECOVER:
- return session->hash_context;
- }
- return NULL;
-}
-
-/*
- * change a context based on the PK11Context type.
- */
-void
-pk11_SetContextByType(PK11Session *session, PK11ContextType type,
- PK11SessionContext *context)
-{
- switch (type) {
- case PK11_ENCRYPT:
- case PK11_DECRYPT:
- session->enc_context = context;
- break;
- case PK11_HASH:
- session->hash_context = context;
- break;
- case PK11_SIGN:
- case PK11_SIGN_RECOVER:
- case PK11_VERIFY:
- case PK11_VERIFY_RECOVER:
- session->hash_context = context;
- break;
- }
- return;
-}
-
-/*
- * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,
- * and C_XXX function. The function takes a session handle, the context type,
- * and wether or not the session needs to be multipart. It returns the context,
- * and optionally returns the session pointer (if sessionPtr != NULL) if session
- * pointer is returned, the caller is responsible for freeing it.
- */
-static CK_RV
-pk11_GetContext(CK_SESSION_HANDLE handle,PK11SessionContext **contextPtr,
- PK11ContextType type, PRBool needMulti, PK11Session **sessionPtr)
-{
- PK11Session *session;
- PK11SessionContext *context;
-
- session = pk11_SessionFromHandle(handle);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- context = pk11_ReturnContextByType(session,type);
- /* make sure the context is valid */
- if((context==NULL)||(context->type!=type)||(needMulti&&!(context->multi))){
- pk11_FreeSession(session);
- return CKR_OPERATION_NOT_INITIALIZED;
- }
- *contextPtr = context;
- if (sessionPtr != NULL) {
- *sessionPtr = session;
- } else {
- pk11_FreeSession(session);
- }
- return CKR_OK;
-}
-
-/*
- ************** Crypto Functions: Encrypt ************************
- */
-
-/*
- * All the NSC_InitXXX functions have a set of common checks and processing they
- * all need to do at the beginning. This is done here.
- */
-static CK_RV
-pk11_InitGeneric(PK11Session *session,PK11SessionContext **contextPtr,
- PK11ContextType ctype,PK11Object **keyPtr,
- CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,
- CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation)
-{
- PK11Object *key = NULL;
- PK11Attribute *att;
- PK11SessionContext *context;
-
- /* We can only init if there is not current context active */
- if (pk11_ReturnContextByType(session,ctype) != NULL) {
- return CKR_OPERATION_ACTIVE;
- }
-
- /* find the key */
- if (keyPtr) {
- key = pk11_ObjectFromHandle(hKey,session);
- if (key == NULL) {
- return CKR_KEY_HANDLE_INVALID;
- }
-
- /* make sure it's a valid key for this operation */
- if (((key->objclass != CKO_SECRET_KEY) && (key->objclass != pubKeyType))
- || !pk11_isTrue(key,operation)) {
- pk11_FreeObject(key);
- return CKR_KEY_TYPE_INCONSISTENT;
- }
- /* get the key type */
- att = pk11_FindAttribute(key,CKA_KEY_TYPE);
- PORT_Assert(att != NULL);
- *keyTypePtr = *(CK_KEY_TYPE *)att->attrib.pValue;
- pk11_FreeAttribute(att);
- *keyPtr = key;
- }
-
- /* allocate the context structure */
- context = (PK11SessionContext *)PORT_Alloc(sizeof(PK11SessionContext));
- if (context == NULL) {
- if (key) pk11_FreeObject(key);
- return CKR_HOST_MEMORY;
- }
- context->type = ctype;
- context->multi = PR_TRUE;
- context->cipherInfo = NULL;
- context->hashInfo = NULL;
- context->doPad = PR_FALSE;
- context->padDataLength = 0;
-
- *contextPtr = context;
- return CKR_OK;
-}
-
-/* NSC_EncryptInit initializes an encryption operation. */
-/* This function is used by NSC_EncryptInit and NSC_WrapKey. The only difference
- * in their uses if whether or not etype is CKA_ENCRYPT or CKA_WRAP */
-static CK_RV
-pk11_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
- PK11ContextType contextType)
-{
- PK11Session *session;
- PK11Object *key;
- PK11SessionContext *context;
- PK11Attribute *att;
- CK_RC2_CBC_PARAMS *rc2_param;
- CK_RC5_CBC_PARAMS *rc5_param;
- CK_KEY_TYPE key_type;
- CK_RV crv = CKR_OK;
- SECKEYLowPublicKey *pubKey;
- unsigned effectiveKeyLength;
- unsigned char newdeskey[8];
- PRBool useNewKey=PR_FALSE;
- SECItem rc5Key;
- int t;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
- crv = pk11_InitGeneric(session,&context,contextType,&key,hKey,&key_type,
- CKO_PUBLIC_KEY, etype);
-
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- return crv;
- }
-
- context->doPad = PR_FALSE;
- switch(pMechanism->mechanism) {
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- if (key_type != CKK_RSA) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- context->multi = PR_FALSE;
- pubKey = pk11_GetPubKey(key,CKK_RSA);
- if (pubKey == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->cipherInfo = pubKey;
- context->update = (PK11Cipher) (pMechanism->mechanism == CKM_RSA_X_509
- ? RSA_EncryptRaw : RSA_EncryptBlock);
- context->destroy = pk11_Null;
- break;
- case CKM_RC2_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_RC2_ECB:
- case CKM_RC2_CBC:
- if (key_type != CKK_RC2) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att = pk11_FindAttribute(key,CKA_VALUE);
- if (att == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;
- effectiveKeyLength = (rc2_param->ulEffectiveBits+7)/8;
- context->cipherInfo =
- RC2_CreateContext((unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen, rc2_param->iv,
- pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 :
- NSS_RC2_CBC,effectiveKeyLength);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) RC2_Encrypt;
- context->destroy = (PK11Destroy) RC2_DestroyContext;
- break;
- case CKM_RC5_CBC_PAD:
- context->doPad = PR_TRUE;
- /* fall thru */
- case CKM_RC5_ECB:
- case CKM_RC5_CBC:
- if (key_type != CKK_RC5) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att = pk11_FindAttribute(key,CKA_VALUE);
- if (att == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter;
- if (context->doPad) {
- context->blockSize = rc5_param->ulWordsize*2;
- }
- rc5Key.data = (unsigned char*)att->attrib.pValue;
- rc5Key.len = att->attrib.ulValueLen;
- context->cipherInfo = RC5_CreateContext(&rc5Key,rc5_param->ulRounds,
- rc5_param->ulWordsize,rc5_param->pIv,
- pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) RC5_Encrypt;
- context->destroy = (PK11Destroy) RC5_DestroyContext;
- break;
- case CKM_RC4:
- if (key_type != CKK_RC4) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att = pk11_FindAttribute(key,CKA_VALUE);
- if (att == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- context->cipherInfo =
- RC4_CreateContext((unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY; /* WRONG !!! */
- break;
- }
- context->update = (PK11Cipher) RC4_Encrypt;
- context->destroy = (PK11Destroy) RC4_DestroyContext;
- break;
- case CKM_CDMF_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
- if (key_type != CKK_CDMF) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
- useNewKey=PR_TRUE;
- if (crv != CKR_OK) break;
- goto finish_des;
- case CKM_DES_ECB:
- if (key_type != CKK_DES) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES;
- goto finish_des;
- case CKM_DES_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_DES_CBC:
- if (key_type != CKK_DES) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES_CBC;
- goto finish_des;
- case CKM_DES3_ECB:
- if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES_EDE3;
- goto finish_des;
- case CKM_DES3_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_DES3_CBC:
- if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES_EDE3_CBC;
-finish_des:
- att = pk11_FindAttribute(key,CKA_VALUE);
- if (att == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- if (useNewKey) {
- crv = pk11_cdmf2des((unsigned char*)att->attrib.pValue,newdeskey);
- if (crv != CKR_OK) {
- pk11_FreeAttribute(att);
- break;
- }
- }
- context->cipherInfo = DES_CreateContext(
- useNewKey ? newdeskey : (unsigned char*)att->attrib.pValue,
- (unsigned char*)pMechanism->pParameter,t, PR_TRUE);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) DES_Encrypt;
- context->destroy = (PK11Destroy) DES_DestroyContext;
-
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- break;
- }
-
- pk11_FreeObject(key);
- if (crv != CKR_OK) {
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return crv;
- }
- pk11_SetContextByType(session, contextType, context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-/* NSC_EncryptInit initializes an encryption operation. */
-CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
-{
- return pk11_EncryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT,
- PK11_ENCRYPT);
-}
-
-/* NSC_EncryptUpdate continues a multiple-part encryption operation. */
-CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen)
-{
- PK11SessionContext *context;
- unsigned int outlen,i;
- unsigned int padoutlen = 0;
- unsigned int maxout = *pulEncryptedPartLen;
- CK_RV crv;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_ENCRYPT,PR_TRUE,NULL);
- if (crv != CKR_OK) return crv;
-
- /* do padding */
- if (context->doPad) {
- /* deal with previous buffered data */
- if (context->padDataLength != 0) {
- /* fill in the padded to a full block size */
- for (i=context->padDataLength;
- (ulPartLen != 0) && i < context->blockSize; i++) {
- context->padBuf[i] = *pPart++;
- ulPartLen--;
- context->padDataLength++;
- }
-
- /* not enough data to encrypt yet? then return */
- if (context->padDataLength != context->blockSize) {
- *pulEncryptedPartLen = 0;
- return CKR_OK;
- }
- /* encrypt the current padded data */
- rv = (*context->update)(context->cipherInfo,pEncryptedPart,
- &outlen,context->blockSize,context->padBuf,context->blockSize);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
- pEncryptedPart += padoutlen;
- maxout -= padoutlen;
- }
- /* save the residual */
- context->padDataLength = ulPartLen % context->blockSize;
- if (context->padDataLength) {
- PORT_Memcpy(context->padBuf,
- &pPart[ulPartLen-context->padDataLength],
- context->padDataLength);
- ulPartLen -= context->padDataLength;
- }
- /* if we've exhausted our new buffer, we're done */
- if (ulPartLen == 0) {
- *pulEncryptedPartLen = padoutlen;
- return CKR_OK;
- }
- }
-
-
-
- /* do it: NOTE: this assumes buf size in is >= buf size out! */
- rv = (*context->update)(context->cipherInfo,pEncryptedPart,
- &outlen, maxout, pPart, ulPartLen);
- *pulEncryptedPartLen = (CK_ULONG) (outlen + padoutlen);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/* NSC_EncryptFinal finishes a multiple-part encryption operation. */
-CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen,i;
- unsigned int maxout = *pulLastEncryptedPartLen;
- CK_RV crv;
- SECStatus rv = SECSuccess;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_ENCRYPT,PR_TRUE,&session);
- if (crv != CKR_OK) return crv;
-
- *pulLastEncryptedPartLen = 0;
-
- /* do padding */
- if (context->doPad) {
- unsigned char padbyte = (unsigned char)
- (context->blockSize - context->padDataLength);
- /* fill out rest of pad buffer with pad magic*/
- for (i=context->padDataLength; i < context->blockSize; i++) {
- context->padBuf[i] = padbyte;
- }
- rv = (*context->update)(context->cipherInfo,pLastEncryptedPart,
- &outlen, maxout, context->padBuf, context->blockSize);
- if (rv == SECSuccess) *pulLastEncryptedPartLen = (CK_ULONG) outlen;
- }
-
- /* do it */
- pk11_SetContextByType(session, PK11_ENCRYPT, NULL);
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_Encrypt encrypts single-part data. */
-CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pulEncryptedDataLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int maxoutlen = *pulEncryptedDataLen;
- CK_RV crv;
- CK_RV crv2;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_ENCRYPT,PR_FALSE,&session);
- if (crv != CKR_OK) return crv;
-
- if (context->doPad) {
- CK_ULONG finalLen;
- /* padding is fairly complicated, have the update and final
- * code deal with it */
- pk11_FreeSession(session);
- crv = NSC_EncryptUpdate(hSession,pData,ulDataLen,pEncryptedData,
- pulEncryptedDataLen);
- if (crv != CKR_OK) *pulEncryptedDataLen = 0;
- maxoutlen -= *pulEncryptedDataLen;
- pEncryptedData += *pulEncryptedDataLen;
- finalLen = maxoutlen;
- crv2 = NSC_EncryptFinal(hSession, pEncryptedData, &finalLen);
- if (crv2 == CKR_OK) { *pulEncryptedDataLen += finalLen; }
- return crv == CKR_OK ? crv2 :crv;
- }
-
-
- /* do it: NOTE: this assumes buf size is big enough. */
- rv = (*context->update)(context->cipherInfo, pEncryptedData,
- &outlen, maxoutlen, pData, ulDataLen);
- *pulEncryptedDataLen = (CK_ULONG) outlen;
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_ENCRYPT, NULL);
- pk11_FreeSession(session);
-
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/*
- ************** Crypto Functions: Decrypt ************************
- */
-
-/* NSC_DecryptInit initializes a decryption operation. */
-static CK_RV pk11_DecryptInit( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE dtype,
- PK11ContextType contextType)
-{
- PK11Session *session;
- PK11Object *key;
- PK11Attribute *att;
- PK11SessionContext *context;
- CK_RC2_CBC_PARAMS *rc2_param;
- CK_RC5_CBC_PARAMS *rc5_param;
- SECItem rc5Key;
- CK_KEY_TYPE key_type;
- CK_RV crv = CKR_OK;
- unsigned effectiveKeyLength;
- SECKEYLowPrivateKey *privKey;
- unsigned char newdeskey[8];
- PRBool useNewKey=PR_FALSE;
- int t;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
- crv = pk11_InitGeneric(session,&context,contextType,&key,hKey,&key_type,
- CKO_PRIVATE_KEY,dtype);
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- return crv;
- }
-
- /*
- * now handle each mechanism
- */
- switch(pMechanism->mechanism) {
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- if (key_type != CKK_RSA) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- context->multi = PR_FALSE;
- privKey = pk11_GetPrivKey(key,CKK_RSA);
- if (privKey == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->cipherInfo = privKey;
- context->update = (PK11Cipher) (pMechanism->mechanism == CKM_RSA_X_509
- ? RSA_DecryptRaw : RSA_DecryptBlock);
- context->destroy = (context->cipherInfo == key->objectInfo) ?
- (PK11Destroy) pk11_Null : (PK11Destroy) pk11_FreePrivKey;
- break;
- case CKM_RC2_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_RC2_ECB:
- case CKM_RC2_CBC:
- if (key_type != CKK_RC2) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att = pk11_FindAttribute(key,CKA_VALUE);
- rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;
- effectiveKeyLength = (rc2_param->ulEffectiveBits+7)/8;
- context->cipherInfo = RC2_CreateContext((unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen, rc2_param->iv,
- pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 :
- NSS_RC2_CBC, effectiveKeyLength);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) RC2_Decrypt;
- context->destroy = (PK11Destroy) RC2_DestroyContext;
- break;
- case CKM_RC5_CBC_PAD:
- context->doPad = PR_TRUE;
- /* fall thru */
- case CKM_RC5_ECB:
- case CKM_RC5_CBC:
- if (key_type != CKK_RC5) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att = pk11_FindAttribute(key,CKA_VALUE);
- if (att == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter;
- if (context->doPad) {
- context->blockSize = rc5_param->ulWordsize*2;
- }
- rc5Key.data = (unsigned char*)att->attrib.pValue;
- rc5Key.len = att->attrib.ulValueLen;
- context->cipherInfo = RC5_CreateContext(&rc5Key,rc5_param->ulRounds,
- rc5_param->ulWordsize,rc5_param->pIv,
- pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) RC5_Decrypt;
- context->destroy = (PK11Destroy) RC5_DestroyContext;
- break;
- case CKM_RC4:
- if (key_type != CKK_RC4) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att = pk11_FindAttribute(key,CKA_VALUE);
- context->cipherInfo =
- RC4_CreateContext((unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) RC4_Decrypt;
- context->destroy = (PK11Destroy) RC4_DestroyContext;
- break;
- case CKM_CDMF_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
- if (key_type != CKK_CDMF) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
- useNewKey = PR_TRUE;
- if (crv != CKR_OK) break;
- goto finish_des;
- case CKM_DES_ECB:
- if (key_type != CKK_DES) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES;
- goto finish_des;
- case CKM_DES_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_DES_CBC:
- if (key_type != CKK_DES) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES_CBC;
- goto finish_des;
- case CKM_DES3_ECB:
- if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES_EDE3;
- goto finish_des;
- case CKM_DES3_CBC_PAD:
- context->doPad = PR_TRUE;
- context->blockSize = 8;
- /* fall thru */
- case CKM_DES3_CBC:
- if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- t = NSS_DES_EDE3_CBC;
-finish_des:
- att = pk11_FindAttribute(key,CKA_VALUE);
- if (att == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- if (useNewKey) {
- crv = pk11_cdmf2des((unsigned char*)att->attrib.pValue,newdeskey);
- if (crv != CKR_OK) {
- pk11_FreeAttribute(att);
- break;
- }
- }
- context->cipherInfo = DES_CreateContext(
- useNewKey ? newdeskey : (unsigned char*)att->attrib.pValue,
- (unsigned char*)pMechanism->pParameter,t, PR_FALSE);
- pk11_FreeAttribute(att);
- if (context->cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->update = (PK11Cipher) DES_Decrypt;
- context->destroy = (PK11Destroy) DES_DestroyContext;
-
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- break;
- }
-
- pk11_FreeObject(key);
- if (crv != CKR_OK) {
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return crv;
- }
- pk11_SetContextByType(session, contextType, context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-/* NSC_DecryptInit initializes a decryption operation. */
-CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
-{
- return pk11_DecryptInit(hSession,pMechanism,hKey,CKA_DECRYPT,PK11_DECRYPT);
-}
-
-/* NSC_DecryptUpdate continues a multiple-part decryption operation. */
-CK_RV NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
-{
- PK11SessionContext *context;
- unsigned int padoutlen = 0;
- unsigned int outlen;
- unsigned int maxout = *pulPartLen;
- CK_RV crv;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_DECRYPT,PR_TRUE,NULL);
- if (crv != CKR_OK) return crv;
-
- if (context->doPad) {
- /* first decrypt our saved buffer */
- if (context->padDataLength != 0) {
- rv = (*context->update)(context->cipherInfo, pPart, &padoutlen,
- maxout, context->padBuf, context->blockSize);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
- pPart += padoutlen;
- maxout -= padoutlen;
- }
- /* now save the final block for the next decrypt or the final */
- PORT_Memcpy(context->padBuf,&pEncryptedPart[ulEncryptedPartLen -
- context->blockSize], context->blockSize);
- context->padDataLength = context->blockSize;
- ulEncryptedPartLen -= context->padDataLength;
- }
-
- /* do it: NOTE: this assumes buf size in is >= buf size out! */
- rv = (*context->update)(context->cipherInfo,pPart, &outlen,
- maxout, pEncryptedPart, ulEncryptedPartLen);
- *pulPartLen = (CK_ULONG) (outlen + padoutlen);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/* NSC_DecryptFinal finishes a multiple-part decryption operation. */
-CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int maxout = *pulLastPartLen;
- CK_RV crv;
- SECStatus rv = SECSuccess;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_DECRYPT,PR_TRUE,&session);
- if (crv != CKR_OK) return crv;
-
- *pulLastPartLen = 0;
- if (context->doPad) {
- /* decrypt our saved buffer */
- if (context->padDataLength != 0) {
- /* this assumes that pLastPart is big enough to hold the *whole*
- * buffer!!! */
- rv = (*context->update)(context->cipherInfo, pLastPart, &outlen,
- maxout, context->padBuf, context->blockSize);
- if (rv == SECSuccess) {
- unsigned int padSize =
- (unsigned int) pLastPart[context->blockSize-1];
-
- *pulLastPartLen = outlen - padSize;
- }
- }
- }
-
- /* do it */
- pk11_SetContextByType(session, PK11_DECRYPT, NULL);
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_Decrypt decrypts encrypted data in a single part. */
-CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,CK_BYTE_PTR pData,
- CK_ULONG_PTR pulDataLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int maxoutlen = *pulDataLen;
- CK_RV crv;
- CK_RV crv2;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_DECRYPT,PR_FALSE,&session);
- if (crv != CKR_OK) return crv;
-
- if (context->doPad) {
- CK_ULONG finalLen;
- /* padding is fairly complicated, have the update and final
- * code deal with it */
- pk11_FreeSession(session);
- crv = NSC_DecryptUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
- pData, pulDataLen);
- if (crv != CKR_OK) *pulDataLen = 0;
- maxoutlen -= *pulDataLen;
- pData += *pulDataLen;
- finalLen = maxoutlen;
- crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
- if (crv2 == CKR_OK) { *pulDataLen += finalLen; }
- return crv == CKR_OK ? crv2 :crv;
- }
-
- rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
- pEncryptedData, ulEncryptedDataLen);
- *pulDataLen = (CK_ULONG) outlen;
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_DECRYPT, NULL);
- pk11_FreeSession(session);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-
-/*
- ************** Crypto Functions: Digest (HASH) ************************
- */
-
-/* NSC_DigestInit initializes a message-digesting operation. */
-CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism)
-{
- PK11Session *session;
- PK11SessionContext *context;
- MD2Context *md2_context;
- MD5Context *md5_context;
- SHA1Context *sha1_context;
- CK_RV crv = CKR_OK;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- crv = pk11_InitGeneric(session,&context,PK11_HASH,NULL,0,NULL, 0, 0);
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- return crv;
- }
-
- switch(pMechanism->mechanism) {
- case CKM_MD2:
- md2_context = MD2_NewContext();
- context->cipherInfo = (void *)md2_context;
- context->cipherInfoLen = MD2_FlattenSize(md2_context);
- context->currentMech = CKM_MD2;
- if (context->cipherInfo == NULL) {
- crv= CKR_HOST_MEMORY;
-
- }
- context->hashUpdate = (PK11Hash) MD2_Update;
- context->end = (PK11End) MD2_End;
- context->destroy = (PK11Destroy) MD2_DestroyContext;
- MD2_Begin(md2_context);
- break;
- case CKM_MD5:
- md5_context = MD5_NewContext();
- context->cipherInfo = (void *)md5_context;
- context->cipherInfoLen = MD5_FlattenSize(md5_context);
- context->currentMech = CKM_MD5;
- if (context->cipherInfo == NULL) {
- crv= CKR_HOST_MEMORY;
-
- }
- context->hashUpdate = (PK11Hash) MD5_Update;
- context->end = (PK11End) MD5_End;
- context->destroy = (PK11Destroy) MD5_DestroyContext;
- MD5_Begin(md5_context);
- break;
- case CKM_SHA_1:
- sha1_context = SHA1_NewContext();
- context->cipherInfo = (void *)sha1_context;
- context->cipherInfoLen = SHA1_FlattenSize(sha1_context);
- context->currentMech = CKM_SHA_1;
- if (context->cipherInfo == NULL) {
- crv= CKR_HOST_MEMORY;
- break;
- }
- context->hashUpdate = (PK11Hash) SHA1_Update;
- context->end = (PK11End) SHA1_End;
- context->destroy = (PK11Destroy) SHA1_DestroyContext;
- SHA1_Begin(sha1_context);
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- break;
- }
-
- if (crv != CKR_OK) {
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return crv;
- }
- pk11_SetContextByType(session, PK11_HASH, context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-
-/* NSC_Digest digests data in a single part. */
-CK_RV NSC_Digest(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int digestLen;
- unsigned int maxout = *pulDigestLen;
- CK_RV crv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_HASH,PR_FALSE,&session);
- if (crv != CKR_OK) return crv;
-
- /* do it: */
- (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
- /* NOTE: this assumes buf size is bigenough for the algorithm */
- (*context->end)(context->cipherInfo, pDigest, &digestLen,maxout);
- *pulDigestLen = digestLen;
-
- pk11_SetContextByType(session, PK11_HASH, NULL);
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-
-/* NSC_DigestUpdate continues a multiple-part message-digesting operation. */
-CK_RV NSC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen)
-{
- PK11SessionContext *context;
- CK_RV crv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_HASH,PR_TRUE,NULL);
- if (crv != CKR_OK) return crv;
- /* do it: */
- (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
- return CKR_OK;
-}
-
-
-/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
-CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int maxout = *pulDigestLen;
- unsigned int digestLen;
- CK_RV crv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession, &context, PK11_HASH, PR_TRUE, &session);
- if (crv != CKR_OK) return crv;
-
- if (pDigest != NULL) {
- (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
- *pulDigestLen = digestLen;
- } else {
- *pulDigestLen = 0;
- }
-
- pk11_SetContextByType(session, PK11_HASH, NULL);
- pk11_FreeContext(context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-/*
- * this helper functions are used by Generic Macing and Signing functions
- * that use hashes as part of their operations.
- */
-static CK_RV
-pk11_doSubMD2(PK11SessionContext *context) {
- MD2Context *md2_context = MD2_NewContext();
- context->hashInfo = (void *)md2_context;
- if (context->hashInfo == NULL) {
- return CKR_HOST_MEMORY;
- }
- context->hashUpdate = (PK11Hash) MD2_Update;
- context->end = (PK11End) MD2_End;
- context->hashdestroy = (PK11Destroy) MD2_DestroyContext;
- MD2_Begin(md2_context);
- return CKR_OK;
-}
-
-static CK_RV
-pk11_doSubMD5(PK11SessionContext *context) {
- MD5Context *md5_context = MD5_NewContext();
- context->hashInfo = (void *)md5_context;
- if (context->hashInfo == NULL) {
- return CKR_HOST_MEMORY;
- }
- context->hashUpdate = (PK11Hash) MD5_Update;
- context->end = (PK11End) MD5_End;
- context->hashdestroy = (PK11Destroy) MD5_DestroyContext;
- MD5_Begin(md5_context);
- return CKR_OK;
-}
-
-static CK_RV
-pk11_doSubSHA1(PK11SessionContext *context) {
- SHA1Context *sha1_context = SHA1_NewContext();
- context->hashInfo = (void *)sha1_context;
- if (context->hashInfo == NULL) {
- return CKR_HOST_MEMORY;
- }
- context->hashUpdate = (PK11Hash) SHA1_Update;
- context->end = (PK11End) SHA1_End;
- context->hashdestroy = (PK11Destroy) SHA1_DestroyContext;
- SHA1_Begin(sha1_context);
- return CKR_OK;
-}
-
-/*
- * HMAC General copies only a portion of the result. This update routine likes
- * the final HMAC output with the signature.
- */
-static SECStatus
-pk11_HMACCopy(CK_ULONG *copyLen,unsigned char *sig,unsigned int *sigLen,
- unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
-{
- if (maxLen < *copyLen) return SECFailure;
- PORT_Memcpy(sig,hash,*copyLen);
- *sigLen = *copyLen;
- return SECSuccess;
-}
-
-/* Verify is just a compare for HMAC */
-static SECStatus
-pk11_HMACCmp(CK_ULONG *copyLen,unsigned char *sig,unsigned int sigLen,
- unsigned char *hash, unsigned int hashLen)
-{
- return PORT_Memcmp(sig,hash,*copyLen) ? SECSuccess : SECFailure ;
-}
-
-/*
- * common HMAC initalization routine
- */
-static CK_RV
-pk11_doHMACInit(PK11SessionContext *context,SECOidTag oid,
- PK11Object *key, CK_ULONG mac_size)
-{
- PK11Attribute *keyval;
- HMACContext *HMACcontext;
- CK_ULONG *intpointer;
-
- keyval = pk11_FindAttribute(key,CKA_VALUE);
- if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
-
- HMACcontext = HMAC_Create(oid, (const unsigned char*)keyval->attrib.pValue,
- keyval->attrib.ulValueLen);
- context->hashInfo = HMACcontext;
- context->multi = PR_TRUE;
- pk11_FreeAttribute(keyval);
- if (context->hashInfo == NULL) {
- return CKR_HOST_MEMORY;
- }
- context->hashUpdate = (PK11Hash) HMAC_Update;
- context->end = (PK11End) HMAC_Finish;
-
- context->hashdestroy = (PK11Destroy) pk11_HMAC_Destroy;
- intpointer = (CK_ULONG *) PORT_Alloc(sizeof(CK_ULONG));
- if (intpointer == NULL) {
- return CKR_HOST_MEMORY;
- }
- *intpointer = mac_size;
- context->cipherInfo = (void *) intpointer;
- context->destroy = (PK11Destroy) pk11_Space;
- context->update = (PK11Cipher) pk11_HMACCopy;
- context->verify = (PK11Verify) pk11_HMACCmp;
- HMAC_Begin(HMACcontext);
- return CKR_OK;
-}
-
-/*
- * SSL Macing support. SSL Macs are inited, then update with the base
- * hashing algorithm, then finalized in sign and verify
- */
-
-/*
- * FROM SSL:
- * 60 bytes is 3 times the maximum length MAC size that is supported.
- * We probably should have one copy of this table. We still need this table
- * in ssl to 'sign' the handshake hashes.
- */
-static unsigned char ssl_pad_1 [60] = {
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36
-};
-static unsigned char ssl_pad_2 [60] = {
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c
-};
-
-static SECStatus
-pk11_SSLMACSign(PK11SSLMACInfo *info,unsigned char *sig,unsigned int *sigLen,
- unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
-{
- unsigned char tmpBuf[PK11_MAX_MAC_LENGTH];
- unsigned int out;
-
- info->begin(info->hashContext);
- info->update(info->hashContext,info->key,info->keySize);
- info->update(info->hashContext,ssl_pad_2,info->padSize);
- info->update(info->hashContext,hash,hashLen);
- info->end(info->hashContext,tmpBuf,&out,PK11_MAX_MAC_LENGTH);
- PORT_Memcpy(sig,tmpBuf,info->macSize);
- *sigLen = info->macSize;
- return SECSuccess;
-}
-
-static SECStatus
-pk11_SSLMACVerify(PK11SSLMACInfo *info,unsigned char *sig,unsigned int sigLen,
- unsigned char *hash, unsigned int hashLen)
-{
- unsigned char tmpBuf[PK11_MAX_MAC_LENGTH];
- unsigned int out;
-
- info->begin(info->hashContext);
- info->update(info->hashContext,info->key,info->keySize);
- info->update(info->hashContext,ssl_pad_2,info->padSize);
- info->update(info->hashContext,hash,hashLen);
- info->end(info->hashContext,tmpBuf,&out,PK11_MAX_MAC_LENGTH);
- return (PORT_Memcmp(sig,tmpBuf,info->macSize) == 0) ?
- SECSuccess : SECFailure;
-}
-
-/*
- * common HMAC initalization routine
- */
-static CK_RV
-pk11_doSSLMACInit(PK11SessionContext *context,SECOidTag oid,
- PK11Object *key, CK_ULONG mac_size)
-{
- PK11Attribute *keyval;
- PK11Begin begin;
- int padSize;
- PK11SSLMACInfo *sslmacinfo;
- CK_RV crv = CKR_MECHANISM_INVALID;
-
- if (oid == SEC_OID_SHA1) {
- crv = pk11_doSubSHA1(context);
- begin = (PK11Begin) SHA1_Begin;
- if (crv != CKR_OK) return crv;
- padSize = 40;
- } else {
- crv = pk11_doSubMD5(context);
- if (crv != CKR_OK) return crv;
- begin = (PK11Begin) MD5_Begin;
- padSize = 48;
- }
- context->multi = PR_TRUE;
-
- keyval = pk11_FindAttribute(key,CKA_VALUE);
- if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
-
- context->hashUpdate(context->hashInfo,keyval->attrib.pValue,
- keyval->attrib.ulValueLen);
- context->hashUpdate(context->hashInfo,ssl_pad_1,padSize);
- sslmacinfo = (PK11SSLMACInfo *) PORT_Alloc(sizeof(PK11SSLMACInfo));
- if (sslmacinfo == NULL) {
- pk11_FreeAttribute(keyval);
- return CKR_HOST_MEMORY;
- }
- sslmacinfo->macSize = mac_size;
- sslmacinfo->hashContext = context->hashInfo;
- PORT_Memcpy(sslmacinfo->key,keyval->attrib.pValue,
- keyval->attrib.ulValueLen);
- sslmacinfo->keySize = keyval->attrib.ulValueLen;
- sslmacinfo->begin = begin;
- sslmacinfo->end = context->end;
- sslmacinfo->update = context->hashUpdate;
- sslmacinfo->padSize = padSize;
- pk11_FreeAttribute(keyval);
- context->cipherInfo = (void *) sslmacinfo;
- context->destroy = (PK11Destroy) pk11_Space;
- context->update = (PK11Cipher) pk11_SSLMACSign;
- context->verify = (PK11Verify) pk11_SSLMACVerify;
- return CKR_OK;
-}
-
-typedef struct {
- PRUint32 cxSize; /* size of allocated block, in bytes. */
- PRUint32 cxKeyLen; /* number of bytes of cxBuf containing key. */
- PRUint32 cxDataLen; /* number of bytes of cxBuf containing data. */
- SECStatus cxRv; /* records failure of void functions. */
- unsigned char cxBuf[512]; /* actual size may be larger than 512. */
-} TLSPRFContext;
-
-static void
-pk11_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data,
- unsigned int data_len)
-{
- PRUint32 bytesUsed = PK11_OFFSETOF(TLSPRFContext, cxBuf) +
- cx->cxKeyLen + cx->cxDataLen;
-
- if (cx->cxRv != SECSuccess) /* function has previously failed. */
- return;
- if (bytesUsed + data_len > cx->cxSize) {
- /* We don't use realloc here because
- ** (a) realloc doesn't zero out the old block, and
- ** (b) if realloc fails, we lose the old block.
- */
- PRUint32 blockSize = bytesUsed + data_len + 512;
- TLSPRFContext *new_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
- if (!new_cx) {
- cx->cxRv = SECFailure;
- return;
- }
- PORT_Memcpy(new_cx, cx, cx->cxSize);
- new_cx->cxSize = blockSize;
-
- PORT_ZFree(cx, cx->cxSize);
- cx = new_cx;
- }
- PORT_Memcpy(cx->cxBuf + cx->cxKeyLen + cx->cxDataLen, data, data_len);
- cx->cxDataLen += data_len;
-}
-
-static void
-pk11_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
- unsigned int *pDigestLen, unsigned int maxDigestLen)
-{
- *pDigestLen = 0; /* tells Verify that no data has been input yet. */
-}
-
-/* Compute the PRF values from the data previously input. */
-static SECStatus
-pk11_TLSPRFUpdate(TLSPRFContext *cx,
- unsigned char *sig, /* output goes here. */
- unsigned int * sigLen, /* how much output. */
- unsigned int maxLen, /* output buffer size */
- unsigned char *hash, /* unused. */
- unsigned int hashLen) /* unused. */
-{
- SECStatus rv;
- SECItem sigItem;
- SECItem seedItem;
- SECItem secretItem;
-
- if (cx->cxRv != SECSuccess)
- return cx->cxRv;
-
- secretItem.data = cx->cxBuf;
- secretItem.len = cx->cxKeyLen;
-
- seedItem.data = cx->cxBuf + cx->cxKeyLen;
- seedItem.len = cx->cxDataLen;
-
- sigItem.data = sig;
- sigItem.len = maxLen;
-
- rv = pk11_PRF(&secretItem, NULL, &seedItem, &sigItem);
- if (rv == SECSuccess && sigLen != NULL)
- *sigLen = sigItem.len;
- return rv;
-
-}
-
-static SECStatus
-pk11_TLSPRFVerify(TLSPRFContext *cx,
- unsigned char *sig, /* input, for comparison. */
- unsigned int sigLen, /* length of sig. */
- unsigned char *hash, /* data to be verified. */
- unsigned int hashLen) /* size of hash data. */
-{
- unsigned char * tmp = (unsigned char *)PORT_Alloc(sigLen);
- unsigned int tmpLen = sigLen;
- SECStatus rv;
-
- if (!tmp)
- return SECFailure;
- if (hashLen) {
- /* hashLen is non-zero when the user does a one-step verify.
- ** In this case, none of the data has been input yet.
- */
- pk11_TLSPRFHashUpdate(cx, hash, hashLen);
- }
- rv = pk11_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
- if (rv == SECSuccess) {
- rv = (SECStatus)(1 - !PORT_Memcmp(tmp, sig, sigLen));
- }
- PORT_ZFree(tmp, sigLen);
- return rv;
-}
-
-static void
-pk11_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
-{
- if (freeit)
- PORT_ZFree(cx, cx->cxSize);
-}
-
-static CK_RV
-pk11_TLSPRFInit(PK11SessionContext *context,
- PK11Object * key,
- CK_KEY_TYPE key_type)
-{
- PK11Attribute * keyVal;
- TLSPRFContext * prf_cx;
- CK_RV crv = CKR_HOST_MEMORY;
- PRUint32 keySize;
- PRUint32 blockSize;
-
- if (key_type != CKK_GENERIC_SECRET)
- return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
-
- context->multi = PR_TRUE;
-
- keyVal = pk11_FindAttribute(key, CKA_VALUE);
- keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
- blockSize = keySize + sizeof(TLSPRFContext);
- prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
- if (!prf_cx)
- goto done;
- prf_cx->cxSize = blockSize;
- prf_cx->cxKeyLen = keySize;
- prf_cx->cxDataLen = 0;
- prf_cx->cxRv = SECSuccess;
- if (keySize)
- PORT_Memcpy(prf_cx->cxBuf, keyVal->attrib.pValue, keySize);
-
- context->hashInfo = (void *) prf_cx;
- context->cipherInfo = (void *) prf_cx;
- context->hashUpdate = (PK11Hash) pk11_TLSPRFHashUpdate;
- context->end = (PK11End) pk11_TLSPRFEnd;
- context->update = (PK11Cipher) pk11_TLSPRFUpdate;
- context->verify = (PK11Verify) pk11_TLSPRFVerify;
- context->destroy = (PK11Destroy) pk11_Null;
- context->hashdestroy = (PK11Destroy) pk11_TLSPRFHashDestroy;
- crv = CKR_OK;
-
-done:
- if (keyVal)
- pk11_FreeAttribute(keyVal);
- return crv;
-}
-
-/*
- ************** Crypto Functions: Sign ************************
- */
-
-/*
- * Check if We're using CBCMacing and initialize the session context if we are.
- */
-static CK_RV
-pk11_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE keyUsage,
- PK11ContextType contextType)
-
-{
- CK_MECHANISM cbc_mechanism;
- CK_ULONG mac_bytes = PK11_INVALID_MAC_SIZE;
- CK_RC2_CBC_PARAMS rc2_params;
- CK_RC5_CBC_PARAMS rc5_params;
- CK_RC5_MAC_GENERAL_PARAMS *rc5_mac;
- unsigned char ivBlock[PK11_MAX_BLOCK_SIZE];
- PK11SessionContext *context;
- CK_RV crv;
- int blockSize;
-
- switch (pMechanism->mechanism) {
- case CKM_RC2_MAC_GENERAL:
- mac_bytes =
- ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
- /* fall through */
- case CKM_RC2_MAC:
- /* this works because ulEffectiveBits is in the same place in both the
- * CK_RC2_MAC_GENERAL_PARAMS and CK_RC2_CBC_PARAMS */
- rc2_params.ulEffectiveBits = ((CK_RC2_MAC_GENERAL_PARAMS *)
- pMechanism->pParameter)->ulEffectiveBits;
- PORT_Memset(rc2_params.iv,0,sizeof(rc2_params.iv));
- cbc_mechanism.mechanism = CKM_RC2_CBC;
- cbc_mechanism.pParameter = &rc2_params;
- cbc_mechanism.ulParameterLen = sizeof(rc2_params);
- blockSize = 8;
- break;
- case CKM_RC5_MAC_GENERAL:
- mac_bytes =
- ((CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
- /* fall through */
- case CKM_RC5_MAC:
- /* this works because ulEffectiveBits is in the same place in both the
- * CK_RC5_MAC_GENERAL_PARAMS and CK_RC5_CBC_PARAMS */
- rc5_mac = (CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
- rc5_params.ulWordsize = rc5_mac->ulWordsize;
- rc5_params.ulRounds = rc5_mac->ulRounds;
- rc5_params.pIv = ivBlock;
- blockSize = rc5_mac->ulWordsize*2;
- rc5_params.ulIvLen = blockSize;
- PORT_Memset(ivBlock,0,blockSize);
- cbc_mechanism.mechanism = CKM_RC5_CBC;
- cbc_mechanism.pParameter = &rc5_params;
- cbc_mechanism.ulParameterLen = sizeof(rc5_params);
- break;
- /* add cast and idea later */
- case CKM_DES_MAC_GENERAL:
- mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
- /* fall through */
- case CKM_DES_MAC:
- blockSize = 8;
- PORT_Memset(ivBlock,0,blockSize);
- cbc_mechanism.mechanism = CKM_DES_CBC;
- cbc_mechanism.pParameter = &ivBlock;
- cbc_mechanism.ulParameterLen = blockSize;
- break;
- case CKM_DES3_MAC_GENERAL:
- mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
- /* fall through */
- case CKM_DES3_MAC:
- blockSize = 8;
- PORT_Memset(ivBlock,0,blockSize);
- cbc_mechanism.mechanism = CKM_DES3_CBC;
- cbc_mechanism.pParameter = &ivBlock;
- cbc_mechanism.ulParameterLen = blockSize;
- break;
- case CKM_CDMF_MAC_GENERAL:
- mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
- /* fall through */
- case CKM_CDMF_MAC:
- blockSize = 8;
- PORT_Memset(ivBlock,0,blockSize);
- cbc_mechanism.mechanism = CKM_CDMF_CBC;
- cbc_mechanism.pParameter = &ivBlock;
- cbc_mechanism.ulParameterLen = blockSize;
- break;
- default:
- return CKR_FUNCTION_NOT_SUPPORTED;
- }
-
- crv = pk11_EncryptInit(hSession, &cbc_mechanism, hKey, keyUsage,
- contextType);
- if (crv != CKR_OK) return crv;
- crv = pk11_GetContext(hSession,&context,contextType,PR_TRUE,NULL);
-
- /* this shouldn't happen! */
- PORT_Assert(crv == CKR_OK);
- if (crv != CKR_OK) return crv;
- context->blockSize = blockSize;
- if (mac_bytes == PK11_INVALID_MAC_SIZE) mac_bytes = blockSize/2;
- context->macSize = mac_bytes;
- return CKR_OK;
-}
-
-/*
- * encode RSA PKCS #1 Signature data before signing...
- */
-static SECStatus
-pk11_HashSign(PK11HashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
- unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
-{
-
- SECStatus rv = SECFailure;
- SECItem digder;
- PLArenaPool *arena = NULL;
- SGNDigestInfo *di = NULL;
-
- digder.data = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) { goto loser; }
-
- /* Construct digest info */
- di = SGN_CreateDigestInfo(info->hashOid, hash, hashLen);
- if (!di) { goto loser; }
-
- /* Der encode the digest as a DigestInfo */
- rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- /*
- ** Encrypt signature after constructing appropriate PKCS#1 signature
- ** block
- */
- rv = RSA_Sign(info->key,sig,sigLen,maxLen,digder.data,digder.len);
-
- loser:
- SGN_DestroyDigestInfo(di);
- if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return rv;
-}
-
-static SECStatus
-nsc_DSA_Verify_Stub(void *ctx, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen,
- CK_BYTE_PTR pData, CK_ULONG ulDataLen)
-{
- SECItem signature, digest;
-
- signature.data = pSignature;
- signature.len = ulSignatureLen;
- digest.data = pData;
- digest.len = ulDataLen;
- return DSA_VerifyDigest((DSAPublicKey *)ctx, &signature, &digest);
-}
-
-static SECStatus
-nsc_DSA_Sign_Stub(void *ctx, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR ulSignatureLen, CK_ULONG maxulSignatureLen,
- CK_BYTE_PTR pData, CK_ULONG ulDataLen)
-{
- SECItem signature = { 0 }, digest;
- SECStatus rv;
-
- (void)SECITEM_AllocItem(NULL, &signature, maxulSignatureLen);
- digest.data = pData;
- digest.len = ulDataLen;
- rv = DSA_SignDigest((DSAPrivateKey *)ctx, &signature, &digest);
- *ulSignatureLen = signature.len;
- PORT_Memcpy(pSignature, signature.data, signature.len);
- SECITEM_FreeItem(&signature, PR_FALSE);
- return rv;
-}
-
-/* NSC_SignInit setups up the signing operations. There are three basic
- * types of signing:
- * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
- * to data in a single Sign operation (which often looks a lot like an
- * encrypt, with data coming in and data going out).
- * (2) Hash based signing, where we continually hash the data, then apply
- * some sort of signature to the end.
- * (3) Block Encryption CBC MAC's, where the Data is encrypted with a key,
- * and only the final block is part of the mac.
- *
- * For case number 3, we initialize a context much like the Encryption Context
- * (in fact we share code). We detect case 3 in C_SignUpdate, C_Sign, and
- * C_Final by the following method... if it's not multi-part, and it's doesn't
- * have a hash context, it must be a block Encryption CBC MAC.
- *
- * For case number 2, we initialize a hash structure, as well as make it
- * multi-part. Updates are simple calls to the hash update function. Final
- * calls the hashend, then passes the result to the 'update' function (which
- * operates as a final signature function). In some hash based MAC'ing (as
- * opposed to hash base signatures), the update function is can be simply a
- * copy (as is the case with HMAC).
- */
-CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
-{
- PK11Session *session;
- PK11Object *key;
- PK11SessionContext *context;
- CK_KEY_TYPE key_type;
- CK_RV crv = CKR_OK;
- SECKEYLowPrivateKey *privKey;
- PK11HashSignInfo *info = NULL;
-
- /* Block Cipher MACing Algorithms use a different Context init method..*/
- crv = pk11_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, PK11_SIGN);
- if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
-
- /* we're not using a block cipher mac */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- crv = pk11_InitGeneric(session,&context,PK11_SIGN,&key,hKey,&key_type,
- CKO_PRIVATE_KEY,CKA_SIGN);
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- return crv;
- }
-
- context->multi = PR_FALSE;
-
- switch(pMechanism->mechanism) {
- case CKM_MD5_RSA_PKCS:
- context->multi = PR_TRUE;
- crv = pk11_doSubMD2(context);
- if (crv != CKR_OK) break;
- context->update = (PK11Cipher) pk11_HashSign;
- info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
- if (info == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- info->hashOid = SEC_OID_MD5;
- goto finish_rsa;
- case CKM_MD2_RSA_PKCS:
- context->multi = PR_TRUE;
- crv = pk11_doSubMD2(context);
- if (crv != CKR_OK) break;
- context->update = (PK11Cipher) pk11_HashSign;
- info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
- if (info == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- info->hashOid = SEC_OID_MD2;
- goto finish_rsa;
- case CKM_SHA1_RSA_PKCS:
- context->multi = PR_TRUE;
- crv = pk11_doSubSHA1(context);
- if (crv != CKR_OK) break;
- context->update = (PK11Cipher) pk11_HashSign;
- info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
- if (info == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- info->hashOid = SEC_OID_SHA1;
- goto finish_rsa;
- case CKM_RSA_PKCS:
- context->update = (PK11Cipher) RSA_Sign;
- goto finish_rsa;
- case CKM_RSA_X_509:
- context->update = (PK11Cipher) RSA_SignRaw;
-finish_rsa:
- if (key_type != CKK_RSA) {
- if (info) PORT_Free(info);
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- context->multi = PR_FALSE;
- privKey = pk11_GetPrivKey(key,CKK_RSA);
- if (privKey == NULL) {
- if (info) PORT_Free(info);
- crv = CKR_HOST_MEMORY;
- break;
- }
- /* OK, info is allocated only if we're doing hash and sign mechanism.
- * It's necessary to be able to set the correct OID in the final
- * signature.
- * Second, what's special about privKey == key->objectInfo?
- * Well we don't 'cache' token versions
- * of private keys because (1) it's sensitive data, and (2) it never
- * gets destroyed. Instead we grab the key out of the database as
- * necessary, but now the key is our context, and we need to free
- * it when we are done. Non-token private keys will get freed when
- * the user destroys the session object (or the session the session
- * object lives in) */
- if (info) {
- info->key = privKey;
- context->cipherInfo = info;
- context->destroy = (privKey == key->objectInfo) ?
- (PK11Destroy)pk11_Space:(PK11Destroy)pk11_FreeSignInfo;
- } else {
- context->cipherInfo = privKey;
- context->destroy = (privKey == key->objectInfo) ?
- (PK11Destroy)pk11_Null:(PK11Destroy)pk11_FreePrivKey;
- }
- break;
-
- case CKM_DSA_SHA1:
- context->multi = PR_TRUE;
- crv = pk11_doSubSHA1(context);
- if (crv != CKR_OK) break;
- /* fall through */
- case CKM_DSA:
- if (key_type != CKK_DSA) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- privKey = pk11_GetPrivKey(key,CKK_DSA);
- if (privKey == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->cipherInfo = &(privKey->u.dsa);
- context->update = (PK11Cipher) nsc_DSA_Sign_Stub;
- context->destroy = pk11_Null;
-
- if (key->objectInfo != privKey) SECKEY_LowDestroyPrivateKey(privKey);
- break;
- case CKM_MD2_HMAC_GENERAL:
- crv = pk11_doHMACInit(context,SEC_OID_MD2,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_MD2_HMAC:
- crv = pk11_doHMACInit(context,SEC_OID_MD2,key,MD2_LENGTH);
- break;
- case CKM_MD5_HMAC_GENERAL:
- crv = pk11_doHMACInit(context,SEC_OID_MD5,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_MD5_HMAC:
- crv = pk11_doHMACInit(context,SEC_OID_MD5,key,MD5_LENGTH);
- break;
- case CKM_SHA_1_HMAC_GENERAL:
- crv = pk11_doHMACInit(context,SEC_OID_SHA1,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_SHA_1_HMAC:
- crv = pk11_doHMACInit(context,SEC_OID_SHA1,key,SHA1_LENGTH);
- break;
- case CKM_SSL3_MD5_MAC:
- crv = pk11_doSSLMACInit(context,SEC_OID_MD5,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_SSL3_SHA1_MAC:
- crv = pk11_doSSLMACInit(context,SEC_OID_SHA1,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_TLS_PRF_GENERAL:
- crv = pk11_TLSPRFInit(context, key, key_type);
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- break;
- }
-
- pk11_FreeObject(key);
- if (crv != CKR_OK) {
- PORT_Free(context);
- pk11_FreeSession(session);
- return crv;
- }
- pk11_SetContextByType(session, PK11_SIGN, context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-
-/* MACUpdate is the common implementation for SignUpdate and VerifyUpdate.
- * (sign and verify only very in their setup and final operations) */
-static CK_RV
-pk11_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen,PK11ContextType type)
-{
- unsigned int outlen;
- PK11SessionContext *context;
- CK_RV crv;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,type,PR_FALSE,NULL);
- if (crv != CKR_OK) return crv;
-
- if (context->hashInfo) {
- (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
- return CKR_OK;
- }
-
- /* must be block cipher macing */
-
- /* deal with previous buffered data */
- if (context->padDataLength != 0) {
- int i;
- /* fill in the padded to a full block size */
- for (i=context->padDataLength; (ulPartLen != 0) &&
- i < (int)context->blockSize; i++) {
- context->padBuf[i] = *pPart++;
- ulPartLen--;
- context->padDataLength++;
- }
-
- /* not enough data to encrypt yet? then return */
- if (context->padDataLength != context->blockSize) return CKR_OK;
- /* encrypt the current padded data */
- rv = (*context->update)(context->cipherInfo,context->macBuf,&outlen,
- PK11_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
- }
-
- /* save the residual */
- context->padDataLength = ulPartLen % context->blockSize;
- if (context->padDataLength) {
- PORT_Memcpy(context->padBuf,
- &pPart[ulPartLen-context->padDataLength],
- context->padDataLength);
- ulPartLen -= context->padDataLength;
- }
-
- /* if we've exhausted our new buffer, we're done */
- if (ulPartLen == 0) { return CKR_OK; }
-
- /* run the data through out encrypter */
- while (ulPartLen) {
- rv = (*context->update)(context->cipherInfo, context->padBuf, &outlen,
- PK11_MAX_BLOCK_SIZE, pPart, context->blockSize);
- if (rv != SECSuccess) return CKR_DEVICE_ERROR;
- /* paranoia.. make sure we exit the loop */
- PORT_Assert(ulPartLen >= context->blockSize);
- if (ulPartLen < context->blockSize) break;
- ulPartLen -= context->blockSize;
- }
-
- return CKR_OK;
-
-}
-
-/* NSC_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen)
-{
- return pk11_MACUpdate(hSession, pPart, ulPartLen, PK11_SIGN);
-}
-
-
-/* NSC_SignFinal finishes a multiple-part signature operation,
- * returning the signature. */
-CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int digestLen;
- unsigned int maxoutlen = *pulSignatureLen;
- unsigned char tmpbuf[PK11_MAX_MAC_LENGTH];
- CK_RV crv;
- SECStatus rv = SECSuccess;
-
- /* make sure we're legal */
- *pulSignatureLen = 0;
- crv = pk11_GetContext(hSession,&context,PK11_SIGN,PR_TRUE,&session);
- if (crv != CKR_OK) return crv;
-
- if (context->hashInfo) {
- (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
- rv = (*context->update)(context->cipherInfo, pSignature,
- &outlen, maxoutlen, tmpbuf, digestLen);
- *pulSignatureLen = (CK_ULONG) outlen;
- } else {
- /* deal with the last block if any residual */
- if (context->padDataLength) {
- /* fill out rest of pad buffer with pad magic*/
- int i;
- for (i=context->padDataLength; i < (int)context->blockSize; i++) {
- context->padBuf[i] = 0;
- }
- rv = (*context->update)(context->cipherInfo,context->macBuf,
- &outlen,PK11_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
- }
- if (rv == SECSuccess) {
- PORT_Memcpy(pSignature,context->macBuf,context->macSize);
- *pulSignatureLen = context->macSize;
- }
- }
-
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_SIGN, NULL);
- pk11_FreeSession(session);
-
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_Sign signs (encrypts with private key) data in a single part,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int maxoutlen = *pulSignatureLen;
- CK_RV crv,crv2;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_SIGN,PR_FALSE,&session);
- if (crv != CKR_OK) return crv;
-
- /* multi part Signing are completely implemented by SignUpdate and
- * sign Final */
- if (context->multi) {
- pk11_FreeSession(session);
- crv = NSC_SignUpdate(hSession,pData,ulDataLen);
- if (crv != CKR_OK) *pulSignatureLen = 0;
- crv2 = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
- return crv == CKR_OK ? crv2 :crv;
- }
-
- rv = (*context->update)(context->cipherInfo, pSignature,
- &outlen, maxoutlen, pData, ulDataLen);
- *pulSignatureLen = (CK_ULONG) outlen;
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_SIGN, NULL);
- pk11_FreeSession(session);
-
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/*
- ************** Crypto Functions: Sign Recover ************************
- */
-/* NSC_SignRecoverInit initializes a signature operation,
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
-CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
-{
- switch (pMechanism->mechanism) {
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- return NSC_SignInit(hSession,pMechanism,hKey);
- default:
- break;
- }
- return CKR_MECHANISM_INVALID;
-}
-
-
-/* NSC_SignRecover signs data in a single operation
- * where the (digest) data can be recovered from the signature.
- * E.g. encryption with the user's private key */
-CK_RV NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
-{
- return NSC_Sign(hSession,pData,ulDataLen,pSignature,pulSignatureLen);
-}
-
-/*
- ************** Crypto Functions: verify ************************
- */
-
-/* Handle RSA Signature formating */
-static SECStatus
-pk11_hashCheckSign(PK11HashVerifyInfo *info, unsigned char *sig,
- unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
-{
-
- SECItem it;
- SGNDigestInfo *di = NULL;
- SECStatus rv = SECSuccess;
-
- it.data = NULL;
-
- if (info->key == NULL) goto loser;
-
- it.len = SECKEY_LowPublicModulusLen(info->key);
- if (!it.len) goto loser;
-
- it.data = (unsigned char *) PORT_Alloc(it.len);
- if (it.data == NULL) goto loser;
-
- /* decrypt the block */
- rv = RSA_CheckSignRecover(info->key, it.data, &it.len, it.len, sig, sigLen);
- if (rv != SECSuccess) goto loser;
-
- di = SGN_DecodeDigestInfo(&it);
- if (di == NULL) goto loser;
- if (di->digest.len != digestLen) goto loser;
-
- /* make sure the tag is OK */
- if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != info->hashOid) {
- goto loser;
- }
- /* Now check the signature */
- if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
- goto done;
- }
-
- loser:
- rv = SECFailure;
-
- done:
- if (it.data != NULL) PORT_Free(it.data);
- if (di != NULL) SGN_DestroyDigestInfo(di);
-
- return rv;
-}
-
-/* NSC_VerifyInit initializes a verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature (e.g. DSA) */
-CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
-{
- PK11Session *session;
- PK11Object *key;
- PK11SessionContext *context;
- CK_KEY_TYPE key_type;
- CK_RV crv = CKR_OK;
- SECKEYLowPublicKey *pubKey;
- PK11HashVerifyInfo *info = NULL;
-
- /* Block Cipher MACing Algorithms use a different Context init method..*/
- crv = pk11_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, PK11_VERIFY);
- if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- crv = pk11_InitGeneric(session,&context,PK11_VERIFY,&key,hKey,&key_type,
- CKO_PUBLIC_KEY,CKA_VERIFY);
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- return crv;
- }
-
- context->multi = PR_FALSE;
-
- switch(pMechanism->mechanism) {
- case CKM_MD5_RSA_PKCS:
- context->multi = PR_TRUE;
- crv = pk11_doSubMD5(context);
- if (crv != CKR_OK) break;
- context->verify = (PK11Verify) pk11_hashCheckSign;
- info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
- if (info == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- info->hashOid = SEC_OID_MD5;
- goto finish_rsa;
- case CKM_MD2_RSA_PKCS:
- context->multi = PR_TRUE;
- crv = pk11_doSubMD2(context);
- if (crv != CKR_OK) break;
- context->verify = (PK11Verify) pk11_hashCheckSign;
- info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
- if (info == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- info->hashOid = SEC_OID_MD2;
- goto finish_rsa;
- case CKM_SHA1_RSA_PKCS:
- context->multi = PR_TRUE;
- crv = pk11_doSubSHA1(context);
- if (crv != CKR_OK) break;
- context->verify = (PK11Verify) pk11_hashCheckSign;
- info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
- if (info == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- info->hashOid = SEC_OID_SHA1;
- goto finish_rsa;
- case CKM_RSA_PKCS:
- context->verify = (PK11Verify) RSA_CheckSign;
- goto finish_rsa;
- case CKM_RSA_X_509:
- context->verify = (PK11Verify) RSA_CheckSignRaw;
-finish_rsa:
- if (key_type != CKK_RSA) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- pubKey = pk11_GetPubKey(key,CKK_RSA);
- if (pubKey == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- if (info) {
- info->key = pubKey;
- context->cipherInfo = info;
- context->destroy = pk11_Space;
- } else {
- context->cipherInfo = pubKey;
- context->destroy = pk11_Null;
- }
- break;
- case CKM_DSA_SHA1:
- context->multi = PR_TRUE;
- crv = pk11_doSubSHA1(context);
- if (crv != CKR_OK) break;
- /* fall through */
- case CKM_DSA:
- if (key_type != CKK_DSA) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- context->multi = PR_FALSE;
- pubKey = pk11_GetPubKey(key,CKK_DSA);
- if (pubKey == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->cipherInfo = &(pubKey->u.dsa);
- context->verify = (PK11Verify) nsc_DSA_Verify_Stub;
- context->destroy = pk11_Null;
- break;
-
- case CKM_MD2_HMAC_GENERAL:
- crv = pk11_doHMACInit(context,SEC_OID_MD2,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_MD2_HMAC:
- crv = pk11_doHMACInit(context,SEC_OID_MD2,key,MD2_LENGTH);
- break;
- case CKM_MD5_HMAC_GENERAL:
- crv = pk11_doHMACInit(context,SEC_OID_MD5,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_MD5_HMAC:
- crv = pk11_doHMACInit(context,SEC_OID_MD5,key,MD5_LENGTH);
- break;
- case CKM_SHA_1_HMAC_GENERAL:
- crv = pk11_doHMACInit(context,SEC_OID_SHA1,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_SHA_1_HMAC:
- crv = pk11_doHMACInit(context,SEC_OID_SHA1,key,SHA1_LENGTH);
- break;
- case CKM_SSL3_MD5_MAC:
- crv = pk11_doSSLMACInit(context,SEC_OID_MD5,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_SSL3_SHA1_MAC:
- crv = pk11_doSSLMACInit(context,SEC_OID_SHA1,key,
- *(CK_ULONG *)pMechanism->pParameter);
- break;
- case CKM_TLS_PRF_GENERAL:
- crv = pk11_TLSPRFInit(context, key, key_type);
-
- default:
- crv = CKR_MECHANISM_INVALID;
- break;
- }
-
- pk11_FreeObject(key);
- if (crv != CKR_OK) {
- PORT_Free(context);
- pk11_FreeSession(session);
- return crv;
- }
- pk11_SetContextByType(session, PK11_VERIFY, context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-/* NSC_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- CK_RV crv;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_VERIFY,PR_FALSE,&session);
- if (crv != CKR_OK) return crv;
-
- rv = (*context->verify)(context->cipherInfo,pSignature, ulSignatureLen,
- pData, ulDataLen);
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_VERIFY, NULL);
- pk11_FreeSession(session);
-
- return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
-
-}
-
-
-/* NSC_VerifyUpdate continues a multiple-part verification operation,
- * where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen)
-{
- return pk11_MACUpdate(hSession, pPart, ulPartLen, PK11_VERIFY);
-}
-
-
-/* NSC_VerifyFinal finishes a multiple-part verification operation,
- * checking the signature. */
-CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int digestLen;
- unsigned char tmpbuf[PK11_MAX_MAC_LENGTH];
- CK_RV crv;
- SECStatus rv = SECSuccess;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_VERIFY,PR_TRUE,&session);
- if (crv != CKR_OK) return crv;
-
- if (context->hashInfo) {
- (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
- rv = (*context->verify)(context->cipherInfo, pSignature,
- ulSignatureLen, tmpbuf, digestLen);
- } else {
- if (context->padDataLength) {
- /* fill out rest of pad buffer with pad magic*/
- int i;
- for (i=context->padDataLength; i < (int)context->blockSize; i++) {
- context->padBuf[i] = 0;
- }
- rv = (*context->update)(context->cipherInfo,context->macBuf,
- &outlen,PK11_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
- }
- if (rv == SECSuccess) {
- rv =(PORT_Memcmp(pSignature,context->macBuf,context->macSize) == 0)
- ? SECSuccess : SECFailure;
- }
- }
-
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_VERIFY, NULL);
- pk11_FreeSession(session);
- return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
-
-}
-
-/*
- ************** Crypto Functions: Verify Recover ************************
- */
-
-/* NSC_VerifyRecoverInit initializes a signature verification operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
-CK_RV NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
-{
- PK11Session *session;
- PK11Object *key;
- PK11SessionContext *context;
- CK_KEY_TYPE key_type;
- CK_RV crv = CKR_OK;
- SECKEYLowPublicKey *pubKey;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- crv = pk11_InitGeneric(session,&context,PK11_VERIFY_RECOVER,
- &key,hKey,&key_type,CKO_PUBLIC_KEY,CKA_VERIFY_RECOVER);
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- return crv;
- }
-
- context->multi = PR_TRUE;
-
- switch(pMechanism->mechanism) {
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- if (key_type != CKK_RSA) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- context->multi = PR_FALSE;
- pubKey = pk11_GetPubKey(key,CKK_RSA);
- if (pubKey == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- context->cipherInfo = pubKey;
- context->update = (PK11Cipher) (pMechanism->mechanism == CKM_RSA_X_509
- ? RSA_CheckSignRecoverRaw : RSA_CheckSignRecover);
- context->destroy = pk11_Null;
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- break;
- }
-
- pk11_FreeObject(key);
- if (crv != CKR_OK) {
- PORT_Free(context);
- pk11_FreeSession(session);
- return crv;
- }
- pk11_SetContextByType(session, PK11_VERIFY_RECOVER, context);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-
-/* NSC_VerifyRecover verifies a signature in a single-part operation,
- * where the data is recovered from the signature.
- * E.g. Decryption with the user's public key */
-CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen,
- CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)
-{
- PK11Session *session;
- PK11SessionContext *context;
- unsigned int outlen;
- unsigned int maxoutlen = *pulDataLen;
- CK_RV crv;
- SECStatus rv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession,&context,PK11_VERIFY_RECOVER,
- PR_FALSE,&session);
- if (crv != CKR_OK) return crv;
-
- rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
- pSignature, ulSignatureLen);
- *pulDataLen = (CK_ULONG) outlen;
- pk11_FreeContext(context);
- pk11_SetContextByType(session, PK11_VERIFY_RECOVER, NULL);
- pk11_FreeSession(session);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/*
- **************************** Random Functions: ************************
- */
-
-/* NSC_SeedRandom mixes additional seed material into the token's random number
- * generator. */
-CK_RV NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
- CK_ULONG ulSeedLen)
-{
- SECStatus rv;
-
- rv = RNG_RandomUpdate(pSeed, ulSeedLen);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_GenerateRandom generates random data. */
-CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen)
-{
- SECStatus rv;
-
- rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
- return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/*
- **************************** Key Functions: ************************
- */
-
-/*
- * generate a password based encryption key. This code uses
- * PKCS5 to do the work. Note that it calls PBE_PK11ParamToAlgid, which is
- * a utility function in secpkcs5.c. This function is used in here
- * and in PK11_ParamToAlgid.
- */
-CK_RV
-pk11_pbe_key_gen(SECOidTag algtag,CK_MECHANISM_PTR pMechanism,
- char *buf,int *key_length, PRBool faulty3DES)
-{
- SECAlgorithmID algid;
- SECItem *pbe_key = NULL, mech;
- CK_PBE_PARAMS *pbe_params = NULL;
- SECStatus pbe_rv;
-
- *key_length = 0;
-
- mech.data = (unsigned char *)pMechanism->pParameter;
- mech.len = (unsigned int)pMechanism->ulParameterLen;
-
- /* A common routine to map from Params to AlgIDs for PBE
- * algorithms was created in secpkcs5.c. This function is
- * called both by PK11_ParamToAlgid and this function.
- */
- pbe_rv = PBE_PK11ParamToAlgid(algtag, &mech, NULL, &algid);
- if (pbe_rv != SECSuccess) {
- return CKR_DATA_INVALID;
- }
- pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
- mech.data = (unsigned char *)pbe_params->pPassword;
- mech.len = (unsigned int)pbe_params->ulPasswordLen;
- pbe_key = SEC_PKCS5GetKey(&algid, &mech, faulty3DES);
- if (pbe_key == NULL) {
- SECOID_DestroyAlgorithmID(&algid, PR_FALSE);
- return CKR_HOST_MEMORY;
- }
- PORT_Memcpy(buf, pbe_key->data, pbe_key->len);
- *key_length = pbe_key->len;
- SECITEM_ZfreeItem(pbe_key, PR_TRUE);
- pbe_key = NULL;
-
- if (pbe_params->pInitVector == NULL) {
- pbe_key = SEC_PKCS5GetIV(&algid, &mech, faulty3DES);
- if (pbe_key == NULL) {
- SECOID_DestroyAlgorithmID(&algid, PR_FALSE);
- SECITEM_ZfreeItem(pbe_key, PR_TRUE);
- return CKR_HOST_MEMORY;
- }
- pbe_params->pInitVector = (CK_CHAR_PTR)PORT_ZAlloc(pbe_key->len);
- if (pbe_params->pInitVector == NULL) {
- SECOID_DestroyAlgorithmID(&algid, PR_FALSE);
- SECITEM_ZfreeItem(pbe_key, PR_TRUE);
- return CKR_HOST_MEMORY;
- }
- PORT_Memcpy(pbe_params->pInitVector, pbe_key->data, pbe_key->len);
- }
- SECITEM_ZfreeItem(pbe_key, PR_TRUE);
- SECOID_DestroyAlgorithmID(&algid, PR_FALSE);
- return CKR_OK;
-}
-
-/* NSC_GenerateKey generates a secret key, creating a new key object. */
-CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey)
-{
- PK11Object *key;
- PK11Session *session;
- PRBool checkWeak = PR_FALSE;
- int key_length = 0;
- CK_KEY_TYPE key_type;
- CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
- CK_RV crv = CKR_OK;
- CK_BBOOL cktrue = CK_TRUE;
- int i;
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- char buf[MAX_KEY_LEN];
- enum {pk11_pbe, pk11_ssl, pk11_bulk} key_gen_type;
- SECOidTag algtag = SEC_OID_UNKNOWN;
- SSL3RSAPreMasterSecret *rsa_pms;
- CK_VERSION *version;
- /* in very old versions of NSS, there were implementation errors with key
- * generation methods. We want to beable to read these, but not
- * produce them any more. The affected algorithm was 3DES.
- */
- PRBool faultyPBE3DES = PR_FALSE;
-
- /*
- * now lets create an object to hang the attributes off of
- */
- key = pk11_NewObject(slot); /* fill in the handle later */
- if (key == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /*
- * load the template values into the object
- */
- for (i=0; i < (int) ulCount; i++) {
- if (pTemplate[i].type == CKA_VALUE_LEN) {
- key_length = *(CK_ULONG *)pTemplate[i].pValue;
- continue;
- }
-
- crv = pk11_AddAttributeType(key,pk11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) break;
- }
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- return crv;
- }
-
- /* make sure we don't have any class, key_type, or value fields */
- pk11_DeleteAttributeType(key,CKA_CLASS);
- pk11_DeleteAttributeType(key,CKA_KEY_TYPE);
- pk11_DeleteAttributeType(key,CKA_VALUE);
-
- /* Now Set up the parameters to generate the key (based on mechanism) */
- key_gen_type = pk11_bulk; /* bulk key by default */
- switch (pMechanism->mechanism) {
- case CKM_RC2_KEY_GEN:
- key_type = CKK_RC2;
- if (key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- case CKM_RC5_KEY_GEN:
- key_type = CKK_RC5;
- if (key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- case CKM_RC4_KEY_GEN:
- key_type = CKK_RC4;
- if (key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- case CKM_GENERIC_SECRET_KEY_GEN:
- key_type = CKK_GENERIC_SECRET;
- if (key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- case CKM_CDMF_KEY_GEN:
- key_type = CKK_CDMF;
- key_length = 8;
- checkWeak = PR_TRUE;
- break;
- case CKM_DES_KEY_GEN:
- key_type = CKK_DES;
- key_length = 8;
- checkWeak = PR_TRUE;
- break;
- case CKM_DES2_KEY_GEN:
- key_type = CKK_DES2;
- key_length = 16;
- checkWeak = PR_TRUE;
- break;
- case CKM_DES3_KEY_GEN:
- key_type = CKK_DES3;
- key_length = 24;
- checkWeak = PR_TRUE;
- break;
- case CKM_SSL3_PRE_MASTER_KEY_GEN:
- key_type = CKK_GENERIC_SECRET;
- key_length = 48;
- key_gen_type = pk11_ssl;
- break;
- case CKM_PBE_MD2_DES_CBC:
- algtag = SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC;
- key_type = CKK_DES;
- goto have_key_type;
- case CKM_PBE_MD5_DES_CBC:
- algtag = SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC;
- key_type = CKK_DES;
- goto have_key_type;
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- algtag = SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
- key_type = CKK_DES;
- goto have_key_type;
- case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
- faultyPBE3DES = PR_TRUE;
- case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
- algtag = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
- key_type = CKK_DES3;
- goto have_key_type;
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- algtag = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- key_type = CKK_RC2;
- goto have_key_type;
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
- algtag = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
- key_type = CKK_RC2;
- goto have_key_type;
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
- algtag = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4;
- key_type = CKK_RC4;
- goto have_key_type;
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
- algtag = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4;
- key_type = CKK_RC4;
- goto have_key_type;
- case CKM_PBE_SHA1_RC4_40:
- algtag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4;
- key_length = 5;
- key_type = CKK_RC4;
- goto have_key_type;
- case CKM_PBE_SHA1_RC4_128:
- algtag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4;
- key_length = 16;
- key_type = CKK_RC4;
- goto have_key_type;
- case CKM_PBE_SHA1_RC2_40_CBC:
- algtag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- key_length = 5;
- key_type = CKK_RC2;
- goto have_key_type;
- case CKM_PBE_SHA1_RC2_128_CBC:
- algtag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
- key_length = 16;
- key_type = CKK_RC2;
- goto have_key_type;
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- algtag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
- key_length = 24;
- key_type = CKK_DES3;
- goto have_key_type;
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- algtag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC;
- key_length = 16;
- key_type = CKK_DES2;
- checkWeak = PR_FALSE;
-have_key_type:
- key_gen_type = pk11_pbe;
- break;
- default:
- crv = CKR_MECHANISM_INVALID;
- }
- /* make sure we aren't going to overflow the buffer */
- if (sizeof(buf) < key_length) {
- /* someone is getting pretty optimistic about how big their key can
- * be... */
- crv = CKR_TEMPLATE_INCONSISTENT;
- }
-
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-
- /*
- * now to the actual key gen.
- */
- switch (key_gen_type) {
- case pk11_pbe:
- crv = pk11_pbe_key_gen(algtag, pMechanism, buf, &key_length,
- faultyPBE3DES);
- break;
- case pk11_ssl:
- rsa_pms = (SSL3RSAPreMasterSecret *)buf;
- version = (CK_VERSION *)pMechanism->pParameter;
- rsa_pms->client_version[0] = version->major;
- rsa_pms->client_version[1] = version->minor;
- crv =
- NSC_GenerateRandom(0,&rsa_pms->random[0], sizeof(rsa_pms->random));
- break;
- case pk11_bulk:
- /* get the key, check for weak keys and repeat if found */
- do {
- crv = NSC_GenerateRandom(0, (unsigned char *)buf, key_length);
- } while (crv == CKR_OK && checkWeak &&
- pk11_IsWeakKey((unsigned char *)buf,key_type));
- break;
- }
-
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-
- /* Add the class, key_type, and value */
- crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
- crv = pk11_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE));
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
- crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
- crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-
- /* get the session */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- pk11_FreeObject(key);
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- /*
- * handle the base object stuff
- */
- crv = pk11_handleObject(key,session);
- pk11_FreeSession(session);
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- return crv;
- }
- if (pk11_isTrue(key,CKA_SENSITIVE)) {
- pk11_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
- }
- if (!pk11_isTrue(key,CKA_EXTRACTABLE)) {
- pk11_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
- }
-
- *phKey = key->handle;
- return CKR_OK;
-}
-
-
-
-/* NSC_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
-CK_RV NSC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey)
-{
- PK11Object * publicKey,*privateKey;
- PK11Session * session;
- CK_KEY_TYPE key_type;
- CK_RV crv = CKR_OK;
- CK_BBOOL cktrue = CK_TRUE;
- SECStatus rv;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
- int i;
- PK11Slot * slot = pk11_SlotFromSessionHandle(hSession);
-
- /* RSA */
- int public_modulus_bits = 0;
- SECItem pubExp;
- RSAPrivateKey * rsaPriv;
-
- /* DSA */
- PQGParams pqgParam;
- DHParams dhParam;
- DSAPrivateKey * dsaPriv;
-
- /* Diffie Hellman */
- int private_value_bits = 0;
- DHPrivateKey * dhPriv;
-
- /*
- * now lets create an object to hang the attributes off of
- */
- publicKey = pk11_NewObject(slot); /* fill in the handle later */
- if (publicKey == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /*
- * load the template values into the publicKey
- */
- for (i=0; i < (int) ulPublicKeyAttributeCount; i++) {
- if (pPublicKeyTemplate[i].type == CKA_MODULUS_BITS) {
- public_modulus_bits = *(CK_ULONG *)pPublicKeyTemplate[i].pValue;
- continue;
- }
-
- crv = pk11_AddAttributeType(publicKey,
- pk11_attr_expand(&pPublicKeyTemplate[i]));
- if (crv != CKR_OK) break;
- }
-
- if (crv != CKR_OK) {
- pk11_FreeObject(publicKey);
- return CKR_HOST_MEMORY;
- }
-
- privateKey = pk11_NewObject(slot); /* fill in the handle later */
- if (privateKey == NULL) {
- pk11_FreeObject(publicKey);
- return CKR_HOST_MEMORY;
- }
- /*
- * now load the private key template
- */
- for (i=0; i < (int) ulPrivateKeyAttributeCount; i++) {
- if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) {
- private_value_bits = *(CK_ULONG *)pPrivateKeyTemplate[i].pValue;
- continue;
- }
-
- crv = pk11_AddAttributeType(privateKey,
- pk11_attr_expand(&pPrivateKeyTemplate[i]));
- if (crv != CKR_OK) break;
- }
-
- if (crv != CKR_OK) {
- pk11_FreeObject(publicKey);
- pk11_FreeObject(privateKey);
- return CKR_HOST_MEMORY;
- }
- pk11_DeleteAttributeType(privateKey,CKA_CLASS);
- pk11_DeleteAttributeType(privateKey,CKA_KEY_TYPE);
- pk11_DeleteAttributeType(privateKey,CKA_VALUE);
- pk11_DeleteAttributeType(publicKey,CKA_CLASS);
- pk11_DeleteAttributeType(publicKey,CKA_KEY_TYPE);
- pk11_DeleteAttributeType(publicKey,CKA_VALUE);
-
- /* Now Set up the parameters to generate the key (based on mechanism) */
- switch (pMechanism->mechanism) {
- case CKM_RSA_PKCS_KEY_PAIR_GEN:
- /* format the keys */
- pk11_DeleteAttributeType(publicKey,CKA_MODULUS);
- pk11_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
- pk11_DeleteAttributeType(privateKey,CKA_MODULUS);
- pk11_DeleteAttributeType(privateKey,CKA_PRIVATE_EXPONENT);
- pk11_DeleteAttributeType(privateKey,CKA_PUBLIC_EXPONENT);
- pk11_DeleteAttributeType(privateKey,CKA_PRIME_1);
- pk11_DeleteAttributeType(privateKey,CKA_PRIME_2);
- pk11_DeleteAttributeType(privateKey,CKA_EXPONENT_1);
- pk11_DeleteAttributeType(privateKey,CKA_EXPONENT_2);
- pk11_DeleteAttributeType(privateKey,CKA_COEFFICIENT);
- key_type = CKK_RSA;
- if (public_modulus_bits == 0) {
- crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- }
-
- /* extract the exponent */
- crv=pk11_Attribute2SSecItem(NULL,&pubExp,publicKey,CKA_PUBLIC_EXPONENT);
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_PUBLIC_EXPONENT,
- pk11_item_expand(&pubExp));
- if (crv != CKR_OK) {
- PORT_Free(pubExp.data);
- break;
- }
-
- rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp);
- PORT_Free(pubExp.data);
- if (rsaPriv == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- /* now fill in the RSA dependent paramenters in the public key */
- crv = pk11_AddAttributeType(publicKey,CKA_MODULUS,
- pk11_item_expand(&rsaPriv->modulus));
- if (crv != CKR_OK) goto kpg_done;
- /* now fill in the RSA dependent paramenters in the private key */
- crv = pk11_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
- pk11_item_expand(&rsaPriv->modulus));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_MODULUS,
- pk11_item_expand(&rsaPriv->modulus));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIVATE_EXPONENT,
- pk11_item_expand(&rsaPriv->privateExponent));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIME_1,
- pk11_item_expand(&rsaPriv->prime1));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_PRIME_2,
- pk11_item_expand(&rsaPriv->prime2));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_1,
- pk11_item_expand(&rsaPriv->exponent1));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_2,
- pk11_item_expand(&rsaPriv->exponent2));
- if (crv != CKR_OK) goto kpg_done;
- crv = pk11_AddAttributeType(privateKey,CKA_COEFFICIENT,
- pk11_item_expand(&rsaPriv->coefficient));
-kpg_done:
- /* Should zeroize the contents first, since this func doesn't. */
- PORT_FreeArena(rsaPriv->arena, PR_TRUE);
- break;
- case CKM_DSA_KEY_PAIR_GEN:
- pk11_DeleteAttributeType(publicKey,CKA_VALUE);
- pk11_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
- pk11_DeleteAttributeType(privateKey,CKA_PRIME);
- pk11_DeleteAttributeType(privateKey,CKA_SUBPRIME);
- pk11_DeleteAttributeType(privateKey,CKA_BASE);
- key_type = CKK_DSA;
-
- /* extract the necessary paramters and copy them to the private key */
- crv=pk11_Attribute2SSecItem(NULL,&pqgParam.prime,publicKey,CKA_PRIME);
- if (crv != CKR_OK) break;
- crv=pk11_Attribute2SSecItem(NULL,&pqgParam.subPrime,publicKey,
- CKA_SUBPRIME);
- if (crv != CKR_OK) {
- PORT_Free(pqgParam.prime.data);
- break;
- }
- crv=pk11_Attribute2SSecItem(NULL,&pqgParam.base,publicKey,CKA_BASE);
- if (crv != CKR_OK) {
- PORT_Free(pqgParam.prime.data);
- PORT_Free(pqgParam.subPrime.data);
- break;
- }
- crv = pk11_AddAttributeType(privateKey,CKA_PRIME,
- pk11_item_expand(&pqgParam.prime));
- if (crv != CKR_OK) {
- PORT_Free(pqgParam.prime.data);
- PORT_Free(pqgParam.subPrime.data);
- PORT_Free(pqgParam.base.data);
- break;
- }
- crv = pk11_AddAttributeType(privateKey,CKA_SUBPRIME,
- pk11_item_expand(&pqgParam.subPrime));
- if (crv != CKR_OK) {
- PORT_Free(pqgParam.prime.data);
- PORT_Free(pqgParam.subPrime.data);
- PORT_Free(pqgParam.base.data);
- break;
- }
- crv = pk11_AddAttributeType(privateKey,CKA_BASE,
- pk11_item_expand(&pqgParam.base));
- if (crv != CKR_OK) {
- PORT_Free(pqgParam.prime.data);
- PORT_Free(pqgParam.subPrime.data);
- PORT_Free(pqgParam.base.data);
- break;
- }
-
- /* Generate the key */
- rv = DSA_NewKey(&pqgParam, &dsaPriv);
-
- PORT_Free(pqgParam.prime.data);
- PORT_Free(pqgParam.subPrime.data);
- PORT_Free(pqgParam.base.data);
-
- if (rv != SECSuccess) { crv = CKR_HOST_MEMORY; break; }
-
- /* store the generated key into the attributes */
- crv = pk11_AddAttributeType(publicKey,CKA_VALUE,
- pk11_item_expand(&dsaPriv->publicValue));
- if (crv != CKR_OK) goto dsagn_done;
-
- /* now fill in the RSA dependent paramenters in the private key */
- crv = pk11_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
- pk11_item_expand(&dsaPriv->publicValue));
- if (crv != CKR_OK) goto dsagn_done;
- crv = pk11_AddAttributeType(privateKey,CKA_VALUE,
- pk11_item_expand(&dsaPriv->privateValue));
-
-dsagn_done:
- /* should zeroize, since this function doesn't. */
- PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
- break;
-
- case CKM_DH_PKCS_KEY_PAIR_GEN:
- pk11_DeleteAttributeType(privateKey,CKA_PRIME);
- pk11_DeleteAttributeType(privateKey,CKA_BASE);
- pk11_DeleteAttributeType(privateKey,CKA_VALUE);
- key_type = CKK_DH;
-
- /* extract the necessary parameters and copy them to private keys */
- crv = pk11_Attribute2SSecItem(NULL, &dhParam.prime, publicKey,
- CKA_PRIME);
- if (crv != CKR_OK) break;
- crv = pk11_Attribute2SSecItem(NULL, &dhParam.base, publicKey, CKA_BASE);
- if (crv != CKR_OK) {
- PORT_Free(dhParam.prime.data);
- break;
- }
- crv = pk11_AddAttributeType(privateKey, CKA_PRIME,
- pk11_item_expand(&dhParam.prime));
- if (crv != CKR_OK) {
- PORT_Free(dhParam.prime.data);
- PORT_Free(dhParam.base.data);
- break;
- }
- crv = pk11_AddAttributeType(privateKey, CKA_BASE,
- pk11_item_expand(&dhParam.base));
- if (crv != CKR_OK) goto dhgn_done;
-
- rv = DH_NewKey(&dhParam, &dhPriv);
- PORT_Free(dhParam.prime.data);
- PORT_Free(dhParam.base.data);
- if (rv != SECSuccess) {
- crv = CKR_HOST_MEMORY;
- break;
- }
-
- crv=pk11_AddAttributeType(publicKey, CKA_VALUE,
- pk11_item_expand(&dhPriv->publicValue));
- if (crv != CKR_OK) goto dhgn_done;
-
- crv=pk11_AddAttributeType(privateKey, CKA_VALUE,
- pk11_item_expand(&dhPriv->privateValue));
-
-dhgn_done:
- /* should zeroize, since this function doesn't. */
- PORT_FreeArena(dhPriv->arena, PR_TRUE);
- break;
-
- default:
- crv = CKR_MECHANISM_INVALID;
- }
-
- if (crv != CKR_OK) {
- pk11_FreeObject(privateKey);
- pk11_FreeObject(publicKey);
- return crv;
- }
-
-
- /* Add the class, key_type The loop lets us check errors blow out
- * on errors and clean up at the bottom */
- session = NULL; /* make pedtantic happy... session cannot leave the*/
- /* loop below NULL unless an error is set... */
- do {
- crv = pk11_AddAttributeType(privateKey,CKA_CLASS,&privClass,
- sizeof(CK_OBJECT_CLASS));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_CLASS,&pubClass,
- sizeof(CK_OBJECT_CLASS));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(privateKey,CKA_KEY_TYPE,&key_type,
- sizeof(CK_KEY_TYPE));
- if (crv != CKR_OK) break;
- crv = pk11_AddAttributeType(publicKey,CKA_KEY_TYPE,&key_type,
- sizeof(CK_KEY_TYPE));
- if (crv != CKR_OK) break;
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) crv = CKR_SESSION_HANDLE_INVALID;
- } while (0);
-
- if (crv != CKR_OK) {
- pk11_FreeObject(privateKey);
- pk11_FreeObject(publicKey);
- return crv;
- }
-
- /*
- * handle the base object cleanup for the public Key
- */
- crv = pk11_handleObject(publicKey,session);
- if (crv != CKR_OK) {
- pk11_FreeSession(session);
- pk11_FreeObject(privateKey);
- pk11_FreeObject(publicKey);
- return crv;
- }
-
- /*
- * handle the base object cleanup for the private Key
- * If we have any problems, we destroy the public Key we've
- * created and linked.
- */
- crv = pk11_handleObject(privateKey,session);
- pk11_FreeSession(session);
- if (crv != CKR_OK) {
- pk11_FreeObject(privateKey);
- NSC_DestroyObject(hSession,publicKey->handle);
- return crv;
- }
- if (pk11_isTrue(privateKey,CKA_SENSITIVE)) {
- pk11_forceAttribute(privateKey,CKA_ALWAYS_SENSITIVE,
- &cktrue,sizeof(CK_BBOOL));
- }
- if (pk11_isTrue(publicKey,CKA_SENSITIVE)) {
- pk11_forceAttribute(publicKey,CKA_ALWAYS_SENSITIVE,
- &cktrue,sizeof(CK_BBOOL));
- }
- if (!pk11_isTrue(privateKey,CKA_EXTRACTABLE)) {
- pk11_forceAttribute(privateKey,CKA_NEVER_EXTRACTABLE,
- &cktrue,sizeof(CK_BBOOL));
- }
- if (!pk11_isTrue(publicKey,CKA_EXTRACTABLE)) {
- pk11_forceAttribute(publicKey,CKA_NEVER_EXTRACTABLE,
- &cktrue,sizeof(CK_BBOOL));
- }
- *phPrivateKey = privateKey->handle;
- *phPublicKey = publicKey->handle;
-
- return CKR_OK;
-}
-
-static SECItem *pk11_PackagePrivateKey(PK11Object *key)
-{
- SECKEYLowPrivateKey *lk = NULL;
- SECKEYPrivateKeyInfo *pki = NULL;
- PK11Attribute *attribute = NULL;
- PLArenaPool *arena = NULL;
- SECOidTag algorithm = SEC_OID_UNKNOWN;
- void *dummy, *param = NULL;
- SECStatus rv = SECSuccess;
- SECItem *encodedKey = NULL;
-
- if(!key) {
- return NULL;
- }
-
- attribute = pk11_FindAttribute(key, CKA_KEY_TYPE);
- if(!attribute) {
- return NULL;
- }
-
- lk = pk11_GetPrivKey(key, *(CK_KEY_TYPE *)attribute->attrib.pValue);
- pk11_FreeAttribute(attribute);
- if(!lk) {
- return NULL;
- }
-
- arena = PORT_NewArena(2048); /* XXX different size? */
- if(!arena) {
- rv = SECFailure;
- goto loser;
- }
-
- pki = (SECKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYPrivateKeyInfo));
- if(!pki) {
- rv = SECFailure;
- goto loser;
- }
- pki->arena = arena;
-
- param = NULL;
- switch(lk->keyType) {
- case rsaKey:
- dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
- SECKEY_RSAPrivateKeyTemplate);
- algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
- break;
- case dsaKey:
- dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
- SECKEY_DSAPrivateKeyExportTemplate);
- param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
- SECKEY_PQGParamsTemplate);
- algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
- break;
- case fortezzaKey:
- case dhKey:
- default:
- dummy = NULL;
- break;
- }
-
- if(!dummy || ((lk->keyType == dsaKey) && !param)) {
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm,
- (SECItem*)param);
- if(rv != SECSuccess) {
- rv = SECFailure;
- goto loser;
- }
-
- dummy = SEC_ASN1EncodeInteger(arena, &pki->version,
- SEC_PRIVATE_KEY_INFO_VERSION);
- if(!dummy) {
- rv = SECFailure;
- goto loser;
- }
-
- encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki,
- SECKEY_PrivateKeyInfoTemplate);
-
-loser:
- if(arena) {
- PORT_FreeArena(arena, PR_TRUE);
- }
-
- if(lk && (lk != key->objectInfo)) {
- SECKEY_LowDestroyPrivateKey(lk);
- }
-
- if(param) {
- SECITEM_ZfreeItem((SECItem*)param, PR_TRUE);
- }
-
- if(rv != SECSuccess) {
- return NULL;
- }
-
- return encodedKey;
-}
-
-/* it doesn't matter yet, since we colapse error conditions in the
- * level above, but we really should map those few key error differences */
-CK_RV pk11_mapWrap(CK_RV crv) { return crv; }
-
-/* NSC_WrapKey wraps (i.e., encrypts) a key. */
-CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
- CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
- CK_ULONG_PTR pulWrappedKeyLen)
-{
- PK11Session *session;
- PK11Attribute *attribute;
- PK11Object *key;
- CK_RV crv;
- PRBool isLynks = PR_FALSE;
- CK_ULONG len = 0;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- key = pk11_ObjectFromHandle(hKey,session);
- pk11_FreeSession(session);
- if (key == NULL) {
- return CKR_KEY_HANDLE_INVALID;
- }
-
- switch(key->objclass) {
- case CKO_SECRET_KEY:
- attribute = pk11_FindAttribute(key,CKA_VALUE);
-
- if (attribute == NULL) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- if (pMechanism->mechanism == CKM_KEY_WRAP_LYNKS) {
- isLynks = PR_TRUE;
- pMechanism->mechanism = CKM_DES_ECB;
- len = *pulWrappedKeyLen;
- }
-
- crv = pk11_EncryptInit(hSession, pMechanism, hWrappingKey,
- CKA_WRAP, PK11_ENCRYPT);
- if (crv != CKR_OK) {
- pk11_FreeAttribute(attribute);
- break;
- }
- crv = NSC_Encrypt(hSession, (CK_BYTE_PTR)attribute->attrib.pValue,
- attribute->attrib.ulValueLen,pWrappedKey,pulWrappedKeyLen);
-
- if (isLynks && (crv == CKR_OK)) {
- unsigned char buf[2];
- crv = pk11_calcLynxChecksum(hSession,hWrappingKey,buf,
- (unsigned char*)attribute->attrib.pValue,
- attribute->attrib.ulValueLen);
- if (len >= 10) {
- pWrappedKey[8] = buf[0];
- pWrappedKey[9] = buf[1];
- *pulWrappedKeyLen = 10;
- }
- }
- pk11_FreeAttribute(attribute);
- break;
-
- case CKO_PRIVATE_KEY:
- {
- SECItem *bpki = pk11_PackagePrivateKey(key);
-
- if(!bpki) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
-
- crv = pk11_EncryptInit(hSession, pMechanism, hWrappingKey,
- CKA_WRAP, PK11_ENCRYPT);
- if(crv != CKR_OK) {
- SECITEM_ZfreeItem(bpki, PR_TRUE);
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
-
- crv = NSC_Encrypt(hSession, bpki->data, bpki->len,
- pWrappedKey, pulWrappedKeyLen);
- SECITEM_ZfreeItem(bpki, PR_TRUE);
- break;
- }
-
- default:
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- pk11_FreeObject(key);
-
- return pk11_mapWrap(crv);
-}
-
-/*
- * import a pprivate key info into the desired slot
- */
-static SECStatus
-pk11_unwrapPrivateKey(PK11Object *key, SECItem *bpki)
-{
- CK_BBOOL cktrue = CK_TRUE;
- CK_KEY_TYPE keyType = CKK_RSA;
- SECStatus rv = SECFailure;
- const SEC_ASN1Template *keyTemplate, *paramTemplate;
- void *paramDest = NULL;
- PLArenaPool *arena;
- SECKEYLowPrivateKey *lpk = NULL;
- SECKEYPrivateKeyInfo *pki = NULL;
- SECItem *ck_id = NULL;
- CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
-
- arena = PORT_NewArena(2048);
- if(!arena) {
- return SECFailure;
- }
-
- pki = (SECKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYPrivateKeyInfo));
- if(!pki) {
- PORT_FreeArena(arena, PR_TRUE);
- return SECFailure;
- }
-
- if(SEC_ASN1DecodeItem(arena, pki, SECKEY_PrivateKeyInfoTemplate, bpki)
- != SECSuccess) {
- PORT_FreeArena(arena, PR_FALSE);
- return SECFailure;
- }
-
- lpk = (SECKEYLowPrivateKey *)PORT_ArenaZAlloc(arena,
- sizeof(SECKEYLowPrivateKey));
- if(lpk == NULL) {
- goto loser;
- }
- lpk->arena = arena;
-
- switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- keyTemplate = SECKEY_RSAPrivateKeyTemplate;
- paramTemplate = NULL;
- paramDest = NULL;
- lpk->keyType = rsaKey;
- break;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
- paramTemplate = SECKEY_PQGParamsTemplate;
- paramDest = &(lpk->u.dsa.params);
- lpk->keyType = dsaKey;
- break;
- /* case dhKey: */
- /* case fortezzaKey: */
- default:
- keyTemplate = NULL;
- paramTemplate = NULL;
- paramDest = NULL;
- break;
- }
-
- if(!keyTemplate) {
- goto loser;
- }
-
- /* decode the private key and any algorithm parameters */
- rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
- if(rv != SECSuccess) {
- goto loser;
- }
- if(paramDest && paramTemplate) {
- rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
- &(pki->algorithm.parameters));
- if(rv != SECSuccess) {
- goto loser;
- }
- }
-
- rv = SECFailure;
-
- switch (lpk->keyType) {
- case rsaKey:
- keyType = CKK_RSA;
- if(pk11_hasAttribute(key, CKA_NETSCAPE_DB)) {
- pk11_DeleteAttributeType(key, CKA_NETSCAPE_DB);
- }
- crv = pk11_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
- sizeof(keyType));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_UNWRAP, &cktrue,
- sizeof(CK_BBOOL));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_DECRYPT, &cktrue,
- sizeof(CK_BBOOL));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_SIGN, &cktrue,
- sizeof(CK_BBOOL));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
- sizeof(CK_BBOOL));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_MODULUS,
- pk11_item_expand(&lpk->u.rsa.modulus));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_PUBLIC_EXPONENT,
- pk11_item_expand(&lpk->u.rsa.publicExponent));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_PRIVATE_EXPONENT,
- pk11_item_expand(&lpk->u.rsa.privateExponent));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_PRIME_1,
- pk11_item_expand(&lpk->u.rsa.prime1));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_PRIME_2,
- pk11_item_expand(&lpk->u.rsa.prime2));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_EXPONENT_1,
- pk11_item_expand(&lpk->u.rsa.exponent1));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_EXPONENT_2,
- pk11_item_expand(&lpk->u.rsa.exponent2));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_COEFFICIENT,
- pk11_item_expand(&lpk->u.rsa.coefficient));
- break;
- case dsaKey:
- keyType = CKK_DSA;
- crv = (pk11_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
- CKR_KEY_TYPE_INCONSISTENT;
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
- sizeof(keyType));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_SIGN, &cktrue,
- sizeof(CK_BBOOL));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
- sizeof(CK_BBOOL));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_PRIME,
- pk11_item_expand(&lpk->u.dsa.params.prime));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_SUBPRIME,
- pk11_item_expand(&lpk->u.dsa.params.subPrime));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_BASE,
- pk11_item_expand(&lpk->u.dsa.params.base));
- if(crv != CKR_OK) break;
- crv = pk11_AddAttributeType(key, CKA_VALUE,
- pk11_item_expand(&lpk->u.dsa.privateValue));
- if(crv != CKR_OK) break;
- break;
-#ifdef notdef
- case dhKey:
- template = dhTemplate;
- templateCount = sizeof(dhTemplate)/sizeof(CK_ATTRIBUTE);
- keyType = CKK_DH;
- break;
-#endif
- /* what about fortezza??? */
- default:
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
-
-loser:
- if(ck_id) {
- SECITEM_ZfreeItem(ck_id, PR_TRUE);
- }
-
- if(lpk) {
- SECKEY_LowDestroyPrivateKey(lpk);
- }
-
- if(crv != CKR_OK) {
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-
-/* NSC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
-CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
- CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey)
-{
- PK11Object *key = NULL;
- PK11Session *session;
- int key_length = 0;
- unsigned char * buf = NULL;
- CK_RV crv = CKR_OK;
- int i;
- CK_ULONG bsize = ulWrappedKeyLen;
- PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
- PK11Attribute *attr = NULL;
- SECItem bpki;
- CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
- PRBool isLynks = PR_FALSE;
-
- /*
- * now lets create an object to hang the attributes off of
- */
- key = pk11_NewObject(slot); /* fill in the handle later */
- if (key == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /*
- * load the template values into the object
- */
- for (i=0; i < (int) ulAttributeCount; i++) {
- if (pTemplate[i].type == CKA_VALUE_LEN) {
- key_length = *(CK_ULONG *)pTemplate[i].pValue;
- continue;
- }
- if (pTemplate[i].type == CKA_CLASS) {
- target_type = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
- }
- crv = pk11_AddAttributeType(key,pk11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) break;
- }
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- return crv;
- }
-
- /* LYNKS is a special key wrapping mechanism */
- if (pMechanism->mechanism == CKM_KEY_WRAP_LYNKS) {
- isLynks = PR_TRUE;
- pMechanism->mechanism = CKM_DES_ECB;
- ulWrappedKeyLen -= 2; /* don't decrypt the checksum */
- }
-
- crv = pk11_DecryptInit(hSession,pMechanism,hUnwrappingKey,CKA_UNWRAP,
- PK11_DECRYPT);
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- return pk11_mapWrap(crv);
- }
-
- /* allocate the buffer to decrypt into
- * this assumes the unwrapped key is never larger than the
- * wrapped key. For all the mechanisms we support this is true */
- buf = (unsigned char *)PORT_Alloc( ulWrappedKeyLen);
- bsize = ulWrappedKeyLen;
-
- crv = NSC_Decrypt(hSession, pWrappedKey, ulWrappedKeyLen, buf, &bsize);
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- PORT_Free(buf);
- return pk11_mapWrap(crv);
- }
-
- switch(target_type) {
- case CKO_SECRET_KEY:
- if (!pk11_hasAttribute(key,CKA_KEY_TYPE)) {
- crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- }
-
- /* verify the Lynx checksum */
- if (isLynks) {
- unsigned char checkSum[2];
- crv = pk11_calcLynxChecksum(hSession,hUnwrappingKey,checkSum,
- buf,bsize);
- if (crv != CKR_OK) break;
- if ((ulWrappedKeyLen != 8) || (pWrappedKey[8] != checkSum[0])
- || (pWrappedKey[9] != checkSum[1])) {
- crv = CKR_WRAPPED_KEY_INVALID;
- break;
- }
- }
-
- if(key_length == 0) {
- key_length = bsize;
- }
- if (key_length > MAX_KEY_LEN) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
-
- /* add the value */
- crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
- break;
- case CKO_PRIVATE_KEY:
- bpki.data = (unsigned char *)buf;
- bpki.len = bsize;
- crv = CKR_OK;
- if(pk11_unwrapPrivateKey(key, &bpki) != SECSuccess) {
- crv = CKR_TEMPLATE_INCOMPLETE;
- }
- break;
- default:
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
-
- PORT_ZFree(buf, bsize);
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-
- /* get the session */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- pk11_FreeObject(key);
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- /*
- * handle the base object stuff
- */
- crv = pk11_handleObject(key,session);
- pk11_FreeSession(session);
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- return crv;
- }
-
- *phKey = key->handle;
- return CKR_OK;
-
-}
-
-/*
- * The SSL key gen mechanism create's lots of keys. This function handles the
- * details of each of these key creation.
- */
-static CK_RV
-pk11_buildSSLKey(CK_SESSION_HANDLE hSession, PK11Object *baseKey,
- PRBool isMacKey, unsigned char *keyBlock, unsigned int keySize,
- CK_OBJECT_HANDLE *keyHandle)
-{
- PK11Object *key;
- PK11Session *session;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_BBOOL cktrue = CK_TRUE;
- CK_BBOOL ckfalse = CK_FALSE;
- CK_RV crv = CKR_HOST_MEMORY;
-
- /*
- * now lets create an object to hang the attributes off of
- */
- *keyHandle = CK_INVALID_KEY;
- key = pk11_NewObject(baseKey->slot);
- if (key == NULL) return CKR_HOST_MEMORY;
- key->wasDerived = PR_TRUE;
-
- crv = pk11_CopyObject(key,baseKey);
- if (crv != CKR_OK) goto loser;
- if (isMacKey) {
- crv = pk11_forceAttribute(key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_ENCRYPT,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_DECRYPT,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_WRAP,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- crv = pk11_forceAttribute(key,CKA_UNWRAP,&ckfalse,sizeof(CK_BBOOL));
- if (crv != CKR_OK) goto loser;
- }
- crv = pk11_forceAttribute(key,CKA_VALUE,keyBlock,keySize);
- if (crv != CKR_OK) goto loser;
-
- /* get the session */
- crv = CKR_HOST_MEMORY;
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) { goto loser; }
-
- crv = pk11_handleObject(key,session);
- pk11_FreeSession(session);
- if (crv == CKR_OK) {
- *keyHandle = key->handle;
- return crv;
- }
-loser:
- if (key) pk11_FreeObject(key);
- return crv;
-}
-
-/*
- * if there is an error, we need to free the keys we already created in SSL
- * This is the routine that will do it..
- */
-static void
-pk11_freeSSLKeys(CK_SESSION_HANDLE session,
- CK_SSL3_KEY_MAT_OUT *returnedMaterial ) {
- if (returnedMaterial->hClientMacSecret != CK_INVALID_KEY) {
- NSC_DestroyObject(session,returnedMaterial->hClientMacSecret);
- }
- if (returnedMaterial->hServerMacSecret != CK_INVALID_KEY) {
- NSC_DestroyObject(session, returnedMaterial->hServerMacSecret);
- }
- if (returnedMaterial->hClientKey != CK_INVALID_KEY) {
- NSC_DestroyObject(session, returnedMaterial->hClientKey);
- }
- if (returnedMaterial->hServerKey != CK_INVALID_KEY) {
- NSC_DestroyObject(session, returnedMaterial->hServerKey);
- }
-}
-
-/*
- * when deriving from sensitive and extractable keys, we need to preserve some
- * of the semantics in the derived key. This helper routine maintains these
- * semantics.
- */
-static CK_RV
-pk11_DeriveSensitiveCheck(PK11Object *baseKey,PK11Object *destKey) {
- PRBool hasSensitive;
- PRBool sensitive;
- PRBool hasExtractable;
- PRBool extractable;
- CK_RV crv = PR_TRUE;
- PK11Attribute *att;
-
- hasSensitive = PR_FALSE;
- att = pk11_FindAttribute(destKey,CKA_SENSITIVE);
- if (att) {
- hasSensitive = PR_FALSE;
- sensitive = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
- pk11_FreeAttribute(att);
- }
-
- hasExtractable = PR_FALSE;
- att = pk11_FindAttribute(destKey,CKA_EXTRACTABLE);
- if (att) {
- hasExtractable = PR_FALSE;
- extractable = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
- pk11_FreeAttribute(att);
- }
-
-
- /* don't make a key more accessible */
- if (pk11_isTrue(baseKey,CKA_SENSITIVE) && hasSensitive &&
- (sensitive == PR_FALSE)) {
- return CKR_KEY_FUNCTION_NOT_PERMITTED;
- }
- if (!pk11_isTrue(baseKey,CKA_EXTRACTABLE) && hasExtractable &&
- (extractable == PR_TRUE)) {
- return CKR_KEY_FUNCTION_NOT_PERMITTED;
- }
-
- /* inherit parent's sensitivity */
- if (!hasSensitive) {
- att = pk11_FindAttribute(baseKey,CKA_SENSITIVE);
- if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
- crv = pk11_defaultAttribute(destKey,pk11_attr_expand(&att->attrib));
- pk11_FreeAttribute(att);
- if (crv != CKR_OK) return crv;
- }
- if (!hasExtractable) {
- att = pk11_FindAttribute(baseKey,CKA_EXTRACTABLE);
- if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
- crv = pk11_defaultAttribute(destKey,pk11_attr_expand(&att->attrib));
- pk11_FreeAttribute(att);
- if (crv != CKR_OK) return crv;
- }
-
- /* we should inherit the parent's always extractable/ never sensitive info,
- * but handleObject always forces this attributes, so we would need to do
- * something special. */
- return CKR_OK;
-}
-
-/*
- * make known fixed PKCS #11 key types to their sizes in bytes
- */
-static unsigned long
-pk11_MapKeySize(CK_KEY_TYPE keyType) {
- switch (keyType) {
- case CKK_CDMF:
- return 8;
- case CKK_DES:
- return 8;
- case CKK_DES2:
- return 16;
- case CKK_DES3:
- return 24;
- /* IDEA and CAST need to be added */
- default:
- break;
- }
- return 0;
-}
-
-#define PHASH_STATE_MAX_LEN 20
-
-/* TLS P_hash function */
-static SECStatus
-pk11_P_hash(SECOidTag alg, const SECItem *secret, const char *label,
- SECItem *seed, SECItem *result)
-{
- unsigned char state[PHASH_STATE_MAX_LEN];
- unsigned char outbuf[PHASH_STATE_MAX_LEN];
- unsigned int state_len = 0, label_len = 0, outbuf_len = 0, chunk_size;
- unsigned int remaining;
- unsigned char *res;
- SECStatus status;
- HMACContext *cx;
- SECStatus rv = SECFailure;
-
- PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
- PORT_Assert((seed != NULL) && (seed->data != NULL));
- PORT_Assert((result != NULL) && (result->data != NULL));
-
- remaining = result->len;
- res = result->data;
-
- if (label != NULL)
- label_len = PORT_Strlen(label);
-
- cx = HMAC_Create(alg, secret->data, secret->len);
- if (cx == NULL)
- goto loser;
-
- /* initialize the state = A(1) = HMAC_hash(secret, seed) */
- HMAC_Begin(cx);
- HMAC_Update(cx, (unsigned char *)label, label_len);
- HMAC_Update(cx, seed->data, seed->len);
- status = HMAC_Finish(cx, state, &state_len, PHASH_STATE_MAX_LEN);
- if (status != SECSuccess)
- goto loser;
-
- /* generate a block at a time until we're done */
- while (remaining > 0) {
-
- HMAC_Begin(cx);
- HMAC_Update(cx, state, state_len);
- if (label_len)
- HMAC_Update(cx, (unsigned char *)label, label_len);
- HMAC_Update(cx, seed->data, seed->len);
- status = HMAC_Finish(cx, outbuf, &outbuf_len, PHASH_STATE_MAX_LEN);
- if (status != SECSuccess)
- goto loser;
-
- /* Update the state = A(i) = HMAC_hash(secret, A(i-1)) */
- HMAC_Begin(cx);
- HMAC_Update(cx, state, state_len);
- status = HMAC_Finish(cx, state, &state_len, PHASH_STATE_MAX_LEN);
- if (status != SECSuccess)
- goto loser;
-
- chunk_size = PR_MIN(outbuf_len, remaining);
- PORT_Memcpy(res, &outbuf, chunk_size);
- res += chunk_size;
- remaining -= chunk_size;
- }
-
- rv = SECSuccess;
-
-loser:
- /* if (cx) HMAC_Destroy(cx); */
- /* clear out state so it's not left on the stack */
- if (cx) HMAC_Destroy(cx);
- PORT_Memset(state, 0, sizeof(state));
- PORT_Memset(outbuf, 0, sizeof(outbuf));
- return rv;
-}
-
-static SECStatus
-pk11_PRF(const SECItem *secret, const char *label, SECItem *seed,
- SECItem *result)
-{
- SECStatus rv = SECFailure, status;
- unsigned int i;
- SECItem tmp = { siBuffer, NULL, 0};
- SECItem S1;
- SECItem S2;
-
- PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
- PORT_Assert((seed != NULL) && (seed->data != NULL));
- PORT_Assert((result != NULL) && (result->data != NULL));
-
- S1.type = siBuffer;
- S1.len = (secret->len / 2) + (secret->len & 1);
- S1.data = secret->data;
-
- S2.type = siBuffer;
- S2.len = S1.len;
- S2.data = secret->data + (secret->len - S2.len);
-
- tmp.data = (unsigned char*)PORT_Alloc(result->len);
- if (tmp.data == NULL)
- goto loser;
- tmp.len = result->len;
-
- status = pk11_P_hash(SEC_OID_MD5, &S1, label, seed, result);
- if (status != SECSuccess)
- goto loser;
-
- status = pk11_P_hash(SEC_OID_SHA1, &S2, label, seed, &tmp);
- if (status != SECSuccess)
- goto loser;
-
- for (i = 0; i < result->len; i++)
- result->data[i] ^= tmp.data[i];
-
- rv = SECSuccess;
-
-loser:
- if (tmp.data != NULL)
- PORT_ZFree(tmp.data, tmp.len);
- return rv;
-}
-
-/*
- * SSL Key generation given pre master secret
- */
-static char *mixers[] = { "A", "BB", "CCC", "DDDD", "EEEEE", "FFFFFF", "GGGGGGG"};
-#define NUM_MIXERS 7
-#define SSL3_PMS_LENGTH 48
-#define SSL3_MASTER_SECRET_LENGTH 48
-
-
-/* NSC_DeriveKey derives a key from a base key, creating a new key object. */
-CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
- CK_OBJECT_HANDLE_PTR phKey)
-{
- PK11Session * session;
- PK11Slot * slot = pk11_SlotFromSessionHandle(hSession);
- PK11Object * key;
- PK11Object * sourceKey;
- PK11Attribute * att;
- PK11Attribute * att2;
- unsigned char * buf;
- SHA1Context * sha;
- MD5Context * md5;
- MD2Context * md2;
- CK_ULONG macSize;
- CK_ULONG tmpKeySize;
- CK_ULONG IVSize;
- CK_ULONG keySize = 0;
- CK_RV crv = CKR_OK;
- CK_BBOOL cktrue = CK_TRUE;
- CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
- CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
- CK_KEY_DERIVATION_STRING_DATA *stringPtr;
- PRBool isTLS = PR_FALSE;
- SECStatus rv;
- int i;
- unsigned int outLen;
- unsigned char sha_out[SHA1_LENGTH];
- unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
- unsigned char key_block2[MD5_LENGTH];
-
- /*
- * now lets create an object to hang the attributes off of
- */
- if (phKey) *phKey = CK_INVALID_KEY;
-
- key = pk11_NewObject(slot); /* fill in the handle later */
- if (key == NULL) {
- return CKR_HOST_MEMORY;
- }
-
- /*
- * load the template values into the object
- */
- for (i=0; i < (int) ulAttributeCount; i++) {
- crv = pk11_AddAttributeType(key,pk11_attr_expand(&pTemplate[i]));
- if (crv != CKR_OK) break;
-
- if (pTemplate[i].type == CKA_KEY_TYPE) {
- keyType = *(CK_KEY_TYPE *)pTemplate[i].pValue;
- }
- if (pTemplate[i].type == CKA_VALUE_LEN) {
- keySize = *(CK_ULONG *)pTemplate[i].pValue;
- }
- }
- if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-
- if (keySize == 0) {
- keySize = pk11_MapKeySize(keyType);
- }
-
- /* Derive can only create SECRET KEY's currently... */
- classType = CKO_SECRET_KEY;
- crv = pk11_forceAttribute (key,CKA_CLASS,&classType,sizeof(classType));
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- return crv;
- }
-
- /* look up the base key we're deriving with */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- pk11_FreeObject(key);
- return CKR_SESSION_HANDLE_INVALID;
- }
-
- sourceKey = pk11_ObjectFromHandle(hBaseKey,session);
- pk11_FreeSession(session);
- if (sourceKey == NULL) {
- pk11_FreeObject(key);
- return CKR_KEY_HANDLE_INVALID;
- }
-
- /* don't use key derive to expose sensitive keys */
- crv = pk11_DeriveSensitiveCheck(sourceKey,key);
- if (crv != CKR_OK) {
- pk11_FreeObject(key);
- pk11_FreeObject(sourceKey);
- return crv;
- }
-
- /* get the value of the base key */
- att = pk11_FindAttribute(sourceKey,CKA_VALUE);
- if (att == NULL) {
- pk11_FreeObject(key);
- pk11_FreeObject(sourceKey);
- return CKR_KEY_HANDLE_INVALID;
- }
-
- switch (pMechanism->mechanism) {
- /*
- * generate the master secret
- */
- case CKM_TLS_MASTER_KEY_DERIVE:
- isTLS = PR_TRUE;
- /* fall thru */
- case CKM_SSL3_MASTER_KEY_DERIVE:
- {
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
- SSL3RSAPreMasterSecret *rsa_pms;
-
- /* first do the consistancy checkes */
- if (att->attrib.ulValueLen != SSL3_PMS_LENGTH) {
- crv = CKR_KEY_TYPE_INCONSISTENT;
- break;
- }
- att2 = pk11_FindAttribute(sourceKey,CKA_KEY_TYPE);
- if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
- CKK_GENERIC_SECRET)) {
- if (att2) pk11_FreeAttribute(att2);
- crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
- break;
- }
- pk11_FreeAttribute(att2);
- if (keyType != CKK_GENERIC_SECRET) {
- crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
- break;
- }
- if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
- crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
- break;
- }
-
-
- /* finally do the key gen */
- ssl3_master = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)
- pMechanism->pParameter;
- if (ssl3_master->pVersion) {
- rsa_pms = (SSL3RSAPreMasterSecret *) att->attrib.pValue;
- /* don't leak more key material then necessary for SSL to work */
- if (key->wasDerived) {
- ssl3_master->pVersion->major = 0xff;
- ssl3_master->pVersion->minor = 0xff;
- } else {
- ssl3_master->pVersion->major = rsa_pms->client_version[0];
- ssl3_master->pVersion->minor = rsa_pms->client_version[1];
- }
- }
- if (ssl3_master->RandomInfo.ulClientRandomLen != SSL3_RANDOM_LENGTH) {
- crv = CKR_MECHANISM_PARAM_INVALID;
- break;
- }
- if (ssl3_master->RandomInfo.ulServerRandomLen != SSL3_RANDOM_LENGTH) {
- crv = CKR_MECHANISM_PARAM_INVALID;
- break;
- }
-
- if (isTLS) {
- unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
- SECItem crsr = { siBuffer, NULL, 0 };
- SECItem master = { siBuffer, NULL, 0 };
- SECItem pms = { siBuffer, NULL, 0 };
- SECStatus status;
-
- pms.data = (unsigned char*)att->attrib.pValue;
- pms.len = att->attrib.ulValueLen;
- master.data = key_block;
- master.len = SSL3_MASTER_SECRET_LENGTH;
- crsr.data = crsrdata;
- crsr.len = sizeof(crsrdata);
-
- PORT_Memcpy(crsrdata, ssl3_master->RandomInfo.pClientRandom,
- SSL3_RANDOM_LENGTH);
- PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH,
- ssl3_master->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
-
- status = pk11_PRF(&pms, "master secret", &crsr, &master);
- if (status != SECSuccess) {
- crv = CKR_FUNCTION_FAILED;
- break;
- }
- } else {
- /* now allocate the hash contexts */
- md5 = MD5_NewContext();
- if (md5 == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- sha = SHA1_NewContext();
- if (sha == NULL) {
- PORT_Free(md5);
- crv = CKR_HOST_MEMORY;
- break;
- }
- for (i = 0; i < 3; i++) {
- SHA1_Begin(sha);
- SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
- SHA1_Update(sha, (const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- SHA1_Update(sha, ssl3_master->RandomInfo.pClientRandom,
- ssl3_master->RandomInfo.ulClientRandomLen);
- SHA1_Update(sha, ssl3_master->RandomInfo.pServerRandom,
- ssl3_master->RandomInfo.ulServerRandomLen);
- SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
- PORT_Assert(outLen == SHA1_LENGTH);
- MD5_Begin(md5);
- MD5_Update(md5, (const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- MD5_Update(md5, sha_out, outLen);
- MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
- PORT_Assert(outLen == MD5_LENGTH);
- }
- PORT_Free(md5);
- PORT_Free(sha);
- }
-
- /* store the results */
- crv = pk11_forceAttribute
- (key,CKA_VALUE,key_block,SSL3_MASTER_SECRET_LENGTH);
- if (crv != CKR_OK) break;
- keyType = CKK_GENERIC_SECRET;
- crv = pk11_forceAttribute (key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
- if (isTLS) {
- /* TLS's master secret is used to "sign" finished msgs with PRF. */
- /* XXX This seems like a hack. But PK11_Derive only accepts
- * one "operation" argument. */
- crv = pk11_forceAttribute(key,CKA_SIGN, &cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) break;
- crv = pk11_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) break;
- /* While we're here, we might as well force this, too. */
- crv = pk11_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
- if (crv != CKR_OK) break;
- }
- break;
- }
-
- case CKM_TLS_KEY_AND_MAC_DERIVE:
- isTLS = PR_TRUE;
- /* fall thru */
- case CKM_SSL3_KEY_AND_MAC_DERIVE:
- {
- CK_SSL3_KEY_MAT_PARAMS *ssl3_keys;
- CK_SSL3_KEY_MAT_OUT * ssl3_keys_out;
- CK_ULONG effKeySize;
-
- crv = pk11_DeriveSensitiveCheck(sourceKey,key);
- if (crv != CKR_OK) break;
-
- if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) {
- crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
- break;
- }
- att2 = pk11_FindAttribute(sourceKey,CKA_KEY_TYPE);
- if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
- CKK_GENERIC_SECRET)) {
- if (att2) pk11_FreeAttribute(att2);
- crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
- break;
- }
- pk11_FreeAttribute(att2);
- md5 = MD5_NewContext();
- if (md5 == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- sha = SHA1_NewContext();
- if (sha == NULL) {
- PORT_Free(md5);
- crv = CKR_HOST_MEMORY;
- break;
- }
- ssl3_keys = (CK_SSL3_KEY_MAT_PARAMS *) pMechanism->pParameter;
- /*
- * clear out our returned keys so we can recover on failure
- */
- ssl3_keys_out = ssl3_keys->pReturnedKeyMaterial;
- ssl3_keys_out->hClientMacSecret = CK_INVALID_KEY;
- ssl3_keys_out->hServerMacSecret = CK_INVALID_KEY;
- ssl3_keys_out->hClientKey = CK_INVALID_KEY;
- ssl3_keys_out->hServerKey = CK_INVALID_KEY;
-
- /*
- * generate the key material: This looks amazingly similar to the
- * PMS code, and is clearly crying out for a function to provide it.
- */
- if (isTLS) {
- SECStatus status;
- SECItem master = { siBuffer, NULL, 0 };
- SECItem srcr = { siBuffer, NULL, 0 };
- SECItem keyblk = { siBuffer, NULL, 0 };
- unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2];
-
- master.data = (unsigned char*)att->attrib.pValue;
- master.len = att->attrib.ulValueLen;
- srcr.data = srcrdata;
- srcr.len = sizeof srcrdata;
- keyblk.data = key_block;
- keyblk.len = sizeof key_block;
-
- PORT_Memcpy(srcrdata,
- ssl3_keys->RandomInfo.pServerRandom,
- SSL3_RANDOM_LENGTH);
- PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH,
- ssl3_keys->RandomInfo.pClientRandom,
- SSL3_RANDOM_LENGTH);
-
- status = pk11_PRF(&master, "key expansion", &srcr, &keyblk);
- if (status != SECSuccess) {
- goto key_and_mac_derive_fail;
- }
- } else {
- /* key_block =
- * MD5(master_secret + SHA('A' + master_secret +
- * ServerHello.random + ClientHello.random)) +
- * MD5(master_secret + SHA('BB' + master_secret +
- * ServerHello.random + ClientHello.random)) +
- * MD5(master_secret + SHA('CCC' + master_secret +
- * ServerHello.random + ClientHello.random)) +
- * [...];
- */
- for (i = 0; i < NUM_MIXERS; i++) {
- SHA1_Begin(sha);
- SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
- SHA1_Update(sha, (const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- SHA1_Update(sha, ssl3_keys->RandomInfo.pServerRandom,
- ssl3_keys->RandomInfo.ulServerRandomLen);
- SHA1_Update(sha, ssl3_keys->RandomInfo.pClientRandom,
- ssl3_keys->RandomInfo.ulClientRandomLen);
- SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
- PORT_Assert(outLen == SHA1_LENGTH);
- MD5_Begin(md5);
- MD5_Update(md5, (const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- MD5_Update(md5, sha_out, outLen);
- MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
- PORT_Assert(outLen == MD5_LENGTH);
- }
- }
-
- /*
- * Put the key material where it goes.
- */
- i = 0; /* now shows how much consumed */
- macSize = ssl3_keys->ulMacSizeInBits/8;
- effKeySize = ssl3_keys->ulKeySizeInBits/8;
- IVSize = ssl3_keys->ulIVSizeInBits/8;
- if (keySize == 0) {
- effKeySize = keySize;
- }
-
- /*
- * The key_block is partitioned as follows:
- * client_write_MAC_secret[CipherSpec.hash_size]
- */
- crv = pk11_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
- &ssl3_keys_out->hClientMacSecret);
- if (crv != CKR_OK)
- goto key_and_mac_derive_fail;
-
- i += macSize;
-
- /*
- * server_write_MAC_secret[CipherSpec.hash_size]
- */
- crv = pk11_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
- &ssl3_keys_out->hServerMacSecret);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
- i += macSize;
-
- if (keySize) {
- if (!ssl3_keys->bIsExport) {
- /*
- ** Generate Domestic write keys and IVs.
- ** client_write_key[CipherSpec.key_material]
- */
- crv = pk11_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
- keySize, &ssl3_keys_out->hClientKey);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
- i += keySize;
-
- /*
- ** server_write_key[CipherSpec.key_material]
- */
- crv = pk11_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
- keySize, &ssl3_keys_out->hServerKey);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
- i += keySize;
-
- /*
- ** client_write_IV[CipherSpec.IV_size]
- */
- PORT_Memcpy(ssl3_keys_out->pIVClient, &key_block[i], IVSize);
- i += IVSize;
-
- /*
- ** server_write_IV[CipherSpec.IV_size]
- */
- PORT_Memcpy(ssl3_keys_out->pIVServer, &key_block[i], IVSize);
- i += IVSize;
-
- } else if (!isTLS) {
-
- /*
- ** Generate SSL3 Export write keys and IVs.
- ** client_write_key[CipherSpec.key_material]
- ** final_client_write_key = MD5(client_write_key +
- ** ClientHello.random + ServerHello.random);
- */
- MD5_Begin(md5);
- MD5_Update(md5, &key_block[i], effKeySize);
- MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
- ssl3_keys->RandomInfo.ulClientRandomLen);
- MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom,
- ssl3_keys->RandomInfo.ulServerRandomLen);
- MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
- i += effKeySize;
- crv = pk11_buildSSLKey(hSession,key,PR_FALSE,key_block2,
- keySize,&ssl3_keys_out->hClientKey);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
-
- /*
- ** server_write_key[CipherSpec.key_material]
- ** final_server_write_key = MD5(server_write_key +
- ** ServerHello.random + ClientHello.random);
- */
- MD5_Begin(md5);
- MD5_Update(md5, &key_block[i], effKeySize);
- MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom,
- ssl3_keys->RandomInfo.ulServerRandomLen);
- MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
- ssl3_keys->RandomInfo.ulClientRandomLen);
- MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
- i += effKeySize;
- crv = pk11_buildSSLKey(hSession,key,PR_FALSE,key_block2,
- keySize,&ssl3_keys_out->hServerKey);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
-
- /*
- ** client_write_IV =
- ** MD5(ClientHello.random + ServerHello.random);
- */
- MD5_Begin(md5);
- MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
- ssl3_keys->RandomInfo.ulClientRandomLen);
- MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom,
- ssl3_keys->RandomInfo.ulServerRandomLen);
- MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
- PORT_Memcpy(ssl3_keys_out->pIVClient, key_block2, IVSize);
-
- /*
- ** server_write_IV =
- ** MD5(ServerHello.random + ClientHello.random);
- */
- MD5_Begin(md5);
- MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom,
- ssl3_keys->RandomInfo.ulServerRandomLen);
- MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
- ssl3_keys->RandomInfo.ulClientRandomLen);
- MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
- PORT_Memcpy(ssl3_keys_out->pIVServer, key_block2, IVSize);
-
- } else {
-
- /*
- ** Generate TLS Export write keys and IVs.
- */
- SECStatus status;
- SECItem secret = { siBuffer, NULL, 0 };
- SECItem crsr = { siBuffer, NULL, 0 };
- SECItem keyblk = { siBuffer, NULL, 0 };
- unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
-
- crsr.data = crsrdata;
- crsr.len = sizeof crsrdata;
-
- PORT_Memcpy(crsrdata,
- ssl3_keys->RandomInfo.pClientRandom,
- SSL3_RANDOM_LENGTH);
- PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH,
- ssl3_keys->RandomInfo.pServerRandom,
- SSL3_RANDOM_LENGTH);
-
-
- /*
- ** client_write_key[CipherSpec.key_material]
- ** final_client_write_key = PRF(client_write_key,
- ** "client write key",
- ** client_random + server_random);
- */
- secret.data = &key_block[i];
- secret.len = effKeySize;
- i += effKeySize;
- keyblk.data = key_block2;
- keyblk.len = sizeof key_block2;
- status = pk11_PRF(&secret, "client write key", &crsr, &keyblk);
- if (status != SECSuccess) {
- goto key_and_mac_derive_fail;
- }
- crv = pk11_buildSSLKey(hSession, key, PR_FALSE, key_block2,
- keySize, &ssl3_keys_out->hClientKey);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
-
- /*
- ** server_write_key[CipherSpec.key_material]
- ** final_server_write_key = PRF(server_write_key,
- ** "server write key",
- ** client_random + server_random);
- */
- secret.data = &key_block[i];
- secret.len = effKeySize;
- i += effKeySize;
- keyblk.data = key_block2;
- keyblk.len = sizeof key_block2;
- status = pk11_PRF(&secret, "server write key", &crsr, &keyblk);
- if (status != SECSuccess) {
- goto key_and_mac_derive_fail;
- }
- crv = pk11_buildSSLKey(hSession, key, PR_FALSE, key_block2,
- keySize, &ssl3_keys_out->hServerKey);
- if (crv != CKR_OK) {
- goto key_and_mac_derive_fail;
- }
-
- /*
- ** iv_block = PRF("", "IV block",
- ** client_random + server_random);
- ** client_write_IV[SecurityParameters.IV_size]
- ** server_write_IV[SecurityParameters.IV_size]
- */
- if (IVSize) {
- secret.data = NULL;
- secret.len = 0;
- keyblk.data = &key_block[i];
- keyblk.len = 2 * IVSize;
- status = pk11_PRF(&secret, "IV block", &crsr, &keyblk);
- if (status != SECSuccess) {
- goto key_and_mac_derive_fail;
- }
- PORT_Memcpy(ssl3_keys_out->pIVClient, keyblk.data, IVSize);
- PORT_Memcpy(ssl3_keys_out->pIVServer, keyblk.data + IVSize,
- IVSize);
- }
- }
- }
-
- crv = CKR_OK;
-
- if (0) {
-key_and_mac_derive_fail:
- if (crv == CKR_OK)
- crv = CKR_FUNCTION_FAILED;
- pk11_freeSSLKeys(hSession, ssl3_keys_out);
- }
- MD5_DestroyContext(md5, PR_TRUE);
- SHA1_DestroyContext(sha, PR_TRUE);
- pk11_FreeObject(key);
- key = NULL;
- break;
- }
-
- case CKM_CONCATENATE_BASE_AND_KEY:
- {
- PK11Object *newKey;
-
- crv = pk11_DeriveSensitiveCheck(sourceKey,key);
- if (crv != CKR_OK) break;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- crv = CKR_SESSION_HANDLE_INVALID;
- break;
- }
-
- newKey = pk11_ObjectFromHandle(*(CK_OBJECT_HANDLE *)
- pMechanism->pParameter,session);
- pk11_FreeSession(session);
- if ( newKey == NULL) {
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
-
- if (pk11_isTrue(newKey,CKA_SENSITIVE)) {
- crv = pk11_forceAttribute(newKey,CKA_SENSITIVE,&cktrue,
- sizeof(CK_BBOOL));
- if (crv != CKR_OK) {
- pk11_FreeObject(newKey);
- break;
- }
- }
-
- att2 = pk11_FindAttribute(newKey,CKA_VALUE);
- if (att2 == NULL) {
- pk11_FreeObject(newKey);
- crv = CKR_KEY_HANDLE_INVALID;
- break;
- }
- tmpKeySize = att->attrib.ulValueLen+att2->attrib.ulValueLen;
- if (keySize == 0) keySize = tmpKeySize;
- if (keySize > tmpKeySize) {
- pk11_FreeObject(newKey);
- pk11_FreeAttribute(att2);
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- buf = (unsigned char*)PORT_Alloc(tmpKeySize);
- if (buf == NULL) {
- pk11_FreeAttribute(att2);
- pk11_FreeObject(newKey);
- crv = CKR_HOST_MEMORY;
- break;
- }
-
- PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
- PORT_Memcpy(buf+att->attrib.ulValueLen,
- att2->attrib.pValue,att2->attrib.ulValueLen);
-
- crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
- PORT_ZFree(buf,tmpKeySize);
- pk11_FreeAttribute(att2);
- pk11_FreeObject(newKey);
- break;
- }
-
- case CKM_CONCATENATE_BASE_AND_DATA:
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
- tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
- if (keySize == 0) keySize = tmpKeySize;
- if (keySize > tmpKeySize) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- buf = (unsigned char*)PORT_Alloc(tmpKeySize);
- if (buf == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
-
- PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
- PORT_Memcpy(buf+att->attrib.ulValueLen,stringPtr->pData,
- stringPtr->ulLen);
-
- crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
- PORT_ZFree(buf,tmpKeySize);
- break;
- case CKM_CONCATENATE_DATA_AND_BASE:
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
- tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
- if (keySize == 0) keySize = tmpKeySize;
- if (keySize > tmpKeySize) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- buf = (unsigned char*)PORT_Alloc(tmpKeySize);
- if (buf == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
-
- PORT_Memcpy(buf,stringPtr->pData,stringPtr->ulLen);
- PORT_Memcpy(buf+stringPtr->ulLen,att->attrib.pValue,
- att->attrib.ulValueLen);
-
- crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
- PORT_ZFree(buf,tmpKeySize);
- break;
- case CKM_XOR_BASE_AND_DATA:
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
- tmpKeySize = PR_MIN(att->attrib.ulValueLen,stringPtr->ulLen);
- if (keySize == 0) keySize = tmpKeySize;
- if (keySize > tmpKeySize) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- buf = (unsigned char*)PORT_Alloc(keySize);
- if (buf == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
-
-
- PORT_Memcpy(buf,att->attrib.pValue,keySize);
- for (i=0; i < (int)keySize; i++) {
- buf[i] ^= stringPtr->pData[i];
- }
-
- crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
- PORT_ZFree(buf,keySize);
- break;
-
- case CKM_EXTRACT_KEY_FROM_KEY:
- {
- /* the following assumes 8 bits per byte */
- CK_ULONG extract = *(CK_EXTRACT_PARAMS *)pMechanism->pParameter;
- CK_ULONG shift = extract & 0x7; /* extract mod 8 the fast way */
- CK_ULONG offset = extract >> 3; /* extract div 8 the fast way */
-
- if (keySize == 0) {
- crv = CKR_TEMPLATE_INCOMPLETE;
- break;
- }
- /* make sure we have enough bits in the original key */
- if (att->attrib.ulValueLen <
- (offset + keySize + ((shift != 0)? 1 :0)) ) {
- crv = CKR_MECHANISM_PARAM_INVALID;
- break;
- }
- buf = (unsigned char*)PORT_Alloc(keySize);
- if (buf == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
-
- /* copy the bits we need into the new key */
- for (i=0; i < (int)keySize; i++) {
- unsigned char *value =
- ((unsigned char *)att->attrib.pValue)+offset+i;
- if (shift) {
- buf[i] = (value[0] << (shift)) | (value[1] >> (8 - shift));
- } else {
- buf[i] = value[0];
- }
- }
-
- crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
- PORT_ZFree(buf,keySize);
- break;
- }
- case CKM_MD2_KEY_DERIVATION:
- if (keySize == 0) keySize = MD2_LENGTH;
- if (keySize > MD2_LENGTH) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- /* now allocate the hash contexts */
- md2 = MD2_NewContext();
- if (md2 == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- MD2_Begin(md2);
- MD2_Update(md2,(const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- MD2_End(md2,key_block,&outLen,MD2_LENGTH);
- MD2_DestroyContext(md2, PR_TRUE);
-
- crv = pk11_forceAttribute (key,CKA_VALUE,key_block,keySize);
- break;
- case CKM_MD5_KEY_DERIVATION:
- if (keySize == 0) keySize = MD5_LENGTH;
- if (keySize > MD5_LENGTH) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- /* now allocate the hash contexts */
- md5 = MD5_NewContext();
- if (md5 == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- MD5_Begin(md5);
- MD5_Update(md5,(const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- MD5_End(md5,key_block,&outLen,MD5_LENGTH);
- MD5_DestroyContext(md5, PR_TRUE);
-
- crv = pk11_forceAttribute (key,CKA_VALUE,key_block,keySize);
- break;
- case CKM_SHA1_KEY_DERIVATION:
- if (keySize == 0) keySize = SHA1_LENGTH;
- if (keySize > SHA1_LENGTH) {
- crv = CKR_TEMPLATE_INCONSISTENT;
- break;
- }
- /* now allocate the hash contexts */
- sha = SHA1_NewContext();
- if (sha == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- SHA1_Begin(sha);
- SHA1_Update(sha,(const unsigned char*)att->attrib.pValue,
- att->attrib.ulValueLen);
- SHA1_End(sha,key_block,&outLen,SHA1_LENGTH);
- SHA1_DestroyContext(sha, PR_TRUE);
-
- crv = pk11_forceAttribute(key,CKA_VALUE,key_block,keySize);
- break;
-
- case CKM_DH_PKCS_DERIVE:
- {
- SECItem derived, dhPublic;
- SECItem dhPrime, dhValue;
- /* sourceKey - values for the local existing low key */
- /* get prime and value attributes */
- crv = pk11_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME);
- if (crv != SECSuccess) break;
- crv = pk11_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE);
- if (crv != SECSuccess) {
- PORT_Free(dhPrime.data);
- break;
- }
-
- dhPublic.data = pMechanism->pParameter;
- dhPublic.len = pMechanism->ulParameterLen;
-
- /* calculate private value - oct */
- rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
-
- PORT_Free(dhPrime.data);
- PORT_Free(dhValue.data);
-
- if (rv == SECSuccess) {
- pk11_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
- PORT_ZFree(derived.data, derived.len);
- } else
- crv = CKR_HOST_MEMORY;
-
- break;
- }
-
- default:
- crv = CKR_MECHANISM_INVALID;
- }
- pk11_FreeAttribute(att);
- pk11_FreeObject(sourceKey);
- if (crv != CKR_OK) {
- if (key) pk11_FreeObject(key);
- return crv;
- }
-
- /* link the key object into the list */
- if (key) {
- /* get the session */
- key->wasDerived = PR_TRUE;
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) {
- pk11_FreeObject(key);
- return CKR_HOST_MEMORY;
- }
-
- crv = pk11_handleObject(key,session);
- pk11_FreeSession(session);
- if (crv == CKR_OK) {
- *phKey = key->handle;
- return crv;
- }
- pk11_FreeObject(key);
- }
- return crv;
-}
-
-
-/* NSC_GetFunctionStatus obtains an updated status of a function running
- * in parallel with an application. */
-CK_RV NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
-{
- return CKR_FUNCTION_NOT_PARALLEL;
-}
-
-/* NSC_CancelFunction cancels a function running in parallel */
-CK_RV NSC_CancelFunction(CK_SESSION_HANDLE hSession)
-{
- return CKR_FUNCTION_NOT_PARALLEL;
-}
-
-/* NSC_GetOperationState saves the state of the cryptographic
- *operation in a session.
- * NOTE: This code only works for digest functions for now. eventually need
- * to add full flatten/resurect to our state stuff so that all types of state
- * can be saved */
-CK_RV NSC_GetOperationState(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen)
-{
- PK11SessionContext *context;
- PK11Session *session;
- CK_RV crv;
-
- /* make sure we're legal */
- crv = pk11_GetContext(hSession, &context, PK11_HASH, PR_TRUE, &session);
- if (crv != CKR_OK) return crv;
-
- *pulOperationStateLen = context->cipherInfoLen + sizeof(CK_MECHANISM_TYPE)
- + sizeof(PK11ContextType);
- if (pOperationState == NULL) {
- pk11_FreeSession(session);
- return CKR_OK;
- }
- PORT_Memcpy(pOperationState,&context->type,sizeof(PK11ContextType));
- pOperationState += sizeof(PK11ContextType);
- PORT_Memcpy(pOperationState,&context->currentMech,
- sizeof(CK_MECHANISM_TYPE));
- pOperationState += sizeof(CK_MECHANISM_TYPE);
- PORT_Memcpy(pOperationState,context->cipherInfo,context->cipherInfoLen);
- pk11_FreeSession(session);
- return CKR_OK;
-}
-
-
-#define pk11_Decrement(stateSize,len) \
- stateSize = ((stateSize) > (CK_ULONG)(len)) ? \
- ((stateSize) - (CK_ULONG)(len)) : 0;
-
-/* NSC_SetOperationState restores the state of the cryptographic
- * operation in a session. This is coded like it can restore lots of
- * states, but it only works for truly flat cipher structures. */
-CK_RV NSC_SetOperationState(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
- CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
-{
- PK11SessionContext *context;
- PK11Session *session;
- PK11ContextType type;
- CK_MECHANISM mech;
- CK_RV crv = CKR_OK;
-
- while (ulOperationStateLen != 0) {
- /* get what type of state we're dealing with... */
- PORT_Memcpy(&type,pOperationState, sizeof(PK11ContextType));
-
- /* fix up session contexts based on type */
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
- context = pk11_ReturnContextByType(session, type);
- pk11_SetContextByType(session, type, NULL);
- if (context) {
- pk11_FreeContext(context);
- }
- pOperationState += sizeof(PK11ContextType);
- pk11_Decrement(ulOperationStateLen,sizeof(PK11ContextType));
-
-
- /* get the mechanism structure */
- PORT_Memcpy(&mech.mechanism,pOperationState,sizeof(CK_MECHANISM_TYPE));
- pOperationState += sizeof(CK_MECHANISM_TYPE);
- pk11_Decrement(ulOperationStateLen, sizeof(CK_MECHANISM_TYPE));
- /* should be filled in... but not necessary for hash */
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
- switch (type) {
- case PK11_HASH:
- crv = NSC_DigestInit(hSession,&mech);
- if (crv != CKR_OK) break;
- crv = pk11_GetContext(hSession, &context, PK11_HASH, PR_TRUE,
- NULL);
- if (crv != CKR_OK) break;
- PORT_Memcpy(context->cipherInfo,pOperationState,
- context->cipherInfoLen);
- pOperationState += context->cipherInfoLen;
- pk11_Decrement(ulOperationStateLen,context->cipherInfoLen);
- break;
- default:
- /* do sign/encrypt/decrypt later */
- crv = CKR_SAVED_STATE_INVALID;
- }
- pk11_FreeSession(session);
- if (crv != CKR_OK) break;
- }
- return crv;
-}
-
-/* Dual-function cryptographic operations */
-
-/* NSC_DigestEncryptUpdate continues a multiple-part digesting and encryption
- * operation. */
-CK_RV NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen)
-{
- CK_RV crv;
-
- crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,
- pulEncryptedPartLen);
- if (crv != CKR_OK) return crv;
- crv = NSC_DigestUpdate(hSession,pPart,ulPartLen);
-
- return crv;
-}
-
-
-/* NSC_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation. */
-CK_RV NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
- CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
-{
- CK_RV crv;
-
- crv = NSC_DecryptUpdate(hSession,pEncryptedPart, ulEncryptedPartLen,
- pPart, pulPartLen);
- if (crv != CKR_OK) return crv;
- crv = NSC_DigestUpdate(hSession,pPart,*pulPartLen);
-
- return crv;
-}
-
-
-/* NSC_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation. */
-CK_RV NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen)
-{
- CK_RV crv;
-
- crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,
- pulEncryptedPartLen);
- if (crv != CKR_OK) return crv;
- crv = NSC_SignUpdate(hSession,pPart,ulPartLen);
-
- return crv;
-}
-
-
-/* NSC_DecryptVerifyUpdate continues a multiple-part decryption
- * and verify operation. */
-CK_RV NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
- CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
-{
- CK_RV crv;
-
- crv = NSC_DecryptUpdate(hSession,pEncryptedData, ulEncryptedDataLen,
- pData, pulDataLen);
- if (crv != CKR_OK) return crv;
- crv = NSC_VerifyUpdate(hSession, pData, *pulDataLen);
-
- return crv;
-}
-
-/* NSC_DigestKey continues a multi-part message-digesting operation,
- * by digesting the value of a secret key as part of the data already digested.
- */
-CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
-{
- PK11Session *session = NULL;
- PK11Object *key = NULL;
- PK11Attribute *att;
- CK_RV crv;
-
- session = pk11_SessionFromHandle(hSession);
- if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
- key = pk11_ObjectFromHandle(hKey,session);
- pk11_FreeSession(session);
- if (key == NULL) return CKR_KEY_HANDLE_INVALID;
-
- /* PUT ANY DIGEST KEY RESTRICTION CHECKS HERE */
-
- /* make sure it's a valid key for this operation */
- if (key->objclass != CKO_SECRET_KEY) {
- pk11_FreeObject(key);
- return CKR_KEY_TYPE_INCONSISTENT;
- }
- /* get the key value */
- att = pk11_FindAttribute(key,CKA_VALUE);
- pk11_FreeObject(key);
-
- crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
- att->attrib.ulValueLen);
- pk11_FreeAttribute(att);
- return crv;
-}
-
-
diff --git a/security/nss/lib/softoken/pkcs11f.h b/security/nss/lib/softoken/pkcs11f.h
deleted file mode 100644
index 71ee2676a..000000000
--- a/security/nss/lib/softoken/pkcs11f.h
+++ /dev/null
@@ -1,933 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* This function contains pretty much everything about all the */
-/* PKCS #11 function prototypes. Because this information is */
-/* used for more than just declaring function prototypes, the */
-/* order of the functions appearing herein is important, and */
-/* should not be altered. */
-
-
-
-/* General-purpose */
-
-/* C_Initialize initializes the PKCS #11 library. */
-CK_PKCS11_FUNCTION_INFO(C_Initialize)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
- * cast to CK_C_INITIALIZE_ARGS_PTR
- * and dereferenced */
-);
-#endif
-
-
-/* C_Finalize indicates that an application is done with the
- * PKCS #11 library. */
-CK_PKCS11_FUNCTION_INFO(C_Finalize)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
-);
-#endif
-
-
-/* C_GetInfo returns general information about PKCS #11. */
-CK_PKCS11_FUNCTION_INFO(C_GetInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_INFO_PTR pInfo /* location that receives information */
-);
-#endif
-
-
-/* C_GetFunctionList returns the function list. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
- * function list */
-);
-#endif
-
-
-
-/* Slot and token management */
-
-/* C_GetSlotList obtains a list of slots in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_BBOOL tokenPresent, /* only slots with tokens? */
- CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
- CK_ULONG_PTR pulCount /* receives number of slots */
-);
-#endif
-
-
-/* C_GetSlotInfo obtains information about a particular slot in
- * the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* the ID of the slot */
- CK_SLOT_INFO_PTR pInfo /* receives the slot information */
-);
-#endif
-
-
-/* C_GetTokenInfo obtains information about a particular token
- * in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_TOKEN_INFO_PTR pInfo /* receives the token information */
-);
-#endif
-
-
-/* C_GetMechanismList obtains a list of mechanism types
- * supported by a token. */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of token's slot */
- CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
- CK_ULONG_PTR pulCount /* gets # of mechs. */
-);
-#endif
-
-
-/* C_GetMechanismInfo obtains information about a particular
- * mechanism possibly supported by a token. */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_MECHANISM_TYPE type, /* type of mechanism */
- CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
-);
-#endif
-
-
-/* C_InitToken initializes a token. */
-CK_PKCS11_FUNCTION_INFO(C_InitToken)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* ID of the token's slot */
- CK_CHAR_PTR pPin, /* the SO's initial PIN */
- CK_ULONG ulPinLen, /* length in bytes of the PIN */
- CK_CHAR_PTR pLabel /* 32-byte token label (blank padded) */
-);
-#endif
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-CK_PKCS11_FUNCTION_INFO(C_InitPIN)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_CHAR_PTR pPin, /* the normal user's PIN */
- CK_ULONG ulPinLen /* length in bytes of the PIN */
-);
-#endif
-
-
-/* C_SetPIN modifies the PIN of the user who is logged in. */
-CK_PKCS11_FUNCTION_INFO(C_SetPIN)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_CHAR_PTR pOldPin, /* the old PIN */
- CK_ULONG ulOldLen, /* length of the old PIN */
- CK_CHAR_PTR pNewPin, /* the new PIN */
- CK_ULONG ulNewLen /* length of the new PIN */
-);
-#endif
-
-
-
-/* Session management */
-
-/* C_OpenSession opens a session between an application and a
- * token. */
-CK_PKCS11_FUNCTION_INFO(C_OpenSession)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID, /* the slot's ID */
- CK_FLAGS flags, /* from CK_SESSION_INFO */
- CK_VOID_PTR pApplication, /* passed to callback */
- CK_NOTIFY Notify, /* callback function */
- CK_SESSION_HANDLE_PTR phSession /* gets session handle */
-);
-#endif
-
-
-/* C_CloseSession closes a session between an application and a
- * token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseSession)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SLOT_ID slotID /* the token's slot */
-);
-#endif
-
-
-/* C_GetSessionInfo obtains information about the session. */
-CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_SESSION_INFO_PTR pInfo /* receives session info */
-);
-#endif
-
-
-/* C_GetOperationState obtains the state of the cryptographic operation
- * in a session. */
-CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pOperationState, /* gets state */
- CK_ULONG_PTR pulOperationStateLen /* gets state length */
-);
-#endif
-
-
-/* C_SetOperationState restores the state of the cryptographic
- * operation in a session. */
-CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pOperationState, /* holds state */
- CK_ULONG ulOperationStateLen, /* holds state length */
- CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
- CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
-);
-#endif
-
-
-/* C_Login logs a user into a token. */
-CK_PKCS11_FUNCTION_INFO(C_Login)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_USER_TYPE userType, /* the user type */
- CK_CHAR_PTR pPin, /* the user's PIN */
- CK_ULONG ulPinLen /* the length of the PIN */
-);
-#endif
-
-
-/* C_Logout logs a user out from a token. */
-CK_PKCS11_FUNCTION_INFO(C_Logout)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-
-/* Object management */
-
-/* C_CreateObject creates a new object. */
-CK_PKCS11_FUNCTION_INFO(C_CreateObject)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
- CK_ULONG ulCount, /* attributes in template */
- CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
-);
-#endif
-
-
-/* C_CopyObject copies an object, creating a new object for the
- * copy. */
-CK_PKCS11_FUNCTION_INFO(C_CopyObject)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
- CK_ULONG ulCount, /* attributes in template */
- CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
-);
-#endif
-
-
-/* C_DestroyObject destroys an object. */
-CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject /* the object's handle */
-);
-#endif
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ULONG_PTR pulSize /* receives size of object */
-);
-#endif
-
-
-/* C_GetAttributeValue obtains the value of one or more object
- * attributes. */
-CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
- CK_ULONG ulCount /* attributes in template */
-);
-#endif
-
-
-/* C_SetAttributeValue modifies the value of one or more object
- * attributes */
-CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hObject, /* the object's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
- CK_ULONG ulCount /* attributes in template */
-);
-#endif
-
-
-/* C_FindObjectsInit initializes a search for token and session
- * objects that match a template. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
- CK_ULONG ulCount /* attrs in search template */
-);
-#endif
-
-
-/* C_FindObjects continues a search for token and session
- * objects that match a template, obtaining additional object
- * handles. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjects)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
- CK_ULONG ulMaxObjectCount, /* max handles to get */
- CK_ULONG_PTR pulObjectCount /* actual # returned */
-);
-#endif
-
-
-/* C_FindObjectsFinal finishes a search for token and session
- * objects. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-
-/* Encryption and decryption */
-
-/* C_EncryptInit initializes an encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
- CK_OBJECT_HANDLE hKey /* handle of encryption key */
-);
-#endif
-
-
-/* C_Encrypt encrypts single-part data. */
-CK_PKCS11_FUNCTION_INFO(C_Encrypt)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pData, /* the plaintext data */
- CK_ULONG ulDataLen, /* bytes of plaintext */
- CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
- CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptUpdate continues a multiple-part encryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pPart, /* the plaintext data */
- CK_ULONG ulPartLen, /* plaintext data len */
- CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
- CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptFinal finishes a multiple-part encryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session handle */
- CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
- CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
-);
-#endif
-
-
-/* C_DecryptInit initializes a decryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
- CK_OBJECT_HANDLE hKey /* handle of decryption key */
-);
-#endif
-
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Decrypt)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pEncryptedData, /* ciphertext */
- CK_ULONG ulEncryptedDataLen, /* ciphertext length */
- CK_BYTE_PTR pData, /* gets plaintext */
- CK_ULONG_PTR pulDataLen /* gets p-text size */
-);
-#endif
-
-
-/* C_DecryptUpdate continues a multiple-part decryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pEncryptedPart, /* encrypted data */
- CK_ULONG ulEncryptedPartLen, /* input length */
- CK_BYTE_PTR pPart, /* gets plaintext */
- CK_ULONG_PTR pulPartLen /* p-text size */
-);
-#endif
-
-
-/* C_DecryptFinal finishes a multiple-part decryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pLastPart, /* gets plaintext */
- CK_ULONG_PTR pulLastPartLen /* p-text size */
-);
-#endif
-
-
-
-/* Message digesting */
-
-/* C_DigestInit initializes a message-digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
-);
-#endif
-
-
-/* C_Digest digests data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Digest)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* data to be digested */
- CK_ULONG ulDataLen, /* bytes of data to digest */
- CK_BYTE_PTR pDigest, /* gets the message digest */
- CK_ULONG_PTR pulDigestLen /* gets digest length */
-);
-#endif
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* data to be digested */
- CK_ULONG ulPartLen /* bytes of data to be digested */
-);
-#endif
-
-
-/* C_DigestKey continues a multi-part message-digesting
- * operation, by digesting the value of a secret key as part of
- * the data already digested. */
-CK_PKCS11_FUNCTION_INFO(C_DigestKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_OBJECT_HANDLE hKey /* secret key to digest */
-);
-#endif
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pDigest, /* gets the message digest */
- CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
-);
-#endif
-
-
-
-/* Signing and MACing */
-
-/* C_SignInit initializes a signature (private key encryption)
- * operation, where the signature is (will be) an appendix to
- * the data, and plaintext cannot be recovered from the
- *signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
- CK_OBJECT_HANDLE hKey /* handle of signature key */
-);
-#endif
-
-
-/* C_Sign signs (encrypts with private key) data in a single
- * part, where the signature is (will be) an appendix to the
- * data, and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_Sign)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* the data to sign */
- CK_ULONG ulDataLen, /* count of bytes to sign */
- CK_BYTE_PTR pSignature, /* gets the signature */
- CK_ULONG_PTR pulSignatureLen /* gets signature length */
-);
-#endif
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* the data to sign */
- CK_ULONG ulPartLen /* count of bytes to sign */
-);
-#endif
-
-
-/* C_SignFinal finishes a multiple-part signature operation,
- * returning the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSignature, /* gets the signature */
- CK_ULONG_PTR pulSignatureLen /* gets signature length */
-);
-#endif
-
-
-/* C_SignRecoverInit initializes a signature operation, where
- * the data can be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
- CK_OBJECT_HANDLE hKey /* handle of the signature key */
-);
-#endif
-
-
-/* C_SignRecover signs data in a single operation, where the
- * data can be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* the data to sign */
- CK_ULONG ulDataLen, /* count of bytes to sign */
- CK_BYTE_PTR pSignature, /* gets the signature */
- CK_ULONG_PTR pulSignatureLen /* gets signature length */
-);
-#endif
-
-
-
-/* Verifying signatures and MACs */
-
-/* C_VerifyInit initializes a verification operation, where the
- * signature is an appendix to the data, and plaintext cannot
- * cannot be recovered from the signature (e.g. DSA). */
-CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
- CK_OBJECT_HANDLE hKey /* verification key */
-);
-#endif
-
-
-/* C_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data, and plaintext
- * cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_Verify)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pData, /* signed data */
- CK_ULONG ulDataLen, /* length of signed data */
- CK_BYTE_PTR pSignature, /* signature */
- CK_ULONG ulSignatureLen /* signature length*/
-);
-#endif
-
-
-/* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pPart, /* signed data */
- CK_ULONG ulPartLen /* length of signed data */
-);
-#endif
-
-
-/* C_VerifyFinal finishes a multiple-part verification
- * operation, checking the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSignature, /* signature to verify */
- CK_ULONG ulSignatureLen /* signature length */
-);
-#endif
-
-
-/* C_VerifyRecoverInit initializes a signature verification
- * operation, where the data is recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
- CK_OBJECT_HANDLE hKey /* verification key */
-);
-#endif
-
-
-/* C_VerifyRecover verifies a signature in a single-part
- * operation, where the data is recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSignature, /* signature to verify */
- CK_ULONG ulSignatureLen, /* signature length */
- CK_BYTE_PTR pData, /* gets signed data */
- CK_ULONG_PTR pulDataLen /* gets signed data len */
-);
-#endif
-
-
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting
- * and encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pPart, /* the plaintext data */
- CK_ULONG ulPartLen, /* plaintext length */
- CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
- CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pEncryptedPart, /* ciphertext */
- CK_ULONG ulEncryptedPartLen, /* ciphertext length */
- CK_BYTE_PTR pPart, /* gets plaintext */
- CK_ULONG_PTR pulPartLen /* gets plaintext len */
-);
-#endif
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pPart, /* the plaintext data */
- CK_ULONG ulPartLen, /* plaintext length */
- CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
- CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_BYTE_PTR pEncryptedPart, /* ciphertext */
- CK_ULONG ulEncryptedPartLen, /* ciphertext length */
- CK_BYTE_PTR pPart, /* gets plaintext */
- CK_ULONG_PTR pulPartLen /* gets p-text length */
-);
-#endif
-
-
-
-/* Key management */
-
-/* C_GenerateKey generates a secret key, creating a new key
- * object. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* key generation mech. */
- CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
- CK_ULONG ulCount, /* # of attrs in template */
- CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
-);
-#endif
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session
- * handle */
- CK_MECHANISM_PTR pMechanism, /* key-gen
- * mech. */
- CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
- * for pub.
- * key */
- CK_ULONG ulPublicKeyAttributeCount, /* # pub.
- * attrs. */
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
- * for priv.
- * key */
- CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
- * attrs. */
- CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
- * key
- * handle */
- CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
- * priv. key
- * handle */
-);
-#endif
-
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
- CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
- CK_OBJECT_HANDLE hKey, /* key to be wrapped */
- CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
- CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
-);
-#endif
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
- * key object. */
-CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
- CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
- CK_BYTE_PTR pWrappedKey, /* the wrapped key */
- CK_ULONG ulWrappedKeyLen, /* wrapped key len */
- CK_ATTRIBUTE_PTR pTemplate, /* new key template */
- CK_ULONG ulAttributeCount, /* template length */
- CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
-);
-#endif
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key
- * object. */
-CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* session's handle */
- CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
- CK_OBJECT_HANDLE hBaseKey, /* base key */
- CK_ATTRIBUTE_PTR pTemplate, /* new key template */
- CK_ULONG ulAttributeCount, /* template length */
- CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
-);
-#endif
-
-
-
-/* Random number generation */
-
-/* C_SeedRandom mixes additional seed material into the token's
- * random number generator. */
-CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR pSeed, /* the seed material */
- CK_ULONG ulSeedLen /* length of seed material */
-);
-#endif
-
-
-/* C_GenerateRandom generates random data. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_BYTE_PTR RandomData, /* receives the random data */
- CK_ULONG ulRandomLen /* # of bytes to generate */
-);
-#endif
-
-
-
-/* Parallel function management */
-
-/* C_GetFunctionStatus is a legacy function; it obtains an
- * updated status of a function running in parallel with an
- * application. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-/* C_CancelFunction is a legacy function; it cancels a function
- * running in parallel. */
-CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE hSession /* the session's handle */
-);
-#endif
-
-
-
-/* Functions added in for PKCS #11 Version 2.01 or later */
-
-/* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur. */
-CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_FLAGS flags, /* blocking/nonblocking flag */
- CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
- CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
-);
-#endif
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
deleted file mode 100644
index 495817aef..000000000
--- a/security/nss/lib/softoken/pkcs11i.h
+++ /dev/null
@@ -1,428 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Internal data structures and functions used by pkcs11.c
- */
-#ifndef _PKCS11I_H_
-#define _PKCS11I_H_ 1
-
-#include "prlock.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "keytlow.h"
-#include "pkcs11t.h"
-
-#define PKCS11_USE_THREADS
-
-#define NO_ARENA
-#define MAX_OBJS_ATTRS 45
-#define ATTR_SPACE 50 /* hold up to a SSL premaster secret */
-
-
-#ifdef PKCS11_USE_THREADS
-#define PK11_USE_THREADS(x) x
-#else
-#define PK11_USE_THREADS(x)
-#endif
-
-/* define typedefs, double as forward declarations as well */
-typedef struct PK11AttributeStr PK11Attribute;
-typedef struct PK11ObjectListStr PK11ObjectList;
-typedef struct PK11ObjectListElementStr PK11ObjectListElement;
-typedef struct PK11ObjectStr PK11Object;
-typedef struct PK11SessionStr PK11Session;
-typedef struct PK11SlotStr PK11Slot;
-typedef struct PK11SessionContextStr PK11SessionContext;
-typedef struct PK11SearchResultsStr PK11SearchResults;
-typedef struct PK11HashVerifyInfoStr PK11HashVerifyInfo;
-typedef struct PK11HashSignInfoStr PK11HashSignInfo;
-typedef struct PK11SSLMACInfoStr PK11SSLMACInfo;
-
-/* define function pointer typdefs for pointer tables */
-typedef void (*PK11Destroy)(void *, PRBool);
-typedef void (*PK11Begin)(void *);
-typedef SECStatus (*PK11Cipher)(void *,void *,unsigned int *,unsigned int,
- void *, unsigned int);
-typedef SECStatus (*PK11Verify)(void *,void *,unsigned int,void *,unsigned int);
-typedef void (*PK11Hash)(void *,void *,unsigned int);
-typedef void (*PK11End)(void *,void *,unsigned int *,unsigned int);
-typedef void (*PK11Free)(void *);
-
-/*
- * these are data base storage hashes, not cryptographic hashes.. The define
- * the effective size of the various object hash tables
- */
-#define ATTRIBUTE_HASH_SIZE 32
-#define SESSION_OBJECT_HASH_SIZE 32
-#define TOKEN_OBJECT_HASH_SIZE 1024
-#define SESSION_HASH_SIZE 512
-#define MAX_KEY_LEN 256
-#define MAX_OBJECT_LIST_SIZE 800
-
-/* Value to tell if an attribute is modifiable or not.
- * NEVER: attribute is only set on creation.
- * ONCOPY: attribute is set on creation and can only be changed on copy.
- * SENSITIVE: attribute can only be changed to TRUE.
- * ALWAYS: attribute can always be changed.
- */
-typedef enum {
- PK11_NEVER = 0,
- PK11_ONCOPY = 1,
- PK11_SENSITIVE = 2,
- PK11_ALWAYS = 3
-} PK11ModifyType;
-
-/*
- * Free Status Enum... tell us more information when we think we're
- * deleting an object.
- */
-typedef enum {
- PK11_DestroyFailure,
- PK11_Destroyed,
- PK11_Busy
-} PK11FreeStatus;
-
-/*
- * attribute values of an object.
- */
-struct PK11AttributeStr {
- PK11Attribute *next;
- PK11Attribute *prev;
-#ifdef REF_COUNT_ATTRIBUTE
- int refCount;
- PRLock *refLock;
-#endif
- /*must be called handle to make pk11queue_find work */
- CK_ATTRIBUTE_TYPE handle;
- CK_ATTRIBUTE attrib;
-#ifdef NO_ARENA
- unsigned char space[ATTR_SPACE];
-#endif
-};
-
-
-/*
- * doubly link list of objects
- */
-struct PK11ObjectListStr {
- PK11ObjectList *next;
- PK11ObjectList *prev;
- PK11Object *parent;
-};
-
-/*
- * PKCS 11 crypto object structure
- */
-struct PK11ObjectStr {
- PK11Object *next;
- PK11Object *prev;
- PK11ObjectList sessionList;
- CK_OBJECT_HANDLE handle;
-#ifdef NO_ARENA
- int nextAttr;
-#else
- PLArenaPool *arena;
-#endif
- int refCount;
- PRLock *refLock;
- PRLock *attributeLock;
- PK11Session *session;
- PK11Slot *slot;
- CK_OBJECT_CLASS objclass;
- void *objectInfo;
- PK11Free infoFree;
- char *label;
- PRBool inDB;
- PRBool wasDerived;
- PK11Attribute *head[ATTRIBUTE_HASH_SIZE];
-#ifdef NO_ARENA
- PK11Attribute attrList[MAX_OBJS_ATTRS];
-#endif
-};
-
-/*
- * struct to deal with a temparary list of objects
- */
-struct PK11ObjectListElementStr {
- PK11ObjectListElement *next;
- PK11Object *object;
-};
-
-/*
- * Area to hold Search results
- */
-struct PK11SearchResultsStr {
- CK_OBJECT_HANDLE *handles;
- int size;
- int index;
-};
-
-
-/*
- * the universal crypto/hash/sign/verify context structure
- */
-typedef enum {
- PK11_ENCRYPT,
- PK11_DECRYPT,
- PK11_HASH,
- PK11_SIGN,
- PK11_SIGN_RECOVER,
- PK11_VERIFY,
- PK11_VERIFY_RECOVER
-} PK11ContextType;
-
-
-#define PK11_MAX_BLOCK_SIZE 16
-/* currently SHA1 is the biggest hash length */
-#define PK11_MAX_MAC_LENGTH 20
-#define PK11_INVALID_MAC_SIZE 0xffffffff
-
-struct PK11SessionContextStr {
- PK11ContextType type;
- PRBool multi; /* is multipart */
- PRBool doPad; /* use PKCS padding for block ciphers */
- unsigned int blockSize; /* blocksize for padding */
- unsigned int padDataLength; /* length of the valid data in padbuf */
- unsigned char padBuf[PK11_MAX_BLOCK_SIZE];
- unsigned char macBuf[PK11_MAX_BLOCK_SIZE];
- CK_ULONG macSize; /* size of a general block cipher mac*/
- void *cipherInfo;
- void *hashInfo;
- unsigned int cipherInfoLen;
- CK_MECHANISM_TYPE currentMech;
- PK11Cipher update;
- PK11Hash hashUpdate;
- PK11End end;
- PK11Destroy destroy;
- PK11Destroy hashdestroy;
- PK11Verify verify;
- unsigned int maxLen;
-};
-
-/*
- * Sessions (have objects)
- */
-struct PK11SessionStr {
- PK11Session *next;
- PK11Session *prev;
- CK_SESSION_HANDLE handle;
- int refCount;
- PRLock *refLock;
- PRLock *objectLock;
- int objectIDCount;
- CK_SESSION_INFO info;
- CK_NOTIFY notify;
- CK_VOID_PTR appData;
- PK11Slot *slot;
- PK11SearchResults *search;
- PK11SessionContext *enc_context;
- PK11SessionContext *hash_context;
- PK11SessionContext *sign_context;
- PK11ObjectList *objects[1];
-};
-
-/*
- * slots (have sessions and objects)
- */
-struct PK11SlotStr {
- CK_SLOT_ID slotID;
- PRLock *sessionLock;
- PRLock *objectLock;
- SECItem *password;
- PRBool hasTokens;
- PRBool isLoggedIn;
- PRBool ssoLoggedIn;
- PRBool needLogin;
- PRBool DB_loaded;
- int sessionIDCount;
- int sessionCount;
- int rwSessionCount;
- int tokenIDCount;
- PK11Object *tokObjects[TOKEN_OBJECT_HASH_SIZE];
- PK11Session *head[SESSION_HASH_SIZE];
-};
-
-/*
- * special joint operations Contexts
- */
-struct PK11HashVerifyInfoStr {
- SECOidTag hashOid;
- SECKEYLowPublicKey *key;
-};
-
-struct PK11HashSignInfoStr {
- SECOidTag hashOid;
- SECKEYLowPrivateKey *key;
-};
-
-/* context for the Final SSLMAC message */
-struct PK11SSLMACInfoStr {
- void *hashContext;
- PK11Begin begin;
- PK11Hash update;
- PK11End end;
- CK_ULONG macSize;
- int padSize;
- unsigned char key[MAX_KEY_LEN];
- unsigned int keySize;
-};
-
-/*
- * session handle modifiers
- */
-#define PK11_PRIVATE_KEY_FLAG 0x80000000L
-#define PK11_FIPS_FLAG 0x40000000L
-
-/*
- * object handle modifiers
- */
-#define PK11_TOKEN_MASK 0x80000000L
-#define PK11_TOKEN_MAGIC 0x80000000L
-#define PK11_TOKEN_TYPE_MASK 0x70000000L
-#define PK11_TOKEN_TYPE_CERT 0x00000000L
-#define PK11_TOKEN_TYPE_PRIV 0x10000000L
-#define PK11_TOKEN_TYPE_PUB 0x20000000L
-
-/* how big a password/pin we can deal with */
-#define PK11_MAX_PIN 255
-
-/* slot ID's */
-#define NETSCAPE_SLOT_ID 1
-#define PRIVATE_KEY_SLOT_ID 2
-#define FIPS_SLOT_ID 3
-
-/* slot helper macros */
-#define pk11_SlotFromSession(sp) ((sp)->slot)
-#define pk11_isToken(id) (((id) & PK11_TOKEN_MASK) == PK11_TOKEN_MAGIC)
-
-/* queueing helper macros */
-#define pk11_hash(value,size) ((value) & (size-1))/*size must be a power of 2*/
-#define pk11queue_add(element,id,head,hash_size) \
- { int tmp = pk11_hash(id,hash_size); \
- (element)->next = (head)[tmp]; \
- (element)->prev = NULL; \
- if ((head)[tmp]) (head)[tmp]->prev = (element); \
- (head)[tmp] = (element); }
-#define pk11queue_find(element,id,head,hash_size) \
- for( (element) = (head)[pk11_hash(id,hash_size)]; (element) != NULL; \
- (element) = (element)->next) { \
- if ((element)->handle == (id)) { break; } }
-#define pk11queue_is_queued(element,id,head,hash_size) \
- ( ((element)->next) || ((element)->prev) || \
- ((head)[pk11_hash(id,hash_size)] == (element)) )
-#define pk11queue_delete(element,id,head,hash_size) \
- if ((element)->next) (element)->next->prev = (element)->prev; \
- if ((element)->prev) (element)->prev->next = (element)->next; \
- else (head)[pk11_hash(id,hash_size)] = ((element)->next); \
- (element)->next = NULL; \
- (element)->prev = NULL; \
-
-/* expand an attribute & secitem structures out */
-#define pk11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
-#define pk11_item_expand(ip) (ip)->data,(ip)->len
-
-SEC_BEGIN_PROTOS
-
-/* shared functions between PKCS11.c and PK11FIPS.c */
-extern CK_RV PK11_LowInitialize(CK_VOID_PTR pReserved);
-extern CK_RV PK11_SlotInit(CK_SLOT_ID slotID, PRBool needLogin);
-
-/* internal utility functions used by pkcs11.c */
-extern PK11Attribute *pk11_FindAttribute(PK11Object *object,
- CK_ATTRIBUTE_TYPE type);
-extern void pk11_FreeAttribute(PK11Attribute *attribute);
-extern CK_RV pk11_AddAttributeType(PK11Object *object, CK_ATTRIBUTE_TYPE type,
- void *valPtr,
- CK_ULONG length);
-extern CK_RV pk11_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
- PK11Object *object, CK_ATTRIBUTE_TYPE type);
-extern PRBool pk11_hasAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type);
-extern PRBool pk11_isTrue(PK11Object *object, CK_ATTRIBUTE_TYPE type);
-extern void pk11_DeleteAttributeType(PK11Object *object,
- CK_ATTRIBUTE_TYPE type);
-extern CK_RV pk11_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
- PK11Object *object, CK_ATTRIBUTE_TYPE type);
-extern CK_RV pk11_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
- PK11Object *object,
- CK_ATTRIBUTE_TYPE type);
-extern PK11ModifyType pk11_modifyType(CK_ATTRIBUTE_TYPE type,
- CK_OBJECT_CLASS inClass);
-extern PRBool pk11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
-extern char *pk11_getString(PK11Object *object, CK_ATTRIBUTE_TYPE type);
-extern void pk11_nullAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type);
-extern CK_RV pk11_forceAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
- void *value, unsigned int len);
-extern CK_RV pk11_defaultAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
- void *value, unsigned int len);
-
-extern PK11Object *pk11_NewObject(PK11Slot *slot);
-extern CK_RV pk11_CopyObject(PK11Object *destObject, PK11Object *srcObject);
-extern PK11FreeStatus pk11_FreeObject(PK11Object *object);
-extern void pk11_DeleteObject(PK11Session *session, PK11Object *object);
-extern void pk11_ReferenceObject(PK11Object *object);
-extern PK11Object *pk11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
- PK11Session *session);
-extern void pk11_AddSlotObject(PK11Slot *slot, PK11Object *object);
-extern void pk11_AddObject(PK11Session *session, PK11Object *object);
-
-extern CK_RV pk11_searchObjectList(PK11ObjectListElement **objectList,
- PK11Object **head, PRLock *lock,
- CK_ATTRIBUTE_PTR inTemplate, int count,
- PRBool isLoggedIn);
-extern PK11ObjectListElement *pk11_FreeObjectListElement(
- PK11ObjectListElement *objectList);
-extern void pk11_FreeObjectList(PK11ObjectListElement *objectList);
-extern void pk11_FreeSearch(PK11SearchResults *search);
-extern CK_RV pk11_handleObject(PK11Object *object, PK11Session *session);
-
-extern PK11Slot *pk11_SlotFromID(CK_SLOT_ID slotID);
-extern PK11Slot *pk11_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
-extern PK11Session *pk11_SessionFromHandle(CK_SESSION_HANDLE handle);
-extern void pk11_FreeSession(PK11Session *session);
-extern PK11Session *pk11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
- CK_VOID_PTR pApplication, CK_FLAGS flags);
-extern void pk11_update_state(PK11Slot *slot,PK11Session *session);
-extern void pk11_update_all_states(PK11Slot *slot);
-extern void pk11_FreeContext(PK11SessionContext *context);
-
-extern SECKEYLowPublicKey *pk11_GetPubKey(PK11Object *object,
- CK_KEY_TYPE key_type);
-extern SECKEYLowPrivateKey *pk11_GetPrivKey(PK11Object *object,
- CK_KEY_TYPE key_type);
-extern void pk11_FormatDESKey(unsigned char *key, int length);
-extern PRBool pk11_CheckDESKey(unsigned char *key);
-extern PRBool pk11_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
-
-SEC_END_PROTOS
-
-#endif /* _PKCS11I_H_ */
diff --git a/security/nss/lib/softoken/pkcs11p.h b/security/nss/lib/softoken/pkcs11p.h
deleted file mode 100644
index 9876ad3ac..000000000
--- a/security/nss/lib/softoken/pkcs11p.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* these data types are platform/implementation dependent. */
-/*
- * Packing was removed from the shipped RSA header files, even
- * though it's still needed. put in a central file to help merging..
- */
-#if defined(XP_WIN)
-#if defined(_WIN32)
-#pragma warning(disable:4103)
-#pragma pack(push, cryptoki, 1)
-#endif
-#endif
diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h
deleted file mode 100644
index 254b6dd1e..000000000
--- a/security/nss/lib/softoken/pkcs11t.h
+++ /dev/null
@@ -1,1115 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* See top of pkcs11.h for information about the macros that
- * must be defined and the structure-packing conventions that
- * must be set before including this file.
- */
-
-#ifndef _PKCS11T_H_
-#define _PKCS11T_H_ 1
-
-#ifndef CK_FALSE
-#define CK_FALSE 0
-#endif
-
-#ifndef CK_TRUE
-#define CK_TRUE (!CK_FALSE)
-#endif
-
-#include "prtypes.h"
-
-#define CK_PTR *
-#define CK_NULL_PTR 0
-#define CK_CALLBACK_FUNCTION(rv,func) rv (PR_CALLBACK * func)
-#define CK_DECLARE_FUNCTION(rv,func) PR_EXTERN(rv) func
-#define CK_DECLARE_FUNCTION_POINTER(rv,func) rv (PR_CALLBACK * func)
-
-/* an unsigned 8-bit value */
-typedef unsigned char CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE CK_CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
-typedef long int CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE 0
-
-
-typedef CK_BYTE CK_PTR CK_BYTE_PTR;
-typedef CK_CHAR CK_PTR CK_CHAR_PTR;
-typedef CK_ULONG CK_PTR CK_ULONG_PTR;
-typedef void CK_PTR CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
-
-
-/* pack */
-#include "pkcs11p.h"
-
-typedef struct CK_VERSION {
- CK_BYTE major; /* integer portion of version number */
- CK_BYTE minor; /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
- CK_VERSION cryptokiVersion; /* PKCS #11 interface ver */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_FLAGS flags; /* must be zero */
-
- /* libraryDescription and libraryVersion are new for v2.0 */
- CK_CHAR libraryDescription[32]; /* blank padded */
- CK_VERSION libraryVersion; /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * PKCS #11 provides to an application */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER 0
-
-
-typedef CK_ULONG CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
- CK_CHAR slotDescription[64]; /* blank padded */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_FLAGS flags;
-
- /* hardwareVersion and firmwareVersion are new for v2.0 */
- CK_VERSION hardwareVersion; /* version of hardware */
- CK_VERSION firmwareVersion; /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- * Bit Flag Mask Meaning
- */
-#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
-#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
-#define CKF_HW_SLOT 0x00000004 /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
- CK_CHAR label[32]; /* blank padded */
- CK_CHAR manufacturerID[32]; /* blank padded */
- CK_CHAR model[16]; /* blank padded */
- CK_CHAR serialNumber[16]; /* blank padded */
- CK_FLAGS flags; /* see below */
-
- /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
- * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
- * changed from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulMaxSessionCount; /* max open sessions */
- CK_ULONG ulSessionCount; /* sess. now open */
- CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
- CK_ULONG ulRwSessionCount; /* R/W sess. now open */
- CK_ULONG ulMaxPinLen; /* in bytes */
- CK_ULONG ulMinPinLen; /* in bytes */
- CK_ULONG ulTotalPublicMemory; /* in bytes */
- CK_ULONG ulFreePublicMemory; /* in bytes */
- CK_ULONG ulTotalPrivateMemory; /* in bytes */
- CK_ULONG ulFreePrivateMemory; /* in bytes */
-
- /* hardwareVersion, firmwareVersion, and time are new for
- * v2.0 */
- CK_VERSION hardwareVersion; /* version of hardware */
- CK_VERSION firmwareVersion; /* version of firmware */
- CK_CHAR utcTime[16]; /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- * Bit Flag Mask Meaning
- */
-#define CKF_RNG 0x00000001 /* has random #
- * generator */
-#define CKF_WRITE_PROTECTED 0x00000002 /* token is
- * write-
- * protected */
-#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
- * login */
-#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
- * PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state */
-#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
-
-/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
- * that the token has some sort of clock. The time on that
- * clock is returned in the token info structure */
-#define CKF_CLOCK_ON_TOKEN 0x00000040
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the PKCS #11 library itself */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a PKCS #11-assigned value that
- * identifies a session */
-typedef CK_ULONG CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of PKCS #11 users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO 0
-/* Normal user */
-#define CKU_USER 1
-
-
-/* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_STATE;
-#define CKS_RO_PUBLIC_SESSION 0
-#define CKS_RO_USER_FUNCTIONS 1
-#define CKS_RW_PUBLIC_SESSION 2
-#define CKS_RW_USER_FUNCTIONS 3
-#define CKS_RW_SO_FUNCTIONS 4
-
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
- CK_SLOT_ID slotID;
- CK_STATE state;
- CK_FLAGS flags; /* see below */
-
- /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulDeviceError; /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- * Bit Flag Mask Meaning
- */
-#define CKF_RW_SESSION 0x00000002 /* session is r/w */
-#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object */
-typedef CK_ULONG CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that PKCS #11 recognizes. It is defined
- * as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-#define CKO_DATA 0x00000000
-#define CKO_CERTIFICATE 0x00000001
-#define CKO_PUBLIC_KEY 0x00000002
-#define CKO_PRIVATE_KEY 0x00000003
-#define CKO_SECRET_KEY 0x00000004
-#define CKO_VENDOR_DEFINED 0x80000000
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA 0x00000000
-#define CKK_DSA 0x00000001
-#define CKK_DH 0x00000002
-
-/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-
-/* PKCS #11 V2.01 probably won't actually have ECDSA in it */
-#define CKK_ECDSA 0x00000003
-
-#define CKK_KEA 0x00000005
-
-#define CKK_GENERIC_SECRET 0x00000010
-#define CKK_RC2 0x00000011
-#define CKK_RC4 0x00000012
-#define CKK_DES 0x00000013
-#define CKK_DES2 0x00000014
-#define CKK_DES3 0x00000015
-
-/* all these key types are new for v2.0 */
-#define CKK_CAST 0x00000016
-#define CKK_CAST3 0x00000017
-#define CKK_CAST5 0x00000018
-#define CKK_CAST128 0x00000018 /* CAST128=CAST5 */
-#define CKK_RC5 0x00000019
-#define CKK_IDEA 0x0000001A
-#define CKK_SKIPJACK 0x0000001B
-#define CKK_BATON 0x0000001C
-#define CKK_JUNIPER 0x0000001D
-#define CKK_CDMF 0x0000001E
-
-#define CKK_VENDOR_DEFINED 0x80000000
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_CERTIFICATE_TYPE;
-
-/* The following certificate types are defined: */
-#define CKC_X_509 0x00000000
-#define CKC_VENDOR_DEFINED 0x80000000
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_ATTRIBUTE_TYPE;
-
-/* The following attribute types are defined: */
-#define CKA_CLASS 0x00000000
-#define CKA_TOKEN 0x00000001
-#define CKA_PRIVATE 0x00000002
-#define CKA_LABEL 0x00000003
-#define CKA_APPLICATION 0x00000010
-#define CKA_VALUE 0x00000011
-#define CKA_CERTIFICATE_TYPE 0x00000080
-#define CKA_ISSUER 0x00000081
-#define CKA_SERIAL_NUMBER 0x00000082
-#define CKA_KEY_TYPE 0x00000100
-#define CKA_SUBJECT 0x00000101
-#define CKA_ID 0x00000102
-#define CKA_SENSITIVE 0x00000103
-#define CKA_ENCRYPT 0x00000104
-#define CKA_DECRYPT 0x00000105
-#define CKA_WRAP 0x00000106
-#define CKA_UNWRAP 0x00000107
-#define CKA_SIGN 0x00000108
-#define CKA_SIGN_RECOVER 0x00000109
-#define CKA_VERIFY 0x0000010A
-#define CKA_VERIFY_RECOVER 0x0000010B
-#define CKA_DERIVE 0x0000010C
-#define CKA_START_DATE 0x00000110
-#define CKA_END_DATE 0x00000111
-#define CKA_MODULUS 0x00000120
-#define CKA_MODULUS_BITS 0x00000121
-#define CKA_PUBLIC_EXPONENT 0x00000122
-#define CKA_PRIVATE_EXPONENT 0x00000123
-#define CKA_PRIME_1 0x00000124
-#define CKA_PRIME_2 0x00000125
-#define CKA_EXPONENT_1 0x00000126
-#define CKA_EXPONENT_2 0x00000127
-#define CKA_COEFFICIENT 0x00000128
-#define CKA_PRIME 0x00000130
-#define CKA_SUBPRIME 0x00000131
-#define CKA_BASE 0x00000132
-#define CKA_VALUE_BITS 0x00000160
-#define CKA_VALUE_LEN 0x00000161
-
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
- * CKA_ALWAYS_SENSITIVE, and CKA_MODIFIABLE are new for v2.0 */
-#define CKA_EXTRACTABLE 0x00000162
-#define CKA_LOCAL 0x00000163
-#define CKA_NEVER_EXTRACTABLE 0x00000164
-#define CKA_ALWAYS_SENSITIVE 0x00000165
-#define CKA_MODIFIABLE 0x00000170
-
-#define CKA_VENDOR_DEFINED 0x80000000
-
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute */
-typedef struct CK_ATTRIBUTE {
- CK_ATTRIBUTE_TYPE type;
- CK_VOID_PTR pValue;
-
- /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
- CK_ULONG ulValueLen; /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
- CK_CHAR year[4]; /* the year ("1900" - "9999") */
- CK_CHAR month[2]; /* the month ("01" - "12") */
- CK_CHAR day[2]; /* the day ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
-#define CKM_RSA_PKCS 0x00000001
-#define CKM_RSA_9796 0x00000002
-#define CKM_RSA_X_509 0x00000003
-
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
- * are new for v2.0. They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS 0x00000004
-#define CKM_MD5_RSA_PKCS 0x00000005
-#define CKM_SHA1_RSA_PKCS 0x00000006
-
-#define CKM_DSA_KEY_PAIR_GEN 0x00000010
-#define CKM_DSA 0x00000011
-#define CKM_DSA_SHA1 0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
-#define CKM_DH_PKCS_DERIVE 0x00000021
-#define CKM_RC2_KEY_GEN 0x00000100
-#define CKM_RC2_ECB 0x00000101
-#define CKM_RC2_CBC 0x00000102
-#define CKM_RC2_MAC 0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL 0x00000104
-#define CKM_RC2_CBC_PAD 0x00000105
-
-#define CKM_RC4_KEY_GEN 0x00000110
-#define CKM_RC4 0x00000111
-#define CKM_DES_KEY_GEN 0x00000120
-#define CKM_DES_ECB 0x00000121
-#define CKM_DES_CBC 0x00000122
-#define CKM_DES_MAC 0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL 0x00000124
-#define CKM_DES_CBC_PAD 0x00000125
-
-#define CKM_DES2_KEY_GEN 0x00000130
-#define CKM_DES3_KEY_GEN 0x00000131
-#define CKM_DES3_ECB 0x00000132
-#define CKM_DES3_CBC 0x00000133
-#define CKM_DES3_MAC 0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL 0x00000135
-#define CKM_DES3_CBC_PAD 0x00000136
-#define CKM_CDMF_KEY_GEN 0x00000140
-#define CKM_CDMF_ECB 0x00000141
-#define CKM_CDMF_CBC 0x00000142
-#define CKM_CDMF_MAC 0x00000143
-#define CKM_CDMF_MAC_GENERAL 0x00000144
-#define CKM_CDMF_CBC_PAD 0x00000145
-
-#define CKM_MD2 0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD2_HMAC 0x00000201
-#define CKM_MD2_HMAC_GENERAL 0x00000202
-
-#define CKM_MD5 0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD5_HMAC 0x00000211
-#define CKM_MD5_HMAC_GENERAL 0x00000212
-
-#define CKM_SHA_1 0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-#define CKM_SHA_1_HMAC 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL 0x00000222
-
-/* All of the following mechanisms are new for v2.0 */
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST_KEY_GEN 0x00000300
-#define CKM_CAST_ECB 0x00000301
-#define CKM_CAST_CBC 0x00000302
-#define CKM_CAST_MAC 0x00000303
-#define CKM_CAST_MAC_GENERAL 0x00000304
-#define CKM_CAST_CBC_PAD 0x00000305
-#define CKM_CAST3_KEY_GEN 0x00000310
-#define CKM_CAST3_ECB 0x00000311
-#define CKM_CAST3_CBC 0x00000312
-#define CKM_CAST3_MAC 0x00000313
-#define CKM_CAST3_MAC_GENERAL 0x00000314
-#define CKM_CAST3_CBC_PAD 0x00000315
-#define CKM_CAST5_KEY_GEN 0x00000320
-#define CKM_CAST128_KEY_GEN 0x00000320
-#define CKM_CAST5_ECB 0x00000321
-#define CKM_CAST128_ECB 0x00000321
-#define CKM_CAST5_CBC 0x00000322
-#define CKM_CAST128_CBC 0x00000322
-#define CKM_CAST5_MAC 0x00000323
-#define CKM_CAST128_MAC 0x00000323
-#define CKM_CAST5_MAC_GENERAL 0x00000324
-#define CKM_CAST128_MAC_GENERAL 0x00000324
-#define CKM_CAST5_CBC_PAD 0x00000325
-#define CKM_CAST128_CBC_PAD 0x00000325
-#define CKM_RC5_KEY_GEN 0x00000330
-#define CKM_RC5_ECB 0x00000331
-#define CKM_RC5_CBC 0x00000332
-#define CKM_RC5_MAC 0x00000333
-#define CKM_RC5_MAC_GENERAL 0x00000334
-#define CKM_RC5_CBC_PAD 0x00000335
-#define CKM_IDEA_KEY_GEN 0x00000340
-#define CKM_IDEA_ECB 0x00000341
-#define CKM_IDEA_CBC 0x00000342
-#define CKM_IDEA_MAC 0x00000343
-#define CKM_IDEA_MAC_GENERAL 0x00000344
-#define CKM_IDEA_CBC_PAD 0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
-#define CKM_XOR_BASE_AND_DATA 0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
-#define CKM_SSL3_MD5_MAC 0x00000380
-#define CKM_SSL3_SHA1_MAC 0x00000381
-#define CKM_MD5_KEY_DERIVATION 0x00000390
-#define CKM_MD2_KEY_DERIVATION 0x00000391
-#define CKM_SHA1_KEY_DERIVATION 0x00000392
-#define CKM_PBE_MD2_DES_CBC 0x000003A0
-#define CKM_PBE_MD5_DES_CBC 0x000003A1
-#define CKM_PBE_MD5_CAST_CBC 0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
-#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
-#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
-#define CKM_PBE_SHA1_RC4_128 0x000003A6
-#define CKM_PBE_SHA1_RC4_40 0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
-#define CKM_KEY_WRAP_LYNKS 0x00000400
-#define CKM_KEY_WRAP_SET_OAEP 0x00000401
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN 0x00001000
-#define CKM_SKIPJACK_ECB64 0x00001001
-#define CKM_SKIPJACK_CBC64 0x00001002
-#define CKM_SKIPJACK_OFB64 0x00001003
-#define CKM_SKIPJACK_CFB64 0x00001004
-#define CKM_SKIPJACK_CFB32 0x00001005
-#define CKM_SKIPJACK_CFB16 0x00001006
-#define CKM_SKIPJACK_CFB8 0x00001007
-#define CKM_SKIPJACK_WRAP 0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
-#define CKM_SKIPJACK_RELAYX 0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN 0x00001010
-#define CKM_KEA_KEY_DERIVE 0x00001011
-#define CKM_FORTEZZA_TIMESTAMP 0x00001020
-#define CKM_BATON_KEY_GEN 0x00001030
-#define CKM_BATON_ECB128 0x00001031
-#define CKM_BATON_ECB96 0x00001032
-#define CKM_BATON_CBC128 0x00001033
-#define CKM_BATON_COUNTER 0x00001034
-#define CKM_BATON_SHUFFLE 0x00001035
-#define CKM_BATON_WRAP 0x00001036
-
-/* PKCS #11 V2.01 probably won't actually have ECDSA in it */
-#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
-#define CKM_ECDSA 0x00001041
-#define CKM_ECDSA_SHA1 0x00001042
-
-#define CKM_JUNIPER_KEY_GEN 0x00001060
-#define CKM_JUNIPER_ECB128 0x00001061
-#define CKM_JUNIPER_CBC128 0x00001062
-#define CKM_JUNIPER_COUNTER 0x00001063
-#define CKM_JUNIPER_SHUFFLE 0x00001064
-#define CKM_JUNIPER_WRAP 0x00001065
-#define CKM_FASTHASH 0x00001070
-
-#define CKM_VENDOR_DEFINED 0x80000000
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism */
-typedef struct CK_MECHANISM {
- CK_MECHANISM_TYPE mechanism;
- CK_VOID_PTR pParameter;
-
- /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulParameterLen; /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism */
-typedef struct CK_MECHANISM_INFO {
- CK_ULONG ulMinKeySize;
- CK_ULONG ulMaxKeySize;
- CK_FLAGS flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- * Bit Flag Mask Meaning */
-#define CKF_HW 0x00000001 /* performed by HW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
- * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
- * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
- * and CKF_DERIVE are new for v2.0. They specify whether or not
- * a mechanism can be used for a particular task */
-#define CKF_ENCRYPT 0x00000100
-#define CKF_DECRYPT 0x00000200
-#define CKF_DIGEST 0x00000400
-#define CKF_SIGN 0x00000800
-#define CKF_SIGN_RECOVER 0x00001000
-#define CKF_VERIFY 0x00002000
-#define CKF_VERIFY_RECOVER 0x00004000
-#define CKF_GENERATE 0x00008000
-#define CKF_GENERATE_KEY_PAIR 0x00010000
-#define CKF_WRAP 0x00020000
-#define CKF_UNWRAP 0x00040000
-#define CKF_DERIVE 0x00080000
-
-#define CKF_EXTENSION 0x80000000 /* FALSE for 2.01 */
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a
- * PKCS #11 function */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_RV;
-
-#define CKR_OK 0x00000000
-#define CKR_CANCEL 0x00000001
-#define CKR_HOST_MEMORY 0x00000002
-#define CKR_SLOT_ID_INVALID 0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR 0x00000005
-#define CKR_FUNCTION_FAILED 0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD 0x00000007
-#define CKR_NO_EVENT 0x00000008
-#define CKR_NEED_TO_CREATE_THREADS 0x00000009
-#define CKR_CANT_LOCK 0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
-#define CKR_DATA_INVALID 0x00000020
-#define CKR_DATA_LEN_RANGE 0x00000021
-#define CKR_DEVICE_ERROR 0x00000030
-#define CKR_DEVICE_MEMORY 0x00000031
-#define CKR_DEVICE_REMOVED 0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
-#define CKR_FUNCTION_CANCELED 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
-
-#define CKR_KEY_HANDLE_INVALID 0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE 0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
- * v2.0 */
-#define CKR_KEY_NOT_NEEDED 0x00000064
-#define CKR_KEY_CHANGED 0x00000065
-#define CKR_KEY_NEEDED 0x00000066
-#define CKR_KEY_INDIGESTIBLE 0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
-#define CKR_KEY_NOT_WRAPPABLE 0x00000069
-#define CKR_KEY_UNEXTRACTABLE 0x0000006A
-
-#define CKR_MECHANISM_INVALID 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID 0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID 0x00000082
-#define CKR_OPERATION_ACTIVE 0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
-#define CKR_PIN_INCORRECT 0x000000A0
-#define CKR_PIN_INVALID 0x000000A1
-#define CKR_PIN_LEN_RANGE 0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED 0x000000A3
-#define CKR_PIN_LOCKED 0x000000A4
-
-#define CKR_SESSION_CLOSED 0x000000B0
-#define CKR_SESSION_COUNT 0x000000B1
-#define CKR_SESSION_HANDLE_INVALID 0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
-#define CKR_SESSION_READ_ONLY 0x000000B5
-#define CKR_SESSION_EXISTS 0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and
- * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
-
-#define CKR_SIGNATURE_INVALID 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
-#define CKR_TOKEN_NOT_PRESENT 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
-#define CKR_USER_NOT_LOGGED_IN 0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
-#define CKR_USER_TYPE_INVALID 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
-#define CKR_USER_TOO_MANY_TYPES 0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID 0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG 0x00000121
-#define CKR_BUFFER_TOO_SMALL 0x00000150
-#define CKR_SAVED_STATE_INVALID 0x00000160
-#define CKR_INFORMATION_SENSITIVE 0x00000170
-#define CKR_STATE_UNSAVEABLE 0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
-#define CKR_MUTEX_BAD 0x000001A0
-#define CKR_MUTEX_NOT_LOCKED 0x000001A1
-
-#define CKR_VENDOR_DEFINED 0x80000000
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication /* passed to C_OpenSession */
-);
-
-
-/* CK_FUNCTION_LIST is a structure holding a PKCS #11 spec
- * version and pointers of appropriate types to all the
- * PKCS #11 functions */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
- CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize */
-typedef struct CK_C_INITIALIZE_ARGS {
- CK_CREATEMUTEX CreateMutex;
- CK_DESTROYMUTEX DestroyMutex;
- CK_LOCKMUTEX LockMutex;
- CK_UNLOCKMUTEX UnlockMutex;
- CK_FLAGS flags;
- CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- * Bit Flag Mask Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-#define CKF_OS_LOCKING_OK 0x00000002
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK 1
-
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
- CK_BBOOL isSender;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pRandomB;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
- * holds the effective keysize */
-typedef CK_ULONG CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism */
-typedef struct CK_RC2_CBC_PARAMS {
- /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
-
- CK_BYTE iv[8]; /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
- CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_BYTE_PTR pIv; /* pointer to IV */
- CK_ULONG ulIvLen; /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
- CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms. Its value is the length of
- * the MAC */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
- CK_ULONG ulPasswordLen;
- CK_BYTE_PTR pPassword;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
- CK_ULONG ulPAndGLen;
- CK_ULONG ulQLen;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pPrimeP;
- CK_BYTE_PTR pBaseG;
- CK_BYTE_PTR pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
- CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
- CK_ULONG ulOldWrappedXLen;
- CK_BYTE_PTR pOldWrappedX;
- CK_ULONG ulOldPasswordLen;
- CK_BYTE_PTR pOldPassword;
- CK_ULONG ulOldPublicDataLen;
- CK_BYTE_PTR pOldPublicData;
- CK_ULONG ulOldRandomLen;
- CK_BYTE_PTR pOldRandomA;
- CK_ULONG ulNewPasswordLen;
- CK_BYTE_PTR pNewPassword;
- CK_ULONG ulNewPublicDataLen;
- CK_BYTE_PTR pNewPublicData;
- CK_ULONG ulNewRandomLen;
- CK_BYTE_PTR pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
- CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
- CK_CHAR_PTR pInitVector;
- CK_CHAR_PTR pPassword;
- CK_ULONG ulPasswordLen;
- CK_CHAR_PTR pSalt;
- CK_ULONG ulSaltLen;
- CK_ULONG ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
- CK_BYTE bBC; /* block contents byte */
- CK_BYTE_PTR pX; /* extra data */
- CK_ULONG ulXLen; /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
- CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
- CK_BYTE_PTR pClientRandom;
- CK_ULONG ulClientRandomLen;
- CK_BYTE_PTR pServerRandom;
- CK_ULONG ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
- CK_OBJECT_HANDLE hClientMacSecret;
- CK_OBJECT_HANDLE hServerMacSecret;
- CK_OBJECT_HANDLE hClientKey;
- CK_OBJECT_HANDLE hServerKey;
- CK_BYTE_PTR pIVClient;
- CK_BYTE_PTR pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
- CK_ULONG ulMacSizeInBits;
- CK_ULONG ulKeySizeInBits;
- CK_ULONG ulIVSizeInBits;
- CK_BBOOL bIsExport;
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
- CK_BYTE_PTR pData;
- CK_ULONG ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
- CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-/* Do not attempt to use these. They are only used by NETSCAPE's internal
- * PKCS #11 interface. Most of these are place holders for other mechanism
- * and will change in the future.
- */
-#define CKM_NETSCAPE_PBE_KEY_GEN 0x80000001L
-#define CKM_NETSCAPE_PBE_SHA1_DES_CBC 0x80000002L
-#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC 0x80000003L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC 0x80000004L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC 0x80000005L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007L
-#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008L
-#define CKM_TLS_MASTER_KEY_DERIVE 0x80000371L
-#define CKM_TLS_KEY_AND_MAC_DERIVE 0x80000372L
-#define CKM_TLS_PRF_GENERAL 0x80000373L
-
-/* define used to pass in the database key for DSA private keys */
-#define CKA_NETSCAPE_DB 0xD5A0DB00L
-#define CKA_NETSCAPE_TRUST 0x80000001L
-
-/* undo packing */
-#include "pkcs11u.h"
-
-#endif
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
deleted file mode 100644
index fdb03a543..000000000
--- a/security/nss/lib/softoken/pkcs11u.c
+++ /dev/null
@@ -1,1270 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Internal PKCS #11 functions. Should only be called by pkcs11.c
- */
-#include "pkcs11.h"
-#include "pkcs11i.h"
-#include "key.h"
-#include "certdb.h"
-
-
-/* declare the internal pkcs11 slot structures:
- * There are threee:
- * slot 0 is the generic crypto service token.
- * slot 1 is the Database service token.
- * slot 2 is the FIPS token (both generic and database).
- */
-static PK11Slot pk11_slot[3];
-
-/*
- * ******************** Attribute Utilities *******************************
- */
-
-/*
- * create a new attribute with type, value, and length. Space is allocated
- * to hold value.
- */
-static PK11Attribute *
-pk11_NewAttribute(PK11Object *object,
- CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len)
-{
- PK11Attribute *attribute;
-
-#ifdef NO_ARENA
- int index;
- /*
- * NO_ARENA attempts to keep down contention on Malloc and Arena locks
- * by limiting the number of these calls on high traversed paths. this
- * is done for attributes by 'allocating' them from a pool already allocated
- * by the parent object.
- */
- PK11_USE_THREADS(PR_Lock(object->attributeLock);)
- index = object->nextAttr++;
- PK11_USE_THREADS(PR_Unlock(object->attributeLock);)
- PORT_Assert(index < MAX_OBJS_ATTRS);
- if (index >= MAX_OBJS_ATTRS) return NULL;
-
- attribute = &object->attrList[index];
- attribute->attrib.type = type;
- if (value) {
- if (len <= ATTR_SPACE) {
- attribute->attrib.pValue = attribute->space;
- } else {
- attribute->attrib.pValue = PORT_Alloc(len);
- }
- if (attribute->attrib.pValue == NULL) {
- return NULL;
- }
- PORT_Memcpy(attribute->attrib.pValue,value,len);
- attribute->attrib.ulValueLen = len;
- } else {
- attribute->attrib.pValue = NULL;
- attribute->attrib.ulValueLen = 0;
- }
-#else
-#ifdef REF_COUNT_ATTRIBUTE
- attribute = (PK11Attribute*)PORT_Alloc(sizeof(PK11Attribute));
-#else
- attribute = (PK11Attribute*)PORT_ArenaAlloc(object->arena,sizeof(PK11Attribute));
-#endif /* REF_COUNT_ATTRIBUTE */
- if (attribute == NULL) return NULL;
-
- if (value) {
-#ifdef REF_COUNT_ATTRIBUTE
- attribute->attrib.pValue = PORT_Alloc(len);
-#else
- attribute->attrib.pValue = PORT_ArenaAlloc(object->arena,len);
-#endif /* REF_COUNT_ATTRIBUTE */
- if (attribute->attrib.pValue == NULL) {
-#ifdef REF_COUNT_ATTRIBUTE
- PORT_Free(attribute);
-#endif /* REF_COUNT_ATTRIBUTE */
- return NULL;
- }
- PORT_Memcpy(attribute->attrib.pValue,value,len);
- attribute->attrib.ulValueLen = len;
- } else {
- attribute->attrib.pValue = NULL;
- attribute->attrib.ulValueLen = 0;
- }
-#endif /* NO_ARENA */
- attribute->attrib.type = type;
- attribute->handle = type;
- attribute->next = attribute->prev = NULL;
-#ifdef REF_COUNT_ATTRIBUTE
- attribute->refCount = 1;
-#ifdef PKCS11_USE_THREADS
- attribute->refLock = PR_NewLock();
- if (attribute->refLock == NULL) {
- if (attribute->attrib.pValue) PORT_Free(attribute->attrib.pValue);
- PORT_Free(attribute);
- return NULL;
- }
-#else
- attribute->refLock = NULL;
-#endif
-#endif /* REF_COUNT_ATTRIBUTE */
- return attribute;
-}
-
-/*
- * Free up all the memory associated with an attribute. Reference count
- * must be zero to call this.
- */
-static void
-pk11_DestroyAttribute(PK11Attribute *attribute)
-{
-#ifdef REF_COUNT_ATTRIBUTE
- PORT_Assert(attribute->refCount == 0);
- PK11_USE_THREADS(PR_DestroyLock(attribute->refLock);)
- if (attribute->attrib.pValue) {
- /* clear out the data in the attribute value... it may have been
- * sensitive data */
- PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
- PORT_Free(attribute->attrib.pValue);
- }
- PORT_Free(attribute);
-#endif
-}
-
-
-/*
- * look up and attribute structure from a type and Object structure.
- * The returned attribute is referenced and needs to be freed when
- * it is no longer needed.
- */
-PK11Attribute *
-pk11_FindAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type)
-{
- PK11Attribute *attribute;
-
- PK11_USE_THREADS(PR_Lock(object->attributeLock);)
- pk11queue_find(attribute,type,object->head,ATTRIBUTE_HASH_SIZE);
-#ifdef REF_COUNT_ATTRIBUTE
- if (attribute) {
- /* atomic increment would be nice here */
- PK11_USE_THREADS(PR_Lock(attribute->refLock);)
- attribute->refCount++;
- PK11_USE_THREADS(PR_Unlock(attribute->refLock);)
- }
-#endif
- PK11_USE_THREADS(PR_Unlock(object->attributeLock);)
-
- return(attribute);
-}
-
-
-/*
- * release a reference to an attribute structure
- */
-void
-pk11_FreeAttribute(PK11Attribute *attribute)
-{
-#ifdef REF_COUNT_ATTRIBUTE
- PRBool destroy = PR_FALSE;
-
- PK11_USE_THREADS(PR_Lock(attribute->refLock);)
- if (attribute->refCount == 1) destroy = PR_TRUE;
- attribute->refCount--;
- PK11_USE_THREADS(PR_Unlock(attribute->refLock);)
-
- if (destroy) pk11_DestroyAttribute(attribute);
-#endif
-}
-
-
-/*
- * return true if object has attribute
- */
-PRBool
-pk11_hasAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type)
-{
- PK11Attribute *attribute;
-
- PK11_USE_THREADS(PR_Lock(object->attributeLock);)
- pk11queue_find(attribute,type,object->head,ATTRIBUTE_HASH_SIZE);
- PK11_USE_THREADS(PR_Unlock(object->attributeLock);)
-
- return (PRBool)(attribute != NULL);
-}
-
-/*
- * add an attribute to an object
- */
-static
-void pk11_AddAttribute(PK11Object *object,PK11Attribute *attribute)
-{
- PK11_USE_THREADS(PR_Lock(object->attributeLock);)
- pk11queue_add(attribute,attribute->handle,object->head,ATTRIBUTE_HASH_SIZE);
- PK11_USE_THREADS(PR_Unlock(object->attributeLock);)
-}
-
-/*
- * copy an unsigned attribute into a 'signed' SECItem. Secitem is allocated in
- * the specified arena.
- */
-CK_RV
-pk11_Attribute2SSecItem(PLArenaPool *arena,SECItem *item,PK11Object *object,
- CK_ATTRIBUTE_TYPE type)
-{
- int len;
- PK11Attribute *attribute;
- unsigned char *start;
- int real_len;
-
- attribute = pk11_FindAttribute(object, type);
- if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
- real_len = len = attribute->attrib.ulValueLen;
- if ((*((unsigned char *)attribute->attrib.pValue) & 0x80) != 0) {
- real_len++;
- }
-
- if (arena) {
- start = item->data = (unsigned char *) PORT_ArenaAlloc(arena,real_len);
- } else {
- start = item->data = (unsigned char *) PORT_Alloc(real_len);
- }
- if (item->data == NULL) {
- pk11_FreeAttribute(attribute);
- return CKR_HOST_MEMORY;
- }
- item->len = real_len;
- if (real_len != len) {
- *start = 0;
- start++;
- }
- PORT_Memcpy(start, attribute->attrib.pValue, len);
- pk11_FreeAttribute(attribute);
- return CKR_OK;
-}
-
-
-/*
- * delete an attribute from an object
- */
-static void
-pk11_DeleteAttribute(PK11Object *object, PK11Attribute *attribute)
-{
- PK11_USE_THREADS(PR_Lock(object->attributeLock);)
- if (pk11queue_is_queued(attribute,attribute->handle,
- object->head,ATTRIBUTE_HASH_SIZE)) {
- pk11queue_delete(attribute,attribute->handle,
- object->head,ATTRIBUTE_HASH_SIZE);
- }
- PK11_USE_THREADS(PR_Unlock(object->attributeLock);)
- pk11_FreeAttribute(attribute);
-}
-
-/*
- * this is only valid for CK_BBOOL type attributes. Return the state
- * of that attribute.
- */
-PRBool
-pk11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type)
-{
- PK11Attribute *attribute;
- PRBool tok = PR_FALSE;
-
- attribute=pk11_FindAttribute(object,type);
- if (attribute == NULL) { return PR_FALSE; }
- tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
- pk11_FreeAttribute(attribute);
-
- return tok;
-}
-
-/*
- * force an attribute to null.
- * this is for sensitive keys which are stored in the database, we don't
- * want to keep this info around in memory in the clear.
- */
-void
-pk11_nullAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type)
-{
- PK11Attribute *attribute;
-
- attribute=pk11_FindAttribute(object,type);
- if (attribute == NULL) return;
-
- if (attribute->attrib.pValue != NULL) {
- PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
-#ifdef REF_COUNT_ATTRIBUTE
- PORT_Free(attribute->attrib.pValue);
-#endif /* REF_COUNT_ATTRIBUTE */
-#ifdef NO_ARENA
- if (attribute->attrib.pValue != attribute->space) {
- PORT_Free(attribute->attrib.pValue);
- }
-#endif /* NO_ARENA */
- attribute->attrib.pValue = NULL;
- attribute->attrib.ulValueLen = 0;
- }
- pk11_FreeAttribute(attribute);
-}
-
-/*
- * force an attribute to a spaecif value.
- */
-CK_RV
-pk11_forceAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type, void *value,
- unsigned int len)
-{
- PK11Attribute *attribute;
- void *att_val = NULL;
-
- attribute=pk11_FindAttribute(object,type);
- if (attribute == NULL) return pk11_AddAttributeType(object,type,value,len);
-
-
- if (value) {
-#ifdef NO_ARENA
- if (len <= ATTR_SPACE) {
- att_val = attribute->space;
- } else {
- att_val = PORT_Alloc(len);
- }
-#else
-#ifdef REF_COUNT_ATTRIBUTE
- att_val = PORT_Alloc(len);
-#else
- att_val = PORT_ArenaAlloc(object->arena,len);
-#endif /* REF_COUNT_ATTRIBUTE */
-#endif /* NO_ARENA */
- if (att_val == NULL) {
- return CKR_HOST_MEMORY;
- }
- if (attribute->attrib.pValue == att_val) {
- PORT_Memset(attribute->attrib.pValue,0,
- attribute->attrib.ulValueLen);
- }
- PORT_Memcpy(att_val,value,len);
- }
- if (attribute->attrib.pValue != NULL) {
- if (attribute->attrib.pValue != att_val) {
- PORT_Memset(attribute->attrib.pValue,0,
- attribute->attrib.ulValueLen);
- }
-#ifdef REF_COUNT_ATTRIBUTE
- PORT_Free(attribute->attrib.pValue);
-#endif /* REF_COUNT_ATTRIBUTE */
-#ifdef NO_ARENA
- if (attribute->attrib.pValue != attribute->space) {
- PORT_Free(attribute->attrib.pValue);
- }
-#endif /* NO_ARENA */
- attribute->attrib.pValue = NULL;
- attribute->attrib.ulValueLen = 0;
- }
- if (att_val) {
- attribute->attrib.pValue = att_val;
- attribute->attrib.ulValueLen = len;
- }
- return CKR_OK;
-}
-
-/*
- * return a null terminated string from attribute 'type'. This string
- * is allocated and needs to be freed with PORT_Free() When complete.
- */
-char *
-pk11_getString(PK11Object *object,CK_ATTRIBUTE_TYPE type)
-{
- PK11Attribute *attribute;
- char *label = NULL;
-
- attribute=pk11_FindAttribute(object,type);
- if (attribute == NULL) return NULL;
-
- if (attribute->attrib.pValue != NULL) {
- label = (char *) PORT_Alloc(attribute->attrib.ulValueLen+1);
- if (label == NULL) {
- pk11_FreeAttribute(attribute);
- return NULL;
- }
-
- PORT_Memcpy(label,attribute->attrib.pValue,
- attribute->attrib.ulValueLen);
- label[attribute->attrib.ulValueLen] = 0;
- }
- pk11_FreeAttribute(attribute);
- return label;
-}
-
-/*
- * decode when a particular attribute may be modified
- * PK11_NEVER: This attribute must be set at object creation time and
- * can never be modified.
- * PK11_ONCOPY: This attribute may be modified only when you copy the
- * object.
- * PK11_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
- * CK_FALSE to CK_TRUE.
- * PK11_ALWAYS: This attribute can always be modified.
- * Some attributes vary their modification type based on the class of the
- * object.
- */
-PK11ModifyType
-pk11_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
-{
- /* if we don't know about it, user user defined, always allow modify */
- PK11ModifyType mtype = PK11_ALWAYS;
-
- switch(type) {
- /* NEVER */
- case CKA_CLASS:
- case CKA_CERTIFICATE_TYPE:
- case CKA_KEY_TYPE:
- case CKA_MODULUS:
- case CKA_MODULUS_BITS:
- case CKA_PUBLIC_EXPONENT:
- case CKA_PRIVATE_EXPONENT:
- case CKA_PRIME:
- case CKA_SUBPRIME:
- case CKA_BASE:
- case CKA_PRIME_1:
- case CKA_PRIME_2:
- case CKA_EXPONENT_1:
- case CKA_EXPONENT_2:
- case CKA_COEFFICIENT:
- case CKA_VALUE_LEN:
- case CKA_ALWAYS_SENSITIVE:
- case CKA_NEVER_EXTRACTABLE:
- case CKA_NETSCAPE_DB:
- mtype = PK11_NEVER;
- break;
-
- /* ONCOPY */
- case CKA_TOKEN:
- case CKA_PRIVATE:
- case CKA_MODIFIABLE:
- mtype = PK11_ONCOPY;
- break;
-
- /* SENSITIVE */
- case CKA_SENSITIVE:
- case CKA_EXTRACTABLE:
- mtype = PK11_SENSITIVE;
- break;
-
- /* ALWAYS */
- case CKA_LABEL:
- case CKA_APPLICATION:
- case CKA_ID:
- case CKA_SERIAL_NUMBER:
- case CKA_START_DATE:
- case CKA_END_DATE:
- case CKA_DERIVE:
- case CKA_ENCRYPT:
- case CKA_DECRYPT:
- case CKA_SIGN:
- case CKA_VERIFY:
- case CKA_SIGN_RECOVER:
- case CKA_VERIFY_RECOVER:
- case CKA_WRAP:
- case CKA_UNWRAP:
- mtype = PK11_ALWAYS;
- break;
-
- /* DEPENDS ON CLASS */
- case CKA_VALUE:
- mtype = (inClass == CKO_DATA) ? PK11_ALWAYS : PK11_NEVER;
- break;
-
- case CKA_SUBJECT:
- mtype = (inClass == CKO_CERTIFICATE) ? PK11_NEVER : PK11_ALWAYS;
- break;
- default:
- break;
- }
- return mtype;
-}
-
-/* decode if a particular attribute is sensitive (cannot be read
- * back to the user of if the object is set to SENSITIVE) */
-PRBool
-pk11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
-{
- switch(type) {
- /* ALWAYS */
- case CKA_PRIVATE_EXPONENT:
- case CKA_PRIME_1:
- case CKA_PRIME_2:
- case CKA_EXPONENT_1:
- case CKA_EXPONENT_2:
- case CKA_COEFFICIENT:
- return PR_TRUE;
-
- /* DEPENDS ON CLASS */
- case CKA_VALUE:
- /* PRIVATE and SECRET KEYS have SENSITIVE values */
- return (PRBool)((inClass == CKO_PRIVATE_KEY) || (inClass == CKO_SECRET_KEY));
-
- default:
- break;
- }
- return PR_FALSE;
-}
-
-/*
- * copy an attribute into a SECItem. Secitem is allocated in the specified
- * arena.
- */
-CK_RV
-pk11_Attribute2SecItem(PLArenaPool *arena,SECItem *item,PK11Object *object,
- CK_ATTRIBUTE_TYPE type)
-{
- int len;
- PK11Attribute *attribute;
-
- attribute = pk11_FindAttribute(object, type);
- if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
- len = attribute->attrib.ulValueLen;
-
- if (arena) {
- item->data = (unsigned char *) PORT_ArenaAlloc(arena,len);
- } else {
- item->data = (unsigned char *) PORT_Alloc(len);
- }
- if (item->data == NULL) {
- pk11_FreeAttribute(attribute);
- return CKR_HOST_MEMORY;
- }
- item->len = len;
- PORT_Memcpy(item->data,attribute->attrib.pValue, len);
- pk11_FreeAttribute(attribute);
- return CKR_OK;
-}
-
-void
-pk11_DeleteAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type)
-{
- PK11Attribute *attribute;
- attribute = pk11_FindAttribute(object, type);
- if (attribute == NULL) return ;
- pk11_DeleteAttribute(object,attribute);
- pk11_FreeAttribute(attribute);
-}
-
-CK_RV
-pk11_AddAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
- CK_ULONG length)
-{
- PK11Attribute *attribute;
- attribute = pk11_NewAttribute(object,type,valPtr,length);
- if (attribute == NULL) { return CKR_HOST_MEMORY; }
- pk11_AddAttribute(object,attribute);
- return CKR_OK;
-}
-
-/*
- * ******************** Object Utilities *******************************
- */
-
-/* allocation hooks that allow us to recycle old object structures */
-#ifdef MAX_OBJECT_LIST_SIZE
-static PK11Object * objectFreeList = NULL;
-static PRLock *objectLock = NULL;
-static int object_count = 0;
-#endif
-PK11Object *
-pk11_GetObjectFromList(PRBool *hasLocks) {
- PK11Object *object;
-
-#if MAX_OBJECT_LIST_SIZE
- if (objectLock == NULL) {
- objectLock = PR_NewLock();
- }
-
- PK11_USE_THREADS(PR_Lock(objectLock));
- object = objectFreeList;
- if (object) {
- objectFreeList = object->next;
- object_count--;
- }
- PK11_USE_THREADS(PR_Unlock(objectLock));
- if (object) {
- object->next = object->prev = NULL;
- *hasLocks = PR_TRUE;
- return object;
- }
-#endif
-
- object = (PK11Object*)PORT_ZAlloc(sizeof(PK11Object));
- *hasLocks = PR_FALSE;
- return object;
-}
-
-static void
-pk11_PutObjectToList(PK11Object *object) {
-#ifdef MAX_OBJECT_LIST_SIZE
- if (object_count < MAX_OBJECT_LIST_SIZE) {
- PK11_USE_THREADS(PR_Lock(objectLock));
- object->next = objectFreeList;
- objectFreeList = object;
- object_count++;
- PK11_USE_THREADS(PR_Unlock(objectLock));
- return;
- }
-#endif
- PK11_USE_THREADS(PR_DestroyLock(object->attributeLock);)
- PK11_USE_THREADS(PR_DestroyLock(object->refLock);)
- object->attributeLock = object->refLock = NULL;
- PORT_Free(object);
-}
-
-
-/*
- * Create a new object
- */
-PK11Object *
-pk11_NewObject(PK11Slot *slot)
-{
- PK11Object *object;
- PLArenaPool *arena;
- PRBool hasLocks = PR_FALSE;
- int i;
-
-
-#ifdef NO_ARENA
- object = pk11_GetObjectFromList(&hasLocks);
- if (object == NULL) {
- return NULL;
- }
- object->nextAttr = 0;
-#else
- arena = PORT_NewArena(2048);
- if (arena == NULL) return NULL;
-
- object = (PK11Object*)PORT_ArenaAlloc(arena,sizeof(PK11Object));
- if (object == NULL) {
- PORT_FreeArena(arena,PR_FALSE);
- return NULL;
- }
- object->arena = arena;
-
- for (i=0; i < MAX_OBJS_ATTRS; i++) {
- object->attrList[i].attrib.pValue = NULL;
- }
-#endif
-
- object->handle = 0;
- object->next = object->prev = NULL;
- object->sessionList.next = NULL;
- object->sessionList.prev = NULL;
- object->sessionList.parent = object;
- object->inDB = PR_FALSE;
- object->label = NULL;
- object->refCount = 1;
- object->session = NULL;
- object->slot = slot;
- object->objclass = 0xffff;
- object->wasDerived = PR_FALSE;
-#ifdef PKCS11_USE_THREADS
- if (!hasLocks) object->refLock = PR_NewLock();
- if (object->refLock == NULL) {
-#ifdef NO_ARENA
- PORT_Free(object);
-#else
- PORT_FreeArena(arena,PR_FALSE);
-#endif
- return NULL;
- }
- if (!hasLocks) object->attributeLock = PR_NewLock();
- if (object->attributeLock == NULL) {
- PK11_USE_THREADS(PR_DestroyLock(object->refLock);)
-#ifdef NO_ARENA
- PORT_Free(object);
-#else
- PORT_FreeArena(arena,PR_FALSE);
-#endif
- return NULL;
- }
-#else
- object->attributeLock = NULL;
- object->refLock = NULL;
-#endif
- for (i=0; i < ATTRIBUTE_HASH_SIZE; i++) {
- object->head[i] = NULL;
- }
- object->objectInfo = NULL;
- object->infoFree = NULL;
- return object;
-}
-
-/*
- * free all the data associated with an object. Object reference count must
- * be 'zero'.
- */
-static CK_RV
-pk11_DestroyObject(PK11Object *object)
-{
-#if defined(REF_COUNT_ATTRIBUTE) || defined(NO_ARENA)
- int i;
-#endif
- SECItem pubKey;
- CK_RV crv = CKR_OK;
- SECStatus rv;
- PLArenaPool *arena = NULL;
-
- PORT_Assert(object->refCount == 0);
-
- /* delete the database value */
- if (object->inDB) {
- if (pk11_isToken(object->handle)) {
- /* remove the objects from the real data base */
- switch (object->handle & PK11_TOKEN_TYPE_MASK) {
- case PK11_TOKEN_TYPE_PRIV:
- /* KEYID is the public KEY for DSA and DH, and the MODULUS for
- * RSA */
- crv=pk11_Attribute2SecItem(NULL,&pubKey,object,CKA_NETSCAPE_DB);
- if (crv != CKR_OK) break;
- rv = SECKEY_DeleteKey(SECKEY_GetDefaultKeyDB(), &pubKey);
- if (rv != SECSuccess) crv= CKR_DEVICE_ERROR;
- break;
- case PK11_TOKEN_TYPE_CERT:
- rv = SEC_DeletePermCertificate((CERTCertificate *)object->objectInfo);
- if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
- break;
- }
- }
- }
- if (object->label) PORT_Free(object->label);
-
- object->inDB = PR_FALSE;
- object->label = NULL;
-
-#ifdef NO_ARENA
- for (i=0; i < MAX_OBJS_ATTRS; i++) {
- unsigned char *value = object->attrList[i].attrib.pValue;
- if (value) {
- PORT_Memset(value,0,object->attrList[i].attrib.ulValueLen);
- if (value != object->attrList[i].space) {
- PORT_Free(value);
- }
- object->attrList[i].attrib.pValue = NULL;
- }
- }
-#endif
-
-#ifdef REF_COUNT_ATTRIBUTE
- /* clean out the attributes */
- /* since no one is referencing us, it's safe to walk the chain
- * without a lock */
- for (i=0; i < ATTRIBUTE_HASH_SIZE; i++) {
- PK11Attribute *ap,*next;
- for (ap = object->head[i]; ap != NULL; ap = next) {
- next = ap->next;
- /* paranoia */
- ap->next = ap->prev = NULL;
- pk11_FreeAttribute(ap);
- }
- object->head[i] = NULL;
- }
-#endif
- if (object->objectInfo) {
- (*object->infoFree)(object->objectInfo);
- }
-#ifdef NO_ARENA
- pk11_PutObjectToList(object);
-#else
- PK11_USE_THREADS(PR_DestroyLock(object->attributeLock);)
- PK11_USE_THREADS(PR_DestroyLock(object->refLock);)
- arena = object->arena;
- PORT_FreeArena(arena,PR_FALSE);
-#endif
- return crv;
-}
-
-void
-pk11_ReferenceObject(PK11Object *object)
-{
- PK11_USE_THREADS(PR_Lock(object->refLock);)
- object->refCount++;
- PK11_USE_THREADS(PR_Unlock(object->refLock);)
-}
-
-static PK11Object *
-pk11_ObjectFromHandleOnSlot(CK_OBJECT_HANDLE handle, PK11Slot *slot)
-{
- PK11Object **head;
- PRLock *lock;
- PK11Object *object;
-
- head = slot->tokObjects;
- lock = slot->objectLock;
-
- PK11_USE_THREADS(PR_Lock(lock);)
- pk11queue_find(object,handle,head,TOKEN_OBJECT_HASH_SIZE);
- if (object) {
- pk11_ReferenceObject(object);
- }
- PK11_USE_THREADS(PR_Unlock(lock);)
-
- return(object);
-}
-/*
- * look up and object structure from a handle. OBJECT_Handles only make
- * sense in terms of a given session. make a reference to that object
- * structure returned.
- */
-PK11Object *
-pk11_ObjectFromHandle(CK_OBJECT_HANDLE handle, PK11Session *session)
-{
- PK11Slot *slot = pk11_SlotFromSession(session);
-
- return pk11_ObjectFromHandleOnSlot(handle,slot);
-}
-
-
-/*
- * release a reference to an object handle
- */
-PK11FreeStatus
-pk11_FreeObject(PK11Object *object)
-{
- PRBool destroy = PR_FALSE;
- CK_RV crv;
-
- PK11_USE_THREADS(PR_Lock(object->refLock);)
- if (object->refCount == 1) destroy = PR_TRUE;
- object->refCount--;
- PK11_USE_THREADS(PR_Unlock(object->refLock);)
-
- if (destroy) {
- crv = pk11_DestroyObject(object);
- if (crv != CKR_OK) {
- return PK11_DestroyFailure;
- }
- return PK11_Destroyed;
- }
- return PK11_Busy;
-}
-
-/*
- * add an object to a slot and session queue. These two functions
- * adopt the object.
- */
-void
-pk11_AddSlotObject(PK11Slot *slot, PK11Object *object)
-{
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- pk11queue_add(object,object->handle,slot->tokObjects,TOKEN_OBJECT_HASH_SIZE);
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
-}
-
-void
-pk11_AddObject(PK11Session *session, PK11Object *object)
-{
- PK11Slot *slot = pk11_SlotFromSession(session);
-
- if (!pk11_isToken(object->handle)) {
- PK11_USE_THREADS(PR_Lock(session->objectLock);)
- pk11queue_add(&object->sessionList,0,session->objects,0);
- object->session = session;
- PK11_USE_THREADS(PR_Unlock(session->objectLock);)
- }
- pk11_AddSlotObject(slot,object);
-}
-
-/*
- * add an object to a slot andsession queue
- */
-void
-pk11_DeleteObject(PK11Session *session, PK11Object *object)
-{
- PK11Slot *slot = pk11_SlotFromSession(session);
-
- if (object->session) {
- PK11Session *session = object->session;
- PK11_USE_THREADS(PR_Lock(session->objectLock);)
- pk11queue_delete(&object->sessionList,0,session->objects,0);
- PK11_USE_THREADS(PR_Unlock(session->objectLock);)
- }
- PK11_USE_THREADS(PR_Lock(slot->objectLock);)
- pk11queue_delete(object,object->handle,slot->tokObjects,
- TOKEN_OBJECT_HASH_SIZE);
- PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
- pk11_FreeObject(object);
-}
-
-/*
- * copy the attributes from one object to another. Don't overwrite existing
- * attributes. NOTE: This is a pretty expensive operation since it
- * grabs the attribute locks for the src object for a *long* time.
- */
-CK_RV
-pk11_CopyObject(PK11Object *destObject,PK11Object *srcObject)
-{
- PK11Attribute *attribute;
- int i;
-
- PK11_USE_THREADS(PR_Lock(srcObject->attributeLock);)
- for(i=0; i < ATTRIBUTE_HASH_SIZE; i++) {
- attribute = srcObject->head[i];
- do {
- if (attribute) {
- if (!pk11_hasAttribute(destObject,attribute->handle)) {
- /* we need to copy the attribute since each attribute
- * only has one set of link list pointers */
- PK11Attribute *newAttribute = pk11_NewAttribute(
- destObject,pk11_attr_expand(&attribute->attrib));
- if (newAttribute == NULL) {
- PK11_USE_THREADS(PR_Unlock(srcObject->attributeLock);)
- return CKR_HOST_MEMORY;
- }
- pk11_AddAttribute(destObject,newAttribute);
- }
- attribute=attribute->next;
- }
- } while (attribute != NULL);
- }
- PK11_USE_THREADS(PR_Unlock(srcObject->attributeLock);)
- return CKR_OK;
-}
-
-/*
- * ******************** Search Utilities *******************************
- */
-
-/* add an object to a search list */
-CK_RV
-AddToList(PK11ObjectListElement **list,PK11Object *object)
-{
- PK11ObjectListElement *newElem =
- (PK11ObjectListElement *)PORT_Alloc(sizeof(PK11ObjectListElement));
-
- if (newElem == NULL) return CKR_HOST_MEMORY;
-
- newElem->next = *list;
- newElem->object = object;
- pk11_ReferenceObject(object);
-
- *list = newElem;
- return CKR_OK;
-}
-
-
-/* return true if the object matches the template */
-PRBool
-pk11_objectMatch(PK11Object *object,CK_ATTRIBUTE_PTR theTemplate,int count)
-{
- int i;
-
- for (i=0; i < count; i++) {
- PK11Attribute *attribute = pk11_FindAttribute(object,theTemplate[i].type);
- if (attribute == NULL) {
- return PR_FALSE;
- }
- if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
- if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
- theTemplate[i].ulValueLen) == 0) {
- pk11_FreeAttribute(attribute);
- continue;
- }
- }
- pk11_FreeAttribute(attribute);
- return PR_FALSE;
- }
- return PR_TRUE;
-}
-
-/* search through all the objects in the queue and return the template matches
- * in the object list.
- */
-CK_RV
-pk11_searchObjectList(PK11ObjectListElement **objectList,PK11Object **head,
- PRLock *lock, CK_ATTRIBUTE_PTR theTemplate, int count, PRBool isLoggedIn)
-{
- int i;
- PK11Object *object;
- CK_RV crv = CKR_OK;
-
- for(i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
- /* We need to hold the lock to copy a consistant version of
- * the linked list. */
- PK11_USE_THREADS(PR_Lock(lock);)
- for (object = head[i]; object != NULL; object= object->next) {
- if (pk11_objectMatch(object,theTemplate,count)) {
- /* don't return objects that aren't yet visible */
- if ((!isLoggedIn) && pk11_isTrue(object,CKA_PRIVATE)) continue;
- crv = AddToList(objectList,object);
- if (crv != CKR_OK) {
- break;
- }
- }
- }
- PK11_USE_THREADS(PR_Unlock(lock);)
- }
- return crv;
-}
-
-/*
- * free a single list element. Return the Next object in the list.
- */
-PK11ObjectListElement *
-pk11_FreeObjectListElement(PK11ObjectListElement *objectList)
-{
- PK11ObjectListElement *ol = objectList->next;
-
- pk11_FreeObject(objectList->object);
- PORT_Free(objectList);
- return ol;
-}
-
-/* free an entire object list */
-void
-pk11_FreeObjectList(PK11ObjectListElement *objectList)
-{
- PK11ObjectListElement *ol;
-
- for (ol= objectList; ol != NULL; ol = pk11_FreeObjectListElement(ol)) {}
-}
-
-/*
- * free a search structure
- */
-void
-pk11_FreeSearch(PK11SearchResults *search)
-{
- if (search->handles) {
- PORT_Free(search->handles);
- }
- PORT_Free(search);
-}
-
-/*
- * ******************** Session Utilities *******************************
- */
-
-/* update the sessions state based in it's flags and wether or not it's
- * logged in */
-void
-pk11_update_state(PK11Slot *slot,PK11Session *session)
-{
- if (slot->isLoggedIn) {
- if (slot->ssoLoggedIn) {
- session->info.state = CKS_RW_SO_FUNCTIONS;
- } else if (session->info.flags & CKF_RW_SESSION) {
- session->info.state = CKS_RW_USER_FUNCTIONS;
- } else {
- session->info.state = CKS_RO_USER_FUNCTIONS;
- }
- } else {
- if (session->info.flags & CKF_RW_SESSION) {
- session->info.state = CKS_RW_PUBLIC_SESSION;
- } else {
- session->info.state = CKS_RO_PUBLIC_SESSION;
- }
- }
-}
-
-/* update the state of all the sessions on a slot */
-void
-pk11_update_all_states(PK11Slot *slot)
-{
- int i;
- PK11Session *session;
-
- for (i=0; i < SESSION_HASH_SIZE; i++) {
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- for (session = slot->head[i]; session; session = session->next) {
- pk11_update_state(slot,session);
- }
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
- }
-}
-
-/*
- * context are cipher and digest contexts that are associated with a session
- */
-void
-pk11_FreeContext(PK11SessionContext *context)
-{
- if (context->cipherInfo) {
- (*context->destroy)(context->cipherInfo,PR_TRUE);
- }
- if (context->hashInfo) {
- (*context->hashdestroy)(context->hashInfo,PR_TRUE);
- }
- PORT_Free(context);
-}
-
-/* look up a slot structure from the ID (used to be a macro when we only
- * had two slots) */
-PK11Slot *
-pk11_SlotFromID(CK_SLOT_ID slotID)
-{
- switch (slotID) {
- case NETSCAPE_SLOT_ID:
- return &pk11_slot[0];
- case PRIVATE_KEY_SLOT_ID:
- return &pk11_slot[1];
- case FIPS_SLOT_ID:
- return &pk11_slot[2];
- default:
- break; /* fall through to NULL */
- }
- return NULL;
-}
-
-PK11Slot *
-pk11_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
-{
- if (handle & PK11_PRIVATE_KEY_FLAG) {
- return &pk11_slot[1];
- }
- if (handle & PK11_FIPS_FLAG) {
- return &pk11_slot[2];
- }
- return &pk11_slot[0];
-}
-
-/*
- * create a new nession. NOTE: The session handle is not set, and the
- * session is not added to the slot's session queue.
- */
-PK11Session *
-pk11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
- CK_FLAGS flags)
-{
- PK11Session *session;
- PK11Slot *slot = pk11_SlotFromID(slotID);
-
- if (slot == NULL) return NULL;
-
- session = (PK11Session*)PORT_Alloc(sizeof(PK11Session));
- if (session == NULL) return NULL;
-
- session->next = session->prev = NULL;
- session->refCount = 1;
- session->enc_context = NULL;
- session->hash_context = NULL;
- session->sign_context = NULL;
- session->search = NULL;
- session->objectIDCount = 1;
-#ifdef PKCS11_USE_THREADS
- session->refLock = PR_NewLock();
- if (session->refLock == NULL) {
- PORT_Free(session);
- return NULL;
- }
- session->objectLock = PR_NewLock();
- if (session->objectLock == NULL) {
- PK11_USE_THREADS(PR_DestroyLock(session->refLock);)
- PORT_Free(session);
- return NULL;
- }
-#else
- session->refLock = NULL;
- session->objectLock = NULL;
-#endif
- session->objects[0] = NULL;
-
- session->slot = slot;
- session->notify = notify;
- session->appData = pApplication;
- session->info.flags = flags;
- session->info.slotID = slotID;
- pk11_update_state(slot,session);
- return session;
-}
-
-
-/* free all the data associated with a session. */
-static void
-pk11_DestroySession(PK11Session *session)
-{
- PK11ObjectList *op,*next;
- PORT_Assert(session->refCount == 0);
-
- /* clean out the attributes */
- /* since no one is referencing us, it's safe to walk the chain
- * without a lock */
- for (op = session->objects[0]; op != NULL; op = next) {
- next = op->next;
- /* paranoia */
- op->next = op->prev = NULL;
- pk11_DeleteObject(session,op->parent);
- }
- PK11_USE_THREADS(PR_DestroyLock(session->objectLock);)
- PK11_USE_THREADS(PR_DestroyLock(session->refLock);)
- if (session->enc_context) {
- pk11_FreeContext(session->enc_context);
- }
- if (session->hash_context) {
- pk11_FreeContext(session->hash_context);
- }
- if (session->sign_context) {
- pk11_FreeContext(session->sign_context);
- }
- if (session->search) {
- pk11_FreeSearch(session->search);
- }
- PORT_Free(session);
-}
-
-
-/*
- * look up a session structure from a session handle
- * generate a reference to it.
- */
-PK11Session *
-pk11_SessionFromHandle(CK_SESSION_HANDLE handle)
-{
- PK11Slot *slot = pk11_SlotFromSessionHandle(handle);
- PK11Session *session;
-
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- pk11queue_find(session,handle,slot->head,SESSION_HASH_SIZE);
- if (session) session->refCount++;
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
-
- return (session);
-}
-
-/*
- * release a reference to a session handle
- */
-void
-pk11_FreeSession(PK11Session *session)
-{
- PRBool destroy = PR_FALSE;
- PK11_USE_THREADS(PK11Slot *slot = pk11_SlotFromSession(session);)
-
- PK11_USE_THREADS(PR_Lock(slot->sessionLock);)
- if (session->refCount == 1) destroy = PR_TRUE;
- session->refCount--;
- PK11_USE_THREADS(PR_Unlock(slot->sessionLock);)
-
- if (destroy) pk11_DestroySession(session);
-}
diff --git a/security/nss/lib/softoken/pkcs11u.h b/security/nss/lib/softoken/pkcs11u.h
deleted file mode 100644
index 8b3c6dbd5..000000000
--- a/security/nss/lib/softoken/pkcs11u.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/*
- * reset any packing set by pkcs11p.h
- */
-#if defined(XP_WIN)
-#if defined (_WIN32)
-#pragma warning(disable:4103)
-#pragma pack(pop, cryptoki)
-#endif
-#endif
-
diff --git a/security/nss/lib/softoken/private.h b/security/nss/lib/softoken/private.h
deleted file mode 100644
index b90ceaaea..000000000
--- a/security/nss/lib/softoken/private.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * private.h - Private data structures for the software token library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _PRIVATE_H_
-#define _PRIVATE_H_
-
-#include "nspr.h"
-#include "seccomon.h"
-#include "mcom_db.h"
-
-/*
- * Handle structure for open key databases
- */
-struct SECKEYKeyDBHandleStr {
- DB *db;
- DB *updatedb; /* used when updating an old version */
- SECItem *global_salt; /* password hashing salt for this db */
- int version; /* version of the database */
-};
-
-/*
-** Typedef for callback for traversing key database.
-** "key" is the key used to index the data in the database (nickname)
-** "data" is the key data
-** "pdata" is the user's data
-*/
-typedef SECStatus (* SECKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
-
-
-SEC_BEGIN_PROTOS
-
-/*
-** Traverse the entire key database, and pass the nicknames and keys to a
-** user supplied function.
-** "f" is the user function to call for each key
-** "udata" is the user's data, which is passed through to "f"
-*/
-extern SECStatus SECKEY_TraverseKeys(SECKEYKeyDBHandle *handle,
- SECKEYTraverseKeysFunc f,
- void *udata);
-
-SEC_END_PROTOS
-
-#endif /* _PRIVATE_H_ */
diff --git a/security/nss/lib/softoken/rawhash.c b/security/nss/lib/softoken/rawhash.c
deleted file mode 100644
index 4d19b3cdb..000000000
--- a/security/nss/lib/softoken/rawhash.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "nspr.h"
-#include "sechash.h"
-#include "blapi.h" /* below the line */
-
-
-static void *
-null_hash_new_context(void)
-{
- return NULL;
-}
-
-static void *
-null_hash_clone_context(void *v)
-{
- PORT_Assert(v == NULL);
- return NULL;
-}
-
-static void
-null_hash_begin(void *v)
-{
-}
-
-static void
-null_hash_update(void *v, const unsigned char *input, unsigned int length)
-{
-}
-
-static void
-null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
- unsigned int maxOut)
-{
- *outLen = 0;
-}
-
-static void
-null_hash_destroy_context(void *v, PRBool b)
-{
- PORT_Assert(v == NULL);
-}
-
-
-SECHashObject SECRawHashObjects[] = {
- { 0,
- (void * (*)(void)) null_hash_new_context,
- (void * (*)(void *)) null_hash_clone_context,
- (void (*)(void *, PRBool)) null_hash_destroy_context,
- (void (*)(void *)) null_hash_begin,
- (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
- (void (*)(void *, unsigned char *, unsigned int *,
- unsigned int)) null_hash_end
- },
- { MD2_LENGTH,
- (void * (*)(void)) MD2_NewContext,
- (void * (*)(void *)) null_hash_clone_context,
- (void (*)(void *, PRBool)) MD2_DestroyContext,
- (void (*)(void *)) MD2_Begin,
- (void (*)(void *, const unsigned char *, unsigned int)) MD2_Update,
- (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD2_End
- },
- { MD5_LENGTH,
- (void * (*)(void)) MD5_NewContext,
- (void * (*)(void *)) null_hash_clone_context,
- (void (*)(void *, PRBool)) MD5_DestroyContext,
- (void (*)(void *)) MD5_Begin,
- (void (*)(void *, const unsigned char *, unsigned int)) MD5_Update,
- (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD5_End
- },
- { SHA1_LENGTH,
- (void * (*)(void)) SHA1_NewContext,
- (void * (*)(void *)) null_hash_clone_context,
- (void (*)(void *, PRBool)) SHA1_DestroyContext,
- (void (*)(void *)) SHA1_Begin,
- (void (*)(void *, const unsigned char *, unsigned int)) SHA1_Update,
- (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) SHA1_End
- },
-};
-
diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c
deleted file mode 100644
index ca853269d..000000000
--- a/security/nss/lib/softoken/rsawrapr.c
+++ /dev/null
@@ -1,1049 +0,0 @@
-/*
- * PKCS#1 encoding and decoding functions.
- * This file is believed to contain no code licensed from other parties.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "blapi.h"
-#include "softoken.h"
-#include "sechash.h"
-
-#include "keylow.h"
-#include "secerr.h"
-
-#define RSA_BLOCK_MIN_PAD_LEN 8
-#define RSA_BLOCK_FIRST_OCTET 0x00
-#define RSA_BLOCK_PRIVATE0_PAD_OCTET 0x00
-#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
-#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
-
-#define OAEP_SALT_LEN 8
-#define OAEP_PAD_LEN 8
-#define OAEP_PAD_OCTET 0x00
-
-#define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
-
-static SHA1Context *
-SHA1_CloneContext(SHA1Context *original)
-{
- SHA1Context * clone = NULL;
- unsigned char *pBuf;
- int sha1ContextSize = SHA1_FlattenSize(original);
- SECStatus frv;
- unsigned char buf[FLAT_BUFSIZE];
-
- PORT_Assert(sizeof buf >= sha1ContextSize);
- if (sizeof buf >= sha1ContextSize) {
- pBuf = buf;
- } else {
- pBuf = PORT_Alloc(sha1ContextSize);
- if (!pBuf)
- goto done;
- }
-
- frv = SHA1_Flatten(original, pBuf);
- if (frv == SECSuccess) {
- clone = SHA1_Resurrect(pBuf, NULL);
- memset(pBuf, 0, sha1ContextSize);
- }
-done:
- if (pBuf != buf)
- PORT_Free(pBuf);
- return clone;
-}
-
-/*
- * Modify data by XORing it with a special hash of salt.
- */
-static SECStatus
-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
- unsigned char *salt, unsigned int saltlen)
-{
- SHA1Context *sha1cx;
- unsigned char *dp, *dataend;
- unsigned char end_octet;
-
- sha1cx = SHA1_NewContext();
- if (sha1cx == NULL) {
- return SECFailure;
- }
-
- /*
- * Get a hash of salt started; we will use it several times,
- * adding in a different end octet (x00, x01, x02, ...).
- */
- SHA1_Begin (sha1cx);
- SHA1_Update (sha1cx, salt, saltlen);
- end_octet = 0;
-
- dp = data;
- dataend = data + datalen;
-
- while (dp < dataend) {
- SHA1Context *sha1cx_h1;
- unsigned int sha1len, sha1off;
- unsigned char sha1[SHA1_LENGTH];
-
- /*
- * Create hash of (salt || end_octet)
- */
- sha1cx_h1 = SHA1_CloneContext (sha1cx);
- SHA1_Update (sha1cx_h1, &end_octet, 1);
- SHA1_End (sha1cx_h1, sha1, &sha1len, sizeof(sha1));
- SHA1_DestroyContext (sha1cx_h1, PR_TRUE);
- PORT_Assert (sha1len == SHA1_LENGTH);
-
- /*
- * XOR that hash with the data.
- * When we have fewer than SHA1_LENGTH octets of data
- * left to xor, use just the low-order ones of the hash.
- */
- sha1off = 0;
- if ((dataend - dp) < SHA1_LENGTH)
- sha1off = SHA1_LENGTH - (dataend - dp);
- while (sha1off < SHA1_LENGTH)
- *dp++ ^= sha1[sha1off++];
-
- /*
- * Bump for next hash chunk.
- */
- end_octet++;
- }
-
- return SECSuccess;
-}
-
-/*
- * Modify salt by XORing it with a special hash of data.
- */
-static SECStatus
-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
- unsigned char *data, unsigned int datalen)
-{
- unsigned char sha1[SHA1_LENGTH];
- unsigned char *psalt, *psha1, *saltend;
- SECStatus rv;
-
- /*
- * Create a hash of data.
- */
- rv = SHA1_HashBuf (sha1, data, datalen);
- if (rv != SECSuccess) {
- return rv;
- }
-
- /*
- * XOR the low-order octets of that hash with salt.
- */
- PORT_Assert (saltlen <= SHA1_LENGTH);
- saltend = salt + saltlen;
- psalt = salt;
- psha1 = sha1 + SHA1_LENGTH - saltlen;
- while (psalt < saltend) {
- *psalt++ ^= *psha1++;
- }
-
- return SECSuccess;
-}
-
-/*
- * Format one block of data for public/private key encryption using
- * the rules defined in PKCS #1.
- */
-unsigned char *
-RSA_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
- SECItem *data)
-{
- unsigned char *block;
- unsigned char *bp;
- int padLen;
- int i;
-
- block = (unsigned char *) PORT_Alloc(modulusLen);
- if (block == NULL)
- return NULL;
-
- bp = block;
-
- /*
- * All RSA blocks start with two octets:
- * 0x00 || BlockType
- */
- *bp++ = RSA_BLOCK_FIRST_OCTET;
- *bp++ = (unsigned char) blockType;
-
- switch (blockType) {
-
- /*
- * Blocks intended for private-key operation.
- */
- case RSA_BlockPrivate0: /* essentially unused */
- case RSA_BlockPrivate: /* preferred method */
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
- */
- padLen = modulusLen - data->len - 3;
- PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
- PORT_Memset (bp,
- blockType == RSA_BlockPrivate0
- ? RSA_BLOCK_PRIVATE0_PAD_OCTET
- : RSA_BLOCK_PRIVATE_PAD_OCTET,
- padLen);
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- PORT_Memcpy (bp, data->data, data->len);
- break;
-
- /*
- * Blocks intended for public-key operation.
- */
- case RSA_BlockPublic:
-
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is all non-zero random bytes.
- */
- padLen = modulusLen - data->len - 3;
- PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
- for (i = 0; i < padLen; i++) {
- /* Pad with non-zero random data. */
- do {
- RNG_GenerateGlobalRandomBytes(bp + i, 1);
- } while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
- }
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- PORT_Memcpy (bp, data->data, data->len);
-
- break;
-
- /*
- * Blocks intended for public-key operation, using
- * Optimal Asymmetric Encryption Padding (OAEP).
- */
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
- *
- * where:
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
- * Salt is random data.
- * Pad1 is all zeros.
- * Pad2, if present, is random data.
- * (The "modified" fields are all the same length as the original
- * unmodified values; they are just xor'd with other values.)
- *
- * Modified1 is an XOR of PaddedData with a special octet
- * string constructed of iterated hashing of Salt (see below).
- * Modified2 is an XOR of Salt with the low-order octets of
- * the hash of Modified1 (see farther below ;-).
- *
- * Whew!
- */
-
-
- /*
- * Salt
- */
- RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
- bp += OAEP_SALT_LEN;
-
- /*
- * Pad1
- */
- PORT_Memset (bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
- bp += OAEP_PAD_LEN;
-
- /*
- * Data
- */
- PORT_Memcpy (bp, data->data, data->len);
- bp += data->len;
-
- /*
- * Pad2
- */
- if (bp < (block + modulusLen))
- RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
-
- /*
- * Now we have the following:
- * 0x00 || BT || Salt || PaddedData
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
- * as the one entity PaddedData.)
- *
- * We need to turn PaddedData into Modified1.
- */
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN,
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
- PORT_Free (block);
- return NULL;
- }
-
- /*
- * Now we have:
- * 0x00 || BT || Salt || Modified1(PaddedData)
- *
- * The remaining task is to turn Salt into Modified2.
- */
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
- block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN) != SECSuccess) {
- PORT_Free (block);
- return NULL;
- }
-
- break;
-
- default:
- PORT_Assert (0);
- PORT_Free (block);
- return NULL;
- }
-
- return block;
-}
-
-SECStatus
-RSA_FormatBlock(SECItem *result, unsigned modulusLen,
- RSA_BlockType blockType, SECItem *data)
-{
- /*
- * XXX For now assume that the data length fits in a single
- * XXX encryption block; the ASSERTs below force this.
- * XXX To fix it, each case will have to loop over chunks whose
- * XXX lengths satisfy the assertions, until all data is handled.
- * XXX (Unless RSA has more to say about how to handle data
- * XXX which does not fit in a single encryption block?)
- * XXX And I do not know what the result is supposed to be,
- * XXX so the interface to this function may need to change
- * XXX to allow for returning multiple blocks, if they are
- * XXX not wanted simply concatenated one after the other.
- */
-
- switch (blockType) {
- case RSA_BlockPrivate0:
- case RSA_BlockPrivate:
- case RSA_BlockPublic:
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- *
- * The "3" below is the first octet + the second octet + the 0x00
- * octet that always comes just before the ActualData.
- */
- PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
-
- result->data = RSA_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
- *
- * The "2" below is the first octet + the second octet.
- * (The other fields do not contain the clear values, but are
- * the same length as the clear values.)
- */
- PORT_Assert (data->len <= (modulusLen - (2 + OAEP_SALT_LEN
- + OAEP_PAD_LEN)));
-
- result->data = RSA_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
- case RSA_BlockRaw:
- /*
- * Pad || ActualData
- * Pad is zeros. The application is responsible for recovering
- * the actual data.
- */
- result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
- result->len = modulusLen;
- PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
- break;
-
- default:
- PORT_Assert (0);
- result->data = NULL;
- result->len = 0;
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-/*
- * Takes a formatted block and returns the data part.
- * (This is the inverse of RSA_FormatOneBlock().)
- * In some formats the start of the data is ambiguous;
- * if it is non-zero, expectedLen will disambiguate.
- *
- * NOTE: this routine is not yet used/tested! (XXX please
- * remove this comment once that is no longer the case ;-)
- */
-unsigned char *
-RSA_DecodeOneBlock(unsigned char *data,
- unsigned int modulusLen,
- unsigned int expectedLen,
- RSA_BlockType *pResultType,
- unsigned int *pResultLen)
-{
- RSA_BlockType blockType;
- unsigned char *dp, *res;
- unsigned int i, len, padLen;
-
- dp = data;
- if (*dp++ != RSA_BLOCK_FIRST_OCTET) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
-
- blockType = (RSA_BlockType)*dp++;
- switch (blockType) {
- case RSA_BlockPrivate0:
- if (expectedLen) {
- padLen = modulusLen - expectedLen - 3;
- PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
- for (i = 0; i < padLen; i++) {
- if (*dp++ != RSA_BLOCK_PRIVATE0_PAD_OCTET)
- break;
- }
- if ((i != padLen) || (*dp != RSA_BLOCK_AFTER_PAD_OCTET)) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- dp++;
- len = expectedLen;
- } else {
- for (i = 0; i < modulusLen; i++) {
- if (*dp++ != RSA_BLOCK_PRIVATE0_PAD_OCTET)
- break;
- }
- if (i == modulusLen) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- if (RSA_BLOCK_PRIVATE0_PAD_OCTET == RSA_BLOCK_AFTER_PAD_OCTET)
- dp--;
- padLen = dp - data - 2;
- if ((padLen < RSA_BLOCK_MIN_PAD_LEN)
- || (*dp != RSA_BLOCK_AFTER_PAD_OCTET)) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- dp++;
- len = modulusLen - (dp - data);
- }
- res = (unsigned char *) PORT_Alloc(len);
- if (res == NULL) {
- return NULL;
- }
- PORT_Memcpy (res, dp, len);
- break;
-
- case RSA_BlockPrivate:
- for (i = 0; i < modulusLen; i++) {
- if (*dp++ != RSA_BLOCK_PRIVATE_PAD_OCTET)
- break;
- }
- if ((i == modulusLen) || (*dp != RSA_BLOCK_AFTER_PAD_OCTET)) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- padLen = dp - data - 2;
- dp++;
- len = modulusLen - (dp - data);
- if ((padLen < RSA_BLOCK_MIN_PAD_LEN) || (expectedLen
- && (expectedLen != len))) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- res = (unsigned char *) PORT_Alloc(len);
- if (res == NULL) {
- return NULL;
- }
- PORT_Memcpy (res, dp, len);
- break;
-
- case RSA_BlockPublic:
- for (i = 0; i < modulusLen; i++) {
- if (*dp++ == RSA_BLOCK_AFTER_PAD_OCTET)
- break;
- }
- if (i == modulusLen) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- padLen = dp - data - 2;
- dp++;
- len = modulusLen - (dp - data);
- if ((padLen < RSA_BLOCK_MIN_PAD_LEN) || (expectedLen
- && (expectedLen != len))) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
- res = (unsigned char *) PORT_Alloc(len);
- if (res == NULL) {
- return NULL;
- }
- PORT_Memcpy (res, dp, len);
- break;
-
- case RSA_BlockOAEP:
- {
- unsigned char *salt, *tmp_res;
- SECStatus rv;
-
- len = modulusLen - 2 - OAEP_SALT_LEN;
- /*
- * dp points to:
- * Modified2(Salt) || Modified1(PaddedData)
- * To recover Salt we need to XOR it with the low-order hash
- * of Modified1.
- */
- salt = (unsigned char *) PORT_Alloc(OAEP_SALT_LEN);
- if (salt == NULL) {
- return NULL;
- }
- PORT_Memcpy (salt, dp, OAEP_SALT_LEN);
- dp += OAEP_SALT_LEN;
- rv = oaep_xor_with_h2 (salt, OAEP_SALT_LEN, dp, len);
- if (rv != SECSuccess) {
- PORT_Free (salt);
- return NULL;
- }
- if (expectedLen) {
- PORT_Assert (expectedLen <= len);
- len = expectedLen;
- }
- tmp_res = (unsigned char *) PORT_Alloc(len);
- if (tmp_res == NULL) {
- PORT_Free (salt);
- return NULL;
- }
- PORT_Memcpy (tmp_res, dp, len);
- rv = oaep_xor_with_h1 (tmp_res, len, salt, OAEP_SALT_LEN);
- PORT_Free (salt);
- if (rv != SECSuccess) {
- return NULL;
- }
- for (i = 0; i < OAEP_PAD_LEN; i++) {
- if (tmp_res[i] != OAEP_PAD_OCTET) {
- PORT_SetError (SEC_ERROR_BAD_DATA);
- PORT_Free (tmp_res);
- return NULL;
- }
- }
- len -= OAEP_PAD_LEN;
- res = (unsigned char *) PORT_Alloc(len);
- if (res == NULL) {
- PORT_Free (tmp_res);
- return NULL;
- }
- PORT_Memcpy (res, tmp_res + OAEP_PAD_LEN, len);
- PORT_Free (tmp_res);
- }
- break;
-
- default:
- PORT_SetError (SEC_ERROR_BAD_DATA);
- return NULL;
- }
-
- PORT_Assert (res != NULL);
- *pResultLen = len;
- *pResultType = blockType;
- return res;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_Sign(SECKEYLowPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int maxOutputLen,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulus_len = SECKEY_LowPrivateModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- if (maxOutputLen < modulus_len)
- return SECFailure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- return SECFailure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = RSA_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
- &unformatted);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOp(&key->u.rsa, output, formatted.data);
- *output_len = modulus_len;
-
- goto done;
-
-done:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSign(SECKEYLowPublicKey *key,
- unsigned char * sign,
- unsigned int sign_len,
- unsigned char * hash,
- unsigned int hash_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPublicModulusLen(key);
- unsigned int i;
- unsigned char * buffer;
-
- modulus_len = SECKEY_LowPublicModulusLen(key);
- if (sign_len != modulus_len)
- goto failure;
- if (hash_len > modulus_len - 8)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * check the padding that was used
- */
- if (buffer[0] != 0 || buffer[1] != 1)
- goto loser;
- for (i = 2; i < modulus_len - hash_len - 1; i++) {
- if (buffer[i] == 0)
- break;
- if (buffer[i] != 0xff)
- goto loser;
- }
-
- /*
- * make sure we get the same results
- */
- if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
- goto loser;
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecover(SECKEYLowPublicKey *key,
- unsigned char * data,
- unsigned int * data_len,
- unsigned int max_output_len,
- unsigned char * sign,
- unsigned int sign_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPublicModulusLen(key);
- unsigned int i;
- unsigned char * buffer;
-
- if (sign_len != modulus_len)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess)
- goto loser;
- *data_len = 0;
-
- /*
- * check the padding that was used
- */
- if (buffer[0] != 0 || buffer[1] != 1)
- goto loser;
- for (i = 2; i < modulus_len; i++) {
- if (buffer[i] == 0) {
- *data_len = modulus_len - i - 1;
- break;
- }
- if (buffer[i] != 0xff)
- goto loser;
- }
- if (*data_len == 0)
- goto loser;
- if (*data_len > max_output_len)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptBlock(SECKEYLowPublicKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPublicModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- formatted.data = NULL;
- if (max_output_len < modulus_len)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = RSA_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
- &unformatted);
- if (rv != SECSuccess)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
- if (rv != SECSuccess)
- goto failure;
-
- PORT_ZFree(formatted.data, modulus_len);
- *output_len = modulus_len;
- return SECSuccess;
-
-failure:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptBlock(SECKEYLowPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPrivateModulusLen(key);
- unsigned int i;
- unsigned char * buffer;
-
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
- if (input_len != modulus_len)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
- if (rv != SECSuccess)
- goto loser;
-
- if (buffer[0] != 0 || buffer[1] != 2)
- goto loser;
- *output_len = 0;
- for (i = 2; i < modulus_len; i++) {
- if (buffer[i] == 0) {
- *output_len = modulus_len - i - 1;
- break;
- }
- }
- if (*output_len == 0)
- goto loser;
- if (*output_len > max_output_len)
- goto loser;
-
- PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-/*
- * added to make pkcs #11 happy
- * RAW is RSA_X_509
- */
-SECStatus
-RSA_SignRaw(SECKEYLowPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int maxOutputLen,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv = SECSuccess;
- unsigned int modulus_len = SECKEY_LowPrivateModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- if (maxOutputLen < modulus_len)
- return SECFailure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- return SECFailure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = RSA_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
- if (rv != SECSuccess)
- goto done;
-
- rv = RSA_PrivateKeyOp(&key->u.rsa, output, formatted.data);
- *output_len = modulus_len;
-
-done:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRaw(SECKEYLowPublicKey *key,
- unsigned char * sign,
- unsigned int sign_len,
- unsigned char * hash,
- unsigned int hash_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPublicModulusLen(key);
- unsigned char * buffer;
-
- if (sign_len != modulus_len)
- goto failure;
- if (hash_len > modulus_len)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
-
- buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
- if (!buffer)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * make sure we get the same results
- */
- /* NOTE: should we verify the leading zeros? */
- if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
- goto loser;
-
- PORT_Free(buffer);
- return SECSuccess;
-
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecoverRaw(SECKEYLowPublicKey *key,
- unsigned char * data,
- unsigned int * data_len,
- unsigned int max_output_len,
- unsigned char * sign,
- unsigned int sign_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPublicModulusLen(key);
-
- if (sign_len != modulus_len)
- goto failure;
- if (max_output_len < modulus_len)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
- if (rv != SECSuccess)
- goto failure;
-
- *data_len = modulus_len;
- return SECSuccess;
-
-failure:
- return SECFailure;
-}
-
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptRaw(SECKEYLowPublicKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPublicModulusLen(key);
- SECItem formatted;
- SECItem unformatted;
-
- formatted.data = NULL;
- if (max_output_len < modulus_len)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
-
- unformatted.len = input_len;
- unformatted.data = input;
- formatted.data = NULL;
- rv = RSA_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
- if (rv != SECSuccess)
- goto failure;
-
- rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
- if (rv != SECSuccess)
- goto failure;
-
- PORT_ZFree(formatted.data, modulus_len);
- *output_len = modulus_len;
- return SECSuccess;
-
-failure:
- if (formatted.data != NULL)
- PORT_ZFree(formatted.data, modulus_len);
- return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptRaw(SECKEYLowPrivateKey *key,
- unsigned char * output,
- unsigned int * output_len,
- unsigned int max_output_len,
- unsigned char * input,
- unsigned int input_len)
-{
- SECStatus rv;
- unsigned int modulus_len = SECKEY_LowPrivateModulusLen(key);
-
- if (modulus_len <= 0)
- goto failure;
- if (modulus_len > max_output_len)
- goto failure;
- PORT_Assert(key->keyType == rsaKey);
- if (key->keyType != rsaKey)
- goto failure;
- if (input_len != modulus_len)
- goto failure;
-
- rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
- if (rv != SECSuccess)
- goto failure;
-
- *output_len = modulus_len;
- return SECSuccess;
-
-failure:
- return SECFailure;
-}
diff --git a/security/nss/lib/softoken/secpkcs5.c b/security/nss/lib/softoken/secpkcs5.c
deleted file mode 100644
index 6cc8dd4a4..000000000
--- a/security/nss/lib/softoken/secpkcs5.c
+++ /dev/null
@@ -1,1827 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "secport.h"
-#include "hasht.h"
-#include "pkcs11t.h"
-#include "blapi.h"
-#include "sechash.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "secpkcs5.h"
-#include "secoid.h"
-#include "alghmac.h"
-#include "softoken.h"
-#include "secerr.h"
-
-#define DES_IV_LENGTH 8
-#define RC2_IV_LENGTH 8
-#define MD2_LENGTH 16
-#define MD5_LENGTH 16
-#define SHA1_LENGTH 20
-#define SEED_LENGTH 16
-#define SALT_LENGTH 8
-#define PBE_SALT_LENGTH 16
-
-/* template for PKCS 5 PBE Parameter. This template has been expanded
- * based upon the additions in PKCS 12. This should eventually be moved
- * if RSA updates PKCS 5.
- */
-const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[] =
-{
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SEC_PKCS5PBEParameter, salt) },
- { SEC_ASN1_INTEGER,
- offsetof(SEC_PKCS5PBEParameter, iteration) },
- { 0 }
-};
-
-const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] =
-{
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
- { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) },
- { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) },
- { 0 }
-};
-
-pbeBitGenParameters pbeHashAlgorithmParams[] = {
- { 0, 0, SEC_OID_UNKNOWN },
- { 128, 512, SEC_OID_MD2 },
- { 128, 512, SEC_OID_MD5 },
- { 160, 512, SEC_OID_SHA1 },
-};
-
-/* generate some random bytes. this is used to generate the
- * salt if it is not specified.
- */
-static SECStatus
-sec_pkcs5_generate_random_bytes(PRArenaPool *poolp,
- SECItem *dest, int len)
-{
- SECStatus rv = SECFailure;
-
- if(dest != NULL)
- {
- void *mark = PORT_ArenaMark(poolp);
- dest->data = (unsigned char *)PORT_ArenaZAlloc(poolp, len);
- if(dest->data != NULL)
- {
- dest->len = len;
- RNG_GenerateGlobalRandomBytes(dest->data, dest->len);
- PORT_ArenaUnmark(poolp, mark);
- rv = SECSuccess;
- } else
- PORT_ArenaRelease(poolp, mark);
- }
-
- return rv;
-}
-
-/* maps hash algorithm from PBE algorithm.
- */
-static SECOidTag
-sec_pkcs5_hash_algorithm(SECOidTag algorithm)
-{
- switch(algorithm)
- {
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- return SEC_OID_SHA1;
- case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
- return SEC_OID_MD5;
- case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
- return SEC_OID_MD2;
- default:
- break;
- }
- return SEC_OID_UNKNOWN;
-}
-
-/* get the iv length needed for the PBE algorithm
- */
-static int
-sec_pkcs5_iv_length(SECOidTag algorithm)
-{
- switch(algorithm)
- {
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
- return DES_IV_LENGTH;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- return RC2_IV_LENGTH;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
- return 0;
- default:
- break;
- }
- return -1;
-}
-
-/* get the key length needed for the PBE algorithm
- */
-static int
-sec_pkcs5_key_length(SECOidTag algorithm)
-{
- switch(algorithm)
- {
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
- return 24;
- case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
- return 8;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- return 5;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- return 16;
- default:
- break;
- }
- return -1;
-}
-
-/* the V2 algorithms only encode the salt, there is no iteration
- * count so we need a check for V2 algorithm parameters.
- */
-static PRBool
-sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm)
-{
- switch(algorithm)
- {
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- return PR_TRUE;
- default:
- break;
- }
-
- return PR_FALSE;
-}
-
-/* creates a PBE parameter based on the PBE algorithm. the only required
- * parameters are algorithm and interation. the return is a PBE parameter
- * which conforms to PKCS 5 parameter unless an extended parameter is needed.
- * this is primarily if keyLen and a variable key length algorithm are
- * specified.
- * salt - if null, a salt will be generated from random bytes.
- * iteration - number of iterations to perform hashing.
- * keyLen - only used in variable key length algorithms
- * iv - if null, the IV will be generated based on PKCS 5 when needed.
- * params - optional, currently unsupported additional parameters.
- * once a parameter is allocated, it should be destroyed calling
- * sec_pkcs5_destroy_pbe_parameter or SEC_PKCS5DestroyPBEParameter.
- */
-static SEC_PKCS5PBEParameter *
-sec_pkcs5_create_pbe_parameter(SECOidTag algorithm,
- SECItem *salt,
- int iteration)
-{
- PRArenaPool *poolp = NULL;
- SEC_PKCS5PBEParameter *pbe_param = NULL;
- SECStatus rv;
- void *dummy = NULL;
-
- if(iteration < 0) {
- return NULL;
- }
-
- poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(poolp == NULL)
- return NULL;
-
- pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS5PBEParameter));
- if(!pbe_param) {
- PORT_FreeArena(poolp, PR_TRUE);
- return NULL;
- }
-
- pbe_param->poolp = poolp;
- pbe_param->algorithm = algorithm;
-
- /* should we generate the salt? */
- if(!salt || !salt->data) {
- rv = sec_pkcs5_generate_random_bytes(poolp, &pbe_param->salt,
- SALT_LENGTH);
- } else {
- rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt);
- }
-
- if(rv != SECSuccess) {
- PORT_FreeArena(poolp, PR_TRUE);
- return NULL;
- }
-
- /* encode the integer */
- dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration,
- iteration);
- rv = (dummy) ? SECSuccess : SECFailure;
-
- if(rv != SECSuccess) {
- PORT_FreeArena(poolp, PR_FALSE);
- return NULL;
- }
-
- return pbe_param;
-}
-
-/* generate bits for key and iv using MD5 hashing
- */
-static SECItem *
-sec_pkcs5_compute_md5_hash(SECItem *salt, SECItem *pwd, int iter,
- PRBool dummy)
-{
- SECItem *hash = NULL, *pre_hash = NULL;
- SECStatus rv = SECFailure;
-
- if((salt == NULL) || (pwd == NULL) || (iter < 0)) {
- return NULL;
- }
-
- hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if((hash != NULL) && (pre_hash != NULL)) {
- unsigned int i, ph_len;
-
- ph_len = MD5_LENGTH;
- if(ph_len < (salt->len + pwd->len)) {
- ph_len = salt->len + pwd->len;
- }
-
- rv = SECFailure;
- hash->data = (unsigned char *)PORT_ZAlloc(MD5_LENGTH);
- hash->len = MD5_LENGTH;
- pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
- pre_hash->len = salt->len + pwd->len;
-
- if((hash->data != NULL) && (pre_hash->data != NULL)) {
- rv = SECSuccess;
- /* handle 0 length password */
- if(pwd->len > 0) {
- PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
- }
- if(salt->len > 0) {
- PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
- }
- for(i = 0; ((i < (unsigned int)iter) && (rv == SECSuccess)); i++) {
- rv = MD5_HashBuf(hash->data, pre_hash->data, pre_hash->len);
- if(rv != SECFailure) {
- PORT_Memcpy(pre_hash->data, hash->data, MD5_LENGTH);
- pre_hash->len = MD5_LENGTH;
- }
- }
- }
- }
-
- if(pre_hash != NULL)
- SECITEM_FreeItem(pre_hash, PR_TRUE);
-
- if((rv == SECFailure) && (hash)) {
- SECITEM_FreeItem(hash, PR_TRUE);
- hash = NULL;
- }
-
- return hash;
-}
-
-/* generate bits for key and iv using MD2 hashing
- */
-static SECItem *
-sec_pkcs5_compute_md2_hash(SECItem *salt, SECItem *pwd, int iter,
- PRBool dummy)
-{
- SECItem *hash = NULL, *pre_hash = NULL;
- SECStatus rv = SECFailure;
-
- if((salt == NULL) || (pwd == NULL) || (iter < 0))
- return NULL;
-
- hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if((hash != NULL) && (pre_hash != NULL))
- {
- int i, ph_len;
-
- ph_len = MD2_LENGTH;
- if((salt->len + pwd->len) > MD2_LENGTH)
- ph_len = salt->len+pwd->len;
-
- rv = SECFailure;
- hash->data = (unsigned char *)PORT_ZAlloc(MD2_LENGTH);
- hash->len = MD2_LENGTH;
- pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
- pre_hash->len = salt->len + pwd->len;
-
- if((hash->data != NULL) && (pre_hash->data != NULL))
- {
- MD2Context *ctxt;
-
- rv = SECSuccess;
- if(pwd->len > 0) {
- PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
- }
- if(salt->len > 0) {
- PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
- }
-
- for(i = 0; ((i < iter) && (rv == SECSuccess)); i++)
- {
- ctxt = MD2_NewContext();
- if(ctxt == NULL)
- rv = SECFailure;
- else
- {
- MD2_Update(ctxt, pre_hash->data, pre_hash->len);
- MD2_End(ctxt, hash->data, &hash->len, hash->len);
- PORT_Memcpy(pre_hash->data, hash->data, MD2_LENGTH);
- pre_hash->len = MD2_LENGTH;
- MD2_DestroyContext(ctxt, PR_TRUE);
- }
- }
- }
- }
-
- if(pre_hash != NULL)
- SECITEM_FreeItem(pre_hash, PR_TRUE);
-
- if(rv != SECSuccess)
- if(hash != NULL)
- {
- SECITEM_FreeItem(hash, PR_TRUE);
- hash = NULL;
- }
-
- return hash;
-}
-
-/* generate bits using SHA1 hash
- */
-static SECItem *
-sec_pkcs5_compute_sha1_hash(SECItem *salt, SECItem *pwd, int iter,
- PRBool faulty3DES)
-{
- SECItem *hash = NULL, *pre_hash = NULL;
- SECStatus rv = SECFailure;
-
- if((salt == NULL) || (pwd == NULL) || (iter < 0)) {
- return NULL;
- }
-
- hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-
- if((hash != NULL) && (pre_hash != NULL)) {
- int i, ph_len;
-
- ph_len = SHA1_LENGTH;
- if((salt->len + pwd->len) > SHA1_LENGTH) {
- ph_len = salt->len + pwd->len;
- }
-
- rv = SECFailure;
-
- /* allocate buffers */
- hash->data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
- hash->len = SHA1_LENGTH;
- pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
-
- /* in pbeSHA1TripleDESCBC there was an allocation error that made
- * it into the caller. We do not want to propagate those errors
- * further, so we are doing it correctly, but reading the old method.
- */
- if(faulty3DES) {
- pre_hash->len = ph_len;
- } else {
- pre_hash->len = salt->len + pwd->len;
- }
-
- /* preform hash */
- if((hash->data != NULL) && (pre_hash->data != NULL)) {
- rv = SECSuccess;
- /* check for 0 length password */
- if(pwd->len > 0) {
- PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
- }
- if(salt->len > 0) {
- PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
- }
- for(i = 0; ((i < iter) && (rv == SECSuccess)); i++) {
- rv = SHA1_HashBuf(hash->data, pre_hash->data, pre_hash->len);
- if(rv != SECFailure) {
- pre_hash->len = SHA1_LENGTH;
- PORT_Memcpy(pre_hash->data, hash->data, SHA1_LENGTH);
- }
- }
- }
- }
-
- if(pre_hash != NULL) {
- SECITEM_FreeItem(pre_hash, PR_TRUE);
- }
-
- if((rv != SECSuccess) && (hash != NULL)) {
- SECITEM_FreeItem(hash, PR_TRUE);
- hash = NULL;
- }
-
- return hash;
-}
-
-/* bit generation/key and iv generation routines. */
-typedef SECItem *(* sec_pkcs5_hash_func)(SECItem *s, SECItem *p,
- int iter, PRBool faulty3DES);
-
-/* generates bits needed for the key and iv based on PKCS 5,
- * be concatenating the password and salt and using the appropriate
- * hash algorithm. This function serves as a front end to the
- * specific hash functions above. a return of NULL indicates an
- * error.
- */
-static SECItem *
-sec_pkcs5_compute_hash(SEC_PKCS5PBEParameter *pbe_param, SECItem *pwitem,
- PRBool faulty3DES)
-{
- sec_pkcs5_hash_func hash_func;
- SECOidTag hash_alg;
- SECItem *hash = NULL;
- SECItem *salt = NULL;
-
- hash_alg = sec_pkcs5_hash_algorithm(pbe_param->algorithm);
- salt = &(pbe_param->salt);
- switch(hash_alg)
- {
- case SEC_OID_SHA1:
- hash_func = sec_pkcs5_compute_sha1_hash;
- break;
- case SEC_OID_MD2:
- hash_func = sec_pkcs5_compute_md2_hash;
- break;
- case SEC_OID_MD5:
- hash_func = sec_pkcs5_compute_md5_hash;
- break;
- default:
- hash_func = NULL;
- }
-
- if(hash_func) {
- hash = (* hash_func)(salt, pwitem, pbe_param->iter, faulty3DES);
- }
-
- return hash;
-}
-
-/* determines the number of bits needed for key and iv generation
- * based upon the algorithm identifier. if a number of
- * bits greater than the hash algorithm can produce are needed,
- * the bits will be generated based upon the extended PKCS 5
- * described in PKCS 12.
- *
- * a return of -1 indicates an error.
- */
-static int
-sec_pkcs5_bits_needed(SEC_PKCS5PBEParameter *pbe_param)
-{
- int iv_bits;
- int key_bits;
-
- if(pbe_param == NULL) {
- return -1;
- }
-
- iv_bits = sec_pkcs5_iv_length(pbe_param->algorithm) * 8;
- key_bits = sec_pkcs5_key_length(pbe_param->algorithm) * 8;
-
- if(key_bits != 0) {
- return iv_bits + key_bits;
- }
-
- return -1;
-}
-
-/* determines the number of bits generated by each hash algorithm.
- * in case of an error, -1 is returned.
- */
-static int
-sec_pkcs5_hash_bits_generated(SEC_PKCS5PBEParameter *pbe_param)
-{
- if(pbe_param == NULL) {
- return -1;
- }
-
- switch(sec_pkcs5_hash_algorithm(pbe_param->algorithm)) {
- case SEC_OID_SHA1:
- return SHA1_LENGTH * 8;
- case SEC_OID_MD2:
- return MD2_LENGTH * 8;
- case SEC_OID_MD5:
- return MD5_LENGTH * 8;
- default:
- break;
- }
-
- return -1;
-}
-
-/* this bit generation routine is described in PKCS 12 and the proposed
- * extensions to PKCS 5. an initial hash is generated following the
- * instructions laid out in PKCS 5. If the number of bits generated is
- * insufficient, then the method discussed in the proposed extensions to
- * PKCS 5 in PKCS 12 are used. This extension makes use of the HMAC
- * function. And the P_Hash function from the TLS standard.
- */
-static SECItem *
-sec_pkcs5_bit_generator(SEC_PKCS5PBEParameter *pbe_param,
- SECItem *init_hash,
- unsigned int bits_needed)
-{
- SECItem *ret_bits = NULL;
- int hash_size = 0;
- unsigned int i;
- unsigned int hash_iter;
- unsigned int dig_len;
- SECStatus rv = SECFailure;
- unsigned char *state = NULL;
- unsigned int state_len;
- HMACContext *cx = NULL;
-
- hash_size = sec_pkcs5_hash_bits_generated(pbe_param);
- if(hash_size == -1)
- return NULL;
-
- hash_iter = (bits_needed + (unsigned int)hash_size - 1) / hash_size;
- hash_size /= 8;
-
- /* allocate return buffer */
- ret_bits = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(ret_bits == NULL)
- return NULL;
- ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1);
- ret_bits->len = (hash_iter * hash_size);
- if(ret_bits->data == NULL) {
- PORT_Free(ret_bits);
- return NULL;
- }
-
- /* allocate intermediate hash buffer. 8 is for the 8 bytes of
- * data which are added based on iteration number
- */
-
- if ((unsigned int)hash_size > pbe_param->salt.len) {
- state_len = hash_size;
- } else {
- state_len = pbe_param->salt.len;
- }
- state = (unsigned char *)PORT_ZAlloc(state_len);
- if(state == NULL) {
- rv = SECFailure;
- goto loser;
- }
- if(pbe_param->salt.len > 0) {
- PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len);
- }
-
- cx = HMAC_Create(sec_pkcs5_hash_algorithm(pbe_param->algorithm),
- init_hash->data, init_hash->len);
- if (cx == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- for(i = 0; i < hash_iter; i++) {
-
- /* generate output bits */
- HMAC_Begin(cx);
- HMAC_Update(cx, state, state_len);
- HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len);
- rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size),
- &dig_len, hash_size);
- if (rv != SECSuccess)
- goto loser;
- PORT_Assert((unsigned int)hash_size == dig_len);
-
- /* generate new state */
- HMAC_Begin(cx);
- HMAC_Update(cx, state, state_len);
- rv = HMAC_Finish(cx, state, &state_len, state_len);
- if (rv != SECSuccess)
- goto loser;
- PORT_Assert(state_len == dig_len);
- }
-
-loser:
- if (state != NULL)
- PORT_ZFree(state, state_len);
- HMAC_Destroy(cx);
-
- if(rv != SECSuccess) {
- SECITEM_ZfreeItem(ret_bits, PR_TRUE);
- ret_bits = NULL;
- }
-
- return ret_bits;
-}
-
-/* generate bits for the key and iv determination. if enough bits
- * are not generated using PKCS 5, then we need to generate more bits
- * based on the extension proposed in PKCS 12
- */
-static SECItem *
-sec_pkcs5_generate_bits(SEC_PKCS5PBEParameter *pbe_param, SECItem *pwitem,
- PRBool faulty3DES)
-{
- SECItem * hash = NULL;
- SECItem * newHash = NULL;
- int bits_needed;
- int bits_available;
-
- bits_needed = sec_pkcs5_bits_needed(pbe_param);
- bits_available = sec_pkcs5_hash_bits_generated(pbe_param);
-
- if((bits_needed == -1) || (bits_available == -1)) {
- return NULL;
- }
-
- hash = sec_pkcs5_compute_hash(pbe_param, pwitem, faulty3DES);
- if(hash == NULL) {
- return NULL;
- }
-
- if(bits_needed <= bits_available) {
- return hash;
- }
-
- newHash = sec_pkcs5_bit_generator(pbe_param, hash, bits_needed);
- if (hash != newHash)
- SECITEM_FreeItem(hash, PR_TRUE);
- return newHash;
-}
-
-/* compute the IV as per PKCS 5
- */
-static SECItem *
-sec_pkcs5_compute_iv(SEC_PKCS5PBEParameter *pbe_param, SECItem *pwitem,
- PRBool faulty3DES)
-{
- SECItem *hash = NULL, *iv = NULL;
-
- if((pbe_param == NULL) || (pwitem == NULL)) {
- return NULL;
- }
-
- /* generate iv */
- iv = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(!iv) {
- return NULL;
- }
-
- iv->len = sec_pkcs5_iv_length(pbe_param->algorithm);
- if(iv->len == -1) {
- PORT_Free(iv);
- return NULL;
- }
-
- iv->data = (unsigned char *)PORT_ZAlloc(iv->len);
- if(iv->data == NULL) {
- PORT_Free(iv);
- return NULL;
- }
-
- if(sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(pbe_param->algorithm)) {
- SECOidTag hashAlg;
- PBEBitGenContext *ctxt;
- hashAlg = sec_pkcs5_hash_algorithm(pbe_param->algorithm);
- ctxt = PBE_CreateContext(hashAlg, pbeBitGenCipherIV,
- pwitem, &pbe_param->salt,
- iv->len * 8, pbe_param->iter);
- if(!ctxt) {
- SECITEM_FreeItem(iv, PR_TRUE);
- return NULL;
- }
-
- hash = PBE_GenerateBits(ctxt);
- PBE_DestroyContext(ctxt);
- } else {
- hash = sec_pkcs5_generate_bits(pbe_param, pwitem, faulty3DES);
- }
-
- if(!hash) {
- SECITEM_FreeItem(iv, PR_TRUE);
- return NULL;
- }
-
- PORT_Memcpy(iv->data, (hash->data+(hash->len - iv->len)), iv->len);
- SECITEM_FreeItem(hash, PR_TRUE);
-
- return iv;
-}
-
-/* generate key as per PKCS 5
- */
-static SECItem *
-sec_pkcs5_compute_key(SEC_PKCS5PBEParameter *pbe_param, SECItem *pwitem,
- PRBool faulty3DES)
-{
- SECItem *hash = NULL, *key = NULL;
-
- if((pbe_param == NULL) || (pwitem == NULL)) {
- return NULL;
- }
-
- key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(!key) {
- return NULL;
- }
-
- key->len = sec_pkcs5_key_length(pbe_param->algorithm);
- if(key->len == -1) {
- PORT_Free(key);
- return NULL;
- }
-
- key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
- key->len);
- if(!key->data) {
- PORT_Free(key);
- return NULL;
- }
-
-
- if(sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(pbe_param->algorithm)) {
- SECOidTag hashAlg;
- PBEBitGenContext *ctxt;
- hashAlg = sec_pkcs5_hash_algorithm(pbe_param->algorithm);
- ctxt = PBE_CreateContext(hashAlg, pbeBitGenCipherKey,
- pwitem, &pbe_param->salt,
- key->len * 8, pbe_param->iter);
- if(!ctxt) {
- SECITEM_FreeItem(key, PR_TRUE);
- return NULL;
- }
-
- hash = PBE_GenerateBits(ctxt);
- PBE_DestroyContext(ctxt);
- } else {
- hash = sec_pkcs5_generate_bits(pbe_param, pwitem, faulty3DES);
- }
-
- if(!hash) {
- SECITEM_FreeItem(key, PR_TRUE);
- return NULL;
- }
-
- if(pbe_param->algorithm ==
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC) {
- PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
- PORT_Memcpy(&(key->data[(key->len * 2) / 3]), key->data,
- key->len / 3);
- } else {
- PORT_Memcpy(key->data, hash->data, key->len);
- }
-
- SECITEM_FreeItem(hash, PR_TRUE);
- return key;
-}
-
-/* decode the algid and generate a PKCS 5 parameter from it
- */
-static SEC_PKCS5PBEParameter *
-sec_pkcs5_convert_algid(SECAlgorithmID *algid)
-{
- PRArenaPool *poolp;
- SEC_PKCS5PBEParameter *pbe_param = NULL;
- SECOidTag algorithm;
- SECStatus rv = SECFailure;
-
- if(algid == NULL)
- return NULL;
-
- algorithm = SECOID_GetAlgorithmTag(algid);
-
- if(sec_pkcs5_hash_algorithm(algorithm) == SEC_OID_UNKNOWN)
- return NULL;
-
- poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(poolp == NULL)
- return NULL;
-
- /* allocate memory for the parameter */
- pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp,
- sizeof(SEC_PKCS5PBEParameter));
-
- /* decode parameter */
- if(pbe_param && !sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
- pbe_param->poolp = poolp;
- rv = SEC_ASN1DecodeItem(poolp, pbe_param,
- SEC_PKCS5PBEParameterTemplate, &algid->parameters);
- if(rv != SECSuccess) {
- goto loser;
- }
- pbe_param->algorithm = algorithm;
- pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
- } else if(sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
- pbe_param->algorithm = algorithm;
- pbe_param->poolp = poolp;
- rv = SEC_ASN1DecodeItem(poolp, pbe_param, SEC_V2PKCS12PBEParameterTemplate,
- &algid->parameters);
- if(rv != SECSuccess) {
- goto loser;
- }
- pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
- }
-
-loser:
- if((pbe_param == NULL) || (rv != SECSuccess)) {
- PORT_FreeArena(poolp, PR_TRUE);
- pbe_param = NULL;
- }
-
- return pbe_param;
-}
-
-/* destroy a pbe parameter. it assumes that the parameter was
- * generated using the appropriate create function and therefor
- * contains an arena pool.
- */
-static void
-sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param)
-{
- if(pbe_param != NULL)
- PORT_FreeArena(pbe_param->poolp, PR_TRUE);
-}
-
-
-/* crypto routines */
-
-/* function pointer template for crypto functions */
-typedef SECItem *(* pkcs5_crypto_func)(SECItem *key, SECItem *iv,
- SECItem *src, PRBool op1, PRBool op2);
-
-/* map PBE algorithm to crypto algorithm */
-static SECOidTag
-sec_pkcs5_encryption_algorithm(SECOidTag algorithm)
-{
- switch(algorithm)
- {
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
- return SEC_OID_DES_EDE3_CBC;
- case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
- return SEC_OID_DES_CBC;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- return SEC_OID_RC2_CBC;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
- return SEC_OID_RC4;
- default:
- break;
- }
- return SEC_OID_UNKNOWN;
-}
-
-/* perform DES encryption and decryption. these routines are called
- * by SEC_PKCS5CipherData. In the case of an error, NULL is returned.
- */
-static SECItem *
-sec_pkcs5_des(SECItem *key,
- SECItem *iv,
- SECItem *src,
- PRBool triple_des,
- PRBool encrypt)
-{
- SECItem *dest;
- SECItem *dup_src;
- SECStatus rv = SECFailure;
- int pad;
-
- if((src == NULL) || (key == NULL) || (iv == NULL))
- return NULL;
-
- dup_src = SECITEM_DupItem(src);
- if(dup_src == NULL) {
- return NULL;
- }
-
- if(encrypt != PR_FALSE) {
- void *dummy;
-
- dummy = DES_PadBuffer(NULL, dup_src->data,
- dup_src->len, &dup_src->len);
- if(dummy == NULL) {
- SECITEM_FreeItem(dup_src, PR_TRUE);
- return NULL;
- }
- dup_src->data = (unsigned char*)dummy;
- }
-
- dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(dest != NULL) {
- /* allocate with over flow */
- dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
- if(dest->data != NULL) {
- DESContext *ctxt;
- ctxt = DES_CreateContext(key->data, iv->data,
- (triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC),
- encrypt);
-
- if(ctxt != NULL) {
- rv = ((encrypt != PR_TRUE) ? DES_Decrypt : DES_Encrypt)(
- ctxt, dest->data, &dest->len,
- dup_src->len + 64, dup_src->data, dup_src->len);
-
- /* remove padding -- assumes 64 bit blocks */
- if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
- pad = dest->data[dest->len-1];
- if((pad > 0) && (pad <= 8)) {
- if(dest->data[dest->len-pad] != pad) {
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- } else {
- dest->len -= pad;
- }
- } else {
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- }
- }
- DES_DestroyContext(ctxt, PR_TRUE);
- }
- }
- }
-
- if(rv == SECFailure) {
- if(dest != NULL) {
- SECITEM_FreeItem(dest, PR_TRUE);
- }
- dest = NULL;
- }
-
- if(dup_src != NULL) {
- SECITEM_FreeItem(dup_src, PR_TRUE);
- }
-
- return dest;
-}
-
-/* perform rc2 encryption/decryption if an error occurs, NULL is returned
- */
-static SECItem *
-sec_pkcs5_rc2(SECItem *key,
- SECItem *iv,
- SECItem *src,
- PRBool cbc_mode,
- PRBool encrypt)
-{
- SECItem *dest;
- SECItem *dup_src;
- SECStatus rv = SECFailure;
- int pad;
-
- if((src == NULL) || (key == NULL) || (iv == NULL)) {
- return NULL;
- }
-
- dup_src = SECITEM_DupItem(src);
- if(dup_src == NULL) {
- return NULL;
- }
-
- if(encrypt != PR_FALSE) {
- void *dummy;
-
- dummy = DES_PadBuffer(NULL, dup_src->data,
- dup_src->len, &dup_src->len);
- if(dummy == NULL) {
- SECITEM_FreeItem(dup_src, PR_TRUE);
- return NULL;
- }
- dup_src->data = (unsigned char*)dummy;
- }
-
- dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(dest != NULL) {
- dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
- if(dest->data != NULL) {
- RC2Context *ctxt;
-
- ctxt = RC2_CreateContext(key->data, key->len, iv->data,
- ((cbc_mode != PR_TRUE) ? NSS_RC2 : NSS_RC2_CBC),
- key->len);
-
- if(ctxt != NULL) {
- rv = ((encrypt != PR_TRUE) ? RC2_Decrypt : RC2_Encrypt)(
- ctxt, dest->data, &dest->len,
- dup_src->len + 64, dup_src->data, dup_src->len);
-
- /* assumes 8 byte blocks -- remove padding */
- if((rv == SECSuccess) && (encrypt != PR_TRUE) &&
- (cbc_mode == PR_TRUE)) {
- pad = dest->data[dest->len-1];
- if((pad > 0) && (pad <= 8)) {
- if(dest->data[dest->len-pad] != pad) {
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- rv = SECFailure;
- } else {
- dest->len -= pad;
- }
- } else {
- PORT_SetError(SEC_ERROR_BAD_PASSWORD);
- rv = SECFailure;
- }
- }
-
- }
- }
- }
-
- if((rv != SECSuccess) && (dest != NULL)) {
- SECITEM_FreeItem(dest, PR_TRUE);
- dest = NULL;
- }
-
- if(dup_src != NULL) {
- SECITEM_FreeItem(dup_src, PR_TRUE);
- }
-
- return dest;
-}
-
-/* perform rc4 encryption and decryption */
-static SECItem *
-sec_pkcs5_rc4(SECItem *key,
- SECItem *iv,
- SECItem *src,
- PRBool dummy_op,
- PRBool encrypt)
-{
- SECItem *dest;
- SECStatus rv = SECFailure;
-
- if((src == NULL) || (key == NULL) || (iv == NULL)) {
- return NULL;
- }
-
- dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if(dest != NULL) {
- dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
- (src->len + 64));
- if(dest->data != NULL) {
- RC4Context *ctxt;
-
- ctxt = RC4_CreateContext(key->data, key->len);
- if(ctxt) {
- rv = ((encrypt != PR_FALSE) ? RC4_Decrypt : RC4_Encrypt)(
- ctxt, dest->data, &dest->len,
- src->len + 64, src->data, src->len);
- RC4_DestroyContext(ctxt, PR_TRUE);
- }
- }
- }
-
- if((rv != SECSuccess) && (dest)) {
- SECITEM_FreeItem(dest, PR_TRUE);
- dest = NULL;
- }
-
- return dest;
-}
-
-/* performs the cipher operation on the src and returns the result.
- * if an error occurs, NULL is returned.
- *
- * a null length password is allowed. this corresponds to encrypting
- * the data with ust the salt.
- */
-/* change this to use PKCS 11? */
-SECItem *
-SEC_PKCS5CipherData(SECAlgorithmID *algid,
- SECItem *pwitem,
- SECItem *src,
- PRBool encrypt, PRBool *update)
-{
- SEC_PKCS5PBEParameter *pbe_param;
- SECOidTag enc_alg;
- SECItem *key = NULL, *iv = NULL;
- SECItem *dest = NULL;
- int iv_len;
-
- if (update) {
- *update = PR_FALSE;
- }
-
- if((algid == NULL) || (pwitem == NULL) || (src == NULL)) {
- return NULL;
- }
-
- /* convert algid to pbe parameter */
- pbe_param = sec_pkcs5_convert_algid(algid);
- if(pbe_param == NULL) {
- return NULL;
- }
-
- /* get algorithm, key, and iv */
- enc_alg = sec_pkcs5_encryption_algorithm(pbe_param->algorithm);
- key = sec_pkcs5_compute_key(pbe_param, pwitem, PR_FALSE);
- if(key != NULL) {
- iv_len = sec_pkcs5_iv_length(pbe_param->algorithm);
- iv = sec_pkcs5_compute_iv(pbe_param, pwitem, PR_FALSE);
-
- if((iv != NULL) || (iv_len == 0)) {
- /*perform encryption / decryption */
- PRBool op1 = PR_TRUE;
- pkcs5_crypto_func cryptof;
-
- switch(enc_alg) {
- case SEC_OID_DES_EDE3_CBC:
- cryptof = sec_pkcs5_des;
- break;
- case SEC_OID_DES_CBC:
- cryptof = sec_pkcs5_des;
- op1 = PR_FALSE;
- break;
- case SEC_OID_RC2_CBC:
- cryptof = sec_pkcs5_rc2;
- break;
- case SEC_OID_RC4:
- cryptof = sec_pkcs5_rc4;
- break;
- default:
- cryptof = NULL;
- break;
- }
-
- if(cryptof) {
- dest = (*cryptof)(key, iv, src, op1, encrypt);
- /*
- * it's possible for some keys and keydb's to claim to
- * be triple des when they're really des. In this case
- * we simply try des. If des works we set the update flag
- * so the key db knows it needs to update all it's entries.
- * The case can only happen on decrypted of a
- * SEC_OID_DES_EDE3_CBD.
- */
- if ((dest == NULL) && (encrypt == PR_FALSE) &&
- (enc_alg == SEC_OID_DES_EDE3_CBC)) {
- dest = (*cryptof)(key, iv, src, PR_FALSE, encrypt);
- if (update && (dest != NULL)) *update = PR_TRUE;
- }
- }
- }
- }
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- if(key != NULL) {
- SECITEM_ZfreeItem(key, PR_TRUE);
- }
- if(iv != NULL) {
- SECITEM_ZfreeItem(iv, PR_TRUE);
- }
-
- return dest;
-}
-
-/* creates a algorithm ID containing the PBE algorithm and appropriate
- * parameters. the required parameter is the algorithm. if salt is
- * not specified, it is generated randomly. if IV is specified, it overrides
- * the PKCS 5 generation of the IV.
- *
- * the returned SECAlgorithmID should be destroyed using
- * SECOID_DestroyAlgorithmID
- */
-SECAlgorithmID *
-SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm,
- SECItem *salt,
- int iteration)
-{
- PRArenaPool *poolp = NULL;
- SECAlgorithmID *algid, *ret_algid;
- SECItem der_param;
- SECStatus rv = SECFailure;
- SEC_PKCS5PBEParameter *pbe_param;
-
- if(sec_pkcs5_hash_algorithm(algorithm) == SEC_OID_UNKNOWN)
- return NULL;
-
- if(iteration <= 0) {
- return NULL;
- }
-
- der_param.data = NULL;
- der_param.len = 0;
-
- /* generate the parameter */
- pbe_param = sec_pkcs5_create_pbe_parameter(algorithm, salt, iteration);
- if(!pbe_param) {
- return NULL;
- }
-
- poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(!poolp) {
- sec_pkcs5_destroy_pbe_param(pbe_param);
- return NULL;
- }
-
- /* generate the algorithm id */
- algid = (SECAlgorithmID *)PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
- if(algid != NULL) {
- void *dummy;
- if(!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
- dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
- SEC_PKCS5PBEParameterTemplate);
- } else {
- dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
- SEC_V2PKCS12PBEParameterTemplate);
- }
-
- if(dummy) {
- rv = SECOID_SetAlgorithmID(poolp, algid, algorithm, &der_param);
- }
- }
-
- ret_algid = NULL;
- if(algid != NULL) {
- ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
- if(ret_algid != NULL) {
- rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
- if(rv != SECSuccess) {
- SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
- ret_algid = NULL;
- }
- }
- }
-
- if(poolp != NULL) {
- PORT_FreeArena(poolp, PR_TRUE);
- algid = NULL;
- }
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- return ret_algid;
-}
-
-/* wrapper for converting the algid to a pbe parameter.
- */
-SEC_PKCS5PBEParameter *
-SEC_PKCS5GetPBEParameter(SECAlgorithmID *algid)
-{
- if(algid) {
- return sec_pkcs5_convert_algid(algid);
- }
-
- return NULL;
-}
-
-/* destroy a pbe parameter */
-void
-SEC_PKCS5DestroyPBEParameter(SEC_PKCS5PBEParameter *pbe_param)
-{
- sec_pkcs5_destroy_pbe_param(pbe_param);
-}
-
-/* return the initialization vector either the preset one if it
- * exists or generated based on pkcs 5.
- *
- * a null length password is allowed...but not a null password
- * secitem.
- */
-SECItem *
-SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES)
-{
- SECItem *iv;
- SEC_PKCS5PBEParameter *pbe_param;
-
- if((algid == NULL) || (pwitem == NULL)) {
- return NULL;
- }
-
- pbe_param = sec_pkcs5_convert_algid(algid);
- if(!pbe_param) {
- return NULL;
- }
-
- iv = sec_pkcs5_compute_iv(pbe_param, pwitem, faulty3DES);
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- return iv;
-}
-
-/* generate the key
- * a 0 length password is allowed. corresponds to a key generated
- * from just the salt.
- */
-SECItem *
-SEC_PKCS5GetKey(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES)
-{
- SECItem *key;
- SEC_PKCS5PBEParameter *pbe_param;
-
- if((algid == NULL) || (pwitem == NULL)) {
- return NULL;
- }
-
- pbe_param = sec_pkcs5_convert_algid(algid);
- if(pbe_param == NULL) {
- return NULL;
- }
-
- key = sec_pkcs5_compute_key(pbe_param, pwitem, faulty3DES);
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- return key;
-}
-
-/* retrieve the salt */
-SECItem *
-SEC_PKCS5GetSalt(SECAlgorithmID *algid)
-{
- SECItem *salt;
- SEC_PKCS5PBEParameter *pbe_param;
-
- if(algid == NULL)
- return NULL;
-
- pbe_param = sec_pkcs5_convert_algid(algid);
- if(pbe_param == NULL)
- return NULL;
-
- if(pbe_param->salt.data) {
- salt = SECITEM_DupItem(&pbe_param->salt);
- } else {
- salt = NULL;
- }
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- return salt;
-}
-
-/* check to see if an oid is a pbe algorithm
- */
-PRBool
-SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid)
-{
- SECOidTag algorithm;
-
- algorithm = SECOID_GetAlgorithmTag(algid);
- if(sec_pkcs5_hash_algorithm(algorithm) == SEC_OID_UNKNOWN) {
- return PR_FALSE;
- }
-
- return PR_TRUE;
-}
-
-int
-SEC_PKCS5GetKeyLength(SECAlgorithmID *algid)
-{
- SEC_PKCS5PBEParameter *pbe_param;
- int keyLen = -1;
-
- if(algid == NULL)
- return -1;
-
- pbe_param = sec_pkcs5_convert_algid(algid);
- if(pbe_param == NULL)
- return -1;
-
- keyLen = sec_pkcs5_key_length(pbe_param->algorithm);
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- return keyLen;
-}
-
-/* maps crypto algorithm from PBE algorithm.
- */
-SECOidTag
-SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid)
-{
- SEC_PKCS5PBEParameter *pbe_param;
-
- if(algid == NULL)
- return SEC_OID_UNKNOWN;
-
- pbe_param = sec_pkcs5_convert_algid(algid);
- if(pbe_param == NULL)
- return SEC_OID_UNKNOWN;
-
- switch(pbe_param->algorithm)
- {
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
- return SEC_OID_DES_EDE3_CBC;
- case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
- case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
- return SEC_OID_DES_CBC;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
- return SEC_OID_RC2_CBC;
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
- case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
- return SEC_OID_RC4;
- default:
- break;
- }
-
- sec_pkcs5_destroy_pbe_param(pbe_param);
-
- return SEC_OID_UNKNOWN;
-}
-
-/* maps PBE algorithm from crypto algorithm, assumes SHA1 hashing.
- */
-SECOidTag
-SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen)
-{
- switch(algTag)
- {
- case SEC_OID_DES_EDE3_CBC:
- switch(keyLen) {
- case 168:
- case 192:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
- case 128:
- case 92:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC;
- default:
- break;
- }
- break;
- case SEC_OID_DES_CBC:
- return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
- case SEC_OID_RC2_CBC:
- switch(keyLen) {
- case 40:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
- case 128:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
- default:
- break;
- }
- break;
- case SEC_OID_RC4:
- switch(keyLen) {
- case 40:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4;
- case 128:
- return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4;
- default:
- break;
- }
- break;
- default:
- break;
- }
-
- return SEC_OID_UNKNOWN;
-}
-
-/* zero length password and salts are allowed. however, the items
- * containing the salt and password must be non-null.
- */
-PBEBitGenContext *
-PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
- SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
- unsigned int iterations)
-{
- PRArenaPool *arena = NULL;
- PBEBitGenContext *pbeCtxt = NULL;
- HASH_HashType pbeHash;
- int vbytes, ubytes;
-
- unsigned int c;
-
- if(!pwitem || !salt) {
- return NULL;
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if(!arena) {
- return NULL;
- }
-
- pbeCtxt = (PBEBitGenContext*)PORT_ArenaZAlloc(arena, sizeof(PBEBitGenContext));
- if(!pbeCtxt) {
- goto loser;
- }
-
- switch(hashAlgorithm) {
- case SEC_OID_MD2:
- pbeHash = HASH_AlgMD2;
- break;
- case SEC_OID_MD5:
- pbeHash = HASH_AlgMD5;
- break;
- case SEC_OID_SHA1:
- pbeHash = HASH_AlgSHA1;
- break;
- default:
- goto loser;
- }
-
- pbeCtxt->hashObject = &SECRawHashObjects[pbeHash];
- PORT_Memcpy(&pbeCtxt->pbeParams, &pbeHashAlgorithmParams[pbeHash],
- sizeof(pbeBitGenParameters));
- PORT_Assert(pbeCtxt->pbeParams.hashAlgorithm == hashAlgorithm);
-
- vbytes = pbeCtxt->pbeParams.v / 8;
- ubytes = pbeCtxt->pbeParams.u / 8;
-
- c = (bitsNeeded / pbeCtxt->pbeParams.u);
- c += ((bitsNeeded - (pbeCtxt->pbeParams.u * c)) > 0) ? 1 : 0;
- pbeCtxt->c = c;
- pbeCtxt->n = bitsNeeded;
- pbeCtxt->iterations = iterations;
-
- /* allocate buffers */
- pbeCtxt->D.len = vbytes;
- pbeCtxt->S.len = (((salt->len * 8) / pbeCtxt->pbeParams.v) +
- ((((salt->len * 8) % pbeCtxt->pbeParams.v) > 0) ? 1 : 0)) *
- vbytes;
- pbeCtxt->P.len = (((pwitem->len * 8) / pbeCtxt->pbeParams.v) +
- ((((pwitem->len * 8) % pbeCtxt->pbeParams.v) > 0) ? 1 : 0)) *
- vbytes;
- pbeCtxt->I.len = pbeCtxt->S.len + pbeCtxt->P.len;
- pbeCtxt->A.len = c * ubytes;
- pbeCtxt->B.len = pbeCtxt->D.len;
-
- pbeCtxt->D.data = (unsigned char*)PORT_ArenaZAlloc(arena, pbeCtxt->D.len);
- if(pbeCtxt->S.len) {
- pbeCtxt->S.data = (unsigned char*)PORT_ArenaZAlloc(arena, pbeCtxt->S.len);
- }
- if(pbeCtxt->P.len) {
- pbeCtxt->P.data = (unsigned char*)PORT_ArenaZAlloc(arena, pbeCtxt->P.len);
- }
- if(pbeCtxt->I.len) {
- pbeCtxt->I.data = (unsigned char*)PORT_ArenaZAlloc(arena, pbeCtxt->I.len);
- }
- pbeCtxt->A.data = (unsigned char*)PORT_ArenaZAlloc(arena, pbeCtxt->A.len);
- pbeCtxt->B.data = (unsigned char*)PORT_ArenaZAlloc(arena, pbeCtxt->B.len);
-
- if(!pbeCtxt->D.data || !pbeCtxt->A.data || !pbeCtxt->B.data ||
- (!pbeCtxt->S.data && pbeCtxt->S.len) ||
- (!pbeCtxt->P.data && pbeCtxt->P.len) ||
- (!pbeCtxt->I.data && pbeCtxt->I.len)) {
- goto loser;
- }
-
- PORT_Memset(pbeCtxt->D.data, (char)bitGenPurpose, pbeCtxt->D.len);
- if(pbeCtxt->P.len) {
- unsigned int z = 0;
- while(z < pbeCtxt->P.len) {
- PORT_Memcpy(&(pbeCtxt->P.data[z]), pwitem->data,
- ((z + pwitem->len > pbeCtxt->P.len) ? (pbeCtxt->P.len - z) :
- (pwitem->len)));
- z += pwitem->len;
- }
- }
- if(pbeCtxt->S.len) {
- unsigned int z = 0;
- while(z < pbeCtxt->S.len) {
- PORT_Memcpy(&(pbeCtxt->S.data[z]), salt->data,
- ((z + salt->len > pbeCtxt->S.len) ? (pbeCtxt->S.len - z) :
- (salt->len)));
- z += salt->len;
- }
- }
- if(pbeCtxt->I.len) {
- if(pbeCtxt->S.len) {
- PORT_Memcpy(pbeCtxt->I.data, pbeCtxt->S.data, pbeCtxt->S.len);
- }
- if(pbeCtxt->P.len) {
- PORT_Memcpy(&(pbeCtxt->I.data[pbeCtxt->S.len]), pbeCtxt->P.data,
- pbeCtxt->P.len);
- }
- }
-
- pbeCtxt->arena = arena;
-
- return pbeCtxt;
-
-loser:
- if(arena) {
- PORT_FreeArena(arena, PR_TRUE);
- }
-
- return NULL;
-}
-
-SECItem *
-PBE_GenerateBits(PBEBitGenContext *pbeCtxt)
-{
- unsigned int i;
- SECItem *A, *D, *I, *B, *S, *P;
- unsigned int u, v, c, z, hashLen, n, iter;
- unsigned int vbyte, ubyte;
- unsigned char *iterBuf;
- void *hash = NULL;
-
- if(!pbeCtxt) {
- return NULL;
- }
-
- A = &pbeCtxt->A;
- B = &pbeCtxt->B;
- I = &pbeCtxt->I;
- D = &pbeCtxt->D;
- S = &pbeCtxt->S;
- P = &pbeCtxt->P;
- u = pbeCtxt->pbeParams.u;
- v = pbeCtxt->pbeParams.v;
- vbyte = v / 8;
- ubyte = u / 8;
- c = pbeCtxt->c;
- n = pbeCtxt->n;
- z = 0;
-
- iterBuf = (unsigned char*)PORT_Alloc(ubyte);
- if(!iterBuf) {
- goto loser;
- }
-
- for(i = 1; i <= c; i++) {
- unsigned int Bidx;
- unsigned int k, j;
-
-
- for(iter = 1; iter <= pbeCtxt->iterations; iter++) {
- hash = pbeCtxt->hashObject->create();
- if(!hash) {
- goto loser;
- }
-
- pbeCtxt->hashObject->begin(hash);
-
- if(iter == 1) {
- pbeCtxt->hashObject->update(hash, D->data, D->len);
- pbeCtxt->hashObject->update(hash, I->data, I->len);
- } else {
- pbeCtxt->hashObject->update(hash, iterBuf, hashLen);
- }
-
- pbeCtxt->hashObject->end(hash, iterBuf, &hashLen, (ubyte));
- pbeCtxt->hashObject->destroy(hash, PR_TRUE);
- if(hashLen != (ubyte)) {
- goto loser;
- }
- }
-
- PORT_Memcpy(&(A->data[z]), iterBuf, (ubyte));
-
- Bidx = 0;
- while(Bidx < B->len) {
- PORT_Memcpy(&(B->data[Bidx]), &(A->data[z]),
- (((Bidx + (ubyte)) > B->len) ? (B->len - Bidx) :
- (ubyte)));
- Bidx += (ubyte);
- }
-
- k = (S->len / (vbyte)) + (P->len / (vbyte));
- for(j = 0; j < k; j++) {
- unsigned int byteIdx = (vbyte);
- unsigned int q, carryBit = 0;
-
- while(byteIdx > 0) {
- q = (unsigned int)I->data[(j * (vbyte)) + byteIdx - 1];
- q += (unsigned int)B->data[byteIdx - 1];
- q += carryBit;
- if(byteIdx == (vbyte)) {
- q += 1;
- }
-
- carryBit = ((q > 255) ? 1 : 0);
-
- I->data[(j * (vbyte)) + byteIdx - 1] = (unsigned char)(q & 255);
-
- byteIdx--;
- }
- }
-
- z += (ubyte);
- }
-
- A->len = (n / 8);
-
- return SECITEM_DupItem(A);
-
-loser:
- return NULL;
-}
-
-void
-PBE_DestroyContext(PBEBitGenContext *pbeCtxt) {
- if(pbeCtxt) {
- PORT_FreeArena(pbeCtxt->arena, PR_TRUE);
- }
-}
-
-SECStatus
-PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PRArenaPool *arena,
- SECAlgorithmID *algId)
-{
- CK_PBE_PARAMS *pbe_param;
- SECItem pbeSalt;
- SECAlgorithmID *pbeAlgID = NULL;
- SECStatus rv;
-
- if(!param || !algId) {
- return SECFailure;
- }
-
- pbe_param = (CK_PBE_PARAMS *)param->data;
- pbeSalt.data = (unsigned char *)pbe_param->pSalt;
- pbeSalt.len = pbe_param->ulSaltLen;
- pbeAlgID = SEC_PKCS5CreateAlgorithmID(algTag, &pbeSalt,
- (int)pbe_param->ulIteration);
- if(!pbeAlgID) {
- return SECFailure;
- }
-
- rv = SECOID_CopyAlgorithmID(arena, algId, pbeAlgID);
- SECOID_DestroyAlgorithmID(pbeAlgID, PR_TRUE);
- return rv;
-}
diff --git a/security/nss/lib/softoken/secpkcs5.h b/security/nss/lib/softoken/secpkcs5.h
deleted file mode 100644
index 4efe99900..000000000
--- a/security/nss/lib/softoken/secpkcs5.h
+++ /dev/null
@@ -1,185 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECPKCS5_H_
-#define _SECPKCS5_H_
-
-#include "plarena.h"
-#include "secitem.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "hasht.h"
-
-typedef SECItem * (* SEC_PKCS5GetPBEPassword)(void *arg);
-
-/* used for V2 PKCS 12 Draft Spec */
-typedef enum {
- pbeBitGenIDNull,
- pbeBitGenCipherKey = 0x01,
- pbeBitGenCipherIV = 0x02,
- pbeBitGenIntegrityKey = 0x03
-} PBEBitGenID;
-
-typedef struct _pbeBitGenParameters {
- unsigned int u, v;
- SECOidTag hashAlgorithm;
-} pbeBitGenParameters;
-
-typedef struct _PBEBitGenContext {
- PRArenaPool *arena;
-
- /* hash algorithm information */
- pbeBitGenParameters pbeParams;
- SECHashObject *hashObject;
- void *hash;
-
- /* buffers used in generation of bits */
- SECItem D, S, P, I, A, B;
- unsigned int c, n;
- unsigned int iterations;
-} PBEBitGenContext;
-
-extern const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[];
-typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
-
-struct SEC_PKCS5PBEParameterStr {
- PRArenaPool *poolp;
- SECItem salt; /* octet string */
- SECItem iteration; /* integer */
-
- /* used locally */
- SECOidTag algorithm;
- int iter;
-};
-
-
-SEC_BEGIN_PROTOS
-/* Create a PKCS5 Algorithm ID
- * The algorithm ID is set up using the PKCS #5 parameter structure
- * algorithm is the PBE algorithm ID for the desired algorithm
- * salt can be specified or can be NULL, if salt is NULL then the
- * salt is generated from random bytes
- * iteration is the number of iterations for which to perform the
- * hash prior to key and iv generation.
- * If an error occurs or the algorithm specified is not supported
- * or is not a password based encryption algorithm, NULL is returned.
- * Otherwise, a pointer to the algorithm id is returned.
- */
-extern SECAlgorithmID *
-SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm,
- SECItem *salt,
- int iteration);
-
-/* Get the initialization vector. The password is passed in, hashing
- * is performed, and the initialization vector is returned.
- * algid is a pointer to a PBE algorithm ID
- * pwitem is the password
- * If an error occurs or the algorithm id is not a PBE algrithm,
- * NULL is returned. Otherwise, the iv is returned in a secitem.
- */
-extern SECItem *
-SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
-
-/* Get the key. The password is passed in, hashing is performed,
- * and the key is returned.
- * algid is a pointer to a PBE algorithm ID
- * pwitem is the password
- * If an error occurs or the algorithm id is not a PBE algrithm,
- * NULL is returned. Otherwise, the key is returned in a secitem.
- */
-extern SECItem *
-SEC_PKCS5GetKey(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
-
-/* Get PBE salt. The salt for the password based algorithm is returned.
- * algid is the PBE algorithm identifier
- * If an error occurs NULL is returned, otherwise the salt is returned
- * in a SECItem.
- */
-extern SECItem *
-SEC_PKCS5GetSalt(SECAlgorithmID *algid);
-
-/* Encrypt/Decrypt data using password based encryption.
- * algid is the PBE algorithm identifier,
- * pwitem is the password,
- * src is the source for encryption/decryption,
- * encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
- * The key and iv are generated based upon PKCS #5 then the src
- * is either encrypted or decrypted. If an error occurs, NULL
- * is returned, otherwise the ciphered contents is returned.
- */
-extern SECItem *
-SEC_PKCS5CipherData(SECAlgorithmID *algid, SECItem *pwitem,
- SECItem *src, PRBool encrypt, PRBool *update);
-
-/* Checks to see if algid algorithm is a PBE algorithm. If
- * so, PR_TRUE is returned, otherwise PR_FALSE is returned.
- */
-extern PRBool
-SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
-
-/* Destroys PBE parameter */
-extern void
-SEC_PKCS5DestroyPBEParameter(SEC_PKCS5PBEParameter *param);
-
-/* Convert Algorithm ID to PBE parameter */
-extern SEC_PKCS5PBEParameter *
-SEC_PKCS5GetPBEParameter(SECAlgorithmID *algid);
-
-/* Determine how large the key generated is */
-extern int
-SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);
-
-/* map crypto algorithm to pbe algorithm, assume sha 1 hashing for DES
- */
-extern SECOidTag
-SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
-
-/* return the underlying crypto algorithm */
-extern SECOidTag
-SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
-
-extern PBEBitGenContext *
-PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
- SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
- unsigned int interations);
-
-extern SECItem *
-PBE_GenerateBits(PBEBitGenContext *pbeCtxt);
-
-extern void PBE_DestroyContext(PBEBitGenContext *pbeCtxt);
-
-extern SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param,
- PRArenaPool *arena, SECAlgorithmID *algId);
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
deleted file mode 100644
index 733fdbede..000000000
--- a/security/nss/lib/softoken/softoken.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * softoken.h - private data structures and prototypes for the softoken lib
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _SOFTOKEN_H_
-#define _SOFTOKEN_H_
-
-#include "blapi.h"
-#include "keytlow.h"
-#include "keytboth.h"
-#include "softoknt.h"
-#include "secoidt.h"
-
-#include "pkcs11t.h" /* CK_RV Required for pk11_fipsPowerUpSelfTest(). */
-
-SEC_BEGIN_PROTOS
-
-/*
-** RSA encryption/decryption. When encrypting/decrypting the output
-** buffer must be at least the size of the public key modulus.
-*/
-
-/*
-** Format some data into a PKCS#1 encryption block, preparing the
-** data for RSA encryption.
-** "result" where the formatted block is stored (memory is allocated)
-** "modulusLen" the size of the formatted block
-** "blockType" what block type to use (SEC_RSABlock*)
-** "data" the data to format
-*/
-extern SECStatus RSA_FormatBlock(SECItem *result,
- unsigned int modulusLen,
- RSA_BlockType blockType,
- SECItem *data);
-/*
-** Similar, but just returns a pointer to the allocated memory, *and*
-** will *only* format one block, even if we (in the future) modify
-** RSA_FormatBlock() to loop over multiples of modulusLen.
-*/
-extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
- RSA_BlockType blockType,
- SECItem *data);
-
-
-
-/*
- * convenience wrappers for doing single RSA operations. They create the
- * RSA context internally and take care of the formatting
- * requirements. Blinding happens automagically within RSA_SignHash and
- * RSA_DecryptBlock.
- */
-extern
-SECStatus RSA_Sign(SECKEYLowPrivateKey *key, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-extern
-SECStatus RSA_CheckSign(SECKEYLowPublicKey *key, unsigned char *sign,
- unsigned int signLength, unsigned char *hash,
- unsigned int hashLength);
-extern
-SECStatus RSA_CheckSignRecover(SECKEYLowPublicKey *key, unsigned char *data,
- unsigned int *data_len,unsigned int max_output_len,
- unsigned char *sign, unsigned int sign_len);
-extern
-SECStatus RSA_EncryptBlock(SECKEYLowPublicKey *key, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-extern
-SECStatus RSA_DecryptBlock(SECKEYLowPrivateKey *key, unsigned char *output,
- unsigned int *outputLen, unsigned int maxOutputLen,
- unsigned char *input, unsigned int inputLen);
-
-/*
- * added to make pkcs #11 happy
- * RAW is RSA_X_509
- */
-extern
-SECStatus RSA_SignRaw( SECKEYLowPrivateKey *key, unsigned char *output,
- unsigned int *output_len, unsigned int maxOutputLen,
- unsigned char *input, unsigned int input_len);
-extern
-SECStatus RSA_CheckSignRaw( SECKEYLowPublicKey *key, unsigned char *sign,
- unsigned int sign_len, unsigned char *hash,
- unsigned int hash_len);
-extern
-SECStatus RSA_CheckSignRecoverRaw( SECKEYLowPublicKey *key, unsigned char *data,
- unsigned int *data_len, unsigned int max_output_len,
- unsigned char *sign, unsigned int sign_len);
-extern
-SECStatus RSA_EncryptRaw( SECKEYLowPublicKey *key, unsigned char *output,
- unsigned int *output_len,
- unsigned int max_output_len,
- unsigned char *input, unsigned int input_len);
-extern
-SECStatus RSA_DecryptRaw(SECKEYLowPrivateKey *key, unsigned char *output,
- unsigned int *output_len,
- unsigned int max_output_len,
- unsigned char *input, unsigned int input_len);
-
-
-/*
-** Functions called directly by applications to configure the FIPS token.
-*/
-extern void PK11_ConfigurePKCS11(char *man, char *libdes, char *tokdes,
- char *ptokdes, char *slotdes, char *pslotdes, char *fslotdes,
- char *fpslotdes, int minPwd, int pwdRequired);
-extern void PK11_ConfigureFIPS(char *slotdes, char *pslotdes);
-
-/*
-** Prepare a buffer for DES encryption, growing to the appropriate boundary,
-** filling with the appropriate padding.
-** We add from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
-** The extra bytes contain the value of the length of the padding:
-** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
-**
-** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
-** we assume (and use) PR memory (re)allocation.
-** Maybe this belongs in util?
-*/
-extern unsigned char * DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf,
- unsigned int inlen, unsigned int *outlen);
-
-
-/****************************************/
-/*
-** Power-Up selftests required for FIPS and invoked only
-** under PKCS #11 FIPS mode.
-*/
-extern CK_RV pk11_fipsPowerUpSelfTest( void );
-
-
-SEC_END_PROTOS
-
-#endif /* _SOFTOKEN_H_ */
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
deleted file mode 100644
index da66c9042..000000000
--- a/security/nss/lib/softoken/softoknt.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * softoknt.h - public data structures for the software token library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _SOFTOKNT_H_
-#define _SOFTOKNT_H_
-
-/*
- * RSA block types
- *
- * The actual values are important -- they are fixed, *not* arbitrary.
- * The explicit value assignments are not needed (because C would give
- * us those same values anyway) but are included as a reminder...
- */
-typedef enum {
- RSA_BlockPrivate0 = 0, /* unused, really */
- RSA_BlockPrivate = 1, /* pad for a private-key operation */
- RSA_BlockPublic = 2, /* pad for a public-key operation */
- RSA_BlockOAEP = 3, /* use OAEP padding */
- /* XXX is this only for a public-key
- operation? If so, add "Public" */
- RSA_BlockRaw = 4, /* simply justify the block appropriately */
- RSA_BlockTotal
-} RSA_BlockType;
-
-#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
-
-#endif /* _SOFTOKNT_H_ */
diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
deleted file mode 100644
index 577dc8ac6..000000000
--- a/security/nss/lib/ssl/Makefile
+++ /dev/null
@@ -1,82 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-ifeq ($(OS_ARCH),WINNT)
-CSRCS += win32err.c
-else
-CSRCS += unix_err.c
-endif
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
deleted file mode 100644
index 5a9c45e5a..000000000
--- a/security/nss/lib/ssl/authcert.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * NSS utility functions
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include <stdio.h>
-#include <string.h>
-#include "prerror.h"
-#include "secitem.h"
-#include "prnetdb.h"
-#include "cert.h"
-#include "nspr.h"
-#include "secder.h"
-#include "key.h"
-#include "nss.h"
-#include "ssl.h"
-#include "pk11func.h" /* for PK11_ function calls */
-
-/*
- * This callback used by SSL to pull client sertificate upon
- * server request
- */
-SECStatus
-NSS_GetClientAuthData(void * arg,
- PRFileDesc * socket,
- struct CERTDistNamesStr * caNames,
- struct CERTCertificateStr ** pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey)
-{
- CERTCertificate * cert;
- SECKEYPrivateKey * privkey;
- char * chosenNickName = (char *)arg; /* CONST */
- void * proto_win = NULL;
- SECStatus rv = SECFailure;
-
- proto_win = SSL_RevealPinArg(socket);
-
- if (chosenNickName) {
- cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
- if ( cert ) {
- privkey = PK11_FindKeyByAnyCert(cert, proto_win);
- if ( privkey ) {
- rv = SECSuccess;
- } else {
- CERT_DestroyCertificate(cert);
- }
- }
- } else { /* no name given, automatically find the right cert. */
- CERTCertNicknames * names;
- int i;
-
- names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
- SEC_CERT_NICKNAMES_USER, proto_win);
- if (names != NULL) {
- for (i = 0; i < names->numnicknames; i++) {
- cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win);
- if ( !cert )
- continue;
- /* Only check unexpired certs */
- if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) !=
- secCertTimeValid ) {
- CERT_DestroyCertificate(cert);
- continue;
- }
- rv = NSS_CmpCertChainWCANames(cert, caNames);
- if ( rv == SECSuccess ) {
- privkey = PK11_FindKeyByAnyCert(cert, proto_win);
- if ( privkey )
- break;
- }
- rv = SECFailure;
- CERT_DestroyCertificate(cert);
- }
- CERT_FreeNicknames(names);
- }
- }
- if (rv == SECSuccess) {
- *pRetCert = cert;
- *pRetKey = privkey;
- }
- return rv;
-}
-
diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c
deleted file mode 100644
index 5e557828e..000000000
--- a/security/nss/lib/ssl/cmpcert.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * NSS utility functions
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include <stdio.h>
-#include <string.h>
-#include "prerror.h"
-#include "secitem.h"
-#include "prnetdb.h"
-#include "cert.h"
-#include "nspr.h"
-#include "secder.h"
-#include "key.h"
-#include "nss.h"
-
-/*
- * Look to see if any of the signers in the cert chain for "cert" are found
- * in the list of caNames.
- * Returns SECSuccess if so, SECFailure if not.
- */
-SECStatus
-NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
-{
- SECItem * caname;
- CERTCertificate * curcert;
- CERTCertificate * oldcert;
- PRInt32 contentlen;
- int j;
- int headerlen;
- int depth;
- SECStatus rv;
- SECItem issuerName;
- SECItem compatIssuerName;
-
- depth=0;
- curcert = CERT_DupCertificate(cert);
-
- while( curcert ) {
- issuerName = curcert->derIssuer;
-
- /* compute an alternate issuer name for compatibility with 2.0
- * enterprise server, which send the CA names without
- * the outer layer of DER hearder
- */
- rv = DER_Lengths(&issuerName, &headerlen, (uint32 *)&contentlen);
- if ( rv == SECSuccess ) {
- compatIssuerName.data = &issuerName.data[headerlen];
- compatIssuerName.len = issuerName.len - headerlen;
- } else {
- compatIssuerName.data = NULL;
- compatIssuerName.len = 0;
- }
-
- for (j = 0; j < caNames->nnames; j++) {
- caname = &caNames->names[j];
- if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
- rv = SECSuccess;
- CERT_DestroyCertificate(curcert);
- goto done;
- } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
- rv = SECSuccess;
- CERT_DestroyCertificate(curcert);
- goto done;
- }
- }
- if ( ( depth <= 20 ) &&
- ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
- != SECEqual ) ) {
- oldcert = curcert;
- curcert = CERT_FindCertByName(curcert->dbhandle,
- &curcert->derIssuer);
- CERT_DestroyCertificate(oldcert);
- depth++;
- } else {
- CERT_DestroyCertificate(curcert);
- curcert = NULL;
- }
- }
- rv = SECFailure;
-
-done:
- return rv;
-}
-
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/ssl/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/ssl/emulate.c b/security/nss/lib/ssl/emulate.c
deleted file mode 100644
index bb6efc140..000000000
--- a/security/nss/lib/ssl/emulate.c
+++ /dev/null
@@ -1,626 +0,0 @@
-/*
- * Functions that emulate PR_AcceptRead and PR_TransmitFile for SSL sockets.
- * Each Layered NSPR protocol (like SSL) must unfortunately contain its
- * own implementation of these functions. This code was taken from NSPR.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "nspr.h"
-
-#if defined( XP_UNIX )
-#include <fcntl.h>
-#endif
-#if defined(WIN32)
-#include <windef.h>
-#include <winbase.h>
-#endif
-#include <string.h>
-
-#define AMASK 7 /* mask for alignment of PRNetAddr */
-
-/*
- * _PR_EmulateAcceptRead
- *
- * Accept an incoming connection on sd, set *nd to point to the
- * newly accepted socket, read 'amount' bytes from the accepted
- * socket.
- *
- * buf is a buffer of length = amount + (2 * sizeof(PRNetAddr)) + 32
- * *raddr points to the PRNetAddr of the accepted connection upon
- * return
- *
- * return number of bytes read or -1 on error
- *
- */
-PRInt32
-ssl_EmulateAcceptRead( PRFileDesc * sd,
- PRFileDesc ** nd,
- PRNetAddr ** raddr,
- void * buf,
- PRInt32 amount,
- PRIntervalTime timeout)
-{
- PRFileDesc * newsockfd;
- PRInt32 rv;
- PRNetAddr remote;
-
- if (!(newsockfd = PR_Accept(sd, &remote, PR_INTERVAL_NO_TIMEOUT))) {
- return -1;
- }
-
- rv = PR_Recv(newsockfd, buf, amount, 0, timeout);
- if (rv >= 0) {
- ptrdiff_t pNetAddr = (((ptrdiff_t)buf) + amount + AMASK) & ~AMASK;
-
- *nd = newsockfd;
- *raddr = (PRNetAddr *)pNetAddr;
- memcpy((void *)pNetAddr, &remote, sizeof(PRNetAddr));
- return rv;
- }
-
- PR_Close(newsockfd);
- return -1;
-}
-
-
-#if !defined( XP_UNIX ) && !defined( WIN32 )
-/*
- * _PR_EmulateTransmitFile
- *
- * Send file fd across socket sd. If headers is non-NULL, 'hlen'
- * bytes of headers is sent before sending the file.
- *
- * PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- * return number of bytes sent or -1 on error
- *
- */
-#define _TRANSMITFILE_BUFSIZE (16 * 1024)
-
-PRInt32
-ssl_EmulateTransmitFile( PRFileDesc * sd,
- PRFileDesc * fd,
- const void * headers,
- PRInt32 hlen,
- PRTransmitFileFlags flags,
- PRIntervalTime timeout)
-{
- char * buf = NULL;
- PRInt32 count = 0;
- PRInt32 rlen;
- PRInt32 rv;
-
- buf = PR_MALLOC(_TRANSMITFILE_BUFSIZE);
- if (buf == NULL) {
- PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
- return -1;
- }
-
- /*
- * send headers, first
- */
- while (hlen) {
- rv = PR_Send(sd, headers, hlen, 0, timeout);
- if (rv < 0) {
- /* PR_Send() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- }
- count += rv;
- headers = (const void*) ((const char*)headers + rv);
- hlen -= rv;
- }
- /*
- * send file, next
- */
- while ((rlen = PR_Read(fd, buf, _TRANSMITFILE_BUFSIZE)) > 0) {
- while (rlen) {
- char *bufptr = buf;
-
- rv = PR_Send(sd, bufptr, rlen,0,PR_INTERVAL_NO_TIMEOUT);
- if (rv < 0) {
- /* PR_Send() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- }
- count += rv;
- bufptr = ((char*)bufptr + rv);
- rlen -= rv;
- }
- }
- if (rlen == 0) {
- /*
- * end-of-file
- */
- if (flags & PR_TRANSMITFILE_CLOSE_SOCKET)
- PR_Close(sd);
- rv = count;
- } else {
- PR_ASSERT(rlen < 0);
- /* PR_Read() has invoked PR_SetError(). */
- rv = -1;
- }
-
-done:
- if (buf)
- PR_DELETE(buf);
- return rv;
-}
-#else
-
-#define TRANSMITFILE_MMAP_CHUNK (256 * 1024)
-
-/*
- * _PR_UnixTransmitFile
- *
- * Send file fd across socket sd. If headers is non-NULL, 'hlen'
- * bytes of headers is sent before sending the file.
- *
- * PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- * return number of bytes sent or -1 on error
- *
- */
-
-PRInt32
-ssl_EmulateTransmitFile( PRFileDesc * sd,
- PRFileDesc * fd,
- const void * headers,
- PRInt32 hlen,
- PRTransmitFileFlags flags,
- PRIntervalTime timeout)
-{
- void * addr;
- PRFileMap * mapHandle = NULL;
- PRInt32 count = 0;
- PRInt32 index = 0;
- PRInt32 len = 0;
- PRInt32 rv;
- struct PRFileInfo info;
- struct PRIOVec iov[2];
-
- /* Get file size */
- if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &info)) {
- count = -1;
- goto done;
- }
- if (hlen) {
- iov[index].iov_base = (char *) headers;
- iov[index].iov_len = hlen;
- index++;
- }
- if (info.size > 0) {
- mapHandle = PR_CreateFileMap(fd, info.size, PR_PROT_READONLY);
- if (mapHandle == NULL) {
- count = -1;
- goto done;
- }
- /*
- * If the file is large, mmap and send the file in chunks so as
- * to not consume too much virtual address space
- */
- len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
- /*
- * Map in (part of) file. Take care of zero-length files.
- */
- if (len) {
- addr = PR_MemMap(mapHandle, 0, len);
- if (addr == NULL) {
- count = -1;
- goto done;
- }
- }
- iov[index].iov_base = (char*)addr;
- iov[index].iov_len = len;
- index++;
- }
- if (!index)
- goto done;
- rv = PR_Writev(sd, iov, index, timeout);
- if (len) {
- PR_MemUnmap(addr, len);
- }
- if (rv >= 0) {
- PR_ASSERT(rv == hlen + len);
- info.size -= len;
- count += rv;
- } else {
- count = -1;
- goto done;
- }
- /*
- * send remaining bytes of the file, if any
- */
- len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
- while (len > 0) {
- /*
- * Map in (part of) file
- */
- PR_ASSERT((count - hlen) % TRANSMITFILE_MMAP_CHUNK == 0);
- addr = PR_MemMap(mapHandle, count - hlen, len);
- if (addr == NULL) {
- count = -1;
- goto done;
- }
- rv = PR_Send(sd, addr, len, 0, timeout);
- PR_MemUnmap(addr, len);
- if (rv >= 0) {
- PR_ASSERT(rv == len);
- info.size -= rv;
- count += rv;
- len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
- } else {
- count = -1;
- goto done;
- }
- }
-done:
- if ((count >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
- PR_Close(sd);
- if (mapHandle != NULL)
- PR_CloseFileMap(mapHandle);
- return count;
-}
-#endif /* XP_UNIX */
-
-
-
-
-#if !defined( XP_UNIX ) && !defined( WIN32 )
-/*
- * _PR_EmulateSendFile
- *
- * Send file sfd->fd across socket sd. The header and trailer buffers
- * specified in the 'sfd' argument are sent before and after the file,
- * respectively.
- *
- * PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- * return number of bytes sent or -1 on error
- *
- */
-
-PRInt32
-ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
- PRTransmitFileFlags flags, PRIntervalTime timeout)
-{
- char * buf = NULL;
- const void * buffer;
- PRInt32 rv;
- PRInt32 count = 0;
- PRInt32 rlen;
- PRInt32 buflen;
- PRInt32 sendbytes;
- PRInt32 readbytes;
-
-#define _SENDFILE_BUFSIZE (16 * 1024)
-
- buf = (char*)PR_MALLOC(_SENDFILE_BUFSIZE);
- if (buf == NULL) {
- PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
- return -1;
- }
-
- /*
- * send header, first
- */
- buflen = sfd->hlen;
- buffer = sfd->header;
- while (buflen) {
- rv = PR_Send(sd, buffer, buflen, 0, timeout);
- if (rv < 0) {
- /* PR_Send() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- } else {
- count += rv;
- buffer = (const void*) ((const char*)buffer + rv);
- buflen -= rv;
- }
- }
- /*
- * send file, next
- */
-
- if (PR_Seek(sfd->fd, sfd->file_offset, PR_SEEK_SET) < 0) {
- rv = -1;
- goto done;
- }
- sendbytes = sfd->file_nbytes;
- if (sendbytes == 0) {
- /* send entire file */
- while ((rlen = PR_Read(sfd->fd, buf, _SENDFILE_BUFSIZE)) > 0) {
- while (rlen) {
- char *bufptr = buf;
-
- rv = PR_Send(sd, bufptr, rlen, 0, timeout);
- if (rv < 0) {
- /* PR_Send() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- } else {
- count += rv;
- bufptr = ((char*)bufptr + rv);
- rlen -= rv;
- }
- }
- }
- if (rlen < 0) {
- /* PR_Read() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- }
- } else {
- readbytes = PR_MIN(sendbytes, _SENDFILE_BUFSIZE);
- while (readbytes && ((rlen = PR_Read(sfd->fd, buf, readbytes)) > 0)) {
- while (rlen) {
- char *bufptr = buf;
-
- rv = PR_Send(sd, bufptr, rlen, 0, timeout);
- if (rv < 0) {
- /* PR_Send() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- } else {
- count += rv;
- sendbytes -= rv;
- bufptr = ((char*)bufptr + rv);
- rlen -= rv;
- }
- }
- readbytes = PR_MIN(sendbytes, _SENDFILE_BUFSIZE);
- }
- if (rlen < 0) {
- /* PR_Read() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- } else if (sendbytes != 0) {
- /*
- * there are fewer bytes in file to send than specified
- */
- PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
- rv = -1;
- goto done;
- }
- }
- /*
- * send trailer, last
- */
- buflen = sfd->tlen;
- buffer = sfd->trailer;
- while (buflen) {
- rv = PR_Send(sd, buffer, buflen, 0, timeout);
- if (rv < 0) {
- /* PR_Send() has invoked PR_SetError(). */
- rv = -1;
- goto done;
- } else {
- count += rv;
- buffer = (const void*) ((const char*)buffer + rv);
- buflen -= rv;
- }
- }
- rv = count;
-
-done:
- if (buf)
- PR_DELETE(buf);
- if ((rv >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
- PR_Close(sd);
- return rv;
-}
-
-#else /* UNIX and NT handled below */
-
-/*
- * _PR_UnixSendFile
- *
- * Send file sfd->fd across socket sd. If header/trailer are specified
- * they are sent before and after the file, respectively.
- *
- * PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- * return number of bytes sent or -1 on error
- *
- */
-#define SENDFILE_MMAP_CHUNK (256 * 1024)
-
-PRInt32
-ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
- PRTransmitFileFlags flags, PRIntervalTime timeout)
-{
- void * addr;
- PRFileMap * mapHandle = NULL;
- PRInt32 count = 0;
- PRInt32 file_bytes;
- PRInt32 index = 0;
- PRInt32 len;
- PRInt32 rv;
- PRUint32 addr_offset;
- PRUint32 file_mmap_offset;
- PRUint32 mmap_len;
- PRUint32 pagesize;
- struct PRFileInfo info;
- struct PRIOVec iov[3];
-
- /* Get file size */
- if (PR_SUCCESS != PR_GetOpenFileInfo(sfd->fd, &info)) {
- count = -1;
- goto done;
- }
- if (sfd->file_nbytes &&
- (info.size < (sfd->file_offset + sfd->file_nbytes))) {
- /*
- * there are fewer bytes in file to send than specified
- */
- PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
- count = -1;
- goto done;
- }
- if (sfd->file_nbytes)
- file_bytes = sfd->file_nbytes;
- else
- file_bytes = info.size - sfd->file_offset;
-
-#if defined(WIN32)
- {
- SYSTEM_INFO sysinfo;
- GetSystemInfo(&sysinfo);
- pagesize = sysinfo.dwAllocationGranularity;
- }
-#else
- pagesize = PR_GetPageSize();
-#endif
- /*
- * If the file is large, mmap and send the file in chunks so as
- * to not consume too much virtual address space
- */
- if (!sfd->file_offset || !(sfd->file_offset & (pagesize - 1))) {
- /*
- * case 1: page-aligned file offset
- */
- mmap_len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
- len = mmap_len;
- file_mmap_offset = sfd->file_offset;
- addr_offset = 0;
- } else {
- /*
- * case 2: non page-aligned file offset
- */
- /* find previous page boundary */
- file_mmap_offset = (sfd->file_offset & ~(pagesize - 1));
-
- /* number of initial bytes to skip in mmap'd segment */
- addr_offset = sfd->file_offset - file_mmap_offset;
- PR_ASSERT(addr_offset > 0);
- mmap_len = PR_MIN(file_bytes + addr_offset, SENDFILE_MMAP_CHUNK);
- len = mmap_len - addr_offset;
- }
- /*
- * Map in (part of) file. Take care of zero-length files.
- */
- if (len > 0) {
- mapHandle = PR_CreateFileMap(sfd->fd, info.size, PR_PROT_READONLY);
- if (!mapHandle) {
- count = -1;
- goto done;
- }
- addr = PR_MemMap(mapHandle, file_mmap_offset, mmap_len);
- if (!addr) {
- count = -1;
- goto done;
- }
- }
- /*
- * send headers, first, followed by the file
- */
- if (sfd->hlen) {
- iov[index].iov_base = (char *) sfd->header;
- iov[index].iov_len = sfd->hlen;
- index++;
- }
- if (len) {
- iov[index].iov_base = (char*)addr + addr_offset;
- iov[index].iov_len = len;
- index++;
- }
- if ((file_bytes == len) && (sfd->tlen)) {
- /*
- * all file data is mapped in; send the trailer too
- */
- iov[index].iov_base = (char *) sfd->trailer;
- iov[index].iov_len = sfd->tlen;
- index++;
- }
- rv = PR_Writev(sd, iov, index, timeout);
- if (len)
- PR_MemUnmap(addr, mmap_len);
- if (rv < 0) {
- count = -1;
- goto done;
- }
-
- PR_ASSERT(rv == sfd->hlen + len + ((len == file_bytes) ? sfd->tlen : 0));
-
- file_bytes -= len;
- count += rv;
- if (!file_bytes) /* header, file and trailer are sent */
- goto done;
-
- /*
- * send remaining bytes of the file, if any
- */
- len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
- while (len > 0) {
- /*
- * Map in (part of) file
- */
- file_mmap_offset = sfd->file_offset + count - sfd->hlen;
- PR_ASSERT((file_mmap_offset % pagesize) == 0);
-
- addr = PR_MemMap(mapHandle, file_mmap_offset, len);
- if (!addr) {
- count = -1;
- goto done;
- }
- rv = PR_Send(sd, addr, len, 0, timeout);
- PR_MemUnmap(addr, len);
- if (rv < 0) {
- count = -1;
- goto done;
- }
-
- PR_ASSERT(rv == len);
- file_bytes -= rv;
- count += rv;
- len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
- }
- PR_ASSERT(0 == file_bytes);
- if (sfd->tlen) {
- rv = PR_Send(sd, sfd->trailer, sfd->tlen, 0, timeout);
- if (rv >= 0) {
- PR_ASSERT(rv == sfd->tlen);
- count += rv;
- } else
- count = -1;
- }
-done:
- if (mapHandle)
- PR_CloseFileMap(mapHandle);
- if ((count >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
- PR_Close(sd);
- return count;
-}
-#endif /* UNIX and NT */
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
deleted file mode 100644
index 5e1d50719..000000000
--- a/security/nss/lib/ssl/manifest.mn
+++ /dev/null
@@ -1,77 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-# DEFINES = -DTRACE
-
-
-PRIVATE_EXPORTS = \
- ssl3prot.h \
- sslimpl.h \
- $(NULL)
-
-EXPORTS = \
- ssl.h \
- sslerr.h \
- sslproto.h \
- preenc.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- emulate.c \
- prelib.c \
- ssl3con.c \
- ssl3gthr.c \
- sslauth.c \
- sslcon.c \
- ssldef.c \
- sslenum.c \
- sslerr.c \
- sslgathr.c \
- sslnonce.c \
- sslreveal.c \
- sslsecur.c \
- sslsnce.c \
- sslsock.c \
- sslsocks.c \
- ssltrace.c \
- authcert.c \
- cmpcert.c \
- nsskea.c \
- $(NULL)
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = ssl
diff --git a/security/nss/lib/ssl/notes.txt b/security/nss/lib/ssl/notes.txt
deleted file mode 100644
index a36f242ee..000000000
--- a/security/nss/lib/ssl/notes.txt
+++ /dev/null
@@ -1,161 +0,0 @@
-The contents of this file are subject to the Mozilla Public
-License Version 1.1 (the "License"); you may not use this file
-except in compliance with the License. You may obtain a copy of
-the License at http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS
-IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-implied. See the License for the specific language governing
-rights and limitations under the License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation. Portions created by Netscape are
-Copyright (C) 1994-2000 Netscape Communications Corporation. All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the
-terms of the GNU General Public License Version 2 or later (the
-"GPL"), in which case the provisions of the GPL are applicable
-instead of those above. If you wish to allow use of your
-version of this file only under the terms of the GPL and not to
-allow others to use your version of this file under the MPL,
-indicate your decision by deleting the provisions above and
-replace them with the notice and other provisions required by
-the GPL. If you do not delete the provisions above, a recipient
-may use your version of this file under either the MPL or the
-GPL.
-
-SSL's Buffers: enumerated and explained.
-
----------------------------------------------------------------------------
-incoming:
-
-gs = ss->gather
-hs = ss->ssl3->hs
-
-gs->inbuf SSL3 only: incoming (encrypted) ssl records are placed here,
- and then decrypted (or copied) to gs->buf.
-
-gs->buf SSL2: incoming SSL records are put here, and then decrypted
- in place.
- SSL3: ssl3_HandleHandshake puts decrypted ssl records here.
-
-hs.msg_body (SSL3 only) When an incoming handshake message spans more
- than one ssl record, the first part(s) of it are accumulated
- here until it all arrives.
-
-hs.msgState (SSL3 only) an alternative set of pointers/lengths for gs->buf.
- Used only when a handleHandshake function returns SECWouldBlock.
- ssl3_HandleHandshake remembers how far it previously got by
- using these pointers instead of gs->buf when it is called
- after a previous SECWouldBlock return.
-
----------------------------------------------------------------------------
-outgoing:
-
-sec = ss->sec
-ci = ss->sec->ci /* connect info */
-
-ci->sendBuf Outgoing handshake messages are appended to this buffer.
- This buffer will then be sent as a single SSL record.
-
-sec->writeBuf outgoing ssl records are constructed here and encrypted in
- place before being written or copied to pendingBuf.
-
-ss->pendingBuf contains outgoing ciphertext that was saved after a write
- attempt to the socket failed, e.g. EWouldBlock.
- Generally empty with blocking sockets (should be no incomplete
- writes).
-
-ss->saveBuf Used only by socks code. Intended to be used to buffer
- outgoing data until a socks handshake completes. However,
- this buffer is always empty. There is no code to put
- anything into it.
-
----------------------------------------------------------------------------
-
-SECWouldBlock means that the function cannot make progress because it is
-waiting for some event OTHER THAN socket I/O completion (e.g. waiting for
-user dialog to finish). It is not the same as EWOULDBLOCK.
-
----------------------------------------------------------------------------
-
-Rank (order) of locks
-
-[ReadLock ->]\ [firstHandshake ->] [ssl3Handshake ->] recvbuf \ -> "spec"
-[WriteLock->]/ xmitbuf /
-
-crypto and hash Data that must be protected while turning plaintext into
-ciphertext:
-
-SSL2: (in ssl2_Send*)
- sec->hash*
- sec->hashcx (ptr and data)
- sec->enc
- sec->writecx* (ptr and content)
- sec->sendSecret*(ptr and content)
- sec->sendSequence locked by xmitBufLock
- sec->blockSize
- sec->writeBuf* (ptr & content) locked by xmitBufLock
- "in" locked by xmitBufLock
-
-SSl3: (in ssl3_SendPlainText)
- ss->ssl3 (the pointer)
- ss->ssl3->current_write* (the pointer and the data in the spec
- and any data referenced by the spec.
-
- ss->sec->isServer
- ss->sec->writebuf* (ptr & content) locked by xmitBufLock
- "buf" locked by xmitBufLock
-
-crypto and hash data that must be protected while turning ciphertext into
-plaintext:
-
-SSL2: (in ssl2_GatherData)
- gs->* (locked by recvBufLock )
- sec->dec
- sec->readcx
- sec->hash* (ptr and data)
- sec->hashcx (ptr and data)
-
-SSL3: (in ssl3_HandleRecord )
- ssl3->current_read* (the pointer and all data refernced)
- ss->sec->isServer
-
-
-Data that must be protected while being used by a "writer":
-
-ss->pendingBuf.*
-ss->saveBuf.* (which is dead)
-
-in ssl3_sendPlainText
-
-ss->ssl3->current_write-> (spec)
-ss->sec->writeBuf.*
-ss->sec->isServer
-
-in SendBlock
-
-ss->sec->hash->length
-ss->sec->blockSize
-ss->sec->writeBuf.*
-ss->sec->sendSecret
-ss->sec->sendSequence
-ss->sec->writecx *
-ss->pendingBuf
-
---------------------------------------------------------------------------
-
-Data variables (not const) protected by the "sslGlobalDataLock".
-Note, this really should be a reader/writer lock.
-
-allowedByPolicy sslcon.c
-maybeAllowedByPolicy sslcon.c
-chosenPreference sslcon.c
-policyWasSet sslcon.c
-
-cipherSuites[] ssl3con.c
diff --git a/security/nss/lib/ssl/nsskea.c b/security/nss/lib/ssl/nsskea.c
deleted file mode 100644
index ec7be1735..000000000
--- a/security/nss/lib/ssl/nsskea.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Return SSLKEAType derived from cert's Public Key algorithm info.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- # $Id$
- */
-
-#include "cert.h"
-#include "ssl.h" /* for SSLKEAType */
-#include "secoid.h"
-
-SSLKEAType
-NSS_FindCertKEAType(CERTCertificate * cert)
-{
- SSLKEAType keaType = kt_null;
- int tag;
-
- if (!cert) goto loser;
-
- tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-
- switch (tag) {
- case SEC_OID_X500_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- keaType = kt_rsa;
- break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS_OLD:
- case SEC_OID_MISSI_DSS:
- keaType = kt_fortezza;
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- keaType = kt_dh;
- break;
- default:
- keaType = kt_null;
- }
-
- loser:
-
- return keaType;
-
-}
-
diff --git a/security/nss/lib/ssl/preenc.h b/security/nss/lib/ssl/preenc.h
deleted file mode 100644
index 3dfbe1e92..000000000
--- a/security/nss/lib/ssl/preenc.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
-
-/*
- * Functions and types used by https servers to send (download) pre-encrypted
- * files over SSL connections that use Fortezza ciphersuites.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "prio.h"
-
-typedef struct PEHeaderStr PEHeader;
-
-#define PE_MIME_TYPE "application/pre-encrypted"
-
-
-/*
- * unencrypted header. The 'top' half of this header is generic. The union
- * is type specific, and may include bulk cipher type information
- * (Fortezza supports only Fortezza Bulk encryption). Only fortezza
- * pre-encrypted is defined.
- */
-typedef struct PEFortezzaHeaderStr PEFortezzaHeader;
-typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader;
-typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader;
-typedef struct PERSAKeyHeaderStr PERSAKeyHeader;
-
-struct PEFortezzaHeaderStr {
- unsigned char key[12]; /* Ks wrapped MEK */
- unsigned char iv[24]; /* iv for this MEK */
- unsigned char hash[20]; /* SHA hash of file */
- unsigned char serial[8]; /* serial number of the card that owns
- * Ks */
-};
-
-struct PEFortezzaGeneratedHeaderStr {
- unsigned char key[12]; /* TEK wrapped MEK */
- unsigned char iv[24]; /* iv for this MEK */
- unsigned char hash[20]; /* SHA hash of file */
- unsigned char Ra[128]; /* RA to generate TEK */
- unsigned char Y[128]; /* Y to generate TEK */
-};
-
-struct PEFixedKeyHeaderStr {
- unsigned char pkcs11Mech[4]; /* Symetric key operation */
- unsigned char labelLen[2]; /* length of the token label */
- unsigned char keyIDLen[2]; /* length of the token Key ID */
- unsigned char ivLen[2]; /* length of IV */
- unsigned char keyLen[2]; /* length of key (DES3_ECB encrypted) */
- unsigned char data[1]; /* start of data */
-};
-
-struct PERSAKeyHeaderStr {
- unsigned char pkcs11Mech[4]; /* Symetric key operation */
- unsigned char issuerLen[2]; /* length of cert issuer */
- unsigned char serialLen[2]; /* length of the cert serial */
- unsigned char ivLen[2]; /* length of IV */
- unsigned char keyLen[2]; /* length of key (RSA encrypted) */
- unsigned char data[1]; /* start of data */
-};
-
-/* macros to get at the variable length data fields */
-#define PEFIXED_Label(header) (header->data)
-#define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)])
-#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\
- +GetInt2(header->keyIDLen)])
-#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen)\
- +GetInt2(header->keyIDLen)+GetInt2(header->keyLen)])
-#define PERSA_Issuer(header) (header->data)
-#define PERSA_Serial(header) (&header->data[GetInt2(header->issuerLen)])
-#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen)\
- +GetInt2(header->serialLen)])
-#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\
- +GetInt2(header->serialLen)+GetInt2(header->keyLen)])
-struct PEHeaderStr {
- unsigned char magic [2]; /* always 0xC0DE */
- unsigned char len [2]; /* length of PEHeader */
- unsigned char type [2]; /* FORTEZZA, DIFFIE-HELMAN, RSA */
- unsigned char version[2]; /* version number: 1.0 */
- union {
- PEFortezzaHeader fortezza;
- PEFortezzaGeneratedHeader g_fortezza;
- PEFixedKeyHeader fixed;
- PERSAKeyHeader rsa;
- } u;
-};
-
-#define PE_CRYPT_INTRO_LEN 8
-#define PE_INTRO_LEN 4
-#define PE_BASE_HEADER_LEN 8
-
-#define PRE_BLOCK_SIZE 8 /* for decryption blocks */
-
-
-/*
- * Platform neutral encode/decode macros.
- */
-#define GetInt2(c) ((c[0] << 8) | c[1])
-#define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\
- |((unsigned long)c[2] << 8)| ((unsigned long)c[3]))
-#define PutInt2(c,i) ((c[1] = (i) & 0xff), (c[0] = ((i) >> 8) & 0xff))
-#define PutInt4(c,i) ((c[0]=((i) >> 24) & 0xff),(c[1]=((i) >> 16) & 0xff),\
- (c[2] = ((i) >> 8) & 0xff), (c[3] = (i) & 0xff))
-
-/*
- * magic numbers.
- */
-#define PRE_MAGIC 0xc0de
-#define PRE_VERSION 0x1010
-#define PRE_FORTEZZA_FILE 0x00ff /* pre-encrypted file on disk */
-#define PRE_FORTEZZA_STREAM 0x00f5 /* pre-encrypted file in stream */
-#define PRE_FORTEZZA_GEN_STREAM 0x00f6 /* Generated pre-encrypted file */
-#define PRE_FIXED_FILE 0x000f /* fixed key on disk */
-#define PRE_RSA_FILE 0x001f /* RSA in file */
-#define PRE_FIXED_STREAM 0x0005 /* fixed key in stream */
-
-/*
- * internal implementation info
- */
-
-
-/* convert an existing stream header to a version with local parameters */
-PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *,
- int *headerSize);
-
-/* convert an existing file header to one suitable for streaming out */
-PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *,
- int *headerSize);
-
diff --git a/security/nss/lib/ssl/prelib.c b/security/nss/lib/ssl/prelib.c
deleted file mode 100644
index b6ea428e2..000000000
--- a/security/nss/lib/ssl/prelib.c
+++ /dev/null
@@ -1,253 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
-
-/*
- * Functions used by https servers to send (download) pre-encrypted files
- * over SSL connections that use Fortezza ciphersuites.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "ssl.h"
-#include "keyhi.h"
-#include "secitem.h"
-#include "sslimpl.h"
-#include "pkcs11t.h"
-#include "preenc.h"
-#include "pk11func.h"
-
-static unsigned char fromHex(char x) {
- if ((x >= '0') && (x <= '9')) return x-'0';
- if ((x >= 'a') && (x <= 'f')) return x-'a'+10;
- return x-'A'+10;
-}
-
-PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader,
- int *headerSize)
-{
- PK11SymKey *key, *tek, *Ks;
- sslSocket *ss;
- PK11SlotInfo *slot;
- CK_TOKEN_INFO info;
- int oldHeaderSize;
- PEHeader *header;
- SECStatus rv;
- SECItem item;
- int i;
-
- if (fd == NULL) {
- /* XXX set an error */
- return NULL;
- }
-
- ss = ssl_FindSocket(fd);
- if (ss == NULL) {
- /* XXX set an error */
- return NULL;
- }
-
- PORT_Assert(ss->ssl3 != NULL);
- if (ss->ssl3 == NULL) {
- return NULL;
- }
-
- if (GetInt2(inHeader->magic) != PRE_MAGIC) {
- return NULL;
- }
-
- oldHeaderSize = GetInt2(inHeader->len);
- header = (PEHeader *) PORT_ZAlloc(oldHeaderSize);
- if (header == NULL) {
- return NULL;
- }
-
- switch (GetInt2(inHeader->type)) {
- case PRE_FORTEZZA_FILE:
- case PRE_FORTEZZA_GEN_STREAM:
- case PRE_FIXED_FILE:
- case PRE_RSA_FILE:
- default:
- *headerSize = oldHeaderSize;
- PORT_Memcpy(header,inHeader,oldHeaderSize);
- return header;
-
- case PRE_FORTEZZA_STREAM:
- *headerSize = PE_BASE_HEADER_LEN + sizeof(PEFortezzaHeader);
- PutInt2(header->magic,PRE_MAGIC);
- PutInt2(header->len,*headerSize);
- PutInt2(header->type, PRE_FORTEZZA_FILE);
- PORT_Memcpy(header->version,inHeader->version,sizeof(header->version));
- PORT_Memcpy(header->u.fortezza.hash,inHeader->u.fortezza.hash,
- sizeof(header->u.fortezza.hash));
- PORT_Memcpy(header->u.fortezza.iv,inHeader->u.fortezza.iv,
- sizeof(header->u.fortezza.iv));
-
- /* get the kea context from the session */
- tek = ss->ssl3->fortezza.tek;
- if (tek == NULL) {
- PORT_Free(header);
- return NULL;
- }
-
-
- /* get the slot and the serial number */
- slot = PK11_GetSlotFromKey(tek);
- if (slot == NULL) {
- PORT_Free(header);
- return NULL;
- }
- rv = PK11_GetTokenInfo(slot,&info);
- if (rv != SECSuccess) {
- PORT_Free(header);
- PK11_FreeSlot(slot);
- return NULL;
- }
-
- /* Look up the Token Fixed Key */
- Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg);
- PK11_FreeSlot(slot);
- if (Ks == NULL) {
- PORT_Free(header);
- return NULL;
- }
-
- /* unwrap the key with the TEK */
- item.data = inHeader->u.fortezza.key;
- item.len = sizeof(inHeader->u.fortezza.key);
- key = PK11_UnwrapSymKey(tek,CKM_SKIPJACK_WRAP,
- NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
- if (key == NULL) {
- PORT_Free(header);
- PK11_FreeSymKey(Ks);
- return NULL;
- }
-
- /* rewrap with the local Ks */
- item.data = header->u.fortezza.key;
- item.len = sizeof(header->u.fortezza.key);
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, key, &item);
- PK11_FreeSymKey(Ks);
- PK11_FreeSymKey(key);
- if (rv != SECSuccess) {
- PORT_Free(header);
- return NULL;
- }
-
- /* copy our local serial number into header */
- for (i=0; i < sizeof(header->u.fortezza.serial); i++) {
- header->u.fortezza.serial[i] =
- (fromHex(info.serialNumber[i*2]) << 4) |
- fromHex(info.serialNumber[i*2 + 1]);
- }
- break;
- case PRE_FIXED_STREAM:
- /* not implemented yet */
- PORT_Free(header);
- return NULL;
- }
-
- return(header);
-}
-
-/*
- * this one needs to allocate space and work for RSA & FIXED key files as well
- */
-PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header,
- int *headerSize)
-{
- PK11SymKey *key, *tek, *Ks;
- sslSocket *ss;
- PK11SlotInfo *slot;
- SECStatus rv;
- SECItem item;
-
- *headerSize = 0; /* hack */
-
- if (fd == NULL) {
- /* XXX set an error */
- return NULL;
- }
-
- ss = ssl_FindSocket(fd);
- if (ss == NULL) {
- /* XXX set an error */
- return NULL;
- }
-
- PORT_Assert(ss->ssl3 != NULL);
- if (ss->ssl3 == NULL) {
- return NULL;
- }
-
- /* get the kea context from the session */
- tek = ss->ssl3->fortezza.tek;
- if (tek == NULL) {
- return NULL;
- }
-
- slot = PK11_GetSlotFromKey(tek);
- if (slot == NULL) return NULL;
- Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, PK11_GetWindow(tek));
- PK11_FreeSlot(slot);
- if (Ks == NULL) return NULL;
-
-
- /* unwrap with the local Ks */
- item.data = header->u.fortezza.key;
- item.len = sizeof(header->u.fortezza.key);
- /* rewrap the key with the TEK */
- key = PK11_UnwrapSymKey(Ks,CKM_SKIPJACK_WRAP,
- NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
- if (key == NULL) {
- PK11_FreeSymKey(Ks);
- return NULL;
- }
-
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, key, &item);
- PK11_FreeSymKey(Ks);
- PK11_FreeSymKey(key);
- if (rv != SECSuccess) {
- return NULL;
- }
-
- /* copy over our local serial number */
- PORT_Memset(header->u.fortezza.serial,0,sizeof(header->u.fortezza.serial));
-
- /* change type to stream */
- PutInt2(header->type, PRE_FORTEZZA_STREAM);
-
- return(header);
-}
-
-
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
deleted file mode 100644
index 97a97759b..000000000
--- a/security/nss/lib/ssl/ssl.h
+++ /dev/null
@@ -1,423 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef __ssl_h_
-#define __ssl_h_
-
-#include "prtypes.h"
-#include "prerror.h"
-#include "prio.h"
-#include "seccomon.h"
-#include "cert.h"
-#include "keyt.h"
-
-/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
-extern const PRUint16 SSL_ImplementedCiphers[];
-
-/* number of entries in the above table. */
-extern const PRUint16 SSL_NumImplementedCiphers;
-
-/* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
-#define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
-
-SEC_BEGIN_PROTOS
-
-
-/*
-** Imports fd into SSL, returning a new socket. Copies SSL configuration
-** from model.
-*/
-extern PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
-
-/*
-** Enable/disable an ssl mode
-**
-** SSL_SECURITY:
-** enable/disable use of SSL security protocol before connect
-**
-** SSL_SOCKS:
-** enable/disable use of socks before connect
-** (No longer supported).
-**
-** SSL_REQUEST_CERTIFICATE:
-** require a certificate during secure connect
-*/
-/* options */
-#define SSL_SECURITY 1
-#define SSL_SOCKS 2
-#define SSL_REQUEST_CERTIFICATE 3
-#define SSL_HANDSHAKE_AS_CLIENT 5 /* force accept to hs as client */
-#define SSL_HANDSHAKE_AS_SERVER 6 /* force connect to hs as server */
-#define SSL_ENABLE_SSL2 7 /* enable ssl v2 (on by default) */
-#define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */
-#define SSL_NO_CACHE 9 /* don't use the session cache */
-#define SSL_REQUIRE_CERTIFICATE 10
-#define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */
-#define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */
-#define SSL_ENABLE_TLS 13 /* enable TLS (off by default) */
-#define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */
-
-/* Old deprecated function names */
-extern SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
-extern SECStatus SSL_EnableDefault(int option, PRBool on);
-
-/* New function names */
-extern SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on);
-extern SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on);
-extern SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
-extern SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
-extern SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
-
-/*
-** Control ciphers that SSL uses. If on is non-zero then the named cipher
-** is enabled, otherwise it is disabled.
-** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
-** EnableCipher records user preferences.
-** SetPolicy sets the policy according to the policy module.
-*/
-/* Old deprecated function names */
-extern SECStatus SSL_EnableCipher(long which, PRBool enabled);
-extern SECStatus SSL_SetPolicy(long which, int policy);
-
-/* New function names */
-extern SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
-extern SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
-extern SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
-extern SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
-extern SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
-extern SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
-
-/* Values for "policy" argument to SSL_PolicySet */
-/* Values returned by SSL_CipherPolicyGet. */
-#define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */
-#define SSL_ALLOWED 1
-#define SSL_RESTRICTED 2 /* only with "Step-Up" certs. */
-
-/*
-** Reset the handshake state for fd. This will make the complete SSL
-** handshake protocol execute from the ground up on the next i/o
-** operation.
-*/
-extern SECStatus SSL_ResetHandshake(PRFileDesc *fd, PRBool asServer);
-
-/*
-** Force the handshake for fd to complete immediately. This blocks until
-** the complete SSL handshake protocol is finished.
-*/
-extern int SSL_ForceHandshake(PRFileDesc *fd);
-
-/*
-** Query security status of socket. *on is set to one if security is
-** enabled. *keySize will contain the stream key size used. *issuer will
-** contain the RFC1485 verison of the name of the issuer of the
-** certificate at the other end of the connection. For a client, this is
-** the issuer of the server's certificate; for a server, this is the
-** issuer of the client's certificate (if any). Subject is the subject of
-** the other end's certificate. The pointers can be zero if the desired
-** data is not needed. All strings returned by this function are owned
-** by SSL, and will be freed when the socket is closed.
-*/
-extern int SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
- int *keySize, int *secretKeySize,
- char **issuer, char **subject);
-
-/* Values for "on" */
-#define SSL_SECURITY_STATUS_NOOPT -1
-#define SSL_SECURITY_STATUS_OFF 0
-#define SSL_SECURITY_STATUS_ON_HIGH 1
-#define SSL_SECURITY_STATUS_ON_LOW 2
-#define SSL_SECURITY_STATUS_FORTEZZA 3
-
-/*
-** Return the certificate for our SSL peer. If the client calls this
-** it will always return the server's certificate. If the server calls
-** this, it may return NULL if client authentication is not enabled or
-** if the client had no certificate when asked.
-** "fd" the socket "file" descriptor
-*/
-extern CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
-
-/*
-** Authenticate certificate hook. Called when a certificate comes in
-** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
-** certificate.
-*/
-typedef int (*SSLAuthCertificate)(void *arg, PRFileDesc *fd, PRBool checkSig,
- PRBool isServer);
-extern int SSL_AuthCertificateHook(PRFileDesc *fd, SSLAuthCertificate f,
- void *arg);
-
-/* An implementation of the certificate authentication hook */
-extern int SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
- PRBool isServer);
-
-/*
- * Prototype for SSL callback to get client auth data from the application.
- * arg - application passed argument
- * caNames - pointer to distinguished names of CAs that the server likes
- * pRetCert - pointer to pointer to cert, for return of cert
- * pRetKey - pointer to key pointer, for return of key
- */
-typedef int (*SSLGetClientAuthData)(void *arg, PRFileDesc *fd,
- CERTDistNames *caNames,
- CERTCertificate **pRetCert,/*return */
- SECKEYPrivateKey **pRetKey);/* return */
-
-/*
- * Set the client side callback for SSL to retrieve user's private key
- * and certificate.
- * fd - the file descriptor for the connection in question
- * f - the application's callback that delivers the key and cert
- * a - application specific data
- */
-extern int SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f,
- void *a);
-
-
-/*
- * Set the client side argument for SSL to retrieve PKCS #11 pin.
- * fd - the file descriptor for the connection in question
- * a - pkcs11 application specific data
- */
-extern int SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
-
-/*
-** This is a callback for dealing with server certs that are not authenticated
-** by the client. The client app can decide that it actually likes the
-** cert by some external means and restart the connection.
-*/
-typedef int (*SSLBadCertHandler)(void *arg, PRFileDesc *fd);
-extern int SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg);
-
-/*
-** Configure ssl for running a secure server. Needs the
-** certificate for the server and the servers private key. The arguments
-** are copied.
-*/
-/* Key Exchange values */
-typedef enum {
- kt_null = 0,
- kt_rsa,
- kt_dh,
- kt_fortezza,
- kt_kea_size
-} SSLKEAType;
-
-extern SECStatus SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
- SECKEYPrivateKey *key, SSLKEAType kea);
-
-/*
-** Configure a secure servers session-id cache. Define the maximum number
-** of entries in the cache, the longevity of the entires, and the directory
-** where the cache files will be placed. These values can be zero, and
-** if so, the implementation will choose defaults.
-** This version of the function is for use in applications that have only one
-** process that uses the cache (even if that process has multiple threads).
-*/
-extern int SSL_ConfigServerSessionIDCache(int maxCacheEntries,
- PRUint32 timeout,
- PRUint32 ssl3_timeout,
- const char * directory);
-/*
-** Like SSL_ConfigServerSessionIDCache, with one important difference.
-** If the application will run multiple processes (as opposed to, or in
-** addition to multiple threads), then it must call this function, instead
-** of calling SSL_ConfigServerSessionIDCache().
-** This has nothing to do with the number of processORs, only processEs.
-** This function sets up a Server Session ID (SID) cache that is safe for
-** access by multiple processes on the same system.
-*/
-extern int SSL_ConfigMPServerSIDCache(int maxCacheEntries,
- PRUint32 timeout,
- PRUint32 ssl3_timeout,
- const char * directory);
-
-/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
- * SSL_InheritMPServerSIDCache when envString is NULL.
- */
-#define SSL_ENV_VAR_NAME "SSL_INHERITANCE"
-
-/* called in child to inherit SID Cache variables.
- * If envString is NULL, this function will use the value of the environment
- * variable "SSL_INHERITANCE", otherwise the string value passed in will be
- * used.
- */
-extern SECStatus SSL_InheritMPServerSIDCache(const char * envString);
-
-/*
-** Set the callback on a particular socket that gets called when we finish
-** performing a handshake.
-*/
-typedef void (*SSLHandshakeCallback)(PRFileDesc *fd, void *client_data);
-extern int SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
- void *client_data);
-
-/*
-** For the server, request a new handshake. For the client, begin a new
-** handshake. If flushCache is non-zero, the SSL3 cache entry will be
-** flushed first, ensuring that a full SSL handshake will be done.
-** If flushCache is zero, and an SSL connection is established, it will
-** do the much faster session restart handshake. This will change the
-** session keys without doing another private key operation.
-*/
-extern int SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
-
-/*
-** For the server, request a new handshake. For the client, begin a new
-** handshake. Flushes SSL3 session cache entry first, ensuring that a
-** full handshake will be done.
-** This call is equivalent to SSL_ReHandshake(fd, PR_TRUE)
-*/
-extern int SSL_RedoHandshake(PRFileDesc *fd);
-
-/*
-** Return 1 if the socket is direct, 0 if not, -1 on error
-*/
-extern int SSL_CheckDirectSock(PRFileDesc *s);
-
-/*
-** A cousin to SSL_Bind, this takes an extra arg: dsthost, so we can
-** set up sockd connection. This should be used with socks enabled.
-*/
-extern int SSL_BindForSockd(PRFileDesc *s, PRNetAddr *sa, long dsthost);
-
-/*
-** Configure ssl for using socks.
-*/
-extern SECStatus SSL_ConfigSockd(PRFileDesc *fd, PRUint32 host, PRUint16 port);
-
-/*
- * Allow the application to pass a URL or hostname into the SSL library
- */
-extern int SSL_SetURL(PRFileDesc *fd, const char *url);
-
-/*
-** Return the number of bytes that SSL has waiting in internal buffers.
-** Return 0 if security is not enabled.
-*/
-extern int SSL_DataPending(PRFileDesc *fd);
-
-/*
-** Invalidate the SSL session associated with fd.
-*/
-extern int SSL_InvalidateSession(PRFileDesc *fd);
-
-/*
-** Return a SECItem containing the SSL session ID associated with the fd.
-*/
-extern SECItem *SSL_GetSessionID(PRFileDesc *fd);
-
-/*
-** Clear out the SSL session cache.
-*/
-extern void SSL_ClearSessionCache(void);
-
-/*
-** Set peer information so we can correctly look up SSL session later.
-** You only have to do this if you're tunneling through a proxy.
-*/
-extern int SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);
-
-/*
-** Read the socks config file. You must do this before doing anything with
-** socks.
-*/
-extern int SSL_ReadSocksConfFile(PRFileDesc *fp);
-
-/*
-** Reveal the security information for the peer.
-*/
-extern CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
-extern void * SSL_RevealPinArg(PRFileDesc * socket);
-extern char * SSL_RevealURL(PRFileDesc * socket);
-
-
-/* This callback may be passed to the SSL library via a call to
- * SSL_GetClientAuthDataHook() for each SSL client socket.
- * It will be invoked when SSL needs to know what certificate and private key
- * (if any) to use to respond to a request for client authentication.
- * If arg is non-NULL, it is a pointer to a NULL-terminated string containing
- * the nickname of the cert/key pair to use.
- * If arg is NULL, this function will search the cert and key databases for
- * a suitable match and send it if one is found.
- */
-extern SECStatus
-NSS_GetClientAuthData(void * arg,
- PRFileDesc * socket,
- struct CERTDistNamesStr * caNames,
- struct CERTCertificateStr ** pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey);
-
-/*
- * Look to see if any of the signers in the cert chain for "cert" are found
- * in the list of caNames.
- * Returns SECSuccess if so, SECFailure if not.
- * Used by NSS_GetClientAuthData. May be used by other callback functions.
- */
-extern SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert,
- CERTDistNames *caNames);
-
-/*
- * Returns key exchange type of the keys in an SSL server certificate.
- */
-extern SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
-
-/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
- * This essentially enables all supported ciphers.
- */
-extern SECStatus NSS_SetDomesticPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- * according to present U.S. policies as we understand them.
- * See documentation for the list.
- * Note that your particular application program may be able to obtain
- * an export license with more or fewer capabilities than those allowed
- * by this function. In that case, you should use SSL_SetPolicy()
- * to explicitly allow those ciphers you may legally export.
- */
-extern SECStatus NSS_SetExportPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- * according to present U.S. policies as we understand them, and that the
- * nation of France will permit to be imported into their country.
- * See documentation for the list.
- */
-extern SECStatus NSS_SetFrancePolicy(void);
-
-SEC_END_PROTOS
-
-#endif /* __ssl_h_ */
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
deleted file mode 100644
index 93d5b2773..000000000
--- a/security/nss/lib/ssl/ssl3con.c
+++ /dev/null
@@ -1,7521 +0,0 @@
-/*
- * SSL3 Protocol
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "ssl.h"
-#include "cryptohi.h" /* for DSAU_ stuff */
-#include "keyhi.h"
-#include "secder.h"
-#include "secitem.h"
-
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "sslerr.h"
-#include "prtime.h"
-#include "prinrval.h"
-#include "prerror.h"
-#include "pratom.h"
-#include "prthread.h"
-
-#include "pk11func.h"
-#include "secmod.h"
-#include "nsslocks.h"
-
-#include <stdio.h>
-
-#ifndef PK11_SETATTRS
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
- (x)->pValue=(v); (x)->ulValueLen = (l);
-#endif
-
-static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
- PK11SlotInfo * serverKeySlot);
-static SECStatus ssl3_GenerateSessionKeys(sslSocket *ss, const PK11SymKey *pms);
-static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
-static SECStatus ssl3_InitState( sslSocket *ss);
-static sslSessionID *ssl3_NewSessionID( sslSocket *ss, PRBool is_server);
-static SECStatus ssl3_SendCertificate( sslSocket *ss);
-static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
-static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
-static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
-static SECStatus ssl3_SendServerHello( sslSocket *ss);
-static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
-static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
-
-static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
- int maxOutputLen, const unsigned char *input,
- int inputLen);
-
-#define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
-#define MIN_SEND_BUF_LENGTH 4000
-
-#define MAX_CIPHER_SUITES 20
-
-/* This list of SSL3 cipher suites is sorted in descending order of
- * precedence (desirability). It only includes cipher suites we implement.
- * This table is modified by SSL3_SetPolicy().
- */
-static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
- /* cipher_suite policy enabled is_present*/
- { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}
-};
-
-static const /*SSL3CompressionMethod*/ uint8 compressions [] = {
- compression_null
-};
-
-static const int compressionMethodsCount =
- sizeof(compressions) / sizeof(compressions[0]);
-
-static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
- ct_RSA_sign,
- ct_DSS_sign,
-};
-
-static const /*SSL3ClientCertificateType */ uint8 fortezza_certificate_types [] = {
- ct_Fortezza,
-};
-
-/*
- * make sure there is room in the write buffer for padding and
- * other compression and cryptographic expansions
- */
-#define SSL3_BUFFER_FUDGE 100
-
-#undef BPB
-#define BPB 8 /* Bits Per Byte */
-
-#define SET_ERROR_CODE /* reminder */
-#define SEND_ALERT /* reminder */
-#define TEST_FOR_FAILURE /* reminder */
-#define DEAL_WITH_FAILURE /* reminder */
-
-
-/* This is a hack to make sure we don't do double handshakes for US policy */
-PRBool ssl3_global_policy_some_restricted = PR_FALSE;
-
-/* This global item is used only in servers. It is is initialized by
-** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
-*/
-CERTDistNames *ssl3_server_ca_list = NULL;
-
-/* statistics from ssl3_SendClientHello (sch) */
-long ssl3_sch_sid_cache_hits;
-long ssl3_sch_sid_cache_misses;
-long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-long ssl3_hsh_sid_cache_hits;
-long ssl3_hsh_sid_cache_misses;
-long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-long ssl3_hch_sid_cache_hits;
-long ssl3_hch_sid_cache_misses;
-long ssl3_hch_sid_cache_not_ok;
-
-/* indexed by SSL3BulkCipher */
-static const ssl3BulkCipherDef bulk_cipher_defs[] = {
- /* cipher calg keySz secretSz type ivSz BlkSz keygen */
- {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null},
- {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong},
- {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export},
- {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export},
- {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong},
- {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export},
- {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong},
- {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong},
- {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export},
- {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong},
- {cipher_fortezza, calg_fortezza, 10, 10, type_block, 24, 8, kg_null},
- {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null},
-};
-
-static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */
- /* kea exchKeyType signKeyType is_limited limit tls_keygen */
- {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE},
- {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE},
- {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE},
- {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
- {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
- {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
- {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
- {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
- {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
- {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
- {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
- {kea_fortezza, kt_fortezza, sign_dsa, PR_FALSE, 0, PR_FALSE},
- {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
-};
-
-static const CK_MECHANISM_TYPE kea_alg_defs[] = {
- 0x80000000L,
- CKM_RSA_PKCS,
- CKM_DH_PKCS_DERIVE,
- CKM_KEA_KEY_DERIVE
-};
-
-
-static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
- /* mac malg pad_size mac_size */
- { mac_null, malg_null, 0, 0 },
- { mac_md5, malg_md5, 48, MD5_LENGTH },
- { mac_sha, malg_sha, 40, SHA1_LENGTH},
- {hmac_md5, malg_md5_hmac, 48, MD5_LENGTH },
- {hmac_sha, malg_sha_hmac, 40, SHA1_LENGTH},
-};
-
-/* must use ssl_LookupCipherSuiteDef to access */
-static const ssl3CipherSuiteDef cipher_suite_defs[] = {
-/* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
-
- {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
- {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
- {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
- {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
- {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
- {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
- {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- cipher_rc2_40, mac_md5, kea_rsa_export},
-#if 0 /* not implemented */
- {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
- {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- cipher_des40, mac_sha, kea_rsa_export},
-#endif
- {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
- {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
-
-#if 0 /* not implemented */
- {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- cipher_des40, mac_sha, kea_dh_dss_export},
- {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
- {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
- {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- cipher_des40, mac_sha, kea_dh_rsa_export},
- {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
- {SSL_DH_RSA_3DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
- {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- cipher_des40, mac_sha, kea_dh_dss_export},
- {SSL_DHE_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
- {SSL_DHE_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
- {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- cipher_des40, mac_sha, kea_dh_rsa_export},
- {SSL_DHE_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
- {SSL_DHE_RSA_3DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
- {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
- {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4, mac_md5, kea_dh_anon_export},
- {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
- cipher_des40, mac_sha, kea_dh_anon_export},
- {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
- {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
-#endif
-
- {SSL_FORTEZZA_DMS_WITH_NULL_SHA, cipher_null, mac_sha, kea_fortezza},
- {SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
- cipher_fortezza, mac_sha, kea_fortezza},
- {SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_fortezza},
-
- {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- cipher_des, mac_sha,kea_rsa_export_1024},
- {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
- cipher_rc4_56, mac_sha,kea_rsa_export_1024},
-
- {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
- {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
-
-};
-
-/* indexed by SSL3BulkCipher */
-const char * const ssl3_cipherName[] = {
- "NULL",
- "RC4",
- "RC4-40",
- "RC4-56",
- "RC2-CBC",
- "RC2-CBC-40",
- "DES-CBC",
- "3DES-EDE-CBC",
- "DES-CBC-40",
- "IDEA-CBC",
- "FORTEZZA",
- "missing"
-};
-
-#if defined(TRACE)
-
-static char *
-ssl3_DecodeHandshakeType(int msgType)
-{
- char * rv;
- static char line[40];
-
- switch(msgType) {
- case hello_request: rv = "hello_request (0)"; break;
- case client_hello: rv = "client_hello (1)"; break;
- case server_hello: rv = "server_hello (2)"; break;
- case certificate: rv = "certificate (11)"; break;
- case server_key_exchange: rv = "server_key_exchange (12)"; break;
- case certificate_request: rv = "certificate_request (13)"; break;
- case server_hello_done: rv = "server_hello_done (14)"; break;
- case certificate_verify: rv = "certificate_verify (15)"; break;
- case client_key_exchange: rv = "client_key_exchange (16)"; break;
- case finished: rv = "finished (20)"; break;
- default:
- sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
- rv = line;
- }
- return rv;
-}
-
-static char *
-ssl3_DecodeContentType(int msgType)
-{
- char * rv;
- static char line[40];
-
- switch(msgType) {
- case content_change_cipher_spec:
- rv = "change_cipher_spec (20)"; break;
- case content_alert: rv = "alert (21)"; break;
- case content_handshake: rv = "handshake (22)"; break;
- case content_application_data:
- rv = "application_data (23)"; break;
- default:
- sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
- rv = line;
- }
- return rv;
-}
-
-#endif
-
-/* return pointer to ssl3CipherSuiteDef for suite, or NULL */
-/* XXX This does a linear search. A binary search would be better. */
-static const ssl3CipherSuiteDef *
-ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
-{
- int cipher_suite_def_len =
- sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
- int i;
-
- for (i = 0; i < cipher_suite_def_len; i++) {
- if (cipher_suite_defs[i].cipher_suite == suite)
- return &cipher_suite_defs[i];
- }
- PORT_Assert(PR_FALSE); /* We should never get here. */
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- return NULL;
-}
-
-/* Find the cipher configuration struct associate with suite */
-/* XXX This does a linear search. A binary search would be better. */
-static ssl3CipherSuiteCfg *
-ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
-{
- int i;
-
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- if (suites[i].cipher_suite == suite)
- return &suites[i];
- }
- /* return NULL and let the caller handle it. */
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- return NULL;
-}
-
-
-/* Initialize the suite->isPresent value for config_match
- * Returns count of enabled ciphers supported by extant tokens,
- * regardless of policy or user preference.
- * If this returns zero, the user cannot do SSL v3.
- */
-int
-ssl3_config_match_init(sslSocket *ss)
-{
- ssl3CipherSuiteCfg * suite;
- const ssl3CipherSuiteDef *cipher_def;
- CipherAlgorithm cipher_alg;
- SSL3KEAType exchKeyType;
- int i;
- int numPresent = 0;
- int numEnabled = 0;
- PRBool isServer;
-
- if (!ss->enableSSL3 && !ss->enableTLS) {
- return 0;
- }
- isServer = (PRBool)( ss && ss->sec && ss->sec->isServer );
-
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- suite = &ss->cipherSuites[i];
- if (suite->enabled) {
- ++numEnabled;
- /* We need the cipher defs to see if we have a token that can handle
- * this cipher. It isn't part of the static definition.
- */
- cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
- if (!cipher_def) {
- suite->isPresent = PR_FALSE;
- continue;
- }
- cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
- exchKeyType =
- kea_defs[cipher_def->key_exchange_alg].exchKeyType;
-
- /* Mark the suites that are backed by real tokens, certs and keys */
- suite->isPresent = (PRBool)
- (((exchKeyType == kt_null) ||
- (!isServer || (ss->serverKey[exchKeyType] &&
- ss->serverCertChain[exchKeyType])) &&
- PK11_TokenExists(kea_alg_defs[exchKeyType])) &&
- ((cipher_alg == calg_null) || PK11_TokenExists(cipher_alg)));
- if (suite->isPresent)
- ++numPresent;
- }
- }
- PORT_Assert(numPresent > 0 || numEnabled == 0);
- if (numPresent <= 0) {
- PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
- }
- return numPresent;
-}
-
-
-/* return PR_TRUE if suite matches policy and enabled state */
-/* It would be a REALLY BAD THING (tm) if we ever permitted the use
-** of a cipher that was NOT_ALLOWED. So, if this is ever called with
-** policy == SSL_NOT_ALLOWED, report no match.
-*/
-/* adjust suite enabled to the availability of a token that can do the
- * cipher suite. */
-static PRBool
-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
-{
- PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
- if (policy == SSL_NOT_ALLOWED || !enabled)
- return PR_FALSE;
- return (PRBool)(suite->enabled &&
- suite->isPresent &&
- suite->policy != SSL_NOT_ALLOWED &&
- suite->policy <= policy);
-}
-
-/* return number of cipher suites that match policy and enabled state */
-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
-static int
-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
-{
- int i, count = 0;
-
- if (!ss->enableSSL3 && !ss->enableTLS) {
- return 0;
- }
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- if (config_match(&ss->cipherSuites[i], policy, enabled))
- count++;
- }
- if (count <= 0) {
- PORT_SetError(SSL_ERROR_SSL_DISABLED);
- }
- return count;
-}
-
-static PRBool
-anyRestrictedEnabled(sslSocket *ss)
-{
- int i;
-
- if (!ss->enableSSL3 && !ss->enableTLS) {
- return PR_FALSE;
- }
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if (suite->policy == SSL_RESTRICTED &&
- suite->enabled &&
- suite->isPresent)
- return PR_TRUE;
- }
- return PR_FALSE;
-}
-
-/*
- * Null compression, mac and encryption functions
- */
-
-static SECStatus
-Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
- const unsigned char *input, int inputLen)
-{
- *outputLen = inputLen;
- if (input != output)
- PORT_Memcpy(output, input, inputLen);
- return SECSuccess;
-}
-
-
-/*
- * SSL3 Utility functions
- */
-
-SECStatus
-ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
-{
- SSL3ProtocolVersion version;
- SSL3ProtocolVersion maxVersion;
-
- if (ss->enableTLS) {
- maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
- } else if (ss->enableSSL3) {
- maxVersion = SSL_LIBRARY_VERSION_3_0;
- } else {
- /* what are we doing here? */
- PORT_Assert(ss->enableSSL3 || ss->enableTLS);
- PORT_SetError(SSL_ERROR_SSL_DISABLED);
- return SECFailure;
- }
-
- ss->version = version = PR_MIN(maxVersion, peerVersion);
-
- if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->enableTLS) ||
- (version == SSL_LIBRARY_VERSION_3_0 && ss->enableSSL3)) {
- return SECSuccess;
- }
-
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- return SECFailure;
-
-}
-
-static SECStatus
-ssl3_GetNewRandom(SSL3Random *random)
-{
- PRIntervalTime gmt = PR_IntervalToSeconds(PR_IntervalNow());
- SECStatus rv;
-
- random->rand[0] = (unsigned char)(gmt >> 24);
- random->rand[1] = (unsigned char)(gmt >> 16);
- random->rand[2] = (unsigned char)(gmt >> 8);
- random->rand[3] = (unsigned char)(gmt);
-
- /* first 4 bytes are reserverd for time */
- rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
- }
- return rv;
-}
-
-static SECStatus
-ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
- PRBool isTLS)
-{
- SECStatus rv = SECFailure;
- PRBool doDerEncode = PR_FALSE;
- int signatureLen;
- SECItem hashItem;
-
- buf->data = NULL;
- signatureLen = PK11_SignatureLen(key);
- if (signatureLen <= 0) {
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- goto done;
- }
-
- buf->len = (unsigned)signatureLen;
- buf->data = (unsigned char *)PORT_Alloc(signatureLen + 1);
- if (!buf->data)
- goto done; /* error code was set. */
-
- switch (key->keyType) {
- case rsaKey:
- hashItem.data = hash->md5;
- hashItem.len = sizeof(SSL3Hashes);
- break;
- case dsaKey:
- case fortezzaKey:
- doDerEncode = isTLS;
- hashItem.data = hash->sha;
- hashItem.len = sizeof(hash->sha);
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- goto done;
- }
- PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
-
- rv = PK11_Sign(key, buf, &hashItem);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
- } else if (doDerEncode) {
- SECItem derSig = {siBuffer, NULL, 0};
-
- rv = DSAU_EncodeDerSig(&derSig, buf);
- if (rv == SECSuccess) {
- PORT_Free(buf->data); /* discard unencoded signature. */
- *buf = derSig; /* give caller encoded signature. */
- } else if (derSig.data) {
- PORT_Free(derSig.data);
- }
- }
-
- PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
-done:
- if (rv != SECSuccess && buf->data) {
- PORT_Free(buf->data);
- buf->data = NULL;
- }
- return rv;
-}
-
-
-static SECStatus
-ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
- SECItem *buf, PRBool isTLS, void *pwArg)
-{
- SECKEYPublicKey * key;
- SECItem * signature = NULL;
- SECStatus rv;
- SECItem hashItem;
-
-
- PRINT_BUF(60, (NULL, "check signed hashes",
- buf->data, buf->len));
-
- key = CERT_ExtractPublicKey(cert);
- if (key == NULL) {
- /* CERT_ExtractPublicKey doesn't set error code */
- PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- return SECFailure;
- }
-
- switch (key->keyType) {
- case rsaKey:
- hashItem.data = hash->md5;
- hashItem.len = sizeof(SSL3Hashes);
- break;
- case dsaKey:
- case fortezzaKey:
- hashItem.data = hash->sha;
- hashItem.len = sizeof(hash->sha);
- if (isTLS) {
- signature = DSAU_DecodeDerSig(buf);
- if (!signature) {
- PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
- return SECFailure;
- }
- buf = signature;
- }
- break;
- default:
- SECKEY_DestroyPublicKey(key);
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- return SECFailure;
- }
-
- PRINT_BUF(60, (NULL, "hash(es) to be verified",
- hashItem.data, hashItem.len));
-
- rv = PK11_Verify(key, buf, &hashItem, pwArg);
- SECKEY_DestroyPublicKey(key);
- if (signature) {
- SECITEM_FreeItem(signature, PR_TRUE);
- }
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
- }
- return rv;
-}
-
-
-/* Caller must set hiLevel error code. */
-static SECStatus
-ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent,
- SSL3Random *client_rand, SSL3Random *server_rand,
- SSL3Hashes *hashes)
-{
- PK11Context * md5 = NULL;
- PK11Context * sha = NULL;
- PRUint8 * hashBuf;
- PRUint8 * pBuf;
- SECStatus rv = SECSuccess;
- unsigned int outLen;
- unsigned int bufLen;
- PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
-
- bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
- if (bufLen <= sizeof buf) {
- hashBuf = buf;
- } else {
- hashBuf = PORT_Alloc(bufLen);
- if (!hashBuf) {
- return SECFailure;
- }
- }
-
- md5 = PK11_CreateDigestContext(SEC_OID_MD5);
- if (md5 == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- rv = SECFailure; /* Caller must set hiLevel error code. */
- goto done;
- }
- sha = PK11_CreateDigestContext(SEC_OID_SHA1);
- if (sha == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- rv = SECFailure; /* Caller must set hiLevel error code. */
- goto done;
- }
-
- memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
- pBuf = hashBuf + SSL3_RANDOM_LENGTH;
- memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
- pBuf += SSL3_RANDOM_LENGTH;
- pBuf[0] = (PRUint8)(modulus.len >> 8);
- pBuf[1] = (PRUint8)(modulus.len);
- pBuf += 2;
- memcpy(pBuf, modulus.data, modulus.len);
- pBuf += modulus.len;
- pBuf[0] = (PRUint8)(publicExponent.len >> 8);
- pBuf[1] = (PRUint8)(publicExponent.len);
- pBuf += 2;
- memcpy(pBuf, publicExponent.data, publicExponent.len);
- pBuf += publicExponent.len;
- PORT_Assert(pBuf - hashBuf == bufLen);
-
- rv = PK11_DigestBegin(md5);
- rv |= PK11_DigestOp(md5, hashBuf, bufLen);
- rv |= PK11_DigestFinal(md5, hashes->md5, &outLen, MD5_LENGTH);
- PORT_Assert(rv != SECSuccess || outLen == MD5_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- rv = SECFailure;
- goto done;
- }
-
- rv = PK11_DigestBegin(sha);
- rv |= PK11_DigestOp(sha, hashBuf, bufLen);
- rv |= PK11_DigestFinal(sha, hashes->sha, &outLen, SHA1_LENGTH);
- PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- rv = SECFailure;
- goto done;
- }
-
- PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
- PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH));
- PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
-
-done:
- if (md5 != NULL) PK11_DestroyContext(md5, PR_TRUE);
- if (sha != NULL) PK11_DestroyContext(sha, PR_TRUE);
- if (hashBuf != buf && hashBuf != NULL)
- PORT_Free(hashBuf);
- return rv;
-}
-
-/* Caller must set hiLevel error code. */
-static SECStatus
-ssl3_ComputeFortezzaPublicKeyHash(SECItem publicValue, unsigned char * hash)
-{
- PK11Context *sha = NULL;
- SECStatus rv = SECFailure;
- unsigned int outLen;
-
- sha = PK11_CreateDigestContext(SEC_OID_SHA1);
- if (sha == NULL) {
- return rv; /* Caller must set hiLevel error code. */
- }
-
- rv = PK11_DigestBegin(sha);
- rv |= PK11_DigestOp(sha, (unsigned char *)publicValue.data, publicValue.len);
- rv |= PK11_DigestFinal(sha, hash, &outLen, SHA1_LENGTH);
- PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH);
- if (rv != SECSuccess)
- rv = SECFailure;
- PK11_DestroyContext(sha, PR_TRUE);
-
- return rv;
-}
-
-
-static void
-ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
-{
- num->low++;
- if (num->low == 0)
- num->high++;
-}
-
-/* Called only from ssl3_DestroyCipherSpec (immediately below). */
-static void
-ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
-{
- if (mat->write_key != NULL) {
- PK11_FreeSymKey(mat->write_key);
- mat->write_key = NULL;
- }
- if (mat->write_mac_key != NULL) {
- PK11_FreeSymKey(mat->write_mac_key);
- mat->write_mac_key = NULL;
- }
- if (mat->write_mac_context != NULL) {
- PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
- mat->write_mac_context = NULL;
- }
-}
-
-/* Called from ssl3_SendChangeCipherSpecs() and ssl3_HandleChangeCipherSpecs()
-** Caller must hold SpecWriteLock.
-*/
-static void
-ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
-{
-
-/* PORT_Assert( ssl_HaveSpecWriteLock(ss)); Don't have ss! */
-
- if (spec->destroy) {
- spec->destroy(spec->encodeContext,PR_TRUE);
- spec->destroy(spec->decodeContext,PR_TRUE);
- spec->encodeContext = NULL; /* paranoia */
- spec->decodeContext = NULL;
- }
- if (spec->master_secret != NULL) {
- PK11_FreeSymKey(spec->master_secret);
- spec->master_secret = NULL;
- }
- ssl3_CleanupKeyMaterial(&spec->client);
- ssl3_CleanupKeyMaterial(&spec->server);
- spec->destroy=NULL;
-}
-
-/* Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
-** Caller must hold the ssl3 handshake lock.
-** Acquires & releases SpecWriteLock.
-*/
-static SECStatus
-ssl3_SetupPendingCipherSpec(sslSocket *ss, ssl3State *ssl3)
-{
- ssl3CipherSpec * pwSpec;
- ssl3CipherSuite suite = ssl3->hs.cipher_suite;
- sslSecurityInfo * sec = ss->sec;
- SSL3MACAlgorithm mac;
- SSL3BulkCipher cipher;
- SSL3KeyExchangeAlgorithm kea;
- const ssl3CipherSuiteDef *suite_def;
- PRBool isTLS;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- ssl_GetSpecWriteLock(ss); /*******************************/
-
- pwSpec = ssl3->pwSpec;
- PORT_Assert(pwSpec == ssl3->prSpec);
-
- pwSpec->version = ss->version;
- isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
- SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
- SSL_GETPID(), ss->fd, suite));
-
- suite_def = ssl_LookupCipherSuiteDef(suite);
- if (suite_def == NULL) {
- ssl_ReleaseSpecWriteLock(ss);
- return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */
- }
-
-
- cipher = suite_def->bulk_cipher_alg;
- kea = suite_def->key_exchange_alg;
- mac = suite_def->mac_alg;
- if (isTLS)
- mac += 2;
-
- ssl3->hs.suite_def = suite_def;
- ssl3->hs.kea_def = &kea_defs[kea];
- PORT_Assert(ssl3->hs.kea_def->kea == kea);
-
- pwSpec->cipher_def = &bulk_cipher_defs[cipher];
- PORT_Assert(pwSpec->cipher_def->cipher == cipher);
-
- pwSpec->mac_def = &mac_defs[mac];
- PORT_Assert(pwSpec->mac_def->mac == mac);
-
-
- sec->keyBits = pwSpec->cipher_def->key_size * BPB;
- sec->secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
- sec->cipherType = cipher;
-
- pwSpec->encodeContext = NULL;
- pwSpec->decodeContext = NULL;
-
- pwSpec->mac_size = pwSpec->mac_def->mac_size;
-
- ssl_ReleaseSpecWriteLock(ss); /*******************************/
- return SECSuccess;
-}
-
-/*
- * Called from: ssl3_SendClientKeyExchange (for Full handshake)
- * ssl3_HandleClientKeyExchange (for Full handshake)
- * ssl3_HandleServerHello (for session restart)
- * ssl3_HandleClientHello (for session restart)
- * Sets error code, but caller probably should override to disambiguate.
- * NULL pms means re-use old master_secret.
- */
-static SECStatus
-ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
-{
- ssl3CipherSpec * pwSpec;
- sslSecurityInfo * sec = ss->sec;
-const ssl3BulkCipherDef *cipher_def;
- PK11Context * serverContext = NULL;
- PK11Context * clientContext = NULL;
- SECItem * param;
- CK_ULONG macLength;
- SECStatus rv;
- CK_MECHANISM_TYPE mechanism;
- CK_MECHANISM_TYPE mac_mech;
- SECItem iv;
- SECItem mac_param;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- ssl_GetSpecWriteLock(ss); /**************************************/
-
- PORT_Assert(ss->ssl3->prSpec == ss->ssl3->pwSpec);
-
- pwSpec = ss->ssl3->pwSpec;
- cipher_def = pwSpec->cipher_def;
- macLength = pwSpec->mac_size;
-
- /* generate session keys from pms (if pms is not NULL) or ms */
- rv = ssl3_GenerateSessionKeys(ss, pms);
- if (rv != SECSuccess) {
- goto bail_out; /* err code set by ssl3_GenerateSessionKeys */
- }
-
- pwSpec->client.write_mac_context = NULL;
- pwSpec->server.write_mac_context = NULL;
-
- mac_param.data = (unsigned char *)&macLength;
- mac_param.len = sizeof(macLength);
- mac_mech = (CK_MECHANISM_TYPE) pwSpec->mac_def->malg;
-
- if (cipher_def->calg == calg_null) {
- pwSpec->encode = Null_Cipher;
- pwSpec->decode = Null_Cipher;
- pwSpec->destroy = NULL;
- pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
- mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
- if (pwSpec->client.write_mac_context == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
- goto fail;
- }
- pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
- mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
- if (pwSpec->server.write_mac_context == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
- goto fail;
- }
- goto success;
- }
-
- mechanism = (CK_MECHANISM_TYPE) cipher_def->calg;
-
- /*
- * build the server context
- */
- iv.data = pwSpec->server.write_iv;
- iv.len = cipher_def->iv_size;
- param = PK11_ParamFromIV(mechanism, &iv);
- if (param == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
- goto fail;
- }
- serverContext = PK11_CreateContextBySymKey(mechanism,
- (sec->isServer ? CKA_ENCRYPT : CKA_DECRYPT),
- pwSpec->server.write_key, param);
- iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
- if (iv.data)
- PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
- SECITEM_FreeItem(param, PR_TRUE);
- if (serverContext == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
- goto fail;
- }
-
- /*
- * build the client context
- */
- iv.data = pwSpec->client.write_iv;
- iv.len = cipher_def->iv_size;
- param = PK11_ParamFromIV(mechanism, &iv);
- if (param == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
- goto fail;
- }
- clientContext = PK11_CreateContextBySymKey(mechanism,
- (sec->isServer ? CKA_DECRYPT : CKA_ENCRYPT),
- pwSpec->client.write_key, param);
- iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
- if (iv.data)
- PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
- SECITEM_FreeItem(param,PR_TRUE);
- if (clientContext == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
- goto fail;
- }
-
- pwSpec->encodeContext = (sec->isServer) ? serverContext : clientContext;
- pwSpec->decodeContext = (sec->isServer) ? clientContext : serverContext;
- pwSpec->encode = (SSLCipher) PK11_CipherOp;
- pwSpec->decode = (SSLCipher) PK11_CipherOp;
- pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
-
- serverContext = NULL;
- clientContext = NULL;
-
- pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
- mac_mech,CKA_SIGN, pwSpec->client.write_mac_key,&mac_param);
- if (pwSpec->client.write_mac_context == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
- goto fail;
- }
- pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
- mac_mech, CKA_SIGN, pwSpec->server.write_mac_key,&mac_param);
- if (pwSpec->server.write_mac_context == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
- goto fail;
- }
-success:
- ssl_ReleaseSpecWriteLock(ss); /******************************/
- return SECSuccess;
-
-fail:
- if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
- if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
- if (pwSpec->client.write_mac_context != NULL) {
- PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
- pwSpec->client.write_mac_context = NULL;
- }
- if (pwSpec->server.write_mac_context != NULL) {
- PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
- pwSpec->server.write_mac_context = NULL;
- }
-bail_out:
- ssl_ReleaseSpecWriteLock(ss);
- return SECFailure;
-}
-
-/*
- * 60 bytes is 3 times the maximum length MAC size that is supported.
- */
-static const unsigned char mac_pad_1 [60] = {
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36
-};
-static const unsigned char mac_pad_2 [60] = {
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c
-};
-
-/* Called from: ssl3_SendRecord()
-** ssl3_HandleRecord()
-** Caller must already hold the SpecReadLock. (wish we could assert that!)
-*/
-static SECStatus
-ssl3_ComputeRecordMAC(
- ssl3CipherSpec * spec,
- PK11Context * mac_context,
- SSL3ContentType type,
- SSL3ProtocolVersion version,
- SSL3SequenceNumber seq_num,
- SSL3Opaque * input,
- int inputLength,
- unsigned char * outbuf,
- unsigned int * outLength)
-{
- const ssl3MACDef * mac_def;
- SECStatus rv;
- unsigned int tempLen;
- unsigned char temp[MAX_MAC_LENGTH];
-
-/* ssl_GetSpecReadLock(ss); Don't have "ss"! */
-
- mac_def = spec->mac_def;
- if (mac_def->malg == malg_null) {
- *outLength = 0;
-/* ssl_ReleaseSpecReadLock(ss); */
- return SECSuccess;
- }
-
- temp[0] = (unsigned char)(seq_num.high >> 24);
- temp[1] = (unsigned char)(seq_num.high >> 16);
- temp[2] = (unsigned char)(seq_num.high >> 8);
- temp[3] = (unsigned char)(seq_num.high >> 0);
- temp[4] = (unsigned char)(seq_num.low >> 24);
- temp[5] = (unsigned char)(seq_num.low >> 16);
- temp[6] = (unsigned char)(seq_num.low >> 8);
- temp[7] = (unsigned char)(seq_num.low >> 0);
- temp[8] = type;
-
- /* TLS MAC includes the record's version field, SSL's doesn't.
- ** We decide which MAC defintion to use based on the version of
- ** the protocol that was negotiated when the spec became current,
- ** NOT based on the version value in the record itself.
- ** But, we use the record'v version value in the computation.
- */
- if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
- temp[9] = MSB(inputLength);
- temp[10] = LSB(inputLength);
- tempLen = 11;
- } else {
- /* New TLS hash includes version. */
- temp[9] = MSB(version);
- temp[10] = LSB(version);
- temp[11] = MSB(inputLength);
- temp[12] = LSB(inputLength);
- tempLen = 13;
- }
-
- PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
- PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
-
- rv = PK11_DigestBegin(mac_context);
- rv |= PK11_DigestOp(mac_context, temp, tempLen);
- rv |= PK11_DigestOp(mac_context, input, inputLength);
-
- rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
- PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
-
-/* ssl_ReleaseSpecReadLock(ss); */
-
- PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
-
- if (rv != SECSuccess) {
- rv = SECFailure;
- ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
- }
- return rv;
-}
-
-/* Process the plain text before sending it.
- * Returns the number of bytes of plaintext that were succesfully sent
- * plus the number of bytes of plaintext that were copied into the
- * output (write) buffer.
- * Returns SECFailure on a hard IO error, memory error, or crypto error.
- * Does NOT return SECWouldBlock.
- */
-static PRInt32
-ssl3_SendRecord( sslSocket * ss,
- SSL3ContentType type,
- const SSL3Opaque * buf,
- PRInt32 bytes,
- PRInt32 flags)
-{
- ssl3CipherSpec * cwSpec;
- sslBuffer * write = &ss->sec->writeBuf;
- const ssl3BulkCipherDef * cipher_def;
- SECStatus rv;
- PRUint32 bufSize = 0;
- PRInt32 sent = 0;
- PRInt32 cipherBytes = -1;
- PRBool isBlocking = ssl_SocketIsBlocking(ss);
- PRBool ssl3WasNull = PR_FALSE;
-
- SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s bytes=%d",
- SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
- bytes));
- PRINT_BUF(3, (ss, "Send record (plain text)", buf, bytes));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- if (ss->ssl3 == NULL) {
- /* This can happen on a server if the very first incoming record
- ** looks like a defective ssl3 record (e.g. too long), and we're
- ** trying to send an alert.
- */
- ssl3WasNull = PR_TRUE;
- PR_ASSERT(type == content_alert);
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- return SECFailure; /* ssl3_InitState has set the error code. */
- }
- }
-
- while (bytes > 0) {
- PRInt32 count;
- PRUint32 contentLen;
- PRUint32 fragLen;
- PRUint32 macLen;
-
- contentLen = PR_MIN(bytes, MAX_FRAGMENT_LENGTH);
- if (write->space < contentLen + SSL3_BUFFER_FUDGE) {
- rv = sslBuffer_Grow(write, contentLen + SSL3_BUFFER_FUDGE);
- if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
- SSL_GETPID(), ss->fd, contentLen + SSL3_BUFFER_FUDGE));
- return SECFailure; /* sslBuffer_Grow set a memory error code. */
- }
- }
-
- /* This variable records
- * the actual size of the buffer we allocated above. Some
- * algorithms (FORTEZZA) will expand the number of bytes it needs to
- * send data. If we only supply the output buffer with the same number
- * of bytes as the input buffer, we will fail.
- */
- bufSize = contentLen + SSL3_BUFFER_FUDGE;
-
- /*
- * null compression is easy to do
- */
- PORT_Memcpy(write->buf + SSL3_RECORD_HEADER_LENGTH, buf, contentLen);
- buf += contentLen;
- bytes -= contentLen;
- PORT_Assert( bytes >= 0 );
-
- ssl_GetSpecReadLock(ss); /********************************/
-
- cwSpec = ss->ssl3->cwSpec;
- cipher_def = cwSpec->cipher_def;
- /*
- * Add the MAC
- */
- rv = ssl3_ComputeRecordMAC(
- cwSpec, (ss->sec->isServer) ? cwSpec->server.write_mac_context
- : cwSpec->client.write_mac_context,
- type, cwSpec->version, cwSpec->write_seq_num,
- write->buf + SSL3_RECORD_HEADER_LENGTH, contentLen,
- write->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
- goto spec_locked_loser;
- }
- fragLen = contentLen + macLen; /* needs to be encrypted */
- PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
-
- /*
- * Pad the text (if we're doing a block cipher)
- * then Encrypt it
- */
- if (cipher_def->type == type_block) {
- int padding_length;
- int i;
- unsigned char * pBuf;
-
- /* Assume blockSize is a power of two */
- padding_length = cipher_def->block_size - 1 -
- ((fragLen) & (cipher_def->block_size - 1));
- fragLen += padding_length + 1;
- PORT_Assert((fragLen % cipher_def->block_size) == 0);
-
- /* Pad according to TLS rules (also acceptable to SSL3). */
- pBuf = &write->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1];
- for (i = padding_length + 1; i > 0; --i) {
- *pBuf-- = padding_length;
- }
- }
- rv = cwSpec->encode(
- cwSpec->encodeContext, write->buf + SSL3_RECORD_HEADER_LENGTH,
- &cipherBytes, bufSize, write->buf + SSL3_RECORD_HEADER_LENGTH,
- fragLen);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_ENCRYPTION_FAILURE);
-spec_locked_loser:
- ssl_ReleaseSpecReadLock(ss);
- return SECFailure;
- }
- PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
-
- /*
- * XXX should we zero out our copy of the buffer after compressing
- * and encryption ??
- */
-
- ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
-
- ssl_ReleaseSpecReadLock(ss); /************************************/
-
- /* PORT_Assert(fragLen == cipherBytes); */
- write->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
- write->buf[0] = type;
- write->buf[1] = MSB(cwSpec->version);
- write->buf[2] = LSB(cwSpec->version);
- write->buf[3] = MSB(cipherBytes);
- write->buf[4] = LSB(cipherBytes);
-
- PRINT_BUF(50, (ss, "send (encrypted) record data:", write->buf, write->len));
-
- /* If there's still some previously saved ciphertext,
- * or the caller doesn't want us to send the data yet,
- * then add all our new ciphertext to the amount previously saved.
- */
- if ((ss->pendingBuf.len > 0) ||
- (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
-
- rv = ssl_SaveWriteData(ss, &ss->pendingBuf,
- write->buf, write->len);
- if (rv != SECSuccess) {
- /* presumably a memory error, SEC_ERROR_NO_MEMORY */
- return SECFailure;
- }
- write->len = 0; /* All cipher text is saved away. */
-
- if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
-
- count = ssl_SendSavedWriteData(ss, &ss->pendingBuf,
- &ssl_DefSend);
- if (count < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
- ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
- return SECFailure;
- }
- }
- } else if (write->len > 0) {
- count = ssl_DefSend(ss, write->buf, write->len,
- flags & ~ssl_SEND_FLAG_MASK);
- if (count < 0) {
- if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
- ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
- return (sent > 0) ? sent : SECFailure;
- }
- /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
- count = 0;
- }
- /* now take all the remaining unsent newly-generated ciphertext and
- * append it to the buffer of previously unsent ciphertext.
- */
- if ((unsigned)count < write->len) {
- rv = ssl_SaveWriteData(ss, &ss->pendingBuf,
- write->buf + (unsigned)count,
- write->len - (unsigned)count);
- if (rv != SECSuccess) {
- /* presumably a memory error, SEC_ERROR_NO_MEMORY */
- return SECFailure;
- }
- }
- write->len = 0;
- }
- sent += contentLen;
- if ((flags & ssl_SEND_FLAG_NO_BUFFER) &&
- (isBlocking || (ss->pendingBuf.len > 0))) {
- break;
- }
- }
- return sent;
-}
-
-/* Attempt to send the content of "in" in an SSL application_data record.
- * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess.
- */
-int
-ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
- PRInt32 len, PRInt32 flags)
-{
- PRInt32 sent = 0;
-
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- while (len > 0) {
- PRInt32 count;
-
- if (sent > 0) {
- ssl_ReleaseXmitBufLock(ss);
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */
- ssl_GetXmitBufLock(ss);
- }
- count = ssl3_SendRecord(ss, content_application_data, in, len,
- flags | ssl_SEND_FLAG_NO_BUFFER);
- if (count < 0) {
- return (sent > 0) ? sent : count;
- /* error code set by ssl3_SendRecord */
- }
- sent += count;
- len -= count;
- in += count;
- }
- return sent;
-}
-
-/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
- * This function returns SECSuccess or SECFailure, never SECWouldBlock.
- * It used to always set sendBuf.len to 0, even when returning SECFailure.
- * Now it does not.
- *
- * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
- * ssl3_AppendHandshake(), ssl3_SendClientHello(),
- * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
- * ssl3_SendFinished(),
- */
-static SECStatus
-ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
-{
- PRInt32 rv;
- sslConnectInfo *ci;
-
- PORT_Assert(ss->sec != NULL);
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- ci = &ss->sec->ci;
-
- if (!ci->sendBuf.buf || !ci->sendBuf.len)
- return SECSuccess;
-
- rv = ssl3_SendRecord(ss, content_handshake, ci->sendBuf.buf,
- ci->sendBuf.len, flags);
- if (rv < 0) {
- return (SECStatus)rv; /* error code set by ssl3_SendRecord */
- }
- ci->sendBuf.len = 0;
- return SECSuccess;
-}
-
-/*
- * Called from ssl3_HandleAlert and from ssl3_HandleCertificates when
- * the remote client sends a negative response to our certificate request.
- * Returns SECFailure if the application has required client auth.
- * SECSuccess otherwise.
- */
-static SECStatus
-ssl3_HandleNoCertificate(sslSocket *ss)
-{
- if (ss->sec->peerCert != NULL) {
- if (ss->sec->peerKey != NULL) {
- SECKEY_DestroyPublicKey(ss->sec->peerKey);
- ss->sec->peerKey = NULL;
- }
- CERT_DestroyCertificate(ss->sec->peerCert);
- ss->sec->peerCert = NULL;
- }
-
- /* If the server has required client-auth blindly but doesn't
- * actually look at the certificate it won't know that no
- * certificate was presented so we shutdown the socket to ensure
- * an error. We only do this if we aren't connected because
- * if we're redoing the handshake we know the server is paying
- * attention to the certificate.
- */
- if ((ss->requireCertificate == 1) ||
- (!ss->connected && (ss->requireCertificate > 1))) {
- PRFileDesc * lower;
-
- ss->sec->uncache(ss->sec->ci.sid);
- SSL3_SendAlert(ss, alert_fatal, bad_certificate);
-
- lower = ss->fd->lower;
- lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
- PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/************************************************************************
- * Alerts
- */
-
-/*
-** Acquires both handshake and XmitBuf locks.
-** Called from: ssl3_IllegalParameter <-
-** ssl3_HandshakeFailure <-
-** ssl3_HandleAlert <- ssl3_HandleRecord.
-** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
-** ssl3_ConsumeHandshakeVariable <-
-** ssl3_HandleHelloRequest <-
-** ssl3_HandleServerHello <-
-** ssl3_HandleServerKeyExchange <-
-** ssl3_HandleCertificateRequest <-
-** ssl3_HandleServerHelloDone <-
-** ssl3_HandleClientHello <-
-** ssl3_HandleV2ClientHello <-
-** ssl3_HandleCertificateVerify <-
-** ssl3_HandleFortezzaClientKeyExchange <-
-** ssl3_HandleClientKeyExchange <-
-** ssl3_HandleCertificate <-
-** ssl3_HandleFinished <-
-** ssl3_HandleHandshakeMessage <-
-** ssl3_HandleRecord <-
-**
-*/
-SECStatus
-SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
-{
- uint8 bytes[2];
- SECStatus rv;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
- SSL_GETPID(), ss->fd, level, desc));
-
- bytes[0] = level;
- bytes[1] = desc;
-
- ssl_GetSSL3HandshakeLock(ss);
- if (level == alert_fatal) {
- if (ss->sec->ci.sid) {
- ss->sec->uncache(ss->sec->ci.sid);
- }
- }
- ssl_GetXmitBufLock(ss);
- rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
- if (rv == SECSuccess) {
- PRInt32 sent;
- sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 0);
- rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
- }
- ssl_ReleaseXmitBufLock(ss);
- ssl_ReleaseSSL3HandshakeLock(ss);
- return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
-}
-
-/*
- * Send illegal_parameter alert. Set generic error number.
- */
-static SECStatus
-ssl3_IllegalParameter(sslSocket *ss)
-{
- PRBool isTLS;
-
- isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
- (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
- PORT_SetError(ss->sec->isServer ? SSL_ERROR_BAD_CLIENT
- : SSL_ERROR_BAD_SERVER );
- return SECFailure;
-}
-
-/*
- * Send handshake_Failure alert. Set generic error number.
- */
-static SECStatus
-ssl3_HandshakeFailure(sslSocket *ss)
-{
- (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
- PORT_SetError( ss->sec->isServer ? SSL_ERROR_BAD_CLIENT
- : SSL_ERROR_BAD_SERVER );
- return SECFailure;
-}
-
-/*
- * Send handshake_Failure alert. Set generic error number.
- */
-static SECStatus
-ssl3_DecodeError(sslSocket *ss)
-{
- (void)SSL3_SendAlert(ss, alert_fatal,
- ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
- : illegal_parameter);
- PORT_SetError( ss->sec->isServer ? SSL_ERROR_BAD_CLIENT
- : SSL_ERROR_BAD_SERVER );
- return SECFailure;
-}
-
-/* Called from ssl3_HandleRecord.
-** Caller must hold both RecvBuf and Handshake locks.
-*/
-static SECStatus
-ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
-{
- SSL3AlertLevel level;
- SSL3AlertDescription desc;
- int error;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
-
- if (buf->len != 2) {
- (void)ssl3_DecodeError(ss);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
- return SECFailure;
- }
- level = (SSL3AlertLevel)buf->buf[0];
- desc = (SSL3AlertDescription)buf->buf[1];
- buf->len = 0;
- SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
- SSL_GETPID(), ss->fd, level, desc));
-
- switch (desc) {
- case close_notify: ss->recvdCloseNotify = 1;
- error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break;
- case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
- break;
- case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break;
- case decryption_failed: error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
- break;
- case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break;
- case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
- break;
- case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
- break;
- case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break;
- case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break;
- case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
- case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break;
- case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break;
- case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
- break;
- case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
-
- /* All alerts below are TLS only. */
- case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
- case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break;
- case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break;
- case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break;
- case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
- break;
- case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
- case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
- break;
- case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break;
- case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break;
- case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
- default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break;
- }
- if (level == alert_fatal) {
- ss->sec->uncache(ss->sec->ci.sid);
- if ((ss->ssl3->hs.ws == wait_server_hello) &&
- (desc == handshake_failure)) {
- /* XXX This is a hack. We're assuming that any handshake failure
- * XXX on the client hello is a failure to match ciphers.
- */
- error = SSL_ERROR_NO_CYPHER_OVERLAP;
- }
- PORT_SetError(error);
- return SECFailure;
- }
- if ((desc == no_certificate) && (ss->ssl3->hs.ws == wait_client_cert)) {
- /* I'm a server. I've requested a client cert. He hasn't got one. */
- SECStatus rv;
-
- PORT_Assert(ss->sec->isServer);
- ss->ssl3->hs.ws = wait_client_key;
- rv = ssl3_HandleNoCertificate(ss);
- return rv;
- }
- return SECSuccess;
-}
-
-/*
- * Change Cipher Specs
- * Called from ssl3_HandleServerHelloDone,
- * ssl3_HandleClientHello,
- * and ssl3_HandleFinished
- *
- * Acquires and releases spec write lock, to protect switching the current
- * and pending write spec pointers.
- */
-
-static SECStatus
-ssl3_SendChangeCipherSpecs(sslSocket *ss)
-{
- uint8 change = change_cipher_spec_choice;
- ssl3State * ssl3 = ss->ssl3;
- ssl3CipherSpec * pwSpec;
- SECStatus rv;
- PRInt32 sent;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
- if (rv != SECSuccess) {
- return rv; /* error code set by ssl3_FlushHandshake */
- }
- sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
- ssl_SEND_FLAG_FORCE_INTO_BUFFER);
- if (sent < 0) {
- return (SECStatus)sent; /* error code set by ssl3_SendRecord */
- }
-
- /* swap the pending and current write specs. */
- ssl_GetSpecWriteLock(ss); /**************************************/
- pwSpec = ss->ssl3->pwSpec;
- pwSpec->write_seq_num.high = 0;
- pwSpec->write_seq_num.low = 0;
-
- ssl3->pwSpec = ssl3->cwSpec;
- ssl3->cwSpec = pwSpec;
-
- SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
- SSL_GETPID(), ss->fd ));
-
- /* We need to free up the contexts, keys and certs ! */
- /* If we are really through with the old cipher spec
- * (Both the read and write sides have changed) destroy it.
- */
- if (ss->ssl3->prSpec == ss->ssl3->pwSpec) {
- ssl3_DestroyCipherSpec(ss->ssl3->pwSpec);
- }
- ssl_ReleaseSpecWriteLock(ss); /**************************************/
-
- return SECSuccess;
-}
-
-/* Called from ssl3_HandleRecord.
-** Caller must hold both RecvBuf and Handshake locks.
- *
- * Acquires and releases spec write lock, to protect switching the current
- * and pending write spec pointers.
-*/
-static SECStatus
-ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
-{
- ssl3CipherSpec * prSpec;
- SSL3WaitState ws = ss->ssl3->hs.ws;
- SSL3ChangeCipherSpecChoice change;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
- SSL_GETPID(), ss->fd));
-
- if (ws != wait_change_cipher && ws != wait_cert_verify) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
- return SECFailure;
- }
-
- if(buf->len != 1) {
- (void)ssl3_DecodeError(ss);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
- return SECFailure;
- }
- change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
- if (change != change_cipher_spec_choice) {
- /* illegal_parameter is correct here for both SSL3 and TLS. */
- (void)ssl3_IllegalParameter(ss);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
- return SECFailure;
- }
- buf->len = 0;
-
- /* Swap the pending and current read specs. */
- ssl_GetSpecWriteLock(ss); /*************************************/
- prSpec = ss->ssl3->prSpec;
- prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
-
- ss->ssl3->prSpec = ss->ssl3->crSpec;
- ss->ssl3->crSpec = prSpec;
- ss->ssl3->hs.ws = wait_finished;
-
- SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
- SSL_GETPID(), ss->fd ));
-
- /* If we are really through with the old cipher prSpec
- * (Both the read and write sides have changed) destroy it.
- */
- if (ss->ssl3->prSpec == ss->ssl3->pwSpec) {
- ssl3_DestroyCipherSpec(ss->ssl3->prSpec);
- }
- ssl_ReleaseSpecWriteLock(ss); /*************************************/
- return SECSuccess;
-}
-
-/*
- * Key generation given pre master secret, or master secret (if !pms).
- * Sets a useful error code when returning SECFailure.
- *
- * Called only from ssl3_InitPendingCipherSpec(),
- *
- * which in turn is called from
- * ssl3_SendClientKeyExchange (for Full handshake)
- * ssl3_HandleClientKeyExchange (for Full handshake)
- * ssl3_HandleServerHello (for session restart)
- * ssl3_HandleClientHello (for session restart)
- * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
- * ssl3_InitPendingCipherSpec does that.
- */
-static SECStatus
-ssl3_GenerateSessionKeys(sslSocket *ss, const PK11SymKey *pms)
-{
- ssl3CipherSpec * pwSpec = ss->ssl3->pwSpec;
- const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
- const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
- unsigned char * cr = (unsigned char *)&ss->ssl3->hs.client_random;
- unsigned char * sr = (unsigned char *)&ss->ssl3->hs.server_random;
- PK11SymKey * symKey = NULL;
- PK11SlotInfo * slot = NULL;
- void * pwArg = ss->pkcs11PinArg;
- PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
- (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
- PRBool skipKeysAndIVs = (PRBool)
- ((cipher_def->calg == calg_fortezza) ||
- (cipher_def->calg == calg_null));
- CK_MECHANISM_TYPE master_derive;
- CK_MECHANISM_TYPE key_derive;
- CK_MECHANISM_TYPE bulk_mechanism;
- SECItem params;
- int keySize;
- CK_FLAGS keyFlags;
- CK_VERSION pms_version;
- CK_SSL3_KEY_MAT_PARAMS key_material_params;
- CK_SSL3_KEY_MAT_OUT returnedKeys;
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
- PORT_Assert( ssl_HaveSpecWriteLock(ss));
- PORT_Assert(ss->ssl3->prSpec == ss->ssl3->pwSpec);
-
- if (isTLS) {
- master_derive = CKM_TLS_MASTER_KEY_DERIVE;
- key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
- keyFlags = CKF_SIGN | CKF_VERIFY;
- } else {
- master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
- key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
- keyFlags = 0;
- }
-
- if (pms || !pwSpec->master_secret) {
- master_params.pVersion = &pms_version;
- master_params.RandomInfo.pClientRandom = cr;
- master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
- master_params.RandomInfo.pServerRandom = sr;
- master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
-
- params.data = (unsigned char *) &master_params;
- params.len = sizeof master_params;
- }
-
- if (pms != NULL) {
- pwSpec->master_secret = PK11_DeriveWithFlags((PK11SymKey *)pms,
- master_derive, &params, key_derive,
- CKA_DERIVE, 0, keyFlags);
- if (pwSpec->master_secret != NULL && ss->detectRollBack) {
- SSL3ProtocolVersion client_version;
- client_version = pms_version.major << 8 | pms_version.minor;
- if (client_version != ss->clientHelloVersion) {
- /* Destroy it. Version roll-back detected. */
- PK11_FreeSymKey(pwSpec->master_secret);
- pwSpec->master_secret = NULL;
- }
- }
- if (pwSpec->master_secret == NULL) {
- /* Generate a faux master secret in the same slot as the old one. */
- PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
- PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
-
- PK11_FreeSlot(slot);
- if (fpms != NULL) {
- pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
- master_derive, &params, key_derive,
- CKA_DERIVE, 0, keyFlags);
- PK11_FreeSymKey(fpms);
- }
- }
- }
- if (pwSpec->master_secret == NULL) {
- /* Generate a faux master secret from the internal slot. */
- PK11SlotInfo * slot = PK11_GetInternalSlot();
- PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
-
- PK11_FreeSlot(slot);
- if (fpms != NULL) {
- pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
- master_derive, &params, key_derive,
- CKA_DERIVE, 0, keyFlags);
- if (pwSpec->master_secret == NULL) {
- pwSpec->master_secret = fpms; /* use the fpms as the master. */
- fpms = NULL;
- }
- }
- if (fpms) {
- PK11_FreeSymKey(fpms);
- }
- }
- if (pwSpec->master_secret == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
- return SECFailure;
- }
-
- /*
- * generate the key material
- */
- key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
- key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
- key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
-
- key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
- /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
-
- key_material_params.RandomInfo.pClientRandom = cr;
- key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
- key_material_params.RandomInfo.pServerRandom = sr;
- key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
- key_material_params.pReturnedKeyMaterial = &returnedKeys;
-
- returnedKeys.pIVClient = pwSpec->client.write_iv;
- returnedKeys.pIVServer = pwSpec->server.write_iv;
- keySize = cipher_def->key_size;
-
- if (skipKeysAndIVs) {
- keySize = 0;
- key_material_params.ulKeySizeInBits = 0;
- key_material_params.ulIVSizeInBits = 0;
- returnedKeys.pIVClient = NULL;
- returnedKeys.pIVServer = NULL;
- }
- bulk_mechanism = (CK_MECHANISM_TYPE) cipher_def->calg;
- params.data = (unsigned char *)&key_material_params;
- params.len = sizeof(key_material_params);
-
- /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
- * DERIVE by DEFAULT */
- symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
- bulk_mechanism, CKA_ENCRYPT, keySize);
- if (!symKey) {
- ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
- return SECFailure;
- }
- /* we really should use the actual mac'ing mechanism here, but we
- * don't because these types are used to map keytype anyway and both
- * mac's map to the same keytype.
- */
- slot = PK11_GetSlotFromKey(symKey);
-
- PK11_FreeSlot(slot); /* slot is held until the key is freed */
- pwSpec->client.write_mac_key =
- PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
- CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
- if (pwSpec->client.write_mac_key == NULL ) {
- goto loser; /* loser sets err */
- }
- pwSpec->server.write_mac_key =
- PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
- CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
- if (pwSpec->server.write_mac_key == NULL ) {
- goto loser; /* loser sets err */
- }
- if (!skipKeysAndIVs) {
- pwSpec->client.write_key =
- PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
- bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
- if (pwSpec->client.write_key == NULL ) {
- goto loser; /* loser sets err */
- }
- pwSpec->server.write_key =
- PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
- bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
- if (pwSpec->server.write_key == NULL ) {
- goto loser; /* loser sets err */
- }
- }
- PK11_FreeSymKey(symKey);
- return SECSuccess;
-
-
-loser:
- if (symKey) PK11_FreeSymKey(symKey);
- ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
- return SECFailure;
-}
-
-/*
- * Handshake messages
- */
-/* Called from ssl3_AppendHandshake()
-** ssl3_StartHandshakeHash()
-** ssl3_HandleV2ClientHello()
-** ssl3_HandleHandshakeMessage()
-** Caller must hold the ssl3Handshake lock.
-*/
-static SECStatus
-ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
-{
- ssl3State *ssl3 = ss->ssl3;
- SECStatus rv;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
-
- rv = PK11_DigestOp(ssl3->hs.md5, b, l);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- return rv;
- }
- rv = PK11_DigestOp(ssl3->hs.sha, b, l);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- return rv;
- }
- return rv;
-}
-
-/**************************************************************************
- * Append Handshake functions.
- * All these functions set appropriate error codes.
- * Most rely on ssl3_AppendHandshake to set the error code.
- **************************************************************************/
-static SECStatus
-ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
-{
- sslConnectInfo * ci = &ss->sec->ci;
- unsigned char * src = (unsigned char *)void_src;
- int room = ci->sendBuf.space - ci->sendBuf.len;
- SECStatus rv;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
-
- if (ci->sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
- rv = sslBuffer_Grow(&ci->sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
- PR_MIN(MAX_SEND_BUF_LENGTH,
- ci->sendBuf.len + bytes)));
- if (rv != SECSuccess)
- return rv; /* sslBuffer_Grow has set a memory error code. */
- room = ci->sendBuf.space - ci->sendBuf.len;
- }
-
- PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
- rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
- if (rv != SECSuccess)
- return rv; /* error code set by ssl3_UpdateHandshakeHashes */
-
- while (bytes > room) {
- if (room > 0)
- PORT_Memcpy(ci->sendBuf.buf + ci->sendBuf.len, src, room);
- ci->sendBuf.len += room;
- rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
- if (rv != SECSuccess) {
- return rv; /* error code set by ssl3_FlushHandshake */
- }
- bytes -= room;
- src += room;
- room = ci->sendBuf.space;
- PORT_Assert(ci->sendBuf.len == 0);
- }
- PORT_Memcpy(ci->sendBuf.buf + ci->sendBuf.len, src, bytes);
- ci->sendBuf.len += bytes;
- return SECSuccess;
-}
-
-static SECStatus
-ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
-{
- SECStatus rv;
- uint8 b[4];
- uint8 * p = b;
-
- switch (lenSize) {
- case 4:
- *p++ = (num >> 24) & 0xff;
- case 3:
- *p++ = (num >> 16) & 0xff;
- case 2:
- *p++ = (num >> 8) & 0xff;
- case 1:
- *p = num & 0xff;
- }
- SSL_TRC(60, ("%d: number:", SSL_GETPID()));
- rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
- return rv; /* error code set by AppendHandshake, if applicable. */
-}
-
-static SECStatus
-ssl3_AppendHandshakeVariable(
- sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
-{
- SECStatus rv;
-
- PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
- (bytes < (1L<<16) && lenSize == 2) ||
- (bytes < (1L<<24) && lenSize == 3));
-
- SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
- rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
- if (rv != SECSuccess) {
- return rv; /* error code set by AppendHandshake, if applicable. */
- }
- SSL_TRC(60, ("data:"));
- rv = ssl3_AppendHandshake(ss, src, bytes);
- return rv; /* error code set by AppendHandshake, if applicable. */
-}
-
-static SECStatus
-ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
-{
- SECStatus rv;
-
- SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
- SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
- PRINT_BUF(60, (ss, "MD5 handshake hash:",
- (unsigned char*)ss->ssl3->hs.md5, MD5_LENGTH));
- PRINT_BUF(95, (ss, "SHA handshake hash:",
- (unsigned char*)ss->ssl3->hs.sha, SHA1_LENGTH));
-
- rv = ssl3_AppendHandshakeNumber(ss, t, 1);
- if (rv != SECSuccess) {
- return rv; /* error code set by AppendHandshake, if applicable. */
- }
- rv = ssl3_AppendHandshakeNumber(ss, length, 3);
- return rv; /* error code set by AppendHandshake, if applicable. */
-}
-
-/**************************************************************************
- * Consume Handshake functions.
- *
- * All data used in these functions is protected by two locks,
- * the RecvBufLock and the SSL3HandshakeLock
- **************************************************************************/
-
-/* Read up the next "bytes" number of bytes from the (decrypted) input
- * stream "b" (which is *length bytes long). Copy them into buffer "v".
- * Reduces *length by bytes. Advances *b by bytes.
- *
- * If this function returns SECFailure, it has already sent an alert,
- * and has set a generic error code. The caller should probably
- * override the generic error code by setting another.
- */
-static SECStatus
-ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
- PRUint32 *length)
-{
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (bytes > *length) {
- return ssl3_DecodeError(ss);
- }
- PORT_Memcpy(v, *b, bytes);
- PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
- *b += bytes;
- *length -= bytes;
- return SECSuccess;
-}
-
-/* Read up the next "bytes" number of bytes from the (decrypted) input
- * stream "b" (which is *length bytes long), and interpret them as an
- * integer in network byte order. Returns the received value.
- * Reduces *length by bytes. Advances *b by bytes.
- *
- * Returns SECFailure (-1) on failure.
- * This value is indistinguishable from the equivalent received value.
- * Only positive numbers are to be received this way.
- * Thus, the largest value that may be sent this way is 0x7fffffff.
- * On error, an alert has been sent, and a generic error code has been set.
- */
-static PRInt32
-ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
- PRUint32 *length)
-{
- PRInt32 num = 0;
- int i;
- SECStatus status;
- uint8 buf[4];
-
- status = ssl3_ConsumeHandshake(ss, buf, bytes, b, length);
- if (status != SECSuccess) {
- /* ssl3_DecodeError has already been called */
- return SECFailure;
- }
- for (i = 0; i < bytes; i++)
- num = (num << 8) + buf[i];
- return num;
-}
-
-/* Read in two values from the incoming decrypted byte stream "b", which is
- * *length bytes long. The first value is a number whose size is "bytes"
- * bytes long. The second value is a byte-string whose size is the value
- * of the first number received. The latter byte-string, and its length,
- * is returned in the SECItem i.
- *
- * Returns SECFailure (-1) on failure.
- * On error, an alert has been sent, and a generic error code has been set.
- */
-static SECStatus
-ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
- SSL3Opaque **b, PRUint32 *length)
-{
- PRInt32 count;
- SECStatus rv;
-
- PORT_Assert(bytes <= 3);
- i->len = 0;
- i->data = NULL;
- count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
- if (count < 0) { /* Can't test for SECSuccess here. */
- return SECFailure;
- }
- if (count > 0) {
- i->data = (unsigned char*)PORT_Alloc(count);
- if (i->data == NULL) {
- /* XXX inconsistent. In other places, we don't send alerts for
- * our own memory failures. But here we do... */
- (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- i->len = count;
- rv = ssl3_ConsumeHandshake(ss, i->data, i->len, b, length);
- if (rv != SECSuccess) {
- PORT_Free(i->data);
- i->data = NULL;
- return rv; /* alert has already been sent. */
- }
- }
- return SECSuccess;
-}
-
-/**************************************************************************
- * end of Consume Handshake functions.
- **************************************************************************/
-
-/* Extract the hashes of handshake messages to this point.
- * Called from ssl3_SendCertificateVerify
- * ssl3_SendFinished
- * ssl3_HandleHandshakeMessage
- *
- * Caller must hold the SSL3HandshakeLock.
- * Caller must hold a read or write lock on the Spec R/W lock.
- * (There is presently no way to assert on a Read lock.)
- */
-static SECStatus
-ssl3_ComputeHandshakeHashes(sslSocket * ss,
- ssl3CipherSpec *spec, /* uses ->master_secret */
- SSL3Hashes * hashes, /* output goes here. */
- uint32 sender)
-{
- ssl3State * ssl3 = ss->ssl3;
- PK11Context * md5;
- PK11Context * sha = NULL;
- SECStatus rv = SECSuccess;
- unsigned int outLength;
- PRBool isTLS;
- SSL3Opaque md5_inner[MAX_MAC_LENGTH];
- SSL3Opaque sha_inner[MAX_MAC_LENGTH];
- unsigned char s[4];
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
-
- md5 = PK11_CloneContext(ssl3->hs.md5);
- if (md5 == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- return SECFailure;
- }
-
- sha = PK11_CloneContext(ssl3->hs.sha);
- if (sha == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- goto loser;
- }
-
- if (!isTLS) {
- /* compute hashes for SSL3. */
-
- s[0] = (unsigned char)(sender >> 24);
- s[1] = (unsigned char)(sender >> 16);
- s[2] = (unsigned char)(sender >> 8);
- s[3] = (unsigned char)sender;
-
- if (sender != 0) {
- rv |= PK11_DigestOp(md5, s, 4);
- PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
- }
-
- PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, mac_defs[mac_md5].pad_size));
-
- rv |= PK11_DigestKey(md5,spec->master_secret);
- rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
- rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
- PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- rv = SECFailure;
- goto loser;
- }
-
- PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
-
- if (sender != 0) {
- rv |= PK11_DigestOp(sha, s, 4);
- PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
- }
-
- PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, mac_defs[mac_sha].pad_size));
-
-
- rv |= PK11_DigestKey(sha, spec->master_secret);
- rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
- rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
- PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- rv = SECFailure;
- goto loser;
- }
-
- PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
-
- PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, mac_defs[mac_md5].pad_size));
- PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
-
- rv |= PK11_DigestBegin(md5);
- rv |= PK11_DigestKey(md5, spec->master_secret);
- rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
- rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
- }
- rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH);
- PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- rv = SECFailure;
- goto loser;
- }
-
- PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
-
- if (!isTLS) {
- PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, mac_defs[mac_sha].pad_size));
- PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
-
- rv |= PK11_DigestBegin(sha);
- rv |= PK11_DigestKey(sha,spec->master_secret);
- rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
- rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
- }
- rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH);
- PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- rv = SECFailure;
- goto loser;
- }
-
- PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
-
- rv = SECSuccess;
-
-loser:
- if (md5) PK11_DestroyContext(md5, PR_TRUE);
- if (sha) PK11_DestroyContext(sha, PR_TRUE);
-
- return rv;
-}
-
-/*
- * SSL 2 based implementations pass in the initial outbound buffer
- * so that the handshake hash can contain the included information.
- *
- * Called from ssl2_BeginClientHandshake() in sslcon.c
- */
-SECStatus
-ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
-{
- SECStatus rv;
-
- ssl_GetSSL3HandshakeLock(ss); /**************************************/
-
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- goto done; /* ssl3_InitState has set the error code. */
- }
-
- PORT_Memset(&ss->ssl3->hs.client_random, 0, SSL3_RANDOM_LENGTH);
- PORT_Memcpy(
- &ss->ssl3->hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
- &ss->sec->ci.clientChallenge,
- SSL_CHALLENGE_BYTES);
-
- rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
- /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
-
-done:
- ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/
- return rv;
-}
-
-/**************************************************************************
- * end of Handshake Hash functions.
- * Begin Send and Handle functions for handshakes.
- **************************************************************************/
-
-/* Called from ssl3_HandleHelloRequest(),
- * ssl3_HandleFinished() (for step-up)
- * ssl3_RedoHandshake()
- * ssl2_BeginClientHandshake (when resuming ssl3 session)
- */
-SECStatus
-ssl3_SendClientHello(sslSocket *ss)
-{
- sslSecurityInfo *sec = ss->sec;
- sslSessionID * sid;
- SECStatus rv;
- int i;
- int length;
- int num_suites;
- int actual_count = 0;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
- ss->fd));
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- return rv; /* ssl3_InitState has set the error code. */
- }
-
- SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
- SSL_GETPID(), ss->fd ));
- rv = PK11_DigestBegin(ss->ssl3->hs.md5);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- return rv;
- }
- rv = PK11_DigestBegin(ss->ssl3->hs.sha);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- return rv;
- }
-
- PORT_Assert(sec);
-
- /* We ignore ss->sec->ci.sid here, and use ssl_Lookup because Lookup
- * handles expired entries and other details.
- * XXX If we've been called from ssl2_BeginClientHandshake, then
- * this lookup is duplicative and wasteful.
- */
- sid = (ss->noCache) ? NULL
- : ssl_LookupSID(sec->ci.peer, sec->ci.port, ss->peerID, ss->url);
-
- /* We can't resume based on a different token. If the sid exists,
- * make sure the token that holds the master secret still exists ...
- * If we previously did client-auth, make sure that the token that holds
- * the private key still exists, is logged in, hasn't been removed, etc.
- * Also for fortezza, make sure that the card that holds the session keys
- * exist as well... */
- if (sid) {
- PK11SlotInfo *slot;
- PRBool sidOK = PR_TRUE;
- slot = (!sid->u.ssl3.masterValid) ? NULL :
- SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
- sid->u.ssl3.masterSlotID);
- if (slot == NULL) {
- sidOK = PR_FALSE;
- } else {
- PK11SymKey *wrapKey = NULL;
- if (!PK11_IsPresent(slot) ||
- ((wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
- sid->u.ssl3.masterWrapMech,
- sid->u.ssl3.masterWrapSeries,
- ss->pkcs11PinArg)) == NULL) ) {
- sidOK = PR_FALSE;
- }
- if (wrapKey) PK11_FreeSymKey(wrapKey);
- PK11_FreeSlot(slot);
- slot = NULL;
- }
- /* do sid-has-FORTEZZA-slot check */
- if (sid->u.ssl3.hasFortezza) {
- /* do has fortezza check */
- if (!PK11_VerifyKeyOK(sid->u.ssl3.tek))
- sidOK = PR_FALSE;
- }
-
- /* If we previously did client-auth, make sure that the token that
- ** holds the private key still exists, is logged in, hasn't been
- ** removed, etc.
- */
- if (sidOK && sid->u.ssl3.clAuthValid) {
- slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
- sid->u.ssl3.clAuthSlotID);
- if (slot == NULL ||
- !PK11_IsPresent(slot) ||
- sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) ||
- sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) ||
- sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ) {
- sidOK = PR_FALSE;
- }
- if (slot) {
- PK11_FreeSlot(slot);
- slot = NULL;
- }
- }
-
- if (!sidOK) {
- ++ssl3_sch_sid_cache_not_ok;
- (*ss->sec->uncache)(sid);
- ssl_FreeSID(sid);
- sid = NULL;
- }
- }
-
- if (sid) {
- ++ssl3_sch_sid_cache_hits;
-
- rv = ssl3_NegotiateVersion(ss, sid->version);
- if (rv != SECSuccess)
- return rv; /* error code was set */
-
- PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
- sid->u.ssl3.sessionIDLength));
- ss->ssl3->policy = sid->u.ssl3.policy;
- } else {
- ++ssl3_sch_sid_cache_misses;
-
- rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
- if (rv != SECSuccess)
- return rv; /* error code was set */
-
- sid = ssl3_NewSessionID(ss, PR_FALSE);
- if (!sid) {
- return SECFailure; /* memory error is set */
- }
- }
-
- if (sec->ci.sid != NULL) {
- ssl_FreeSID(sec->ci.sid); /* decrement ref count, free if zero */
- }
- sec->ci.sid = sid;
-
- sec->send = ssl3_SendApplicationData;
-
- /* shouldn't get here if SSL3 is disabled, but ... */
- PORT_Assert(ss->enableSSL3 || ss->enableTLS);
- if (!ss->enableSSL3 && !ss->enableTLS) {
- PORT_SetError(SSL_ERROR_SSL_DISABLED);
- return SECFailure;
- }
-
- /* how many suites does our PKCS11 support (regardless of policy)? */
- num_suites = ssl3_config_match_init(ss);
- if (!num_suites)
- return SECFailure; /* ssl3_config_match_init has set error code. */
-
- /* how many suites are permitted by policy and user preference? */
- num_suites = count_cipher_suites(ss, ss->ssl3->policy, PR_TRUE);
- if (!num_suites)
- return SECFailure; /* count_cipher_suites has set error code. */
-
- length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
- 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
- 2 + num_suites*sizeof(ssl3CipherSuite) +
- 1 + compressionMethodsCount;
-
- rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
-
- ss->clientHelloVersion = ss->version;
- rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
- rv = ssl3_GetNewRandom(&ss->ssl3->hs.client_random);
- if (rv != SECSuccess) {
- return rv; /* err set by GetNewRandom. */
- }
- rv = ssl3_AppendHandshake(ss, &ss->ssl3->hs.client_random,
- SSL3_RANDOM_LENGTH);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
-
- if (sid)
- rv = ssl3_AppendHandshakeVariable(
- ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
- else
- rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
-
- rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
-
-
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if (config_match(suite, ss->ssl3->policy, PR_TRUE)) {
- actual_count++;
- if (actual_count > num_suites) {
- /* set error card removal/insertion error */
- PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
- return SECFailure;
- }
- rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
- sizeof(ssl3CipherSuite));
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
- }
- }
-
- /* if cards were removed or inserted between count_cipher_suites and
- * generating our list, detect the error here rather than send it off to
- * the server.. */
- if (actual_count != num_suites) {
- /* Card removal/insertion error */
- PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
- return SECFailure;
- }
-
- rv = ssl3_AppendHandshakeNumber(ss, compressionMethodsCount, 1);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
- for (i = 0; i < compressionMethodsCount; i++) {
- rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_AppendHandshake* */
- }
- }
-
- rv = ssl3_FlushHandshake(ss, 0);
- if (rv != SECSuccess) {
- return rv; /* error code set by ssl3_FlushHandshake */
- }
-
- ss->ssl3->hs.ws = wait_server_hello;
- return rv;
-}
-
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Hello Request.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleHelloRequest(sslSocket *ss)
-{
- sslSessionID *sid = ss->sec->ci.sid;
- SECStatus rv;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert(ss->ssl3);
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (ss->ssl3->hs.ws == wait_server_hello)
- return SECSuccess;
- if (ss->ssl3->hs.ws != idle_handshake || ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
- return SECFailure;
- }
- if (sid) {
- ss->sec->uncache(sid);
- ssl_FreeSID(sid);
- ss->sec->ci.sid = NULL;
- }
-
- ssl_GetXmitBufLock(ss);
- rv = ssl3_SendClientHello(ss);
- ssl_ReleaseXmitBufLock(ss);
-
- return rv;
-}
-
-#define UNKNOWN_WRAP_MECHANISM 0x7fffffff
-
-static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
- CKM_DES3_ECB,
- CKM_CAST5_ECB,
- CKM_DES_ECB,
- CKM_KEY_WRAP_LYNKS,
- CKM_IDEA_ECB,
- CKM_CAST3_ECB,
- CKM_CAST_ECB,
- CKM_RC5_ECB,
- CKM_RC2_ECB,
- CKM_CDMF_ECB,
- CKM_SKIPJACK_WRAP,
- CKM_SKIPJACK_CBC64,
- UNKNOWN_WRAP_MECHANISM
-};
-
-static int
-ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
-{
- const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
-
- while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
- ++pMech;
- }
- return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
- : (pMech - wrapMechanismList);
-}
-
-static PK11SymKey *
-ssl_UnwrapSymWrappingKey(
- SSLWrappedSymWrappingKey *pWswk,
- SECKEYPrivateKey * svrPrivKey,
- SSL3KEAType exchKeyType,
- CK_MECHANISM_TYPE masterWrapMech,
- void * pwArg)
-{
- PK11SymKey * unwrappedWrappingKey = NULL;
- SECItem wrappedKey;
-
- /* found the wrapping key on disk. */
- PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
- PORT_Assert(pWswk->exchKeyType == exchKeyType);
- if (pWswk->symWrapMechanism != masterWrapMech ||
- pWswk->exchKeyType != exchKeyType) {
- goto loser;
- }
- wrappedKey.type = siBuffer;
- wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
- wrappedKey.len = pWswk->wrappedSymKeyLen;
- PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
-
- switch (exchKeyType) {
- PK11SymKey * Ks;
- PK11SlotInfo * slot;
- SECItem param;
-
- case kt_fortezza:
- /* get the slot that the fortezza server private key is in. */
- slot = PK11_GetSlotFromPrivateKey(svrPrivKey);
- if (slot == NULL) {
- SET_ERROR_CODE
- goto loser;
- }
-
- /* Look up the Token Fixed Key */
- Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_CBC64, NULL, pwArg);
- PK11_FreeSlot(slot);
- if (Ks == NULL) {
- SET_ERROR_CODE
- goto loser;
- }
-
- /* unwrap client write key with the local Ks and IV */
- param.type = siBuffer;
- param.data = pWswk->wrapIV;
- param.len = pWswk->wrapIVLen;
- unwrappedWrappingKey =
- PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_CBC64, &param, &wrappedKey,
- masterWrapMech, CKA_UNWRAP, 0);
- PK11_FreeSymKey(Ks);
- break;
-
- case kt_rsa:
- unwrappedWrappingKey =
- PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
- masterWrapMech, CKA_UNWRAP, 0);
- break;
- }
-loser:
- return unwrappedWrappingKey;
-}
-
-/* Each process sharing the server session ID cache has its own array of
- * SymKey pointers for the symmetric wrapping keys that are used to wrap
- * the master secrets. There is one key for each KEA type. These Symkeys
- * correspond to the wrapped SymKeys kept in the server session cache.
- */
-
-typedef struct {
- PK11SymKey * symWrapKey[kt_kea_size];
-} ssl3SymWrapKey;
-
-/* Try to get wrapping key for mechanism from in-memory array.
- * If that fails, look for one on disk.
- * If that fails, generate a new one, put the new one on disk,
- * Put the new key in the in-memory array.
- */
-static PK11SymKey *
-getWrappingKey( sslSocket * ss,
- PK11SlotInfo * masterSecretSlot,
- SSL3KEAType exchKeyType,
- CK_MECHANISM_TYPE masterWrapMech,
- void * pwArg)
-{
- CERTCertificate * svrCert;
- SECKEYPrivateKey * svrPrivKey;
- SECKEYPublicKey * svrPubKey = NULL;
- PK11SymKey * unwrappedWrappingKey = NULL;
- PK11SymKey ** pSymWrapKey;
- CK_MECHANISM_TYPE asymWrapMechanism;
- int length;
- int symWrapMechIndex;
- SECStatus rv;
- SECItem wrappedKey;
- SSLWrappedSymWrappingKey wswk;
-
- static PRLock * symWrapKeysLock;
- static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
-
- svrPrivKey = ss->serverKey[exchKeyType];
- PORT_Assert(svrPrivKey != NULL);
- if (!svrPrivKey) {
- return NULL; /* why are we here?!? */
- }
-
- symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
- PORT_Assert(symWrapMechIndex >= 0);
- if (symWrapMechIndex < 0)
- return NULL; /* invalid masterWrapMech. */
-
- pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
-
- /* atomically initialize the lock */
- if (!symWrapKeysLock)
- nss_InitLock(&symWrapKeysLock);
-
- PR_Lock(symWrapKeysLock);
-
- unwrappedWrappingKey = *pSymWrapKey;
- if (unwrappedWrappingKey != NULL) {
- if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
- unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
- goto done;
- }
- /* slot series has changed, so this key is no good any more. */
- PK11_FreeSymKey(unwrappedWrappingKey);
- *pSymWrapKey = unwrappedWrappingKey = NULL;
- }
-
- /* Try to get wrapped SymWrapping key out of the (disk) cache. */
- /* Following call fills in wswk on success. */
- if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
- /* found the wrapped sym wrapping key on disk. */
- unwrappedWrappingKey =
- ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
- masterWrapMech, pwArg);
- if (unwrappedWrappingKey) {
- goto install;
- }
- }
-
-no_wrapped_key:
-
- if (!masterSecretSlot) /* caller doesn't want to create a new one. */
- goto loser;
-
- length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
- /* Zero length means fixed key length algorithm, or error.
- * It's ambiguous.
- */
- unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
- length, pwArg);
- if (!unwrappedWrappingKey) {
- goto loser;
- }
-
- /* Prepare the buffer to receive the wrappedWrappingKey,
- * the symmetric wrapping key wrapped using the server's pub key.
- */
- PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */
-
- svrCert = ss->serverCert[exchKeyType];
- svrPubKey = CERT_ExtractPublicKey(svrCert);
- if (svrPubKey == NULL) {
- /* CERT_ExtractPublicKey doesn't set error code */
- PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- goto loser;
- }
- wrappedKey.type = siBuffer;
- wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
- wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
-
- PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
- if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
- goto loser;
-
- /* wrap symmetric wrapping key in server's public key. */
- switch (exchKeyType) {
- PK11SymKey * Ks;
- PK11SlotInfo * fSlot;
- SECItem param;
-
- case kt_fortezza:
- /* get the slot that the fortezza server private key is in. */
- fSlot = PK11_GetSlotFromPrivateKey(svrPrivKey);
- if (fSlot == NULL) {
- SET_ERROR_CODE
- goto loser;
- }
-
- /* Look up the Token Fixed Key */
- Ks = PK11_FindFixedKey(fSlot, CKM_SKIPJACK_CBC64, NULL, pwArg);
- PK11_FreeSlot(fSlot);
- if (Ks == NULL) {
- SET_ERROR_CODE
- goto loser;
- }
-
- /* wrap symmetricWrapping key with the local Ks */
- param.type = siBuffer;
- param.data = wswk.wrapIV;
- param.len = sizeof wswk.wrapIV;
- rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &param, Ks,
- unwrappedWrappingKey, &wrappedKey);
- wswk.wrapIVLen = param.len;
- PK11_FreeSymKey(Ks);
- asymWrapMechanism = CKM_SKIPJACK_CBC64;
- break;
-
- case kt_rsa:
- asymWrapMechanism = CKM_RSA_PKCS;
- rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
- unwrappedWrappingKey, &wrappedKey);
- break;
-
- default:
- rv = SECFailure;
- break;
- }
-
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- wswk.symWrapMechanism = masterWrapMech;
- wswk.symWrapMechIndex = symWrapMechIndex;
- wswk.asymWrapMechanism = asymWrapMechanism;
- wswk.exchKeyType = exchKeyType;
- wswk.wrappedSymKeyLen = wrappedKey.len;
-
- /* put it on disk. */
- /* If the wrapping key for this KEA type has already been set,
- * then abandon the value we just computed and
- * use the one we got from the disk.
- */
- if (ssl_SetWrappingKey(&wswk)) {
- /* somebody beat us to it. The original contents of our wswk
- * has been replaced with the content on disk. Now, discard
- * the key we just created and unwrap this new one.
- */
- PK11_FreeSymKey(unwrappedWrappingKey);
-
- unwrappedWrappingKey =
- ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
- masterWrapMech, pwArg);
- }
-
-install:
- if (unwrappedWrappingKey) {
- *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
- }
-
-loser:
-done:
- if (svrPubKey) {
- SECKEY_DestroyPublicKey(svrPubKey);
- svrPubKey = NULL;
- }
- PR_Unlock(symWrapKeysLock);
- return unwrappedWrappingKey;
-}
-
-
-static SECStatus
-ssl3_FortezzaAppendHandshake(sslSocket *ss, unsigned char * data, int len)
-{
- SSL3FortezzaKeys *fortezza_CKE = NULL;
- SECStatus rv = SECFailure;
-
- rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
- (sizeof(*fortezza_CKE)-sizeof(fortezza_CKE->y_c)) + 1 + len);
- if (rv == SECSuccess) {
- rv = ssl3_AppendHandshakeVariable(ss, data, len, 1);
- }
- return rv; /* err set by ssl3_AppendHandshake* */
-}
-
-/* Called from ssl3_SendClientKeyExchange(). */
-static SECStatus
-sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
-{
- PK11SymKey * pms = NULL;
- SECStatus rv = SECFailure;
- SECItem enc_pms = {siBuffer, NULL, 0};
- PRBool isTLS;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
- PORT_Assert( ssl_HaveXmitBufLock(ss));
-
- /* Generate the pre-master secret ... */
- ssl_GetSpecWriteLock(ss);
- isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
- pms = ssl3_GenerateRSAPMS(ss, ss->ssl3->pwSpec, NULL);
- ssl_ReleaseSpecWriteLock(ss);
- if (pms == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- /* Get the wrapped (encrypted) pre-master secret, enc_pms */
- enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey);
- enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
- if (enc_pms.data == NULL) {
- goto loser; /* err set by PORT_Alloc */
- }
-
- /* wrap pre-master secret in server's public key. */
- rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
- if (rv != SECSuccess) {
- PORT_Free(enc_pms.data);
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- rv = ssl3_InitPendingCipherSpec(ss, pms);
- PK11_FreeSymKey(pms); pms = NULL;
-
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
- isTLS ? enc_pms.len + 2 : enc_pms.len);
- if (rv != SECSuccess) {
- goto loser; /* err set by ssl3_AppendHandshake* */
- }
- if (isTLS) {
- rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
- } else {
- rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
- }
- if (rv != SECSuccess) {
- goto loser; /* err set by ssl3_AppendHandshake* */
- }
-
- rv = SECSuccess;
-
-loser:
- if (enc_pms.data != NULL) {
- PORT_Free(enc_pms.data);
- }
- if (pms != NULL) {
- PK11_FreeSymKey(pms);
- }
- return rv;
-}
-
-/* fortezza client-auth portion of ClientKeyExchange message
- * This function appends the KEA public key from the client's V3 cert
- * (empty for a V1 cert) to the outgoing ClientKeyExchange message.
- * For a V3 cert, it also computes the Fortezza public key hash of that key
- * and signs that hash with the client's signing private key.
- * It also finds and returns the client's KEA private key.
- *
- * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange()
- */
-static SECKEYPrivateKey *
-sendFortezzaCKXClientAuth(sslSocket *ss, SSL3FortezzaKeys * fortezza_CKE)
-{
- SECKEYPublicKey * pubKey = NULL;
- SECKEYPrivateKey * privKeaKey = NULL;
- CERTCertificate * peerCert = ss->sec->peerCert;
- void * pwArg = ss->pkcs11PinArg;
- SECStatus rv = SECFailure;
- SECItem sigItem;
- SECItem hashItem;
-
- /* extract our own local public key. */
- pubKey = CERT_ExtractPublicKey(ss->ssl3->clientCertificate);
- if (!pubKey) {
- ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- goto loser;
- }
-
- if (pubKey->keyType == fortezzaKey) {
- /* fortezza clientauth with fortezza V1 certificate */
- rv = ssl3_FortezzaAppendHandshake(ss, NULL, 0);
- if (rv != SECSuccess) {
- goto loser; /* err was set by AppendHandshake. */
- }
- privKeaKey = PK11_FindKeyByAnyCert(ss->ssl3->clientCertificate, pwArg);
- if (!privKeaKey) {
- ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
- }
-
- } else {
- /* fortezza clientauth w/ V3 certificate or non fortezza cert*/
- CERTCertificate * ccert = NULL;
- SECKEYPublicKey * foundPubKey = NULL;
- unsigned char hash[SHA1_LENGTH];
-
- ccert = PK11_FindBestKEAMatch(peerCert, pwArg);
- if (ccert == NULL) {
- PORT_SetError(SSL_ERROR_FORTEZZA_PQG);
- goto v3_loser;
- }
-
- foundPubKey = CERT_ExtractPublicKey(ccert);
- if (foundPubKey == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- goto v3_loser;
- }
-
- if (foundPubKey->keyType == keaKey) {
- rv = ssl3_FortezzaAppendHandshake(ss,
- foundPubKey->u.kea.publicValue.data,
- foundPubKey->u.kea.publicValue.len);
- if (rv != SECSuccess) {
- goto v3_loser; /* err was set by AppendHandshake. */
- }
-
- rv = ssl3_ComputeFortezzaPublicKeyHash(
- foundPubKey->u.kea.publicValue, hash);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto v3_loser;
- }
- } else {
- rv = ssl3_FortezzaAppendHandshake(ss,
- foundPubKey->u.fortezza.KEAKey.data,
- foundPubKey->u.fortezza.KEAKey.len);
- if (rv != SECSuccess) {
- goto v3_loser; /* err was set by AppendHandshake. */
- }
-
- rv = ssl3_ComputeFortezzaPublicKeyHash(
- foundPubKey->u.fortezza.KEAKey, hash);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto v3_loser;
- }
- }
-
- hashItem.data = (unsigned char *) hash;
- hashItem.len = SHA1_LENGTH;
-
- sigItem.data = fortezza_CKE->y_signature;
- sigItem.len = sizeof fortezza_CKE->y_signature;
-
- rv = PK11_Sign(ss->ssl3->clientPrivateKey, &sigItem, &hashItem);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto v3_loser;
- }
-
- privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg);
- if (!privKeaKey) {
- ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
- }
-
-v3_loser:
- if (foundPubKey)
- SECKEY_DestroyPublicKey(foundPubKey);
- if (ccert)
- CERT_DestroyCertificate(ccert);
- } /* fortezza clientauth w/ V3 certificate or non fortezza cert*/
-
-loser:
-
- if (pubKey)
- SECKEY_DestroyPublicKey(pubKey);
- return privKeaKey;
-} /* End of fortezza client-auth. */
-
-
-/* fortezza without client-auth */
-/* fortezza client-auth portion of ClientKeyExchange message
- * This function appends the public KEA key from the client's cert
- * to the outgoing ClientKeyExchange message.
- * It also finds and returns the client's KEA private key.
- *
- * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange()
- */
-static SECKEYPrivateKey *
-sendFortezzaCKXNoClientAuth(sslSocket *ss)
-{
- SECKEYPublicKey * foundPubKey = NULL;
- SECKEYPrivateKey * privKeaKey = NULL;
- CERTCertificate * ccert = NULL;
- CERTCertificate * peerCert = ss->sec->peerCert;
- void * pwArg = ss->pkcs11PinArg;
- SECStatus rv = SECFailure;
-
- ccert = PK11_FindBestKEAMatch(peerCert, pwArg);
- if (ccert == NULL) {
- PORT_SetError(SSL_ERROR_FORTEZZA_PQG);
- goto loser;
- }
-
- foundPubKey = CERT_ExtractPublicKey(ccert);
- if (foundPubKey == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- goto loser;
- }
-
- if (foundPubKey->keyType == fortezzaKey) {
- /* fortezza V1 cert */
- rv = ssl3_FortezzaAppendHandshake(ss,
- foundPubKey->u.fortezza.KEAKey.data,
- foundPubKey->u.fortezza.KEAKey.len);
- if (rv != SECSuccess) {
- goto loser; /* err was set by AppendHandshake. */
- }
- privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg);
- if (!privKeaKey) {
- ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
- }
- } else {
- /* fortezza V3 cert */
- rv = ssl3_FortezzaAppendHandshake(ss,
- foundPubKey->u.kea.publicValue.data,
- foundPubKey->u.kea.publicValue.len);
- if (rv != SECSuccess) {
- goto loser; /* err was set by AppendHandshake. */
- }
- privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg);
- if (!privKeaKey) {
- ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
- }
- }
-
-loser:
- if (foundPubKey)
- SECKEY_DestroyPublicKey(foundPubKey);
- if (ccert)
- CERT_DestroyCertificate(ccert);
- return privKeaKey;
-}
-
-/* Called from ssl3_SendClientKeyExchange(). */
-static SECStatus
-sendFortezzaClientKeyExchange(sslSocket * ss, SECKEYPublicKey * serverKey)
-{
- ssl3CipherSpec * pwSpec;
- sslSessionID * sid = ss->sec->ci.sid;
- PK11SlotInfo * slot = NULL;
- PK11SymKey * pms = NULL;
- PK11SymKey * tek = NULL;
- PK11SymKey * client_write_key = NULL;
- PK11SymKey * server_write_key = NULL;
- SECKEYPrivateKey * privKeaKey = NULL;
- void * pwArg = ss->pkcs11PinArg;
- SECStatus rv = SECFailure;
- CK_VERSION version;
- SECItem param;
- SECItem raItem;
- SECItem rbItem;
- SECItem enc_pms;
- SECItem item;
- SSL3FortezzaKeys fortezza_CKE;
- PRBool releaseSpecWriteLock = PR_FALSE;
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- /* first get an appropriate slot for doing MACing.
- * Note: This slot will NOT be a Fortezza slot because Fortezza
- * cannot generate an SSL3 pre-master-secret.
- */
- slot = PK11_GetBestSlot(CKM_SSL3_PRE_MASTER_KEY_GEN, pwArg);
- if (slot == NULL) {
- PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
- goto loser;
- }
-
- /* create a pre-Master secret */
- version.major = MSB(ss->version);
- version.minor = LSB(ss->version);
-
- param.data = (unsigned char *)&version;
- param.len = sizeof version;
-
- pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN,
- &param, 0, pwArg);
- PK11_FreeSlot(slot);
- slot = NULL;
- if (pms == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- /* If we don't have a certificate, we need to read out your public key.
- * This changes a bit when we need to deal with the PQG stuff
- */
- PORT_Memset(fortezza_CKE.y_signature, 0, sizeof fortezza_CKE.y_signature);
-
- /* Send the KEA public key and get the KEA private key. */
- if (ss->ssl3->clientCertificate != NULL) {
- /* with client-auth */
- privKeaKey = sendFortezzaCKXClientAuth(ss, &fortezza_CKE);
- } else {
- /* without client-auth */
- privKeaKey = sendFortezzaCKXNoClientAuth(ss);
- }
- if (privKeaKey == NULL) {
- rv = SECFailure;
- goto loser; /* error was already set. */
- }
-
- /* Now we derive the TEK, and generate r_c the client's "random" public key.
- * r_c is generated and filled in by the PubDerive call below.
- */
- raItem.data = fortezza_CKE.r_c;
- raItem.len = sizeof fortezza_CKE.r_c;
-
- /* R_s == server's "random" public key, sent in the Server Key Exchange */
- rbItem.data = ss->ssl3->fortezza.R_s;
- rbItem.len = sizeof ss->ssl3->fortezza.R_s;
-
- tek = PK11_PubDerive(privKeaKey, serverKey, PR_TRUE, /* generate r_c */
- &raItem, &rbItem, CKM_KEA_KEY_DERIVE,
- CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg);
- SECKEY_DestroyPrivateKey(privKeaKey);
- privKeaKey = NULL;
- if (tek == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek); /* can't fail. */
-
- /* encrypt the pms with the TEK.
- * NB: PK11_WrapSymKey will generate and output the encrypted PMS
- * AND the IV for decrypting the PMS.
- */
- param.data = fortezza_CKE.master_secret_iv;
- param.len = sizeof fortezza_CKE.master_secret_iv;
-
- enc_pms.data = fortezza_CKE.encrypted_preMasterSecret;
- enc_pms.len = sizeof fortezza_CKE.encrypted_preMasterSecret;
-
- rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &param, tek, pms, &enc_pms);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
- rv = SECFailure; /* not there yet. */
-
- slot = PK11_GetSlotFromKey(tek);
-
- ssl_GetSpecWriteLock(ss); releaseSpecWriteLock = PR_TRUE;
-
- pwSpec = ss->ssl3->pwSpec;
- pwSpec->client.write_key = client_write_key =
- PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, 0, pwArg);
- if (client_write_key == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
- /* the -1 is a hack. It's supposed to be key size, but we use it
- * to tell the wrapper that we're doing a weird PKCS #11 key gen.
- * Usually the result of key gen is an encrypt key. This is not
- * the case with SSL, where this key is a decrypt key.
- */
- pwSpec->server.write_key = server_write_key =
- PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, -1, pwArg);
- if (server_write_key == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- rv = ssl3_InitPendingCipherSpec(ss, pms);
- PK11_FreeSymKey(pms); pms = NULL;
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- /* copy the keys and IVs out now */
- item.data = fortezza_CKE.wrapped_client_write_key;
- item.len = sizeof fortezza_CKE.wrapped_client_write_key;
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, client_write_key, &item);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- item.data = fortezza_CKE.wrapped_server_write_key;
- item.len = sizeof fortezza_CKE.wrapped_server_write_key;
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, server_write_key, &item);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- /* we only get the generated IV's if we're doing skipjack. */
- if (pwSpec->cipher_def->calg == calg_fortezza) {
- PORT_Memcpy(fortezza_CKE.client_write_iv, pwSpec->client.write_iv,
- sizeof fortezza_CKE.client_write_iv);
- PORT_Memcpy(fortezza_CKE.server_write_iv, pwSpec->server.write_iv,
- sizeof fortezza_CKE.server_write_iv);
- } else {
- /* generate IVs to make old servers happy */
- rv = PK11_GenerateFortezzaIV(client_write_key,
- fortezza_CKE.client_write_iv,
- sizeof fortezza_CKE.client_write_iv);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
- rv = PK11_GenerateFortezzaIV(server_write_key,
- fortezza_CKE.server_write_iv,
- sizeof fortezza_CKE.server_write_iv);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
- }
-
- /* NOTE: This technique of writing out the struct, rather than writing
- * out the individual members works only because all the rest of the
- * values are fixed-length strings of well-defined byte order.
- * Add one SECItem or one Number and we will need to break the elements out.
- */
- rv = ssl3_AppendHandshake(ss, &fortezza_CKE.r_c,
- (sizeof fortezza_CKE - sizeof fortezza_CKE.y_c));
- if (rv != SECSuccess) {
- goto loser; /* err was set by AppendHandshake. */
- }
-
- /* now we initialize our contexts */
- sid->u.ssl3.hasFortezza = PR_TRUE;
- sid->u.ssl3.tek = tek; tek = NULL; /* adopt.. */
-
- if (pwSpec->cipher_def->calg == calg_fortezza) {
- sid->u.ssl3.clientWriteKey =
- PK11_ReferenceSymKey(pwSpec->client.write_key);
- sid->u.ssl3.serverWriteKey=
- PK11_ReferenceSymKey(pwSpec->server.write_key);
-
- PORT_Memcpy(sid->u.ssl3.keys.client_write_iv,
- pwSpec->client.write_iv,
- sizeof sid->u.ssl3.keys.client_write_iv);
- PORT_Memcpy(sid->u.ssl3.keys.server_write_iv,
- pwSpec->server.write_iv,
- sizeof sid->u.ssl3.keys.server_write_iv);
-
- rv = PK11_SaveContext((PK11Context *)pwSpec->encodeContext,
- sid->u.ssl3.clientWriteSave,
- &sid->u.ssl3.clientWriteSaveLen,
- sizeof sid->u.ssl3.clientWriteSave);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
- } else {
- PK11_FreeSymKey(client_write_key);
- pwSpec->client.write_key = client_write_key = NULL;
-
- PK11_FreeSymKey(server_write_key);
- pwSpec->server.write_key = server_write_key = NULL;
-
- rv = SECSuccess;
- }
- /* FALL THROUGH */
-
-loser:
- if (tek) PK11_FreeSymKey(tek);
- if (slot) PK11_FreeSlot(slot);
- if (pms) PK11_FreeSymKey(pms);
- if (rv != SECSuccess) {
- if (client_write_key) {
- PK11_FreeSymKey(client_write_key);
- pwSpec->client.write_key = client_write_key = NULL;
- }
- if (server_write_key) {
- PK11_FreeSymKey(server_write_key);
- pwSpec->server.write_key = server_write_key = NULL;
- }
- }
- if (releaseSpecWriteLock)
- ssl_GetSpecWriteLock(ss);
- return rv;
-}
-
-/* Called from ssl3_HandleServerHelloDone(). */
-static SECStatus
-ssl3_SendClientKeyExchange(sslSocket *ss)
-{
- SECKEYPublicKey * serverKey = NULL;
- SECStatus rv = SECFailure;
- PRBool isTLS;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- if (ss->sec->peerKey == NULL) {
- serverKey = CERT_ExtractPublicKey(ss->sec->peerCert);
- if (serverKey == NULL) {
- PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- return SECFailure;
- }
- } else {
- serverKey = ss->sec->peerKey;
- ss->sec->peerKey = NULL; /* we're done with it now */
- }
-
- isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
- /* enforce limits on kea key sizes. */
- if (ss->ssl3->hs.kea_def->is_limited) {
- int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */
-
- if (keyLen * BPB > ss->ssl3->hs.kea_def->key_size_limit) {
- if (isTLS)
- (void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
- else
- (void)ssl3_HandshakeFailure(ss);
- PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
- goto loser;
- }
- }
-
- switch (ss->ssl3->hs.kea_def->exchKeyType) {
- case kt_rsa:
- rv = sendRSAClientKeyExchange(ss, serverKey);
- break;
-
- case kt_fortezza:
- rv = sendFortezzaClientKeyExchange(ss, serverKey);
- break;
-
- default:
- /* got an unknown or unsupported Key Exchange Algorithm. */
- SEND_ALERT
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- break;
- }
-
- SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
- SSL_GETPID(), ss->fd));
-
-loser:
- if (serverKey) SECKEY_DestroyPublicKey(serverKey);
- return rv; /* err code already set. */
-}
-
-/* Called from ssl3_HandleServerHelloDone(). */
-static SECStatus
-ssl3_SendCertificateVerify(sslSocket *ss)
-{
- ssl3State * ssl3 = ss->ssl3;
- SECStatus rv = SECFailure;
- PRBool isTLS;
- SECItem buf = {siBuffer, NULL, 0};
- SSL3Hashes hashes;
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
- SSL_GETPID(), ss->fd));
-
- ssl_GetSpecReadLock(ss);
- rv = ssl3_ComputeHandshakeHashes(ss, ssl3->pwSpec, &hashes, 0);
- ssl_ReleaseSpecReadLock(ss);
- if (rv != SECSuccess) {
- goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
- }
-
- isTLS = (PRBool)(ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
- rv = ssl3_SignHashes(&hashes, ssl3->clientPrivateKey, &buf, isTLS);
- if (rv == SECSuccess) {
- PK11SlotInfo * slot;
- sslSessionID * sid = ss->sec->ci.sid;
-
- /* Remember the info about the slot that did the signing.
- ** Later, when doing an SSL restart handshake, verify this.
- ** These calls are mere accessors, and can't fail.
- */
- slot = PK11_GetSlotFromPrivateKey(ss->ssl3->clientPrivateKey);
- sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
- sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
- sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
- sid->u.ssl3.clAuthValid = PR_TRUE;
- PK11_FreeSlot(slot);
- }
- /* If we're doing RSA key exchange, we're all done with the private key
- * here. Diffie-Hellman & Fortezza key exchanges need the client's
- * private key for the key exchange.
- */
- if (ssl3->hs.kea_def->exchKeyType == kt_rsa) {
- SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
- ssl3->clientPrivateKey = NULL;
- }
- if (rv != SECSuccess) {
- goto done; /* err code was set by ssl3_SignHashes */
- }
-
- rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
- if (rv != SECSuccess) {
- goto done; /* error code set by AppendHandshake */
- }
- rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
- if (rv != SECSuccess) {
- goto done; /* error code set by AppendHandshake */
- }
-
-done:
- if (buf.data)
- PORT_Free(buf.data);
- return rv;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 ServerHello message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- sslSessionID *sid = ss->sec->ci.sid;
- PRInt32 temp; /* allow for consume number failure */
- PRBool suite_found = PR_FALSE;
- int i;
- int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
- SECStatus rv;
- SECItem sidBytes = {siBuffer, NULL, 0};
- PRBool sid_match;
- PRBool isTLS = PR_FALSE;
- SSL3AlertDescription desc = illegal_parameter;
- SSL3ProtocolVersion version;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
- SSL_GETPID(), ss->fd));
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
- goto alert_loser;
- }
- if (ss->ssl3->hs.ws != wait_server_hello) {
- errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
- desc = unexpected_message;
- goto alert_loser;
- }
-
- temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
- if (temp < 0) {
- goto loser; /* alert has been sent */
- }
- version = (SSL3ProtocolVersion)temp;
-
- /* this is appropriate since the negotiation is complete, and we only
- ** know SSL 3.x.
- */
- if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
- desc = handshake_failure;
- goto alert_loser;
- }
-
- rv = ssl3_NegotiateVersion(ss, version);
- if (rv != SECSuccess) {
- desc = handshake_failure;
- errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
- goto alert_loser;
- }
- isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
-
- rv = ssl3_ConsumeHandshake(
- ss, &ss->ssl3->hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* alert has been sent */
- }
-
- rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* alert has been sent */
- }
- if (sidBytes.len > SSL3_SESSIONID_BYTES) {
- if (isTLS)
- desc = decode_error;
- goto alert_loser; /* malformed. */
- }
-
- /* find selected cipher suite in our list. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
- if (temp < 0) {
- goto loser; /* alert has been sent */
- }
- ssl3_config_match_init(ss);
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if ((temp == suite->cipher_suite) &&
- (config_match(suite, ss->ssl3->policy, PR_TRUE))) {
- suite_found = PR_TRUE;
- break; /* success */
- }
- }
- if (!suite_found) {
- desc = handshake_failure;
- errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
- goto alert_loser;
- }
- ss->ssl3->hs.cipher_suite = (ssl3CipherSuite)temp;
- ss->ssl3->hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
- PORT_Assert(ss->ssl3->hs.suite_def);
- if (!ss->ssl3->hs.suite_def) {
- PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
- goto loser; /* we don't send alerts for our screw-ups. */
- }
-
- /* find selected compression method in our list. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
- if (temp < 0) {
- goto loser; /* alert has been sent */
- }
- suite_found = PR_FALSE;
- for (i = 0; i < compressionMethodsCount; i++) {
- if (temp == compressions[i]) {
- suite_found = PR_TRUE;
- break; /* success */
- }
- }
- if (!suite_found) {
- desc = handshake_failure;
- errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
- goto alert_loser;
- }
- ss->ssl3->hs.compression = (SSL3CompressionMethod)temp;
-
- if (length != 0) { /* malformed */
- goto alert_loser;
- }
-
- /* Any errors after this point are not "malformed" errors. */
- desc = handshake_failure;
-
- /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
- * key exchange algorithm. */
- rv = ssl3_SetupPendingCipherSpec(ss, ss->ssl3);
- if (rv != SECSuccess) {
- goto alert_loser; /* error code is set. */
- }
-
- /* We may or may not have sent a session id, we may get one back or
- * not and if so it may match the one we sent.
- * Attempt to restore the master secret to see if this is so...
- * Don't consider failure to find a matching SID an error.
- */
- sid_match = (PRBool)(sidBytes.len > 0 &&
- sidBytes.len == sid->u.ssl3.sessionIDLength &&
- !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
-
- if (sid_match &&
- sid->version == ss->version &&
- sid->u.ssl3.cipherSuite == ss->ssl3->hs.cipher_suite) do {
- PK11SlotInfo *slot;
- PK11SymKey * wrapKey; /* wrapping key */
- SECItem wrappedMS; /* wrapped master secret. */
- CK_FLAGS keyFlags = 0;
-
- slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
- sid->u.ssl3.masterSlotID);
- if (slot == NULL) {
- break; /* not considered an error. */
- }
- if (!PK11_IsPresent(slot)) {
- PK11_FreeSlot(slot);
- break; /* not considered an error. */
- }
- wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
- sid->u.ssl3.masterWrapMech,
- sid->u.ssl3.masterWrapSeries,
- ss->pkcs11PinArg);
- PK11_FreeSlot(slot);
- if (wrapKey == NULL) {
- break; /* not considered an error. */
- }
-
- if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
- keyFlags = CKF_SIGN | CKF_VERIFY;
- }
-
- wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
- wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
- ss->ssl3->pwSpec->master_secret =
- PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
- NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
- CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
- errCode = PORT_GetError();
- PK11_FreeSymKey(wrapKey);
- if (ss->ssl3->pwSpec->master_secret == NULL) {
- break; /* errorCode set just after call to UnwrapSymKey. */
- }
-
- /* Got a Match */
- ++ssl3_hsh_sid_cache_hits;
- ss->ssl3->hs.ws = wait_change_cipher;
- ss->ssl3->hs.isResuming = PR_TRUE;
-
- /* copy the peer cert from the SID */
- if (sid->peerCert != NULL) {
- ss->sec->peerCert = CERT_DupCertificate(sid->peerCert);
- }
-
- /* reload the FORTEZZA key material. These keys aren't generated
- * by the master secret, but by the key exchange. We restart by
- * reusing these keys. */
- if (sid->u.ssl3.hasFortezza) {
- ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(sid->u.ssl3.tek);
- }
- if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) {
- ss->ssl3->pwSpec->client.write_key =
- PK11_ReferenceSymKey(sid->u.ssl3.clientWriteKey);
- ss->ssl3->pwSpec->server.write_key =
- PK11_ReferenceSymKey(sid->u.ssl3.serverWriteKey);
- /* add the tek later for pre-encrypted files */
- PORT_Memcpy(ss->ssl3->pwSpec->client.write_iv,
- sid->u.ssl3.keys.client_write_iv,
- sizeof sid->u.ssl3.keys.client_write_iv);
- PORT_Memcpy(ss->ssl3->pwSpec->server.write_iv,
- sid->u.ssl3.keys.server_write_iv,
- sizeof sid->u.ssl3.keys.server_write_iv);
- }
-
- /* NULL value for PMS signifies re-use of the old MS */
- rv = ssl3_InitPendingCipherSpec(ss, NULL);
- if (rv != SECSuccess) {
- goto alert_loser; /* err code was set by ssl3_InitPendingCipherSpec */
- }
- if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) {
- rv = PK11_RestoreContext(
- (PK11Context *)ss->ssl3->pwSpec->encodeContext,
- sid->u.ssl3.clientWriteSave,
- sid->u.ssl3.clientWriteSaveLen);
- if (rv != SECSuccess) {
- goto alert_loser; /* err is set. */
- }
- }
- SECITEM_ZfreeItem(&sidBytes, PR_FALSE);
- return SECSuccess;
- } while (0);
-
- if (sid_match)
- ++ssl3_hsh_sid_cache_not_ok;
- else
- ++ssl3_hsh_sid_cache_misses;
-
- /* throw the old one away */
- sid->u.ssl3.resumable = PR_FALSE;
- (*ss->sec->uncache)(sid);
- ssl_FreeSID(sid);
-
- /* get a new sid */
- ss->sec->ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
- if (sid == NULL) {
- goto alert_loser; /* memory error is set. */
- }
-
- sid->version = ss->version;
- sid->u.ssl3.sessionIDLength = sidBytes.len;
- PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
- SECITEM_ZfreeItem(&sidBytes, PR_FALSE);
-
- ss->ssl3->hs.isResuming = PR_FALSE;
- ss->ssl3->hs.ws = wait_server_cert;
- return SECSuccess;
-
-alert_loser:
- (void)SSL3_SendAlert(ss, alert_fatal, desc);
-
-loser:
- if (sidBytes.data != NULL)
- SECITEM_ZfreeItem(&sidBytes, PR_FALSE);
- errCode = ssl_MapLowLevelError(errCode);
- return SECFailure;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 ServerKeyExchange message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- PRArenaPool * arena;
- SECKEYPublicKey *peerKey;
- PRBool isTLS;
- SECStatus rv;
- int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
- SSL3AlertDescription desc = illegal_parameter;
- SECItem modulus = {siBuffer, NULL, 0};
- SECItem exponent = {siBuffer, NULL, 0};
- SECItem signature = {siBuffer, NULL, 0};
- SSL3Hashes hashes;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
- SSL_GETPID(), ss->fd));
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (ss->ssl3->hs.ws != wait_server_key &&
- ss->ssl3->hs.ws != wait_server_cert) {
- errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
- desc = unexpected_message;
- goto alert_loser;
- }
- if (ss->sec->peerCert == NULL) {
- errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
- desc = unexpected_message;
- goto alert_loser;
- }
-
- isTLS = (PRBool)(ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
- switch (ss->ssl3->hs.kea_def->exchKeyType) {
- case kt_rsa:
- rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed. */
- }
- rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed. */
- }
- rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed. */
- }
- if (length != 0) {
- if (isTLS)
- desc = decode_error;
- goto alert_loser; /* malformed. */
- }
-
- /* failures after this point are not malformed handshakes. */
- /* TLS: send decrypt_error if signature failed. */
- desc = isTLS ? decrypt_error : handshake_failure;
-
- /*
- * check to make sure the hash is signed by right guy
- */
- rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
- &ss->ssl3->hs.client_random,
- &ss->ssl3->hs.server_random, &hashes);
- if (rv != SECSuccess) {
- errCode =
- ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
- goto alert_loser;
- }
- rv = ssl3_VerifySignedHashes(&hashes, ss->sec->peerCert, &signature,
- isTLS, ss->pkcs11PinArg);
- if (rv != SECSuccess) {
- errCode =
- ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
- goto alert_loser;
- }
-
- /*
- * we really need to build a new key here because we can no longer
- * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
- * pkcs11 slots and ID's.
- */
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- goto no_memory;
- }
-
- ss->sec->peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
- if (peerKey == NULL) {
- goto no_memory;
- }
-
- peerKey->arena = arena;
- peerKey->keyType = rsaKey;
- peerKey->pkcs11Slot = NULL;
- peerKey->pkcs11ID = CK_INVALID_KEY;
- peerKey->u.rsa.modulus.data =
- (unsigned char*)PORT_ArenaAlloc(arena, modulus.len);
- if (peerKey->u.rsa.modulus.data == NULL)
- goto no_memory;
-
- PORT_Memcpy(peerKey->u.rsa.modulus.data, modulus.data, modulus.len);
- peerKey->u.rsa.modulus.len = modulus.len;
-
- peerKey->u.rsa.publicExponent.data =
- (unsigned char*)PORT_ArenaAlloc(arena, exponent.len);
- if (peerKey->u.rsa.publicExponent.data == NULL)
- goto no_memory;
-
- PORT_Memcpy(peerKey->u.rsa.publicExponent.data,
- exponent.data, exponent.len);
- peerKey->u.rsa.publicExponent.len = exponent.len;
-
- PORT_Free(modulus.data);
- PORT_Free(exponent.data);
- PORT_Free(signature.data);
- ss->ssl3->hs.ws = wait_cert_request;
- return SECSuccess;
-
- case kt_fortezza:
-
- /* Fortezza needs *BOTH* a server cert message
- * and a server key exchange message.
- */
- if (ss->ssl3->hs.ws == wait_server_cert) {
- errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
- desc = unexpected_message;
- goto alert_loser;
- }
- /* Get the server's "random" public key. */
- rv = ssl3_ConsumeHandshake(ss, ss->ssl3->fortezza.R_s,
- sizeof ss->ssl3->fortezza.R_s, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed */
- }
-
- ss->ssl3->hs.ws = wait_cert_request;
- return SECSuccess;
-
- default:
- desc = handshake_failure;
- errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
- break; /* goto alert_loser; */
- }
-
-alert_loser:
- (void)SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
- if (modulus.data != NULL) SECITEM_FreeItem(&modulus, PR_FALSE);
- if (exponent.data != NULL) SECITEM_FreeItem(&exponent, PR_FALSE);
- if (signature.data != NULL) SECITEM_FreeItem(&signature, PR_FALSE);
- PORT_SetError( errCode );
- return SECFailure;
-
-no_memory: /* no-memory error has already been set. */
- if (modulus.data != NULL) SECITEM_FreeItem(&modulus, PR_FALSE);
- if (exponent.data != NULL) SECITEM_FreeItem(&exponent, PR_FALSE);
- if (signature.data != NULL) SECITEM_FreeItem(&signature, PR_FALSE);
- ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
- return SECFailure;
-}
-
-
-typedef struct dnameNode {
- struct dnameNode *next;
- SECItem name;
-} dnameNode;
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Certificate Request message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- ssl3State * ssl3 = ss->ssl3;
- PRArenaPool * arena = NULL;
- dnameNode * node;
- unsigned char * data;
- PRInt32 remaining;
- PRInt32 len;
- PRBool isTLS = PR_FALSE;
- int i;
- int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
- int nnames = 0;
- SECStatus rv;
- SSL3AlertDescription desc = illegal_parameter;
- SECItem cert_types = {siBuffer, NULL, 0};
- CERTDistNames ca_list;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
- SSL_GETPID(), ss->fd));
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (ssl3->hs.ws != wait_cert_request &&
- ssl3->hs.ws != wait_server_key) {
- desc = unexpected_message;
- errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
- goto alert_loser;
- }
- isTLS = (PRBool)(ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
- rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
- if (rv != SECSuccess)
- goto loser; /* malformed, alert has been sent */
-
- arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- goto no_mem;
-
- remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
- if (remaining < 0)
- goto loser; /* malformed, alert has been sent */
-
- ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
- if (node == NULL)
- goto no_mem;
-
- while (remaining != 0) {
- if (remaining < 2)
- goto alert_loser; /* malformed */
-
- node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
- if (len < 0)
- goto loser; /* malformed, alert has been sent */
-
- remaining -= 2;
- if (remaining < len)
- goto alert_loser; /* malformed */
-
- data = node->name.data = (unsigned char*)PORT_ArenaAlloc(arena, len);
- if (data == NULL)
- goto no_mem;
-
- rv = ssl3_ConsumeHandshake(ss, data, len, &b, &length);
- if (rv != SECSuccess)
- goto loser; /* malformed, alert has been sent */
-
- remaining -= len;
- nnames++;
- if (remaining == 0)
- break; /* success */
-
- node->next = PORT_ArenaZNew(arena, dnameNode);
- node = node->next;
- if (node == NULL)
- goto no_mem;
- }
-
- ca_list.nnames = nnames;
- ca_list.names = (SECItem*)PORT_ArenaAlloc(arena, nnames * sizeof(SECItem));
- if (ca_list.names == NULL)
- goto no_mem;
-
- for(i = 0, node = (dnameNode*)ca_list.head;
- i < nnames;
- i++, node = node->next) {
- ca_list.names[i] = node->name;
- }
-
- if (length != 0)
- goto alert_loser; /* malformed */
-
- desc = no_certificate;
- ssl3->hs.ws = wait_hello_done;
-
- if (ss->getClientAuthData == NULL) {
- rv = SECFailure; /* force it to send a no_certificate alert */
- } else {
- /* XXX Should pass cert_types in this call!! */
- rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
- ss->fd, &ca_list,
- &ssl3->clientCertificate,
- &ssl3->clientPrivateKey);
- }
- switch (rv) {
- case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
- ssl_SetAlwaysBlock(ss);
- break; /* not an error */
-
- case SECSuccess:
- /* Setting ssl3->clientCertChain non-NULL will cause
- * ssl3_HandleServerHelloDone to call SendCertificate.
- */
- ssl3->clientCertChain = CERT_CertChainFromCert(ssl3->clientCertificate,
- certUsageSSLClient, PR_FALSE);
- if (ssl3->clientCertChain == NULL) {
- if (ssl3->clientCertificate != NULL) {
- CERT_DestroyCertificate(ssl3->clientCertificate);
- ssl3->clientCertificate = NULL;
- }
- if (ssl3->clientPrivateKey != NULL) {
- SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
- ssl3->clientPrivateKey = NULL;
- }
- goto send_no_certificate;
- }
- break; /* not an error */
-
- case SECFailure:
- default:
-send_no_certificate:
- if (isTLS) {
- ssl3->sendEmptyCert = PR_TRUE;
- } else {
- (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
- }
- rv = SECSuccess;
- break;
- }
- goto done;
-
-no_mem:
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto done;
-
-alert_loser:
- if (isTLS && desc == illegal_parameter)
- desc = decode_error;
- (void)SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
- PORT_SetError(errCode);
- rv = SECFailure;
-done:
- if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
- if (cert_types.data != NULL)
- SECITEM_FreeItem(&cert_types, PR_FALSE);
- return rv;
-}
-
-/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:
- * cert Client cert chosen by application.
- * Note: ssl takes this reference, and does not bump the
- * reference count. The caller should drop its reference
- * without calling CERT_DestroyCert after calling this function.
- *
- * key Private key associated with cert. This function makes a
- * copy of the private key, so the caller remains responsible
- * for destroying its copy after this function returns.
- *
- * certChain Chain of signers for cert.
- * Note: ssl takes this reference, and does not copy the chain.
- * The caller should drop its reference without destroying the
- * chain. SSL will free the chain when it is done with it.
- *
- * Return value: XXX
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- * It does not work on a subsequent handshake (redo).
- *
- * Caller holds 1stHandshakeLock.
- */
-SECStatus
-ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key,
- CERTCertificateList *certChain)
-{
- SECStatus rv = SECSuccess;
-
- if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) {
- /* XXX This code only works on the initial handshake on a connection,
- ** XXX It does not work on a subsequent handshake (redo).
- */
- if (ss->handshake != 0) {
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->ssl3->clientCertificate = cert;
- ss->ssl3->clientCertChain = certChain;
- if (key == NULL) {
- (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
- ss->ssl3->clientPrivateKey = NULL;
- } else {
- ss->ssl3->clientPrivateKey = SECKEY_CopyPrivateKey(key);
- }
- ssl_GetRecvBufLock(ss);
- if (ss->ssl3->hs.msgState.buf != NULL) {
- rv = ssl3_HandleRecord(ss, NULL, &ss->gather->buf);
- }
- ssl_ReleaseRecvBufLock(ss);
- }
- }
- return rv;
-}
-
-
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Server Hello Done message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleServerHelloDone(sslSocket *ss)
-{
- SECStatus rv;
- SSL3WaitState ws = ss->ssl3->hs.ws;
- PRBool send_verify = PR_FALSE;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
- SSL_GETPID(), ss->fd));
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (ws != wait_hello_done &&
- ws != wait_server_cert &&
- ws != wait_server_key &&
- ws != wait_cert_request) {
- SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
- return SECFailure;
- }
-
- ssl_GetXmitBufLock(ss); /*******************************/
-
- if (ss->ssl3->sendEmptyCert) {
- ss->ssl3->sendEmptyCert = PR_FALSE;
- rv = ssl3_SendEmptyCertificate(ss);
- /* Don't send verify */
- if (rv != SECSuccess) {
- goto loser; /* error code is set. */
- }
- } else
- if (ss->ssl3->clientCertChain != NULL &&
- ss->ssl3->clientPrivateKey != NULL) {
- send_verify = PR_TRUE;
- rv = ssl3_SendCertificate(ss);
- if (rv != SECSuccess) {
- goto loser; /* error code is set. */
- }
- }
-
- rv = ssl3_SendClientKeyExchange(ss);
- if (rv != SECSuccess) {
- goto loser; /* err is set. */
- }
-
- if (send_verify) {
- rv = ssl3_SendCertificateVerify(ss);
- if (rv != SECSuccess) {
- goto loser; /* err is set. */
- }
- }
- rv = ssl3_SendChangeCipherSpecs(ss);
- if (rv != SECSuccess) {
- goto loser; /* err code was set. */
- }
- rv = ssl3_SendFinished(ss, 0);
- if (rv != SECSuccess) {
- goto loser; /* err code was set. */
- }
-
- ssl_ReleaseXmitBufLock(ss); /*******************************/
-
- ss->ssl3->hs.ws = wait_change_cipher;
- return SECSuccess;
-
-loser:
- ssl_ReleaseXmitBufLock(ss);
- return rv;
-}
-
-/*
- * Routines used by servers
- */
-static SECStatus
-ssl3_SendHelloRequest(sslSocket *ss)
-{
- SECStatus rv;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
- ss->fd));
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake */
- }
- rv = ssl3_FlushHandshake(ss, 0);
- if (rv != SECSuccess) {
- return rv; /* error code set by ssl3_FlushHandshake */
- }
- ss->ssl3->hs.ws = wait_client_hello;
- return SECSuccess;
-}
-
-/* Sets memory error when returning NULL.
- * Called from:
- * ssl3_SendClientHello()
- * ssl3_HandleServerHello()
- * ssl3_HandleClientHello()
- * ssl3_HandleV2ClientHello()
- */
-static sslSessionID *
-ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
-{
- sslSessionID *sid;
-
- sid = PORT_ZNew(sslSessionID);
- if (sid == NULL)
- return sid;
-
- sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
- sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url);
- sid->addr = ss->sec->ci.peer;
- sid->port = ss->sec->ci.port;
- sid->references = 1;
- sid->cached = never_cached;
- sid->version = ss->version;
-
- sid->u.ssl3.resumable = PR_TRUE;
- sid->u.ssl3.policy = SSL_ALLOWED;
- sid->u.ssl3.hasFortezza = PR_FALSE;
- sid->u.ssl3.clientWriteKey = NULL;
- sid->u.ssl3.serverWriteKey = NULL;
- sid->u.ssl3.tek = NULL;
-
- if (is_server) {
- SECStatus rv;
- int pid = SSL_GETPID();
-
- sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
- sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff;
- sid->u.ssl3.sessionID[1] = pid & 0xff;
- rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
- SSL3_SESSIONID_BYTES -2);
- if (rv != SECSuccess) {
- ssl_FreeSID(sid);
- ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
- return NULL;
- }
- }
- return sid;
-}
-
-/* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
-static SECStatus
-ssl3_SendServerHelloSequence(sslSocket *ss)
-{
- const ssl3KEADef *kea_def;
- SECStatus rv;
-
- SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- rv = ssl3_SendServerHello(ss);
- if (rv != SECSuccess) {
- return rv; /* err code is set. */
- }
- rv = ssl3_SendCertificate(ss);
- if (rv != SECSuccess) {
- return rv; /* error code is set. */
- }
- /* We have to do this after the call to ssl3_SendServerHello,
- * because kea_def is set up by ssl3_SendServerHello().
- */
- kea_def = ss->ssl3->hs.kea_def;
- ss->ssl3->hs.usedStepDownKey = PR_FALSE;
- if (kea_def->kea == kea_fortezza) {
- rv = ssl3_SendServerKeyExchange(ss);
- if (rv != SECSuccess) {
- return rv; /* err code was set. */
- }
- } else if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
- /* see if we can legally use the key in the cert. */
- int keyLen; /* bytes */
-
- keyLen = PK11_GetPrivateModulusLen(
- ss->serverKey[kea_def->exchKeyType]);
-
- if (keyLen > 0 &&
- keyLen * BPB <= kea_def->key_size_limit ) {
- /* XXX AND cert is not signing only!! */
- /* just fall through and use it. */
- } else if (ss->stepDownKeyPair != NULL) {
- ss->ssl3->hs.usedStepDownKey = PR_TRUE;
- rv = ssl3_SendServerKeyExchange(ss);
- if (rv != SECSuccess) {
- return rv; /* err code was set. */
- }
- } else {
-#ifndef HACKED_EXPORT_SERVER
- PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
- return rv;
-#endif
- }
- }
-
- if (ss->requestCertificate) {
- rv = ssl3_SendCertificateRequest(ss);
- if (rv != SECSuccess) {
- return rv; /* err code is set. */
- }
- }
- rv = ssl3_SendServerHelloDone(ss);
- if (rv != SECSuccess) {
- return rv; /* err code is set. */
- }
-
- ss->ssl3->hs.ws = (ss->requestCertificate) ? wait_client_cert
- : wait_client_key;
- return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Client Hello message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- sslSessionID * sid = NULL;
- ssl3State * ssl3;
- sslConnectInfo * ci;
- PRInt32 tmp;
- unsigned int i;
- int j;
- SECStatus rv;
- int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
- SSL3AlertDescription desc = illegal_parameter;
- SSL3ProtocolVersion version;
- SECItem sidBytes = {siBuffer, NULL, 0};
- SECItem suites = {siBuffer, NULL, 0};
- SECItem comps = {siBuffer, NULL, 0};
- PRBool haveSpecWriteLock = PR_FALSE;
- PRBool haveXmitBufLock = PR_FALSE;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- /* Get peer name of client */
- rv = ssl_GetPeerInfo(ss);
- if (rv != SECSuccess) {
- return rv; /* error code is set. */
- }
-
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- return rv; /* ssl3_InitState has set the error code. */
- }
- ssl3 = ss->ssl3;
-
- if ((ssl3->hs.ws != wait_client_hello) &&
- (ssl3->hs.ws != idle_handshake)) {
- desc = unexpected_message;
- errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
- goto alert_loser;
- }
- ci = &ss->sec->ci;
-
- tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
- if (tmp < 0)
- goto loser; /* malformed, alert already sent */
- ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
- rv = ssl3_NegotiateVersion(ss, version);
- if (rv != SECSuccess) {
- /* We can't do the usual isTLS test here, because the negotiated
- ** version is definitely not 3.1. So the question is, are we
- ** willing/able to do TLS here on our side?
- */
- desc = ss->enableTLS ? protocol_version : handshake_failure;
- errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
- goto alert_loser;
- }
-
- /* grab the client random data. */
- rv = ssl3_ConsumeHandshake(
- ss, &ssl3->hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed */
- }
-
- /* grab the client's SID, if present. */
- rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed */
- }
-
- if (sidBytes.len > 0) {
- SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x",
- SSL_GETPID(), ss->fd, ci->peer));
- sid = (*ssl_sid_lookup)(ci->peer, sidBytes.data, sidBytes.len,
- ss->dbHandle);
- }
- SECITEM_FreeItem(&sidBytes, PR_FALSE);
-
- /* grab the list of cipher suites. */
- rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed */
- }
-
- /* grab the list of compression methods. */
- rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed */
- }
-
- /* It's OK for length to be non-zero here.
- * Non-zero length means that some new protocol revision has extended
- * the client hello message.
- */
-
- desc = handshake_failure;
-
- if (sid != NULL) {
- /* We've found a session cache entry for this client.
- * Now, if we're going to require a client-auth cert,
- * and we don't already have this client's cert in the session cache,
- * and this is the first handshake on this connection (not a redo),
- * then drop this old cache entry and start a new session.
- */
- if ((sid->peerCert == NULL) && ss->requestCertificate &&
- ((ss->requireCertificate == 1) ||
- ((ss->requireCertificate == 2) && !ss->connected))) {
-
- ++ssl3_hch_sid_cache_not_ok;
- ss->sec->uncache(sid);
- ssl_FreeSID(sid);
- sid = NULL;
- }
- }
-
- /* Look for a matching cipher suite. */
- j = ssl3_config_match_init(ss);
- if (j <= 0) { /* no ciphers are working/supported by PK11 */
- errCode = PORT_GetError(); /* error code is already set. */
- goto alert_loser;
- }
- /* If we already have a session for this client, be sure to pick the
- ** same cipher suite we picked before.
- ** This is not a loop, despite appearances.
- */
- if (sid) do {
- ssl3CipherSuiteCfg *suite = ss->cipherSuites;
- for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
- if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
- break;
- }
- if (!j)
- break;
- if (!config_match(suite, ssl3->policy, PR_TRUE))
- break;
- for (i = 0; i < suites.len; i += 2) {
- if ((suites.data[i] == MSB(suite->cipher_suite)) &&
- (suites.data[i + 1] == LSB(suite->cipher_suite))) {
-
- ssl3->hs.cipher_suite = suite->cipher_suite;
- ssl3->hs.suite_def =
- ssl_LookupCipherSuiteDef(ssl3->hs.cipher_suite);
- goto suite_found;
- }
- }
- } while (0);
-
- /* Select a cipher suite.
- ** NOTE: This suite selection algorithm should be the same as the one in
- ** ssl3_HandleV2ClientHello().
- */
- for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
- if (!config_match(suite, ssl3->policy, PR_TRUE))
- continue;
- for (i = 0; i < suites.len; i += 2) {
- if ((suites.data[i] == MSB(suite->cipher_suite)) &&
- (suites.data[i + 1] == LSB(suite->cipher_suite))) {
-
- ssl3->hs.cipher_suite = suite->cipher_suite;
- ssl3->hs.suite_def =
- ssl_LookupCipherSuiteDef(ssl3->hs.cipher_suite);
- goto suite_found;
- }
- }
- }
- errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
- goto alert_loser;
-
-suite_found:
- /* Look for a matching compression algorithm. */
- for (i = 0; i < comps.len; i++) {
- for (j = 0; j < compressionMethodsCount; j++) {
- if (comps.data[i] == compressions[j]) {
- ssl3->hs.compression = (SSL3CompressionMethod)compressions[j];
- goto compression_found;
- }
- }
- }
- errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
- /* null compression must be supported */
- goto alert_loser;
-
-compression_found:
- PORT_Free(suites.data);
- suites.data = NULL;
- PORT_Free(comps.data);
- comps.data = NULL;
-
- ss->sec->send = ssl3_SendApplicationData;
-
- /* If there are any failures while processing the old sid,
- * we don't consider them to be errors. Instead, We just behave
- * as if the client had sent us no sid to begin with, and make a new one.
- */
- if (sid != NULL) do {
- PK11SlotInfo * slot;
- PK11SymKey * wrapKey; /* wrapping key */
- SECItem wrappedKey; /* wrapped key */
- ssl3CipherSpec *pwSpec;
- CK_FLAGS keyFlags = 0;
-
- if (sid->version != ss->version ||
- sid->u.ssl3.cipherSuite != ssl3->hs.cipher_suite) {
- break; /* not an error */
- }
-
- if (ci->sid) {
- ss->sec->uncache(ci->sid);
- PORT_Assert(ci->sid != sid); /* should be impossible, but ... */
- if (ci->sid != sid) {
- ssl_FreeSID(ci->sid);
- }
- ci->sid = NULL;
- }
- /* we need to resurrect the master secret.... */
-
- ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE;
- pwSpec = ssl3->pwSpec;
-
- wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
- sid->u.ssl3.masterWrapMech, ss->pkcs11PinArg);
- if (!wrapKey) {
- /* we have a SID cache entry, but no wrapping key for it??? */
- break;
- }
-
- if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
- keyFlags = CKF_SIGN | CKF_VERIFY;
- }
-
- wrappedKey.data = sid->u.ssl3.keys.wrapped_master_secret;
- wrappedKey.len = sid->u.ssl3.keys.wrapped_master_secret_len;
-
- /* unwrap the master secret. */
- pwSpec->master_secret =
- PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
- NULL, &wrappedKey, CKM_SSL3_MASTER_KEY_DERIVE,
- CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
- PK11_FreeSymKey(wrapKey);
- if (pwSpec->master_secret == NULL) {
- break; /* not an error */
- }
- ci->sid = sid;
- if (sid->peerCert != NULL) {
- ss->sec->peerCert = CERT_DupCertificate(sid->peerCert);
- }
-
- /*
- * Old SID passed all tests, so resume this old session.
- *
- * XXX make sure compression still matches
- */
- ++ssl3_hch_sid_cache_hits;
- ssl3->hs.isResuming = PR_TRUE;
-
- ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
-
- rv = ssl3_SendServerHello(ss);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
-
- /* reload the FORTEZZA key material.
- * On Fortezza, the following keys & IVs are generated by the KEA,
- * not from the PMS. Since we're not going to redo the KEA, we
- * have to save & restore them for Fortezza.
- * use kea because we haven't call InitCipher Specs yet...?
- */
- if (ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) {
- PK11SymKey * Ks;
- SECItem item;
-
- PORT_Memcpy(pwSpec->client.write_iv,
- sid->u.ssl3.keys.client_write_iv,
- sizeof sid->u.ssl3.keys.client_write_iv);
- PORT_Memcpy(pwSpec->server.write_iv,
- sid->u.ssl3.keys.server_write_iv,
- sizeof sid->u.ssl3.keys.server_write_iv);
-
- /* Now, unwrap the client and server write keys with Ks */
-
- /* get the slot that the fortezza server private key is in. */
- slot = PK11_GetSlotFromPrivateKey(ss->serverKey[kt_fortezza]);
- if (slot == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- /* Look up the Token Fixed Key */
- Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL,
- ss->pkcs11PinArg);
- PK11_FreeSlot(slot);
- if (Ks == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
-
- /* unwrap client write key with the local Ks */
- item.data = sid->u.ssl3.keys.wrapped_client_write_key;
- item.len = sizeof sid->u.ssl3.keys.wrapped_client_write_key;
-
- pwSpec->client.write_key =
- PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item,
- CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
- if (pwSpec->client.write_key == NULL) {
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
- goto loser;
- }
-
- /* unwrap server write key with the local Ks */
- item.data = sid->u.ssl3.keys.wrapped_server_write_key;
- item.len = sizeof sid->u.ssl3.keys.wrapped_server_write_key;
-
- pwSpec->server.write_key =
- PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item,
- CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0);
- if (pwSpec->server.write_key == NULL) {
- PK11_FreeSymKey(pwSpec->client.write_key);
- pwSpec->client.write_key = NULL;
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
- goto loser;
- }
- /* Set flag that says "generate 8 byte random prefix plaintext." */
- PK11_SetFortezzaHack(pwSpec->server.write_key); /* can't fail */
-
- }
-
- if (haveSpecWriteLock) {
- ssl_ReleaseSpecWriteLock(ss);
- haveSpecWriteLock = PR_FALSE;
- }
-
- /* NULL value for PMS signifies re-use of the old MS */
- rv = ssl3_InitPendingCipherSpec(ss, NULL);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
-
- rv = ssl3_SendChangeCipherSpecs(ss);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
- rv = ssl3_SendFinished(ss, 0);
- ssl3->hs.ws = wait_change_cipher;
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
-
- if (haveXmitBufLock) {
- ssl_ReleaseXmitBufLock(ss);
- haveXmitBufLock = PR_FALSE;
- }
-
- return SECSuccess;
- } while (0);
-
- if (haveSpecWriteLock) {
- ssl_ReleaseSpecWriteLock(ss);
- haveSpecWriteLock = PR_FALSE;
- }
-
- if (sid) { /* we had a sid, but it's no longer valid, free it */
- ++ssl3_hch_sid_cache_not_ok;
- ss->sec->uncache(sid);
- ssl_FreeSID(sid);
- sid = NULL;
- }
- ++ssl3_hch_sid_cache_misses;
-
- sid = ssl3_NewSessionID(ss, PR_TRUE);
- if (sid == NULL) {
- errCode = PORT_GetError();
- goto loser; /* memory error is set. */
- }
- ci->sid = sid;
-
- ssl3->hs.isResuming = PR_FALSE;
- ssl_GetXmitBufLock(ss);
- rv = ssl3_SendServerHelloSequence(ss);
- ssl_ReleaseXmitBufLock(ss);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
-
- if (haveXmitBufLock) {
- ssl_ReleaseXmitBufLock(ss);
- haveXmitBufLock = PR_FALSE;
- }
-
- return SECSuccess;
-
-alert_loser:
- if (haveSpecWriteLock) {
- ssl_ReleaseSpecWriteLock(ss);
- haveSpecWriteLock = PR_FALSE;
- }
- (void)SSL3_SendAlert(ss, alert_fatal, desc);
- /* FALLTHRU */
-loser:
- if (haveSpecWriteLock) {
- ssl_ReleaseSpecWriteLock(ss);
- haveSpecWriteLock = PR_FALSE;
- }
-
- if (sidBytes.data != NULL) SECITEM_FreeItem(&sidBytes, PR_FALSE);
- if (suites.data != NULL) SECITEM_FreeItem(&suites, PR_FALSE);
- if (comps.data != NULL) SECITEM_FreeItem(&comps, PR_FALSE);
-
- if (haveXmitBufLock) {
- ssl_ReleaseXmitBufLock(ss);
- haveXmitBufLock = PR_FALSE;
- }
-
- PORT_SetError(errCode);
- return SECFailure;
-}
-
-/*
- * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
- * in asking to use the V3 handshake.
- * Called from ssl2_HandleClientHelloMessage() in sslcon.c
- */
-SECStatus
-ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
-{
- sslSessionID * sid = NULL;
- unsigned char * suites;
- unsigned char * random;
- SSL3ProtocolVersion version;
- SECStatus rv;
- int i;
- int j;
- int sid_length;
- int suite_length;
- int rand_length;
- int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
- SSL3AlertDescription desc = handshake_failure;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
-
- ssl_GetSSL3HandshakeLock(ss);
-
- rv = ssl3_InitState(ss);
- if (rv != SECSuccess) {
- ssl_ReleaseSSL3HandshakeLock(ss);
- return rv; /* ssl3_InitState has set the error code. */
- }
-
- if (ss->ssl3->hs.ws != wait_client_hello) {
- desc = unexpected_message;
- errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
- goto loser; /* alert_loser */
- }
-
- version = (buffer[1] << 8) | buffer[2];
- suite_length = (buffer[3] << 8) | buffer[4];
- sid_length = (buffer[5] << 8) | buffer[6];
- rand_length = (buffer[7] << 8) | buffer[8];
- ss->clientHelloVersion = version;
-
- rv = ssl3_NegotiateVersion(ss, version);
- if (rv != SECSuccess) {
- desc = ss->enableTLS ? protocol_version : handshake_failure;
- errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
- /* It's not appropriate to send back SSL3/TLS alert records in
- ** response to an SSL2 client hello, unless the version is
- ** succesfully negotiated to 3.0 or greater, so just goto loser. */
- goto loser; /* alert_loser */
- }
-
- /* if we get a non-zero SID, just ignore it. */
- if (length !=
- SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
- SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
- SSL_GETPID(), ss->fd, length,
- SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
- rand_length));
- goto loser; /* malformed */ /* alert_loser */
- }
-
- suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
- random = suites + suite_length + sid_length;
-
- if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
- rand_length > SSL_MAX_CHALLENGE_BYTES) {
- goto loser; /* malformed */ /* alert_loser */
- }
-
- PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
-
- PORT_Memset(&ss->ssl3->hs.client_random, 0, SSL3_RANDOM_LENGTH);
- PORT_Memcpy(
- &ss->ssl3->hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
- random, rand_length);
-
- PRINT_BUF(60, (ss, "client random:", &ss->ssl3->hs.client_random.rand[0],
- SSL3_RANDOM_LENGTH));
-
- i = ssl3_config_match_init(ss);
- if (i <= 0) {
- errCode = PORT_GetError(); /* error code is already set. */
- goto alert_loser;
- }
-
- /* Select a cipher suite.
- ** NOTE: This suite selection algorithm should be the same as the one in
- ** ssl3_HandleClientHello().
- */
- for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
- if (!config_match(suite, ss->ssl3->policy, PR_TRUE))
- continue;
- for (i = 0; i < suite_length; i += 3) {
- if ((suites[i] == 0) &&
- (suites[i+1] == MSB(suite->cipher_suite)) &&
- (suites[i+2] == LSB(suite->cipher_suite))) {
-
- ss->ssl3->hs.cipher_suite = suite->cipher_suite;
- ss->ssl3->hs.suite_def =
- ssl_LookupCipherSuiteDef(ss->ssl3->hs.cipher_suite);
- goto suite_found;
- }
- }
- }
- errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
- goto alert_loser;
-
-suite_found:
-
- ss->ssl3->hs.compression = compression_null;
- ss->sec->send = ssl3_SendApplicationData;
-
- /* we don't even search for a cache hit here. It's just a miss. */
- ++ssl3_hch_sid_cache_misses;
- sid = ssl3_NewSessionID(ss, PR_TRUE);
- if (sid == NULL) {
- errCode = PORT_GetError();
- goto loser; /* memory error is set. */
- }
- ss->sec->ci.sid = sid;
- /* do not worry about memory leak of sid since it now belongs to ci */
-
- /* We have to update the handshake hashes before we can send stuff */
- rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
-
- ssl_GetXmitBufLock(ss);
- rv = ssl3_SendServerHelloSequence(ss);
- ssl_ReleaseXmitBufLock(ss);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser;
- }
-
- /* XXX_1 The call stack to here is:
- * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
- * ssl2_HandleClientHelloMessage returns whatever we return here.
- * ssl_Do1stHandshake will continue looping if it gets back either
- * SECSuccess or SECWouldBlock.
- * SECSuccess is preferable here. See XXX_1 in sslgathr.c.
- */
- ssl_ReleaseSSL3HandshakeLock(ss);
- return SECSuccess;
-
-alert_loser:
- SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
- ssl_ReleaseSSL3HandshakeLock(ss);
- PORT_SetError(errCode);
- return SECFailure;
-}
-
-/* The negotiated version number has been already placed in ss->version.
-**
-** Called from: ssl3_HandleClientHello (resuming session),
-** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session),
-** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
-*/
-static SECStatus
-ssl3_SendServerHello(sslSocket *ss)
-{
- sslSessionID *sid;
- SECStatus rv;
- PRUint32 length;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
- ss->fd));
-
- PORT_Assert(ss->sec);
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
- PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
-
- if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- return SECFailure;
- }
-
- sid = ss->sec->ci.sid;
- length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
- ((sid == NULL) ? 0: SSL3_SESSIONID_BYTES) +
- sizeof(ssl3CipherSuite) + 1;
- rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
-
- rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_GetNewRandom(&ss->ssl3->hs.server_random);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
- return rv;
- }
- rv = ssl3_AppendHandshake(
- ss, &ss->ssl3->hs.server_random, SSL3_RANDOM_LENGTH);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
-
- if (sid)
- rv = ssl3_AppendHandshakeVariable(
- ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
- else
- rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
-
- rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3->hs.cipher_suite, 2);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3->hs.compression, 1);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_SetupPendingCipherSpec(ss, ss->ssl3);
- if (rv != SECSuccess) {
- return rv; /* err set by ssl3_SetupPendingCipherSpec */
- }
-
- return SECSuccess;
-}
-
-
-static SECStatus
-ssl3_SendServerKeyExchange(sslSocket *ss)
-{
-const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
- SECStatus rv = SECFailure;
- int length;
- PRBool isTLS;
- SECItem signed_hash = {siBuffer, NULL, 0};
- SSL3Hashes hashes;
- SECKEYPublicKey * sdPub; /* public key for step-down */
-
- SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- switch (kea_def->exchKeyType) {
- case kt_rsa:
- /* Perform SSL Step-Down here. */
- sdPub = ss->stepDownKeyPair->pubKey;
- PORT_Assert(sdPub != NULL);
- if (!sdPub) {
- PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
- return SECFailure;
- }
- rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
- sdPub->u.rsa.publicExponent,
- &ss->ssl3->hs.client_random,
- &ss->ssl3->hs.server_random,
- &hashes);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
- return rv;
- }
-
- isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
- rv = ssl3_SignHashes(&hashes, ss->serverKey[kt_rsa], &signed_hash,
- isTLS);
- if (rv != SECSuccess) {
- goto loser; /* ssl3_SignHashes has set err. */
- }
- if (signed_hash.data == NULL) {
- /* how can this happen and rv == SECSuccess ?? */
- PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
- goto loser;
- }
- length = 2 + sdPub->u.rsa.modulus.len +
- 2 + sdPub->u.rsa.publicExponent.len +
- 2 + signed_hash.len;
-
- rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
- if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
- }
-
- rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
- sdPub->u.rsa.modulus.len, 2);
- if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
- }
-
- rv = ssl3_AppendHandshakeVariable(
- ss, sdPub->u.rsa.publicExponent.data,
- sdPub->u.rsa.publicExponent.len, 2);
- if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
- }
-
- rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
- signed_hash.len, 2);
- if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
- }
- PORT_Free(signed_hash.data);
- return SECSuccess;
-
- case kt_fortezza:
-
- /* Set server's "random" public key R_s to the email value == 1 */
- PORT_Memset(ss->ssl3->fortezza.R_s, 0, sizeof(ss->ssl3->fortezza.R_s));
- ss->ssl3->fortezza.R_s[127] = 1;
-
- /* don't waste time signing the random number */
- length = sizeof (ss->ssl3->fortezza.R_s) /*+ 2 + signed_hash.len*/;
-
- rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
- if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
- }
-
- rv = ssl3_AppendHandshake( ss, &ss->ssl3->fortezza.R_s,
- sizeof(ss->ssl3->fortezza.R_s));
- if (rv != SECSuccess) {
- goto loser; /* err set by AppendHandshake. */
- }
- return SECSuccess;
-
- case kt_dh:
- case kt_null:
- default:
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- break;
- }
-loser:
- if (signed_hash.data != NULL)
- PORT_Free(signed_hash.data);
- return SECFailure;
-}
-
-
-static SECStatus
-ssl3_SendCertificateRequest(sslSocket *ss)
-{
- SECItem * name;
- CERTDistNames *ca_list;
-const uint8 * certTypes;
- SECItem * names = NULL;
- SECStatus rv;
- int length;
- int i;
- int calen = 0;
- int nnames = 0;
- int certTypesLength;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- /* ssl3->ca_list is initialized to NULL, and never changed. */
- ca_list = ss->ssl3->ca_list;
- if (!ca_list) {
- ca_list = ssl3_server_ca_list;
- }
-
- if (ca_list != NULL) {
- names = ca_list->names;
- nnames = ca_list->nnames;
- }
-
- if (!nnames) {
- PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
- return SECFailure;
- }
-
- for (i = 0, name = names; i < nnames; i++, name++) {
- calen += 2 + name->len;
- }
-
- if (ss->ssl3->hs.kea_def->exchKeyType == kt_fortezza) {
- certTypes = fortezza_certificate_types;
- certTypesLength = sizeof fortezza_certificate_types;
- } else {
- certTypes = certificate_types;
- certTypesLength = sizeof certificate_types;
- }
-
- length = 1 + certTypesLength + 2 + calen;
-
- rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- for (i = 0, name = names; i < nnames; i++, name++) {
- rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- }
-
- return SECSuccess;
-}
-
-static SECStatus
-ssl3_SendServerHelloDone(sslSocket *ss)
-{
- SECStatus rv;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_FlushHandshake(ss, 0);
- if (rv != SECSuccess) {
- return rv; /* error code set by ssl3_FlushHandshake */
- }
- return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Certificate Verify message
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
- SSL3Hashes *hashes)
-{
- SECItem signed_hash = {siBuffer, NULL, 0};
- SECStatus rv;
- int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
- SSL3AlertDescription desc = handshake_failure;
- PRBool isTLS;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
- SSL_GETPID(), ss->fd));
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (ss->ssl3->hs.ws != wait_cert_verify || ss->sec->peerCert == NULL) {
- desc = unexpected_message;
- errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
- goto alert_loser;
- }
-
- rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
- if (rv != SECSuccess) {
- goto loser; /* malformed. */
- }
-
- isTLS = (PRBool)(ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
- /* XXX verify that the key & kea match */
- rv = ssl3_VerifySignedHashes(hashes, ss->sec->peerCert, &signed_hash,
- isTLS, ss->pkcs11PinArg);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- desc = isTLS ? decrypt_error : handshake_failure;
- goto alert_loser;
- }
-
- PORT_Free(signed_hash.data);
- signed_hash.data = NULL;
-
- if (length != 0) {
- desc = isTLS ? decode_error : illegal_parameter;
- goto alert_loser; /* malformed */
- }
- ss->ssl3->hs.ws = wait_change_cipher;
- return SECSuccess;
-
-alert_loser:
- SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
- if (signed_hash.data != NULL) SECITEM_FreeItem(&signed_hash, PR_FALSE);
- PORT_SetError(errCode);
- return SECFailure;
-}
-
-/*
-** Called from ssl3_HandleClientKeyExchange()
-*/
-static SECStatus
-ssl3_HandleFortezzaClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
- PRUint32 length,
- SECKEYPrivateKey *serverKey)
-{
- SECKEYPublicKey * pubKey = NULL;
- PK11SymKey * tek = NULL;
- PK11SymKey * pms;
- PK11SymKey * Ks = NULL;
- sslSessionID * sid = ss->sec->ci.sid;
- ssl3CipherSpec * pwSpec = ss->ssl3->pwSpec;
- void * pwArg = ss->pkcs11PinArg;
- SECStatus rv;
- SECItem raItem;
- SECItem rbItem;
- SECItem param;
- SECItem item;
- SECItem enc_pms;
- SSL3FortezzaKeys fortezza_CKE;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- fortezza_CKE.y_c.data = NULL;
- rv = ssl3_ConsumeHandshakeVariable(ss, &fortezza_CKE.y_c, 1, &b, &length);
- if (rv != SECSuccess) {
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
- goto fortezza_loser;
- }
- rv = ssl3_ConsumeHandshake(ss, &fortezza_CKE.r_c,
- sizeof fortezza_CKE - sizeof fortezza_CKE.y_c,
- &b, &length);
- if (rv != SECSuccess) {
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
- goto fortezza_loser;
- }
-
- /* Build a Token Encryption key (tek). TEK's can never be unloaded
- * from the card, but given these parameters, and *OUR* fortezza
- * card, we can always regenerate the same one on the fly.
- */
- if (ss->sec->peerCert != NULL) {
- /* client-auth case */
-
- pubKey = CERT_ExtractPublicKey(ss->sec->peerCert);
- if (pubKey == NULL) {
- SEND_ALERT
- PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
- rv = SECFailure;
- goto fortezza_loser;
- }
-
- if (pubKey->keyType != fortezzaKey) {
- /* handle V3 client-auth case */
- SECItem sigItem;
- SECItem hashItem;
- unsigned char hash[SHA1_LENGTH];
-
- rv = ssl3_ComputeFortezzaPublicKeyHash(fortezza_CKE.y_c, hash);
- if (rv != SECSuccess) {
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
- sigItem.data = fortezza_CKE.y_signature;
- sigItem.len = sizeof fortezza_CKE.y_signature;
-
- hashItem.data = hash;
- hashItem.len = sizeof hash;
-
- rv = PK11_Verify(pubKey, &sigItem, &hashItem, pwArg);
- if (rv != SECSuccess) {
- SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
- SECKEY_DestroyPublicKey(pubKey); pubKey = NULL;
- }
- }
- rv = SECFailure;
-
- /* Make the public key if necessary */
- if (fortezza_CKE.y_c.len != 0) {
- if (pubKey != NULL) {
- /* The client is not allowed to send the public key
- * if it can be extracted from the certificate. */
- SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
- PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
- pubKey = PK11_MakeKEAPubKey(fortezza_CKE.y_c.data,
- fortezza_CKE.y_c.len);
- }
- if (pubKey == NULL) {
- /* no public Key in either the cert or the protocol message*/
- SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
- PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
-
- /* Now we derive the TEK. r_c is the client's "random" public key. */
- raItem.data = fortezza_CKE.r_c;
- raItem.len = sizeof(fortezza_CKE.r_c);
-
- /* R_s == server's "random" public key, sent in the Server Key Exchange */
- rbItem.data = ss->ssl3->fortezza.R_s;
- rbItem.len = sizeof ss->ssl3->fortezza.R_s;
-
- tek = PK11_PubDerive(serverKey, pubKey, PR_FALSE, /* don't gen r_c */
- &raItem, &rbItem, CKM_KEA_KEY_DERIVE,
- CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg);
- SECKEY_DestroyPublicKey(pubKey); pubKey = NULL;
- if (tek == NULL) {
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
-
- ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek);
-
- if (pwSpec->cipher_def->calg == calg_fortezza) {
- item.data = fortezza_CKE.wrapped_client_write_key;
- item.len = sizeof fortezza_CKE.wrapped_client_write_key;
-
- pwSpec->client.write_key =
- PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item,
- CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
- if (pwSpec->client.write_key == NULL) {
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
- goto fortezza_loser;
- }
-
- item.data = fortezza_CKE.wrapped_server_write_key;
- item.len = sizeof fortezza_CKE.wrapped_server_write_key;
-
- pwSpec->server.write_key =
- PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item,
- CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0);
- if (pwSpec->server.write_key == NULL) {
- PK11_FreeSymKey(pwSpec->client.write_key);
- pwSpec->client.write_key = NULL;
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
- goto fortezza_loser;
- }
- /* Set a flag that says "generate 8 byte random prefix plaintext." */
- PK11_SetFortezzaHack(pwSpec->server.write_key); /* can't fail */
-
- PORT_Memcpy(pwSpec->client.write_iv, fortezza_CKE.client_write_iv,
- sizeof fortezza_CKE.client_write_iv);
- PORT_Memcpy(pwSpec->server.write_iv, fortezza_CKE.server_write_iv,
- sizeof fortezza_CKE.server_write_iv);
-
- }
-
- /* decrypt the pms with the TEK */
- enc_pms.data = fortezza_CKE.encrypted_preMasterSecret;
- enc_pms.len = sizeof fortezza_CKE.encrypted_preMasterSecret;
-
- param.data = fortezza_CKE.master_secret_iv;
- param.len = sizeof fortezza_CKE.master_secret_iv;
-
- pms = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &param, &enc_pms,
- CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
- if (pms == NULL) {
- SEND_ALERT
- ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
- goto fortezza_loser;
- }
-
- rv = ssl3_InitPendingCipherSpec(ss, pms);
- PK11_FreeSymKey(pms);
- if (rv != SECSuccess) {
- SEND_ALERT
- goto fortezza_loser; /* err code is set. */
- }
-
- if (pwSpec->cipher_def->calg == calg_fortezza) {
- PK11SlotInfo * slot;
-
- sid->u.ssl3.clientWriteKey =
- PK11_ReferenceSymKey(pwSpec->client.write_key);
- sid->u.ssl3.serverWriteKey =
- PK11_ReferenceSymKey(pwSpec->server.write_key);
-
- PORT_Memcpy(sid->u.ssl3.keys.client_write_iv, pwSpec->client.write_iv,
- sizeof sid->u.ssl3.keys.client_write_iv);
- PORT_Memcpy(sid->u.ssl3.keys.server_write_iv, pwSpec->server.write_iv,
- sizeof sid->u.ssl3.keys.server_write_iv);
-
- /* Now, wrap the client and server write keys in Ks for storage
- * in the on-disk sid.
- */
-
- slot = PK11_GetSlotFromKey(tek); /* get ref to the slot */
- if (slot == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
-
- /* Look up the Token Fixed Key */
- Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg);
- PK11_FreeSlot(slot);
- if (Ks == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
-
- /* rewrap server write key with the local Ks */
- item.data = sid->u.ssl3.keys.wrapped_server_write_key;
- item.len = sizeof sid->u.ssl3.keys.wrapped_server_write_key;
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks,
- pwSpec->server.write_key, &item);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
-
- /* rewrap client write key with the local Ks */
- item.data = sid->u.ssl3.keys.wrapped_client_write_key;
- item.len = sizeof sid->u.ssl3.keys.wrapped_client_write_key;
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks,
- pwSpec->client.write_key, &item);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- goto fortezza_loser;
- }
-
- /* wrap the master secret later, when we handle the client's
- * finished message.
- */
- }
-
- sid->u.ssl3.hasFortezza = PR_TRUE;
- sid->u.ssl3.tek = tek; tek = NULL;
-
- rv = SECSuccess;
-
-fortezza_loser:
- if (Ks) PK11_FreeSymKey(Ks);
- if (tek) PK11_FreeSymKey(tek);
- if (pubKey) SECKEY_DestroyPublicKey(pubKey);
- if (fortezza_CKE.y_c.data != NULL)
- SECITEM_FreeItem(&fortezza_CKE.y_c, PR_FALSE);
- return rv;
-}
-
-/* find a slot that is able to generate a PMS and wrap it with RSA.
- * Then generate and return the PMS.
- * If the serverKeySlot parameter is non-null, this function will use
- * that slot to do the job, otherwise it will find a slot.
- *
- * Called from ssl3_GenerateSessionKeys() (above)
- * sendRSAClientKeyExchange() (above)
- * ssl3_HandleRSAClientKeyExchange() (below)
- * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
- */
-static PK11SymKey *
-ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
- PK11SlotInfo * serverKeySlot)
-{
- PK11SymKey * pms = NULL;
- PK11SlotInfo * slot = serverKeySlot;
- void * pwArg = ss->pkcs11PinArg;
- SECItem param;
- CK_VERSION version;
- CK_MECHANISM_TYPE mechanism_array[3];
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (slot == NULL) {
- /* The specReadLock would suffice here, but we cannot assert on
- ** read locks. Also, all the callers who call with a non-null
- ** slot already hold the SpecWriteLock.
- */
- PORT_Assert( ssl_HaveSpecWriteLock(ss));
- PORT_Assert(ss->ssl3->prSpec == ss->ssl3->pwSpec);
-
- /* First get an appropriate slot. */
- mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
- mechanism_array[1] = CKM_RSA_PKCS;
- mechanism_array[2] = (CK_MECHANISM_TYPE) spec->cipher_def->calg;
- slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
- if (slot == NULL) {
- /* can't find a slot with all three, find a slot with the minimum */
- slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
- if (slot == NULL) {
- PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
- return pms; /* which is NULL */
- }
- }
- }
-
- /* Generate the pre-master secret ... */
- version.major = MSB(ss->clientHelloVersion);
- version.minor = LSB(ss->clientHelloVersion);
-
- param.data = (unsigned char *)&version;
- param.len = sizeof version;
-
- pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
- if (!serverKeySlot)
- PK11_FreeSlot(slot);
- if (pms == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- }
- return pms;
-}
-
-/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
- * return any indication of failure of the Client Key Exchange message,
- * where that failure is caused by the content of the client's message.
- * This function must not return SECFailure for any reason that is directly
- * or indirectly caused by the content of the client's encrypted PMS.
- * We must not send an alert and also not drop the connection.
- * Instead, we generate a random PMS. This will cause a failure
- * in the processing the finished message, which is exactly where
- * the failure must occur.
- *
- * Called from ssl3_HandleClientKeyExchange
- */
-static SECStatus
-ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
- SSL3Opaque *b,
- PRUint32 length,
- SECKEYPrivateKey *serverKey)
-{
- PK11SymKey * pms;
- SECStatus rv;
- SECItem enc_pms;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- enc_pms.data = b;
- enc_pms.len = length;
-
- if (ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
- PRInt32 kLen;
- kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
- if (kLen < 0) {
- PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- return SECFailure;
- }
- if ((unsigned)kLen < enc_pms.len) {
- enc_pms.len = kLen;
- }
- }
- /*
- * decrypt pms out of the incoming buffer
- * Note: CKM_SSL3_PRE_MASTER_KEY_GEN is NOT the mechanism used to do
- * the unwrap. Rather, it is the mechanism with which the unwrapped
- * pms will be used.
- */
- pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
- CKM_SSL3_PRE_MASTER_KEY_GEN, CKA_DERIVE, 0);
- if (pms != NULL) {
- PRINT_BUF(60, (ss, "decrypted premaster secret:",
- PK11_GetKeyData(pms)->data,
- PK11_GetKeyData(pms)->len));
- } else {
- /* unwrap failed. Generate a bogus pre-master secret and carry on. */
- PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey);
-
- ssl_GetSpecWriteLock(ss);
- pms = ssl3_GenerateRSAPMS(ss, ss->ssl3->prSpec, slot);
- ssl_ReleaseSpecWriteLock(ss);
-
- PK11_FreeSlot(slot);
- }
-
- if (pms == NULL) {
- /* last gasp. */
- ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
- return SECFailure;
- }
-
- rv = ssl3_InitPendingCipherSpec(ss, pms);
- PK11_FreeSymKey(pms);
- if (rv != SECSuccess) {
- SEND_ALERT
- return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
- }
- return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 ClientKeyExchange message from the remote client
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- SECKEYPrivateKey *serverKey = NULL;
- SECStatus rv;
-const ssl3KEADef * kea_def;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (ss->ssl3->hs.ws != wait_client_key) {
- SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
- return SECFailure;
- }
-
- kea_def = ss->ssl3->hs.kea_def;
-
- serverKey = (ss->ssl3->hs.usedStepDownKey
-#ifdef DEBUG
- && kea_def->is_limited /* XXX OR cert is signing only */
- && kea_def->exchKeyType == kt_rsa
- && ss->stepDownKeyPair != NULL
-#endif
- ) ? ss->stepDownKeyPair->privKey
- : ss->serverKey[kea_def->exchKeyType];
-
- if (serverKey == NULL) {
- SEND_ALERT
- PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
- return SECFailure;
- }
-
- switch (kea_def->exchKeyType) {
- case kt_rsa:
- rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
- if (rv != SECSuccess) {
- SEND_ALERT
- return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
- }
- break;
-
- case kt_fortezza:
- rv = ssl3_HandleFortezzaClientKeyExchange(ss, b, length, serverKey);
- if (rv != SECSuccess) {
- return SECFailure; /* error code set */
- }
- break;
-
- default:
- (void) ssl3_HandshakeFailure(ss);
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- return SECFailure;
- }
- ss->ssl3->hs.ws = ss->sec->peerCert ? wait_cert_verify : wait_change_cipher;
- return SECSuccess;
-
-}
-
-/* This is TLS's equivalent of sending a no_certificate alert. */
-static SECStatus
-ssl3_SendEmptyCertificate(sslSocket *ss)
-{
- SECStatus rv;
-
- rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
- if (rv == SECSuccess) {
- rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
- }
- return rv; /* error, if any, set by functions called above. */
-}
-
-/*
- * Used by both client and server.
- * Called from HandleServerHelloDone and from SendServerHelloSequence.
- */
-static SECStatus
-ssl3_SendCertificate(sslSocket *ss)
-{
- SECStatus rv;
- CERTCertificateList *certChain;
- int len = 0;
- int i;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
- SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- certChain = (ss->sec->isServer)
- ? ss->serverCertChain[ss->ssl3->hs.kea_def->exchKeyType]
- : ss->ssl3->clientCertChain;
-
- if (certChain) {
- for (i = 0; i < certChain->len; i++) {
- len += certChain->certs[i].len + 3;
- }
- }
-
- rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- rv = ssl3_AppendHandshakeNumber(ss, len, 3);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- for (i = 0; i < certChain->len; i++) {
- rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
- certChain->certs[i].len, 3);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
- }
-
- return SECSuccess;
-}
-
-/* This is used to delete the CA certificates in the peer certificate chain
- * from the cert database after they've been validated.
- */
-static void
-ssl3_CleanupPeerCerts(ssl3State *ssl3)
-{
- PRArenaPool * arena = ssl3->peerCertArena;
- ssl3CertNode *certs = (ssl3CertNode *)ssl3->peerCertChain;
-
- for (; certs; certs = certs->next) {
- CERT_DestroyCertificate(certs->cert);
- }
- if (arena) PORT_FreeArena(arena, PR_FALSE);
- ssl3->peerCertArena = NULL;
- ssl3->peerCertChain = NULL;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Certificate message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- ssl3CertNode * c;
- ssl3CertNode * certs = NULL;
- PRArenaPool * arena = NULL;
- ssl3State * ssl3 = ss->ssl3;
- sslSecurityInfo *sec = ss->sec;
- CERTCertificate *cert;
- PRInt32 remaining;
- PRInt32 size;
- SECStatus rv;
- PRBool isServer = (PRBool)(!!sec->isServer);
- PRBool trusted = PR_FALSE;
- PRBool isTLS;
- SSL3AlertDescription desc = bad_certificate;
- int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
- SECItem certItem;
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
- SSL_GETPID(), ss->fd));
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if ((ssl3->hs.ws != wait_server_cert) &&
- (ssl3->hs.ws != wait_client_cert)) {
- desc = unexpected_message;
- errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
- goto alert_loser;
- }
-
- PORT_Assert(ssl3->peerCertArena == NULL);
-
- if (sec->peerCert != NULL) {
- if (sec->peerKey) {
- SECKEY_DestroyPublicKey(sec->peerKey);
- sec->peerKey = NULL;
- }
- CERT_DestroyCertificate(sec->peerCert);
- sec->peerCert = NULL;
- }
-
- remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
- if (remaining < 0)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
-
- isTLS = (PRBool)(ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
- if (!remaining && isTLS && isServer) {
- /* This is TLS's version of a no_certificate alert. */
- /* I'm a server. I've requested a client cert. He hasn't got one. */
- rv = ssl3_HandleNoCertificate(ss);
- goto cert_block;
- }
-
- ssl3->peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- goto loser; /* don't send alerts on memory errors */
- }
-
- /* First get the peer cert. */
- remaining -= 3;
- if (remaining < 0)
- goto decode_loser;
-
- size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
- if (size < 0)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
-
- remaining -= size;
- if (remaining < 0)
- goto decode_loser;
-
- certItem.data = (unsigned char*)PORT_ArenaAlloc(arena, size);
- if (certItem.data == NULL) {
- goto loser; /* don't send alerts on memory errors */
- }
-
- certItem.len = size;
- rv = ssl3_ConsumeHandshake(ss, certItem.data, certItem.len, &b, &length);
- if (rv != SECSuccess)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
-
- sec->peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
- PR_FALSE, PR_TRUE);
- if (sec->peerCert == NULL) {
- /* We should report an alert if the cert was bad, but not if the
- * problem was just some local problem, like memory error.
- */
- goto ambiguous_err;
- }
-
- /* Now get all of the CA certs. */
- while (remaining != 0) {
- remaining -= 3;
- if (remaining < 0)
- goto decode_loser;
-
- size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
- if (size < 0)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
-
- remaining -= size;
- if (remaining < 0)
- goto decode_loser;
-
- certItem.data = (unsigned char*)PORT_ArenaAlloc(arena, size);
- if (certItem.data == NULL) {
- goto loser; /* don't send alerts on memory errors */
- }
-
- certItem.len = size;
- rv = ssl3_ConsumeHandshake(ss, certItem.data, certItem.len,
- &b, &length);
- if (rv != SECSuccess)
- goto loser; /* fatal alert already sent by ConsumeHandshake. */
-
- c = PORT_ArenaNew(arena, ssl3CertNode);
- if (c == NULL) {
- goto loser; /* don't send alerts on memory errors */
- }
-
- c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
- PR_FALSE, PR_TRUE);
- if (c->cert == NULL) {
- goto ambiguous_err;
- }
-
- if (c->cert->trust)
- trusted = PR_TRUE;
-
- c->next = certs;
- certs = c;
- }
-
- if (remaining != 0)
- goto decode_loser;
-
- SECKEY_UpdateCertPQG(sec->peerCert);
-
- /*
- * We're making a fortezza connection, and the card hasn't unloaded it's
- * certs, try to unload those certs now.
- */
- if (!trusted) {
- CERTCertificate *ccert;
-
- ccert = PK11_FindBestKEAMatch(sec->peerCert, ss->pkcs11PinArg);
- if (ccert)
- CERT_DestroyCertificate(ccert);
- }
-
-
- rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
- PR_TRUE, isServer);
- if (rv) {
- errCode = PORT_GetError();
- if (!ss->handleBadCert) {
- goto bad_cert;
- }
- rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
- if ( rv ) {
- if ( rv == SECWouldBlock ) {
- /* someone will handle this connection asynchronously*/
- SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
- SSL_GETPID(), ss->fd));
- ssl3->peerCertChain = certs;
- certs = NULL;
- ssl_SetAlwaysBlock(ss);
- goto cert_block;
- }
- /* cert is bad */
- goto bad_cert;
- }
- /* cert is good */
- }
-
- /* start SSL Step Up, if appropriate */
- cert = sec->peerCert;
- if (!isServer &&
- ssl3_global_policy_some_restricted &&
- ssl3->policy == SSL_ALLOWED &&
- anyRestrictedEnabled(ss) &&
- SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
- PR_FALSE, /* checkSig */
- certUsageSSLServerWithStepUp,
-/*XXX*/ ss->authCertificateArg) ) {
- ssl3->policy = SSL_RESTRICTED;
- ssl3->hs.rehandshake = PR_TRUE;
- }
-
- sec->ci.sid->peerCert = CERT_DupCertificate(sec->peerCert);
-
- /* We don't need the CA certs now that we've authenticated the peer cert. */
- ssl3->peerCertChain = certs; certs = NULL; arena = NULL;
- ssl3_CleanupPeerCerts(ssl3);
-
-cert_block:
- if (sec->isServer) {
- ssl3->hs.ws = wait_client_key;
- } else {
- ssl3->hs.ws = wait_cert_request; /* disallow server_key_exchange */
- if (ssl3->hs.kea_def->is_limited ||
- /* XXX OR server cert is signing only. */
- ssl3->hs.kea_def->kea == kea_fortezza) {
- ssl3->hs.ws = wait_server_key; /* allow server_key_exchange */
- }
- }
-
- /* rv must normally be equal to SECSuccess here. If we called
- * handleBadCert, it can also be SECWouldBlock.
- */
- return rv;
-
-ambiguous_err:
- errCode = PORT_GetError();
- switch (errCode) {
- case PR_OUT_OF_MEMORY_ERROR:
- case SEC_ERROR_BAD_DATABASE:
- case SEC_ERROR_NO_MEMORY:
- if (isTLS) {
- desc = internal_error;
- goto alert_loser;
- }
- goto loser;
- }
- /* fall through to bad_cert. */
-
-bad_cert: /* caller has set errCode. */
- switch (errCode) {
- case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break;
- case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break;
- case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break;
- case SEC_ERROR_INADEQUATE_KEY_USAGE:
- case SEC_ERROR_INADEQUATE_CERT_TYPE:
- desc = certificate_unknown; break;
- case SEC_ERROR_UNTRUSTED_CERT:
- desc = isTLS ? access_denied : certificate_unknown; break;
- case SEC_ERROR_UNKNOWN_ISSUER:
- case SEC_ERROR_UNTRUSTED_ISSUER:
- desc = isTLS ? unknown_ca : certificate_unknown; break;
- case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
- desc = isTLS ? unknown_ca : certificate_expired; break;
-
- case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
- case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
- case SEC_ERROR_CA_CERT_INVALID:
- case SEC_ERROR_BAD_SIGNATURE:
- default: desc = bad_certificate; break;
- }
- SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
- SSL_GETPID(), ss->fd, errCode));
-
- goto alert_loser;
-
-decode_loser:
- desc = isTLS ? decode_error : bad_certificate;
-
-alert_loser:
- (void)SSL3_SendAlert(ss, alert_fatal, desc);
-
-loser:
- ssl3->peerCertChain = certs; certs = NULL; arena = NULL;
- ssl3_CleanupPeerCerts(ssl3);
-
- if (sec->peerCert != NULL) {
- CERT_DestroyCertificate(sec->peerCert);
- sec->peerCert = NULL;
- }
- (void)ssl_MapLowLevelError(errCode);
- return SECFailure;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs
-** XXX Need to document here how an application marks a cert to show that
-** the application has accepted it (overridden CERT_VerifyCert).
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- * It does not work on a subsequent handshake (redo).
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
-*/
-int
-ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
- CERTCertificate * cert;
- ssl3State * ssl3 = ss->ssl3;
- int rv = SECSuccess;
-
- if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
- SET_ERROR_CODE
- return SECFailure;
- }
- if (!ss->sec || !ss->ssl3) {
- SET_ERROR_CODE
- return SECFailure;
- }
-
- cert = ss->sec->peerCert;
-
- /* Permit step up if user decided to accept the cert */
- if (!ss->sec->isServer &&
- ssl3_global_policy_some_restricted &&
- ssl3->policy == SSL_ALLOWED &&
- anyRestrictedEnabled(ss) &&
- (SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
- PR_FALSE, /* checksig */
- certUsageSSLServerWithStepUp,
-/*XXX*/ ss->authCertificateArg) )) {
- ssl3->policy = SSL_RESTRICTED;
- ssl3->hs.rehandshake = PR_TRUE;
- }
-
- if (ss->handshake != NULL) {
- ss->handshake = ssl_GatherRecord1stHandshake;
- ssl3_CleanupPeerCerts(ssl3);
- ss->sec->ci.sid->peerCert = CERT_DupCertificate(ss->sec->peerCert);
-
- ssl_GetRecvBufLock(ss);
- if (ssl3->hs.msgState.buf != NULL) {
- rv = ssl3_HandleRecord(ss, NULL, &ss->gather->buf);
- }
- ssl_ReleaseRecvBufLock(ss);
- }
-
- return rv;
-}
-
-static SECStatus
-ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
- PRBool isServer,
- const SSL3Finished * hashes,
- TLSFinished * tlsFinished)
-{
- PK11Context *prf_context;
- const char * label;
- unsigned int len;
- SECStatus rv;
- SECItem param = {siBuffer, NULL, 0};
-
- label = isServer ? "server finished" : "client finished";
- len = 15;
-
- prf_context =
- PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN,
- spec->master_secret, &param);
- if (!prf_context)
- return SECFailure;
-
- rv = PK11_DigestBegin(prf_context);
- rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
- rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
- rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data,
- &len, sizeof *tlsFinished);
- PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
-
- PK11_DestroyContext(prf_context, PR_TRUE);
- return rv;
-}
-
-/* called from ssl3_HandleServerHelloDone
- * ssl3_HandleClientHello
- * ssl3_HandleFinished
- */
-static SECStatus
-ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
-{
- ssl3CipherSpec *cwSpec;
- PRBool isTLS;
- PRBool isServer = ss->sec->isServer;
- SECStatus rv;
- SSL3Sender sender = isServer ? sender_server : sender_client;
- SSL3Finished hashes;
- TLSFinished tlsFinished;
-
- SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
-
- PORT_Assert( ssl_HaveXmitBufLock(ss));
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- ssl_GetSpecReadLock(ss);
- cwSpec = ss->ssl3->cwSpec;
- isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
- rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
- if (isTLS && rv == SECSuccess) {
- rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
- }
- ssl_ReleaseSpecReadLock(ss);
- if (rv != SECSuccess) {
- goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */
- }
-
- if (isTLS) {
- rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
- if (rv != SECSuccess)
- goto fail; /* err set by AppendHandshake. */
- rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
- if (rv != SECSuccess)
- goto fail; /* err set by AppendHandshake. */
- } else {
- rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes);
- if (rv != SECSuccess)
- goto fail; /* err set by AppendHandshake. */
- rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
- if (rv != SECSuccess)
- goto fail; /* err set by AppendHandshake. */
- }
- rv = ssl3_FlushHandshake(ss, flags);
- if (rv != SECSuccess) {
- goto fail; /* error code set by ssl3_FlushHandshake */
- }
- return SECSuccess;
-
-fail:
- return rv;
-}
-
-
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Finished message from the peer.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
- const SSL3Hashes *hashes)
-{
- sslSecurityInfo * sec = ss->sec;
- ssl3State * ssl3 = ss->ssl3;
- sslSessionID * sid = sec->ci.sid;
- PK11SymKey * wrappingKey = NULL;
- PK11SlotInfo * symKeySlot;
- void * pwArg = ss->pkcs11PinArg;
- SECStatus rv;
- PRBool isServer = sec->isServer;
- PRBool isTLS;
- PRBool doStepUp;
- CK_MECHANISM_TYPE mechanism;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
- SSL_GETPID(), ss->fd));
-
- if (ssl3->hs.ws != wait_finished) {
- SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
- return SECFailure;
- }
-
- isTLS = (PRBool)(ssl3->crSpec->version > SSL_LIBRARY_VERSION_3_0);
- if (isTLS) {
- TLSFinished tlsFinished;
-
- if (length != sizeof tlsFinished) {
- (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
- return SECFailure;
- }
- rv = ssl3_ComputeTLSFinished(ssl3->crSpec, !isServer,
- hashes, &tlsFinished);
- if (rv != SECSuccess ||
- 0 != PORT_Memcmp(&tlsFinished, b, length)) {
- (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
- PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
- return SECFailure;
- }
- } else {
- if (length != sizeof(SSL3Hashes)) {
- (void)ssl3_IllegalParameter(ss);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
- return SECFailure;
- }
-
- if (0 != PORT_Memcmp(hashes, b, length)) {
- (void)ssl3_HandshakeFailure(ss);
- PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
- return SECFailure;
- }
- }
-
- doStepUp = (PRBool)(!isServer && ssl3->hs.rehandshake);
-
- ssl_GetXmitBufLock(ss); /*************************************/
-
- if ((isServer && !ssl3->hs.isResuming) ||
- (!isServer && ssl3->hs.isResuming)) {
-
- rv = ssl3_SendChangeCipherSpecs(ss);
- if (rv != SECSuccess) {
- goto xmit_loser; /* err is set. */
- }
- /* XXX Right here, if we knew, somehow, that this thread was in
- ** SSL_SecureSend (trying to write some data) and we weren't going
- ** to step up, then we could set the ssl_SEND_FLAG_FORCE_INTO_BUFFER
- ** flag, so that the last two handshake messages
- ** (e.g. change cipher spec and finished) would get
- ** sent out in the same send/write call as the application data.
- */
- rv = ssl3_SendFinished(ss, 0);
- if (rv != SECSuccess) {
- goto xmit_loser; /* err is set. */
- }
- }
-
- /* Optimization: don't cache this connection if we're going to step up. */
- if (doStepUp) {
- ssl_FreeSID(sid);
- ss->sec->ci.sid = sid = NULL;
- ssl3->hs.rehandshake = PR_FALSE;
- rv = ssl3_SendClientHello(ss);
-xmit_loser:
- ssl_ReleaseXmitBufLock(ss);
- return rv; /* err code is set if appropriate. */
- }
-
- ssl_ReleaseXmitBufLock(ss); /*************************************/
-
- /* we're connected now. */
- ss->handshake = NULL;
- ss->connected = PR_TRUE;
- ss->gather->writeOffset = 0;
- ss->gather->readOffset = 0;
-
- if (sid->cached == never_cached) {
-
- /* fill in the sid */
- sid->u.ssl3.cipherSuite = ssl3->hs.cipher_suite;
- sid->u.ssl3.compression = ssl3->hs.compression;
- sid->u.ssl3.policy = ssl3->policy;
- sid->u.ssl3.exchKeyType = ssl3->hs.kea_def->exchKeyType;
- sid->version = ss->version;
-
- ssl_GetSpecReadLock(ss); /*************************************/
- symKeySlot = PK11_GetSlotFromKey(ssl3->crSpec->master_secret);
- if (!isServer) {
- int wrapKeyIndex;
- int incarnation;
-
- /* these next few functions are mere accessors and don't fail. */
- sid->u.ssl3.masterWrapIndex = wrapKeyIndex =
- PK11_GetCurrentWrapIndex(symKeySlot);
- PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */
-
- sid->u.ssl3.masterWrapSeries = incarnation =
- PK11_GetSlotSeries(symKeySlot);
- sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot);
- sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
- sid->u.ssl3.masterValid = PR_TRUE;
-
- /* Get the default wrapping key, for wrapping the master secret before
- * placing it in the SID cache entry. */
- wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
- CKM_INVALID_MECHANISM, incarnation,
- pwArg);
- if (wrappingKey) {
- mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
- } else {
- int keyLength;
- /* if the wrappingKey doesn't exist, attempt to create it.
- * Note: we intentionally ignore errors here. If we cannot
- * generate a wrapping key, it is not fatal to this SSL connection,
- * but we will not be able to restart this session.
- */
- mechanism = PK11_GetBestWrapMechanism(symKeySlot);
- keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
- /* Zero length means fixed key length algorithm, or error.
- * It's ambiguous.
- */
- wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
- keyLength, pwArg);
- if (wrappingKey) {
- PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
- }
- }
- } else {
- /* server. */
- mechanism = PK11_GetBestWrapMechanism(symKeySlot);
- if (mechanism != CKM_INVALID_MECHANISM) {
- wrappingKey =
- getWrappingKey(ss, symKeySlot, ssl3->hs.kea_def->exchKeyType,
- mechanism, pwArg);
- if (wrappingKey) {
- mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
- }
- }
- }
-
- sid->u.ssl3.masterWrapMech = mechanism;
- PK11_FreeSlot(symKeySlot);
-
- rv = SECFailure;
- if (wrappingKey) {
- SECItem msItem;
-
- msItem.data = sid->u.ssl3.keys.wrapped_master_secret;
- msItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret;
- rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
- ssl3->crSpec->master_secret, &msItem);
- /* rv is examined below. */
- sid->u.ssl3.keys.wrapped_master_secret_len = msItem.len;
- PK11_FreeSymKey(wrappingKey);
- }
- ssl_ReleaseSpecReadLock(ss); /*************************************/
-
- /* If the wrap failed, we don't cache the sid.
- * The connection continues normally however.
- */
- if (!ss->noCache && rv == SECSuccess) {
- (*sec->cache)(sid);
- }
- }
- ss->ssl3->hs.ws = idle_handshake;
-
- /* Do the handshake callback for sslv3 here. */
- if (ss->handshakeCallback != NULL) {
- (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
- }
-
- return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
- * hanshake message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
- SECStatus rv = SECSuccess;
- SSL3HandshakeType type = ss->ssl3->hs.msg_type;
- SSL3Hashes hashes; /* computed hashes are put here. */
- PRUint8 hdr[4];
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
- /*
- * We have to compute the hashes before we update them with the
- * current message.
- */
- ssl_GetSpecReadLock(ss); /************************************/
- if((type == finished) || (type == certificate_verify)) {
- SSL3Sender sender = (SSL3Sender)0;
- ssl3CipherSpec *rSpec = ss->ssl3->prSpec;
-
- if (type == finished) {
- sender = ss->sec->isServer ? sender_client : sender_server;
- rSpec = ss->ssl3->crSpec;
- }
- rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
- }
- ssl_ReleaseSpecReadLock(ss); /************************************/
- if (rv != SECSuccess) {
- return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/
- }
- SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
- ss->fd, ssl3_DecodeHandshakeType(ss->ssl3->hs.msg_type)));
- PRINT_BUF(60, (ss, "MD5 handshake hash:",
- (unsigned char*)ss->ssl3->hs.md5, MD5_LENGTH));
- PRINT_BUF(95, (ss, "SHA handshake hash:",
- (unsigned char*)ss->ssl3->hs.sha, SHA1_LENGTH));
-
- hdr[0] = (PRUint8)ss->ssl3->hs.msg_type;
- hdr[1] = (PRUint8)(length >> 16);
- hdr[2] = (PRUint8)(length >> 8);
- hdr[3] = (PRUint8)(length );
-
- /* Start new handshake hashes when we start a new handshake */
- if (ss->ssl3->hs.msg_type == client_hello) {
- SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
- SSL_GETPID(), ss->fd ));
- rv = PK11_DigestBegin(ss->ssl3->hs.md5);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- return rv;
- }
- rv = PK11_DigestBegin(ss->ssl3->hs.sha);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- return rv;
- }
- }
- /* We should not include hello_request messages in the handshake hashes */
- if (ss->ssl3->hs.msg_type != hello_request) {
- rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
- if (rv != SECSuccess) return rv; /* err code already set. */
- rv = ssl3_UpdateHandshakeHashes(ss, b, length);
- if (rv != SECSuccess) return rv; /* err code already set. */
- }
-
- PORT_SetError(0); /* each message starts with no error. */
- switch (ss->ssl3->hs.msg_type) {
- case hello_request:
- if (length != 0) {
- (void)ssl3_DecodeError(ss);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
- return SECFailure;
- }
- if (ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
- return SECFailure;
- }
- rv = ssl3_HandleHelloRequest(ss);
- break;
- case client_hello:
- if (!ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
- return SECFailure;
- }
- rv = ssl3_HandleClientHello(ss, b, length);
- break;
- case server_hello:
- if (ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
- return SECFailure;
- }
- rv = ssl3_HandleServerHello(ss, b, length);
- break;
- case certificate:
- rv = ssl3_HandleCertificate(ss, b, length);
- break;
- case server_key_exchange:
- if (ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
- return SECFailure;
- }
- rv = ssl3_HandleServerKeyExchange(ss, b, length);
- break;
- case certificate_request:
- if (ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
- return SECFailure;
- }
- rv = ssl3_HandleCertificateRequest(ss, b, length);
- break;
- case server_hello_done:
- if (length != 0) {
- (void)ssl3_DecodeError(ss);
- PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
- return SECFailure;
- }
- if (ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
- return SECFailure;
- }
- rv = ssl3_HandleServerHelloDone(ss);
- break;
- case certificate_verify:
- if (!ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
- return SECFailure;
- }
- rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
- break;
- case client_key_exchange:
- if (!ss->sec->isServer) {
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
- return SECFailure;
- }
- rv = ssl3_HandleClientKeyExchange(ss, b, length);
- break;
- case finished:
- rv = ssl3_HandleFinished(ss, b, length, &hashes);
- break;
- default:
- (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
- rv = SECFailure;
- }
- return rv;
-}
-
-/* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
- * origBuf is the decrypted ssl record content.
- * Caller must hold the handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
-{
- /*
- * There may be a partial handshake message already in the handshake
- * state. The incoming buffer may contain another portion, or a
- * complete message or several messages followed by another portion.
- *
- * Each message is made contiguous before being passed to the actual
- * message parser.
- */
- ssl3State *ssl3 = ss->ssl3;
- sslBuffer *buf = &ssl3->hs.msgState; /* do not lose the original buffer pointer */
- SECStatus rv;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (buf->buf == NULL) {
- *buf = *origBuf;
- }
- while (buf->len > 0) {
- while (ssl3->hs.header_bytes < 4) {
- uint8 t;
- t = *(buf->buf++);
- buf->len--;
- if (ssl3->hs.header_bytes++ == 0)
- ssl3->hs.msg_type = (SSL3HandshakeType)t;
- else
- ssl3->hs.msg_len = (ssl3->hs.msg_len << 8) + t;
-
-#define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
-
- if (ssl3->hs.header_bytes == 4) {
- if (ssl3->hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
- (void)ssl3_DecodeError(ss);
- PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
- return SECFailure;
- }
- }
-#undef MAX_HANDSHAKE_MSG_LEN
- if (buf->len == 0 && ssl3->hs.msg_len > 0) {
- buf->buf = NULL;
- return SECSuccess;
- }
- }
-
- /*
- * Header has been gathered and there is at least one byte of new
- * data available for this message. If it can be done right out
- * of the original buffer, then use it from there.
- */
- if (ssl3->hs.msg_body.len == 0 && buf->len >= ssl3->hs.msg_len) {
- /* handle it from input buffer */
- rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ssl3->hs.msg_len);
- if (rv == SECFailure) {
- /* This test wants to fall through on either
- * SECSuccess or SECWouldBlock.
- * ssl3_HandleHandshakeMessage MUST set the error code.
- */
- return rv;
- }
- buf->buf += ssl3->hs.msg_len;
- buf->len -= ssl3->hs.msg_len;
- ssl3->hs.msg_len = 0;
- ssl3->hs.header_bytes = 0;
- if (rv != SECSuccess) { /* return if SECWouldBlock. */
- return rv;
- }
- } else {
- /* must be copied to msg_body and dealt with from there */
- unsigned int bytes;
-
- bytes = PR_MIN(buf->len, ssl3->hs.msg_len);
-
- /* Grow the buffer if needed */
- if (bytes > ssl3->hs.msg_body.space - ssl3->hs.msg_body.len) {
- rv = sslBuffer_Grow(&ssl3->hs.msg_body,
- ssl3->hs.msg_body.len + bytes);
- if (rv != SECSuccess) {
- /* sslBuffer_Grow has set a memory error code. */
- return SECFailure;
- }
- }
- PORT_Memcpy(ssl3->hs.msg_body.buf + ssl3->hs.msg_body.len,
- buf->buf, buf->len);
- buf->buf += bytes;
- buf->len -= bytes;
-
- /* should not be more than one message in msg_body */
- PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len);
-
- /* if we have a whole message, do it */
- if (ssl3->hs.msg_body.len == ssl3->hs.msg_len) {
- rv = ssl3_HandleHandshakeMessage(
- ss, ssl3->hs.msg_body.buf, ssl3->hs.msg_len);
- /*
- * XXX This appears to be wrong. This error handling
- * should clean up after a SECWouldBlock return, like the
- * error handling used 40 lines before/above this one,
- */
- if (rv != SECSuccess) {
- /* ssl3_HandleHandshakeMessage MUST set error code. */
- return rv;
- }
- ssl3->hs.msg_body.len = 0;
- ssl3->hs.msg_len = 0;
- ssl3->hs.header_bytes = 0;
- } else {
- PORT_Assert(buf->len == 0);
- break;
- }
- }
- } /* end loop */
-
- origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
- buf->buf = NULL; /* not a leak. */
- return SECSuccess;
-}
-
-/* if cText is non-null, then decipher, check MAC, and decompress the
- * SSL record from cText->buf (typically gs->inbuf)
- * into databuf (typically gs->buf), and any previous contents of databuf
- * is lost. Then handle databuf according to its SSL record type,
- * unless it's an application record.
- *
- * If cText is NULL, then the ciphertext has previously been deciphered and
- * checked, and is already sitting in databuf. It is processed as an SSL
- * Handshake message.
- *
- * DOES NOT process the decrypted/decompressed application data.
- * On return, databuf contains the decrypted/decompressed record.
- *
- * Called from ssl3_GatherCompleteHandshake
- * ssl3_RestartHandshakeAfterCertReq
- * ssl3_RestartHandshakeAfterServerCert
- *
- * Caller must hold the RecvBufLock.
- *
- * This function aquires and releases the SSL3Handshake Lock, holding the
- * lock around any calls to functions that handle records other than
- * Application Data records.
- */
-SECStatus
-ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
-{
-const ssl3BulkCipherDef *cipher_def;
- ssl3State * ssl3 = ss->ssl3;
- ssl3CipherSpec * crSpec;
- SECStatus rv;
- unsigned int hashBytes;
- unsigned int padding_length;
- PRBool isTLS;
- SSL3ContentType rType;
- SSL3Opaque hash[MAX_MAC_LENGTH];
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
-
- if (ssl3 == NULL) {
- ssl_GetSSL3HandshakeLock(ss);
- rv = ssl3_InitState(ss);
- ssl_ReleaseSSL3HandshakeLock(ss);
- if (rv != SECSuccess) {
- return rv; /* ssl3_InitState has set the error code. */
- }
- }
-
- ssl3 = ss->ssl3;
-
- /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
- * This implies that databuf holds a previously deciphered SSL Handshake
- * message.
- */
- if (cText == NULL) {
- SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
- SSL_GETPID(), ss->fd));
- rType = content_handshake;
- goto process_it;
- }
-
- databuf->len = 0; /* filled in by decode call below. */
- if (databuf->space < MAX_FRAGMENT_LENGTH) {
- rv = sslBuffer_Grow(databuf, MAX_FRAGMENT_LENGTH + 2048);
- if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
- SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
- /* sslBuffer_Grow has set a memory error code. */
- return SECFailure;
- }
- }
-
- PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len));
-
- ssl_GetSpecReadLock(ss); /******************************************/
-
- crSpec = ssl3->crSpec;
- cipher_def = crSpec->cipher_def;
- isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
-
- if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) {
- SSL3_SendAlert(ss, alert_fatal, record_overflow);
- PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
- return SECFailure;
- }
- /* decrypt from cText buf to databuf. */
- rv = crSpec->decode(
- crSpec->decodeContext, databuf->buf, (int *)&databuf->len,
- databuf->space, cText->buf->buf, cText->buf->len);
-
- PRINT_BUF(80, (ss, "cleartext:", databuf->buf, databuf->len));
- if (rv != SECSuccess) {
- ssl_ReleaseSpecReadLock(ss);
- ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
- if (isTLS)
- (void)SSL3_SendAlert(ss, alert_fatal, decryption_failed);
- ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
- return SECFailure;
- }
-
- /* If it's a block cipher, check and strip the padding. */
- if (cipher_def->type == type_block) {
- padding_length = *(databuf->buf + databuf->len - 1);
- /* TLS permits padding to exceed the block size, up to 255 bytes. */
- if (padding_length + crSpec->mac_size >= databuf->len)
- goto bad_pad;
- /* if TLS, check value of first padding byte. */
- if (padding_length && isTLS && padding_length !=
- *(databuf->buf + databuf->len - 1 - padding_length))
- goto bad_pad;
- databuf->len -= padding_length + 1;
- if (databuf->len <= 0) {
-bad_pad:
- /* must not hold spec lock when calling SSL3_SendAlert. */
- ssl_ReleaseSpecReadLock(ss);
- /* SSL3 doesn't have an alert for bad padding, so use bad mac. */
- SSL3_SendAlert(ss, alert_fatal,
- isTLS ? decryption_failed : bad_record_mac);
- PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
- return SECFailure;
- }
- }
-
- /* Check the MAC. */
- if (databuf->len < crSpec->mac_size) {
- /* record is too short to have a valid mac. */
- goto bad_mac;
- }
- databuf->len -= crSpec->mac_size;
- rType = cText->type;
- rv = ssl3_ComputeRecordMAC(
- crSpec, (ss->sec->isServer) ? crSpec->client.write_mac_context
- : crSpec->server.write_mac_context,
- rType, cText->version, crSpec->read_seq_num,
- databuf->buf, databuf->len, hash, &hashBytes);
- if (rv != SECSuccess) {
- ssl_ReleaseSpecReadLock(ss);
- ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
- return rv;
- }
-
- if (hashBytes != (unsigned)crSpec->mac_size ||
- PORT_Memcmp(databuf->buf + databuf->len, hash, crSpec->mac_size) != 0) {
-bad_mac:
- /* must not hold spec lock when calling SSL3_SendAlert. */
- ssl_ReleaseSpecReadLock(ss);
- SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
- PORT_SetError(SSL_ERROR_BAD_MAC_READ);
-
- SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
-
- return SECFailure;
- }
-
- ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
-
- ssl_ReleaseSpecReadLock(ss); /*****************************************/
-
- /*
- * The decrypted data is now in databuf.
- *
- * the null decompression routine is right here
- */
-
- /*
- ** Having completed the decompression, check the length again.
- */
- if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
- SSL3_SendAlert(ss, alert_fatal, record_overflow);
- PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
- return SECFailure;
- }
-
- /* Application data records are processed by the caller of this
- ** function, not by this function.
- */
- if (rType == content_application_data) {
- return SECSuccess;
- }
-
- /* It's a record that must be handled by ssl itself, not the application.
- */
-process_it:
- /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting
- * data ang getting the xmit lock here prevents deadlocks.
- */
- ssl_GetSSL3HandshakeLock(ss);
-
- /* All the functions called in this switch MUST set error code if
- ** they return SECFailure or SECWouldBlock.
- */
- switch (rType) {
- case content_change_cipher_spec:
- rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
- break;
- case content_alert:
- rv = ssl3_HandleAlert(ss, databuf);
- break;
- case content_handshake:
- rv = ssl3_HandleHandshake(ss, databuf);
- break;
- case content_application_data:
- rv = SECSuccess;
- break;
- default:
- SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
- SSL_GETPID(), ss->fd, cText->type));
- /* XXX Send an alert ??? */
- PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
- rv = SECFailure;
- break;
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- return rv;
-
-}
-
-/*
- * Initialization functions
- */
-
-/* Called from ssl3_InitState, immediately below. */
-/* Caller must hold the SpecWriteLock. */
-static void
-ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
-{
- spec->cipher_def = &bulk_cipher_defs[cipher_null];
- PORT_Assert(spec->cipher_def->cipher == cipher_null);
- spec->mac_def = &mac_defs[mac_null];
- PORT_Assert(spec->mac_def->mac == mac_null);
- spec->encode = Null_Cipher;
- spec->decode = Null_Cipher;
- spec->destroy = NULL;
- spec->mac_size = 0;
- spec->master_secret = NULL;
-
- spec->client.write_key = NULL;
- spec->client.write_mac_key = NULL;
- spec->client.write_mac_context = NULL;
-
- spec->server.write_key = NULL;
- spec->server.write_mac_key = NULL;
- spec->server.write_mac_context = NULL;
-
- spec->write_seq_num.high = 0;
- spec->write_seq_num.low = 0;
-
- spec->read_seq_num.high = 0;
- spec->read_seq_num.low = 0;
-
- spec->version = ss->enableTLS
- ? SSL_LIBRARY_VERSION_3_1_TLS
- : SSL_LIBRARY_VERSION_3_0;
-}
-
-/* Called from: ssl3_SendRecord
-** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
-** ssl3_SendClientHello()
-** ssl3_HandleServerHello()
-** ssl3_HandleClientHello()
-** ssl3_HandleV2ClientHello()
-** ssl3_HandleRecord()
-**
-** This function should perhaps acquire and release the SpecWriteLock.
-**
-**
-*/
-static SECStatus
-ssl3_InitState(sslSocket *ss)
-{
- ssl3State * ssl3 = NULL;
- PK11Context *md5 = NULL;
- PK11Context *sha = NULL;
- SECStatus rv;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
-
- /* reinitialization for renegotiated sessions XXX */
- if (ss->ssl3 != NULL)
- return SECSuccess;
-
- ssl3 = PORT_ZNew(ssl3State); /* zero on purpose */
- if (ssl3 == NULL)
- return SECFailure; /* PORT_ZAlloc has set memory error code. */
-
- /* note that entire HandshakeState is zero, including the buffer */
- ssl3->policy = SSL_ALLOWED;
-
- ssl_GetSpecWriteLock(ss);
- ssl3->crSpec = ssl3->cwSpec = &ssl3->specs[0];
- ssl3->prSpec = ssl3->pwSpec = &ssl3->specs[1];
- ssl3->hs.rehandshake = PR_FALSE;
- ssl3_InitCipherSpec(ss, ssl3->crSpec);
- ssl3_InitCipherSpec(ss, ssl3->prSpec);
- ssl3->fortezza.tek = NULL;
-
- ssl3->hs.ws = (ss->sec->isServer) ? wait_client_hello : wait_server_hello;
- ssl_ReleaseSpecWriteLock(ss);
-
- /*
- * note: We should probably lookup an SSL3 slot for these
- * handshake hashes in hopes that we wind up with the same slots
- * that the master secret will wind up in ...
- */
- SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
- ssl3->hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
- if (md5 == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- goto loser;
- }
- rv = PK11_DigestBegin(ssl3->hs.md5);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- goto loser;
- }
-
- sha = ssl3->hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
- if (sha == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- goto loser;
- }
- rv = PK11_DigestBegin(ssl3->hs.sha);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- goto loser;
- }
-
- /* Don't hide this from the rest of the world any more. */
- ss->ssl3 = ssl3;
-
- return SECSuccess;
-
-loser:
- if (md5 != NULL) PK11_DestroyContext(md5, PR_TRUE);
- if (sha != NULL) PK11_DestroyContext(sha, PR_TRUE);
- if (ssl3 != NULL) PORT_Free(ssl3);
- return SECFailure;
-}
-
-/* Returns a reference counted object that contains a key pair.
- * Or NULL on failure. Initial ref count is 1.
- * Uses the keys in the pair as input.
- */
-ssl3KeyPair *
-ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
-{
- ssl3KeyPair * pair;
-
- if (!privKey || !pubKey) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return NULL;
- }
- pair = PORT_ZNew(ssl3KeyPair);
- if (!pair)
- return NULL; /* error code is set. */
- pair->refCount = 1;
- pair->privKey = privKey;
- pair->pubKey = pubKey;
- return pair; /* success */
-}
-
-ssl3KeyPair *
-ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
-{
- PR_AtomicIncrement(&keyPair->refCount);
- return keyPair;
-}
-
-void
-ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
-{
- PRInt32 newCount = PR_AtomicDecrement(&keyPair->refCount);
- if (!newCount) {
- SECKEY_DestroyPrivateKey(keyPair->privKey);
- SECKEY_DestroyPublicKey( keyPair->pubKey);
- PORT_Free(keyPair);
- }
-}
-
-
-#define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
-
-/*
- * Creates the public and private RSA keys for SSL Step down.
- * Called from SSL_ConfigSecureServer in sslsecur.c
- */
-SECStatus
-ssl3_CreateRSAStepDownKeys(sslSocket *ss)
-{
- SECStatus rv = SECSuccess;
- SECKEYPrivateKey * privKey; /* RSA step down key */
- SECKEYPublicKey * pubKey; /* RSA step down key */
-
- if (ss->stepDownKeyPair)
- ssl3_FreeKeyPair(ss->stepDownKeyPair);
- ss->stepDownKeyPair = NULL;
-#ifndef HACKED_EXPORT_SERVER
- /* Sigh, should have a get key strength call for private keys */
- if (PK11_GetPrivateModulusLen(ss->serverKey[kt_rsa]) >
- EXPORT_RSA_KEY_LENGTH) {
- /* need to ask for the key size in bits */
- privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
- &pubKey, NULL);
- if (!privKey || !pubKey ||
- !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
- ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
- rv = SECFailure;
- }
- }
-#endif
- return rv;
-}
-
-
-/* record the export policy for this cipher suite */
-SECStatus
-ssl3_SetPolicy(ssl3CipherSuite which, int policy)
-{
- ssl3CipherSuiteCfg *suite;
-
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
- if (suite == NULL) {
- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
- }
- suite->policy = policy;
-
- if (policy == SSL_RESTRICTED) {
- ssl3_global_policy_some_restricted = PR_TRUE;
- }
-
- return SECSuccess;
-}
-
-SECStatus
-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
-{
- ssl3CipherSuiteCfg *suite;
- PRInt32 policy;
- SECStatus rv;
-
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
- if (suite) {
- policy = suite->policy;
- rv = SECSuccess;
- } else {
- policy = SSL_NOT_ALLOWED;
- rv = SECFailure; /* err code was set by Lookup. */
- }
- *oPolicy = policy;
- return rv;
-}
-
-/* record the user preference for this suite */
-SECStatus
-ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
-{
- ssl3CipherSuiteCfg *suite;
-
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
- if (suite == NULL) {
- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
- }
- suite->enabled = enabled;
- return SECSuccess;
-}
-
-/* return the user preference for this suite */
-SECStatus
-ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
-{
- ssl3CipherSuiteCfg *suite;
- PRBool pref;
- SECStatus rv;
-
- suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
- if (suite) {
- pref = suite->enabled;
- rv = SECSuccess;
- } else {
- pref = SSL_NOT_ALLOWED;
- rv = SECFailure; /* err code was set by Lookup. */
- }
- *enabled = pref;
- return rv;
-}
-
-SECStatus
-ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
-{
- ssl3CipherSuiteCfg *suite;
-
- suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
- if (suite == NULL) {
- return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
- }
- suite->enabled = enabled;
- return SECSuccess;
-}
-
-SECStatus
-ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
-{
- ssl3CipherSuiteCfg *suite;
- PRBool pref;
- SECStatus rv;
-
- suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
- if (suite) {
- pref = suite->enabled;
- rv = SECSuccess;
- } else {
- pref = SSL_NOT_ALLOWED;
- rv = SECFailure; /* err code was set by Lookup. */
- }
- *enabled = pref;
- return rv;
-}
-
-/* copy global default policy into socket. */
-void
-ssl3_InitSocketPolicy(sslSocket *ss)
-{
- PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
-}
-
-/* ssl3_config_match_init must have already been called by
- * the caller of this function.
- */
-SECStatus
-ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
-{
- int i, count = 0;
-
- PORT_Assert(ss != 0);
- if (!ss) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return SECFailure;
- }
- if (!ss->enableSSL3 && !ss->enableTLS) {
- *size = 0;
- return SECSuccess;
- }
- if (cs == NULL) {
- *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
- return SECSuccess;
- }
-
- /* ssl3_config_match_init was called by the caller of this function. */
- for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
- ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
- if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
- if (cs != NULL) {
- *cs++ = 0x00;
- *cs++ = (suite->cipher_suite >> 8) & 0xFF;
- *cs++ = suite->cipher_suite & 0xFF;
- }
- count++;
- }
- }
- *size = count;
- return SECSuccess;
-}
-
-/*
-** If ssl3 socket is connected and in idle state, then start a new handshake.
-** If flushCache is true, the SID cache will be flushed first, forcing a
-** "Full" handshake (not a session restart handshake), to be done.
-**
-** called from SSL_RedoHandshake(), which already holds the handshake locks.
-*/
-SECStatus
-ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
-{
- sslSecurityInfo *sec = ss->sec;
- sslSessionID * sid = ss->sec->ci.sid;
- SECStatus rv;
-
- PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
-
- if (!ss->connected ||
- ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
- ss->ssl3 && (ss->ssl3->hs.ws != idle_handshake))) {
- PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
- return SECFailure;
- }
- if (sid && flushCache) {
- sec->uncache(sid); /* remove it from whichever cache it's in. */
- ssl_FreeSID(sid); /* dec ref count and free if zero. */
- ss->sec->ci.sid = NULL;
- }
-
- ssl_GetXmitBufLock(ss); /**************************************/
-
- /* start off a new handshake. */
- rv = (sec->isServer) ? ssl3_SendHelloRequest(ss)
- : ssl3_SendClientHello(ss);
-
- ssl_ReleaseXmitBufLock(ss); /**************************************/
- return rv;
-}
-
-/* Called from ssl_FreeSocket() in sslsock.c */
-void
-ssl3_DestroySSL3Info(ssl3State *ssl3)
-{
- if (ssl3 == NULL)
- return; /* success the easy way. */
-
- if (ssl3->clientCertificate != NULL)
- CERT_DestroyCertificate(ssl3->clientCertificate);
-
- if (ssl3->clientPrivateKey != NULL)
- SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
-
- if (ssl3->peerCertArena != NULL)
- ssl3_CleanupPeerCerts(ssl3);
-
- /* clean up handshake */
- if (ssl3->hs.md5) {
- PK11_DestroyContext(ssl3->hs.md5,PR_TRUE);
- }
- if (ssl3->hs.sha) {
- PK11_DestroyContext(ssl3->hs.sha,PR_TRUE);
- }
-
- if (ssl3->fortezza.tek != NULL) {
- PK11_FreeSymKey(ssl3->fortezza.tek);
- }
- /* free the SSL3Buffer (msg_body) */
- PORT_Free(ssl3->hs.msg_body.buf);
-
- /* free up the CipherSpecs */
- ssl3_DestroyCipherSpec(&ssl3->specs[0]);
- ssl3_DestroyCipherSpec(&ssl3->specs[1]);
-
- PORT_Free(ssl3);
-}
-
-/* End of ssl3con.c */
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
deleted file mode 100644
index b3f05d83a..000000000
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Gather (Read) entire SSL3 records from socket into buffer.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "ssl3prot.h"
-
-/*
- * Attempt to read in an entire SSL3 record.
- * Blocks here for blocking sockets, otherwise returns -1 with
- * PR_WOULD_BLOCK_ERROR when socket would block.
- *
- * returns 1 if received a complete SSL3 record.
- * returns 0 if recv returns EOF
- * returns -1 if recv returns <0
- * (The error value may have already been set to PR_WOULD_BLOCK_ERROR)
- *
- * Caller must hold the recv buf lock.
- *
- * The Gather state machine has 3 states: GS_INIT, GS_HEADER, GS_DATA.
- * GS_HEADER: waiting for the 5-byte SSL3 record header to come in.
- * GS_DATA: waiting for the body of the SSL3 record to come in.
- *
- * This loop returns when either (a) an error or EOF occurs,
- * (b) PR_WOULD_BLOCK_ERROR,
- * (c) data (entire SSL3 record) has been received.
- */
-static int
-ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
-{
- unsigned char *bp;
- unsigned char *lbp;
- int nb;
- int err;
- int rv = 1;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- if (gs->state == GS_INIT) {
- gs->state = GS_HEADER;
- gs->remainder = 5;
- gs->offset = 0;
- gs->writeOffset = 0;
- gs->readOffset = 0;
- }
-
- lbp = gs->inbuf.buf;
- for(;;) {
- SSL_TRC(30, ("%d: SSL3[%d]: gather state %d (need %d more)",
- SSL_GETPID(), ss->fd, gs->state, gs->remainder));
- bp = ((gs->state != GS_HEADER) ? lbp : gs->hdr) + gs->offset;
- nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
-
- if (nb > 0) {
- PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
- } else if (nb == 0) {
- /* EOF */
- SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
- rv = 0;
- break;
- } else /* if (nb < 0) */ {
- SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
- PR_GetError()));
- rv = SECFailure;
- break;
- }
-
- gs->offset += nb;
- gs->inbuf.len += nb;
- gs->remainder -= nb;
-
- /* if there's more to go, read some more. */
- if (gs->remainder > 0) {
- continue;
- }
-
- /* have received entire record header, or entire record. */
- switch (gs->state) {
- case GS_HEADER:
- /*
- ** Have received SSL3 record header in gs->hdr.
- ** Now extract the length of the following encrypted data,
- ** and then read in the rest of the SSL3 record into gs->inbuf.
- */
- gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4];
-
- /* This is the max fragment length for an encrypted fragment
- ** plus the size of the record header.
- */
- if(gs->remainder > (MAX_FRAGMENT_LENGTH + 2048 + 5)) {
- SSL3_SendAlert(ss, alert_fatal, unexpected_message);
- gs->state = GS_INIT;
- PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
- return SECFailure;
- }
-
- gs->state = GS_DATA;
- gs->offset = 0;
- gs->inbuf.len = 0;
-
- if (gs->remainder > gs->inbuf.space) {
- err = sslBuffer_Grow(&gs->inbuf, gs->remainder);
- if (err) { /* realloc has set error code to no mem. */
- return err;
- }
- lbp = gs->inbuf.buf;
- }
- break; /* End this case. Continue around the loop. */
-
-
- case GS_DATA:
- /*
- ** SSL3 record has been completely received.
- */
- gs->state = GS_INIT;
- return 1;
- }
- }
-
- return rv;
-}
-
-/* Gather in a record and when complete, Handle that record.
- * Repeat this until the handshake is complete,
- * or until application data is available.
- *
- * Returns 1 when the handshake is completed without error, or
- * application data is available.
- * Returns 0 if ssl3_GatherData hits EOF.
- * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
- * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
- *
- * Called from ssl_GatherRecord1stHandshake in sslcon.c,
- * and from SSL_ForceHandshake in sslsecur.c
- * and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c).
- *
- * Caller must hold the recv buf lock.
- */
-int
-ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
-{
- sslGather * gs = ss->gather;
- SSL3Ciphertext cText;
- int rv;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- do {
- /* bring in the next sslv3 record. */
- rv = ssl3_GatherData(ss, gs, flags);
- if (rv <= 0) {
- return rv;
- }
-
- /* decipher it, and handle it if it's a handshake.
- * If it's application data, gs->buf will not be empty upon return.
- */
- cText.type = (SSL3ContentType)gs->hdr[0];
- cText.version = (gs->hdr[1] << 8) | gs->hdr[2];
- cText.buf = &gs->inbuf;
- rv = ssl3_HandleRecord(ss, &cText, &gs->buf);
- if (rv < 0) {
- return ss->recvdCloseNotify ? 0 : rv;
- }
- } while (ss->ssl3->hs.ws != idle_handshake && gs->buf.len == 0);
-
- gs->readOffset = 0;
- gs->writeOffset = gs->buf.len;
- return 1;
-}
-
-/* Repeatedly gather in a record and when complete, Handle that record.
- * Repeat this until some application data is received.
- *
- * Returns 1 when application data is available.
- * Returns 0 if ssl3_GatherData hits EOF.
- * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
- * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
- *
- * Called from DoRecv in sslsecur.c
- * Caller must hold the recv buf lock.
- */
-int
-ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
-{
- sslGather * gs = ss->gather;
- int rv;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- do {
- rv = ssl3_GatherCompleteHandshake(ss, flags);
- } while (rv > 0 && gs->buf.len == 0);
-
- return rv;
-}
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
deleted file mode 100644
index a9162d9b3..000000000
--- a/security/nss/lib/ssl/ssl3prot.h
+++ /dev/null
@@ -1,307 +0,0 @@
-/*
- * Various and sundry protocol constants. DON'T CHANGE THESE. These
- * values are defined by the SSL 3.0 protocol specification.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef __ssl3proto_h_
-#define __ssl3proto_h_
-
-typedef uint8 SSL3Opaque;
-
-typedef uint16 SSL3ProtocolVersion;
-/* version numbers are defined in sslproto.h */
-
-typedef uint16 ssl3CipherSuite;
-/* The cipher suites are defined in sslproto.h */
-
-#define MAX_CERT_TYPES 10
-#define MAX_COMPRESSION_METHODS 10
-#define MAX_MAC_LENGTH 64
-#define MAX_PADDING_LENGTH 64
-#define MAX_KEY_LENGTH 64
-#define EXPORT_KEY_LENGTH 5
-#define SSL3_RANDOM_LENGTH 32
-
-#define SSL3_RECORD_HEADER_LENGTH 5
-
-#define MAX_FRAGMENT_LENGTH 16384
-
-typedef enum {
- content_change_cipher_spec = 20,
- content_alert = 21,
- content_handshake = 22,
- content_application_data = 23
-} SSL3ContentType;
-
-typedef struct {
- SSL3ContentType type;
- SSL3ProtocolVersion version;
- uint16 length;
- SECItem fragment;
-} SSL3Plaintext;
-
-typedef struct {
- SSL3ContentType type;
- SSL3ProtocolVersion version;
- uint16 length;
- SECItem fragment;
-} SSL3Compressed;
-
-typedef struct {
- SECItem content;
- SSL3Opaque MAC[MAX_MAC_LENGTH];
-} SSL3GenericStreamCipher;
-
-typedef struct {
- SECItem content;
- SSL3Opaque MAC[MAX_MAC_LENGTH];
- uint8 padding[MAX_PADDING_LENGTH];
- uint8 padding_length;
-} SSL3GenericBlockCipher;
-
-typedef enum { change_cipher_spec_choice = 1 } SSL3ChangeCipherSpecChoice;
-
-typedef struct {
- SSL3ChangeCipherSpecChoice choice;
-} SSL3ChangeCipherSpec;
-
-typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
-
-typedef enum {
- close_notify = 0,
- unexpected_message = 10,
- bad_record_mac = 20,
- decryption_failed = 21, /* TLS only */
- record_overflow = 22, /* TLS only */
- decompression_failure = 30,
- handshake_failure = 40,
- no_certificate = 41, /* SSL3 only, NOT TLS */
- bad_certificate = 42,
- unsupported_certificate = 43,
- certificate_revoked = 44,
- certificate_expired = 45,
- certificate_unknown = 46,
- illegal_parameter = 47,
-
-/* All alerts below are TLS only. */
- unknown_ca = 48,
- access_denied = 49,
- decode_error = 50,
- decrypt_error = 51,
- export_restriction = 60,
- protocol_version = 70,
- insufficient_security = 71,
- internal_error = 80,
- user_canceled = 90,
- no_renegotiation = 100
-
-} SSL3AlertDescription;
-
-typedef struct {
- SSL3AlertLevel level;
- SSL3AlertDescription description;
-} SSL3Alert;
-
-typedef enum {
- hello_request = 0,
- client_hello = 1,
- server_hello = 2,
- certificate = 11,
- server_key_exchange = 12,
- certificate_request = 13,
- server_hello_done = 14,
- certificate_verify = 15,
- client_key_exchange = 16,
- finished = 20
-} SSL3HandshakeType;
-
-typedef struct {
- uint8 empty;
-} SSL3HelloRequest;
-
-typedef struct {
- SSL3Opaque rand[SSL3_RANDOM_LENGTH];
-} SSL3Random;
-
-typedef struct {
- SSL3Opaque id[32];
- uint8 length;
-} SSL3SessionID;
-
-typedef enum { compression_null = 0 } SSL3CompressionMethod;
-
-typedef struct {
- SSL3ProtocolVersion client_version;
- SSL3Random random;
- SSL3SessionID session_id;
- SECItem cipher_suites;
- uint8 cm_count;
- SSL3CompressionMethod compression_methods[MAX_COMPRESSION_METHODS];
-} SSL3ClientHello;
-
-typedef struct {
- SSL3ProtocolVersion server_version;
- SSL3Random random;
- SSL3SessionID session_id;
- ssl3CipherSuite cipher_suite;
- SSL3CompressionMethod compression_method;
-} SSL3ServerHello;
-
-typedef struct {
- SECItem list;
-} SSL3Certificate;
-
-typedef enum {
- sign_null, sign_rsa, sign_dsa
-} SSL3SignType;
-
-/* The SSL key exchange method used */
-typedef enum {
- kea_null,
- kea_rsa,
- kea_rsa_export,
- kea_rsa_export_1024,
- kea_dh_dss,
- kea_dh_dss_export,
- kea_dh_rsa,
- kea_dh_rsa_export,
- kea_dhe_dss,
- kea_dhe_dss_export,
- kea_dhe_rsa,
- kea_dhe_rsa_export,
- kea_dh_anon,
- kea_dh_anon_export,
- kea_fortezza,
- kea_rsa_fips
-} SSL3KeyExchangeAlgorithm;
-
-typedef struct {
- SECItem modulus;
- SECItem exponent;
-} SSL3ServerRSAParams;
-
-typedef struct {
- SECItem p;
- SECItem g;
- SECItem Ys;
-} SSL3ServerDHParams;
-
-typedef struct {
- union {
- SSL3ServerDHParams dh;
- SSL3ServerRSAParams rsa;
- } u;
-} SSL3ServerParams;
-
-typedef struct {
- uint8 md5[16];
- uint8 sha[20];
-} SSL3Hashes;
-
-typedef struct {
- union {
- SSL3Opaque anonymous;
- SSL3Hashes certified;
- } u;
-} SSL3ServerKeyExchange;
-
-typedef enum {
- ct_RSA_sign = 1,
- ct_DSS_sign = 2,
- ct_RSA_fixed_DH = 3,
- ct_DSS_fixed_DH = 4,
- ct_RSA_ephemeral_DH = 5,
- ct_DSS_ephemeral_DH = 6,
- ct_Fortezza = 20
-} SSL3ClientCertificateType;
-
-typedef SECItem *SSL3DistinquishedName;
-
-typedef struct {
- SSL3Opaque client_version[2];
- SSL3Opaque random[46];
-} SSL3RSAPreMasterSecret;
-
-typedef SECItem SSL3EncryptedPreMasterSecret;
-
-/* Following struct is the format of a Fortezza ClientKeyExchange message. */
-typedef struct {
- SECItem y_c;
- SSL3Opaque r_c [128];
- SSL3Opaque y_signature [40];
- SSL3Opaque wrapped_client_write_key [12];
- SSL3Opaque wrapped_server_write_key [12];
- SSL3Opaque client_write_iv [24];
- SSL3Opaque server_write_iv [24];
- SSL3Opaque master_secret_iv [24];
- SSL3Opaque encrypted_preMasterSecret[48];
-} SSL3FortezzaKeys;
-
-typedef SSL3Opaque SSL3MasterSecret[48];
-
-typedef enum { implicit, explicit } SSL3PublicValueEncoding;
-
-typedef struct {
- union {
- SSL3Opaque implicit;
- SECItem explicit;
- } dh_public;
-} SSL3ClientDiffieHellmanPublic;
-
-typedef struct {
- union {
- SSL3EncryptedPreMasterSecret rsa;
- SSL3ClientDiffieHellmanPublic diffie_helman;
- SSL3FortezzaKeys fortezza;
- } exchange_keys;
-} SSL3ClientKeyExchange;
-
-typedef SSL3Hashes SSL3PreSignedCertificateVerify;
-
-typedef SECItem SSL3CertificateVerify;
-
-typedef enum {
- sender_client = 0x434c4e54,
- sender_server = 0x53525652
-} SSL3Sender;
-
-typedef SSL3Hashes SSL3Finished;
-
-typedef struct {
- SSL3Opaque verify_data[12];
-} TLSFinished;
-
-#endif /* __ssl3proto_h_ */
diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c
deleted file mode 100644
index 7b7fad11e..000000000
--- a/security/nss/lib/ssl/sslauth.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include "cert.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "pk11func.h"
-
-/* NEED LOCKS IN HERE. */
-CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd)
-{
- sslSocket *ss;
- sslSecurityInfo *sec;
-
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
- SSL_GETPID(), fd));
- return 0;
- }
- sec = ss->sec;
- if (ss->useSecurity && sec && sec->peerCert) {
- return CERT_DupCertificate(sec->peerCert);
- }
- return 0;
-}
-
-/* NEED LOCKS IN HERE. */
-int
-SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
- char **ip, char **sp)
-{
- sslSocket *ss;
- sslSecurityInfo *sec;
- const char *cipherName;
- PRBool isDes = PR_FALSE;
-
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
- SSL_GETPID(), fd));
- return SECFailure;
- }
-
- if (cp) *cp = 0;
- if (kp0) *kp0 = 0;
- if (kp1) *kp1 = 0;
- if (ip) *ip = 0;
- if (sp) *sp = 0;
- if (op) {
- *op = SSL_SECURITY_STATUS_OFF;
- }
-
- if (ss->useSecurity && ss->connected) {
- PORT_Assert(ss->sec != 0);
- sec = ss->sec;
-
- if (ss->version < SSL_LIBRARY_VERSION_3_0) {
- cipherName = ssl_cipherName[sec->cipherType];
- } else {
- cipherName = ssl3_cipherName[sec->cipherType];
- }
- if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
- /* do same key stuff for fortezza */
-
- if (cp) {
- *cp = PORT_Strdup(cipherName);
- }
-
- if (kp0) {
- *kp0 = sec->keyBits;
- if (isDes) *kp0 = (*kp0 * 7) / 8;
- }
- if (kp1) {
- *kp1 = sec->secretKeyBits;
- if (isDes) *kp1 = (*kp1 * 7) / 8;
- }
- if (op) {
- if (sec->keyBits == 0) {
- *op = SSL_SECURITY_STATUS_OFF;
- } else if (sec->secretKeyBits < 90) {
- *op = SSL_SECURITY_STATUS_ON_LOW;
-
- } else {
- *op = SSL_SECURITY_STATUS_ON_HIGH;
- }
- }
-
- if (ip || sp) {
- CERTCertificate *cert;
-
- cert = sec->peerCert;
- if (cert) {
- if (ip) {
- *ip = CERT_NameToAscii(&cert->issuer);
- }
- if (sp) {
- *sp = CERT_NameToAscii(&cert->subject);
- }
- } else {
- if (ip) {
- *ip = PORT_Strdup("no certificate");
- }
- if (sp) {
- *sp = PORT_Strdup("no certificate");
- }
- }
- }
- }
-
- return 0;
-}
-
-/************************************************************************/
-
-/* NEED LOCKS IN HERE. */
-int
-SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
-
- if ((rv = ssl_CreateSecurityInfo(ss)) != 0) {
- return(rv);
- }
- ss->authCertificate = func;
- ss->authCertificateArg = arg;
-
- return(0);
-}
-
-/* NEED LOCKS IN HERE. */
-int
-SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
- void *arg)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
-
- if ((rv = ssl_CreateSecurityInfo(ss)) != 0) {
- return rv;
- }
- ss->getClientAuthData = func;
- ss->getClientAuthDataArg = arg;
- return 0;
-}
-
-/* NEED LOCKS IN HERE. */
-int
-SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
- SSL_GETPID(), s));
- return SECFailure;
- }
-
- if ((rv = ssl_CreateSecurityInfo(ss)) != 0) {
- return rv;
- }
- ss->pkcs11PinArg = arg;
- return 0;
-}
-
-
-/* This is the "default" authCert callback function. It is called when a
- * certificate message is received from the peer and the local application
- * has not registered an authCert callback function.
- */
-int
-SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
-{
- SECStatus rv;
- CERTCertDBHandle * handle;
- sslSocket * ss;
- SECCertUsage certUsage;
- char * hostname = NULL;
-
- ss = ssl_FindSocket(fd);
- PORT_Assert(ss != NULL);
-
- handle = (CERTCertDBHandle *)arg;
-
- /* this may seem backwards, but isn't. */
- certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
-
- rv = CERT_VerifyCertNow(handle, ss->sec->peerCert, checkSig, certUsage,
- ss->pkcs11PinArg);
-
- if ( rv != SECSuccess || isServer )
- return rv;
-
- /* cert is OK. This is the client side of an SSL connection.
- * Now check the name field in the cert against the desired hostname.
- * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
- */
- hostname = ss->url;
- if (hostname && hostname[0])
- rv = CERT_VerifyCertName(ss->sec->peerCert, hostname);
- else
- rv = SECFailure;
- if (rv != SECSuccess)
- PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-
- return rv;
-}
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
deleted file mode 100644
index e4a3e3ecd..000000000
--- a/security/nss/lib/ssl/sslcon.c
+++ /dev/null
@@ -1,3683 +0,0 @@
-/*
- * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "sechash.h"
-#include "cryptohi.h" /* for SGN_ funcs */
-#include "keyhi.h" /* for SECKEY_ high level functions. */
-#include "softoken.h" /* for RSA_FormatBlock */
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "ssl3prot.h"
-#include "sslerr.h"
-#include "pk11func.h"
-#include "prinit.h"
-#include "prtime.h" /* for PR_Now() */
-
-#define XXX
-
-static PRBool policyWasSet;
-
-/* This ordered list is indexed by (SSL_CK_xx * 3) */
-/* Second and third bytes are MSB and LSB of master key length. */
-static const PRUint8 allCipherSuites[] = {
- 0, 0, 0,
- SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
- SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
- SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80,
- SSL_CK_IDEA_128_CBC_WITH_MD5, 0x00, 0x80,
- SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
- 0, 0, 0
-};
-
-#define ssl2_NUM_SUITES_IMPLEMENTED 6
-
-/* This list is sent back to the client when the client-hello message
- * contains no overlapping ciphers, so the client can report what ciphers
- * are supported by the server. Unlike allCipherSuites (above), this list
- * is sorted by descending preference, not by cipherSuite number.
- */
-static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
- SSL_CK_RC4_128_WITH_MD5, 0x00, 0x80,
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5, 0x00, 0xC0,
- SSL_CK_RC2_128_CBC_WITH_MD5, 0x00, 0x80,
- SSL_CK_DES_64_CBC_WITH_MD5, 0x00, 0x40,
- SSL_CK_RC4_128_EXPORT40_WITH_MD5, 0x00, 0x80,
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, 0x00, 0x80
-};
-
-typedef struct ssl2SpecsStr {
- PRUint8 nkm; /* do this many hashes to generate key material. */
- PRUint8 nkd; /* size of readKey and writeKey in bytes. */
- PRUint8 blockSize;
- PRUint8 blockShift;
- CK_MECHANISM_TYPE mechanism;
- PRUint8 keyLen; /* cipher symkey size in bytes. */
- PRUint8 pubLen; /* publicly reveal this many bytes of key. */
- PRUint8 ivLen; /* length of IV data at *ca. */
-} ssl2Specs;
-
-static const ssl2Specs ssl_Specs[] = {
-/* NONE */
- { 0, 0, 0, 0, },
-/* SSL_CK_RC4_128_WITH_MD5 */
- { 2, 16, 1, 0, CKM_RC4, 16, 0, 0, },
-/* SSL_CK_RC4_128_EXPORT40_WITH_MD5 */
- { 2, 16, 1, 0, CKM_RC4, 16, 11, 0, },
-/* SSL_CK_RC2_128_CBC_WITH_MD5 */
- { 2, 16, 8, 3, CKM_RC2_CBC, 16, 0, 8, },
-/* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 */
- { 2, 16, 8, 3, CKM_RC2_CBC, 16, 11, 8, },
-/* SSL_CK_IDEA_128_CBC_WITH_MD5 */
- { 0, 0, 0, 0, },
-/* SSL_CK_DES_64_CBC_WITH_MD5 */
- { 1, 8, 8, 3, CKM_DES_CBC, 8, 0, 8, },
-/* SSL_CK_DES_192_EDE3_CBC_WITH_MD5 */
- { 3, 24, 8, 3, CKM_DES3_CBC, 24, 0, 8, },
-};
-
-#define SET_ERROR_CODE /* reminder */
-#define TEST_FOR_FAILURE /* reminder */
-
-/*
-** Put a string tag in the library so that we can examine an executable
-** and see what kind of security it supports.
-*/
-const char *ssl_version = "SECURITY_VERSION:"
- " +us"
- " +export"
-#ifdef TRACE
- " +trace"
-#endif
-#ifdef DEBUG
- " +debug"
-#endif
- ;
-
-const char * const ssl_cipherName[] = {
- "unknown",
- "RC4",
- "RC4-Export",
- "RC2-CBC",
- "RC2-CBC-Export",
- "IDEA-CBC",
- "DES-CBC",
- "DES-EDE3-CBC",
- "unknown",
- "Fortezza",
-};
-
-
-/* bit-masks, showing which SSLv2 suites are allowed.
- * lsb corresponds to first cipher suite in allCipherSuites[].
- */
-static PRUint16 allowedByPolicy; /* all off by default */
-static PRUint16 maybeAllowedByPolicy; /* all off by default */
-static PRUint16 chosenPreference = 0xff; /* all on by default */
-
-/* bit values for the above two bit masks */
-#define SSL_CB_RC4_128_WITH_MD5 (1 << SSL_CK_RC4_128_WITH_MD5)
-#define SSL_CB_RC4_128_EXPORT40_WITH_MD5 (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
-#define SSL_CB_RC2_128_CBC_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
-#define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
-#define SSL_CB_IDEA_128_CBC_WITH_MD5 (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
-#define SSL_CB_DES_64_CBC_WITH_MD5 (1 << SSL_CK_DES_64_CBC_WITH_MD5)
-#define SSL_CB_DES_192_EDE3_CBC_WITH_MD5 (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
-#define SSL_CB_IMPLEMENTED \
- (SSL_CB_RC4_128_WITH_MD5 | \
- SSL_CB_RC4_128_EXPORT40_WITH_MD5 | \
- SSL_CB_RC2_128_CBC_WITH_MD5 | \
- SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 | \
- SSL_CB_DES_64_CBC_WITH_MD5 | \
- SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
-
-
-/* Construct a socket's list of cipher specs from the global default values.
- */
-static SECStatus
-ssl2_ConstructCipherSpecs(sslSocket *ss)
-{
- PRUint8 * cs = NULL;
- unsigned int allowed;
- unsigned int count;
- int ssl3_count = 0;
- int final_count;
- int i;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- count = 0;
- PORT_Assert(ss != 0);
- allowed = !ss->enableSSL2 ? 0 :
- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
- while (allowed) {
- if (allowed & 1)
- ++count;
- allowed >>= 1;
- }
-
- /* Call ssl3_config_match_init() once here,
- * instead of inside ssl3_ConstructV2CipherSpecsHack(),
- * because the latter gets called twice below,
- * and then again in ssl2_BeginClientHandshake().
- */
- ssl3_config_match_init(ss);
-
- /* ask SSL3 how many cipher suites it has. */
- rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
- if (rv < 0)
- return rv;
- count += ssl3_count;
-
- /* Allocate memory to hold cipher specs */
- if (count > 0)
- cs = (PRUint8*) PORT_Alloc(count * 3);
- else
- PORT_SetError(SSL_ERROR_SSL_DISABLED);
- if (cs == NULL)
- return SECFailure;
-
- if (ss->cipherSpecs != NULL) {
- PORT_Free(ss->cipherSpecs);
- }
- ss->cipherSpecs = cs;
- ss->sizeCipherSpecs = count * 3;
-
- /* fill in cipher specs for SSL2 cipher suites */
- allowed = !ss->enableSSL2 ? 0 :
- (ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
- for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
- const PRUint8 * hs = implementedCipherSuites + i;
- int ok = allowed & (1U << hs[0]);
- if (ok) {
- cs[0] = hs[0];
- cs[1] = hs[1];
- cs[2] = hs[2];
- cs += 3;
- }
- }
-
- /* now have SSL3 add its suites onto the end */
- rv = ssl3_ConstructV2CipherSpecsHack(ss, cs, &final_count);
-
- /* adjust for any difference between first pass and second pass */
- ss->sizeCipherSpecs -= (ssl3_count - final_count) * 3;
-
- return rv;
-}
-
-/* This function is called immediately after ssl2_ConstructCipherSpecs()
-** at the beginning of a handshake. It detects cases where a protocol
-** (e.g. SSL2 or SSL3) is logically enabled, but all its cipher suites
-** for that protocol have been disabled. If such cases, it clears the
-** enable bit for the protocol. If no protocols remain enabled, or
-** if no cipher suites are found, it sets the error code and returns
-** SECFailure, otherwise it returns SECSuccess.
-*/
-static SECStatus
-ssl2_CheckConfigSanity(sslSocket *ss)
-{
- unsigned int allowed;
- int ssl3CipherCount = 0;
- SECStatus rv;
-
- /* count the SSL2 and SSL3 enabled ciphers.
- * if either is zero, clear the socket's enable for that protocol.
- */
- if (!ss->cipherSpecs)
- goto disabled;
-
- allowed = ss->allowedByPolicy & ss->chosenPreference;
- if (! allowed)
- ss->enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
-
- /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
- /* Ask how many ssl3 CipherSuites were enabled. */
- rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
- if (rv != SECSuccess || ssl3CipherCount <= 0) {
- ss->enableSSL3 = PR_FALSE; /* not really enabled if no ciphers */
- ss->enableTLS = PR_FALSE;
- }
-
- if (!ss->enableSSL2 && !ss->enableSSL3 && !ss->enableTLS) {
- SSL_DBG(("%d: SSL[%d]: Can't handshake! both v2 and v3 disabled.",
- SSL_GETPID(), ss->fd));
-disabled:
- PORT_SetError(SSL_ERROR_SSL_DISABLED);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this. Probably want a global lock.
- */
-SECStatus
-ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
-{
- PRUint32 bitMask;
- SECStatus rv = SECSuccess;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- return SECFailure;
- }
-
- if (policy == SSL_ALLOWED) {
- allowedByPolicy |= bitMask;
- maybeAllowedByPolicy |= bitMask;
- } else if (policy == SSL_RESTRICTED) {
- allowedByPolicy &= ~bitMask;
- maybeAllowedByPolicy |= bitMask;
- } else {
- allowedByPolicy &= ~bitMask;
- maybeAllowedByPolicy &= ~bitMask;
- }
- allowedByPolicy &= SSL_CB_IMPLEMENTED;
- maybeAllowedByPolicy &= SSL_CB_IMPLEMENTED;
-
- policyWasSet = PR_TRUE;
- return rv;
-}
-
-SECStatus
-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
-{
- PRUint32 bitMask;
- PRInt32 policy;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- /* Caller assures oPolicy is not null. */
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- *oPolicy = SSL_NOT_ALLOWED;
- return SECFailure;
- }
-
- if (maybeAllowedByPolicy & bitMask) {
- policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
- } else {
- policy = SSL_NOT_ALLOWED;
- }
-
- *oPolicy = policy;
- return SECSuccess;
-}
-
-/*
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this. Probably want a global lock.
- * Called from SSL_CipherPrefSetDefault in sslsock.c
- * These changes have no effect on any sslSockets already created.
- */
-SECStatus
-ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
-{
- PRUint32 bitMask;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- return SECFailure;
- }
-
- if (enabled)
- chosenPreference |= bitMask;
- else
- chosenPreference &= ~bitMask;
- chosenPreference &= SSL_CB_IMPLEMENTED;
-
- return SECSuccess;
-}
-
-SECStatus
-ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
-{
- PRBool rv = PR_FALSE;
- PRUint32 bitMask;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- *enabled = PR_FALSE;
- return SECFailure;
- }
-
- rv = (PRBool)((chosenPreference & bitMask) != 0);
- *enabled = rv;
- return SECSuccess;
-}
-
-SECStatus
-ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled)
-{
- PRUint32 bitMask;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- return SECFailure;
- }
-
- if (enabled)
- ss->chosenPreference |= bitMask;
- else
- ss->chosenPreference &= ~bitMask;
- ss->chosenPreference &= SSL_CB_IMPLEMENTED;
-
- return SECSuccess;
-}
-
-SECStatus
-ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
-{
- PRBool rv = PR_FALSE;
- PRUint32 bitMask;
-
- which &= 0x000f;
- bitMask = 1 << which;
-
- if (!(bitMask & SSL_CB_IMPLEMENTED)) {
- PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
- *enabled = PR_FALSE;
- return SECFailure;
- }
-
- rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
- *enabled = rv;
- return SECSuccess;
-}
-
-
-/* copy global default policy into socket. */
-void
-ssl2_InitSocketPolicy(sslSocket *ss)
-{
- ss->allowedByPolicy = allowedByPolicy;
- ss->maybeAllowedByPolicy = maybeAllowedByPolicy;
- ss->chosenPreference = chosenPreference;
-}
-
-
-/************************************************************************/
-
-/* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
- */
-static SECStatus
-ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey,
- int cipherChoice)
-{
- switch (cipherChoice) {
-
- case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
- case SSL_CK_RC2_128_CBC_WITH_MD5:
- case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
- case SSL_CK_RC4_128_WITH_MD5:
- case SSL_CK_DES_64_CBC_WITH_MD5:
- case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
- sec->hash = &SECHashObjects[HASH_AlgMD5];
- SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
- SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
- break;
-
- default:
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- return SECFailure;
- }
- sec->hashcx = (*sec->hash->create)();
- if (sec->hashcx == NULL)
- return SECFailure;
- return SECSuccess;
-}
-
-/************************************************************************
- * All the Send functions below must acquire and release the socket's
- * xmitBufLock.
- */
-
-/* Called from all the Send* functions below. */
-static SECStatus
-ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
-{
- sslConnectInfo *ci;
- SECStatus rv = SECSuccess;
-
- PORT_Assert((ss->sec != 0));
-
- PORT_Assert(ssl_HaveXmitBufLock(ss));
-
- ci = &ss->sec->ci;
-
- if (len < 128) {
- len = 128;
- }
- if (len > ci->sendBuf.space) {
- rv = sslBuffer_Grow(&ci->sendBuf, len);
- if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
- SSL_GETPID(), ss->fd, len));
- rv = SECFailure;
- }
- }
- return rv;
-}
-
-/* Called from:
- * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
- * ssl2_HandleRequestCertificate() <- ssl2_HandleMessage() <-
- ssl_Do1stHandshake()
- * ssl2_HandleMessage() <- ssl_Do1stHandshake()
- * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
- after ssl2_BeginClientHandshake()
- * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
- * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
- after ssl2_BeginServerHandshake()
- *
- * Acquires and releases the socket's xmitBufLock.
- */
-int
-ssl2_SendErrorMessage(sslSocket *ss, int error)
-{
- sslSecurityInfo *sec;
- int rv;
- PRUint8 msg[SSL_HL_ERROR_HBYTES];
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- msg[0] = SSL_MT_ERROR;
- msg[1] = MSB(error);
- msg[2] = LSB(error);
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
-
- SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
-
- rv = (*sec->send)(ss, msg, sizeof(msg), 0);
- if (rv >= 0) {
- rv = SECSuccess;
- }
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/* Called from ssl2_TryToFinish().
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendClientFinishedMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- SECStatus rv = SECSuccess;
- int sent;
- PRUint8 msg[1 + SSL_CONNECTIONID_BYTES];
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
- ci = &sec->ci;
-
- if (ci->sentFinished == 0) {
- ci->sentFinished = 1;
-
- SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
- SSL_GETPID(), ss->fd));
-
- msg[0] = SSL_MT_CLIENT_FINISHED;
- PORT_Memcpy(msg+1, ci->connectionID, sizeof(ci->connectionID));
-
- DUMP_MSG(29, (ss, msg, 1 + sizeof(ci->connectionID)));
- sent = (*sec->send)(ss, msg, 1 + sizeof(ci->connectionID), 0);
- rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
- }
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/* Called from
- * ssl2_HandleClientSessionKeyMessage() <- ssl2_HandleClientHelloMessage()
- * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake()
- after ssl2_BeginServerHandshake()
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendServerVerifyMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- PRUint8 * msg;
- int sendLen;
- int sent;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
- ci = &sec->ci;
-
- sendLen = 1 + SSL_CHALLENGE_BYTES;
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv != SECSuccess) {
- goto done;
- }
-
- msg = ci->sendBuf.buf;
- msg[0] = SSL_MT_SERVER_VERIFY;
- PORT_Memcpy(msg+1, ci->clientChallenge, SSL_CHALLENGE_BYTES);
-
- DUMP_MSG(29, (ss, msg, sendLen));
- sent = (*sec->send)(ss, msg, sendLen, 0);
-
- rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-
-done:
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/* Called from ssl2_TryToFinish().
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendServerFinishedMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- sslSessionID * sid;
- PRUint8 * msg;
- int sendLen, sent;
- SECStatus rv = SECSuccess;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
- ci = &sec->ci;
-
- if (ci->sentFinished == 0) {
- ci->sentFinished = 1;
- PORT_Assert(ci->sid != 0);
- sid = ci->sid;
-
- SSL_TRC(3, ("%d: SSL[%d]: sending server-finished",
- SSL_GETPID(), ss->fd));
-
- sendLen = 1 + sizeof(sid->u.ssl2.sessionID);
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv != SECSuccess) {
- goto done;
- }
-
- msg = ci->sendBuf.buf;
- msg[0] = SSL_MT_SERVER_FINISHED;
- PORT_Memcpy(msg+1, sid->u.ssl2.sessionID,
- sizeof(sid->u.ssl2.sessionID));
-
- DUMP_MSG(29, (ss, msg, sendLen));
- sent = (*sec->send)(ss, msg, sendLen, 0);
-
- if (sent < 0) {
- /* If send failed, it is now a bogus session-id */
- (*sec->uncache)(sid);
- rv = (SECStatus)sent;
- } else if (!ss->noCache) {
- /* Put the sid in session-id cache, (may already be there) */
- (*sec->cache)(sid);
- rv = SECSuccess;
- }
- ssl_FreeSID(sid);
- ci->sid = 0;
- }
-done:
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/* Called from ssl2_ClientSetupSessionCypher() <-
- * ssl2_HandleServerHelloMessage()
- * after ssl2_BeginClientHandshake()
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendSessionKeyMessage(sslSocket *ss, int cipher, int keySize,
- PRUint8 *ca, int caLen,
- PRUint8 *ck, int ckLen,
- PRUint8 *ek, int ekLen)
-{
- sslSecurityInfo *sec;
- PRUint8 * msg;
- int sendLen;
- int sent;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
-
- sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv != SECSuccess)
- goto done;
-
- SSL_TRC(3, ("%d: SSL[%d]: sending client-session-key",
- SSL_GETPID(), ss->fd));
-
- msg = sec->ci.sendBuf.buf;
- msg[0] = SSL_MT_CLIENT_MASTER_KEY;
- msg[1] = cipher;
- msg[2] = MSB(keySize);
- msg[3] = LSB(keySize);
- msg[4] = MSB(ckLen);
- msg[5] = LSB(ckLen);
- msg[6] = MSB(ekLen);
- msg[7] = LSB(ekLen);
- msg[8] = MSB(caLen);
- msg[9] = LSB(caLen);
- PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES, ck, ckLen);
- PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen, ek, ekLen);
- PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen+ekLen, ca, caLen);
-
- DUMP_MSG(29, (ss, msg, sendLen));
- sent = (*sec->send)(ss, msg, sendLen, 0);
- rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-done:
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/* Called from ssl2_TriggerNextMessage() <- ssl2_HandleMessage()
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendCertificateRequestMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- PRUint8 * msg;
- int sent;
- int sendLen;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
- ci = &sec->ci;
-
- sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv != SECSuccess)
- goto done;
-
- SSL_TRC(3, ("%d: SSL[%d]: sending certificate request",
- SSL_GETPID(), ss->fd));
-
- /* Generate random challenge for client to encrypt */
- PK11_GenerateRandom(ci->serverChallenge, SSL_CHALLENGE_BYTES);
-
- msg = ci->sendBuf.buf;
- msg[0] = SSL_MT_REQUEST_CERTIFICATE;
- msg[1] = SSL_AT_MD5_WITH_RSA_ENCRYPTION;
- PORT_Memcpy(msg + SSL_HL_REQUEST_CERTIFICATE_HBYTES, ci->serverChallenge,
- SSL_CHALLENGE_BYTES);
-
- DUMP_MSG(29, (ss, msg, sendLen));
- sent = (*sec->send)(ss, msg, sendLen, 0);
- rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-done:
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
- * ssl2_RestartHandshakeAfterCertReq() <- (application)
- * Acquires and releases the socket's xmitBufLock.
- */
-static int
-ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert,
- SECItem *encCode)
-{
- sslSecurityInfo *sec;
- PRUint8 *msg;
- int rv, sendLen;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ssl_GetXmitBufLock(ss); /***************************************/
- sec = ss->sec;
-
- sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv)
- goto done;
-
- SSL_TRC(3, ("%d: SSL[%d]: sending certificate response",
- SSL_GETPID(), ss->fd));
-
- msg = sec->ci.sendBuf.buf;
- msg[0] = SSL_MT_CLIENT_CERTIFICATE;
- msg[1] = SSL_CT_X509_CERTIFICATE;
- msg[2] = MSB(cert->len);
- msg[3] = LSB(cert->len);
- msg[4] = MSB(encCode->len);
- msg[5] = LSB(encCode->len);
- PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES, cert->data, cert->len);
- PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES + cert->len,
- encCode->data, encCode->len);
-
- DUMP_MSG(29, (ss, msg, sendLen));
- rv = (*sec->send)(ss, msg, sendLen, 0);
- if (rv >= 0) {
- rv = SECSuccess;
- }
-done:
- ssl_ReleaseXmitBufLock(ss); /***************************************/
- return rv;
-}
-
-/********************************************************************
-** Send functions above this line must aquire & release the socket's
-** xmitBufLock.
-** All the ssl2_Send functions below this line are called vis ss->sec->send
-** and require that the caller hold the xmitBufLock.
-*/
-
-/*
-** Called from ssl2_SendStream, ssl2_SendBlock, but not from ssl2_SendClear.
-*/
-static SECStatus
-ssl2_CalcMAC(PRUint8 * result,
- sslSecurityInfo * sec,
- const PRUint8 * data,
- unsigned int dataLen,
- unsigned int paddingLen)
-{
- const PRUint8 * secret = sec->sendSecret.data;
- unsigned int secretLen = sec->sendSecret.len;
- unsigned long sequenceNumber = sec->sendSequence;
- unsigned int nout;
- PRUint8 seq[4];
- PRUint8 padding[32];/* XXX max blocksize? */
-
- if (!sec->hash || !sec->hash->length)
- return SECSuccess;
- if (!sec->hashcx)
- return SECFailure;
-
- /* Reset hash function */
- (*sec->hash->begin)(sec->hashcx);
-
- /* Feed hash the data */
- (*sec->hash->update)(sec->hashcx, secret, secretLen);
- (*sec->hash->update)(sec->hashcx, data, dataLen);
- PORT_Memset(padding, paddingLen, paddingLen);
- (*sec->hash->update)(sec->hashcx, padding, paddingLen);
-
- seq[0] = (PRUint8) (sequenceNumber >> 24);
- seq[1] = (PRUint8) (sequenceNumber >> 16);
- seq[2] = (PRUint8) (sequenceNumber >> 8);
- seq[3] = (PRUint8) (sequenceNumber);
-
- PRINT_BUF(60, (0, "calc-mac secret:", secret, secretLen));
- PRINT_BUF(60, (0, "calc-mac data:", data, dataLen));
- PRINT_BUF(60, (0, "calc-mac padding:", padding, paddingLen));
- PRINT_BUF(60, (0, "calc-mac seq:", seq, 4));
-
- (*sec->hash->update)(sec->hashcx, seq, 4);
-
- /* Get result */
- (*sec->hash->end)(sec->hashcx, result, &nout, sec->hash->length);
-
- return SECSuccess;
-}
-
-/*
-** Maximum transmission amounts. These are tiny bit smaller than they
-** need to be (they account for the MAC length plus some padding),
-** assuming the MAC is 16 bytes long and the padding is a max of 7 bytes
-** long. This gives an additional 9 bytes of slop to work within.
-*/
-#define MAX_STREAM_CYPHER_LEN 0x7fe0
-#define MAX_BLOCK_CYPHER_LEN 0x3fe0
-
-/*
-** Send some data in the clear.
-** Package up data with the length header and send it.
-**
-** Return count of bytes succesfully written, or negative number (failure).
-*/
-static PRInt32
-ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
-{
- sslSecurityInfo * sec = ss->sec;
- PRUint8 * out;
- int rv;
- int amount;
- int count = 0;
-
- PORT_Assert(sec != 0);
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
- SSL_GETPID(), ss->fd, len));
- PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
-
- while (len) {
- amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
- if (amount + 2 > sec->writeBuf.space) {
- rv = sslBuffer_Grow(&sec->writeBuf, amount + 2);
- if (rv != SECSuccess) {
- count = rv;
- break;
- }
- }
- out = sec->writeBuf.buf;
-
- /*
- ** Construct message.
- */
- out[0] = 0x80 | MSB(amount);
- out[1] = LSB(amount);
- PORT_Memcpy(&out[2], in, amount);
-
- /* Now send the data */
- rv = ssl_DefSend(ss, out, amount + 2, flags & ~ssl_SEND_FLAG_MASK);
- if (rv < 0) {
- if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
- rv = 0;
- } else {
- /* Return short write if some data already went out... */
- if (count == 0)
- count = rv;
- break;
- }
- }
-
- if ((unsigned)rv < (amount + 2)) {
- /* Short write. Save the data and return. */
- if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
- amount + 2 - rv) == SECFailure) {
- count = SECFailure;
- } else {
- count += amount;
- sec->sendSequence++;
- }
- break;
- }
-
- sec->sendSequence++;
- in += amount;
- count += amount;
- len -= amount;
- }
-
- return count;
-}
-
-/*
-** Send some data, when using a stream cipher. Stream ciphers have a
-** block size of 1. Package up the data with the length header
-** and send it.
-*/
-static PRInt32
-ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
-{
- sslSecurityInfo *sec = ss->sec;
- PRUint8 * out;
- int rv;
- int count = 0;
-
- int amount;
- PRUint8 macLen;
- int nout;
- int buflen;
-
- PORT_Assert(sec != 0);
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
- SSL_GETPID(), ss->fd, len));
- PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
-
- while (len) {
- ssl_GetSpecReadLock(ss); /*************************************/
-
- macLen = sec->hash->length;
- amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
- buflen = amount + 2 + macLen;
- if (buflen > sec->writeBuf.space) {
- rv = sslBuffer_Grow(&sec->writeBuf, buflen);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- out = sec->writeBuf.buf;
- nout = amount + macLen;
- out[0] = 0x80 | MSB(nout);
- out[1] = LSB(nout);
-
- /* Calculate MAC */
- rv = ssl2_CalcMAC(out+2, /* put MAC here */
- sec,
- in, amount, /* input addr & length */
- 0); /* no padding */
- if (rv != SECSuccess)
- goto loser;
-
- /* Encrypt MAC */
- rv = (*sec->enc)(sec->writecx, out+2, &nout, macLen, out+2, macLen);
- if (rv) goto loser;
-
- /* Encrypt data from caller */
- rv = (*sec->enc)(sec->writecx, out+2+macLen, &nout, amount, in, amount);
- if (rv) goto loser;
-
- ssl_ReleaseSpecReadLock(ss); /*************************************/
-
- PRINT_BUF(50, (ss, "encrypted data:", out, buflen));
-
- rv = ssl_DefSend(ss, out, buflen, flags & ~ssl_SEND_FLAG_MASK);
- if (rv < 0) {
- if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
- SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
- "saving data", SSL_GETPID(), ss->fd));
- rv = 0;
- } else {
- SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- /* Return short write if some data already went out... */
- if (count == 0)
- count = rv;
- goto done;
- }
- }
-
- if ((unsigned)rv < buflen) {
- /* Short write. Save the data and return. */
- if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
- buflen - rv) == SECFailure) {
- count = SECFailure;
- } else {
- count += amount;
- sec->sendSequence++;
- }
- goto done;
- }
-
- sec->sendSequence++;
- in += amount;
- count += amount;
- len -= amount;
- }
-
-done:
- return count;
-
-loser:
- ssl_ReleaseSpecReadLock(ss);
- return SECFailure;
-}
-
-/*
-** Send some data, when using a block cipher. Package up the data with
-** the length header and send it.
-*/
-/* XXX assumes blocksize is > 7 */
-static PRInt32
-ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
-{
- sslSecurityInfo *sec = ss->sec;
- PRUint8 * out; /* begining of output buffer. */
- PRUint8 * op; /* next output byte goes here. */
- int rv; /* value from funcs we called. */
- int count = 0; /* this function's return value. */
-
- unsigned int hlen; /* output record hdr len, 2 or 3 */
- unsigned int macLen; /* MAC is this many bytes long. */
- int amount; /* of plaintext to go in record. */
- unsigned int padding; /* add this many padding byte. */
- int nout; /* ciphertext size after header. */
- int buflen; /* size of generated record. */
-
- PORT_Assert(sec != 0);
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
-
- SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
- SSL_GETPID(), ss->fd, len));
- PRINT_BUF(50, (ss, "clear data:", in, len));
-
- while (len) {
- ssl_GetSpecReadLock(ss); /*************************************/
-
- macLen = sec->hash->length;
- /* Figure out how much to send, including mac and padding */
- amount = PR_MIN( len, MAX_BLOCK_CYPHER_LEN );
- nout = amount + macLen;
- padding = nout & (sec->blockSize - 1);
- if (padding) {
- hlen = 3;
- padding = sec->blockSize - padding;
- nout += padding;
- } else {
- hlen = 2;
- }
- buflen = hlen + nout;
- if (buflen > sec->writeBuf.space) {
- rv = sslBuffer_Grow(&sec->writeBuf, buflen);
- if (rv != SECSuccess) {
- goto loser;
- }
- }
- out = sec->writeBuf.buf;
-
- /* Construct header */
- op = out;
- if (padding) {
- *op++ = MSB(nout);
- *op++ = LSB(nout);
- *op++ = padding;
- } else {
- *op++ = 0x80 | MSB(nout);
- *op++ = LSB(nout);
- }
-
- /* Calculate MAC */
- rv = ssl2_CalcMAC(op, /* MAC goes here. */
- sec,
- in, amount, /* intput addr, len */
- padding);
- if (rv != SECSuccess)
- goto loser;
- op += macLen;
-
- /* Copy in the input data */
- /* XXX could eliminate the copy by folding it into the encryption */
- PORT_Memcpy(op, in, amount);
- op += amount;
- if (padding) {
- PORT_Memset(op, padding, padding);
- op += padding;
- }
-
- /* Encrypt result */
- rv = (*sec->enc)(sec->writecx, out+hlen, &nout, buflen-hlen,
- out+hlen, op - (out + hlen));
- if (rv)
- goto loser;
-
- ssl_ReleaseSpecReadLock(ss); /*************************************/
-
- PRINT_BUF(50, (ss, "final xmit data:", out, op - out));
-
- rv = ssl_DefSend(ss, out, op - out, flags & ~ssl_SEND_FLAG_MASK);
- if (rv < 0) {
- if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
- rv = 0;
- } else {
- SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- /* Return short write if some data already went out... */
- if (count == 0)
- count = rv;
- goto done;
- }
- }
-
- if (rv < (op - out)) {
- /* Short write. Save the data and return. */
- if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
- op - out - rv) == SECFailure) {
- count = SECFailure;
- } else {
- count += amount;
- sec->sendSequence++;
- }
- goto done;
- }
-
- sec->sendSequence++;
- in += amount;
- count += amount;
- len -= amount;
- }
-
-done:
- return count;
-
-loser:
- ssl_ReleaseSpecReadLock(ss);
- return SECFailure;
-}
-
-/*
-** Called from: ssl2_HandleServerHelloMessage,
-** ssl2_HandleClientSessionKeyMessage,
-** ssl2_RestartHandshakeAfterServerCert,
-** ssl2_HandleClientHelloMessage,
-**
-*/
-static void
-ssl2_UseEncryptedSendFunc(sslSocket *ss)
-{
- sslSecurityInfo *sec;
-
- ssl_GetXmitBufLock(ss);
- PORT_Assert(ss->sec != 0);
- sec = ss->sec;
- PORT_Assert(sec->hashcx != 0);
-
- ss->gather->encrypted = 1;
- sec->send = (sec->blockSize > 1) ? ssl2_SendBlock : ssl2_SendStream;
- ssl_ReleaseXmitBufLock(ss);
-}
-
-/* Called while initializing socket in ssl_CreateSecurityInfo().
-** This function allows us to keep the name of ssl2_SendClear static.
-*/
-void
-ssl2_UseClearSendFunc(sslSocket *ss)
-{
- ss->sec->send = ssl2_SendClear;
-}
-
-/************************************************************************
-** END of Send functions. *
-*************************************************************************/
-
-/***********************************************************************
- * For SSL3, this gathers in and handles records/messages until either
- * the handshake is complete or application data is available.
- *
- * For SSL2, this gathers in only the next SSLV2 record.
- *
- * Called from ssl_Do1stHandshake() via function pointer ss->handshake.
- * Caller must hold handshake lock.
- * This function acquires and releases the RecvBufLock.
- *
- * returns SECSuccess for success.
- * returns SECWouldBlock when that value is returned by ssl2_GatherRecord() or
- * ssl3_GatherCompleteHandshake().
- * returns SECFailure on all other errors.
- *
- * The gather functions called by ssl_GatherRecord1stHandshake are expected
- * to return values interpreted as follows:
- * 1 : the function completed without error.
- * 0 : the function read EOF.
- * -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
- * -2 : the function wants ssl_GatherRecord1stHandshake to be called again
- * immediately, by ssl_Do1stHandshake.
- *
- * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
- *
- * This function is called from ssl_Do1stHandshake().
- * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
- * ssl2_HandleMessage
- * ssl2_HandleVerifyMessage
- * ssl2_HandleServerHelloMessage
- * ssl2_BeginClientHandshake
- * ssl2_HandleClientSessionKeyMessage
- * ssl2_RestartHandshakeAfterCertReq
- * ssl3_RestartHandshakeAfterCertReq
- * ssl2_RestartHandshakeAfterServerCert
- * ssl3_RestartHandshakeAfterServerCert
- * ssl2_HandleClientHelloMessage
- * ssl2_BeginServerHandshake
- */
-SECStatus
-ssl_GatherRecord1stHandshake(sslSocket *ss)
-{
- int rv;
-
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- ssl_GetRecvBufLock(ss);
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
- /* Wait for handshake to complete, or application data to arrive. */
- rv = ssl3_GatherCompleteHandshake(ss, 0);
- } else {
- /* See if we have a complete record */
- rv = ssl2_GatherRecord(ss, 0);
- }
- SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
- SSL_GETPID(), ss->fd, rv));
-
- ssl_ReleaseRecvBufLock(ss);
-
- if (rv <= 0) {
- if (rv == SECWouldBlock) {
- /* Progress is blocked waiting for callback completion. */
- SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
- SSL_GETPID(), ss->fd, ss->gather->remainder));
- return SECWouldBlock;
- }
- if (rv == 0) {
- /* EOF. Loser */
- PORT_SetError(PR_END_OF_FILE_ERROR);
- }
- return SECFailure; /* rv is < 0 here. */
- }
-
- SSL_TRC(10, ("%d: SSL[%d]: got handshake record of %d bytes",
- SSL_GETPID(), ss->fd, ss->gather->recordLen));
-
- ss->handshake = 0; /* makes ssl_Do1stHandshake call ss->nextHandshake.*/
- return SECSuccess;
-}
-
-/************************************************************************/
-
-/* Called from ssl2_ServerSetupSessionCypher()
- * ssl2_ClientSetupSessionCypher()
- */
-static SECStatus
-ssl2_FillInSID(sslSessionID * sid,
- int cipher,
- PRUint8 *keyData,
- int keyLen,
- PRUint8 *ca,
- int caLen,
- int keyBits,
- int secretKeyBits)
-{
- PORT_Assert(sid->references == 1);
- PORT_Assert(sid->cached == never_cached);
- PORT_Assert(sid->u.ssl2.masterKey.data == 0);
- PORT_Assert(sid->u.ssl2.cipherArg.data == 0);
-
- sid->version = SSL_LIBRARY_VERSION_2;
-
- sid->u.ssl2.cipherType = cipher;
- sid->u.ssl2.masterKey.data = (PRUint8*) PORT_Alloc(keyLen);
- if (!sid->u.ssl2.masterKey.data) {
- return SECFailure;
- }
- PORT_Memcpy(sid->u.ssl2.masterKey.data, keyData, keyLen);
- sid->u.ssl2.masterKey.len = keyLen;
- sid->u.ssl2.keyBits = keyBits;
- sid->u.ssl2.secretKeyBits = secretKeyBits;
-
- if (caLen) {
- sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
- if (!sid->u.ssl2.cipherArg.data) {
- return SECFailure;
- }
- sid->u.ssl2.cipherArg.len = caLen;
- PORT_Memcpy(sid->u.ssl2.cipherArg.data, ca, caLen);
- }
- return SECSuccess;
-}
-
-/*
-** Construct session keys given the masterKey (tied to the session-id),
-** the client's challenge and the server's nonce.
-**
-** Called from ssl2_CreateSessionCypher() <-
-*/
-static SECStatus
-ssl2_ProduceKeys(sslSocket * ss,
- SECItem * readKey,
- SECItem * writeKey,
- SECItem * masterKey,
- PRUint8 * challenge,
- PRUint8 * nonce,
- int cipherType)
-{
- PK11Context * cx = 0;
- unsigned nkm = 0; /* number of hashes to generate key mat. */
- unsigned nkd = 0; /* size of readKey and writeKey. */
- unsigned part;
- unsigned i;
- unsigned off;
- SECStatus rv;
- PRUint8 countChar;
- PRUint8 km[3*16]; /* buffer for key material. */
-
- readKey->data = 0;
- writeKey->data = 0;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- rv = SECSuccess;
- cx = PK11_CreateDigestContext(SEC_OID_MD5);
- if (cx == NULL) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- return SECFailure;
- }
-
- nkm = ssl_Specs[cipherType].nkm;
- nkd = ssl_Specs[cipherType].nkd;
-
- readKey->data = (PRUint8*) PORT_Alloc(nkd);
- if (!readKey->data)
- goto loser;
- readKey->len = nkd;
-
- writeKey->data = (PRUint8*) PORT_Alloc(nkd);
- if (!writeKey->data)
- goto loser;
- writeKey->len = nkd;
-
- /* Produce key material */
- countChar = '0';
- for (i = 0, off = 0; i < nkm; i++, off += 16) {
- rv = PK11_DigestBegin(cx);
- rv |= PK11_DigestOp(cx, masterKey->data, masterKey->len);
- rv |= PK11_DigestOp(cx, &countChar, 1);
- rv |= PK11_DigestOp(cx, challenge, SSL_CHALLENGE_BYTES);
- rv |= PK11_DigestOp(cx, nonce, SSL_CONNECTIONID_BYTES);
- rv |= PK11_DigestFinal(cx, km+off, &part, MD5_LENGTH);
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- rv = SECFailure;
- goto loser;
- }
- countChar++;
- }
-
- /* Produce keys */
- PORT_Memcpy(readKey->data, km, nkd);
- PORT_Memcpy(writeKey->data, km + nkd, nkd);
-
-loser:
- PK11_DestroyContext(cx, PR_TRUE);
- return rv;
-}
-
-/* Called from ssl2_ServerSetupSessionCypher() <- ssl2_HandleClientSessionKeyMessage()
- <- ssl2_HandleClientHelloMessage()
- * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
- */
-static SECStatus
-ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
-{
- sslSecurityInfo * sec;
- sslConnectInfo * ci;
- SECItem * rk;
- SECItem * wk;
- SECItem * param;
- SECStatus rv;
- int cipherType = sid->u.ssl2.cipherType;
- PK11SlotInfo * slot = NULL;
- CK_MECHANISM_TYPE mechanism;
- SECItem readKey;
- SECItem writeKey;
-
- void *readcx = 0;
- void *writecx = 0;
- readKey.data = 0;
- writeKey.data = 0;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
- if((ss->sec == 0) || (ss->sec->ci.sid == 0))
- goto sec_loser; /* don't crash if asserts are off */
-
- /* Trying to cut down on all these switch statements that should be tables.
- * So, test cipherType once, here, and then use tables below.
- */
- switch (cipherType) {
- case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
- case SSL_CK_RC4_128_WITH_MD5:
- case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
- case SSL_CK_RC2_128_CBC_WITH_MD5:
- case SSL_CK_DES_64_CBC_WITH_MD5:
- case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
- break;
-
- default:
- SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
- SSL_GETPID(), ss->fd, cipherType));
- PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
- goto loser;
- }
-
- sec = ss->sec;
- ci = &sec->ci;
- rk = isClient ? &readKey : &writeKey;
- wk = isClient ? &writeKey : &readKey;
-
- /* Produce the keys for this session */
- rv = ssl2_ProduceKeys(ss, &readKey, &writeKey, &sid->u.ssl2.masterKey,
- ci->clientChallenge, ci->connectionID,
- cipherType);
- if (rv != SECSuccess)
- goto loser;
- PRINT_BUF(7, (ss, "Session read-key: ", rk->data, rk->len));
- PRINT_BUF(7, (ss, "Session write-key: ", wk->data, wk->len));
-
- PORT_Memcpy(ci->readKey, readKey.data, readKey.len);
- PORT_Memcpy(ci->writeKey, writeKey.data, writeKey.len);
- ci->keySize = readKey.len;
-
- /* Setup the MAC */
- rv = ssl2_CreateMAC(sec, rk, wk, cipherType);
- if (rv != SECSuccess)
- goto loser;
-
- /* First create the session key object */
- SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
- ssl_cipherName[cipherType]));
-
-
- mechanism = ssl_Specs[cipherType].mechanism;
-
- /* set destructer before we call loser... */
- sec->destroy = (void (*)(void*, PRBool)) PK11_DestroyContext;
- slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);
- if (slot == NULL)
- goto loser;
-
- param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
- if (param == NULL)
- goto loser;
- readcx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
- CKA_DECRYPT, rk, param,
- ss->pkcs11PinArg);
- SECITEM_FreeItem(param, PR_TRUE);
- if (readcx == NULL)
- goto loser;
-
- /* build the client context */
- param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
- if (param == NULL)
- goto loser;
- writecx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
- CKA_ENCRYPT, wk, param,
- ss->pkcs11PinArg);
- SECITEM_FreeItem(param,PR_TRUE);
- if (writecx == NULL)
- goto loser;
- PK11_FreeSlot(slot);
-
- rv = SECSuccess;
- sec->enc = (SSLCipher) PK11_CipherOp;
- sec->dec = (SSLCipher) PK11_CipherOp;
- sec->readcx = (void *) readcx;
- sec->writecx = (void *) writecx;
- sec->blockSize = ssl_Specs[cipherType].blockSize;
- sec->blockShift = ssl_Specs[cipherType].blockShift;
- sec->cipherType = sid->u.ssl2.cipherType;
- sec->keyBits = sid->u.ssl2.keyBits;
- sec->secretKeyBits = sid->u.ssl2.secretKeyBits;
- goto done;
-
- loser:
- if (sec->destroy) {
- if (readcx) (*sec->destroy)(readcx, PR_TRUE);
- if (writecx) (*sec->destroy)(writecx, PR_TRUE);
- }
- if (slot) PK11_FreeSlot(slot);
-
- sec_loser:
- rv = SECFailure;
-
- done:
- SECITEM_ZfreeItem(rk, PR_FALSE);
- SECITEM_ZfreeItem(wk, PR_FALSE);
- return rv;
-}
-
-/*
-** Setup the server ciphers given information from a CLIENT-MASTER-KEY
-** message.
-** "ss" pointer to the ssl-socket object
-** "cipher" the cipher type to use
-** "keyBits" the size of the final cipher key
-** "ck" the clear-key data
-** "ckLen" the number of bytes of clear-key data
-** "ek" the encrypted-key data
-** "ekLen" the number of bytes of encrypted-key data
-** "ca" the cipher-arg data
-** "caLen" the number of bytes of cipher-arg data
-**
-** The MASTER-KEY is constructed by first decrypting the encrypted-key
-** data. This produces the SECRET-KEY-DATA. The MASTER-KEY is composed by
-** concatenating the clear-key data with the SECRET-KEY-DATA. This code
-** checks to make sure that the client didn't send us an improper amount
-** of SECRET-KEY-DATA (it restricts the length of that data to match the
-** spec).
-**
-** Called from ssl2_HandleClientSessionKeyMessage().
-*/
-static SECStatus
-ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
- PRUint8 *ck, unsigned int ckLen,
- PRUint8 *ek, unsigned int ekLen,
- PRUint8 *ca, unsigned int caLen)
-{
- PRUint8 *kk;
- sslSecurityInfo * sec;
- sslSessionID * sid;
- PRUint8 * kbuf = 0; /* buffer for RSA decrypted data. */
- unsigned int el1; /* length of RSA decrypted data in kbuf */
- unsigned int keySize;
- unsigned int modulus;
- SECStatus rv;
- PRUint8 mkbuf[SSL_MAX_MASTER_KEY_BYTES];
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert((ss->sec != 0) && (ss->serverKey[kt_rsa] != 0));
- sec = ss->sec;
- PORT_Assert((sec->ci.sid != 0));
- sid = sec->ci.sid;
-
- keySize = (keyBits + 7) >> 3;
- /* Is the message just way too big? */
- if (keySize > SSL_MAX_MASTER_KEY_BYTES) {
- /* bummer */
- SSL_DBG(("%d: SSL[%d]: keySize=%d ckLen=%d max session key size=%d",
- SSL_GETPID(), ss->fd, keySize, ckLen,
- SSL_MAX_MASTER_KEY_BYTES));
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- goto loser;
- }
-
-
- /* Trying to cut down on all these switch statements that should be tables.
- * So, test cipherType once, here, and then use tables below.
- */
- switch (cipher) {
- case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
- case SSL_CK_RC4_128_WITH_MD5:
- case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
- case SSL_CK_RC2_128_CBC_WITH_MD5:
- case SSL_CK_DES_64_CBC_WITH_MD5:
- case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
- break;
-
- default:
- SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
- SSL_GETPID(), ss->fd, cipher));
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- goto loser;
- }
-
- /* For export ciphers, make sure they didn't send too much key data. */
- if (ckLen != ssl_Specs[cipher].pubLen) {
- SSL_DBG(("%d: SSL[%d]: odd secret key size, keySize=%d ckLen=%d!",
- SSL_GETPID(), ss->fd, keySize, ckLen));
- /* Somebody tried to sneak by a strange secret key */
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- goto loser;
- }
-
- /* allocate the buffer to hold the decrypted portion of the key. */
- /* XXX Haven't done any range check on ekLen. */
- kbuf = (PRUint8*) PORT_Alloc(ekLen);
- if (!kbuf) {
- goto loser;
- }
-
- /*
- ** Decrypt encrypted half of the key. Note that encrypted half has
- ** been made to match the modulus size of our public key using
- ** PKCS#1. keySize is the real size of the data that is interesting.
- ** NOTE: PK11_PubDecryptRaw will barf on a non-RSA key. This is
- ** desired behavior here.
- */
- rv = PK11_PubDecryptRaw(ss->serverKey[kt_rsa], kbuf, &el1, ekLen, ek, ekLen);
- if (rv != SECSuccess)
- goto hide_loser;
-
- modulus = PK11_GetPrivateModulusLen(ss->serverKey[kt_rsa]);
- if (modulus == -1) {
- /* If the key was really bad, then PK11_pubDecryptRaw
- * would have failed, therefore the we must assume that the card
- * is just being a pain and not giving us the modulus... but it
- * should be the same size as the encrypted key length, so use it
- * and keep cranking */
- modulus = ekLen;
- }
- /* Is the length of the decrypted data (el1) the expected value? */
- if (modulus != el1)
- goto hide_loser;
-
- /* Cheaply verify that PKCS#1 was used to format the encryption block */
- kk = kbuf + modulus - (keySize - ckLen);
- if ((kbuf[0] != 0x00) || (kbuf[1] != 0x02) || (kk[-1] != 0x00)) {
- /* Tsk tsk. */
- SSL_DBG(("%d: SSL[%d]: strange encryption block",
- SSL_GETPID(), ss->fd));
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- goto hide_loser;
- }
-
- /* Make sure we're not subject to a version rollback attack. */
- if (ss->enableSSL3 || ss->enableTLS) {
- PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
- 0x03, 0x03, 0x03, 0x03 };
-
- if (PORT_Memcmp(kk - 8 - 1, threes, 8) == 0) {
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- goto hide_loser;
- }
- }
- if (0) {
-hide_loser:
- /* Defense against the Bleichenbacher attack.
- * Provide the client with NO CLUES that the decrypted master key
- * was erroneous. Don't send any error messages.
- * Instead, Generate a completely bogus master key .
- */
- PK11_GenerateRandom(kbuf, ekLen);
- }
-
- /*
- ** Construct master key out of the pieces.
- */
- if (ckLen) {
- PORT_Memcpy(mkbuf, ck, ckLen);
- }
- PORT_Memcpy(mkbuf+ckLen, kk, keySize-ckLen);
-
- /* Fill in session-id */
- rv = ssl2_FillInSID(sid, cipher, mkbuf, keySize, ca, caLen,
- keyBits, keyBits - (ckLen<<3));
- if (rv != SECSuccess) {
- goto loser;
- }
-
- /* Create session ciphers */
- rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- SSL_TRC(1, ("%d: SSL[%d]: server, using %s cipher, clear=%d total=%d",
- SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
- ckLen<<3, keySize<<3));
- rv = SECSuccess;
- goto done;
-
- loser:
- rv = SECFailure;
-
- done:
- PORT_Free(kbuf);
- return rv;
-}
-
-/************************************************************************/
-
-/*
-** Rewrite the incoming cipher specs, comparing to list of specs we support,
-** (ss->cipherSpecs) and eliminating anything we don't support
-**
-* Note: Our list may contain SSL v3 ciphers.
-* We MUST NOT match on any of those.
-* Fortunately, this is easy to detect because SSLv3 ciphers have zero
-* in the first byte, and none of the SSLv2 ciphers do.
-*
-* Called from ssl2_HandleClientHelloMessage().
-*/
-static int
-ssl2_QualifyCypherSpecs(sslSocket *ss,
- PRUint8 * cs, /* cipher specs in client hello msg. */
- int csLen)
-{
- PRUint8 * ms;
- PRUint8 * hs;
- PRUint8 * qs;
- int mc;
- int hc;
- PRUint8 qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
-
- if (!ss->cipherSpecs) {
- ssl2_ConstructCipherSpecs(ss);
- }
-
- PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
- qs = qualifiedSpecs;
- ms = ss->cipherSpecs;
- for (mc = ss->sizeCipherSpecs; mc > 0; mc -= 3, ms += 3) {
- if (ms[0] == 0)
- continue;
- for (hs = cs, hc = csLen; hc > 0; hs += 3, hc -= 3) {
- if ((hs[0] == ms[0]) &&
- (hs[1] == ms[1]) &&
- (hs[2] == ms[2])) {
- /* Copy this cipher spec into the "keep" section */
- qs[0] = hs[0];
- qs[1] = hs[1];
- qs[2] = hs[2];
- qs += 3;
- break;
- }
- }
- }
- hc = qs - qualifiedSpecs;
- PRINT_BUF(10, (ss, "qualified specs from client:", qualifiedSpecs, hc));
- PORT_Memcpy(cs, qualifiedSpecs, hc);
- return hc;
-}
-
-/*
-** Pick the best cipher we can find, given the array of server cipher
-** specs. Returns cipher number (e.g. SSL_CK_*), or -1 for no overlap.
-** If succesful, stores the master key size (bytes) in *pKeyLen.
-**
-** This is correct only for the client side, but presently
-** this function is only called from
-** ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
-**
-** Note that most servers only return a single cipher suite in their
-** ServerHello messages. So, the code below for finding the "best" cipher
-** suite usually has only one choice. The client and server should send
-** their cipher suite lists sorted in descending order by preference.
-*/
-static int
-ssl2_ChooseSessionCypher(sslSocket *ss,
- int hc, /* number of cs's in hs. */
- PRUint8 * hs, /* server hello's cipher suites. */
- int * pKeyLen) /* out: sym key size in bytes. */
-{
- PRUint8 * ms;
- unsigned int i;
- int bestKeySize;
- int bestRealKeySize;
- int bestCypher;
- int keySize;
- int realKeySize;
- PRUint8 * ohs = hs;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
-
- if (!ss->cipherSpecs) {
- ssl2_ConstructCipherSpecs(ss);
- }
-
- if (!ss->preferredCipher) {
- const PRUint8 * preferred = implementedCipherSuites;
- unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
- SSL_CB_IMPLEMENTED;
- if (allowed) {
- for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
- if (0 != (allowed & (1U << preferred[0]))) {
- ss->preferredCipher = preferred;
- break;
- }
- preferred += 3;
- }
- }
- }
- /*
- ** Scan list of ciphers recieved from peer and look for a match in
- ** our list.
- * Note: Our list may contain SSL v3 ciphers.
- * We MUST NOT match on any of those.
- * Fortunately, this is easy to detect because SSLv3 ciphers have zero
- * in the first byte, and none of the SSLv2 ciphers do.
- */
- bestKeySize = bestRealKeySize = 0;
- bestCypher = -1;
- while (--hc >= 0) {
- for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) {
- if ((hs[0] == ss->preferredCipher[0]) &&
- (hs[1] == ss->preferredCipher[1]) &&
- (hs[2] == ss->preferredCipher[2]) &&
- hs[0] != 0) {
- /* Pick this cipher immediately! */
- *pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3;
- return hs[0];
- }
- if ((hs[0] == ms[0]) && (hs[1] == ms[1]) && (hs[2] == ms[2]) &&
- hs[0] != 0) {
- /* Found a match */
-
- /* Use secret keySize to determine which cipher is best */
- realKeySize = (hs[1] << 8) | hs[2];
- switch (hs[0]) {
- case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
- case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
- keySize = 40;
- break;
- default:
- keySize = realKeySize;
- break;
- }
- if (keySize > bestKeySize) {
- bestCypher = hs[0];
- bestKeySize = keySize;
- bestRealKeySize = realKeySize;
- }
- }
- }
- hs += 3;
- }
- if (bestCypher < 0) {
- /*
- ** No overlap between server and client. Re-examine server list
- ** to see what kind of ciphers it does support so that we can set
- ** the error code appropriately.
- */
- if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
- (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
- PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
- } else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
- (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
- PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
- } else {
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- }
- SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
- goto loser;
- }
- *pKeyLen = (bestRealKeySize + 7) >> 3;
- return bestCypher;
-
- loser:
- return -1;
-}
-
-static SECStatus
-ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
-{
- CERTCertificate *cert = NULL;
- SECItem certItem;
-
- PORT_Assert(ss->sec != 0);
-
- certItem.data = certData;
- certItem.len = certLen;
-
- /* decode the certificate */
- cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
- PR_FALSE, PR_TRUE);
-
- if (cert == NULL) {
- SSL_DBG(("%d: SSL[%d]: decode of server certificate fails",
- SSL_GETPID(), ss->fd));
- PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
- return SECFailure;
- }
-
-#ifdef TRACE
- {
- if (ssl_trace >= 1) {
- char *issuer;
- char *subject;
- issuer = CERT_NameToAscii(&cert->issuer);
- subject = CERT_NameToAscii(&cert->subject);
- SSL_TRC(1,("%d: server certificate issuer: '%s'",
- SSL_GETPID(), issuer ? issuer : "OOPS"));
- SSL_TRC(1,("%d: server name: '%s'",
- SSL_GETPID(), subject ? subject : "OOPS"));
- PORT_Free(issuer);
- PORT_Free(subject);
- }
- }
-#endif
-
- ss->sec->peerCert = cert;
- return SECSuccess;
-}
-
-/*
-** Given the server's public key and cipher specs, generate a session key
-** that is ready to use for encrypting/decrypting the byte stream. At
-** the same time, generate the SSL_MT_CLIENT_MASTER_KEY message and
-** send it to the server.
-**
-** Called from ssl2_HandleServerHelloMessage()
-*/
-static SECStatus
-ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
-{
- sslSessionID * sid;
- PRUint8 * ca; /* points to iv data, or NULL if none. */
- PRUint8 * ekbuf = 0;
- CERTCertificate * cert = 0;
- SECKEYPublicKey * serverKey = 0;
- unsigned modulusLen = 0;
- SECStatus rv;
- int cipher;
- int keyLen; /* cipher symkey size in bytes. */
- int ckLen; /* publicly reveal this many bytes of key. */
- int caLen; /* length of IV data at *ca. */
- int nc;
-
- SECItem eblock; /* holds unencrypted PKCS#1 formatted key. */
- SECItem rek; /* holds portion of symkey to be encrypted. */
-
- PRUint8 keyData[SSL_MAX_MASTER_KEY_BYTES];
- PRUint8 iv [8];
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- eblock.data = 0;
- eblock.len = 0;
-
- sid = ss->sec->ci.sid;
- PORT_Assert(sid != 0);
-
- cert = ss->sec->peerCert;
-
- serverKey = CERT_ExtractPublicKey(cert);
- if (!serverKey) {
- SSL_DBG(("%d: SSL[%d]: extract public key failed: error=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
- rv = SECFailure;
- goto loser2;
- }
-
- /* Choose a compatible cipher with the server */
- nc = csLen / 3;
- cipher = ssl2_ChooseSessionCypher(ss, nc, cs, &keyLen);
- if (cipher < 0) {
- /* ssl2_ChooseSessionCypher has set error code. */
- ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
- goto loser;
- }
-
- /* Generate the random keys */
- PK11_GenerateRandom(keyData, sizeof(keyData));
-
- /*
- ** Next, carve up the keys into clear and encrypted portions. The
- ** clear data is taken from the start of keyData and the encrypted
- ** portion from the remainder. Note that each of these portions is
- ** carved in half, one half for the read-key and one for the
- ** write-key.
- */
- ca = 0;
-
- /* We know that cipher is a legit value here, because
- * ssl2_ChooseSessionCypher doesn't return bogus values.
- */
- ckLen = ssl_Specs[cipher].pubLen; /* cleartext key length. */
- caLen = ssl_Specs[cipher].ivLen; /* IV length. */
- if (caLen) {
- PORT_Assert(sizeof iv >= caLen);
- PK11_GenerateRandom(iv, caLen);
- ca = iv;
- }
-
- /* Fill in session-id */
- rv = ssl2_FillInSID(sid, cipher, keyData, keyLen,
- ca, caLen, keyLen << 3, (keyLen - ckLen) << 3);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- SSL_TRC(1, ("%d: SSL[%d]: client, using %s cipher, clear=%d total=%d",
- SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
- ckLen<<3, keyLen<<3));
-
- /* Now setup read and write ciphers */
- rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- /*
- ** Fill in the encryption buffer with some random bytes. Then
- ** copy in the portion of the session key we are encrypting.
- */
- modulusLen = SECKEY_PublicKeyStrength(serverKey);
- rek.data = keyData + ckLen;
- rek.len = keyLen - ckLen;
- rv = RSA_FormatBlock(&eblock, modulusLen, RSA_BlockPublic, &rek);
- if (rv)
- goto loser;
- /* Set up the padding for version 2 rollback detection. */
- /* XXX We should really use defines here */
- if (ss->enableSSL3 || ss->enableTLS) {
- PORT_Assert((modulusLen - rek.len) > 12);
- PORT_Memset(eblock.data + modulusLen - rek.len - 8 - 1, 0x03, 8);
- }
- ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
- if (!ekbuf)
- goto loser;
- PRINT_BUF(10, (ss, "master key encryption block:",
- eblock.data, eblock.len));
-
- /* Encrypt ekitem */
- rv = PK11_PubEncryptRaw(serverKey, ekbuf, eblock.data, modulusLen,
- ss->pkcs11PinArg);
- if (rv)
- goto loser;
-
- if (eblock.len != modulusLen) {
- /* Something strange just happened */
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- goto loser;
- }
-
- /* Now we have everything ready to send */
- rv = ssl2_SendSessionKeyMessage(ss, cipher, keyLen << 3, ca, caLen,
- keyData, ckLen, ekbuf, modulusLen);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = SECSuccess;
- goto done;
-
- loser:
- rv = SECFailure;
-
- loser2:
- done:
- PORT_Memset(keyData, 0, sizeof(keyData));
- PORT_ZFree(ekbuf, modulusLen);
- SECITEM_ZfreeItem(&eblock, PR_FALSE);
- SECKEY_DestroyPublicKey(serverKey);
- return rv;
-}
-
-/************************************************************************/
-
-/*
- * Called from ssl2_HandleMessage in response to SSL_MT_SERVER_FINISHED message.
- * Caller holds recvBufLock and handshakeLock
- */
-static void
-ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
-{
- sslSecurityInfo *sec;
- sslSessionID *sid;
-
- PORT_Assert((ss->sec != 0));
- sec = ss->sec;
- sid = sec->ci.sid;
-
- /* Record entry in nonce cache */
- if (sid->peerCert == NULL) {
- PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
- sid->peerCert = CERT_DupCertificate(sec->peerCert);
-
- }
- if (!ss->noCache)
- (*sec->cache)(sid);
-}
-
-/* Called from ssl2_HandleMessage() */
-static SECStatus
-ssl2_TriggerNextMessage(sslSocket *ss)
-{
- sslConnectInfo * ci;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- ci = &ss->sec->ci;
-
- if ((ci->requiredElements & CIS_HAVE_CERTIFICATE) &&
- !(ci->sentElements & CIS_HAVE_CERTIFICATE)) {
- ci->sentElements |= CIS_HAVE_CERTIFICATE;
- rv = ssl2_SendCertificateRequestMessage(ss);
- return rv;
- }
- return SECSuccess;
-}
-
-/* See if it's time to send our finished message, or if the handshakes are
-** complete. Send finished message if appropriate.
-** Returns SECSuccess unless anything goes wrong.
-**
-** Called from ssl2_HandleMessage,
-** ssl2_HandleVerifyMessage
-** ssl2_HandleServerHelloMessage
-** ssl2_HandleClientSessionKeyMessage
-** ssl2_RestartHandshakeAfterCertReq
-** ssl2_RestartHandshakeAfterServerCert
-*/
-static SECStatus
-ssl2_TryToFinish(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- SECStatus rv;
- char e, ef;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- sec = ss->sec;
- ci = &sec->ci;
-
- e = ci->elements;
- ef = e | CIS_HAVE_FINISHED;
- if ((ef & ci->requiredElements) == ci->requiredElements) {
- if (sec->isServer) {
- /* Send server finished message if we already didn't */
- rv = ssl2_SendServerFinishedMessage(ss);
- } else {
- /* Send client finished message if we already didn't */
- rv = ssl2_SendClientFinishedMessage(ss);
- }
- if (rv != SECSuccess) {
- return rv;
- }
- if ((e & ci->requiredElements) == ci->requiredElements) {
- /* Totally finished */
- ss->handshake = 0;
- return SECSuccess;
- }
- }
- return SECSuccess;
-}
-
-/*
-** Called from ssl2_HandleRequestCertificate
-** ssl2_RestartHandshakeAfterCertReq
-*/
-static SECStatus
-ssl2_SignResponse(sslSocket *ss,
- SECKEYPrivateKey *key,
- SECItem *response)
-{
- SGNContext * sgn = NULL;
- sslConnectInfo * ci;
- sslSecurityInfo *sec;
- PRUint8 * challenge;
- unsigned int len;
- SECStatus rv = SECFailure;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- sec = ss->sec;
- ci = &sec->ci;
- challenge = ci->serverChallenge;
- len = ci->serverChallengeLen;
-
- /* Sign the expected data... */
- sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
- if (!sgn)
- goto done;
- rv = SGN_Begin(sgn);
- if (rv != SECSuccess)
- goto done;
- rv = SGN_Update(sgn, ci->readKey, ci->keySize);
- if (rv != SECSuccess)
- goto done;
- rv = SGN_Update(sgn, ci->writeKey, ci->keySize);
- if (rv != SECSuccess)
- goto done;
- rv = SGN_Update(sgn, challenge, len);
- if (rv != SECSuccess)
- goto done;
- rv = SGN_Update(sgn,
- sec->peerCert->derCert.data, sec->peerCert->derCert.len);
- if (rv != SECSuccess)
- goto done;
- rv = SGN_End(sgn, response);
- if (rv != SECSuccess)
- goto done;
-
-done:
- SGN_DestroyContext(sgn, PR_TRUE);
- return rv == SECSuccess ? SECSuccess : SECFailure;
-}
-
-/*
-** Try to handle a request-certificate message. Get client's certificate
-** and private key and sign a message for the server to see.
-** Caller must hold handshakeLock
-**
-** Called from ssl2_HandleMessage().
-*/
-static int
-ssl2_HandleRequestCertificate(sslSocket *ss)
-{
- CERTCertificate * cert = NULL; /* app-selected client cert. */
- SECKEYPrivateKey *key = NULL; /* priv key for cert. */
- SECStatus rv;
- SECItem response;
- int ret = 0;
- PRUint8 authType;
-
-
- /*
- * These things all need to be initialized before we can "goto loser".
- */
- response.data = NULL;
-
- PORT_Assert((ss->sec != 0));
- if (!ss->sec) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return SECFailure;
- }
-
- /* get challenge info from connectionInfo */
- authType = ss->sec->ci.authType;
-
- if (authType != SSL_AT_MD5_WITH_RSA_ENCRYPTION) {
- SSL_TRC(7, ("%d: SSL[%d]: unsupported auth type 0x%x", SSL_GETPID(),
- ss->fd, authType));
- goto no_cert_error;
- }
-
- /* Get certificate and private-key from client */
- if (!ss->getClientAuthData) {
- SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
- SSL_GETPID(), ss->fd));
- goto no_cert_error;
- }
- ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
- NULL, &cert, &key);
- if ( ret == SECWouldBlock ) {
- ssl_SetAlwaysBlock(ss);
- goto done;
- }
-
- if (ret) {
- goto no_cert_error;
- }
-
- rv = ssl2_SignResponse(ss, key, &response);
- if ( rv != SECSuccess ) {
- ret = -1;
- goto loser;
- }
-
- /* Send response message */
- ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
- goto done;
-
- no_cert_error:
- SSL_TRC(7, ("%d: SSL[%d]: no certificate (ret=%d)", SSL_GETPID(),
- ss->fd, ret));
- ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
-
- loser:
- done:
- if ( cert ) {
- CERT_DestroyCertificate(cert);
- }
- if ( key ) {
- SECKEY_DestroyPrivateKey(key);
- }
- if ( response.data ) {
- PORT_Free(response.data);
- }
-
- return ret;
-}
-
-/*
-** Called from ssl2_HandleMessage for SSL_MT_CLIENT_CERTIFICATE message.
-** Caller must hold HandshakeLock and RecvBufLock, since cd and response
-** are contained in the gathered input data.
-*/
-static SECStatus
-ssl2_HandleClientCertificate(sslSocket * ss,
- PRUint8 certType, /* XXX unused */
- PRUint8 * cd,
- unsigned int cdLen,
- PRUint8 * response,
- unsigned int responseLen)
-{
- sslSecurityInfo *sec = ss->sec;
- sslConnectInfo * ci;
- CERTCertificate *cert = NULL;
- SECKEYPublicKey *pubKey = NULL;
- VFYContext * vfy = NULL;
- SECStatus rv = SECFailure;
- SECItem certItem;
- SECItem rep;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
-
- /* Extract the certificate */
- certItem.data = cd;
- certItem.len = cdLen;
-
- cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
- PR_FALSE, PR_TRUE);
- if (cert == NULL) {
- goto loser;
- }
-
- /* save the certificate, since the auth routine will need it */
- sec->peerCert = cert;
-
- /* Extract the public key */
- pubKey = CERT_ExtractPublicKey(cert);
- if (!pubKey)
- goto loser;
-
- /* Verify the response data... */
- rep.data = response;
- rep.len = responseLen;
- /* SSL 2.0 only supports RSA certs, so we don't have to worry about
- * DSA here. */
- vfy = VFY_CreateContext(pubKey, &rep, SEC_OID_PKCS1_RSA_ENCRYPTION,
- ss->pkcs11PinArg);
- if (!vfy)
- goto loser;
- rv = VFY_Begin(vfy);
- if (rv)
- goto loser;
-
- ci = &sec->ci;
- rv = VFY_Update(vfy, ci->readKey, ci->keySize);
- if (rv)
- goto loser;
- rv = VFY_Update(vfy, ci->writeKey, ci->keySize);
- if (rv)
- goto loser;
- rv = VFY_Update(vfy, ci->serverChallenge, SSL_CHALLENGE_BYTES);
- if (rv)
- goto loser;
- rv = VFY_Update(vfy, ss->serverCert[kt_rsa]->derCert.data,
- ss->serverCert[kt_rsa]->derCert.len);
- if (rv)
- goto loser;
- rv = VFY_End(vfy);
- if (rv)
- goto loser;
-
- /* Now ask the server application if it likes the certificate... */
- rv = (SECStatus) (*ss->authCertificate)(ss->authCertificateArg,
- ss->fd, PR_TRUE, PR_TRUE);
- /* Hey, it liked it. */
- if (SECSuccess == rv)
- goto done;
-
-loser:
- sec->peerCert = NULL;
- CERT_DestroyCertificate(cert);
-
-done:
- VFY_DestroyContext(vfy, PR_TRUE);
- SECKEY_DestroyPublicKey(pubKey);
- return rv;
-}
-
-/*
-** Handle remaining messages between client/server. Process finished
-** messages from either side and any authentication requests.
-** This should only be called for SSLv2 handshake messages,
-** not for application data records.
-** Caller must hold handshake lock.
-**
-** Called from ssl_Do1stHandshake().
-**
-*/
-static SECStatus
-ssl2_HandleMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- sslGather * gs;
- PRUint8 * data;
- PRUint8 * cid;
- unsigned len, certType, certLen, responseLen;
- int rv;
- int rv2;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
-
- ssl_GetRecvBufLock(ss);
- sec = ss->sec;
- gs = ss->gather;
- ci = &sec->ci;
-
- data = gs->buf.buf + gs->recordOffset;
-
- if (gs->recordLen < 1) {
- goto bad_peer;
- }
- SSL_TRC(3, ("%d: SSL[%d]: received %d message",
- SSL_GETPID(), ss->fd, data[0]));
- DUMP_MSG(29, (ss, data, gs->recordLen));
-
- switch (data[0]) {
- case SSL_MT_CLIENT_FINISHED:
- if (ci->elements & CIS_HAVE_FINISHED) {
- SSL_DBG(("%d: SSL[%d]: dup client-finished message",
- SSL_GETPID(), ss->fd));
- goto bad_peer;
- }
-
- /* See if nonce matches */
- len = gs->recordLen - 1;
- cid = data + 1;
- if ((len != sizeof(ci->connectionID)) ||
- (PORT_Memcmp(ci->connectionID, cid, len) != 0)) {
- SSL_DBG(("%d: SSL[%d]: bad connection-id", SSL_GETPID(), ss->fd));
- PRINT_BUF(5, (ss, "sent connection-id",
- ci->connectionID, sizeof(ci->connectionID)));
- PRINT_BUF(5, (ss, "rcvd connection-id", cid, len));
- goto bad_peer;
- }
-
- SSL_TRC(5, ("%d: SSL[%d]: got client finished, waiting for 0x%d",
- SSL_GETPID(), ss->fd, ci->requiredElements ^ ci->elements));
- ci->elements |= CIS_HAVE_FINISHED;
- break;
-
- case SSL_MT_SERVER_FINISHED:
- if (ci->elements & CIS_HAVE_FINISHED) {
- SSL_DBG(("%d: SSL[%d]: dup server-finished message",
- SSL_GETPID(), ss->fd));
- goto bad_peer;
- }
-
- if (gs->recordLen - 1 != SSL_SESSIONID_BYTES) {
- SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
- SSL_GETPID(), ss->fd, gs->recordLen));
- goto bad_peer;
- }
- ssl2_ClientRegSessionID(ss, data+1);
- SSL_TRC(5, ("%d: SSL[%d]: got server finished, waiting for 0x%d",
- SSL_GETPID(), ss->fd, ci->requiredElements ^ ci->elements));
- ci->elements |= CIS_HAVE_FINISHED;
- break;
-
- case SSL_MT_REQUEST_CERTIFICATE:
- len = gs->recordLen - 2;
- if ((len != SSL_MIN_CHALLENGE_BYTES) ||
- (len > SSL_MAX_CHALLENGE_BYTES)) {
- /* Bad challenge */
- SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
- SSL_GETPID(), ss->fd, len));
- goto bad_peer;
- }
-
- /* save auth request info */
- ci->authType = data[1];
- ci->serverChallengeLen = len;
- PORT_Memcpy(ci->serverChallenge, data + 2, len);
-
- rv = ssl2_HandleRequestCertificate(ss);
- if (rv == SECWouldBlock) {
- SSL_TRC(3, ("%d: SSL[%d]: async cert request",
- SSL_GETPID(), ss->fd));
- /* someone is handling this asynchronously */
- ssl_ReleaseRecvBufLock(ss);
- return SECWouldBlock;
- }
- if (rv) {
- SET_ERROR_CODE
- goto loser;
- }
- break;
-
- case SSL_MT_CLIENT_CERTIFICATE:
- if (!ss->authCertificate) {
- /* Server asked for authentication and can't handle it */
- PORT_SetError(SSL_ERROR_BAD_SERVER);
- goto loser;
- }
- if (gs->recordLen < SSL_HL_CLIENT_CERTIFICATE_HBYTES) {
- SET_ERROR_CODE
- goto loser;
- }
- certType = data[1];
- certLen = (data[2] << 8) | data[3];
- responseLen = (data[4] << 8) | data[5];
- if (certType != SSL_CT_X509_CERTIFICATE) {
- PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
- goto loser;
- }
- rv = ssl2_HandleClientCertificate(ss, data[1],
- data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
- certLen,
- data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
- responseLen);
- if (rv) {
- rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
- SET_ERROR_CODE
- goto loser;
- }
- ci->elements |= CIS_HAVE_CERTIFICATE;
- break;
-
- case SSL_MT_ERROR:
- rv = (data[1] << 8) | data[2];
- SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
- SSL_GETPID(), ss->fd, rv));
-
- /* Convert protocol error number into API error number */
- switch (rv) {
- case SSL_PE_NO_CYPHERS:
- rv = SSL_ERROR_NO_CYPHER_OVERLAP;
- break;
- case SSL_PE_NO_CERTIFICATE:
- rv = SSL_ERROR_NO_CERTIFICATE;
- break;
- case SSL_PE_BAD_CERTIFICATE:
- rv = SSL_ERROR_BAD_CERTIFICATE;
- break;
- case SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE:
- rv = SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
- break;
- default:
- goto bad_peer;
- }
- /* XXX make certificate-request optionally fail... */
- PORT_SetError(rv);
- goto loser;
-
- default:
- SSL_DBG(("%d: SSL[%d]: unknown message %d",
- SSL_GETPID(), ss->fd, data[0]));
- goto loser;
- }
-
- SSL_TRC(3, ("%d: SSL[%d]: handled %d message, required=0x%x got=0x%x",
- SSL_GETPID(), ss->fd, data[0],
- ci->requiredElements, ci->elements));
-
- rv = ssl2_TryToFinish(ss);
- if (rv != SECSuccess)
- goto loser;
-
- ss->gather->recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- if (ss->handshake == 0) {
- return SECSuccess;
- }
-
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleMessage;
- return ssl2_TriggerNextMessage(ss);
-
- bad_peer:
- PORT_SetError(sec->isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
- /* FALL THROUGH */
-
- loser:
- ssl_ReleaseRecvBufLock(ss);
- return SECFailure;
-}
-
-/************************************************************************/
-
-/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or
-** ssl2_RestartHandshakeAfterServerCert.
-*/
-static SECStatus
-ssl2_HandleVerifyMessage(sslSocket *ss)
-{
- sslConnectInfo * ci;
- sslGather * gs;
- PRUint8 * data;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- ssl_GetRecvBufLock(ss);
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
- ci = &ss->sec->ci;
- gs = ss->gather;
-
- data = gs->buf.buf + gs->recordOffset;
- DUMP_MSG(29, (ss, data, gs->recordLen));
- if ((gs->recordLen != 1 + SSL_CHALLENGE_BYTES) ||
- (data[0] != SSL_MT_SERVER_VERIFY) ||
- PORT_Memcmp(data+1, ci->clientChallenge, SSL_CHALLENGE_BYTES)) {
- /* Bad server */
- PORT_SetError(SSL_ERROR_BAD_SERVER);
- goto loser;
- }
- ci->elements |= CIS_HAVE_VERIFY;
-
- SSL_TRC(5, ("%d: SSL[%d]: got server-verify, required=0x%d got=0x%x",
- SSL_GETPID(), ss->fd, ci->requiredElements,
- ci->elements));
-
- rv = ssl2_TryToFinish(ss);
- if (rv)
- goto loser;
-
- ss->gather->recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- if (ss->handshake == 0) {
- return SECSuccess;
- }
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleMessage;
- return SECSuccess;
-
-
- loser:
- ssl_ReleaseRecvBufLock(ss);
- return SECFailure;
-}
-
-/* Not static because ssl2_GatherData() tests ss->nextHandshake for this value.
- * ICK!
- * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
- */
-SECStatus
-ssl2_HandleServerHelloMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- sslGather * gs;
- sslSessionID * sid;
- PRUint8 * cert;
- PRUint8 * cs;
- PRUint8 * data;
- SECStatus rv;
- int needed, sidHit, certLen, csLen, cidLen, certType, err;
-
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- if (!ss->enableSSL2) {
- PORT_SetError(SSL_ERROR_SSL2_DISABLED);
- return SECFailure;
- }
-
- ssl_GetRecvBufLock(ss);
-
- sec = ss->sec;
- ci = &sec->ci;
- gs = ss->gather;
- PORT_Assert(ci->sid != 0);
-
- data = gs->buf.buf + gs->recordOffset;
- DUMP_MSG(29, (ss, data, gs->recordLen));
-
- /* Make sure first message has some data and is the server hello message */
- if ((gs->recordLen < SSL_HL_SERVER_HELLO_HBYTES)
- || (data[0] != SSL_MT_SERVER_HELLO)) {
- if ((data[0] == SSL_MT_ERROR) && (gs->recordLen == 3)) {
- err = (data[1] << 8) | data[2];
- if (err == SSL_PE_NO_CYPHERS) {
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- goto loser;
- }
- }
- goto bad_server;
- }
-
- sidHit = data[1];
- certType = data[2];
- ss->version = (data[3] << 8) | data[4];
- certLen = (data[5] << 8) | data[6];
- csLen = (data[7] << 8) | data[8];
- cidLen = (data[9] << 8) | data[10];
- cert = data + SSL_HL_SERVER_HELLO_HBYTES;
- cs = cert + certLen;
-
- SSL_TRC(5,
- ("%d: SSL[%d]: server-hello, hit=%d vers=%x certLen=%d csLen=%d cidLen=%d",
- SSL_GETPID(), ss->fd, sidHit, ss->version, certLen,
- csLen, cidLen));
- if (ss->version != SSL_LIBRARY_VERSION_2) {
- if (ss->version < SSL_LIBRARY_VERSION_2) {
- SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
- SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
- ss->version));
- } else {
- SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
- SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
- /* server claims to be newer but does not follow protocol */
- PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
- goto loser;
- }
- }
-
- /* Save connection-id for later */
- PORT_Memcpy(ci->connectionID, cs + csLen, sizeof(ci->connectionID));
-
- /* See if session-id hit */
- needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
- if (sidHit) {
- if (certLen || csLen) {
- /* Uh oh - bogus server */
- SSL_DBG(("%d: SSL[%d]: client, huh? hit=%d certLen=%d csLen=%d",
- SSL_GETPID(), ss->fd, sidHit, certLen, csLen));
- goto bad_server;
- }
-
- /* Total winner. */
- SSL_TRC(1, ("%d: SSL[%d]: client, using nonce for peer=0x%08x "
- "port=0x%04x",
- SSL_GETPID(), ss->fd, ci->peer, ci->port));
- sec->peerCert = CERT_DupCertificate(ci->sid->peerCert);
- rv = ssl2_CreateSessionCypher(ss, ci->sid, PR_TRUE);
- if (rv != SECSuccess) {
- goto loser;
- }
- } else {
- if (certType != SSL_CT_X509_CERTIFICATE) {
- PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
- goto loser;
- }
- if (csLen == 0) {
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- SSL_DBG(("%d: SSL[%d]: no cipher overlap",
- SSL_GETPID(), ss->fd));
- goto loser;
- }
- if (certLen == 0) {
- SSL_DBG(("%d: SSL[%d]: client, huh? certLen=%d csLen=%d",
- SSL_GETPID(), ss->fd, certLen, csLen));
- goto bad_server;
- }
-
- sid = ci->sid;
- if (sid->cached != never_cached) {
- /* Forget our session-id - server didn't like it */
- SSL_TRC(7, ("%d: SSL[%d]: server forgot me, uncaching session-id",
- SSL_GETPID(), ss->fd));
- (*sec->uncache)(sid);
- ssl_FreeSID(sid);
- ci->sid = sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
- if (!sid) {
- goto loser;
- }
- sid->references = 1;
- sid->addr = ci->peer;
- sid->port = ci->port;
- }
-
- /* decode the server's certificate */
- rv = ssl2_ClientHandleServerCert(ss, cert, certLen);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
- (void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
- }
- goto loser;
- }
-
- /* Setup new session cipher */
- rv = ssl2_ClientSetupSessionCypher(ss, cs, csLen);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
- (void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
- }
- goto loser;
- }
- }
-
- /* Build up final list of required elements */
- ci->elements = CIS_HAVE_MASTER_KEY;
- ci->requiredElements = needed;
-
- if (!sidHit) {
- /* verify the server's certificate. if sidHit, don't check signatures */
- rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd,
- (PRBool)(!sidHit), PR_FALSE);
- if (rv) {
- if (ss->handleBadCert) {
- rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
- if ( rv ) {
- if ( rv == SECWouldBlock ) {
- /* someone will handle this connection asynchronously*/
-
- SSL_DBG(("%d: SSL[%d]: go to async cert handler",
- SSL_GETPID(), ss->fd));
- ssl_ReleaseRecvBufLock(ss);
- ssl_SetAlwaysBlock(ss);
- return SECWouldBlock;
- }
- /* cert is bad */
- SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- goto loser;
-
- }
- /* cert is good */
- } else {
- SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- goto loser;
- }
- }
- }
- /*
- ** At this point we have a completed session key and our session
- ** cipher is setup and ready to go. Switch to encrypted write routine
- ** as all future message data is to be encrypted.
- */
- ssl2_UseEncryptedSendFunc(ss);
-
- rv = ssl2_TryToFinish(ss);
- if (rv != SECSuccess)
- goto loser;
-
- ss->gather->recordLen = 0;
-
- ssl_ReleaseRecvBufLock(ss);
-
- if (ss->handshake == 0) {
- return SECSuccess;
- }
-
- SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
- SSL_GETPID(), ss->fd, ci->requiredElements, ci->elements));
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleVerifyMessage;
- return SECSuccess;
-
- bad_server:
- PORT_SetError(SSL_ERROR_BAD_SERVER);
- /* FALL THROUGH */
-
- loser:
- ssl_ReleaseRecvBufLock(ss);
- return SECFailure;
-}
-
-/* Sends out the initial client Hello message on the connection.
- * Acquires and releases the socket's xmitBufLock.
- */
-SECStatus
-ssl2_BeginClientHandshake(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo *ci;
- sslSessionID *sid;
- PRUint8 *msg;
- PRUint8 *cp;
- PRUint8 *localCipherSpecs = NULL;
- unsigned int localCipherSize;
- unsigned int i;
- int sendLen, sidLen;
- SECStatus rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0));
-
- sec = ss->sec;
- sec->isServer = 0;
- sec->sendSequence = 0;
- sec->rcvSequence = 0;
- ssl_ChooseSessionIDProcs(sec);
- ci = &sec->ci;
-
- if (!ss->cipherSpecs) {
- rv = ssl2_ConstructCipherSpecs(ss);
- if (rv != SECSuccess)
- goto loser;
- }
-
- /* count the SSL2 and SSL3 enabled ciphers.
- * if either is zero, clear the socket's enable for that protocol.
- */
- rv = ssl2_CheckConfigSanity(ss);
- if (rv != SECSuccess)
- goto loser;
-
- /* Get peer name of server */
- rv = ssl_GetPeerInfo(ss);
- if (rv < 0) {
- goto loser;
- }
-
- SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
-
- /* Try to find server in our session-id cache */
- if (ss->noCache) {
- sid = NULL;
- } else {
- sid = ssl_LookupSID(ci->peer, ci->port, ss->peerID, ss->url);
- }
- if (sid) {
- /* if we're not doing this SID's protocol any more, drop it. */
- if (((sid->version == SSL_LIBRARY_VERSION_2) && !ss->enableSSL2) ||
- ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL3) ||
- ((sid->version == SSL_LIBRARY_VERSION_3_1_TLS) && !ss->enableTLS)) {
- sec->uncache(sid);
- ssl_FreeSID(sid);
- goto invalid;
- }
- if (ss->enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
- /* If the cipher in this sid is not enabled, drop it. */
- for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
- if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
- goto sid_cipher_match;
- }
- sec->uncache(sid);
- ssl_FreeSID(sid);
- goto invalid;
- }
-sid_cipher_match:
- sidLen = sizeof(sid->u.ssl2.sessionID);
- PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
- sidLen));
- ss->version = sid->version;
- } else {
-invalid:
- sidLen = 0;
- sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
- if (!sid) {
- goto loser;
- }
- sid->references = 1;
- sid->cached = never_cached;
- sid->addr = ci->peer;
- sid->port = ci->port;
- if (ss->peerID != NULL) {
- sid->peerID = PORT_Strdup(ss->peerID);
- }
- if (ss->url != NULL) {
- sid->urlSvrName = PORT_Strdup(ss->url);
- }
- }
- ci->sid = sid;
-
- PORT_Assert(sid != NULL);
-
- if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->v2CompatibleHello) &&
- (ss->enableSSL3 || ss->enableTLS)) {
-
- PORT_Assert(ss->gather != NULL);
- ss->gather->state = GS_INIT;
- ss->handshake = ssl_GatherRecord1stHandshake;
-
- /* ssl3_SendClientHello will override this if it succeeds. */
- ss->version = SSL_LIBRARY_VERSION_3_0;
-
- ssl_GetXmitBufLock(ss); /***************************************/
- ssl_GetSSL3HandshakeLock(ss);
- rv = ssl3_SendClientHello(ss);
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_ReleaseXmitBufLock(ss); /***************************************/
-
- return rv;
- }
-
- if (!ss->cipherSpecs) {
- rv = ssl2_ConstructCipherSpecs(ss);
- if (rv < 0) {
- return rv;
- }
- }
- localCipherSpecs = ss->cipherSpecs;
- localCipherSize = ss->sizeCipherSpecs;
-
- sendLen = SSL_HL_CLIENT_HELLO_HBYTES + localCipherSize + sidLen +
- SSL_CHALLENGE_BYTES;
-
- /* Generate challenge bytes for server */
- PK11_GenerateRandom(ci->clientChallenge, SSL_CHALLENGE_BYTES);
-
- ssl_GetXmitBufLock(ss); /***************************************/
-
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv)
- goto unlock_loser;
-
- /* Construct client-hello message */
- cp = msg = ci->sendBuf.buf;
- msg[0] = SSL_MT_CLIENT_HELLO;
- if ( ss->enableTLS ) {
- ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_1_TLS;
- } else if ( ss->enableSSL3 ) {
- ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_0;
- } else {
- ss->clientHelloVersion = SSL_LIBRARY_VERSION_2;
- }
-
- msg[1] = MSB(ss->clientHelloVersion);
- msg[2] = LSB(ss->clientHelloVersion);
- msg[3] = MSB(localCipherSize);
- msg[4] = LSB(localCipherSize);
- msg[5] = MSB(sidLen);
- msg[6] = LSB(sidLen);
- msg[7] = MSB(SSL_CHALLENGE_BYTES);
- msg[8] = LSB(SSL_CHALLENGE_BYTES);
- cp += SSL_HL_CLIENT_HELLO_HBYTES;
- PORT_Memcpy(cp, localCipherSpecs, localCipherSize);
- cp += localCipherSize;
- if (sidLen) {
- PORT_Memcpy(cp, sid->u.ssl2.sessionID, sidLen);
- cp += sidLen;
- }
- PORT_Memcpy(cp, ci->clientChallenge, SSL_CHALLENGE_BYTES);
-
- /* Send it to the server */
- DUMP_MSG(29, (ss, msg, sendLen));
- rv = (*sec->send)(ss, msg, sendLen, 0);
-
- ssl_ReleaseXmitBufLock(ss); /***************************************/
-
- if (rv < 0) {
- goto loser;
- }
-
- rv = ssl3_StartHandshakeHash(ss, msg, sendLen);
- if (rv < 0) {
- goto loser;
- }
-
- /* Setup to receive servers hello message */
- ssl_GetRecvBufLock(ss);
- ss->gather->recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleServerHelloMessage;
- return SECSuccess;
-
-unlock_loser:
- ssl_ReleaseXmitBufLock(ss);
-loser:
- return SECFailure;
-}
-
-/************************************************************************/
-
-/* Handle the CLIENT-MASTER-KEY message.
-** Acquires and releases RecvBufLock.
-** Called from ssl2_HandleClientHelloMessage().
-*/
-static SECStatus
-ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
-{
- sslConnectInfo * ci;
- PRUint8 * data;
- sslGather * gs;
- unsigned int caLen;
- unsigned int ckLen;
- unsigned int ekLen;
- unsigned int keySize;
- int cipher;
- SECStatus rv;
-
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
-
- ssl_GetRecvBufLock(ss);
- gs = ss->gather;
- ci = &ss->sec->ci;
-
- data = gs->buf.buf + gs->recordOffset;
- DUMP_MSG(29, (ss, data, gs->recordLen));
-
- if ((gs->recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
- || (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
- goto bad_client;
- }
- cipher = data[1];
- keySize = (data[2] << 8) | data[3];
- ckLen = (data[4] << 8) | data[5];
- ekLen = (data[6] << 8) | data[7];
- caLen = (data[8] << 8) | data[9];
-
- SSL_TRC(5, ("%d: SSL[%d]: session-key, cipher=%d keySize=%d ckLen=%d ekLen=%d caLen=%d",
- SSL_GETPID(), ss->fd, cipher, keySize, ckLen, ekLen, caLen));
-
- if (gs->recordLen <
- SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen) {
- SSL_DBG(("%d: SSL[%d]: protocol size mismatch dataLen=%d",
- SSL_GETPID(), ss->fd, gs->recordLen));
- goto bad_client;
- }
-
- /* Use info from client to setup session key */
- /* XXX should validate cipher&keySize are in our array */
- rv = ssl2_ServerSetupSessionCypher(ss, cipher, keySize,
- data + SSL_HL_CLIENT_MASTER_KEY_HBYTES, ckLen,
- data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen, ekLen,
- data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
- ss->gather->recordLen = 0; /* we're done with this record. */
-
- ssl_ReleaseRecvBufLock(ss);
-
- if (rv != SECSuccess) {
- goto loser;
- }
- ci->elements |= CIS_HAVE_MASTER_KEY;
- ssl2_UseEncryptedSendFunc(ss);
-
- /* Send server verify message now that keys are established */
- rv = ssl2_SendServerVerifyMessage(ss);
- if (rv != SECSuccess)
- goto loser;
-
- rv = ssl2_TryToFinish(ss);
- if (rv != SECSuccess)
- goto loser;
- if (ss->handshake == 0) {
- return SECSuccess;
- }
-
- SSL_TRC(5, ("%d: SSL[%d]: server: waiting for elements=0x%d",
- SSL_GETPID(), ss->fd, ci->requiredElements ^ ci->elements));
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleMessage;
-
- return ssl2_TriggerNextMessage(ss);
-
-bad_client:
- ssl_ReleaseRecvBufLock(ss);
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- /* FALLTHROUGH */
-
-loser:
- return SECFailure;
-}
-
-/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:
- * cert Client cert chosen by application.
- * key Private key associated with cert.
- *
- * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
- * they take the reference, or bump the ref count!
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
- */
-int
-ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key)
-{
- int ret;
- SECStatus rv = SECSuccess;
- SECItem response;
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0)
- return SECFailure;
-
- response.data = NULL;
-
- PORT_Assert((ss->sec != 0));
- if (ss->sec == NULL)
- return SECFailure;
-
- /* generate error if no cert or key */
- if ( ( cert == NULL ) || ( key == NULL ) ) {
- goto no_cert;
- }
-
- /* generate signed response to the challenge */
- rv = ssl2_SignResponse(ss, key, &response);
- if ( rv != SECSuccess ) {
- goto no_cert;
- }
-
- /* Send response message */
- ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
- if (ret) {
- goto no_cert;
- }
-
- /* try to finish the handshake */
- ret = ssl2_TryToFinish(ss);
- if (ret) {
- goto loser;
- }
-
- /* done with handshake */
- if (ss->handshake == 0) {
- ret = SECSuccess;
- goto done;
- }
-
- /* continue handshake */
- ssl_GetRecvBufLock(ss);
- ss->gather->recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleMessage;
- ret = ssl2_TriggerNextMessage(ss);
- goto done;
-
-no_cert:
- /* no cert - send error */
- ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
- goto done;
-
-loser:
- ret = SECFailure;
-done:
- /* free allocated data */
- if ( response.data ) {
- PORT_Free(response.data);
- }
-
- return ret;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs
-** XXX Need to document here how an application marks a cert to show that
-** the application has accepted it (overridden CERT_VerifyCert).
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
-*/
-int
-ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
- int rv = SECSuccess;
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0)
- return SECFailure;
-
- /* SSL 2
- ** At this point we have a completed session key and our session
- ** cipher is setup and ready to go. Switch to encrypted write routine
- ** as all future message data is to be encrypted.
- */
- ssl2_UseEncryptedSendFunc(ss);
-
- rv = ssl2_TryToFinish(ss);
- if (rv == SECSuccess && ss->handshake != NULL) {
- /* handshake is not yet finished. */
-
- SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
- SSL_GETPID(), ss->fd, ss->sec->ci.requiredElements,
- ss->sec->ci.elements));
-
- ssl_GetRecvBufLock(ss);
- ss->gather->recordLen = 0; /* mark it all used up. */
- ssl_ReleaseRecvBufLock(ss);
-
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleVerifyMessage;
- }
-
- return rv;
-}
-
-/*
-** Handle the initial hello message from the client
-**
-** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
-*/
-SECStatus
-ssl2_HandleClientHelloMessage(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo *ci;
- sslGather *gs;
- sslSessionID *sid = NULL;
- PRUint8 *msg;
- PRUint8 *data;
- PRUint8 *cs;
- PRUint8 *sd;
- PRUint8 *cert = NULL;
- PRUint8 *challenge;
- unsigned int challengeLen;
- SECStatus rv;
- int hit;
- int csLen;
- int sendLen;
- int sdLen;
- int certLen;
- int pid;
- int sent;
- int gotXmitBufLock = 0;
- PRUint8 csImpl[sizeof implementedCipherSuites];
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
-
- sec = ss->sec;
- ci = &sec->ci;
-
- ssl_GetRecvBufLock(ss);
-
- gs = ss->gather;
-
- data = gs->buf.buf + gs->recordOffset;
- DUMP_MSG(29, (ss, data, gs->recordLen));
-
- /* Make sure first message has some data and is the client hello message */
- if ((gs->recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
- || (data[0] != SSL_MT_CLIENT_HELLO)) {
- goto bad_client;
- }
-
- /* Get peer name of client */
- rv = ssl_GetPeerInfo(ss);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- /* Examine version information */
- /*
- * See if this might be a V2 client hello asking to use the V3 protocol
- */
- if ((data[0] == SSL_MT_CLIENT_HELLO) &&
- (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) &&
- (ss->enableSSL3 || ss->enableTLS)) {
- rv = ssl3_HandleV2ClientHello(ss, data, gs->recordLen);
- if (rv != SECFailure) { /* Success */
- ss->handshake = NULL;
- ss->nextHandshake = ssl_GatherRecord1stHandshake;
- ss->securityHandshake = NULL;
- ss->gather->state = GS_INIT;
-
- /* ssl3_HandleV3ClientHello has set ss->version,
- ** and has gotten us a brand new sid.
- */
- ss->sec->ci.sid->version = ss->version;
- }
- ssl_ReleaseRecvBufLock(ss);
- return rv;
- }
- /* Previously, there was a test here to see if SSL2 was enabled.
- ** If not, an error code was set, and SECFailure was returned,
- ** without sending any error code to the other end of the connection.
- ** That test has been removed. If SSL2 has been disabled, there
- ** should be no SSL2 ciphers enabled, and consequently, the code
- ** below should send the ssl2 error message SSL_PE_NO_CYPHERS.
- ** We now believe this is the correct thing to do, even when SSL2
- ** has been explicitly disabled by the application.
- */
-
- /* Extract info from message */
- ss->version = (data[1] << 8) | data[2];
-
- /* If some client thinks ssl v2 is 2.0 instead of 0.2, we'll allow it. */
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
- ss->version = SSL_LIBRARY_VERSION_2;
- }
-
- csLen = (data[3] << 8) | data[4];
- sdLen = (data[5] << 8) | data[6];
- challengeLen = (data[7] << 8) | data[8];
- cs = data + SSL_HL_CLIENT_HELLO_HBYTES;
- sd = cs + csLen;
- challenge = sd + sdLen;
- PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
-
- if ((unsigned)gs->recordLen !=
- SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
- SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
- SSL_GETPID(), ss->fd, gs->recordLen,
- SSL_HL_CLIENT_HELLO_HBYTES+csLen+sdLen+challengeLen));
- goto bad_client;
- }
-
- SSL_TRC(3, ("%d: SSL[%d]: client version is %x",
- SSL_GETPID(), ss->fd, ss->version));
- if (ss->version != SSL_LIBRARY_VERSION_2) {
- if (ss->version > SSL_LIBRARY_VERSION_2) {
- /*
- ** Newer client than us. Things are ok because new clients
- ** are required to be backwards compatible with old servers.
- ** Change version number to our version number so that client
- ** knows whats up.
- */
- ss->version = SSL_LIBRARY_VERSION_2;
- } else {
- SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
- SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
- PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
- goto loser;
- }
- }
-
- /* Qualify cipher specs before returning them to client */
- csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
- if (csLen == 0) {
- /* no overlap, send client our list of supported SSL v2 ciphers. */
- cs = csImpl;
- csLen = sizeof implementedCipherSuites;
- PORT_Memcpy(cs, implementedCipherSuites, csLen);
- csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
- if (csLen == 0) {
- /* We don't support any SSL v2 ciphers! */
- ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- goto loser;
- }
- /* Since this handhsake is going to fail, don't cache it. */
- ss->noCache = 1;
- }
-
- /* Squirrel away the challenge for later */
- PORT_Memcpy(ci->clientChallenge, challenge, challengeLen);
-
- /* Examine message and see if session-id is good */
- ci->elements = 0;
- if (ss->noCache) {
- sid = NULL;
- } else if (sdLen) {
- SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x",
- SSL_GETPID(), ss->fd, ci->peer));
- sid = (*ssl_sid_lookup)(ci->peer, sd, sdLen, ss->dbHandle);
- }
- if (sid) {
- /* Got a good session-id. Short cut! */
- SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
- SSL_GETPID(), ss->fd, ci->peer, ssl_Time() - sid->time));
- PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
- ci->sid = sid;
- ci->elements = CIS_HAVE_MASTER_KEY;
- hit = 1;
- certLen = 0;
- csLen = 0;
- rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
- if (rv != SECSuccess) {
- goto loser;
- }
- } else {
- SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
- SSL_GETPID(), ss->fd));
- hit = 0;
- sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
- if (!sid) {
- goto loser;
- }
- sid->references = 1;
- sid->addr = ci->peer;
- sid->port = ci->port;
-
- /* Invent a session-id */
- ci->sid = sid;
- PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL_SESSIONID_BYTES-2);
-
- pid = SSL_GETPID();
- sid->u.ssl2.sessionID[0] = MSB(pid);
- sid->u.ssl2.sessionID[1] = LSB(pid);
- cert = ss->serverCert[kt_rsa]->derCert.data;
- certLen = ss->serverCert[kt_rsa]->derCert.len;
- }
-
- /* Build up final list of required elements */
- ci->requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
- if (ss->requestCertificate) {
- ci->requiredElements |= CIS_HAVE_CERTIFICATE;
- }
- ci->sentElements = 0;
-
- /* Send hello message back to client */
- sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
- + SSL_CONNECTIONID_BYTES;
-
- ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
- rv = ssl2_GetSendBuffer(ss, sendLen);
- if (rv != SECSuccess) {
- goto loser;
- }
-
- SSL_TRC(3, ("%d: SSL[%d]: sending server-hello (%d)",
- SSL_GETPID(), ss->fd, sendLen));
-
- msg = ci->sendBuf.buf;
- msg[0] = SSL_MT_SERVER_HELLO;
- msg[1] = hit;
- msg[2] = SSL_CT_X509_CERTIFICATE;
- msg[3] = MSB(ss->version);
- msg[4] = LSB(ss->version);
- msg[5] = MSB(certLen);
- msg[6] = LSB(certLen);
- msg[7] = MSB(csLen);
- msg[8] = LSB(csLen);
- msg[9] = MSB(SSL_CONNECTIONID_BYTES);
- msg[10] = LSB(SSL_CONNECTIONID_BYTES);
- if (certLen) {
- PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES, cert, certLen);
- }
- if (csLen) {
- PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen, cs, csLen);
- }
- PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen+csLen, ci->connectionID,
- SSL_CONNECTIONID_BYTES);
-
- DUMP_MSG(29, (ss, msg, sendLen));
-
- sent = (*sec->send)(ss, msg, sendLen, 0);
- if (sent < 0) {
- goto loser;
- }
- ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
-
- ss->gather->recordLen = 0;
- ss->handshake = ssl_GatherRecord1stHandshake;
- if (hit) {
- /* Old SID Session key is good. Go encrypted */
- ssl2_UseEncryptedSendFunc(ss);
-
- /* Send server verify message now that keys are established */
- rv = ssl2_SendServerVerifyMessage(ss);
- if (rv != SECSuccess)
- goto loser;
-
- ss->nextHandshake = ssl2_HandleMessage;
- ssl_ReleaseRecvBufLock(ss);
- rv = ssl2_TriggerNextMessage(ss);
- return rv;
- }
- ss->nextHandshake = ssl2_HandleClientSessionKeyMessage;
- ssl_ReleaseRecvBufLock(ss);
- return SECSuccess;
-
- bad_client:
- PORT_SetError(SSL_ERROR_BAD_CLIENT);
- /* FALLTHROUGH */
-
- loser:
- if (gotXmitBufLock) {
- ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
- }
- SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
- SSL_GETPID(), ss->fd));
- ssl_ReleaseRecvBufLock(ss);
- return SECFailure;
-}
-
-SECStatus
-ssl2_BeginServerHandshake(sslSocket *ss)
-{
- sslSecurityInfo *sec;
- sslConnectInfo * ci;
- SECStatus rv;
-
- PORT_Assert((ss->sec != 0));
- sec = ss->sec;
- ci = &sec->ci;
- sec->isServer = 1;
- ssl_ChooseSessionIDProcs(sec);
- sec->sendSequence = 0;
- sec->rcvSequence = 0;
-
- /* don't turn on SSL2 if we don't have an RSA key and cert */
- if (!ss->serverKey[kt_rsa] || !ss->serverCert[kt_rsa]) {
- ss->enableSSL2 = PR_FALSE;
- }
-
- if (!ss->cipherSpecs) {
- rv = ssl2_ConstructCipherSpecs(ss);
- if (rv != SECSuccess)
- goto loser;
- }
-
- /* count the SSL2 and SSL3 enabled ciphers.
- * if either is zero, clear the socket's enable for that protocol.
- */
- rv = ssl2_CheckConfigSanity(ss);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- ** Generate connection-id. Always do this, even if things fail
- ** immediately. This way the random number generator is always
- ** rolling around, every time we get a connection.
- */
- PK11_GenerateRandom(ci->connectionID, sizeof(ci->connectionID));
-
- ss->gather->recordLen = 0;
- ss->handshake = ssl_GatherRecord1stHandshake;
- ss->nextHandshake = ssl2_HandleClientHelloMessage;
- return SECSuccess;
-
-loser:
- return SECFailure;
-}
-
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
deleted file mode 100644
index 7f16c26b7..000000000
--- a/security/nss/lib/ssl/ssldef.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * "Default" SSLSocket methods, used by sockets that do neither SSL nor socks.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-
-#if defined(WIN32)
-#define MAP_ERROR(from,to) if (err == from) { PORT_SetError(to); }
-#else
-#define MAP_ERROR(from,to)
-#endif
-
-int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->connect(lower, sa, ss->cTimeout);
- return rv;
-}
-
-int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->bind(lower, addr);
- return rv;
-}
-
-int ssl_DefListen(sslSocket *ss, int backlog)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->listen(lower, backlog);
- return rv;
-}
-
-int ssl_DefShutdown(sslSocket *ss, int how)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->shutdown(lower, how);
- return rv;
-}
-
-int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
- if (rv < 0) {
- PRErrorCode err = PR_GetError();
- MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
- }
- return rv;
-}
-
-/* Default (unencrypted) send.
- * Returns SECSuccess or SECFailure, NOT SECWouldBlock.
- * Returns positive count if any data was written.
- * ALWAYS check for a short write after calling ssl_DefSend.
- */
-int ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv, count;
-
- count = 0;
- for (;;) {
- rv = lower->methods->send(lower, (const void *)buf, len,
- flags, ss->wTimeout);
- if (rv < 0) {
- PRErrorCode err = PR_GetError();
- if (err == PR_WOULD_BLOCK_ERROR) {
- return count ? count : rv;
- }
- MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
- /* Loser */
- return rv;
- }
- count += rv;
- if (rv < len) {
- /* Short send. Send the rest in the next call */
- buf += rv;
- len -= rv;
- continue;
- }
- break;
- }
- return count;
-}
-
-int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->read(lower, (void *)buf, len);
- if (rv < 0) {
- PRErrorCode err = PR_GetError();
- MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
- }
- return rv;
-}
-
-int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv, count;
-
- count = 0;
- for (;;) {
- rv = lower->methods->write(lower, (void *)buf, len);
- if (rv < 0) {
- PRErrorCode err = PR_GetError();
- if (err == PR_WOULD_BLOCK_ERROR) {
- return count ? count : rv;
- }
- MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
- /* Loser */
- return rv;
- }
- count += rv;
- if (rv != len) {
- /* Short write. Send the rest in the next call */
- buf += rv;
- len -= rv;
- continue;
- }
- break;
- }
- return count;
-}
-
-int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->getpeername(lower, name);
- return rv;
-}
-
-int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
-{
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
- rv = lower->methods->getsockname(lower, name);
- return rv;
-}
-
-int ssl_DefClose(sslSocket *ss)
-{
- PRFileDesc *fd;
- PRFileDesc *popped;
- int rv;
-
- fd = ss->fd;
-
- /* First, remove the SSL layer PRFileDesc from the socket's stack,
- ** then invoke the SSL layer's PRFileDesc destructor.
- ** This must happen before the next layer down is closed.
- */
- PORT_Assert(fd->higher == NULL);
- if (fd->higher) {
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- return SECFailure;
- }
- ss->fd = NULL;
-
- /* PR_PopIOLayer will swap the contents of the top two PRFileDescs on
- ** the stack, and then remove the second one. This way, the address
- ** of the PRFileDesc on the top of the stack doesn't change.
- */
- popped = PR_PopIOLayer(fd, PR_TOP_IO_LAYER);
- popped->dtor(popped);
-
- /* fd is now the PRFileDesc for the next layer down.
- ** Now close the underlying socket.
- */
- rv = fd->methods->close(fd);
-
- ssl_FreeSocket(ss);
-
- SSL_TRC(5, ("%d: SSL[%d]: closing, rv=%d errno=%d",
- SSL_GETPID(), fd, rv, PORT_GetError()));
- return rv;
-}
diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c
deleted file mode 100644
index b94f4bf65..000000000
--- a/security/nss/lib/ssl/sslenum.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Table enumerating all implemented cipher suites
- * Part of public API.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "ssl.h"
-#include "sslproto.h"
-
-const PRUint16 SSL_ImplementedCiphers[] = {
-
- SSL_RSA_WITH_NULL_MD5,
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_RSA_WITH_RC4_128_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_RSA_WITH_DES_CBC_SHA,
- SSL_RSA_WITH_3DES_EDE_CBC_SHA,
-
- SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
- SSL_FORTEZZA_DMS_WITH_NULL_SHA,
- SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,
-
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-
- /* SSL2 cipher suites. */
- SSL_EN_RC4_128_WITH_MD5,
- SSL_EN_RC4_128_EXPORT40_WITH_MD5,
- SSL_EN_RC2_128_CBC_WITH_MD5,
- SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL_EN_DES_64_CBC_WITH_MD5,
- SSL_EN_DES_192_EDE3_CBC_WITH_MD5,
-
- /* Netscape "experimental" cipher suites. */
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
- SSL_RSA_FIPS_WITH_DES_CBC_SHA,
-
- 0
-
-};
-
-const PRUint16 SSL_NumImplementedCiphers =
- (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
-
diff --git a/security/nss/lib/ssl/sslerr.c b/security/nss/lib/ssl/sslerr.c
deleted file mode 100644
index 5a2d27a3e..000000000
--- a/security/nss/lib/ssl/sslerr.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Function to set error code only when meaningful error has not already
- * been set.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "prerror.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "seccomon.h"
-
-/* look at the current value of PR_GetError, and evaluate it to see
- * if it is meaningful or meaningless (out of context).
- * If it is meaningless, replace it with the hiLevelError.
- * Returns the chosen error value.
- */
-int
-ssl_MapLowLevelError(int hiLevelError)
-{
- int oldErr = PORT_GetError();
-
- switch (oldErr) {
-
- case 0:
- case PR_IO_ERROR:
- case SEC_ERROR_IO:
- case SEC_ERROR_BAD_DATA:
- case SEC_ERROR_LIBRARY_FAILURE:
- case SSL_ERROR_BAD_CLIENT:
- case SSL_ERROR_BAD_SERVER:
- PORT_SetError(hiLevelError);
- return hiLevelError;
-
- default: /* leave the majority of error codes alone. */
- return oldErr;
- }
-}
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
deleted file mode 100644
index 3285fb60c..000000000
--- a/security/nss/lib/ssl/sslerr.h
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * Enumeration of all SSL-specific error codes.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#ifndef __SSL_ERR_H_
-#define __SSL_ERR_H_
-
-
-#define SSL_ERROR_BASE (-0x3000)
-#define SSL_ERROR_LIMIT (SSL_ERROR_BASE + 1000)
-
-#define IS_SSL_ERROR(code) \
- (((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
-
-#ifndef NO_SECURITY_ERROR_ENUM
-typedef enum {
-SSL_ERROR_EXPORT_ONLY_SERVER = (SSL_ERROR_BASE + 0),
-SSL_ERROR_US_ONLY_SERVER = (SSL_ERROR_BASE + 1),
-SSL_ERROR_NO_CYPHER_OVERLAP = (SSL_ERROR_BASE + 2),
-/*
- * Received an alert reporting what we did wrong. (more alerts below)
- */
-SSL_ERROR_NO_CERTIFICATE /*_ALERT */ = (SSL_ERROR_BASE + 3),
-SSL_ERROR_BAD_CERTIFICATE = (SSL_ERROR_BASE + 4),
- /* error 5 is obsolete */
-SSL_ERROR_BAD_CLIENT = (SSL_ERROR_BASE + 6),
-SSL_ERROR_BAD_SERVER = (SSL_ERROR_BASE + 7),
-SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE = (SSL_ERROR_BASE + 8),
-SSL_ERROR_UNSUPPORTED_VERSION = (SSL_ERROR_BASE + 9),
- /* error 10 is obsolete */
-SSL_ERROR_WRONG_CERTIFICATE = (SSL_ERROR_BASE + 11),
-SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12),
-SSL_ERROR_POST_WARNING = (SSL_ERROR_BASE + 13),
-SSL_ERROR_SSL2_DISABLED = (SSL_ERROR_BASE + 14),
-SSL_ERROR_BAD_MAC_READ = (SSL_ERROR_BASE + 15),
-/*
- * Received an alert reporting what we did wrong.
- * (two more alerts above, and many more below)
- */
-SSL_ERROR_BAD_MAC_ALERT = (SSL_ERROR_BASE + 16),
-SSL_ERROR_BAD_CERT_ALERT = (SSL_ERROR_BASE + 17),
-SSL_ERROR_REVOKED_CERT_ALERT = (SSL_ERROR_BASE + 18),
-SSL_ERROR_EXPIRED_CERT_ALERT = (SSL_ERROR_BASE + 19),
-
-SSL_ERROR_SSL_DISABLED = (SSL_ERROR_BASE + 20),
-SSL_ERROR_FORTEZZA_PQG = (SSL_ERROR_BASE + 21),
-SSL_ERROR_UNKNOWN_CIPHER_SUITE = (SSL_ERROR_BASE + 22),
-SSL_ERROR_NO_CIPHERS_SUPPORTED = (SSL_ERROR_BASE + 23),
-SSL_ERROR_BAD_BLOCK_PADDING = (SSL_ERROR_BASE + 24),
-SSL_ERROR_RX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 25),
-SSL_ERROR_TX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 26),
-/*
- * Received a malformed (too long or short) SSL handshake.
- */
-SSL_ERROR_RX_MALFORMED_HELLO_REQUEST = (SSL_ERROR_BASE + 27),
-SSL_ERROR_RX_MALFORMED_CLIENT_HELLO = (SSL_ERROR_BASE + 28),
-SSL_ERROR_RX_MALFORMED_SERVER_HELLO = (SSL_ERROR_BASE + 29),
-SSL_ERROR_RX_MALFORMED_CERTIFICATE = (SSL_ERROR_BASE + 30),
-SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 31),
-SSL_ERROR_RX_MALFORMED_CERT_REQUEST = (SSL_ERROR_BASE + 32),
-SSL_ERROR_RX_MALFORMED_HELLO_DONE = (SSL_ERROR_BASE + 33),
-SSL_ERROR_RX_MALFORMED_CERT_VERIFY = (SSL_ERROR_BASE + 34),
-SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 35),
-SSL_ERROR_RX_MALFORMED_FINISHED = (SSL_ERROR_BASE + 36),
-/*
- * Received a malformed (too long or short) SSL record.
- */
-SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER = (SSL_ERROR_BASE + 37),
-SSL_ERROR_RX_MALFORMED_ALERT = (SSL_ERROR_BASE + 38),
-SSL_ERROR_RX_MALFORMED_HANDSHAKE = (SSL_ERROR_BASE + 39),
-SSL_ERROR_RX_MALFORMED_APPLICATION_DATA = (SSL_ERROR_BASE + 40),
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g. Server received message from server, or wrong state in state machine.
- */
-SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST = (SSL_ERROR_BASE + 41),
-SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO = (SSL_ERROR_BASE + 42),
-SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO = (SSL_ERROR_BASE + 43),
-SSL_ERROR_RX_UNEXPECTED_CERTIFICATE = (SSL_ERROR_BASE + 44),
-SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 45),
-SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST = (SSL_ERROR_BASE + 46),
-SSL_ERROR_RX_UNEXPECTED_HELLO_DONE = (SSL_ERROR_BASE + 47),
-SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY = (SSL_ERROR_BASE + 48),
-SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 49),
-SSL_ERROR_RX_UNEXPECTED_FINISHED = (SSL_ERROR_BASE + 50),
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER = (SSL_ERROR_BASE + 51),
-SSL_ERROR_RX_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 52),
-SSL_ERROR_RX_UNEXPECTED_HANDSHAKE = (SSL_ERROR_BASE + 53),
-SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA= (SSL_ERROR_BASE + 54),
-/*
- * Received record/message with unknown discriminant.
- */
-SSL_ERROR_RX_UNKNOWN_RECORD_TYPE = (SSL_ERROR_BASE + 55),
-SSL_ERROR_RX_UNKNOWN_HANDSHAKE = (SSL_ERROR_BASE + 56),
-SSL_ERROR_RX_UNKNOWN_ALERT = (SSL_ERROR_BASE + 57),
-/*
- * Received an alert reporting what we did wrong. (more alerts above)
- */
-SSL_ERROR_CLOSE_NOTIFY_ALERT = (SSL_ERROR_BASE + 58),
-SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 59),
-SSL_ERROR_DECOMPRESSION_FAILURE_ALERT = (SSL_ERROR_BASE + 60),
-SSL_ERROR_HANDSHAKE_FAILURE_ALERT = (SSL_ERROR_BASE + 61),
-SSL_ERROR_ILLEGAL_PARAMETER_ALERT = (SSL_ERROR_BASE + 62),
-SSL_ERROR_UNSUPPORTED_CERT_ALERT = (SSL_ERROR_BASE + 63),
-SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT = (SSL_ERROR_BASE + 64),
-
-SSL_ERROR_GENERATE_RANDOM_FAILURE = (SSL_ERROR_BASE + 65),
-SSL_ERROR_SIGN_HASHES_FAILURE = (SSL_ERROR_BASE + 66),
-SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE = (SSL_ERROR_BASE + 67),
-SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 68),
-SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 69),
-
-SSL_ERROR_ENCRYPTION_FAILURE = (SSL_ERROR_BASE + 70),
-SSL_ERROR_DECRYPTION_FAILURE = (SSL_ERROR_BASE + 71),
-SSL_ERROR_SOCKET_WRITE_FAILURE = (SSL_ERROR_BASE + 72),
-
-SSL_ERROR_MD5_DIGEST_FAILURE = (SSL_ERROR_BASE + 73),
-SSL_ERROR_SHA_DIGEST_FAILURE = (SSL_ERROR_BASE + 74),
-SSL_ERROR_MAC_COMPUTATION_FAILURE = (SSL_ERROR_BASE + 75),
-SSL_ERROR_SYM_KEY_CONTEXT_FAILURE = (SSL_ERROR_BASE + 76),
-SSL_ERROR_SYM_KEY_UNWRAP_FAILURE = (SSL_ERROR_BASE + 77),
-SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED = (SSL_ERROR_BASE + 78),
-SSL_ERROR_IV_PARAM_FAILURE = (SSL_ERROR_BASE + 79),
-SSL_ERROR_INIT_CIPHER_SUITE_FAILURE = (SSL_ERROR_BASE + 80),
-SSL_ERROR_SESSION_KEY_GEN_FAILURE = (SSL_ERROR_BASE + 81),
-SSL_ERROR_NO_SERVER_KEY_FOR_ALG = (SSL_ERROR_BASE + 82),
-SSL_ERROR_TOKEN_INSERTION_REMOVAL = (SSL_ERROR_BASE + 83),
-SSL_ERROR_TOKEN_SLOT_NOT_FOUND = (SSL_ERROR_BASE + 84),
-SSL_ERROR_NO_COMPRESSION_OVERLAP = (SSL_ERROR_BASE + 85),
-SSL_ERROR_HANDSHAKE_NOT_COMPLETED = (SSL_ERROR_BASE + 86),
-SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE = (SSL_ERROR_BASE + 87),
-SSL_ERROR_CERT_KEA_MISMATCH = (SSL_ERROR_BASE + 88),
-SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA = (SSL_ERROR_BASE + 89),
-SSL_ERROR_SESSION_NOT_FOUND = (SSL_ERROR_BASE + 90),
-
-SSL_ERROR_DECRYPTION_FAILED_ALERT = (SSL_ERROR_BASE + 91),
-SSL_ERROR_RECORD_OVERFLOW_ALERT = (SSL_ERROR_BASE + 92),
-SSL_ERROR_UNKNOWN_CA_ALERT = (SSL_ERROR_BASE + 93),
-SSL_ERROR_ACCESS_DENIED_ALERT = (SSL_ERROR_BASE + 94),
-SSL_ERROR_DECODE_ERROR_ALERT = (SSL_ERROR_BASE + 95),
-SSL_ERROR_DECRYPT_ERROR_ALERT = (SSL_ERROR_BASE + 96),
-SSL_ERROR_EXPORT_RESTRICTION_ALERT = (SSL_ERROR_BASE + 97),
-SSL_ERROR_PROTOCOL_VERSION_ALERT = (SSL_ERROR_BASE + 98),
-SSL_ERROR_INSUFFICIENT_SECURITY_ALERT = (SSL_ERROR_BASE + 99),
-SSL_ERROR_INTERNAL_ERROR_ALERT = (SSL_ERROR_BASE + 100),
-SSL_ERROR_USER_CANCELED_ALERT = (SSL_ERROR_BASE + 101),
-SSL_ERROR_NO_RENEGOTIATION_ALERT = (SSL_ERROR_BASE + 102),
-
-SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
-} SSLErrorCodes;
-#endif /* NO_SECURITY_ERROR_ENUM */
-
-#endif /* __SSL_ERR_H_ */
diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c
deleted file mode 100644
index 737a55c9b..000000000
--- a/security/nss/lib/ssl/sslgathr.c
+++ /dev/null
@@ -1,481 +0,0 @@
-/*
- * Gather (Read) entire SSL2 records from socket into buffer.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-
-/* Forward static declarations */
-static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
-
-/*
-** Gather a single record of data from the receiving stream. This code
-** first gathers the header (2 or 3 bytes long depending on the value of
-** the most significant bit in the first byte) then gathers up the data
-** for the record into gs->buf. This code handles non-blocking I/O
-** and is to be called multiple times until sec->recordLen != 0.
-** This function decrypts the gathered record in place, in gs_buf.
- *
- * Caller must hold RecvBufLock.
- *
- * Returns +1 when it has gathered a complete SSLV2 record.
- * Returns 0 if it hits EOF.
- * Returns -1 (SECFailure) on any error
- * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
-**
-** The SSL2 Gather State machine has 4 states:
-** GS_INIT - Done reading in previous record. Haven't begun to read in
-** next record. When ssl2_GatherData is called with the machine
-** in this state, the machine will attempt to read the first 3
-** bytes of the SSL2 record header, and will advance the state
-** to GS_HEADER.
-**
-** GS_HEADER - The machine is in this state while waiting for the completion
-** of the first 3 bytes of the SSL2 record. When complete, the
-** machine will compute the remaining unread length of this record
-** and will initiate a read of that many bytes. The machine will
-** advance to one of two states, depending on whether the record
-** is encrypted (GS_MAC), or unencrypted (GS_DATA).
-**
-** GS_MAC - The machine is in this state while waiting for the remainder
-** of the SSL2 record to be read in. When the read is completed,
-** the machine checks the record for valid length, decrypts it,
-** and checks and discards the MAC, then advances to GS_INIT.
-**
-** GS_DATA - The machine is in this state while waiting for the remainder
-** of the unencrypted SSL2 record to be read in. Upon completion,
-** the machine advances to the GS_INIT state and returns the data.
-*/
-int
-ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
-{
- sslSecurityInfo *sec = ss->sec;
- unsigned char * bp;
- unsigned char * pBuf;
- int nb, err, rv;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
-
- if (gs->state == GS_INIT) {
- /* Initialize gathering engine */
- gs->state = GS_HEADER;
- gs->remainder = 3;
- gs->count = 3;
- gs->offset = 0;
- gs->recordLen = 0;
- gs->recordPadding = 0;
- gs->hdr[2] = 0;
-
- gs->writeOffset = 0;
- gs->readOffset = 0;
- }
- if (gs->encrypted) {
- PORT_Assert(sec != 0);
- }
-
- pBuf = gs->buf.buf;
- for (;;) {
- SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
- SSL_GETPID(), ss->fd, gs->state, gs->remainder));
- bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
- nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
- if (nb > 0) {
- PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
- }
- if (nb == 0) {
- /* EOF */
- SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
- rv = 0;
- break;
- }
- if (nb < 0) {
- SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
- PR_GetError()));
- rv = SECFailure;
- break;
- }
-
- gs->offset += nb;
- gs->remainder -= nb;
-
- if (gs->remainder > 0) {
- continue;
- }
-
- /* Probably finished this piece */
- switch (gs->state) {
- case GS_HEADER:
- if ((ss->enableSSL3 || ss->enableTLS) && !ss->connected) {
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- /* If this looks like an SSL3 handshake record,
- ** and we're expecting an SSL2 Hello message from our peer,
- ** handle it here.
- */
- if (gs->hdr[0] == content_handshake) {
- if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
- (ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
- rv = ssl2_HandleV3HandshakeRecord(ss);
- if (rv == SECFailure) {
- return SECFailure;
- }
- }
- /* XXX_1 The call stack to here is:
- * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake ->
- * ssl2_GatherRecord -> here.
- * We want to return all the way out to ssl_Do1stHandshake,
- * and have it call ssl_GatherRecord1stHandshake again.
- * ssl_GatherRecord1stHandshake will call
- * ssl3_GatherCompleteHandshake when it is called again.
- *
- * Returning SECWouldBlock here causes
- * ssl_GatherRecord1stHandshake to return without clearing
- * ss->handshake, ensuring that ssl_Do1stHandshake will
- * call it again immediately.
- *
- * If we return 1 here, ssl_GatherRecord1stHandshake will
- * clear ss->handshake before returning, and thus will not
- * be called again by ssl_Do1stHandshake.
- */
- return SECWouldBlock;
- } else if (gs->hdr[0] == content_alert) {
- if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
- /* XXX This is a hack. We're assuming that any failure
- * XXX on the client hello is a failure to match
- * XXX ciphers.
- */
- PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
- return SECFailure;
- }
- }
- } /* ((ss->enableSSL3 || ss->enableTLS) && !ss->connected) */
-
- /* we've got the first 3 bytes. The header may be two or three. */
- if (gs->hdr[0] & 0x80) {
- /* This record has a 2-byte header, and no padding */
- gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
- gs->recordPadding = 0;
- } else {
- /* This record has a 3-byte header that is all read in now. */
- gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
- /* is_escape = (gs->hdr[0] & 0x40) != 0; */
- gs->recordPadding = gs->hdr[2];
- }
-
- if (gs->count > gs->buf.space) {
- err = sslBuffer_Grow(&gs->buf, gs->count);
- if (err) {
- return err;
- }
- pBuf = gs->buf.buf;
- }
-
-
- if (gs->hdr[0] & 0x80) {
- /* we've already read in the first byte of the body.
- ** Put it into the buffer.
- */
- pBuf[0] = gs->hdr[2];
- gs->offset = 1;
- gs->remainder = gs->count - 1;
- } else {
- gs->offset = 0;
- gs->remainder = gs->count;
- }
-
- if (gs->encrypted) {
- gs->state = GS_MAC;
- gs->recordLen = gs->count - gs->recordPadding
- - sec->hash->length;
- } else {
- gs->state = GS_DATA;
- gs->recordLen = gs->count;
- }
-
- break;
-
-
- case GS_MAC:
- /* Have read in entire rest of the ciphertext.
- ** Check for valid length.
- ** Decrypt it.
- ** Check the MAC.
- */
- PORT_Assert(gs->encrypted);
-
- {
- unsigned int macLen;
- int nout;
- unsigned char mac[SSL_MAX_MAC_BYTES];
-
- ssl_GetSpecReadLock(ss); /**********************************/
-
- /* If this is a stream cipher, blockSize will be 1,
- * and this test will always be false.
- * If this is a block cipher, this will detect records
- * that are not a multiple of the blocksize in length.
- */
- if (gs->count & (sec->blockSize - 1)) {
- /* This is an error. Sender is misbehaving */
- SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
- SSL_GETPID(), ss->fd, gs->count,
- sec->blockSize));
- PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
- rv = SECFailure;
- goto spec_locked_done;
- }
- PORT_Assert(gs->count == gs->offset);
-
- if (gs->offset == 0) {
- rv = 0; /* means EOF. */
- goto spec_locked_done;
- }
-
- /* Decrypt the portion of data that we just recieved.
- ** Decrypt it in place.
- */
- rv = (*sec->dec)(sec->readcx, pBuf, &nout, gs->offset,
- pBuf, gs->offset);
- if (rv != SECSuccess) {
- goto spec_locked_done;
- }
-
-
- /* Have read in all the MAC portion of record
- **
- ** Prepare MAC by resetting it and feeding it the shared secret
- */
- macLen = sec->hash->length;
- if (gs->offset >= macLen) {
- uint32 sequenceNumber = sec->rcvSequence++;
- unsigned char seq[4];
-
- seq[0] = (unsigned char) (sequenceNumber >> 24);
- seq[1] = (unsigned char) (sequenceNumber >> 16);
- seq[2] = (unsigned char) (sequenceNumber >> 8);
- seq[3] = (unsigned char) (sequenceNumber);
-
- (*sec->hash->begin)(sec->hashcx);
- (*sec->hash->update)(sec->hashcx, sec->rcvSecret.data,
- sec->rcvSecret.len);
- (*sec->hash->update)(sec->hashcx, pBuf + macLen,
- gs->offset - macLen);
- (*sec->hash->update)(sec->hashcx, seq, 4);
- (*sec->hash->end)(sec->hashcx, mac, &macLen, macLen);
- }
-
- PORT_Assert(macLen == sec->hash->length);
-
- ssl_ReleaseSpecReadLock(ss); /******************************/
-
- if (PORT_Memcmp(mac, pBuf, macLen) != 0) {
- /* MAC's didn't match... */
- SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
- SSL_GETPID(), ss->fd, sec->rcvSequence));
- PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
- PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
- PORT_SetError(SSL_ERROR_BAD_MAC_READ);
- rv = SECFailure;
- goto cleanup;
- }
-
-
- PORT_Assert(gs->recordPadding + macLen <= gs->offset);
- if (gs->recordPadding + macLen <= gs->offset) {
- gs->recordOffset = macLen;
- gs->readOffset = macLen;
- gs->writeOffset = gs->offset - gs->recordPadding;
- rv = 1;
- } else {
- PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
-cleanup:
- /* nothing in the buffer any more. */
- gs->recordOffset = 0;
- gs->readOffset = 0;
- gs->writeOffset = 0;
- rv = SECFailure;
- }
-
- gs->recordLen = gs->writeOffset - gs->readOffset;
- gs->recordPadding = 0; /* forget we did any padding. */
- gs->state = GS_INIT;
-
-
- if (rv > 0) {
- PRINT_BUF(50, (ss, "recv clear record:",
- pBuf + gs->recordOffset, gs->recordLen));
- }
- return rv;
-
-spec_locked_done:
- ssl_ReleaseSpecReadLock(ss);
- return rv;
- }
-
- case GS_DATA:
- /* Have read in all the DATA portion of record */
-
- gs->recordOffset = 0;
- gs->readOffset = 0;
- gs->writeOffset = gs->offset;
- PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
- gs->recordLen = gs->offset;
- gs->recordPadding = 0;
- gs->state = GS_INIT;
-
- ++sec->rcvSequence;
-
- PRINT_BUF(50, (ss, "recv clear record:",
- pBuf + gs->recordOffset, gs->recordLen));
- return 1;
-
- } /* end switch gs->state */
- } /* end gather loop. */
- return rv;
-}
-
-/*
-** Gather a single record of data from the receiving stream. This code
-** first gathers the header (2 or 3 bytes long depending on the value of
-** the most significant bit in the first byte) then gathers up the data
-** for the record into the readBuf. This code handles non-blocking I/O
-** and is to be called multiple times until sec->recordLen != 0.
- *
- * Returns +1 when it has gathered a complete SSLV2 record.
- * Returns 0 if it hits EOF.
- * Returns -1 (SECFailure) on any error
- * Returns -2 (SECWouldBlock)
- *
- * Called by ssl_GatherRecord1stHandshake in sslcon.c,
- * and by DoRecv in sslsecur.c
- * Caller must hold RecvBufLock.
- */
-int
-ssl2_GatherRecord(sslSocket *ss, int flags)
-{
- return ssl2_GatherData(ss, ss->gather, flags);
-}
-
-/*
- * Returns +1 when it has gathered a complete SSLV2 record.
- * Returns 0 if it hits EOF.
- * Returns -1 (SECFailure) on any error
- * Returns -2 (SECWouldBlock)
- *
- * Called from SocksStartGather in sslsocks.c
- * Caller must hold RecvBufLock.
- */
-int
-ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
-{
- int rv;
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- gs->state = GS_DATA;
- gs->remainder = count;
- gs->count = count;
- gs->offset = 0;
- if (count > gs->buf.space) {
- rv = sslBuffer_Grow(&gs->buf, count);
- if (rv) {
- return rv;
- }
- }
- return ssl2_GatherData(ss, gs, 0);
-}
-
-/* Caller should hold RecvBufLock. */
-sslGather *
-ssl_NewGather(void)
-{
- sslGather *gs;
-
- gs = (sslGather*) PORT_ZAlloc(sizeof(sslGather));
- if (gs) {
- gs->state = GS_INIT;
- }
- return gs;
-}
-
-/* Caller must hold RecvBufLock. */
-void
-ssl_DestroyGather(sslGather *gs)
-{
- if (gs->inbuf.buf != NULL) {
- PORT_ZFree(gs->inbuf.buf, gs->inbuf.len);
- }
- if (gs) {
- PORT_Free(gs->buf.buf);
- PORT_Free(gs);
- }
-}
-
-/* Caller must hold RecvBufLock. */
-static SECStatus
-ssl2_HandleV3HandshakeRecord(sslSocket *ss)
-{
- sslGather * gs = ss->gather;
- SECStatus rv;
- SSL3ProtocolVersion version = (gs->hdr[1] << 8) | gs->hdr[2];
-
- PORT_Assert( ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
- gs->remainder = 2;
- gs->count = 0;
-
- /* Clearing these handshake pointers ensures that
- * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
- */
- ss->nextHandshake = 0;
- ss->securityHandshake = 0;
-
- /* Setting ss->version to an SSL 3.x value will cause
- ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake()
- ** the next time it is called.
- **/
- rv = ssl3_NegotiateVersion(ss, version);
- if (rv != SECSuccess) {
- return rv;
- }
-
- ss->sec->send = ssl3_SendApplicationData;
-
- return SECSuccess;
-}
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
deleted file mode 100644
index fe4a68f27..000000000
--- a/security/nss/lib/ssl/sslimpl.h
+++ /dev/null
@@ -1,1250 +0,0 @@
-/*
- * This file is PRIVATE to SSL and should be the first thing included by
- * any SSL implementation file.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef __sslimpl_h_
-#define __sslimpl_h_
-
-#ifdef DEBUG
-#undef NDEBUG
-#else
-#undef NDEBUG
-#define NDEBUG
-#endif
-#include "secport.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "ssl3prot.h"
-#include "hasht.h"
-#include "prlock.h"
-#include "pkcs11t.h"
-#ifdef XP_UNIX
-#include "unistd.h"
-#endif
-#include "nssrwlk.h"
-
-
-#if defined(DEBUG) || defined(TRACE)
-#ifdef __cplusplus
-#define Debug 1
-#else
-extern int Debug;
-#endif
-#else
-#undef Debug
-#endif
-#if defined(DEBUG)
-#define TRACE
-#endif
-
-#ifdef TRACE
-#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
-#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
-#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
-#else
-#define SSL_TRC(a,b)
-#define PRINT_BUF(a,b)
-#define DUMP_MSG(a,b)
-#endif
-
-#ifdef DEBUG
-#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
-#else
-#define SSL_DBG(b)
-#endif
-
-#if defined (DEBUG)
-#ifdef macintosh
-#include "pprthred.h"
-#else
-#include "private/pprthred.h" /* for PR_InMonitor() */
-#endif
-#define ssl_InMonitor(m) PR_InMonitor(m)
-#endif
-
-#define LSB(x) ((unsigned char) (x & 0xff))
-#define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
-
-/************************************************************************/
-
-typedef enum { SSLAppOpRead = 0,
- SSLAppOpWrite,
- SSLAppOpRDWR,
- SSLAppOpPost,
- SSLAppOpHeader
-} SSLAppOperation;
-
-#define SSL_MIN_MASTER_KEY_BYTES 5
-#define SSL_MAX_MASTER_KEY_BYTES 64
-
-#define SSL_SESSIONID_BYTES 16
-#define SSL3_SESSIONID_BYTES 32
-
-#define SSL_MIN_CHALLENGE_BYTES 16
-#define SSL_MAX_CHALLENGE_BYTES 32
-#define SSL_CHALLENGE_BYTES 16
-
-#define SSL_CONNECTIONID_BYTES 16
-
-#define SSL_MIN_CYPHER_ARG_BYTES 0
-#define SSL_MAX_CYPHER_ARG_BYTES 32
-
-#define SSL_MAX_MAC_BYTES 16
-
-/* number of wrap mechanisms potentially used to wrap master secrets. */
-#define SSL_NUM_WRAP_MECHS 13
-
-/* This makes the cert cache entry exactly 4k. */
-#define SSL_MAX_CACHED_CERT_LEN 4060
-
-typedef struct sslBufferStr sslBuffer;
-typedef struct sslConnectInfoStr sslConnectInfo;
-typedef struct sslGatherStr sslGather;
-typedef struct sslSecurityInfoStr sslSecurityInfo;
-typedef struct sslSessionIDStr sslSessionID;
-typedef struct sslSocketStr sslSocket;
-typedef struct sslSocketOpsStr sslSocketOps;
-typedef struct sslSocksInfoStr sslSocksInfo;
-
-typedef struct ssl3StateStr ssl3State;
-typedef struct ssl3CertNodeStr ssl3CertNode;
-typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
-typedef struct ssl3MACDefStr ssl3MACDef;
-typedef struct ssl3KeyPairStr ssl3KeyPair;
-
-struct ssl3CertNodeStr {
- struct ssl3CertNodeStr *next;
- CERTCertificate * cert;
-};
-
-typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
-
-/* This type points to the low layer send func,
-** e.g. ssl2_SendStream or ssl3_SendPlainText.
-** These functions return the same values as PR_Send,
-** i.e. >= 0 means number of bytes sent, < 0 means error.
-*/
-typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
- PRInt32 n, PRInt32 flags);
-
-typedef void (*sslSessionIDCacheFunc) (sslSessionID *sid);
-typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid);
-typedef sslSessionID *(*sslSessionIDLookupFunc)(PRUint32 addr,
- unsigned char* sid,
- unsigned int sidLen,
- CERTCertDBHandle * dbHandle);
-
-
-/* Socket ops */
-struct sslSocketOpsStr {
- int (*connect) (sslSocket *, const PRNetAddr *);
- PRFileDesc *(*accept) (sslSocket *, PRNetAddr *);
- int (*bind) (sslSocket *, const PRNetAddr *);
- int (*listen) (sslSocket *, int);
- int (*shutdown)(sslSocket *, int);
- int (*close) (sslSocket *);
-
- int (*recv) (sslSocket *, unsigned char *, int, int);
-
- /* points to the higher-layer send func, e.g. ssl_SecureSend. */
- int (*send) (sslSocket *, const unsigned char *, int, int);
- int (*read) (sslSocket *, unsigned char *, int);
- int (*write) (sslSocket *, const unsigned char *, int);
-
- int (*getpeername)(sslSocket *, PRNetAddr *);
- int (*getsockname)(sslSocket *, PRNetAddr *);
-};
-
-/* Flags interpreted by ssl send functions. */
-#define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
-#define ssl_SEND_FLAG_NO_BUFFER 0x20000000
-#define ssl_SEND_FLAG_MASK 0x7f000000
-
-/*
-** A buffer object.
-*/
-struct sslBufferStr {
- unsigned char * buf;
- unsigned int len;
- unsigned int space;
-};
-
-/*
-** SSL3 cipher suite policy and preference struct.
-*/
-typedef struct {
-#ifdef AIX
- unsigned int cipher_suite : 16;
- unsigned int policy : 8;
- unsigned int enabled : 1;
- unsigned int isPresent : 1;
-#else
- ssl3CipherSuite cipher_suite;
- PRUint8 policy;
- unsigned char enabled : 1;
- unsigned char isPresent : 1;
-#endif
-} ssl3CipherSuiteCfg;
-
-#define ssl_V3_SUITES_IMPLEMENTED 13
-
-typedef struct sslOptionsStr {
- unsigned int useSecurity : 1; /* 1 */
- unsigned int useSocks : 1; /* 2 */
- unsigned int requestCertificate : 1; /* 3 */
- unsigned int requireCertificate : 2; /* 4-5 */
- unsigned int handshakeAsClient : 1; /* 6 */
- unsigned int handshakeAsServer : 1; /* 7 */
- unsigned int enableSSL2 : 1; /* 8 */
- unsigned int enableSSL3 : 1; /* 9 */
- unsigned int enableTLS : 1; /* 10 */
- unsigned int noCache : 1; /* 11 */
- unsigned int fdx : 1; /* 12 */
- unsigned int v2CompatibleHello : 1; /* 13 */
- unsigned int detectRollBack : 1; /* 14 */
-} sslOptions;
-
-/*
-** SSL Socket struct
-**
-** Protection: XXX
-*/
-struct sslSocketStr {
- PRFileDesc * fd;
-
- /* Pointer to operations vector for this socket */
- sslSocketOps * ops;
-
- /* State flags */
- unsigned int useSocks : 1;
- unsigned int useSecurity : 1;
- unsigned int requestCertificate : 1;
- unsigned int requireCertificate : 2;
-
- unsigned int handshakeAsClient : 1;
- unsigned int handshakeAsServer : 1;
- unsigned int enableSSL2 : 1;
- unsigned int enableSSL3 : 1;
- unsigned int enableTLS : 1;
-
- unsigned int clientAuthRequested: 1;
- unsigned int noCache : 1;
- unsigned int fdx : 1; /* simultaneous read/write threads */
- unsigned int v2CompatibleHello : 1; /* Send v3+ client hello in v2 format */
- unsigned int detectRollBack : 1; /* Detect rollback to SSL v3 */
- unsigned int connected : 1; /* initial handshake is complete. */
- unsigned int recvdCloseNotify : 1; /* received SSL EOF. */
-
- /* version of the protocol to use */
- SSL3ProtocolVersion version;
- SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
-
- /* Non-zero if socks is enabled */
- sslSocksInfo * socks;
-
- /* Non-zero if security is enabled */
- sslSecurityInfo *sec;
-
- /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
- const char *url; /* ssl 2 & 3 */
-
- /* Gather object used for gathering data */
- sslGather * gather; /*recvBufLock*/
-
- sslHandshakeFunc handshake; /*firstHandshakeLock*/
- sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/
- sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/
-
- sslBuffer saveBuf; /*xmitBufLock*/
- sslBuffer pendingBuf; /*xmitBufLock*/
-
- /* the following 3 variables are only used with socks or other proxies. */
- long peer; /* Target server IP address */
- int port; /* Target server port number. */
- char * peerID; /* String uniquely identifies target server. */
- /* End of socks variables. */
-
- ssl3State * ssl3;
- unsigned char * cipherSpecs;
- unsigned int sizeCipherSpecs;
-const unsigned char * preferredCipher;
-
- /* Configuration state for server sockets */
- CERTCertificate * serverCert[kt_kea_size];
- CERTCertificateList * serverCertChain[kt_kea_size];
- SECKEYPrivateKey * serverKey[kt_kea_size];
- ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
-
- /* Callbacks */
- SSLAuthCertificate authCertificate;
- void *authCertificateArg;
- SSLGetClientAuthData getClientAuthData;
- void *getClientAuthDataArg;
- SSLBadCertHandler handleBadCert;
- void *badCertArg;
- SSLHandshakeCallback handshakeCallback;
- void *handshakeCallbackData;
- void *pkcs11PinArg;
-
- PRIntervalTime rTimeout; /* timeout for NSPR I/O */
- PRIntervalTime wTimeout; /* timeout for NSPR I/O */
- PRIntervalTime cTimeout; /* timeout for NSPR I/O */
-
- PRLock * recvLock; /* lock against multiple reader threads. */
- PRLock * sendLock; /* lock against multiple sender threads. */
-
- PRMonitor * recvBufLock; /* locks low level recv buffers. */
- PRMonitor * xmitBufLock; /* locks low level xmit buffers. */
-
- /* Only one thread may operate on the socket until the initial handshake
- ** is complete. This Monitor ensures that. Since SSL2 handshake is
- ** only done once, this is also effectively the SSL2 handshake lock.
- */
- PRMonitor * firstHandshakeLock;
-
- /* This monitor protects the ssl3 handshake state machine data.
- ** Only one thread (reader or writer) may be in the ssl3 handshake state
- ** machine at any time. */
- PRMonitor * ssl3HandshakeLock;
-
- /* reader/writer lock, protects the secret data needed to encrypt and MAC
- ** outgoing records, and to decrypt and MAC check incoming ciphertext
- ** records. */
- NSSRWLock * specLock;
-
- /* handle to perm cert db (and implicitly to the temp cert db) used
- ** with this socket.
- */
- CERTCertDBHandle * dbHandle;
-
- PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
-
- PRUint16 allowedByPolicy; /* copy of global policy bits. */
- PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
- PRUint16 chosenPreference; /* SSL2 cipher preferences. */
-
- ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
-
-};
-
-#define SSL_LOCK_RANK_SPEC 255
-#define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
-
-/* These are the valid values for shutdownHow.
-** These values are each 1 greater than the NSPR values, and the code
-** depends on that relation to efficiently convert PR_SHUTDOWN values
-** into ssl_SHUTDOWN values. These values use one bit for read, and
-** another bit for write, and can be used as bitmasks.
-*/
-#define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */
-#define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */
-#define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */
-#define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */
-
-/*
-** A gather object. Used to read some data until a count has been
-** satisfied. Primarily for support of async sockets.
-** Everything in here is protected by the recvBufLock.
-*/
-struct sslGatherStr {
- int state; /* see GS_ values below. */ /* ssl 2 & 3 */
-
- /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
- * SSL2: recv'd ciphertext records are put here, then decrypted in place.
- * SSL3: recv'd ciphertext records are put in inbuf (see below), then
- * decrypted into buf.
- */
- sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */
-
- /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
- ** (offset - writeOffset) is the number of ciphertext bytes read in but
- ** not yet deciphered.
- */
- unsigned int offset; /* ssl 2 & 3 */
-
- /* number of bytes to read in next call to ssl_DefRecv (recv) */
- unsigned int remainder; /* ssl 2 & 3 */
-
- /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
- unsigned int count; /* ssl2 only */
-
- /* size of the final plaintext record.
- ** == count - (recordPadding + MAC size)
- */
- unsigned int recordLen; /* ssl2 only */
-
- /* number of bytes of padding to be removed after decrypting. */
- /* This value is taken from the record's hdr[2], which means a too large
- * value could crash us.
- */
- unsigned int recordPadding; /* ssl2 only */
-
- /* plaintext DATA begins this many bytes into "buf". */
- unsigned int recordOffset; /* ssl2 only */
-
- int encrypted; /* SSL2 session is now encrypted. ssl2 only */
-
- /* These next two values are used by SSL2 and SSL3.
- ** DoRecv uses them to extract application data.
- ** The difference between writeOffset and readOffset is the amount of
- ** data available to the application. Note that the actual offset of
- ** the data in "buf" is recordOffset (above), not readOffset.
- ** In the current implementation, this is made available before the
- ** MAC is checked!!
- */
- unsigned int readOffset; /* Spot where DATA reader (e.g. application
- ** or handshake code) will read next.
- ** Always zero for SSl3 application data.
- */
- /* offset in buf/inbuf/hdr into which new data will be read from socket. */
- unsigned int writeOffset;
-
- /* Buffer for ssl3 to read (encrypted) data from the socket */
- sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */
-
- /* The ssl[23]_GatherData functions read data into this buffer, rather
- ** than into buf or inbuf, while in the GS_HEADER state.
- ** The portion of the SSL record header put here always comes off the wire
- ** as plaintext, never ciphertext.
- ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5.
- */
- unsigned char hdr[5]; /* ssl 2 & 3 */
-};
-
-/* sslGather.state */
-#define GS_INIT 0
-#define GS_HEADER 1
-#define GS_MAC 2
-#define GS_DATA 3
-#define GS_PAD 4
-
-typedef SECStatus (*SSLCipher)(void * context,
- unsigned char * out,
- int * outlen,
- int maxout,
- const unsigned char *in,
- int inlen);
-typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
-
-
-/*
- * SSL2 buffers used in SSL3.
- * writeBuf in the SecurityInfo maintained by sslsecur.c is used
- * to hold the data just about to be passed to the kernel
- * sendBuf in the ConnectInfo maintained by sslcon.c is used
- * to hold handshake messages as they are accumulated
- */
-
-/*
-** This is "ci", as in "ss->sec.ci".
-**
-** Protection: All the variables in here are protected by
-** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
-*/
-struct sslConnectInfoStr {
- /* outgoing handshakes appended to this. */
- sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
-
- unsigned long peer; /* ssl 2 & 3 */
- unsigned short port; /* ssl 2 & 3 */
-
- sslSessionID *sid; /* ssl 2 & 3 */
-
- /* see CIS_HAVE defines below for the bit values in *elements. */
- char elements; /* ssl2 only */
- char requiredElements; /* ssl2 only */
- char sentElements; /* ssl2 only */
-
- char sentFinished; /* ssl2 only */
-
- /* Length of server challenge. Used by client when saving challenge */
- int serverChallengeLen; /* ssl2 only */
- /* type of authentication requested by server */
- unsigned char authType; /* ssl2 only */
-
- /* Challenge sent by client to server in client-hello message */
- /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */
- unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */
-
- /* Connection-id sent by server to client in server-hello message */
- unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */
-
- /* Challenge sent by server to client in request-certificate message */
- unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */
-
- /* Information kept to handle a request-certificate message */
- unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
- unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
- unsigned keySize; /* ssl2 only */
-};
-
-/* bit values for ci->elements, ci->requiredElements, sentElements. */
-#define CIS_HAVE_MASTER_KEY 0x01
-#define CIS_HAVE_CERTIFICATE 0x02
-#define CIS_HAVE_FINISHED 0x04
-#define CIS_HAVE_VERIFY 0x08
-
-/* Note: The entire content of this struct and whatever it points to gets
- * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
- *
- * Unless otherwise specified below, the contents of this struct are
- * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
- */
-struct sslSecurityInfoStr {
- sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */
- int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */
- sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
-
- int cipherType; /* ssl 2 & 3 */
- int keyBits; /* ssl 2 & 3 */
- int secretKeyBits; /* ssl 2 & 3 */
- CERTCertificate *peerCert; /* ssl 2 & 3 */
- SECKEYPublicKey *peerKey; /* ssl3 only */
-
- /*
- ** Procs used for SID cache (nonce) management.
- ** Different implementations exist for clients/servers
- ** The lookup proc is only used for servers. Baloney!
- */
- sslSessionIDCacheFunc cache; /* ssl 2 & 3 */
- sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */
-
- /*
- ** everything below here is for ssl2 only.
- ** This stuff is equivalent to SSL3's "spec", and is protected by the
- ** same "Spec Lock" as used for SSL3's specs.
- */
- uint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */
- uint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */
-
- /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
- SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
- void *hashcx; /* Spec Lock */ /* ssl2 only */
-
- SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
- SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */
-
- /* Session cypher contexts; one for each direction */
- void *readcx; /* Spec Lock */ /* ssl2 only */
- void *writecx; /* Spec Lock */ /* ssl2 only */
- SSLCipher enc; /* Spec Lock */ /* ssl2 only */
- SSLCipher dec; /* Spec Lock */ /* ssl2 only */
- void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */
-
- /* Blocking information for the session cypher */
- int blockShift; /* Spec Lock */ /* ssl2 only */
- int blockSize; /* Spec Lock */ /* ssl2 only */
-
- /* These are used during a connection handshake */
- sslConnectInfo ci; /* ssl 2 & 3 */
-
-};
-
-/*
-** ssl3State and CipherSpec structs
-*/
-
-/* The SSL bulk cipher definition */
-typedef enum {
- cipher_null,
- cipher_rc4,
- cipher_rc4_40,
- cipher_rc4_56,
- cipher_rc2,
- cipher_rc2_40,
- cipher_des,
- cipher_3des,
- cipher_des40,
- cipher_idea,
- cipher_fortezza,
- cipher_missing /* reserved for no such supported cipher */
-} SSL3BulkCipher;
-
-/* The specific cipher algorithm */
-
-typedef enum {
- calg_null = (int)0x80000000L,
- calg_rc4 = CKM_RC4,
- calg_rc2 = CKM_RC2_CBC,
- calg_des = CKM_DES_CBC,
- calg_3des = CKM_DES3_CBC,
- calg_idea = CKM_IDEA_CBC,
- calg_fortezza = CKM_SKIPJACK_CBC64,
- calg_init = (int) 0x7fffffffL
-} CipherAlgorithm;
-
-/* hmac added to help TLS conversion by rjr... */
-typedef enum {
- malg_null = (int)0x80000000L,
- malg_md5 = CKM_SSL3_MD5_MAC,
- malg_sha = CKM_SSL3_SHA1_MAC,
- malg_md5_hmac = CKM_MD5_HMAC,
- malg_sha_hmac = CKM_SHA_1_HMAC
-} MACAlgorithm;
-
-
-/* Key Exchange values moved to ssl.h */
-typedef SSLKEAType SSL3KEAType;
-
-typedef enum {
- mac_null,
- mac_md5,
- mac_sha,
- hmac_md5, /* TLS HMAC version of mac_md5 */
- hmac_sha /* TLS HMAC version of mac_sha */
-} SSL3MACAlgorithm;
-
-typedef enum { type_stream, type_block } CipherType;
-
-#define MAX_IV_LENGTH 64
-
-/*
- * Do not depend upon 64 bit arithmetic in the underlying machine.
- */
-typedef struct {
- uint32 high;
- uint32 low;
-} SSL3SequenceNumber;
-
-typedef struct {
- SSL3Opaque write_iv[MAX_IV_LENGTH];
- PK11SymKey *write_key;
- PK11SymKey *write_mac_key;
- PK11Context *write_mac_context;
-} ssl3KeyMaterial;
-
-typedef struct {
- SSL3Opaque wrapped_client_write_key[12]; /* wrapped with Ks */
- SSL3Opaque wrapped_server_write_key[12]; /* wrapped with Ks */
- SSL3Opaque client_write_iv [24];
- SSL3Opaque server_write_iv [24];
- SSL3Opaque wrapped_master_secret [48];
- PRUint16 wrapped_master_secret_len;
-} ssl3SidKeys;
-
-/*
-** These are the "specs" in the "ssl3" struct.
-** Access to the pointers to these specs, and all the specs' contents
-** (direct and indirect) is protected by the reader/writer lock ss->specLock.
-*/
-typedef struct {
- const ssl3BulkCipherDef *cipher_def;
- const ssl3MACDef * mac_def;
- int mac_size;
- SSLCipher encode;
- void * encodeContext;
- SSLCipher decode;
- void * decodeContext;
- SSLDestroy destroy;
- PK11SymKey * master_secret;
- ssl3KeyMaterial client;
- ssl3KeyMaterial server;
- SSL3SequenceNumber write_seq_num;
- SSL3SequenceNumber read_seq_num;
- SSL3ProtocolVersion version;
-} ssl3CipherSpec;
-
-typedef enum { never_cached,
- in_client_cache,
- in_server_cache,
- invalid_cache /* no longer in any cache. */
-} Cached;
-
-struct sslSessionIDStr {
- sslSessionID * next; /* chain used for client sockets, only */
-
- CERTCertificate * peerCert;
- const char * peerID; /* client only */
- const char * urlSvrName; /* client only */
-
- PRUint32 addr;
- PRUint16 port;
-
- SSL3ProtocolVersion version;
-
- PRUint32 time;
- Cached cached;
- int references;
-
- union {
- struct {
- /* the V2 code depends upon the size of sessionID. */
- unsigned char sessionID[SSL_SESSIONID_BYTES];
-
- /* Stuff used to recreate key and read/write cipher objects */
- SECItem masterKey;
- int cipherType;
- SECItem cipherArg;
- int keyBits;
- int secretKeyBits;
- } ssl2;
- struct {
- /* values that are copied into the server's on-disk SID cache. */
- uint8 sessionIDLength;
- SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
-
- ssl3CipherSuite cipherSuite;
- SSL3CompressionMethod compression;
- PRBool resumable;
- int policy;
- PRBool hasFortezza;
- ssl3SidKeys keys;
- CK_MECHANISM_TYPE masterWrapMech;
- /* mechanism used to wrap master secret */
- SSL3KEAType exchKeyType;
- /* key type used in exchange algorithm,
- * and to wrap the sym wrapping key. */
-
- /* The following values are NOT restored from the server's on-disk
- * session cache, but are restored from the client's cache.
- */
- PK11SymKey * clientWriteKey;
- PK11SymKey * serverWriteKey;
- PK11SymKey * tek;
-
- /* The following values pertain to the slot that wrapped the
- ** master secret. (used only in client)
- */
- SECMODModuleID masterModuleID;
- /* what module wrapped the master secret */
- CK_SLOT_ID masterSlotID;
- PRUint16 masterWrapIndex;
- /* what's the key index for the wrapping key */
- PRUint16 masterWrapSeries;
- /* keep track of the slot series, so we don't
- * accidently try to use new keys after the
- * card gets removed and replaced.*/
-
- /* The following values pertain to the slot that did the signature
- ** for client auth. (used only in client)
- */
- SECMODModuleID clAuthModuleID;
- CK_SLOT_ID clAuthSlotID;
- PRUint16 clAuthSeries;
-
- char masterValid;
- char clAuthValid;
-
- /* the following values are used only in the client, and only
- * with fortezza.
- */
- SSL3Opaque clientWriteSave[80];
- int clientWriteSaveLen;
- } ssl3;
- } u;
-};
-
-
-typedef struct ssl3CipherSuiteDefStr {
- ssl3CipherSuite cipher_suite;
- SSL3BulkCipher bulk_cipher_alg;
- SSL3MACAlgorithm mac_alg;
- SSL3KeyExchangeAlgorithm key_exchange_alg;
-} ssl3CipherSuiteDef;
-
-/*
-** There are tables of these, all const.
-*/
-typedef struct {
- SSL3KeyExchangeAlgorithm kea;
- SSL3KEAType exchKeyType;
- SSL3SignType signKeyType;
- PRBool is_limited;
- int key_size_limit;
- PRBool tls_keygen;
-} ssl3KEADef;
-
-typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode;
-
-/*
-** There are tables of these, all const.
-*/
-struct ssl3BulkCipherDefStr {
- SSL3BulkCipher cipher;
- CipherAlgorithm calg;
- int key_size;
- int secret_key_size;
- CipherType type;
- int iv_size;
- int block_size;
- SSL3KeyGenMode keygen_mode;
-};
-
-/*
-** There are tables of these, all const.
-*/
-struct ssl3MACDefStr {
- SSL3MACAlgorithm mac;
- MACAlgorithm malg;
- int pad_size;
- int mac_size;
-};
-
-typedef enum {
- wait_client_hello,
- wait_client_cert,
- wait_client_key,
- wait_cert_verify,
- wait_change_cipher,
- wait_finished,
- wait_server_hello,
- wait_server_cert,
- wait_server_key,
- wait_cert_request,
- wait_hello_done,
- idle_handshake
-} SSL3WaitState;
-
-/*
-** This is the "hs" member of the "ssl3" struct.
-** This entire struct is protected by ssl3HandshakeLock
-*/
-typedef struct SSL3HandshakeStateStr {
- SSL3Random server_random;
- SSL3Random client_random;
- SSL3WaitState ws;
- PK11Context * md5; /* handshake running hashes */
- PK11Context * sha;
-const ssl3KEADef * kea_def;
- ssl3CipherSuite cipher_suite;
-const ssl3CipherSuiteDef *suite_def;
- SSL3CompressionMethod compression;
- sslBuffer msg_body; /* protected by recvBufLock */
- /* partial handshake message from record layer */
- unsigned int header_bytes;
- /* number of bytes consumed from handshake */
- /* message for message type and header length */
- SSL3HandshakeType msg_type;
- unsigned long msg_len;
- SECItem ca_list; /* used only by client */
- PRBool isResuming; /* are we resuming a session */
- PRBool rehandshake; /* immediately start another handshake
- * when this one finishes */
- PRBool usedStepDownKey; /* we did a server key exchange. */
- sslBuffer msgState; /* current state for handshake messages*/
- /* protected by recvBufLock */
-} SSL3HandshakeState;
-
-struct SSL3FortezzaKEAParamsStr {
- unsigned char R_s[128]; /* server's "random" public key */
- PK11SymKey * tek;
-};
-
-typedef struct SSL3FortezzaKEAParamsStr SSL3FortezzaKEAParams;
-
-/*
-** This is the "ssl3" struct, as in "ss->ssl3".
-** note:
-** usually, crSpec == cwSpec and prSpec == pwSpec.
-** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
-** But there are never more than 2 actual specs.
-** No spec must ever be modified if either "current" pointer points to it.
-*/
-struct ssl3StateStr {
-
- /*
- ** The following Specs and Spec pointers must be protected using the
- ** Spec Lock.
- */
- ssl3CipherSpec * crSpec; /* current read spec. */
- ssl3CipherSpec * prSpec; /* pending read spec. */
- ssl3CipherSpec * cwSpec; /* current write spec. */
- ssl3CipherSpec * pwSpec; /* pending write spec. */
- ssl3CipherSpec specs[2]; /* one is current, one is pending. */
-
- SSL3HandshakeState hs;
-
- CERTCertificate * clientCertificate; /* used by client */
- SECKEYPrivateKey * clientPrivateKey; /* used by client */
- CERTCertificateList *clientCertChain; /* used by client */
- PRBool sendEmptyCert; /* used by client */
-
- int policy;
- /* This says what cipher suites we can do, and should
- * be either SSL_ALLOWED or SSL_RESTRICTED
- */
- PRArenaPool * peerCertArena;
- /* These are used to keep track of the peer CA */
- void * peerCertChain;
- /* chain while we are trying to validate it. */
- CERTDistNames * ca_list;
- /* used by server. trusted CAs for this socket. */
- SSL3FortezzaKEAParams fortezza;
-};
-
-typedef struct {
- SSL3ContentType type;
- SSL3ProtocolVersion version;
- sslBuffer * buf;
-} SSL3Ciphertext;
-
-struct ssl3KeyPairStr {
- SECKEYPrivateKey * privKey; /* RSA step down key */
- SECKEYPublicKey * pubKey; /* RSA step down key */
- PRInt32 refCount; /* use PR_Atomic calls for this. */
-};
-
-typedef struct SSLWrappedSymWrappingKeyStr {
- SSL3Opaque wrappedSymmetricWrappingkey[512];
- SSL3Opaque wrapIV[24];
- CK_MECHANISM_TYPE symWrapMechanism;
- /* unwrapped symmetric wrapping key uses this mechanism */
- CK_MECHANISM_TYPE asymWrapMechanism;
- /* mechanism used to wrap the SymmetricWrappingKey using
- * server's public and/or private keys. */
- SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/
- PRInt32 symWrapMechIndex;
- PRUint16 wrappedSymKeyLen;
- PRUint16 wrapIVLen;
-} SSLWrappedSymWrappingKey;
-
-/* All the global data items declared here should be protected using the
-** ssl_global_data_lock, which is a reader/writer lock.
-*/
-extern NSSRWLock * ssl_global_data_lock;
-extern char ssl_debug;
-extern char ssl_trace;
-extern CERTDistNames * ssl3_server_ca_list;
-extern PRUint32 ssl_sid_timeout;
-extern PRUint32 ssl3_sid_timeout;
-extern PRBool ssl3_global_policy_some_restricted;
-
-extern const char * const ssl_cipherName[];
-extern const char * const ssl3_cipherName[];
-
-extern sslSessionIDLookupFunc ssl_sid_lookup;
-extern sslSessionIDCacheFunc ssl_sid_cache;
-extern sslSessionIDUncacheFunc ssl_sid_uncache;
-
-/************************************************************************/
-
-SEC_BEGIN_PROTOS
-
-/* Implementation of ops for default (non socks, non secure) case */
-extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
-extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
-extern int ssl_DefListen(sslSocket *ss, int backlog);
-extern int ssl_DefShutdown(sslSocket *ss, int how);
-extern int ssl_DefClose(sslSocket *ss);
-extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
-extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
- int len, int flags);
-extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
-extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
-extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
-extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
-extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
- void *optval, PRInt32 *optlen);
-extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
- const void *optval, PRInt32 optlen);
-
-/* Implementation of ops for socks only case */
-extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
-extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
-extern int ssl_SocksListen(sslSocket *ss, int backlog);
-extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
-extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
-extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
- int len, int flags);
-extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
-extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
-
-/* Implementation of ops for secure only case */
-extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
-extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
- int len, int flags);
-extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
- int len, int flags);
-extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
-extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
-extern int ssl_SecureShutdown(sslSocket *ss, int how);
-extern int ssl_SecureClose(sslSocket *ss);
-
-/* Implementation of ops for secure socks case */
-extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
-extern PRFileDesc *ssl_FindTop(sslSocket *ss);
-
-/* Gather funcs. */
-extern sslGather * ssl_NewGather(void);
-extern void ssl_DestroyGather(sslGather *gs);
-extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
-extern int ssl2_GatherRecord(sslSocket *ss, int flags);
-extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
-
-extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss);
-extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss);
-extern int ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs,
- unsigned int count);
-
-extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
-extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
-extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
-
-extern SECStatus ssl_CreateSocksInfo(sslSocket *ss);
-extern SECStatus ssl_CopySocksInfo(sslSocket *ss, sslSocket *os);
-extern void ssl_DestroySocksInfo(sslSocksInfo *si);
-
-extern sslSocket * ssl_DupSocket(sslSocket *old);
-
-extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
-extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
-
-extern int ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf,
- sslSendFunc fp);
-extern SECStatus ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf,
- const void* p, unsigned int l);
-extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
-extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
-extern int ssl_Do1stHandshake(sslSocket *ss);
-
-extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
-
-extern void ssl2_UseClearSendFunc(sslSocket *ss);
-extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
-
-extern sslSessionID *ssl_LookupSID(PRUint32 addr, PRUint16 port,
- const char *peerID, const char *urlSvrName);
-extern void ssl_FreeSID(sslSessionID *sid);
-
-extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
- int len, int flags);
-
-extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
-
-extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
-
-extern void ssl_SetAlwaysBlock(sslSocket *ss);
-
-#define SSL_LOCK_READER(ss) if (ss->recvLock) PR_Lock(ss->recvLock)
-#define SSL_UNLOCK_READER(ss) if (ss->recvLock) PR_Unlock(ss->recvLock)
-#define SSL_LOCK_WRITER(ss) if (ss->sendLock) PR_Lock(ss->sendLock)
-#define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PR_Unlock(ss->sendLock)
-
-#define ssl_Get1stHandshakeLock(ss) PR_EnterMonitor((ss)->firstHandshakeLock)
-#define ssl_Release1stHandshakeLock(ss) PR_ExitMonitor((ss)->firstHandshakeLock)
-#define ssl_Have1stHandshakeLock(ss) PR_InMonitor( (ss)->firstHandshakeLock)
-
-#define ssl_GetSSL3HandshakeLock(ss) PR_EnterMonitor((ss)->ssl3HandshakeLock)
-#define ssl_ReleaseSSL3HandshakeLock(ss) PR_ExitMonitor((ss)->ssl3HandshakeLock)
-#define ssl_HaveSSL3HandshakeLock(ss) PR_InMonitor( (ss)->ssl3HandshakeLock)
-
-#define ssl_GetSpecReadLock(ss) NSSRWLock_LockRead( (ss)->specLock)
-#define ssl_ReleaseSpecReadLock(ss) NSSRWLock_UnlockRead( (ss)->specLock)
-
-#define ssl_GetSpecWriteLock(ss) NSSRWLock_LockWrite( (ss)->specLock)
-#define ssl_ReleaseSpecWriteLock(ss) NSSRWLock_UnlockWrite((ss)->specLock)
-#define ssl_HaveSpecWriteLock(ss) NSSRWLock_HaveWriteLock((ss)->specLock)
-
-#define ssl_GetRecvBufLock(ss) PR_EnterMonitor((ss)->recvBufLock)
-#define ssl_ReleaseRecvBufLock(ss) PR_ExitMonitor( (ss)->recvBufLock)
-#define ssl_HaveRecvBufLock(ss) PR_InMonitor( (ss)->recvBufLock)
-
-#define ssl_GetXmitBufLock(ss) PR_EnterMonitor((ss)->xmitBufLock)
-#define ssl_ReleaseXmitBufLock(ss) PR_ExitMonitor( (ss)->xmitBufLock)
-#define ssl_HaveXmitBufLock(ss) PR_InMonitor( (ss)->xmitBufLock)
-
-
-/* These functions are called from secnav, even though they're "private". */
-
-extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
-extern int SSL_RestartHandshakeAfterServerCert(struct sslSocketStr *ss);
-extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
- CERTCertificate *cert,
- SECKEYPrivateKey *key,
- CERTCertificateList *certChain);
-extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
-extern void ssl_FreeSocket(struct sslSocketStr *ssl);
-extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
- SSL3AlertDescription desc);
-
-extern int ssl2_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key);
-
-extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key,
- CERTCertificateList *certChain);
-
-extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss);
-extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss);
-
-/*
- * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
- */
-extern SECStatus ssl3_HandleV2ClientHello(
- sslSocket *ss, unsigned char *buffer, int length);
-extern SECStatus ssl3_StartHandshakeHash(
- sslSocket *ss, unsigned char *buf, int length);
-
-/*
- * SSL3 specific routines
- */
-SECStatus ssl3_SendClientHello(sslSocket *ss);
-
-/*
- * input into the SSL3 machinery from the actualy network reading code
- */
-SECStatus ssl3_HandleRecord(
- sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
-
-int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
-int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
-/*
- * When talking to export clients or using export cipher suites, servers
- * with public RSA keys larger than 512 bits need to use a 512-bit public
- * key, signed by the larger key. The smaller key is a "step down" key.
- * Generate that key pair and keep it around.
- */
-extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
-
-extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
-extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
-extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
-extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
-
-extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
-extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
-extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
-extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
-
-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
-
-extern void ssl2_InitSocketPolicy(sslSocket *ss);
-extern void ssl3_InitSocketPolicy(sslSocket *ss);
-
-extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
- unsigned char *cs, int *size);
-
-extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
-
-extern void ssl3_DestroySSL3Info(ssl3State *ssl3);
-
-extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
- SSL3ProtocolVersion peerVersion);
-
-extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
-
-/* Construct a new NSPR socket for the app to use */
-extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
-extern void ssl_FreePRSocket(PRFileDesc *fd);
-
-/* Internal config function so SSL2 can initialize the present state of
- * various ciphers */
-extern int ssl3_config_match_init(sslSocket *);
-
-
-/* Create a new ref counted key pair object from two keys. */
-extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
- SECKEYPublicKey * pubKey);
-
-/* get a new reference (bump ref count) to an ssl3KeyPair. */
-extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
-
-/* Decrement keypair's ref count and free if zero. */
-extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
-
-/* calls for accessing wrapping keys across processes. */
-extern PRBool
-ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
- SSL3KEAType exchKeyType,
- SSLWrappedSymWrappingKey *wswk);
-
-/* The caller passes in the new value it wants
- * to set. This code tests the wrapped sym key entry in the file on disk.
- * If it is uninitialized, this function writes the caller's value into
- * the disk entry, and returns false.
- * Otherwise, it overwrites the caller's wswk with the value obtained from
- * the disk, and returns PR_TRUE.
- * This is all done while holding the locks/semaphores necessary to make
- * the operation atomic.
- */
-extern PRBool
-ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
-
-/********************** misc calls *********************/
-
-extern int ssl_MapLowLevelError(int hiLevelError);
-
-extern PRUint32 ssl_Time(void);
-
-/* emulation of NSPR routines. */
-extern PRInt32
-ssl_EmulateAcceptRead( PRFileDesc * sd,
- PRFileDesc ** nd,
- PRNetAddr ** raddr,
- void * buf,
- PRInt32 amount,
- PRIntervalTime timeout);
-extern PRInt32
-ssl_EmulateTransmitFile( PRFileDesc * sd,
- PRFileDesc * fd,
- const void * headers,
- PRInt32 hlen,
- PRTransmitFileFlags flags,
- PRIntervalTime timeout);
-extern PRInt32
-ssl_EmulateSendFile( PRFileDesc * sd,
- PRSendFileData * sfd,
- PRTransmitFileFlags flags,
- PRIntervalTime timeout);
-
-#ifdef TRACE
-#define SSL_TRACE(msg) ssl_Trace msg
-#else
-#define SSL_TRACE(msg)
-#endif
-
-void ssl_Trace(const char *format, ...);
-
-SEC_END_PROTOS
-
-
-#ifdef XP_UNIX
-#define SSL_GETPID() getpid()
-#else
-#define SSL_GETPID() 0
-#endif
-
-#endif /* __sslimpl_h_ */
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
deleted file mode 100644
index 6096de656..000000000
--- a/security/nss/lib/ssl/sslnonce.c
+++ /dev/null
@@ -1,345 +0,0 @@
-/*
- * This file implements the CLIENT Session ID cache.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "ssl.h"
-
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "prlock.h"
-#include "nsslocks.h"
-
-
-PRUint32 ssl_sid_timeout = 100;
-PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
-
-static sslSessionID *cache;
-static PRLock * cacheLock;
-
-/* sids can be in one of 4 states:
- *
- * never_cached, created, but not yet put into cache.
- * in_client_cache, in the client cache's linked list.
- * in_server_cache, entry came from the server's cache file.
- * invalid_cache has been removed from the cache.
- */
-
-#define LOCK_CACHE lock_cache()
-#define UNLOCK_CACHE PR_Unlock(cacheLock)
-
-static void
-lock_cache(void)
-{
- /* XXX Since the client session cache has no init function, we must
- * XXX init the cacheLock on the first call. Fix in NSS 3.0.
- */
- if (!cacheLock)
- nss_InitLock(&cacheLock);
- PR_Lock(cacheLock);
-}
-
-/* BEWARE: This function gets called for both client and server SIDs !!
- * If the unreferenced sid is not in the cache, Free sid and its contents.
- */
-static void
-ssl_DestroySID(sslSessionID *sid)
-{
- SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
- PORT_Assert((sid->references == 0));
-
- if (sid->cached == in_client_cache)
- return; /* it will get taken care of next time cache is traversed. */
-
- if (sid->version < SSL_LIBRARY_VERSION_3_0) {
- SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
- SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
- }
- if (sid->peerID != NULL)
- PORT_Free((void *)sid->peerID); /* CONST */
-
- if (sid->urlSvrName != NULL)
- PORT_Free((void *)sid->urlSvrName); /* CONST */
-
- if ( sid->peerCert ) {
- CERT_DestroyCertificate(sid->peerCert);
- }
-
- PORT_ZFree(sid, sizeof(sslSessionID));
-}
-
-/* BEWARE: This function gets called for both client and server SIDs !!
- * Decrement reference count, and
- * free sid if ref count is zero, and sid is not in the cache.
- * Does NOT remove from the cache first.
- * If the sid is still in the cache, it is left there until next time
- * the cache list is traversed.
- */
-static void
-ssl_FreeLockedSID(sslSessionID *sid)
-{
- PORT_Assert(sid->references >= 1);
- if (--sid->references == 0) {
- ssl_DestroySID(sid);
- }
-}
-
-/* BEWARE: This function gets called for both client and server SIDs !!
- * Decrement reference count, and
- * free sid if ref count is zero, and sid is not in the cache.
- * Does NOT remove from the cache first.
- * These locks are necessary because the sid _might_ be in the cache list.
- */
-void
-ssl_FreeSID(sslSessionID *sid)
-{
- LOCK_CACHE;
- ssl_FreeLockedSID(sid);
- UNLOCK_CACHE;
-}
-
-/************************************************************************/
-
-/*
-** Lookup sid entry in cache by Address, port, and peerID string.
-** If found, Increment reference count, and return pointer to caller.
-** If it has timed out or ref count is zero, remove from list and free it.
-*/
-
-sslSessionID *
-ssl_LookupSID(PRUint32 addr, PRUint16 port, const char *peerID,
- const char * urlSvrName)
-{
- sslSessionID **sidp;
- sslSessionID * sid;
- PRUint32 now;
-
- if (!urlSvrName)
- return NULL;
- now = ssl_Time();
- LOCK_CACHE;
- sidp = &cache;
- while ((sid = *sidp) != 0) {
- PORT_Assert(sid->cached == in_client_cache);
- PORT_Assert(sid->references >= 1);
-
- SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
-
- if (sid->time < now || !sid->references) {
- /*
- ** This session-id timed out, or was orphaned.
- ** Don't even care who it belongs to, blow it out of our cache.
- */
- SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
- now - sid->time, sid->references));
-
- *sidp = sid->next; /* delink it from the list. */
- sid->cached = invalid_cache; /* mark not on list. */
- if (!sid->references)
- ssl_DestroySID(sid);
- else
- ssl_FreeLockedSID(sid); /* drop ref count, free. */
-
- } else if ((sid->addr == addr) && /* server IP addr matches */
- (sid->port == port) && /* server port matches */
- /* proxy (peerID) matches */
- (((peerID == NULL) && (sid->peerID == NULL)) ||
- ((peerID != NULL) && (sid->peerID != NULL) &&
- PORT_Strcmp(sid->peerID, peerID) == 0)) &&
- /* is cacheable */
- (sid->version < SSL_LIBRARY_VERSION_3_0 ||
- sid->u.ssl3.resumable) &&
- /* server hostname matches. */
- (sid->urlSvrName != NULL) &&
- ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) ||
- ((sid->peerCert != NULL) && (SECSuccess ==
- CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
- ) {
- /* Hit */
- sid->references++;
- break;
- } else {
- sidp = &sid->next;
- }
- }
- UNLOCK_CACHE;
- return sid;
-}
-
-/*
-** Add an sid to the cache or return a previously cached entry to the cache.
-** Although this is static, it is called via ss->sec->cache().
-*/
-static void
-CacheSID(sslSessionID *sid)
-{
- PRUint32 expirationPeriod;
- SSL_TRC(8, ("SSL: Cache: sid=0x%x cached=%d addr=0x%08x port=0x%04x "
- "time=%x cached=%d",
- sid, sid->cached, sid->addr, sid->port, sid->time,
- sid->cached));
-
- if (sid->cached == in_client_cache)
- return;
-
- /* XXX should be different trace for version 2 vs. version 3 */
- if (sid->version < SSL_LIBRARY_VERSION_3_0) {
- expirationPeriod = ssl3_sid_timeout;
- PRINT_BUF(8, (0, "sessionID:",
- sid->u.ssl2.sessionID, sizeof(sid->u.ssl2.sessionID)));
- PRINT_BUF(8, (0, "masterKey:",
- sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.len));
- PRINT_BUF(8, (0, "cipherArg:",
- sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
- } else {
- if (sid->u.ssl3.sessionIDLength == 0)
- return;
- expirationPeriod = ssl_sid_timeout;
- PRINT_BUF(8, (0, "sessionID:",
- sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
- }
-
- /*
- * Put sid into the cache. Bump reference count to indicate that
- * cache is holding a reference. Uncache will reduce the cache
- * reference.
- */
- LOCK_CACHE;
- sid->references++;
- sid->cached = in_client_cache;
- sid->next = cache;
- cache = sid;
- sid->time = ssl_Time() + expirationPeriod;
- UNLOCK_CACHE;
-}
-
-/*
- * If sid "zap" is in the cache,
- * removes sid from cache, and decrements reference count.
- * Caller must hold cache lock.
- */
-static void
-UncacheSID(sslSessionID *zap)
-{
- sslSessionID **sidp = &cache;
- sslSessionID *sid;
-
- if (zap->cached != in_client_cache) {
- return;
- }
-
- SSL_TRC(8,("SSL: Uncache: zap=0x%x cached=%d addr=0x%08x port=0x%04x "
- "time=%x cipher=%d",
- zap, zap->cached, zap->addr, zap->port, zap->time,
- zap->u.ssl2.cipherType));
- if (zap->version < SSL_LIBRARY_VERSION_3_0) {
- PRINT_BUF(8, (0, "sessionID:",
- zap->u.ssl2.sessionID, sizeof(zap->u.ssl2.sessionID)));
- PRINT_BUF(8, (0, "masterKey:",
- zap->u.ssl2.masterKey.data, zap->u.ssl2.masterKey.len));
- PRINT_BUF(8, (0, "cipherArg:",
- zap->u.ssl2.cipherArg.data, zap->u.ssl2.cipherArg.len));
- }
-
- /* See if it's in the cache, if so nuke it */
- while ((sid = *sidp) != 0) {
- if (sid == zap) {
- /*
- ** Bingo. Reduce reference count by one so that when
- ** everyone is done with the sid we can free it up.
- */
- *sidp = zap->next;
- zap->cached = invalid_cache;
- ssl_FreeLockedSID(zap);
- return;
- }
- sidp = &sid->next;
- }
-}
-
-/* If sid "zap" is in the cache,
- * removes sid from cache, and decrements reference count.
- * Although this function is static, it is called externally via
- * ss->sec->uncache().
- */
-static void
-LockAndUncacheSID(sslSessionID *zap)
-{
- LOCK_CACHE;
- UncacheSID(zap);
- UNLOCK_CACHE;
-
-}
-
-/* choose client or server cache functions for this sslsocket. */
-void
-ssl_ChooseSessionIDProcs(sslSecurityInfo *sec)
-{
- if (sec->isServer) {
- sec->cache = ssl_sid_cache;
- sec->uncache = ssl_sid_uncache;
- } else {
- sec->cache = CacheSID;
- sec->uncache = LockAndUncacheSID;
- }
-}
-
-/* wipe out the entire client session cache. */
-void
-SSL_ClearSessionCache(void)
-{
- LOCK_CACHE;
- while(cache != NULL)
- UncacheSID(cache);
- UNLOCK_CACHE;
-}
-
-/* returns an unsigned int containing the number of seconds in PR_Now() */
-PRUint32
-ssl_Time(void)
-{
- PRTime now;
- PRInt64 ll;
- PRUint32 time;
-
- now = PR_Now();
- LL_I2L(ll, 1000000L);
- LL_DIV(now, now, ll);
- LL_L2UI(time, now);
- return time;
-}
-
diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h
deleted file mode 100644
index 51b780ca2..000000000
--- a/security/nss/lib/ssl/sslproto.h
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Various and sundry protocol constants. DON'T CHANGE THESE. These values
- * are mostly defined by the SSL2, SSL3, or TLS protocol specifications.
- * Cipher kinds and ciphersuites are part of the public API.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef __sslproto_h_
-#define __sslproto_h_
-
-#define SSL_LIBRARY_VERSION_2 0x0002
-#define SSL_LIBRARY_VERSION_2_1 0x0201
-#define SSL_LIBRARY_VERSION_3_0 0x0300
-#define SSL_LIBRARY_VERSION_3_1_TLS 0x0301
-
-/* Header lengths of some of the messages */
-#define SSL_HL_ERROR_HBYTES 3
-#define SSL_HL_CLIENT_HELLO_HBYTES 9
-#define SSL_HL_CLIENT_MASTER_KEY_HBYTES 10
-#define SSL_HL_CLIENT_FINISHED_HBYTES 1
-#define SSL_HL_SERVER_HELLO_HBYTES 11
-#define SSL_HL_SERVER_VERIFY_HBYTES 1
-#define SSL_HL_SERVER_FINISHED_HBYTES 1
-#define SSL_HL_REQUEST_CERTIFICATE_HBYTES 2
-#define SSL_HL_CLIENT_CERTIFICATE_HBYTES 6
-
-/* Security handshake protocol codes */
-#define SSL_MT_ERROR 0
-#define SSL_MT_CLIENT_HELLO 1
-#define SSL_MT_CLIENT_MASTER_KEY 2
-#define SSL_MT_CLIENT_FINISHED 3
-#define SSL_MT_SERVER_HELLO 4
-#define SSL_MT_SERVER_VERIFY 5
-#define SSL_MT_SERVER_FINISHED 6
-#define SSL_MT_REQUEST_CERTIFICATE 7
-#define SSL_MT_CLIENT_CERTIFICATE 8
-
-/* Certificate types */
-#define SSL_CT_X509_CERTIFICATE 0x01
-#if 0 /* XXX Not implemented yet */
-#define SSL_PKCS6_CERTIFICATE 0x02
-#endif
-#define SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01
-
-/* Error codes */
-#define SSL_PE_NO_CYPHERS 0x0001
-#define SSL_PE_NO_CERTIFICATE 0x0002
-#define SSL_PE_BAD_CERTIFICATE 0x0004
-#define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
-
-/* Cypher kinds (not the spec version!) */
-#define SSL_CK_RC4_128_WITH_MD5 0x01
-#define SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x02
-#define SSL_CK_RC2_128_CBC_WITH_MD5 0x03
-#define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x04
-#define SSL_CK_IDEA_128_CBC_WITH_MD5 0x05
-#define SSL_CK_DES_64_CBC_WITH_MD5 0x06
-#define SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x07
-
-/* Cipher enables. These are used only for SSL_EnableCipher
- * These values define the SSL2 suites, and do not colide with the
- * SSL3 Cipher suites defined below.
- */
-#define SSL_EN_RC4_128_WITH_MD5 0xFF01
-#define SSL_EN_RC4_128_EXPORT40_WITH_MD5 0xFF02
-#define SSL_EN_RC2_128_CBC_WITH_MD5 0xFF03
-#define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 0xFF04
-#define SSL_EN_IDEA_128_CBC_WITH_MD5 0xFF05
-#define SSL_EN_DES_64_CBC_WITH_MD5 0xFF06
-#define SSL_EN_DES_192_EDE3_CBC_WITH_MD5 0xFF07
-
-/* SSL v3 Cipher Suites */
-#define SSL_NULL_WITH_NULL_NULL 0x0000
-
-#define SSL_RSA_WITH_NULL_MD5 0x0001
-#define SSL_RSA_WITH_NULL_SHA 0x0002
-#define SSL_RSA_EXPORT_WITH_RC4_40_MD5 0x0003
-#define SSL_RSA_WITH_RC4_128_MD5 0x0004
-#define SSL_RSA_WITH_RC4_128_SHA 0x0005
-#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006
-#define SSL_RSA_WITH_IDEA_CBC_SHA 0x0007
-#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008
-#define SSL_RSA_WITH_DES_CBC_SHA 0x0009
-#define SSL_RSA_WITH_3DES_EDE_CBC_SHA 0x000a
-
-#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000b
-#define SSL_DH_DSS_WITH_DES_CBC_SHA 0x000c
-#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000d
-#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000e
-#define SSL_DH_RSA_WITH_DES_CBC_SHA 0x000f
-#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
-
-#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011
-#define SSL_DHE_DSS_WITH_DES_CBC_SHA 0x0012
-#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
-#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014
-#define SSL_DHE_RSA_WITH_DES_CBC_SHA 0x0015
-#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
-
-#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5 0x0017
-#define SSL_DH_ANON_WITH_RC4_128_MD5 0x0018
-#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA 0x0019
-#define SSL_DH_ANON_WITH_DES_CBC_SHA 0x001a
-#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA 0x001b
-
-#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c
-#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d
-#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e
-
-/* New TLS cipher suites backported to SSL3. */
-#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062
-#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064
-
-#define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
-#define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065
-#define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066
-
-/* Netscape "experimental" cipher suites. */
-#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
-#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
-
-/* New non-experimental openly spec'ed versions of those cipher suites. */
-#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff
-#define SSL_RSA_FIPS_WITH_DES_CBC_SHA 0xfefe
-
-#endif /* __sslproto_h_ */
diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c
deleted file mode 100644
index dcba7c3ef..000000000
--- a/security/nss/lib/ssl/sslreveal.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Accessor functions for SSLSocket private members.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "ssl.h"
-#include "certt.h"
-#include "sslimpl.h"
-
-/* given PRFileDesc, returns a copy of certificate associated with the socket
- * the caller should delete the cert when done with SSL_DestroyCertificate
- */
-CERTCertificate *
-SSL_RevealCert(PRFileDesc * fd)
-{
- CERTCertificate * cert = NULL;
- sslSocket * sslsocket = NULL;
-
- sslsocket = ssl_FindSocket(fd);
-
- /* CERT_DupCertificate increases reference count and returns pointer to
- * the same cert
- */
- if (sslsocket && sslsocket->sec)
- cert = CERT_DupCertificate(sslsocket->sec->peerCert);
-
- return cert;
-}
-
-/* given PRFileDesc, returns a pointer to PinArg associated with the socket
- */
-void *
-SSL_RevealPinArg(PRFileDesc * fd)
-{
- sslSocket * sslsocket = NULL;
- void * PinArg = NULL;
-
- sslsocket = ssl_FindSocket(fd);
-
- /* is pkcs11PinArg part of the sslSocket or sslSecurityInfo ? */
- if (sslsocket)
- PinArg = sslsocket->pkcs11PinArg;
-
- return PinArg;
-}
-
-
-/* given PRFileDesc, returns a pointer to the URL associated with the socket
- * the caller should free url when done
- */
-char *
-SSL_RevealURL(PRFileDesc * fd)
-{
- sslSocket * sslsocket = NULL;
- char * url = NULL;
-
- sslsocket = ssl_FindSocket(fd);
-
- if (sslsocket && sslsocket->url)
- url = PL_strdup(sslsocket->url);
-
- return url;
-}
-
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
deleted file mode 100644
index 76b252064..000000000
--- a/security/nss/lib/ssl/sslsecur.c
+++ /dev/null
@@ -1,1372 +0,0 @@
-/*
- * Various SSL functions.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include "cert.h"
-#include "secitem.h"
-#include "keyhi.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "secoid.h" /* for SECOID_GetALgorithmTag */
-#include "pk11func.h" /* for PK11_GenerateRandom */
-
-#if defined(_WINDOWS)
-#include "winsock.h" /* for MSG_PEEK */
-#elif defined(XP_MAC)
-#include "macsocket.h"
-#else
-#include <sys/socket.h> /* for MSG_PEEK */
-#endif
-
-#define MAX_BLOCK_CYPHER_SIZE 32
-
-#define TEST_FOR_FAILURE /* reminder */
-#define SET_ERROR_CODE /* reminder */
-
-/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock.
- *
- * Currently, the list of functions called through ss->handshake is:
- *
- * In sslsocks.c:
- * SocksGatherRecord
- * SocksHandleReply
- * SocksStartGather
- *
- * In sslcon.c:
- * ssl_GatherRecord1stHandshake
- * ssl2_HandleClientSessionKeyMessage
- * ssl2_HandleMessage
- * ssl2_HandleVerifyMessage
- * ssl2_BeginClientHandshake
- * ssl2_BeginServerHandshake
- * ssl2_HandleClientHelloMessage
- * ssl2_HandleServerHelloMessage
- *
- * The ss->handshake function returns SECWouldBlock under these conditions:
- * 1. ssl_GatherRecord1stHandshake called ssl2_GatherData which read in
- * the beginning of an SSL v3 hello message and returned SECWouldBlock
- * to switch to SSL v3 handshake processing.
- *
- * 2. ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming
- * v2 client hello msg, and called ssl3_HandleV2ClientHello which
- * returned SECWouldBlock.
- *
- * 3. SECWouldBlock was returned by one of the callback functions, via
- * one of these paths:
- * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
- *
- * - ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
- *
- * - ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() ->
- * ssl3_HandleRecord() -> ssl3_HandleHandshake() ->
- * ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() ->
- * ss->handleBadCert()
- *
- * - ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() ->
- * ssl3_HandleRecord() -> ssl3_HandleHandshake() ->
- * ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() ->
- * ss->getClientAuthData()
- *
- * Called from: SSL_ForceHandshake (below),
- * ssl_SecureRecv (below) and
- * ssl_SecureSend (below)
- * from: WaitForResponse in sslsocks.c
- * ssl_SocksRecv in sslsocks.c
- * ssl_SocksSend in sslsocks.c
- *
- * Caller must hold the (write) handshakeLock.
- */
-int
-ssl_Do1stHandshake(sslSocket *ss)
-{
- int rv = SECSuccess;
- int loopCount = 0;
-
- PORT_Assert(ss->gather != 0);
-
- do {
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- PORT_Assert( !ssl_HaveRecvBufLock(ss) );
- PORT_Assert( !ssl_HaveXmitBufLock(ss) );
-
- if (ss->handshake == 0) {
- /* Previous handshake finished. Switch to next one */
- ss->handshake = ss->nextHandshake;
- ss->nextHandshake = 0;
- }
- if (ss->handshake == 0) {
- /* Previous handshake finished. Switch to security handshake */
- ss->handshake = ss->securityHandshake;
- ss->securityHandshake = 0;
- }
- if (ss->handshake == 0) {
- ssl_GetRecvBufLock(ss);
- ss->gather->recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
- SSL_GETPID(), ss->fd));
- /* call handshake callback for ssl v2 */
- /* for v3 this is done in ssl3_HandleFinished() */
- if ((ss->sec != NULL) && /* used SSL */
- (ss->handshakeCallback != NULL) && /* has callback */
- (!ss->connected) && /* only first time */
- (ss->version < SSL_LIBRARY_VERSION_3_0)) { /* not ssl3 */
- ss->connected = PR_TRUE;
- (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
- }
- ss->connected = PR_TRUE;
- ss->gather->writeOffset = 0;
- ss->gather->readOffset = 0;
- break;
- }
- rv = (*ss->handshake)(ss);
- ++loopCount;
- /* This code must continue to loop on SECWouldBlock,
- * or any positive value. See XXX_1 comments.
- */
- } while (rv != SECFailure); /* was (rv >= 0); XXX_1 */
-
- PORT_Assert( !ssl_HaveRecvBufLock(ss) );
- PORT_Assert( !ssl_HaveXmitBufLock(ss) );
-
- if (rv == SECWouldBlock) {
- PORT_SetError(PR_WOULD_BLOCK_ERROR);
- rv = SECFailure;
- }
- return rv;
-}
-
-/*
- * Handshake function that blocks. Used to force a
- * retry on a connection on the next read/write.
- */
-#ifdef macintosh
-static SECStatus
-#else
-static int
-#endif
-AlwaysBlock(sslSocket *ss)
-{
- PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */
- return SECWouldBlock;
-}
-
-/*
- * set the initial handshake state machine to block
- */
-void
-ssl_SetAlwaysBlock(sslSocket *ss)
-{
- if (!ss->connected) {
- ss->handshake = AlwaysBlock;
- ss->nextHandshake = 0;
- }
-}
-
-/* Acquires and releases HandshakeLock.
-*/
-SECStatus
-SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
-{
- sslSocket *ss;
- SECStatus rv;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));
- return SECFailure;
- }
-
- /* Don't waste my time */
- if (!ss->useSecurity)
- return SECSuccess;
-
- SSL_LOCK_READER(ss);
- SSL_LOCK_WRITER(ss);
-
- /* Reset handshake state */
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- ss->connected = PR_FALSE;
- ss->handshake = asServer ? ssl2_BeginServerHandshake
- : ssl2_BeginClientHandshake;
- ss->nextHandshake = 0;
- ss->securityHandshake = 0;
-
- ssl_GetRecvBufLock(ss);
- ss->gather->state = GS_INIT;
- ss->gather->writeOffset = 0;
- ss->gather->readOffset = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- /*
- ** Blow away old security state and get a fresh setup. This way if
- ** ssl was used to connect to the first point in communication, ssl
- ** can be used for the next layer.
- */
- if (ss->sec) {
- ssl_DestroySecurityInfo(ss->sec);
- ss->sec = 0;
- }
- rv = ssl_CreateSecurityInfo(ss);
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- SSL_UNLOCK_WRITER(ss);
- SSL_UNLOCK_READER(ss);
-
- return rv;
-}
-
-/* For SSLv2, does nothing but return an error.
-** For SSLv3, flushes SID cache entry (if requested),
-** and then starts new client hello or hello request.
-** Acquires and releases HandshakeLock.
-*/
-int
-SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- return SECFailure;
- }
-
- if (!ss->useSecurity)
- return SECSuccess;
-
- ssl_Get1stHandshakeLock(ss);
-
- /* SSL v2 protocol does not support subsequent handshakes. */
- if (ss->version < SSL_LIBRARY_VERSION_3_0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- } else {
- ssl_GetSSL3HandshakeLock(ss);
- rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
- ssl_ReleaseSSL3HandshakeLock(ss);
- }
-
- ssl_Release1stHandshakeLock(ss);
-
- return rv;
-}
-
-int
-SSL_RedoHandshake(PRFileDesc *fd)
-{
- return SSL_ReHandshake(fd, PR_TRUE);
-}
-
-/* Register an application callback to be called when SSL handshake completes.
-** Acquires and releases HandshakeLock.
-*/
-int
-SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
- void *client_data)
-{
- sslSocket *ss;
-
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",
- SSL_GETPID(), fd));
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- return SECFailure;
- }
-
- if (!ss->useSecurity) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- PORT_Assert(ss->sec);
- ss->handshakeCallback = cb;
- ss->handshakeCallbackData = client_data;
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- return SECSuccess;
-}
-
-/* Try to make progress on an SSL handshake by attempting to read the
-** next handshake from the peer, and sending any responses.
-** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK if it cannot
-** read the next handshake from the underlying socket.
-** For SSLv2, returns when handshake is complete or fatal error occurs.
-** For SSLv3, returns when handshake is complete, or application data has
-** arrived that must be taken by application before handshake can continue,
-** or a fatal error occurs.
-** Application should use handshake completion callback to tell which.
-*/
-int
-SSL_ForceHandshake(PRFileDesc *fd)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",
- SSL_GETPID(), fd));
- return SECFailure;
- }
-
- /* Don't waste my time */
- if (!ss->useSecurity)
- return 0;
-
- ssl_Get1stHandshakeLock(ss);
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
- ssl_GetRecvBufLock(ss);
- rv = ssl3_GatherCompleteHandshake(ss, 0);
- ssl_ReleaseRecvBufLock(ss);
- if (rv == 0) {
- PORT_SetError(PR_END_OF_FILE_ERROR);
- rv = SECFailure;
- } else if (rv == SECWouldBlock) {
- PORT_SetError(PR_WOULD_BLOCK_ERROR);
- rv = SECFailure;
- }
- } else if (!ss->connected) {
- rv = ssl_Do1stHandshake(ss);
- } else {
- /* tried to force handshake on a connected SSL 2 socket. */
- rv = SECSuccess; /* just pretend we did it. */
- }
-
- ssl_Release1stHandshakeLock(ss);
-
- if (rv > 0)
- rv = SECSuccess;
- return rv;
-}
-
-/************************************************************************/
-
-/*
-** Grow a buffer to hold newLen bytes of data.
-** Called for both recv buffers and xmit buffers.
-** Caller must hold xmitBufLock or recvBufLock, as appropriate.
-*/
-SECStatus
-sslBuffer_Grow(sslBuffer *b, unsigned int newLen)
-{
- if (newLen > b->space) {
- if (b->buf) {
- b->buf = (unsigned char *) PORT_Realloc(b->buf, newLen);
- } else {
- b->buf = (unsigned char *) PORT_Alloc(newLen);
- }
- if (!b->buf) {
- return SECFailure;
- }
- SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d",
- SSL_GETPID(), b->space, newLen));
- b->space = newLen;
- }
- return SECSuccess;
-}
-
-/*
-** Save away write data that is trying to be written before the security
-** handshake has been completed. When the handshake is completed, we will
-** flush this data out.
-** Caller must hold xmitBufLock
-*/
-SECStatus
-ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, const void *data,
- unsigned int len)
-{
- unsigned int newlen;
- SECStatus rv;
-
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
- newlen = buf->len + len;
- if (newlen > buf->space) {
- rv = sslBuffer_Grow(buf, newlen);
- if (rv) {
- return rv;
- }
- }
- SSL_TRC(5, ("%d: SSL[%d]: saving %d bytes of data (%d total saved so far)",
- SSL_GETPID(), ss->fd, len, newlen));
- PORT_Memcpy(buf->buf + buf->len, data, len);
- buf->len = newlen;
- return SECSuccess;
-}
-
-/*
-** Send saved write data. This will flush out data sent prior to a
-** complete security handshake. Hopefully there won't be too much of it.
-** Returns count of the bytes sent, NOT a SECStatus.
-** Caller must hold xmitBufLock
-*/
-int
-ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf, sslSendFunc send)
-{
- int rv = 0;
- int len = buf->len;
-
- PORT_Assert( ssl_HaveXmitBufLock(ss) );
- if (len != 0) {
- SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
- SSL_GETPID(), ss->fd, len));
- rv = (*send)(ss, buf->buf, len, 0);
- if (rv < 0) {
- return rv;
- }
- if (rv < len) {
- /* UGH !! This shifts the whole buffer down by copying it, and
- ** it depends on PORT_Memmove doing overlapping moves correctly!
- ** It should advance the pointer offset instead !!
- */
- PORT_Memmove(buf->buf, buf->buf + rv, len - rv);
- buf->len = len - rv;
- } else {
- buf->len = 0;
- }
- }
- return rv;
-}
-
-/************************************************************************/
-
-/*
-** Receive some application data on a socket. Reads SSL records from the input
-** stream, decrypts them and then copies them to the output buffer.
-** Called from ssl_SecureRecv() below.
-**
-** Caller does NOT hold 1stHandshakeLock because that handshake is over.
-** Caller doesn't call this until initial handshake is complete.
-** For SSLv2, there is no subsequent handshake.
-** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake
-** messages from a subsequent handshake.
-**
-** This code is similar to, and easily confused with,
-** ssl_GatherRecord1stHandshake() in sslcon.c
-*/
-static int
-DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
-{
- sslGather * gs;
- int rv;
- int amount;
- int available;
-
- ssl_GetRecvBufLock(ss);
- PORT_Assert((ss->sec != 0) && (ss->gather != 0));
- gs = ss->gather;
-
- available = gs->writeOffset - gs->readOffset;
- if (available == 0) {
- /* Get some more data */
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
- /* Wait for application data to arrive. */
- rv = ssl3_GatherAppDataRecord(ss, 0);
- } else {
- /* See if we have a complete record */
- rv = ssl2_GatherRecord(ss, 0);
- }
- if (rv <= 0) {
- if (rv == 0) {
- /* EOF */
- SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF",
- SSL_GETPID(), ss->fd));
- goto done;
- }
- if ((rv != SECWouldBlock) &&
- (PR_GetError() != PR_WOULD_BLOCK_ERROR)) {
- /* Some random error */
- goto done;
- }
-
- /*
- ** Gather record is blocked waiting for more record data to
- ** arrive. Try to process what we have already received
- */
- } else {
- /* Gather record has finished getting a complete record */
- }
-
- /* See if any clear data is now available */
- available = gs->writeOffset - gs->readOffset;
- if (available == 0) {
- /*
- ** No partial data is available. Force error code to
- ** EWOULDBLOCK so that caller will try again later. Note
- ** that the error code is probably EWOULDBLOCK already,
- ** but if it isn't (for example, if we received a zero
- ** length record) then this will force it to be correct.
- */
- PORT_SetError(PR_WOULD_BLOCK_ERROR);
- rv = SECFailure;
- goto done;
- }
- SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d",
- SSL_GETPID(), ss->fd, available));
- }
-
- /* Dole out clear data to reader */
- amount = PR_MIN(len, available);
- PORT_Memcpy(out, gs->buf.buf + gs->readOffset, amount);
- if (!(flags & MSG_PEEK)) {
- gs->readOffset += amount;
- }
- rv = amount;
-
- SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",
- SSL_GETPID(), ss->fd, amount, available));
- PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));
-
-done:
- ssl_ReleaseRecvBufLock(ss);
- return rv;
-}
-
-/************************************************************************/
-
-SSLKEAType
-ssl_FindCertKEAType(CERTCertificate * cert)
-{
- SSLKEAType keaType = kt_null;
- int tag;
-
- if (!cert) goto loser;
-
- tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-
- switch (tag) {
- case SEC_OID_X500_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- keaType = kt_rsa;
- break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS_OLD:
- case SEC_OID_MISSI_DSS:
- keaType = kt_fortezza;
- break;
- case SEC_OID_X942_DIFFIE_HELMAN_KEY:
- keaType = kt_dh;
- break;
- default:
- keaType = kt_null;
- }
-
- loser:
-
- return keaType;
-
-}
-
-
-/* XXX need to protect the data that gets changed here.!! */
-
-SECStatus
-SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
- SECKEYPrivateKey *key, SSL3KEAType kea)
-{
- int rv;
- sslSocket *ss;
- sslSecurityInfo *sec;
-
- ss = ssl_FindSocket(fd);
-
- if ((rv = ssl_CreateSecurityInfo(ss)) != 0) {
- return((SECStatus)rv);
- }
-
- sec = ss->sec;
- if (sec == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /* Both key and cert must have a value or be NULL */
- /* Passing a value of NULL will turn off key exchange algorithms that were
- * previously turned on */
- if (!cert != !key) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /* make sure the key exchange is recognized */
- if ((kea > kt_kea_size) || (kea < kt_null)) {
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- return SECFailure;
- }
-
- if (kea != ssl_FindCertKEAType(cert)) {
- PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH);
- return SECFailure;
- }
-
- /* load the server certificate */
- if (ss->serverCert[kea] != NULL)
- CERT_DestroyCertificate(ss->serverCert[kea]);
- if (cert) {
- ss->serverCert[kea] = CERT_DupCertificate(cert);
- if (ss->serverCert[kea] == NULL)
- goto loser;
- } else ss->serverCert[kea] = NULL;
-
-
- /* load the server cert chain */
- if (ss->serverCertChain[kea] != NULL)
- CERT_DestroyCertificateList(ss->serverCertChain[kea]);
- if (cert) {
- ss->serverCertChain[kea] = CERT_CertChainFromCert(
- ss->serverCert[kea], certUsageSSLServer, PR_TRUE);
- if (ss->serverCertChain[kea] == NULL)
- goto loser;
- } else ss->serverCertChain[kea] = NULL;
-
-
- /* Only do this once because it's global. */
- if (ssl3_server_ca_list == NULL)
- ssl3_server_ca_list = CERT_GetSSLCACerts(ss->dbHandle);
-
- /* load the private key */
- if (ss->serverKey[kea] != NULL)
- SECKEY_DestroyPrivateKey(ss->serverKey[kea]);
- if (key) {
- ss->serverKey[kea] = SECKEY_CopyPrivateKey(key);
- if (ss->serverKey[kea] == NULL)
- goto loser;
- } else ss->serverKey[kea] = NULL;
-
- if (kea == kt_rsa) {
- rv = ssl3_CreateRSAStepDownKeys(ss);
- if (rv != SECSuccess) {
- return SECFailure; /* err set by ssl3_CreateRSAStepDownKeys */
- }
- }
-
- return SECSuccess;
-
-loser:
- if (ss->serverCert[kea] != NULL) {
- CERT_DestroyCertificate(ss->serverCert[kea]);
- ss->serverCert[kea] = NULL;
- }
- if (ss->serverCertChain != NULL) {
- CERT_DestroyCertificateList(ss->serverCertChain[kea]);
- ss->serverCertChain[kea] = NULL;
- }
- if (ss->serverKey[kea] != NULL) {
- SECKEY_DestroyPrivateKey(ss->serverKey[kea]);
- ss->serverKey[kea] = NULL;
- }
- return SECFailure;
-}
-
-/************************************************************************/
-
-SECStatus
-ssl_CreateSecurityInfo(sslSocket *ss)
-{
- sslSecurityInfo * sec = (sslSecurityInfo *)0;
- sslGather * gs = (sslGather * )0;
- int rv;
-
- unsigned char padbuf[MAX_BLOCK_CYPHER_SIZE];
-
- if (ss->sec) {
- return SECSuccess;
- }
-
- /* Force the global RNG to generate some random data that we never use */
- PK11_GenerateRandom(padbuf, sizeof padbuf);
-
- ss->sec = sec = (sslSecurityInfo*) PORT_ZAlloc(sizeof(sslSecurityInfo));
- if (!sec) {
- goto loser;
- }
-
- /* initialize sslv2 socket to send data in the clear. */
- ssl2_UseClearSendFunc(ss);
-
- sec->blockSize = 1;
- sec->blockShift = 0;
-
- ssl_GetRecvBufLock(ss);
- if ((gs = ss->gather) == 0) {
- ss->gather = gs = ssl_NewGather();
- if (!gs) {
- goto loser;
- }
- }
-
- rv = sslBuffer_Grow(&gs->buf, 4096);
- if (rv) {
- goto loser;
- }
- ssl_ReleaseRecvBufLock(ss);
-
- ssl_GetXmitBufLock(ss);
- rv = sslBuffer_Grow(&sec->writeBuf, 4096);
- if (rv) {
- goto loser;
- }
- ssl_ReleaseXmitBufLock(ss);
-
- SSL_TRC(5, ("%d: SSL[%d]: security info created", SSL_GETPID(), ss->fd));
- return SECSuccess;
-
- loser:
- if (sec) {
- PORT_Free(sec);
- ss->sec = sec = (sslSecurityInfo *)0;
- }
- if (gs) {
- ssl_DestroyGather(gs);
- ss->gather = gs = (sslGather *)0;
- }
- return SECFailure;
-}
-
-/* XXX We should handle errors better in this function. */
-/* This function assumes that none of the pointers in ss need to be
-** freed.
-*/
-SECStatus
-ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os)
-{
- sslSecurityInfo *sec, *osec;
- int rv;
-
- rv = ssl_CreateSecurityInfo(ss);
- if (rv < 0) {
- goto loser;
- }
- sec = ss->sec;
- osec = os->sec;
-
- sec->send = osec->send;
- sec->isServer = osec->isServer;
- sec->keyBits = osec->keyBits;
- sec->secretKeyBits = osec->secretKeyBits;
-
- sec->peerCert = CERT_DupCertificate(osec->peerCert);
-
- sec->cache = osec->cache;
- sec->uncache = osec->uncache;
-
- /* we don't dup the connection info. */
-
- sec->sendSequence = osec->sendSequence;
- sec->rcvSequence = osec->rcvSequence;
-
- if (osec->hash && osec->hashcx) {
- sec->hash = osec->hash;
- sec->hashcx = osec->hash->clone(osec->hashcx);
- } else {
- sec->hash = NULL;
- sec->hashcx = NULL;
- }
-
- SECITEM_CopyItem(0, &sec->sendSecret, &osec->sendSecret);
- SECITEM_CopyItem(0, &sec->rcvSecret, &osec->rcvSecret);
-
- PORT_Assert(osec->readcx == 0);
- sec->readcx = osec->readcx; /* XXX wrong if readcx != 0 */
- PORT_Assert(osec->writecx == 0);
- sec->writecx = osec->writecx; /* XXX wrong if writecx != 0 */
- sec->destroy = 0; /* XXX wrong if either cx != 0*/
-
- sec->enc = osec->enc;
- sec->dec = osec->dec;
-
- sec->blockShift = osec->blockShift;
- sec->blockSize = osec->blockSize;
-
- return SECSuccess;
-
-loser:
- return SECFailure;
-}
-
-/*
-** Called from SSL_ResetHandshake (above), and
-** from ssl_FreeSocket in sslsock.c
-*/
-void
-ssl_DestroySecurityInfo(sslSecurityInfo *sec)
-{
- if (sec != 0) {
- /* Destroy MAC */
- if (sec->hash && sec->hashcx) {
- (*sec->hash->destroy)(sec->hashcx, PR_TRUE);
- sec->hashcx = 0;
- }
- SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
- SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);
-
- /* Destroy ciphers */
- if (sec->destroy) {
- (*sec->destroy)(sec->readcx, PR_TRUE);
- (*sec->destroy)(sec->writecx, PR_TRUE);
- } else {
- PORT_Assert(sec->readcx == 0);
- PORT_Assert(sec->writecx == 0);
- }
- sec->readcx = 0;
- sec->writecx = 0;
-
- /* etc. */
- PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space);
- sec->writeBuf.buf = 0;
-
- CERT_DestroyCertificate(sec->peerCert);
- sec->peerCert = NULL;
-
- PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
- if (sec->ci.sid != NULL) {
- ssl_FreeSID(sec->ci.sid);
- }
-
- PORT_ZFree(sec, sizeof *sec);
- }
-}
-
-/************************************************************************/
-
-int
-ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
-{
- PRFileDesc *osfd = ss->fd->lower;
- int rv;
-
- PORT_Assert(ss->sec != 0);
-
- /* First connect to server */
- rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
- if (rv < 0) {
- int olderrno = PR_GetError();
- SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
- SSL_GETPID(), ss->fd, olderrno));
- if ((olderrno == PR_IS_CONNECTED_ERROR) ||
- (olderrno == PR_IN_PROGRESS_ERROR)) {
- /*
- ** Connected or trying to connect. Caller is Using a non-blocking
- ** connect. Go ahead and set things up.
- */
- } else {
- return rv;
- }
- }
-
- SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, setting up handshake",
- SSL_GETPID(), ss->fd));
-
- if ( ss->handshakeAsServer ) {
- ss->securityHandshake = ssl2_BeginServerHandshake;
- } else {
- ss->securityHandshake = ssl2_BeginClientHandshake;
- }
-
- return rv;
-}
-
-int
-ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *sa)
-{
- int rv;
-
- PORT_Assert((ss->socks != 0) && (ss->sec != 0));
-
- /* First connect to socks daemon */
- rv = ssl_SocksConnect(ss, sa);
- if (rv < 0) {
- return rv;
- }
-
- if ( ss->handshakeAsServer ) {
- ss->securityHandshake = ssl2_BeginServerHandshake;
- } else {
- ss->securityHandshake = ssl2_BeginClientHandshake;
- }
-
- return 0;
-}
-
-PRFileDesc *
-ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr)
-{
-#if 0
- sslSocket *ns;
- int rv;
- PRFileDesc *newfd, *fd;
-
- newfd = ssl_SocksAccept(ss, addr);
- if (newfd == NULL) {
- return newfd;
- }
-
- /* Create new socket */
- ns = ssl_FindSocket(newfd);
- PORT_Assert(ns != NULL);
-
- /* Make an NSPR socket to give back to app */
- fd = ssl_NewPRSocket(ns, newfd);
- if (fd == NULL) {
- ssl_FreeSocket(ns);
- PR_Close(newfd);
- return NULL;
- }
-
- if ( ns->handshakeAsClient ) {
- ns->handshake = ssl2_BeginClientHandshake;
- } else {
- ns->handshake = ssl2_BeginServerHandshake;
- }
-
- return fd;
-#else
- return NULL;
-#endif
-}
-
-int
-ssl_SecureClose(sslSocket *ss)
-{
- int rv;
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
- ss->connected &&
- !(ss->shutdownHow & ssl_SHUTDOWN_SEND) &&
- (ss->ssl3 != NULL)) {
-
- (void) SSL3_SendAlert(ss, alert_warning, close_notify);
- }
- rv = ssl_DefClose(ss);
- return rv;
-}
-
-/* Caller handles all locking */
-int
-ssl_SecureShutdown(sslSocket *ss, int nsprHow)
-{
- PRFileDesc *osfd = ss->fd->lower;
- int rv;
- PRIntn sslHow = nsprHow + 1;
-
- if ((unsigned)nsprHow > PR_SHUTDOWN_BOTH) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return PR_FAILURE;
- }
-
- if ((sslHow & ssl_SHUTDOWN_SEND) != 0 &&
- !(ss->shutdownHow & ssl_SHUTDOWN_SEND) &&
- (ss->version >= SSL_LIBRARY_VERSION_3_0) &&
- ss->connected &&
- (ss->ssl3 != NULL)) {
-
- (void) SSL3_SendAlert(ss, alert_warning, close_notify);
- }
-
- rv = osfd->methods->shutdown(osfd, nsprHow);
-
- ss->shutdownHow |= sslHow;
-
- return rv;
-}
-
-/************************************************************************/
-
-
-int
-ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
-{
- sslSecurityInfo *sec;
- int rv = 0;
-
- PORT_Assert(ss->sec != 0);
- sec = ss->sec;
-
- if (ss->shutdownHow & ssl_SHUTDOWN_RCV) {
- PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
- return PR_FAILURE;
- }
- if (flags & ~MSG_PEEK) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return PR_FAILURE;
- }
-
- if (!ssl_SocketIsBlocking(ss) && !ss->fdx) {
- ssl_GetXmitBufLock(ss);
- if (ss->pendingBuf.len != 0) {
- rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
- if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
- ssl_ReleaseXmitBufLock(ss);
- return SECFailure;
- }
- /* XXX short write? */
- }
- ssl_ReleaseXmitBufLock(ss);
- }
-
- rv = 0;
- /* If any of these is non-zero, the initial handshake is not done. */
- if (!ss->connected) {
- ssl_Get1stHandshakeLock(ss);
- if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
- rv = ssl_Do1stHandshake(ss);
- }
- ssl_Release1stHandshakeLock(ss);
- }
- if (rv < 0) {
- return rv;
- }
-
- if (len == 0) return 0;
-
- rv = DoRecv(ss, (unsigned char*) buf, len, flags);
- SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)",
- SSL_GETPID(), ss->fd, rv, PORT_GetError()));
- return rv;
-}
-
-int
-ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
-{
- return ssl_SecureRecv(ss, buf, len, 0);
-}
-
-int
-ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-{
- sslSecurityInfo *sec;
- int rv = 0;
-
- PORT_Assert(ss->sec != 0);
- sec = ss->sec;
-
- if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
- PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
- return PR_FAILURE;
- }
- if (flags) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return PR_FAILURE;
- }
-
- ssl_GetXmitBufLock(ss);
- if (ss->pendingBuf.len != 0) {
- PORT_Assert(ss->pendingBuf.len > 0);
- rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
- if (ss->pendingBuf.len != 0) {
- PORT_Assert(ss->pendingBuf.len > 0);
- PORT_SetError(PR_WOULD_BLOCK_ERROR);
- rv = SECFailure;
- }
- }
- ssl_ReleaseXmitBufLock(ss);
- if (rv < 0) {
- return rv;
- }
-
- /* If any of these is non-zero, the initial handshake is not done. */
- if (!ss->connected) {
- ssl_Get1stHandshakeLock(ss);
- if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
- rv = ssl_Do1stHandshake(ss);
- }
- ssl_Release1stHandshakeLock(ss);
- }
- if (rv < 0) {
- return rv;
- }
-
- /* Check for zero length writes after we do housekeeping so we make forward
- * progress.
- */
- if (len == 0) return 0;
- PORT_Assert(buf != NULL);
-
- SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
- SSL_GETPID(), ss->fd, len));
-
- /* Send out the data using one of these functions:
- * ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock,
- * ssl3_SendApplicationData
- */
- ssl_GetXmitBufLock(ss);
- rv = (*sec->send)(ss, buf, len, flags);
- ssl_ReleaseXmitBufLock(ss);
- return rv;
-}
-
-int
-ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len)
-{
- return ssl_SecureSend(ss, buf, len, 0);
-}
-
-int
-SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_FindSocket(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSLBadCertHook",
- SSL_GETPID(), fd));
- return SECFailure;
- }
-
- if ((rv = ssl_CreateSecurityInfo(ss)) != 0) {
- return(rv);
- }
- ss->handleBadCert = f;
- ss->badCertArg = arg;
-
- return(0);
-}
-
-/*
- * Allow the application to pass the url or hostname into the SSL library
- * so that we can do some checking on it.
- */
-int
-SSL_SetURL(PRFileDesc *fd, const char *url)
-{
- sslSocket * ss = ssl_FindSocket(fd);
- int rv = SECSuccess;
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- if ( ss->url ) {
- PORT_Free((void *)ss->url); /* CONST */
- }
-
- ss->url = (const char *)PORT_Strdup(url);
- if ( ss->url == NULL ) {
- rv = SECFailure;
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- return rv;
-}
-
-/*
-** Returns Negative number on error, zero or greater on success.
-** Returns the amount of data immediately available to be read.
-*/
-int
-SSL_DataPending(PRFileDesc *fd)
-{
- sslSocket *ss;
- int rv = 0;
-
- ss = ssl_FindSocket(fd);
-
-
- if (ss && ss->useSecurity) {
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- /* Create ss->sec if it doesn't already exist. */
- rv = ssl_CreateSecurityInfo(ss);
- if (rv == SECSuccess) {
- ssl_GetRecvBufLock(ss);
- rv = ss->gather->writeOffset - ss->gather->readOffset;
- ssl_ReleaseRecvBufLock(ss);
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
- }
-
- return rv;
-}
-
-int
-SSL_InvalidateSession(PRFileDesc *fd)
-{
- sslSocket * ss = ssl_FindSocket(fd);
- int rv = SECFailure;
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- if (ss && ss->sec && ss->sec->ci.sid) {
- ss->sec->uncache(ss->sec->ci.sid);
- rv = SECSuccess;
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- return rv;
-}
-
-SECItem *
-SSL_GetSessionID(PRFileDesc *fd)
-{
- sslSocket * ss;
- SECItem * item = NULL;
- sslSessionID * sid;
-
- ss = ssl_FindSocket(fd);
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- if (ss && ss->useSecurity && ss->connected && ss->sec && ss->sec->ci.sid) {
- sid = ss->sec->ci.sid;
- item = (SECItem *)PORT_Alloc(sizeof(SECItem));
- if (sid->version < SSL_LIBRARY_VERSION_3_0) {
- item->len = SSL_SESSIONID_BYTES;
- item->data = (unsigned char*)PORT_Alloc(item->len);
- PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
- } else {
- item->len = sid->u.ssl3.sessionIDLength;
- item->data = (unsigned char*)PORT_Alloc(item->len);
- PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len);
- }
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- return item;
-}
-
-SECStatus
-SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle)
-{
- sslSocket * ss;
-
- ss = ssl_FindSocket(fd);
- if (!ss)
- return SECFailure;
- if (!dbHandle) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- ss->dbHandle = dbHandle;
- return SECSuccess;
-}
-
-/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:
- * cert Client cert chosen by application.
- * Note: ssl takes this reference, and does not bump the
- * reference count. The caller should drop its reference
- * without calling CERT_DestroyCert after calling this function.
- *
- * key Private key associated with cert. This function makes a
- * copy of the private key, so the caller remains responsible
- * for destroying its copy after this function returns.
- *
- * certChain Chain of signers for cert.
- * Note: ssl takes this reference, and does not copy the chain.
- * The caller should drop its reference without destroying the
- * chain. SSL will free the chain when it is done with it.
- *
- * Return value: XXX
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- * It does not work on a subsequent handshake (redo).
- */
-int
-SSL_RestartHandshakeAfterCertReq(sslSocket * ss,
- CERTCertificate * cert,
- SECKEYPrivateKey * key,
- CERTCertificateList *certChain)
-{
- int ret;
-
- ssl_Get1stHandshakeLock(ss); /************************************/
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
- ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
- } else {
- ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
- }
-
- ssl_Release1stHandshakeLock(ss); /************************************/
- return ret;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs
-** XXX Need to document here how an application marks a cert to show that
-** the application has accepted it (overridden CERT_VerifyCert).
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- * It does not work on a subsequent handshake (redo).
- *
- * Return value: XXX
-*/
-int
-SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
- int rv = SECSuccess;
-
- ssl_Get1stHandshakeLock(ss);
-
- if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
- rv = ssl3_RestartHandshakeAfterServerCert(ss);
- } else {
- rv = ssl2_RestartHandshakeAfterServerCert(ss);
- }
-
- ssl_Release1stHandshakeLock(ss);
- return rv;
-}
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
deleted file mode 100644
index bf58c954d..000000000
--- a/security/nss/lib/ssl/sslsnce.c
+++ /dev/null
@@ -1,1905 +0,0 @@
-/* This file implements the SERVER Session ID cache.
- * NOTE: The contents of this file are NOT used by the client.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server
- * cache sids!
- *
- * About record locking among different server processes:
- *
- * All processes that are part of the same conceptual server (serving on
- * the same address and port) MUST share a common SSL session cache.
- * This code makes the content of the shared cache accessible to all
- * processes on the same "server". This code works on Unix and Win32 only,
- * and is platform specific.
- *
- * Unix: Multiple processes share a single (inherited) FD for a disk
- * file all share one single file position. If one lseeks, the position for
- * all processes is changed. Since the set of platforms we support do not
- * all share portable lseek-and-read or lseek-and-write functions, a global
- * lock must be used to make the lseek call and the subsequent read or write
- * call be one atomic operation. It is no longer necessary for cache element
- * sizes to be a power of 2, or a multiple of a sector size.
- *
- * For Win32, where (a) disk I/O is not atomic, and (b) we use memory-mapped
- * files and move data to & from memory instead of calling read or write,
- * we must do explicit locking of the records for all reads and writes.
- * We have just one lock, for the entire file, using an NT semaphore.
- * We avoid blocking on "local threads" since it's bad to block on a local
- * thread - If NSPR offered portable semaphores, it would handle this itself.
- *
- * Since this file has to do lots of platform specific I/O, the system
- * dependent error codes need to be mapped back into NSPR error codes.
- * Since NSPR's error mapping functions are private, the code is necessarily
- * duplicated in libSSL.
- *
- * Note, now that NSPR provides portable anonymous shared memory, for all
- * platforms except Mac, the implementation below should be replaced with
- * one that uses anonymous shared memory ASAP. This will eliminate most
- * platform dependent code in this file, and improve performance big time.
- *
- * Now that NSPR offers portable cross-process locking (semaphores) on Unix
- * and Win32, semaphores should be used here for all platforms.
- */
-#include "seccomon.h"
-
-#if defined(XP_UNIX) || defined(XP_WIN32)
-#ifndef NADA_VERISON
-
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "pk11func.h"
-#include "base64.h"
-
-#include <stdio.h>
-
-#ifdef XP_UNIX
-
-#include <syslog.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include "unix_err.h"
-
-#else /* XP_WIN32 */
-#ifdef MC_HTTPD
-#include <ereport.h>
-#endif /* MC_HTTPD */
-#include <wtypes.h>
-#include "win32err.h"
-#endif /* XP_WIN32 */
-#include <sys/types.h>
-
-#define SET_ERROR_CODE /* reminder */
-
-#include "nspr.h"
-#include "nsslocks.h"
-
-static PRLock *cacheLock;
-
-/*
-** The server session-id cache uses a simple flat cache. The cache is
-** sized during initialization. We hash the ip-address + session-id value
-** into an index into the cache and do the lookup. No buckets, nothing
-** fancy.
-*/
-
-static PRBool isMultiProcess = PR_FALSE;
-
-static PRUint32 numSIDCacheEntries = 10000;
-static PRUint32 sidCacheFileSize;
-static PRUint32 sidCacheWrapOffset;
-
-static PRUint32 numCertCacheEntries = 250;
-static PRUint32 certCacheFileSize;
-
-#define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
-
-
-/*
-** Format of a cache entry.
-*/
-typedef struct SIDCacheEntryStr SIDCacheEntry;
-struct SIDCacheEntryStr {
- PRUint32 addr;
- PRUint32 time;
-
- union {
- struct {
- /* This is gross. We have to have version and valid in both arms
- * of the union for alignment reasons. This probably won't work
- * on a 64-bit machine. XXXX
- */
-/* 2 */ uint16 version;
-/* 1 */ unsigned char valid;
-/* 1 */ unsigned char cipherType;
-
-/* 16 */ unsigned char sessionID[SSL_SESSIONID_BYTES];
-/* 64 */ unsigned char masterKey[SSL_MAX_MASTER_KEY_BYTES];
-/* 32 */ unsigned char cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
-
-/* 1 */ unsigned char masterKeyLen;
-/* 1 */ unsigned char keyBits;
-
-/* 1 */ unsigned char secretKeyBits;
-/* 1 */ unsigned char cipherArgLen;
-/*120 */} ssl2;
-
- struct {
-/* 2 */ uint16 version;
-/* 1 */ unsigned char valid;
-/* 1 */ uint8 sessionIDLength;
-
-/* 32 */ unsigned char sessionID[SSL3_SESSIONID_BYTES];
-
-/* 2 */ ssl3CipherSuite cipherSuite;
-/* 2 */ uint16 compression; /* SSL3CompressionMethod */
-
-/*122 */ ssl3SidKeys keys; /* keys and ivs, wrapped as needed. */
-/* 4 */ PRUint32 masterWrapMech;
-/* 4 */ SSL3KEAType exchKeyType;
-
-/* 2 */ int16 certIndex;
-/* 1 */ uint8 hasFortezza;
-/* 1 */ uint8 resumable;
- } ssl3;
- /* We can't make this struct fit in 128 bytes
- * so, force the struct size up to the next power of two.
- */
- struct {
- unsigned char filler[248]; /* 248 + 4 + 4 == 256 */
- } force256;
- } u;
-};
-
-
-typedef struct CertCacheEntryStr CertCacheEntry;
-
-/* The length of this struct is supposed to be a power of 2, e.g. 4KB */
-struct CertCacheEntryStr {
- uint16 certLength; /* 2 */
- uint16 sessionIDLength; /* 2 */
- unsigned char sessionID[SSL3_SESSIONID_BYTES]; /* 32 */
- unsigned char cert[SSL_MAX_CACHED_CERT_LEN]; /* 4060 */
-}; /* total 4096 */
-
-
-static void IOError(int rv, char *type);
-static PRUint32 Offset(PRUint32 addr, unsigned char *s, unsigned nl);
-static void Invalidate(SIDCacheEntry *sce);
-
-/************************************************************************/
-
-static const char envVarName[] = { SSL_ENV_VAR_NAME };
-
-#ifdef _WIN32
-
-struct winInheritanceStr {
- PRUint32 numSIDCacheEntries;
- PRUint32 sidCacheFileSize;
- PRUint32 sidCacheWrapOffset;
- PRUint32 numCertCacheEntries;
- PRUint32 certCacheFileSize;
-
- DWORD parentProcessID;
- HANDLE parentProcessHandle;
- HANDLE SIDCacheFDMAP;
- HANDLE certCacheFDMAP;
- HANDLE svrCacheSem;
-};
-
-typedef struct winInheritanceStr winInheritance;
-
-static HANDLE svrCacheSem = INVALID_HANDLE_VALUE;
-
-static char * SIDCacheData = NULL;
-static HANDLE SIDCacheFD = INVALID_HANDLE_VALUE;
-static HANDLE SIDCacheFDMAP = INVALID_HANDLE_VALUE;
-
-static char * certCacheData = NULL;
-static HANDLE certCacheFD = INVALID_HANDLE_VALUE;
-static HANDLE certCacheFDMAP = INVALID_HANDLE_VALUE;
-
-static PRUint32 myPid;
-
-/* The presence of the TRUE element in this struct makes the semaphore
- * inheritable. The NULL means use process's default security descriptor.
- */
-static SECURITY_ATTRIBUTES semaphoreAttributes =
- { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
-
-static SECURITY_ATTRIBUTES sidCacheFDMapAttributes =
- { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
-
-static SECURITY_ATTRIBUTES certCacheFDMapAttributes =
- { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
-
-#define DEFAULT_CACHE_DIRECTORY "\\temp"
-
-static SECStatus
-createServerCacheSemaphore(void)
-{
- PR_ASSERT(svrCacheSem == INVALID_HANDLE_VALUE);
-
- /* inheritable, starts signalled, 1 signal max, no file name. */
- svrCacheSem = CreateSemaphore(&semaphoreAttributes, 1, 1, NULL);
- if (svrCacheSem == NULL) {
- svrCacheSem = INVALID_HANDLE_VALUE;
- /* We could get the error code, but what could be do with it ? */
- nss_MD_win32_map_default_error(GetLastError());
- return SECFailure;
- }
- return SECSuccess;
-}
-
-static SECStatus
-_getServerCacheSemaphore(void)
-{
- DWORD event;
- DWORD lastError;
- SECStatus rv;
-
- PR_ASSERT(svrCacheSem != INVALID_HANDLE_VALUE);
- if (svrCacheSem == INVALID_HANDLE_VALUE &&
- SECSuccess != createServerCacheSemaphore()) {
- return SECFailure; /* what else ? */
- }
- event = WaitForSingleObject(svrCacheSem, INFINITE);
- switch (event) {
- case WAIT_OBJECT_0:
- case WAIT_ABANDONED:
- rv = SECSuccess;
- break;
-
- case WAIT_TIMEOUT:
- case WAIT_IO_COMPLETION:
- default: /* should never happen. nothing we can do. */
- PR_ASSERT(("WaitForSingleObject returned invalid value.", 0));
- /* fall thru */
-
- case WAIT_FAILED: /* failure returns this */
- rv = SECFailure;
- lastError = GetLastError(); /* for debugging */
- nss_MD_win32_map_default_error(lastError);
- break;
- }
- return rv;
-}
-
-static void
-_doGetServerCacheSemaphore(void * arg)
-{
- SECStatus * rv = (SECStatus *)arg;
- *rv = _getServerCacheSemaphore();
-}
-
-static SECStatus
-getServerCacheSemaphore(void)
-{
- PRThread * selectThread;
- PRThread * me = PR_GetCurrentThread();
- PRThreadScope scope = PR_GetThreadScope(me);
- SECStatus rv = SECFailure;
-
- if (scope == PR_GLOBAL_THREAD) {
- rv = _getServerCacheSemaphore();
- } else {
- selectThread = PR_CreateThread(PR_USER_THREAD,
- _doGetServerCacheSemaphore, &rv,
- PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_JOINABLE_THREAD, 0);
- if (selectThread != NULL) {
- /* rv will be set by _doGetServerCacheSemaphore() */
- PR_JoinThread(selectThread);
- }
- }
- return rv;
-}
-
-static SECStatus
-releaseServerCacheSemaphore(void)
-{
- BOOL success = FALSE;
-
- PR_ASSERT(svrCacheSem != INVALID_HANDLE_VALUE);
- if (svrCacheSem != INVALID_HANDLE_VALUE) {
- /* Add 1, don't want previous value. */
- success = ReleaseSemaphore(svrCacheSem, 1, NULL);
- }
- if (!success) {
- nss_MD_win32_map_default_error(GetLastError());
- return SECFailure;
- }
- return SECSuccess;
-}
-
-static void
-destroyServerCacheSemaphore(void)
-{
- PR_ASSERT(svrCacheSem != INVALID_HANDLE_VALUE);
- if (svrCacheSem != INVALID_HANDLE_VALUE) {
- CloseHandle(svrCacheSem);
- /* ignore error */
- svrCacheSem = INVALID_HANDLE_VALUE;
- }
-}
-
-#define GET_SERVER_CACHE_READ_LOCK(fd, offset, size) \
- if (isMultiProcess) getServerCacheSemaphore();
-
-#define GET_SERVER_CACHE_WRITE_LOCK(fd, offset, size) \
- if (isMultiProcess) getServerCacheSemaphore();
-
-#define RELEASE_SERVER_CACHE_LOCK(fd, offset, size) \
- if (isMultiProcess) releaseServerCacheSemaphore();
-
-#endif /* _win32 */
-
-/************************************************************************/
-
-#ifdef XP_UNIX
-static int SIDCacheFD = -1;
-static int certCacheFD = -1;
-
-static pid_t myPid;
-
-struct unixInheritanceStr {
- PRUint32 numSIDCacheEntries;
- PRUint32 sidCacheFileSize;
- PRUint32 sidCacheWrapOffset;
- PRUint32 numCertCacheEntries;
- PRUint32 certCacheFileSize;
-
- PRInt32 SIDCacheFD;
- PRInt32 certCacheFD;
-};
-
-typedef struct unixInheritanceStr unixInheritance;
-
-
-#define DEFAULT_CACHE_DIRECTORY "/tmp"
-
-#ifdef TRACE
-static void
-fcntlFailed(struct flock *lock)
-{
- fprintf(stderr,
- "fcntl failed, errno = %d, PR_GetError = %d, lock.l_type = %d\n",
- errno, PR_GetError(), lock->l_type);
- fflush(stderr);
-}
-#define FCNTL_FAILED(lock) fcntlFailed(lock)
-#else
-#define FCNTL_FAILED(lock)
-#endif
-
-/* NOTES: Because there are no atomic seek-and-read and seek-and-write
-** functions that are supported on all our UNIX platforms, we need
-** to prevent all simultaeous seek-and-read operations. For that reason,
-** we use mutually exclusive (write) locks for read and write operations,
-** and use them all at the same offset (zero).
-*/
-static SECStatus
-_getServerCacheLock(int fd, short type, PRUint32 offset, PRUint32 size)
-{
- int result;
- struct flock lock;
-
- memset(&lock, 0, sizeof lock);
- lock.l_type = /* type */ F_WRLCK;
- lock.l_whence = SEEK_SET; /* absolute file offsets. */
- lock.l_start = 0;
- lock.l_len = 128;
-
-#ifdef TRACE
- if (ssl_trace) {
- fprintf(stderr, "%d: %s lock, offset %8x, size %4d\n", myPid,
- (type == F_RDLCK) ? "read " : "write", offset, size);
- fflush(stderr);
- }
-#endif
- result = fcntl(fd, F_SETLKW, &lock);
- if (result == -1) {
- nss_MD_unix_map_default_error(errno);
- FCNTL_FAILED(&lock);
- return SECFailure;
- }
-#ifdef TRACE
- if (ssl_trace) {
- fprintf(stderr, "%d: got lock, offset %8x, size %4d\n",
- myPid, offset, size);
- fflush(stderr);
- }
-#endif
- return SECSuccess;
-}
-
-typedef struct sslLockArgsStr {
- PRUint32 offset;
- PRUint32 size;
- PRErrorCode err;
- SECStatus rv;
- int fd;
- short type;
-} sslLockArgs;
-
-static void
-_doGetServerCacheLock(void * arg)
-{
- sslLockArgs * args = (sslLockArgs *)arg;
- args->rv = _getServerCacheLock(args->fd, args->type, args->offset,
- args->size );
- if (args->rv != SECSuccess) {
- args->err = PR_GetError();
- }
-}
-
-static SECStatus
-getServerCacheLock(int fd, short type, PRUint32 offset, PRUint32 size)
-{
- PRThread * selectThread;
- PRThread * me = PR_GetCurrentThread();
- PRThreadScope scope = PR_GetThreadScope(me);
- SECStatus rv = SECFailure;
-
- if (scope == PR_GLOBAL_THREAD) {
- rv = _getServerCacheLock(fd, type, offset, size);
- } else {
- /* Ib some platforms, one thread cannot read local/automatic
- ** variables from another thread's stack. So, get this space
- ** from the heap, not the stack.
- */
- sslLockArgs * args = PORT_New(sslLockArgs);
-
- if (!args)
- return rv;
-
- args->offset = offset;
- args->size = size;
- args->rv = SECFailure;
- args->fd = fd;
- args->type = type;
- selectThread = PR_CreateThread(PR_USER_THREAD,
- _doGetServerCacheLock, args,
- PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_JOINABLE_THREAD, 0);
- if (selectThread != NULL) {
- /* rv will be set by _doGetServerCacheLock() */
- PR_JoinThread(selectThread);
- rv = args->rv;
- if (rv != SECSuccess) {
- PORT_SetError(args->err);
- }
- }
- PORT_Free(args);
- }
- return rv;
-}
-
-static SECStatus
-releaseServerCacheLock(int fd, PRUint32 offset, PRUint32 size)
-{
- int result;
- struct flock lock;
-
- memset(&lock, 0, sizeof lock);
- lock.l_type = F_UNLCK;
- lock.l_whence = SEEK_SET; /* absolute file offsets. */
- lock.l_start = 0;
- lock.l_len = 128;
-
-#ifdef TRACE
- if (ssl_trace) {
- fprintf(stderr, "%d: unlock, offset %8x, size %4d\n",
- myPid, offset, size);
- fflush(stderr);
- }
-#endif
- result = fcntl(fd, F_SETLK, &lock);
- if (result == -1) {
- nss_MD_unix_map_default_error(errno);
- FCNTL_FAILED(&lock);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-
-/* these defines take the arguments needed to do record locking,
- * however the present implementation does only file locking.
- */
-
-#define GET_SERVER_CACHE_READ_LOCK( fd, offset, size) \
- if (isMultiProcess) getServerCacheLock(fd, F_RDLCK, offset, size);
-
-#define GET_SERVER_CACHE_WRITE_LOCK(fd, offset, size) \
- if (isMultiProcess) getServerCacheLock(fd, F_WRLCK, offset, size);
-
-#define RELEASE_SERVER_CACHE_LOCK( fd, offset, size) \
- if (isMultiProcess) releaseServerCacheLock(fd, offset, size);
-
-/*
-** Zero a file out to nb bytes
-*/
-static SECStatus
-ZeroFile(int fd, int nb)
-{
- off_t off;
- int amount, rv;
- char buf[16384];
-
- PORT_Memset(buf, 0, sizeof(buf));
- off = lseek(fd, 0, SEEK_SET);
- if (off != 0) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_FILE_SEEK_ERROR);
- return SECFailure;
- }
-
- while (nb > 0) {
- amount = (nb > sizeof buf) ? sizeof buf : nb;
- rv = write(fd, buf, amount);
- if (rv <= 0) {
- if (!rv)
- PORT_SetError(PR_IO_ERROR);
- else
- nss_MD_unix_map_write_error(errno);
- IOError(rv, "zero-write");
- return SECFailure;
- }
- nb -= rv;
- }
- return SECSuccess;
-}
-
-#endif /* XP_UNIX */
-
-
-/************************************************************************/
-
-/*
-** Reconstitute a cert from the cache
-** This is only called from ConvertToSID().
-** Caller must hold the cache lock before calling this.
-*/
-static CERTCertificate *
-GetCertFromCache(SIDCacheEntry *sce, CERTCertDBHandle *dbHandle)
-{
- CERTCertificate *cert;
- PRUint32 offset;
- int rv;
-#ifdef XP_UNIX
- off_t off;
-#endif
- SECItem derCert;
- CertCacheEntry cce;
-
- offset = (PRUint32)sce->u.ssl3.certIndex * sizeof(CertCacheEntry);
- GET_SERVER_CACHE_READ_LOCK(certCacheFD, offset, sizeof(CertCacheEntry));
-#ifdef XP_UNIX
- off = lseek(certCacheFD, offset, SEEK_SET);
- rv = -1;
- if (off != offset) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_FILE_SEEK_ERROR);
- } else {
- rv = read(certCacheFD, &cce, sizeof(CertCacheEntry));
- if (rv != sizeof(CertCacheEntry)) {
- if (rv == -1)
- nss_MD_unix_map_read_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- }
- }
-#else /* XP_WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(&cce, &certCacheData[offset], sizeof(CertCacheEntry));
- rv = sizeof cce;
-#endif /* XP_WIN32 */
- RELEASE_SERVER_CACHE_LOCK(certCacheFD, offset, sizeof(CertCacheEntry))
-
- if (rv != sizeof(CertCacheEntry)) {
- IOError(rv, "read"); /* error set above */
- return NULL;
- }
-
- /* See if the session ID matches with that in the sce cache. */
- if((cce.sessionIDLength != sce->u.ssl3.sessionIDLength) ||
- PORT_Memcmp(cce.sessionID, sce->u.ssl3.sessionID, cce.sessionIDLength)) {
- /* this is a cache miss, not an error */
- PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
- return NULL;
- }
-
- derCert.len = cce.certLength;
- derCert.data = cce.cert;
-
- cert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
- PR_FALSE, PR_TRUE);
-
- return cert;
-}
-
-/* Put a certificate in the cache. We assume that the certIndex in
-** sid is valid.
-*/
-static void
-CacheCert(CERTCertificate *cert, SIDCacheEntry *sce)
-{
- PRUint32 offset;
- CertCacheEntry cce;
-#ifdef XP_UNIX
- off_t off;
- int rv;
-#endif
-
- offset = (PRUint32)sce->u.ssl3.certIndex * sizeof(CertCacheEntry);
- if (cert->derCert.len > SSL_MAX_CACHED_CERT_LEN)
- return;
-
- cce.sessionIDLength = sce->u.ssl3.sessionIDLength;
- PORT_Memcpy(cce.sessionID, sce->u.ssl3.sessionID, cce.sessionIDLength);
-
- cce.certLength = cert->derCert.len;
- PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
-
- GET_SERVER_CACHE_WRITE_LOCK(certCacheFD, offset, sizeof cce);
-#ifdef XP_UNIX
- off = lseek(certCacheFD, offset, SEEK_SET);
- if (off != offset) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_FILE_SEEK_ERROR);
- } else {
- rv = write(certCacheFD, &cce, sizeof cce);
- if (rv != sizeof(CertCacheEntry)) {
- if (rv == -1)
- nss_MD_unix_map_write_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "cert-write");
- Invalidate(sce);
- }
- }
-#else /* WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(&certCacheData[offset], &cce, sizeof cce);
-#endif /* XP_UNIX */
-
- RELEASE_SERVER_CACHE_LOCK(certCacheFD, offset, sizeof cce);
- return;
-}
-
-/*
-** Convert memory based SID to file based one
-*/
-static void
-ConvertFromSID(SIDCacheEntry *to, sslSessionID *from)
-{
- to->u.ssl2.valid = 1;
- to->u.ssl2.version = from->version;
- to->addr = from->addr;
- to->time = from->time;
-
- if (from->version < SSL_LIBRARY_VERSION_3_0) {
- if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) ||
- (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) {
- SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d",
- myPid, from->u.ssl2.masterKey.len,
- from->u.ssl2.cipherArg.len));
- to->u.ssl2.valid = 0;
- return;
- }
-
- to->u.ssl2.cipherType = from->u.ssl2.cipherType;
- to->u.ssl2.masterKeyLen = from->u.ssl2.masterKey.len;
- to->u.ssl2.cipherArgLen = from->u.ssl2.cipherArg.len;
- to->u.ssl2.keyBits = from->u.ssl2.keyBits;
- to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
- PORT_Memcpy(to->u.ssl2.sessionID, from->u.ssl2.sessionID,
- sizeof(to->u.ssl2.sessionID));
- PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data,
- from->u.ssl2.masterKey.len);
- PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data,
- from->u.ssl2.cipherArg.len);
-#ifdef DEBUG
- PORT_Memset(to->u.ssl2.masterKey+from->u.ssl2.masterKey.len, 0,
- sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len);
- PORT_Memset(to->u.ssl2.cipherArg+from->u.ssl2.cipherArg.len, 0,
- sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len);
-#endif
- SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
- "time=%d addr=0x%x cipherType=%d", myPid,
- to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
- to->time, to->addr, to->u.ssl2.cipherType));
- } else {
- /* This is an SSL v3 session */
-
- to->u.ssl3.sessionIDLength = from->u.ssl3.sessionIDLength;
- to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
- to->u.ssl3.compression = (uint16)from->u.ssl3.compression;
- to->u.ssl3.resumable = from->u.ssl3.resumable;
- to->u.ssl3.hasFortezza = from->u.ssl3.hasFortezza;
- to->u.ssl3.keys = from->u.ssl3.keys;
- to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech;
- to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType;
-
- PORT_Memcpy(to->u.ssl3.sessionID,
- from->u.ssl3.sessionID,
- from->u.ssl3.sessionIDLength);
-
- SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%x cipherSuite=%d",
- myPid, to->time, to->addr, to->u.ssl3.cipherSuite));
- }
-}
-
-/*
-** Convert file based cache-entry to memory based one
-** This is only called from ServerSessionIDLookup().
-** Caller must hold cache lock when calling this.
-*/
-static sslSessionID *
-ConvertToSID(SIDCacheEntry *from, CERTCertDBHandle * dbHandle)
-{
- sslSessionID *to;
- uint16 version = from->u.ssl2.version;
-
- to = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
- if (!to) {
- return 0;
- }
-
- if (version < SSL_LIBRARY_VERSION_3_0) {
- /* This is an SSL v2 session */
- to->u.ssl2.masterKey.data =
- (unsigned char*) PORT_Alloc(from->u.ssl2.masterKeyLen);
- if (!to->u.ssl2.masterKey.data) {
- goto loser;
- }
- if (from->u.ssl2.cipherArgLen) {
- to->u.ssl2.cipherArg.data = (unsigned char*)
- PORT_Alloc(from->u.ssl2.cipherArgLen);
- if (!to->u.ssl2.cipherArg.data) {
- goto loser;
- }
- PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg,
- from->u.ssl2.cipherArgLen);
- }
-
- to->u.ssl2.cipherType = from->u.ssl2.cipherType;
- to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen;
- to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen;
- to->u.ssl2.keyBits = from->u.ssl2.keyBits;
- to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
- PORT_Memcpy(to->u.ssl2.sessionID, from->u.ssl2.sessionID,
- sizeof from->u.ssl2.sessionID);
- PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey,
- from->u.ssl2.masterKeyLen);
-
- SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
- "time=%d addr=0x%x cipherType=%d",
- myPid, to->u.ssl2.masterKey.len,
- to->u.ssl2.cipherArg.len, to->time, to->addr,
- to->u.ssl2.cipherType));
- } else {
- /* This is an SSL v3 session */
-
- to->u.ssl3.sessionIDLength = from->u.ssl3.sessionIDLength;
- to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
- to->u.ssl3.compression = (SSL3CompressionMethod)from->u.ssl3.compression;
- to->u.ssl3.resumable = from->u.ssl3.resumable;
- to->u.ssl3.hasFortezza = from->u.ssl3.hasFortezza;
- to->u.ssl3.keys = from->u.ssl3.keys;
- to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech;
- to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType;
-
- PORT_Memcpy(to->u.ssl3.sessionID,
- from->u.ssl3.sessionID,
- from->u.ssl3.sessionIDLength);
-
- /* the portions of the SID that are only restored on the client
- * are set to invalid values on the server.
- */
- to->u.ssl3.clientWriteKey = NULL;
- to->u.ssl3.serverWriteKey = NULL;
- to->u.ssl3.tek = NULL;
- to->urlSvrName = NULL;
-
- to->u.ssl3.masterModuleID = (SECMODModuleID)-1; /* invalid value */
- to->u.ssl3.masterSlotID = (CK_SLOT_ID)-1; /* invalid value */
- to->u.ssl3.masterWrapIndex = 0;
- to->u.ssl3.masterWrapSeries = 0;
- to->u.ssl3.masterValid = PR_FALSE;
-
- to->u.ssl3.clAuthModuleID = (SECMODModuleID)-1; /* invalid value */
- to->u.ssl3.clAuthSlotID = (CK_SLOT_ID)-1; /* invalid value */
- to->u.ssl3.clAuthSeries = 0;
- to->u.ssl3.clAuthValid = PR_FALSE;
-
- to->u.ssl3.clientWriteSaveLen = 0;
-
- if (from->u.ssl3.certIndex != -1) {
- to->peerCert = GetCertFromCache(from, dbHandle);
- if (to->peerCert == NULL)
- goto loser;
- }
- }
-
- to->version = from->u.ssl2.version;
- to->time = from->time;
- to->cached = in_server_cache;
- to->addr = from->addr;
- to->references = 1;
-
- return to;
-
- loser:
- Invalidate(from);
- if (to) {
- if (version < SSL_LIBRARY_VERSION_3_0) {
- if (to->u.ssl2.masterKey.data)
- PORT_Free(to->u.ssl2.masterKey.data);
- if (to->u.ssl2.cipherArg.data)
- PORT_Free(to->u.ssl2.cipherArg.data);
- }
- PORT_Free(to);
- }
- return NULL;
-}
-
-
-/* Invalidate a SID cache entry.
- * Called from CacheCert, ConvertToSid, and ServerSessionIDUncache.
- */
-static void
-Invalidate(SIDCacheEntry *sce)
-{
- PRUint32 offset;
-#ifdef XP_UNIX
- off_t off;
- int rv;
-#endif
-
- if (sce == NULL) return;
-
- if (sce->u.ssl2.version < SSL_LIBRARY_VERSION_3_0) {
- offset = Offset(sce->addr, sce->u.ssl2.sessionID,
- sizeof sce->u.ssl2.sessionID);
- } else {
- offset = Offset(sce->addr, sce->u.ssl3.sessionID,
- sce->u.ssl3.sessionIDLength);
- }
-
- sce->u.ssl2.valid = 0;
- SSL_TRC(7, ("%d: SSL: uncaching session-id at offset %ld",
- myPid, offset));
-
- GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *sce);
-
-#ifdef XP_UNIX
- off = lseek(SIDCacheFD, offset, SEEK_SET);
- if (off != offset) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_FILE_SEEK_ERROR);
- } else {
- rv = write(SIDCacheFD, sce, sizeof *sce);
- if (rv != sizeof *sce) {
- if (rv == -1)
- nss_MD_unix_map_write_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "invalidate-write");
- }
- }
-#else /* WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(&SIDCacheData[offset], sce, sizeof *sce);
-#endif /* XP_UNIX */
-
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *sce);
-}
-
-
-static void
-IOError(int rv, char *type)
-{
-#ifdef XP_UNIX
- syslog(LOG_ALERT,
- "SSL: %s error with session-id cache, pid=%d, rv=%d, error='%m'",
- type, myPid, rv);
-#else /* XP_WIN32 */
-#ifdef MC_HTTPD
- ereport(LOG_FAILURE, "%s error with session-id cache rv=%d\n",type, rv);
-#endif /* MC_HTTPD */
-#endif /* XP_UNIX */
-}
-
-static void
-lock_cache(void)
-{
- PR_Lock(cacheLock);
-}
-
-static void
-unlock_cache(void)
-{
- PR_Unlock(cacheLock);
-}
-
-/*
-** Perform some mumbo jumbo on the ip-address and the session-id value to
-** compute a hash value.
-*/
-static PRUint32
-Offset(PRUint32 addr, unsigned char *s, unsigned nl)
-{
- PRUint32 rv;
-
- rv = addr ^ (((PRUint32)s[0] << 24) | ((PRUint32)s[1] << 16)
- | (s[2] << 8) | s[nl-1]);
- return (rv % numSIDCacheEntries) * sizeof(SIDCacheEntry);
-}
-
-
-
-/*
-** Look something up in the cache. This will invalidate old entries
-** in the process. Caller has locked the cache!
-** Returns PR_TRUE if found a valid match. PR_FALSE otherwise.
-*/
-static PRBool
-FindSID(PRUint32 addr, unsigned char *sessionID,
- unsigned sessionIDLength, SIDCacheEntry *sce)
-{
- PRUint32 offset;
- PRUint32 now;
- int rv;
-#ifdef XP_UNIX
- off_t off;
-#endif
-
- /* Read in cache entry after hashing ip address and session-id value */
- offset = Offset(addr, sessionID, sessionIDLength);
- now = ssl_Time();
- GET_SERVER_CACHE_READ_LOCK(SIDCacheFD, offset, sizeof *sce);
-#ifdef XP_UNIX
- off = lseek(SIDCacheFD, offset, SEEK_SET);
- rv = -1;
- if (off != offset) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_FILE_SEEK_ERROR);
- } else {
- rv = read(SIDCacheFD, sce, sizeof *sce);
- if (rv != sizeof *sce) {
- if (rv == -1)
- nss_MD_unix_map_read_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- }
- }
-#else /* XP_WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(sce, &SIDCacheData[offset], sizeof *sce);
- rv = sizeof *sce;
-#endif /* XP_WIN32 */
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *sce);
-
- if (rv != sizeof *sce) {
- IOError(rv, "server sid cache read");
- return PR_FALSE;
- }
-
- if (!sce->u.ssl2.valid) {
- /* Entry is not valid */
- PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
- return PR_FALSE;
- }
-
- if (((sce->u.ssl2.version < SSL_LIBRARY_VERSION_3_0) &&
- (now > sce->time + ssl_sid_timeout)) ||
- ((sce->u.ssl2.version >= SSL_LIBRARY_VERSION_3_0) &&
- (now > sce->time + ssl3_sid_timeout))) {
- /* SessionID has timed out. Invalidate the entry. */
- SSL_TRC(7, ("%d: timed out sid entry addr=%08x now=%x time+=%x",
- myPid, sce->addr, now, sce->time + ssl_sid_timeout));
- sce->u.ssl2.valid = 0;
-
- GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *sce);
-#ifdef XP_UNIX
- off = lseek(SIDCacheFD, offset, SEEK_SET);
- rv = -1;
- if (off != offset) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- } else {
- rv = write(SIDCacheFD, sce, sizeof *sce);
- if (rv != sizeof *sce) {
- if (rv == -1)
- nss_MD_unix_map_write_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "timeout-write");
- }
- }
-#else /* WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(&SIDCacheData[offset], sce, sizeof *sce);
- rv = sizeof *sce;
-#endif /* XP_UNIX */
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *sce);
- if (rv == sizeof *sce)
- PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
- return PR_FALSE;
- }
-
- /*
- ** Finally, examine specific session-id/addr data to see if the cache
- ** entry matches our addr+session-id value
- */
- if ((sce->addr == addr) &&
- (PORT_Memcmp(sce->u.ssl2.sessionID, sessionID, sessionIDLength) == 0)) {
- /* Found it */
- return PR_TRUE;
- }
- PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
- return PR_FALSE;
-}
-
-/************************************************************************/
-
-/* This is the primary function for finding entries in the server's sid cache.
- * Although it is static, this function is called via the global function
- * pointer ssl_sid_lookup.
- */
-static sslSessionID *
-ServerSessionIDLookup( PRUint32 addr,
- unsigned char *sessionID,
- unsigned int sessionIDLength,
- CERTCertDBHandle * dbHandle)
-{
- SIDCacheEntry sce;
- sslSessionID *sid;
-
- sid = 0;
- lock_cache();
- if (FindSID(addr, sessionID, sessionIDLength, &sce)) {
- /* Found it. Convert file format to internal format */
- sid = ConvertToSID(&sce, dbHandle);
- }
- unlock_cache();
- return sid;
-}
-
-/*
-** Place an sid into the cache, if it isn't already there. Note that if
-** some other server process has replaced a session-id cache entry that has
-** the same cache index as this sid, then all is ok. Somebody has to lose
-** when this condition occurs, so it might as well be this sid.
-*/
-static void
-ServerSessionIDCache(sslSessionID *sid)
-{
- SIDCacheEntry sce;
- PRUint32 offset;
-#ifdef XP_UNIX
- off_t off;
- int rv;
-#endif
- uint16 version = sid->version;
-
- if ((version >= SSL_LIBRARY_VERSION_3_0) &&
- (sid->u.ssl3.sessionIDLength == 0)) {
- return;
- }
-
- if (sid->cached == never_cached || sid->cached == invalid_cache) {
- lock_cache();
-
- sid->time = ssl_Time();
- if (version < SSL_LIBRARY_VERSION_3_0) {
- SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x time=%x "
- "cipher=%d", myPid, sid->cached, sid->addr,
- sid->time, sid->u.ssl2.cipherType));
- PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
- sizeof(sid->u.ssl2.sessionID)));
- PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
- sid->u.ssl2.masterKey.len));
- PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
- sid->u.ssl2.cipherArg.len));
-
- /* Write out new cache entry */
- offset = Offset(sid->addr, sid->u.ssl2.sessionID,
- sizeof(sid->u.ssl2.sessionID));
- } else {
- SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x time=%x "
- "cipherSuite=%d", myPid, sid->cached, sid->addr,
- sid->time, sid->u.ssl3.cipherSuite));
- PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
- sid->u.ssl3.sessionIDLength));
-
- offset = Offset(sid->addr, sid->u.ssl3.sessionID,
- sid->u.ssl3.sessionIDLength);
-
- }
-
- ConvertFromSID(&sce, sid);
- if (version >= SSL_LIBRARY_VERSION_3_0) {
- if (sid->peerCert == NULL) {
- sce.u.ssl3.certIndex = -1;
- } else {
- sce.u.ssl3.certIndex = (int16)
- ((offset / sizeof(SIDCacheEntry)) % numCertCacheEntries);
- }
- }
-
- GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof sce);
-#ifdef XP_UNIX
- off = lseek(SIDCacheFD, offset, SEEK_SET);
- if (off != offset) {
- if (off == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- } else {
- rv = write(SIDCacheFD, &sce, sizeof sce);
- if (rv != sizeof(sce)) {
- if (rv == -1)
- nss_MD_unix_map_write_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "update-write");
- }
- }
-#else /* WIN32 */
- CopyMemory(&SIDCacheData[offset], &sce, sizeof sce);
-#endif /* XP_UNIX */
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof sce);
-
- if ((version >= SSL_LIBRARY_VERSION_3_0) &&
- (sid->peerCert != NULL)) {
- CacheCert(sid->peerCert, &sce);
- }
-
- sid->cached = in_server_cache;
- unlock_cache();
- }
-}
-
-static void
-ServerSessionIDUncache(sslSessionID *sid)
-{
- SIDCacheEntry sce;
- int rv;
-
- if (sid == NULL) return;
-
- lock_cache();
- if (sid->version < SSL_LIBRARY_VERSION_3_0) {
- SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x time=%x "
- "cipher=%d", myPid, sid->cached, sid->addr,
- sid->time, sid->u.ssl2.cipherType));
- PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
- sizeof(sid->u.ssl2.sessionID)));
- PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
- sid->u.ssl2.masterKey.len));
- PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
- sid->u.ssl2.cipherArg.len));
- rv = FindSID(sid->addr, sid->u.ssl2.sessionID,
- sizeof(sid->u.ssl2.sessionID), &sce);
- } else {
- SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x time=%x "
- "cipherSuite=%d", myPid, sid->cached, sid->addr,
- sid->time, sid->u.ssl3.cipherSuite));
- PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
- sid->u.ssl3.sessionIDLength));
- rv = FindSID(sid->addr, sid->u.ssl3.sessionID,
- sid->u.ssl3.sessionIDLength, &sce);
- }
-
- if (rv) {
- Invalidate(&sce);
- }
- sid->cached = invalid_cache;
- unlock_cache();
-}
-
-static SECStatus
-InitSessionIDCache(int maxCacheEntries, PRUint32 timeout,
- PRUint32 ssl3_timeout, const char *directory)
-{
- char *cfn;
-#ifdef XP_UNIX
- int rv;
- if (SIDCacheFD >= 0) {
- /* Already done */
- return SECSuccess;
- }
-#else /* WIN32 */
- if(SIDCacheFDMAP != INVALID_HANDLE_VALUE) {
- /* Already done */
- return SECSuccess;
- }
-#endif /* XP_UNIX */
-
-
- if (maxCacheEntries) {
- numSIDCacheEntries = maxCacheEntries;
- }
- sidCacheWrapOffset = numSIDCacheEntries * sizeof(SIDCacheEntry);
- sidCacheFileSize = sidCacheWrapOffset +
- (kt_kea_size * SSL_NUM_WRAP_MECHS * sizeof(SSLWrappedSymWrappingKey));
-
- /* Create file names */
- cfn = (char*) PORT_Alloc(PORT_Strlen(directory) + 100);
- if (!cfn) {
- return SECFailure;
- }
-#ifdef XP_UNIX
- sprintf(cfn, "%s/.sslsidc.%d", directory, getpid());
-#else /* XP_WIN32 */
- sprintf(cfn, "%s\\ssl.sidc.%d.%d", directory,
- GetCurrentProcessId(), GetCurrentThreadId());
-#endif /* XP_WIN32 */
-
- /* Create session-id cache file */
-#ifdef XP_UNIX
- do {
- (void) unlink(cfn);
- SIDCacheFD = open(cfn, O_EXCL|O_CREAT|O_RDWR, 0600);
- } while (SIDCacheFD < 0 && errno == EEXIST);
- if (SIDCacheFD < 0) {
- nss_MD_unix_map_open_error(errno);
- IOError(SIDCacheFD, "create");
- goto loser;
- }
- rv = unlink(cfn);
- if (rv < 0) {
- nss_MD_unix_map_unlink_error(errno);
- IOError(rv, "unlink");
- goto loser;
- }
-#else /* WIN32 */
- SIDCacheFDMAP =
- CreateFileMapping(INVALID_HANDLE_VALUE, /* allocate in swap file */
- &sidCacheFDMapAttributes, /* inheritable. */
- PAGE_READWRITE,
- 0, /* size, high word. */
- sidCacheFileSize, /* size, low word. */
- NULL); /* no map name in FS */
- if(! SIDCacheFDMAP) {
- nss_MD_win32_map_default_error(GetLastError());
- goto loser;
- }
- SIDCacheData = (char *)MapViewOfFile(SIDCacheFDMAP,
- FILE_MAP_ALL_ACCESS, /* R/W */
- 0, 0, /* offset */
- sidCacheFileSize); /* size */
- if (! SIDCacheData) {
- nss_MD_win32_map_default_error(GetLastError());
- goto loser;
- }
-#endif /* XP_UNIX */
-
- if (!cacheLock)
- nss_InitLock(&cacheLock);
- if (!cacheLock) {
- SET_ERROR_CODE
- goto loser;
- }
-#ifdef _WIN32
- if (isMultiProcess && (SECSuccess != createServerCacheSemaphore())) {
- SET_ERROR_CODE
- goto loser;
- }
-#endif
-
- if (timeout) {
- if (timeout > 100) {
- timeout = 100;
- }
- if (timeout < 5) {
- timeout = 5;
- }
- ssl_sid_timeout = timeout;
- }
-
- if (ssl3_timeout) {
- if (ssl3_timeout > 86400L) {
- ssl3_timeout = 86400L;
- }
- if (ssl3_timeout < 5) {
- ssl3_timeout = 5;
- }
- ssl3_sid_timeout = ssl3_timeout;
- }
-
- GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, 0, sidCacheFileSize);
-#ifdef XP_UNIX
- /* Initialize the files */
- if (ZeroFile(SIDCacheFD, sidCacheFileSize)) {
- /* Bummer */
- close(SIDCacheFD);
- SIDCacheFD = -1;
- goto loser;
- }
-#else /* XP_WIN32 */
- ZeroMemory(SIDCacheData, sidCacheFileSize);
-#endif /* XP_UNIX */
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, 0, sidCacheFileSize);
- PORT_Free(cfn);
- return SECSuccess;
-
- loser:
-#ifdef _WIN32
- if (svrCacheSem)
- destroyServerCacheSemaphore();
-#endif
- if (cacheLock) {
- PR_DestroyLock(cacheLock);
- cacheLock = NULL;
- }
- PORT_Free(cfn);
- return SECFailure;
-}
-
-static SECStatus
-InitCertCache(const char *directory)
-{
- char *cfn;
-#ifdef XP_UNIX
- int rv;
- if (certCacheFD >= 0) {
- /* Already done */
- return SECSuccess;
- }
-#else /* WIN32 */
- if(certCacheFDMAP != INVALID_HANDLE_VALUE) {
- /* Already done */
- return SECSuccess;
- }
-#endif /* XP_UNIX */
-
- numCertCacheEntries = sidCacheFileSize / sizeof(CertCacheEntry);
- if (numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
- numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
- certCacheFileSize = numCertCacheEntries * sizeof(CertCacheEntry);
-
- /* Create file names */
- cfn = (char*) PORT_Alloc(PORT_Strlen(directory) + 100);
- if (!cfn) {
- return SECFailure;
- }
-#ifdef XP_UNIX
- sprintf(cfn, "%s/.sslcertc.%d", directory, getpid());
-#else /* XP_WIN32 */
- sprintf(cfn, "%s\\ssl.certc.%d.%d", directory,
- GetCurrentProcessId(), GetCurrentThreadId());
-#endif /* XP_WIN32 */
-
- /* Create certificate cache file */
-#ifdef XP_UNIX
- do {
- (void) unlink(cfn);
- certCacheFD = open(cfn, O_EXCL|O_CREAT|O_RDWR, 0600);
- } while (certCacheFD < 0 && errno == EEXIST);
- if (certCacheFD < 0) {
- nss_MD_unix_map_open_error(errno);
- IOError(certCacheFD, "create");
- goto loser;
- }
- rv = unlink(cfn);
- if (rv < 0) {
- nss_MD_unix_map_unlink_error(errno);
- IOError(rv, "unlink");
- goto loser;
- }
-#else /* WIN32 */
- certCacheFDMAP =
- CreateFileMapping(INVALID_HANDLE_VALUE, /* allocate in swap file */
- &certCacheFDMapAttributes, /* inheritable. */
- PAGE_READWRITE,
- 0, /* size, high word. */
- certCacheFileSize, /* size, low word. */
- NULL); /* no map name in FS */
- if (! certCacheFDMAP) {
- nss_MD_win32_map_default_error(GetLastError());
- goto loser;
- }
- certCacheData = (char *) MapViewOfFile(certCacheFDMAP,
- FILE_MAP_ALL_ACCESS, /* R/W */
- 0, 0, /* offset */
- certCacheFileSize); /* size */
- if (! certCacheData) {
- nss_MD_win32_map_default_error(GetLastError());
- goto loser;
- }
-#endif /* XP_UNIX */
-
-/* GET_SERVER_CACHE_WRITE_LOCK(certCacheFD, 0, certCacheFileSize); */
-#ifdef XP_UNIX
- /* Initialize the files */
- if (ZeroFile(certCacheFD, certCacheFileSize)) {
- /* Bummer */
- close(certCacheFD);
- certCacheFD = -1;
- goto loser;
- }
-#else /* XP_WIN32 */
- ZeroMemory(certCacheData, certCacheFileSize);
-#endif /* XP_UNIX */
-/* RELEASE_SERVER_CACHE_LOCK(certCacheFD, 0, certCacheFileSize); */
- PORT_Free(cfn);
- return SECSuccess;
-
- loser:
- PORT_Free(cfn);
- return SECFailure;
-}
-
-int
-SSL_ConfigServerSessionIDCache( int maxCacheEntries,
- PRUint32 timeout,
- PRUint32 ssl3_timeout,
- const char * directory)
-{
- SECStatus rv;
-
- PORT_Assert(sizeof(SIDCacheEntry) == 256);
- PORT_Assert(sizeof(CertCacheEntry) == 4096);
-
- myPid = SSL_GETPID();
- if (!directory) {
- directory = DEFAULT_CACHE_DIRECTORY;
- }
- rv = InitSessionIDCache(maxCacheEntries, timeout, ssl3_timeout, directory);
- if (rv) {
- SET_ERROR_CODE
- return SECFailure;
- }
- rv = InitCertCache(directory);
- if (rv) {
- SET_ERROR_CODE
- return SECFailure;
- }
-
- ssl_sid_lookup = ServerSessionIDLookup;
- ssl_sid_cache = ServerSessionIDCache;
- ssl_sid_uncache = ServerSessionIDUncache;
- return SECSuccess;
-}
-
-/* Use this function, instead of SSL_ConfigServerSessionIDCache,
- * if the cache will be shared by multiple processes.
- */
-int
-SSL_ConfigMPServerSIDCache( int maxCacheEntries,
- PRUint32 timeout,
- PRUint32 ssl3_timeout,
- const char * directory)
-{
- char * envValue;
- int result;
- SECStatus putEnvFailed;
-
- isMultiProcess = PR_TRUE;
- result = SSL_ConfigServerSessionIDCache(maxCacheEntries, timeout,
- ssl3_timeout, directory);
- if (result == SECSuccess) {
-#ifdef _WIN32
- winInheritance winherit;
-
- winherit.numSIDCacheEntries = numSIDCacheEntries;
- winherit.sidCacheFileSize = sidCacheFileSize;
- winherit.sidCacheWrapOffset = sidCacheWrapOffset;
- winherit.numCertCacheEntries = numCertCacheEntries;
- winherit.certCacheFileSize = certCacheFileSize;
- winherit.SIDCacheFDMAP = SIDCacheFDMAP;
- winherit.certCacheFDMAP = certCacheFDMAP;
- winherit.svrCacheSem = svrCacheSem;
- winherit.parentProcessID = GetCurrentProcessId();
- winherit.parentProcessHandle =
- OpenProcess(PROCESS_DUP_HANDLE, TRUE, winherit.parentProcessID);
- if (winherit.parentProcessHandle == NULL) {
- SET_ERROR_CODE
- return SECFailure;
- }
- envValue = BTOA_DataToAscii((unsigned char *)&winherit,
- sizeof winherit);
- if (!envValue) {
- SET_ERROR_CODE
- return SECFailure;
- }
-#else
- unixInheritance uinherit;
-
- uinherit.numSIDCacheEntries = numSIDCacheEntries;
- uinherit.sidCacheFileSize = sidCacheFileSize;
- uinherit.sidCacheWrapOffset = sidCacheWrapOffset;
- uinherit.numCertCacheEntries = numCertCacheEntries;
- uinherit.certCacheFileSize = certCacheFileSize;
- uinherit.SIDCacheFD = SIDCacheFD;
- uinherit.certCacheFD = certCacheFD;
-
- envValue = BTOA_DataToAscii((unsigned char *)&uinherit,
- sizeof uinherit);
- if (!envValue) {
- SET_ERROR_CODE
- return SECFailure;
- }
-#endif
- }
- putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
- PORT_Free(envValue);
- if (putEnvFailed) {
- SET_ERROR_CODE
- result = SECFailure;
- }
- return result;
-}
-
-SECStatus
-SSL_InheritMPServerSIDCache(const char * envString)
-{
- unsigned char * decoString = NULL;
- unsigned int decoLen;
-#ifdef _WIN32
- winInheritance inherit;
-#else
- unixInheritance inherit;
-#endif
-
- myPid = SSL_GETPID();
- if (isMultiProcess)
- return SECSuccess; /* already done. */
-
- ssl_sid_lookup = ServerSessionIDLookup;
- ssl_sid_cache = ServerSessionIDCache;
- ssl_sid_uncache = ServerSessionIDUncache;
-
- if (!envString) {
- envString = getenv(envVarName);
- if (!envString) {
- SET_ERROR_CODE
- return SECFailure;
- }
- }
-
- decoString = ATOB_AsciiToData(envString, &decoLen);
- if (!decoString) {
- SET_ERROR_CODE
- return SECFailure;
- }
- if (decoLen != sizeof inherit) {
- SET_ERROR_CODE
- goto loser;
- }
-
- PORT_Memcpy(&inherit, decoString, sizeof inherit);
- PORT_Free(decoString);
-
- numSIDCacheEntries = inherit.numSIDCacheEntries;
- sidCacheFileSize = inherit.sidCacheFileSize;
- sidCacheWrapOffset = inherit.sidCacheWrapOffset;
- numCertCacheEntries = inherit.numCertCacheEntries;
- certCacheFileSize = inherit.certCacheFileSize;
-
-#ifdef _WIN32
- SIDCacheFDMAP = inherit.SIDCacheFDMAP;
- certCacheFDMAP = inherit.certCacheFDMAP;
- svrCacheSem = inherit.svrCacheSem;
-
-#if 0
- /* call DuplicateHandle ?? */
- inherit.parentProcessID;
- inherit.parentProcessHandle;
-#endif
-
- if(!SIDCacheFDMAP) {
- SET_ERROR_CODE
- goto loser;
- }
- SIDCacheData = (char *)MapViewOfFile(SIDCacheFDMAP,
- FILE_MAP_ALL_ACCESS, /* R/W */
- 0, 0, /* offset */
- sidCacheFileSize); /* size */
- if(!SIDCacheData) {
- nss_MD_win32_map_default_error(GetLastError());
- goto loser;
- }
-
- if(!certCacheFDMAP) {
- SET_ERROR_CODE
- goto loser;
- }
- certCacheData = (char *) MapViewOfFile(certCacheFDMAP,
- FILE_MAP_ALL_ACCESS, /* R/W */
- 0, 0, /* offset */
- certCacheFileSize); /* size */
- if(!certCacheData) {
- nss_MD_win32_map_default_error(GetLastError());
- goto loser;
- }
-
-#else /* must be unix */
- SIDCacheFD = inherit.SIDCacheFD;
- certCacheFD = inherit.certCacheFD;
- if (SIDCacheFD < 0 || certCacheFD < 0) {
- SET_ERROR_CODE
- goto loser;
- }
-#endif
-
- if (!cacheLock) {
- nss_InitLock(&cacheLock);
- if (!cacheLock)
- goto loser;
- }
- isMultiProcess = PR_TRUE;
- return SECSuccess;
-
-loser:
- if (decoString)
- PORT_Free(decoString);
-#if _WIN32
- if (SIDCacheFDMAP) {
- CloseHandle(SIDCacheFDMAP);
- SIDCacheFDMAP = NULL;
- }
- if (certCacheFDMAP) {
- CloseHandle(certCacheFDMAP);
- certCacheFDMAP = NULL;
- }
-#else
- if (SIDCacheFD >= 0) {
- close(SIDCacheFD);
- SIDCacheFD = -1;
- }
- if (certCacheFD >= 0) {
- close(certCacheFD);
- certCacheFD = -1;
- }
-#endif
- return SECFailure;
-
-}
-
-/************************************************************************
- * Code dealing with shared wrapped symmetric wrapping keys below *
- ************************************************************************/
-
-
-static PRBool
-getWrappingKey(PRInt32 symWrapMechIndex,
- SSL3KEAType exchKeyType,
- SSLWrappedSymWrappingKey *wswk,
- PRBool grabSharedLock)
-{
- PRUint32 offset = sidCacheWrapOffset +
- ((exchKeyType * SSL_NUM_WRAP_MECHS + symWrapMechIndex) *
- sizeof(SSLWrappedSymWrappingKey));
- PRBool rv = PR_TRUE;
-#ifdef XP_UNIX
- off_t lrv;
- ssize_t rrv;
-#endif
-
- if (grabSharedLock) {
- GET_SERVER_CACHE_READ_LOCK(SIDCacheFD, offset, sizeof *wswk);
- }
-
-#ifdef XP_UNIX
- lrv = lseek(SIDCacheFD, offset, SEEK_SET);
- if (lrv != offset) {
- if (lrv == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "wrapping-read");
- rv = PR_FALSE;
- } else {
- rrv = read(SIDCacheFD, wswk, sizeof *wswk);
- if (rrv != sizeof *wswk) {
- if (rrv == -1)
- nss_MD_unix_map_read_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "wrapping-read");
- rv = PR_FALSE;
- }
- }
-#else /* XP_WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(wswk, &SIDCacheData[offset], sizeof *wswk);
-#endif /* XP_WIN32 */
- if (grabSharedLock) {
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *wswk);
- }
- if (rv) {
- if (wswk->exchKeyType != exchKeyType ||
- wswk->symWrapMechIndex != symWrapMechIndex ||
- wswk->wrappedSymKeyLen == 0) {
- memset(wswk, 0, sizeof *wswk);
- rv = PR_FALSE;
- }
- }
- return rv;
-}
-
-PRBool
-ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
- SSL3KEAType exchKeyType,
- SSLWrappedSymWrappingKey *wswk)
-{
- PRBool rv;
-
- lock_cache();
-
- PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
- PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
- if ((unsigned)exchKeyType < kt_kea_size &&
- (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
- rv = getWrappingKey(symWrapMechIndex, exchKeyType, wswk, PR_TRUE);
- } else {
- rv = PR_FALSE;
- }
- unlock_cache();
- return rv;
-}
-
-/* The caller passes in the new value it wants
- * to set. This code tests the wrapped sym key entry in the file on disk.
- * If it is uninitialized, this function writes the caller's value into
- * the disk entry, and returns false.
- * Otherwise, it overwrites the caller's wswk with the value obtained from
- * the disk, and returns PR_TRUE.
- * This is all done while holding the locks/semaphores necessary to make
- * the operation atomic.
- */
-PRBool
-ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
-{
- PRBool rv;
- SSL3KEAType exchKeyType = wswk->exchKeyType;
- /* type of keys used to wrap SymWrapKey*/
- PRInt32 symWrapMechIndex = wswk->symWrapMechIndex;
- PRUint32 offset;
- SSLWrappedSymWrappingKey myWswk;
-
- PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
- if ((unsigned)exchKeyType >= kt_kea_size)
- return 0;
-
- PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
- if ((unsigned)symWrapMechIndex >= SSL_NUM_WRAP_MECHS)
- return 0;
-
- offset = sidCacheWrapOffset +
- ((exchKeyType * SSL_NUM_WRAP_MECHS + symWrapMechIndex) *
- sizeof(SSLWrappedSymWrappingKey));
- PORT_Memset(&myWswk, 0, sizeof myWswk); /* eliminate UMRs. */
- lock_cache();
- GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *wswk);
-
- rv = getWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, &myWswk,
- PR_FALSE);
- if (rv) {
- /* we found it on disk, copy it out to the caller. */
- PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
- } else {
- /* Wasn't on disk, and we're still holding the lock, so write it. */
-
-#ifdef XP_UNIX
- off_t lrv;
- ssize_t rrv;
-
- lrv = lseek(SIDCacheFD, offset, SEEK_SET);
- if (lrv != offset) {
- if (lrv == -1)
- nss_MD_unix_map_lseek_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "wrapping-read");
- rv = PR_FALSE;
- } else {
- rrv = write(SIDCacheFD, wswk, sizeof *wswk);
- if (rrv != sizeof *wswk) {
- if (rrv == -1)
- nss_MD_unix_map_read_error(errno);
- else
- PORT_SetError(PR_IO_ERROR);
- IOError(rv, "wrapping-read");
- rv = PR_FALSE;
- }
- }
-#else /* XP_WIN32 */
- /* Use memory mapped I/O and just memcpy() the data */
- CopyMemory(&SIDCacheData[offset], wswk, sizeof *wswk);
-#endif /* XP_WIN32 */
- }
- RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *wswk);
- unlock_cache();
- return rv;
-}
-
-
-#endif /* NADA_VERISON */
-#else
-
-#include "seccomon.h"
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-
-PRBool
-ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
- SSL3KEAType exchKeyType,
- SSLWrappedSymWrappingKey *wswk)
-{
- PRBool rv = PR_FALSE;
- PR_ASSERT(!"SSL servers are not supported on the Mac. (ssl_GetWrappingKey)");
- return rv;
-}
-
-/* This is a kind of test-and-set. The caller passes in the new value it wants
- * to set. This code tests the wrapped sym key entry in the file on disk.
- * If it is uninitialized, this function writes the caller's value into
- * the disk entry, and returns false.
- * Otherwise, it overwrites the caller's wswk with the value obtained from
- * the disk, and returns PR_TRUE.
- * This is all done while holding the locks/semaphores necessary to make
- * the operation atomic.
- */
-PRBool
-ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
-{
- PRBool rv = PR_FALSE;
- PR_ASSERT(!"SSL servers are not supported on the Mac. (ssl_SetWrappingKey)");
- return rv;
-}
-
-#endif /* XP_UNIX || XP_WIN32 */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
deleted file mode 100644
index 2921e3b6c..000000000
--- a/security/nss/lib/ssl/sslsock.c
+++ /dev/null
@@ -1,1816 +0,0 @@
-/*
- * vtables (and methods that call through them) for the 4 types of
- * SSLSockets supported. Only one type is still supported.
- * Various other functions.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include "seccomon.h"
-#include "cert.h"
-#include "keyhi.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "nspr.h"
-
-#define SET_ERROR_CODE /* reminder */
-
-struct cipherPolicyStr {
- int cipher;
- unsigned char export; /* policy value for export policy */
- unsigned char france; /* policy value for france policy */
-};
-
-typedef struct cipherPolicyStr cipherPolicy;
-
-/* this table reflects Netscape's browser policies. */
-static cipherPolicy ssl_ciphers[] = { /* Export France */
- { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED },
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
- { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
-};
-
-static
-sslSocketOps ssl_default_ops = { /* No SSL, No Socks. */
- ssl_DefConnect,
- NULL,
- ssl_DefBind,
- ssl_DefListen,
- ssl_DefShutdown,
- ssl_DefClose,
- ssl_DefRecv,
- ssl_DefSend,
- ssl_DefRead,
- ssl_DefWrite,
- ssl_DefGetpeername,
- ssl_DefGetsockname
-};
-
-static
-sslSocketOps ssl_socks_ops = { /* No SSL, has socks. */
- ssl_SocksConnect,
- ssl_SocksAccept,
- ssl_SocksBind,
- ssl_SocksListen,
- ssl_DefShutdown,
- ssl_DefClose,
- ssl_SocksRecv,
- ssl_SocksSend,
- ssl_SocksRead,
- ssl_SocksWrite,
- ssl_DefGetpeername,
- ssl_SocksGetsockname
-};
-
-static
-sslSocketOps ssl_secure_ops = { /* SSL, no socks. */
- ssl_SecureConnect,
- NULL,
- ssl_DefBind,
- ssl_DefListen,
- ssl_SecureShutdown,
- ssl_SecureClose,
- ssl_SecureRecv,
- ssl_SecureSend,
- ssl_SecureRead,
- ssl_SecureWrite,
- ssl_DefGetpeername,
- ssl_DefGetsockname
-};
-
-static
-sslSocketOps ssl_secure_socks_ops = { /* Both SSL and Socks. */
- ssl_SecureSocksConnect,
- ssl_SecureSocksAccept,
- ssl_SocksBind,
- ssl_SocksListen,
- ssl_SecureShutdown,
- ssl_SecureClose,
- ssl_SecureRecv,
- ssl_SecureSend,
- ssl_SecureRead,
- ssl_SecureWrite,
- ssl_DefGetpeername,
- ssl_SocksGetsockname
-};
-
-/*
-** default settings for socket enables
-*/
-static sslOptions ssl_defaults = {
- PR_TRUE, /* useSecurity */
- PR_FALSE, /* useSocks */
- PR_FALSE, /* requestCertificate */
- 2, /* requireCertificate */
- PR_FALSE, /* handshakeAsClient */
- PR_FALSE, /* handshakeAsServer */
- PR_TRUE, /* enableSSL2 */
- PR_TRUE, /* enableSSL3 */
- PR_TRUE, /* enableTLS */ /* now defaults to on in NSS 3.0 */
- PR_FALSE, /* noCache */
- PR_FALSE, /* fdx */
- PR_TRUE, /* v2CompatibleHello */
- PR_TRUE, /* detectRollBack */
-};
-
-sslSessionIDLookupFunc ssl_sid_lookup;
-sslSessionIDCacheFunc ssl_sid_cache;
-sslSessionIDUncacheFunc ssl_sid_uncache;
-
-static ssl_inited = PR_FALSE;
-static PRDescIdentity ssl_layer_id;
-
-int ssl_lock_readers = 1; /* default true. */
-char ssl_debug;
-char ssl_trace;
-
-
-/* forward declarations. */
-static sslSocket *ssl_NewSocket(void);
-static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
- PRDescIdentity id);
-
-/************************************************************************/
-
-/*
-** Lookup a socket structure from a file descriptor.
-*/
-static sslSocket *
-ssl_GetPrivate(PRFileDesc *fd)
-{
- sslSocket *ss;
-
- PORT_Assert(fd != NULL);
- PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
- PORT_Assert(fd->identity == ssl_layer_id);
-
- ss = (sslSocket *)fd->secret;
- ss->fd = fd;
- return ss;
-}
-
-sslSocket *
-ssl_FindSocket(PRFileDesc *fd)
-{
- PRFileDesc *layer;
- sslSocket *ss;
-
- PORT_Assert(fd != NULL);
- PORT_Assert(ssl_layer_id != 0);
-
- layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
- if (layer == NULL)
- return NULL;
-
- ss = (sslSocket *)layer->secret;
- ss->fd = layer;
- return ss;
-}
-
-#if 0 /* dead code. */
-PRFileDesc *
-ssl_FindTop(sslSocket *ss)
-{
- PRFileDesc *fd = ss->fd;
-
- while (fd->higher != NULL)
- fd = fd->higher;
-
- return fd;
-}
-#endif
-
-sslSocket *
-ssl_DupSocket(sslSocket *os)
-{
- sslSocket *ss;
- SECStatus rv;
-
- ss = ssl_NewSocket();
- if (ss) {
- ss->useSocks = os->useSocks;
- ss->useSecurity = os->useSecurity;
- ss->requestCertificate = os->requestCertificate;
- ss->requireCertificate = os->requireCertificate;
- ss->handshakeAsClient = os->handshakeAsClient;
- ss->handshakeAsServer = os->handshakeAsServer;
- ss->enableSSL2 = os->enableSSL2;
- ss->enableSSL3 = os->enableSSL3;
- ss->enableTLS = os->enableTLS;
- ss->noCache = os->noCache;
- ss->fdx = os->fdx;
- ss->v2CompatibleHello = os->v2CompatibleHello;
- ss->detectRollBack = os->detectRollBack;
- ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
- ss->url = !os->url ? NULL : PORT_Strdup(os->url);
-
- ss->ops = os->ops;
- ss->peer = os->peer;
- ss->port = os->port;
- ss->rTimeout = os->rTimeout;
- ss->wTimeout = os->wTimeout;
- ss->cTimeout = os->cTimeout;
- ss->dbHandle = os->dbHandle;
-
- /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
- ss->allowedByPolicy = os->allowedByPolicy;
- ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
- ss->chosenPreference = os->chosenPreference;
- PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
-
- if (os->cipherSpecs) {
- ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
- if (ss->cipherSpecs)
- PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs,
- os->sizeCipherSpecs);
- ss->sizeCipherSpecs = os->sizeCipherSpecs;
- ss->preferredCipher = os->preferredCipher;
- } else {
- ss->cipherSpecs = NULL; /* produced lazily */
- ss->sizeCipherSpecs = 0;
- ss->preferredCipher = NULL;
- }
- if (ss->useSecurity) {
- /* This int should be SSLKEAType, but CC on Irix complains,
- * during the for loop.
- */
- int i;
-
- for (i=kt_null; i < kt_kea_size; i++) {
- if (os->serverCert[i]) {
- ss->serverCert[i] = CERT_DupCertificate(os->serverCert[i]);
- ss->serverCertChain[i] = CERT_CertChainFromCert
- (ss->serverCert[i], certUsageSSLServer,
- PR_TRUE);
- } else {
- ss->serverCert[i] = NULL;
- ss->serverCertChain[i] = NULL;
- }
- ss->serverKey[i] = os->serverKey[i] ?
- SECKEY_CopyPrivateKey(os->serverKey[i]) : NULL;
- }
- ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
- ssl3_GetKeyPairRef(os->stepDownKeyPair);
-/*
- * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL.
- * XXX We should detect this, and not just march on with NULL pointers.
- */
- ss->authCertificate = os->authCertificate;
- ss->authCertificateArg = os->authCertificateArg;
- ss->getClientAuthData = os->getClientAuthData;
- ss->getClientAuthDataArg = os->getClientAuthDataArg;
- ss->handleBadCert = os->handleBadCert;
- ss->badCertArg = os->badCertArg;
- ss->handshakeCallback = os->handshakeCallback;
- ss->handshakeCallbackData = os->handshakeCallbackData;
- ss->pkcs11PinArg = os->pkcs11PinArg;
-
- /* Create security data */
- rv = ssl_CopySecurityInfo(ss, os);
- if (rv != SECSuccess) {
- goto losage;
- }
- }
- if (ss->useSocks) {
- /* Create security data */
- rv = ssl_CopySocksInfo(ss, os);
- if (rv != SECSuccess) {
- goto losage;
- }
- }
- }
- return ss;
-
- losage:
- return NULL;
-}
-
-/*
- * free an sslSocket struct, and all the stuff that hangs off of it
- */
-void
-ssl_FreeSocket(sslSocket *ss)
-{
- /* "i" should be of type SSLKEAType, but CC on IRIX complains during
- * the for loop.
- */
- int i;
-
- sslSocket *fs;
- sslSocket lSock;
-
-/* Get every lock you can imagine!
-** Caller already holds these:
-** SSL_LOCK_READER(ss);
-** SSL_LOCK_WRITER(ss);
-*/
- ssl_Get1stHandshakeLock(ss);
- ssl_GetRecvBufLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
- ssl_GetXmitBufLock(ss);
- ssl_GetSpecWriteLock(ss);
-
-#ifdef DEBUG
- fs = &lSock;
- *fs = *ss; /* Copy the old socket structure, */
- PORT_Memset(ss, 0x1f, sizeof *ss); /* then blast the old struct ASAP. */
-#else
- fs = ss;
-#endif
-
- /* Free up socket */
- ssl_DestroySocksInfo(fs->socks);
- ssl_DestroySecurityInfo(fs->sec);
- ssl3_DestroySSL3Info(fs->ssl3);
- PORT_Free(fs->saveBuf.buf);
- PORT_Free(fs->pendingBuf.buf);
- if (fs->gather) {
- ssl_DestroyGather(fs->gather);
- }
- if (fs->peerID != NULL)
- PORT_Free(fs->peerID);
- if (fs->url != NULL)
- PORT_Free((void *)fs->url); /* CONST */
-
- /* Clean up server configuration */
- for (i=kt_null; i < kt_kea_size; i++) {
- if (fs->serverCert[i] != NULL)
- CERT_DestroyCertificate(fs->serverCert[i]);
- if (fs->serverCertChain[i] != NULL)
- CERT_DestroyCertificateList(fs->serverCertChain[i]);
- if (fs->serverKey[i] != NULL)
- SECKEY_DestroyPrivateKey(fs->serverKey[i]);
- }
- if (fs->stepDownKeyPair) {
- ssl3_FreeKeyPair(fs->stepDownKeyPair);
- fs->stepDownKeyPair = NULL;
- }
-
-
- /* Release all the locks acquired above. */
- SSL_UNLOCK_READER(fs);
- SSL_UNLOCK_WRITER(fs);
- ssl_Release1stHandshakeLock(fs);
- ssl_ReleaseRecvBufLock(fs);
- ssl_ReleaseSSL3HandshakeLock(fs);
- ssl_ReleaseXmitBufLock(fs);
- ssl_ReleaseSpecWriteLock(fs);
-
- /* Destroy locks. */
- if (fs->firstHandshakeLock) {
- PR_DestroyMonitor(fs->firstHandshakeLock);
- fs->firstHandshakeLock = NULL;
- }
- if (fs->ssl3HandshakeLock) {
- PR_DestroyMonitor(fs->ssl3HandshakeLock);
- fs->ssl3HandshakeLock = NULL;
- }
- if (fs->specLock) {
- NSSRWLock_Destroy(fs->specLock);
- fs->specLock = NULL;
- }
-
- if (fs->recvLock) {
- PR_DestroyLock(fs->recvLock);
- fs->recvLock = NULL;
- }
- if (fs->sendLock) {
- PR_DestroyLock(fs->sendLock);
- fs->sendLock = NULL;
- }
- if (fs->xmitBufLock) {
- PR_DestroyMonitor(fs->xmitBufLock);
- fs->xmitBufLock = NULL;
- }
- if (fs->recvBufLock) {
- PR_DestroyMonitor(fs->recvBufLock);
- fs->recvBufLock = NULL;
- }
- if (fs->cipherSpecs) {
- PORT_Free(fs->cipherSpecs);
- fs->cipherSpecs = NULL;
- fs->sizeCipherSpecs = 0;
- }
-
- PORT_Free(ss); /* free the caller's copy, not ours. */
- return;
-}
-
-/************************************************************************/
-
-static void
-ssl_ChooseOps(sslSocket *ss)
-{
- if (ss->useSocks) {
- ss->ops = ss->useSecurity ? &ssl_secure_socks_ops : &ssl_socks_ops ;
- } else {
- ss->ops = ss->useSecurity ? &ssl_secure_ops : &ssl_default_ops;
- }
-}
-
-/* Called from SSL_Enable (immediately below) */
-static SECStatus
-PrepareSocket(sslSocket *ss)
-{
- SECStatus rv = SECSuccess;
-
- if (ss->useSocks) {
- rv = ssl_CreateSocksInfo(ss);
- if (rv != SECSuccess) {
- return rv;
- }
- }
- if (ss->useSecurity) {
- rv = ssl_CreateSecurityInfo(ss);
- if (rv != SECSuccess) {
- return rv;
- }
- }
-
- ssl_ChooseOps(ss);
- return rv;
-}
-
-SECStatus
-SSL_Enable(PRFileDesc *fd, int which, PRBool on)
-{
- return SSL_OptionSet(fd, which, on);
-}
-
-SECStatus
-SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
-{
- sslSocket *ss = ssl_FindSocket(fd);
- SECStatus rv = SECSuccess;
-
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- return SECFailure;
- }
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- switch (which) {
- case SSL_SOCKS:
- ss->useSocks = on;
- rv = PrepareSocket(ss);
- break;
-
- case SSL_SECURITY:
- ss->useSecurity = on;
- rv = PrepareSocket(ss);
- break;
-
- case SSL_REQUEST_CERTIFICATE:
- ss->requestCertificate = on;
- break;
-
- case SSL_REQUIRE_CERTIFICATE:
- ss->requireCertificate = on;
- break;
-
- case SSL_HANDSHAKE_AS_CLIENT:
- if ( ss->handshakeAsServer && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- break;
- }
- ss->handshakeAsClient = on;
- break;
-
- case SSL_HANDSHAKE_AS_SERVER:
- if ( ss->handshakeAsClient && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- break;
- }
- ss->handshakeAsServer = on;
- break;
-
- case SSL_ENABLE_TLS:
- ss->enableTLS = on;
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0;
- }
- break;
-
- case SSL_ENABLE_SSL3:
- ss->enableSSL3 = on;
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0;
- }
- break;
-
- case SSL_ENABLE_SSL2:
- ss->enableSSL2 = on;
- if (on) {
- ss->v2CompatibleHello = on;
- }
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0;
- }
- break;
-
- case SSL_NO_CACHE:
- ss->noCache = on;
- break;
-
- case SSL_ENABLE_FDX:
- ss->fdx = on;
- break;
-
- case SSL_V2_COMPATIBLE_HELLO:
- ss->v2CompatibleHello = on;
- if (!on) {
- ss->enableSSL2 = on;
- }
- break;
-
- case SSL_ROLLBACK_DETECTION:
- ss->detectRollBack = on;
- break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- return rv;
-}
-
-SECStatus
-SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
-{
- sslSocket *ss = ssl_FindSocket(fd);
- SECStatus rv = SECSuccess;
- PRBool on = PR_FALSE;
-
- if (!pOn) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- *pOn = PR_FALSE;
- return SECFailure;
- }
-
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- switch (which) {
- case SSL_SOCKS: on = ss->useSocks; break;
- case SSL_SECURITY: on = ss->useSecurity; break;
- case SSL_REQUEST_CERTIFICATE: on = ss->requestCertificate; break;
- case SSL_REQUIRE_CERTIFICATE: on = ss->requireCertificate; break;
- case SSL_HANDSHAKE_AS_CLIENT: on = ss->handshakeAsClient; break;
- case SSL_HANDSHAKE_AS_SERVER: on = ss->handshakeAsServer; break;
- case SSL_ENABLE_TLS: on = ss->enableTLS; break;
- case SSL_ENABLE_SSL3: on = ss->enableSSL3; break;
- case SSL_ENABLE_SSL2: on = ss->enableSSL2; break;
- case SSL_NO_CACHE: on = ss->noCache; break;
- case SSL_ENABLE_FDX: on = ss->fdx; break;
- case SSL_V2_COMPATIBLE_HELLO: on = ss->v2CompatibleHello; break;
- case SSL_ROLLBACK_DETECTION: on = ss->detectRollBack; break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
-
- *pOn = on;
- return rv;
-}
-
-SECStatus
-SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
-{
- SECStatus rv = SECSuccess;
- PRBool on = PR_FALSE;
-
- if (!pOn) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- switch (which) {
- case SSL_SOCKS: on = ssl_defaults.useSocks; break;
- case SSL_SECURITY: on = ssl_defaults.useSecurity; break;
- case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
- case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
- case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break;
- case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break;
- case SSL_ENABLE_TLS: on = ssl_defaults.enableTLS; break;
- case SSL_ENABLE_SSL3: on = ssl_defaults.enableSSL3; break;
- case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break;
- case SSL_NO_CACHE: on = ssl_defaults.noCache; break;
- case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break;
- case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break;
- case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
- }
-
- *pOn = on;
- return rv;
-}
-
-/* XXX Use Global Lock to protect this stuff. */
-SECStatus
-SSL_EnableDefault(int which, PRBool on)
-{
- return SSL_OptionSetDefault(which, on);
-}
-
-SECStatus
-SSL_OptionSetDefault(PRInt32 which, PRBool on)
-{
- switch (which) {
- case SSL_SOCKS:
- ssl_defaults.useSocks = on;
- break;
-
- case SSL_SECURITY:
- ssl_defaults.useSecurity = on;
- break;
-
- case SSL_REQUEST_CERTIFICATE:
- ssl_defaults.requestCertificate = on;
- break;
-
- case SSL_REQUIRE_CERTIFICATE:
- ssl_defaults.requireCertificate = on;
- break;
-
- case SSL_HANDSHAKE_AS_CLIENT:
- if ( ssl_defaults.handshakeAsServer && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- ssl_defaults.handshakeAsClient = on;
- break;
-
- case SSL_HANDSHAKE_AS_SERVER:
- if ( ssl_defaults.handshakeAsClient && on ) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- ssl_defaults.handshakeAsServer = on;
- break;
-
- case SSL_ENABLE_TLS:
- ssl_defaults.enableTLS = on;
- break;
-
- case SSL_ENABLE_SSL3:
- ssl_defaults.enableSSL3 = on;
- break;
-
- case SSL_ENABLE_SSL2:
- ssl_defaults.enableSSL2 = on;
- if (on) {
- ssl_defaults.v2CompatibleHello = on;
- }
- break;
-
- case SSL_NO_CACHE:
- ssl_defaults.noCache = on;
- break;
-
- case SSL_ENABLE_FDX:
- ssl_defaults.fdx = on;
-
- case SSL_V2_COMPATIBLE_HELLO:
- ssl_defaults.v2CompatibleHello = on;
- if (!on) {
- ssl_defaults.enableSSL2 = on;
- }
- break;
-
- case SSL_ROLLBACK_DETECTION:
- ssl_defaults.detectRollBack = on;
- break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/* Part of the public NSS API.
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this. Probably want a global lock.
- */
-SECStatus
-SSL_SetPolicy(long which, int policy)
-{
- if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
- /* one of the two old FIPS ciphers */
- if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
- which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
- else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
- which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
- }
- return SSL_CipherPolicySet(which, policy);
-}
-
-SECStatus
-SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
-{
- SECStatus rv;
-
- if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_SetPolicy(which, policy);
- } else {
- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
- }
- return rv;
-}
-
-SECStatus
-SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
-{
- SECStatus rv;
-
- if (!oPolicy) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_GetPolicy(which, oPolicy);
- } else {
- rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
- }
- return rv;
-}
-
-/* Part of the public NSS API.
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this. Probably want a global lock.
- * These changes have no effect on any sslSockets already created.
- */
-SECStatus
-SSL_EnableCipher(long which, PRBool enabled)
-{
- if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
- /* one of the two old FIPS ciphers */
- if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
- which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
- else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
- which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
- }
- return SSL_CipherPrefSetDefault(which, enabled);
-}
-
-SECStatus
-SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
-{
- SECStatus rv;
-
- if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_CipherPrefSetDefault(which, enabled);
- } else {
- rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
- }
- return rv;
-}
-
-SECStatus
-SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
-{
- SECStatus rv;
-
- if (!enabled) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_CipherPrefGetDefault(which, enabled);
- } else {
- rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
- }
- return rv;
-}
-
-SECStatus
-SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
-{
- SECStatus rv;
- sslSocket *ss = ssl_FindSocket(fd);
-
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- return SECFailure;
- }
- if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_CipherPrefSet(ss, which, enabled);
- } else {
- rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
- }
- return rv;
-}
-
-SECStatus
-SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
-{
- SECStatus rv;
- sslSocket *ss = ssl_FindSocket(fd);
-
- if (!enabled) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
- PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
- *enabled = PR_FALSE;
- return SECFailure;
- }
- if (SSL_IS_SSL2_CIPHER(which)) {
- rv = ssl2_CipherPrefGet(ss, which, enabled);
- } else {
- rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
- }
- return rv;
-}
-
-SECStatus
-NSS_SetDomesticPolicy(void)
-{
-#ifndef EXPORT_VERSION
- SECStatus status = SECSuccess;
- cipherPolicy * policy;
-
- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
- status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
- if (status != SECSuccess)
- break;
- }
- return status;
-#else
- return NSS_SetExportPolicy();
-#endif
-}
-
-SECStatus
-NSS_SetExportPolicy(void)
-{
- SECStatus status = SECSuccess;
- cipherPolicy * policy;
-
- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
- status = SSL_SetPolicy(policy->cipher, policy->export);
- if (status != SECSuccess)
- break;
- }
- return status;
-}
-
-SECStatus
-NSS_SetFrancePolicy(void)
-{
- SECStatus status = SECSuccess;
- cipherPolicy * policy;
-
- for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
- status = SSL_SetPolicy(policy->cipher, policy->france);
- if (status != SECSuccess)
- break;
- }
- return status;
-}
-
-
-
-/* LOCKS ??? XXX */
-PRFileDesc *
-SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
-{
- sslSocket * ns = NULL;
- PRStatus rv;
-
- if (model == NULL) {
- /* Just create a default socket if we're given NULL for the model */
- ns = ssl_NewSocket();
- } else {
- sslSocket * ss = ssl_FindSocket(model);
- if (ss == NULL) {
- SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD",
- SSL_GETPID(), model));
- SET_ERROR_CODE
- return NULL;
- }
- ns = ssl_DupSocket(ss);
- }
- if (ns == NULL)
- return NULL;
-
- rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
- if (rv != PR_SUCCESS) {
- ssl_FreeSocket(ns);
- SET_ERROR_CODE
- return NULL;
- }
-#ifdef _WIN32
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */
-#endif
- return fd;
-}
-
-/************************************************************************/
-/* The following functions are the TOP LEVEL SSL functions.
-** They all get called through the NSPRIOMethods table below.
-*/
-
-static PRFileDesc * PR_CALLBACK
-ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
-{
- sslSocket *ss;
- sslSocket *ns = NULL;
- PRFileDesc *newfd = NULL;
- PRFileDesc *layer = NULL;
- PRFileDesc *osfd;
- PRStatus status;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
- return NULL;
- }
-
- /* IF this is a listen socket, there shouldn't be any I/O going on */
- SSL_LOCK_READER(ss);
- SSL_LOCK_WRITER(ss);
- ssl_Get1stHandshakeLock(ss);
- ssl_GetSSL3HandshakeLock(ss);
-
- ss->cTimeout = timeout;
-
- osfd = ss->fd->lower;
-
- /* First accept connection */
- newfd = osfd->methods->accept(osfd, sockaddr, timeout);
- if (newfd == NULL) {
- SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- } else {
- /* Create ssl module */
- ns = ssl_DupSocket(ss);
- }
-
- ssl_ReleaseSSL3HandshakeLock(ss);
- ssl_Release1stHandshakeLock(ss);
- SSL_UNLOCK_WRITER(ss);
- SSL_UNLOCK_READER(ss); /* ss isn't used below here. */
-
- if (ns == NULL)
- goto loser;
-
- /* push ssl module onto the new socket */
- status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
- if (status != PR_SUCCESS)
- goto loser;
-
- /* Now start server connection handshake with client.
- ** Don't need locks here because nobody else has a reference to ns yet.
- */
- if ( ns->useSecurity ) {
- if ( ns->handshakeAsClient ) {
- ns->handshake = ssl2_BeginClientHandshake;
- } else {
- ns->handshake = ssl2_BeginServerHandshake;
- }
- }
- return newfd;
-
-loser:
- if (ns != NULL)
- ssl_FreeSocket(ns);
- if (newfd != NULL)
- PR_Close(newfd);
- return NULL;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
-{
- sslSocket *ss;
- PRStatus rv;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
-
- /* IF this is a listen socket, there shouldn't be any I/O going on */
- SSL_LOCK_READER(ss);
- SSL_LOCK_WRITER(ss);
-
- ss->cTimeout = timeout;
- rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
-#ifdef _WIN32
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */
-#endif
-
- SSL_UNLOCK_WRITER(ss);
- SSL_UNLOCK_READER(ss);
-
- return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
-{
- sslSocket * ss = ssl_GetPrivate(fd);
- PRStatus rv;
-
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
- SSL_LOCK_READER(ss);
- SSL_LOCK_WRITER(ss);
-
- rv = (PRStatus)(*ss->ops->bind)(ss, addr);
-
- SSL_UNLOCK_WRITER(ss);
- SSL_UNLOCK_READER(ss);
- return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Listen(PRFileDesc *fd, PRIntn backlog)
-{
- sslSocket * ss = ssl_GetPrivate(fd);
- PRStatus rv;
-
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
- SSL_LOCK_READER(ss);
- SSL_LOCK_WRITER(ss);
-
- rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
-
- SSL_UNLOCK_WRITER(ss);
- SSL_UNLOCK_READER(ss);
- return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Shutdown(PRFileDesc *fd, PRIntn how)
-{
- sslSocket * ss = ssl_GetPrivate(fd);
- PRStatus rv;
-
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
- if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
- SSL_LOCK_READER(ss);
- }
- if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
- SSL_LOCK_WRITER(ss);
- }
-
- rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
-
- if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
- SSL_UNLOCK_WRITER(ss);
- }
- if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
- SSL_UNLOCK_READER(ss);
- }
- return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Close(PRFileDesc *fd)
-{
- sslSocket *ss;
- PRStatus rv;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
-
- /* There must not be any I/O going on */
- SSL_LOCK_READER(ss);
- SSL_LOCK_WRITER(ss);
-
- /* By the time this function returns,
- ** ss is an invalid pointer, and the locks to which it points have
- ** been unlocked and freed. So, this is the ONE PLACE in all of SSL
- ** where the LOCK calls and the corresponding UNLOCK calls are not in
- ** the same function scope. The unlock calls are in ssl_FreeSocket().
- */
- rv = (PRStatus)(*ss->ops->close)(ss);
-
- return rv;
-}
-
-static int PR_CALLBACK
-ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
- PRIntervalTime timeout)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
- return SECFailure;
- }
- SSL_LOCK_READER(ss);
- ss->rTimeout = timeout;
- rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
- SSL_UNLOCK_READER(ss);
- return rv;
-}
-
-static int PR_CALLBACK
-ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
- PRIntervalTime timeout)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
- return SECFailure;
- }
- SSL_LOCK_WRITER(ss);
- ss->wTimeout = timeout;
- rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
- SSL_UNLOCK_WRITER(ss);
- return rv;
-}
-
-static int PR_CALLBACK
-ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
- return SECFailure;
- }
- SSL_LOCK_READER(ss);
- ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
- rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
- SSL_UNLOCK_READER(ss);
- return rv;
-}
-
-static int PR_CALLBACK
-ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
-{
- sslSocket *ss;
- int rv;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
- return SECFailure;
- }
- SSL_LOCK_WRITER(ss);
- ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
- rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
- SSL_UNLOCK_WRITER(ss);
- return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
-{
- sslSocket *ss;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
- return (PRStatus)(*ss->ops->getpeername)(ss, addr);
-}
-
-/*
-** XXX this code doesn't work properly inside a Socks server.
-*/
-SECStatus
-ssl_GetPeerInfo(sslSocket *ss)
-{
- sslConnectInfo * ci;
- PRNetAddr sin;
- int rv;
- PRFileDesc * osfd;
-
- PORT_Assert((ss->sec != 0));
-
- osfd = ss->fd->lower;
- ci = &ss->sec->ci;
-
- /* If ssl_SocksConnect() has previously recorded the peer's IP & port,
- * use that.
- */
- if ((ss->peer != 0) && (ss->port != 0)) {
- /* SOCKS code has already recorded the peer's IP addr and port.
- * (NOT the proxy's addr and port) in ss->peer & port.
- */
- ci->peer = ss->peer;
- ci->port = ss->port;
- return SECSuccess;
- }
-
- PORT_Memset(&sin, 0, sizeof(sin));
- rv = osfd->methods->getpeername(osfd, &sin);
- if (rv < 0) {
- return SECFailure;
- }
- /* we have to mask off the high byte because AIX is lame */
- PORT_Assert((sin.inet.family & 0xff) == PR_AF_INET);
- ci->peer = sin.inet.ip;
- ci->port = sin.inet.port;
- return SECSuccess;
-}
-
-static PRStatus PR_CALLBACK
-ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
-{
- sslSocket *ss;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
- return PR_FAILURE;
- }
- return (PRStatus)(*ss->ops->getsockname)(ss, name);
-}
-
-int PR_CALLBACK
-SSL_SetSockPeerID(PRFileDesc *fd, char *peerID)
-{
- sslSocket *ss;
-
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
- SSL_GETPID(), fd));
- return SECFailure;
- }
-
- ss->peerID = PORT_Strdup(peerID);
- return 0;
-}
-
-static PRInt16 PR_CALLBACK
-ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *out_flags)
-{
- sslSocket *ss;
- PRInt16 ret_flags = how_flags; /* should select on these flags. */
-
- *out_flags = 0;
- ss = ssl_GetPrivate(fd);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
- SSL_GETPID(), fd));
- return 0; /* don't poll on this socket */
- }
-
- if ((ret_flags & PR_POLL_WRITE) &&
- ( (ss->useSocks && ss->handshake) ||
- (ss->useSecurity && !ss->connected &&
- /* XXX There needs to be a better test than the following. */
- /* Don't check ss->securityHandshake. */
- (ss->handshake || ss->nextHandshake)))) {
- /* The user is trying to write, but the handshake is blocked waiting
- * to read, so tell NSPR NOT to poll on write.
- */
- ret_flags ^= PR_POLL_WRITE; /* don't select on write. */
- ret_flags |= PR_POLL_READ; /* do select on read. */
- }
-
- if ((ret_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
- *out_flags = PR_POLL_READ; /* it's ready already. */
-
- } else if (ret_flags && (fd->lower->methods->poll != NULL)) {
- ret_flags = fd->lower->methods->poll(fd->lower, ret_flags, out_flags);
- }
-
- return ret_flags;
-}
-
-
-PRBool
-ssl_FdIsBlocking(PRFileDesc *fd)
-{
- PRSocketOptionData opt;
- PRStatus status;
-
- opt.option = PR_SockOpt_Nonblocking;
- opt.value.non_blocking = PR_FALSE;
- status = PR_GetSocketOption(fd, &opt);
- if (status != PR_SUCCESS)
- return PR_FALSE;
- return (PRBool)!opt.value.non_blocking;
-}
-
-PRBool
-ssl_SocketIsBlocking(sslSocket *ss)
-{
- return ssl_FdIsBlocking(ss->fd);
-}
-
-PRInt32 sslFirstBufSize = 8 * 1024;
-PRInt32 sslCopyLimit = 1024;
-
-static PRInt32 PR_CALLBACK
-ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
- PRIntervalTime timeout)
-{
- PRInt32 bufLen;
- PRInt32 left;
- PRInt32 rv;
- PRInt32 sent = 0;
- const PRInt32 first_len = sslFirstBufSize;
- const PRInt32 limit = sslCopyLimit;
- PRBool blocking;
- PRIOVec myIov = { 0, 0 };
- char buf[MAX_FRAGMENT_LENGTH];
-
- if (vectors > PR_MAX_IOVECTOR_SIZE) {
- PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
- return -1;
- }
- blocking = ssl_FdIsBlocking(fd);
-
-#define K16 sizeof(buf)
-#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
-#define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
-#define HANDLE_ERR(rv, len) \
- if (rv != len) { \
- if (rv < 0) { \
- if (blocking \
- && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
- && (sent > 0)) { \
- return sent; \
- } else { \
- return -1; \
- } \
- } \
- /* Only a nonblocking socket can have partial sends */ \
- PR_ASSERT(blocking); \
- return sent; \
- }
-#define SEND(bfr, len) \
- do { \
- rv = ssl_Send(fd, bfr, len, 0, timeout); \
- HANDLE_ERR(rv, len) \
- sent += len; \
- } while (0)
-
- /* Make sure the first write is at least 8 KB, if possible. */
- KILL_VECTORS
- if (!vectors)
- return 0;
- GET_VECTOR;
- if (!vectors) {
- return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
- }
- if (myIov.iov_len < first_len) {
- PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
- bufLen = myIov.iov_len;
- left = first_len - bufLen;
- while (vectors && left) {
- int toCopy;
- GET_VECTOR;
- toCopy = PR_MIN(left, myIov.iov_len);
- PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
- bufLen += toCopy;
- left -= toCopy;
- myIov.iov_base += toCopy;
- myIov.iov_len -= toCopy;
- }
- SEND( buf, bufLen );
- }
-
- while (vectors || myIov.iov_len) {
- PRInt32 addLen;
- if (!myIov.iov_len) {
- GET_VECTOR;
- }
- while (myIov.iov_len >= K16) {
- SEND(myIov.iov_base, K16);
- myIov.iov_base += K16;
- myIov.iov_len -= K16;
- }
- if (!myIov.iov_len)
- continue;
-
- if (!vectors || myIov.iov_len > limit) {
- addLen = 0;
- } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
- /* Addlen is already computed. */;
- } else if (vectors > 1 &&
- iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
- addLen = limit - myIov.iov_len;
- } else
- addLen = 0;
-
- if (!addLen) {
- SEND( myIov.iov_base, myIov.iov_len );
- myIov.iov_len = 0;
- continue;
- }
- PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
- bufLen = myIov.iov_len;
- do {
- GET_VECTOR;
- PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
- myIov.iov_base += addLen;
- myIov.iov_len -= addLen;
- bufLen += addLen;
-
- left = PR_MIN( limit, K16 - bufLen);
- if (!vectors /* no more left */
- || myIov.iov_len > 0 /* we didn't use that one all up */
- || bufLen >= K16 /* it's full. */
- ) {
- addLen = 0;
- } else if ((addLen = iov->iov_len % K16) <= left) {
- /* Addlen is already computed. */;
- } else if (vectors > 1 &&
- iov[1].iov_len % K16 + addLen <= left + limit) {
- addLen = left;
- } else
- addLen = 0;
-
- } while (addLen);
- SEND( buf, bufLen );
- }
- return sent;
-}
-
-/*
- * These functions aren't implemented.
- */
-
-static PRInt32 PR_CALLBACK
-ssl_Available(PRFileDesc *fd)
-{
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return SECFailure;
-}
-
-static PRInt64 PR_CALLBACK
-ssl_Available64(PRFileDesc *fd)
-{
- PRInt64 res;
-
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- LL_I2L(res, -1L);
- return res;
-}
-
-static PRStatus PR_CALLBACK
-ssl_FSync(PRFileDesc *fd)
-{
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return PR_FAILURE;
-}
-
-static PRInt32 PR_CALLBACK
-ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return SECFailure;
-}
-
-static PRInt64 PR_CALLBACK
-ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
- PRInt64 res;
-
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- LL_I2L(res, -1L);
- return res;
-}
-
-static PRStatus PR_CALLBACK
-ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
-{
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return PR_FAILURE;
-}
-
-static PRStatus PR_CALLBACK
-ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info)
-{
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return PR_FAILURE;
-}
-
-static PRInt32 PR_CALLBACK
-ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
- PRNetAddr *addr, PRIntervalTime timeout)
-{
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return SECFailure;
-}
-
-static PRInt32 PR_CALLBACK
-ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
- const PRNetAddr *addr, PRIntervalTime timeout)
-{
- PORT_Assert(0);
- PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
- return SECFailure;
-}
-
-static PRIOMethods ssl_methods = {
- PR_DESC_LAYERED,
- ssl_Close, /* close */
- ssl_Read, /* read */
- ssl_Write, /* write */
- ssl_Available, /* available */
- ssl_Available64, /* available64 */
- ssl_FSync, /* fsync */
- ssl_Seek, /* seek */
- ssl_Seek64, /* seek64 */
- ssl_FileInfo, /* fileInfo */
- ssl_FileInfo64, /* fileInfo64 */
- ssl_WriteV, /* writev */
- ssl_Connect, /* connect */
- ssl_Accept, /* accept */
- ssl_Bind, /* bind */
- ssl_Listen, /* listen */
- ssl_Shutdown, /* shutdown */
- ssl_Recv, /* recv */
- ssl_Send, /* send */
- ssl_RecvFrom, /* recvfrom */
- ssl_SendTo, /* sendto */
- ssl_Poll, /* poll */
- ssl_EmulateAcceptRead, /* acceptread */
- ssl_EmulateTransmitFile, /* transmitfile */
- ssl_GetSockName, /* getsockname */
- ssl_GetPeerName, /* getpeername */
- NULL, /* getsockopt OBSOLETE */
- NULL, /* setsockopt OBSOLETE */
- NULL, /* getsocketoption */
- NULL, /* setsocketoption */
- ssl_EmulateSendFile, /* Send a (partial) file with header/trailer*/
- NULL, /* reserved for future use */
- NULL, /* reserved for future use */
- NULL, /* reserved for future use */
- NULL, /* reserved for future use */
- NULL /* reserved for future use */
-};
-
-static void
-ssl_SetupIOMethods(PRIOMethods *ssl_methods)
-{
- const PRIOMethods *default_methods;
-
- default_methods = PR_GetDefaultIOMethods();
-
- ssl_methods->reserved_fn_6 = default_methods->reserved_fn_6;
- ssl_methods->reserved_fn_5 = default_methods->reserved_fn_5;
- ssl_methods->getsocketoption = default_methods->getsocketoption;
- ssl_methods->setsocketoption = default_methods->setsocketoption;
- ssl_methods->reserved_fn_4 = default_methods->reserved_fn_4;
- ssl_methods->reserved_fn_3 = default_methods->reserved_fn_3;
- ssl_methods->reserved_fn_2 = default_methods->reserved_fn_2;
- ssl_methods->reserved_fn_1 = default_methods->reserved_fn_1;
- ssl_methods->reserved_fn_0 = default_methods->reserved_fn_0;
-
-}
-
-static PRStatus
-ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
-{
- PRFileDesc *layer = NULL;
- PRStatus status;
-
- if (ssl_inited != PR_TRUE) {
- ssl_layer_id = PR_GetUniqueIdentity("SSL");
- ssl_SetupIOMethods(&ssl_methods);
- ssl_inited = PR_TRUE;
- }
-
- if (ns == NULL)
- goto loser;
-
- layer = PR_CreateIOLayerStub(ssl_layer_id, &ssl_methods);
- if (layer == NULL)
- goto loser;
- layer->secret = (PRFilePrivate *)ns;
-
- /* Here, "stack" points to the PRFileDesc on the top of the stack.
- ** "layer" points to a new FD that is to be inserted into the stack.
- ** If layer is being pushed onto the top of the stack, then
- ** PR_PushIOLayer switches the contents of stack and layer, and then
- ** puts stack on top of layer, so that after it is done, the top of
- ** stack is the same "stack" as it was before, and layer is now the
- ** FD for the former top of stack.
- ** After this call, stack always points to the top PRFD on the stack.
- ** If this function fails, the contents of stack and layer are as
- ** they were before the call.
- */
- status = PR_PushIOLayer(stack, id, layer);
- if (status != PR_SUCCESS)
- goto loser;
-
- ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
- return PR_SUCCESS;
-
-loser:
- if (layer) {
- layer->dtor(layer); /* free layer */
- }
- return PR_FAILURE;
-}
-
-/*
-** Create a newsocket structure for a file descriptor.
-*/
-static sslSocket *
-ssl_NewSocket(void)
-{
- sslSocket *ss;
-#ifdef DEBUG
- static int firsttime = 1;
-#endif
-
-#ifdef DEBUG
-#if defined(XP_UNIX) || defined(XP_WIN32)
- if (firsttime) {
- firsttime = 0;
-
- {
- char *ev = getenv("SSLDEBUG");
- if (ev && ev[0]) {
- ssl_debug = atoi(ev);
- SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
- }
- }
-#ifdef TRACE
- {
- char *ev = getenv("SSLTRACE");
- if (ev && ev[0]) {
- ssl_trace = atoi(ev);
- SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
- }
- }
-#endif /* TRACE */
- }
-#endif /* XP_UNIX || XP_WIN32 */
-#endif /* DEBUG */
-
- /* Make a new socket and get it ready */
- ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
- if (ss) {
- /* This should be of type SSLKEAType, but CC on IRIX
- * complains during the for loop.
- */
- int i;
-
- ss->useSecurity = ssl_defaults.useSecurity;
- ss->useSocks = ssl_defaults.useSocks;
- ss->requestCertificate = ssl_defaults.requestCertificate;
- ss->requireCertificate = ssl_defaults.requireCertificate;
- ss->handshakeAsClient = ssl_defaults.handshakeAsClient;
- ss->handshakeAsServer = ssl_defaults.handshakeAsServer;
- ss->enableSSL2 = ssl_defaults.enableSSL2;
- ss->enableSSL3 = ssl_defaults.enableSSL3;
- ss->enableTLS = ssl_defaults.enableTLS ;
- ss->fdx = ssl_defaults.fdx;
- ss->v2CompatibleHello = ssl_defaults.v2CompatibleHello;
- ss->detectRollBack = ssl_defaults.detectRollBack;
- ss->peer = 0;
- ss->port = 0;
- ss->noCache = ssl_defaults.noCache;
- ss->peerID = NULL;
- ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
- ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
- ss->cTimeout = PR_INTERVAL_NO_TIMEOUT;
- ss->cipherSpecs = NULL;
- ss->sizeCipherSpecs = 0; /* produced lazily */
- ss->preferredCipher = NULL;
- ss->url = NULL;
-
- for (i=kt_null; i < kt_kea_size; i++) {
- ss->serverCert[i] = NULL;
- ss->serverCertChain[i] = NULL;
- ss->serverKey[i] = NULL;
- }
- ss->stepDownKeyPair = NULL;
- ss->dbHandle = CERT_GetDefaultCertDB();
-
- /* Provide default implementation of hooks */
- ss->authCertificate = SSL_AuthCertificate;
- ss->authCertificateArg = (void *)ss->dbHandle;
- ss->getClientAuthData = NULL;
- ss->handleBadCert = NULL;
- ss->badCertArg = NULL;
- ss->pkcs11PinArg = NULL;
-
- ssl_ChooseOps(ss);
- ssl2_InitSocketPolicy(ss);
- ssl3_InitSocketPolicy(ss);
-
- ss->firstHandshakeLock = PR_NewMonitor();
- ss->ssl3HandshakeLock = PR_NewMonitor();
- ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
- ss->recvBufLock = PR_NewMonitor();
- ss->xmitBufLock = PR_NewMonitor();
- if (ssl_lock_readers) {
- ss->recvLock = PR_NewLock();
- ss->sendLock = PR_NewLock();
- }
- }
- return ss;
-}
-
diff --git a/security/nss/lib/ssl/sslsocks.c b/security/nss/lib/ssl/sslsocks.c
deleted file mode 100644
index 787d448d6..000000000
--- a/security/nss/lib/ssl/sslsocks.c
+++ /dev/null
@@ -1,1147 +0,0 @@
-/*
- * Implementation of Socks protocol.
- * None of this code is supported any longer.
- * NSS officially does NOT support Socks.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include "prtypes.h"
-#include "prnetdb.h"
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "prsystem.h"
-#include <stdio.h>
-#include "nspr.h"
-
-#ifdef XP_UNIX
-#include "prprf.h"
-#endif
-
-#ifdef XP_UNIX
-#define SOCKS_FILE "/etc/socks.conf"
-#endif
-#ifdef XP_MAC
-#define SOCKS_FILE NULL
-#endif
-#ifdef XP_WIN
-#define SOCKS_FILE NULL
-#endif
-#ifdef XP_OS2
-#define SOCKS_FILE NULL
-#endif
-
-#define SOCKS_VERSION 4
-
-#define DEF_SOCKD_PORT 1080
-
-#define SOCKS_CONNECT 1
-#define SOCKS_BIND 2
-
-#define SOCKS_RESULT 90
-#define SOCKS_FAIL 91
-#define SOCKS_NO_IDENTD 92 /* Failed to connect to Identd on client machine */
-#define SOCKS_BAD_ID 93 /* Client's Identd reported a different user-id */
-
-#define MAKE_IN_ADDR(a,b,c,d) \
- PR_htonl(((PRUint32)(a) << 24) | ((PRUint32)(b) << 16) | ((c) << 8) | (d))
-
-struct sslSocksInfoStr {
- PRUint32 sockdHost;
- PRUint16 sockdPort;
-
- char direct;
- char didBind;
-
- PRNetAddr bindAddr;
-
- /* Data returned by sockd. */
- PRUint32 destHost;
- PRUint16 destPort;
-};
-
-typedef enum {
- OP_LESS = 1,
- OP_EQUAL = 2,
- OP_LEQUAL = 3,
- OP_GREATER = 4,
- OP_NOTEQUAL = 5,
- OP_GEQUAL = 6,
- OP_ALWAYS = 7
-} SocksOp;
-
-typedef struct SocksConfItemStr SocksConfItem;
-
-struct SocksConfItemStr {
- SocksConfItem *next;
- PRUint32 daddr; /* host IP addr, in network byte order. */
- PRUint32 dmask; /* mask for IP, in network byte order. */
- PRUint16 port; /* port number, in host byte order. */
- SocksOp op;
- char direct;
-};
-
-static PRUint32 ourHost; /* network byte order. */
-static SocksConfItem *ssl_socks_confs;
-
-SECStatus
-ssl_CreateSocksInfo(sslSocket *ss)
-{
- sslSocksInfo *si;
-
- if (ss->socks) {
- /* Already been done */
- return SECSuccess;
- }
-
- si = (sslSocksInfo*) PORT_ZAlloc(sizeof(sslSocksInfo));
- if (si) {
- ss->socks = si;
- if (!ss->gather) {
- ss->gather = ssl_NewGather();
- if (!ss->gather) {
- return SECFailure;
- }
- }
- return SECSuccess;
- }
- return SECFailure;
-}
-
-SECStatus
-ssl_CopySocksInfo(sslSocket *ss, sslSocket *os)
-{
- SECStatus rv;
-
-#ifdef __cplusplus
- os = os;
-#endif
- rv = ssl_CreateSocksInfo(ss);
- return rv;
-}
-
-void
-ssl_DestroySocksInfo(sslSocksInfo *si)
-{
- if (si) {
- PORT_Memset(si, 0x2f, sizeof *si);
- PORT_Free(si);
- }
-}
-
-/* Sets the global variable ourHost to the IP address returned from
- * calling GetHostByName on our system's name.
- * Called from SSL_ReadSocksConfFile().
- */
-static SECStatus
-GetOurHost(void)
-{
- PRStatus rv;
- PRHostEnt hpbuf;
- char name[100];
- char dbbuf[PR_NETDB_BUF_SIZE];
-
- PR_GetSystemInfo(PR_SI_HOSTNAME, name, sizeof name);
-
- rv = PR_GetHostByName(name, dbbuf, sizeof dbbuf, &hpbuf);
- if (rv != PR_SUCCESS)
- return SECFailure;
-
-#undef h_addr
-#define h_addr h_addr_list[0] /* address, in network byte order. */
-
- PORT_Memcpy(&ourHost, hpbuf.h_addr, hpbuf.h_length);
- return SECSuccess;
-}
-
-/*
-** Setup default SocksConfItem list so that loopback is direct, things to the
-** same subnet (?) address are direct, everything else uses sockd
-*/
-static void
-BuildDefaultConfList(void)
-{
- SocksConfItem *ci;
- SocksConfItem **lp;
-
- /* Put loopback onto direct list */
- lp = &ssl_socks_confs;
- ci = (SocksConfItem*) PORT_ZAlloc(sizeof(SocksConfItem));
- if (!ci) {
- return;
- }
- ci->direct = 1;
- ci->daddr = MAKE_IN_ADDR(127,0,0,1);
- ci->dmask = MAKE_IN_ADDR(255,255,255,255);
- ci->op = OP_ALWAYS;
- *lp = ci;
- lp = &ci->next;
-
- /* Put our hosts's subnet onto direct list */
- ci = (SocksConfItem*) PORT_ZAlloc(sizeof(SocksConfItem));
- if (!ci) {
- return;
- }
- ci->direct = 1;
- ci->daddr = ourHost;
- ci->dmask = MAKE_IN_ADDR(255,255,255,0);
- ci->op = OP_ALWAYS;
- *lp = ci;
- lp = &ci->next;
-
- /* Everything else goes to sockd */
- ci = (SocksConfItem*) PORT_ZAlloc(sizeof(SocksConfItem));
- if (!ci) {
- return;
- }
- ci->daddr = MAKE_IN_ADDR(255,255,255,255);
- ci->op = OP_ALWAYS;
- *lp = ci;
-}
-
-static int
-FragmentLine(char *cp, char **argv, int maxargc)
-{
- int argc = 0;
- char *save;
- char ch;
-
- save = cp;
- for (; (ch = *cp) != 0; cp++) {
- if ((ch == '#') || (ch == '\n')) {
- /* Done */
- break;
- }
- if (ch == ':') {
- break;
- }
- if ((ch == ' ') || (ch == '\t')) {
- /* Seperator. see if it seperated anything */
- if (cp - save > 0) {
- /* Put a null at the end of the word */
- *cp = 0;
- argc++;
- *argv++ = save;
- SSL_TRC(20, ("%d: SSL: argc=%d word=\"%s\"",
- SSL_GETPID(), argc, save));
- if (argc == maxargc) {
- return argc;
- }
- }
- save = cp + 1;
- }
- }
- if (cp - save > 0) {
- *cp = 0;
- argc++;
- *argv = save;
- SSL_TRC(20, ("%d: SSL: argc=%d word=\"%s\"",
- SSL_GETPID(), argc, save));
- }
- return argc;
-}
-
-/* XXX inet_addr? */
-static char *
-ConvertOne(char *cp, unsigned char *rvp)
-{
- char *s = PORT_Strchr(cp, '.');
- if (s) {
- *s = 0;
- }
- *rvp = PORT_Atoi(cp) & 0xff;
- return s ? s+1 : cp;
-}
-
-/* returns host address in network byte order. */
-static PRUint32
-ConvertAddr(char *buf)
-{
- unsigned char b0, b1, b2, b3;
- PRUint32 addr;
-
- buf = ConvertOne(buf, &b0);
- buf = ConvertOne(buf, &b1);
- buf = ConvertOne(buf, &b2);
- buf = ConvertOne(buf, &b3);
- addr = ((PRUint32)b0 << 24) |
- ((PRUint32)b1 << 16) |
- ((PRUint32)b2 << 8) |
- (PRUint32)b3; /* host byte order. */
-
- return PR_htonl(addr); /* network byte order. */
-}
-
-static char *
-ReadLine(char *buf, int len, PRFileDesc *fd)
-{
- char c, *p = buf;
- PRInt32 n;
-
- while(len > 0) {
- n = PR_Read(fd, &c, 1);
- if (n < 0)
- return NULL;
- if (n == 0) {
- if (p == buf) {
- return NULL;
- }
- *p = '\0';
- return buf;
- }
- if (c == '\n') {
- *p = '\0';
- return buf;
- }
- *p++ = c;
- len--;
- }
- *p = '\0';
- return buf;
-}
-
-int
-SSL_ReadSocksConfFile(PRFileDesc *fp)
-{
- SocksConfItem * ci;
- SocksConfItem **lp;
- char * file = "socks file"; /* XXX Move to nav */
- SocksOp op;
- int direct;
- int port = 0;
- int lineNumber = 0;
- int rv = GetOurHost();
-
- if (rv < 0) {
- /* If we can't figure out our host id, use socks. Loser! */
- return SECFailure;
- }
-
-#if 0 /* XXX Move to nav */
- fp = XP_FileOpen(file, xpSocksConfig, XP_FILE_READ);
-#endif
- if (!fp) {
- BuildDefaultConfList();
- return SECSuccess;
- }
-
- /* Parse config file and generate config item list */
- lp = &ssl_socks_confs;
- for (;;) {
- char * s;
- char * argv[10];
- int argc;
- PRUint32 daddr;
- PRUint32 dmask;
- char buf[1000];
-
- s = ReadLine(buf, sizeof buf, fp);
- if (!s) {
- break;
- }
- lineNumber++;
- argc = FragmentLine(buf, argv, 10);
- if (argc < 3) {
- if (argc == 0) {
- /* must be a comment/empty line */
- continue;
- }
-#ifdef XP_UNIX
- PR_fprintf(PR_STDERR, "%s:%d: bad config line\n",
- file, lineNumber);
-#endif
- continue;
- }
- if (PORT_Strcmp(argv[0], "direct") == 0) {
- direct = 1;
- } else if (PORT_Strcmp(argv[0], "sockd") == 0) {
- direct = 0;
- } else {
-#ifdef XP_UNIX
- PR_fprintf(PR_STDERR, "%s:%d: bad command: \"%s\"\n",
- file, lineNumber, argv[0]);
-#endif
- continue;
- }
-
- /* Look for port spec */
- op = OP_ALWAYS;
- if (argc > 4) {
- if (PORT_Strcmp(argv[3], "lt") == 0) {
- op = OP_LESS;
- } else if (PORT_Strcmp(argv[3], "eq") == 0) {
- op = OP_EQUAL;
- } else if (PORT_Strcmp(argv[3], "le") == 0) {
- op = OP_LEQUAL;
- } else if (PORT_Strcmp(argv[3], "gt") == 0) {
- op = OP_GREATER;
- } else if (PORT_Strcmp(argv[3], "neq") == 0) {
- op = OP_NOTEQUAL;
- } else if (PORT_Strcmp(argv[3], "ge") == 0) {
- op = OP_GEQUAL;
- } else {
-#ifdef XP_UNIX
- PR_fprintf(PR_STDERR, "%s:%d: bad comparison op: \"%s\"\n",
- file, lineNumber, argv[3]);
-#endif
- continue;
- }
- port = PORT_Atoi(argv[4]);
- }
-
- ci = (SocksConfItem*) PORT_ZAlloc(sizeof(SocksConfItem));
- if (!ci) {
- break;
- }
- daddr = ConvertAddr(argv[1]); /* net byte order. */
- dmask = ConvertAddr(argv[2]); /* net byte order. */
- ci->daddr = daddr; /* net byte order. */
- ci->dmask = dmask; /* net byte order. */
- ci->direct = direct;
- ci->op = op;
- ci->port = port; /* host byte order. */
- daddr = PR_ntohl(daddr); /* host byte order. */
- dmask = PR_ntohl(dmask); /* host byte order. */
- SSL_TRC(10, (
-"%d: SSL: line=%d direct=%d addr=%d.%d.%d.%d mask=%d.%d.%d.%d op=%d port=%d",
- SSL_GETPID(), lineNumber, ci->direct,
- (daddr >> 24) & 0xff,
- (daddr >> 16) & 0xff,
- (daddr >> 8) & 0xff,
- (daddr >> 0) & 0xff,
- (dmask >> 24) & 0xff,
- (dmask >> 16) & 0xff,
- (dmask >> 8) & 0xff,
- (dmask >> 0) & 0xff,
- ci->op, ci->port));
- *lp = ci;
- lp = &ci->next;
- }
-
-
- if (!ssl_socks_confs) {
- /* Empty file. Fix it for the user */
- BuildDefaultConfList();
- }
- return SECSuccess;
-}
-
-static int
-ChooseAddress(sslSocket *ss, const PRNetAddr *direct)
-{
- PRUint32 dstAddr;
- PRUint16 dstPort;
- SocksConfItem *ci;
- int rv;
-
- if (!ssl_socks_confs) {
- rv = SSL_ReadSocksConfFile(NULL);
- if (rv) {
- return rv;
- }
- }
-
- /*
- ** Scan socks config info and look for a direct match or a force to
- ** use the sockd. Bail on first hit.
- */
- dstAddr = direct->inet.ip;
- dstPort = PR_ntohs(direct->inet.port);
- ci = ssl_socks_confs;
- while (ci) {
- SSL_TRC(10, (
- "%d: SSL[%d]: match, direct=%d daddr=0x%x mask=0x%x op=%d port=%d",
- SSL_GETPID(), ss->fd, ci->direct, PR_ntohl(ci->daddr),
- PR_ntohl(ci->dmask), ci->op, ci->port));
- if ((ci->daddr & ci->dmask) == (dstAddr & ci->dmask)) {
- int portMatch = 0;
- switch (ci->op) {
- case OP_LESS: portMatch = dstPort < ci->port; break;
- case OP_EQUAL: portMatch = dstPort == ci->port; break;
- case OP_LEQUAL: portMatch = dstPort <= ci->port; break;
- case OP_GREATER: portMatch = dstPort > ci->port; break;
- case OP_NOTEQUAL: portMatch = dstPort != ci->port; break;
- case OP_GEQUAL: portMatch = dstPort >= ci->port; break;
- case OP_ALWAYS: portMatch = 1; break;
- }
- if (portMatch) {
- SSL_TRC(10, ("%d: SSL[%d]: socks config match",
- SSL_GETPID(), ss->fd));
- return ci->direct;
- }
- }
- ci = ci->next;
- }
- SSL_TRC(10, ("%d: SSL[%d]: socks config: no match",
- SSL_GETPID(), ss->fd));
- return 0;
-}
-
-/*
-** Find port # and host # of socks daemon. Use info in ss->socks struct
-** when valid. If not valid, try to figure it all out.
-*/
-static int
-FindDaemon(sslSocket *ss, PRNetAddr *out)
-{
- sslSocksInfo *si;
- PRUint32 host; /* network byte order. */
- PRUint16 port; /* host byte order. */
-
- PORT_Assert(ss->socks != 0);
- si = ss->socks;
-
- /* For now, assume we are using the socks daemon */
- host = si->sockdHost;
- port = si->sockdPort;
-#ifdef XP_UNIX
- if (!port) {
- static char firstTime = 1;
- static PRUint16 sockdPort;
-
- if (firstTime) {
- struct servent *sp;
-
- firstTime = 0;
- sp = getservbyname("socks", "tcp");
- if (sp) {
- sockdPort = sp->s_port;
- } else {
- SSL_TRC(10, ("%d: SSL[%d]: getservbyname of (socks,tcp) fails",
- SSL_GETPID(), ss->fd));
- }
- }
- port = sockdPort;
- }
-#endif
- if (!port) {
- port = DEF_SOCKD_PORT;
- }
- if (host == 0) {
- SSL_TRC(10, ("%d: SSL[%d]: no socks server found",
- SSL_GETPID(), ss->fd));
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return SECFailure;
- }
-
- /* We know the ip addr of the socks server */
- out->inet.family = PR_AF_INET;
- out->inet.port = PR_htons(port);
- out->inet.ip = host;
- host = PR_ntohl(host); /* now host byte order. */
- SSL_TRC(10, ("%d: SSL[%d]: socks server at %d.%d.%d.%d:%d",
- SSL_GETPID(), ss->fd,
- (host >> 24) & 0xff,
- (host >> 16) & 0xff,
- (host >> 8) & 0xff,
- (host >> 0) & 0xff,
- port));
- return SECSuccess;
-}
-
-/*
-** Send our desired address and our user name to the socks daemon.
-** cmd is either SOCKS_CONNECT (client) or SOCKS_BIND (server).
-*/
-static int
-SayHello(sslSocket *ss, int cmd, const PRNetAddr *sa, char *user)
-{
- int rv, len;
- unsigned char msg[8];
- PRUint16 port;
- PRUint32 host;
-
- /* Send dst message to sockd */
- port = sa->inet.port;
- host = sa->inet.ip;
- msg[0] = SOCKS_VERSION;
- msg[1] = cmd;
- PORT_Memcpy(msg+2, &port, 2);
- PORT_Memcpy(msg+4, &host, 4);
- SSL_TRC(10, ("%d: SSL[%d]: socks real dest=%d.%d.%d.%d:%d",
- SSL_GETPID(), ss->fd, msg[4], msg[5], msg[6], msg[7],
- port));
-
- rv = ssl_DefSend(ss, msg, sizeof(msg), 0);
- if (rv < 0) {
- goto io_error;
- }
- /* XXX Deal with short write !! */
-
- /* Send src-user message to sockd */
- len = strlen(user)+1;
- rv = ssl_DefSend(ss, (unsigned char *)user, len, 0);
- if (rv < 0) {
- goto io_error;
- }
- /* XXX Deal with short write !! */
-
- return SECSuccess;
-
- io_error:
- SSL_TRC(10, ("%d: SSL[%d]: socks, io error saying hello to sockd errno=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- return SECFailure;
-}
-
-/* Handle the reply from the socks proxy/daemon.
-** Called from ssl_Do1stHandshake().
-*/
-static SECStatus
-SocksHandleReply(sslSocket *ss)
-{
- unsigned char *msg;
- unsigned char cmd;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
-
- ssl_GetRecvBufLock(ss);
- PORT_Assert(ss->gather != 0);
-
- msg = ss->gather->buf.buf;
- cmd = msg[1];
- SSL_TRC(10, ("%d: SSL[%d]: socks result: cmd=%d",
- SSL_GETPID(), ss->fd, cmd));
-
- /* This is Bogus. The socks spec says these fields are undefined in
- * the reply from the socks daemon/proxy. No point in saving garbage.
- */
- PORT_Memcpy(&ss->socks->destPort, msg+2, 2);
- PORT_Memcpy(&ss->socks->destHost, msg+4, 4);
-
- ss->gather->recordLen = 0;
- ssl_ReleaseRecvBufLock(ss);
-
- /* Check status back from sockd */
- switch (cmd) {
- case SOCKS_FAIL:
- case SOCKS_NO_IDENTD:
- case SOCKS_BAD_ID:
- SSL_DBG(("%d: SSL[%d]: sockd returns an error: %d",
- SSL_GETPID(), ss->fd, cmd));
- PORT_SetError(PR_CONNECT_REFUSED_ERROR);
- return SECFailure;
-
- default:
- break;
- }
-
- /* All done */
- SSL_TRC(1, ("%d: SSL[%d]: using sockd at %d.%d.%d.%d",
- SSL_GETPID(), ss->fd,
- (PR_ntohl(ss->socks->sockdHost) >> 24) & 0xff,
- (PR_ntohl(ss->socks->sockdHost) >> 16) & 0xff,
- (PR_ntohl(ss->socks->sockdHost) >> 8) & 0xff,
- (PR_ntohl(ss->socks->sockdHost) >> 0) & 0xff));
- ss->handshake = 0;
- ss->nextHandshake = 0;
- return SECSuccess;
-}
-
-static SECStatus
-SocksGatherRecord(sslSocket *ss)
-{
- int rv;
-
- PORT_Assert( ssl_Have1stHandshakeLock(ss) );
- ssl_GetRecvBufLock(ss);
- rv = ssl2_GatherRecord(ss, 0);
- ssl_ReleaseRecvBufLock(ss);
- if (rv <= 0) {
- if (rv == 0)
- /* Unexpected EOF */
- PORT_SetError(PR_END_OF_FILE_ERROR);
- return SECFailure;
- }
- ss->handshake = 0;
- return SECSuccess;
-}
-
-static SECStatus
-SocksStartGather(sslSocket *ss)
-{
- int rv;
-
- ss->handshake = SocksGatherRecord;
- ss->nextHandshake = SocksHandleReply;
- rv = ssl2_StartGatherBytes(ss, ss->gather, 8);
- if (rv <= 0) {
- if (rv == 0) {
- /* Unexpected EOF */
- PORT_SetError(PR_END_OF_FILE_ERROR);
- return SECFailure;
- }
- return (SECStatus)rv;
- }
- ss->handshake = 0;
- return SECSuccess;
-}
-
-/************************************************************************/
-
-
-/* BSDI ain't got no cuserid() */
-#ifdef __386BSD__
-#include <pwd.h>
-char *
-bsdi_cuserid(char *b)
-{
- struct passwd *pw = getpwuid(getuid());
-
- if (!b)
- return pw ? pw->pw_name : NULL;
-
- if (!pw || !pw->pw_name)
- b[0] = '\0';
- else
- strcpy(b, pw->pw_name);
- return b;
-}
-#endif
-
-
-/* sa identifies the server to which we want to connect.
- * First determine whether or not to use socks.
- * If not, connect directly to server.
- * If so, connect to socks proxy, and send SOCKS_CONNECT cmd, but
- * Does NOT wait for reply from socks proxy.
- */
-int
-ssl_SocksConnect(sslSocket *ss, const PRNetAddr *sa)
-{
- int rv, err, direct;
- PRNetAddr daemon;
- const PRNetAddr *sip;
- char *user;
- PRFileDesc *osfd = ss->fd->lower;
-
- /* Figure out where to connect to */
- rv = FindDaemon(ss, &daemon);
- if (rv) {
- return SECFailure;
- }
- direct = ChooseAddress(ss, sa);
- if (direct) {
- sip = sa;
- ss->socks->direct = 1;
- } else {
- sip = &daemon;
- ss->socks->direct = 0;
- }
- SSL_TRC(10, ("%d: SSL[%d]: socks %s connect to %d.%d.%d.%d:%d",
- SSL_GETPID(), ss->fd,
- direct ? "direct" : "sockd",
- (PR_ntohl(sip->inet.ip) >> 24) & 0xff,
- (PR_ntohl(sip->inet.ip) >> 16) & 0xff,
- (PR_ntohl(sip->inet.ip) >> 8) & 0xff,
- PR_ntohl(sip->inet.ip) & 0xff,
- PR_ntohs(sip->inet.port)));
-
- /* Attempt first connection */
- rv = osfd->methods->connect(osfd, sip, ss->cTimeout);
- err = PORT_GetError();
-#ifdef _WIN32
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */
-#endif
- if (rv < 0) {
- if (err != PR_IS_CONNECTED_ERROR) {
- return rv;
- }
- /* Async connect finished */
- }
-
- /* If talking to sockd, do handshake */
- if (!direct) {
- /* Find user */
-#ifdef XP_UNIX
-#ifdef __386BSD__
- user = bsdi_cuserid(NULL);
-#else
- user = cuserid(NULL);
-#endif
- if (!user) {
- PORT_SetError(PR_UNKNOWN_ERROR);
- SSL_DBG(("%d: SSL[%d]: cuserid fails, errno=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- return SECFailure;
- }
-#else
- user = "SSL";
-#endif
-
- /* Send our message to it */
- rv = SayHello(ss, SOCKS_CONNECT, sa, user);
- if (rv) {
- return rv;
- }
-
- ss->handshake = SocksStartGather;
- ss->nextHandshake = 0;
-
- /* save up who we're really talking to so we can index the cache */
- ss->peer = sa->inet.ip;
- ss->port = sa->inet.port;
- }
- return 0;
-}
-
-/* Called from ssl_SocksBind(), SSL_BindForSockd(), and ssl_SocksAccept().
- * NOT called from ssl_SocksConnect().
- */
-static int
-SocksWaitForResponse(sslSocket *ss)
-{
- int rv;
-
- ss->handshake = SocksStartGather;
- ss->nextHandshake = 0;
-
- /* Get response. Do it now, spinning if necessary (!) */
- for (;;) {
- ssl_Get1stHandshakeLock(ss);
- rv = ssl_Do1stHandshake(ss);
- ssl_Release1stHandshakeLock(ss);
- if (rv == SECWouldBlock ||
- (rv == SECFailure && PORT_GetError() == PR_WOULD_BLOCK_ERROR)) {
-#ifdef XP_UNIX
- /*
- ** Spinning is really evil under unix. Call select and
- ** continue when a read select returns true. We only get
- ** here if the socket was marked async before the bind
- ** call.
- */
- PRPollDesc spin;
- spin.fd = ss->fd->lower;
- spin.in_flags = PR_POLL_READ;
- rv = PR_Poll(&spin, 1, PR_INTERVAL_NO_TIMEOUT);
- if (rv < 0) {
- return rv;
- }
-#else
- PRIntervalTime ticks = PR_MillisecondsToInterval(1);
- PR_Sleep(ticks);
-#endif
- continue;
- }
- break;
- }
- return rv;
-}
-
-/* sa identifies the server address we want to bind to.
- * First, determine if we need to register with a socks proxy.
- * If socks, then Connect to Socks proxy daemon, send SOCKS_BIND message,
- * wait for response from socks proxy.
- */
-int
-ssl_SocksBind(sslSocket *ss, const PRNetAddr *sa)
-{
- sslSocksInfo * si;
- PRFileDesc * osfd = ss->fd->lower;
- char * user;
- int rv;
- int direct;
- PRNetAddr daemon;
-
- PORT_Assert(ss->socks != 0);
- si = ss->socks;
-
- /* Figure out where to connect to */
- rv = FindDaemon(ss, &daemon);
- if (rv) {
- return SECFailure;
- }
- direct = ChooseAddress(ss, sa);
- if (direct) {
- ss->socks->direct = 1;
- rv = osfd->methods->bind(osfd, sa);
- PORT_Memcpy(&ss->socks->bindAddr, sa, sizeof(PRNetAddr));
- } else {
- ss->socks->direct = 0;
- SSL_TRC(10, ("%d: SSL[%d]: socks sockd bind to %d.%d.%d.%d:%d",
- SSL_GETPID(), ss->fd,
- (PR_ntohl(daemon.inet.ip) >> 24) & 0xff,
- (PR_ntohl(daemon.inet.ip) >> 16) & 0xff,
- (PR_ntohl(daemon.inet.ip) >> 8) & 0xff,
- PR_ntohl(daemon.inet.ip) & 0xff,
- PR_ntohs(daemon.inet.port)));
-
- /* First connect to socks daemon. ASYNC connects must be disabled! */
- rv = osfd->methods->connect(osfd, &daemon, ss->cTimeout);
- if (rv < 0) {
- return rv;
- }
-
- /* Find user */
-#ifdef XP_UNIX
-#ifdef __386BSD__
- user = bsdi_cuserid(NULL);
-#else
- user = cuserid(NULL);
-#endif
- if (!user) {
- SSL_DBG(("%d: SSL[%d]: cuserid fails, errno=%d",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- PORT_SetError(PR_UNKNOWN_ERROR);
- return SECFailure;
- }
-#else
- user = "SSL";
-#endif
- /* Send message to sockd */
- rv = SayHello(ss, SOCKS_BIND, sa, user);
- if (rv) {
- return rv;
- }
-
- /* SocksGatherRecord up bind response from sockd */
- rv = SocksWaitForResponse(ss);
- if (rv == 0) {
- /* Done */
- si->bindAddr.inet.family = PR_AF_INET;
- si->bindAddr.inet.port = si->destPort;
- if (PR_ntohl(si->destHost) == PR_INADDR_ANY) {
- si->bindAddr.inet.ip = daemon.inet.ip;
- } else {
- si->bindAddr.inet.ip = si->destHost;
- }
- }
- }
- si->didBind = 1;
- return rv;
-}
-
-
-PRFileDesc *
-ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr)
-{
- PORT_Assert(0);
-#if 0 /* XXX This doesn't work. */
- sslSocket *ns;
- sslSocksInfo *si;
- PRFileDesc *fd, *osfd = ss->fd->lower;
- int rv;
-
- PORT_Assert(ss->socks != 0);
- si = ss->socks;
-
- if (!si->didBind || si->direct) {
- /*
- ** If we didn't do the bind yet this call will generate an error
- ** from the OS. If we did do the bind then we must be direct and
- ** let the OS do the accept.
- */
- fd = osfd->methods->accept(osfd, addr, ss->cTimeout);
- return NULL;
- }
-
- /* Get next accept response from server */
- rv = SocksWaitForResponse(ss);
- if (rv) {
- return NULL;
- }
-
- /* Handshake finished. Give dest address back to caller */
- addr->inet.family = PR_AF_INET;
- addr->inet.port = si->destPort;
- addr->inet.ip = si->destHost;
-
- /* Dup the descriptor and return it */
- fd = osfd->methods->dup(osfd);
- if (fd == NULL) {
- return NULL;
- }
-
- /* Dup the socket structure */
- ns = ssl_DupSocket(ss, fd);
- if (ns == NULL) {
- PR_Close(fd);
- return NULL;
- }
-
- return fd;
-#else
- return NULL;
-#endif /* 0 */
-}
-
-int
-ssl_SocksListen(sslSocket *ss, int backlog)
-{
- PRFileDesc *osfd = ss->fd->lower;
- int rv;
-
- PORT_Assert(ss->socks != 0);
-
- if (ss->socks->direct) {
- rv = osfd->methods->listen(osfd, backlog);
- return rv;
- }
- return 0;
-}
-
-int
-ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name)
-{
- PRFileDesc *osfd = ss->fd->lower;
- int rv;
-
- PORT_Assert(ss->socks != 0);
- if (!ss->socks->didBind || ss->socks->direct) {
- rv = osfd->methods->getsockname(osfd, name);
- return rv;
- }
-
- PORT_Memcpy(name, &ss->socks->bindAddr, sizeof(PRNetAddr));
- return 0;
-}
-
-int
-ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
-{
- int rv;
-
- PORT_Assert(ss->socks != 0);
-
- if (ss->handshake) {
- ssl_Get1stHandshakeLock(ss);
- rv = ssl_Do1stHandshake(ss);
- ssl_Release1stHandshakeLock(ss);
- if (rv < 0) {
- return rv;
- }
- rv = ssl_SendSavedWriteData(ss, &ss->saveBuf, ssl_DefSend);
- if (rv < 0) {
- return SECFailure;
- }
- /* XXX Deal with short write !! */
- }
-
- rv = ssl_DefRecv(ss, buf, len, flags);
- SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes from sockd",
- SSL_GETPID(), ss->fd, rv));
- return rv;
-}
-
-int
-ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len)
-{
- return ssl_SocksRecv(ss, buf, len, 0);
-}
-
-int
-ssl_SocksSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-{
- int rv;
-
- PORT_Assert(ss->socks != 0);
-
- if (len == 0)
- return 0;
- if (ss->handshake) {
- ssl_Get1stHandshakeLock(ss);
- rv = ssl_Do1stHandshake(ss);
- ssl_Release1stHandshakeLock(ss);
- if (rv < 0) {
- if (rv == SECWouldBlock) {
- return len; /* ????? XXX */
- }
- return rv;
- }
- rv = ssl_SendSavedWriteData(ss, &ss->saveBuf, ssl_DefSend);
- if (rv < 0) {
- return SECFailure;
- }
- /* XXX Deal with short write !! */
- }
-
- SSL_TRC(2, ("%d: SSL[%d]: sending %d bytes using socks",
- SSL_GETPID(), ss->fd, len));
-
- /* Send out the data */
- rv = ssl_DefSend(ss, buf, len, flags);
- /* XXX Deal with short write !! */
- return rv;
-}
-
-int
-ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len)
-{
- return ssl_SocksSend(ss, buf, len, 0);
-}
-
-/* returns > 0 if direct
- * returns == 0 if socks
- * returns < 0 if error.
- */
-int
-SSL_CheckDirectSock(PRFileDesc *s)
-{
- sslSocket *ss;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in CheckDirectSock", SSL_GETPID(), s));
- return SECFailure;
- }
-
- if (ss->socks != NULL) {
- return ss->socks->direct;
- }
- return SECFailure;
-}
-
-
-SECStatus
-SSL_ConfigSockd(PRFileDesc *s, PRUint32 host, PRUint16 port)
-{
- sslSocket *ss;
- SECStatus rv;
-
- ss = ssl_FindSocket(s);
- if (!ss) {
- SSL_DBG(("%d: SSL[%d]: bad socket in ConfigSocks", SSL_GETPID(), s));
- return SECFailure;
- }
-
- /* Create socks info if not already done */
- rv = ssl_CreateSocksInfo(ss);
- if (rv) {
- return rv;
- }
- ss->socks->sockdHost = host;
- ss->socks->sockdPort = port;
- return SECSuccess;
-}
-
diff --git a/security/nss/lib/ssl/ssltrace.c b/security/nss/lib/ssl/ssltrace.c
deleted file mode 100644
index 15f064813..000000000
--- a/security/nss/lib/ssl/ssltrace.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * Functions to trace SSL protocol behavior in DEBUG builds.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include <stdarg.h>
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "prprf.h"
-
-#if defined(DEBUG) || defined(TRACE)
-static const char *hex = "0123456789abcdef";
-
-static const char printable[257] = {
- "................" /* 0x */
- "................" /* 1x */
- " !\"#$%&'()*+,-./" /* 2x */
- "0123456789:;<=>?" /* 3x */
- "@ABCDEFGHIJKLMNO" /* 4x */
- "PQRSTUVWXYZ[\\]^_" /* 5x */
- "`abcdefghijklmno" /* 6x */
- "pqrstuvwxyz{|}~." /* 7x */
- "................" /* 8x */
- "................" /* 9x */
- "................" /* ax */
- "................" /* bx */
- "................" /* cx */
- "................" /* dx */
- "................" /* ex */
- "................" /* fx */
-};
-
-void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
-{
- const unsigned char *cp = (const unsigned char *)vp;
- char buf[80];
- char *bp;
- char *ap;
-
- if (ss) {
- SSL_TRACE(("%d: SSL[%d]: %s [Len: %d]", SSL_GETPID(), ss->fd,
- msg, len));
- } else {
- SSL_TRACE(("%d: SSL: %s [Len: %d]", SSL_GETPID(), msg, len));
- }
- memset(buf, ' ', sizeof buf);
- bp = buf;
- ap = buf + 50;
- while (--len >= 0) {
- unsigned char ch = *cp++;
- *bp++ = hex[(ch >> 4) & 0xf];
- *bp++ = hex[ch & 0xf];
- *bp++ = ' ';
- *ap++ = printable[ch];
- if (ap - buf >= 66) {
- *ap = 0;
- SSL_TRACE((" %s", buf));
- memset(buf, ' ', sizeof buf);
- bp = buf;
- ap = buf + 50;
- }
- }
- if (bp > buf) {
- *ap = 0;
- SSL_TRACE((" %s", buf));
- }
-}
-
-#define LEN(cp) (((cp)[0] << 8) | ((cp)[1]))
-
-static void PrintType(sslSocket *ss, char *msg)
-{
- if (ss) {
- SSL_TRACE(("%d: SSL[%d]: dump-msg: %s", SSL_GETPID(), ss->fd,
- msg));
- } else {
- SSL_TRACE(("%d: SSL: dump-msg: %s", SSL_GETPID(), msg));
- }
-}
-
-static void PrintInt(sslSocket *ss, char *msg, unsigned v)
-{
- if (ss) {
- SSL_TRACE(("%d: SSL[%d]: %s=%u", SSL_GETPID(), ss->fd,
- msg, v));
- } else {
- SSL_TRACE(("%d: SSL: %s=%u", SSL_GETPID(), msg, v));
- }
-}
-
-/* PrintBuf is just like ssl_PrintBuf above, except that:
- * a) It prefixes each line of the buffer with "XX: SSL[xxx] "
- * b) It dumps only hex, not ASCII.
- */
-static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
-{
- char buf[80];
- char *bp;
-
- if (ss) {
- SSL_TRACE(("%d: SSL[%d]: %s [Len: %d]",
- SSL_GETPID(), ss->fd, msg, len));
- } else {
- SSL_TRACE(("%d: SSL: %s [Len: %d]",
- SSL_GETPID(), msg, len));
- }
- bp = buf;
- while (--len >= 0) {
- unsigned char ch = *cp++;
- *bp++ = hex[(ch >> 4) & 0xf];
- *bp++ = hex[ch & 0xf];
- *bp++ = ' ';
- if (bp + 4 > buf + 50) {
- *bp = 0;
- if (ss) {
- SSL_TRACE(("%d: SSL[%d]: %s",
- SSL_GETPID(), ss->fd, buf));
- } else {
- SSL_TRACE(("%d: SSL: %s", SSL_GETPID(), buf));
- }
- bp = buf;
- }
- }
- if (bp > buf) {
- *bp = 0;
- if (ss) {
- SSL_TRACE(("%d: SSL[%d]: %s",
- SSL_GETPID(), ss->fd, buf));
- } else {
- SSL_TRACE(("%d: SSL: %s", SSL_GETPID(), buf));
- }
- }
-}
-
-void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
-{
- switch (bp[0]) {
- case SSL_MT_ERROR:
- PrintType(ss, "Error");
- PrintInt(ss, "error", LEN(bp+1));
- break;
-
- case SSL_MT_CLIENT_HELLO:
- {
- unsigned lcs = LEN(bp+3);
- unsigned ls = LEN(bp+5);
- unsigned lc = LEN(bp+7);
-
- PrintType(ss, "Client-Hello");
-
- PrintInt(ss, "version (Major)", bp[1]);
- PrintInt(ss, "version (minor)", bp[2]);
-
- PrintBuf(ss, "cipher-specs", bp+9, lcs);
- PrintBuf(ss, "session-id", bp+9+lcs, ls);
- PrintBuf(ss, "challenge", bp+9+lcs+ls, lc);
- }
- break;
- case SSL_MT_CLIENT_MASTER_KEY:
- {
- unsigned lck = LEN(bp+4);
- unsigned lek = LEN(bp+6);
- unsigned lka = LEN(bp+8);
-
- PrintType(ss, "Client-Master-Key");
-
- PrintInt(ss, "cipher-choice", bp[1]);
- PrintInt(ss, "key-length", LEN(bp+2));
-
- PrintBuf(ss, "clear-key", bp+10, lck);
- PrintBuf(ss, "encrypted-key", bp+10+lck, lek);
- PrintBuf(ss, "key-arg", bp+10+lck+lek, lka);
- }
- break;
- case SSL_MT_CLIENT_FINISHED:
- PrintType(ss, "Client-Finished");
- PrintBuf(ss, "connection-id", bp+1, len-1);
- break;
- case SSL_MT_SERVER_HELLO:
- {
- unsigned lc = LEN(bp+5);
- unsigned lcs = LEN(bp+7);
- unsigned lci = LEN(bp+9);
-
- PrintType(ss, "Server-Hello");
-
- PrintInt(ss, "session-id-hit", bp[1]);
- PrintInt(ss, "certificate-type", bp[2]);
- PrintInt(ss, "version (Major)", bp[3]);
- PrintInt(ss, "version (minor)", bp[3]);
- PrintBuf(ss, "certificate", bp+11, lc);
- PrintBuf(ss, "cipher-specs", bp+11+lc, lcs);
- PrintBuf(ss, "connection-id", bp+11+lc+lcs, lci);
- }
- break;
- case SSL_MT_SERVER_VERIFY:
- PrintType(ss, "Server-Verify");
- PrintBuf(ss, "challenge", bp+1, len-1);
- break;
- case SSL_MT_SERVER_FINISHED:
- PrintType(ss, "Server-Finished");
- PrintBuf(ss, "session-id", bp+1, len-1);
- break;
- case SSL_MT_REQUEST_CERTIFICATE:
- PrintType(ss, "Request-Certificate");
- PrintInt(ss, "authentication-type", bp[1]);
- PrintBuf(ss, "certificate-challenge", bp+2, len-2);
- break;
- case SSL_MT_CLIENT_CERTIFICATE:
- {
- unsigned lc = LEN(bp+2);
- unsigned lr = LEN(bp+4);
- PrintType(ss, "Client-Certificate");
- PrintInt(ss, "certificate-type", bp[1]);
- PrintBuf(ss, "certificate", bp+6, lc);
- PrintBuf(ss, "response", bp+6+lc, lr);
- }
- break;
- default:
- ssl_PrintBuf(ss, "sending *unknown* message type", bp, len);
- return;
- }
-}
-
-void
-ssl_Trace(const char *format, ... )
-{
- char buf[2000];
-
- va_list args;
- va_start(args, format);
- PR_vsnprintf(buf, sizeof(buf), format, args);
- va_end(args);
- puts(buf);
-}
-#endif
diff --git a/security/nss/lib/ssl/unix_err.c b/security/nss/lib/ssl/unix_err.c
deleted file mode 100644
index f4c4b643b..000000000
--- a/security/nss/lib/ssl/unix_err.c
+++ /dev/null
@@ -1,536 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes. We would use
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#if 0
-#include "primpl.h"
-#else
-#define _PR_POLL_AVAILABLE 1
-#include "prerror.h"
-#endif
-
-#if defined(_PR_POLL_AVAILABLE)
-#include <poll.h>
-#endif
-#include <errno.h>
-
-/* forward declarations. */
-void nss_MD_unix_map_default_error(int err);
-
-void nss_MD_unix_map_opendir_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_closedir_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_BAD_DESCRIPTOR_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_readdir_error(int err)
-{
- PRErrorCode prError;
-
- switch (err) {
- case ENOENT: prError = PR_NO_MORE_FILES_ERROR; break;
-#ifdef EOVERFLOW
- case EOVERFLOW: prError = PR_IO_ERROR; break;
-#endif
- case EINVAL: prError = PR_IO_ERROR; break;
- case ENXIO: prError = PR_IO_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_unlink_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EPERM: prError = PR_IS_DIRECTORY_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_stat_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_fstat_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_rename_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EEXIST: prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_access_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_mkdir_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_rmdir_error(int err)
-{
- PRErrorCode prError;
-
- switch (err) {
- case EEXIST: prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
- case EINVAL: prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_read_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_INVALID_METHOD_ERROR; break;
- case ENXIO: prError = PR_INVALID_ARGUMENT_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_write_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_INVALID_METHOD_ERROR; break;
- case ENXIO: prError = PR_INVALID_METHOD_ERROR; break;
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_lseek_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_fsync_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- case EINVAL: prError = PR_INVALID_METHOD_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_close_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_socket_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_socketavailable_error(int err)
-{
- PR_SetError(PR_BAD_DESCRIPTOR_ERROR, err);
-}
-
-void nss_MD_unix_map_recv_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_recvfrom_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_send_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_sendto_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_writev_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_accept_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ENODEV: prError = PR_NOT_TCP_SOCKET_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_connect_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EACCES: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-#if defined(UNIXWARE) || defined(SNI) || defined(NEC)
- /*
- * On some platforms, if we connect to a port on the local host
- * (the loopback address) that no process is listening on, we get
- * EIO instead of ECONNREFUSED.
- */
- case EIO: prError = PR_CONNECT_REFUSED_ERROR; break;
-#endif
- case ELOOP: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case ENOENT: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case ENXIO: prError = PR_IO_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_bind_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
- /*
- * UNIX domain sockets are not supported in NSPR
- */
- case EIO: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case EISDIR: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case ELOOP: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case ENOENT: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case ENOTDIR: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case EROFS: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_listen_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_shutdown_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_socketpair_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_getsockname_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_getpeername_error(int err)
-{
- PRErrorCode prError;
-
- switch (err) {
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_getsockopt_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_BUFFER_OVERFLOW_ERROR; break;
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_setsockopt_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_BUFFER_OVERFLOW_ERROR; break;
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_open_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EAGAIN: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case EBUSY: prError = PR_IO_ERROR; break;
- case ENODEV: prError = PR_FILE_NOT_FOUND_ERROR; break;
- case ENOMEM: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case ETIMEDOUT: prError = PR_REMOTE_FILE_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_mmap_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EAGAIN: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case EMFILE: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case ENODEV: prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
- case ENXIO: prError = PR_INVALID_ARGUMENT_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_gethostname_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_select_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-
-#ifdef _PR_POLL_AVAILABLE
-void nss_MD_unix_map_poll_error(int err)
-{
- PRErrorCode prError;
-
- switch (err) {
- case EAGAIN: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_poll_revents_error(int err)
-{
- if (err & POLLNVAL)
- PR_SetError(PR_BAD_DESCRIPTOR_ERROR, EBADF);
- else if (err & POLLHUP)
- PR_SetError(PR_CONNECT_RESET_ERROR, EPIPE);
- else if (err & POLLERR)
- PR_SetError(PR_IO_ERROR, EIO);
- else
- PR_SetError(PR_UNKNOWN_ERROR, err);
-}
-#endif /* _PR_POLL_AVAILABLE */
-
-
-void nss_MD_unix_map_flock_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EINVAL: prError = PR_BAD_DESCRIPTOR_ERROR; break;
- case EWOULDBLOCK: prError = PR_FILE_IS_LOCKED_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_lockf_error(int err)
-{
- PRErrorCode prError;
- switch (err) {
- case EACCES: prError = PR_FILE_IS_LOCKED_ERROR; break;
- case EDEADLK: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- default: nss_MD_unix_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-#ifdef HPUX11
-void nss_MD_hpux_map_sendfile_error(int err)
-{
- nss_MD_unix_map_default_error(err);
-}
-#endif /* HPUX11 */
-
-
-void nss_MD_unix_map_default_error(int err)
-{
- PRErrorCode prError;
- switch (err ) {
- case EACCES: prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
- case EADDRINUSE: prError = PR_ADDRESS_IN_USE_ERROR; break;
- case EADDRNOTAVAIL: prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
- case EAFNOSUPPORT: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case EAGAIN: prError = PR_WOULD_BLOCK_ERROR; break;
- case EALREADY: prError = PR_ALREADY_INITIATED_ERROR; break;
- case EBADF: prError = PR_BAD_DESCRIPTOR_ERROR; break;
-#ifdef EBADMSG
- case EBADMSG: prError = PR_IO_ERROR; break;
-#endif
- case EBUSY: prError = PR_FILESYSTEM_MOUNTED_ERROR; break;
- case ECONNREFUSED: prError = PR_CONNECT_REFUSED_ERROR; break;
- case ECONNRESET: prError = PR_CONNECT_RESET_ERROR; break;
- case EDEADLK: prError = PR_DEADLOCK_ERROR; break;
-#ifdef EDIRCORRUPTED
- case EDIRCORRUPTED: prError = PR_DIRECTORY_CORRUPTED_ERROR; break;
-#endif
-#ifdef EDQUOT
- case EDQUOT: prError = PR_NO_DEVICE_SPACE_ERROR; break;
-#endif
- case EEXIST: prError = PR_FILE_EXISTS_ERROR; break;
- case EFAULT: prError = PR_ACCESS_FAULT_ERROR; break;
- case EFBIG: prError = PR_FILE_TOO_BIG_ERROR; break;
- case EINPROGRESS: prError = PR_IN_PROGRESS_ERROR; break;
- case EINTR: prError = PR_PENDING_INTERRUPT_ERROR; break;
- case EINVAL: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case EIO: prError = PR_IO_ERROR; break;
- case EISCONN: prError = PR_IS_CONNECTED_ERROR; break;
- case EISDIR: prError = PR_IS_DIRECTORY_ERROR; break;
- case ELOOP: prError = PR_LOOP_ERROR; break;
- case EMFILE: prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
- case EMLINK: prError = PR_MAX_DIRECTORY_ENTRIES_ERROR; break;
- case EMSGSIZE: prError = PR_INVALID_ARGUMENT_ERROR; break;
-#ifdef EMULTIHOP
- case EMULTIHOP: prError = PR_REMOTE_FILE_ERROR; break;
-#endif
- case ENAMETOOLONG: prError = PR_NAME_TOO_LONG_ERROR; break;
- case ENETUNREACH: prError = PR_NETWORK_UNREACHABLE_ERROR; break;
- case ENFILE: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
-#if !defined(SCO)
- case ENOBUFS: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-#endif
- case ENODEV: prError = PR_FILE_NOT_FOUND_ERROR; break;
- case ENOENT: prError = PR_FILE_NOT_FOUND_ERROR; break;
- case ENOLCK: prError = PR_FILE_IS_LOCKED_ERROR; break;
-#ifdef ENOLINK
- case ENOLINK: prError = PR_REMOTE_FILE_ERROR; break;
-#endif
- case ENOMEM: prError = PR_OUT_OF_MEMORY_ERROR; break;
- case ENOPROTOOPT: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case ENOSPC: prError = PR_NO_DEVICE_SPACE_ERROR; break;
- case ENOSR: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case ENOTCONN: prError = PR_NOT_CONNECTED_ERROR; break;
- case ENOTDIR: prError = PR_NOT_DIRECTORY_ERROR; break;
- case ENOTSOCK: prError = PR_NOT_SOCKET_ERROR; break;
- case ENXIO: prError = PR_FILE_NOT_FOUND_ERROR; break;
- case EOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-#ifdef EOVERFLOW
- case EOVERFLOW: prError = PR_BUFFER_OVERFLOW_ERROR; break;
-#endif
- case EPERM: prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
- case EPIPE: prError = PR_CONNECT_RESET_ERROR; break;
-#ifdef EPROTO
- case EPROTO: prError = PR_IO_ERROR; break;
-#endif
- case EPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
- case EPROTOTYPE: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case ERANGE: prError = PR_INVALID_METHOD_ERROR; break;
- case EROFS: prError = PR_READ_ONLY_FILESYSTEM_ERROR; break;
- case ESPIPE: prError = PR_INVALID_METHOD_ERROR; break;
- case ETIMEDOUT: prError = PR_IO_TIMEOUT_ERROR; break;
-#if EWOULDBLOCK != EAGAIN
- case EWOULDBLOCK: prError = PR_WOULD_BLOCK_ERROR; break;
-#endif
- case EXDEV: prError = PR_NOT_SAME_DEVICE_ERROR; break;
-
- default: prError = PR_UNKNOWN_ERROR; break;
- }
- PR_SetError(prError, err);
-}
diff --git a/security/nss/lib/ssl/unix_err.h b/security/nss/lib/ssl/unix_err.h
deleted file mode 100644
index 2611baf81..000000000
--- a/security/nss/lib/ssl/unix_err.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes. We would use
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-/* NSPR doesn't make these functions public, so we have to duplicate
-** them in NSS.
-*/
-extern void nss_MD_hpux_map_sendfile_error(int err);
-extern void nss_MD_unix_map_accept_error(int err);
-extern void nss_MD_unix_map_access_error(int err);
-extern void nss_MD_unix_map_bind_error(int err);
-extern void nss_MD_unix_map_close_error(int err);
-extern void nss_MD_unix_map_closedir_error(int err);
-extern void nss_MD_unix_map_connect_error(int err);
-extern void nss_MD_unix_map_default_error(int err);
-extern void nss_MD_unix_map_flock_error(int err);
-extern void nss_MD_unix_map_fstat_error(int err);
-extern void nss_MD_unix_map_fsync_error(int err);
-extern void nss_MD_unix_map_gethostname_error(int err);
-extern void nss_MD_unix_map_getpeername_error(int err);
-extern void nss_MD_unix_map_getsockname_error(int err);
-extern void nss_MD_unix_map_getsockopt_error(int err);
-extern void nss_MD_unix_map_listen_error(int err);
-extern void nss_MD_unix_map_lockf_error(int err);
-extern void nss_MD_unix_map_lseek_error(int err);
-extern void nss_MD_unix_map_mkdir_error(int err);
-extern void nss_MD_unix_map_mmap_error(int err);
-extern void nss_MD_unix_map_open_error(int err);
-extern void nss_MD_unix_map_opendir_error(int err);
-extern void nss_MD_unix_map_poll_error(int err);
-extern void nss_MD_unix_map_poll_revents_error(int err);
-extern void nss_MD_unix_map_read_error(int err);
-extern void nss_MD_unix_map_readdir_error(int err);
-extern void nss_MD_unix_map_recv_error(int err);
-extern void nss_MD_unix_map_recvfrom_error(int err);
-extern void nss_MD_unix_map_rename_error(int err);
-extern void nss_MD_unix_map_rmdir_error(int err);
-extern void nss_MD_unix_map_select_error(int err);
-extern void nss_MD_unix_map_send_error(int err);
-extern void nss_MD_unix_map_sendto_error(int err);
-extern void nss_MD_unix_map_setsockopt_error(int err);
-extern void nss_MD_unix_map_shutdown_error(int err);
-extern void nss_MD_unix_map_socket_error(int err);
-extern void nss_MD_unix_map_socketavailable_error(int err);
-extern void nss_MD_unix_map_socketpair_error(int err);
-extern void nss_MD_unix_map_stat_error(int err);
-extern void nss_MD_unix_map_unlink_error(int err);
-extern void nss_MD_unix_map_write_error(int err);
-extern void nss_MD_unix_map_writev_error(int err);
diff --git a/security/nss/lib/ssl/win32err.c b/security/nss/lib/ssl/win32err.c
deleted file mode 100644
index acfce2c9d..000000000
--- a/security/nss/lib/ssl/win32err.c
+++ /dev/null
@@ -1,373 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes. We would use
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#include "prerror.h"
-#include "prlog.h"
-#include <errno.h>
-#include <windows.h>
-
-/*
- * On Win32, we map three kinds of error codes:
- * - GetLastError(): for Win32 functions
- * - WSAGetLastError(): for Winsock functions
- * - errno: for standard C library functions
- *
- * We do not check for WSAEINPROGRESS and WSAEINTR because we do not
- * use blocking Winsock 1.1 calls.
- *
- * Except for the 'socket' call, we do not check for WSAEINITIALISED.
- * It is assumed that if Winsock is not initialized, that fact will
- * be detected at the time we create new sockets.
- */
-
-/* forward declaration. */
-void nss_MD_win32_map_default_error(PRInt32 err);
-
-void nss_MD_win32_map_opendir_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_closedir_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_readdir_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_delete_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-/* The error code for stat() is in errno. */
-void nss_MD_win32_map_stat_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_fstat_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_rename_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-/* The error code for access() is in errno. */
-void nss_MD_win32_map_access_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_mkdir_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_rmdir_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_read_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_transmitfile_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_write_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_lseek_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_fsync_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-/*
- * For both CloseHandle() and closesocket().
- */
-void nss_MD_win32_map_close_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_socket_error(PRInt32 err)
-{
- PR_ASSERT(err != WSANOTINITIALISED);
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_recv_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_recvfrom_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_send_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEMSGSIZE: prError = PR_INVALID_ARGUMENT_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_sendto_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEMSGSIZE: prError = PR_INVALID_ARGUMENT_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_accept_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
- case WSAEINVAL: prError = PR_INVALID_STATE_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_acceptex_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_connect_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
- case WSAEINVAL: prError = PR_ALREADY_INITIATED_ERROR; break;
- case WSAETIMEDOUT: prError = PR_IO_TIMEOUT_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_bind_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEINVAL: prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_listen_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
- case WSAEINVAL: prError = PR_INVALID_STATE_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_shutdown_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_getsockname_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAEINVAL: prError = PR_INVALID_STATE_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_getpeername_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_getsockopt_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_setsockopt_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_open_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_gethostname_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-/* Win32 select() only works on sockets. So in this
-** context, WSAENOTSOCK is equivalent to EBADF on Unix.
-*/
-void nss_MD_win32_map_select_error(PRInt32 err)
-{
- PRErrorCode prError;
- switch (err) {
- case WSAENOTSOCK: prError = PR_BAD_DESCRIPTOR_ERROR; break;
- default: nss_MD_win32_map_default_error(err); return;
- }
- PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_lockf_error(PRInt32 err)
-{
- nss_MD_win32_map_default_error(err);
-}
-
-
-
-void nss_MD_win32_map_default_error(PRInt32 err)
-{
- PRErrorCode prError;
-
- switch (err) {
- case EACCES: prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
- case ENOENT: prError = PR_FILE_NOT_FOUND_ERROR; break;
- case ERROR_ACCESS_DENIED: prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
- case ERROR_ALREADY_EXISTS: prError = PR_FILE_EXISTS_ERROR; break;
- case ERROR_DISK_CORRUPT: prError = PR_IO_ERROR; break;
- case ERROR_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break;
- case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
- case ERROR_DRIVE_LOCKED: prError = PR_FILE_IS_LOCKED_ERROR; break;
- case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
- case ERROR_FILE_CORRUPT: prError = PR_IO_ERROR; break;
- case ERROR_FILE_EXISTS: prError = PR_FILE_EXISTS_ERROR; break;
- case ERROR_FILE_INVALID: prError = PR_BAD_DESCRIPTOR_ERROR; break;
-#if ERROR_FILE_NOT_FOUND != ENOENT
- case ERROR_FILE_NOT_FOUND: prError = PR_FILE_NOT_FOUND_ERROR; break;
-#endif
- case ERROR_HANDLE_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break;
- case ERROR_INVALID_ADDRESS: prError = PR_ACCESS_FAULT_ERROR; break;
- case ERROR_INVALID_HANDLE: prError = PR_BAD_DESCRIPTOR_ERROR; break;
- case ERROR_INVALID_NAME: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case ERROR_INVALID_PARAMETER: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case ERROR_INVALID_USER_BUFFER: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case ERROR_LOCKED: prError = PR_FILE_IS_LOCKED_ERROR; break;
- case ERROR_NETNAME_DELETED: prError = PR_CONNECT_RESET_ERROR; break;
- case ERROR_NOACCESS: prError = PR_ACCESS_FAULT_ERROR; break;
- case ERROR_NOT_ENOUGH_MEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case ERROR_NOT_ENOUGH_QUOTA: prError = PR_OUT_OF_MEMORY_ERROR; break;
- case ERROR_NOT_READY: prError = PR_IO_ERROR; break;
- case ERROR_NO_MORE_FILES: prError = PR_NO_MORE_FILES_ERROR; break;
- case ERROR_OPEN_FAILED: prError = PR_IO_ERROR; break;
- case ERROR_OPEN_FILES: prError = PR_IO_ERROR; break;
- case ERROR_OUTOFMEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case ERROR_PATH_BUSY: prError = PR_IO_ERROR; break;
- case ERROR_PATH_NOT_FOUND: prError = PR_FILE_NOT_FOUND_ERROR; break;
- case ERROR_SEEK_ON_DEVICE: prError = PR_IO_ERROR; break;
- case ERROR_SHARING_VIOLATION: prError = PR_FILE_IS_BUSY_ERROR; break;
- case ERROR_STACK_OVERFLOW: prError = PR_ACCESS_FAULT_ERROR; break;
- case ERROR_TOO_MANY_OPEN_FILES: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
- case ERROR_WRITE_PROTECT: prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
- case WSAEACCES: prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
- case WSAEADDRINUSE: prError = PR_ADDRESS_IN_USE_ERROR; break;
- case WSAEADDRNOTAVAIL: prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
- case WSAEAFNOSUPPORT: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
- case WSAEALREADY: prError = PR_ALREADY_INITIATED_ERROR; break;
- case WSAEBADF: prError = PR_BAD_DESCRIPTOR_ERROR; break;
- case WSAECONNABORTED: prError = PR_CONNECT_ABORTED_ERROR; break;
- case WSAECONNREFUSED: prError = PR_CONNECT_REFUSED_ERROR; break;
- case WSAECONNRESET: prError = PR_CONNECT_RESET_ERROR; break;
- case WSAEDESTADDRREQ: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case WSAEFAULT: prError = PR_ACCESS_FAULT_ERROR; break;
- case WSAEHOSTUNREACH: prError = PR_HOST_UNREACHABLE_ERROR; break;
- case WSAEINVAL: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case WSAEISCONN: prError = PR_IS_CONNECTED_ERROR; break;
- case WSAEMFILE: prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
- case WSAEMSGSIZE: prError = PR_BUFFER_OVERFLOW_ERROR; break;
- case WSAENETDOWN: prError = PR_NETWORK_DOWN_ERROR; break;
- case WSAENETRESET: prError = PR_CONNECT_ABORTED_ERROR; break;
- case WSAENETUNREACH: prError = PR_NETWORK_UNREACHABLE_ERROR; break;
- case WSAENOBUFS: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
- case WSAENOPROTOOPT: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case WSAENOTCONN: prError = PR_NOT_CONNECTED_ERROR; break;
- case WSAENOTSOCK: prError = PR_NOT_SOCKET_ERROR; break;
- case WSAEOPNOTSUPP: prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
- case WSAEPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
- case WSAEPROTOTYPE: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case WSAESHUTDOWN: prError = PR_SOCKET_SHUTDOWN_ERROR; break;
- case WSAESOCKTNOSUPPORT: prError = PR_INVALID_ARGUMENT_ERROR; break;
- case WSAETIMEDOUT: prError = PR_CONNECT_ABORTED_ERROR; break;
- case WSAEWOULDBLOCK: prError = PR_WOULD_BLOCK_ERROR; break;
- default: prError = PR_UNKNOWN_ERROR; break;
- }
- PR_SetError(prError, err);
-}
-
diff --git a/security/nss/lib/ssl/win32err.h b/security/nss/lib/ssl/win32err.h
deleted file mode 100644
index b87dfefd4..000000000
--- a/security/nss/lib/ssl/win32err.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes. We would use
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * This code will continue to need to be replicated.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-/* NSPR doesn't make these functions public, so we have to duplicate
-** them in NSS.
-*/
-extern void nss_MD_win32_map_accept_error(PRInt32 err);
-extern void nss_MD_win32_map_acceptex_error(PRInt32 err);
-extern void nss_MD_win32_map_access_error(PRInt32 err);
-extern void nss_MD_win32_map_bind_error(PRInt32 err);
-extern void nss_MD_win32_map_close_error(PRInt32 err);
-extern void nss_MD_win32_map_closedir_error(PRInt32 err);
-extern void nss_MD_win32_map_connect_error(PRInt32 err);
-extern void nss_MD_win32_map_default_error(PRInt32 err);
-extern void nss_MD_win32_map_delete_error(PRInt32 err);
-extern void nss_MD_win32_map_fstat_error(PRInt32 err);
-extern void nss_MD_win32_map_fsync_error(PRInt32 err);
-extern void nss_MD_win32_map_gethostname_error(PRInt32 err);
-extern void nss_MD_win32_map_getpeername_error(PRInt32 err);
-extern void nss_MD_win32_map_getsockname_error(PRInt32 err);
-extern void nss_MD_win32_map_getsockopt_error(PRInt32 err);
-extern void nss_MD_win32_map_listen_error(PRInt32 err);
-extern void nss_MD_win32_map_lockf_error(PRInt32 err);
-extern void nss_MD_win32_map_lseek_error(PRInt32 err);
-extern void nss_MD_win32_map_mkdir_error(PRInt32 err);
-extern void nss_MD_win32_map_open_error(PRInt32 err);
-extern void nss_MD_win32_map_opendir_error(PRInt32 err);
-extern void nss_MD_win32_map_read_error(PRInt32 err);
-extern void nss_MD_win32_map_readdir_error(PRInt32 err);
-extern void nss_MD_win32_map_recv_error(PRInt32 err);
-extern void nss_MD_win32_map_recvfrom_error(PRInt32 err);
-extern void nss_MD_win32_map_rename_error(PRInt32 err);
-extern void nss_MD_win32_map_rmdir_error(PRInt32 err);
-extern void nss_MD_win32_map_select_error(PRInt32 err);
-extern void nss_MD_win32_map_send_error(PRInt32 err);
-extern void nss_MD_win32_map_sendto_error(PRInt32 err);
-extern void nss_MD_win32_map_setsockopt_error(PRInt32 err);
-extern void nss_MD_win32_map_shutdown_error(PRInt32 err);
-extern void nss_MD_win32_map_socket_error(PRInt32 err);
-extern void nss_MD_win32_map_stat_error(PRInt32 err);
-extern void nss_MD_win32_map_transmitfile_error(PRInt32 err);
-extern void nss_MD_win32_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/util/Makefile b/security/nss/lib/util/Makefile
deleted file mode 100644
index 35c2bfb28..000000000
--- a/security/nss/lib/util/Makefile
+++ /dev/null
@@ -1,86 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/arch.mk
-
-ifeq ($(OS_ARCH),HP-UX)
- ASFILES += ret_cr16.s
-endif
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-tests:: $(OBJDIR)/test_utf8
-
-$(OBJDIR)/test_utf8: utf8.c
- @$(MAKE_OBJDIR)
- $(CCF) -o $(OBJDIR)/test_utf8 -DTEST_UTF8 utf8.c $(OS_LIBS)
diff --git a/security/nss/lib/util/base64.h b/security/nss/lib/util/base64.h
deleted file mode 100644
index 92dc54d7c..000000000
--- a/security/nss/lib/util/base64.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * base64.h - prototypes for base64 encoding/decoding
- * Note: These functions are deprecated; see nssb64.h for new routines.
- *
- * $Id$
- */
-#ifndef _BASE64_H_
-#define _BASE64_H_
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Return an PORT_Alloc'd ascii string which is the base64 encoded
-** version of the input string.
-*/
-extern char *BTOA_DataToAscii(const unsigned char *data, unsigned int len);
-
-/*
-** Return an PORT_Alloc'd string which is the base64 decoded version
-** of the input string; set *lenp to the length of the returned data.
-*/
-extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
-
-/*
-** Convert from ascii to binary encoding of an item.
-*/
-extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii);
-
-/*
-** Convert from binary encoding of an item to ascii.
-*/
-extern char *BTOA_ConvertItemToAscii(SECItem *binary_item);
-
-SEC_END_PROTOS
-
-#endif /* _BASE64_H_ */
diff --git a/security/nss/lib/util/ciferfam.h b/security/nss/lib/util/ciferfam.h
deleted file mode 100644
index fd2f3bd0f..000000000
--- a/security/nss/lib/util/ciferfam.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * ciferfam.h - cipher familie IDs used for configuring ciphers for export
- * control
- *
- * $Id$
- */
-
-#ifndef _CIFERFAM_H_
-#define _CIFERFAM_H_
-
-/* Cipher Suite "Families" */
-#define CIPHER_FAMILY_PKCS12 "PKCS12"
-#define CIPHER_FAMILY_SMIME "SMIME"
-#define CIPHER_FAMILY_SSL2 "SSLv2"
-#define CIPHER_FAMILY_SSL3 "SSLv3"
-#define CIPHER_FAMILY_SSL "SSL"
-#define CIPHER_FAMILY_ALL ""
-#define CIPHER_FAMILY_UNKNOWN "UNKNOWN"
-
-#define CIPHER_FAMILYID_MASK 0xFFFF0000L
-#define CIPHER_FAMILYID_SSL 0x00000000L
-#define CIPHER_FAMILYID_SMIME 0x00010000L
-#define CIPHER_FAMILYID_PKCS12 0x00020000L
-
-/* SMIME "Cipher Suites" */
-/*
- * Note that it is assumed that the cipher number itself can be used
- * as a bit position in a mask, and that mask is currently 32 bits wide.
- * So, if you want to add a cipher that is greater than 0033, secmime.c
- * needs to be made smarter at the same time.
- */
-#define SMIME_RC2_CBC_40 (CIPHER_FAMILYID_SMIME | 0001)
-#define SMIME_RC2_CBC_64 (CIPHER_FAMILYID_SMIME | 0002)
-#define SMIME_RC2_CBC_128 (CIPHER_FAMILYID_SMIME | 0003)
-#define SMIME_DES_CBC_56 (CIPHER_FAMILYID_SMIME | 0011)
-#define SMIME_DES_EDE3_168 (CIPHER_FAMILYID_SMIME | 0012)
-#define SMIME_RC5PAD_64_16_40 (CIPHER_FAMILYID_SMIME | 0021)
-#define SMIME_RC5PAD_64_16_64 (CIPHER_FAMILYID_SMIME | 0022)
-#define SMIME_RC5PAD_64_16_128 (CIPHER_FAMILYID_SMIME | 0023)
-#define SMIME_FORTEZZA (CIPHER_FAMILYID_SMIME | 0031)
-
-/* PKCS12 "Cipher Suites" */
-
-#define PKCS12_RC2_CBC_40 (CIPHER_FAMILYID_PKCS12 | 0001)
-#define PKCS12_RC2_CBC_128 (CIPHER_FAMILYID_PKCS12 | 0002)
-#define PKCS12_RC4_40 (CIPHER_FAMILYID_PKCS12 | 0011)
-#define PKCS12_RC4_128 (CIPHER_FAMILYID_PKCS12 | 0012)
-#define PKCS12_DES_56 (CIPHER_FAMILYID_PKCS12 | 0021)
-#define PKCS12_DES_EDE3_168 (CIPHER_FAMILYID_PKCS12 | 0022)
-
-/* SMIME version numbers are negative, to avoid colliding with SSL versions */
-#define SMIME_LIBRARY_VERSION_1_0 -0x0100
-
-#endif /* _CIFERFAM_H_ */
diff --git a/security/nss/lib/util/config.mk b/security/nss/lib/util/config.mk
deleted file mode 100644
index a73a1086e..000000000
--- a/security/nss/lib/util/config.mk
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
diff --git a/security/nss/lib/util/derdec.c b/security/nss/lib/util/derdec.c
deleted file mode 100644
index 914701e33..000000000
--- a/security/nss/lib/util/derdec.c
+++ /dev/null
@@ -1,552 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secder.h"
-#include "secerr.h"
-
-static uint32
-der_indefinite_length(unsigned char *buf, unsigned char *end)
-{
- uint32 len, ret, dataLen;
- unsigned char tag, lenCode;
- int dataLenLen;
-
- len = 0;
- while ( 1 ) {
- if ((buf + 2) > end) {
- return(0);
- }
-
- tag = *buf++;
- lenCode = *buf++;
- len += 2;
-
- if ( ( tag == 0 ) && ( lenCode == 0 ) ) {
- return(len);
- }
-
- if ( lenCode == 0x80 ) { /* indefinite length */
- ret = der_indefinite_length(buf, end); /* recurse to find length */
- if (ret == 0)
- return 0;
- len += ret;
- buf += ret;
- } else { /* definite length */
- if (lenCode & 0x80) {
- /* Length of data is in multibyte format */
- dataLenLen = lenCode & 0x7f;
- switch (dataLenLen) {
- case 1:
- dataLen = buf[0];
- break;
- case 2:
- dataLen = (buf[0]<<8)|buf[1];
- break;
- case 3:
- dataLen = ((unsigned long)buf[0]<<16)|(buf[1]<<8)|buf[2];
- break;
- case 4:
- dataLen = ((unsigned long)buf[0]<<24)|
- ((unsigned long)buf[1]<<16)|(buf[2]<<8)|buf[3];
- break;
- default:
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
- } else {
- /* Length of data is in single byte */
- dataLen = lenCode;
- dataLenLen = 0;
- }
-
- /* skip this item */
- buf = buf + dataLenLen + dataLen;
- len = len + dataLenLen + dataLen;
- }
- }
-}
-
-/*
-** Capture the next thing in the buffer.
-** Returns the length of the header and the length of the contents.
-*/
-static SECStatus
-der_capture(unsigned char *buf, unsigned char *end,
- int *header_len_p, uint32 *contents_len_p)
-{
- unsigned char *bp;
- unsigned char whole_tag;
- uint32 contents_len;
- int tag_number;
-
- if ((buf + 2) > end) {
- *header_len_p = 0;
- *contents_len_p = 0;
- if (buf == end)
- return SECSuccess;
- return SECFailure;
- }
-
- bp = buf;
-
- /* Get tag and verify that it is ok. */
- whole_tag = *bp++;
- tag_number = whole_tag & DER_TAGNUM_MASK;
-
- /*
- * XXX This code does not (yet) handle the high-tag-number form!
- */
- if (tag_number == DER_HIGH_TAG_NUMBER) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
-
- if ((whole_tag & DER_CLASS_MASK) == DER_UNIVERSAL) {
- /* Check that the universal tag number is one we implement. */
- switch (tag_number) {
- case DER_BOOLEAN:
- case DER_INTEGER:
- case DER_BIT_STRING:
- case DER_OCTET_STRING:
- case DER_NULL:
- case DER_OBJECT_ID:
- case DER_SEQUENCE:
- case DER_SET:
- case DER_PRINTABLE_STRING:
- case DER_T61_STRING:
- case DER_IA5_STRING:
- case DER_VISIBLE_STRING:
- case DER_UTC_TIME:
- case 0: /* end-of-contents tag */
- break;
- default:
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
- }
-
- /*
- * Get first byte of length code (might contain entire length, might not).
- */
- contents_len = *bp++;
-
- /*
- * If the high bit is set, then the length is in multibyte format,
- * or the thing has an indefinite-length.
- */
- if (contents_len & 0x80) {
- int bytes_of_encoded_len;
-
- bytes_of_encoded_len = contents_len & 0x7f;
- contents_len = 0;
-
- switch (bytes_of_encoded_len) {
- case 4:
- contents_len |= *bp++;
- contents_len <<= 8;
- /* fallthru */
- case 3:
- contents_len |= *bp++;
- contents_len <<= 8;
- /* fallthru */
- case 2:
- contents_len |= *bp++;
- contents_len <<= 8;
- /* fallthru */
- case 1:
- contents_len |= *bp++;
- break;
-
- case 0:
- contents_len = der_indefinite_length (bp, end);
- if (contents_len)
- break;
- /* fallthru */
- default:
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
- }
-
- if ((bp + contents_len) > end) {
- /* Ran past end of buffer */
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
-
- *header_len_p = bp - buf;
- *contents_len_p = contents_len;
-
- return SECSuccess;
-}
-
-static unsigned char *
-der_decode(PRArenaPool *arena, void *dest, DERTemplate *dtemplate,
- unsigned char *buf, int header_len, uint32 contents_len)
-{
- unsigned char *orig_buf, *end;
- unsigned long encode_kind, under_kind;
- PRBool explicit, optional, universal, check_tag;
- SECItem *item;
- SECStatus rv;
- PRBool indefinite_length, explicit_indefinite_length;
-
- encode_kind = dtemplate->kind;
- explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
- optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
- universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
-
- PORT_Assert (!(explicit && universal)); /* bad templates */
-
- if (header_len == 0) {
- if (optional || (encode_kind & DER_ANY))
- return buf;
- PORT_SetError(SEC_ERROR_BAD_DER);
- return NULL;
- }
-
- if (encode_kind & DER_POINTER) {
- void *place, **placep;
- int offset;
-
- if (dtemplate->sub != NULL) {
- dtemplate = dtemplate->sub;
- under_kind = dtemplate->kind;
- if (universal) {
- encode_kind = under_kind;
- }
- place = PORT_ArenaZAlloc(arena, dtemplate->arg);
- offset = dtemplate->offset;
- } else {
- if (universal) {
- under_kind = encode_kind & ~DER_POINTER;
- } else {
- under_kind = dtemplate->arg;
- }
- place = PORT_ArenaZAlloc(arena, sizeof(SECItem));
- offset = 0;
- }
- if (place == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL; /* Out of memory */
- }
- placep = (void **)dest;
- *placep = place;
- dest = (void *)((char *)place + offset);
- } else if (encode_kind & DER_INLINE) {
- PORT_Assert (dtemplate->sub != NULL);
- dtemplate = dtemplate->sub;
- under_kind = dtemplate->kind;
- if (universal) {
- encode_kind = under_kind;
- }
- dest = (void *)((char *)dest + dtemplate->offset);
- } else if (universal) {
- under_kind = encode_kind;
- } else {
- under_kind = dtemplate->arg;
- }
-
- orig_buf = buf;
- end = buf + header_len + contents_len;
-
- explicit_indefinite_length = PR_FALSE;
-
- if (explicit) {
- /*
- * This tag is expected to match exactly.
- * (The template has all of the bits specified.)
- */
- if (*buf != (encode_kind & DER_TAG_MASK)) {
- if (optional)
- return buf;
- PORT_SetError(SEC_ERROR_BAD_DER);
- return NULL;
- }
- if ((header_len == 2) && (*(buf + 1) == 0x80))
- explicit_indefinite_length = PR_TRUE;
- buf += header_len;
- rv = der_capture (buf, end, &header_len, &contents_len);
- if (rv != SECSuccess)
- return NULL;
- if (header_len == 0) { /* XXX is this right? */
- PORT_SetError(SEC_ERROR_BAD_DER);
- return NULL;
- }
- optional = PR_FALSE; /* can no longer be optional */
- encode_kind = under_kind;
- }
-
- check_tag = PR_TRUE;
- if (encode_kind & (DER_DERPTR | DER_ANY | DER_FORCE | DER_SKIP)) {
- PORT_Assert ((encode_kind & DER_ANY) || !optional);
- encode_kind = encode_kind & (~DER_FORCE);
- under_kind = under_kind & (~DER_FORCE);
- check_tag = PR_FALSE;
- }
-
- if (check_tag) {
- PRBool wrong;
- unsigned char expect_tag, expect_num;
-
- /*
- * This tag is expected to match, but the simple types
- * may or may not have the constructed bit set, so we
- * have to have all this extra logic.
- */
- wrong = PR_TRUE;
- expect_tag = encode_kind & DER_TAG_MASK;
- expect_num = expect_tag & DER_TAGNUM_MASK;
- if (expect_num == DER_SET || expect_num == DER_SEQUENCE) {
- if (*buf == (expect_tag | DER_CONSTRUCTED))
- wrong = PR_FALSE;
- } else {
- if (*buf == expect_tag)
- wrong = PR_FALSE;
- else if (*buf == (expect_tag | DER_CONSTRUCTED))
- wrong = PR_FALSE;
- }
- if (wrong) {
- if (optional)
- return buf;
- PORT_SetError(SEC_ERROR_BAD_DER);
- return NULL;
- }
- }
-
- if (under_kind & DER_DERPTR) {
- item = (SECItem *)dest;
- if (under_kind & DER_OUTER) {
- item->data = buf;
- item->len = header_len + contents_len;
- } else {
- item->data = buf + header_len;
- item->len = contents_len;
- }
- return orig_buf;
- }
-
- if (encode_kind & DER_ANY) {
- contents_len += header_len;
- header_len = 0;
- }
-
- if ((header_len == 2) && (*(buf + 1) == 0x80))
- indefinite_length = PR_TRUE;
- else
- indefinite_length = PR_FALSE;
-
- buf += header_len;
-
- if (contents_len == 0)
- return buf;
-
- under_kind &= ~DER_OPTIONAL;
-
- if (under_kind & DER_INDEFINITE) {
- int count, thing_size;
- unsigned char *sub_buf;
- DERTemplate *tmpt;
- void *things, **indp, ***placep;
-
- under_kind &= ~DER_INDEFINITE;
-
- /*
- * Count items.
- */
- count = 0;
- sub_buf = buf;
- while (sub_buf < end) {
- if (indefinite_length && sub_buf[0] == 0 && sub_buf[1] == 0) {
- break;
- }
- rv = der_capture (sub_buf, end, &header_len, &contents_len);
- if (rv != SECSuccess)
- return NULL;
- count++;
- sub_buf += header_len + contents_len;
- }
-
- /*
- * Allocate an array of pointers to items; extra one is for a NULL.
- */
- indp = (void**)PORT_ArenaZAlloc(arena, (count + 1) * sizeof(void *));
- if (indp == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- /*
- * Prepare.
- */
- if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
- tmpt = dtemplate->sub;
- PORT_Assert (tmpt != NULL);
- thing_size = tmpt->arg;
- PORT_Assert (thing_size != 0);
- } else {
- tmpt = NULL;
- thing_size = sizeof(SECItem);
- }
-
- /*
- * Allocate the items themselves.
- */
- things = PORT_ArenaZAlloc(arena, count * thing_size);
- if (things == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-
- placep = (void ***)dest;
- *placep = indp;
-
- while (count) {
- /* ignore return value because we already did whole thing above */
- (void) der_capture (buf, end, &header_len, &contents_len);
- if (tmpt != NULL) {
- void *sub_thing;
-
- sub_thing = (void *)((char *)things + tmpt->offset);
- buf = der_decode (arena, sub_thing, tmpt,
- buf, header_len, contents_len);
- if (buf == NULL)
- return NULL;
- } else {
- item = (SECItem *)things;
- if (under_kind == DER_ANY) {
- contents_len += header_len;
- header_len = 0;
- }
- buf += header_len;
- if (under_kind == DER_BIT_STRING) {
- item->data = buf + 1;
- item->len = ((contents_len - 1) << 3) - *buf;
- } else {
- item->data = buf;
- item->len = contents_len;
- }
- buf += contents_len;
- }
- *indp++ = things;
- things = (void *)((char *)things + thing_size);
- count--;
- }
-
- *indp = NULL;
-
- goto der_decode_done;
- }
-
- switch (under_kind) {
- case DER_SEQUENCE:
- case DER_SET:
- {
- DERTemplate *tmpt;
- void *sub_dest;
-
- for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
- sub_dest = (void *)((char *)dest + tmpt->offset);
- rv = der_capture (buf, end, &header_len, &contents_len);
- if (rv != SECSuccess)
- return NULL;
- buf = der_decode (arena, sub_dest, tmpt,
- buf, header_len, contents_len);
- if (buf == NULL)
- return NULL;
- }
- }
- break;
-
- case DER_BIT_STRING:
- item = (SECItem *)dest;
- item->data = buf + 1;
- item->len = ((contents_len - 1) << 3) - *buf;
- buf += contents_len;
- break;
-
- case DER_SKIP:
- buf += contents_len;
- break;
-
- default:
- item = (SECItem *)dest;
- item->data = buf;
- item->len = contents_len;
- buf += contents_len;
- break;
- }
-
-der_decode_done:
-
- if (indefinite_length && buf[0] == 0 && buf[1] == 0) {
- buf += 2;
- }
-
- if (explicit_indefinite_length && buf[0] == 0 && buf[1] == 0) {
- buf += 2;
- }
-
- return buf;
-}
-
-SECStatus
-DER_Decode(PRArenaPool *arena, void *dest, DERTemplate *dtemplate, SECItem *src)
-{
- unsigned char *buf;
- uint32 buf_len, contents_len;
- int header_len;
- SECStatus rv;
-
- buf = src->data;
- buf_len = src->len;
-
- rv = der_capture (buf, buf + buf_len, &header_len, &contents_len);
- if (rv != SECSuccess)
- return rv;
-
- dest = (void *)((char *)dest + dtemplate->offset);
- buf = der_decode (arena, dest, dtemplate, buf, header_len, contents_len);
- if (buf == NULL)
- return SECFailure;
-
- return SECSuccess;
-}
-
-SECStatus
-DER_Lengths(SECItem *item, int *header_len_p, uint32 *contents_len_p)
-{
- return(der_capture(item->data, &item->data[item->len], header_len_p,
- contents_len_p));
-}
diff --git a/security/nss/lib/util/derenc.c b/security/nss/lib/util/derenc.c
deleted file mode 100644
index 191b00528..000000000
--- a/security/nss/lib/util/derenc.c
+++ /dev/null
@@ -1,504 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secder.h"
-#include "secerr.h"
-/*
- * Generic templates for individual/simple items.
- */
-
-DERTemplate SECAnyTemplate[] = {
- { DER_ANY,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECBitStringTemplate[] = {
- { DER_BIT_STRING,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECBooleanTemplate[] = {
- { DER_BOOLEAN,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECIA5StringTemplate[] = {
- { DER_IA5_STRING,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECIntegerTemplate[] = {
- { DER_INTEGER,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECNullTemplate[] = {
- { DER_NULL,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECObjectIDTemplate[] = {
- { DER_OBJECT_ID,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECOctetStringTemplate[] = {
- { DER_OCTET_STRING,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECPrintableStringTemplate[] = {
- { DER_PRINTABLE_STRING,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECT61StringTemplate[] = {
- { DER_T61_STRING,
- 0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECUTCTimeTemplate[] = {
- { DER_UTC_TIME,
- 0, NULL, sizeof(SECItem) }
-};
-
-
-static int
-header_length(DERTemplate *dtemplate, uint32 contents_len)
-{
- uint32 len;
- unsigned long encode_kind, under_kind;
- PRBool explicit, optional, universal;
-
- encode_kind = dtemplate->kind;
-
- explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
- optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
- universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
-
- PORT_Assert (!(explicit && universal)); /* bad templates */
-
- if (encode_kind & DER_POINTER) {
- if (dtemplate->sub != NULL) {
- under_kind = dtemplate->sub->kind;
- if (universal) {
- encode_kind = under_kind;
- }
- } else if (universal) {
- under_kind = encode_kind & ~DER_POINTER;
- } else {
- under_kind = dtemplate->arg;
- }
- } else if (encode_kind & DER_INLINE) {
- under_kind = dtemplate->sub->kind;
- if (universal) {
- encode_kind = under_kind;
- }
- } else if (universal) {
- under_kind = encode_kind;
- } else {
- under_kind = dtemplate->arg;
- }
-
- /* This is only used in decoding; it plays no part in encoding. */
- if (under_kind & DER_DERPTR)
- return 0;
-
- /* No header at all for an "empty" optional. */
- if ((contents_len == 0) && optional)
- return 0;
-
- /* And no header for a full DER_ANY. */
- if (encode_kind & DER_ANY)
- return 0;
-
- /*
- * The common case: one octet for identifier and as many octets
- * as necessary to hold the content length.
- */
- len = 1 + DER_LengthLength(contents_len);
-
- /* Account for the explicit wrapper, if necessary. */
- if (explicit) {
-#if 0 /*
- * Well, I was trying to do something useful, but these
- * assertions are too restrictive on valid templates.
- * I wanted to make sure that the top-level "kind" of
- * a template does not also specify DER_EXPLICIT, which
- * should only modify a component field. Maybe later
- * I can figure out a better way to detect such a problem,
- * but for now I must remove these checks altogether.
- */
- /*
- * This modifier applies only to components of a set or sequence;
- * it should never be used on a set/sequence itself -- confirm.
- */
- PORT_Assert (under_kind != DER_SEQUENCE);
- PORT_Assert (under_kind != DER_SET);
-#endif
-
- len += 1 + DER_LengthLength(len + contents_len);
- }
-
- return len;
-}
-
-
-static uint32
-contents_length(DERTemplate *dtemplate, void *src)
-{
- uint32 len;
- unsigned long encode_kind, under_kind;
- PRBool universal;
-
-
- PORT_Assert (src != NULL);
-
- encode_kind = dtemplate->kind;
-
- universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
- encode_kind &= ~DER_OPTIONAL;
-
- if (encode_kind & DER_POINTER) {
- src = *(void **)src;
- if (src == NULL) {
- return 0;
- }
- if (dtemplate->sub != NULL) {
- dtemplate = dtemplate->sub;
- under_kind = dtemplate->kind;
- src = (void *)((char *)src + dtemplate->offset);
- } else if (universal) {
- under_kind = encode_kind & ~DER_POINTER;
- } else {
- under_kind = dtemplate->arg;
- }
- } else if (encode_kind & DER_INLINE) {
- PORT_Assert (dtemplate->sub != NULL);
- dtemplate = dtemplate->sub;
- under_kind = dtemplate->kind;
- src = (void *)((char *)src + dtemplate->offset);
- } else if (universal) {
- under_kind = encode_kind;
- } else {
- under_kind = dtemplate->arg;
- }
-
- /* Having any of these bits is not expected here... */
- PORT_Assert ((under_kind & (DER_EXPLICIT | DER_INLINE | DER_OPTIONAL
- | DER_POINTER | DER_SKIP)) == 0);
-
- /* This is only used in decoding; it plays no part in encoding. */
- if (under_kind & DER_DERPTR)
- return 0;
-
- if (under_kind & DER_INDEFINITE) {
- uint32 sub_len;
- void **indp;
-
- indp = *(void ***)src;
- if (indp == NULL)
- return 0;
-
- len = 0;
- under_kind &= ~DER_INDEFINITE;
-
- if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
- DERTemplate *tmpt;
- void *sub_src;
-
- tmpt = dtemplate->sub;
-
- for (; *indp != NULL; indp++) {
- sub_src = (void *)((char *)(*indp) + tmpt->offset);
- sub_len = contents_length (tmpt, sub_src);
- len += sub_len + header_length (tmpt, sub_len);
- }
- } else {
- /*
- * XXX Lisa is not sure this code (for handling, for example,
- * DER_INDEFINITE | DER_OCTET_STRING) is right.
- */
- for (; *indp != NULL; indp++) {
- SECItem *item;
- item = (SECItem *)(*indp);
- sub_len = item->len;
- if (under_kind == DER_BIT_STRING) {
- sub_len = (sub_len + 7) >> 3;
- /* bit string contents involve an extra octet */
- if (sub_len)
- sub_len++;
- }
- if (under_kind != DER_ANY)
- len += 1 + DER_LengthLength (sub_len);
- }
- }
-
- return len;
- }
-
- switch (under_kind) {
- case DER_SEQUENCE:
- case DER_SET:
- {
- DERTemplate *tmpt;
- void *sub_src;
- uint32 sub_len;
-
- len = 0;
- for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
- sub_src = (void *)((char *)src + tmpt->offset);
- sub_len = contents_length (tmpt, sub_src);
- len += sub_len + header_length (tmpt, sub_len);
- }
- }
- break;
-
- case DER_BIT_STRING:
- len = (((SECItem *)src)->len + 7) >> 3;
- /* bit string contents involve an extra octet */
- if (len)
- len++;
- break;
-
- default:
- len = ((SECItem *)src)->len;
- break;
- }
-
- return len;
-}
-
-
-static unsigned char *
-der_encode(unsigned char *buf, DERTemplate *dtemplate, void *src)
-{
- int header_len;
- uint32 contents_len;
- unsigned long encode_kind, under_kind;
- PRBool explicit, optional, universal;
-
-
- /*
- * First figure out how long the encoding will be. Do this by
- * traversing the template from top to bottom and accumulating
- * the length of each leaf item.
- */
- contents_len = contents_length (dtemplate, src);
- header_len = header_length (dtemplate, contents_len);
-
- /*
- * Enough smarts was involved already, so that if both the
- * header and the contents have a length of zero, then we
- * are not doing any encoding for this element.
- */
- if (header_len == 0 && contents_len == 0)
- return buf;
-
- encode_kind = dtemplate->kind;
-
- explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
- optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~DER_OPTIONAL;
- universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
-
- if (encode_kind & DER_POINTER) {
- if (contents_len) {
- src = *(void **)src;
- PORT_Assert (src != NULL);
- }
- if (dtemplate->sub != NULL) {
- dtemplate = dtemplate->sub;
- under_kind = dtemplate->kind;
- if (universal) {
- encode_kind = under_kind;
- }
- src = (void *)((char *)src + dtemplate->offset);
- } else if (universal) {
- under_kind = encode_kind & ~DER_POINTER;
- } else {
- under_kind = dtemplate->arg;
- }
- } else if (encode_kind & DER_INLINE) {
- dtemplate = dtemplate->sub;
- under_kind = dtemplate->kind;
- if (universal) {
- encode_kind = under_kind;
- }
- src = (void *)((char *)src + dtemplate->offset);
- } else if (universal) {
- under_kind = encode_kind;
- } else {
- under_kind = dtemplate->arg;
- }
-
- if (explicit) {
- buf = DER_StoreHeader (buf, encode_kind,
- (1 + DER_LengthLength(contents_len)
- + contents_len));
- encode_kind = under_kind;
- }
-
- if ((encode_kind & DER_ANY) == 0) { /* DER_ANY already contains header */
- buf = DER_StoreHeader (buf, encode_kind, contents_len);
- }
-
- /* If no real contents to encode, then we are done. */
- if (contents_len == 0)
- return buf;
-
- if (under_kind & DER_INDEFINITE) {
- void **indp;
-
- indp = *(void ***)src;
- PORT_Assert (indp != NULL);
-
- under_kind &= ~DER_INDEFINITE;
- if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
- DERTemplate *tmpt;
- void *sub_src;
-
- tmpt = dtemplate->sub;
- for (; *indp != NULL; indp++) {
- sub_src = (void *)((char *)(*indp) + tmpt->offset);
- buf = der_encode (buf, tmpt, sub_src);
- }
- } else {
- for (; *indp != NULL; indp++) {
- SECItem *item;
- int sub_len;
-
- item = (SECItem *)(*indp);
- sub_len = item->len;
- if (under_kind == DER_BIT_STRING) {
- if (sub_len) {
- int rem;
-
- sub_len = (sub_len + 7) >> 3;
- buf = DER_StoreHeader (buf, under_kind, sub_len + 1);
- rem = (sub_len << 3) - item->len;
- *buf++ = rem; /* remaining bits */
- } else {
- buf = DER_StoreHeader (buf, under_kind, 0);
- }
- } else if (under_kind != DER_ANY) {
- buf = DER_StoreHeader (buf, under_kind, sub_len);
- }
- PORT_Memcpy (buf, item->data, sub_len);
- buf += sub_len;
- }
- }
- return buf;
- }
-
- switch (under_kind) {
- case DER_SEQUENCE:
- case DER_SET:
- {
- DERTemplate *tmpt;
- void *sub_src;
-
- for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
- sub_src = (void *)((char *)src + tmpt->offset);
- buf = der_encode (buf, tmpt, sub_src);
- }
- }
- break;
-
- case DER_BIT_STRING:
- {
- SECItem *item;
- int rem;
-
- /*
- * The contents length includes our extra octet; subtract
- * it off so we just have the real string length there.
- */
- contents_len--;
- item = (SECItem *)src;
- PORT_Assert (contents_len == ((item->len + 7) >> 3));
- rem = (contents_len << 3) - item->len;
- *buf++ = rem; /* remaining bits */
- PORT_Memcpy (buf, item->data, contents_len);
- buf += contents_len;
- }
- break;
-
- default:
- {
- SECItem *item;
-
- item = (SECItem *)src;
- PORT_Assert (contents_len == item->len);
- PORT_Memcpy (buf, item->data, contents_len);
- buf += contents_len;
- }
- break;
- }
-
- return buf;
-}
-
-
-SECStatus
-DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *dtemplate, void *src)
-{
- unsigned int contents_len, header_len;
-
- src = (void **)((char *)src + dtemplate->offset);
-
- /*
- * First figure out how long the encoding will be. Do this by
- * traversing the template from top to bottom and accumulating
- * the length of each leaf item.
- */
- contents_len = contents_length (dtemplate, src);
- header_len = header_length (dtemplate, contents_len);
-
- dest->len = contents_len + header_len;
-
- /* Allocate storage to hold the encoding */
- dest->data = (unsigned char*) PORT_ArenaAlloc(arena, dest->len);
- if (dest->data == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- /* Now encode into the buffer */
- (void) der_encode (dest->data, dtemplate, src);
-
- return SECSuccess;
-}
diff --git a/security/nss/lib/util/dersubr.c b/security/nss/lib/util/dersubr.c
deleted file mode 100644
index 555d5aff7..000000000
--- a/security/nss/lib/util/dersubr.c
+++ /dev/null
@@ -1,258 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secder.h"
-#include <limits.h>
-#include "secerr.h"
-
-int
-DER_LengthLength(uint32 len)
-{
- if (len > 127) {
- if (len > 255) {
- if (len > 65535L) {
- if (len > 16777215L) {
- return 5;
- } else {
- return 4;
- }
- } else {
- return 3;
- }
- } else {
- return 2;
- }
- } else {
- return 1;
- }
-}
-
-unsigned char *
-DER_StoreHeader(unsigned char *buf, unsigned int code, uint32 len)
-{
- unsigned char b[4];
-
- b[0] = (len >> 24) & 0xff;
- b[1] = (len >> 16) & 0xff;
- b[2] = (len >> 8) & 0xff;
- b[3] = len & 0xff;
- if ((code & DER_TAGNUM_MASK) == DER_SET
- || (code & DER_TAGNUM_MASK) == DER_SEQUENCE)
- code |= DER_CONSTRUCTED;
- *buf++ = code;
- if (len > 127) {
- if (len > 255) {
- if (len > 65535) {
- if (len > 16777215) {
- *buf++ = 0x84;
- *buf++ = b[0];
- *buf++ = b[1];
- *buf++ = b[2];
- *buf++ = b[3];
- } else {
- *buf++ = 0x83;
- *buf++ = b[1];
- *buf++ = b[2];
- *buf++ = b[3];
- }
- } else {
- *buf++ = 0x82;
- *buf++ = b[2];
- *buf++ = b[3];
- }
- } else {
- *buf++ = 0x81;
- *buf++ = b[3];
- }
- } else {
- *buf++ = b[3];
- }
- return buf;
-}
-
-/*
- * XXX This should be rewritten, generalized, to take a long instead
- * of an int32.
- */
-SECStatus
-DER_SetInteger(PRArenaPool *arena, SECItem *it, int32 i)
-{
- unsigned char bb[4];
- unsigned len;
-
- bb[0] = (unsigned char) (i >> 24);
- bb[1] = (unsigned char) (i >> 16);
- bb[2] = (unsigned char) (i >> 8);
- bb[3] = (unsigned char) (i);
-
- /*
- ** Small integers are encoded in a single byte. Larger integers
- ** require progressively more space.
- */
- if (i < -128) {
- if (i < -32768L) {
- if (i < -8388608L) {
- len = 4;
- } else {
- len = 3;
- }
- } else {
- len = 2;
- }
- } else if (i > 127) {
- if (i > 32767L) {
- if (i > 8388607L) {
- len = 4;
- } else {
- len = 3;
- }
- } else {
- len = 2;
- }
- } else {
- len = 1;
- }
- it->data = (unsigned char*) PORT_ArenaAlloc(arena, len);
- if (!it->data) {
- return SECFailure;
- }
- it->len = len;
- PORT_Memcpy(it->data, bb + (4 - len), len);
- return SECSuccess;
-}
-
-/*
- * XXX This should be rewritten, generalized, to take an unsigned long instead
- * of a uint32.
- */
-SECStatus
-DER_SetUInteger(PRArenaPool *arena, SECItem *it, uint32 ui)
-{
- unsigned char bb[5];
- int len;
-
- bb[0] = 0;
- bb[1] = (unsigned char) (ui >> 24);
- bb[2] = (unsigned char) (ui >> 16);
- bb[3] = (unsigned char) (ui >> 8);
- bb[4] = (unsigned char) (ui);
-
- /*
- ** Small integers are encoded in a single byte. Larger integers
- ** require progressively more space.
- */
- if (ui > 0x7f) {
- if (ui > 0x7fff) {
- if (ui > 0x7fffffL) {
- if (ui >= 0x80000000L) {
- len = 5;
- } else {
- len = 4;
- }
- } else {
- len = 3;
- }
- } else {
- len = 2;
- }
- } else {
- len = 1;
- }
-
- it->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
- if (it->data == NULL) {
- return SECFailure;
- }
-
- it->len = len;
- PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
-
- return SECSuccess;
-}
-
-/*
-** Convert a der encoded *signed* integer into a machine integral value.
-** If an underflow/overflow occurs, sets error code and returns min/max.
-*/
-long
-DER_GetInteger(SECItem *it)
-{
- long ival = 0;
- unsigned len = it->len;
- unsigned char *cp = it->data;
- unsigned long overflow = 0xffL << ((sizeof(ival) - 1)*8);
-
- while (len) {
- if (ival & overflow) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- if (ival < 0) {
- return LONG_MIN;
- }
- return LONG_MAX;
- }
- ival = ival << 8;
- ival |= *cp++;
- --len;
- }
- return ival;
-}
-
-/*
-** Convert a der encoded *unsigned* integer into a machine integral value.
-** If an underflow/overflow occurs, sets error code and returns min/max.
-*/
-unsigned long
-DER_GetUInteger(SECItem *it)
-{
- unsigned long ival = 0;
- unsigned len = it->len;
- unsigned char *cp = it->data;
- unsigned long overflow = 0xffL << ((sizeof(ival) - 1)*8);
-
- /* Cannot put a negative value into an unsigned container. */
- if (*cp & 0x80) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return 0;
- }
-
- while (len) {
- if (ival & overflow) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return ULONG_MAX;
- }
- ival = ival << 8;
- ival |= *cp++;
- --len;
- }
- return ival;
-}
diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c
deleted file mode 100644
index 5fbdca656..000000000
--- a/security/nss/lib/util/dertime.c
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "prtypes.h"
-#include "prtime.h"
-#include "secder.h"
-#include "prlong.h"
-#include "secerr.h"
-
-#define HIDIGIT(v) (((v) / 10) + '0')
-#define LODIGIT(v) (((v) % 10) + '0')
-
-#define C_SINGLE_QUOTE '\047'
-
-#define DIGITHI(dig) (((dig) - '0') * 10)
-#define DIGITLO(dig) ((dig) - '0')
-#define ISDIGIT(dig) (((dig) >= '0') && ((dig) <= '9'))
-#define CAPTURE(var,p,label) \
-{ \
- if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \
- (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0'); \
-}
-
-#define SECMIN ((time_t) 60L)
-#define SECHOUR (60L*SECMIN)
-#define SECDAY (24L*SECHOUR)
-#define SECYEAR (365L*SECDAY)
-
-static long monthToDayInYear[12] = {
- 0,
- 31,
- 31+28,
- 31+28+31,
- 31+28+31+30,
- 31+28+31+30+31,
- 31+28+31+30+31+30,
- 31+28+31+30+31+30+31,
- 31+28+31+30+31+30+31+31,
- 31+28+31+30+31+30+31+31+30,
- 31+28+31+30+31+30+31+31+30+31,
- 31+28+31+30+31+30+31+31+30+31+30,
-};
-
-/* gmttime must contains UTC time in micro-seconds unit */
-SECStatus
-DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
-{
- PRExplodedTime printableTime;
- unsigned char *d;
-
- dst->len = 13;
- dst->data = d = (unsigned char*) PORT_Alloc(13);
- if (!d) {
- return SECFailure;
- }
-
- /* Convert an int64 time to a printable format. */
- PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
-
- /* The month in UTC time is base one */
- printableTime.tm_month++;
-
- /* UTC time does not handle the years before 1950 */
- if (printableTime.tm_year < 1950)
- return SECFailure;
-
- /* remove the century since it's added to the tm_year by the
- PR_ExplodeTime routine, but is not needed for UTC time */
- printableTime.tm_year %= 100;
-
- d[0] = HIDIGIT(printableTime.tm_year);
- d[1] = LODIGIT(printableTime.tm_year);
- d[2] = HIDIGIT(printableTime.tm_month);
- d[3] = LODIGIT(printableTime.tm_month);
- d[4] = HIDIGIT(printableTime.tm_mday);
- d[5] = LODIGIT(printableTime.tm_mday);
- d[6] = HIDIGIT(printableTime.tm_hour);
- d[7] = LODIGIT(printableTime.tm_hour);
- d[8] = HIDIGIT(printableTime.tm_min);
- d[9] = LODIGIT(printableTime.tm_min);
- d[10] = HIDIGIT(printableTime.tm_sec);
- d[11] = LODIGIT(printableTime.tm_sec);
- d[12] = 'Z';
- return SECSuccess;
-}
-
-SECStatus
-DER_AsciiToTime(int64 *dst, char *string)
-{
- long year, month, mday, hour, minute, second, hourOff, minOff, days;
- int64 result, tmp1, tmp2;
-
- /* Verify time is formatted properly and capture information */
- second = 0;
- hourOff = 0;
- minOff = 0;
- CAPTURE(year,string+0,loser);
- if (year < 50) {
- /* ASSUME that year # is in the 2000's, not the 1900's */
- year += 100;
- }
- CAPTURE(month,string+2,loser);
- if ((month == 0) || (month > 12)) goto loser;
- CAPTURE(mday,string+4,loser);
- if ((mday == 0) || (mday > 31)) goto loser;
- CAPTURE(hour,string+6,loser);
- if (hour > 23) goto loser;
- CAPTURE(minute,string+8,loser);
- if (minute > 59) goto loser;
- if (ISDIGIT(string[10])) {
- CAPTURE(second,string+10,loser);
- if (second > 59) goto loser;
- string += 2;
- }
- if (string[10] == '+') {
- CAPTURE(hourOff,string+11,loser);
- if (hourOff > 23) goto loser;
- CAPTURE(minOff,string+13,loser);
- if (minOff > 59) goto loser;
- } else if (string[10] == '-') {
- CAPTURE(hourOff,string+11,loser);
- if (hourOff > 23) goto loser;
- hourOff = -hourOff;
- CAPTURE(minOff,string+13,loser);
- if (minOff > 59) goto loser;
- minOff = -minOff;
- } else if (string[10] != 'Z') {
- goto loser;
- }
-
-
- /* Convert pieces back into a single value year */
- LL_I2L(tmp1, (year-70L));
- LL_I2L(tmp2, SECYEAR);
- LL_MUL(result, tmp1, tmp2);
-
- LL_I2L(tmp1, ( (mday-1L)*SECDAY + hour*SECHOUR + minute*SECMIN -
- hourOff*SECHOUR - minOff*SECMIN + second ) );
- LL_ADD(result, result, tmp1);
-
- /*
- ** Have to specially handle the day in the month and the year, to
- ** take into account leap days. The return time value is in
- ** seconds since January 1st, 12:00am 1970, so start examining
- ** the time after that. We can't represent a time before that.
- */
-
- /* Using two digit years, we can only represent dates from 1970
- to 2069. As a result, we cannot run into the leap year rule
- that states that 1700, 2100, etc. are not leap years (but 2000
- is). In other words, there are no years in the span of time
- that we can represent that are == 0 mod 4 but are not leap
- years. Whew.
- */
-
- days = monthToDayInYear[month-1];
- days += (year - 68)/4;
-
- if (((year % 4) == 0) && (month < 3)) {
- days--;
- }
-
- LL_I2L(tmp1, (days * SECDAY) );
- LL_ADD(result, result, tmp1 );
-
- /* convert to micro seconds */
- LL_I2L(tmp1, PR_USEC_PER_SEC);
- LL_MUL(result, result, tmp1);
-
- *dst = result;
- return SECSuccess;
-
- loser:
- PORT_SetError(SEC_ERROR_INVALID_TIME);
- return SECFailure;
-
-}
-
-SECStatus
-DER_UTCTimeToTime(int64 *dst, SECItem *time)
-{
- return DER_AsciiToTime(dst, (char*) time->data);
-}
-
-/*
- gmttime must contains UTC time in micro-seconds unit.
- Note: the caller should make sure that Generalized time
- should only be used for certifiate validities after the
- year 2049. Otherwise, UTC time should be used. This routine
- does not check this case, since it can be used to encode
- certificate extension, which does not have this restriction.
- */
-SECStatus
-DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
-{
- PRExplodedTime printableTime;
- unsigned char *d;
-
- dst->len = 15;
- dst->data = d = (unsigned char*) PORT_Alloc(15);
- if (!d) {
- return SECFailure;
- }
-
- /*Convert a int64 time to a printable format. This is a temporary call
- until we change to NSPR 2.0
- */
- PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
-
- /* The month in Generalized time is base one */
- printableTime.tm_month++;
-
- d[0] = (printableTime.tm_year /1000) + '0';
- d[1] = ((printableTime.tm_year % 1000) / 100) + '0';
- d[2] = ((printableTime.tm_year % 100) / 10) + '0';
- d[3] = (printableTime.tm_year % 10) + '0';
- d[4] = HIDIGIT(printableTime.tm_month);
- d[5] = LODIGIT(printableTime.tm_month);
- d[6] = HIDIGIT(printableTime.tm_mday);
- d[7] = LODIGIT(printableTime.tm_mday);
- d[8] = HIDIGIT(printableTime.tm_hour);
- d[9] = LODIGIT(printableTime.tm_hour);
- d[10] = HIDIGIT(printableTime.tm_min);
- d[11] = LODIGIT(printableTime.tm_min);
- d[12] = HIDIGIT(printableTime.tm_sec);
- d[13] = LODIGIT(printableTime.tm_sec);
- d[14] = 'Z';
- return SECSuccess;
-}
-
-/*
- The caller should make sure that the generalized time should only
- be used for the certificate validity after the year 2051; otherwise,
- the certificate should be consider invalid!?
- */
-SECStatus
-DER_GeneralizedTimeToTime(int64 *dst, SECItem *time)
-{
- PRExplodedTime genTime;
- char *string;
- long hourOff, minOff;
- uint16 century;
-
- string = (char *)time->data;
- PORT_Memset (&genTime, 0, sizeof (genTime));
-
- /* Verify time is formatted properly and capture information */
- hourOff = 0;
- minOff = 0;
-
- CAPTURE(century, string+0, loser);
- century *= 100;
- CAPTURE(genTime.tm_year,string+2,loser);
- genTime.tm_year += century;
-
- CAPTURE(genTime.tm_month,string+4,loser);
- if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) goto loser;
-
- /* NSPR month base is 0 */
- --genTime.tm_month;
-
- CAPTURE(genTime.tm_mday,string+6,loser);
- if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) goto loser;
-
- CAPTURE(genTime.tm_hour,string+8,loser);
- if (genTime.tm_hour > 23) goto loser;
-
- CAPTURE(genTime.tm_min,string+10,loser);
- if (genTime.tm_min > 59) goto loser;
-
- if (ISDIGIT(string[12])) {
- CAPTURE(genTime.tm_sec,string+12,loser);
- if (genTime.tm_sec > 59) goto loser;
- string += 2;
- }
- if (string[12] == '+') {
- CAPTURE(hourOff,string+13,loser);
- if (hourOff > 23) goto loser;
- CAPTURE(minOff,string+15,loser);
- if (minOff > 59) goto loser;
- } else if (string[12] == '-') {
- CAPTURE(hourOff,string+13,loser);
- if (hourOff > 23) goto loser;
- hourOff = -hourOff;
- CAPTURE(minOff,string+15,loser);
- if (minOff > 59) goto loser;
- minOff = -minOff;
- } else if (string[12] != 'Z') {
- goto loser;
- }
-
- /* Since the values of hourOff and minOff are small, there will
- be no loss of data by the conversion to int8 */
- /* Convert the GMT offset to seconds and save it it genTime
- for the implode time process */
- genTime.tm_params.tp_gmt_offset = (PRInt32)((hourOff * 60L + minOff) * 60L);
- *dst = PR_ImplodeTime (&genTime);
- return SECSuccess;
-
- loser:
- PORT_SetError(SEC_ERROR_INVALID_TIME);
- return SECFailure;
-
-}
diff --git a/security/nss/lib/util/mac_rand.c b/security/nss/lib/util/mac_rand.c
deleted file mode 100644
index c8596a9f0..000000000
--- a/security/nss/lib/util/mac_rand.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef notdef
-#include "xp_core.h"
-#include "xp_file.h"
-#endif
-#include "secrng.h"
-#include "mcom_db.h"
-#ifdef XP_MAC
-#include <Events.h>
-#include <OSUtils.h>
-#include <QDOffscreen.h>
-#include <PPCToolbox.h>
-#include <Processes.h>
-#include <LowMem.h>
-
-/* Static prototypes */
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen);
-void FE_ReadScreen();
-
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
-{
- union endianness {
- int32 i;
- char c[4];
- } u;
-
- if (srclen <= dstlen) {
- memcpy(dst, src, srclen);
- return srclen;
- }
- u.i = 0x01020304;
- if (u.c[0] == 0x01) {
- /* big-endian case */
- memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
- } else {
- /* little-endian case */
- memcpy(dst, src, dstlen);
- }
- return dstlen;
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbytes)
-{
- uint32 c = TickCount();
- return CopyLowBits(buf, maxbytes, &c, sizeof(c));
-}
-
-void RNG_FileForRNG(char *filename)
-{
- unsigned char buffer[BUFSIZ];
- size_t bytes;
-#ifdef notdef /*sigh*/
- XP_File file;
- unsigned long totalFileBytes = 0;
-
- if (filename == NULL) /* For now, read in global history if filename is null */
- file = XP_FileOpen(NULL, xpGlobalHistory,XP_FILE_READ_BIN);
- else
- file = XP_FileOpen(NULL, xpURL,XP_FILE_READ_BIN);
- if (file != NULL) {
- for (;;) {
- bytes = XP_FileRead(buffer, sizeof(buffer), file);
- if (bytes == 0) break;
- RNG_RandomUpdate( buffer, bytes);
- totalFileBytes += bytes;
- if (totalFileBytes > 100*1024) break; /* No more than 100 K */
- }
- XP_FileClose(file);
- }
-#endif
- /*
- * Pass yet another snapshot of our highest resolution clock into
- * the hash function.
- */
- bytes = RNG_GetNoise(buffer, sizeof(buffer));
- RNG_RandomUpdate(buffer, sizeof(buffer));
-}
-
-void RNG_SystemInfoForRNG()
-{
-/* Time */
- {
- unsigned long sec;
- size_t bytes;
- GetDateTime(&sec); /* Current time since 1970 */
- RNG_RandomUpdate( &sec, sizeof(sec));
- bytes = RNG_GetNoise(&sec, sizeof(sec));
- RNG_RandomUpdate(&sec, bytes);
- }
-/* User specific variables */
- {
- MachineLocation loc;
- ReadLocation(&loc);
- RNG_RandomUpdate( &loc, sizeof(loc));
- }
-/* User name */
- {
- unsigned long userRef;
- Str32 userName;
- GetDefaultUser(&userRef, userName);
- RNG_RandomUpdate( &userRef, sizeof(userRef));
- RNG_RandomUpdate( userName, sizeof(userName));
- }
-/* Mouse location */
- {
- Point mouseLoc;
- GetMouse(&mouseLoc);
- RNG_RandomUpdate( &mouseLoc, sizeof(mouseLoc));
- }
-/* Keyboard time threshold */
- {
- SInt16 keyTresh = LMGetKeyThresh();
- RNG_RandomUpdate( &keyTresh, sizeof(keyTresh));
- }
-/* Last key pressed */
- {
- SInt8 keyLast;
- keyLast = LMGetKbdLast();
- RNG_RandomUpdate( &keyLast, sizeof(keyLast));
- }
-/* Volume */
- {
- UInt8 volume = LMGetSdVolume();
- RNG_RandomUpdate( &volume, sizeof(volume));
- }
-/* Current directory */
- {
- SInt32 dir = LMGetCurDirStore();
- RNG_RandomUpdate( &dir, sizeof(dir));
- }
-/* Process information about all the processes in the machine */
- {
- ProcessSerialNumber process;
- ProcessInfoRec pi;
-
- process.highLongOfPSN = process.lowLongOfPSN = kNoProcess;
-
- while (GetNextProcess(&process) == noErr)
- {
- FSSpec fileSpec;
- pi.processInfoLength = sizeof(ProcessInfoRec);
- pi.processName = NULL;
- pi.processAppSpec = &fileSpec;
- GetProcessInformation(&process, &pi);
- RNG_RandomUpdate( &pi, sizeof(pi));
- RNG_RandomUpdate( &fileSpec, sizeof(fileSpec));
- }
- }
-
-/* Heap */
- {
- THz zone = LMGetTheZone();
- RNG_RandomUpdate( &zone, sizeof(zone));
- }
-
-/* Screen */
- {
- GDHandle h = LMGetMainDevice(); /* GDHandle is **GDevice */
- RNG_RandomUpdate( *h, sizeof(GDevice));
- }
-/* Scrap size */
- {
- SInt32 scrapSize = LMGetScrapSize();
- RNG_RandomUpdate( &scrapSize, sizeof(scrapSize));
- }
-/* Scrap count */
- {
- SInt16 scrapCount = LMGetScrapCount();
- RNG_RandomUpdate( &scrapCount, sizeof(scrapCount));
- }
-/* File stuff, last modified, etc. */
- {
- HParamBlockRec pb;
- GetVolParmsInfoBuffer volInfo;
- pb.ioParam.ioVRefNum = 0;
- pb.ioParam.ioNamePtr = nil;
- pb.ioParam.ioBuffer = (Ptr) &volInfo;
- pb.ioParam.ioReqCount = sizeof(volInfo);
- PBHGetVolParmsSync(&pb);
- RNG_RandomUpdate( &volInfo, sizeof(volInfo));
- }
-/* Event queue */
- {
- EvQElPtr eventQ;
- for (eventQ = (EvQElPtr) LMGetEventQueue()->qHead;
- eventQ;
- eventQ = (EvQElPtr)eventQ->qLink)
- RNG_RandomUpdate( &eventQ->evtQWhat, sizeof(EventRecord));
- }
- FE_ReadScreen();
- RNG_FileForRNG(NULL);
-}
-
-void FE_ReadScreen()
-{
- UInt16 coords[4];
- PixMapHandle pmap;
- GDHandle gh;
- UInt16 screenHeight;
- UInt16 screenWidth; /* just what they say */
- UInt32 bytesToRead; /* number of bytes we're giving */
- UInt32 offset; /* offset into the graphics buffer */
- UInt16 rowBytes;
- UInt32 rowsToRead;
- float bytesPerPixel; /* dependent on buffer depth */
- Ptr p; /* temporary */
- UInt16 x, y, w, h;
-
- gh = LMGetMainDevice();
- if ( !gh )
- return;
- pmap = (**gh).gdPMap;
- if ( !pmap )
- return;
-
- RNG_GenerateGlobalRandomBytes( coords, sizeof( coords ) );
-
- /* make x and y inside the screen rect */
- screenHeight = (**pmap).bounds.bottom - (**pmap).bounds.top;
- screenWidth = (**pmap).bounds.right - (**pmap).bounds.left;
- x = coords[0] % screenWidth;
- y = coords[1] % screenHeight;
- w = ( coords[2] & 0x7F ) | 0x40; /* Make sure that w is in the range 64..128 */
- h = ( coords[3] & 0x7F ) | 0x40; /* same for h */
-
- bytesPerPixel = (**pmap).pixelSize / 8;
- rowBytes = (**pmap).rowBytes & 0x7FFF;
-
- /* starting address */
- offset = ( rowBytes * y ) + (UInt32)( (float)x * bytesPerPixel );
-
- /* don't read past the end of the pixmap's rowbytes */
- bytesToRead = MIN( (UInt32)( w * bytesPerPixel ),
- (UInt32)( rowBytes - ( x * bytesPerPixel ) ) );
-
- /* don't read past the end of the graphics device pixmap */
- rowsToRead = MIN( h,
- ( screenHeight - y ) );
-
- p = GetPixBaseAddr( pmap ) + offset;
-
- while ( rowsToRead-- )
- {
- RNG_RandomUpdate( p, bytesToRead );
- p += rowBytes;
- }
-}
-#endif
diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn
deleted file mode 100644
index 0dd2f3d7e..000000000
--- a/security/nss/lib/util/manifest.mn
+++ /dev/null
@@ -1,100 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CORE_DEPTH = ../../..
-
-EXPORTS = \
- base64.h \
- ciferfam.h \
- nssb64.h \
- nssb64t.h \
- nsslocks.h \
- nssrwlk.h \
- nssrwlkt.h \
- portreg.h \
- pqgutil.h \
- secasn1.h \
- secasn1t.h \
- seccomon.h \
- secder.h \
- secdert.h \
- secdig.h \
- secdigt.h \
- secitem.h \
- secoid.h \
- secoidt.h \
- secport.h \
- secrng.h \
- secrngt.h \
- secerr.h \
- watcomfx.h \
- $(NULL)
-
-MODULE = security
-
-CSRCS = \
- secdig.c \
- derdec.c \
- derenc.c \
- dersubr.c \
- dertime.c \
- nssb64d.c \
- nssb64e.c \
- nssrwlk.c \
- nsslocks.c \
- portreg.c \
- pqgutil.c \
- secalgid.c \
- secasn1d.c \
- secasn1e.c \
- secasn1u.c \
- secitem.c \
- secoid.c \
- sectime.c \
- secport.c \
- secinit.c \
- sysrand.c \
- utf8.c \
- $(NULL)
-
-ifeq ($(subst /,_,$(shell uname -s)),OS2)
- CSRCS += os2_rand.c
-endif
-
-# mac_rand.c
-# unix_rand.c
-# win_rand.c
-# prelib.c
-
-REQUIRES = security dbm
-
-LIBRARY_NAME = secutil
diff --git a/security/nss/lib/util/nssb64.h b/security/nss/lib/util/nssb64.h
deleted file mode 100644
index 1a813f3ea..000000000
--- a/security/nss/lib/util/nssb64.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Public prototypes for base64 encoding/decoding.
- *
- * $Id$
- */
-#ifndef _NSSB64_H_
-#define _NSSB64_H_
-
-#include "seccomon.h"
-#include "nssb64t.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * Functions to start a base64 decoding/encoding context.
- */
-
-extern NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
- PRInt32),
- void *output_arg);
-
-extern NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
- void *output_arg);
-
-/*
- * Push data through the decoder/encoder, causing the output_fn (provided
- * to Create) to be called with the decoded/encoded data.
- */
-
-extern SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
- PRUint32 size);
-
-extern SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
- PRUint32 size);
-
-/*
- * When you're done processing, call this to close the context.
- * If "abort_p" is false, then calling this may cause the output_fn
- * to be called one last time (as the last buffered data is flushed out).
- */
-
-extern SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p);
-
-extern SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p);
-
-/*
- * Perform base64 decoding from an ascii string "inStr" to an Item.
- * The length of the input must be provided as "inLen". The Item
- * may be provided (as "outItemOpt"); you can also pass in a NULL
- * and the Item will be allocated for you.
- *
- * In any case, the data within the Item will be allocated for you.
- * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
- * If "arenaOpt" is NULL, standard allocation (heap) will be used and
- * you will want to free the result via SECITEM_FreeItem.
- *
- * Return value is NULL on error, the Item (allocated or provided) otherwise.
- */
-extern SECItem *
-NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
- const char *inStr, unsigned int inLen);
-
-/*
- * Perform base64 encoding of binary data "inItem" to an ascii string.
- * The output buffer may be provided (as "outStrOpt"); you can also pass
- * in a NULL and the buffer will be allocated for you. The result will
- * be null-terminated, and if the buffer is provided, "maxOutLen" must
- * specify the maximum length of the buffer and will be checked to
- * supply sufficient space space for the encoded result. (If "outStrOpt"
- * is NULL, "maxOutLen" is ignored.)
- *
- * If "outStrOpt" is NULL, allocation will happen out of the passed-in
- * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
- * will be used.
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-extern char *
-NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
- unsigned int maxOutLen, SECItem *inItem);
-
-SEC_END_PROTOS
-
-#endif /* _NSSB64_H_ */
diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c
deleted file mode 100644
index c49e38f87..000000000
--- a/security/nss/lib/util/nssb64d.c
+++ /dev/null
@@ -1,861 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Base64 decoding (ascii to binary).
- *
- * $Id$
- */
-
-#include "nssb64.h"
-#include "nspr.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/*
- * XXX We want this basic support to go into NSPR (the PL part).
- * Until that can happen, the PL interface is going to be kept entirely
- * internal here -- all static functions and opaque data structures.
- * When someone can get it moved over into NSPR, that should be done:
- * - giving everything names that are accepted by the NSPR module owners
- * (though I tried to choose ones that would work without modification)
- * - exporting the functions (remove static declarations and add
- * PR_IMPLEMENT as necessary)
- * - put prototypes into appropriate header file (probably replacing
- * the entire current lib/libc/include/plbase64.h in NSPR)
- * along with a typedef for the context structure (which should be
- * kept opaque -- definition in the source file only, but typedef
- * ala "typedef struct PLBase64FooStr PLBase64Foo;" in header file)
- * - modify anything else as necessary to conform to NSPR required style
- * (I looked but found no formatting guide to follow)
- *
- * You will want to move over everything from here down to the comment
- * which says "XXX End of base64 decoding code to be moved into NSPR",
- * into a new file in NSPR.
- */
-
-/*
- **************************************************************
- * XXX Beginning of base64 decoding code to be moved into NSPR.
- */
-
-/*
- * This typedef would belong in the NSPR header file (i.e. plbase64.h).
- */
-typedef struct PLBase64DecoderStr PLBase64Decoder;
-
-/*
- * The following implementation of base64 decoding was based on code
- * found in libmime (specifically, in mimeenc.c). It has been adapted to
- * use PR types and naming as well as to provide other necessary semantics
- * (like buffer-in/buffer-out in addition to "streaming" without undue
- * performance hit of extra copying if you made the buffer versions
- * use the output_fn). It also incorporates some aspects of the current
- * NSPR base64 decoding code. As such, you may find similarities to
- * both of those implementations. I tried to use names that reflected
- * the original code when possible. For this reason you may find some
- * inconsistencies -- libmime used lots of "in" and "out" whereas the
- * NSPR version uses "src" and "dest"; sometimes I changed one to the other
- * and sometimes I left them when I thought the subroutines were at least
- * self-consistent.
- */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Opaque object used by the decoder to store state.
- */
-struct PLBase64DecoderStr {
- /* Current token (or portion, if token_size < 4) being decoded. */
- unsigned char token[4];
- int token_size;
-
- /*
- * Where to write the decoded data (used when streaming, not when
- * doing all in-memory (buffer) operations).
- *
- * Note that this definition is chosen to be compatible with PR_Write.
- */
- PRInt32 (*output_fn) (void *output_arg, const unsigned char *buf,
- PRInt32 size);
- void *output_arg;
-
- /*
- * Where the decoded output goes -- either temporarily (in the streaming
- * case, staged here before it goes to the output function) or what will
- * be the entire buffered result for users of the buffer version.
- */
- unsigned char *output_buffer;
- PRUint32 output_buflen; /* the total length of allocated buffer */
- PRUint32 output_length; /* the length that is currently populated */
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Table to convert an ascii "code" to its corresponding binary value.
- * For ease of use, the binary values in the table are the actual values
- * PLUS ONE. This is so that the special value of zero can denote an
- * invalid mapping; that was much easier than trying to fill in the other
- * values with some value other than zero, and to check for it.
- * Just remember to SUBTRACT ONE when using the value retrieved.
- */
-static unsigned char base64_codetovaluep1[256] = {
-/* 0: */ 0, 0, 0, 0, 0, 0, 0, 0,
-/* 8: */ 0, 0, 0, 0, 0, 0, 0, 0,
-/* 16: */ 0, 0, 0, 0, 0, 0, 0, 0,
-/* 24: */ 0, 0, 0, 0, 0, 0, 0, 0,
-/* 32: */ 0, 0, 0, 0, 0, 0, 0, 0,
-/* 40: */ 0, 0, 0, 63, 0, 0, 0, 64,
-/* 48: */ 53, 54, 55, 56, 57, 58, 59, 60,
-/* 56: */ 61, 62, 0, 0, 0, 0, 0, 0,
-/* 64: */ 0, 1, 2, 3, 4, 5, 6, 7,
-/* 72: */ 8, 9, 10, 11, 12, 13, 14, 15,
-/* 80: */ 16, 17, 18, 19, 20, 21, 22, 23,
-/* 88: */ 24, 25, 26, 0, 0, 0, 0, 0,
-/* 96: */ 0, 27, 28, 29, 30, 31, 32, 33,
-/* 104: */ 34, 35, 36, 37, 38, 39, 40, 41,
-/* 112: */ 42, 43, 44, 45, 46, 47, 48, 49,
-/* 120: */ 50, 51, 52, 0, 0, 0, 0, 0,
-/* 128: */ 0, 0, 0, 0, 0, 0, 0, 0
-/* and rest are all zero as well */
-};
-
-#define B64_PAD '='
-
-
-/*
- * Reads 4; writes 3 (known, or expected, to have no trailing padding).
- * Returns bytes written; -1 on error (unexpected character).
- */
-static int
-pl_base64_decode_4to3 (const unsigned char *in, unsigned char *out)
-{
- int j;
- PRUint32 num = 0;
- unsigned char bits;
-
- for (j = 0; j < 4; j++) {
- bits = base64_codetovaluep1[in[j]];
- if (bits == 0)
- return -1;
- num = (num << 6) | (bits - 1);
- }
-
- out[0] = (unsigned char) (num >> 16);
- out[1] = (unsigned char) ((num >> 8) & 0xFF);
- out[2] = (unsigned char) (num & 0xFF);
-
- return 3;
-}
-
-/*
- * Reads 3; writes 2 (caller already confirmed EOF or trailing padding).
- * Returns bytes written; -1 on error (unexpected character).
- */
-static int
-pl_base64_decode_3to2 (const unsigned char *in, unsigned char *out)
-{
- PRUint32 num = 0;
- unsigned char bits1, bits2, bits3;
-
- bits1 = base64_codetovaluep1[in[0]];
- bits2 = base64_codetovaluep1[in[1]];
- bits3 = base64_codetovaluep1[in[2]];
-
- if ((bits1 == 0) || (bits2 == 0) || (bits3 == 0))
- return -1;
-
- num = ((PRUint32)(bits1 - 1)) << 10;
- num |= ((PRUint32)(bits2 - 1)) << 4;
- num |= ((PRUint32)(bits3 - 1)) >> 2;
-
- out[0] = (unsigned char) (num >> 8);
- out[1] = (unsigned char) (num & 0xFF);
-
- return 2;
-}
-
-/*
- * Reads 2; writes 1 (caller already confirmed EOF or trailing padding).
- * Returns bytes written; -1 on error (unexpected character).
- */
-static int
-pl_base64_decode_2to1 (const unsigned char *in, unsigned char *out)
-{
- PRUint32 num = 0;
- unsigned char bits1, bits2;
-
- bits1 = base64_codetovaluep1[in[0]];
- bits2 = base64_codetovaluep1[in[1]];
-
- if ((bits1 == 0) || (bits2 == 0))
- return -1;
-
- num = ((PRUint32)(bits1 - 1)) << 2;
- num |= ((PRUint32)(bits2 - 1)) >> 4;
-
- out[0] = (unsigned char) num;
-
- return 1;
-}
-
-/*
- * Reads 4; writes 0-3. Returns bytes written or -1 on error.
- * (Writes less than 3 only at (presumed) EOF.)
- */
-static int
-pl_base64_decode_token (const unsigned char *in, unsigned char *out)
-{
- if (in[3] != B64_PAD)
- return pl_base64_decode_4to3 (in, out);
-
- if (in[2] == B64_PAD)
- return pl_base64_decode_2to1 (in, out);
-
- return pl_base64_decode_3to2 (in, out);
-}
-
-static PRStatus
-pl_base64_decode_buffer (PLBase64Decoder *data, const unsigned char *in,
- PRUint32 length)
-{
- unsigned char *out = data->output_buffer;
- unsigned char *token = data->token;
- int i, n = 0;
-
- i = data->token_size;
- data->token_size = 0;
-
- while (length > 0) {
- while (i < 4 && length > 0) {
- /*
- * XXX Note that the following simply ignores any unexpected
- * characters. This is exactly what the original code in
- * libmime did, and I am leaving it. We certainly want to skip
- * over whitespace (we must); this does much more than that.
- * I am not confident changing it, and I don't want to slow
- * the processing down doing more complicated checking, but
- * someone else might have different ideas in the future.
- */
- if (base64_codetovaluep1[*in] > 0 || *in == B64_PAD)
- token[i++] = *in;
- in++;
- length--;
- }
-
- if (i < 4) {
- /* Didn't get enough for a complete token. */
- data->token_size = i;
- break;
- }
- i = 0;
-
- PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen);
-
- /*
- * Assume we are not at the end; the following function only works
- * for an internal token (no trailing padding characters) but is
- * faster that way. If it hits an invalid character (padding) it
- * will return an error; we break out of the loop and try again
- * calling the routine that will handle a final token.
- * Note that we intentionally do it this way rather than explicitly
- * add a check for padding here (because that would just slow down
- * the normal case) nor do we rely on checking whether we have more
- * input to process (because that would also slow it down but also
- * because we want to allow trailing garbage, especially white space
- * and cannot tell that without read-ahead, also a slow proposition).
- * Whew. Understand?
- */
- n = pl_base64_decode_4to3 (token, out);
- if (n < 0)
- break;
-
- /* Advance "out" by the number of bytes just written to it. */
- out += n;
- n = 0;
- }
-
- /*
- * See big comment above, before call to pl_base64_decode_4to3.
- * Here we check if we error'd out of loop, and allow for the case
- * that we are processing the last interesting token. If the routine
- * which should handle padding characters also fails, then we just
- * have bad input and give up.
- */
- if (n < 0) {
- n = pl_base64_decode_token (token, out);
- if (n < 0)
- return PR_FAILURE;
-
- out += n;
- }
-
- /*
- * As explained above, we can get here with more input remaining, but
- * it should be all characters we do not care about (i.e. would be
- * ignored when transferring from "in" to "token" in loop above,
- * except here we choose to ignore extraneous pad characters, too).
- * Swallow it, performing that check. If we find more characters that
- * we would expect to decode, something is wrong.
- */
- while (length > 0) {
- if (base64_codetovaluep1[*in] > 0)
- return PR_FAILURE;
- in++;
- length--;
- }
-
- /* Record the length of decoded data we have left in output_buffer. */
- data->output_length = (PRUint32) (out - data->output_buffer);
- return PR_SUCCESS;
-}
-
-/*
- * Flush any remaining buffered characters. Given well-formed input,
- * this will have nothing to do. If the input was missing the padding
- * characters at the end, though, there could be 1-3 characters left
- * behind -- we will tolerate that by adding the padding for them.
- */
-static PRStatus
-pl_base64_decode_flush (PLBase64Decoder *data)
-{
- int count;
-
- /*
- * If no remaining characters, or all are padding (also not well-formed
- * input, but again, be tolerant), then nothing more to do. (And, that
- * is considered successful.)
- */
- if (data->token_size == 0 || data->token[0] == B64_PAD)
- return PR_SUCCESS;
-
- /*
- * Assume we have all the interesting input except for some expected
- * padding characters. Add them and decode the resulting token.
- */
- while (data->token_size < 4)
- data->token[data->token_size++] = B64_PAD;
-
- data->token_size = 0; /* so a subsequent flush call is a no-op */
-
- count = pl_base64_decode_token (data->token,
- data->output_buffer + data->output_length);
- if (count < 0)
- return PR_FAILURE;
-
- /*
- * If there is an output function, call it with this last bit of data.
- * Otherwise we are doing all buffered output, and the decoded bytes
- * are now there, we just need to reflect that in the length.
- */
- if (data->output_fn != NULL) {
- PRInt32 output_result;
-
- PR_ASSERT(data->output_length == 0);
- output_result = data->output_fn (data->output_arg,
- data->output_buffer,
- (PRInt32) count);
- if (output_result < 0)
- return PR_FAILURE;
- } else {
- data->output_length += count;
- }
-
- return PR_SUCCESS;
-}
-
-
-/*
- * The maximum space needed to hold the output of the decoder given
- * input data of length "size".
- */
-static PRUint32
-PL_Base64MaxDecodedLength (PRUint32 size)
-{
- return ((size * 3) / 4);
-}
-
-
-/*
- * A distinct internal creation function for the buffer version to use.
- * (It does not want to specify an output_fn, and we want the normal
- * Create function to require that.) If more common initialization
- * of the decoding context needs to be done, it should be done *here*.
- */
-static PLBase64Decoder *
-pl_base64_create_decoder (void)
-{
- return PR_NEWZAP(PLBase64Decoder);
-}
-
-/*
- * Function to start a base64 decoding context.
- * An "output_fn" is required; the "output_arg" parameter to that is optional.
- */
-static PLBase64Decoder *
-PL_CreateBase64Decoder (PRInt32 (*output_fn) (void *, const unsigned char *,
- PRInt32),
- void *output_arg)
-{
- PLBase64Decoder *data;
-
- if (output_fn == NULL) {
- PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
- return NULL;
- }
-
- data = pl_base64_create_decoder ();
- if (data != NULL) {
- data->output_fn = output_fn;
- data->output_arg = output_arg;
- }
- return data;
-}
-
-
-/*
- * Push data through the decoder, causing the output_fn (provided to Create)
- * to be called with the decoded data.
- */
-static PRStatus
-PL_UpdateBase64Decoder (PLBase64Decoder *data, const char *buffer,
- PRUint32 size)
-{
- PRUint32 need_length;
- PRStatus status;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL || buffer == NULL || size == 0) {
- PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
- return PR_FAILURE;
- }
-
- /*
- * How much space could this update need for decoding?
- */
- need_length = PL_Base64MaxDecodedLength (size + data->token_size);
-
- /*
- * Make sure we have at least that much. If not, (re-)allocate.
- */
- if (need_length > data->output_buflen) {
- unsigned char *output_buffer = data->output_buffer;
-
- if (output_buffer != NULL)
- output_buffer = (unsigned char *) PR_Realloc(output_buffer,
- need_length);
- else
- output_buffer = (unsigned char *) PR_Malloc(need_length);
-
- if (output_buffer == NULL)
- return PR_FAILURE;
-
- data->output_buffer = output_buffer;
- data->output_buflen = need_length;
- }
-
- /* There should not have been any leftover output data in the buffer. */
- PR_ASSERT(data->output_length == 0);
- data->output_length = 0;
-
- status = pl_base64_decode_buffer (data, (const unsigned char *) buffer,
- size);
-
- /* Now that we have some decoded data, write it. */
- if (status == PR_SUCCESS && data->output_length > 0) {
- PRInt32 output_result;
-
- PR_ASSERT(data->output_fn != NULL);
- output_result = data->output_fn (data->output_arg,
- data->output_buffer,
- (PRInt32) data->output_length);
- if (output_result < 0)
- status = PR_FAILURE;
- }
-
- data->output_length = 0;
- return status;
-}
-
-
-/*
- * When you're done decoding, call this to free the data. If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-static PRStatus
-PL_DestroyBase64Decoder (PLBase64Decoder *data, PRBool abort_p)
-{
- PRStatus status = PR_SUCCESS;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL) {
- PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
- return PR_FAILURE;
- }
-
- /* Flush out the last few buffered characters. */
- if (!abort_p)
- status = pl_base64_decode_flush (data);
-
- if (data->output_buffer != NULL)
- PR_Free(data->output_buffer);
- PR_Free(data);
-
- return status;
-}
-
-
-/*
- * Perform base64 decoding from an input buffer to an output buffer.
- * The output buffer can be provided (as "dest"); you can also pass in
- * a NULL and this function will allocate a buffer large enough for you,
- * and return it. If you do provide the output buffer, you must also
- * provide the maximum length of that buffer (as "maxdestlen").
- * The actual decoded length of output will be returned to you in
- * "output_destlen".
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-static unsigned char *
-PL_Base64DecodeBuffer (const char *src, PRUint32 srclen, unsigned char *dest,
- PRUint32 maxdestlen, PRUint32 *output_destlen)
-{
- PRUint32 need_length;
- unsigned char *output_buffer = NULL;
- PLBase64Decoder *data = NULL;
- PRStatus status;
-
- PR_ASSERT(srclen > 0);
- if (srclen == 0)
- return dest;
-
- /*
- * How much space could we possibly need for decoding this input?
- */
- need_length = PL_Base64MaxDecodedLength (srclen);
-
- /*
- * Make sure we have at least that much, if output buffer provided.
- * If no output buffer provided, then we allocate that much.
- */
- if (dest != NULL) {
- PR_ASSERT(maxdestlen >= need_length);
- if (maxdestlen < need_length) {
- PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
- goto loser;
- }
- output_buffer = dest;
- } else {
- output_buffer = (unsigned char *) PR_Malloc(need_length);
- if (output_buffer == NULL)
- goto loser;
- maxdestlen = need_length;
- }
-
- data = pl_base64_create_decoder();
- if (data == NULL)
- goto loser;
-
- data->output_buflen = maxdestlen;
- data->output_buffer = output_buffer;
-
- status = pl_base64_decode_buffer (data, (const unsigned char *) src,
- srclen);
-
- /*
- * We do not wait for Destroy to flush, because Destroy will also
- * get rid of our decoder context, which we need to look at first!
- */
- if (status == PR_SUCCESS)
- status = pl_base64_decode_flush (data);
-
- /* Must clear this or Destroy will free it. */
- data->output_buffer = NULL;
-
- if (status == PR_SUCCESS) {
- *output_destlen = data->output_length;
- status = PL_DestroyBase64Decoder (data, PR_FALSE);
- data = NULL;
- if (status == PR_FAILURE)
- goto loser;
- return output_buffer;
- }
-
-loser:
- if (dest == NULL && output_buffer != NULL)
- PR_Free(output_buffer);
- if (data != NULL)
- (void) PL_DestroyBase64Decoder (data, PR_TRUE);
- return NULL;
-}
-
-
-/*
- * XXX End of base64 decoding code to be moved into NSPR.
- ********************************************************
- */
-
-/*
- * This is the beginning of the NSS cover functions. These will
- * provide the interface we want to expose as NSS-ish. For example,
- * they will operate on our Items, do any special handling or checking
- * we want to do, etc.
- */
-
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A boring cover structure for now. Perhaps someday it will include
- * some more interesting fields.
- */
-struct NSSBase64DecoderStr {
- PLBase64Decoder *pl_data;
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Function to start a base64 decoding context.
- */
-NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
- PRInt32),
- void *output_arg)
-{
- PLBase64Decoder *pl_data;
- NSSBase64Decoder *nss_data;
-
- nss_data = PORT_ZNew(NSSBase64Decoder);
- if (nss_data == NULL)
- return NULL;
-
- pl_data = PL_CreateBase64Decoder (output_fn, output_arg);
- if (pl_data == NULL) {
- PORT_Free(nss_data);
- return NULL;
- }
-
- nss_data->pl_data = pl_data;
- return nss_data;
-}
-
-
-/*
- * Push data through the decoder, causing the output_fn (provided to Create)
- * to be called with the decoded data.
- */
-SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
- PRUint32 size)
-{
- PRStatus pr_status;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL) {
- PORT_SetError (SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- pr_status = PL_UpdateBase64Decoder (data->pl_data, buffer, size);
- if (pr_status == PR_FAILURE)
- return SECFailure;
-
- return SECSuccess;
-}
-
-
-/*
- * When you're done decoding, call this to free the data. If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
-{
- PRStatus pr_status;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL) {
- PORT_SetError (SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- pr_status = PL_DestroyBase64Decoder (data->pl_data, abort_p);
-
- PORT_Free(data);
-
- if (pr_status == PR_FAILURE)
- return SECFailure;
-
- return SECSuccess;
-}
-
-
-/*
- * Perform base64 decoding from an ascii string "inStr" to an Item.
- * The length of the input must be provided as "inLen". The Item
- * may be provided (as "outItemOpt"); you can also pass in a NULL
- * and the Item will be allocated for you.
- *
- * In any case, the data within the Item will be allocated for you.
- * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
- * If "arenaOpt" is NULL, standard allocation (heap) will be used and
- * you will want to free the result via SECITEM_FreeItem.
- *
- * Return value is NULL on error, the Item (allocated or provided) otherwise.
- */
-SECItem *
-NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
- const char *inStr, unsigned int inLen)
-{
- SECItem *out_item = outItemOpt;
- PRUint32 max_out_len = PL_Base64MaxDecodedLength (inLen);
- PRUint32 out_len;
- void *mark = NULL;
- unsigned char *dummy;
-
- PORT_Assert(outItemOpt == NULL || outItemOpt->data == NULL);
-
- if (arenaOpt != NULL)
- mark = PORT_ArenaMark (arenaOpt);
-
- out_item = SECITEM_AllocItem (arenaOpt, outItemOpt, max_out_len);
- if (out_item == NULL) {
- if (arenaOpt != NULL)
- PORT_ArenaRelease (arenaOpt, mark);
- return NULL;
- }
-
- dummy = PL_Base64DecodeBuffer (inStr, inLen, out_item->data,
- max_out_len, &out_len);
- if (dummy == NULL) {
- if (arenaOpt != NULL) {
- PORT_ArenaRelease (arenaOpt, mark);
- if (outItemOpt != NULL) {
- outItemOpt->data = NULL;
- outItemOpt->len = 0;
- }
- } else {
- SECITEM_FreeItem (out_item,
- (outItemOpt == NULL) ? PR_TRUE : PR_FALSE);
- }
- return NULL;
- }
-
- if (arenaOpt != NULL)
- PORT_ArenaUnmark (arenaOpt, mark);
- out_item->len = out_len;
- return out_item;
-}
-
-
-/*
- * XXX Everything below is deprecated. If you add new stuff, put it
- * *above*, not below.
- */
-
-/*
- * XXX The following "ATOB" functions are provided for backward compatibility
- * with current code. They should be considered strongly deprecated.
- * When we can convert all our code over to using the new NSSBase64Decoder_
- * functions defined above, we should get rid of these altogether. (Remove
- * protoypes from base64.h as well -- actually, remove that file completely).
- * If someone thinks either of these functions provides such a very useful
- * interface (though, as shown, the same functionality can already be
- * obtained by calling NSSBase64_DecodeBuffer directly), fine -- but then
- * that API should be provided with a nice new NSSFoo name and using
- * appropriate types, etc.
- */
-
-#include "base64.h"
-
-/*
-** Return an PORT_Alloc'd string which is the base64 decoded version
-** of the input string; set *lenp to the length of the returned data.
-*/
-unsigned char *
-ATOB_AsciiToData(const char *string, unsigned int *lenp)
-{
- SECItem binary_item, *dummy;
-
- binary_item.data = NULL;
- binary_item.len = 0;
-
- dummy = NSSBase64_DecodeBuffer (NULL, &binary_item, string,
- (PRUint32) PORT_Strlen(string));
- if (dummy == NULL)
- return NULL;
-
- PORT_Assert(dummy == &binary_item);
-
- *lenp = dummy->len;
- return dummy->data;
-}
-
-/*
-** Convert from ascii to binary encoding of an item.
-*/
-SECStatus
-ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
-{
- SECItem *dummy;
-
- if (binary_item == NULL) {
- PORT_SetError (SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /*
- * XXX Would prefer to assert here if data is non-null (actually,
- * don't need to, just let NSSBase64_DecodeBuffer do it), so as to
- * to catch unintended memory leaks, but callers are not clean in
- * this respect so we need to explicitly clear here to avoid the
- * assert in NSSBase64_DecodeBuffer.
- */
- binary_item->data = NULL;
- binary_item->len = 0;
-
- dummy = NSSBase64_DecodeBuffer (NULL, binary_item, ascii,
- (PRUint32) PORT_Strlen(ascii));
-
- if (dummy == NULL)
- return SECFailure;
-
- return SECSuccess;
-}
diff --git a/security/nss/lib/util/nssb64e.c b/security/nss/lib/util/nssb64e.c
deleted file mode 100644
index 9c802abcd..000000000
--- a/security/nss/lib/util/nssb64e.c
+++ /dev/null
@@ -1,762 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Base64 encoding (binary to ascii).
- *
- * $Id$
- */
-
-#include "nssb64.h"
-#include "nspr.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/*
- * XXX See the big comment at the top of nssb64d.c about moving the
- * bulk of this code over into NSPR (the PL part). It all applies
- * here but I didn't want to duplicate it, to avoid divergence problems.
- */
-
-/*
- **************************************************************
- * XXX Beginning of base64 encoding code to be moved into NSPR.
- */
-
-
-struct PLBase64EncodeStateStr {
- unsigned chunks;
- unsigned saved;
- unsigned char buf[3];
-};
-
-/*
- * This typedef would belong in the NSPR header file (i.e. plbase64.h).
- */
-typedef struct PLBase64EncoderStr PLBase64Encoder;
-
-/*
- * The following implementation of base64 encoding was based on code
- * found in libmime (specifically, in mimeenc.c). It has been adapted to
- * use PR types and naming as well as to provide other necessary semantics
- * (like buffer-in/buffer-out in addition to "streaming" without undue
- * performance hit of extra copying if you made the buffer versions
- * use the output_fn). It also incorporates some aspects of the current
- * NSPR base64 encoding code. As such, you may find similarities to
- * both of those implementations. I tried to use names that reflected
- * the original code when possible. For this reason you may find some
- * inconsistencies -- libmime used lots of "in" and "out" whereas the
- * NSPR version uses "src" and "dest"; sometimes I changed one to the other
- * and sometimes I left them when I thought the subroutines were at least
- * self-consistent.
- */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Opaque object used by the encoder to store state.
- */
-struct PLBase64EncoderStr {
- /*
- * The one or two bytes pending. (We need 3 to create a "token",
- * and hold the leftovers here. in_buffer_count is *only* ever
- * 0, 1, or 2.
- */
- unsigned char in_buffer[2];
- int in_buffer_count;
-
- /*
- * If the caller wants linebreaks added, line_length specifies
- * where they come out. It must be a multiple of 4; if the caller
- * provides one that isn't, we round it down to the nearest
- * multiple of 4.
- *
- * The value of current_column counts how many characters have been
- * added since the last linebreaks (or since the beginning, on the
- * first line). It is also always a multiple of 4; it is unused when
- * line_length is 0.
- */
- PRUint32 line_length;
- PRUint32 current_column;
-
- /*
- * Where to write the encoded data (used when streaming, not when
- * doing all in-memory (buffer) operations).
- *
- * Note that this definition is chosen to be compatible with PR_Write.
- */
- PRInt32 (*output_fn) (void *output_arg, const char *buf, PRInt32 size);
- void *output_arg;
-
- /*
- * Where the encoded output goes -- either temporarily (in the streaming
- * case, staged here before it goes to the output function) or what will
- * be the entire buffered result for users of the buffer version.
- */
- char *output_buffer;
- PRUint32 output_buflen; /* the total length of allocated buffer */
- PRUint32 output_length; /* the length that is currently populated */
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Table to convert a binary value to its corresponding ascii "code".
- */
-static unsigned char base64_valuetocode[64] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-#define B64_PAD '='
-#define B64_CR '\r'
-#define B64_LF '\n'
-
-static PRStatus
-pl_base64_encode_buffer (PLBase64Encoder *data, const unsigned char *in,
- PRUint32 size)
-{
- const unsigned char *end = in + size;
- char *out = data->output_buffer + data->output_length;
- int i = data->in_buffer_count;
- PRUint32 n = 0;
- int off;
- PRUint32 output_threshold;
-
- /* If this input buffer is too small, wait until next time. */
- if (size < (3 - i)) {
- data->in_buffer[i++] = in[0];
- if (size > 1)
- data->in_buffer[i++] = in[1];
- PR_ASSERT(i < 3);
- data->in_buffer_count = i;
- return PR_SUCCESS;
- }
-
- /* If there are bytes that were put back last time, take them now. */
- if (i > 0) {
- n = data->in_buffer[0];
- if (i > 1)
- n = (n << 8) | data->in_buffer[1];
- data->in_buffer_count = 0;
- }
-
- /* If our total is not a multiple of three, put one or two bytes back. */
- off = (size + i) % 3;
- if (off > 0) {
- size -= off;
- data->in_buffer[0] = in[size];
- if (off > 1)
- data->in_buffer[1] = in[size + 1];
- data->in_buffer_count = off;
- end -= off;
- }
-
- output_threshold = data->output_buflen - 3;
-
- /*
- * Populate the output buffer with base64 data, one line (or buffer)
- * at a time.
- */
- while (in < end) {
- int j, k;
-
- while (i < 3) {
- n = (n << 8) | *in++;
- i++;
- }
- i = 0;
-
- if (data->line_length > 0) {
- if (data->current_column >= data->line_length) {
- data->current_column = 0;
- *out++ = B64_CR;
- *out++ = B64_LF;
- data->output_length += 2;
- }
- data->current_column += 4; /* the bytes we are about to add */
- }
-
- for (j = 18; j >= 0; j -= 6) {
- k = (n >> j) & 0x3F;
- *out++ = base64_valuetocode[k];
- }
- n = 0;
- data->output_length += 4;
-
- if (data->output_length >= output_threshold) {
- PR_ASSERT(data->output_length <= data->output_buflen);
- if (data->output_fn != NULL) {
- PRInt32 output_result;
-
- output_result = data->output_fn (data->output_arg,
- data->output_buffer,
- (PRInt32) data->output_length);
- if (output_result < 0)
- return PR_FAILURE;
-
- out = data->output_buffer;
- data->output_length = 0;
- } else {
- /*
- * Check that we are about to exit the loop. (Since we
- * are over the threshold, there isn't enough room in the
- * output buffer for another trip around.)
- */
- PR_ASSERT(in == end);
- if (in < end) {
- PR_SetError (PR_BUFFER_OVERFLOW_ERROR, 0);
- return PR_FAILURE;
- }
- }
- }
- }
-
- return PR_SUCCESS;
-}
-
-static PRStatus
-pl_base64_encode_flush (PLBase64Encoder *data)
-{
- int i = data->in_buffer_count;
-
- if (i == 0 && data->output_length == 0)
- return PR_SUCCESS;
-
- if (i > 0) {
- char *out = data->output_buffer + data->output_length;
- PRUint32 n;
- int j, k;
-
- n = ((PRUint32) data->in_buffer[0]) << 16;
- if (i > 1)
- n |= ((PRUint32) data->in_buffer[1] << 8);
-
- data->in_buffer_count = 0;
-
- if (data->line_length > 0) {
- if (data->current_column >= data->line_length) {
- data->current_column = 0;
- *out++ = B64_CR;
- *out++ = B64_LF;
- data->output_length += 2;
- }
- }
-
- /*
- * This will fill in more than we really have data for, but the
- * valid parts will end up in the correct position and the extras
- * will be over-written with pad characters below.
- */
- for (j = 18; j >= 0; j -= 6) {
- k = (n >> j) & 0x3F;
- *out++ = base64_valuetocode[k];
- }
-
- /* Pad with equal-signs. */
- if (i == 1)
- out[-2] = B64_PAD;
- out[-1] = B64_PAD;
-
- data->output_length += 4;
- }
-
- if (data->output_fn != NULL) {
- PRInt32 output_result;
-
- output_result = data->output_fn (data->output_arg, data->output_buffer,
- (PRInt32) data->output_length);
- data->output_length = 0;
-
- if (output_result < 0)
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
-}
-
-
-/*
- * The maximum space needed to hold the output of the encoder given input
- * data of length "size", and allowing for CRLF added at least every
- * line_length bytes (we will add it at nearest lower multiple of 4).
- * There is no trailing CRLF.
- */
-static PRUint32
-PL_Base64MaxEncodedLength (PRUint32 size, PRUint32 line_length)
-{
- PRUint32 tokens, tokens_per_line, full_lines, line_break_chars, remainder;
-
- tokens = (size + 2) / 3;
-
- if (line_length == 0)
- return tokens * 4;
-
- if (line_length < 4) /* too small! */
- line_length = 4;
-
- tokens_per_line = line_length / 4;
- full_lines = tokens / tokens_per_line;
- remainder = (tokens - (full_lines * tokens_per_line)) * 4;
- line_break_chars = full_lines * 2;
- if (remainder == 0)
- line_break_chars -= 2;
-
- return (full_lines * tokens_per_line * 4) + line_break_chars + remainder;
-}
-
-
-/*
- * A distinct internal creation function for the buffer version to use.
- * (It does not want to specify an output_fn, and we want the normal
- * Create function to require that.) All common initialization of the
- * encoding context should be done *here*.
- *
- * Save "line_length", rounded down to nearest multiple of 4 (if not
- * already even multiple). Allocate output_buffer, if not provided --
- * based on given size if specified, otherwise based on line_length.
- */
-static PLBase64Encoder *
-pl_base64_create_encoder (PRUint32 line_length, char *output_buffer,
- PRUint32 output_buflen)
-{
- PLBase64Encoder *data;
- PRUint32 line_tokens;
-
- data = PR_NEWZAP(PLBase64Encoder);
- if (data == NULL)
- return NULL;
-
- if (line_length > 0 && line_length < 4) /* too small! */
- line_length = 4;
-
- line_tokens = line_length / 4;
- data->line_length = line_tokens * 4;
-
- if (output_buffer == NULL) {
- if (output_buflen == 0) {
- if (data->line_length > 0) /* need to include room for CRLF */
- output_buflen = data->line_length + 2;
- else
- output_buflen = 64; /* XXX what is a good size? */
- }
-
- output_buffer = (char *) PR_Malloc(output_buflen);
- if (output_buffer == NULL) {
- PR_Free(data);
- return NULL;
- }
- }
-
- data->output_buffer = output_buffer;
- data->output_buflen = output_buflen;
- return data;
-}
-
-/*
- * Function to start a base64 encoding context.
- * An "output_fn" is required; the "output_arg" parameter to that is optional.
- * If linebreaks in the encoded output are desired, "line_length" specifies
- * where to place them -- it will be rounded down to the nearest multiple of 4
- * (if it is not already an even multiple of 4). If it is zero, no linebreaks
- * will be added. (FYI, a linebreak is CRLF -- two characters.)
- */
-static PLBase64Encoder *
-PL_CreateBase64Encoder (PRInt32 (*output_fn) (void *, const char *, PRInt32),
- void *output_arg, PRUint32 line_length)
-{
- PLBase64Encoder *data;
-
- if (output_fn == NULL) {
- PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
- return NULL;
- }
-
- data = pl_base64_create_encoder (line_length, NULL, 0);
- if (data == NULL)
- return NULL;
-
- data->output_fn = output_fn;
- data->output_arg = output_arg;
-
- return data;
-}
-
-
-/*
- * Push data through the encoder, causing the output_fn (provided to Create)
- * to be called with the encoded data.
- */
-static PRStatus
-PL_UpdateBase64Encoder (PLBase64Encoder *data, const unsigned char *buffer,
- PRUint32 size)
-{
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL || buffer == NULL || size == 0) {
- PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
- return PR_FAILURE;
- }
-
- return pl_base64_encode_buffer (data, buffer, size);
-}
-
-
-/*
- * When you're done encoding, call this to free the data. If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-static PRStatus
-PL_DestroyBase64Encoder (PLBase64Encoder *data, PRBool abort_p)
-{
- PRStatus status = PR_SUCCESS;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL) {
- PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
- return PR_FAILURE;
- }
-
- /* Flush out the last few buffered characters. */
- if (!abort_p)
- status = pl_base64_encode_flush (data);
-
- if (data->output_buffer != NULL)
- PR_Free(data->output_buffer);
- PR_Free(data);
-
- return status;
-}
-
-
-/*
- * Perform base64 encoding from an input buffer to an output buffer.
- * The output buffer can be provided (as "dest"); you can also pass in
- * a NULL and this function will allocate a buffer large enough for you,
- * and return it. If you do provide the output buffer, you must also
- * provide the maximum length of that buffer (as "maxdestlen").
- * The actual encoded length of output will be returned to you in
- * "output_destlen".
- *
- * If linebreaks in the encoded output are desired, "line_length" specifies
- * where to place them -- it will be rounded down to the nearest multiple of 4
- * (if it is not already an even multiple of 4). If it is zero, no linebreaks
- * will be added. (FYI, a linebreak is CRLF -- two characters.)
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-static char *
-PL_Base64EncodeBuffer (const unsigned char *src, PRUint32 srclen,
- PRUint32 line_length, char *dest, PRUint32 maxdestlen,
- PRUint32 *output_destlen)
-{
- PRUint32 need_length;
- PLBase64Encoder *data = NULL;
- PRStatus status;
-
- PR_ASSERT(srclen > 0);
- if (srclen == 0)
- return dest;
-
- /*
- * How much space could we possibly need for encoding this input?
- */
- need_length = PL_Base64MaxEncodedLength (srclen, line_length);
-
- /*
- * Make sure we have at least that much, if output buffer provided.
- */
- if (dest != NULL) {
- PR_ASSERT(maxdestlen >= need_length);
- if (maxdestlen < need_length) {
- PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
- return NULL;
- }
- } else {
- maxdestlen = need_length;
- }
-
- data = pl_base64_create_encoder(line_length, dest, maxdestlen);
- if (data == NULL)
- return NULL;
-
- status = pl_base64_encode_buffer (data, src, srclen);
-
- /*
- * We do not wait for Destroy to flush, because Destroy will also
- * get rid of our encoder context, which we need to look at first!
- */
- if (status == PR_SUCCESS)
- status = pl_base64_encode_flush (data);
-
- if (status != PR_SUCCESS) {
- (void) PL_DestroyBase64Encoder (data, PR_TRUE);
- return NULL;
- }
-
- dest = data->output_buffer;
-
- /* Must clear this or Destroy will free it. */
- data->output_buffer = NULL;
-
- *output_destlen = data->output_length;
- status = PL_DestroyBase64Encoder (data, PR_FALSE);
- if (status == PR_FAILURE) {
- PR_Free(dest);
- return NULL;
- }
-
- return dest;
-}
-
-/*
- * XXX End of base64 encoding code to be moved into NSPR.
- ********************************************************
- */
-
-/*
- * This is the beginning of the NSS cover functions. These will
- * provide the interface we want to expose as NSS-ish. For example,
- * they will operate on our Items, do any special handling or checking
- * we want to do, etc.
- */
-
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A boring cover structure for now. Perhaps someday it will include
- * some more interesting fields.
- */
-struct NSSBase64EncoderStr {
- PLBase64Encoder *pl_data;
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Function to start a base64 encoding context.
- */
-NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
- void *output_arg)
-{
- PLBase64Encoder *pl_data;
- NSSBase64Encoder *nss_data;
-
- nss_data = PORT_ZNew(NSSBase64Encoder);
- if (nss_data == NULL)
- return NULL;
-
- pl_data = PL_CreateBase64Encoder (output_fn, output_arg, 64);
- if (pl_data == NULL) {
- PORT_Free(nss_data);
- return NULL;
- }
-
- nss_data->pl_data = pl_data;
- return nss_data;
-}
-
-
-/*
- * Push data through the encoder, causing the output_fn (provided to Create)
- * to be called with the encoded data.
- */
-SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
- PRUint32 size)
-{
- PRStatus pr_status;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL) {
- PORT_SetError (SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- pr_status = PL_UpdateBase64Encoder (data->pl_data, buffer, size);
- if (pr_status == PR_FAILURE)
- return SECFailure;
-
- return SECSuccess;
-}
-
-
-/*
- * When you're done encoding, call this to free the data. If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
-{
- PRStatus pr_status;
-
- /* XXX Should we do argument checking only in debug build? */
- if (data == NULL) {
- PORT_SetError (SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- pr_status = PL_DestroyBase64Encoder (data->pl_data, abort_p);
-
- PORT_Free(data);
-
- if (pr_status == PR_FAILURE)
- return SECFailure;
-
- return SECSuccess;
-}
-
-
-/*
- * Perform base64 encoding of binary data "inItem" to an ascii string.
- * The output buffer may be provided (as "outStrOpt"); you can also pass
- * in a NULL and the buffer will be allocated for you. The result will
- * be null-terminated, and if the buffer is provided, "maxOutLen" must
- * specify the maximum length of the buffer and will be checked to
- * supply sufficient space space for the encoded result. (If "outStrOpt"
- * is NULL, "maxOutLen" is ignored.)
- *
- * If "outStrOpt" is NULL, allocation will happen out of the passed-in
- * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
- * will be used.
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-char *
-NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
- unsigned int maxOutLen, SECItem *inItem)
-{
- char *out_string = outStrOpt;
- PRUint32 max_out_len;
- PRUint32 out_len;
- void *mark = NULL;
- char *dummy;
-
- PORT_Assert(inItem != NULL && inItem->data != NULL && inItem->len != 0);
- if (inItem == NULL || inItem->data == NULL || inItem->len == 0) {
- PORT_SetError (SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
-
- max_out_len = PL_Base64MaxEncodedLength (inItem->len, 64);
-
- if (arenaOpt != NULL)
- mark = PORT_ArenaMark (arenaOpt);
-
- if (out_string == NULL) {
- if (arenaOpt != NULL)
- out_string = PORT_ArenaAlloc (arenaOpt, max_out_len + 1);
- else
- out_string = PORT_Alloc (max_out_len + 1);
-
- if (out_string == NULL) {
- if (arenaOpt != NULL)
- PORT_ArenaRelease (arenaOpt, mark);
- return NULL;
- }
- } else {
- if ((max_out_len + 1) > maxOutLen) {
- PORT_SetError (SEC_ERROR_OUTPUT_LEN);
- return NULL;
- }
- max_out_len = maxOutLen;
- }
-
-
- dummy = PL_Base64EncodeBuffer (inItem->data, inItem->len, 64,
- out_string, max_out_len, &out_len);
- if (dummy == NULL) {
- if (arenaOpt != NULL) {
- PORT_ArenaRelease (arenaOpt, mark);
- } else {
- PORT_Free (out_string);
- }
- return NULL;
- }
-
- if (arenaOpt != NULL)
- PORT_ArenaUnmark (arenaOpt, mark);
-
- out_string[out_len] = '\0';
- return out_string;
-}
-
-
-/*
- * XXX Everything below is deprecated. If you add new stuff, put it
- * *above*, not below.
- */
-
-/*
- * XXX The following "BTOA" functions are provided for backward compatibility
- * with current code. They should be considered strongly deprecated.
- * When we can convert all our code over to using the new NSSBase64Encoder_
- * functions defined above, we should get rid of these altogether. (Remove
- * protoypes from base64.h as well -- actually, remove that file completely).
- * If someone thinks either of these functions provides such a very useful
- * interface (though, as shown, the same functionality can already be
- * obtained by calling NSSBase64_EncodeItem directly), fine -- but then
- * that API should be provided with a nice new NSSFoo name and using
- * appropriate types, etc.
- */
-
-#include "base64.h"
-
-/*
-** Return an PORT_Alloc'd ascii string which is the base64 encoded
-** version of the input string.
-*/
-char *
-BTOA_DataToAscii(const unsigned char *data, unsigned int len)
-{
- SECItem binary_item;
-
- binary_item.data = (unsigned char *)data;
- binary_item.len = len;
-
- return NSSBase64_EncodeItem (NULL, NULL, 0, &binary_item);
-}
-
-/*
-** Convert from binary encoding of an item to ascii.
-*/
-char *
-BTOA_ConvertItemToAscii (SECItem *binary_item)
-{
- return NSSBase64_EncodeItem (NULL, NULL, 0, binary_item);
-}
diff --git a/security/nss/lib/util/nssb64t.h b/security/nss/lib/util/nssb64t.h
deleted file mode 100644
index b7b079d8c..000000000
--- a/security/nss/lib/util/nssb64t.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Public data structures for base64 encoding/decoding.
- *
- * $Id$
- */
-#ifndef _NSSB64T_H_
-#define _NSSB64T_H_
-
-typedef struct NSSBase64DecoderStr NSSBase64Decoder;
-typedef struct NSSBase64EncoderStr NSSBase64Encoder;
-
-#endif /* _NSSB64T_H_ */
diff --git a/security/nss/lib/util/nsslocks.c b/security/nss/lib/util/nsslocks.c
deleted file mode 100644
index c3bb0f0f2..000000000
--- a/security/nss/lib/util/nsslocks.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * nsslocks.h - threadsafe functions to initialize lock pointers.
- *
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "nsslocks.h"
-#include "pratom.h"
-#include "prthread.h"
-
-/* Given the address of a (global) pointer to a PRLock,
- * atomicly create the lock and initialize the (global) pointer,
- * if it is not already created/initialized.
- */
-
-SECStatus
-nss_InitLock( PRLock **ppLock)
-{
- static PRInt32 initializers;
-
- PORT_Assert( ppLock != NULL);
-
- /* atomically initialize the lock */
- while (!*ppLock) {
- PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
- if (myAttempt == 1) {
- *ppLock = PR_NewLock();
- (void) PR_AtomicDecrement(&initializers);
- break;
- }
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield() */
- (void) PR_AtomicDecrement(&initializers);
- }
-
- return (*ppLock != NULL) ? SECSuccess : SECFailure;
-}
-
-/* Given the address of a (global) pointer to a PRMonitor,
- * atomicly create the monitor and initialize the (global) pointer,
- * if it is not already created/initialized.
- */
-
-SECStatus
-nss_InitMonitor(PRMonitor **ppMonitor)
-{
- static PRInt32 initializers;
-
- PORT_Assert( ppMonitor != NULL);
-
- /* atomically initialize the lock */
- while (!*ppMonitor) {
- PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
- if (myAttempt == 1) {
- *ppMonitor = PR_NewMonitor();
- (void) PR_AtomicDecrement(&initializers);
- break;
- }
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield() */
- (void) PR_AtomicDecrement(&initializers);
- }
-
- return (*ppMonitor != NULL) ? SECSuccess : SECFailure;
-}
diff --git a/security/nss/lib/util/nsslocks.h b/security/nss/lib/util/nsslocks.h
deleted file mode 100644
index 466a1ab4d..000000000
--- a/security/nss/lib/util/nsslocks.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * nsslocks.h - threadsafe functions to initialize lock pointers.
- *
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#ifndef _NSSLOCKS_H_
-#define _NSSLOCKS_H_
-
-#include "seccomon.h"
-#include "prlock.h"
-#include "prmon.h"
-
-SEC_BEGIN_PROTOS
-
-/* Given the address of a (global) pointer to a PRLock,
- * atomicly create the lock and initialize the (global) pointer,
- * if it is not already created/initialized.
- */
-
-extern SECStatus nss_InitLock( PRLock **ppLock);
-
-/* Given the address of a (global) pointer to a PRMonitor,
- * atomicly create the monitor and initialize the (global) pointer,
- * if it is not already created/initialized.
- */
-
-extern SECStatus nss_InitMonitor(PRMonitor **ppMonitor);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/util/nssrwlk.c b/security/nss/lib/util/nssrwlk.c
deleted file mode 100644
index 0c4ece1ee..000000000
--- a/security/nss/lib/util/nssrwlk.c
+++ /dev/null
@@ -1,512 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "nssrwlk.h"
-#include "nspr.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Reader-writer lock
- */
-struct nssRWLockStr {
- PRLock * rw_lock;
- char * rw_name; /* lock name */
- PRUint32 rw_rank; /* rank of the lock */
- PRInt32 rw_writer_locks; /* == 0, if unlocked */
- PRInt32 rw_reader_locks; /* == 0, if unlocked */
- /* > 0 , # of read locks */
- PRUint32 rw_waiting_readers; /* number of waiting readers */
- PRUint32 rw_waiting_writers; /* number of waiting writers */
- PRCondVar * rw_reader_waitq; /* cvar for readers */
- PRCondVar * rw_writer_waitq; /* cvar for writers */
- PRThread * rw_owner; /* lock owner for write-lock */
- /* Non-null if write lock held. */
-};
-
-PR_END_EXTERN_C
-
-#include <string.h>
-
-#ifdef DEBUG_RANK_ORDER
-#define NSS_RWLOCK_RANK_ORDER_DEBUG /* enable deadlock detection using
- rank-order for locks
- */
-#endif
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-
-static PRUintn nss_thread_rwlock_initialized;
-static PRUintn nss_thread_rwlock; /* TPD key for lock stack */
-static PRUintn nss_thread_rwlock_alloc_failed;
-
-#define _NSS_RWLOCK_RANK_ORDER_LIMIT 10
-
-typedef struct thread_rwlock_stack {
- PRInt32 trs_index; /* top of stack */
- NSSRWLock *trs_stack[_NSS_RWLOCK_RANK_ORDER_LIMIT]; /* stack of lock
- pointers */
-} thread_rwlock_stack;
-
-/* forward static declarations. */
-static PRUint32 nssRWLock_GetThreadRank(PRThread *me);
-static void nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock);
-static void nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock);
-static void nssRWLock_ReleaseLockStack(void *lock_stack);
-
-#endif
-
-#define UNTIL(x) while(!(x))
-
-/*
- * Reader/Writer Locks
- */
-
-/*
- * NSSRWLock_New
- * Create a reader-writer lock, with the given lock rank and lock name
- *
- */
-
-PR_IMPLEMENT(NSSRWLock *)
-NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
-{
- NSSRWLock *rwlock;
-
- rwlock = PR_NEWZAP(NSSRWLock);
- if (rwlock == NULL)
- return NULL;
-
- rwlock->rw_lock = PR_NewLock();
- if (rwlock->rw_lock == NULL) {
- goto loser;
- }
- rwlock->rw_reader_waitq = PR_NewCondVar(rwlock->rw_lock);
- if (rwlock->rw_reader_waitq == NULL) {
- goto loser;
- }
- rwlock->rw_writer_waitq = PR_NewCondVar(rwlock->rw_lock);
- if (rwlock->rw_writer_waitq == NULL) {
- goto loser;
- }
- if (lock_name != NULL) {
- rwlock->rw_name = (char*) PR_Malloc(strlen(lock_name) + 1);
- if (rwlock->rw_name == NULL) {
- goto loser;
- }
- strcpy(rwlock->rw_name, lock_name);
- } else {
- rwlock->rw_name = NULL;
- }
- rwlock->rw_rank = lock_rank;
- rwlock->rw_waiting_readers = 0;
- rwlock->rw_waiting_writers = 0;
- rwlock->rw_reader_locks = 0;
- rwlock->rw_writer_locks = 0;
-
- return rwlock;
-
-loser:
- NSSRWLock_Destroy(rwlock);
- return(NULL);
-}
-
-/*
-** Destroy the given RWLock "lock".
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_Destroy(NSSRWLock *rwlock)
-{
- PR_ASSERT(rwlock != NULL);
- PR_ASSERT(rwlock->rw_waiting_readers == 0);
-
- /* XXX Shouldn't we lock the PRLock before destroying this?? */
-
- if (rwlock->rw_name)
- PR_Free(rwlock->rw_name);
- if (rwlock->rw_reader_waitq)
- PR_DestroyCondVar(rwlock->rw_reader_waitq);
- if (rwlock->rw_writer_waitq)
- PR_DestroyCondVar(rwlock->rw_writer_waitq);
- if (rwlock->rw_lock)
- PR_DestroyLock(rwlock->rw_lock);
- PR_DELETE(rwlock);
-}
-
-/***********************************************************************
-** Given the address of a NULL pointer to a NSSRWLock,
-** atomically initializes that pointer to a newly created NSSRWLock.
-** Returns the value placed into that pointer, or NULL.
-** If the lock cannot be created because of resource constraints,
-** the pointer will be left NULL.
-**
-***********************************************************************/
-PR_IMPLEMENT(NSSRWLock *)
-nssRWLock_AtomicCreate( NSSRWLock ** prwlock,
- PRUint32 lock_rank,
- const char * lock_name)
-{
- NSSRWLock * rwlock;
- static PRInt32 initializers;
-
- PR_ASSERT(prwlock != NULL);
-
- /* atomically initialize the lock */
- while (NULL == (rwlock = *prwlock)) {
- PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
- if (myAttempt == 1) {
- *prwlock = rwlock = NSSRWLock_New(lock_rank, lock_name);
- (void) PR_AtomicDecrement(&initializers);
- break;
- }
- PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield() */
- (void) PR_AtomicDecrement(&initializers);
- }
-
- return rwlock;
-}
-
-/*
-** Read-lock the RWLock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_LockRead(NSSRWLock *rwlock)
-{
- PRThread *me = PR_GetCurrentThread();
-
- PR_Lock(rwlock->rw_lock);
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-
- /*
- * assert that rank ordering is not violated; the rank of 'rwlock' should
- * be equal to or greater than the highest rank of all the locks held by
- * the thread.
- */
- PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
- (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
-#endif
- /*
- * wait if write-locked or if a writer is waiting; preference for writers
- */
- UNTIL ( (rwlock->rw_owner == me) || /* I own it, or */
- ((rwlock->rw_owner == NULL) && /* no-one owns it, and */
- (rwlock->rw_waiting_writers == 0))) { /* no-one is waiting to own */
-
- rwlock->rw_waiting_readers++;
- PR_WaitCondVar(rwlock->rw_reader_waitq, PR_INTERVAL_NO_TIMEOUT);
- rwlock->rw_waiting_readers--;
- }
- rwlock->rw_reader_locks++; /* Increment read-lock count */
-
- PR_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
- nssRWLock_SetThreadRank(me, rwlock);/* update thread's lock rank */
-#endif
-}
-
-/* Unlock a Read lock held on this RW lock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_UnlockRead(NSSRWLock *rwlock)
-{
- PRThread *me = PR_GetCurrentThread();
-
- PR_Lock(rwlock->rw_lock);
-
- PR_ASSERT(rwlock->rw_reader_locks > 0); /* lock must be read locked */
-
- if (( rwlock->rw_reader_locks > 0) && /* caller isn't screwey */
- (--rwlock->rw_reader_locks == 0) && /* not read locked any more */
- ( rwlock->rw_owner == NULL) && /* not write locked */
- ( rwlock->rw_waiting_writers > 0)) { /* someone's waiting. */
-
- PR_NotifyCondVar(rwlock->rw_writer_waitq); /* wake him up. */
- }
-
- PR_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
- /*
- * update thread's lock rank
- */
- nssRWLock_UnsetThreadRank(me, rwlock);
-#endif
- return;
-}
-
-/*
-** Write-lock the RWLock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_LockWrite(NSSRWLock *rwlock)
-{
- PRInt32 lock_acquired = 0;
- PRThread *me = PR_GetCurrentThread();
-
- PR_Lock(rwlock->rw_lock);
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
- /*
- * assert that rank ordering is not violated; the rank of 'rwlock' should
- * be equal to or greater than the highest rank of all the locks held by
- * the thread.
- */
- PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
- (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
-#endif
- /*
- * wait if read locked or write locked.
- */
- PR_ASSERT(rwlock->rw_reader_locks >= 0);
- PR_ASSERT(me != NULL);
-
- UNTIL ( (rwlock->rw_owner == me) || /* I own write lock, or */
- ((rwlock->rw_owner == NULL) && /* no writer and */
- (rwlock->rw_reader_locks == 0))) { /* no readers, either. */
-
- rwlock->rw_waiting_writers++;
- PR_WaitCondVar(rwlock->rw_writer_waitq, PR_INTERVAL_NO_TIMEOUT);
- rwlock->rw_waiting_writers--;
- PR_ASSERT(rwlock->rw_reader_locks >= 0);
- }
-
- PR_ASSERT(rwlock->rw_reader_locks == 0);
- /*
- * apply write lock
- */
- rwlock->rw_owner = me;
- rwlock->rw_writer_locks++; /* Increment write-lock count */
-
- PR_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
- /*
- * update thread's lock rank
- */
- nssRWLock_SetThreadRank(me,rwlock);
-#endif
-}
-
-/* Unlock a Read lock held on this RW lock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_UnlockWrite(NSSRWLock *rwlock)
-{
- PRThread *me = PR_GetCurrentThread();
-
- PR_Lock(rwlock->rw_lock);
- PR_ASSERT(rwlock->rw_owner == me); /* lock must be write-locked by me. */
- PR_ASSERT(rwlock->rw_writer_locks > 0); /* lock must be write locked */
-
- if ( rwlock->rw_owner == me && /* I own it, and */
- rwlock->rw_writer_locks > 0 && /* I own it, and */
- --rwlock->rw_writer_locks == 0) { /* I'm all done with it */
-
- rwlock->rw_owner = NULL; /* I don't own it any more. */
-
- if (rwlock->rw_reader_locks == 0) { /* no readers, wake up somebody. */
- /* Give preference to waiting writers. */
- if (rwlock->rw_waiting_writers > 0)
- PR_NotifyCondVar(rwlock->rw_writer_waitq);
- else if (rwlock->rw_waiting_readers > 0)
- PR_NotifyAllCondVar(rwlock->rw_reader_waitq);
- }
- }
- PR_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
- /*
- * update thread's lock rank
- */
- nssRWLock_UnsetThreadRank(me, rwlock);
-#endif
- return;
-}
-
-/* This is primarily for debugging, i.e. for inclusion in ASSERT calls. */
-PR_IMPLEMENT(PRBool)
-NSSRWLock_HaveWriteLock(NSSRWLock *rwlock) {
- PRBool ownWriteLock;
- PRThread *me = PR_GetCurrentThread();
-
- /* This lock call isn't really necessary.
- ** If this thread is the owner, that fact cannot change during this call,
- ** because this thread is in this call.
- ** If this thread is NOT the owner, the owner could change, but it
- ** could not become this thread.
- */
-#if UNNECESSARY
- PR_Lock(rwlock->rw_lock);
-#endif
- ownWriteLock = (PRBool)(me == rwlock->rw_owner);
-#if UNNECESSARY
- PR_Unlock(rwlock->rw_lock);
-#endif
- return ownWriteLock;
-}
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-
-/*
- * nssRWLock_SetThreadRank
- * Set a thread's lock rank, which is the highest of the ranks of all
- * the locks held by the thread. Pointers to the locks are added to a
- * per-thread list, which is anchored off a thread-private data key.
- */
-
-static void
-nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock)
-{
- thread_rwlock_stack *lock_stack;
- PRStatus rv;
-
- /*
- * allocated thread-private-data for rwlock list, if not already allocated
- */
- if (!nss_thread_rwlock_initialized) {
- /*
- * allocate tpd, only if not failed already
- */
- if (!nss_thread_rwlock_alloc_failed) {
- if (PR_NewThreadPrivateIndex(&nss_thread_rwlock,
- nssRWLock_ReleaseLockStack)
- == PR_FAILURE) {
- nss_thread_rwlock_alloc_failed = 1;
- return;
- }
- } else
- return;
- }
- /*
- * allocate a lock stack
- */
- if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL) {
- lock_stack = (thread_rwlock_stack *)
- PR_CALLOC(1 * sizeof(thread_rwlock_stack));
- if (lock_stack) {
- rv = PR_SetThreadPrivate(nss_thread_rwlock, lock_stack);
- if (rv == PR_FAILURE) {
- PR_DELETE(lock_stack);
- nss_thread_rwlock_alloc_failed = 1;
- return;
- }
- } else {
- nss_thread_rwlock_alloc_failed = 1;
- return;
- }
- }
- /*
- * add rwlock to lock stack, if limit is not exceeded
- */
- if (lock_stack) {
- if (lock_stack->trs_index < _NSS_RWLOCK_RANK_ORDER_LIMIT)
- lock_stack->trs_stack[lock_stack->trs_index++] = rwlock;
- }
- nss_thread_rwlock_initialized = 1;
-}
-
-static void
-nssRWLock_ReleaseLockStack(void *lock_stack)
-{
- PR_ASSERT(lock_stack);
- PR_DELETE(lock_stack);
-}
-
-/*
- * nssRWLock_GetThreadRank
- *
- * return thread's lock rank. If thread-private-data for the lock
- * stack is not allocated, return NSS_RWLOCK_RANK_NONE.
- */
-
-static PRUint32
-nssRWLock_GetThreadRank(PRThread *me)
-{
- thread_rwlock_stack *lock_stack;
-
- if (nss_thread_rwlock_initialized) {
- if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL)
- return (NSS_RWLOCK_RANK_NONE);
- else
- return(lock_stack->trs_stack[lock_stack->trs_index - 1]->rw_rank);
-
- } else
- return (NSS_RWLOCK_RANK_NONE);
-}
-
-/*
- * nssRWLock_UnsetThreadRank
- *
- * remove the rwlock from the lock stack. Since locks may not be
- * unlocked in a FIFO order, the entire lock stack is searched.
- */
-
-static void
-nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock)
-{
- thread_rwlock_stack *lock_stack;
- int new_index = 0, index, done = 0;
-
- if (!nss_thread_rwlock_initialized)
- return;
-
- lock_stack = PR_GetThreadPrivate(nss_thread_rwlock);
-
- PR_ASSERT(lock_stack != NULL);
-
- index = lock_stack->trs_index - 1;
- while (index-- >= 0) {
- if ((lock_stack->trs_stack[index] == rwlock) && !done) {
- /*
- * reset the slot for rwlock
- */
- lock_stack->trs_stack[index] = NULL;
- done = 1;
- }
- /*
- * search for the lowest-numbered empty slot, above which there are
- * no non-empty slots
- */
- if ((lock_stack->trs_stack[index] != NULL) && !new_index)
- new_index = index + 1;
- if (done && new_index)
- break;
- }
- /*
- * set top of stack to highest numbered empty slot
- */
- lock_stack->trs_index = new_index;
-
-}
-
-#endif /* NSS_RWLOCK_RANK_ORDER_DEBUG */
diff --git a/security/nss/lib/util/nssrwlk.h b/security/nss/lib/util/nssrwlk.h
deleted file mode 100644
index 3cad4b72d..000000000
--- a/security/nss/lib/util/nssrwlk.h
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
-** File: nsrwlock.h
-** Description: API to basic reader-writer lock functions of NSS.
-** These are re-entrant reader writer locks; that is,
-** If I hold the write lock, I can ask for it and get it again.
-** If I hold the write lock, I can also ask for and get a read lock.
-** I can then release the locks in any order (read or write).
-** I must release each lock type as many times as I acquired it.
-** Otherwise, these are normal reader/writer locks.
-**
-** For deadlock detection, locks should be ranked, and no lock may be aquired
-** while I hold a lock of higher rank number.
-** If you don't want that feature, always use NSS_RWLOCK_RANK_NONE.
-** Lock name is for debugging, and is optional (may be NULL)
-**/
-
-#ifndef nssrwlk_h___
-#define nssrwlk_h___
-
-#include "prtypes.h"
-#include "nssrwlkt.h"
-
-#define NSS_RWLOCK_RANK_NONE 0
-
-/* SEC_BEGIN_PROTOS */
-PR_BEGIN_EXTERN_C
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_New
-** DESCRIPTION:
-** Returns a pointer to a newly created reader-writer lock object.
-** INPUTS: Lock rank
-** Lock name
-** OUTPUTS: void
-** RETURN: NSSRWLock*
-** If the lock cannot be created because of resource constraints, NULL
-** is returned.
-**
-***********************************************************************/
-PR_EXTERN(NSSRWLock*) NSSRWLock_New(PRUint32 lock_rank, const char *lock_name);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_AtomicCreate
-** DESCRIPTION:
-** Given the address of a NULL pointer to a NSSRWLock,
-** atomically initializes that pointer to a newly created NSSRWLock.
-** Returns the value placed into that pointer, or NULL.
-**
-** INPUTS: address of NSRWLock pointer
-** Lock rank
-** Lock name
-** OUTPUTS: NSSRWLock*
-** RETURN: NSSRWLock*
-** If the lock cannot be created because of resource constraints,
-** the pointer will be left NULL.
-**
-***********************************************************************/
-PR_EXTERN(NSSRWLock *)
-nssRWLock_AtomicCreate( NSSRWLock ** prwlock,
- PRUint32 lock_rank,
- const char * lock_name);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_Destroy
-** DESCRIPTION:
-** Destroys a given RW lock object.
-** INPUTS: NSSRWLock *lock - Lock to be freed.
-** OUTPUTS: void
-** RETURN: None
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_Destroy(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_LockRead
-** DESCRIPTION:
-** Apply a read lock (non-exclusive) on a RWLock
-** INPUTS: NSSRWLock *lock - Lock to be read-locked.
-** OUTPUTS: void
-** RETURN: None
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_LockRead(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_LockWrite
-** DESCRIPTION:
-** Apply a write lock (exclusive) on a RWLock
-** INPUTS: NSSRWLock *lock - Lock to write-locked.
-** OUTPUTS: void
-** RETURN: None
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_LockWrite(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_UnlockRead
-** DESCRIPTION:
-** Release a Read lock. Unlocking an unlocked lock has undefined results.
-** INPUTS: NSSRWLock *lock - Lock to unlocked.
-** OUTPUTS: void
-** RETURN: void
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_UnlockRead(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_UnlockWrite
-** DESCRIPTION:
-** Release a Write lock. Unlocking an unlocked lock has undefined results.
-** INPUTS: NSSRWLock *lock - Lock to unlocked.
-** OUTPUTS: void
-** RETURN: void
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_UnlockWrite(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION: NSSRWLock_HaveWriteLock
-** DESCRIPTION:
-** Tells caller whether the current thread holds the write lock, or not.
-** INPUTS: NSSRWLock *lock - Lock to test.
-** OUTPUTS: void
-** RETURN: PRBool PR_TRUE IFF the current thread holds the write lock.
-***********************************************************************/
-
-PR_EXTERN(PRBool) NSSRWLock_HaveWriteLock(NSSRWLock *rwlock);
-
-/* SEC_END_PROTOS */
-PR_END_EXTERN_C
-
-#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/nssrwlkt.h b/security/nss/lib/util/nssrwlkt.h
deleted file mode 100644
index 62f53bf4f..000000000
--- a/security/nss/lib/util/nssrwlkt.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef nssrwlkt_h___
-#define nssrwlkt_h___
-
-/*
- * NSSRWLock --
- *
- * The reader writer lock, NSSRWLock, is an opaque object to the clients
- * of NSS. All routines operate on a pointer to this opaque entity.
- */
-
-typedef struct nssRWLockStr NSSRWLock;
-
-
-#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/os2_rand.c b/security/nss/lib/util/os2_rand.c
deleted file mode 100644
index cbe20a205..000000000
--- a/security/nss/lib/util/os2_rand.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#define INCL_DOS
-#define INCL_DOSERRORS
-#include <os2.h>
-#include <secrng.h>
-#include <stdlib.h>
-
-static BOOL clockTickTime(unsigned long *phigh, unsigned long *plow)
-{
- APIRET rc = NO_ERROR;
- QWORD qword = {0,0};
-
- rc = DosTmrQueryTime(&qword);
- if (rc != NO_ERROR)
- return FALSE;
-
- *phigh = qword.ulHi;
- *plow = qword.ulLo;
-
- return TRUE;
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbuf)
-{
- unsigned long high = 0;
- unsigned long low = 0;
- clock_t val = 0;
- int n = 0;
- int nBytes = 0;
- time_t sTime;
-
- if (maxbuf <= 0)
- return 0;
-
- clockTickTime(&high, &low);
-
- /* get the maximally changing bits first */
- nBytes = sizeof(low) > maxbuf ? maxbuf : sizeof(low);
- memcpy(buf, &low, nBytes);
- n += nBytes;
- maxbuf -= nBytes;
-
- if (maxbuf <= 0)
- return n;
-
- nBytes = sizeof(high) > maxbuf ? maxbuf : sizeof(high);
- memcpy(((char *)buf) + n, &high, nBytes);
- n += nBytes;
- maxbuf -= nBytes;
-
- if (maxbuf <= 0)
- return n;
-
- /* get the number of milliseconds that have elapsed since application started */
- val = clock();
-
- nBytes = sizeof(val) > maxbuf ? maxbuf : sizeof(val);
- memcpy(((char *)buf) + n, &val, nBytes);
- n += nBytes;
- maxbuf -= nBytes;
-
- if (maxbuf <= 0)
- return n;
-
- /* get the time in seconds since midnight Jan 1, 1970 */
- time(&sTime);
- nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
- memcpy(((char *)buf) + n, &sTime, nBytes);
- n += nBytes;
-
- return n;
-}
-
-void RNG_SystemInfoForRNG(void)
-{
- unsigned long *plong = 0;
- PTIB ptib;
- PPIB ppib;
- APIRET rc = NO_ERROR;
- DATETIME dt;
- COUNTRYCODE cc;
- COUNTRYINFO ci;
- unsigned long actual;
- char path[_MAX_PATH]="";
- unsigned long pathlength = sizeof(path);
- FSALLOCATE fsallocate;
- FILESTATUS3 fstatus;
- unsigned long defaultdrive = 0;
- unsigned long logicaldrives = 0;
- unsigned long counter = 0;
- char buffer[20];
- int nBytes = 0;
-
- nBytes = RNG_GetNoise(buffer, sizeof(buffer));
- RNG_RandomUpdate(buffer, nBytes);
-
- /* allocate memory and use address and memory */
- plong = (unsigned long *)malloc(sizeof(*plong));
- RNG_RandomUpdate(&plong, sizeof(plong));
- RNG_RandomUpdate(plong, sizeof(*plong));
- free(plong);
-
- /* process info */
- rc = DosGetInfoBlocks(&ptib, &ppib);
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(ptib, sizeof(*ptib));
- RNG_RandomUpdate(ppib, sizeof(*ppib));
- }
-
- /* time */
- rc = DosGetDateTime(&dt);
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(&dt, sizeof(dt));
- }
-
- /* country */
- rc = DosQueryCtryInfo(sizeof(ci), &cc, &ci, &actual);
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(&cc, sizeof(cc));
- RNG_RandomUpdate(&ci, sizeof(ci));
- RNG_RandomUpdate(&actual, sizeof(actual));
- }
-
- /* current directory */
- rc = DosQueryCurrentDir(0, path, &pathlength);
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(path, strlen(path));
- // path info
- rc = DosQueryPathInfo(path, FIL_STANDARD, &fstatus, sizeof(fstatus));
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(&fstatus, sizeof(fstatus));
- }
- }
-
- /* file system info */
- rc = DosQueryFSInfo(0, FSIL_ALLOC, &fsallocate, sizeof(fsallocate));
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(&fsallocate, sizeof(fsallocate));
- }
-
- /* drive info */
- rc = DosQueryCurrentDisk(&defaultdrive, &logicaldrives);
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(&defaultdrive, sizeof(defaultdrive));
- RNG_RandomUpdate(&logicaldrives, sizeof(logicaldrives));
- }
-
- /* system info */
- rc = DosQuerySysInfo(QSV_MS_COUNT, QSV_MS_COUNT, &counter, sizeof(counter));
- if (rc == NO_ERROR)
- {
- RNG_RandomUpdate(&counter, sizeof(counter));
- }
-
- /* more noise */
- nBytes = RNG_GetNoise(buffer, sizeof(buffer));
- RNG_RandomUpdate(buffer, nBytes);
-}
-
-void RNG_FileForRNG(char *filename)
-{
- struct stat stat_buf;
- unsigned char buffer[1024];
- FILE *file = 0;
- int nBytes = 0;
- static int totalFileBytes = 0;
-
- if (stat((char *)filename, &stat_buf) < 0)
- return;
-
- RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-
- file = fopen((char *)filename, "r");
- if (file != NULL)
- {
- for (;;)
- {
- size_t bytes = fread(buffer, 1, sizeof(buffer), file);
-
- if (bytes == 0)
- break;
-
- RNG_RandomUpdate(buffer, bytes);
- totalFileBytes += bytes;
- if (totalFileBytes > 250000)
- break;
- }
- fclose(file);
- }
-
- nBytes = RNG_GetNoise(buffer, 20);
- RNG_RandomUpdate(buffer, nBytes);
-}
diff --git a/security/nss/lib/util/portreg.c b/security/nss/lib/util/portreg.c
deleted file mode 100644
index 79d13d67c..000000000
--- a/security/nss/lib/util/portreg.c
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * shexp.c: shell-like wildcard match routines
- *
- *
- * See shexp.h for public documentation.
- *
- */
-
-#include "seccomon.h"
-#include "portreg.h"
-
-/* ----------------------------- shexp_valid ------------------------------ */
-
-
-static int
-_valid_subexp(char *exp, char stop)
-{
- register int x,y,t;
- int nsc,np,tld;
-
- x=0;nsc=0;tld=0;
-
- while(exp[x] && (exp[x] != stop)) {
- switch(exp[x]) {
- case '~':
- if(tld) return INVALID_SXP;
- else ++tld;
- case '*':
- case '?':
- case '^':
- case '$':
- ++nsc;
- break;
- case '[':
- ++nsc;
- if((!exp[++x]) || (exp[x] == ']'))
- return INVALID_SXP;
- for(++x;exp[x] && (exp[x] != ']');++x)
- if(exp[x] == '\\')
- if(!exp[++x])
- return INVALID_SXP;
- if(!exp[x])
- return INVALID_SXP;
- break;
- case '(':
- ++nsc;np = 0;
- while(1) {
- if(exp[++x] == ')')
- return INVALID_SXP;
- for(y=x;(exp[y]) && (exp[y] != '|') && (exp[y] != ')');++y)
- if(exp[y] == '\\')
- if(!exp[++y])
- return INVALID_SXP;
- if(!exp[y])
- return INVALID_SXP;
- if(exp[y] == '|')
- ++np;
- t = _valid_subexp(&exp[x],exp[y]);
- if(t == INVALID_SXP)
- return INVALID_SXP;
- x+=t;
- if(exp[x] == ')') {
- if(!np)
- return INVALID_SXP;
- break;
- }
- }
- break;
- case ')':
- case ']':
- return INVALID_SXP;
- case '\\':
- if(!exp[++x])
- return INVALID_SXP;
- default:
- break;
- }
- ++x;
- }
- if((!stop) && (!nsc))
- return NON_SXP;
- return ((exp[x] == stop) ? x : INVALID_SXP);
-}
-
-int
-PORT_RegExpValid(char *exp)
-{
- int x;
-
- x = _valid_subexp(exp, '\0');
- return (x < 0 ? x : VALID_SXP);
-}
-
-
-/* ----------------------------- shexp_match ----------------------------- */
-
-
-#define MATCH 0
-#define NOMATCH 1
-#define ABORTED -1
-
-static int _shexp_match(char *str, char *exp, PRBool case_insensitive);
-
-static int
-_handle_union(char *str, char *exp, PRBool case_insensitive)
-{
- char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
- register int t,p2,p1 = 1;
- int cp;
-
- while(1) {
- for(cp=1;exp[cp] != ')';cp++)
- if(exp[cp] == '\\')
- ++cp;
- for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
- if(exp[p1] == '\\')
- e2[p2++] = exp[p1++];
- e2[p2] = exp[p1];
- }
- for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
- if(_shexp_match(str,e2, case_insensitive) == MATCH) {
- PORT_Free(e2);
- return MATCH;
- }
- if(p1 == cp) {
- PORT_Free(e2);
- return NOMATCH;
- }
- else ++p1;
- }
-}
-
-
-static int
-_shexp_match(char *str, char *exp, PRBool case_insensitive)
-{
- register int x,y;
- int ret,neg;
-
- ret = 0;
- for(x=0,y=0;exp[y];++y,++x) {
- if((!str[x]) && (exp[y] != '(') && (exp[y] != '$') && (exp[y] != '*'))
- ret = ABORTED;
- else {
- switch(exp[y]) {
- case '$':
- if( (str[x]) )
- ret = NOMATCH;
- else
- --x; /* we don't want loop to increment x */
- break;
- case '*':
- while(exp[++y] == '*'){}
- if(!exp[y])
- return MATCH;
- while(str[x]) {
- switch(_shexp_match(&str[x++],&exp[y], case_insensitive)) {
- case NOMATCH:
- continue;
- case ABORTED:
- ret = ABORTED;
- break;
- default:
- return MATCH;
- }
- break;
- }
- if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
- return MATCH;
- else
- ret = ABORTED;
- break;
- case '[':
- neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
- if (neg)
- ++y;
-
- if ((isalnum(exp[y])) && (exp[y+1] == '-') &&
- (isalnum(exp[y+2])) && (exp[y+3] == ']'))
- {
- int start = exp[y], end = exp[y+2];
-
- /* no safeguards here */
- if(neg ^ ((str[x] < start) || (str[x] > end))) {
- ret = NOMATCH;
- break;
- }
- y+=3;
- }
- else {
- int matched;
-
- for (matched=0;exp[y] != ']';y++)
- matched |= (str[x] == exp[y]);
- if (neg ^ (!matched))
- ret = NOMATCH;
- }
- break;
- case '(':
- return _handle_union(&str[x],&exp[y], case_insensitive);
- break;
- case '?':
- break;
- case '\\':
- ++y;
- default:
- if(case_insensitive)
- {
- if(toupper(str[x]) != toupper(exp[y]))
- ret = NOMATCH;
- }
- else
- {
- if(str[x] != exp[y])
- ret = NOMATCH;
- }
- break;
- }
- }
- if(ret)
- break;
- }
- return (ret ? ret : (str[x] ? NOMATCH : MATCH));
-}
-
-int
-PORT_RegExpMatch(char *str, char *xp, PRBool case_insensitive) {
- register int x;
- char *exp = 0;
-
- exp = PORT_Strdup(xp);
-
- if(!exp)
- return 1;
-
- for(x=strlen(exp)-1;x;--x) {
- if((exp[x] == '~') && (exp[x-1] != '\\')) {
- exp[x] = '\0';
- if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH)
- goto punt;
- break;
- }
- }
- if(_shexp_match(str,exp, PR_FALSE) == MATCH) {
- PORT_Free(exp);
- return 0;
- }
-
- punt:
- PORT_Free(exp);
- return 1;
-}
-
-
-/* ------------------------------ shexp_cmp ------------------------------- */
-
-int
-PORT_RegExpSearch(char *str, char *exp)
-{
- switch(PORT_RegExpValid(exp))
- {
- case INVALID_SXP:
- return -1;
- case NON_SXP:
- return (strcmp(exp,str) ? 1 : 0);
- default:
- return PORT_RegExpMatch(str, exp, PR_FALSE);
- }
-}
-
-int
-PORT_RegExpCaseSearch(char *str, char *exp)
-{
- switch(PORT_RegExpValid(exp))
- {
- case INVALID_SXP:
- return -1;
- case NON_SXP:
- return (strcmp(exp,str) ? 1 : 0);
- default:
- return PORT_RegExpMatch(str, exp, PR_TRUE);
- }
-}
-
diff --git a/security/nss/lib/util/portreg.h b/security/nss/lib/util/portreg.h
deleted file mode 100644
index 39a2df9d5..000000000
--- a/security/nss/lib/util/portreg.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * shexp.h: Defines and prototypes for shell exp. match routines
- *
- *
- * This routine will match a string with a shell expression. The expressions
- * accepted are based loosely on the expressions accepted by zsh.
- *
- * o * matches anything
- * o ? matches one character
- * o \ will escape a special character
- * o $ matches the end of the string
- * o [abc] matches one occurence of a, b, or c. The only character that needs
- * to be escaped in this is ], all others are not special.
- * o [a-z] matches any character between a and z
- * o [^az] matches any character except a or z
- * o ~ followed by another shell expression will remove any pattern
- * matching the shell expression from the match list
- * o (foo|bar) will match either the substring foo, or the substring bar.
- * These can be shell expressions as well.
- *
- * The public interface to these routines is documented below.
- *
- */
-
-#ifndef SHEXP_H
-#define SHEXP_H
-
-/*
- * Requires that the macro MALLOC be set to a "safe" malloc that will
- * exit if no memory is available.
- */
-
-
-/* --------------------------- Public routines ---------------------------- */
-
-
-/*
- * shexp_valid takes a shell expression exp as input. It returns:
- *
- * NON_SXP if exp is a standard string
- * INVALID_SXP if exp is a shell expression, but invalid
- * VALID_SXP if exp is a valid shell expression
- */
-
-#define NON_SXP -1
-#define INVALID_SXP -2
-#define VALID_SXP 1
-
-SEC_BEGIN_PROTOS
-
-extern int PORT_RegExpValid(char *exp);
-
-/* same as above but uses case insensitive search
- */
-extern int PORT_RegExpCaseSearch(char *str, char *exp);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/util/pqgutil.c b/security/nss/lib/util/pqgutil.c
deleted file mode 100644
index dad8c6b78..000000000
--- a/security/nss/lib/util/pqgutil.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#include "pqgutil.h"
-#include "prerror.h"
-#include "secitem.h"
-
-#define PQG_DEFAULT_CHUNKSIZE 2048 /* bytes */
-
-/**************************************************************************
- * Return a pointer to a new PQGParams struct that is a duplicate of *
- * the one passed as an argument. *
- * Return NULL on failure, or if NULL was passed in. *
- * *
- **************************************************************************/
-
-PQGParams *
-PQG_DupParams(const PQGParams *src)
-{
- PRArenaPool *arena;
- PQGParams *dest;
- SECStatus status;
-
- if (src == NULL) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return NULL;
- }
-
- arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- goto loser;
-
- dest = (PQGParams*)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
- if (dest == NULL)
- goto loser;
-
- dest->arena = arena;
-
- status = SECITEM_CopyItem(arena, &dest->prime, &src->prime);
- if (status != SECSuccess)
- goto loser;
-
- status = SECITEM_CopyItem(arena, &dest->subPrime, &src->subPrime);
- if (status != SECSuccess)
- goto loser;
-
- status = SECITEM_CopyItem(arena, &dest->base, &src->base);
- if (status != SECSuccess)
- goto loser;
-
- return dest;
-
-loser:
- if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
-}
-
-/**************************************************************************
- * Return a pointer to a new PQGParams struct that is constructed from *
- * copies of the arguments passed in. *
- * Return NULL on failure. *
- **************************************************************************/
-
-PQGParams *
-PQG_NewParams(const SECItem * prime, const SECItem * subPrime,
- const SECItem * base)
-{
- PQGParams * dest;
- PQGParams src;
-
- src.arena = NULL;
- src.prime = *prime;
- src.subPrime = *subPrime;
- src.base = *base;
- dest = PQG_DupParams(&src);
- return dest;
-}
-
-/**************************************************************************
- * Fills in caller's "prime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);
- **************************************************************************/
-SECStatus
-PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime)
-{
- return SECITEM_CopyItem(NULL, prime, &params->prime);
-}
-
-/**************************************************************************
- * Fills in caller's "subPrime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);
- **************************************************************************/
-SECStatus
-PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime)
-{
- return SECITEM_CopyItem(NULL, subPrime, &params->subPrime);
-}
-
-/**************************************************************************
- * Fills in caller's "base" SECItem with the base value in params.
- * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);
- **************************************************************************/
-SECStatus
-PQG_GetBaseFromParams(const PQGParams *params, SECItem * base)
-{
- return SECITEM_CopyItem(NULL, base, &params->base);
-}
-
-/**************************************************************************
- * Free the PQGParams struct and the things it points to. *
- **************************************************************************/
-void
-PQG_DestroyParams(PQGParams *params)
-{
- if (params == NULL)
- return;
- if (params->arena != NULL) {
- PORT_FreeArena(params->arena, PR_FALSE); /* don't zero it */
- return;
- }
- SECITEM_FreeItem(&params->prime, PR_FALSE); /* don't free prime */
- SECITEM_FreeItem(&params->subPrime, PR_FALSE); /* don't free subPrime */
- SECITEM_FreeItem(&params->base, PR_FALSE); /* don't free base */
- PORT_Free(params);
-}
-
-/**************************************************************************
- * Return a pointer to a new PQGVerify struct that is a duplicate of *
- * the one passed as an argument. *
- * Return NULL on failure, or if NULL was passed in. *
- **************************************************************************/
-
-PQGVerify *
-PQG_DupVerify(const PQGVerify *src)
-{
- PRArenaPool *arena;
- PQGVerify * dest;
- SECStatus status;
-
- if (src == NULL) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return NULL;
- }
-
- arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- goto loser;
-
- dest = (PQGVerify*)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
- if (dest == NULL)
- goto loser;
-
- dest->arena = arena;
- dest->counter = src->counter;
-
- status = SECITEM_CopyItem(arena, &dest->seed, &src->seed);
- if (status != SECSuccess)
- goto loser;
-
- status = SECITEM_CopyItem(arena, &dest->h, &src->h);
- if (status != SECSuccess)
- goto loser;
-
- return dest;
-
-loser:
- if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
-}
-
-/**************************************************************************
- * Return a pointer to a new PQGVerify struct that is constructed from *
- * copies of the arguments passed in. *
- * Return NULL on failure. *
- **************************************************************************/
-
-PQGVerify *
-PQG_NewVerify(unsigned int counter, const SECItem * seed, const SECItem * h)
-{
- PQGVerify * dest;
- PQGVerify src;
-
- src.arena = NULL;
- src.counter = counter;
- src.seed = *seed;
- src.h = *h;
- dest = PQG_DupVerify(&src);
- return dest;
-}
-
-/**************************************************************************
- * Returns the "counter" value from the PQGVerify.
- **************************************************************************/
-unsigned int
-PQG_GetCounterFromVerify(const PQGVerify *verify)
-{
- return verify->counter;
-}
-
-/**************************************************************************
- * Fills in caller's "seed" SECItem with the seed value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);
- **************************************************************************/
-SECStatus
-PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem * seed)
-{
- return SECITEM_CopyItem(NULL, seed, &verify->seed);
-}
-
-/**************************************************************************
- * Fills in caller's "h" SECItem with the h value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);
- **************************************************************************/
-SECStatus
-PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h)
-{
- return SECITEM_CopyItem(NULL, h, &verify->h);
-}
-
-/**************************************************************************
- * Free the PQGVerify struct and the things it points to. *
- **************************************************************************/
-
-void
-PQG_DestroyVerify(PQGVerify *vfy)
-{
- if (vfy == NULL)
- return;
- if (vfy->arena != NULL) {
- PORT_FreeArena(vfy->arena, PR_FALSE); /* don't zero it */
- return;
- }
- SECITEM_FreeItem(&vfy->seed, PR_FALSE); /* don't free seed */
- SECITEM_FreeItem(&vfy->h, PR_FALSE); /* don't free h */
- PORT_Free(vfy);
-}
diff --git a/security/nss/lib/util/pqgutil.h b/security/nss/lib/util/pqgutil.h
deleted file mode 100644
index 1ceb87803..000000000
--- a/security/nss/lib/util/pqgutil.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-#ifndef _PQGUTIL_H_
-#define _PQGUTIL_H_ 1
-
-#include "blapi.h"
-
-/**************************************************************************
- * Return a pointer to a new PQGParams struct that is a duplicate of *
- * the one passed as an argument. *
- * Return NULL on failure, or if NULL was passed in. *
- **************************************************************************/
-extern PQGParams * PQG_DupParams(const PQGParams *src);
-
-
-/**************************************************************************
- * Return a pointer to a new PQGParams struct that is constructed from *
- * copies of the arguments passed in. *
- * Return NULL on failure. *
- **************************************************************************/
-extern PQGParams * PQG_NewParams(const SECItem * prime,
- const SECItem * subPrime,
- const SECItem * base);
-
-
-/**************************************************************************
- * Fills in caller's "prime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);
- **************************************************************************/
-extern SECStatus PQG_GetPrimeFromParams(const PQGParams *params,
- SECItem * prime);
-
-
-/**************************************************************************
- * Fills in caller's "subPrime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);
- **************************************************************************/
-extern SECStatus PQG_GetSubPrimeFromParams(const PQGParams *params,
- SECItem * subPrime);
-
-
-/**************************************************************************
- * Fills in caller's "base" SECItem with the base value in params.
- * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);
- **************************************************************************/
-extern SECStatus PQG_GetBaseFromParams(const PQGParams *params, SECItem *base);
-
-
-/**************************************************************************
- * Free the PQGParams struct and the things it points to. *
- **************************************************************************/
-extern void PQG_DestroyParams(PQGParams *params);
-
-
-/**************************************************************************
- * Return a pointer to a new PQGVerify struct that is a duplicate of *
- * the one passed as an argument. *
- * Return NULL on failure, or if NULL was passed in. *
- **************************************************************************/
-extern PQGVerify * PQG_DupVerify(const PQGVerify *src);
-
-
-/**************************************************************************
- * Return a pointer to a new PQGVerify struct that is constructed from *
- * copies of the arguments passed in. *
- * Return NULL on failure. *
- **************************************************************************/
-extern PQGVerify * PQG_NewVerify(unsigned int counter, const SECItem * seed,
- const SECItem * h);
-
-
-/**************************************************************************
- * Returns "counter" value from the PQGVerify.
- **************************************************************************/
-extern unsigned int PQG_GetCounterFromVerify(const PQGVerify *verify);
-
-/**************************************************************************
- * Fills in caller's "seed" SECItem with the seed value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);
- **************************************************************************/
-extern SECStatus PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed);
-
-
-/**************************************************************************
- * Fills in caller's "h" SECItem with the h value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);
- **************************************************************************/
-extern SECStatus PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h);
-
-
-/**************************************************************************
- * Free the PQGVerify struct and the things it points to. *
- **************************************************************************/
-extern void PQG_DestroyVerify(PQGVerify *vfy);
-
-
-#endif
diff --git a/security/nss/lib/util/ret_cr16.s b/security/nss/lib/util/ret_cr16.s
deleted file mode 100644
index d1fffc577..000000000
--- a/security/nss/lib/util/ret_cr16.s
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef __LP64__
- .LEVEL 2.0W
-#else
- .LEVEL 1.1
-#endif
-
- .CODE ; equivalent to the following two lines
-; .SPACE $TEXT$,SORT=8
-; .SUBSPA $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
-
-ret_cr16
- .PROC
- .CALLINFO FRAME=0, NO_CALLS
- .EXPORT ret_cr16,ENTRY
- .ENTER
-; BV %r0(%rp)
- BV 0(%rp)
- MFCTL %cr16,%ret0
- .LEAVE
- .PROCEND
- .END
diff --git a/security/nss/lib/util/secalgid.c b/security/nss/lib/util/secalgid.c
deleted file mode 100644
index 7b04941a1..000000000
--- a/security/nss/lib/util/secalgid.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secoid.h"
-#include "secder.h" /* XXX remove this when remove the DERTemplate */
-#include "secasn1.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/* XXX Old template; want to expunge it eventually. */
-DERTemplate SECAlgorithmIDTemplate[] = {
- { DER_SEQUENCE,
- 0, NULL, sizeof(SECAlgorithmID) },
- { DER_OBJECT_ID,
- offsetof(SECAlgorithmID,algorithm), },
- { DER_OPTIONAL | DER_ANY,
- offsetof(SECAlgorithmID,parameters), },
- { 0, }
-};
-
-const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECAlgorithmID) },
- { SEC_ASN1_OBJECT_ID,
- offsetof(SECAlgorithmID,algorithm), },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(SECAlgorithmID,parameters), },
- { 0, }
-};
-
-SECOidTag
-SECOID_GetAlgorithmTag(SECAlgorithmID *id)
-{
- if (id == NULL || id->algorithm.data == NULL)
- return SEC_OID_UNKNOWN;
-
- return SECOID_FindOIDTag (&(id->algorithm));
-}
-
-SECStatus
-SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *id, SECOidTag which,
- SECItem *params)
-{
- SECOidData *oiddata;
- PRBool add_null_param;
-
- oiddata = SECOID_FindOIDByTag(which);
- if ( !oiddata ) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
-
- if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
- return SECFailure;
-
- switch (which) {
- case SEC_OID_MD2:
- case SEC_OID_MD4:
- case SEC_OID_MD5:
- case SEC_OID_SHA1:
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
- add_null_param = PR_TRUE;
- break;
- default:
- add_null_param = PR_FALSE;
- break;
- }
-
- if (params) {
- /*
- * I am specifically *not* enforcing the following assertion
- * (by following it up with an error and a return of failure)
- * because I do not want to introduce any change in the current
- * behavior. But I do want for us to notice if the following is
- * ever true, because I do not think it should be so and probably
- * signifies an error/bug somewhere.
- */
- PORT_Assert(!add_null_param || (params->len == 2
- && params->data[0] == SEC_ASN1_NULL
- && params->data[1] == 0));
- if (SECITEM_CopyItem(arena, &id->parameters, params)) {
- return SECFailure;
- }
- } else {
- /*
- * Again, this is not considered an error. But if we assume
- * that nobody tries to set the parameters field themselves
- * (but always uses this routine to do that), then we should
- * not hit the following assertion. Unless they forgot to zero
- * the structure, which could also be a bad (and wrong) thing.
- */
- PORT_Assert(id->parameters.data == NULL);
-
- if (add_null_param) {
- (void) SECITEM_AllocItem(arena, &id->parameters, 2);
- if (id->parameters.data == NULL) {
- return SECFailure;
- }
- id->parameters.data[0] = SEC_ASN1_NULL;
- id->parameters.data[1] = 0;
- }
- }
-
- return SECSuccess;
-}
-
-SECStatus
-SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *to, SECAlgorithmID *from)
-{
- SECStatus rv;
-
- rv = SECITEM_CopyItem(arena, &to->algorithm, &from->algorithm);
- if (rv) return rv;
- rv = SECITEM_CopyItem(arena, &to->parameters, &from->parameters);
- return rv;
-}
-
-void SECOID_DestroyAlgorithmID(SECAlgorithmID *algid, PRBool freeit)
-{
- SECITEM_FreeItem(&algid->parameters, PR_FALSE);
- SECITEM_FreeItem(&algid->algorithm, PR_FALSE);
- if(freeit == PR_TRUE)
- PORT_Free(algid);
-}
-
-SECComparison
-SECOID_CompareAlgorithmID(SECAlgorithmID *a, SECAlgorithmID *b)
-{
- SECComparison rv;
-
- rv = SECITEM_CompareItem(&a->algorithm, &b->algorithm);
- if (rv) return rv;
- rv = SECITEM_CompareItem(&a->parameters, &b->parameters);
- return rv;
-}
diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h
deleted file mode 100644
index f35860ea2..000000000
--- a/security/nss/lib/util/secasn1.h
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
- * Encoding Rules). The routines are found in and used extensively by the
- * security library, but exported for other use.
- *
- * $Id$
- */
-
-#ifndef _SECASN1_H_
-#define _SECASN1_H_
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secasn1t.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * XXX These function prototypes need full, explanatory comments.
- */
-
-/*
-** Decoding.
-*/
-
-extern SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PRArenaPool *pool,
- void *dest,
- const SEC_ASN1Template *t);
-
-/* XXX char or unsigned char? */
-extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
- const char *buf,
- unsigned long len);
-
-extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx);
-
-extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
- SEC_ASN1WriteProc fn,
- void *arg, PRBool no_store);
-
-extern void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx);
-
-extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
- SEC_ASN1NotifyProc fn,
- void *arg);
-
-extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx);
-
-extern SECStatus SEC_ASN1Decode(PRArenaPool *pool, void *dest,
- const SEC_ASN1Template *t,
- const char *buf, long len);
-
-extern SECStatus SEC_ASN1DecodeItem(PRArenaPool *pool, void *dest,
- const SEC_ASN1Template *t,
- SECItem *item);
-/*
-** Encoding.
-*/
-
-extern SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(void *src,
- const SEC_ASN1Template *t,
- SEC_ASN1WriteProc fn,
- void *output_arg);
-
-/* XXX char or unsigned char? */
-extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
- const char *buf,
- unsigned long len);
-
-extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
- SEC_ASN1NotifyProc fn,
- void *arg);
-
-extern void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx);
-
-extern void sec_ASN1EncoderSetDER(SEC_ASN1EncoderContext *cx);
-
-extern void sec_ASN1EncoderClearDER(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx);
-
-extern SECStatus SEC_ASN1Encode(void *src, const SEC_ASN1Template *t,
- SEC_ASN1WriteProc output_proc,
- void *output_arg);
-
-extern SECItem * SEC_ASN1EncodeItem(PRArenaPool *pool, SECItem *dest,
- void *src, const SEC_ASN1Template *t);
-
-extern SECItem * SEC_ASN1EncodeInteger(PRArenaPool *pool,
- SECItem *dest, long value);
-
-extern SECItem * SEC_ASN1EncodeUnsignedInteger(PRArenaPool *pool,
- SECItem *dest,
- unsigned long value);
-
-extern SECStatus SEC_ASN1DecodeInteger(SECItem *src,
- unsigned long *value);
-
-/*
-** Utilities.
-*/
-
-/*
- * We have a length that needs to be encoded; how many bytes will the
- * encoding take?
- */
-extern int SEC_ASN1LengthLength (unsigned long len);
-
-/* encode the length and return the number of bytes we encoded. Buffer
- * must be pre allocated */
-extern int SEC_ASN1EncodeLength(unsigned char *buf,int value);
-
-/*
- * Find the appropriate subtemplate for the given template.
- * This may involve calling a "chooser" function, or it may just
- * be right there. In either case, it is expected to *have* a
- * subtemplate; this is asserted in debug builds (in non-debug
- * builds, NULL will be returned).
- *
- * "thing" is a pointer to the structure being encoded/decoded
- * "encoding", when true, means that we are in the process of encoding
- * (as opposed to in the process of decoding)
- */
-extern const SEC_ASN1Template *
-SEC_ASN1GetSubtemplate (const SEC_ASN1Template *inTemplate, void *thing,
- PRBool encoding);
-
-SEC_END_PROTOS
-/************************************************************************/
-
-/*
- * Generic Templates
- * One for each of the simple types, plus a special one for ANY, plus:
- * - a pointer to each one of those
- * - a set of each one of those
- * - a sequence of each one of those
- *
- * Note that these are alphabetical (case insensitive); please add new
- * ones in the appropriate place.
- */
-
-extern const SEC_ASN1Template SEC_AnyTemplate[];
-extern const SEC_ASN1Template SEC_BitStringTemplate[];
-extern const SEC_ASN1Template SEC_BMPStringTemplate[];
-extern const SEC_ASN1Template SEC_BooleanTemplate[];
-extern const SEC_ASN1Template SEC_EnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_GeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_IA5StringTemplate[];
-extern const SEC_ASN1Template SEC_IntegerTemplate[];
-extern const SEC_ASN1Template SEC_NullTemplate[];
-extern const SEC_ASN1Template SEC_ObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_OctetStringTemplate[];
-extern const SEC_ASN1Template SEC_PrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_T61StringTemplate[];
-extern const SEC_ASN1Template SEC_UniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_UTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_UTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_VisibleStringTemplate[];
-
-extern const SEC_ASN1Template SEC_PointerToAnyTemplate[];
-extern const SEC_ASN1Template SEC_PointerToBitStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToBMPStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToBooleanTemplate[];
-extern const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_PointerToIA5StringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToIntegerTemplate[];
-extern const SEC_ASN1Template SEC_PointerToNullTemplate[];
-extern const SEC_ASN1Template SEC_PointerToObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_PointerToOctetStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToT61StringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[];
-
-extern const SEC_ASN1Template SEC_SequenceOfAnyTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfNullTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[];
-
-extern const SEC_ASN1Template SEC_SetOfAnyTemplate[];
-extern const SEC_ASN1Template SEC_SetOfBitStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfBMPStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfBooleanTemplate[];
-extern const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_SetOfIA5StringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfIntegerTemplate[];
-extern const SEC_ASN1Template SEC_SetOfNullTemplate[];
-extern const SEC_ASN1Template SEC_SetOfObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_SetOfOctetStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfT61StringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[];
-
-/*
- * Template for skipping a subitem; this only makes sense when decoding.
- */
-extern const SEC_ASN1Template SEC_SkipTemplate[];
-
-
-#endif /* _SECASN1_H_ */
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
deleted file mode 100644
index 544210d3d..000000000
--- a/security/nss/lib/util/secasn1d.c
+++ /dev/null
@@ -1,2934 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support for DEcoding ASN.1 data based on BER/DER (Basic/Distinguished
- * Encoding Rules).
- *
- * $Id$
- */
-
-#include "secasn1.h"
-#include "secerr.h"
-
-typedef enum {
- beforeIdentifier,
- duringIdentifier,
- afterIdentifier,
- beforeLength,
- duringLength,
- afterLength,
- beforeBitString,
- duringBitString,
- duringConstructedString,
- duringGroup,
- duringLeaf,
- duringSaveEncoding,
- duringSequence,
- afterConstructedString,
- afterGroup,
- afterExplicit,
- afterImplicit,
- afterInline,
- afterPointer,
- afterSaveEncoding,
- beforeEndOfContents,
- duringEndOfContents,
- afterEndOfContents,
- beforeChoice,
- duringChoice,
- afterChoice,
- notInUse
-} sec_asn1d_parse_place;
-
-#ifdef DEBUG_ASN1D_STATES
-static const char *place_names[] = {
- "beforeIdentifier",
- "duringIdentifier",
- "afterIdentifier",
- "beforeLength",
- "duringLength",
- "afterLength",
- "beforeBitString",
- "duringBitString",
- "duringConstructedString",
- "duringGroup",
- "duringLeaf",
- "duringSaveEncoding",
- "duringSequence",
- "afterConstructedString",
- "afterGroup",
- "afterExplicit",
- "afterImplicit",
- "afterInline",
- "afterPointer",
- "afterSaveEncoding",
- "beforeEndOfContents",
- "duringEndOfContents",
- "afterEndOfContents",
- "beforeChoice",
- "duringChoice",
- "afterChoice",
- "notInUse"
-};
-#endif /* DEBUG_ASN1D_STATES */
-
-typedef enum {
- allDone,
- decodeError,
- keepGoing,
- needBytes
-} sec_asn1d_parse_status;
-
-struct subitem {
- const void *data;
- unsigned long len; /* only used for substrings */
- struct subitem *next;
-};
-
-typedef struct sec_asn1d_state_struct {
- SEC_ASN1DecoderContext *top;
- const SEC_ASN1Template *theTemplate;
- void *dest;
-
- void *our_mark; /* free on completion */
-
- struct sec_asn1d_state_struct *parent; /* aka prev */
- struct sec_asn1d_state_struct *child; /* aka next */
-
- sec_asn1d_parse_place place;
-
- /*
- * XXX explain the next fields as clearly as possible...
- */
- unsigned char found_tag_modifiers;
- unsigned char expect_tag_modifiers;
- unsigned long check_tag_mask;
- unsigned long found_tag_number;
- unsigned long expect_tag_number;
- unsigned long underlying_kind;
-
- unsigned long contents_length;
- unsigned long pending;
- unsigned long consumed;
-
- int depth;
-
- /*
- * Bit strings have their length adjusted -- the first octet of the
- * contents contains a value between 0 and 7 which says how many bits
- * at the end of the octets are not actually part of the bit string;
- * when parsing bit strings we put that value here because we need it
- * later, for adjustment of the length (when the whole string is done).
- */
- unsigned int bit_string_unused_bits;
-
- /*
- * The following are used for indefinite-length constructed strings.
- */
- struct subitem *subitems_head;
- struct subitem *subitems_tail;
-
- PRPackedBool
- allocate, /* when true, need to allocate the destination */
- endofcontents, /* this state ended up parsing end-of-contents octets */
- explicit, /* we are handling an explicit header */
- indefinite, /* the current item has indefinite-length encoding */
- missing, /* an optional field that was not present */
- optional, /* the template says this field may be omitted */
- substring; /* this is a substring of a constructed string */
-
-} sec_asn1d_state;
-
-#define IS_HIGH_TAG_NUMBER(n) ((n) == SEC_ASN1_HIGH_TAG_NUMBER)
-#define LAST_TAG_NUMBER_BYTE(b) (((b) & 0x80) == 0)
-#define TAG_NUMBER_BITS 7
-#define TAG_NUMBER_MASK 0x7f
-
-#define LENGTH_IS_SHORT_FORM(b) (((b) & 0x80) == 0)
-#define LONG_FORM_LENGTH(b) ((b) & 0x7f)
-
-#define HIGH_BITS(field,cnt) ((field) >> ((sizeof(field) * 8) - (cnt)))
-
-
-/*
- * An "outsider" will have an opaque pointer to this, created by calling
- * SEC_ASN1DecoderStart(). It will be passed back in to all subsequent
- * calls to SEC_ASN1DecoderUpdate(), and when done it is passed to
- * SEC_ASN1DecoderFinish().
- */
-struct sec_DecoderContext_struct {
- PRArenaPool *our_pool; /* for our internal allocs */
- PRArenaPool *their_pool; /* for destination structure allocs */
-#ifdef SEC_ASN1D_FREE_ON_ERROR /*
- * XXX see comment below (by same
- * ifdef) that explains why this
- * does not work (need more smarts
- * in order to free back to mark)
- */
- /*
- * XXX how to make their_mark work in the case where they do NOT
- * give us a pool pointer?
- */
- void *their_mark; /* free on error */
-#endif
-
- sec_asn1d_state *current;
- sec_asn1d_parse_status status;
-
- SEC_ASN1NotifyProc notify_proc; /* call before/after handling field */
- void *notify_arg; /* argument to notify_proc */
- PRBool during_notify; /* true during call to notify_proc */
-
- SEC_ASN1WriteProc filter_proc; /* pass field bytes to this */
- void *filter_arg; /* argument to that function */
- PRBool filter_only; /* do not allocate/store fields */
-};
-
-
-/*
- * XXX this is a fairly generic function that may belong elsewhere
- */
-static void *
-sec_asn1d_alloc (PRArenaPool *poolp, unsigned long len)
-{
- void *thing;
-
- if (poolp != NULL) {
- /*
- * Allocate from the pool.
- */
- thing = PORT_ArenaAlloc (poolp, len);
- } else {
- /*
- * Allocate generically.
- */
- thing = PORT_Alloc (len);
- }
-
- return thing;
-}
-
-
-/*
- * XXX this is a fairly generic function that may belong elsewhere
- */
-static void *
-sec_asn1d_zalloc (PRArenaPool *poolp, unsigned long len)
-{
- void *thing;
-
- thing = sec_asn1d_alloc (poolp, len);
- if (thing != NULL)
- PORT_Memset (thing, 0, len);
- return thing;
-}
-
-
-static sec_asn1d_state *
-sec_asn1d_push_state (SEC_ASN1DecoderContext *cx,
- const SEC_ASN1Template *theTemplate,
- void *dest, PRBool new_depth)
-{
- sec_asn1d_state *state, *new_state;
-
- state = cx->current;
-
- PORT_Assert (state == NULL || state->child == NULL);
-
- if (state != NULL) {
- PORT_Assert (state->our_mark == NULL);
- state->our_mark = PORT_ArenaMark (cx->our_pool);
- }
-
- new_state = (sec_asn1d_state*)sec_asn1d_zalloc (cx->our_pool,
- sizeof(*new_state));
- if (new_state == NULL) {
- cx->status = decodeError;
- if (state != NULL) {
- PORT_ArenaRelease(cx->our_pool, state->our_mark);
- state->our_mark = NULL;
- }
- return NULL;
- }
-
- new_state->top = cx;
- new_state->parent = state;
- new_state->theTemplate = theTemplate;
- new_state->place = notInUse;
- if (dest != NULL)
- new_state->dest = (char *)dest + theTemplate->offset;
-
- if (state != NULL) {
- new_state->depth = state->depth;
- if (new_depth)
- new_state->depth++;
- state->child = new_state;
- }
-
- cx->current = new_state;
- return new_state;
-}
-
-
-static void
-sec_asn1d_scrub_state (sec_asn1d_state *state)
-{
- /*
- * Some default "scrubbing".
- * XXX right set of initializations?
- */
- state->place = beforeIdentifier;
- state->endofcontents = PR_FALSE;
- state->indefinite = PR_FALSE;
- state->missing = PR_FALSE;
- PORT_Assert (state->consumed == 0);
-}
-
-
-static void
-sec_asn1d_notify_before (SEC_ASN1DecoderContext *cx, void *dest, int depth)
-{
- if (cx->notify_proc == NULL)
- return;
-
- cx->during_notify = PR_TRUE;
- (* cx->notify_proc) (cx->notify_arg, PR_TRUE, dest, depth);
- cx->during_notify = PR_FALSE;
-}
-
-
-static void
-sec_asn1d_notify_after (SEC_ASN1DecoderContext *cx, void *dest, int depth)
-{
- if (cx->notify_proc == NULL)
- return;
-
- cx->during_notify = PR_TRUE;
- (* cx->notify_proc) (cx->notify_arg, PR_FALSE, dest, depth);
- cx->during_notify = PR_FALSE;
-}
-
-
-static sec_asn1d_state *
-sec_asn1d_init_state_based_on_template (sec_asn1d_state *state)
-{
- PRBool explicit, optional, universal;
- unsigned char expect_tag_modifiers;
- unsigned long encode_kind, under_kind;
- unsigned long check_tag_mask, expect_tag_number;
-
-
- /* XXX Check that both of these tests are really needed/appropriate. */
- if (state == NULL || state->top->status == decodeError)
- return state;
-
- encode_kind = state->theTemplate->kind;
-
- if (encode_kind & SEC_ASN1_SAVE) {
- /*
- * This is a "magic" field that saves away all bytes, allowing
- * the immediately following field to still be decoded from this
- * same spot -- sort of a fork.
- */
- /* check that there are no extraneous bits */
- PORT_Assert (encode_kind == SEC_ASN1_SAVE);
- if (state->top->filter_only) {
- /*
- * If we are not storing, then we do not do the SAVE field
- * at all. Just move ahead to the "real" field instead,
- * doing the appropriate notify calls before and after.
- */
- sec_asn1d_notify_after (state->top, state->dest, state->depth);
- /*
- * Since we are not storing, allow for our current dest value
- * to be NULL. (This might not actually occur, but right now I
- * cannot convince myself one way or the other.) If it is NULL,
- * assume that our parent dest can help us out.
- */
- if (state->dest == NULL)
- state->dest = state->parent->dest;
- else
- state->dest = (char *)state->dest - state->theTemplate->offset;
- state->theTemplate++;
- if (state->dest != NULL)
- state->dest = (char *)state->dest + state->theTemplate->offset;
- sec_asn1d_notify_before (state->top, state->dest, state->depth);
- encode_kind = state->theTemplate->kind;
- PORT_Assert ((encode_kind & SEC_ASN1_SAVE) == 0);
- } else {
- sec_asn1d_scrub_state (state);
- state->place = duringSaveEncoding;
- state = sec_asn1d_push_state (state->top, SEC_AnyTemplate,
- state->dest, PR_FALSE);
- if (state != NULL)
- state = sec_asn1d_init_state_based_on_template (state);
- return state;
- }
- }
-
-
- universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
-
- explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_EXPLICIT;
-
- optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_OPTIONAL;
-
- PORT_Assert (!(explicit && universal)); /* bad templates */
-
- encode_kind &= ~SEC_ASN1_DYNAMIC;
- encode_kind &= ~SEC_ASN1_MAY_STREAM;
-
- if( encode_kind & SEC_ASN1_CHOICE ) {
-#if 0 /* XXX remove? */
- sec_asn1d_state *child = sec_asn1d_push_state(state->top, state->theTemplate, state->dest, PR_FALSE);
- if( (sec_asn1d_state *)NULL == child ) {
- return (sec_asn1d_state *)NULL;
- }
-
- child->allocate = state->allocate;
- child->place = beforeChoice;
- return child;
-#else
- state->place = beforeChoice;
- return state;
-#endif
- }
-
- if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
- && !explicit)) {
- const SEC_ASN1Template *subt;
- void *dest;
- PRBool child_allocate;
-
- PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
-
- sec_asn1d_scrub_state (state);
- child_allocate = PR_FALSE;
-
- if (encode_kind & SEC_ASN1_POINTER) {
- /*
- * A POINTER means we need to allocate the destination for
- * this field. But, since it may also be an optional field,
- * we defer the allocation until later; we just record that
- * it needs to be done.
- *
- * There are two possible scenarios here -- one is just a
- * plain POINTER (kind of like INLINE, except with allocation)
- * and the other is an implicitly-tagged POINTER. We don't
- * need to do anything special here for the two cases, but
- * since the template definition can be tricky, we do check
- * that there are no extraneous bits set in encode_kind.
- *
- * XXX The same conditions which assert should set an error.
- */
- if (universal) {
- /*
- * "universal" means this entry is a standalone POINTER;
- * there should be no other bits set in encode_kind.
- */
- PORT_Assert (encode_kind == SEC_ASN1_POINTER);
- } else {
- /*
- * If we get here we have an implicitly-tagged field
- * that needs to be put into a POINTER. The subtemplate
- * will determine how to decode the field, but encode_kind
- * describes the (implicit) tag we are looking for.
- * The non-tag bits of encode_kind will be ignored by
- * the code below; none of them should be set, however,
- * except for the POINTER bit itself -- so check that.
- */
- PORT_Assert ((encode_kind & ~SEC_ASN1_TAG_MASK)
- == SEC_ASN1_POINTER);
- }
- if (!state->top->filter_only)
- child_allocate = PR_TRUE;
- dest = NULL;
- state->place = afterPointer;
- } else {
- dest = state->dest;
- if (encode_kind & SEC_ASN1_INLINE) {
- /* check that there are no extraneous bits */
- PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
- state->place = afterInline;
- } else {
- state->place = afterImplicit;
- }
- }
-
- state->optional = optional;
- subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest, PR_FALSE);
- state = sec_asn1d_push_state (state->top, subt, dest, PR_FALSE);
- if (state == NULL)
- return NULL;
-
- state->allocate = child_allocate;
-
- if (universal) {
- state = sec_asn1d_init_state_based_on_template (state);
- if (state != NULL) {
- /*
- * If this field is optional, we need to record that on
- * the pushed child so it won't fail if the field isn't
- * found. I can't think of a way that this new state
- * could already have optional set (which we would wipe
- * out below if our local optional is not set) -- but
- * just to be sure, assert that it isn't set.
- */
- PORT_Assert (!state->optional);
- state->optional = optional;
- }
- return state;
- }
-
- under_kind = state->theTemplate->kind;
- under_kind &= ~SEC_ASN1_MAY_STREAM;
- } else if (explicit) {
- /*
- * For explicit, we only need to match the encoding tag next,
- * then we will push another state to handle the entire inner
- * part. In this case, there is no underlying kind which plays
- * any part in the determination of the outer, explicit tag.
- * So we just set under_kind to 0, which is not a valid tag,
- * and the rest of the tag matching stuff should be okay.
- */
- under_kind = 0;
- } else {
- /*
- * Nothing special; the underlying kind and the given encoding
- * information are the same.
- */
- under_kind = encode_kind;
- }
-
- /* XXX is this the right set of bits to test here? */
- PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
- | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
- | SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);
-
- if (encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) {
- PORT_Assert (encode_kind == under_kind);
- if (encode_kind & SEC_ASN1_SKIP) {
- PORT_Assert (!optional);
- PORT_Assert (encode_kind == SEC_ASN1_SKIP);
- state->dest = NULL;
- }
- check_tag_mask = 0;
- expect_tag_modifiers = 0;
- expect_tag_number = 0;
- } else {
- check_tag_mask = SEC_ASN1_TAG_MASK;
- expect_tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK
- & ~SEC_ASN1_TAGNUM_MASK;
- /*
- * XXX This assumes only single-octet identifiers. To handle
- * the HIGH TAG form we would need to do some more work, especially
- * in how to specify them in the template, because right now we
- * do not provide a way to specify more *tag* bits in encode_kind.
- */
- expect_tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
-
- switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
- case SEC_ASN1_SET:
- /*
- * XXX A plain old SET (as opposed to a SET OF) is not implemented.
- * If it ever is, remove this assert...
- */
- PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
- /* fallthru */
- case SEC_ASN1_SEQUENCE:
- expect_tag_modifiers |= SEC_ASN1_CONSTRUCTED;
- break;
- case SEC_ASN1_BIT_STRING:
- case SEC_ASN1_BMP_STRING:
- case SEC_ASN1_GENERALIZED_TIME:
- case SEC_ASN1_IA5_STRING:
- case SEC_ASN1_OCTET_STRING:
- case SEC_ASN1_PRINTABLE_STRING:
- case SEC_ASN1_T61_STRING:
- case SEC_ASN1_UNIVERSAL_STRING:
- case SEC_ASN1_UTC_TIME:
- case SEC_ASN1_UTF8_STRING:
- case SEC_ASN1_VISIBLE_STRING:
- check_tag_mask &= ~SEC_ASN1_CONSTRUCTED;
- break;
- }
- }
-
- state->check_tag_mask = check_tag_mask;
- state->expect_tag_modifiers = expect_tag_modifiers;
- state->expect_tag_number = expect_tag_number;
- state->underlying_kind = under_kind;
- state->explicit = explicit;
- state->optional = optional;
-
- sec_asn1d_scrub_state (state);
-
- return state;
-}
-
-
-static unsigned long
-sec_asn1d_parse_identifier (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- unsigned char byte;
- unsigned char tag_number;
-
- PORT_Assert (state->place == beforeIdentifier);
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- byte = (unsigned char) *buf;
- tag_number = byte & SEC_ASN1_TAGNUM_MASK;
-
- if (IS_HIGH_TAG_NUMBER (tag_number)) {
- state->place = duringIdentifier;
- state->found_tag_number = 0;
- /*
- * Actually, we have no idea how many bytes are pending, but we
- * do know that it is at least 1. That is all we know; we have
- * to look at each byte to know if there is another, etc.
- */
- state->pending = 1;
- } else {
- if (byte == 0 && state->parent != NULL &&
- (state->parent->indefinite ||
- (
- (state->parent->place == afterImplicit ||
- state->parent->place == afterPointer)
- && state->parent->parent != NULL && state->parent->parent->indefinite
- )
- )
- ) {
- /*
- * Our parent has indefinite-length encoding, and the
- * entire tag found is 0, so it seems that we have hit the
- * end-of-contents octets. To handle this, we just change
- * our state to that which expects to get the bytes of the
- * end-of-contents octets and let that code re-read this byte
- * so that our categorization of field types is correct.
- * After that, our parent will then deal with everything else.
- */
- state->place = duringEndOfContents;
- state->pending = 2;
- state->found_tag_number = 0;
- state->found_tag_modifiers = 0;
- /*
- * We might be an optional field that is, as we now find out,
- * missing. Give our parent a clue that this happened.
- */
- if (state->optional)
- state->missing = PR_TRUE;
- return 0;
- }
- state->place = afterIdentifier;
- state->found_tag_number = tag_number;
- }
- state->found_tag_modifiers = byte & ~SEC_ASN1_TAGNUM_MASK;
-
- return 1;
-}
-
-
-static unsigned long
-sec_asn1d_parse_more_identifier (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- unsigned char byte;
- int count;
-
- PORT_Assert (state->pending == 1);
- PORT_Assert (state->place == duringIdentifier);
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- count = 0;
-
- while (len && state->pending) {
- if (HIGH_BITS (state->found_tag_number, TAG_NUMBER_BITS) != 0) {
- /*
- * The given high tag number overflows our container;
- * just give up. This is not likely to *ever* happen.
- */
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return 0;
- }
-
- state->found_tag_number <<= TAG_NUMBER_BITS;
-
- byte = (unsigned char) buf[count++];
- state->found_tag_number |= (byte & TAG_NUMBER_MASK);
-
- len--;
- if (LAST_TAG_NUMBER_BYTE (byte))
- state->pending = 0;
- }
-
- if (state->pending == 0)
- state->place = afterIdentifier;
-
- return count;
-}
-
-
-static void
-sec_asn1d_confirm_identifier (sec_asn1d_state *state)
-{
- PRBool match;
-
- PORT_Assert (state->place == afterIdentifier);
-
- match = (PRBool)(((state->found_tag_modifiers & state->check_tag_mask)
- == state->expect_tag_modifiers)
- && ((state->found_tag_number & state->check_tag_mask)
- == state->expect_tag_number));
- if (match) {
- state->place = beforeLength;
- } else {
- if (state->optional) {
- state->missing = PR_TRUE;
- state->place = afterEndOfContents;
- } else {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- }
- }
-}
-
-
-static unsigned long
-sec_asn1d_parse_length (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- unsigned char byte;
-
- PORT_Assert (state->place == beforeLength);
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- /*
- * The default/likely outcome. It may get adjusted below.
- */
- state->place = afterLength;
-
- byte = (unsigned char) *buf;
-
- if (LENGTH_IS_SHORT_FORM (byte)) {
- state->contents_length = byte;
- } else {
- state->contents_length = 0;
- state->pending = LONG_FORM_LENGTH (byte);
- if (state->pending == 0) {
- state->indefinite = PR_TRUE;
- } else {
- state->place = duringLength;
- }
- }
-
- return 1;
-}
-
-
-static unsigned long
-sec_asn1d_parse_more_length (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- int count;
-
- PORT_Assert (state->pending > 0);
- PORT_Assert (state->place == duringLength);
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- count = 0;
-
- while (len && state->pending) {
- if (HIGH_BITS (state->contents_length, 8) != 0) {
- /*
- * The given full content length overflows our container;
- * just give up.
- */
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return 0;
- }
-
- state->contents_length <<= 8;
- state->contents_length |= (unsigned char) buf[count++];
-
- len--;
- state->pending--;
- }
-
- if (state->pending == 0)
- state->place = afterLength;
-
- return count;
-}
-
-
-static void
-sec_asn1d_prepare_for_contents (sec_asn1d_state *state)
-{
- SECItem *item;
- PRArenaPool *poolp;
- unsigned long alloc_len;
-
-
- /*
- * XXX I cannot decide if this allocation should exclude the case
- * where state->endofcontents is true -- figure it out!
- */
- if (state->allocate) {
- void *dest;
-
- PORT_Assert (state->dest == NULL);
- /*
- * We are handling a POINTER or a member of a GROUP, and need to
- * allocate for the data structure.
- */
- dest = sec_asn1d_zalloc (state->top->their_pool,
- state->theTemplate->size);
- if (dest == NULL) {
- state->top->status = decodeError;
- return;
- }
- state->dest = (char *)dest + state->theTemplate->offset;
-
- /*
- * For a member of a GROUP, our parent will later put the
- * pointer wherever it belongs. But for a POINTER, we need
- * to record the destination now, in case notify or filter
- * procs need access to it -- they cannot find it otherwise,
- * until it is too late (for one-pass processing).
- */
- if (state->parent->place == afterPointer) {
- void **placep;
-
- placep = state->parent->dest;
- *placep = dest;
- }
- }
-
- /*
- * Remember, length may be indefinite here! In that case,
- * both contents_length and pending will be zero.
- */
- state->pending = state->contents_length;
-
- /*
- * An EXPLICIT is nothing but an outer header, which we have
- * already parsed and accepted. Now we need to do the inner
- * header and its contents.
- */
- if (state->explicit) {
- state->place = afterExplicit;
- state = sec_asn1d_push_state (state->top,
- SEC_ASN1GetSubtemplate(state->theTemplate,
- state->dest,
- PR_FALSE),
- state->dest, PR_TRUE);
- if (state != NULL)
- state = sec_asn1d_init_state_based_on_template (state);
- return;
- }
-
- /*
- * For GROUP (SET OF, SEQUENCE OF), even if we know the length here
- * we cannot tell how many items we will end up with ... so push a
- * state that can keep track of "children" (the individual members
- * of the group; we will allocate as we go and put them all together
- * at the end.
- */
- if (state->underlying_kind & SEC_ASN1_GROUP) {
- /* XXX If this assertion holds (should be able to confirm it via
- * inspection, too) then move this code into the switch statement
- * below under cases SET_OF and SEQUENCE_OF; it will be cleaner.
- */
- PORT_Assert (state->underlying_kind == SEC_ASN1_SET_OF
- || state->underlying_kind == SEC_ASN1_SEQUENCE_OF);
- if (state->contents_length != 0 || state->indefinite) {
- const SEC_ASN1Template *subt;
-
- state->place = duringGroup;
- subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest,
- PR_FALSE);
- state = sec_asn1d_push_state (state->top, subt, NULL, PR_TRUE);
- if (state != NULL) {
- if (!state->top->filter_only)
- state->allocate = PR_TRUE; /* XXX propogate this? */
- /*
- * Do the "before" field notification for next in group.
- */
- sec_asn1d_notify_before (state->top, state->dest, state->depth);
- state = sec_asn1d_init_state_based_on_template (state);
- }
- } else {
- /*
- * A group of zero; we are done.
- * XXX Should we store a NULL here? Or set state to
- * afterGroup and let that code do it?
- */
- state->place = afterEndOfContents;
- }
- return;
- }
-
- switch (state->underlying_kind) {
- case SEC_ASN1_SEQUENCE:
- /*
- * We need to push a child to handle the individual fields.
- */
- state->place = duringSequence;
- state = sec_asn1d_push_state (state->top, state->theTemplate + 1,
- state->dest, PR_TRUE);
- if (state != NULL) {
- /*
- * Do the "before" field notification.
- */
- sec_asn1d_notify_before (state->top, state->dest, state->depth);
- state = sec_asn1d_init_state_based_on_template (state);
- }
- break;
-
- case SEC_ASN1_SET: /* XXX SET is not really implemented */
- /*
- * XXX A plain SET requires special handling; scanning of a
- * template to see where a field should go (because by definition,
- * they are not in any particular order, and you have to look at
- * each tag to disambiguate what the field is). We may never
- * implement this because in practice, it seems to be unused.
- */
- PORT_Assert(0);
- state->top->status = decodeError;
- break;
-
- case SEC_ASN1_NULL:
- /*
- * The NULL type, by definition, is "nothing", content length of zero.
- * An indefinite-length encoding is not alloweed.
- */
- if (state->contents_length || state->indefinite) {
- state->top->status = decodeError;
- break;
- }
- if (state->dest != NULL) {
- item = (SECItem *)(state->dest);
- item->data = NULL;
- item->len = 0;
- }
- state->place = afterEndOfContents;
- break;
-
- case SEC_ASN1_BMP_STRING:
- /* Error if length is not divisable by 2 */
- if (state->contents_length % 2) {
- state->top->status = decodeError;
- break;
- }
- /* otherwise, handle as other string types */
- goto regular_string_type;
-
- case SEC_ASN1_UNIVERSAL_STRING:
- /* Error if length is not divisable by 4 */
- if (state->contents_length % 4) {
- state->top->status = decodeError;
- break;
- }
- /* otherwise, handle as other string types */
- goto regular_string_type;
-
- case SEC_ASN1_SKIP:
- case SEC_ASN1_ANY:
- case SEC_ASN1_ANY_CONTENTS:
- /*
- * These are not (necessarily) strings, but they need nearly
- * identical handling (especially when we need to deal with
- * constructed sub-pieces), so we pretend they are.
- */
- /* fallthru */
-regular_string_type:
- case SEC_ASN1_BIT_STRING:
- case SEC_ASN1_IA5_STRING:
- case SEC_ASN1_OCTET_STRING:
- case SEC_ASN1_PRINTABLE_STRING:
- case SEC_ASN1_T61_STRING:
- case SEC_ASN1_UTC_TIME:
- case SEC_ASN1_UTF8_STRING:
- case SEC_ASN1_VISIBLE_STRING:
- /*
- * We are allocating for a primitive or a constructed string.
- * If it is a constructed string, it may also be indefinite-length.
- * If it is primitive, the length can (legally) be zero.
- * Our first order of business is to allocate the memory for
- * the string, if we can (if we know the length).
- */
- item = (SECItem *)(state->dest);
-
- /*
- * If the item is a definite-length constructed string, then
- * the contents_length is actually larger than what we need
- * (because it also counts each intermediate header which we
- * will be throwing away as we go), but it is a perfectly good
- * upper bound that we just allocate anyway, and then concat
- * as we go; we end up wasting a few extra bytes but save a
- * whole other copy.
- */
- alloc_len = state->contents_length;
- poolp = NULL; /* quiet compiler warnings about unused... */
-
- if (item == NULL || state->top->filter_only) {
- if (item != NULL) {
- item->data = NULL;
- item->len = 0;
- }
- alloc_len = 0;
- } else if (state->substring) {
- /*
- * If we are a substring of a constructed string, then we may
- * not have to allocate anything (because our parent, the
- * actual constructed string, did it for us). If we are a
- * substring and we *do* have to allocate, that means our
- * parent is an indefinite-length, so we allocate from our pool;
- * later our parent will copy our string into the aggregated
- * whole and free our pool allocation.
- */
- if (item->data == NULL) {
- PORT_Assert (item->len == 0);
- poolp = state->top->our_pool;
- } else {
- alloc_len = 0;
- }
- } else {
- item->len = 0;
- item->data = NULL;
- poolp = state->top->their_pool;
- }
-
- if (alloc_len || ((! state->indefinite)
- && (state->subitems_head != NULL))) {
- struct subitem *subitem;
- int len;
-
- PORT_Assert (item->len == 0 && item->data == NULL);
- /*
- * Check for and handle an ANY which has stashed aside the
- * header (identifier and length) bytes for us to include
- * in the saved contents.
- */
- if (state->subitems_head != NULL) {
- PORT_Assert (state->underlying_kind == SEC_ASN1_ANY);
- for (subitem = state->subitems_head;
- subitem != NULL; subitem = subitem->next)
- alloc_len += subitem->len;
- }
-
- item->data = (unsigned char*)sec_asn1d_zalloc (poolp, alloc_len);
- if (item->data == NULL) {
- state->top->status = decodeError;
- break;
- }
-
- len = 0;
- for (subitem = state->subitems_head;
- subitem != NULL; subitem = subitem->next) {
- PORT_Memcpy (item->data + len, subitem->data, subitem->len);
- len += subitem->len;
- }
- item->len = len;
-
- /*
- * Because we use arenas and have a mark set, we later free
- * everything we have allocated, so this does *not* present
- * a memory leak (it is just temporarily left dangling).
- */
- state->subitems_head = state->subitems_tail = NULL;
- }
-
- if (state->contents_length == 0 && (! state->indefinite)) {
- /*
- * A zero-length simple or constructed string; we are done.
- */
- state->place = afterEndOfContents;
- } else if (state->found_tag_modifiers & SEC_ASN1_CONSTRUCTED) {
- const SEC_ASN1Template *sub;
-
- switch (state->underlying_kind) {
- case SEC_ASN1_ANY:
- case SEC_ASN1_ANY_CONTENTS:
- sub = SEC_AnyTemplate;
- break;
- case SEC_ASN1_BIT_STRING:
- sub = SEC_BitStringTemplate;
- break;
- case SEC_ASN1_BMP_STRING:
- sub = SEC_BMPStringTemplate;
- break;
- case SEC_ASN1_GENERALIZED_TIME:
- sub = SEC_GeneralizedTimeTemplate;
- break;
- case SEC_ASN1_IA5_STRING:
- sub = SEC_IA5StringTemplate;
- break;
- case SEC_ASN1_OCTET_STRING:
- sub = SEC_OctetStringTemplate;
- break;
- case SEC_ASN1_PRINTABLE_STRING:
- sub = SEC_PrintableStringTemplate;
- break;
- case SEC_ASN1_T61_STRING:
- sub = SEC_T61StringTemplate;
- break;
- case SEC_ASN1_UNIVERSAL_STRING:
- sub = SEC_UniversalStringTemplate;
- break;
- case SEC_ASN1_UTC_TIME:
- sub = SEC_UTCTimeTemplate;
- break;
- case SEC_ASN1_UTF8_STRING:
- sub = SEC_UTF8StringTemplate;
- break;
- case SEC_ASN1_VISIBLE_STRING:
- sub = SEC_VisibleStringTemplate;
- break;
- case SEC_ASN1_SKIP:
- sub = SEC_SkipTemplate;
- break;
- default: /* redundant given outer switch cases, but */
- PORT_Assert(0); /* the compiler does not seem to know that, */
- sub = NULL; /* so just do enough to quiet it. */
- break;
- }
-
- state->place = duringConstructedString;
- state = sec_asn1d_push_state (state->top, sub, item, PR_TRUE);
- if (state != NULL) {
- state->substring = PR_TRUE; /* XXX propogate? */
- state = sec_asn1d_init_state_based_on_template (state);
- }
- } else if (state->indefinite) {
- /*
- * An indefinite-length string *must* be constructed!
- */
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- } else {
- /*
- * A non-zero-length simple string.
- */
- if (state->underlying_kind == SEC_ASN1_BIT_STRING)
- state->place = beforeBitString;
- else
- state->place = duringLeaf;
- }
- break;
-
- default:
- /*
- * We are allocating for a simple leaf item.
- */
- if (state->contents_length) {
- if (state->dest != NULL) {
- item = (SECItem *)(state->dest);
- item->len = 0;
- if (state->top->filter_only) {
- item->data = NULL;
- } else {
- item->data = (unsigned char*)
- sec_asn1d_zalloc (state->top->their_pool,
- state->contents_length);
- if (item->data == NULL) {
- state->top->status = decodeError;
- return;
- }
- }
- }
- state->place = duringLeaf;
- } else {
- /*
- * An indefinite-length or zero-length item is not allowed.
- * (All legal cases of such were handled above.)
- */
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- }
- }
-}
-
-
-static void
-sec_asn1d_free_child (sec_asn1d_state *state, PRBool error)
-{
- if (state->child != NULL) {
- PORT_Assert (error || state->child->consumed == 0);
- PORT_Assert (state->our_mark != NULL);
- PORT_ArenaRelease (state->top->our_pool, state->our_mark);
- if (error && state->top->their_pool == NULL) {
- /*
- * XXX We need to free anything allocated.
- */
- PORT_Assert (0);
- }
- state->child = NULL;
- state->our_mark = NULL;
- } else {
- /*
- * It is important that we do not leave a mark unreleased/unmarked.
- * But I do not think we should ever have one set in this case, only
- * if we had a child (handled above). So check for that. If this
- * assertion should ever get hit, then we probably need to add code
- * here to release back to our_mark (and then set our_mark to NULL).
- */
- PORT_Assert (state->our_mark == NULL);
- }
- state->place = beforeEndOfContents;
-}
-
-
-static void
-sec_asn1d_reuse_encoding (sec_asn1d_state *state)
-{
- sec_asn1d_state *child;
- unsigned long consumed;
- SECItem *item;
- void *dest;
-
-
- child = state->child;
- PORT_Assert (child != NULL);
-
- consumed = child->consumed;
- child->consumed = 0;
-
- item = (SECItem *)(state->dest);
- PORT_Assert (item != NULL);
-
- PORT_Assert (item->len == consumed);
-
- /*
- * Free any grandchild.
- */
- sec_asn1d_free_child (child, PR_FALSE);
-
- /*
- * Notify after the SAVE field.
- */
- sec_asn1d_notify_after (state->top, state->dest, state->depth);
-
- /*
- * Adjust to get new dest and move forward.
- */
- dest = (char *)state->dest - state->theTemplate->offset;
- state->theTemplate++;
- child->dest = (char *)dest + state->theTemplate->offset;
- child->theTemplate = state->theTemplate;
-
- /*
- * Notify before the "real" field.
- */
- PORT_Assert (state->depth == child->depth);
- sec_asn1d_notify_before (state->top, child->dest, child->depth);
-
- /*
- * This will tell DecoderUpdate to return when it is done.
- */
- state->place = afterSaveEncoding;
-
- /*
- * We already have a child; "push" it by making it current.
- */
- state->top->current = child;
-
- /*
- * And initialize it so it is ready to parse.
- */
- (void) sec_asn1d_init_state_based_on_template(child);
-
- /*
- * Now parse that out of our data.
- */
- if (SEC_ASN1DecoderUpdate (state->top,
- (char *) item->data, item->len) != SECSuccess)
- return;
-
- PORT_Assert (state->top->current == state);
- PORT_Assert (state->child == child);
-
- /*
- * That should have consumed what we consumed before.
- */
- PORT_Assert (consumed == child->consumed);
- child->consumed = 0;
-
- /*
- * Done.
- */
- state->consumed += consumed;
- child->place = notInUse;
- state->place = afterEndOfContents;
-}
-
-
-static unsigned long
-sec_asn1d_parse_leaf (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- SECItem *item;
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- if (state->pending < len)
- len = state->pending;
-
- item = (SECItem *)(state->dest);
- if (item != NULL && item->data != NULL) {
- PORT_Memcpy (item->data + item->len, buf, len);
- item->len += len;
- }
- state->pending -= len;
- if (state->pending == 0)
- state->place = beforeEndOfContents;
-
- return len;
-}
-
-
-static unsigned long
-sec_asn1d_parse_bit_string (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- unsigned char byte;
-
- PORT_Assert (state->pending > 0);
- PORT_Assert (state->place == beforeBitString);
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- byte = (unsigned char) *buf;
- if (byte > 7) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return 0;
- }
-
- state->bit_string_unused_bits = byte;
- state->place = duringBitString;
- state->pending -= 1;
-
- return 1;
-}
-
-
-static unsigned long
-sec_asn1d_parse_more_bit_string (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- PORT_Assert (state->pending > 0);
- PORT_Assert (state->place == duringBitString);
-
- len = sec_asn1d_parse_leaf (state, buf, len);
- if (state->place == beforeEndOfContents && state->dest != NULL) {
- SECItem *item;
-
- item = (SECItem *)(state->dest);
- if (item->len)
- item->len = (item->len << 3) - state->bit_string_unused_bits;
- }
-
- return len;
-}
-
-
-/*
- * XXX All callers should be looking at return value to detect
- * out-of-memory errors (and stop!).
- */
-static struct subitem *
-sec_asn1d_add_to_subitems (sec_asn1d_state *state,
- const void *data, unsigned long len,
- PRBool copy_data)
-{
- struct subitem *thing;
-
- thing = (struct subitem*)sec_asn1d_zalloc (state->top->our_pool,
- sizeof (struct subitem));
- if (thing == NULL) {
- state->top->status = decodeError;
- return NULL;
- }
-
- if (copy_data) {
- void *copy;
- copy = sec_asn1d_alloc (state->top->our_pool, len);
- if (copy == NULL) {
- state->top->status = decodeError;
- return NULL;
- }
- PORT_Memcpy (copy, data, len);
- thing->data = copy;
- } else {
- thing->data = data;
- }
- thing->len = len;
- thing->next = NULL;
-
- if (state->subitems_head == NULL) {
- PORT_Assert (state->subitems_tail == NULL);
- state->subitems_head = state->subitems_tail = thing;
- } else {
- state->subitems_tail->next = thing;
- state->subitems_tail = thing;
- }
-
- return thing;
-}
-
-
-static void
-sec_asn1d_record_any_header (sec_asn1d_state *state,
- const char *buf,
- unsigned long len)
-{
- SECItem *item;
-
- item = (SECItem *)(state->dest);
- if (item != NULL && item->data != NULL) {
- PORT_Assert (state->substring);
- PORT_Memcpy (item->data + item->len, buf, len);
- item->len += len;
- } else {
- sec_asn1d_add_to_subitems (state, buf, len, PR_TRUE);
- }
-}
-
-
-/*
- * We are moving along through the substrings of a constructed string,
- * and have just finished parsing one -- we need to save our child data
- * (if the child was not already writing directly into the destination)
- * and then move forward by one.
- *
- * We also have to detect when we are done:
- * - a definite-length encoding stops when our pending value hits 0
- * - an indefinite-length encoding stops when our child is empty
- * (which means it was the end-of-contents octets)
- */
-static void
-sec_asn1d_next_substring (sec_asn1d_state *state)
-{
- sec_asn1d_state *child;
- SECItem *item;
- unsigned long child_consumed;
- PRBool done;
-
- PORT_Assert (state->place == duringConstructedString);
- PORT_Assert (state->child != NULL);
-
- child = state->child;
-
- child_consumed = child->consumed;
- child->consumed = 0;
- state->consumed += child_consumed;
-
- done = PR_FALSE;
-
- if (state->pending) {
- PORT_Assert (!state->indefinite);
- PORT_Assert (child_consumed <= state->pending);
-
- state->pending -= child_consumed;
- if (state->pending == 0)
- done = PR_TRUE;
- } else {
- PORT_Assert (state->indefinite);
-
- item = (SECItem *)(child->dest);
- if (item != NULL && item->data != NULL) {
- /*
- * Save the string away for later concatenation.
- */
- PORT_Assert (item->data != NULL);
- sec_asn1d_add_to_subitems (state, item->data, item->len, PR_FALSE);
- /*
- * Clear the child item for the next round.
- */
- item->data = NULL;
- item->len = 0;
- }
-
- /*
- * If our child was just our end-of-contents octets, we are done.
- */
- if (child->endofcontents)
- done = PR_TRUE;
- }
-
- /*
- * Stop or do the next one.
- */
- if (done) {
- child->place = notInUse;
- state->place = afterConstructedString;
- } else {
- sec_asn1d_scrub_state (child);
- state->top->current = child;
- }
-}
-
-
-/*
- * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
- */
-static void
-sec_asn1d_next_in_group (sec_asn1d_state *state)
-{
- sec_asn1d_state *child;
- unsigned long child_consumed;
-
- PORT_Assert (state->place == duringGroup);
- PORT_Assert (state->child != NULL);
-
- child = state->child;
-
- child_consumed = child->consumed;
- child->consumed = 0;
- state->consumed += child_consumed;
-
- /*
- * If our child was just our end-of-contents octets, we are done.
- */
- if (child->endofcontents) {
- /* XXX I removed the PORT_Assert (child->dest == NULL) because there
- * was a bug in that a template that was a sequence of which also had
- * a child of a sequence of, in an indefinite group was not working
- * properly. This fix seems to work, (added the if statement below),
- * and nothing appears broken, but I am putting this note here just
- * in case. */
- /*
- * XXX No matter how many times I read that comment,
- * I cannot figure out what case he was fixing. I believe what he
- * did was deliberate, so I am loathe to touch it. I need to
- * understand how it could ever be that child->dest != NULL but
- * child->endofcontents is true, and why it is important to check
- * that state->subitems_head is NULL. This really needs to be
- * figured out, as I am not sure if the following code should be
- * compensating for "offset", as is done a little farther below
- * in the more normal case.
- */
- PORT_Assert (state->indefinite);
- PORT_Assert (state->pending == 0);
- if(child->dest && !state->subitems_head) {
- sec_asn1d_add_to_subitems (state, child->dest, 0, PR_FALSE);
- child->dest = NULL;
- }
-
- child->place = notInUse;
- state->place = afterGroup;
- return;
- }
-
- /*
- * Do the "after" field notification for next in group.
- */
- sec_asn1d_notify_after (state->top, child->dest, child->depth);
-
- /*
- * Save it away (unless we are not storing).
- */
- if (child->dest != NULL) {
- void *dest;
-
- dest = child->dest;
- dest = (char *)dest - child->theTemplate->offset;
- sec_asn1d_add_to_subitems (state, dest, 0, PR_FALSE);
- child->dest = NULL;
- }
-
- /*
- * Account for those bytes; see if we are done.
- */
- if (state->pending) {
- PORT_Assert (!state->indefinite);
- PORT_Assert (child_consumed <= state->pending);
-
- state->pending -= child_consumed;
- if (state->pending == 0) {
- child->place = notInUse;
- state->place = afterGroup;
- return;
- }
- }
-
- /*
- * Do the "before" field notification for next item in group.
- */
- sec_asn1d_notify_before (state->top, child->dest, child->depth);
-
- /*
- * Now we do the next one.
- */
- sec_asn1d_scrub_state (child);
- state->top->current = child;
-}
-
-
-/*
- * We are moving along through a sequence; move forward by one,
- * (detecting end-of-sequence when it happens).
- * XXX The handling of "missing" is ugly. Fix it.
- */
-static void
-sec_asn1d_next_in_sequence (sec_asn1d_state *state)
-{
- sec_asn1d_state *child;
- unsigned long child_consumed;
- PRBool child_missing;
-
- PORT_Assert (state->place == duringSequence);
- PORT_Assert (state->child != NULL);
-
- child = state->child;
-
- /*
- * Do the "after" field notification.
- */
- sec_asn1d_notify_after (state->top, child->dest, child->depth);
-
- child_missing = (PRBool) child->missing;
- child_consumed = child->consumed;
- child->consumed = 0;
-
- /*
- * Take care of accounting.
- */
- if (child_missing) {
- PORT_Assert (child->optional);
- } else {
- state->consumed += child_consumed;
- /*
- * Free any grandchild.
- */
- sec_asn1d_free_child (child, PR_FALSE);
- if (state->pending) {
- PORT_Assert (!state->indefinite);
- PORT_Assert (child_consumed <= state->pending);
- state->pending -= child_consumed;
- if (state->pending == 0) {
- child->theTemplate++;
- while (child->theTemplate->kind != 0) {
- if ((child->theTemplate->kind & SEC_ASN1_OPTIONAL) == 0) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return;
- }
- child->theTemplate++;
- }
- child->place = notInUse;
- state->place = afterEndOfContents;
- return;
- }
- }
- }
-
- /*
- * Move forward.
- */
- child->theTemplate++;
- if (child->theTemplate->kind == 0) {
- /*
- * We are done with this sequence.
- */
- child->place = notInUse;
- if (state->pending) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- } else if (child_missing) {
- /*
- * We got to the end, but have a child that started parsing
- * and ended up "missing". The only legitimate reason for
- * this is that we had one or more optional fields at the
- * end of our sequence, and we were encoded indefinite-length,
- * so when we went looking for those optional fields we
- * found our end-of-contents octets instead.
- * (Yes, this is ugly; dunno a better way to handle it.)
- * So, first confirm the situation, and then mark that we
- * are done.
- */
- if (state->indefinite && child->endofcontents) {
- PORT_Assert (child_consumed == 2);
- state->consumed += child_consumed;
- state->place = afterEndOfContents;
- } else {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- }
- } else {
- /*
- * We have to finish out, maybe reading end-of-contents octets;
- * let the normal logic do the right thing.
- */
- state->place = beforeEndOfContents;
- }
- } else {
- unsigned char child_found_tag_modifiers = 0;
- unsigned long child_found_tag_number = 0;
-
- /*
- * Reset state and push.
- */
- if (state->dest != NULL)
- child->dest = (char *)state->dest + child->theTemplate->offset;
-
- /*
- * Do the "before" field notification.
- */
- sec_asn1d_notify_before (state->top, child->dest, child->depth);
-
- if (child_missing) { /* if previous child was missing, copy the tag data we already have */
- child_found_tag_modifiers = child->found_tag_modifiers;
- child_found_tag_number = child->found_tag_number;
- }
- state->top->current = child;
- child = sec_asn1d_init_state_based_on_template (child);
- if (child_missing) {
- child->place = afterIdentifier;
- child->found_tag_modifiers = child_found_tag_modifiers;
- child->found_tag_number = child_found_tag_number;
- child->consumed = child_consumed;
- if (child->underlying_kind == SEC_ASN1_ANY
- && !child->top->filter_only) {
- /*
- * If the new field is an ANY, and we are storing, then
- * we need to save the tag out. We would have done this
- * already in the normal case, but since we were looking
- * for an optional field, and we did not find it, we only
- * now realize we need to save the tag.
- */
- unsigned char identifier;
-
- /*
- * Check that we did not end up with a high tag; for that
- * we need to re-encode the tag into multiple bytes in order
- * to store it back to look like what we parsed originally.
- * In practice this does not happen, but for completeness
- * sake it should probably be made to work at some point.
- */
- PORT_Assert (child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
- identifier = child_found_tag_modifiers | child_found_tag_number;
- sec_asn1d_record_any_header (child, (char *) &identifier, 1);
- }
- }
- }
-}
-
-
-static void
-sec_asn1d_concat_substrings (sec_asn1d_state *state)
-{
- PORT_Assert (state->place == afterConstructedString);
-
- if (state->subitems_head != NULL) {
- struct subitem *substring;
- unsigned long alloc_len, item_len;
- unsigned char *where;
- SECItem *item;
- PRBool is_bit_string;
-
- item_len = 0;
- is_bit_string = (state->underlying_kind == SEC_ASN1_BIT_STRING)
- ? PR_TRUE : PR_FALSE;
-
- substring = state->subitems_head;
- while (substring != NULL) {
- /*
- * All bit-string substrings except the last one should be
- * a clean multiple of 8 bits.
- */
- if (is_bit_string && (substring->next == NULL)
- && (substring->len & 0x7)) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return;
- }
- item_len += substring->len;
- substring = substring->next;
- }
-
- if (is_bit_string) {
-#ifdef XP_WIN16 /* win16 compiler gets an internal error otherwise */
- alloc_len = (((long)item_len + 7) / 8);
-#else
- alloc_len = ((item_len + 7) >> 3);
-#endif
- } else {
- /*
- * Add 2 for the end-of-contents octets of an indefinite-length
- * ANY that is *not* also an INNER. Because we zero-allocate
- * below, all we need to do is increase the length here.
- */
- if (state->underlying_kind == SEC_ASN1_ANY && state->indefinite)
- item_len += 2;
- alloc_len = item_len;
- }
-
- item = (SECItem *)(state->dest);
- PORT_Assert (item != NULL);
- PORT_Assert (item->data == NULL);
- item->data = (unsigned char*)sec_asn1d_zalloc (state->top->their_pool,
- alloc_len);
- if (item->data == NULL) {
- state->top->status = decodeError;
- return;
- }
- item->len = item_len;
-
- where = item->data;
- substring = state->subitems_head;
- while (substring != NULL) {
- if (is_bit_string)
- item_len = (substring->len + 7) >> 3;
- else
- item_len = substring->len;
- PORT_Memcpy (where, substring->data, item_len);
- where += item_len;
- substring = substring->next;
- }
-
- /*
- * Because we use arenas and have a mark set, we later free
- * everything we have allocated, so this does *not* present
- * a memory leak (it is just temporarily left dangling).
- */
- state->subitems_head = state->subitems_tail = NULL;
- }
-
- state->place = afterEndOfContents;
-}
-
-
-static void
-sec_asn1d_concat_group (sec_asn1d_state *state)
-{
- const void ***placep;
-
- PORT_Assert (state->place == afterGroup);
-
- placep = (const void***)state->dest;
- if (state->subitems_head != NULL) {
- struct subitem *item;
- const void **group;
- int count;
-
- count = 0;
- item = state->subitems_head;
- while (item != NULL) {
- PORT_Assert (item->next != NULL || item == state->subitems_tail);
- count++;
- item = item->next;
- }
-
- group = (const void**)sec_asn1d_zalloc (state->top->their_pool,
- (count + 1) * (sizeof(void *)));
- if (group == NULL) {
- state->top->status = decodeError;
- return;
- }
-
- PORT_Assert (placep != NULL);
- *placep = group;
-
- item = state->subitems_head;
- while (item != NULL) {
- *group++ = item->data;
- item = item->next;
- }
- *group = NULL;
-
- /*
- * Because we use arenas and have a mark set, we later free
- * everything we have allocated, so this does *not* present
- * a memory leak (it is just temporarily left dangling).
- */
- state->subitems_head = state->subitems_tail = NULL;
- } else if (placep != NULL) {
- *placep = NULL;
- }
-
- state->place = afterEndOfContents;
-}
-
-
-/*
- * For those states that push a child to handle a subtemplate,
- * "absorb" that child (transfer necessary information).
- */
-static void
-sec_asn1d_absorb_child (sec_asn1d_state *state)
-{
- /*
- * There is absolutely supposed to be a child there.
- */
- PORT_Assert (state->child != NULL);
-
- /*
- * Inherit the missing status of our child, and do the ugly
- * backing-up if necessary.
- * (Only IMPLICIT or POINTER should encounter such; all other cases
- * should have confirmed a tag *before* pushing a child.)
- */
- state->missing = state->child->missing;
- if (state->missing) {
- PORT_Assert (state->place == afterImplicit
- || state->place == afterPointer);
- state->found_tag_number = state->child->found_tag_number;
- state->found_tag_modifiers = state->child->found_tag_modifiers;
- state->endofcontents = state->child->endofcontents;
- }
-
- /*
- * Add in number of bytes consumed by child.
- * (Only EXPLICIT should have already consumed bytes itself.)
- */
- PORT_Assert (state->place == afterExplicit || state->consumed == 0);
- state->consumed += state->child->consumed;
-
- /*
- * Subtract from bytes pending; this only applies to a definite-length
- * EXPLICIT field.
- */
- if (state->pending) {
- PORT_Assert (!state->indefinite);
- PORT_Assert (state->place == afterExplicit);
-
- /*
- * If we had a definite-length explicit, then what the child
- * consumed should be what was left pending.
- */
- if (state->pending != state->child->consumed) {
- if (state->pending < state->child->consumed) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return;
- }
- /*
- * Okay, this is a hack. It *should* be an error whether
- * pending is too big or too small, but it turns out that
- * we had a bug in our *old* DER encoder that ended up
- * counting an explicit header twice in the case where
- * the underlying type was an ANY. So, because we cannot
- * prevent receiving these (our own certificate server can
- * send them to us), we need to be lenient and accept them.
- * To do so, we need to pretend as if we read all of the
- * bytes that the header said we would find, even though
- * we actually came up short.
- */
- state->consumed += (state->pending - state->child->consumed);
- }
- state->pending = 0;
- }
-
- /*
- * Indicate that we are done with child.
- */
- state->child->consumed = 0;
-
- /*
- * And move on to final state.
- * (Technically everybody could move to afterEndOfContents except
- * for an indefinite-length EXPLICIT; for simplicity though we assert
- * that but let the end-of-contents code do the real determination.)
- */
- PORT_Assert (state->place == afterExplicit || (! state->indefinite));
- state->place = beforeEndOfContents;
-}
-
-
-static void
-sec_asn1d_prepare_for_end_of_contents (sec_asn1d_state *state)
-{
- PORT_Assert (state->place == beforeEndOfContents);
-
- if (state->indefinite) {
- state->place = duringEndOfContents;
- state->pending = 2;
- } else {
- state->place = afterEndOfContents;
- }
-}
-
-
-static unsigned long
-sec_asn1d_parse_end_of_contents (sec_asn1d_state *state,
- const char *buf, unsigned long len)
-{
- int i;
-
- PORT_Assert (state->pending <= 2);
- PORT_Assert (state->place == duringEndOfContents);
-
- if (len == 0) {
- state->top->status = needBytes;
- return 0;
- }
-
- if (state->pending < len)
- len = state->pending;
-
- for (i = 0; i < len; i++) {
- if (buf[i] != 0) {
- /*
- * We expect to find only zeros; if not, just give up.
- */
- PORT_SetError (SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return 0;
- }
- }
-
- state->pending -= len;
-
- if (state->pending == 0) {
- state->place = afterEndOfContents;
- state->endofcontents = PR_TRUE;
- }
-
- return len;
-}
-
-
-static void
-sec_asn1d_pop_state (sec_asn1d_state *state)
-{
-#if 0 /* XXX I think this should always be handled explicitly by parent? */
- /*
- * Account for our child.
- */
- if (state->child != NULL) {
- state->consumed += state->child->consumed;
- if (state->pending) {
- PORT_Assert (!state->indefinite);
- PORT_Assert (state->child->consumed <= state->pending);
- state->pending -= state->child->consumed;
- }
- state->child->consumed = 0;
- }
-#endif /* XXX */
-
- /*
- * Free our child.
- */
- sec_asn1d_free_child (state, PR_FALSE);
-
- /*
- * Just make my parent be the current state. It will then clean
- * up after me and free me (or reuse me).
- */
- state->top->current = state->parent;
-}
-
-static sec_asn1d_state *
-sec_asn1d_before_choice
-(
- sec_asn1d_state *state
-)
-{
- sec_asn1d_state *child;
-
- if( state->allocate ) {
- void *dest;
-
- dest = sec_asn1d_zalloc(state->top->their_pool, state->theTemplate->size);
- if( (void *)NULL == dest ) {
- state->top->status = decodeError;
- return (sec_asn1d_state *)NULL;
- }
-
- state->dest = (char *)dest + state->theTemplate->offset;
- }
-
- child = sec_asn1d_push_state(state->top, state->theTemplate + 1,
- state->dest, PR_FALSE);
- if( (sec_asn1d_state *)NULL == child ) {
- return (sec_asn1d_state *)NULL;
- }
-
- sec_asn1d_scrub_state(child);
- child = sec_asn1d_init_state_based_on_template(child);
- if( (sec_asn1d_state *)NULL == child ) {
- return (sec_asn1d_state *)NULL;
- }
-
- child->optional = PR_TRUE;
-
- state->place = duringChoice;
-
- return child;
-}
-
-static sec_asn1d_state *
-sec_asn1d_during_choice
-(
- sec_asn1d_state *state
-)
-{
- sec_asn1d_state *child = state->child;
-
- PORT_Assert((sec_asn1d_state *)NULL != child);
-
- if( child->missing ) {
- unsigned char child_found_tag_modifiers = 0;
- unsigned long child_found_tag_number = 0;
-
- child->theTemplate++;
-
- if( 0 == child->theTemplate->kind ) {
- /* Ran out of choices */
- PORT_SetError(SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return (sec_asn1d_state *)NULL;
- }
-
- state->consumed += child->consumed;
-
- /* cargo'd from next_in_sequence innards */
- if( state->pending ) {
- PORT_Assert(!state->indefinite);
- PORT_Assert(child->consumed <= state->pending);
- state->pending -= child->consumed;
- if( 0 == state->pending ) {
- /* XXX uh.. not sure if I should have stopped this
- * from happening before. */
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return (sec_asn1d_state *)NULL;
- }
- }
-
- child->consumed = 0;
- sec_asn1d_scrub_state(child);
-
- /* move it on top again */
- state->top->current = child;
-
- child_found_tag_modifiers = child->found_tag_modifiers;
- child_found_tag_number = child->found_tag_number;
-
- child = sec_asn1d_init_state_based_on_template(child);
- if( (sec_asn1d_state *)NULL == child ) {
- return (sec_asn1d_state *)NULL;
- }
-
- /* copy our findings to the new top */
- child->found_tag_modifiers = child_found_tag_modifiers;
- child->found_tag_number = child_found_tag_number;
-
- child->optional = PR_TRUE;
- child->place = afterIdentifier;
-
- return child;
- } else {
- if( (void *)NULL != state->dest ) {
- /* Store the enum */
- int *which = (int *)((char *)state->dest + state->theTemplate->offset);
- *which = (int)child->theTemplate->size;
- }
-
- child->place = notInUse;
-
- state->place = afterChoice;
- return state;
- }
-}
-
-static void
-sec_asn1d_after_choice
-(
- sec_asn1d_state *state
-)
-{
- state->consumed += state->child->consumed;
- state->child->consumed = 0;
- state->place = afterEndOfContents;
- sec_asn1d_pop_state(state);
-}
-
-unsigned long
-sec_asn1d_uinteger(SECItem *src)
-{
- unsigned long value;
- int len;
-
- if (src->len > 5 || (src->len > 4 && src->data[0] == 0))
- return 0;
-
- value = 0;
- len = src->len;
- while (len) {
- value <<= 8;
- value |= src->data[--len];
- }
- return value;
-}
-
-SECStatus
-SEC_ASN1DecodeInteger(SECItem *src, unsigned long *value)
-{
- unsigned long v;
- int i;
-
- if (src->len > sizeof(unsigned long))
- return SECFailure;
-
- if (src->data[0] & 0x80)
- v = -1; /* signed and negative - start with all 1's */
- else
- v = 0;
-
- for (i= 0; i < src->len; i++) {
- /* shift in next byte */
- v <<= 8;
- v |= src->data[i];
- }
- *value = v;
- return SECSuccess;
-}
-
-#ifdef DEBUG_ASN1D_STATES
-static void
-dump_states
-(
- SEC_ASN1DecoderContext *cx
-)
-{
- sec_asn1d_state *state;
-
- for( state = cx->current; state->parent; state = state->parent ) {
- ;
- }
-
- for( ; state; state = state->child ) {
- int i;
- for( i = 0; i < state->depth; i++ ) {
- printf(" ");
- }
-
- printf("%s: template[0]->kind = 0x%02x, expect tag number = 0x%02x\n",
- (state == cx->current) ? "STATE" : "State",
- state->theTemplate->kind, state->expect_tag_number);
- }
-
- return;
-}
-#endif /* DEBUG_ASN1D_STATES */
-
-SECStatus
-SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx,
- const char *buf, unsigned long len)
-{
- sec_asn1d_state *state = NULL;
- unsigned long consumed;
- SEC_ASN1EncodingPart what;
-
-
- if (cx->status == needBytes)
- cx->status = keepGoing;
-
- while (cx->status == keepGoing) {
- state = cx->current;
- what = SEC_ASN1_Contents;
- consumed = 0;
-#ifdef DEBUG_ASN1D_STATES
- printf("\nPLACE = %s, next byte = 0x%02x\n",
- (state->place >= 0 && state->place <= notInUse) ?
- place_names[ state->place ] : "(undefined)",
- (unsigned int)((unsigned char *)buf)[ consumed ]);
- dump_states(cx);
-#endif /* DEBUG_ASN1D_STATES */
- switch (state->place) {
- case beforeIdentifier:
- consumed = sec_asn1d_parse_identifier (state, buf, len);
- what = SEC_ASN1_Identifier;
- break;
- case duringIdentifier:
- consumed = sec_asn1d_parse_more_identifier (state, buf, len);
- what = SEC_ASN1_Identifier;
- break;
- case afterIdentifier:
- sec_asn1d_confirm_identifier (state);
- break;
- case beforeLength:
- consumed = sec_asn1d_parse_length (state, buf, len);
- what = SEC_ASN1_Length;
- break;
- case duringLength:
- consumed = sec_asn1d_parse_more_length (state, buf, len);
- what = SEC_ASN1_Length;
- break;
- case afterLength:
- sec_asn1d_prepare_for_contents (state);
- break;
- case beforeBitString:
- consumed = sec_asn1d_parse_bit_string (state, buf, len);
- break;
- case duringBitString:
- consumed = sec_asn1d_parse_more_bit_string (state, buf, len);
- break;
- case duringConstructedString:
- sec_asn1d_next_substring (state);
- break;
- case duringGroup:
- sec_asn1d_next_in_group (state);
- break;
- case duringLeaf:
- consumed = sec_asn1d_parse_leaf (state, buf, len);
- break;
- case duringSaveEncoding:
- sec_asn1d_reuse_encoding (state);
- break;
- case duringSequence:
- sec_asn1d_next_in_sequence (state);
- break;
- case afterConstructedString:
- sec_asn1d_concat_substrings (state);
- break;
- case afterExplicit:
- case afterImplicit:
- case afterInline:
- case afterPointer:
- sec_asn1d_absorb_child (state);
- break;
- case afterGroup:
- sec_asn1d_concat_group (state);
- break;
- case afterSaveEncoding:
- /* XXX comment! */
- return SECSuccess;
- case beforeEndOfContents:
- sec_asn1d_prepare_for_end_of_contents (state);
- break;
- case duringEndOfContents:
- consumed = sec_asn1d_parse_end_of_contents (state, buf, len);
- what = SEC_ASN1_EndOfContents;
- break;
- case afterEndOfContents:
- sec_asn1d_pop_state (state);
- break;
- case beforeChoice:
- state = sec_asn1d_before_choice(state);
- break;
- case duringChoice:
- state = sec_asn1d_during_choice(state);
- break;
- case afterChoice:
- sec_asn1d_after_choice(state);
- break;
- case notInUse:
- default:
- /* This is not an error, but rather a plain old BUG! */
- PORT_Assert (0);
- PORT_SetError (SEC_ERROR_BAD_DER);
- cx->status = decodeError;
- break;
- }
-
- if (cx->status == decodeError)
- break;
-
- /* We should not consume more than we have. */
- PORT_Assert (consumed <= len);
-
- /* It might have changed, so we have to update our local copy. */
- state = cx->current;
-
- /* If it is NULL, we have popped all the way to the top. */
- if (state == NULL) {
- PORT_Assert (consumed == 0);
-#if 0 /* XXX I want this here, but it seems that we have situations (like
- * downloading a pkcs7 cert chain from some issuers) that give us a
- * length which is greater than the entire encoding. So, we cannot
- * have this be an error.
- */
- if (len > 0)
- cx->status = decodeError;
- else
-#endif
- cx->status = allDone;
- break;
- }
- else if (state->theTemplate->kind == SEC_ASN1_SKIP_REST) {
- cx->status = allDone;
- break;
- }
-
- if (consumed == 0)
- continue;
-
- /*
- * The following check is specifically looking for an ANY
- * that is *not* also an INNER, because we need to save aside
- * all bytes in that case -- the contents parts will get
- * handled like all other contents, and the end-of-contents
- * bytes are added by the concat code, but the outer header
- * bytes need to get saved too, so we do them explicitly here.
- */
- if (state->underlying_kind == SEC_ASN1_ANY
- && !cx->filter_only && (what == SEC_ASN1_Identifier
- || what == SEC_ASN1_Length)) {
- sec_asn1d_record_any_header (state, buf, consumed);
- }
-
- /*
- * We had some number of good, accepted bytes. If the caller
- * has registered to see them, pass them along.
- */
- if (state->top->filter_proc != NULL) {
- int depth;
-
- depth = state->depth;
- if (what == SEC_ASN1_EndOfContents && !state->indefinite) {
- PORT_Assert (state->parent != NULL
- && state->parent->indefinite);
- depth--;
- PORT_Assert (depth == state->parent->depth);
- }
- (* state->top->filter_proc) (state->top->filter_arg,
- buf, consumed, depth, what);
- }
-
- state->consumed += consumed;
- buf += consumed;
- len -= consumed;
- }
-
- if (cx->status == decodeError) {
- while (state != NULL) {
- sec_asn1d_free_child (state, PR_TRUE);
- state = state->parent;
- }
-#ifdef SEC_ASN1D_FREE_ON_ERROR /*
- * XXX This does not work because we can
- * end up leaving behind dangling pointers
- * to stuff that was allocated. In order
- * to make this really work (which would
- * be a good thing, I think), we need to
- * keep track of every place/pointer that
- * was allocated and make sure to NULL it
- * out before we then free back to the mark.
- */
- if (cx->their_pool != NULL) {
- PORT_Assert (cx->their_mark != NULL);
- PORT_ArenaRelease (cx->their_pool, cx->their_mark);
- }
-#endif
- return SECFailure;
- }
-
-#if 0 /* XXX This is what I want, but cannot have because it seems we
- * have situations (like when downloading a pkcs7 cert chain from
- * some issuers) that give us a total length which is greater than
- * the entire encoding. So, we have to allow allDone to have a
- * remaining length greater than zero. I wanted to catch internal
- * bugs with this, noticing when we do not have the right length.
- * Oh well.
- */
- PORT_Assert (len == 0
- && (cx->status == needBytes || cx->status == allDone));
-#else
- PORT_Assert ((len == 0 && cx->status == needBytes)
- || cx->status == allDone);
-#endif
- return SECSuccess;
-}
-
-
-SECStatus
-SEC_ASN1DecoderFinish (SEC_ASN1DecoderContext *cx)
-{
- SECStatus rv;
-
- if (cx->status == needBytes) {
- PORT_SetError (SEC_ERROR_BAD_DER);
- rv = SECFailure;
- } else {
- rv = SECSuccess;
- }
-
- /*
- * XXX anything else that needs to be finished?
- */
-
- PORT_FreeArena (cx->our_pool, PR_FALSE);
-
- return rv;
-}
-
-
-SEC_ASN1DecoderContext *
-SEC_ASN1DecoderStart (PRArenaPool *their_pool, void *dest,
- const SEC_ASN1Template *theTemplate)
-{
- PRArenaPool *our_pool;
- SEC_ASN1DecoderContext *cx;
-
- our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (our_pool == NULL)
- return NULL;
-
- cx = (SEC_ASN1DecoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
- if (cx == NULL) {
- PORT_FreeArena (our_pool, PR_FALSE);
- return NULL;
- }
-
- cx->our_pool = our_pool;
- if (their_pool != NULL) {
- cx->their_pool = their_pool;
-#ifdef SEC_ASN1D_FREE_ON_ERROR
- cx->their_mark = PORT_ArenaMark (their_pool);
-#endif
- }
-
- cx->status = needBytes;
-
- if (sec_asn1d_push_state(cx, theTemplate, dest, PR_FALSE) == NULL
- || sec_asn1d_init_state_based_on_template (cx->current) == NULL) {
- /*
- * Trouble initializing (probably due to failed allocations)
- * requires that we just give up.
- */
- PORT_FreeArena (our_pool, PR_FALSE);
- return NULL;
- }
-
- return cx;
-}
-
-
-void
-SEC_ASN1DecoderSetFilterProc (SEC_ASN1DecoderContext *cx,
- SEC_ASN1WriteProc fn, void *arg,
- PRBool only)
-{
- /* check that we are "between" fields here */
- PORT_Assert (cx->during_notify);
-
- cx->filter_proc = fn;
- cx->filter_arg = arg;
- cx->filter_only = only;
-}
-
-
-void
-SEC_ASN1DecoderClearFilterProc (SEC_ASN1DecoderContext *cx)
-{
- /* check that we are "between" fields here */
- PORT_Assert (cx->during_notify);
-
- cx->filter_proc = NULL;
- cx->filter_arg = NULL;
- cx->filter_only = PR_FALSE;
-}
-
-
-void
-SEC_ASN1DecoderSetNotifyProc (SEC_ASN1DecoderContext *cx,
- SEC_ASN1NotifyProc fn, void *arg)
-{
- cx->notify_proc = fn;
- cx->notify_arg = arg;
-}
-
-
-void
-SEC_ASN1DecoderClearNotifyProc (SEC_ASN1DecoderContext *cx)
-{
- cx->notify_proc = NULL;
- cx->notify_arg = NULL; /* not necessary; just being clean */
-}
-
-
-SECStatus
-SEC_ASN1Decode (PRArenaPool *poolp, void *dest,
- const SEC_ASN1Template *theTemplate,
- const char *buf, long len)
-{
- SEC_ASN1DecoderContext *dcx;
- SECStatus urv, frv;
-
- dcx = SEC_ASN1DecoderStart (poolp, dest, theTemplate);
- if (dcx == NULL)
- return SECFailure;
-
- urv = SEC_ASN1DecoderUpdate (dcx, buf, len);
- frv = SEC_ASN1DecoderFinish (dcx);
-
- if (urv != SECSuccess)
- return urv;
-
- return frv;
-}
-
-
-SECStatus
-SEC_ASN1DecodeItem (PRArenaPool *poolp, void *dest,
- const SEC_ASN1Template *theTemplate,
- SECItem *item)
-{
- return SEC_ASN1Decode (poolp, dest, theTemplate,
- (char *) item->data, item->len);
-}
-
-
-/*
- * Generic templates for individual/simple items and pointers to
- * and sets of same.
- *
- * If you need to add a new one, please note the following:
- * - For each new basic type you should add *four* templates:
- * one plain, one PointerTo, one SequenceOf and one SetOf.
- * - If the new type can be constructed (meaning, it is a
- * *string* type according to BER/DER rules), then you should
- * or-in SEC_ASN1_MAY_STREAM to the type in the basic template.
- * See the definition of the OctetString template for an example.
- * - It may not be obvious, but these are in *alphabetical*
- * order based on the SEC_ASN1_XXX name; so put new ones in
- * the appropriate place.
- */
-
-const SEC_ASN1Template SEC_AnyTemplate[] = {
- { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToAnyTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfAnyTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfAnyTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template SEC_BitStringTemplate[] = {
- { SEC_ASN1_BIT_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToBitStringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_BitStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_BitStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfBitStringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_BitStringTemplate }
-};
-
-const SEC_ASN1Template SEC_BMPStringTemplate[] = {
- { SEC_ASN1_BMP_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToBMPStringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_BMPStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_BMPStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfBMPStringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_BMPStringTemplate }
-};
-
-const SEC_ASN1Template SEC_BooleanTemplate[] = {
- { SEC_ASN1_BOOLEAN, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToBooleanTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_BooleanTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_BooleanTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfBooleanTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_BooleanTemplate }
-};
-
-const SEC_ASN1Template SEC_EnumeratedTemplate[] = {
- { SEC_ASN1_ENUMERATED, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_EnumeratedTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_EnumeratedTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_EnumeratedTemplate }
-};
-
-const SEC_ASN1Template SEC_GeneralizedTimeTemplate[] = {
- { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_GeneralizedTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_GeneralizedTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_GeneralizedTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_IA5StringTemplate[] = {
- { SEC_ASN1_IA5_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToIA5StringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_IA5StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_IA5StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfIA5StringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_IA5StringTemplate }
-};
-
-const SEC_ASN1Template SEC_IntegerTemplate[] = {
- { SEC_ASN1_INTEGER, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToIntegerTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_IntegerTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_IntegerTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfIntegerTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_IntegerTemplate }
-};
-
-const SEC_ASN1Template SEC_NullTemplate[] = {
- { SEC_ASN1_NULL, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToNullTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_NullTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfNullTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_NullTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfNullTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_NullTemplate }
-};
-
-const SEC_ASN1Template SEC_ObjectIDTemplate[] = {
- { SEC_ASN1_OBJECT_ID, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToObjectIDTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_ObjectIDTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_ObjectIDTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfObjectIDTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_ObjectIDTemplate }
-};
-
-const SEC_ASN1Template SEC_OctetStringTemplate[] = {
- { SEC_ASN1_OCTET_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToOctetStringTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, SEC_OctetStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_OctetStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfOctetStringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_OctetStringTemplate }
-};
-
-const SEC_ASN1Template SEC_PrintableStringTemplate[] = {
- { SEC_ASN1_PRINTABLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_PrintableStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_PrintableStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_PrintableStringTemplate }
-};
-
-const SEC_ASN1Template SEC_T61StringTemplate[] = {
- { SEC_ASN1_T61_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToT61StringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_T61StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_T61StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfT61StringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_T61StringTemplate }
-};
-
-const SEC_ASN1Template SEC_UniversalStringTemplate[] = {
- { SEC_ASN1_UNIVERSAL_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_UniversalStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_UniversalStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_UniversalStringTemplate }
-};
-
-const SEC_ASN1Template SEC_UTCTimeTemplate[] = {
- { SEC_ASN1_UTC_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_UTCTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTCTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_UTCTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_UTF8StringTemplate[] = {
- { SEC_ASN1_UTF8_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_UTF8StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTF8StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_UTF8StringTemplate }
-};
-
-const SEC_ASN1Template SEC_VisibleStringTemplate[] = {
- { SEC_ASN1_VISIBLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[] = {
- { SEC_ASN1_POINTER, 0, SEC_VisibleStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_VisibleStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[] = {
- { SEC_ASN1_SET_OF, 0, SEC_VisibleStringTemplate }
-};
-
-
-/*
- * Template for skipping a subitem.
- *
- * Note that it only makes sense to use this for decoding (when you want
- * to decode something where you are only interested in one or two of
- * the fields); you cannot encode a SKIP!
- */
-const SEC_ASN1Template SEC_SkipTemplate[] = {
- { SEC_ASN1_SKIP }
-};
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
deleted file mode 100644
index bc1be4e47..000000000
--- a/security/nss/lib/util/secasn1e.c
+++ /dev/null
@@ -1,1468 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
- * Encoding Rules).
- *
- * $Id$
- */
-
-#include "secasn1.h"
-
-typedef enum {
- beforeHeader,
- duringContents,
- duringGroup,
- duringSequence,
- afterContents,
- afterImplicit,
- afterInline,
- afterPointer,
- afterChoice,
- notInUse
-} sec_asn1e_parse_place;
-
-typedef enum {
- allDone,
- encodeError,
- keepGoing,
- needBytes
-} sec_asn1e_parse_status;
-
-typedef struct sec_asn1e_state_struct {
- SEC_ASN1EncoderContext *top;
- const SEC_ASN1Template *theTemplate;
- void *src;
-
- struct sec_asn1e_state_struct *parent; /* aka prev */
- struct sec_asn1e_state_struct *child; /* aka next */
-
- sec_asn1e_parse_place place; /* where we are in encoding process */
-
- /*
- * XXX explain the next fields as clearly as possible...
- */
- unsigned char tag_modifiers;
- unsigned char tag_number;
- unsigned long underlying_kind;
-
- int depth;
-
- PRBool explicit, /* we are handling an explicit header */
- indefinite, /* need end-of-contents */
- is_string, /* encoding a simple string or an ANY */
- may_stream, /* when streaming, do indefinite encoding */
- optional; /* omit field if it has no contents */
-} sec_asn1e_state;
-
-/*
- * An "outsider" will have an opaque pointer to this, created by calling
- * SEC_ASN1EncoderStart(). It will be passed back in to all subsequent
- * calls to SEC_ASN1EncoderUpdate() and related routines, and when done
- * it is passed to SEC_ASN1EncoderFinish().
- */
-struct sec_EncoderContext_struct {
- PRArenaPool *our_pool; /* for our internal allocs */
-
- sec_asn1e_state *current;
- sec_asn1e_parse_status status;
-
- PRBool streaming;
- PRBool from_buf;
-
- SEC_ASN1NotifyProc notify_proc; /* call before/after handling field */
- void *notify_arg; /* argument to notify_proc */
- PRBool during_notify; /* true during call to notify_proc */
-
- SEC_ASN1WriteProc output_proc; /* pass encoded bytes to this */
- void *output_arg; /* argument to that function */
-};
-
-
-static sec_asn1e_state *
-sec_asn1e_push_state (SEC_ASN1EncoderContext *cx,
- const SEC_ASN1Template *theTemplate,
- void *src, PRBool new_depth)
-{
- sec_asn1e_state *state, *new_state;
-
- state = cx->current;
-
- new_state = (sec_asn1e_state*)PORT_ArenaZAlloc (cx->our_pool,
- sizeof(*new_state));
- if (new_state == NULL) {
- cx->status = encodeError;
- return NULL;
- }
-
- new_state->top = cx;
- new_state->parent = state;
- new_state->theTemplate = theTemplate;
- new_state->place = notInUse;
- if (src != NULL)
- new_state->src = (char *)src + theTemplate->offset;
-
- if (state != NULL) {
- new_state->depth = state->depth;
- if (new_depth)
- new_state->depth++;
- state->child = new_state;
- }
-
- cx->current = new_state;
- return new_state;
-}
-
-
-static void
-sec_asn1e_scrub_state (sec_asn1e_state *state)
-{
- /*
- * Some default "scrubbing".
- * XXX right set of initializations?
- */
- state->place = beforeHeader;
- state->indefinite = PR_FALSE;
-}
-
-
-static void
-sec_asn1e_notify_before (SEC_ASN1EncoderContext *cx, void *src, int depth)
-{
- if (cx->notify_proc == NULL)
- return;
-
- cx->during_notify = PR_TRUE;
- (* cx->notify_proc) (cx->notify_arg, PR_TRUE, src, depth);
- cx->during_notify = PR_FALSE;
-}
-
-
-static void
-sec_asn1e_notify_after (SEC_ASN1EncoderContext *cx, void *src, int depth)
-{
- if (cx->notify_proc == NULL)
- return;
-
- cx->during_notify = PR_TRUE;
- (* cx->notify_proc) (cx->notify_arg, PR_FALSE, src, depth);
- cx->during_notify = PR_FALSE;
-}
-
-
-static sec_asn1e_state *
-sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
-{
- PRBool explicit, is_string, may_stream, optional, universal;
- unsigned char tag_modifiers;
- unsigned long encode_kind, under_kind;
- unsigned long tag_number;
-
-
- encode_kind = state->theTemplate->kind;
-
- universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
-
- explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_EXPLICIT;
-
- optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_OPTIONAL;
-
- PORT_Assert (!(explicit && universal)); /* bad templates */
-
- may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_MAY_STREAM;
-
- /* Just clear this to get it out of the way; we do not need it here */
- encode_kind &= ~SEC_ASN1_DYNAMIC;
-
- if( encode_kind & SEC_ASN1_CHOICE ) {
- under_kind = SEC_ASN1_CHOICE;
- } else
-
- if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
- && !explicit)) {
- const SEC_ASN1Template *subt;
- void *src;
-
- PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
-
- sec_asn1e_scrub_state (state);
-
- if (encode_kind & SEC_ASN1_POINTER) {
- /*
- * XXX This used to PORT_Assert (encode_kind == SEC_ASN1_POINTER);
- * but that was too restrictive. This needs to be fixed,
- * probably copying what the decoder now checks for, and
- * adding a big comment here to explain what the checks mean.
- */
- src = *(void **)state->src;
- state->place = afterPointer;
- if (src == NULL) {
- /*
- * If this is optional, but NULL, then the field does
- * not need to be encoded. In this case we are done;
- * we do not want to push a subtemplate.
- */
- if (optional)
- return state;
-
- /*
- * XXX this is an error; need to figure out
- * how to handle this
- */
- }
- } else {
- src = state->src;
- if (encode_kind & SEC_ASN1_INLINE) {
- /* check that there are no extraneous bits */
- PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
- state->place = afterInline;
- } else {
- /*
- * Save the tag modifiers and tag number here before moving
- * on to the next state in case this is a member of a
- * SEQUENCE OF
- */
- state->tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK
- & ~SEC_ASN1_TAGNUM_MASK;
- state->tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
-
- state->place = afterImplicit;
- state->optional = optional;
- }
- }
-
- subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src, PR_TRUE);
- state = sec_asn1e_push_state (state->top, subt, src, PR_FALSE);
- if (state == NULL)
- return NULL;
-
- if (universal) {
- /*
- * This is a POINTER or INLINE; just init based on that
- * and we are done.
- */
- return sec_asn1e_init_state_based_on_template (state);
- }
-
- /*
- * This is an implicit, non-universal (meaning, application-private
- * or context-specific) field. This results in a "magic" tag but
- * encoding based on the underlying type. We pushed a new state
- * that is based on the subtemplate (the underlying type), but
- * now we will sort of alias it to give it some of our properties
- * (tag, optional status, etc.).
- */
-
- under_kind = state->theTemplate->kind;
- if (under_kind & SEC_ASN1_MAY_STREAM) {
- may_stream = PR_TRUE;
- under_kind &= ~SEC_ASN1_MAY_STREAM;
- }
- } else {
- under_kind = encode_kind;
- }
-
- /*
- * Sanity check that there are no unwanted bits marked in under_kind.
- * These bits were either removed above (after we recorded them) or
- * they simply should not be found (signalling a bad/broken template).
- * XXX is this the right set of bits to test here? (i.e. need to add
- * or remove any?)
- */
- PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
- | SEC_ASN1_SKIP | SEC_ASN1_INNER
- | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
- | SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);
-
- if (encode_kind & SEC_ASN1_ANY) {
- PORT_Assert (encode_kind == under_kind);
- tag_modifiers = 0;
- tag_number = 0;
- is_string = PR_TRUE;
- } else {
- tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK;
- /*
- * XXX This assumes only single-octet identifiers. To handle
- * the HIGH TAG form we would need to do some more work, especially
- * in how to specify them in the template, because right now we
- * do not provide a way to specify more *tag* bits in encode_kind.
- */
- tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
-
- is_string = PR_FALSE;
- switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
- case SEC_ASN1_SET:
- /*
- * XXX A plain old SET (as opposed to a SET OF) is not implemented.
- * If it ever is, remove this assert...
- */
- PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
- /* fallthru */
- case SEC_ASN1_SEQUENCE:
- tag_modifiers |= SEC_ASN1_CONSTRUCTED;
- break;
- case SEC_ASN1_BIT_STRING:
- case SEC_ASN1_BMP_STRING:
- case SEC_ASN1_GENERALIZED_TIME:
- case SEC_ASN1_IA5_STRING:
- case SEC_ASN1_OCTET_STRING:
- case SEC_ASN1_PRINTABLE_STRING:
- case SEC_ASN1_T61_STRING:
- case SEC_ASN1_UNIVERSAL_STRING:
- case SEC_ASN1_UTC_TIME:
- case SEC_ASN1_UTF8_STRING:
- case SEC_ASN1_VISIBLE_STRING:
- /*
- * We do not yet know if we will be constructing the string,
- * so we have to wait to do this final tag modification.
- */
- is_string = PR_TRUE;
- break;
- }
- }
-
- state->tag_modifiers = tag_modifiers;
- state->tag_number = tag_number;
- state->underlying_kind = under_kind;
- state->explicit = explicit;
- state->may_stream = may_stream;
- state->is_string = is_string;
- state->optional = optional;
-
- sec_asn1e_scrub_state (state);
-
- return state;
-}
-
-
-static void
-sec_asn1e_write_part (sec_asn1e_state *state,
- const char *buf, unsigned long len,
- SEC_ASN1EncodingPart part)
-{
- SEC_ASN1EncoderContext *cx;
-
- cx = state->top;
- (* cx->output_proc) (cx->output_arg, buf, len, state->depth, part);
-}
-
-
-/*
- * XXX This assumes only single-octet identifiers. To handle
- * the HIGH TAG form we would need to modify this interface and
- * teach it to properly encode the special form.
- */
-static void
-sec_asn1e_write_identifier_bytes (sec_asn1e_state *state, unsigned char value)
-{
- char byte;
-
- byte = (char) value;
- sec_asn1e_write_part (state, &byte, 1, SEC_ASN1_Identifier);
-}
-
-int
-SEC_ASN1EncodeLength(unsigned char *buf,int value) {
- int lenlen;
-
- lenlen = SEC_ASN1LengthLength (value);
- if (lenlen == 1) {
- buf[0] = value;
- } else {
- int i;
-
- i = lenlen - 1;
- buf[0] = 0x80 | i;
- while (i) {
- buf[i--] = value;
- value >>= 8;
- }
- PORT_Assert (value == 0);
- }
- return lenlen;
-}
-
-static void
-sec_asn1e_write_length_bytes (sec_asn1e_state *state, unsigned long value,
- PRBool indefinite)
-{
- int lenlen;
- unsigned char buf[sizeof(unsigned long) + 1];
-
- if (indefinite) {
- PORT_Assert (value == 0);
- buf[0] = 0x80;
- lenlen = 1;
- } else {
- lenlen = SEC_ASN1EncodeLength(buf,value);
- }
-
- sec_asn1e_write_part (state, (char *) buf, lenlen, SEC_ASN1_Length);
-}
-
-
-static void
-sec_asn1e_write_contents_bytes (sec_asn1e_state *state,
- const char *buf, unsigned long len)
-{
- sec_asn1e_write_part (state, buf, len, SEC_ASN1_Contents);
-}
-
-
-static void
-sec_asn1e_write_end_of_contents_bytes (sec_asn1e_state *state)
-{
- const char eoc[2] = {0, 0};
-
- sec_asn1e_write_part (state, eoc, 2, SEC_ASN1_EndOfContents);
-}
-
-static int
-sec_asn1e_which_choice
-(
- void *src,
- const SEC_ASN1Template *theTemplate
-)
-{
- int rv;
- int which = *(int *)((char *)src + theTemplate->offset);
-
- for( rv = 1, theTemplate++; theTemplate->kind != 0; rv++, theTemplate++ ) {
- if( which == theTemplate->size ) {
- return rv;
- }
- }
-
- return 0;
-}
-
-static unsigned long
-sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
- PRBool *noheaderp)
-{
- unsigned long encode_kind, underlying_kind;
- PRBool explicit, optional, universal, may_stream;
- unsigned long len;
-
- encode_kind = theTemplate->kind;
-
- universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
- ? PR_TRUE : PR_FALSE;
-
- explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_EXPLICIT;
-
- optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_OPTIONAL;
-
- PORT_Assert (!(explicit && universal)); /* bad templates */
-
- may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
- encode_kind &= ~SEC_ASN1_MAY_STREAM;
-
- /* Just clear this to get it out of the way; we do not need it here */
- encode_kind &= ~SEC_ASN1_DYNAMIC;
-
- if( encode_kind & SEC_ASN1_CHOICE ) {
- void *src2;
- int indx = sec_asn1e_which_choice(src, theTemplate);
- if( 0 == indx ) {
- /* XXX set an error? "choice not found" */
- /* state->top->status = encodeError; */
- return 0;
- }
-
- src2 = (void *)((char *)src + theTemplate[indx].offset);
-
- return sec_asn1e_contents_length(&theTemplate[indx], src2, noheaderp);
- }
-
- if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || !universal) {
-
- /* XXX any bits we want to disallow (PORT_Assert against) here? */
-
- theTemplate = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
-
- if (encode_kind & SEC_ASN1_POINTER) {
- /*
- * XXX This used to PORT_Assert (encode_kind == SEC_ASN1_POINTER);
- * but that was too restrictive. This needs to be fixed,
- * probably copying what the decoder now checks for, and
- * adding a big comment here to explain what the checks mean.
- * Alternatively, the check here could be omitted altogether
- * just letting sec_asn1e_init_state_based_on_template
- * do it, since that routine can do better error handling, too.
- */
- src = *(void **)src;
- if (src == NULL) {
- if (optional)
- *noheaderp = PR_TRUE;
- else
- *noheaderp = PR_FALSE;
- return 0;
- }
- } else if (encode_kind & SEC_ASN1_INLINE) {
- /* check that there are no extraneous bits */
- PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
- }
-
- src = (char *)src + theTemplate->offset;
-
- if (explicit) {
- len = sec_asn1e_contents_length (theTemplate, src, noheaderp);
- if (len == 0 && optional) {
- *noheaderp = PR_TRUE;
- } else if (*noheaderp) {
- /* Okay, *we* do not want to add in a header, but our caller still does. */
- *noheaderp = PR_FALSE;
- } else {
- /* if the inner content exists, our length is
- * len(identifier) + len(length) + len(innercontent)
- * XXX we currently assume len(identifier) == 1;
- * to support a high-tag-number this would need to be smarter.
- */
- len += 1 + SEC_ASN1LengthLength (len);
- }
- return len;
- }
-
- underlying_kind = theTemplate->kind;
- underlying_kind &= ~SEC_ASN1_MAY_STREAM;
-
- /* XXX Should we recurse here? */
- } else {
- underlying_kind = encode_kind;
- }
-
- /* This is only used in decoding; it plays no part in encoding. */
- if (underlying_kind & SEC_ASN1_SAVE) {
- /* check that there are no extraneous bits */
- PORT_Assert (underlying_kind == SEC_ASN1_SAVE);
- *noheaderp = PR_TRUE;
- return 0;
- }
-
- /* Having any of these bits is not expected here... */
- PORT_Assert ((underlying_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
- | SEC_ASN1_INLINE | SEC_ASN1_POINTER
- | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
- | SEC_ASN1_SAVE | SEC_ASN1_SKIP)) == 0);
-
- if( underlying_kind & SEC_ASN1_CHOICE ) {
- void *src2;
- int indx = sec_asn1e_which_choice(src, theTemplate);
- if( 0 == indx ) {
- /* XXX set an error? "choice not found" */
- /* state->top->status = encodeError; */
- return 0;
- }
-
- src2 = (void *)((char *)src - theTemplate->offset + theTemplate[indx].offset);
- len = sec_asn1e_contents_length(&theTemplate[indx], src2, noheaderp);
- } else
-
- switch (underlying_kind) {
- case SEC_ASN1_SEQUENCE_OF:
- case SEC_ASN1_SET_OF:
- {
- const SEC_ASN1Template *tmpt;
- void *sub_src;
- unsigned long sub_len;
- void **group;
-
- len = 0;
-
- group = *(void ***)src;
- if (group == NULL)
- break;
-
- tmpt = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
-
- for (; *group != NULL; group++) {
- sub_src = (char *)(*group) + tmpt->offset;
- sub_len = sec_asn1e_contents_length (tmpt, sub_src, noheaderp);
- len += sub_len;
- /*
- * XXX The 1 below is the presumed length of the identifier;
- * to support a high-tag-number this would need to be smarter.
- */
- if (!*noheaderp)
- len += 1 + SEC_ASN1LengthLength (sub_len);
- }
- }
- break;
-
- case SEC_ASN1_SEQUENCE:
- case SEC_ASN1_SET:
- {
- const SEC_ASN1Template *tmpt;
- void *sub_src;
- unsigned long sub_len;
-
- len = 0;
- for (tmpt = theTemplate + 1; tmpt->kind; tmpt++) {
- sub_src = (char *)src + tmpt->offset;
- sub_len = sec_asn1e_contents_length (tmpt, sub_src, noheaderp);
- len += sub_len;
- /*
- * XXX The 1 below is the presumed length of the identifier;
- * to support a high-tag-number this would need to be smarter.
- */
- if (!*noheaderp)
- len += 1 + SEC_ASN1LengthLength (sub_len);
- }
- }
- break;
-
- case SEC_ASN1_BIT_STRING:
- /* convert bit length to byte */
- len = (((SECItem *)src)->len + 7) >> 3;
- /* bit string contents involve an extra octet */
- if (len)
- len++;
- break;
-
- default:
- len = ((SECItem *)src)->len;
- if (may_stream && len == 0)
- len = 1; /* if we're streaming, we may have a secitem w/len 0 as placeholder */
- break;
- }
-
- if ((len == 0 && optional) || underlying_kind == SEC_ASN1_ANY)
- *noheaderp = PR_TRUE;
- else
- *noheaderp = PR_FALSE;
-
- return len;
-}
-
-
-static void
-sec_asn1e_write_header (sec_asn1e_state *state)
-{
- unsigned long contents_length;
- unsigned char tag_number, tag_modifiers;
- PRBool noheader;
-
- PORT_Assert (state->place == beforeHeader);
-
- tag_number = state->tag_number;
- tag_modifiers = state->tag_modifiers;
-
- if (state->underlying_kind == SEC_ASN1_ANY) {
- state->place = duringContents;
- return;
- }
-
- if( state->underlying_kind & SEC_ASN1_CHOICE ) {
- void *src2;
- int indx = sec_asn1e_which_choice(state->src, state->theTemplate);
- if( 0 == indx ) {
- /* XXX set an error? "choice not found" */
- state->top->status = encodeError;
- return;
- }
-
- state->place = afterChoice;
- state = sec_asn1e_push_state(state->top, &state->theTemplate[indx],
- state->src, PR_TRUE);
-
- if( (sec_asn1e_state *)NULL != state ) {
- /*
- * Do the "before" field notification.
- */
- sec_asn1e_notify_before (state->top, state->src, state->depth);
- state = sec_asn1e_init_state_based_on_template (state);
- }
-
- return;
- }
-
- /*
- * We are doing a definite-length encoding. First we have to
- * walk the data structure to calculate the entire contents length.
- */
- contents_length = sec_asn1e_contents_length (state->theTemplate,
- state->src, &noheader);
- /*
- * We might be told explicitly not to put out a header.
- * But it can also be the case, via a pushed subtemplate, that
- * sec_asn1e_contents_length could not know that this field is
- * really optional. So check for that explicitly, too.
- */
- if (noheader || (contents_length == 0 && state->optional)) {
- state->place = afterContents;
- if (state->top->streaming && state->may_stream && state->top->from_buf)
- /* we did not find an optional indefinite string, so we don't encode it.
- * However, if TakeFromBuf is on, we stop here anyway to give our caller
- * a chance to intercept at the same point where we would stop if the
- * field were present. */
- state->top->status = needBytes;
- return;
- }
-
- if (state->top->streaming && state->may_stream
- && (state->top->from_buf || !state->is_string)) {
- /*
- * We need to put out an indefinite-length encoding.
- */
- state->indefinite = PR_TRUE;
- /*
- * The only universal types that can be constructed are SETs,
- * SEQUENCEs, and strings; so check that it is one of those,
- * or that it is not universal (e.g. context-specific).
- */
- PORT_Assert ((tag_number == SEC_ASN1_SET)
- || (tag_number == SEC_ASN1_SEQUENCE)
- || ((tag_modifiers & SEC_ASN1_CLASS_MASK) != 0)
- || state->is_string);
- tag_modifiers |= SEC_ASN1_CONSTRUCTED;
- contents_length = 0;
- }
-
- sec_asn1e_write_identifier_bytes (state, tag_number | tag_modifiers);
- sec_asn1e_write_length_bytes (state, contents_length, state->indefinite);
-
- if (contents_length == 0 && !state->indefinite) {
- /*
- * If no real contents to encode, then we are done with this field.
- */
- state->place = afterContents;
- return;
- }
-
- /*
- * An EXPLICIT is nothing but an outer header, which we have already
- * written. Now we need to do the inner header and contents.
- */
- if (state->explicit) {
- state->place = afterContents;
- state = sec_asn1e_push_state (state->top,
- SEC_ASN1GetSubtemplate(state->theTemplate,
- state->src,
- PR_TRUE),
- state->src, PR_TRUE);
- if (state != NULL)
- state = sec_asn1e_init_state_based_on_template (state);
- return;
- }
-
- switch (state->underlying_kind) {
- case SEC_ASN1_SET_OF:
- case SEC_ASN1_SEQUENCE_OF:
- /*
- * We need to push a child to handle each member.
- */
- {
- void **group;
- const SEC_ASN1Template *subt;
-
- group = *(void ***)state->src;
- if (group == NULL || *group == NULL) {
- /*
- * Group is empty; we are done.
- */
- state->place = afterContents;
- return;
- }
- state->place = duringGroup;
- subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src,
- PR_TRUE);
- state = sec_asn1e_push_state (state->top, subt, *group, PR_TRUE);
- if (state != NULL)
- state = sec_asn1e_init_state_based_on_template (state);
- }
- break;
-
- case SEC_ASN1_SEQUENCE:
- case SEC_ASN1_SET:
- /*
- * We need to push a child to handle the individual fields.
- */
- state->place = duringSequence;
- state = sec_asn1e_push_state (state->top, state->theTemplate + 1,
- state->src, PR_TRUE);
- if (state != NULL) {
- /*
- * Do the "before" field notification.
- */
- sec_asn1e_notify_before (state->top, state->src, state->depth);
- state = sec_asn1e_init_state_based_on_template (state);
- }
- break;
-
- default:
- /*
- * I think we do not need to do anything else.
- * XXX Correct?
- */
- state->place = duringContents;
- break;
- }
-}
-
-
-static void
-sec_asn1e_write_contents (sec_asn1e_state *state,
- const char *buf, unsigned long len)
-{
- PORT_Assert (state->place == duringContents);
-
- if (state->top->from_buf) {
- /*
- * Probably they just turned on "take from buf", but have not
- * yet given us any bytes. If there is nothing in the buffer
- * then we have nothing to do but return and wait.
- */
- if (buf == NULL || len == 0) {
- state->top->status = needBytes;
- return;
- }
- /*
- * We are streaming, reading from a passed-in buffer.
- * This means we are encoding a simple string or an ANY.
- * For the former, we need to put out a substring, with its
- * own identifier and length. For an ANY, we just write it
- * out as is (our caller is required to ensure that it
- * is a properly encoded entity).
- */
- PORT_Assert (state->is_string); /* includes ANY */
- if (state->underlying_kind != SEC_ASN1_ANY) {
- unsigned char identifier;
-
- /*
- * Create the identifier based on underlying_kind. We cannot
- * use tag_number and tag_modifiers because this can be an
- * implicitly encoded field. In that case, the underlying
- * substrings *are* encoded with their real tag.
- */
- identifier = state->underlying_kind & SEC_ASN1_TAG_MASK;
- /*
- * The underlying kind should just be a simple string; there
- * should be no bits like CONTEXT_SPECIFIC or CONSTRUCTED set.
- */
- PORT_Assert ((identifier & SEC_ASN1_TAGNUM_MASK) == identifier);
- /*
- * Write out the tag and length for the substring.
- */
- sec_asn1e_write_identifier_bytes (state, identifier);
- if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
- char byte;
- /*
- * Assume we have a length in bytes but we need to output
- * a proper bit string. This interface only works for bit
- * strings that are full multiples of 8. If support for
- * real, variable length bit strings is needed then the
- * caller will have to know to pass in a bit length instead
- * of a byte length and then this code will have to
- * perform the encoding necessary (length written is length
- * in bytes plus 1, and the first octet of string is the
- * number of bits remaining between the end of the bit
- * string and the next byte boundary).
- */
- sec_asn1e_write_length_bytes (state, len + 1, PR_FALSE);
- byte = 0;
- sec_asn1e_write_contents_bytes (state, &byte, 1);
- } else {
- sec_asn1e_write_length_bytes (state, len, PR_FALSE);
- }
- }
- sec_asn1e_write_contents_bytes (state, buf, len);
- state->top->status = needBytes;
- } else {
- switch (state->underlying_kind) {
- case SEC_ASN1_SET:
- case SEC_ASN1_SEQUENCE:
- PORT_Assert (0);
- break;
-
- case SEC_ASN1_BIT_STRING:
- {
- SECItem *item;
- char rem;
-
- item = (SECItem *)state->src;
- len = (item->len + 7) >> 3;
- rem = (len << 3) - item->len; /* remaining bits */
- sec_asn1e_write_contents_bytes (state, &rem, 1);
- sec_asn1e_write_contents_bytes (state, (char *) item->data,
- len);
- }
- break;
-
- case SEC_ASN1_BMP_STRING:
- /* The number of bytes must be divisable by 2 */
- if ((((SECItem *)state->src)->len) % 2) {
- SEC_ASN1EncoderContext *cx;
-
- cx = state->top;
- cx->status = encodeError;
- break;
- }
- /* otherwise, fall through to write the content */
- goto process_string;
-
- case SEC_ASN1_UNIVERSAL_STRING:
- /* The number of bytes must be divisable by 4 */
- if ((((SECItem *)state->src)->len) % 4) {
- SEC_ASN1EncoderContext *cx;
-
- cx = state->top;
- cx->status = encodeError;
- break;
- }
- /* otherwise, fall through to write the content */
- goto process_string;
-
-process_string:
- default:
- {
- SECItem *item;
-
- item = (SECItem *)state->src;
- sec_asn1e_write_contents_bytes (state, (char *) item->data,
- item->len);
- }
- break;
- }
- state->place = afterContents;
- }
-}
-
-
-/*
- * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
- */
-static void
-sec_asn1e_next_in_group (sec_asn1e_state *state)
-{
- sec_asn1e_state *child;
- void **group;
- void *member;
-
- PORT_Assert (state->place == duringGroup);
- PORT_Assert (state->child != NULL);
-
- child = state->child;
-
- group = *(void ***)state->src;
-
- /*
- * Find placement of current item.
- */
- member = (char *)(state->child->src) - child->theTemplate->offset;
- while (*group != member)
- group++;
-
- /*
- * Move forward to next item.
- */
- group++;
- if (*group == NULL) {
- /*
- * That was our last one; we are done now.
- */
- child->place = notInUse;
- state->place = afterContents;
- return;
- }
- child->src = (char *)(*group) + child->theTemplate->offset;
-
- /*
- * Re-"push" child.
- */
- sec_asn1e_scrub_state (child);
- state->top->current = child;
-}
-
-
-/*
- * We are moving along through a sequence; move forward by one,
- * (detecting end-of-sequence when it happens).
- */
-static void
-sec_asn1e_next_in_sequence (sec_asn1e_state *state)
-{
- sec_asn1e_state *child;
-
- PORT_Assert (state->place == duringSequence);
- PORT_Assert (state->child != NULL);
-
- child = state->child;
-
- /*
- * Do the "after" field notification.
- */
- sec_asn1e_notify_after (state->top, child->src, child->depth);
-
- /*
- * Move forward.
- */
- child->theTemplate++;
- if (child->theTemplate->kind == 0) {
- /*
- * We are done with this sequence.
- */
- child->place = notInUse;
- state->place = afterContents;
- return;
- }
-
- /*
- * Reset state and push.
- */
-
- child->src = (char *)state->src + child->theTemplate->offset;
-
- /*
- * Do the "before" field notification.
- */
- sec_asn1e_notify_before (state->top, child->src, child->depth);
-
- state->top->current = child;
- (void) sec_asn1e_init_state_based_on_template (child);
-}
-
-
-static void
-sec_asn1e_after_contents (sec_asn1e_state *state)
-{
- PORT_Assert (state->place == afterContents);
-
- if (state->indefinite)
- sec_asn1e_write_end_of_contents_bytes (state);
-
- /*
- * Just make my parent be the current state. It will then clean
- * up after me and free me (or reuse me).
- */
- state->top->current = state->parent;
-}
-
-
-/*
- * This function is called whether or not we are streaming; if we
- * *are* streaming, our caller can also instruct us to take bytes
- * from the passed-in buffer (at buf, for length len, which is likely
- * bytes but could even mean bits if the current field is a bit string).
- * If we have been so instructed, we will gobble up bytes from there
- * (rather than from our src structure) and output them, and then
- * we will just return, expecting to be called again -- either with
- * more bytes or after our caller has instructed us that we are done
- * (for now) with the buffer.
- */
-SECStatus
-SEC_ASN1EncoderUpdate (SEC_ASN1EncoderContext *cx,
- const char *buf, unsigned long len)
-{
- sec_asn1e_state *state;
-
- if (cx->status == needBytes) {
- PORT_Assert (buf != NULL && len != 0);
- cx->status = keepGoing;
- }
-
- while (cx->status == keepGoing) {
- state = cx->current;
- switch (state->place) {
- case beforeHeader:
- sec_asn1e_write_header (state);
- break;
- case duringContents:
- sec_asn1e_write_contents (state, buf, len);
- break;
- case duringGroup:
- sec_asn1e_next_in_group (state);
- break;
- case duringSequence:
- sec_asn1e_next_in_sequence (state);
- break;
- case afterContents:
- sec_asn1e_after_contents (state);
- break;
- case afterImplicit:
- case afterInline:
- case afterPointer:
- case afterChoice:
- /*
- * These states are more documentation than anything.
- * They just need to force a pop.
- */
- PORT_Assert (!state->indefinite);
- state->place = afterContents;
- break;
- case notInUse:
- default:
- /* This is not an error, but rather a plain old BUG! */
- PORT_Assert (0);
- cx->status = encodeError;
- break;
- }
-
- if (cx->status == encodeError)
- break;
-
- /* It might have changed, so we have to update our local copy. */
- state = cx->current;
-
- /* If it is NULL, we have popped all the way to the top. */
- if (state == NULL) {
- cx->status = allDone;
- break;
- }
- }
-
- if (cx->status == encodeError) {
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-
-void
-SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx)
-{
- /*
- * XXX anything else that needs to be finished?
- */
-
- PORT_FreeArena (cx->our_pool, PR_FALSE);
-}
-
-
-SEC_ASN1EncoderContext *
-SEC_ASN1EncoderStart (void *src, const SEC_ASN1Template *theTemplate,
- SEC_ASN1WriteProc output_proc, void *output_arg)
-{
- PRArenaPool *our_pool;
- SEC_ASN1EncoderContext *cx;
-
- our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (our_pool == NULL)
- return NULL;
-
- cx = (SEC_ASN1EncoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
- if (cx == NULL) {
- PORT_FreeArena (our_pool, PR_FALSE);
- return NULL;
- }
-
- cx->our_pool = our_pool;
- cx->output_proc = output_proc;
- cx->output_arg = output_arg;
-
- cx->status = keepGoing;
-
- if (sec_asn1e_push_state(cx, theTemplate, src, PR_FALSE) == NULL
- || sec_asn1e_init_state_based_on_template (cx->current) == NULL) {
- /*
- * Trouble initializing (probably due to failed allocations)
- * requires that we just give up.
- */
- PORT_FreeArena (our_pool, PR_FALSE);
- return NULL;
- }
-
- return cx;
-}
-
-
-/*
- * XXX Do we need a FilterProc, too?
- */
-
-
-void
-SEC_ASN1EncoderSetNotifyProc (SEC_ASN1EncoderContext *cx,
- SEC_ASN1NotifyProc fn, void *arg)
-{
- cx->notify_proc = fn;
- cx->notify_arg = arg;
-}
-
-
-void
-SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx)
-{
- cx->notify_proc = NULL;
- cx->notify_arg = NULL; /* not necessary; just being clean */
-}
-
-
-void
-SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx)
-{
- /* XXX is there a way to check that we are "between" fields here? */
-
- cx->streaming = PR_TRUE;
-}
-
-
-void
-SEC_ASN1EncoderClearStreaming (SEC_ASN1EncoderContext *cx)
-{
- /* XXX is there a way to check that we are "between" fields here? */
-
- cx->streaming = PR_FALSE;
-}
-
-
-void
-SEC_ASN1EncoderSetTakeFromBuf (SEC_ASN1EncoderContext *cx)
-{
- /*
- * XXX is there a way to check that we are "between" fields here? this
- * needs to include a check for being in between groups of items in
- * a SET_OF or SEQUENCE_OF.
- */
- PORT_Assert (cx->streaming);
-
- cx->from_buf = PR_TRUE;
-}
-
-
-void
-SEC_ASN1EncoderClearTakeFromBuf (SEC_ASN1EncoderContext *cx)
-{
- /* we should actually be taking from buf *now* */
- PORT_Assert (cx->from_buf);
- if (! cx->from_buf) /* if not, just do nothing */
- return;
-
- cx->from_buf = PR_FALSE;
-
- if (cx->status == needBytes) {
- cx->status = keepGoing;
- cx->current->place = afterContents;
- }
-}
-
-
-SECStatus
-SEC_ASN1Encode (void *src, const SEC_ASN1Template *theTemplate,
- SEC_ASN1WriteProc output_proc, void *output_arg)
-{
- SEC_ASN1EncoderContext *ecx;
- SECStatus rv;
-
- ecx = SEC_ASN1EncoderStart (src, theTemplate, output_proc, output_arg);
- if (ecx == NULL)
- return SECFailure;
-
- rv = SEC_ASN1EncoderUpdate (ecx, NULL, 0);
-
- SEC_ASN1EncoderFinish (ecx);
- return rv;
-}
-
-
-/*
- * XXX depth and data_kind are unused; is there a PC way to silence warnings?
- * (I mean "politically correct", not anything to do with intel/win platform)
- */
-static void
-sec_asn1e_encode_item_count (void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- unsigned long *count;
-
- count = (unsigned long*)arg;
- PORT_Assert (count != NULL);
-
- *count += len;
-}
-
-
-/* XXX depth and data_kind are unused; is there a PC way to silence warnings? */
-static void
-sec_asn1e_encode_item_store (void *arg, const char *buf, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind)
-{
- SECItem *dest;
-
- dest = (SECItem*)arg;
- PORT_Assert (dest != NULL);
-
- PORT_Memcpy (dest->data + dest->len, buf, len);
- dest->len += len;
-}
-
-
-/*
- * Allocate an entire SECItem, or just the data part of it, to hold
- * "len" bytes of stuff. Allocate from the given pool, if specified,
- * otherwise just do a vanilla PORT_Alloc.
- *
- * XXX This seems like a reasonable general-purpose function (for SECITEM_)?
- */
-static SECItem *
-sec_asn1e_allocate_item (PRArenaPool *poolp, SECItem *dest, unsigned long len)
-{
- if (poolp != NULL) {
- void *release;
-
- release = PORT_ArenaMark (poolp);
- if (dest == NULL)
- dest = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
- if (dest != NULL) {
- dest->data = (unsigned char*)PORT_ArenaAlloc (poolp, len);
- if (dest->data == NULL) {
- dest = NULL;
- }
- }
- if (dest == NULL) {
- /* one or both allocations failed; release everything */
- PORT_ArenaRelease (poolp, release);
- } else {
- /* everything okay; unmark the arena */
- PORT_ArenaUnmark (poolp, release);
- }
- } else {
- SECItem *indest;
-
- indest = dest;
- if (dest == NULL)
- dest = (SECItem*)PORT_Alloc (sizeof(SECItem));
- if (dest != NULL) {
- dest->data = (unsigned char*)PORT_Alloc (len);
- if (dest->data == NULL) {
- if (indest == NULL)
- PORT_Free (dest);
- dest = NULL;
- }
- }
- }
-
- return dest;
-}
-
-
-SECItem *
-SEC_ASN1EncodeItem (PRArenaPool *poolp, SECItem *dest, void *src,
- const SEC_ASN1Template *theTemplate)
-{
- unsigned long encoding_length;
- SECStatus rv;
-
- PORT_Assert (dest == NULL || dest->data == NULL);
-
- encoding_length = 0;
- rv = SEC_ASN1Encode (src, theTemplate,
- sec_asn1e_encode_item_count, &encoding_length);
- if (rv != SECSuccess)
- return NULL;
-
- dest = sec_asn1e_allocate_item (poolp, dest, encoding_length);
- if (dest == NULL)
- return NULL;
-
- /* XXX necessary? This really just checks for a bug in the allocate fn */
- PORT_Assert (dest->data != NULL);
- if (dest->data == NULL)
- return NULL;
-
- dest->len = 0;
- (void) SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_store, dest);
-
- PORT_Assert (encoding_length == dest->len);
- return dest;
-}
-
-
-static SECItem *
-sec_asn1e_integer(PRArenaPool *poolp, SECItem *dest, unsigned long value,
- PRBool make_unsigned)
-{
- unsigned long copy;
- unsigned char sign;
- int len = 0;
-
- /*
- * Determine the length of the encoded value (minimum of 1).
- */
- copy = value;
- do {
- len++;
- sign = copy & 0x80;
- copy >>= 8;
- } while (copy);
-
- /*
- * If this is an unsigned encoding, and the high bit of the last
- * byte we counted was set, we need to add one to the length so
- * we put a high-order zero byte in the encoding.
- */
- if (sign && make_unsigned)
- len++;
-
- /*
- * Allocate the item (if necessary) and the data pointer within.
- */
- dest = sec_asn1e_allocate_item (poolp, dest, len);
- if (dest == NULL)
- return NULL;
-
- /*
- * Store the value, byte by byte, in the item.
- */
- dest->len = len;
- while (len) {
- dest->data[--len] = value;
- value >>= 8;
- }
- PORT_Assert (value == 0);
-
- return dest;
-}
-
-
-SECItem *
-SEC_ASN1EncodeInteger(PRArenaPool *poolp, SECItem *dest, long value)
-{
- return sec_asn1e_integer (poolp, dest, (unsigned long) value, PR_FALSE);
-}
-
-
-extern SECItem *
-SEC_ASN1EncodeUnsignedInteger(PRArenaPool *poolp,
- SECItem *dest, unsigned long value)
-{
- return sec_asn1e_integer (poolp, dest, value, PR_TRUE);
-}
diff --git a/security/nss/lib/util/secasn1t.h b/security/nss/lib/util/secasn1t.h
deleted file mode 100644
index 1e87ed12c..000000000
--- a/security/nss/lib/util/secasn1t.h
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
- * Encoding Rules).
- *
- * $Id$
- */
-
-#ifndef _SECASN1T_H_
-#define _SECASN1T_H_
-
-/*
-** An array of these structures defines a BER/DER encoding for an object.
-**
-** The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE;
-** such an array is terminated with an entry where kind == 0. (An array
-** which consists of a single component does not require a second dummy
-** entry -- the array is only searched as long as previous component(s)
-** instruct it.)
-*/
-typedef struct sec_ASN1Template_struct {
- /*
- ** Kind of item being decoded/encoded, including tags and modifiers.
- */
- unsigned long kind;
-
- /*
- ** The value is the offset from the base of the structure to the
- ** field that holds the value being decoded/encoded.
- */
- unsigned long offset;
-
- /*
- ** When kind suggests it (SEC_ASN1_POINTER, SEC_ASN1_GROUP, SEC_ASN1_INLINE,
- ** or a component that is *not* a SEC_ASN1_UNIVERSAL), this points to
- ** a sub-template for nested encoding/decoding,
- ** OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer
- ** to a function which will return the appropriate template when called
- ** at runtime. NOTE! that explicit level of indirection, which is
- ** necessary because ANSI does not allow you to store a function
- ** pointer directly as a "void *" so we must store it separately and
- ** dereference it to get at the function pointer itself.
- */
- const void *sub;
-
- /*
- ** In the first element of a template array, the value is the size
- ** of the structure to allocate when this template is being referenced
- ** by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP.
- ** In all other cases, the value is ignored.
- */
- unsigned int size;
-} SEC_ASN1Template;
-
-
-/* default size used for allocation of encoding/decoding stuff */
-/* XXX what is the best value here? */
-#define SEC_ASN1_DEFAULT_ARENA_SIZE (2048)
-
-/*
-** BER/DER values for ASN.1 identifier octets.
-*/
-#define SEC_ASN1_TAG_MASK 0xff
-
-/*
- * BER/DER universal type tag numbers.
- * The values are defined by the X.208 standard; do not change them!
- * NOTE: if you add anything to this list, you must add code to secasn1d.c
- * to accept the tag, and probably also to secasn1e.c to encode it.
- * XXX It appears some have been added recently without being added to
- * the code; so need to go through the list now and double-check them all.
- * (Look especially at those added in revision 1.10.)
- */
-#define SEC_ASN1_TAGNUM_MASK 0x1f
-#define SEC_ASN1_BOOLEAN 0x01
-#define SEC_ASN1_INTEGER 0x02
-#define SEC_ASN1_BIT_STRING 0x03
-#define SEC_ASN1_OCTET_STRING 0x04
-#define SEC_ASN1_NULL 0x05
-#define SEC_ASN1_OBJECT_ID 0x06
-#define SEC_ASN1_OBJECT_DESCRIPTOR 0x07
-/* External type and instance-of type 0x08 */
-#define SEC_ASN1_REAL 0x09
-#define SEC_ASN1_ENUMERATED 0x0a
-#define SEC_ASN1_EMBEDDED_PDV 0x0b
-#define SEC_ASN1_UTF8_STRING 0x0c
-#define SEC_ASN1_SEQUENCE 0x10
-#define SEC_ASN1_SET 0x11
-#define SEC_ASN1_NUMERIC_STRING 0x12
-#define SEC_ASN1_PRINTABLE_STRING 0x13
-#define SEC_ASN1_T61_STRING 0x14
-#define SEC_ASN1_TELETEX_STRING SEC_ASN1_T61_STRING
-#define SEC_ASN1_VIDEOTEX_STRING 0x15
-#define SEC_ASN1_IA5_STRING 0x16
-#define SEC_ASN1_UTC_TIME 0x17
-#define SEC_ASN1_GENERALIZED_TIME 0x18
-#define SEC_ASN1_GRAPHIC_STRING 0x19
-#define SEC_ASN1_VISIBLE_STRING 0x1a
-#define SEC_ASN1_GENERAL_STRING 0x1b
-#define SEC_ASN1_UNIVERSAL_STRING 0x1c
-/* 0x1d */
-#define SEC_ASN1_BMP_STRING 0x1e
-#define SEC_ASN1_HIGH_TAG_NUMBER 0x1f
-
-/*
-** Modifiers to type tags. These are also specified by a/the
-** standard, and must not be changed.
-*/
-
-#define SEC_ASN1_METHOD_MASK 0x20
-#define SEC_ASN1_PRIMITIVE 0x00
-#define SEC_ASN1_CONSTRUCTED 0x20
-
-#define SEC_ASN1_CLASS_MASK 0xc0
-#define SEC_ASN1_UNIVERSAL 0x00
-#define SEC_ASN1_APPLICATION 0x40
-#define SEC_ASN1_CONTEXT_SPECIFIC 0x80
-#define SEC_ASN1_PRIVATE 0xc0
-
-/*
-** Our additions, used for templates.
-** These are not defined by any standard; the values are used internally only.
-** Just be careful to keep them out of the low 8 bits.
-** XXX finish comments
-*/
-#define SEC_ASN1_OPTIONAL 0x00100
-#define SEC_ASN1_EXPLICIT 0x00200
-#define SEC_ASN1_ANY 0x00400
-#define SEC_ASN1_INLINE 0x00800
-#define SEC_ASN1_POINTER 0x01000
-#define SEC_ASN1_GROUP 0x02000 /* with SET or SEQUENCE means
- * SET OF or SEQUENCE OF */
-#define SEC_ASN1_DYNAMIC 0x04000 /* subtemplate is found by calling
- * a function at runtime */
-#define SEC_ASN1_SKIP 0x08000 /* skip a field; only for decoding */
-#define SEC_ASN1_INNER 0x10000 /* with ANY means capture the
- * contents only (not the id, len,
- * or eoc); only for decoding */
-#define SEC_ASN1_SAVE 0x20000 /* stash away the encoded bytes first;
- * only for decoding */
-#define SEC_ASN1_MAY_STREAM 0x40000 /* field or one of its sub-fields may
- * stream in and so should encode as
- * indefinite-length when streaming
- * has been indicated; only for
- * encoding */
-#define SEC_ASN1_SKIP_REST 0x80000 /* skip all following fields;
- only for decoding */
-#define SEC_ASN1_CHOICE 0x100000 /* pick one from a template */
-
-/* Shorthand/Aliases */
-#define SEC_ASN1_SEQUENCE_OF (SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE)
-#define SEC_ASN1_SET_OF (SEC_ASN1_GROUP | SEC_ASN1_SET)
-#define SEC_ASN1_ANY_CONTENTS (SEC_ASN1_ANY | SEC_ASN1_INNER)
-
-/*
-** Function used for SEC_ASN1_DYNAMIC.
-** "arg" is a pointer to the structure being encoded/decoded
-** "enc", when true, means that we are encoding (false means decoding)
-*/
-typedef const SEC_ASN1Template * (* SEC_ChooseASN1TemplateFunc)(void *arg,
- PRBool enc);
-
-/*
-** Opaque object used by the decoder to store state.
-*/
-typedef struct sec_DecoderContext_struct SEC_ASN1DecoderContext;
-
-/*
-** Opaque object used by the encoder to store state.
-*/
-typedef struct sec_EncoderContext_struct SEC_ASN1EncoderContext;
-
-/*
- * This is used to describe to a filter function the bytes that are
- * being passed to it. This is only useful when the filter is an "outer"
- * one, meaning it expects to get *all* of the bytes not just the
- * contents octets.
- */
-typedef enum {
- SEC_ASN1_Identifier,
- SEC_ASN1_Length,
- SEC_ASN1_Contents,
- SEC_ASN1_EndOfContents
-} SEC_ASN1EncodingPart;
-
-/*
- * Type of the function pointer used either for decoding or encoding,
- * when doing anything "funny" (e.g. manipulating the data stream)
- */
-typedef void (* SEC_ASN1NotifyProc)(void *arg, PRBool before,
- void *dest, int real_depth);
-
-/*
- * Type of the function pointer used for grabbing encoded bytes.
- * This can be used during either encoding or decoding, as follows...
- *
- * When decoding, this can be used to filter the encoded bytes as they
- * are parsed. This is what you would do if you wanted to process the data
- * along the way (like to decrypt it, or to perform a hash on it in order
- * to do a signature check later). See SEC_ASN1DecoderSetFilterProc().
- * When processing only part of the encoded bytes is desired, you "watch"
- * for the field(s) you are interested in with a "notify proc" (see
- * SEC_ASN1DecoderSetNotifyProc()) and for even finer granularity (e.g. to
- * ignore all by the contents bytes) you pay attention to the "data_kind"
- * parameter.
- *
- * When encoding, this is the specification for the output function which
- * will receive the bytes as they are encoded. The output function can
- * perform any postprocessing necessary (like hashing (some of) the data
- * to create a digest that gets included at the end) as well as shoving
- * the data off wherever it needs to go. (In order to "tune" any processing,
- * you can set a "notify proc" as described above in the decoding case.)
- *
- * The parameters:
- * - "arg" is an opaque pointer that you provided at the same time you
- * specified a function of this type
- * - "data" is a buffer of length "len", containing the encoded bytes
- * - "depth" is how deep in a nested encoding we are (it is not usually
- * valuable, but can be useful sometimes so I included it)
- * - "data_kind" tells you if these bytes are part of the ASN.1 encoded
- * octets for identifier, length, contents, or end-of-contents
- */
-typedef void (* SEC_ASN1WriteProc)(void *arg,
- const char *data, unsigned long len,
- int depth, SEC_ASN1EncodingPart data_kind);
-
-#endif /* _SECASN1T_H_ */
diff --git a/security/nss/lib/util/secasn1u.c b/security/nss/lib/util/secasn1u.c
deleted file mode 100644
index ea068893b..000000000
--- a/security/nss/lib/util/secasn1u.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Utility routines to complement the ASN.1 encoding and decoding functions.
- *
- * $Id$
- */
-
-#include "secasn1.h"
-
-
-/*
- * We have a length that needs to be encoded; how many bytes will the
- * encoding take?
- *
- * The rules are that 0 - 0x7f takes one byte (the length itself is the
- * entire encoding); everything else takes one plus the number of bytes
- * in the length.
- */
-int
-SEC_ASN1LengthLength (unsigned long len)
-{
- int lenlen = 1;
-
- if (len > 0x7f) {
- do {
- lenlen++;
- len >>= 8;
- } while (len);
- }
-
- return lenlen;
-}
-
-
-/*
- * XXX Move over (and rewrite as appropriate) the rest of the
- * stuff in dersubr.c!
- */
-
-
-/*
- * Find the appropriate subtemplate for the given template.
- * This may involve calling a "chooser" function, or it may just
- * be right there. In either case, it is expected to *have* a
- * subtemplate; this is asserted in debug builds (in non-debug
- * builds, NULL will be returned).
- *
- * "thing" is a pointer to the structure being encoded/decoded
- * "encoding", when true, means that we are in the process of encoding
- * (as opposed to in the process of decoding)
- */
-const SEC_ASN1Template *
-SEC_ASN1GetSubtemplate (const SEC_ASN1Template *theTemplate, void *thing,
- PRBool encoding)
-{
- const SEC_ASN1Template *subt;
-
- PORT_Assert (theTemplate->sub != NULL);
- if (theTemplate->kind & SEC_ASN1_DYNAMIC) {
- SEC_ChooseASN1TemplateFunc chooser, *chooserp;
-
- chooserp = (SEC_ChooseASN1TemplateFunc *) theTemplate->sub;
- if (chooserp == NULL || *chooserp == NULL)
- return NULL;
- chooser = *chooserp;
- if (thing != NULL)
- thing = (char *)thing - theTemplate->offset;
- subt = (* chooser)(thing, encoding);
- } else {
- subt = (SEC_ASN1Template*)theTemplate->sub;
- }
-
- return subt;
-}
diff --git a/security/nss/lib/util/seccomon.h b/security/nss/lib/util/seccomon.h
deleted file mode 100644
index 707db8bbc..000000000
--- a/security/nss/lib/util/seccomon.h
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * seccomon.h - common data structures for security libraries
- *
- * This file should have lowest-common-denominator datastructures
- * for security libraries. It should not be dependent on any other
- * headers, and should not require linking with any libraries.
- *
- * $Id$
- */
-
-#ifndef _SECCOMMON_H_
-#define _SECCOMMON_H_
-
-#include "prtypes.h"
-
-
-#ifdef __cplusplus
-# define SEC_BEGIN_PROTOS extern "C" {
-# define SEC_END_PROTOS }
-#else
-# define SEC_BEGIN_PROTOS
-# define SEC_END_PROTOS
-#endif
-
-#include "secport.h"
-
-typedef enum {
- siBuffer,
- siClearDataBuffer,
- siCipherDataBuffer,
- siDERCertBuffer,
- siEncodedCertBuffer,
- siDERNameBuffer,
- siEncodedNameBuffer,
- siAsciiNameString,
- siAsciiString,
- siDEROID
-} SECItemType;
-
-typedef struct SECItemStr SECItem;
-
-struct SECItemStr {
- SECItemType type;
- unsigned char *data;
- unsigned int len;
-};
-
-/*
-** A status code. Status's are used by procedures that return status
-** values. Again the motivation is so that a compiler can generate
-** warnings when return values are wrong. Correct testing of status codes:
-**
-** SECStatus rv;
-** rv = some_function (some_argument);
-** if (rv != SECSuccess)
-** do_an_error_thing();
-**
-*/
-typedef enum _SECStatus {
- SECWouldBlock = -2,
- SECFailure = -1,
- SECSuccess = 0
-} SECStatus;
-
-/*
-** A comparison code. Used for procedures that return comparision
-** values. Again the motivation is so that a compiler can generate
-** warnings when return values are wrong.
-*/
-typedef enum _SECComparison {
- SECLessThan = -1,
- SECEqual = 0,
- SECGreaterThan = 1
-} SECComparison;
-
-#endif /* _SECCOMMON_H_ */
diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h
deleted file mode 100644
index 3f957ab9c..000000000
--- a/security/nss/lib/util/secder.h
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECDER_H_
-#define _SECDER_H_
-
-/*
- * secder.h - public data structures and prototypes for the DER encoding and
- * decoding utilities library
- *
- * $Id$
- */
-
-#include <time.h>
-#include "plarena.h"
-#include "prlong.h"
-
-#include "seccomon.h"
-#include "secdert.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Decode a piece of der encoded data.
-** "dest" points to a structure that will be filled in with the
-** decoding results. (NOTE: it should be zeroed before calling;
-** optional/missing fields are not zero-filled by DER_Decode.)
-** "t" is a template structure which defines the shape of the
-** expected data.
-** "src" is the der encoded data.
-** NOTE: substructures of "dest" will be allocated as needed from
-** "arena", but data subfields will point directly into the buffer
-** passed in as src->data. That is, the resulting "dest" structure
-** will contain pointers back into src->data, which must remain
-** active (allocated) and unmodified for as long as "dest" is active.
-** If this is a potential problem, you may want to just dup the buffer
-** (allocated from "arena", probably) and pass *that* in instead.
-*/
-extern SECStatus DER_Decode(PRArenaPool *arena, void *dest, DERTemplate *t,
- SECItem *src);
-
-/*
-** Encode a data structure into DER.
-** "dest" will be filled in (and memory allocated) to hold the der
-** encoded structure in "src"
-** "t" is a template structure which defines the shape of the
-** stored data
-** "src" is a pointer to the structure that will be encoded
-*/
-extern SECStatus DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *t,
- void *src);
-
-extern SECStatus DER_Lengths(SECItem *item, int *header_len_p, uint32 *contents_len_p);
-
-/*
-** Lower level der subroutine that stores the standard header into "to".
-** The header is of variable length, based on encodingLen.
-** The return value is the new value of "to" after skipping over the header.
-** "to" is where the header will be stored
-** "code" is the der code to write
-** "encodingLen" is the number of bytes of data that will follow
-** the header
-*/
-extern unsigned char *DER_StoreHeader(unsigned char *to, unsigned int code,
- uint32 encodingLen);
-
-/*
-** Return the number of bytes it will take to hold a der encoded length.
-*/
-extern int DER_LengthLength(uint32 len);
-
-/*
-** Store a der encoded *signed* integer (whose value is "src") into "dst".
-** XXX This should really be enhanced to take a long.
-*/
-extern SECStatus DER_SetInteger(PRArenaPool *arena, SECItem *dst, int32 src);
-
-/*
-** Store a der encoded *unsigned* integer (whose value is "src") into "dst".
-** XXX This should really be enhanced to take an unsigned long.
-*/
-extern SECStatus DER_SetUInteger(PRArenaPool *arena, SECItem *dst, uint32 src);
-
-/*
-** Decode a der encoded *signed* integer that is stored in "src".
-** If "-1" is returned, then the caller should check the error in
-** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
-*/
-extern long DER_GetInteger(SECItem *src);
-
-/*
-** Decode a der encoded *unsigned* integer that is stored in "src".
-** If the ULONG_MAX is returned, then the caller should check the error
-** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
-*/
-extern unsigned long DER_GetUInteger(SECItem *src);
-
-/*
-** Convert a "UNIX" time value to a der encoded time value.
-** "result" is the der encoded time (memory is allocated)
-** "time" is the "UNIX" time value (Since Jan 1st, 1970).
-** The caller is responsible for freeing up the buffer which
-** result->data points to upon a successfull operation.
-*/
-extern SECStatus DER_TimeToUTCTime(SECItem *result, int64 time);
-
-/*
-** Convert an ascii encoded time value (according to DER rules) into
-** a UNIX time value.
-** "result" the resulting "UNIX" time
-** "string" the der notation ascii value to decode
-*/
-extern SECStatus DER_AsciiToTime(int64 *result, char *string);
-
-/*
-** Same as DER_AsciiToTime except takes an SECItem instead of a string
-*/
-extern SECStatus DER_UTCTimeToTime(int64 *result, SECItem *time);
-
-/*
-** Convert a DER encoded UTC time to an ascii time representation
-** "utctime" is the DER encoded UTC time to be converted. The
-** caller is responsible for deallocating the returned buffer.
-*/
-extern char *DER_UTCTimeToAscii(SECItem *utcTime);
-
-/*
-** Convert a DER encoded UTC time to an ascii time representation, but only
-** include the day, not the time.
-** "utctime" is the DER encoded UTC time to be converted.
-** The caller is responsible for deallocating the returned buffer.
-*/
-extern char *DER_UTCDayToAscii(SECItem *utctime);
-
-/*
-** Convert a int64 time to a DER encoded Generalized time
-*/
-extern SECStatus DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime);
-
-/*
-** Convert a DER encoded Generalized time value into a UNIX time value.
-** "dst" the resulting "UNIX" time
-** "string" the der notation ascii value to decode
-*/
-extern SECStatus DER_GeneralizedTimeToTime(int64 *dst, SECItem *time);
-
-/*
-** Convert from a int64 UTC time value to a formatted ascii value. The
-** caller is responsible for deallocating the returned buffer.
-*/
-extern char *CERT_UTCTime2FormattedAscii (int64 utcTime, char *format);
-
-
-/*
-** Convert from a int64 Generalized time value to a formatted ascii value. The
-** caller is responsible for deallocating the returned buffer.
-*/
-extern char *CERT_GenTime2FormattedAscii (int64 genTime, char *format);
-
-SEC_END_PROTOS
-
-#endif /* _SECDER_H_ */
-
diff --git a/security/nss/lib/util/secdert.h b/security/nss/lib/util/secdert.h
deleted file mode 100644
index 86f3451cf..000000000
--- a/security/nss/lib/util/secdert.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECDERT_H_
-#define _SECDERT_H_
-/*
- * secdert.h - public data structures for the DER encoding and
- * decoding utilities library
- *
- * $Id$
- */
-
-typedef struct DERTemplateStr DERTemplate;
-
-/*
-** An array of these structures defines an encoding for an object using DER.
-** The array usually starts with a dummy entry whose kind is DER_SEQUENCE;
-** such an array is terminated with an entry where kind == 0. (An array
-** which consists of a single component does not require a second dummy
-** entry -- the array is only searched as long as previous component(s)
-** instruct it.)
-*/
-struct DERTemplateStr {
- /*
- ** Kind of item being decoded/encoded, including tags and modifiers.
- */
- unsigned long kind;
-
- /*
- ** Offset from base of structure to field that holds the value
- ** being decoded/encoded.
- */
- unsigned int offset;
-
- /*
- ** When kind suggests it (DER_POINTER, DER_INDEFINITE, DER_INLINE),
- ** this points to a sub-template for nested encoding/decoding.
- */
- DERTemplate *sub;
-
- /*
- ** Argument value, dependent on "kind" and/or template placement
- ** within an array of templates:
- ** - In the first element of a template array, the value is the
- ** size of the structure to allocate when this template is being
- ** referenced by another template via DER_POINTER or DER_INDEFINITE.
- ** - In a component of a DER_SET or DER_SEQUENCE which is *not* a
- ** DER_UNIVERSAL type (that is, it has a class tag for either
- ** DER_APPLICATION, DER_CONTEXT_SPECIFIC, or DER_PRIVATE), the
- ** value is the underlying type of item being decoded/encoded.
- */
- unsigned long arg;
-};
-
-/************************************************************************/
-
-/* default chunksize for arenas used for DER stuff */
-#define DER_DEFAULT_CHUNKSIZE (2048)
-
-/*
-** BER/DER values for ASN.1 identifier octets.
-*/
-#define DER_TAG_MASK 0xff
-
-/*
- * BER/DER universal type tag numbers.
- * The values are defined by the X.208 standard; do not change them!
- * NOTE: if you add anything to this list, you must add code to derdec.c
- * to accept the tag, and probably also to derenc.c to encode it.
- */
-#define DER_TAGNUM_MASK 0x1f
-#define DER_BOOLEAN 0x01
-#define DER_INTEGER 0x02
-#define DER_BIT_STRING 0x03
-#define DER_OCTET_STRING 0x04
-#define DER_NULL 0x05
-#define DER_OBJECT_ID 0x06
-#define DER_SEQUENCE 0x10
-#define DER_SET 0x11
-#define DER_PRINTABLE_STRING 0x13
-#define DER_T61_STRING 0x14
-#define DER_IA5_STRING 0x16
-#define DER_UTC_TIME 0x17
-#define DER_VISIBLE_STRING 0x1a
-#define DER_HIGH_TAG_NUMBER 0x1f
-
-/*
-** Modifiers to type tags. These are also specified by a/the
-** standard, and must not be changed.
-*/
-
-#define DER_METHOD_MASK 0x20
-#define DER_PRIMITIVE 0x00
-#define DER_CONSTRUCTED 0x20
-
-#define DER_CLASS_MASK 0xc0
-#define DER_UNIVERSAL 0x00
-#define DER_APPLICATION 0x40
-#define DER_CONTEXT_SPECIFIC 0x80
-#define DER_PRIVATE 0xc0
-
-/*
-** Our additions, used for templates.
-** These are not defined by any standard; the values are used internally only.
-** Just be careful to keep them out of the low 8 bits.
-*/
-#define DER_OPTIONAL 0x00100
-#define DER_EXPLICIT 0x00200
-#define DER_ANY 0x00400
-#define DER_INLINE 0x00800
-#define DER_POINTER 0x01000
-#define DER_INDEFINITE 0x02000
-#define DER_DERPTR 0x04000
-#define DER_SKIP 0x08000
-#define DER_FORCE 0x10000
-#define DER_OUTER 0x40000 /* for DER_DERPTR */
-
-/*
-** Macro to convert der decoded bit string into a decoded octet
-** string. All it needs to do is fiddle with the length code.
-*/
-#define DER_ConvertBitString(item) \
-{ \
- (item)->len = ((item)->len + 7) >> 3; \
-}
-
-extern DERTemplate SECAnyTemplate[];
-extern DERTemplate SECBitStringTemplate[];
-extern DERTemplate SECBooleanTemplate[];
-extern DERTemplate SECIA5StringTemplate[];
-extern DERTemplate SECIntegerTemplate[];
-extern DERTemplate SECNullTemplate[];
-extern DERTemplate SECObjectIDTemplate[];
-extern DERTemplate SECOctetStringTemplate[];
-extern DERTemplate SECPrintableStringTemplate[];
-extern DERTemplate SECT61StringTemplate[];
-extern DERTemplate SECUTCTimeTemplate[];
-extern DERTemplate SECAlgorithmIDTemplate[];
-
-#endif /* _SECDERT_H_ */
diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c
deleted file mode 100644
index 020829b84..000000000
--- a/security/nss/lib/util/secdig.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-#include "secdig.h"
-
-#include "secoid.h"
-#include "secasn1.h"
-#include "secerr.h"
-
-/*
- * XXX OLD Template. Once all uses have been switched over to new one,
- * remove this.
- */
-DERTemplate SGNDigestInfoTemplate[] = {
- { DER_SEQUENCE,
- 0, NULL, sizeof(SGNDigestInfo) },
- { DER_INLINE,
- offsetof(SGNDigestInfo,digestAlgorithm),
- SECAlgorithmIDTemplate, },
- { DER_OCTET_STRING,
- offsetof(SGNDigestInfo,digest), },
- { 0, }
-};
-
-/* XXX See comment below about SGN_DecodeDigestInfo -- keep this static! */
-/* XXX Changed from static -- need to change name? */
-const SEC_ASN1Template sgn_DigestInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SGNDigestInfo) },
- { SEC_ASN1_INLINE,
- offsetof(SGNDigestInfo,digestAlgorithm),
- SECOID_AlgorithmIDTemplate },
- { SEC_ASN1_OCTET_STRING,
- offsetof(SGNDigestInfo,digest) },
- { 0 }
-};
-
-/*
- * XXX Want to have a SGN_DecodeDigestInfo, like:
- * SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
- * that creates a pool and allocates from it and decodes didata into
- * the newly allocated DigestInfo structure. Then fix secvfy.c (it
- * will no longer need an arena itself) to call this and then call
- * DestroyDigestInfo when it is done, then can remove the old template
- * above and keep our new template static and "hidden".
- */
-
-/*
- * XXX It might be nice to combine the following two functions (create
- * and encode). I think that is all anybody ever wants to do anyway.
- */
-
-SECItem *
-SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest, SGNDigestInfo *diginfo)
-{
- return SEC_ASN1EncodeItem (poolp, dest, diginfo, sgn_DigestInfoTemplate);
-}
-
-SGNDigestInfo *
-SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
-{
- SGNDigestInfo *di;
- SECStatus rv;
- PRArenaPool *arena;
- SECItem *null_param;
- SECItem dummy_value;
-
- switch (algorithm) {
- case SEC_OID_MD2:
- case SEC_OID_MD5:
- case SEC_OID_SHA1:
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return NULL;
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- return NULL;
- }
-
- di = (SGNDigestInfo *) PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
- if (di == NULL) {
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
- }
-
- di->arena = arena;
-
- /*
- * PKCS #1 specifies that the AlgorithmID must have a NULL parameter
- * (as opposed to no parameter at all).
- */
- dummy_value.data = NULL;
- dummy_value.len = 0;
- null_param = SEC_ASN1EncodeItem(NULL, NULL, &dummy_value, SEC_NullTemplate);
- if (null_param == NULL) {
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(arena, &di->digestAlgorithm, algorithm,
- null_param);
-
- SECITEM_FreeItem(null_param, PR_TRUE);
-
- if (rv != SECSuccess) {
- goto loser;
- }
-
- di->digest.data = (unsigned char *) PORT_ArenaAlloc(arena, len);
- if (di->digest.data == NULL) {
- goto loser;
- }
-
- di->digest.len = len;
- PORT_Memcpy(di->digest.data, sig, len);
- return di;
-
- loser:
- SGN_DestroyDigestInfo(di);
- return NULL;
-}
-
-SGNDigestInfo *
-SGN_DecodeDigestInfo(SECItem *didata)
-{
- PRArenaPool *arena;
- SGNDigestInfo *di;
- SECStatus rv = SECFailure;
-
- arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
- if(arena == NULL)
- return NULL;
-
- di = (SGNDigestInfo *)PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
- if(di != NULL)
- {
- di->arena = arena;
- rv = SEC_ASN1DecodeItem(arena, di, sgn_DigestInfoTemplate, didata);
- }
-
- if((di == NULL) || (rv != SECSuccess))
- {
- PORT_FreeArena(arena, PR_TRUE);
- di = NULL;
- }
-
- return di;
-}
-
-void
-SGN_DestroyDigestInfo(SGNDigestInfo *di)
-{
- if (di && di->arena) {
- PORT_FreeArena(di->arena, PR_FALSE);
- }
-
- return;
-}
-
-SECStatus
-SGN_CopyDigestInfo(PRArenaPool *poolp, SGNDigestInfo *a, SGNDigestInfo *b)
-{
- SECStatus rv;
- void *mark;
-
- if((poolp == NULL) || (a == NULL) || (b == NULL))
- return SECFailure;
-
- mark = PORT_ArenaMark(poolp);
- a->arena = poolp;
- rv = SECOID_CopyAlgorithmID(poolp, &a->digestAlgorithm,
- &b->digestAlgorithm);
- if (rv == SECSuccess)
- rv = SECITEM_CopyItem(poolp, &a->digest, &b->digest);
-
- if (rv != SECSuccess) {
- PORT_ArenaRelease(poolp, mark);
- } else {
- PORT_ArenaUnmark(poolp, mark);
- }
-
- return rv;
-}
-
-SECComparison
-SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
-{
- SECComparison rv;
-
- /* Check signature algorithm's */
- rv = SECOID_CompareAlgorithmID(&a->digestAlgorithm, &b->digestAlgorithm);
- if (rv) return rv;
-
- /* Compare signature block length's */
- rv = SECITEM_CompareItem(&a->digest, &b->digest);
- return rv;
-}
diff --git a/security/nss/lib/util/secdig.h b/security/nss/lib/util/secdig.h
deleted file mode 100644
index bd2703f65..000000000
--- a/security/nss/lib/util/secdig.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * crypto.h - public data structures and prototypes for the crypto library
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _SECDIG_H_
-#define _SECDIG_H_
-
-#include "secdigt.h"
-
-#include "seccomon.h"
-#include "secasn1t.h"
-#include "secdert.h"
-
-
-extern const SEC_ASN1Template sgn_DigestInfoTemplate[];
-extern DERTemplate SGNDigestInfoTemplate[];
-
-
-SEC_BEGIN_PROTOS
-
-/****************************************/
-/*
-** Digest-info functions
-*/
-
-/*
-** Create a new digest-info object
-** "algorithm" one of SEC_OID_MD2, SEC_OID_MD5, or SEC_OID_SHA1
-** "sig" the raw signature data (from MD2 or MD5)
-** "sigLen" the length of the signature data
-**
-** NOTE: this is a low level routine used to prepare some data for PKCS#1
-** digital signature formatting.
-**
-** XXX It might be nice to combine the create and encode functions.
-** I think that is all anybody ever wants to do anyway.
-*/
-extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
- unsigned char *sig,
- unsigned int sigLen);
-
-/*
-** Destroy a digest-info object
-*/
-extern void SGN_DestroyDigestInfo(SGNDigestInfo *info);
-
-/*
-** Encode a digest-info object
-** "poolp" is where to allocate the result from; it can be NULL in
-** which case generic heap allocation (XP_ALLOC) will be used
-** "dest" is where to store the result; it can be NULL, in which case
-** it will be allocated (from poolp or heap, as explained above)
-** "diginfo" is the object to be encoded
-** The return value is NULL if any error occurred, otherwise it is the
-** resulting SECItem (either allocated or the same as the "dest" parameter).
-**
-** XXX It might be nice to combine the create and encode functions.
-** I think that is all anybody ever wants to do anyway.
-*/
-extern SECItem *SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest,
- SGNDigestInfo *diginfo);
-
-/*
-** Decode a DER encoded digest info objct.
-** didata is thr source of the encoded digest.
-** The return value is NULL if an error occurs. Otherwise, a
-** digest info object which is allocated within it's own
-** pool is returned. The digest info should be deleted
-** by later calling SGN_DestroyDigestInfo.
-*/
-extern SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
-
-
-/*
-** Copy digest info.
-** poolp is the arena to which the digest will be copied.
-** a is the destination digest, it must be non-NULL.
-** b is the source digest
-** This function is for copying digests. It allows digests
-** to be copied into a specified pool. If the digest is in
-** the same pool as other data, you do not want to delete
-** the digest by calling SGN_DestroyDigestInfo.
-** A return value of SECFailure indicates an error. A return
-** of SECSuccess indicates no error occured.
-*/
-extern SECStatus SGN_CopyDigestInfo(PRArenaPool *poolp,
- SGNDigestInfo *a,
- SGNDigestInfo *b);
-
-/*
-** Compare two digest-info objects, returning the difference between
-** them.
-*/
-extern SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b);
-
-
-SEC_END_PROTOS
-
-#endif /* _SECDIG_H_ */
diff --git a/security/nss/lib/util/secdigt.h b/security/nss/lib/util/secdigt.h
deleted file mode 100644
index fea6daa99..000000000
--- a/security/nss/lib/util/secdigt.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * secdigt.h - public data structures for digestinfos from the util lib.
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * $Id$
- */
-
-#ifndef _SECDIGT_H_
-#define _SECDIGT_H_
-
-#include "plarena.h"
-#include "secoidt.h"
-#include "secitem.h"
-
-/*
-** A PKCS#1 digest-info object
-*/
-struct SGNDigestInfoStr {
- PLArenaPool * arena;
- SECAlgorithmID digestAlgorithm;
- SECItem digest;
-};
-typedef struct SGNDigestInfoStr SGNDigestInfo;
-
-
-
-#endif /* _SECDIGT_H_ */
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
deleted file mode 100644
index 8b152f8e4..000000000
--- a/security/nss/lib/util/secerr.h
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef __SEC_ERR_H_
-#define __SEC_ERR_H_
-
-
-#define SEC_ERROR_BASE (-0x2000)
-#define SEC_ERROR_LIMIT (SEC_ERROR_BASE + 1000)
-
-#define IS_SEC_ERROR(code) \
- (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
-
-#ifndef NO_SECURITY_ERROR_ENUM
-typedef enum {
-SEC_ERROR_IO = SEC_ERROR_BASE + 0,
-SEC_ERROR_LIBRARY_FAILURE = SEC_ERROR_BASE + 1,
-SEC_ERROR_BAD_DATA = SEC_ERROR_BASE + 2,
-SEC_ERROR_OUTPUT_LEN = SEC_ERROR_BASE + 3,
-SEC_ERROR_INPUT_LEN = SEC_ERROR_BASE + 4,
-SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5,
-SEC_ERROR_INVALID_ALGORITHM = SEC_ERROR_BASE + 6,
-SEC_ERROR_INVALID_AVA = SEC_ERROR_BASE + 7,
-SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8,
-SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9,
-SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10,
-SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11,
-SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12,
-SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13,
-SEC_ERROR_BAD_KEY = SEC_ERROR_BASE + 14,
-SEC_ERROR_BAD_PASSWORD = SEC_ERROR_BASE + 15,
-SEC_ERROR_RETRY_PASSWORD = SEC_ERROR_BASE + 16,
-SEC_ERROR_NO_NODELOCK = SEC_ERROR_BASE + 17,
-SEC_ERROR_BAD_DATABASE = SEC_ERROR_BASE + 18,
-SEC_ERROR_NO_MEMORY = SEC_ERROR_BASE + 19,
-SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20,
-SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21,
-SEC_ERROR_DUPLICATE_CERT = (SEC_ERROR_BASE + 22),
-SEC_ERROR_DUPLICATE_CERT_NAME = (SEC_ERROR_BASE + 23),
-SEC_ERROR_ADDING_CERT = (SEC_ERROR_BASE + 24),
-SEC_ERROR_FILING_KEY = (SEC_ERROR_BASE + 25),
-SEC_ERROR_NO_KEY = (SEC_ERROR_BASE + 26),
-SEC_ERROR_CERT_VALID = (SEC_ERROR_BASE + 27),
-SEC_ERROR_CERT_NOT_VALID = (SEC_ERROR_BASE + 28),
-SEC_ERROR_CERT_NO_RESPONSE = (SEC_ERROR_BASE + 29),
-SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = (SEC_ERROR_BASE + 30),
-SEC_ERROR_CRL_EXPIRED = (SEC_ERROR_BASE + 31),
-SEC_ERROR_CRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 32),
-SEC_ERROR_CRL_INVALID = (SEC_ERROR_BASE + 33),
-SEC_ERROR_EXTENSION_VALUE_INVALID = (SEC_ERROR_BASE + 34),
-SEC_ERROR_EXTENSION_NOT_FOUND = (SEC_ERROR_BASE + 35),
-SEC_ERROR_CA_CERT_INVALID = (SEC_ERROR_BASE + 36),
-SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID = (SEC_ERROR_BASE + 37),
-SEC_ERROR_CERT_USAGES_INVALID = (SEC_ERROR_BASE + 38),
-SEC_INTERNAL_ONLY = (SEC_ERROR_BASE + 39),
-SEC_ERROR_INVALID_KEY = (SEC_ERROR_BASE + 40),
-SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 41),
-SEC_ERROR_OLD_CRL = (SEC_ERROR_BASE + 42),
-SEC_ERROR_NO_EMAIL_CERT = (SEC_ERROR_BASE + 43),
-SEC_ERROR_NO_RECIPIENT_CERTS_QUERY = (SEC_ERROR_BASE + 44),
-SEC_ERROR_NOT_A_RECIPIENT = (SEC_ERROR_BASE + 45),
-SEC_ERROR_PKCS7_KEYALG_MISMATCH = (SEC_ERROR_BASE + 46),
-SEC_ERROR_PKCS7_BAD_SIGNATURE = (SEC_ERROR_BASE + 47),
-SEC_ERROR_UNSUPPORTED_KEYALG = (SEC_ERROR_BASE + 48),
-SEC_ERROR_DECRYPTION_DISALLOWED = (SEC_ERROR_BASE + 49),
-/* Fortezza Alerts */
-XP_SEC_FORTEZZA_BAD_CARD = (SEC_ERROR_BASE + 50),
-XP_SEC_FORTEZZA_NO_CARD = (SEC_ERROR_BASE + 51),
-XP_SEC_FORTEZZA_NONE_SELECTED = (SEC_ERROR_BASE + 52),
-XP_SEC_FORTEZZA_MORE_INFO = (SEC_ERROR_BASE + 53),
-XP_SEC_FORTEZZA_PERSON_NOT_FOUND = (SEC_ERROR_BASE + 54),
-XP_SEC_FORTEZZA_NO_MORE_INFO = (SEC_ERROR_BASE + 55),
-XP_SEC_FORTEZZA_BAD_PIN = (SEC_ERROR_BASE + 56),
-XP_SEC_FORTEZZA_PERSON_ERROR = (SEC_ERROR_BASE + 57),
-SEC_ERROR_NO_KRL = (SEC_ERROR_BASE + 58),
-SEC_ERROR_KRL_EXPIRED = (SEC_ERROR_BASE + 59),
-SEC_ERROR_KRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 60),
-SEC_ERROR_REVOKED_KEY = (SEC_ERROR_BASE + 61),
-SEC_ERROR_KRL_INVALID = (SEC_ERROR_BASE + 62),
-SEC_ERROR_NEED_RANDOM = (SEC_ERROR_BASE + 63),
-SEC_ERROR_NO_MODULE = (SEC_ERROR_BASE + 64),
-SEC_ERROR_NO_TOKEN = (SEC_ERROR_BASE + 65),
-SEC_ERROR_READ_ONLY = (SEC_ERROR_BASE + 66),
-SEC_ERROR_NO_SLOT_SELECTED = (SEC_ERROR_BASE + 67),
-SEC_ERROR_CERT_NICKNAME_COLLISION = (SEC_ERROR_BASE + 68),
-SEC_ERROR_KEY_NICKNAME_COLLISION = (SEC_ERROR_BASE + 69),
-SEC_ERROR_SAFE_NOT_CREATED = (SEC_ERROR_BASE + 70),
-SEC_ERROR_BAGGAGE_NOT_CREATED = (SEC_ERROR_BASE + 71),
-XP_JAVA_REMOVE_PRINCIPAL_ERROR = (SEC_ERROR_BASE + 72),
-XP_JAVA_DELETE_PRIVILEGE_ERROR = (SEC_ERROR_BASE + 73),
-XP_JAVA_CERT_NOT_EXISTS_ERROR = (SEC_ERROR_BASE + 74),
-SEC_ERROR_BAD_EXPORT_ALGORITHM = (SEC_ERROR_BASE + 75),
-SEC_ERROR_EXPORTING_CERTIFICATES = (SEC_ERROR_BASE + 76),
-SEC_ERROR_IMPORTING_CERTIFICATES = (SEC_ERROR_BASE + 77),
-SEC_ERROR_PKCS12_DECODING_PFX = (SEC_ERROR_BASE + 78),
-SEC_ERROR_PKCS12_INVALID_MAC = (SEC_ERROR_BASE + 79),
-SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM = (SEC_ERROR_BASE + 80),
-SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE = (SEC_ERROR_BASE + 81),
-SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE = (SEC_ERROR_BASE + 82),
-SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM = (SEC_ERROR_BASE + 83),
-SEC_ERROR_PKCS12_UNSUPPORTED_VERSION = (SEC_ERROR_BASE + 84),
-SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT = (SEC_ERROR_BASE + 85),
-SEC_ERROR_PKCS12_CERT_COLLISION = (SEC_ERROR_BASE + 86),
-SEC_ERROR_USER_CANCELLED = (SEC_ERROR_BASE + 87),
-SEC_ERROR_PKCS12_DUPLICATE_DATA = (SEC_ERROR_BASE + 88),
-SEC_ERROR_MESSAGE_SEND_ABORTED = (SEC_ERROR_BASE + 89),
-SEC_ERROR_INADEQUATE_KEY_USAGE = (SEC_ERROR_BASE + 90),
-SEC_ERROR_INADEQUATE_CERT_TYPE = (SEC_ERROR_BASE + 91),
-SEC_ERROR_CERT_ADDR_MISMATCH = (SEC_ERROR_BASE + 92),
-SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY = (SEC_ERROR_BASE + 93),
-SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN = (SEC_ERROR_BASE + 94),
-SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
-SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY = (SEC_ERROR_BASE + 96),
-SEC_ERROR_PKCS12_UNABLE_TO_WRITE = (SEC_ERROR_BASE + 97),
-SEC_ERROR_PKCS12_UNABLE_TO_READ = (SEC_ERROR_BASE + 98),
-SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED = (SEC_ERROR_BASE + 99),
-SEC_ERROR_KEYGEN_FAIL = (SEC_ERROR_BASE + 100),
-SEC_ERROR_INVALID_PASSWORD = (SEC_ERROR_BASE + 101),
-SEC_ERROR_RETRY_OLD_PASSWORD = (SEC_ERROR_BASE + 102),
-SEC_ERROR_BAD_NICKNAME = (SEC_ERROR_BASE + 103),
-SEC_ERROR_NOT_FORTEZZA_ISSUER = (SEC_ERROR_BASE + 104),
-/* UNUSED (SEC_ERROR_BASE + 105) */
-SEC_ERROR_JS_INVALID_MODULE_NAME = (SEC_ERROR_BASE + 106),
-SEC_ERROR_JS_INVALID_DLL = (SEC_ERROR_BASE + 107),
-SEC_ERROR_JS_ADD_MOD_FAILURE = (SEC_ERROR_BASE + 108),
-SEC_ERROR_JS_DEL_MOD_FAILURE = (SEC_ERROR_BASE + 109),
-SEC_ERROR_OLD_KRL = (SEC_ERROR_BASE + 110),
-SEC_ERROR_CKL_CONFLICT = (SEC_ERROR_BASE + 111),
-SEC_ERROR_CERT_NOT_IN_NAME_SPACE = (SEC_ERROR_BASE + 112),
-SEC_ERROR_KRL_NOT_YET_VALID = (SEC_ERROR_BASE + 113),
-SEC_ERROR_CRL_NOT_YET_VALID = (SEC_ERROR_BASE + 114),
-SEC_ERROR_UNKNOWN_CERT = (SEC_ERROR_BASE + 115),
-SEC_ERROR_UNKNOWN_SIGNER = (SEC_ERROR_BASE + 116),
-SEC_ERROR_CERT_BAD_ACCESS_LOCATION = (SEC_ERROR_BASE + 117),
-SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE = (SEC_ERROR_BASE + 118),
-SEC_ERROR_OCSP_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 119),
-SEC_ERROR_OCSP_MALFORMED_REQUEST = (SEC_ERROR_BASE + 120),
-SEC_ERROR_OCSP_SERVER_ERROR = (SEC_ERROR_BASE + 121),
-SEC_ERROR_OCSP_TRY_SERVER_LATER = (SEC_ERROR_BASE + 122),
-SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = (SEC_ERROR_BASE + 123),
-SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = (SEC_ERROR_BASE + 124),
-SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS = (SEC_ERROR_BASE + 125),
-SEC_ERROR_OCSP_UNKNOWN_CERT = (SEC_ERROR_BASE + 126),
-SEC_ERROR_OCSP_NOT_ENABLED = (SEC_ERROR_BASE + 127),
-SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER = (SEC_ERROR_BASE + 128),
-SEC_ERROR_OCSP_MALFORMED_RESPONSE = (SEC_ERROR_BASE + 129),
-SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = (SEC_ERROR_BASE + 130),
-SEC_ERROR_OCSP_FUTURE_RESPONSE = (SEC_ERROR_BASE + 131),
-SEC_ERROR_OCSP_OLD_RESPONSE = (SEC_ERROR_BASE + 132),
-/* smime stuff */
-SEC_ERROR_DIGEST_NOT_FOUND = (SEC_ERROR_BASE + 133),
-SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE = (SEC_ERROR_BASE + 134)
-
-} SECErrorCodes;
-#endif /* NO_SECURITY_ERROR_ENUM */
-
-#endif /* __SEC_ERR_H_ */
diff --git a/security/nss/lib/util/secinit.c b/security/nss/lib/util/secinit.c
deleted file mode 100644
index a18b1243b..000000000
--- a/security/nss/lib/util/secinit.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "nspr.h"
-#include "secport.h"
-
-static int sec_inited = 0;
-
-void
-SEC_Init(void)
-{
- /* PR_Init() must be called before SEC_Init() */
-#if !defined(SERVER_BUILD)
- PORT_Assert(PR_Initialized() == PR_TRUE);
-#endif
- if (sec_inited)
- return;
-
- sec_inited = 1;
-}
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
deleted file mode 100644
index f185d60b9..000000000
--- a/security/nss/lib/util/secitem.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * Support routines for SECItem data structure.
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "base64.h"
-#include "secerr.h"
-
-SECItem *
-SECITEM_AllocItem(PRArenaPool *arena, SECItem *item, unsigned int len)
-{
- SECItem *result = NULL;
- void *mark;
-
- if (arena != NULL) {
- mark = PORT_ArenaMark(arena);
- }
-
- if (item == NULL) {
- if (arena != NULL) {
- result = PORT_ArenaZAlloc(arena, sizeof(SECItem));
- } else {
- result = PORT_ZAlloc(sizeof(SECItem));
- }
- if (result == NULL) {
- goto loser;
- }
- } else {
- PORT_Assert(item->data == NULL);
- result = item;
- }
-
- result->len = len;
- if (len) {
- if (arena != NULL) {
- result->data = PORT_ArenaAlloc(arena, len);
- } else {
- result->data = PORT_Alloc(len);
- }
- }
-
- if (arena != NULL) {
- PORT_ArenaUnmark(arena, mark);
- }
- return(result);
-
-loser:
- if (arena != NULL) {
- PORT_ArenaRelease(arena, mark);
- if (item != NULL) {
- item->data = NULL;
- item->len = 0;
- }
- } else {
- if (result != NULL) {
- SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
- }
- }
- return(NULL);
-}
-
-SECStatus
-SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item, unsigned int oldlen,
- unsigned int newlen)
-{
- PORT_Assert(item != NULL);
- if (item == NULL) {
- /* XXX Set error. But to what? */
- return SECFailure;
- }
-
- /*
- * If no old length, degenerate to just plain alloc.
- */
- if (oldlen == 0) {
- PORT_Assert(item->data == NULL || item->len == 0);
- if (newlen == 0) {
- /* Nothing to do. Weird, but not a failure. */
- return SECSuccess;
- }
- item->len = newlen;
- if (arena != NULL) {
- item->data = PORT_ArenaAlloc(arena, newlen);
- } else {
- item->data = PORT_Alloc(newlen);
- }
- } else {
- if (arena != NULL) {
- item->data = PORT_ArenaGrow(arena, item->data, oldlen, newlen);
- } else {
- item->data = PORT_Realloc(item->data, newlen);
- }
- }
-
- if (item->data == NULL) {
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-SECComparison
-SECITEM_CompareItem(const SECItem *a, const SECItem *b)
-{
- unsigned m;
- SECComparison rv;
-
- m = ( ( a->len < b->len ) ? a->len : b->len );
-
- rv = (SECComparison) PORT_Memcmp(a->data, b->data, m);
- if (rv) {
- return rv;
- }
- if (a->len < b->len) {
- return SECLessThan;
- }
- if (a->len == b->len) {
- return SECEqual;
- }
- return SECGreaterThan;
-}
-
-PRBool
-SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
-{
- if (SECITEM_CompareItem(a, b) == SECEqual)
- return PR_TRUE;
-
- return PR_FALSE;
-}
-
-SECItem *
-SECITEM_DupItem(const SECItem *from)
-{
- SECItem *to;
-
- if ( from == NULL ) {
- return(NULL);
- }
-
- to = (SECItem *)PORT_Alloc(sizeof(SECItem));
- if ( to == NULL ) {
- return(NULL);
- }
-
- to->data = (unsigned char *)PORT_Alloc(from->len);
- if ( to->data == NULL ) {
- PORT_Free(to);
- return(NULL);
- }
-
- to->len = from->len;
- PORT_Memcpy(to->data, from->data, to->len);
-
- return(to);
-}
-
-SECStatus
-SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, const SECItem *from)
-{
- if (from->data && from->len) {
- if ( arena ) {
- to->data = (unsigned char*) PORT_ArenaAlloc(arena, from->len);
- } else {
- to->data = (unsigned char*) PORT_Alloc(from->len);
- }
-
- if (!to->data) {
- return SECFailure;
- }
- PORT_Memcpy(to->data, from->data, from->len);
- to->len = from->len;
- } else {
- to->data = 0;
- to->len = 0;
- }
- return SECSuccess;
-}
-
-void
-SECITEM_FreeItem(SECItem *zap, PRBool freeit)
-{
- if (zap) {
- PORT_Free(zap->data);
- zap->data = 0;
- zap->len = 0;
- if (freeit) {
- PORT_Free(zap);
- }
- }
-}
-
-void
-SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
-{
- if (zap) {
- PORT_ZFree(zap->data, zap->len);
- zap->data = 0;
- zap->len = 0;
- if (freeit) {
- PORT_ZFree(zap, sizeof(SECItem));
- }
- }
-}
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
deleted file mode 100644
index 3928cad98..000000000
--- a/security/nss/lib/util/secitem.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECITEM_H_
-#define _SECITEM_H_
-/*
- * secitem.h - public data structures and prototypes for handling
- * SECItems
- *
- * $Id$
- */
-
-#include "plarena.h"
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Allocate an item. If "arena" is not NULL, then allocate from there,
-** otherwise allocate from the heap. If "item" is not NULL, allocate
-** only the data for the item, not the item itself. The item structure
-** is allocated zero-filled; the data buffer is not zeroed.
-**
-** The resulting item is returned; NULL if any error occurs.
-**
-** XXX This probably should take a SECItemType, but since that is mostly
-** unused and our improved APIs (aka Stan) are looming, I left it out.
-*/
-extern SECItem *SECITEM_AllocItem(PRArenaPool *arena, SECItem *item,
- unsigned int len);
-
-/*
-** Reallocate the data for the specified "item". If "arena" is not NULL,
-** then reallocate from there, otherwise reallocate from the heap.
-** In the case where oldlen is 0, the data is allocated (not reallocated).
-** In any case, "item" is expected to be a valid SECItem pointer;
-** SECFailure is returned if it is not. If the allocation succeeds,
-** SECSuccess is returned.
-*/
-extern SECStatus SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item,
- unsigned int oldlen, unsigned int newlen);
-
-/*
-** Compare two items returning the difference between them.
-*/
-extern SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b);
-
-/*
-** Compare two items -- if they are the same, return true; otherwise false.
-*/
-extern PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b);
-
-/*
-** Copy "from" to "to"
-*/
-extern SECStatus SECITEM_CopyItem(PRArenaPool *arena, SECItem *to,
- const SECItem *from);
-
-/*
-** Allocate an item and copy "from" into it.
-*/
-extern SECItem *SECITEM_DupItem(const SECItem *from);
-
-/*
-** Free "zap". If freeit is PR_TRUE then "zap" itself is freed.
-*/
-extern void SECITEM_FreeItem(SECItem *zap, PRBool freeit);
-
-/*
-** Zero and then free "zap". If freeit is PR_TRUE then "zap" itself is freed.
-*/
-extern void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit);
-
-SEC_END_PROTOS
-
-#endif /* _SECITEM_H_ */
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
deleted file mode 100644
index 567508619..000000000
--- a/security/nss/lib/util/secoid.c
+++ /dev/null
@@ -1,1533 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secoid.h"
-#include "mcom_db.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/* MISSI Mosaic Object ID space */
-#define MISSI 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01
-#define MISSI_OLD_KEA_DSS MISSI, 0x0c
-#define MISSI_OLD_DSS MISSI, 0x02
-#define MISSI_KEA_DSS MISSI, 0x14
-#define MISSI_DSS MISSI, 0x13
-#define MISSI_KEA MISSI, 0x0a
-#define MISSI_ALT_KEA MISSI, 0x16
-
-/**
- ** The Netscape OID space is allocated by Terry Hayes. If you need
- ** a piece of the space, contact him at thayes@netscape.com.
- **/
-
-/* Netscape Communications Corporation Object ID space */
-/* { 2 16 840 1 113730 } */
-#define NETSCAPE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
-/* netscape certificate extensions */
-#define NETSCAPE_CERT_EXT NETSCAPE_OID, 0x01
-
-/* netscape data types */
-#define NETSCAPE_DATA_TYPE NETSCAPE_OID, 0x02
-
-/* netscape directory oid - owned by Tim Howes(howes@netscape.com) */
-#define NETSCAPE_DIRECTORY NETSCAPE_OID, 0x03
-
-/* various policy type OIDs */
-#define NETSCAPE_POLICY NETSCAPE_OID, 0x04
-
-/* netscape cert server oid */
-#define NETSCAPE_CERT_SERVER NETSCAPE_OID, 0x05
-#define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01
-
-/* various algorithm OIDs */
-#define NETSCAPE_ALGS NETSCAPE_OID, 0x06
-
-/* Netscape Other Name Types */
-
-#define NETSCAPE_NAME_COMPONENTS NETSCAPE_OID, 0x07
-
-/* these are old and should go away soon */
-#define OLD_NETSCAPE 0x60, 0x86, 0x48, 0xd8, 0x6a
-#define NS_CERT_EXT OLD_NETSCAPE, 0x01
-#define NS_FILE_TYPE OLD_NETSCAPE, 0x02
-#define NS_IMAGE_TYPE OLD_NETSCAPE, 0x03
-
-/* RSA OID name space */
-#define RSADSI 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
-#define PKCS RSADSI, 0x01
-#define DIGEST RSADSI, 0x02
-#define CIPHER RSADSI, 0x03
-#define PKCS1 PKCS, 0x01
-#define PKCS5 PKCS, 0x05
-#define PKCS7 PKCS, 0x07
-#define PKCS9 PKCS, 0x09
-#define PKCS12 PKCS, 0x0c
-
-/* Fortezza algorithm OID space: { 2 16 840 1 101 2 1 1 } */
-/* ### mwelch -- Is this just for algorithms, or all of Fortezza? */
-#define FORTEZZA_ALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01
-
-/* Other OID name spaces */
-#define ALGORITHM 0x2b, 0x0e, 0x03, 0x02
-#define X500 0x55
-#define X520_ATTRIBUTE_TYPE X500, 0x04
-#define X500_ALG X500, 0x08
-#define X500_ALG_ENCRYPTION X500_ALG, 0x01
-
-/** X.509 v3 Extension OID
- ** {joint-iso-ccitt (2) ds(5) 29}
- **/
-#define ID_CE_OID X500, 0x1d
-
-#define RFC1274_ATTR_TYPE 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
-/* #define RFC2247_ATTR_TYPE 0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */
-
-/* PKCS #12 name spaces */
-#define PKCS12_MODE_IDS PKCS12, 0x01
-#define PKCS12_ESPVK_IDS PKCS12, 0x02
-#define PKCS12_BAG_IDS PKCS12, 0x03
-#define PKCS12_CERT_BAG_IDS PKCS12, 0x04
-#define PKCS12_OIDS PKCS12, 0x05
-#define PKCS12_PBE_IDS PKCS12_OIDS, 0x01
-#define PKCS12_ENVELOPING_IDS PKCS12_OIDS, 0x02
-#define PKCS12_SIGNATURE_IDS PKCS12_OIDS, 0x03
-#define PKCS12_V2_PBE_IDS PKCS12, 0x01
-#define PKCS9_CERT_TYPES PKCS9, 0x16
-#define PKCS9_CRL_TYPES PKCS9, 0x17
-#define PKCS9_SMIME_IDS PKCS9, 0x10
-#define PKCS9_SMIME_ATTRS PKCS9_SMIME_IDS, 2
-#define PKCS9_SMIME_ALGS PKCS9_SMIME_IDS, 3
-#define PKCS12_VERSION1 PKCS12, 0x0a
-#define PKCS12_V1_BAG_IDS PKCS12_VERSION1, 1
-
-/* for DSA algorithm */
-/* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */
-#define ANSI_X9_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x38, 0x4
-
-/* for DH algorithm */
-/* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
-/* need real OID person to look at this, copied the above line
- * and added 6 to second to last value (and changed '4' to '2' */
-#define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
-
-#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
-
-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
-#define PKIX_CERT_EXTENSIONS PKIX, 1
-#define PKIX_POLICY_QUALIFIERS PKIX, 2
-#define PKIX_KEY_USAGE PKIX, 3
-#define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
-#define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1
-
-#define PKIX_ID_PKIP PKIX, 5
-#define PKIX_ID_REGCTRL PKIX_ID_PKIP, 1
-#define PKIX_ID_REGINFO PKIX_ID_PKIP, 2
-
-
-static unsigned char md2[] = { DIGEST, 0x02 };
-static unsigned char md4[] = { DIGEST, 0x04 };
-static unsigned char md5[] = { DIGEST, 0x05 };
-static unsigned char sha1[] = { ALGORITHM, 0x1a };
-static unsigned char rc2cbc[] = { CIPHER, 0x02 };
-static unsigned char rc4[] = { CIPHER, 0x04 };
-static unsigned char desede3cbc[] = { CIPHER, 0x07 };
-static unsigned char rc5cbcpad[] = { CIPHER, 0x09 };
-static unsigned char desecb[] = { ALGORITHM, 0x06 };
-static unsigned char descbc[] = { ALGORITHM, 0x07 };
-static unsigned char desofb[] = { ALGORITHM, 0x08 };
-static unsigned char descfb[] = { ALGORITHM, 0x09 };
-static unsigned char desmac[] = { ALGORITHM, 0x0a };
-static unsigned char desede[] = { ALGORITHM, 0x11 };
-static unsigned char isoSHAWithRSASignature[] = { ALGORITHM, 0xf };
-static unsigned char pkcs1RSAEncryption[] = { PKCS1, 0x01 };
-static unsigned char pkcs1MD2WithRSAEncryption[] = { PKCS1, 0x02 };
-static unsigned char pkcs1MD4WithRSAEncryption[] = { PKCS1, 0x03 };
-static unsigned char pkcs1MD5WithRSAEncryption[] = { PKCS1, 0x04 };
-static unsigned char pkcs1SHA1WithRSAEncryption[] = { PKCS1, 0x05 };
-static unsigned char pkcs5PbeWithMD2AndDEScbc[] = { PKCS5, 0x01 };
-static unsigned char pkcs5PbeWithMD5AndDEScbc[] = { PKCS5, 0x03 };
-static unsigned char pkcs5PbeWithSha1AndDEScbc[] = { PKCS5, 0x0a };
-static unsigned char pkcs7[] = { PKCS7 };
-static unsigned char pkcs7Data[] = { PKCS7, 0x01 };
-static unsigned char pkcs7SignedData[] = { PKCS7, 0x02 };
-static unsigned char pkcs7EnvelopedData[] = { PKCS7, 0x03 };
-static unsigned char pkcs7SignedEnvelopedData[] = { PKCS7, 0x04 };
-static unsigned char pkcs7DigestedData[] = { PKCS7, 0x05 };
-static unsigned char pkcs7EncryptedData[] = { PKCS7, 0x06 };
-static unsigned char pkcs9EmailAddress[] = { PKCS9, 0x01 };
-static unsigned char pkcs9UnstructuredName[] = { PKCS9, 0x02 };
-static unsigned char pkcs9ContentType[] = { PKCS9, 0x03 };
-static unsigned char pkcs9MessageDigest[] = { PKCS9, 0x04 };
-static unsigned char pkcs9SigningTime[] = { PKCS9, 0x05 };
-static unsigned char pkcs9CounterSignature[] = { PKCS9, 0x06 };
-static unsigned char pkcs9ChallengePassword[] = { PKCS9, 0x07 };
-static unsigned char pkcs9UnstructuredAddress[] = { PKCS9, 0x08 };
-static unsigned char pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 };
-static unsigned char pkcs9SMIMECapabilities[] = { PKCS9, 15 };
-static unsigned char x520CommonName[] = { X520_ATTRIBUTE_TYPE, 3 };
-static unsigned char x520CountryName[] = { X520_ATTRIBUTE_TYPE, 6 };
-static unsigned char x520LocalityName[] = { X520_ATTRIBUTE_TYPE, 7 };
-static unsigned char x520StateOrProvinceName[] = { X520_ATTRIBUTE_TYPE, 8 };
-static unsigned char x520OrgName[] = { X520_ATTRIBUTE_TYPE, 10 };
-static unsigned char x520OrgUnitName[] = { X520_ATTRIBUTE_TYPE, 11 };
-static unsigned char x520DnQualifier[] = { X520_ATTRIBUTE_TYPE, 46 };
-
-static unsigned char nsTypeGIF[] = { NETSCAPE_DATA_TYPE, 0x01 };
-static unsigned char nsTypeJPEG[] = { NETSCAPE_DATA_TYPE, 0x02 };
-static unsigned char nsTypeURL[] = { NETSCAPE_DATA_TYPE, 0x03 };
-static unsigned char nsTypeHTML[] = { NETSCAPE_DATA_TYPE, 0x04 };
-static unsigned char nsTypeCertSeq[] = { NETSCAPE_DATA_TYPE, 0x05 };
-static unsigned char missiCertKEADSSOld[] = { MISSI_OLD_KEA_DSS };
-static unsigned char missiCertDSSOld[] = { MISSI_OLD_DSS };
-static unsigned char missiCertKEADSS[] = { MISSI_KEA_DSS };
-static unsigned char missiCertDSS[] = { MISSI_DSS };
-static unsigned char missiCertKEA[] = { MISSI_KEA };
-static unsigned char missiCertAltKEA[] = { MISSI_ALT_KEA };
-static unsigned char x500RSAEncryption[] = { X500_ALG_ENCRYPTION, 0x01 };
-
-/* added for alg 1485 */
-static unsigned char rfc1274Uid[] = { RFC1274_ATTR_TYPE, 1 };
-static unsigned char rfc1274Mail[] = { RFC1274_ATTR_TYPE, 3 };
-static unsigned char rfc2247DomainComponent[] = { RFC1274_ATTR_TYPE, 25 };
-
-/* Netscape private certificate extensions */
-static unsigned char nsCertExtNetscapeOK[] = { NS_CERT_EXT, 1 };
-static unsigned char nsCertExtIssuerLogo[] = { NS_CERT_EXT, 2 };
-static unsigned char nsCertExtSubjectLogo[] = { NS_CERT_EXT, 3 };
-static unsigned char nsExtCertType[] = { NETSCAPE_CERT_EXT, 0x01 };
-static unsigned char nsExtBaseURL[] = { NETSCAPE_CERT_EXT, 0x02 };
-static unsigned char nsExtRevocationURL[] = { NETSCAPE_CERT_EXT, 0x03 };
-static unsigned char nsExtCARevocationURL[] = { NETSCAPE_CERT_EXT, 0x04 };
-static unsigned char nsExtCACRLURL[] = { NETSCAPE_CERT_EXT, 0x05 };
-static unsigned char nsExtCACertURL[] = { NETSCAPE_CERT_EXT, 0x06 };
-static unsigned char nsExtCertRenewalURL[] = { NETSCAPE_CERT_EXT, 0x07 };
-static unsigned char nsExtCAPolicyURL[] = { NETSCAPE_CERT_EXT, 0x08 };
-static unsigned char nsExtHomepageURL[] = { NETSCAPE_CERT_EXT, 0x09 };
-static unsigned char nsExtEntityLogo[] = { NETSCAPE_CERT_EXT, 0x0a };
-static unsigned char nsExtUserPicture[] = { NETSCAPE_CERT_EXT, 0x0b };
-static unsigned char nsExtSSLServerName[] = { NETSCAPE_CERT_EXT, 0x0c };
-static unsigned char nsExtComment[] = { NETSCAPE_CERT_EXT, 0x0d };
-
-/* the following 2 extensions are defined for and used by Cartman(NSM) */
-static unsigned char nsExtLostPasswordURL[] = { NETSCAPE_CERT_EXT, 0x0e };
-static unsigned char nsExtCertRenewalTime[] = { NETSCAPE_CERT_EXT, 0x0f };
-
-#define NETSCAPE_CERT_EXT_AIA NETSCAPE_CERT_EXT, 0x10
-
-static unsigned char nsExtAIACertRenewal[] = { NETSCAPE_CERT_EXT_AIA, 0x01 };
-
-static unsigned char nsExtCertScopeOfUse[] = { NETSCAPE_CERT_EXT, 0x11 };
-
-static unsigned char nsKeyUsageGovtApproved[] = { NETSCAPE_POLICY, 0x01 };
-
-
-/* Standard x.509 v3 Certificate Extensions */
-static unsigned char x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 };
-static unsigned char x509SubjectKeyID[] = { ID_CE_OID, 14 };
-static unsigned char x509KeyUsage[] = { ID_CE_OID, 15 };
-static unsigned char x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 };
-static unsigned char x509SubjectAltName[] = { ID_CE_OID, 17 };
-static unsigned char x509IssuerAltName[] = { ID_CE_OID, 18 };
-static unsigned char x509BasicConstraints[] = { ID_CE_OID, 19 };
-static unsigned char x509NameConstraints[] = { ID_CE_OID, 30 };
-static unsigned char x509CRLDistPoints[] = { ID_CE_OID, 31 };
-static unsigned char x509CertificatePolicies[] = { ID_CE_OID, 32 };
-static unsigned char x509PolicyMappings[] = { ID_CE_OID, 33 };
-static unsigned char x509PolicyConstraints[] = { ID_CE_OID, 34 };
-static unsigned char x509AuthKeyID[] = { ID_CE_OID, 35};
-static unsigned char x509ExtKeyUsage[] = { ID_CE_OID, 37};
-static unsigned char x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
-
-/* Standard x.509 v3 CRL Extensions */
-static unsigned char x509CrlNumber[] = { ID_CE_OID, 20};
-static unsigned char x509ReasonCode[] = { ID_CE_OID, 21};
-static unsigned char x509InvalidDate[] = { ID_CE_OID, 24};
-
-/* pkcs 12 additions */
-static unsigned char pkcs12[] = { PKCS12 };
-static unsigned char pkcs12ModeIDs[] = { PKCS12_MODE_IDS };
-static unsigned char pkcs12ESPVKIDs[] = { PKCS12_ESPVK_IDS };
-static unsigned char pkcs12BagIDs[] = { PKCS12_BAG_IDS };
-static unsigned char pkcs12CertBagIDs[] = { PKCS12_CERT_BAG_IDS };
-static unsigned char pkcs12OIDs[] = { PKCS12_OIDS };
-static unsigned char pkcs12PBEIDs[] = { PKCS12_PBE_IDS };
-static unsigned char pkcs12EnvelopingIDs[] = { PKCS12_ENVELOPING_IDS };
-static unsigned char pkcs12SignatureIDs[] = { PKCS12_SIGNATURE_IDS };
-static unsigned char pkcs12PKCS8KeyShrouding[] = { PKCS12_ESPVK_IDS, 0x01 };
-static unsigned char pkcs12KeyBagID[] = { PKCS12_BAG_IDS, 0x01 };
-static unsigned char pkcs12CertAndCRLBagID[] = { PKCS12_BAG_IDS, 0x02 };
-static unsigned char pkcs12SecretBagID[] = { PKCS12_BAG_IDS, 0x03 };
-static unsigned char pkcs12X509CertCRLBag[] = { PKCS12_CERT_BAG_IDS, 0x01 };
-static unsigned char pkcs12SDSICertBag[] = { PKCS12_CERT_BAG_IDS, 0x02 };
-static unsigned char pkcs12PBEWithSha1And128BitRC4[] = { PKCS12_PBE_IDS, 0x01 };
-static unsigned char pkcs12PBEWithSha1And40BitRC4[] = { PKCS12_PBE_IDS, 0x02 };
-static unsigned char pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 };
-static unsigned char pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 };
-static unsigned char pkcs12PBEWithSha1And40BitRC2CBC[] = { PKCS12_PBE_IDS, 0x05 };
-static unsigned char pkcs12RSAEncryptionWith128BitRC4[] =
- { PKCS12_ENVELOPING_IDS, 0x01 };
-static unsigned char pkcs12RSAEncryptionWith40BitRC4[] =
- { PKCS12_ENVELOPING_IDS, 0x02 };
-static unsigned char pkcs12RSAEncryptionWithTripleDES[] =
- { PKCS12_ENVELOPING_IDS, 0x03 };
-static unsigned char pkcs12RSASignatureWithSHA1Digest[] =
- { PKCS12_SIGNATURE_IDS, 0x01 };
-static unsigned char ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 };
-static unsigned char ansix9DSASignaturewithSHA1Digest[] =
- { ANSI_X9_ALGORITHM, 0x03 };
-static unsigned char bogusDSASignaturewithSHA1Digest[] =
- { ALGORITHM, 0x1b };
-
-/* verisign OIDs */
-static unsigned char verisignUserNotices[] = { VERISIGN, 1, 7, 1, 1 };
-
-/* pkix OIDs */
-static unsigned char pkixCPSPointerQualifier[] = { PKIX_POLICY_QUALIFIERS, 1 };
-static unsigned char pkixUserNoticeQualifier[] = { PKIX_POLICY_QUALIFIERS, 2 };
-
-static unsigned char pkixOCSP[] = { PKIX_OCSP };
-static unsigned char pkixOCSPBasicResponse[] = { PKIX_OCSP, 1 };
-static unsigned char pkixOCSPNonce[] = { PKIX_OCSP, 2 };
-static unsigned char pkixOCSPCRL[] = { PKIX_OCSP, 3 };
-static unsigned char pkixOCSPResponse[] = { PKIX_OCSP, 4 };
-static unsigned char pkixOCSPNoCheck[] = { PKIX_OCSP, 5 };
-static unsigned char pkixOCSPArchiveCutoff[] = { PKIX_OCSP, 6 };
-static unsigned char pkixOCSPServiceLocator[] = { PKIX_OCSP, 7 };
-
-static unsigned char pkixRegCtrlRegToken[] = { PKIX_ID_REGCTRL, 1};
-static unsigned char pkixRegCtrlAuthenticator[] = { PKIX_ID_REGCTRL, 2};
-static unsigned char pkixRegCtrlPKIPubInfo[] = { PKIX_ID_REGCTRL, 3};
-static unsigned char pkixRegCtrlPKIArchOptions[] = { PKIX_ID_REGCTRL, 4};
-static unsigned char pkixRegCtrlOldCertID[] = { PKIX_ID_REGCTRL, 5};
-static unsigned char pkixRegCtrlProtEncKey[] = { PKIX_ID_REGCTRL, 6};
-static unsigned char pkixRegInfoUTF8Pairs[] = { PKIX_ID_REGINFO, 1};
-static unsigned char pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2};
-
-static unsigned char pkixExtendedKeyUsageServerAuth[] =
- { PKIX_KEY_USAGE, 1 };
-static unsigned char pkixExtendedKeyUsageClientAuth[] =
- { PKIX_KEY_USAGE, 2 };
-static unsigned char pkixExtendedKeyUsageCodeSign[] =
- { PKIX_KEY_USAGE, 3 };
-static unsigned char pkixExtendedKeyUsageEMailProtect[] =
- { PKIX_KEY_USAGE, 4 };
-static unsigned char pkixExtendedKeyUsageTimeStamp[] =
- { PKIX_KEY_USAGE, 8 };
-static unsigned char pkixOCSPResponderExtendedKeyUsage[] =
- { PKIX_KEY_USAGE, 9 };
-
-/* OIDs for Netscape defined algorithms */
-static unsigned char netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
-
-/* pkcs 12 version 1.0 ids */
-static unsigned char pkcs12V2PBEWithSha1And128BitRC4[] = { PKCS12_V2_PBE_IDS, 0x01 };
-static unsigned char pkcs12V2PBEWithSha1And40BitRC4[] = { PKCS12_V2_PBE_IDS, 0x02 };
-static unsigned char pkcs12V2PBEWithSha1And3KeyTripleDEScbc[] = { PKCS12_V2_PBE_IDS, 0x03 };
-static unsigned char pkcs12V2PBEWithSha1And2KeyTripleDEScbc[] = { PKCS12_V2_PBE_IDS, 0x04 };
-static unsigned char pkcs12V2PBEWithSha1And128BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x05 };
-static unsigned char pkcs12V2PBEWithSha1And40BitRC2cbc[] = { PKCS12_V2_PBE_IDS, 0x06 };
-
-static unsigned char pkcs12SafeContentsID[] = {PKCS12_BAG_IDS, 0x04 };
-static unsigned char pkcs12PKCS8ShroudedKeyBagID[] = { PKCS12_BAG_IDS, 0x05 };
-
-static unsigned char pkcs12V1KeyBag[] = { PKCS12_V1_BAG_IDS, 0x01 };
-static unsigned char pkcs12V1PKCS8ShroudedKeyBag[] = { PKCS12_V1_BAG_IDS, 0x02 };
-static unsigned char pkcs12V1CertBag[] = { PKCS12_V1_BAG_IDS, 0x03 };
-static unsigned char pkcs12V1CRLBag[] = { PKCS12_V1_BAG_IDS, 0x04 };
-static unsigned char pkcs12V1SecretBag[] = { PKCS12_V1_BAG_IDS, 0x05 };
-static unsigned char pkcs12V1SafeContentsBag[] = { PKCS12_V1_BAG_IDS, 0x06 };
-
-static unsigned char pkcs9X509Certificate[] = { PKCS9_CERT_TYPES, 1 };
-static unsigned char pkcs9SDSICertificate[] = { PKCS9_CERT_TYPES, 2 };
-static unsigned char pkcs9X509CRL[] = { PKCS9_CRL_TYPES, 1 };
-static unsigned char pkcs9FriendlyName[] = { PKCS9, 20 };
-static unsigned char pkcs9LocalKeyID[] = { PKCS9, 21 };
-static unsigned char pkcs12KeyUsageAttr[] = { 2, 5, 29, 15 };
-
-/* Fortezza algorithm OIDs */
-static unsigned char skipjackCBC[] = { FORTEZZA_ALG, 0x04 };
-static unsigned char dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 };
-
-/* Netscape other name types */
-static unsigned char netscapeNickname[] = { NETSCAPE_NAME_COMPONENTS, 0x01};
-
-/* OIDs needed for cert server */
-static unsigned char netscapeRecoveryRequest[] =
- { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
-
-/* RFC2630 (CMS) OIDs */
-static unsigned char cmsESDH[] = { PKCS9_SMIME_ALGS, 5 };
-static unsigned char cms3DESwrap[] = { PKCS9_SMIME_ALGS, 6 };
-static unsigned char cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 };
-
-/* RFC2633 SMIME message attributes */
-static unsigned char smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 };
-
-/*
- * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
- */
-static SECOidData oids[] = {
- { { siDEROID, NULL, 0 },
- SEC_OID_UNKNOWN,
- "Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, md2, sizeof(md2) },
- SEC_OID_MD2,
- "MD2", CKM_MD2, INVALID_CERT_EXTENSION },
- { { siDEROID, md4, sizeof(md4) },
- SEC_OID_MD4,
- "MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, md5, sizeof(md5) },
- SEC_OID_MD5,
- "MD5", CKM_MD5, INVALID_CERT_EXTENSION },
- { { siDEROID, sha1, sizeof(sha1) },
- SEC_OID_SHA1,
- "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION },
- { { siDEROID, rc2cbc, sizeof(rc2cbc) },
- SEC_OID_RC2_CBC,
- "RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, rc4, sizeof(rc4) },
- SEC_OID_RC4,
- "RC4", CKM_RC4, INVALID_CERT_EXTENSION },
- { { siDEROID, desede3cbc, sizeof(desede3cbc) },
- SEC_OID_DES_EDE3_CBC,
- "DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, rc5cbcpad, sizeof(rc5cbcpad) },
- SEC_OID_RC5_CBC_PAD,
- "RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, desecb, sizeof(desecb) },
- SEC_OID_DES_ECB,
- "DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION },
- { { siDEROID, descbc, sizeof(descbc) },
- SEC_OID_DES_CBC,
- "DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, desofb, sizeof(desofb) },
- SEC_OID_DES_OFB,
- "DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, descfb, sizeof(descfb) },
- SEC_OID_DES_CFB,
- "DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, desmac, sizeof(desmac) },
- SEC_OID_DES_MAC,
- "DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION },
- { { siDEROID, desede, sizeof(desede) },
- SEC_OID_DES_EDE,
- "DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, isoSHAWithRSASignature, sizeof(isoSHAWithRSASignature) },
- SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE,
- "ISO SHA with RSA Signature", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs1RSAEncryption, sizeof(pkcs1RSAEncryption) },
- SEC_OID_PKCS1_RSA_ENCRYPTION,
- "PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION },
-
- /* the following Signing mechanisms should get new CKM_ values when
- * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in
- * PKCS #11.
- */
- { { siDEROID, pkcs1MD2WithRSAEncryption, sizeof(pkcs1MD2WithRSAEncryption) },
- SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION,
- "PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs1MD4WithRSAEncryption, sizeof(pkcs1MD4WithRSAEncryption) },
- SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION,
- "PKCS #1 MD4 With RSA Encryption", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs1MD5WithRSAEncryption, sizeof(pkcs1MD5WithRSAEncryption) },
- SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
- "PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs1SHA1WithRSAEncryption, sizeof(pkcs1SHA1WithRSAEncryption) },
- SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
- "PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, pkcs5PbeWithMD2AndDEScbc, sizeof(pkcs5PbeWithMD2AndDEScbc) },
- SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
- "PKCS #5 Password Based Encryption with MD2 and DES CBC",
- CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs5PbeWithMD5AndDEScbc, sizeof(pkcs5PbeWithMD5AndDEScbc) },
- SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
- "PKCS #5 Password Based Encryption with MD5 and DES CBC",
- CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs5PbeWithSha1AndDEScbc,
- sizeof(pkcs5PbeWithSha1AndDEScbc) },
- SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
- "PKCS #5 Password Based Encryption with SHA1 and DES CBC",
- CKM_NETSCAPE_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7, sizeof(pkcs7) },
- SEC_OID_PKCS7,
- "PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7Data, sizeof(pkcs7Data) },
- SEC_OID_PKCS7_DATA,
- "PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7SignedData, sizeof(pkcs7SignedData) },
- SEC_OID_PKCS7_SIGNED_DATA,
- "PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7EnvelopedData, sizeof(pkcs7EnvelopedData) },
- SEC_OID_PKCS7_ENVELOPED_DATA,
- "PKCS #7 Enveloped Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7SignedEnvelopedData, sizeof(pkcs7SignedEnvelopedData) },
- SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
- "PKCS #7 Signed And Enveloped Data", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7DigestedData, sizeof(pkcs7DigestedData) },
- SEC_OID_PKCS7_DIGESTED_DATA,
- "PKCS #7 Digested Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs7EncryptedData, sizeof(pkcs7EncryptedData) },
- SEC_OID_PKCS7_ENCRYPTED_DATA,
- "PKCS #7 Encrypted Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9EmailAddress, sizeof(pkcs9EmailAddress) },
- SEC_OID_PKCS9_EMAIL_ADDRESS,
- "PKCS #9 Email Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9UnstructuredName, sizeof(pkcs9UnstructuredName) },
- SEC_OID_PKCS9_UNSTRUCTURED_NAME,
- "PKCS #9 Unstructured Name", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9ContentType, sizeof(pkcs9ContentType) },
- SEC_OID_PKCS9_CONTENT_TYPE,
- "PKCS #9 Content Type", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9MessageDigest, sizeof(pkcs9MessageDigest) },
- SEC_OID_PKCS9_MESSAGE_DIGEST,
- "PKCS #9 Message Digest", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9SigningTime, sizeof(pkcs9SigningTime) },
- SEC_OID_PKCS9_SIGNING_TIME,
- "PKCS #9 Signing Time", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9CounterSignature, sizeof(pkcs9CounterSignature) },
- SEC_OID_PKCS9_COUNTER_SIGNATURE,
- "PKCS #9 Counter Signature", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9ChallengePassword, sizeof(pkcs9ChallengePassword) },
- SEC_OID_PKCS9_CHALLENGE_PASSWORD,
- "PKCS #9 Challenge Password", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9UnstructuredAddress, sizeof(pkcs9UnstructuredAddress) },
- SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
- "PKCS #9 Unstructured Address", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9ExtendedCertificateAttributes,
- sizeof(pkcs9ExtendedCertificateAttributes) },
- SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
- "PKCS #9 Extended Certificate Attributes", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9SMIMECapabilities,
- sizeof(pkcs9SMIMECapabilities) },
- SEC_OID_PKCS9_SMIME_CAPABILITIES,
- "PKCS #9 S/MIME Capabilities", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, x520CommonName,
- sizeof(x520CommonName) },
- SEC_OID_AVA_COMMON_NAME,
- "X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, x520CountryName,
- sizeof(x520CountryName) },
- SEC_OID_AVA_COUNTRY_NAME,
- "X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, x520LocalityName,
- sizeof(x520LocalityName) },
- SEC_OID_AVA_LOCALITY,
- "X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, x520StateOrProvinceName,
- sizeof(x520StateOrProvinceName) },
- SEC_OID_AVA_STATE_OR_PROVINCE,
- "X520 State Or Province Name", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, x520OrgName,
- sizeof(x520OrgName) },
- SEC_OID_AVA_ORGANIZATION_NAME,
- "X520 Organization Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, x520OrgUnitName,
- sizeof(x520OrgUnitName) },
- SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
- "X520 Organizational Unit Name", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, x520DnQualifier,
- sizeof(x520DnQualifier) },
- SEC_OID_AVA_DN_QUALIFIER,
- "X520 DN Qualifier", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, rfc2247DomainComponent,
- sizeof(rfc2247DomainComponent), },
- SEC_OID_AVA_DC,
- "RFC 2247 Domain Component", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, nsTypeGIF,
- sizeof(nsTypeGIF) },
- SEC_OID_NS_TYPE_GIF,
- "GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, nsTypeJPEG,
- sizeof(nsTypeJPEG) },
- SEC_OID_NS_TYPE_JPEG,
- "JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, nsTypeURL,
- sizeof(nsTypeURL) },
- SEC_OID_NS_TYPE_URL,
- "URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, nsTypeHTML,
- sizeof(nsTypeHTML) },
- SEC_OID_NS_TYPE_HTML,
- "HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, nsTypeCertSeq,
- sizeof(nsTypeCertSeq) },
- SEC_OID_NS_TYPE_CERT_SEQUENCE,
- "Certificate Sequence", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, missiCertKEADSSOld, sizeof(missiCertKEADSSOld) },
- SEC_OID_MISSI_KEA_DSS_OLD, "MISSI KEA and DSS Algorithm (Old)",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, missiCertDSSOld, sizeof(missiCertDSSOld) },
- SEC_OID_MISSI_DSS_OLD, "MISSI DSS Algorithm (Old)",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, missiCertKEADSS, sizeof(missiCertKEADSS) },
- SEC_OID_MISSI_KEA_DSS, "MISSI KEA and DSS Algorithm",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, missiCertDSS, sizeof(missiCertDSS) },
- SEC_OID_MISSI_DSS, "MISSI DSS Algorithm",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, missiCertKEA, sizeof(missiCertKEA) },
- SEC_OID_MISSI_KEA, "MISSI KEA Algorithm",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, missiCertAltKEA, sizeof(missiCertAltKEA) },
- SEC_OID_MISSI_ALT_KEA, "MISSI Alternate KEA Algorithm",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
-
- /* Netscape private extensions */
- { { siDEROID, nsCertExtNetscapeOK,
- sizeof(nsCertExtNetscapeOK) },
- SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
- "Netscape says this cert is OK",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsCertExtIssuerLogo,
- sizeof(nsCertExtIssuerLogo) },
- SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
- "Certificate Issuer Logo",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsCertExtSubjectLogo,
- sizeof(nsCertExtSubjectLogo) },
- SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
- "Certificate Subject Logo",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCertType,
- sizeof(nsExtCertType) },
- SEC_OID_NS_CERT_EXT_CERT_TYPE,
- "Certificate Type",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtBaseURL,
- sizeof(nsExtBaseURL) },
- SEC_OID_NS_CERT_EXT_BASE_URL,
- "Certificate Extension Base URL",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtRevocationURL,
- sizeof(nsExtRevocationURL) },
- SEC_OID_NS_CERT_EXT_REVOCATION_URL,
- "Certificate Revocation URL",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCARevocationURL,
- sizeof(nsExtCARevocationURL) },
- SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
- "Certificate Authority Revocation URL",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCACRLURL,
- sizeof(nsExtCACRLURL) },
- SEC_OID_NS_CERT_EXT_CA_CRL_URL,
- "Certificate Authority CRL Download URL",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCACertURL,
- sizeof(nsExtCACertURL) },
- SEC_OID_NS_CERT_EXT_CA_CERT_URL,
- "Certificate Authority Certificate Download URL",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCertRenewalURL,
- sizeof(nsExtCertRenewalURL) },
- SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
- "Certificate Renewal URL", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCAPolicyURL,
- sizeof(nsExtCAPolicyURL) },
- SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
- "Certificate Authority Policy URL",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtHomepageURL,
- sizeof(nsExtHomepageURL) },
- SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
- "Certificate Homepage URL", CKM_INVALID_MECHANISM,
- UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtEntityLogo,
- sizeof(nsExtEntityLogo) },
- SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
- "Certificate Entity Logo", CKM_INVALID_MECHANISM,
- UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtUserPicture,
- sizeof(nsExtUserPicture) },
- SEC_OID_NS_CERT_EXT_USER_PICTURE,
- "Certificate User Picture", CKM_INVALID_MECHANISM,
- UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtSSLServerName,
- sizeof(nsExtSSLServerName) },
- SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
- "Certificate SSL Server Name", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtComment,
- sizeof(nsExtComment) },
- SEC_OID_NS_CERT_EXT_COMMENT,
- "Certificate Comment", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtLostPasswordURL,
- sizeof(nsExtLostPasswordURL) },
- SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
- "Lost Password URL", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsExtCertRenewalTime,
- sizeof(nsExtCertRenewalTime) },
- SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME,
- "Certificate Renewal Time", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, nsKeyUsageGovtApproved,
- sizeof(nsKeyUsageGovtApproved) },
- SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
- "Strong Crypto Export Approved",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
-
-
- /* x.509 v3 certificate extensions */
- { { siDEROID, x509SubjectDirectoryAttr, sizeof(x509SubjectDirectoryAttr) },
- SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
- "Certificate Subject Directory Attributes",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION},
- { { siDEROID, x509SubjectKeyID, sizeof(x509SubjectKeyID) },
- SEC_OID_X509_SUBJECT_KEY_ID, "Certificate Subject Key ID",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509KeyUsage, sizeof(x509KeyUsage) },
- SEC_OID_X509_KEY_USAGE, "Certificate Key Usage",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509PrivateKeyUsagePeriod,
- sizeof(x509PrivateKeyUsagePeriod) },
- SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
- "Certificate Private Key Usage Period",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509SubjectAltName, sizeof(x509SubjectAltName) },
- SEC_OID_X509_SUBJECT_ALT_NAME, "Certificate Subject Alt Name",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509IssuerAltName, sizeof(x509IssuerAltName) },
- SEC_OID_X509_ISSUER_ALT_NAME, "Certificate Issuer Alt Name",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509BasicConstraints, sizeof(x509BasicConstraints) },
- SEC_OID_X509_BASIC_CONSTRAINTS, "Certificate Basic Constraints",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509NameConstraints, sizeof(x509NameConstraints) },
- SEC_OID_X509_NAME_CONSTRAINTS, "Certificate Name Constraints",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509CRLDistPoints, sizeof(x509CRLDistPoints) },
- SEC_OID_X509_CRL_DIST_POINTS, "CRL Distribution Points",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509CertificatePolicies, sizeof(x509CertificatePolicies) },
- SEC_OID_X509_CERTIFICATE_POLICIES,
- "Certificate Policies",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509PolicyMappings, sizeof(x509PolicyMappings) },
- SEC_OID_X509_POLICY_MAPPINGS, "Certificate Policy Mappings",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509PolicyConstraints, sizeof(x509PolicyConstraints) },
- SEC_OID_X509_POLICY_CONSTRAINTS, "Certificate Policy Constraints",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509AuthKeyID, sizeof(x509AuthKeyID) },
- SEC_OID_X509_AUTH_KEY_ID, "Certificate Authority Key Identifier",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509ExtKeyUsage, sizeof(x509ExtKeyUsage) },
- SEC_OID_X509_EXT_KEY_USAGE, "Extended Key Usage",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509AuthInfoAccess, sizeof(x509AuthInfoAccess) },
- SEC_OID_X509_AUTH_INFO_ACCESS, "Authority Information Access",
- CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION },
-
- /* x.509 v3 CRL extensions */
- { { siDEROID, x509CrlNumber, sizeof(x509CrlNumber) },
- SEC_OID_X509_CRL_NUMBER, "CRL Number", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509ReasonCode, sizeof(x509ReasonCode) },
- SEC_OID_X509_REASON_CODE, "CRL reason code", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
- { { siDEROID, x509InvalidDate, sizeof(x509InvalidDate) },
- SEC_OID_X509_INVALID_DATE, "Invalid Date", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
-
- { { siDEROID, x500RSAEncryption, sizeof(x500RSAEncryption) },
- SEC_OID_X500_RSA_ENCRYPTION,
- "X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION },
-
- /* added for alg 1485 */
- { { siDEROID, rfc1274Uid,
- sizeof(rfc1274Uid) },
- SEC_OID_RFC1274_UID,
- "RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, rfc1274Mail,
- sizeof(rfc1274Uid) },
- SEC_OID_RFC1274_MAIL,
- "RFC1274 E-mail Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
-
- /* pkcs 12 additions */
- { { siDEROID, pkcs12, sizeof(pkcs12) },
- SEC_OID_PKCS12,
- "PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12ModeIDs, sizeof(pkcs12ModeIDs) },
- SEC_OID_PKCS12_MODE_IDS,
- "PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12ESPVKIDs, sizeof(pkcs12ESPVKIDs) },
- SEC_OID_PKCS12_ESPVK_IDS,
- "PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12BagIDs, sizeof(pkcs12BagIDs) },
- SEC_OID_PKCS12_BAG_IDS,
- "PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12CertBagIDs, sizeof(pkcs12CertBagIDs) },
- SEC_OID_PKCS12_CERT_BAG_IDS,
- "PKCS #12 Cert Bag IDs", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12OIDs, sizeof(pkcs12OIDs) },
- SEC_OID_PKCS12_OIDS,
- "PKCS #12 OIDs", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PBEIDs, sizeof(pkcs12PBEIDs) },
- SEC_OID_PKCS12_PBE_IDS,
- "PKCS #12 PBE IDs", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12SignatureIDs, sizeof(pkcs12SignatureIDs) },
- SEC_OID_PKCS12_SIGNATURE_IDS,
- "PKCS #12 Signature IDs", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12EnvelopingIDs, sizeof(pkcs12EnvelopingIDs) },
- SEC_OID_PKCS12_ENVELOPING_IDS,
- "PKCS #12 Enveloping IDs", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PKCS8KeyShrouding,
- sizeof(pkcs12PKCS8KeyShrouding) },
- SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
- "PKCS #12 Key Shrouding", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12KeyBagID,
- sizeof(pkcs12KeyBagID) },
- SEC_OID_PKCS12_KEY_BAG_ID,
- "PKCS #12 Key Bag ID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12CertAndCRLBagID,
- sizeof(pkcs12CertAndCRLBagID) },
- SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
- "PKCS #12 Cert And CRL Bag ID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12SecretBagID,
- sizeof(pkcs12SecretBagID) },
- SEC_OID_PKCS12_SECRET_BAG_ID,
- "PKCS #12 Secret Bag ID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12X509CertCRLBag,
- sizeof(pkcs12X509CertCRLBag) },
- SEC_OID_PKCS12_X509_CERT_CRL_BAG,
- "PKCS #12 X509 Cert CRL Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12SDSICertBag,
- sizeof(pkcs12SDSICertBag) },
- SEC_OID_PKCS12_SDSI_CERT_BAG,
- "PKCS #12 SDSI Cert Bag", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PBEWithSha1And128BitRC4,
- sizeof(pkcs12PBEWithSha1And128BitRC4) },
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
- "PKCS #12 PBE With Sha1 and 128 Bit RC4",
- CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PBEWithSha1And40BitRC4,
- sizeof(pkcs12PBEWithSha1And40BitRC4) },
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
- "PKCS #12 PBE With Sha1 and 40 Bit RC4",
- CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PBEWithSha1AndTripleDESCBC,
- sizeof(pkcs12PBEWithSha1AndTripleDESCBC) },
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
- "PKCS #12 PBE With Sha1 and Triple DES CBC",
- CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PBEWithSha1And128BitRC2CBC,
- sizeof(pkcs12PBEWithSha1And128BitRC2CBC) },
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
- "PKCS #12 PBE With Sha1 and 128 Bit RC2 CBC",
- CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PBEWithSha1And40BitRC2CBC,
- sizeof(pkcs12PBEWithSha1And40BitRC2CBC) },
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
- "PKCS #12 PBE With Sha1 and 40 Bit RC2 CBC",
- CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12RSAEncryptionWith128BitRC4,
- sizeof(pkcs12RSAEncryptionWith128BitRC4) },
- SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
- "PKCS #12 RSA Encryption with 128 Bit RC4",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12RSAEncryptionWith40BitRC4,
- sizeof(pkcs12RSAEncryptionWith40BitRC4) },
- SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
- "PKCS #12 RSA Encryption with 40 Bit RC4",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12RSAEncryptionWithTripleDES,
- sizeof(pkcs12RSAEncryptionWithTripleDES) },
- SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
- "PKCS #12 RSA Encryption with Triple DES",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12RSASignatureWithSHA1Digest,
- sizeof(pkcs12RSASignatureWithSHA1Digest) },
- SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
- "PKCS #12 RSA Encryption with Triple DES",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
-
- /* DSA signatures */
- { { siDEROID, ansix9DSASignature, sizeof(ansix9DSASignature) },
- SEC_OID_ANSIX9_DSA_SIGNATURE,
- "ANSI X9.57 DSA Signature", CKM_DSA,
- INVALID_CERT_EXTENSION },
- { { siDEROID, ansix9DSASignaturewithSHA1Digest,
- sizeof(ansix9DSASignaturewithSHA1Digest) },
- SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
- "ANSI X9.57 DSA Signature with SHA1 Digest", CKM_DSA_SHA1,
- INVALID_CERT_EXTENSION },
- { { siDEROID, bogusDSASignaturewithSHA1Digest,
- sizeof(bogusDSASignaturewithSHA1Digest) },
- SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
- "FORTEZZA DSA Signature with SHA1 Digest", CKM_DSA_SHA1,
- INVALID_CERT_EXTENSION },
-
- /* verisign oids */
- { { siDEROID, verisignUserNotices,
- sizeof(verisignUserNotices) },
- SEC_OID_VERISIGN_USER_NOTICES,
- "Verisign User Notices", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- /* pkix oids */
- { { siDEROID, pkixCPSPointerQualifier,
- sizeof(pkixCPSPointerQualifier) },
- SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
- "PKIX CPS Pointer Qualifier", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixUserNoticeQualifier,
- sizeof(pkixUserNoticeQualifier) },
- SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
- "PKIX User Notice Qualifier", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, pkixOCSP, sizeof(pkixOCSP), },
- SEC_OID_PKIX_OCSP,
- "PKIX Online Certificate Status Protocol", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixOCSPBasicResponse, sizeof(pkixOCSPBasicResponse), },
- SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
- "OCSP Basic Response", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixOCSPNonce, sizeof(pkixOCSPNonce), },
- SEC_OID_PKIX_OCSP_NONCE,
- "OCSP Nonce Extension", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixOCSPCRL, sizeof(pkixOCSPCRL), },
- SEC_OID_PKIX_OCSP_CRL,
- "OCSP CRL Reference Extension", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixOCSPResponse, sizeof(pkixOCSPResponse), },
- SEC_OID_PKIX_OCSP_RESPONSE,
- "OCSP Response Types Extension", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixOCSPNoCheck, sizeof(pkixOCSPNoCheck) },
- SEC_OID_PKIX_OCSP_NO_CHECK,
- "OCSP No Check Extension", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
- { { siDEROID, pkixOCSPArchiveCutoff, sizeof(pkixOCSPArchiveCutoff) },
- SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
- "OCSP Archive Cutoff Extension", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkixOCSPServiceLocator, sizeof(pkixOCSPServiceLocator) },
- SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
- "OCSP Service Locator Extension", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, pkixRegCtrlRegToken,
- sizeof (pkixRegCtrlRegToken) },
- SEC_OID_PKIX_REGCTRL_REGTOKEN,
- "PKIX CRMF Registration Control, Registration Token",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkixRegCtrlAuthenticator,
- sizeof (pkixRegCtrlAuthenticator) },
- SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
- "PKIX CRMF Registration Control, Registration Authenticator",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
- { { siDEROID, pkixRegCtrlPKIPubInfo,
- sizeof (pkixRegCtrlPKIPubInfo) },
- SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
- "PKIX CRMF Registration Control, PKI Publication Info",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixRegCtrlPKIArchOptions,
- sizeof (pkixRegCtrlPKIArchOptions) },
- SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
- "PKIX CRMF Registration Control, PKI Archive Options",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixRegCtrlOldCertID,
- sizeof (pkixRegCtrlOldCertID) },
- SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
- "PKIX CRMF Registration Control, Old Certificate ID",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixRegCtrlProtEncKey,
- sizeof (pkixRegCtrlProtEncKey) },
- SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
- "PKIX CRMF Registration Control, Protocol Encryption Key",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixRegInfoUTF8Pairs,
- sizeof (pkixRegInfoUTF8Pairs) },
- SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
- "PKIX CRMF Registration Info, UTF8 Pairs",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixRegInfoCertReq,
- sizeof (pkixRegInfoCertReq) },
- SEC_OID_PKIX_REGINFO_CERT_REQUEST,
- "PKIX CRMF Registration Info, Certificate Request",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixExtendedKeyUsageServerAuth,
- sizeof (pkixExtendedKeyUsageServerAuth) },
- SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
- "TLS Web Server Authentication Certificate",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixExtendedKeyUsageClientAuth,
- sizeof (pkixExtendedKeyUsageClientAuth) },
- SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
- "TLS Web Client Authentication Certificate",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixExtendedKeyUsageCodeSign,
- sizeof (pkixExtendedKeyUsageCodeSign) },
- SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
- "Code Signing Certificate",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixExtendedKeyUsageEMailProtect,
- sizeof (pkixExtendedKeyUsageEMailProtect) },
- SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
- "E-Mail Protection Certificate",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixExtendedKeyUsageTimeStamp,
- sizeof (pkixExtendedKeyUsageTimeStamp) },
- SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
- "Time Stamping Certifcate",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
- { { siDEROID, pkixOCSPResponderExtendedKeyUsage,
- sizeof (pkixOCSPResponderExtendedKeyUsage) },
- SEC_OID_OCSP_RESPONDER,
- "OCSP Responder Certificate",
- CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION},
-
- /* Netscape Algorithm OIDs */
-
- { { siDEROID, netscapeSMimeKEA,
- sizeof(netscapeSMimeKEA) },
- SEC_OID_NETSCAPE_SMIME_KEA,
- "Netscape S/MIME KEA", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- /* Skipjack OID -- ### mwelch temporary */
- { { siDEROID, skipjackCBC,
- sizeof(skipjackCBC) },
- SEC_OID_FORTEZZA_SKIPJACK,
- "Skipjack CBC64", CKM_SKIPJACK_CBC64,
- INVALID_CERT_EXTENSION },
-
- /* pkcs12 v2 oids */
- { { siDEROID, pkcs12V2PBEWithSha1And128BitRC4,
- sizeof(pkcs12V2PBEWithSha1And128BitRC4) },
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
- "PKCS12 V2 PBE With SHA1 And 128 Bit RC4",
- CKM_PBE_SHA1_RC4_128,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V2PBEWithSha1And40BitRC4,
- sizeof(pkcs12V2PBEWithSha1And40BitRC4) },
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
- "PKCS12 V2 PBE With SHA1 And 40 Bit RC4",
- CKM_PBE_SHA1_RC4_40,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
- sizeof(pkcs12V2PBEWithSha1And3KeyTripleDEScbc) },
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
- "PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc",
- CKM_PBE_SHA1_DES3_EDE_CBC,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
- sizeof(pkcs12V2PBEWithSha1And2KeyTripleDEScbc) },
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
- "PKCS12 V2 PBE With SHA1 And 2KEY Triple DES-cbc",
- CKM_PBE_SHA1_DES2_EDE_CBC,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V2PBEWithSha1And128BitRC2cbc,
- sizeof(pkcs12V2PBEWithSha1And128BitRC2cbc) },
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
- "PKCS12 V2 PBE With SHA1 And 128 Bit RC2 CBC",
- CKM_PBE_SHA1_RC2_128_CBC,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V2PBEWithSha1And40BitRC2cbc,
- sizeof(pkcs12V2PBEWithSha1And40BitRC2cbc) },
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
- "PKCS12 V2 PBE With SHA1 And 40 Bit RC2 CBC",
- CKM_PBE_SHA1_RC2_40_CBC,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12SafeContentsID,
- sizeof(pkcs12SafeContentsID) },
- SEC_OID_PKCS12_SAFE_CONTENTS_ID,
- "PKCS #12 Safe Contents ID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12PKCS8ShroudedKeyBagID,
- sizeof(pkcs12PKCS8ShroudedKeyBagID) },
- SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
- "PKCS #12 Safe Contents ID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V1KeyBag,
- sizeof(pkcs12V1KeyBag) },
- SEC_OID_PKCS12_V1_KEY_BAG_ID,
- "PKCS #12 V1 Key Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V1PKCS8ShroudedKeyBag,
- sizeof(pkcs12V1PKCS8ShroudedKeyBag) },
- SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
- "PKCS #12 V1 PKCS8 Shrouded Key Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V1CertBag,
- sizeof(pkcs12V1CertBag) },
- SEC_OID_PKCS12_V1_CERT_BAG_ID,
- "PKCS #12 V1 Cert Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V1CRLBag,
- sizeof(pkcs12V1CRLBag) },
- SEC_OID_PKCS12_V1_CRL_BAG_ID,
- "PKCS #12 V1 CRL Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V1SecretBag,
- sizeof(pkcs12V1SecretBag) },
- SEC_OID_PKCS12_V1_SECRET_BAG_ID,
- "PKCS #12 V1 Secret Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12V1SafeContentsBag,
- sizeof(pkcs12V1SafeContentsBag) },
- SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
- "PKCS #12 V1 Safe Contents Bag", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, pkcs9X509Certificate,
- sizeof(pkcs9X509Certificate) },
- SEC_OID_PKCS9_X509_CERT,
- "PKCS #9 X509 Certificate", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9SDSICertificate,
- sizeof(pkcs9SDSICertificate) },
- SEC_OID_PKCS9_SDSI_CERT,
- "PKCS #9 SDSI Certificate", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9X509CRL,
- sizeof(pkcs9X509CRL) },
- SEC_OID_PKCS9_X509_CRL,
- "PKCS #9 X509 CRL", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9FriendlyName,
- sizeof(pkcs9FriendlyName) },
- SEC_OID_PKCS9_FRIENDLY_NAME,
- "PKCS #9 Friendly Name", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs9LocalKeyID,
- sizeof(pkcs9LocalKeyID) },
- SEC_OID_PKCS9_LOCAL_KEY_ID,
- "PKCS #9 Local Key ID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, pkcs12KeyUsageAttr,
- sizeof(pkcs12KeyUsageAttr) },
- SEC_OID_PKCS12_KEY_USAGE,
- "PKCS 12 Key Usage", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
- { { siDEROID, dhPublicKey,
- sizeof(dhPublicKey) },
- SEC_OID_X942_DIFFIE_HELMAN_KEY,
- "Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
- INVALID_CERT_EXTENSION },
- { { siDEROID, netscapeNickname,
- sizeof(netscapeNickname) },
- SEC_OID_NETSCAPE_NICKNAME,
- "Netscape Nickname", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- /* Cert Server specific OIDs */
- { { siDEROID, netscapeRecoveryRequest,
- sizeof(netscapeRecoveryRequest) },
- SEC_OID_NETSCAPE_RECOVERY_REQUEST,
- "Recovery Request OID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, nsExtAIACertRenewal,
- sizeof(nsExtAIACertRenewal) },
- SEC_OID_CERT_RENEWAL_LOCATOR,
- "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
- { { siDEROID, nsExtCertScopeOfUse,
- sizeof(nsExtCertScopeOfUse) },
- SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
- "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM,
- SUPPORTED_CERT_EXTENSION },
-
- /* CMS stuff */
- { { siDEROID, cmsESDH,
- sizeof(cmsESDH) },
- SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
- "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
- INVALID_CERT_EXTENSION },
- { { siDEROID, cms3DESwrap,
- sizeof(cms3DESwrap) },
- SEC_OID_CMS_3DES_KEY_WRAP,
- "CMS 3DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
- INVALID_CERT_EXTENSION },
- { { siDEROID, cmsRC2wrap,
- sizeof(cmsRC2wrap) },
- SEC_OID_CMS_RC2_KEY_WRAP,
- "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
- INVALID_CERT_EXTENSION },
- { { siDEROID, smimeEncryptionKeyPreference,
- sizeof(smimeEncryptionKeyPreference) },
- SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
- "S/MIME Encryption Key Preference", CKM_INVALID_MECHANISM,
- INVALID_CERT_EXTENSION },
-
-};
-
-/*
- * now the dynamic table. The dynamic table gets build at init time.
- * and gets modified if the user loads new crypto modules.
- */
-
-static DB *oid_d_hash = 0;
-static SECOidData **secoidDynamicTable = NULL;
-static int secoidDynamicTableSize = 0;
-static int secoidLastDynamicEntry = 0;
-static int secoidLastHashEntry = 0;
-
-static SECStatus
-secoid_DynamicRehash(void)
-{
- DBT key;
- DBT data;
- int rv;
- SECOidData *oid;
- int i;
- int last = secoidLastDynamicEntry;
-
- if (!oid_d_hash) {
- oid_d_hash = dbopen( 0, O_RDWR | O_CREAT, 0600, DB_HASH, 0 );
- }
-
-
- if ( !oid_d_hash ) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return(SECFailure);
- }
-
- for ( i = secoidLastHashEntry; i < last; i++ ) {
- oid = secoidDynamicTable[i];
-
- /* invalid assert ... guarrenteed not to be true */
- /* PORT_Assert ( oid->offset == i ); */
-
- key.data = oid->oid.data;
- key.size = oid->oid.len;
-
- data.data = &oid;
- data.size = sizeof(oid);
-
- rv = (* oid_d_hash->put)( oid_d_hash, &key, &data, R_NOOVERWRITE );
- if ( rv ) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return(SECFailure);
- }
- }
- secoidLastHashEntry = last;
- return(SECSuccess);
-}
-
-/*
- * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's
- * cheaper to rehash the table when it changes than it is to do the loop
- * each time. Worry: what about thread safety here? Global Static data with
- * no locks.... (sigh).
- */
-static SECStatus
-secoid_FindDynamic(DBT *key, DBT *data) {
- if (secoidDynamicTable == NULL) {
- return SECFailure;
- }
- if (secoidLastHashEntry != secoidLastDynamicEntry) {
- SECStatus rv = secoid_DynamicRehash();
- if ( rv != SECSuccess ) {
- return rv;
- }
- }
- return (SECStatus)(* oid_d_hash->get)( oid_d_hash, key, data, 0 );
-
-}
-
-static SECOidData *
-secoid_FindDynamicByTag(SECOidTag tagnum)
-{
- int tagNumDiff;
-
- if (secoidDynamicTable == NULL) {
- return NULL;
- }
-
- if (tagnum < SEC_OID_TOTAL) {
- return NULL;
- }
-
- tagNumDiff = tagnum - SEC_OID_TOTAL;
- if (tagNumDiff >= secoidLastDynamicEntry) {
- return NULL;
- }
-
- return(secoidDynamicTable[tagNumDiff]);
-}
-
-/*
- * this routine is definately not thread safe. It is only called out
- * of the UI, or at init time. If we want to call it any other time,
- * we need to make it thread safe.
- */
-SECStatus
-SECOID_AddEntry(SECItem *oid, char *description, unsigned long mech) {
- SECOidData *oiddp = (SECOidData *)PORT_Alloc(sizeof(SECOidData));
- int last = secoidLastDynamicEntry;
- int tableSize = secoidDynamicTableSize;
- int next = last++;
- SECOidData **newTable = secoidDynamicTable;
- SECOidData **oldTable = NULL;
-
- if (oid == NULL) {
- return SECFailure;
- }
-
- /* fill in oid structure */
- if (SECITEM_CopyItem(NULL,&oiddp->oid,oid) != SECSuccess) {
- PORT_Free(oiddp);
- return SECFailure;
- }
- oiddp->offset = (SECOidTag)(next + SEC_OID_TOTAL);
- /* may we should just reference the copy passed to us? */
- oiddp->desc = PORT_Strdup(description);
- oiddp->mechanism = mech;
-
-
- if (last > tableSize) {
- int oldTableSize = tableSize;
- tableSize += 10;
- oldTable = newTable;
- newTable = (SECOidData **)PORT_ZAlloc(sizeof(SECOidData *)*tableSize);
- if (newTable == NULL) {
- PORT_Free(oiddp->oid.data);
- PORT_Free(oiddp);
- return SECFailure;
- }
- PORT_Memcpy(newTable,oldTable,sizeof(SECOidData *)*oldTableSize);
- PORT_Free(oldTable);
- }
-
- newTable[next] = oiddp;
- secoidDynamicTable = newTable;
- secoidDynamicTableSize = tableSize;
- secoidLastDynamicEntry= last;
- return SECSuccess;
-}
-
-
-/* normal static table processing */
-static DB *oidhash = NULL;
-static DB *oidmechhash = NULL;
-
-static SECStatus
-InitOIDHash(void)
-{
- DBT key;
- DBT data;
- int rv;
- SECOidData *oid;
- int i;
-
- oidhash = dbopen( 0, O_RDWR | O_CREAT, 0600, DB_HASH, 0 );
- oidmechhash = dbopen( 0, O_RDWR | O_CREAT, 0600, DB_HASH, 0 );
-
- if ( !oidhash || !oidmechhash) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- PORT_Assert(0); /*This function should never fail. */
- return(SECFailure);
- }
-
- for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) {
- oid = &oids[i];
-
- PORT_Assert ( oid->offset == i );
-
- key.data = oid->oid.data;
- key.size = oid->oid.len;
-
- data.data = &oid;
- data.size = sizeof(oid);
-
- rv = (* oidhash->put)( oidhash, &key, &data, R_NOOVERWRITE );
- if ( rv ) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- PORT_Assert(0); /*This function should never fail. */
- return(SECFailure);
- }
-
- if ( oid->mechanism != CKM_INVALID_MECHANISM ) {
- key.data = &oid->mechanism;
- key.size = sizeof(oid->mechanism);
-
- rv = (* oidmechhash->put)( oidmechhash, &key, &data, R_NOOVERWRITE);
- /* Only error out if the error value returned is not
- * RET_SPECIAL, ie the mechanism already has a registered
- * OID.
- */
- if ( rv && rv != RET_SPECIAL) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- PORT_Assert(0); /* This function should never fail. */
- return(SECFailure);
- }
- }
- }
-
- PORT_Assert (i == SEC_OID_TOTAL);
-
- return(SECSuccess);
-}
-
-SECOidData *
-SECOID_FindOIDByMechanism(unsigned long mechanism)
-{
- DBT key;
- DBT data;
- SECOidData *ret;
- int rv;
-
- if ( !oidhash ) {
- rv = InitOIDHash();
- if ( rv != SECSuccess ) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
- }
- key.data = &mechanism;
- key.size = sizeof(mechanism);
-
- rv = (* oidmechhash->get)( oidmechhash, &key, &data, 0 );
- if ( rv || ( data.size != sizeof(unsigned long) ) ) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
- PORT_Memcpy(&ret, data.data, data.size);
-
- return (ret);
-}
-
-SECOidData *
-SECOID_FindOID(SECItem *oid)
-{
- DBT key;
- DBT data;
- SECOidData *ret;
- int rv;
-
- if ( !oidhash ) {
- rv = InitOIDHash();
- if ( rv != SECSuccess ) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return NULL;
- }
- }
-
- key.data = oid->data;
- key.size = oid->len;
-
- rv = (* oidhash->get)( oidhash, &key, &data, 0 );
- if ( rv || ( data.size != sizeof(SECOidData*) ) ) {
- rv = secoid_FindDynamic(&key, &data);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return(0);
- }
- }
-
- PORT_Memcpy(&ret, data.data, data.size);
-
- return(ret);
-}
-
-SECOidTag
-SECOID_FindOIDTag(SECItem *oid)
-{
- SECOidData *oiddata;
-
- oiddata = SECOID_FindOID (oid);
- if (oiddata == NULL)
- return SEC_OID_UNKNOWN;
-
- return oiddata->offset;
-}
-
-SECOidData *
-SECOID_FindOIDByTag(SECOidTag tagnum)
-{
-
- if (tagnum >= SEC_OID_TOTAL) {
- return secoid_FindDynamicByTag(tagnum);
- }
-
- PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
- return(&oids[tagnum]);
-}
-
-PRBool SECOID_KnownCertExtenOID (SECItem *extenOid)
-{
- SECOidData * oidData;
-
- oidData = SECOID_FindOID (extenOid);
- if (oidData == (SECOidData *)NULL)
- return (PR_FALSE);
- return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ?
- PR_TRUE : PR_FALSE);
-}
-
-
-const char *
-SECOID_FindOIDTagDescription(SECOidTag tagnum)
-{
- SECOidData *oidData = SECOID_FindOIDByTag(tagnum);
- if (!oidData)
- return 0;
- else
- return oidData->desc;
-}
diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h
deleted file mode 100644
index 9f8c7b11c..000000000
--- a/security/nss/lib/util/secoid.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECOID_H_
-#define _SECOID_H_
-/*
- * secoid.h - public data structures and prototypes for ASN.1 OID functions
- *
- * $Id$
- */
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-
-extern const SEC_ASN1Template SECOID_AlgorithmIDTemplate[];
-
-SEC_BEGIN_PROTOS
-
-/*
- * OID handling routines
- */
-extern SECOidData *SECOID_FindOID(SECItem *oid);
-extern SECOidTag SECOID_FindOIDTag(SECItem *oid);
-extern SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum);
-extern SECOidData *SECOID_FindOIDByMechanism(unsigned long mechanism);
-
-/****************************************/
-/*
-** Algorithm id handling operations
-*/
-
-/*
-** Fill in an algorithm-ID object given a tag and some parameters.
-** "aid" where the DER encoded algorithm info is stored (memory
-** is allocated)
-** "tag" the tag defining the algorithm (SEC_OID_*)
-** "params" if not NULL, the parameters to go with the algorithm
-*/
-extern SECStatus SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *aid,
- SECOidTag tag, SECItem *params);
-
-/*
-** Copy the "src" object to "dest". Memory is allocated in "dest" for
-** each of the appropriate sub-objects. Memory in "dest" is not freed
-** before memory is allocated (use SECOID_DestroyAlgorithmID(dest, PR_FALSE)
-** to do that).
-*/
-extern SECStatus SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *dest,
- SECAlgorithmID *src);
-
-/*
-** Get the SEC_OID_* tag for the given algorithm-id object.
-*/
-extern SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid);
-
-/*
-** Destroy an algorithm-id object.
-** "aid" the certificate-request to destroy
-** "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit);
-
-/*
-** Compare two algorithm-id objects, returning the difference between
-** them.
-*/
-extern SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
- SECAlgorithmID *b);
-
-extern PRBool SECOID_KnownCertExtenOID (SECItem *extenOid);
-
-/* Given a SEC_OID_* tag, return a string describing it.
- */
-extern const char *SECOID_FindOIDTagDescription(SECOidTag tagnum);
-
-
-SEC_END_PROTOS
-
-#endif /* _SECOID_H_ */
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
deleted file mode 100644
index 66d3424a0..000000000
--- a/security/nss/lib/util/secoidt.h
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECOIDT_H_
-#define _SECOIDT_H_
-/*
- * secoidt.h - public data structures for ASN.1 OID functions
- *
- * $Id$
- */
-
-#include "secitem.h"
-
-typedef struct SECOidDataStr SECOidData;
-typedef struct SECAlgorithmIDStr SECAlgorithmID;
-
-/*
-** An X.500 algorithm identifier
-*/
-struct SECAlgorithmIDStr {
- SECItem algorithm;
- SECItem parameters;
-};
-
-/*
- * Misc object IDs - these numbers are for convenient handling.
- * They are mapped into real object IDs
- *
- * NOTE: the order of these entries must mach the array "oids" of SECOidData
- * in util/secoid.c.
- */
-typedef enum {
- SEC_OID_UNKNOWN,
- SEC_OID_MD2,
- SEC_OID_MD4,
- SEC_OID_MD5,
- SEC_OID_SHA1,
- SEC_OID_RC2_CBC,
- SEC_OID_RC4,
- SEC_OID_DES_EDE3_CBC,
- SEC_OID_RC5_CBC_PAD,
- SEC_OID_DES_ECB,
- SEC_OID_DES_CBC,
- SEC_OID_DES_OFB,
- SEC_OID_DES_CFB,
- SEC_OID_DES_MAC,
- SEC_OID_DES_EDE,
- SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE,
- SEC_OID_PKCS1_RSA_ENCRYPTION,
- SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION,
- SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION,
- SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
- SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
- SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
- SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
- SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
- SEC_OID_PKCS7,
- SEC_OID_PKCS7_DATA,
- SEC_OID_PKCS7_SIGNED_DATA,
- SEC_OID_PKCS7_ENVELOPED_DATA,
- SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
- SEC_OID_PKCS7_DIGESTED_DATA,
- SEC_OID_PKCS7_ENCRYPTED_DATA,
- SEC_OID_PKCS9_EMAIL_ADDRESS,
- SEC_OID_PKCS9_UNSTRUCTURED_NAME,
- SEC_OID_PKCS9_CONTENT_TYPE,
- SEC_OID_PKCS9_MESSAGE_DIGEST,
- SEC_OID_PKCS9_SIGNING_TIME,
- SEC_OID_PKCS9_COUNTER_SIGNATURE,
- SEC_OID_PKCS9_CHALLENGE_PASSWORD,
- SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
- SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
- SEC_OID_PKCS9_SMIME_CAPABILITIES,
- SEC_OID_AVA_COMMON_NAME,
- SEC_OID_AVA_COUNTRY_NAME,
- SEC_OID_AVA_LOCALITY,
- SEC_OID_AVA_STATE_OR_PROVINCE,
- SEC_OID_AVA_ORGANIZATION_NAME,
- SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
- SEC_OID_AVA_DN_QUALIFIER,
- SEC_OID_AVA_DC,
-
- SEC_OID_NS_TYPE_GIF,
- SEC_OID_NS_TYPE_JPEG,
- SEC_OID_NS_TYPE_URL,
- SEC_OID_NS_TYPE_HTML,
- SEC_OID_NS_TYPE_CERT_SEQUENCE,
- SEC_OID_MISSI_KEA_DSS_OLD,
- SEC_OID_MISSI_DSS_OLD,
- SEC_OID_MISSI_KEA_DSS,
- SEC_OID_MISSI_DSS,
- SEC_OID_MISSI_KEA,
- SEC_OID_MISSI_ALT_KEA,
-
- /* Netscape private certificate extensions */
- SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
- SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
- SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
- SEC_OID_NS_CERT_EXT_CERT_TYPE,
- SEC_OID_NS_CERT_EXT_BASE_URL,
- SEC_OID_NS_CERT_EXT_REVOCATION_URL,
- SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
- SEC_OID_NS_CERT_EXT_CA_CRL_URL,
- SEC_OID_NS_CERT_EXT_CA_CERT_URL,
- SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
- SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
- SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
- SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
- SEC_OID_NS_CERT_EXT_USER_PICTURE,
- SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
- SEC_OID_NS_CERT_EXT_COMMENT,
- SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
- SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME,
- SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
-
- /* x.509 v3 Extensions */
- SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
- SEC_OID_X509_SUBJECT_KEY_ID,
- SEC_OID_X509_KEY_USAGE,
- SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
- SEC_OID_X509_SUBJECT_ALT_NAME,
- SEC_OID_X509_ISSUER_ALT_NAME,
- SEC_OID_X509_BASIC_CONSTRAINTS,
- SEC_OID_X509_NAME_CONSTRAINTS,
- SEC_OID_X509_CRL_DIST_POINTS,
- SEC_OID_X509_CERTIFICATE_POLICIES,
- SEC_OID_X509_POLICY_MAPPINGS,
- SEC_OID_X509_POLICY_CONSTRAINTS,
- SEC_OID_X509_AUTH_KEY_ID,
- SEC_OID_X509_EXT_KEY_USAGE,
- SEC_OID_X509_AUTH_INFO_ACCESS,
-
- SEC_OID_X509_CRL_NUMBER,
- SEC_OID_X509_REASON_CODE,
- SEC_OID_X509_INVALID_DATE,
- /* End of x.509 v3 Extensions */
-
- SEC_OID_X500_RSA_ENCRYPTION,
-
- /* alg 1485 additions */
- SEC_OID_RFC1274_UID,
- SEC_OID_RFC1274_MAIL,
-
- /* PKCS 12 additions */
- SEC_OID_PKCS12,
- SEC_OID_PKCS12_MODE_IDS,
- SEC_OID_PKCS12_ESPVK_IDS,
- SEC_OID_PKCS12_BAG_IDS,
- SEC_OID_PKCS12_CERT_BAG_IDS,
- SEC_OID_PKCS12_OIDS,
- SEC_OID_PKCS12_PBE_IDS,
- SEC_OID_PKCS12_SIGNATURE_IDS,
- SEC_OID_PKCS12_ENVELOPING_IDS,
- /* SEC_OID_PKCS12_OFFLINE_TRANSPORT_MODE,
- SEC_OID_PKCS12_ONLINE_TRANSPORT_MODE, */
- SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
- SEC_OID_PKCS12_KEY_BAG_ID,
- SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
- SEC_OID_PKCS12_SECRET_BAG_ID,
- SEC_OID_PKCS12_X509_CERT_CRL_BAG,
- SEC_OID_PKCS12_SDSI_CERT_BAG,
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
- SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
- SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
- SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
- SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
- SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
- /* end of PKCS 12 additions */
-
- /* DSA signatures */
- SEC_OID_ANSIX9_DSA_SIGNATURE,
- SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
- SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
-
- /* Verisign OIDs */
- SEC_OID_VERISIGN_USER_NOTICES,
-
- /* PKIX OIDs */
- SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
- SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
- SEC_OID_PKIX_OCSP,
- SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
- SEC_OID_PKIX_OCSP_NONCE,
- SEC_OID_PKIX_OCSP_CRL,
- SEC_OID_PKIX_OCSP_RESPONSE,
- SEC_OID_PKIX_OCSP_NO_CHECK,
- SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
- SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
- SEC_OID_PKIX_REGCTRL_REGTOKEN,
- SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
- SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
- SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
- SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
- SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
- SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
- SEC_OID_PKIX_REGINFO_CERT_REQUEST,
- SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
- SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
- SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
- SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
- SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
- SEC_OID_OCSP_RESPONDER,
-
- /* Netscape Algorithm OIDs */
- SEC_OID_NETSCAPE_SMIME_KEA,
-
- /* Skipjack OID -- ### mwelch temporary */
- SEC_OID_FORTEZZA_SKIPJACK,
-
- /* PKCS 12 V2 oids */
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
- SEC_OID_PKCS12_SAFE_CONTENTS_ID,
- SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
-
- SEC_OID_PKCS12_V1_KEY_BAG_ID,
- SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
- SEC_OID_PKCS12_V1_CERT_BAG_ID,
- SEC_OID_PKCS12_V1_CRL_BAG_ID,
- SEC_OID_PKCS12_V1_SECRET_BAG_ID,
- SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
- SEC_OID_PKCS9_X509_CERT,
- SEC_OID_PKCS9_SDSI_CERT,
- SEC_OID_PKCS9_X509_CRL,
- SEC_OID_PKCS9_FRIENDLY_NAME,
- SEC_OID_PKCS9_LOCAL_KEY_ID,
- SEC_OID_PKCS12_KEY_USAGE,
-
- /*Diffe Helman OIDS */
- SEC_OID_X942_DIFFIE_HELMAN_KEY,
-
- /* Netscape other name types */
- SEC_OID_NETSCAPE_NICKNAME,
-
- /* Cert Server OIDS */
- SEC_OID_NETSCAPE_RECOVERY_REQUEST,
-
- /* New PSM certificate management OIDs */
- SEC_OID_CERT_RENEWAL_LOCATOR,
- SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
-
- /* CMS (RFC2630) OIDs */
- SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
- SEC_OID_CMS_3DES_KEY_WRAP,
- SEC_OID_CMS_RC2_KEY_WRAP,
-
- /* SMIME attributes */
- SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
-
- SEC_OID_TOTAL
-} SECOidTag;
-
-/* fake OID for DSS sign/verify */
-#define SEC_OID_SHA SEC_OID_MISS_DSS
-
-typedef enum {
- INVALID_CERT_EXTENSION,
- UNSUPPORTED_CERT_EXTENSION,
- SUPPORTED_CERT_EXTENSION
-} SECSupportExtenTag;
-
-struct SECOidDataStr {
- SECItem oid;
- SECOidTag offset;
- char *desc;
- unsigned long mechanism;
- SECSupportExtenTag supportedExtension; /* only used for x.509 v3 extensions, so
- that we can print the names of those
- extensions that we don't even support */
-};
-
-#endif /* _SECOIDT_H_ */
diff --git a/security/nss/lib/util/secplcy.c b/security/nss/lib/util/secplcy.c
deleted file mode 100644
index b7f42080d..000000000
--- a/security/nss/lib/util/secplcy.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secplcy.h"
-#include "prmem.h"
-
-SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
- secCPStruct *policy,
- long *ciphers)
-{
- SECCipherFind *find = PR_NEWZAP(SECCipherFind);
- if (find)
- {
- find->policy = policy;
- find->ciphers = ciphers;
- find->onlyAllowed = onlyAllowed;
- find->index = -1;
- }
- return find;
-}
-
-long sec_CipherFindNext(SECCipherFind *find)
-{
- char *policy;
- long rv = -1;
- secCPStruct *policies = (secCPStruct *) find->policy;
- long *ciphers = (long *) find->ciphers;
- long numCiphers = policies->num_ciphers;
-
- find->index++;
- while((find->index < numCiphers) && (rv == -1))
- {
- /* Translate index to cipher. */
- rv = ciphers[find->index];
-
- /* If we're only looking for allowed ciphers, and if this
- cipher isn't allowed, loop around.*/
- if (find->onlyAllowed)
- {
- /* Find the appropriate policy flag. */
- policy = (&(policies->begin_ciphers)) + find->index + 1;
-
- /* If this cipher isn't allowed by policy, continue. */
- if (! (*policy))
- {
- rv = -1;
- find->index++;
- }
- }
- }
-
- return rv;
-}
-
-char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
- long *ciphers)
-{
- char result = SEC_CIPHER_NOT_ALLOWED; /* our default answer */
- long numCiphers = policies->num_ciphers;
- char *policy;
- int i;
-
- /* Convert the cipher number into a policy flag location. */
- for (i=0, policy=(&(policies->begin_ciphers) + 1);
- i<numCiphers;
- i++, policy++)
- {
- if (cipher == ciphers[i])
- break;
- }
-
- if (i < numCiphers)
- {
- /* Found the cipher, get the policy value. */
- result = *policy;
- }
-
- return result;
-}
-
-void sec_CipherFindEnd(SECCipherFind *find)
-{
- PR_FREEIF(find);
-}
diff --git a/security/nss/lib/util/secplcy.h b/security/nss/lib/util/secplcy.h
deleted file mode 100644
index add5d8fac..000000000
--- a/security/nss/lib/util/secplcy.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef __secplcy_h__
-#define __secplcy_h__
-
-#include "prtypes.h"
-
-/*
-** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
-** the purpose of obscuring policy information from potential fortifiers. :-)
-**
-** The following routines are generic and intended for anywhere where cipher
-** policy enforcement is to be done, e.g. SSL and PKCS7&12.
-*/
-
-#define SEC_CIPHER_NOT_ALLOWED 0
-#define SEC_CIPHER_ALLOWED 1
-#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases
- e.g. step-up */
-
-/* The length of the header string for each cipher table.
- (It's the same regardless of whether we're using md5 strings or not.) */
-#define SEC_POLICY_HEADER_LENGTH 48
-
-/* If we're testing policy stuff, we may want to use the plaintext version */
-#define SEC_POLICY_USE_MD5_STRINGS 1
-
-#define SEC_POLICY_THIS_IS_THE \
- "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
-#define SEC_POLICY_STRING_FOR_THE \
- "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
-#define SEC_POLICY_SSL_TAIL \
- "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
-#define SEC_POLICY_SMIME_TAIL \
- "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
-#define SEC_POLICY_PKCS12_TAIL \
- "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
-
-#if defined(SEC_POLICY_USE_MD5_STRINGS)
-
-/* We're not testing.
- Use md5 checksums of the strings. */
-
-#define SEC_POLICY_SSL_HEADER \
- SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
-
-#define SEC_POLICY_SMIME_HEADER \
- SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
-
-#define SEC_POLICY_PKCS12_HEADER \
- SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
-
-#else
-
-/* We're testing.
- Use plaintext versions of the strings, for testing purposes. */
-#define SEC_POLICY_SSL_HEADER \
- "This is the string for the SSL policy table. "
-#define SEC_POLICY_SMIME_HEADER \
- "This is the string for the PKCS7 policy table. "
-#define SEC_POLICY_PKCS12_HEADER \
- "This is the string for the PKCS12 policy table. "
-
-#endif
-
-/* Local cipher tables have to have these members at the top. */
-typedef struct _sec_cp_struct
-{
- char policy_string[SEC_POLICY_HEADER_LENGTH];
- long unused; /* placeholder for max keybits in pkcs12 struct */
- char num_ciphers;
- char begin_ciphers;
- /* cipher policy settings follow. each is a char. */
-} secCPStruct;
-
-struct SECCipherFindStr
-{
- /* (policy) and (ciphers) are opaque to the outside world */
- void *policy;
- void *ciphers;
- long index;
- PRBool onlyAllowed;
-};
-
-typedef struct SECCipherFindStr SECCipherFind;
-
-SEC_BEGIN_PROTOS
-
-SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
- secCPStruct *policy,
- long *ciphers);
-
-long sec_CipherFindNext(SECCipherFind *find);
-
-char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
- long *ciphers);
-
-void sec_CipherFindEnd(SECCipherFind *find);
-
-SEC_END_PROTOS
-
-#endif /* __SECPLCY_H__ */
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
deleted file mode 100644
index 76b0b195b..000000000
--- a/security/nss/lib/util/secport.c
+++ /dev/null
@@ -1,601 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * secport.c - portability interfaces for security libraries
- *
- * This file abstracts out libc functionality that libsec depends on
- *
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "prmem.h"
-#include "prerror.h"
-#include "plarena.h"
-#include "secerr.h"
-#include "prmon.h"
-#include "nsslocks.h"
-#include "secport.h"
-
-#ifdef DEBUG
-#define THREADMARK
-#endif /* DEBUG */
-
-#ifdef THREADMARK
-#include "prthread.h"
-#endif /* THREADMARK */
-
-#if defined(XP_UNIX) || defined(XP_MAC)
-#include <stdlib.h>
-#else
-#include "wtypes.h"
-#endif
-
-#define SET_ERROR_CODE /* place holder for code to set PR error code. */
-
-#ifdef THREADMARK
-typedef struct threadmark_mark_str {
- struct threadmark_mark_str *next;
- void *mark;
-} threadmark_mark;
-
-typedef struct threadmark_arena_str {
- PLArenaPool arena;
- PRUint32 magic;
- PRThread *marking_thread;
- threadmark_mark *first_mark;
-} threadmark_arena;
-
-#define THREADMARK_MAGIC 0xB8AC9BDD /* In honor of nelsonb */
-#endif /* THREADMARK */
-
-/* count of allocation failures. */
-unsigned long port_allocFailures;
-
-/* locations for registering Unicode conversion functions.
- * XXX is this the appropriate location? or should they be
- * moved to client/server specific locations?
- */
-PORTCharConversionFunc ucs4Utf8ConvertFunc;
-PORTCharConversionFunc ucs2Utf8ConvertFunc;
-PORTCharConversionWSwapFunc ucs2AsciiConvertFunc;
-
-void *
-PORT_Alloc(size_t bytes)
-{
- void *rv;
-
- /* Always allocate a non-zero amount of bytes */
- rv = (void *)PR_Malloc(bytes ? bytes : 1);
- if (!rv) {
- ++port_allocFailures;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- return rv;
-}
-
-void *
-PORT_Realloc(void *oldptr, size_t bytes)
-{
- void *rv;
-
- rv = (void *)PR_Realloc(oldptr, bytes);
- if (!rv) {
- ++port_allocFailures;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- return rv;
-}
-
-#ifdef XP_MAC
-char *
-PORT_Strdup(const char *cp)
-{
- size_t len = PORT_Strlen(cp);
- char *buf;
-
- buf = (char *)PORT_Alloc(len+1);
- if (buf == NULL) return;
-
- PORT_Memcpy(buf,cp,len+1);
- return buf;
-}
-#endif
-
-
-void *
-PORT_ZAlloc(size_t bytes)
-{
- void *rv;
-
- /* Always allocate a non-zero amount of bytes */
- rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
- if (!rv) {
- ++port_allocFailures;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
- return rv;
-}
-
-void
-PORT_Free(void *ptr)
-{
- if (ptr) {
- PR_Free(ptr);
- }
-}
-
-void
-PORT_ZFree(void *ptr, size_t len)
-{
- if (ptr) {
- memset(ptr, 0, len);
- PR_Free(ptr);
- }
-}
-
-void
-PORT_SetError(int value)
-{
- PR_SetError(value, 0);
- return;
-}
-
-int
-PORT_GetError(void)
-{
- return(PR_GetError());
-}
-
-/********************* Arena code follows *****************************/
-
-PRMonitor * arenaMonitor;
-
-static void
-getArenaLock(void)
-{
- if (!arenaMonitor) {
- nss_InitMonitor(&arenaMonitor);
- }
- if (arenaMonitor)
- PR_EnterMonitor(arenaMonitor);
-}
-
-static void
-releaseArenaLock(void)
-{
- if (arenaMonitor)
- PR_ExitMonitor(arenaMonitor);
-}
-
-PLArenaPool *
-PORT_NewArena(unsigned long chunksize)
-{
- PLArenaPool *arena;
-
- getArenaLock();
-#ifdef THREADMARK
- {
- threadmark_arena *tarena = (threadmark_arena *)
- PORT_ZAlloc(sizeof(threadmark_arena));
- if( (threadmark_arena *)NULL != tarena ) {
- arena = &tarena->arena;
- tarena->magic = THREADMARK_MAGIC;
- } else {
- arena = (PLArenaPool *)NULL;
- }
- }
-#else /* THREADMARK */
- arena = (PLArenaPool*)PORT_ZAlloc(sizeof(PLArenaPool));
-#endif /* THREADMARK */
- if ( arena != NULL ) {
- PL_InitArenaPool(arena, "security", chunksize, sizeof(double));
- }
- releaseArenaLock();
- return(arena);
-}
-
-void *
-PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
-{
- void *p;
-
- getArenaLock();
-#ifdef THREADMARK
- {
- /* Is it one of ours? Assume so and check the magic */
- threadmark_arena *tarena = (threadmark_arena *)arena;
- if( THREADMARK_MAGIC == tarena->magic ) {
- /* Most likely one of ours. Is there a thread id? */
- if( (PRThread *)NULL != tarena->marking_thread ) {
- /* Yes. Has this arena been marked by this thread? */
- if( tarena->marking_thread == PR_GetCurrentThread() ) {
- /* Yup. Everything's okay. */
- ;
- } else {
- /* Nope. BZZT! error */
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return (void *)NULL;
- }
- } /* tid != null */
- } /* tarena */
- } /* scope */
-#endif /* THREADMARK */
-
- PL_ARENA_ALLOCATE(p, arena, size);
- releaseArenaLock();
- if (p == NULL) {
- ++port_allocFailures;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- }
-
- return(p);
-}
-
-void *
-PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
-{
- void *p;
-
- getArenaLock();
-#ifdef THREADMARK
- {
- /* Is it one of ours? Assume so and check the magic */
- threadmark_arena *tarena = (threadmark_arena *)arena;
- if( THREADMARK_MAGIC == tarena->magic ) {
- /* Most likely one of ours. Is there a thread id? */
- if( (PRThread *)NULL != tarena->marking_thread ) {
- /* Yes. Has this arena been marked by this thread? */
- if( tarena->marking_thread == PR_GetCurrentThread() ) {
- /* Yup. Everything's okay. */
- ;
- } else {
- /* No, it was a different thread BZZT! error */
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return (void *)NULL;
- }
- } /* tid != null */
- } /* tarena */
- } /* scope */
-#endif /* THREADMARK */
-
- PL_ARENA_ALLOCATE(p, arena, size);
- releaseArenaLock();
- if (p == NULL) {
- ++port_allocFailures;
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- } else {
- PORT_Memset(p, 0, size);
- }
-
- return(p);
-}
-
-/* XXX - need to zeroize!! - jsw */
-void
-PORT_FreeArena(PLArenaPool *arena, PRBool zero)
-{
- getArenaLock();
- PL_FinishArenaPool(arena);
- PORT_Free(arena);
- releaseArenaLock();
-}
-
-void *
-PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
-{
- PORT_Assert(newsize >= oldsize);
-
- getArenaLock();
- /* Do we do a THREADMARK check here? */
- PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
- releaseArenaLock();
-
- return(ptr);
-}
-
-void *
-PORT_ArenaMark(PLArenaPool *arena)
-{
- void * result;
-
- getArenaLock();
-#ifdef THREADMARK
- {
- threadmark_mark *tm, **pw;
-
- threadmark_arena *tarena = (threadmark_arena *)arena;
- if( THREADMARK_MAGIC == tarena->magic ) {
- /* one of ours */
- if( (PRThread *)NULL == tarena->marking_thread ) {
- /* First mark */
- tarena->marking_thread = PR_GetCurrentThread();
- } else {
- if( PR_GetCurrentThread() != tarena->marking_thread ) {
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return (void *)NULL;
- }
- }
-
- result = PL_ARENA_MARK(arena);
- PL_ARENA_ALLOCATE(tm, arena, sizeof(threadmark_mark));
- if( (threadmark_mark *)NULL == tm ) {
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return (void *)NULL;
- }
-
- tm->mark = result;
- tm->next = (threadmark_mark *)NULL;
-
- pw = &tarena->first_mark;
- while( (threadmark_mark *)NULL != *pw ) {
- pw = &(*pw)->next;
- }
-
- *pw = tm;
- } else {
- /* a "pure" NSPR arena */
- result = PL_ARENA_MARK(arena);
- }
- }
-#else /* THREADMARK */
- result = PL_ARENA_MARK(arena);
-#endif /* THREADMARK */
- releaseArenaLock();
- return result;
-}
-
-void
-PORT_ArenaRelease(PLArenaPool *arena, void *mark)
-{
- getArenaLock();
-#ifdef THREADMARK
- {
- threadmark_arena *tarena = (threadmark_arena *)arena;
- if( THREADMARK_MAGIC == tarena->magic ) {
- threadmark_mark **pw, *tm;
-
- if( PR_GetCurrentThread() != tarena->marking_thread ) {
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return /* no error indication available */ ;
- }
-
- pw = &tarena->first_mark;
- while( ((threadmark_mark *)NULL != *pw) && (mark != (*pw)->mark) ) {
- pw = &(*pw)->next;
- }
-
- if( (threadmark_mark *)NULL == *pw ) {
- /* bad mark */
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return /* no error indication available */ ;
- }
-
- tm = *pw;
- *pw = (threadmark_mark *)NULL;
-
- PL_ARENA_RELEASE(arena, mark);
-
- if( (threadmark_mark *)NULL == tarena->first_mark ) {
- tarena->marking_thread = (PRThread *)NULL;
- }
- } else {
- PL_ARENA_RELEASE(arena, mark);
- }
- }
-#else /* THREADMARK */
- PL_ARENA_RELEASE(arena, mark);
-#endif /* THREADMARK */
- releaseArenaLock();
-}
-
-void
-PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
-{
-#ifdef THREADMARK
- getArenaLock();
- {
- threadmark_arena *tarena = (threadmark_arena *)arena;
- if( THREADMARK_MAGIC == tarena->magic ) {
- threadmark_mark **pw, *tm;
-
- if( PR_GetCurrentThread() != tarena->marking_thread ) {
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return /* no error indication available */ ;
- }
-
- pw = &tarena->first_mark;
- while( ((threadmark_mark *)NULL != *pw) && (mark != (*pw)->mark) ) {
- pw = &(*pw)->next;
- }
-
- if( (threadmark_mark *)NULL == *pw ) {
- /* bad mark */
- releaseArenaLock();
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- PORT_Assert(0);
- return /* no error indication available */ ;
- }
-
- tm = *pw;
- *pw = (threadmark_mark *)NULL;
-
- if( (threadmark_mark *)NULL == tarena->first_mark ) {
- tarena->marking_thread = (PRThread *)NULL;
- }
- } else {
- PL_ARENA_RELEASE(arena, mark);
- }
- }
- releaseArenaLock();
-#endif /* THREADMARK */
-}
-
-char *
-PORT_ArenaStrdup(PLArenaPool *arena, char *str) {
- int len = PORT_Strlen(str)+1;
- char *newstr;
-
- getArenaLock();
- newstr = (char*)PORT_ArenaAlloc(arena,len);
- releaseArenaLock();
- if (newstr) {
- PORT_Memcpy(newstr,str,len);
- }
- return newstr;
-}
-
-/********************** end of arena functions ***********************/
-
-/****************** unicode conversion functions ***********************/
-/*
- * NOTE: These conversion functions all assume that the multibyte
- * characters are going to be in NETWORK BYTE ORDER, not host byte
- * order. This is because the only time we deal with UCS-2 and UCS-4
- * are when the data was received from or is going to be sent out
- * over the wire (in, e.g. certificates).
- */
-
-void
-PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
-{
- ucs4Utf8ConvertFunc = convFunc;
-}
-
-void
-PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc)
-{
- ucs2AsciiConvertFunc = convFunc;
-}
-
-void
-PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
-{
- ucs2Utf8ConvertFunc = convFunc;
-}
-
-PRBool
-PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
- unsigned int inBufLen, unsigned char *outBuf,
- unsigned int maxOutBufLen, unsigned int *outBufLen)
-{
- if(!ucs4Utf8ConvertFunc) {
- return sec_port_ucs4_utf8_conversion_function(toUnicode,
- inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
- }
-
- return (*ucs4Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf,
- maxOutBufLen, outBufLen);
-}
-
-PRBool
-PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
- unsigned int inBufLen, unsigned char *outBuf,
- unsigned int maxOutBufLen, unsigned int *outBufLen)
-{
- if(!ucs2Utf8ConvertFunc) {
- return sec_port_ucs2_utf8_conversion_function(toUnicode,
- inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
- }
-
- return (*ucs2Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf,
- maxOutBufLen, outBufLen);
-}
-
-PRBool
-PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
- unsigned int inBufLen, unsigned char *outBuf,
- unsigned int maxOutBufLen, unsigned int *outBufLen,
- PRBool swapBytes)
-{
- if(!ucs2AsciiConvertFunc) {
- return PR_FALSE;
- }
-
- return (*ucs2AsciiConvertFunc)(toUnicode, inBuf, inBufLen, outBuf,
- maxOutBufLen, outBufLen, swapBytes);
-}
-
-
-/* Portable putenv. Creates/replaces an environment variable of the form
- * envVarName=envValue
- */
-int
-NSS_PutEnv(const char * envVarName, const char * envValue)
-{
- SECStatus result = SECSuccess;
-#ifdef _WIN32
- PRBool setOK;
-
- setOK = SetEnvironmentVariable(envVarName, envValue);
- if (!setOK) {
- SET_ERROR_CODE
- result = SECFailure;
- }
-#elif defined(XP_MAC)
- result = SECFailure;
-#else
- char * encoded;
- int putEnvFailed;
-
- encoded = (char *)PORT_ZAlloc(strlen(envVarName) + 2 + strlen(envValue));
- strcpy(encoded, envVarName);
- strcat(encoded, "=");
- strcat(encoded, envValue);
-
- putEnvFailed = putenv(encoded); /* adopt. */
- if (putEnvFailed) {
- SET_ERROR_CODE
- result = SECFailure;
- PORT_Free(encoded);
- }
-#endif
- return result;
-}
-
diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h
deleted file mode 100644
index 8ccba60ec..000000000
--- a/security/nss/lib/util/secport.h
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * secport.h - portability interfaces for security libraries
- *
- * This file abstracts out libc functionality that libsec depends on
- *
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#ifndef _SECPORT_H_
-#define _SECPORT_H_
-
-/*
- * define XP_MAC, XP_WIN, or XP_UNIX, in case they are not defined
- * by anyone else
- */
-#ifdef macintosh
-# ifndef XP_MAC
-# define XP_MAC 1
-# endif
-#endif
-
-#ifdef _WINDOWS
-# ifndef XP_WIN
-# define XP_WIN
-# endif
-#if defined(_WIN32) || defined(WIN32)
-# ifndef XP_WIN32
-# define XP_WIN32
-# endif
-#else
-# ifndef XP_WIN16
-# define XP_WIN16
-# endif
-#endif
-#endif
-
-#ifdef unix
-# ifndef XP_UNIX
-# define XP_UNIX
-# endif
-#endif
-
-#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
-#include "watcomfx.h"
-#endif
-
-#ifdef XP_MAC
-#include <types.h>
-#include <time.h> /* for time_t below */
-#else
-#include <sys/types.h>
-#endif
-
-#ifdef notdef
-#ifdef XP_MAC
-#include "NSString.h"
-#endif
-#endif
-
-#include <ctype.h>
-#include <string.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include "prtypes.h"
-#include "prlog.h" /* for PR_ASSERT */
-#include "plarena.h"
-#include "plstr.h"
-
-/*
- * HACK for NSS 2.8 to allow Admin to compile without source changes.
- */
-#ifndef SEC_BEGIN_PROTOS
-#include "seccomon.h"
-#endif
-
-SEC_BEGIN_PROTOS
-
-extern void *PORT_Alloc(size_t len);
-extern void *PORT_Realloc(void *old, size_t len);
-extern void *PORT_AllocBlock(size_t len);
-extern void *PORT_ReallocBlock(void *old, size_t len);
-extern void PORT_FreeBlock(void *ptr);
-extern void *PORT_ZAlloc(size_t len);
-extern void PORT_Free(void *ptr);
-extern void PORT_ZFree(void *ptr, size_t len);
-extern time_t PORT_Time(void);
-extern void PORT_SetError(int value);
-extern int PORT_GetError(void);
-
-extern PLArenaPool *PORT_NewArena(unsigned long chunksize);
-extern void *PORT_ArenaAlloc(PLArenaPool *arena, size_t size);
-extern void *PORT_ArenaZAlloc(PLArenaPool *arena, size_t size);
-extern void PORT_FreeArena(PLArenaPool *arena, PRBool zero);
-extern void *PORT_ArenaGrow(PLArenaPool *arena, void *ptr,
- size_t oldsize, size_t newsize);
-extern void *PORT_ArenaMark(PLArenaPool *arena);
-extern void PORT_ArenaRelease(PLArenaPool *arena, void *mark);
-extern void PORT_ArenaUnmark(PLArenaPool *arena, void *mark);
-extern char *PORT_ArenaStrdup(PLArenaPool *arena, char *str);
-
-#ifdef __cplusplus
-}
-#endif
-
-#define PORT_Assert PR_ASSERT
-#define PORT_ZNew(type) (type*)PORT_ZAlloc(sizeof(type))
-#define PORT_New(type) (type*)PORT_Alloc(sizeof(type))
-#define PORT_ArenaNew(poolp, type) \
- (type*) PORT_ArenaAlloc(poolp, sizeof(type))
-#define PORT_ArenaZNew(poolp, type) \
- (type*) PORT_ArenaZAlloc(poolp, sizeof(type))
-#define PORT_NewArray(type, num) \
- (type*) PORT_Alloc (sizeof(type)*(num))
-#define PORT_ZNewArray(type, num) \
- (type*) PORT_ZAlloc (sizeof(type)*(num))
-#define PORT_ArenaNewArray(poolp, type, num) \
- (type*) PORT_ArenaAlloc (poolp, sizeof(type)*(num))
-#define PORT_ArenaZNewArray(poolp, type, num) \
- (type*) PORT_ArenaZAlloc (poolp, sizeof(type)*(num))
-
-/* Please, keep these defines sorted alphbetically. Thanks! */
-
-#ifdef XP_STRING_FUNCS
-
-#define PORT_Atoi XP_ATOI
-
-#define PORT_Memcmp XP_MEMCMP
-#define PORT_Memcpy XP_MEMCPY
-#define PORT_Memmove XP_MEMMOVE
-#define PORT_Memset XP_MEMSET
-
-#define PORT_Strcasecmp XP_STRCASECMP
-#define PORT_Strcat XP_STRCAT
-#define PORT_Strchr XP_STRCHR
-#define PORT_Strrchr XP_STRRCHR
-#define PORT_Strcmp XP_STRCMP
-#define PORT_Strcpy XP_STRCPY
-#define PORT_Strdup XP_STRDUP
-#define PORT_Strlen(s) XP_STRLEN(s)
-#define PORT_Strncasecmp XP_STRNCASECMP
-#define PORT_Strncat strncat
-#define PORT_Strncmp XP_STRNCMP
-#define PORT_Strncpy strncpy
-#define PORT_Strstr XP_STRSTR
-#define PORT_Strtok XP_STRTOK_R
-
-#define PORT_Tolower XP_TO_LOWER
-
-#else /* XP_STRING_FUNCS */
-
-#define PORT_Atoi atoi
-
-#define PORT_Memcmp memcmp
-#define PORT_Memcpy memcpy
-#ifndef SUNOS4
-#define PORT_Memmove memmove
-#else /*SUNOS4*/
-#define PORT_Memmove(s,ct,n) bcopy ((ct), (s), (n))
-#endif/*SUNOS4*/
-#define PORT_Memset memset
-
-#define PORT_Strcasecmp PL_strcasecmp
-#define PORT_Strcat strcat
-#define PORT_Strchr strchr
-#define PORT_Strrchr PL_strrchr
-#define PORT_Strcmp strcmp
-#define PORT_Strcpy strcpy
-#ifdef XP_MAC
-char *PORT_Strdup(const char *);
-#else
-#define PORT_Strdup strdup
-#endif
-#define PORT_Strlen(s) strlen(s)
-#define PORT_Strncasecmp PL_strncasecmp
-#define PORT_Strncat strncat
-#define PORT_Strncmp strncmp
-#define PORT_Strncpy strncpy
-#define PORT_Strstr strstr
-#define PORT_Strtok strtok
-
-#define PORT_Tolower tolower
-
-#endif /* XP_STRING_FUNCS */
-
-typedef PRBool (* PORTCharConversionWSwapFunc) (PRBool toUnicode,
- unsigned char *inBuf, unsigned int inBufLen,
- unsigned char *outBuf, unsigned int maxOutBufLen,
- unsigned int *outBufLen, PRBool swapBytes);
-
-typedef PRBool (* PORTCharConversionFunc) (PRBool toUnicode,
- unsigned char *inBuf, unsigned int inBufLen,
- unsigned char *outBuf, unsigned int maxOutBufLen,
- unsigned int *outBufLen);
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
-void PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc);
-PRBool PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
- unsigned int inBufLen, unsigned char *outBuf,
- unsigned int maxOutBufLen, unsigned int *outBufLen);
-PRBool PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
- unsigned int inBufLen, unsigned char *outBuf,
- unsigned int maxOutBufLen, unsigned int *outBufLen,
- PRBool swapBytes);
-void PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
-PRBool PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
- unsigned int inBufLen, unsigned char *outBuf,
- unsigned int maxOutBufLen, unsigned int *outBufLen);
-
-PR_EXTERN(PRBool)
-sec_port_ucs4_utf8_conversion_function
-(
- PRBool toUnicode,
- unsigned char *inBuf,
- unsigned int inBufLen,
- unsigned char *outBuf,
- unsigned int maxOutBufLen,
- unsigned int *outBufLen
-);
-
-PR_EXTERN(PRBool)
-sec_port_ucs2_utf8_conversion_function
-(
- PRBool toUnicode,
- unsigned char *inBuf,
- unsigned int inBufLen,
- unsigned char *outBuf,
- unsigned int maxOutBufLen,
- unsigned int *outBufLen
-);
-
-extern int NSS_PutEnv(const char * envVarName, const char * envValue);
-
-SEC_END_PROTOS
-
-#endif /* _SECPORT_H_ */
diff --git a/security/nss/lib/util/secrng.h b/security/nss/lib/util/secrng.h
deleted file mode 100644
index c4c8686ef..000000000
--- a/security/nss/lib/util/secrng.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECRNG_H_
-#define _SECRNG_H_
-/*
- * secrng.h - public data structures and prototypes for the secure random
- * number generator
- *
- * $Id$
- */
-
-/******************************************/
-/*
-** Random number generation. A cryptographically strong random number
-** generator.
-*/
-
-#include "blapi.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** The following 3 functions are provided by the security library
-** but are differently implemented for the UNIX, Mac and Win
-** versions
-*/
-
-/*
-** Get the "noisiest" information available on the system.
-** The amount of data returned depends on the system implementation.
-** It will not exceed maxbytes, but may be (much) less.
-** Returns number of noise bytes copied into buf, or zero if error.
-*/
-extern size_t RNG_GetNoise(void *buf, size_t maxbytes);
-
-/*
-** RNG_SystemInfoForRNG should be called before any use of SSL. It
-** gathers up the system specific information to help seed the
-** state of the global random number generator.
-*/
-extern void RNG_SystemInfoForRNG(void);
-
-/*
-** Use the contents (and stat) of a file to help seed the
-** global random number generator.
-*/
-extern void RNG_FileForRNG(char *filename);
-
-SEC_END_PROTOS
-
-#endif /* _SECUTIL_H_ */
diff --git a/security/nss/lib/util/secrngt.h b/security/nss/lib/util/secrngt.h
deleted file mode 100644
index 6c1c977c0..000000000
--- a/security/nss/lib/util/secrngt.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef _SECRNGT_H_
-#define _SECRNGT_H_
-/*
- * secrngt.h - public data structures for the secure random number generator
- *
- * $Id$
- */
-
-/* This file is really dead now. */
-
-#endif /* _SECRNGT_H_ */
diff --git a/security/nss/lib/util/sectime.c b/security/nss/lib/util/sectime.c
deleted file mode 100644
index d3cca6f87..000000000
--- a/security/nss/lib/util/sectime.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "prlong.h"
-#include "prtime.h"
-#include "secder.h"
-#include "cert.h"
-#include "secitem.h"
-
-const SEC_ASN1Template CERT_ValidityTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTValidity) },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTValidity,notBefore) },
- { SEC_ASN1_UTC_TIME,
- offsetof(CERTValidity,notAfter) },
- { 0 }
-};
-
-DERTemplate CERTValidityTemplate[] = {
- { DER_SEQUENCE,
- 0, NULL, sizeof(CERTValidity) },
- { DER_UTC_TIME,
- offsetof(CERTValidity,notBefore), },
- { DER_UTC_TIME,
- offsetof(CERTValidity,notAfter), },
- { 0, }
-};
-
-static char *DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format);
-
-/* convert DER utc time to ascii time string */
-char *
-DER_UTCTimeToAscii(SECItem *utcTime)
-{
- return (DecodeUTCTime2FormattedAscii (utcTime, "%a %b %d %H:%M:%S %Y"));
-}
-
-/* convert DER utc time to ascii time string, only include day, not time */
-char *
-DER_UTCDayToAscii(SECItem *utctime)
-{
- return (DecodeUTCTime2FormattedAscii (utctime, "%a %b %d, %Y"));
-}
-
-CERTValidity *
-CERT_CreateValidity(int64 notBefore, int64 notAfter)
-{
- CERTValidity *v;
- int rv;
- PRArenaPool *arena;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- return(0);
- }
-
- v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity));
- if (v) {
- v->arena = arena;
- rv = DER_TimeToUTCTime(&v->notBefore, notBefore);
- if (rv) goto loser;
- rv = DER_TimeToUTCTime(&v->notAfter, notAfter);
- if (rv) goto loser;
- }
- return v;
-
- loser:
- CERT_DestroyValidity(v);
- return 0;
-}
-
-SECStatus
-CERT_CopyValidity(PRArenaPool *arena, CERTValidity *to, CERTValidity *from)
-{
- SECStatus rv;
-
- CERT_DestroyValidity(to);
- to->arena = arena;
-
- rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore);
- if (rv) return rv;
- rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter);
- return rv;
-}
-
-void
-CERT_DestroyValidity(CERTValidity *v)
-{
- if (v && v->arena) {
- PORT_FreeArena(v->arena, PR_FALSE);
- }
- return;
-}
-
-char *
-CERT_UTCTime2FormattedAscii (int64 utcTime, char *format)
-{
- PRExplodedTime printableTime;
- char *timeString;
-
- /* Converse time to local time and decompose it into components */
- PR_ExplodeTime(utcTime, PR_LocalTimeParameters, &printableTime);
-
- timeString = (char *)PORT_Alloc(100);
-
- if ( timeString ) {
- PR_FormatTime( timeString, 100, format, &printableTime );
- }
-
- return (timeString);
-}
-
-char *CERT_GenTime2FormattedAscii (int64 genTime, char *format)
-{
- PRExplodedTime printableTime;
- char *timeString;
-
- /* Decompose time into components */
- PR_ExplodeTime(genTime, PR_GMTParameters, &printableTime);
-
- timeString = (char *)PORT_Alloc(100);
-
- if ( timeString ) {
- PR_FormatTime( timeString, 100, format, &printableTime );
- }
-
- return (timeString);
-}
-
-
-/* convert DER utc time to ascii time string, The format of the time string
- depends on the input "format"
- */
-static char *
-DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format)
-{
- int64 utcTime;
- int rv;
-
- rv = DER_UTCTimeToTime(&utcTime, utcTimeDER);
- if (rv) {
- return(NULL);
- }
- return (CERT_UTCTime2FormattedAscii (utcTime, format));
-}
diff --git a/security/nss/lib/util/sysrand.c b/security/nss/lib/util/sysrand.c
deleted file mode 100644
index f79cb9d53..000000000
--- a/security/nss/lib/util/sysrand.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "seccomon.h"
-#ifdef XP_UNIX
-#include "unix_rand.c"
-#endif
-#ifdef XP_WIN
-#include "win_rand.c"
-#endif
-#ifdef XP_MAC
-#include "mac_rand.c"
-#endif
diff --git a/security/nss/lib/util/unix_rand.c b/security/nss/lib/util/unix_rand.c
deleted file mode 100644
index 6e9c34dbb..000000000
--- a/security/nss/lib/util/unix_rand.c
+++ /dev/null
@@ -1,792 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-#include <unistd.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/time.h>
-#include <sys/wait.h>
-#include <sys/stat.h>
-#include <assert.h>
-#include "secrng.h"
-
-
-/*
- * When copying data to the buffer we want the least signicant bytes
- * from the input since those bits are changing the fastest. The address
- * of least significant byte depends upon whether we are running on
- * a big-endian or little-endian machine.
- *
- * Does this mean the least signicant bytes are the most significant
- * to us? :-)
- */
-
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
-{
- union endianness {
- int32 i;
- char c[4];
- } u;
-
- if (srclen <= dstlen) {
- memcpy(dst, src, srclen);
- return srclen;
- }
- u.i = 0x01020304;
- if (u.c[0] == 0x01) {
- /* big-endian case */
- memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
- } else {
- /* little-endian case */
- memcpy(dst, src, dstlen);
- }
- return dstlen;
-}
-
-#if defined(SCO) || defined(UNIXWARE) || defined(BSDI)
-#include <sys/times.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- int ticks;
- struct tms buffer;
-
- ticks=times(&buffer);
- return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
-}
-
-static void
-GiveSystemInfo(void)
-{
- long si;
-
- /*
- * Is this really necessary? Why not use rand48 or something?
- */
- si = sysconf(_SC_CHILD_MAX);
- RNG_RandomUpdate(&si, sizeof(si));
-
- si = sysconf(_SC_STREAM_MAX);
- RNG_RandomUpdate(&si, sizeof(si));
-
- si = sysconf(_SC_OPEN_MAX);
- RNG_RandomUpdate(&si, sizeof(si));
-}
-#endif
-
-#if defined(__sun)
-#if defined(__svr4) || defined(SVR4)
-#include <sys/systeminfo.h>
-#include <sys/times.h>
-#include <wait.h>
-
-int gettimeofday(struct timeval *);
-int gethostname(char *, int);
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static void
-GiveSystemInfo(void)
-{
- int rv;
- char buf[2000];
-
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- hrtime_t t;
- t = gethrtime();
- if (t) {
- return CopyLowBits(buf, maxbytes, &t, sizeof(t));
- }
- return 0;
-}
-#else /* SunOS (Sun, but not SVR4) */
-
-#include <sys/wait.h>
-extern long sysconf(int name);
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
- long si;
-
- /* This is not very good */
- si = sysconf(_SC_CHILD_MAX);
- RNG_RandomUpdate(&si, sizeof(si));
-}
-#endif
-#endif /* Sun */
-
-#if defined(__hpux)
-#include <sys/unistd.h>
-#include <sys/wait.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- extern int ret_cr16();
- int cr16val;
-
- cr16val = ret_cr16();
- return CopyLowBits(buf, maxbytes, &cr16val, sizeof(cr16val));
-}
-
-static void
-GiveSystemInfo(void)
-{
- long si;
-
- /* This is not very good */
- si = sysconf(_AES_OS_VERSION);
- RNG_RandomUpdate(&si, sizeof(si));
- si = sysconf(_SC_CPU_VERSION);
- RNG_RandomUpdate(&si, sizeof(si));
-}
-#endif /* HPUX */
-
-#if defined(OSF1)
-#include <sys/types.h>
-#include <sys/sysinfo.h>
-#include <sys/wait.h>
-#include <sys/systeminfo.h>
-#include <c_asm.h>
-
-static void
-GiveSystemInfo(void)
-{
- char buf[BUFSIZ];
- int rv;
- int off = 0;
-
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-
-/*
- * Use the "get the cycle counter" instruction on the alpha.
- * The low 32 bits completely turn over in less than a minute.
- * The high 32 bits are some non-counter gunk that changes sometimes.
- */
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- unsigned long t;
-
- t = asm("rpcc %v0");
- return CopyLowBits(buf, maxbytes, &t, sizeof(t));
-}
-
-#endif /* Alpha */
-
-#if defined(_IBMR2)
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
- /* XXX haven't found any yet! */
-}
-#endif /* IBM R2 */
-
-#if defined(__linux)
-#include <linux/kernel.h>
-
-int putenv(const char *);
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
- /* XXX sysinfo() does not seem be implemented anywhwere */
-#if 0
- struct sysinfo si;
- char hn[2000];
- if (sysinfo(&si) == 0) {
- RNG_RandomUpdate(&si, sizeof(si));
- }
-#endif
-}
-#endif /* __linux */
-
-#if defined(NCR)
-
-#include <sys/utsname.h>
-#include <sys/systeminfo.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
- int rv;
- char buf[2000];
-
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-
-#endif /* NCR */
-
-
-#if defined(sgi)
-#include <fcntl.h>
-#undef PRIVATE
-#include <sys/mman.h>
-#include <sys/syssgi.h>
-#include <sys/immu.h>
-#include <sys/systeminfo.h>
-#include <sys/utsname.h>
-#include <wait.h>
-
-static void
-GiveSystemInfo(void)
-{
- int rv;
- char buf[4096];
-
- rv = syssgi(SGI_SYSID, &buf[0]);
- if (rv > 0) {
- RNG_RandomUpdate(buf, MAXSYSIDSIZE);
- }
-#ifdef SGI_RDUBLK
- rv = syssgi(SGI_RDUBLK, getpid(), &buf[0], sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, sizeof(buf));
- }
-#endif /* SGI_RDUBLK */
- rv = syssgi(SGI_INVENT, SGI_INV_READ, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, sizeof(buf));
- }
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-
-static size_t GetHighResClock(void *buf, size_t maxbuf)
-{
- unsigned phys_addr, raddr, cycleval;
- static volatile unsigned *iotimer_addr = NULL;
- static int tries = 0;
- static int cntr_size;
- int mfd;
- long s0[2];
- struct timeval tv;
-
-#ifndef SGI_CYCLECNTR_SIZE
-#define SGI_CYCLECNTR_SIZE 165 /* Size user needs to use to read CC */
-#endif
-
- if (iotimer_addr == NULL) {
- if (tries++ > 1) {
- /* Don't keep trying if it didn't work */
- return 0;
- }
-
- /*
- ** For SGI machines we can use the cycle counter, if it has one,
- ** to generate some truly random numbers
- */
- phys_addr = syssgi(SGI_QUERY_CYCLECNTR, &cycleval);
- if (phys_addr) {
- int pgsz = getpagesize();
- int pgoffmask = pgsz - 1;
-
- raddr = phys_addr & ~pgoffmask;
- mfd = open("/dev/mmem", O_RDONLY);
- if (mfd < 0) {
- return 0;
- }
- iotimer_addr = (unsigned *)
- mmap(0, pgoffmask, PROT_READ, MAP_PRIVATE, mfd, (int)raddr);
- if (iotimer_addr == (void*)-1) {
- close(mfd);
- iotimer_addr = NULL;
- return 0;
- }
- iotimer_addr = (unsigned*)
- ((__psint_t)iotimer_addr | (phys_addr & pgoffmask));
- /*
- * The file 'mfd' is purposefully not closed.
- */
- cntr_size = syssgi(SGI_CYCLECNTR_SIZE);
- if (cntr_size < 0) {
- struct utsname utsinfo;
-
- /*
- * We must be executing on a 6.0 or earlier system, since the
- * SGI_CYCLECNTR_SIZE call is not supported.
- *
- * The only pre-6.1 platforms with 64-bit counters are
- * IP19 and IP21 (Challenge, PowerChallenge, Onyx).
- */
- uname(&utsinfo);
- if (!strncmp(utsinfo.machine, "IP19", 4) ||
- !strncmp(utsinfo.machine, "IP21", 4))
- cntr_size = 64;
- else
- cntr_size = 32;
- }
- cntr_size /= 8; /* Convert from bits to bytes */
- }
- }
-
- s0[0] = *iotimer_addr;
- if (cntr_size > 4)
- s0[1] = *(iotimer_addr + 1);
- memcpy(buf, (char *)&s0[0], cntr_size);
- return CopyLowBits(buf, maxbuf, &s0, cntr_size);
-}
-#endif
-
-#if defined(sony)
-#include <sys/systeminfo.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
- int rv;
- char buf[2000];
-
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-#endif /* sony */
-
-#if defined(sinix)
-#include <unistd.h>
-#include <sys/systeminfo.h>
-#include <sys/times.h>
-
-int gettimeofday(struct timeval *, struct timezone *);
-int gethostname(char *, int);
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- int ticks;
- struct tms buffer;
-
- ticks=times(&buffer);
- return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
-}
-
-static void
-GiveSystemInfo(void)
-{
- int rv;
- char buf[2000];
-
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-#endif /* sinix */
-
-#if defined(nec_ews)
-#include <sys/systeminfo.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
- return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
- int rv;
- char buf[2000];
-
- rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
- rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
- if (rv > 0) {
- RNG_RandomUpdate(buf, rv);
- }
-}
-#endif /* nec_ews */
-
-size_t RNG_GetNoise(void *buf, size_t maxbytes)
-{
- struct timeval tv;
- int n = 0;
- int c;
-
- n = GetHighResClock(buf, maxbytes);
- maxbytes -= n;
-
-#if defined(__sun) && (defined(_svr4) || defined(SVR4)) || defined(sony)
- (void)gettimeofday(&tv);
-#else
- (void)gettimeofday(&tv, 0);
-#endif
- c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_usec, sizeof(tv.tv_usec));
- n += c;
- maxbytes -= c;
- c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_sec, sizeof(tv.tv_sec));
- n += c;
- return n;
-}
-
-#define SAFE_POPEN_MAXARGS 10 /* must be at least 2 */
-
-/*
- * safe_popen is static to this module and we know what arguments it is
- * called with. Note that this version only supports a single open child
- * process at any time.
- */
-static pid_t safe_popen_pid;
-static struct sigaction oldact;
-
-static FILE *
-safe_popen(char *cmd)
-{
- int p[2], fd, argc;
- pid_t pid;
- char *argv[SAFE_POPEN_MAXARGS + 1];
- FILE *fp;
- static char blank[] = " \t";
- static struct sigaction newact;
-
- if (pipe(p) < 0)
- return 0;
-
- /* Setup signals so that SIGCHLD is ignored as we want to do waitpid */
- newact.sa_handler = SIG_DFL;
- newact.sa_flags = 0;
- sigfillset(&newact.sa_mask);
- sigaction (SIGCHLD, &newact, &oldact);
-
- pid = fork();
- switch (pid) {
- case -1:
- close(p[0]);
- close(p[1]);
- sigaction (SIGCHLD, &oldact, NULL);
- return 0;
-
- case 0:
- /* dup write-side of pipe to stderr and stdout */
- if (p[1] != 1) dup2(p[1], 1);
- if (p[1] != 2) dup2(p[1], 2);
- close(0);
- for (fd = getdtablesize(); --fd > 2; close(fd))
- ;
-
- /* clean up environment in the child process */
- putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc");
- putenv("SHELL=/bin/sh");
- putenv("IFS= \t");
-
- /*
- * The caller may have passed us a string that is in text
- * space. It may be illegal to modify the string
- */
- cmd = strdup(cmd);
- /* format argv */
- argv[0] = strtok(cmd, blank);
- argc = 1;
- while ((argv[argc] = strtok(0, blank)) != 0) {
- if (++argc == SAFE_POPEN_MAXARGS) {
- argv[argc] = 0;
- break;
- }
- }
-
- /* and away we go */
- execvp(argv[0], argv);
- exit(127);
- break;
-
- default:
- close(p[1]);
- fp = fdopen(p[0], "r");
- if (fp == 0) {
- close(p[0]);
- sigaction (SIGCHLD, &oldact, NULL);
- return 0;
- }
- break;
- }
-
- /* non-zero means there's a cmd running */
- safe_popen_pid = pid;
- return fp;
-}
-
-static int
-safe_pclose(FILE *fp)
-{
- pid_t pid;
- int count, status;
-
- if ((pid = safe_popen_pid) == 0)
- return -1;
- safe_popen_pid = 0;
-
- /* if the child hasn't exited, kill it -- we're done with its output */
- count = 0;
- while (waitpid(pid, &status, WNOHANG) == 0) {
- if (kill(pid, SIGKILL) < 0 && errno == ESRCH)
- break;
- if (++count == 1000)
- break;
- }
-
- /* Reset SIGCHLD signal hander before returning */
- sigaction(SIGCHLD, &oldact, NULL);
-
- fclose(fp);
- return status;
-}
-
-void RNG_SystemInfoForRNG(void)
-{
- FILE *fp;
- char buf[BUFSIZ];
- size_t bytes;
- extern char **environ;
- char **cp;
- char *randfile;
- char *files[] = {
- "/etc/passwd",
- "/etc/utmp",
- "/tmp",
- "/var/tmp",
- "/usr/tmp",
- 0
- };
-
-#ifdef DO_PS
-For now it is considered that it is too expensive to run the ps command
-for the small amount of entropy it provides.
-#if defined(__sun) && (!defined(__svr4) && !defined(SVR4)) || defined(bsdi) || defined(__linux)
- static char ps_cmd[] = "ps aux";
-#else
- static char ps_cmd[] = "ps -el";
-#endif
-#endif /* DO_PS */
- static char netstat_ni_cmd[] = "netstat -ni";
-
- GiveSystemInfo();
-
- bytes = RNG_GetNoise(buf, sizeof(buf));
- RNG_RandomUpdate(buf, bytes);
-
-#ifdef DO_PS
- fp = safe_popen(ps_cmd);
- if (fp != NULL) {
- while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
- RNG_RandomUpdate(buf, bytes);
- safe_pclose(fp);
- }
-#endif
- fp = safe_popen(netstat_ni_cmd);
- if (fp != NULL) {
- while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
- RNG_RandomUpdate(buf, bytes);
- safe_pclose(fp);
- }
-
- /*
- * Pass the C environment and the addresses of the pointers to the
- * hash function. This makes the random number function depend on the
- * execution environment of the user and on the platform the program
- * is running on.
- */
- cp = environ;
- while (*cp) {
- RNG_RandomUpdate(*cp, strlen(*cp));
- cp++;
- }
- RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
-
- /* Give in system information */
- if (gethostname(buf, sizeof(buf)) > 0) {
- RNG_RandomUpdate(buf, strlen(buf));
- }
- GiveSystemInfo();
-
- /* If the user points us to a random file, pass it through the rng */
- randfile = getenv("NSRANDFILE");
- if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
- RNG_FileForRNG(randfile);
- }
-
- /* pass other files through */
- for (cp = files; *cp; cp++)
- RNG_FileForRNG(*cp);
-
-}
-
-void RNG_FileForRNG(char *fileName)
-{
- struct stat stat_buf;
- unsigned char buffer[BUFSIZ];
- size_t bytes;
- FILE *file;
- static size_t totalFileBytes = 0;
-
- if (stat((char *)fileName, &stat_buf) < 0)
- return;
- RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
-
- file = fopen((char *)fileName, "r");
- if (file != NULL) {
- for (;;) {
- bytes = fread(buffer, 1, sizeof(buffer), file);
- if (bytes == 0) break;
- RNG_RandomUpdate(buffer, bytes);
- totalFileBytes += bytes;
- if (totalFileBytes > 1024*1024) break;
- }
- fclose(file);
- }
- /*
- * Pass yet another snapshot of our highest resolution clock into
- * the hash function.
- */
- bytes = RNG_GetNoise(buffer, sizeof(buffer));
- RNG_RandomUpdate(buffer, bytes);
-}
diff --git a/security/nss/lib/util/utf8.c b/security/nss/lib/util/utf8.c
deleted file mode 100644
index 7a3c3954d..000000000
--- a/security/nss/lib/util/utf8.c
+++ /dev/null
@@ -1,2061 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
-#endif /* DEBUG */
-
-#include "seccomon.h"
-#include "secport.h"
-
-/*
- * Define this if you want to support UTF-16 in UCS-2
- */
-#define UTF16
-
-/*
- * From RFC 2044:
- *
- * UCS-4 range (hex.) UTF-8 octet sequence (binary)
- * 0000 0000-0000 007F 0xxxxxxx
- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
- * 0001 0000-001F FFFF 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
- * 0020 0000-03FF FFFF 111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
- * 0400 0000-7FFF FFFF 1111110x 10xxxxxx ... 10xxxxxx
- */
-
-/*
- * From http://www.imc.org/draft-hoffman-utf16
- *
- * For U on [0x00010000,0x0010FFFF]: Let U' = U - 0x00010000
- *
- * U' = yyyyyyyyyyxxxxxxxxxx
- * W1 = 110110yyyyyyyyyy
- * W2 = 110111xxxxxxxxxx
- */
-
-/*
- * This code is assuming NETWORK BYTE ORDER for the 16- and 32-bit
- * character values. If you wish to use this code for working with
- * host byte order values, define the following:
- *
- * #if IS_BIG_ENDIAN
- * #define L_0 0
- * #define L_1 1
- * #define L_2 2
- * #define L_3 3
- * #define H_0 0
- * #define H_1 1
- * #else / * not everyone has elif * /
- * #if IS_LITTLE_ENDIAN
- * #define L_0 3
- * #define L_1 2
- * #define L_2 1
- * #define L_3 0
- * #define H_0 1
- * #define H_1 0
- * #else
- * #error "PDP and NUXI support deferred"
- * #endif / * IS_LITTLE_ENDIAN * /
- * #endif / * IS_BIG_ENDIAN * /
- */
-
-#define L_0 0
-#define L_1 1
-#define L_2 2
-#define L_3 3
-#define H_0 0
-#define H_1 1
-
-PR_IMPLEMENT(PRBool)
-sec_port_ucs4_utf8_conversion_function
-(
- PRBool toUnicode,
- unsigned char *inBuf,
- unsigned int inBufLen,
- unsigned char *outBuf,
- unsigned int maxOutBufLen,
- unsigned int *outBufLen
-)
-{
-#ifndef TEST_UTF8
- PORT_Assert((unsigned int *)NULL != outBufLen);
-#endif /* TEST_UTF8 */
-
- if( toUnicode ) {
- unsigned int i, len = 0;
-
- for( i = 0; i < inBufLen; ) {
- if( (inBuf[i] & 0x80) == 0x00 ) i += 1;
- else if( (inBuf[i] & 0xE0) == 0xC0 ) i += 2;
- else if( (inBuf[i] & 0xF0) == 0xE0 ) i += 3;
- else if( (inBuf[i] & 0xF8) == 0xF0 ) i += 4;
- else if( (inBuf[i] & 0xFC) == 0xF8 ) i += 5;
- else if( (inBuf[i] & 0xFE) == 0xFC ) i += 6;
- else return PR_FALSE;
-
- len += 4;
- }
-
- if( len > maxOutBufLen ) {
- *outBufLen = len;
- return PR_FALSE;
- }
-
- len = 0;
-
- for( i = 0; i < inBufLen; ) {
- if( (inBuf[i] & 0x80) == 0x00 ) {
- /* 0000 0000-0000 007F <- 0xxxxxx */
- /* 0abcdefg ->
- 00000000 00000000 00000000 0abcdefg */
-
- outBuf[len+L_0] = 0x00;
- outBuf[len+L_1] = 0x00;
- outBuf[len+L_2] = 0x00;
- outBuf[len+L_3] = inBuf[i+0] & 0x7F;
-
- i += 1;
- } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0000 0080-0000 07FF <- 110xxxxx 10xxxxxx */
- /* 110abcde 10fghijk ->
- 00000000 00000000 00000abc defghijk */
-
- outBuf[len+L_0] = 0x00;
- outBuf[len+L_1] = 0x00;
- outBuf[len+L_2] = ((inBuf[i+0] & 0x1C) >> 2);
- outBuf[len+L_3] = ((inBuf[i+0] & 0x03) << 6) | ((inBuf[i+1] & 0x3F) >> 0);
-
- i += 2;
- } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0000 0800-0000 FFFF <- 1110xxxx 10xxxxxx 10xxxxxx */
- /* 1110abcd 10efghij 10klmnop ->
- 00000000 00000000 abcdefgh ijklmnop */
-
- outBuf[len+L_0] = 0x00;
- outBuf[len+L_1] = 0x00;
- outBuf[len+L_2] = ((inBuf[i+0] & 0x0F) << 4) | ((inBuf[i+1] & 0x3C) >> 2);
- outBuf[len+L_3] = ((inBuf[i+1] & 0x03) << 6) | ((inBuf[i+2] & 0x3F) >> 0);
-
- i += 3;
- } else if( (inBuf[i] & 0xF8) == 0xF0 ) {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0001 0000-001F FFFF <- 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
- /* 11110abc 10defghi 10jklmno 10pqrstu ->
- 00000000 000abcde fghijklm nopqrstu */
-
- outBuf[len+L_0] = 0x00;
- outBuf[len+L_1] = ((inBuf[i+0] & 0x07) << 2) | ((inBuf[i+1] & 0x30) >> 4);
- outBuf[len+L_2] = ((inBuf[i+1] & 0x0F) << 4) | ((inBuf[i+2] & 0x3C) >> 2);
- outBuf[len+L_3] = ((inBuf[i+2] & 0x03) << 6) | ((inBuf[i+3] & 0x3F) >> 0);
-
- i += 4;
- } else if( (inBuf[i] & 0xFC) == 0xF8 ) {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+4] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0020 0000-03FF FFFF <- 111110xx 10xxxxxx ... 10xxxxxx */
- /* 111110ab 10cdefgh 10ijklmn 10opqrst 10uvwxyz ->
- 000000ab cdefghij klmnopqr stuvwxyz */
-
- outBuf[len+L_0] = inBuf[i+0] & 0x03;
- outBuf[len+L_1] = ((inBuf[i+1] & 0x3F) << 2) | ((inBuf[i+2] & 0x30) >> 4);
- outBuf[len+L_2] = ((inBuf[i+2] & 0x0F) << 4) | ((inBuf[i+3] & 0x3C) >> 2);
- outBuf[len+L_3] = ((inBuf[i+3] & 0x03) << 6) | ((inBuf[i+4] & 0x3F) >> 0);
-
- i += 5;
- } else /* if( (inBuf[i] & 0xFE) == 0xFC ) */ {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+4] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+5] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0400 0000-7FFF FFFF <- 1111110x 10xxxxxx ... 10xxxxxx */
- /* 1111110a 10bcdefg 10hijklm 10nopqrs 10tuvwxy 10zABCDE ->
- 0abcdefg hijklmno pqrstuvw xyzABCDE */
-
- outBuf[len+L_0] = ((inBuf[i+0] & 0x01) << 6) | ((inBuf[i+1] & 0x3F) >> 0);
- outBuf[len+L_1] = ((inBuf[i+2] & 0x3F) << 2) | ((inBuf[i+3] & 0x30) >> 4);
- outBuf[len+L_2] = ((inBuf[i+3] & 0x0F) << 4) | ((inBuf[i+4] & 0x3C) >> 2);
- outBuf[len+L_3] = ((inBuf[i+4] & 0x03) << 6) | ((inBuf[i+5] & 0x3F) >> 0);
-
- i += 6;
- }
-
- len += 4;
- }
-
- *outBufLen = len;
- return PR_TRUE;
- } else {
- unsigned int i, len = 0;
-
- for( i = 0; i < inBufLen; i += 4 ) {
- if( inBuf[i+L_0] >= 0x04 ) len += 6;
- else if( (inBuf[i+L_0] > 0x00) || (inBuf[i+L_1] >= 0x20) ) len += 5;
- else if( inBuf[i+L_1] >= 0x01 ) len += 4;
- else if( inBuf[i+L_2] >= 0x08 ) len += 3;
- else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) len += 2;
- else len += 1;
- }
-
- if( len > maxOutBufLen ) {
- *outBufLen = len;
- return PR_FALSE;
- }
-
- len = 0;
-
- for( i = 0; i < inBufLen; i += 4 ) {
- if( inBuf[i+L_0] >= 0x04 ) {
- /* 0400 0000-7FFF FFFF -> 1111110x 10xxxxxx ... 10xxxxxx */
- /* 0abcdefg hijklmno pqrstuvw xyzABCDE ->
- 1111110a 10bcdefg 10hijklm 10nopqrs 10tuvwxy 10zABCDE */
-
- outBuf[len+0] = 0xFC | ((inBuf[i+L_0] & 0x40) >> 6);
- outBuf[len+1] = 0x80 | ((inBuf[i+L_0] & 0x3F) >> 0);
- outBuf[len+2] = 0x80 | ((inBuf[i+L_1] & 0xFC) >> 2);
- outBuf[len+3] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
- | ((inBuf[i+L_2] & 0xF0) >> 4);
- outBuf[len+4] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
- | ((inBuf[i+L_3] & 0xC0) >> 6);
- outBuf[len+5] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
- len += 6;
- } else if( (inBuf[i+L_0] > 0x00) || (inBuf[i+L_1] >= 0x20) ) {
- /* 0020 0000-03FF FFFF -> 111110xx 10xxxxxx ... 10xxxxxx */
- /* 000000ab cdefghij klmnopqr stuvwxyz ->
- 111110ab 10cdefgh 10ijklmn 10opqrst 10uvwxyz */
-
- outBuf[len+0] = 0xF8 | ((inBuf[i+L_0] & 0x03) >> 0);
- outBuf[len+1] = 0x80 | ((inBuf[i+L_1] & 0xFC) >> 2);
- outBuf[len+2] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
- | ((inBuf[i+L_2] & 0xF0) >> 4);
- outBuf[len+3] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
- | ((inBuf[i+L_3] & 0xC0) >> 6);
- outBuf[len+4] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
- len += 5;
- } else if( inBuf[i+L_1] >= 0x01 ) {
- /* 0001 0000-001F FFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
- /* 00000000 000abcde fghijklm nopqrstu ->
- 11110abc 10defghi 10jklmno 10pqrstu */
-
- outBuf[len+0] = 0xF0 | ((inBuf[i+L_1] & 0x1C) >> 2);
- outBuf[len+1] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
- | ((inBuf[i+L_2] & 0xF0) >> 4);
- outBuf[len+2] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
- | ((inBuf[i+L_3] & 0xC0) >> 6);
- outBuf[len+3] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
- len += 4;
- } else if( inBuf[i+L_2] >= 0x08 ) {
- /* 0000 0800-0000 FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
- /* 00000000 00000000 abcdefgh ijklmnop ->
- 1110abcd 10efghij 10klmnop */
-
- outBuf[len+0] = 0xE0 | ((inBuf[i+L_2] & 0xF0) >> 4);
- outBuf[len+1] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
- | ((inBuf[i+L_3] & 0xC0) >> 6);
- outBuf[len+2] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
- len += 3;
- } else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) {
- /* 0000 0080-0000 07FF -> 110xxxxx 10xxxxxx */
- /* 00000000 00000000 00000abc defghijk ->
- 110abcde 10fghijk */
-
- outBuf[len+0] = 0xC0 | ((inBuf[i+L_2] & 0x07) << 2)
- | ((inBuf[i+L_3] & 0xC0) >> 6);
- outBuf[len+1] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
- len += 2;
- } else {
- /* 0000 0000-0000 007F -> 0xxxxxx */
- /* 00000000 00000000 00000000 0abcdefg ->
- 0abcdefg */
-
- outBuf[len+0] = (inBuf[i+L_3] & 0x7F);
-
- len += 1;
- }
- }
-
- *outBufLen = len;
- return PR_TRUE;
- }
-}
-
-PR_IMPLEMENT(PRBool)
-sec_port_ucs2_utf8_conversion_function
-(
- PRBool toUnicode,
- unsigned char *inBuf,
- unsigned int inBufLen,
- unsigned char *outBuf,
- unsigned int maxOutBufLen,
- unsigned int *outBufLen
-)
-{
-#ifndef TEST_UTF8
- PORT_Assert((unsigned int *)NULL != outBufLen);
-#endif /* TEST_UTF8 */
-
- if( toUnicode ) {
- unsigned int i, len = 0;
-
- for( i = 0; i < inBufLen; ) {
- if( (inBuf[i] & 0x80) == 0x00 ) {
- i += 1;
- len += 2;
- } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
- i += 2;
- len += 2;
- } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
- i += 3;
- len += 2;
-#ifdef UTF16
- } else if( (inBuf[i] & 0xF8) == 0xF0 ) {
- i += 4;
- len += 4;
-
- if( (inBuf[i] & 0x04) &&
- ((inBuf[i] & 0x03) || (inBuf[i+1] & 0x30)) ) {
- /* Not representable as UTF16 */
- return PR_FALSE;
- }
-
-#endif /* UTF16 */
- } else return PR_FALSE;
- }
-
- if( len > maxOutBufLen ) {
- *outBufLen = len;
- return PR_FALSE;
- }
-
- len = 0;
-
- for( i = 0; i < inBufLen; ) {
- if( (inBuf[i] & 0x80) == 0x00 ) {
- /* 0000-007F <- 0xxxxxx */
- /* 0abcdefg -> 00000000 0abcdefg */
-
- outBuf[len+H_0] = 0x00;
- outBuf[len+H_1] = inBuf[i+0] & 0x7F;
-
- i += 1;
- len += 2;
- } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0080-07FF <- 110xxxxx 10xxxxxx */
- /* 110abcde 10fghijk -> 00000abc defghijk */
-
- outBuf[len+H_0] = ((inBuf[i+0] & 0x1C) >> 2);
- outBuf[len+H_1] = ((inBuf[i+0] & 0x03) << 6) | ((inBuf[i+1] & 0x3F) >> 0);
-
- i += 2;
- len += 2;
- } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0800-FFFF <- 1110xxxx 10xxxxxx 10xxxxxx */
- /* 1110abcd 10efghij 10klmnop -> abcdefgh ijklmnop */
-
- outBuf[len+H_0] = ((inBuf[i+0] & 0x0F) << 4) | ((inBuf[i+1] & 0x3C) >> 2);
- outBuf[len+H_1] = ((inBuf[i+1] & 0x03) << 6) | ((inBuf[i+2] & 0x3F) >> 0);
-
- i += 3;
- len += 2;
-#ifdef UTF16
- } else if( (inBuf[i] & 0xF8) == 0xF0 ) {
- int abcde, BCDE;
-
- if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
- if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
-
- /* 0001 0000-001F FFFF <- 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
- /* 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx -> [D800-DBFF] [DC00-DFFF] */
-
- /* 11110abc 10defghi 10jklmno 10pqrstu ->
- { Let 0BCDE = abcde - 1 }
- 110110BC DEfghijk 110111lm nopqrstu */
-
- abcde = ((inBuf[i+0] & 0x07) << 2) | ((inBuf[i+1] & 0x30) >> 4);
- BCDE = abcde - 1;
-
-#ifndef TEST_UTF8
- PORT_Assert(BCDE < 0x10); /* should have been caught above */
-#endif /* TEST_UTF8 */
-
- outBuf[len+0+H_0] = 0xD8 | ((BCDE & 0x0C) >> 2);
- outBuf[len+0+H_1] = ((BCDE & 0x03) << 6)
- | ((inBuf[i+1] & 0x0F) << 2)
- | ((inBuf[i+2] & 0x30) >> 4);
- outBuf[len+2+H_0] = 0xDC | ((inBuf[i+2] & 0x0C) >> 2);
- outBuf[len+2+H_1] = ((inBuf[i+2] & 0x03) << 6) | ((inBuf[i+3] & 0x3F) >> 0);
-
- i += 4;
- len += 4;
-#endif /* UTF16 */
- } else return PR_FALSE;
- }
-
- *outBufLen = len;
- return PR_TRUE;
- } else {
- unsigned int i, len = 0;
-
- for( i = 0; i < inBufLen; i += 2 ) {
- if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_0] & 0x80) == 0x00) ) len += 1;
- else if( inBuf[i+H_0] < 0x08 ) len += 2;
-#ifdef UTF16
- else if( ((inBuf[i+0+H_0] & 0xDC) == 0xD8) ) {
- if( ((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2) ) {
- i += 2;
- len += 4;
- } else {
- return PR_FALSE;
- }
- }
-#endif /* UTF16 */
- else len += 3;
- }
-
- if( len > maxOutBufLen ) {
- *outBufLen = len;
- return PR_FALSE;
- }
-
- len = 0;
-
- for( i = 0; i < inBufLen; i += 2 ) {
- if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_1] & 0x80) == 0x00) ) {
- /* 0000-007F -> 0xxxxxx */
- /* 00000000 0abcdefg -> 0abcdefg */
-
- outBuf[len] = inBuf[i+H_1] & 0x7F;
-
- len += 1;
- } else if( inBuf[i+H_0] < 0x08 ) {
- /* 0080-07FF -> 110xxxxx 10xxxxxx */
- /* 00000abc defghijk -> 110abcde 10fghijk */
-
- outBuf[len+0] = 0xC0 | ((inBuf[i+H_0] & 0x07) << 2)
- | ((inBuf[i+H_1] & 0xC0) >> 6);
- outBuf[len+1] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
-
- len += 2;
-#ifdef UTF16
- } else if( (inBuf[i+H_0] & 0xDC) == 0xD8 ) {
- int abcde, BCDE;
-
-#ifndef TEST_UTF8
- PORT_Assert(((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2));
-#endif /* TEST_UTF8 */
-
- /* D800-DBFF DC00-DFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
- /* 110110BC DEfghijk 110111lm nopqrstu ->
- { Let abcde = BCDE + 1 }
- 11110abc 10defghi 10jklmno 10pqrstu */
-
- BCDE = ((inBuf[i+H_0] & 0x03) << 2) | ((inBuf[i+H_1] & 0xC0) >> 6);
- abcde = BCDE + 1;
-
- outBuf[len+0] = 0xF0 | ((abcde & 0x1C) >> 2);
- outBuf[len+1] = 0x80 | ((abcde & 0x03) << 4)
- | ((inBuf[i+0+H_1] & 0x3C) >> 2);
- outBuf[len+2] = 0x80 | ((inBuf[i+0+H_1] & 0x03) << 4)
- | ((inBuf[i+2+H_0] & 0x03) << 2)
- | ((inBuf[i+2+H_1] & 0xC0) >> 6);
- outBuf[len+3] = 0x80 | ((inBuf[i+2+H_1] & 0x3F) >> 0);
-
- i += 2;
- len += 4;
-#endif /* UTF16 */
- } else {
- /* 0800-FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
- /* abcdefgh ijklmnop -> 1110abcd 10efghij 10klmnop */
-
- outBuf[len+0] = 0xE0 | ((inBuf[i+H_0] & 0xF0) >> 4);
- outBuf[len+1] = 0x80 | ((inBuf[i+H_0] & 0x0F) << 2)
- | ((inBuf[i+H_1] & 0xC0) >> 6);
- outBuf[len+2] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
-
- len += 3;
- }
- }
-
- *outBufLen = len;
- return PR_TRUE;
- }
-}
-
-#ifdef TEST_UTF8
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <netinet/in.h> /* for htonl and htons */
-
-/*
- * UCS-4 vectors
- */
-
-struct ucs4 {
- PRUint32 c;
- char *utf8;
-};
-
-/*
- * UCS-2 vectors
- */
-
-struct ucs2 {
- PRUint16 c;
- char *utf8;
-};
-
-#ifdef UTF16
-/*
- * UTF-16 vectors
- */
-
-struct utf16 {
- PRUint32 c;
- PRUint16 w[2];
-};
-#endif /* UTF16 */
-
-
-/*
- * UCS-4 vectors
- */
-
-struct ucs4 ucs4[] = {
- { 0x00000001, "\x01" },
- { 0x00000002, "\x02" },
- { 0x00000003, "\x03" },
- { 0x00000004, "\x04" },
- { 0x00000007, "\x07" },
- { 0x00000008, "\x08" },
- { 0x0000000F, "\x0F" },
- { 0x00000010, "\x10" },
- { 0x0000001F, "\x1F" },
- { 0x00000020, "\x20" },
- { 0x0000003F, "\x3F" },
- { 0x00000040, "\x40" },
- { 0x0000007F, "\x7F" },
-
- { 0x00000080, "\xC2\x80" },
- { 0x00000081, "\xC2\x81" },
- { 0x00000082, "\xC2\x82" },
- { 0x00000084, "\xC2\x84" },
- { 0x00000088, "\xC2\x88" },
- { 0x00000090, "\xC2\x90" },
- { 0x000000A0, "\xC2\xA0" },
- { 0x000000C0, "\xC3\x80" },
- { 0x000000FF, "\xC3\xBF" },
- { 0x00000100, "\xC4\x80" },
- { 0x00000101, "\xC4\x81" },
- { 0x00000102, "\xC4\x82" },
- { 0x00000104, "\xC4\x84" },
- { 0x00000108, "\xC4\x88" },
- { 0x00000110, "\xC4\x90" },
- { 0x00000120, "\xC4\xA0" },
- { 0x00000140, "\xC5\x80" },
- { 0x00000180, "\xC6\x80" },
- { 0x000001FF, "\xC7\xBF" },
- { 0x00000200, "\xC8\x80" },
- { 0x00000201, "\xC8\x81" },
- { 0x00000202, "\xC8\x82" },
- { 0x00000204, "\xC8\x84" },
- { 0x00000208, "\xC8\x88" },
- { 0x00000210, "\xC8\x90" },
- { 0x00000220, "\xC8\xA0" },
- { 0x00000240, "\xC9\x80" },
- { 0x00000280, "\xCA\x80" },
- { 0x00000300, "\xCC\x80" },
- { 0x000003FF, "\xCF\xBF" },
- { 0x00000400, "\xD0\x80" },
- { 0x00000401, "\xD0\x81" },
- { 0x00000402, "\xD0\x82" },
- { 0x00000404, "\xD0\x84" },
- { 0x00000408, "\xD0\x88" },
- { 0x00000410, "\xD0\x90" },
- { 0x00000420, "\xD0\xA0" },
- { 0x00000440, "\xD1\x80" },
- { 0x00000480, "\xD2\x80" },
- { 0x00000500, "\xD4\x80" },
- { 0x00000600, "\xD8\x80" },
- { 0x000007FF, "\xDF\xBF" },
-
- { 0x00000800, "\xE0\xA0\x80" },
- { 0x00000801, "\xE0\xA0\x81" },
- { 0x00000802, "\xE0\xA0\x82" },
- { 0x00000804, "\xE0\xA0\x84" },
- { 0x00000808, "\xE0\xA0\x88" },
- { 0x00000810, "\xE0\xA0\x90" },
- { 0x00000820, "\xE0\xA0\xA0" },
- { 0x00000840, "\xE0\xA1\x80" },
- { 0x00000880, "\xE0\xA2\x80" },
- { 0x00000900, "\xE0\xA4\x80" },
- { 0x00000A00, "\xE0\xA8\x80" },
- { 0x00000C00, "\xE0\xB0\x80" },
- { 0x00000FFF, "\xE0\xBF\xBF" },
- { 0x00001000, "\xE1\x80\x80" },
- { 0x00001001, "\xE1\x80\x81" },
- { 0x00001002, "\xE1\x80\x82" },
- { 0x00001004, "\xE1\x80\x84" },
- { 0x00001008, "\xE1\x80\x88" },
- { 0x00001010, "\xE1\x80\x90" },
- { 0x00001020, "\xE1\x80\xA0" },
- { 0x00001040, "\xE1\x81\x80" },
- { 0x00001080, "\xE1\x82\x80" },
- { 0x00001100, "\xE1\x84\x80" },
- { 0x00001200, "\xE1\x88\x80" },
- { 0x00001400, "\xE1\x90\x80" },
- { 0x00001800, "\xE1\xA0\x80" },
- { 0x00001FFF, "\xE1\xBF\xBF" },
- { 0x00002000, "\xE2\x80\x80" },
- { 0x00002001, "\xE2\x80\x81" },
- { 0x00002002, "\xE2\x80\x82" },
- { 0x00002004, "\xE2\x80\x84" },
- { 0x00002008, "\xE2\x80\x88" },
- { 0x00002010, "\xE2\x80\x90" },
- { 0x00002020, "\xE2\x80\xA0" },
- { 0x00002040, "\xE2\x81\x80" },
- { 0x00002080, "\xE2\x82\x80" },
- { 0x00002100, "\xE2\x84\x80" },
- { 0x00002200, "\xE2\x88\x80" },
- { 0x00002400, "\xE2\x90\x80" },
- { 0x00002800, "\xE2\xA0\x80" },
- { 0x00003000, "\xE3\x80\x80" },
- { 0x00003FFF, "\xE3\xBF\xBF" },
- { 0x00004000, "\xE4\x80\x80" },
- { 0x00004001, "\xE4\x80\x81" },
- { 0x00004002, "\xE4\x80\x82" },
- { 0x00004004, "\xE4\x80\x84" },
- { 0x00004008, "\xE4\x80\x88" },
- { 0x00004010, "\xE4\x80\x90" },
- { 0x00004020, "\xE4\x80\xA0" },
- { 0x00004040, "\xE4\x81\x80" },
- { 0x00004080, "\xE4\x82\x80" },
- { 0x00004100, "\xE4\x84\x80" },
- { 0x00004200, "\xE4\x88\x80" },
- { 0x00004400, "\xE4\x90\x80" },
- { 0x00004800, "\xE4\xA0\x80" },
- { 0x00005000, "\xE5\x80\x80" },
- { 0x00006000, "\xE6\x80\x80" },
- { 0x00007FFF, "\xE7\xBF\xBF" },
- { 0x00008000, "\xE8\x80\x80" },
- { 0x00008001, "\xE8\x80\x81" },
- { 0x00008002, "\xE8\x80\x82" },
- { 0x00008004, "\xE8\x80\x84" },
- { 0x00008008, "\xE8\x80\x88" },
- { 0x00008010, "\xE8\x80\x90" },
- { 0x00008020, "\xE8\x80\xA0" },
- { 0x00008040, "\xE8\x81\x80" },
- { 0x00008080, "\xE8\x82\x80" },
- { 0x00008100, "\xE8\x84\x80" },
- { 0x00008200, "\xE8\x88\x80" },
- { 0x00008400, "\xE8\x90\x80" },
- { 0x00008800, "\xE8\xA0\x80" },
- { 0x00009000, "\xE9\x80\x80" },
- { 0x0000A000, "\xEA\x80\x80" },
- { 0x0000C000, "\xEC\x80\x80" },
- { 0x0000FFFF, "\xEF\xBF\xBF" },
-
- { 0x00010000, "\xF0\x90\x80\x80" },
- { 0x00010001, "\xF0\x90\x80\x81" },
- { 0x00010002, "\xF0\x90\x80\x82" },
- { 0x00010004, "\xF0\x90\x80\x84" },
- { 0x00010008, "\xF0\x90\x80\x88" },
- { 0x00010010, "\xF0\x90\x80\x90" },
- { 0x00010020, "\xF0\x90\x80\xA0" },
- { 0x00010040, "\xF0\x90\x81\x80" },
- { 0x00010080, "\xF0\x90\x82\x80" },
- { 0x00010100, "\xF0\x90\x84\x80" },
- { 0x00010200, "\xF0\x90\x88\x80" },
- { 0x00010400, "\xF0\x90\x90\x80" },
- { 0x00010800, "\xF0\x90\xA0\x80" },
- { 0x00011000, "\xF0\x91\x80\x80" },
- { 0x00012000, "\xF0\x92\x80\x80" },
- { 0x00014000, "\xF0\x94\x80\x80" },
- { 0x00018000, "\xF0\x98\x80\x80" },
- { 0x0001FFFF, "\xF0\x9F\xBF\xBF" },
- { 0x00020000, "\xF0\xA0\x80\x80" },
- { 0x00020001, "\xF0\xA0\x80\x81" },
- { 0x00020002, "\xF0\xA0\x80\x82" },
- { 0x00020004, "\xF0\xA0\x80\x84" },
- { 0x00020008, "\xF0\xA0\x80\x88" },
- { 0x00020010, "\xF0\xA0\x80\x90" },
- { 0x00020020, "\xF0\xA0\x80\xA0" },
- { 0x00020040, "\xF0\xA0\x81\x80" },
- { 0x00020080, "\xF0\xA0\x82\x80" },
- { 0x00020100, "\xF0\xA0\x84\x80" },
- { 0x00020200, "\xF0\xA0\x88\x80" },
- { 0x00020400, "\xF0\xA0\x90\x80" },
- { 0x00020800, "\xF0\xA0\xA0\x80" },
- { 0x00021000, "\xF0\xA1\x80\x80" },
- { 0x00022000, "\xF0\xA2\x80\x80" },
- { 0x00024000, "\xF0\xA4\x80\x80" },
- { 0x00028000, "\xF0\xA8\x80\x80" },
- { 0x00030000, "\xF0\xB0\x80\x80" },
- { 0x0003FFFF, "\xF0\xBF\xBF\xBF" },
- { 0x00040000, "\xF1\x80\x80\x80" },
- { 0x00040001, "\xF1\x80\x80\x81" },
- { 0x00040002, "\xF1\x80\x80\x82" },
- { 0x00040004, "\xF1\x80\x80\x84" },
- { 0x00040008, "\xF1\x80\x80\x88" },
- { 0x00040010, "\xF1\x80\x80\x90" },
- { 0x00040020, "\xF1\x80\x80\xA0" },
- { 0x00040040, "\xF1\x80\x81\x80" },
- { 0x00040080, "\xF1\x80\x82\x80" },
- { 0x00040100, "\xF1\x80\x84\x80" },
- { 0x00040200, "\xF1\x80\x88\x80" },
- { 0x00040400, "\xF1\x80\x90\x80" },
- { 0x00040800, "\xF1\x80\xA0\x80" },
- { 0x00041000, "\xF1\x81\x80\x80" },
- { 0x00042000, "\xF1\x82\x80\x80" },
- { 0x00044000, "\xF1\x84\x80\x80" },
- { 0x00048000, "\xF1\x88\x80\x80" },
- { 0x00050000, "\xF1\x90\x80\x80" },
- { 0x00060000, "\xF1\xA0\x80\x80" },
- { 0x0007FFFF, "\xF1\xBF\xBF\xBF" },
- { 0x00080000, "\xF2\x80\x80\x80" },
- { 0x00080001, "\xF2\x80\x80\x81" },
- { 0x00080002, "\xF2\x80\x80\x82" },
- { 0x00080004, "\xF2\x80\x80\x84" },
- { 0x00080008, "\xF2\x80\x80\x88" },
- { 0x00080010, "\xF2\x80\x80\x90" },
- { 0x00080020, "\xF2\x80\x80\xA0" },
- { 0x00080040, "\xF2\x80\x81\x80" },
- { 0x00080080, "\xF2\x80\x82\x80" },
- { 0x00080100, "\xF2\x80\x84\x80" },
- { 0x00080200, "\xF2\x80\x88\x80" },
- { 0x00080400, "\xF2\x80\x90\x80" },
- { 0x00080800, "\xF2\x80\xA0\x80" },
- { 0x00081000, "\xF2\x81\x80\x80" },
- { 0x00082000, "\xF2\x82\x80\x80" },
- { 0x00084000, "\xF2\x84\x80\x80" },
- { 0x00088000, "\xF2\x88\x80\x80" },
- { 0x00090000, "\xF2\x90\x80\x80" },
- { 0x000A0000, "\xF2\xA0\x80\x80" },
- { 0x000C0000, "\xF3\x80\x80\x80" },
- { 0x000FFFFF, "\xF3\xBF\xBF\xBF" },
- { 0x00100000, "\xF4\x80\x80\x80" },
- { 0x00100001, "\xF4\x80\x80\x81" },
- { 0x00100002, "\xF4\x80\x80\x82" },
- { 0x00100004, "\xF4\x80\x80\x84" },
- { 0x00100008, "\xF4\x80\x80\x88" },
- { 0x00100010, "\xF4\x80\x80\x90" },
- { 0x00100020, "\xF4\x80\x80\xA0" },
- { 0x00100040, "\xF4\x80\x81\x80" },
- { 0x00100080, "\xF4\x80\x82\x80" },
- { 0x00100100, "\xF4\x80\x84\x80" },
- { 0x00100200, "\xF4\x80\x88\x80" },
- { 0x00100400, "\xF4\x80\x90\x80" },
- { 0x00100800, "\xF4\x80\xA0\x80" },
- { 0x00101000, "\xF4\x81\x80\x80" },
- { 0x00102000, "\xF4\x82\x80\x80" },
- { 0x00104000, "\xF4\x84\x80\x80" },
- { 0x00108000, "\xF4\x88\x80\x80" },
- { 0x00110000, "\xF4\x90\x80\x80" },
- { 0x00120000, "\xF4\xA0\x80\x80" },
- { 0x00140000, "\xF5\x80\x80\x80" },
- { 0x00180000, "\xF6\x80\x80\x80" },
- { 0x001FFFFF, "\xF7\xBF\xBF\xBF" },
-
- { 0x00200000, "\xF8\x88\x80\x80\x80" },
- { 0x00200001, "\xF8\x88\x80\x80\x81" },
- { 0x00200002, "\xF8\x88\x80\x80\x82" },
- { 0x00200004, "\xF8\x88\x80\x80\x84" },
- { 0x00200008, "\xF8\x88\x80\x80\x88" },
- { 0x00200010, "\xF8\x88\x80\x80\x90" },
- { 0x00200020, "\xF8\x88\x80\x80\xA0" },
- { 0x00200040, "\xF8\x88\x80\x81\x80" },
- { 0x00200080, "\xF8\x88\x80\x82\x80" },
- { 0x00200100, "\xF8\x88\x80\x84\x80" },
- { 0x00200200, "\xF8\x88\x80\x88\x80" },
- { 0x00200400, "\xF8\x88\x80\x90\x80" },
- { 0x00200800, "\xF8\x88\x80\xA0\x80" },
- { 0x00201000, "\xF8\x88\x81\x80\x80" },
- { 0x00202000, "\xF8\x88\x82\x80\x80" },
- { 0x00204000, "\xF8\x88\x84\x80\x80" },
- { 0x00208000, "\xF8\x88\x88\x80\x80" },
- { 0x00210000, "\xF8\x88\x90\x80\x80" },
- { 0x00220000, "\xF8\x88\xA0\x80\x80" },
- { 0x00240000, "\xF8\x89\x80\x80\x80" },
- { 0x00280000, "\xF8\x8A\x80\x80\x80" },
- { 0x00300000, "\xF8\x8C\x80\x80\x80" },
- { 0x003FFFFF, "\xF8\x8F\xBF\xBF\xBF" },
- { 0x00400000, "\xF8\x90\x80\x80\x80" },
- { 0x00400001, "\xF8\x90\x80\x80\x81" },
- { 0x00400002, "\xF8\x90\x80\x80\x82" },
- { 0x00400004, "\xF8\x90\x80\x80\x84" },
- { 0x00400008, "\xF8\x90\x80\x80\x88" },
- { 0x00400010, "\xF8\x90\x80\x80\x90" },
- { 0x00400020, "\xF8\x90\x80\x80\xA0" },
- { 0x00400040, "\xF8\x90\x80\x81\x80" },
- { 0x00400080, "\xF8\x90\x80\x82\x80" },
- { 0x00400100, "\xF8\x90\x80\x84\x80" },
- { 0x00400200, "\xF8\x90\x80\x88\x80" },
- { 0x00400400, "\xF8\x90\x80\x90\x80" },
- { 0x00400800, "\xF8\x90\x80\xA0\x80" },
- { 0x00401000, "\xF8\x90\x81\x80\x80" },
- { 0x00402000, "\xF8\x90\x82\x80\x80" },
- { 0x00404000, "\xF8\x90\x84\x80\x80" },
- { 0x00408000, "\xF8\x90\x88\x80\x80" },
- { 0x00410000, "\xF8\x90\x90\x80\x80" },
- { 0x00420000, "\xF8\x90\xA0\x80\x80" },
- { 0x00440000, "\xF8\x91\x80\x80\x80" },
- { 0x00480000, "\xF8\x92\x80\x80\x80" },
- { 0x00500000, "\xF8\x94\x80\x80\x80" },
- { 0x00600000, "\xF8\x98\x80\x80\x80" },
- { 0x007FFFFF, "\xF8\x9F\xBF\xBF\xBF" },
- { 0x00800000, "\xF8\xA0\x80\x80\x80" },
- { 0x00800001, "\xF8\xA0\x80\x80\x81" },
- { 0x00800002, "\xF8\xA0\x80\x80\x82" },
- { 0x00800004, "\xF8\xA0\x80\x80\x84" },
- { 0x00800008, "\xF8\xA0\x80\x80\x88" },
- { 0x00800010, "\xF8\xA0\x80\x80\x90" },
- { 0x00800020, "\xF8\xA0\x80\x80\xA0" },
- { 0x00800040, "\xF8\xA0\x80\x81\x80" },
- { 0x00800080, "\xF8\xA0\x80\x82\x80" },
- { 0x00800100, "\xF8\xA0\x80\x84\x80" },
- { 0x00800200, "\xF8\xA0\x80\x88\x80" },
- { 0x00800400, "\xF8\xA0\x80\x90\x80" },
- { 0x00800800, "\xF8\xA0\x80\xA0\x80" },
- { 0x00801000, "\xF8\xA0\x81\x80\x80" },
- { 0x00802000, "\xF8\xA0\x82\x80\x80" },
- { 0x00804000, "\xF8\xA0\x84\x80\x80" },
- { 0x00808000, "\xF8\xA0\x88\x80\x80" },
- { 0x00810000, "\xF8\xA0\x90\x80\x80" },
- { 0x00820000, "\xF8\xA0\xA0\x80\x80" },
- { 0x00840000, "\xF8\xA1\x80\x80\x80" },
- { 0x00880000, "\xF8\xA2\x80\x80\x80" },
- { 0x00900000, "\xF8\xA4\x80\x80\x80" },
- { 0x00A00000, "\xF8\xA8\x80\x80\x80" },
- { 0x00C00000, "\xF8\xB0\x80\x80\x80" },
- { 0x00FFFFFF, "\xF8\xBF\xBF\xBF\xBF" },
- { 0x01000000, "\xF9\x80\x80\x80\x80" },
- { 0x01000001, "\xF9\x80\x80\x80\x81" },
- { 0x01000002, "\xF9\x80\x80\x80\x82" },
- { 0x01000004, "\xF9\x80\x80\x80\x84" },
- { 0x01000008, "\xF9\x80\x80\x80\x88" },
- { 0x01000010, "\xF9\x80\x80\x80\x90" },
- { 0x01000020, "\xF9\x80\x80\x80\xA0" },
- { 0x01000040, "\xF9\x80\x80\x81\x80" },
- { 0x01000080, "\xF9\x80\x80\x82\x80" },
- { 0x01000100, "\xF9\x80\x80\x84\x80" },
- { 0x01000200, "\xF9\x80\x80\x88\x80" },
- { 0x01000400, "\xF9\x80\x80\x90\x80" },
- { 0x01000800, "\xF9\x80\x80\xA0\x80" },
- { 0x01001000, "\xF9\x80\x81\x80\x80" },
- { 0x01002000, "\xF9\x80\x82\x80\x80" },
- { 0x01004000, "\xF9\x80\x84\x80\x80" },
- { 0x01008000, "\xF9\x80\x88\x80\x80" },
- { 0x01010000, "\xF9\x80\x90\x80\x80" },
- { 0x01020000, "\xF9\x80\xA0\x80\x80" },
- { 0x01040000, "\xF9\x81\x80\x80\x80" },
- { 0x01080000, "\xF9\x82\x80\x80\x80" },
- { 0x01100000, "\xF9\x84\x80\x80\x80" },
- { 0x01200000, "\xF9\x88\x80\x80\x80" },
- { 0x01400000, "\xF9\x90\x80\x80\x80" },
- { 0x01800000, "\xF9\xA0\x80\x80\x80" },
- { 0x01FFFFFF, "\xF9\xBF\xBF\xBF\xBF" },
- { 0x02000000, "\xFA\x80\x80\x80\x80" },
- { 0x02000001, "\xFA\x80\x80\x80\x81" },
- { 0x02000002, "\xFA\x80\x80\x80\x82" },
- { 0x02000004, "\xFA\x80\x80\x80\x84" },
- { 0x02000008, "\xFA\x80\x80\x80\x88" },
- { 0x02000010, "\xFA\x80\x80\x80\x90" },
- { 0x02000020, "\xFA\x80\x80\x80\xA0" },
- { 0x02000040, "\xFA\x80\x80\x81\x80" },
- { 0x02000080, "\xFA\x80\x80\x82\x80" },
- { 0x02000100, "\xFA\x80\x80\x84\x80" },
- { 0x02000200, "\xFA\x80\x80\x88\x80" },
- { 0x02000400, "\xFA\x80\x80\x90\x80" },
- { 0x02000800, "\xFA\x80\x80\xA0\x80" },
- { 0x02001000, "\xFA\x80\x81\x80\x80" },
- { 0x02002000, "\xFA\x80\x82\x80\x80" },
- { 0x02004000, "\xFA\x80\x84\x80\x80" },
- { 0x02008000, "\xFA\x80\x88\x80\x80" },
- { 0x02010000, "\xFA\x80\x90\x80\x80" },
- { 0x02020000, "\xFA\x80\xA0\x80\x80" },
- { 0x02040000, "\xFA\x81\x80\x80\x80" },
- { 0x02080000, "\xFA\x82\x80\x80\x80" },
- { 0x02100000, "\xFA\x84\x80\x80\x80" },
- { 0x02200000, "\xFA\x88\x80\x80\x80" },
- { 0x02400000, "\xFA\x90\x80\x80\x80" },
- { 0x02800000, "\xFA\xA0\x80\x80\x80" },
- { 0x03000000, "\xFB\x80\x80\x80\x80" },
- { 0x03FFFFFF, "\xFB\xBF\xBF\xBF\xBF" },
-
- { 0x04000000, "\xFC\x84\x80\x80\x80\x80" },
- { 0x04000001, "\xFC\x84\x80\x80\x80\x81" },
- { 0x04000002, "\xFC\x84\x80\x80\x80\x82" },
- { 0x04000004, "\xFC\x84\x80\x80\x80\x84" },
- { 0x04000008, "\xFC\x84\x80\x80\x80\x88" },
- { 0x04000010, "\xFC\x84\x80\x80\x80\x90" },
- { 0x04000020, "\xFC\x84\x80\x80\x80\xA0" },
- { 0x04000040, "\xFC\x84\x80\x80\x81\x80" },
- { 0x04000080, "\xFC\x84\x80\x80\x82\x80" },
- { 0x04000100, "\xFC\x84\x80\x80\x84\x80" },
- { 0x04000200, "\xFC\x84\x80\x80\x88\x80" },
- { 0x04000400, "\xFC\x84\x80\x80\x90\x80" },
- { 0x04000800, "\xFC\x84\x80\x80\xA0\x80" },
- { 0x04001000, "\xFC\x84\x80\x81\x80\x80" },
- { 0x04002000, "\xFC\x84\x80\x82\x80\x80" },
- { 0x04004000, "\xFC\x84\x80\x84\x80\x80" },
- { 0x04008000, "\xFC\x84\x80\x88\x80\x80" },
- { 0x04010000, "\xFC\x84\x80\x90\x80\x80" },
- { 0x04020000, "\xFC\x84\x80\xA0\x80\x80" },
- { 0x04040000, "\xFC\x84\x81\x80\x80\x80" },
- { 0x04080000, "\xFC\x84\x82\x80\x80\x80" },
- { 0x04100000, "\xFC\x84\x84\x80\x80\x80" },
- { 0x04200000, "\xFC\x84\x88\x80\x80\x80" },
- { 0x04400000, "\xFC\x84\x90\x80\x80\x80" },
- { 0x04800000, "\xFC\x84\xA0\x80\x80\x80" },
- { 0x05000000, "\xFC\x85\x80\x80\x80\x80" },
- { 0x06000000, "\xFC\x86\x80\x80\x80\x80" },
- { 0x07FFFFFF, "\xFC\x87\xBF\xBF\xBF\xBF" },
- { 0x08000000, "\xFC\x88\x80\x80\x80\x80" },
- { 0x08000001, "\xFC\x88\x80\x80\x80\x81" },
- { 0x08000002, "\xFC\x88\x80\x80\x80\x82" },
- { 0x08000004, "\xFC\x88\x80\x80\x80\x84" },
- { 0x08000008, "\xFC\x88\x80\x80\x80\x88" },
- { 0x08000010, "\xFC\x88\x80\x80\x80\x90" },
- { 0x08000020, "\xFC\x88\x80\x80\x80\xA0" },
- { 0x08000040, "\xFC\x88\x80\x80\x81\x80" },
- { 0x08000080, "\xFC\x88\x80\x80\x82\x80" },
- { 0x08000100, "\xFC\x88\x80\x80\x84\x80" },
- { 0x08000200, "\xFC\x88\x80\x80\x88\x80" },
- { 0x08000400, "\xFC\x88\x80\x80\x90\x80" },
- { 0x08000800, "\xFC\x88\x80\x80\xA0\x80" },
- { 0x08001000, "\xFC\x88\x80\x81\x80\x80" },
- { 0x08002000, "\xFC\x88\x80\x82\x80\x80" },
- { 0x08004000, "\xFC\x88\x80\x84\x80\x80" },
- { 0x08008000, "\xFC\x88\x80\x88\x80\x80" },
- { 0x08010000, "\xFC\x88\x80\x90\x80\x80" },
- { 0x08020000, "\xFC\x88\x80\xA0\x80\x80" },
- { 0x08040000, "\xFC\x88\x81\x80\x80\x80" },
- { 0x08080000, "\xFC\x88\x82\x80\x80\x80" },
- { 0x08100000, "\xFC\x88\x84\x80\x80\x80" },
- { 0x08200000, "\xFC\x88\x88\x80\x80\x80" },
- { 0x08400000, "\xFC\x88\x90\x80\x80\x80" },
- { 0x08800000, "\xFC\x88\xA0\x80\x80\x80" },
- { 0x09000000, "\xFC\x89\x80\x80\x80\x80" },
- { 0x0A000000, "\xFC\x8A\x80\x80\x80\x80" },
- { 0x0C000000, "\xFC\x8C\x80\x80\x80\x80" },
- { 0x0FFFFFFF, "\xFC\x8F\xBF\xBF\xBF\xBF" },
- { 0x10000000, "\xFC\x90\x80\x80\x80\x80" },
- { 0x10000001, "\xFC\x90\x80\x80\x80\x81" },
- { 0x10000002, "\xFC\x90\x80\x80\x80\x82" },
- { 0x10000004, "\xFC\x90\x80\x80\x80\x84" },
- { 0x10000008, "\xFC\x90\x80\x80\x80\x88" },
- { 0x10000010, "\xFC\x90\x80\x80\x80\x90" },
- { 0x10000020, "\xFC\x90\x80\x80\x80\xA0" },
- { 0x10000040, "\xFC\x90\x80\x80\x81\x80" },
- { 0x10000080, "\xFC\x90\x80\x80\x82\x80" },
- { 0x10000100, "\xFC\x90\x80\x80\x84\x80" },
- { 0x10000200, "\xFC\x90\x80\x80\x88\x80" },
- { 0x10000400, "\xFC\x90\x80\x80\x90\x80" },
- { 0x10000800, "\xFC\x90\x80\x80\xA0\x80" },
- { 0x10001000, "\xFC\x90\x80\x81\x80\x80" },
- { 0x10002000, "\xFC\x90\x80\x82\x80\x80" },
- { 0x10004000, "\xFC\x90\x80\x84\x80\x80" },
- { 0x10008000, "\xFC\x90\x80\x88\x80\x80" },
- { 0x10010000, "\xFC\x90\x80\x90\x80\x80" },
- { 0x10020000, "\xFC\x90\x80\xA0\x80\x80" },
- { 0x10040000, "\xFC\x90\x81\x80\x80\x80" },
- { 0x10080000, "\xFC\x90\x82\x80\x80\x80" },
- { 0x10100000, "\xFC\x90\x84\x80\x80\x80" },
- { 0x10200000, "\xFC\x90\x88\x80\x80\x80" },
- { 0x10400000, "\xFC\x90\x90\x80\x80\x80" },
- { 0x10800000, "\xFC\x90\xA0\x80\x80\x80" },
- { 0x11000000, "\xFC\x91\x80\x80\x80\x80" },
- { 0x12000000, "\xFC\x92\x80\x80\x80\x80" },
- { 0x14000000, "\xFC\x94\x80\x80\x80\x80" },
- { 0x18000000, "\xFC\x98\x80\x80\x80\x80" },
- { 0x1FFFFFFF, "\xFC\x9F\xBF\xBF\xBF\xBF" },
- { 0x20000000, "\xFC\xA0\x80\x80\x80\x80" },
- { 0x20000001, "\xFC\xA0\x80\x80\x80\x81" },
- { 0x20000002, "\xFC\xA0\x80\x80\x80\x82" },
- { 0x20000004, "\xFC\xA0\x80\x80\x80\x84" },
- { 0x20000008, "\xFC\xA0\x80\x80\x80\x88" },
- { 0x20000010, "\xFC\xA0\x80\x80\x80\x90" },
- { 0x20000020, "\xFC\xA0\x80\x80\x80\xA0" },
- { 0x20000040, "\xFC\xA0\x80\x80\x81\x80" },
- { 0x20000080, "\xFC\xA0\x80\x80\x82\x80" },
- { 0x20000100, "\xFC\xA0\x80\x80\x84\x80" },
- { 0x20000200, "\xFC\xA0\x80\x80\x88\x80" },
- { 0x20000400, "\xFC\xA0\x80\x80\x90\x80" },
- { 0x20000800, "\xFC\xA0\x80\x80\xA0\x80" },
- { 0x20001000, "\xFC\xA0\x80\x81\x80\x80" },
- { 0x20002000, "\xFC\xA0\x80\x82\x80\x80" },
- { 0x20004000, "\xFC\xA0\x80\x84\x80\x80" },
- { 0x20008000, "\xFC\xA0\x80\x88\x80\x80" },
- { 0x20010000, "\xFC\xA0\x80\x90\x80\x80" },
- { 0x20020000, "\xFC\xA0\x80\xA0\x80\x80" },
- { 0x20040000, "\xFC\xA0\x81\x80\x80\x80" },
- { 0x20080000, "\xFC\xA0\x82\x80\x80\x80" },
- { 0x20100000, "\xFC\xA0\x84\x80\x80\x80" },
- { 0x20200000, "\xFC\xA0\x88\x80\x80\x80" },
- { 0x20400000, "\xFC\xA0\x90\x80\x80\x80" },
- { 0x20800000, "\xFC\xA0\xA0\x80\x80\x80" },
- { 0x21000000, "\xFC\xA1\x80\x80\x80\x80" },
- { 0x22000000, "\xFC\xA2\x80\x80\x80\x80" },
- { 0x24000000, "\xFC\xA4\x80\x80\x80\x80" },
- { 0x28000000, "\xFC\xA8\x80\x80\x80\x80" },
- { 0x30000000, "\xFC\xB0\x80\x80\x80\x80" },
- { 0x3FFFFFFF, "\xFC\xBF\xBF\xBF\xBF\xBF" },
- { 0x40000000, "\xFD\x80\x80\x80\x80\x80" },
- { 0x40000001, "\xFD\x80\x80\x80\x80\x81" },
- { 0x40000002, "\xFD\x80\x80\x80\x80\x82" },
- { 0x40000004, "\xFD\x80\x80\x80\x80\x84" },
- { 0x40000008, "\xFD\x80\x80\x80\x80\x88" },
- { 0x40000010, "\xFD\x80\x80\x80\x80\x90" },
- { 0x40000020, "\xFD\x80\x80\x80\x80\xA0" },
- { 0x40000040, "\xFD\x80\x80\x80\x81\x80" },
- { 0x40000080, "\xFD\x80\x80\x80\x82\x80" },
- { 0x40000100, "\xFD\x80\x80\x80\x84\x80" },
- { 0x40000200, "\xFD\x80\x80\x80\x88\x80" },
- { 0x40000400, "\xFD\x80\x80\x80\x90\x80" },
- { 0x40000800, "\xFD\x80\x80\x80\xA0\x80" },
- { 0x40001000, "\xFD\x80\x80\x81\x80\x80" },
- { 0x40002000, "\xFD\x80\x80\x82\x80\x80" },
- { 0x40004000, "\xFD\x80\x80\x84\x80\x80" },
- { 0x40008000, "\xFD\x80\x80\x88\x80\x80" },
- { 0x40010000, "\xFD\x80\x80\x90\x80\x80" },
- { 0x40020000, "\xFD\x80\x80\xA0\x80\x80" },
- { 0x40040000, "\xFD\x80\x81\x80\x80\x80" },
- { 0x40080000, "\xFD\x80\x82\x80\x80\x80" },
- { 0x40100000, "\xFD\x80\x84\x80\x80\x80" },
- { 0x40200000, "\xFD\x80\x88\x80\x80\x80" },
- { 0x40400000, "\xFD\x80\x90\x80\x80\x80" },
- { 0x40800000, "\xFD\x80\xA0\x80\x80\x80" },
- { 0x41000000, "\xFD\x81\x80\x80\x80\x80" },
- { 0x42000000, "\xFD\x82\x80\x80\x80\x80" },
- { 0x44000000, "\xFD\x84\x80\x80\x80\x80" },
- { 0x48000000, "\xFD\x88\x80\x80\x80\x80" },
- { 0x50000000, "\xFD\x90\x80\x80\x80\x80" },
- { 0x60000000, "\xFD\xA0\x80\x80\x80\x80" },
- { 0x7FFFFFFF, "\xFD\xBF\xBF\xBF\xBF\xBF" }
-};
-
-/*
- * UCS-2 vectors
- */
-
-struct ucs2 ucs2[] = {
- { 0x0001, "\x01" },
- { 0x0002, "\x02" },
- { 0x0003, "\x03" },
- { 0x0004, "\x04" },
- { 0x0007, "\x07" },
- { 0x0008, "\x08" },
- { 0x000F, "\x0F" },
- { 0x0010, "\x10" },
- { 0x001F, "\x1F" },
- { 0x0020, "\x20" },
- { 0x003F, "\x3F" },
- { 0x0040, "\x40" },
- { 0x007F, "\x7F" },
-
- { 0x0080, "\xC2\x80" },
- { 0x0081, "\xC2\x81" },
- { 0x0082, "\xC2\x82" },
- { 0x0084, "\xC2\x84" },
- { 0x0088, "\xC2\x88" },
- { 0x0090, "\xC2\x90" },
- { 0x00A0, "\xC2\xA0" },
- { 0x00C0, "\xC3\x80" },
- { 0x00FF, "\xC3\xBF" },
- { 0x0100, "\xC4\x80" },
- { 0x0101, "\xC4\x81" },
- { 0x0102, "\xC4\x82" },
- { 0x0104, "\xC4\x84" },
- { 0x0108, "\xC4\x88" },
- { 0x0110, "\xC4\x90" },
- { 0x0120, "\xC4\xA0" },
- { 0x0140, "\xC5\x80" },
- { 0x0180, "\xC6\x80" },
- { 0x01FF, "\xC7\xBF" },
- { 0x0200, "\xC8\x80" },
- { 0x0201, "\xC8\x81" },
- { 0x0202, "\xC8\x82" },
- { 0x0204, "\xC8\x84" },
- { 0x0208, "\xC8\x88" },
- { 0x0210, "\xC8\x90" },
- { 0x0220, "\xC8\xA0" },
- { 0x0240, "\xC9\x80" },
- { 0x0280, "\xCA\x80" },
- { 0x0300, "\xCC\x80" },
- { 0x03FF, "\xCF\xBF" },
- { 0x0400, "\xD0\x80" },
- { 0x0401, "\xD0\x81" },
- { 0x0402, "\xD0\x82" },
- { 0x0404, "\xD0\x84" },
- { 0x0408, "\xD0\x88" },
- { 0x0410, "\xD0\x90" },
- { 0x0420, "\xD0\xA0" },
- { 0x0440, "\xD1\x80" },
- { 0x0480, "\xD2\x80" },
- { 0x0500, "\xD4\x80" },
- { 0x0600, "\xD8\x80" },
- { 0x07FF, "\xDF\xBF" },
-
- { 0x0800, "\xE0\xA0\x80" },
- { 0x0801, "\xE0\xA0\x81" },
- { 0x0802, "\xE0\xA0\x82" },
- { 0x0804, "\xE0\xA0\x84" },
- { 0x0808, "\xE0\xA0\x88" },
- { 0x0810, "\xE0\xA0\x90" },
- { 0x0820, "\xE0\xA0\xA0" },
- { 0x0840, "\xE0\xA1\x80" },
- { 0x0880, "\xE0\xA2\x80" },
- { 0x0900, "\xE0\xA4\x80" },
- { 0x0A00, "\xE0\xA8\x80" },
- { 0x0C00, "\xE0\xB0\x80" },
- { 0x0FFF, "\xE0\xBF\xBF" },
- { 0x1000, "\xE1\x80\x80" },
- { 0x1001, "\xE1\x80\x81" },
- { 0x1002, "\xE1\x80\x82" },
- { 0x1004, "\xE1\x80\x84" },
- { 0x1008, "\xE1\x80\x88" },
- { 0x1010, "\xE1\x80\x90" },
- { 0x1020, "\xE1\x80\xA0" },
- { 0x1040, "\xE1\x81\x80" },
- { 0x1080, "\xE1\x82\x80" },
- { 0x1100, "\xE1\x84\x80" },
- { 0x1200, "\xE1\x88\x80" },
- { 0x1400, "\xE1\x90\x80" },
- { 0x1800, "\xE1\xA0\x80" },
- { 0x1FFF, "\xE1\xBF\xBF" },
- { 0x2000, "\xE2\x80\x80" },
- { 0x2001, "\xE2\x80\x81" },
- { 0x2002, "\xE2\x80\x82" },
- { 0x2004, "\xE2\x80\x84" },
- { 0x2008, "\xE2\x80\x88" },
- { 0x2010, "\xE2\x80\x90" },
- { 0x2020, "\xE2\x80\xA0" },
- { 0x2040, "\xE2\x81\x80" },
- { 0x2080, "\xE2\x82\x80" },
- { 0x2100, "\xE2\x84\x80" },
- { 0x2200, "\xE2\x88\x80" },
- { 0x2400, "\xE2\x90\x80" },
- { 0x2800, "\xE2\xA0\x80" },
- { 0x3000, "\xE3\x80\x80" },
- { 0x3FFF, "\xE3\xBF\xBF" },
- { 0x4000, "\xE4\x80\x80" },
- { 0x4001, "\xE4\x80\x81" },
- { 0x4002, "\xE4\x80\x82" },
- { 0x4004, "\xE4\x80\x84" },
- { 0x4008, "\xE4\x80\x88" },
- { 0x4010, "\xE4\x80\x90" },
- { 0x4020, "\xE4\x80\xA0" },
- { 0x4040, "\xE4\x81\x80" },
- { 0x4080, "\xE4\x82\x80" },
- { 0x4100, "\xE4\x84\x80" },
- { 0x4200, "\xE4\x88\x80" },
- { 0x4400, "\xE4\x90\x80" },
- { 0x4800, "\xE4\xA0\x80" },
- { 0x5000, "\xE5\x80\x80" },
- { 0x6000, "\xE6\x80\x80" },
- { 0x7FFF, "\xE7\xBF\xBF" },
- { 0x8000, "\xE8\x80\x80" },
- { 0x8001, "\xE8\x80\x81" },
- { 0x8002, "\xE8\x80\x82" },
- { 0x8004, "\xE8\x80\x84" },
- { 0x8008, "\xE8\x80\x88" },
- { 0x8010, "\xE8\x80\x90" },
- { 0x8020, "\xE8\x80\xA0" },
- { 0x8040, "\xE8\x81\x80" },
- { 0x8080, "\xE8\x82\x80" },
- { 0x8100, "\xE8\x84\x80" },
- { 0x8200, "\xE8\x88\x80" },
- { 0x8400, "\xE8\x90\x80" },
- { 0x8800, "\xE8\xA0\x80" },
- { 0x9000, "\xE9\x80\x80" },
- { 0xA000, "\xEA\x80\x80" },
- { 0xC000, "\xEC\x80\x80" },
- { 0xFFFF, "\xEF\xBF\xBF" }
-
-};
-
-#ifdef UTF16
-/*
- * UTF-16 vectors
- */
-
-struct utf16 utf16[] = {
- { 0x00010000, { 0xD800, 0xDC00 } },
- { 0x00010001, { 0xD800, 0xDC01 } },
- { 0x00010002, { 0xD800, 0xDC02 } },
- { 0x00010003, { 0xD800, 0xDC03 } },
- { 0x00010004, { 0xD800, 0xDC04 } },
- { 0x00010007, { 0xD800, 0xDC07 } },
- { 0x00010008, { 0xD800, 0xDC08 } },
- { 0x0001000F, { 0xD800, 0xDC0F } },
- { 0x00010010, { 0xD800, 0xDC10 } },
- { 0x0001001F, { 0xD800, 0xDC1F } },
- { 0x00010020, { 0xD800, 0xDC20 } },
- { 0x0001003F, { 0xD800, 0xDC3F } },
- { 0x00010040, { 0xD800, 0xDC40 } },
- { 0x0001007F, { 0xD800, 0xDC7F } },
- { 0x00010080, { 0xD800, 0xDC80 } },
- { 0x00010081, { 0xD800, 0xDC81 } },
- { 0x00010082, { 0xD800, 0xDC82 } },
- { 0x00010084, { 0xD800, 0xDC84 } },
- { 0x00010088, { 0xD800, 0xDC88 } },
- { 0x00010090, { 0xD800, 0xDC90 } },
- { 0x000100A0, { 0xD800, 0xDCA0 } },
- { 0x000100C0, { 0xD800, 0xDCC0 } },
- { 0x000100FF, { 0xD800, 0xDCFF } },
- { 0x00010100, { 0xD800, 0xDD00 } },
- { 0x00010101, { 0xD800, 0xDD01 } },
- { 0x00010102, { 0xD800, 0xDD02 } },
- { 0x00010104, { 0xD800, 0xDD04 } },
- { 0x00010108, { 0xD800, 0xDD08 } },
- { 0x00010110, { 0xD800, 0xDD10 } },
- { 0x00010120, { 0xD800, 0xDD20 } },
- { 0x00010140, { 0xD800, 0xDD40 } },
- { 0x00010180, { 0xD800, 0xDD80 } },
- { 0x000101FF, { 0xD800, 0xDDFF } },
- { 0x00010200, { 0xD800, 0xDE00 } },
- { 0x00010201, { 0xD800, 0xDE01 } },
- { 0x00010202, { 0xD800, 0xDE02 } },
- { 0x00010204, { 0xD800, 0xDE04 } },
- { 0x00010208, { 0xD800, 0xDE08 } },
- { 0x00010210, { 0xD800, 0xDE10 } },
- { 0x00010220, { 0xD800, 0xDE20 } },
- { 0x00010240, { 0xD800, 0xDE40 } },
- { 0x00010280, { 0xD800, 0xDE80 } },
- { 0x00010300, { 0xD800, 0xDF00 } },
- { 0x000103FF, { 0xD800, 0xDFFF } },
- { 0x00010400, { 0xD801, 0xDC00 } },
- { 0x00010401, { 0xD801, 0xDC01 } },
- { 0x00010402, { 0xD801, 0xDC02 } },
- { 0x00010404, { 0xD801, 0xDC04 } },
- { 0x00010408, { 0xD801, 0xDC08 } },
- { 0x00010410, { 0xD801, 0xDC10 } },
- { 0x00010420, { 0xD801, 0xDC20 } },
- { 0x00010440, { 0xD801, 0xDC40 } },
- { 0x00010480, { 0xD801, 0xDC80 } },
- { 0x00010500, { 0xD801, 0xDD00 } },
- { 0x00010600, { 0xD801, 0xDE00 } },
- { 0x000107FF, { 0xD801, 0xDFFF } },
- { 0x00010800, { 0xD802, 0xDC00 } },
- { 0x00010801, { 0xD802, 0xDC01 } },
- { 0x00010802, { 0xD802, 0xDC02 } },
- { 0x00010804, { 0xD802, 0xDC04 } },
- { 0x00010808, { 0xD802, 0xDC08 } },
- { 0x00010810, { 0xD802, 0xDC10 } },
- { 0x00010820, { 0xD802, 0xDC20 } },
- { 0x00010840, { 0xD802, 0xDC40 } },
- { 0x00010880, { 0xD802, 0xDC80 } },
- { 0x00010900, { 0xD802, 0xDD00 } },
- { 0x00010A00, { 0xD802, 0xDE00 } },
- { 0x00010C00, { 0xD803, 0xDC00 } },
- { 0x00010FFF, { 0xD803, 0xDFFF } },
- { 0x00011000, { 0xD804, 0xDC00 } },
- { 0x00011001, { 0xD804, 0xDC01 } },
- { 0x00011002, { 0xD804, 0xDC02 } },
- { 0x00011004, { 0xD804, 0xDC04 } },
- { 0x00011008, { 0xD804, 0xDC08 } },
- { 0x00011010, { 0xD804, 0xDC10 } },
- { 0x00011020, { 0xD804, 0xDC20 } },
- { 0x00011040, { 0xD804, 0xDC40 } },
- { 0x00011080, { 0xD804, 0xDC80 } },
- { 0x00011100, { 0xD804, 0xDD00 } },
- { 0x00011200, { 0xD804, 0xDE00 } },
- { 0x00011400, { 0xD805, 0xDC00 } },
- { 0x00011800, { 0xD806, 0xDC00 } },
- { 0x00011FFF, { 0xD807, 0xDFFF } },
- { 0x00012000, { 0xD808, 0xDC00 } },
- { 0x00012001, { 0xD808, 0xDC01 } },
- { 0x00012002, { 0xD808, 0xDC02 } },
- { 0x00012004, { 0xD808, 0xDC04 } },
- { 0x00012008, { 0xD808, 0xDC08 } },
- { 0x00012010, { 0xD808, 0xDC10 } },
- { 0x00012020, { 0xD808, 0xDC20 } },
- { 0x00012040, { 0xD808, 0xDC40 } },
- { 0x00012080, { 0xD808, 0xDC80 } },
- { 0x00012100, { 0xD808, 0xDD00 } },
- { 0x00012200, { 0xD808, 0xDE00 } },
- { 0x00012400, { 0xD809, 0xDC00 } },
- { 0x00012800, { 0xD80A, 0xDC00 } },
- { 0x00013000, { 0xD80C, 0xDC00 } },
- { 0x00013FFF, { 0xD80F, 0xDFFF } },
- { 0x00014000, { 0xD810, 0xDC00 } },
- { 0x00014001, { 0xD810, 0xDC01 } },
- { 0x00014002, { 0xD810, 0xDC02 } },
- { 0x00014004, { 0xD810, 0xDC04 } },
- { 0x00014008, { 0xD810, 0xDC08 } },
- { 0x00014010, { 0xD810, 0xDC10 } },
- { 0x00014020, { 0xD810, 0xDC20 } },
- { 0x00014040, { 0xD810, 0xDC40 } },
- { 0x00014080, { 0xD810, 0xDC80 } },
- { 0x00014100, { 0xD810, 0xDD00 } },
- { 0x00014200, { 0xD810, 0xDE00 } },
- { 0x00014400, { 0xD811, 0xDC00 } },
- { 0x00014800, { 0xD812, 0xDC00 } },
- { 0x00015000, { 0xD814, 0xDC00 } },
- { 0x00016000, { 0xD818, 0xDC00 } },
- { 0x00017FFF, { 0xD81F, 0xDFFF } },
- { 0x00018000, { 0xD820, 0xDC00 } },
- { 0x00018001, { 0xD820, 0xDC01 } },
- { 0x00018002, { 0xD820, 0xDC02 } },
- { 0x00018004, { 0xD820, 0xDC04 } },
- { 0x00018008, { 0xD820, 0xDC08 } },
- { 0x00018010, { 0xD820, 0xDC10 } },
- { 0x00018020, { 0xD820, 0xDC20 } },
- { 0x00018040, { 0xD820, 0xDC40 } },
- { 0x00018080, { 0xD820, 0xDC80 } },
- { 0x00018100, { 0xD820, 0xDD00 } },
- { 0x00018200, { 0xD820, 0xDE00 } },
- { 0x00018400, { 0xD821, 0xDC00 } },
- { 0x00018800, { 0xD822, 0xDC00 } },
- { 0x00019000, { 0xD824, 0xDC00 } },
- { 0x0001A000, { 0xD828, 0xDC00 } },
- { 0x0001C000, { 0xD830, 0xDC00 } },
- { 0x0001FFFF, { 0xD83F, 0xDFFF } },
- { 0x00020000, { 0xD840, 0xDC00 } },
- { 0x00020001, { 0xD840, 0xDC01 } },
- { 0x00020002, { 0xD840, 0xDC02 } },
- { 0x00020004, { 0xD840, 0xDC04 } },
- { 0x00020008, { 0xD840, 0xDC08 } },
- { 0x00020010, { 0xD840, 0xDC10 } },
- { 0x00020020, { 0xD840, 0xDC20 } },
- { 0x00020040, { 0xD840, 0xDC40 } },
- { 0x00020080, { 0xD840, 0xDC80 } },
- { 0x00020100, { 0xD840, 0xDD00 } },
- { 0x00020200, { 0xD840, 0xDE00 } },
- { 0x00020400, { 0xD841, 0xDC00 } },
- { 0x00020800, { 0xD842, 0xDC00 } },
- { 0x00021000, { 0xD844, 0xDC00 } },
- { 0x00022000, { 0xD848, 0xDC00 } },
- { 0x00024000, { 0xD850, 0xDC00 } },
- { 0x00028000, { 0xD860, 0xDC00 } },
- { 0x0002FFFF, { 0xD87F, 0xDFFF } },
- { 0x00030000, { 0xD880, 0xDC00 } },
- { 0x00030001, { 0xD880, 0xDC01 } },
- { 0x00030002, { 0xD880, 0xDC02 } },
- { 0x00030004, { 0xD880, 0xDC04 } },
- { 0x00030008, { 0xD880, 0xDC08 } },
- { 0x00030010, { 0xD880, 0xDC10 } },
- { 0x00030020, { 0xD880, 0xDC20 } },
- { 0x00030040, { 0xD880, 0xDC40 } },
- { 0x00030080, { 0xD880, 0xDC80 } },
- { 0x00030100, { 0xD880, 0xDD00 } },
- { 0x00030200, { 0xD880, 0xDE00 } },
- { 0x00030400, { 0xD881, 0xDC00 } },
- { 0x00030800, { 0xD882, 0xDC00 } },
- { 0x00031000, { 0xD884, 0xDC00 } },
- { 0x00032000, { 0xD888, 0xDC00 } },
- { 0x00034000, { 0xD890, 0xDC00 } },
- { 0x00038000, { 0xD8A0, 0xDC00 } },
- { 0x0003FFFF, { 0xD8BF, 0xDFFF } },
- { 0x00040000, { 0xD8C0, 0xDC00 } },
- { 0x00040001, { 0xD8C0, 0xDC01 } },
- { 0x00040002, { 0xD8C0, 0xDC02 } },
- { 0x00040004, { 0xD8C0, 0xDC04 } },
- { 0x00040008, { 0xD8C0, 0xDC08 } },
- { 0x00040010, { 0xD8C0, 0xDC10 } },
- { 0x00040020, { 0xD8C0, 0xDC20 } },
- { 0x00040040, { 0xD8C0, 0xDC40 } },
- { 0x00040080, { 0xD8C0, 0xDC80 } },
- { 0x00040100, { 0xD8C0, 0xDD00 } },
- { 0x00040200, { 0xD8C0, 0xDE00 } },
- { 0x00040400, { 0xD8C1, 0xDC00 } },
- { 0x00040800, { 0xD8C2, 0xDC00 } },
- { 0x00041000, { 0xD8C4, 0xDC00 } },
- { 0x00042000, { 0xD8C8, 0xDC00 } },
- { 0x00044000, { 0xD8D0, 0xDC00 } },
- { 0x00048000, { 0xD8E0, 0xDC00 } },
- { 0x0004FFFF, { 0xD8FF, 0xDFFF } },
- { 0x00050000, { 0xD900, 0xDC00 } },
- { 0x00050001, { 0xD900, 0xDC01 } },
- { 0x00050002, { 0xD900, 0xDC02 } },
- { 0x00050004, { 0xD900, 0xDC04 } },
- { 0x00050008, { 0xD900, 0xDC08 } },
- { 0x00050010, { 0xD900, 0xDC10 } },
- { 0x00050020, { 0xD900, 0xDC20 } },
- { 0x00050040, { 0xD900, 0xDC40 } },
- { 0x00050080, { 0xD900, 0xDC80 } },
- { 0x00050100, { 0xD900, 0xDD00 } },
- { 0x00050200, { 0xD900, 0xDE00 } },
- { 0x00050400, { 0xD901, 0xDC00 } },
- { 0x00050800, { 0xD902, 0xDC00 } },
- { 0x00051000, { 0xD904, 0xDC00 } },
- { 0x00052000, { 0xD908, 0xDC00 } },
- { 0x00054000, { 0xD910, 0xDC00 } },
- { 0x00058000, { 0xD920, 0xDC00 } },
- { 0x00060000, { 0xD940, 0xDC00 } },
- { 0x00070000, { 0xD980, 0xDC00 } },
- { 0x0007FFFF, { 0xD9BF, 0xDFFF } },
- { 0x00080000, { 0xD9C0, 0xDC00 } },
- { 0x00080001, { 0xD9C0, 0xDC01 } },
- { 0x00080002, { 0xD9C0, 0xDC02 } },
- { 0x00080004, { 0xD9C0, 0xDC04 } },
- { 0x00080008, { 0xD9C0, 0xDC08 } },
- { 0x00080010, { 0xD9C0, 0xDC10 } },
- { 0x00080020, { 0xD9C0, 0xDC20 } },
- { 0x00080040, { 0xD9C0, 0xDC40 } },
- { 0x00080080, { 0xD9C0, 0xDC80 } },
- { 0x00080100, { 0xD9C0, 0xDD00 } },
- { 0x00080200, { 0xD9C0, 0xDE00 } },
- { 0x00080400, { 0xD9C1, 0xDC00 } },
- { 0x00080800, { 0xD9C2, 0xDC00 } },
- { 0x00081000, { 0xD9C4, 0xDC00 } },
- { 0x00082000, { 0xD9C8, 0xDC00 } },
- { 0x00084000, { 0xD9D0, 0xDC00 } },
- { 0x00088000, { 0xD9E0, 0xDC00 } },
- { 0x0008FFFF, { 0xD9FF, 0xDFFF } },
- { 0x00090000, { 0xDA00, 0xDC00 } },
- { 0x00090001, { 0xDA00, 0xDC01 } },
- { 0x00090002, { 0xDA00, 0xDC02 } },
- { 0x00090004, { 0xDA00, 0xDC04 } },
- { 0x00090008, { 0xDA00, 0xDC08 } },
- { 0x00090010, { 0xDA00, 0xDC10 } },
- { 0x00090020, { 0xDA00, 0xDC20 } },
- { 0x00090040, { 0xDA00, 0xDC40 } },
- { 0x00090080, { 0xDA00, 0xDC80 } },
- { 0x00090100, { 0xDA00, 0xDD00 } },
- { 0x00090200, { 0xDA00, 0xDE00 } },
- { 0x00090400, { 0xDA01, 0xDC00 } },
- { 0x00090800, { 0xDA02, 0xDC00 } },
- { 0x00091000, { 0xDA04, 0xDC00 } },
- { 0x00092000, { 0xDA08, 0xDC00 } },
- { 0x00094000, { 0xDA10, 0xDC00 } },
- { 0x00098000, { 0xDA20, 0xDC00 } },
- { 0x000A0000, { 0xDA40, 0xDC00 } },
- { 0x000B0000, { 0xDA80, 0xDC00 } },
- { 0x000C0000, { 0xDAC0, 0xDC00 } },
- { 0x000D0000, { 0xDB00, 0xDC00 } },
- { 0x000FFFFF, { 0xDBBF, 0xDFFF } },
- { 0x0010FFFF, { 0xDBFF, 0xDFFF } }
-
-};
-#endif /* UTF16 */
-
-static void
-dump_utf8
-(
- char *word,
- unsigned char *utf8,
- char *end
-)
-{
- fprintf(stdout, "%s ", word);
- for( ; *utf8; utf8++ ) {
- fprintf(stdout, "%02.2x ", (unsigned int)*utf8);
- }
- fprintf(stdout, "%s", end);
-}
-
-static PRBool
-test_ucs4_chars
-(
- void
-)
-{
- PRBool rv = PR_TRUE;
- int i;
-
- for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
- struct ucs4 *e = &ucs4[i];
- PRBool result;
- unsigned char utf8[8];
- unsigned int len = 0;
- PRUint32 back = 0;
-
- (void)memset(utf8, 0, sizeof(utf8));
-
- result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
- (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8\n", e->c);
- rv = PR_FALSE;
- continue;
- }
-
- if( (len >= sizeof(utf8)) ||
- (strlen(e->utf8) != len) ||
- (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
- fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8: ", e->c);
- dump_utf8("expected", e->utf8, ", ");
- dump_utf8("received", utf8, "\n");
- rv = PR_FALSE;
- continue;
- }
-
- result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
- utf8, len, (unsigned char *)&back, sizeof(back), &len);
-
- if( !result ) {
- dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4\n");
- rv = PR_FALSE;
- continue;
- }
-
- if( (sizeof(back) != len) || (e->c != back) ) {
- dump_utf8("Wrong conversion of UTF-8", utf8, " to UCS-4:");
- fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
- rv = PR_FALSE;
- continue;
- }
- }
-
- return rv;
-}
-
-static PRBool
-test_ucs2_chars
-(
- void
-)
-{
- PRBool rv = PR_TRUE;
- int i;
-
- for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
- struct ucs2 *e = &ucs2[i];
- PRBool result;
- unsigned char utf8[8];
- unsigned int len = 0;
- PRUint16 back = 0;
-
- (void)memset(utf8, 0, sizeof(utf8));
-
- result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
- (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UCS-2 0x%04.4x to UTF-8\n", e->c);
- rv = PR_FALSE;
- continue;
- }
-
- if( (len >= sizeof(utf8)) ||
- (strlen(e->utf8) != len) ||
- (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
- fprintf(stdout, "Wrong conversion of UCS-2 0x%04.4x to UTF-8: ", e->c);
- dump_utf8("expected", e->utf8, ", ");
- dump_utf8("received", utf8, "\n");
- rv = PR_FALSE;
- continue;
- }
-
- result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
- utf8, len, (unsigned char *)&back, sizeof(back), &len);
-
- if( !result ) {
- dump_utf8("Failed to convert UTF-8", utf8, "to UCS-2\n");
- rv = PR_FALSE;
- continue;
- }
-
- if( (sizeof(back) != len) || (e->c != back) ) {
- dump_utf8("Wrong conversion of UTF-8", utf8, "to UCS-2:");
- fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
- rv = PR_FALSE;
- continue;
- }
- }
-
- return rv;
-}
-
-#ifdef UTF16
-static PRBool
-test_utf16_chars
-(
- void
-)
-{
- PRBool rv = PR_TRUE;
- int i;
-
- for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
- struct utf16 *e = &utf16[i];
- PRBool result;
- unsigned char utf8[8];
- unsigned int len = 0;
- PRUint32 back32 = 0;
- PRUint16 back[2];
-
- (void)memset(utf8, 0, sizeof(utf8));
-
- result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
- (unsigned char *)&e->w[0], sizeof(e->w), utf8, sizeof(utf8), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8\n",
- e->w[0], e->w[1]);
- rv = PR_FALSE;
- continue;
- }
-
- result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
- utf8, len, (unsigned char *)&back32, sizeof(back32), &len);
-
- if( 4 != len ) {
- fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8: "
- "unexpected len %d\n", e->w[0], e->w[1], len);
- rv = PR_FALSE;
- continue;
- }
-
- utf8[len] = '\0'; /* null-terminate for printing */
-
- if( !result ) {
- dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4 (utf-16 test)\n");
- rv = PR_FALSE;
- continue;
- }
-
- if( (sizeof(back32) != len) || (e->c != back32) ) {
- fprintf(stdout, "Wrong conversion of UTF-16 0x%04.4x 0x%04.4x ",
- e->w[0], e->w[1]);
- dump_utf8("to UTF-8", utf8, "and then to UCS-4: ");
- if( sizeof(back32) != len ) {
- fprintf(stdout, "len is %d\n", len);
- } else {
- fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back32);
- }
- rv = PR_FALSE;
- continue;
- }
-
- (void)memset(utf8, 0, sizeof(utf8));
- back[0] = back[1] = 0;
-
- result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
- (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8 (utf-16 test)\n",
- e->c);
- rv = PR_FALSE;
- continue;
- }
-
- result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
- utf8, len, (unsigned char *)&back[0], sizeof(back), &len);
-
- if( 4 != len ) {
- fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8: "
- "unexpected len %d\n", e->c, len);
- rv = PR_FALSE;
- continue;
- }
-
- utf8[len] = '\0'; /* null-terminate for printing */
-
- if( !result ) {
- dump_utf8("Failed to convert UTF-8", utf8, "to UTF-16\n");
- rv = PR_FALSE;
- continue;
- }
-
- if( (sizeof(back) != len) || (e->w[0] != back[0]) || (e->w[1] != back[1]) ) {
- fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8", e->c);
- dump_utf8("", utf8, "and then to UTF-16:");
- if( sizeof(back) != len ) {
- fprintf(stdout, "len is %d\n", len);
- } else {
- fprintf(stdout, "expected 0x%04.4x 0x%04.4x, received 0x%04.4x 0x%04.4xx\n",
- e->w[0], e->w[1], back[0], back[1]);
- }
- rv = PR_FALSE;
- continue;
- }
- }
-
- return rv;
-}
-#endif /* UTF16 */
-
-static PRBool
-test_zeroes
-(
- void
-)
-{
- PRBool rv = PR_TRUE;
- PRBool result;
- PRUint32 lzero = 0;
- PRUint16 szero = 0;
- unsigned char utf8[8];
- unsigned int len = 0;
- PRUint32 lback = 1;
- PRUint16 sback = 1;
-
- (void)memset(utf8, 1, sizeof(utf8));
-
- result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
- (unsigned char *)&lzero, sizeof(lzero), utf8, sizeof(utf8), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UCS-4 0x00000000 to UTF-8\n");
- rv = PR_FALSE;
- } else if( 1 != len ) {
- fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: len = %d\n", len);
- rv = PR_FALSE;
- } else if( '\0' != *utf8 ) {
- fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: expected 00 ,"
- "received %02.2x\n", (unsigned int)*utf8);
- rv = PR_FALSE;
- }
-
- result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
- "", 1, (unsigned char *)&lback, sizeof(lback), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UTF-8 00 to UCS-4\n");
- rv = PR_FALSE;
- } else if( 4 != len ) {
- fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: len = %d\n", len);
- rv = PR_FALSE;
- } else if( 0 != lback ) {
- fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: "
- "expected 0x00000000, received 0x%08.8x\n", lback);
- rv = PR_FALSE;
- }
-
- (void)memset(utf8, 1, sizeof(utf8));
-
- result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
- (unsigned char *)&szero, sizeof(szero), utf8, sizeof(utf8), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UCS-2 0x0000 to UTF-8\n");
- rv = PR_FALSE;
- } else if( 1 != len ) {
- fprintf(stdout, "Wrong conversion of UCS-2 0x0000: len = %d\n", len);
- rv = PR_FALSE;
- } else if( '\0' != *utf8 ) {
- fprintf(stdout, "Wrong conversion of UCS-2 0x0000: expected 00 ,"
- "received %02.2x\n", (unsigned int)*utf8);
- rv = PR_FALSE;
- }
-
- result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
- "", 1, (unsigned char *)&sback, sizeof(sback), &len);
-
- if( !result ) {
- fprintf(stdout, "Failed to convert UTF-8 00 to UCS-2\n");
- rv = PR_FALSE;
- } else if( 2 != len ) {
- fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: len = %d\n", len);
- rv = PR_FALSE;
- } else if( 0 != sback ) {
- fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: "
- "expected 0x0000, received 0x%04.4x\n", sback);
- rv = PR_FALSE;
- }
-
- return rv;
-}
-
-static PRBool
-test_multichars
-(
- void
-)
-{
- int i;
- unsigned int len, lenout;
- PRUint32 *ucs4s;
- char *ucs4_utf8;
- PRUint16 *ucs2s;
- char *ucs2_utf8;
- void *tmp;
- PRBool result;
-
- ucs4s = (PRUint32 *)calloc(sizeof(ucs4)/sizeof(ucs4[0]), sizeof(PRUint32));
- ucs2s = (PRUint16 *)calloc(sizeof(ucs2)/sizeof(ucs2[0]), sizeof(PRUint16));
-
- if( ((PRUint32 *)NULL == ucs4s) || ((PRUint16 *)NULL == ucs2s) ) {
- fprintf(stderr, "out of memory\n");
- exit(1);
- }
-
- len = 0;
- for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
- ucs4s[i] = ucs4[i].c;
- len += strlen(ucs4[i].utf8);
- }
-
- ucs4_utf8 = (char *)malloc(len);
-
- len = 0;
- for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
- ucs2s[i] = ucs2[i].c;
- len += strlen(ucs2[i].utf8);
- }
-
- ucs2_utf8 = (char *)malloc(len);
-
- if( ((char *)NULL == ucs4_utf8) || ((char *)NULL == ucs2_utf8) ) {
- fprintf(stderr, "out of memory\n");
- exit(1);
- }
-
- *ucs4_utf8 = '\0';
- for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
- strcat(ucs4_utf8, ucs4[i].utf8);
- }
-
- *ucs2_utf8 = '\0';
- for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
- strcat(ucs2_utf8, ucs2[i].utf8);
- }
-
- /* UTF-8 -> UCS-4 */
- len = sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32);
- tmp = calloc(len, 1);
- if( (void *)NULL == tmp ) {
- fprintf(stderr, "out of memory\n");
- exit(1);
- }
-
- result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
- ucs4_utf8, strlen(ucs4_utf8), tmp, len, &lenout);
- if( !result ) {
- fprintf(stdout, "Failed to convert much UTF-8 to UCS-4\n");
- goto done;
- }
-
- if( lenout != len ) {
- fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-4\n");
- goto loser;
- }
-
- if( 0 != memcmp(ucs4s, tmp, len) ) {
- fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-4\n");
- goto loser;
- }
-
- free(tmp); tmp = (void *)NULL;
-
- /* UCS-4 -> UTF-8 */
- len = strlen(ucs4_utf8);
- tmp = calloc(len, 1);
- if( (void *)NULL == tmp ) {
- fprintf(stderr, "out of memory\n");
- exit(1);
- }
-
- result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
- (unsigned char *)ucs4s, sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32),
- tmp, len, &lenout);
- if( !result ) {
- fprintf(stdout, "Failed to convert much UCS-4 to UTF-8\n");
- goto done;
- }
-
- if( lenout != len ) {
- fprintf(stdout, "Unexpected length converting much UCS-4 to UTF-8\n");
- goto loser;
- }
-
- if( 0 != strncmp(ucs4_utf8, tmp, len) ) {
- fprintf(stdout, "Wrong conversion of much UCS-4 to UTF-8\n");
- goto loser;
- }
-
- free(tmp); tmp = (void *)NULL;
-
- /* UTF-8 -> UCS-2 */
- len = sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16);
- tmp = calloc(len, 1);
- if( (void *)NULL == tmp ) {
- fprintf(stderr, "out of memory\n");
- exit(1);
- }
-
- result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
- ucs2_utf8, strlen(ucs2_utf8), tmp, len, &lenout);
- if( !result ) {
- fprintf(stdout, "Failed to convert much UTF-8 to UCS-2\n");
- goto done;
- }
-
- if( lenout != len ) {
- fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-2\n");
- goto loser;
- }
-
- if( 0 != memcmp(ucs2s, tmp, len) ) {
- fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-2\n");
- goto loser;
- }
-
- free(tmp); tmp = (void *)NULL;
-
- /* UCS-2 -> UTF-8 */
- len = strlen(ucs2_utf8);
- tmp = calloc(len, 1);
- if( (void *)NULL == tmp ) {
- fprintf(stderr, "out of memory\n");
- exit(1);
- }
-
- result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
- (unsigned char *)ucs2s, sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16),
- tmp, len, &lenout);
- if( !result ) {
- fprintf(stdout, "Failed to convert much UCS-2 to UTF-8\n");
- goto done;
- }
-
- if( lenout != len ) {
- fprintf(stdout, "Unexpected length converting much UCS-2 to UTF-8\n");
- goto loser;
- }
-
- if( 0 != strncmp(ucs2_utf8, tmp, len) ) {
- fprintf(stdout, "Wrong conversion of much UCS-2 to UTF-8\n");
- goto loser;
- }
-
-#ifdef UTF16
- /* implement me */
-#endif /* UTF16 */
-
- result = PR_TRUE;
- goto done;
-
- loser:
- result = PR_FALSE;
- done:
- free(ucs4s);
- free(ucs4_utf8);
- free(ucs2s);
- free(ucs2_utf8);
- if( (void *)NULL != tmp ) free(tmp);
- return result;
-}
-
-void
-byte_order
-(
- void
-)
-{
- /*
- * The implementation (now) expects the 16- and 32-bit characters
- * to be in network byte order, not host byte order. Therefore I
- * have to byteswap all those test vectors above. hton[ls] may be
- * functions, so I have to do this dynamically. If you want to
- * use this code to do host byte order conversions, just remove
- * the call in main() to this function.
- */
-
- int i;
-
- for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
- struct ucs4 *e = &ucs4[i];
- e->c = htonl(e->c);
- }
-
- for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
- struct ucs2 *e = &ucs2[i];
- e->c = htons(e->c);
- }
-
-#ifdef UTF16
- for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
- struct utf16 *e = &utf16[i];
- e->c = htonl(e->c);
- e->w[0] = htons(e->w[0]);
- e->w[1] = htons(e->w[1]);
- }
-#endif /* UTF16 */
-
- return;
-}
-
-int
-main
-(
- int argc,
- char *argv[]
-)
-{
- byte_order();
-
- if( test_ucs4_chars() &&
- test_ucs2_chars() &&
-#ifdef UTF16
- test_utf16_chars() &&
-#endif /* UTF16 */
- test_zeroes() &&
- test_multichars() &&
- PR_TRUE ) {
- fprintf(stderr, "PASS\n");
- return 1;
- } else {
- fprintf(stderr, "FAIL\n");
- return 0;
- }
-}
-
-#endif /* TEST_UTF8 */
diff --git a/security/nss/lib/util/watcomfx.h b/security/nss/lib/util/watcomfx.h
deleted file mode 100644
index bc1d20f72..000000000
--- a/security/nss/lib/util/watcomfx.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
-#ifndef __WATCOM_FIX_H__
-#define __WATCOM_FIX_H__ 1
-/*
- * WATCOM's C compiler doesn't default to "__cdecl" conventions for external
- * symbols and functions. Rather than adding an explicit __cdecl modifier to
- * every external symbol and function declaration and definition, we use the
- * following pragma to (attempt to) change WATCOM c's default to __cdecl.
- * These pragmas were taken from pages 180-181, 266 & 269 of the
- * Watcom C/C++ version 11 User's Guide, 3rd edition.
- */
-#if defined(XP_WIN16) || defined(WIN16)
-#pragma aux default "_*" \
- parm caller [] \
- value struct float struct routine [ax] \
- modify [ax bx cx dx es]
-#else
-#pragma aux default "_*" \
- parm caller [] \
- value struct float struct routine [eax] \
- modify [eax ecx edx]
-#endif
-#pragma aux default far
-
-#endif /* once */
-#endif /* WATCOM compiler */
diff --git a/security/nss/lib/util/win_rand.c b/security/nss/lib/util/win_rand.c
deleted file mode 100644
index de2e06ea7..000000000
--- a/security/nss/lib/util/win_rand.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "secrng.h"
-#ifdef XP_WIN
-#include <windows.h>
-#include <time.h>
-#include <io.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdio.h>
-
-#ifndef _WIN32
-#define VTD_Device_ID 5
-#define OP_OVERRIDE _asm _emit 0x66
-#include <dos.h>
-#endif
-
-static BOOL
-CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
-{
-#ifdef _WIN32
- LARGE_INTEGER liCount;
-
- if (!QueryPerformanceCounter(&liCount))
- return FALSE;
-
- *lpdwHigh = liCount.u.HighPart;
- *lpdwLow = liCount.u.LowPart;
- return TRUE;
-
-#else /* is WIN16 */
- BOOL bRetVal;
- FARPROC lpAPI;
- WORD w1, w2, w3, w4;
-
- // Get direct access to the VTD and query the current clock tick time
- _asm {
- xor di, di
- mov es, di
- mov ax, 1684h
- mov bx, VTD_Device_ID
- int 2fh
- mov ax, es
- or ax, di
- jz EnumerateFailed
-
- ; VTD API is available. First store the API address (the address actually
- ; contains an instruction that causes a fault, the fault handler then
- ; makes the ring transition and calls the API in the VxD)
- mov word ptr lpAPI, di
- mov word ptr lpAPI+2, es
- mov ax, 100h ; API function to VTD_Get_Real_Time
-; call dword ptr [lpAPI]
- call [lpAPI]
-
- ; Result is in EDX:EAX which we will get 16-bits at a time
- mov w2, dx
- OP_OVERRIDE
- shr dx,10h ; really "shr edx, 16"
- mov w1, dx
-
- mov w4, ax
- OP_OVERRIDE
- shr ax,10h ; really "shr eax, 16"
- mov w3, ax
-
- mov bRetVal, 1 ; return TRUE
- jmp EnumerateExit
-
- EnumerateFailed:
- mov bRetVal, 0 ; return FALSE
-
- EnumerateExit:
- }
-
- *lpdwHigh = MAKELONG(w2, w1);
- *lpdwLow = MAKELONG(w4, w3);
-
- return bRetVal;
-#endif /* is WIN16 */
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbuf)
-{
- DWORD dwHigh, dwLow, dwVal;
- int n = 0;
- int nBytes;
- time_t sTime;
-
- if (maxbuf <= 0)
- return 0;
-
- CurrentClockTickTime(&dwHigh, &dwLow);
-
- // get the maximally changing bits first
- nBytes = sizeof(dwLow) > maxbuf ? maxbuf : sizeof(dwLow);
- memcpy((char *)buf, &dwLow, nBytes);
- n += nBytes;
- maxbuf -= nBytes;
-
- if (maxbuf <= 0)
- return n;
-
- nBytes = sizeof(dwHigh) > maxbuf ? maxbuf : sizeof(dwHigh);
- memcpy(((char *)buf) + n, &dwHigh, nBytes);
- n += nBytes;
- maxbuf -= nBytes;
-
- if (maxbuf <= 0)
- return n;
-
- // get the number of milliseconds that have elapsed since Windows started
- dwVal = GetTickCount();
-
- nBytes = sizeof(dwVal) > maxbuf ? maxbuf : sizeof(dwVal);
- memcpy(((char *)buf) + n, &dwVal, nBytes);
- n += nBytes;
- maxbuf -= nBytes;
-
- if (maxbuf <= 0)
- return n;
-
- // get the time in seconds since midnight Jan 1, 1970
- time(&sTime);
- nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
- memcpy(((char *)buf) + n, &sTime, nBytes);
- n += nBytes;
-
- return n;
-}
-
-static BOOL
-EnumSystemFiles(void (*func)(char *))
-{
- int iStatus;
- char szSysDir[_MAX_PATH];
- char szFileName[_MAX_PATH];
-#ifdef _WIN32
- struct _finddata_t fdData;
- long lFindHandle;
-#else
- struct _find_t fdData;
-#endif
-
- if (!GetSystemDirectory(szSysDir, sizeof(szSysDir)))
- return FALSE;
-
- // tack *.* on the end so we actually look for files. this will
- // not overflow
- strcpy(szFileName, szSysDir);
- strcat(szFileName, "\\*.*");
-
-#ifdef _WIN32
- lFindHandle = _findfirst(szFileName, &fdData);
- if (lFindHandle == -1)
- return FALSE;
-#else
- if (_dos_findfirst(szFileName, _A_NORMAL | _A_RDONLY | _A_ARCH | _A_SUBDIR, &fdData) != 0)
- return FALSE;
-#endif
-
- do {
- // pass the full pathname to the callback
- sprintf(szFileName, "%s\\%s", szSysDir, fdData.name);
- (*func)(szFileName);
-
-#ifdef _WIN32
- iStatus = _findnext(lFindHandle, &fdData);
-#else
- iStatus = _dos_findnext(&fdData);
-#endif
- } while (iStatus == 0);
-
-#ifdef _WIN32
- _findclose(lFindHandle);
-#endif
-
- return TRUE;
-}
-
-static DWORD dwNumFiles, dwReadEvery;
-
-static void
-CountFiles(char *file)
-{
- dwNumFiles++;
-}
-
-static void
-ReadFiles(char *file)
-{
- if ((dwNumFiles % dwReadEvery) == 0)
- RNG_FileForRNG(file);
-
- dwNumFiles++;
-}
-
-static void
-ReadSystemFiles()
-{
- // first count the number of files
- dwNumFiles = 0;
- if (!EnumSystemFiles(CountFiles))
- return;
-
- RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
-
- // now read 10 files
- if (dwNumFiles == 0)
- return;
-
- dwReadEvery = dwNumFiles / 10;
- if (dwReadEvery == 0)
- dwReadEvery = 1; // less than 10 files
-
- dwNumFiles = 0;
- EnumSystemFiles(ReadFiles);
-}
-
-void RNG_SystemInfoForRNG(void)
-{
- DWORD dwVal;
- char buffer[256];
- int nBytes;
-#ifdef _WIN32
- MEMORYSTATUS sMem;
- DWORD dwSerialNum;
- DWORD dwComponentLen;
- DWORD dwSysFlags;
- char volName[128];
- DWORD dwSectors, dwBytes, dwFreeClusters, dwNumClusters;
- HANDLE hVal;
-#else
- int iVal;
- HTASK hTask;
- WORD wDS, wCS;
- LPSTR lpszEnv;
-#endif
-
- nBytes = RNG_GetNoise(buffer, 20); // get up to 20 bytes
- RNG_RandomUpdate(buffer, nBytes);
-
-#ifdef _WIN32
- sMem.dwLength = sizeof(sMem);
- GlobalMemoryStatus(&sMem); // assorted memory stats
- RNG_RandomUpdate(&sMem, sizeof(sMem));
-
- dwVal = GetLogicalDrives();
- RNG_RandomUpdate(&dwVal, sizeof(dwVal)); // bitfields in bits 0-25
-
-#else
- dwVal = GetFreeSpace(0);
- RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
- _asm mov wDS, ds;
- _asm mov wCS, cs;
- RNG_RandomUpdate(&wDS, sizeof(wDS));
- RNG_RandomUpdate(&wCS, sizeof(wCS));
-#endif
-
-#ifdef _WIN32
- dwVal = sizeof(buffer);
- if (GetComputerName(buffer, &dwVal))
- RNG_RandomUpdate(buffer, dwVal);
-
-/* XXX This is code that got yanked because of NSPR20. We should put it
- * back someday.
- */
-#ifdef notdef
- {
- POINT ptVal;
- GetCursorPos(&ptVal);
- RNG_RandomUpdate(&ptVal, sizeof(ptVal));
- }
-
- dwVal = GetQueueStatus(QS_ALLINPUT); // high and low significant
- RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
- {
- HWND hWnd;
- hWnd = GetClipboardOwner(); // 2 or 4 bytes
- RNG_RandomUpdate((void *)&hWnd, sizeof(hWnd));
- }
-
- {
- UUID sUuid;
- UuidCreate(&sUuid); // this will fail on machines with no ethernet
- RNG_RandomUpdate(&sUuid, sizeof(sUuid)); // boards. shove the bits in regardless
- }
-#endif
-
- hVal = GetCurrentProcess(); // 4 byte handle of current task
- RNG_RandomUpdate(&hVal, sizeof(hVal));
-
- dwVal = GetCurrentProcessId(); // process ID (4 bytes)
- RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
- volName[0] = '\0';
- buffer[0] = '\0';
- GetVolumeInformation(NULL,
- volName,
- sizeof(volName),
- &dwSerialNum,
- &dwComponentLen,
- &dwSysFlags,
- buffer,
- sizeof(buffer));
-
- RNG_RandomUpdate(volName, strlen(volName));
- RNG_RandomUpdate(&dwSerialNum, sizeof(dwSerialNum));
- RNG_RandomUpdate(&dwComponentLen, sizeof(dwComponentLen));
- RNG_RandomUpdate(&dwSysFlags, sizeof(dwSysFlags));
- RNG_RandomUpdate(buffer, strlen(buffer));
-
- if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, &dwNumClusters)) {
- RNG_RandomUpdate(&dwSectors, sizeof(dwSectors));
- RNG_RandomUpdate(&dwBytes, sizeof(dwBytes));
- RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
- RNG_RandomUpdate(&dwNumClusters, sizeof(dwNumClusters));
- }
-
-#else /* is WIN16 */
- hTask = GetCurrentTask();
- RNG_RandomUpdate((void *)&hTask, sizeof(hTask));
-
- iVal = GetNumTasks();
- RNG_RandomUpdate(&iVal, sizeof(iVal)); // number of running tasks
-
- lpszEnv = GetDOSEnvironment();
- while (*lpszEnv != '\0') {
- RNG_RandomUpdate(lpszEnv, strlen(lpszEnv));
-
- lpszEnv += strlen(lpszEnv) + 1;
- }
-#endif /* is WIN16 */
-
- // now let's do some files
- ReadSystemFiles();
-
- nBytes = RNG_GetNoise(buffer, 20); // get up to 20 bytes
- RNG_RandomUpdate(buffer, nBytes);
-}
-
-void RNG_FileForRNG(char *filename)
-{
- FILE* file;
- int nBytes;
- struct stat stat_buf;
- unsigned char buffer[1024];
-
- static DWORD totalFileBytes = 0;
-
- /* windows doesn't initialize all the bytes in the stat buf,
- * so initialize them all here to avoid UMRs.
- */
- memset(&stat_buf, 0, sizeof stat_buf);
-
- if (stat((char *)filename, &stat_buf) < 0)
- return;
-
- RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-
- file = fopen((char *)filename, "r");
- if (file != NULL) {
- for (;;) {
- size_t bytes = fread(buffer, 1, sizeof(buffer), file);
-
- if (bytes == 0)
- break;
-
- RNG_RandomUpdate(buffer, bytes);
- totalFileBytes += bytes;
- if (totalFileBytes > 250000)
- break;
- }
-
- fclose(file);
- }
-
- nBytes = RNG_GetNoise(buffer, 20); // get up to 20 bytes
- RNG_RandomUpdate(buffer, nBytes);
-}
-
-#endif /* is XP_WIN */